diff options
author | Roberto Sassu <roberto.sassu@huawei.com> | 2018-06-26 16:56:38 +0200 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2018-06-28 13:58:25 -0700 |
commit | baf70b97ca02400e19b5e4599a114acd607254b2 (patch) | |
tree | ded0d264b4245b0d1969a94f74b4eb62ac0a33fe | |
parent | a7788b6f55e3e7214147b05dcff7a426f18a8d47 (diff) | |
download | openssl_tpm2_engine-baf70b97ca02400e19b5e4599a114acd607254b2.tar.gz |
openssl_tpm2_engine: add tests for enhanced authorization
Add tests for enhanced authorization:
1) PolicyAuthValue
2) PolicyPCR
3) PolicyAuthValue + PolicyPCR
4) PolicyPCR + PolicyAuthValue
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r-- | tests/Makefile.am | 1 | ||||
-rwxr-xr-x | tests/check_enhanced_auth.sh | 84 | ||||
-rw-r--r-- | tests/policies/policy_authvalue.txt | 1 | ||||
-rw-r--r-- | tests/policies/policy_authvalue_pcr.txt | 2 | ||||
-rw-r--r-- | tests/policies/policy_pcr.txt | 1 | ||||
-rw-r--r-- | tests/policies/policy_pcr_authvalue.txt | 2 |
6 files changed, 91 insertions, 0 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am index e434272..d9713d1 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -14,6 +14,7 @@ TESTS = fail_connect.sh \ create_non_tpm_keys.sh \ da_check.sh \ test_nv_key.sh \ + check_enhanced_auth.sh \ stop_sw_tpm.sh AM_TESTS_ENVIRONMENT = TPM_INTERFACE_TYPE=socsim; \ diff --git a/tests/check_enhanced_auth.sh b/tests/check_enhanced_auth.sh new file mode 100755 index 0000000..e8ab9d8 --- /dev/null +++ b/tests/check_enhanced_auth.sh @@ -0,0 +1,84 @@ +#!/bin/bash + +bindir=${srcdir}/.. + +tss_pcrreset_cmd=/usr/bin/tsspcrreset +tss_pcrextend_cmd=/usr/bin/tsspcrextend + +if [ ! -e ${tss_pcrreset_cmd} ] || [ ! -e ${tss_pcrextend_cmd} ]; then + echo "TSS utils not found, please specify the correct path." + exit 1 +fi + +## +# test is +# 1. create TPM internal private key with PolicyAuthValue authorization +# 2. get the corresponding public key from the engine +# 3. encode a message using the TPM key +# 4. verify the message through the public key +${bindir}/create_tpm2_key -a -k passw0rd key2.tpm -c policies/policy_authvalue.txt && \ +openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \ +echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \ +openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin + +## +# test is +# 1. reset PCR 16 +# 2. extend PCR 16 with 'aaa' +# 3. create TPM internal private key with PolicyPCR authorization (PCR 16 extended with 'aaa') +# 4. get the corresponding public key from the engine +# 5. encode a message using the TPM key +# 6. verify the message through the public key +${tss_pcrreset_cmd} -ha 16 +${tss_pcrextend_cmd} -ha 16 -ic aaa +${bindir}/create_tpm2_key key2.tpm -c policies/policy_pcr.txt && \ +openssl rsa -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub && \ +echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \ +openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin + +## +# test is +# 1. reset PCR 16 +# 2. create TPM internal private key with PolicyPCR authorization (should fail because PCR 16 does not have the correct value) +# 3. get the corresponding public key from the engine +# 4. encode a message using the TPM key +# 5. verify the message through the public key +${tss_pcrreset_cmd} -ha 16 +${bindir}/create_tpm2_key key2.tpm -c policies/policy_pcr.txt +openssl rsa -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub && \ +echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \ +openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin +if [ $? -ne 1 ]; then + echo "TPM key should not be accessible" + exit 1 +fi + +## +# test is +# 1. reset PCR 16 +# 2. extend PCR 16 with 'aaa' +# 3. create TPM internal private key with PolicyAuthValue + PolicyPCR authorization +# 4. get the corresponding public key from the engine +# 5. encode a message using the TPM key +# 6. verify the message through the public key +${tss_pcrreset_cmd} -ha 16 +${tss_pcrextend_cmd} -ha 16 -ic aaa +${bindir}/create_tpm2_key -a -k passw0rd key2.tpm -c policies/policy_authvalue_pcr.txt && \ +openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \ +echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \ +openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin + +## +# test is +# 1. reset PCR 16 +# 2. extend PCR 16 with 'aaa' +# 3. create TPM internal private key with PolicyPCR + PolicyAuthValue authorization +# 4. get the corresponding public key from the engine +# 5. encode a message using the TPM key +# 6. verify the message through the public key +${tss_pcrreset_cmd} -ha 16 +${tss_pcrextend_cmd} -ha 16 -ic aaa +${bindir}/create_tpm2_key -a -k passw0rd key2.tpm -c policies/policy_pcr_authvalue.txt && \ +openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \ +echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \ +openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin diff --git a/tests/policies/policy_authvalue.txt b/tests/policies/policy_authvalue.txt new file mode 100644 index 0000000..fb070ba --- /dev/null +++ b/tests/policies/policy_authvalue.txt @@ -0,0 +1 @@ +0000016b diff --git a/tests/policies/policy_authvalue_pcr.txt b/tests/policies/policy_authvalue_pcr.txt new file mode 100644 index 0000000..c5760d7 --- /dev/null +++ b/tests/policies/policy_authvalue_pcr.txt @@ -0,0 +1,2 @@ +0000016b +0000017f00000001000b030000012c28901f71751debfba3f3b5bf3be9c54b8b2f8c1411f2c117a0e838ee4e6c13 diff --git a/tests/policies/policy_pcr.txt b/tests/policies/policy_pcr.txt new file mode 100644 index 0000000..4313037 --- /dev/null +++ b/tests/policies/policy_pcr.txt @@ -0,0 +1 @@ +0000017f00000001000b030000012c28901f71751debfba3f3b5bf3be9c54b8b2f8c1411f2c117a0e838ee4e6c13 diff --git a/tests/policies/policy_pcr_authvalue.txt b/tests/policies/policy_pcr_authvalue.txt new file mode 100644 index 0000000..cb29f1e --- /dev/null +++ b/tests/policies/policy_pcr_authvalue.txt @@ -0,0 +1,2 @@ +0000017f00000001000b030000012c28901f71751debfba3f3b5bf3be9c54b8b2f8c1411f2c117a0e838ee4e6c13 +0000016b |