openssl_tpm2_engine: add tests for enhanced authorization

Add tests for enhanced authorization:

1) PolicyAuthValue
2) PolicyPCR
3) PolicyAuthValue + PolicyPCR
4) PolicyPCR + PolicyAuthValue

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

6 files changed, 91 insertions, 0 deletions

diff --git a/tests/Makefile.am b/tests/Makefile.am
index e434272..d9713d1 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -14,6 +14,7 @@ TESTS = fail_connect.sh \
 	create_non_tpm_keys.sh \
 	da_check.sh \
 	test_nv_key.sh \
+	check_enhanced_auth.sh \
 	stop_sw_tpm.sh
 
 AM_TESTS_ENVIRONMENT = TPM_INTERFACE_TYPE=socsim; \
diff --git a/tests/check_enhanced_auth.sh b/tests/check_enhanced_auth.sh
new file mode 100755
index 0000000..e8ab9d8
--- /dev/null
+++ b/tests/check_enhanced_auth.sh
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+bindir=${srcdir}/..
+
+tss_pcrreset_cmd=/usr/bin/tsspcrreset
+tss_pcrextend_cmd=/usr/bin/tsspcrextend
+
+if [ ! -e ${tss_pcrreset_cmd} ] || [ ! -e ${tss_pcrextend_cmd} ]; then
+    echo "TSS utils not found, please specify the correct path."
+    exit 1
+fi
+
+##
+# test is
+# 1. create TPM internal private key with PolicyAuthValue authorization
+# 2. get the corresponding public key from the engine
+# 3. encode a message using the TPM key
+# 4. verify the message through the public key
+${bindir}/create_tpm2_key -a -k passw0rd key2.tpm -c policies/policy_authvalue.txt && \
+openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
+echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
+openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin
+
+##
+# test is
+# 1. reset PCR 16
+# 2. extend PCR 16 with 'aaa'
+# 3. create TPM internal private key with PolicyPCR authorization (PCR 16 extended with 'aaa')
+# 4. get the corresponding public key from the engine
+# 5. encode a message using the TPM key
+# 6. verify the message through the public key
+${tss_pcrreset_cmd} -ha 16
+${tss_pcrextend_cmd} -ha 16 -ic aaa
+${bindir}/create_tpm2_key key2.tpm -c policies/policy_pcr.txt && \
+openssl rsa -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub && \
+echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \
+openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin
+
+##
+# test is
+# 1. reset PCR 16
+# 2. create TPM internal private key with PolicyPCR authorization (should fail because PCR 16 does not have the correct value)
+# 3. get the corresponding public key from the engine
+# 4. encode a message using the TPM key
+# 5. verify the message through the public key
+${tss_pcrreset_cmd} -ha 16
+${bindir}/create_tpm2_key key2.tpm -c policies/policy_pcr.txt
+openssl rsa -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub && \
+echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \
+openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin
+if [ $? -ne 1 ]; then
+    echo "TPM key should not be accessible"
+    exit 1
+fi
+
+##
+# test is
+# 1. reset PCR 16
+# 2. extend PCR 16 with 'aaa'
+# 3. create TPM internal private key with PolicyAuthValue + PolicyPCR authorization
+# 4. get the corresponding public key from the engine
+# 5. encode a message using the TPM key
+# 6. verify the message through the public key
+${tss_pcrreset_cmd} -ha 16
+${tss_pcrextend_cmd} -ha 16 -ic aaa
+${bindir}/create_tpm2_key -a -k passw0rd key2.tpm -c policies/policy_authvalue_pcr.txt && \
+openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
+echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
+openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin
+
+##
+# test is
+# 1. reset PCR 16
+# 2. extend PCR 16 with 'aaa'
+# 3. create TPM internal private key with PolicyPCR + PolicyAuthValue authorization
+# 4. get the corresponding public key from the engine
+# 5. encode a message using the TPM key
+# 6. verify the message through the public key
+${tss_pcrreset_cmd} -ha 16
+${tss_pcrextend_cmd} -ha 16 -ic aaa
+${bindir}/create_tpm2_key -a -k passw0rd key2.tpm -c policies/policy_pcr_authvalue.txt && \
+openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
+echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
+openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin
diff --git a/tests/policies/policy_authvalue.txt b/tests/policies/policy_authvalue.txt
new file mode 100644
index 0000000..fb070ba
--- /dev/null
+++ b/tests/policies/policy_authvalue.txt
@@ -0,0 +1 @@
+0000016b
diff --git a/tests/policies/policy_authvalue_pcr.txt b/tests/policies/policy_authvalue_pcr.txt
new file mode 100644
index 0000000..c5760d7
--- /dev/null
+++ b/tests/policies/policy_authvalue_pcr.txt
@@ -0,0 +1,2 @@
+0000016b
+0000017f00000001000b030000012c28901f71751debfba3f3b5bf3be9c54b8b2f8c1411f2c117a0e838ee4e6c13
diff --git a/tests/policies/policy_pcr.txt b/tests/policies/policy_pcr.txt
new file mode 100644
index 0000000..4313037
--- /dev/null
+++ b/tests/policies/policy_pcr.txt
@@ -0,0 +1 @@
+0000017f00000001000b030000012c28901f71751debfba3f3b5bf3be9c54b8b2f8c1411f2c117a0e838ee4e6c13
diff --git a/tests/policies/policy_pcr_authvalue.txt b/tests/policies/policy_pcr_authvalue.txt
new file mode 100644
index 0000000..cb29f1e
--- /dev/null
+++ b/tests/policies/policy_pcr_authvalue.txt
@@ -0,0 +1,2 @@
+0000017f00000001000b030000012c28901f71751debfba3f3b5bf3be9c54b8b2f8c1411f2c117a0e838ee4e6c13
+0000016b