author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2022-12-05 12:22:37 -0500 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2023-01-11 10:00:21 -0500 |
commit | b9a0d3eb4e0fd57fe286138690abdddc3351f49c (patch) | |
tree | d6438ca5da293fdc44ad0b32f7e8a4ab58977a35 | |
parent | 1efc7828438605da447147ad9672878edcd82746 (diff) | |
download | openssl_tpm2_engine-b9a0d3eb4e0fd57fe286138690abdddc3351f49c.tar.gz |
tests: add tests for signed policies
Run through a sequence of checks to make sure keys with multiple signed
policies work in all cases.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r-- | tests/Makefile.am | 1 | ||||
-rwxr-xr-x | tests/check_signed_policies.sh | 87 |
2 files changed, 88 insertions, 0 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am
index c983389..718ef14 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -26,6 +26,7 @@ TESTS += check_curves.sh \
 check_rsa_oaep_pss.sh \
 restricted_parent.sh \
 seal_unseal.sh \
+ check_signed_policies.sh \
 dynamic_engine.sh \
 stop_sw_tpm.sh
diff --git a/tests/check_signed_policies.sh b/tests/check_signed_policies.sh
new file mode 100755
index 0000000..39c0022
--- /dev/null
+++ b/tests/check_signed_policies.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+bindir=${srcdir}/..
+
+tss_pcrreset_cmd=tsspcrreset
+tss_pcrextend_cmd=tsspcrextend
+
+if which ${tss_pcrreset_cmd} && which ${tss_pcrextend_cmd}; then
+ :
+else
+ echo "TSS utils not found, please specify the correct path."
+ exit 1
+fi
+
+DATA="This is some data to test"
+
+for alg in EC RSA; do
+ for h in sha1 "" sha384; do
+ echo "Testing Name Parameter: ${h} and policy key algorithm ${alg}"
+ if [ -n "${h}" ]; then
+ n="-n ${h}"
+ else
+ n=""
+ fi
+
+ ##
+ # test is
+ # 1. create a standard public/private key pair for policies
+ # 2. create a tpm key with a signed policy
+ # 3. verify the private part of the key is unusable (no policies)
+ # 4. seal data with signed policy
+ echo "This is a Message" > plain.txt
+ if [ "$alg" = "EC" ]; then
+ openssl genpkey -out policy.key -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1
+ else
+ openssl genpkey -out policy.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
+ fi
+ openssl pkey -in policy.key -pubout -out policy.pub
+ ${bindir}/create_tpm2_key ${n} --signed-policy policy.pub key.tpm || exit 1
+ openssl pkeyutl -sign -engine tpm2 -keyform engine -inkey key.tpm -in plain.txt -out tmp.msg && exit 1
+ echo ${DATA} | ${bindir}/seal_tpm2_data --signed-policy policy.pub seal.tpm || exit 1
+ ${bindir}/unseal_tpm2_data seal.tpm && exit 1
+
+ ##
+ # test is
+ # 1. reset PCR 16
+ # 2. extend PCR 16 with 'aaa'
+ # 3. Add a four signed policy to the key with extensions of this PCR
+ # 4. reset PCR 16
+ # 5. do sign with key and verify four times. Check that all
+ # but the last succeeds and the last one fails
+ ${tss_pcrreset_cmd} -ha 16
+ ${bindir}/signed_tpm2_policy --policy-name "PCR16-0" --pcr-lock 16 key.tpm policy.key || exit 1
+ ${bindir}/signed_tpm2_policy --policy-name "PCR16-0" --pcr-lock 16 seal.tpm policy.key || exit 1
+ openssl rsa -engine tpm2 -inform engine -in key.tpm -pubout -out key.pub || exit 1
+ ${tss_pcrextend_cmd} -ha 16 -ic aaa
+ ${bindir}/signed_tpm2_policy --policy-name "PCR16-extend" --pcr-lock 16 key.tpm policy.key || exit 1
+ ${bindir}/signed_tpm2_policy --policy-name "PCR16-extend" --pcr-lock 16 seal.tpm policy.key || exit 1
+ ${tss_pcrextend_cmd} -ha 16 -ic aaa
+ ${bindir}/signed_tpm2_policy --policy-name "PCR16-extendx2" --pcr-lock 16 key.tpm policy.key || exit 1
+ ${bindir}/signed_tpm2_policy --policy-name "PCR16-extendx2" --pcr-lock 16 seal.tpm policy.key || exit 1
+ ${tss_pcrextend_cmd} -ha 16 -ic aaa
+ ${bindir}/signed_tpm2_policy --policy-name "PCR16-extendx3" --pcr-lock 16 key.tpm policy.key || exit 1
+ ${bindir}/signed_tpm2_policy --policy-name "PCR16-extendx3" --pcr-lock 16 seal.tpm policy.key || exit 1
+ ${tss_pcrreset_cmd} -ha 16
+ openssl pkeyutl -sign -in plain.txt -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && \
+ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1
+ ${bindir}/unseal_tpm2_data seal.tpm | grep -q "${DATA}" || exit 1
+ ${tss_pcrextend_cmd} -ha 16 -ic aaa
+ openssl pkeyutl -sign -in plain.txt -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && \
+ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1
+ ${bindir}/unseal_tpm2_data seal.tpm | grep -q "${DATA}" || exit 1
+ ${tss_pcrextend_cmd} -ha 16 -ic aaa
+ openssl pkeyutl -sign -in plain.txt -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && \
+ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1
+ ${bindir}/unseal_tpm2_data seal.tpm | grep -q "${DATA}" || exit 1
+ ${tss_pcrextend_cmd} -ha 16 -ic aaa
+ openssl pkeyutl -sign -in plain.txt -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && \
+ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1
+ ${bindir}/unseal_tpm2_data seal.tpm | grep -q "${DATA}" || exit 1
+ ${tss_pcrextend_cmd} -ha 16 -ic aaa
+ openssl pkeyutl -sign -in plain.txt -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && exit 1
+ ${bindir}/unseal_tpm2_data seal.tpm && exit 1
+
+ done
+done
+exit 0
|
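Review bot: The setup steps in check_signed_policies.sh carry no exit-code check while every tool under test does: the two `openssl genpkey` lines, `openssl pkey ... -pubout`, every `${tss_pcrreset_cmd} -ha 16` and every `${tss_pcrextend_cmd} -ha 16 -ic aaa` can fail without stopping the script. Because policy.key, policy.pub and the PCR 16 state persist between loop iterations, a failed genpkey in the RSA pass would silently re-run the whole pass against the EC key left over from the previous iteration, and a failed extend leaves PCR 16 unchanged so the `&& exit 1` negative check at the end fails at a misleading point. Appending `|| exit 1` to those lines, e.g. `openssl pkey -in policy.key -pubout -out policy.pub || exit 1` and `${tss_pcrextend_cmd} -ha 16 -ic aaa || exit 1`, closes the gap; `set -e` near the top would also work here since the `cmd && exit 1` negative checks are not affected by it. Separately, the `which` probe at the top prints the resolved paths to stdout and is not POSIX; `command -v "${tss_pcrreset_cmd}" >/dev/null && command -v "${tss_pcrextend_cmd}" >/dev/null` is the usual replacement.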