authorJames Bottomley <James.Bottomley@HansenPartnership.com>2018-11-07 08:16:38 -0800
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2018-11-12 21:11:41 -0800
commitd273032c8f756a04bcfa98aea54c0241c0b0eed9 (patch)
treecf0bb99366e59952ad1232f7929e84414a905efb
parent5823c84636fa6fadbf13a675625fad80bcbf3e1a (diff)
downloadopenssl_tpm2_engine-d273032c8f756a04bcfa98aea54c0241c0b0eed9.tar.gz
check_enhanced_auth.sh: add loop over name algorithm type
This test checks two things: first, that we get the policy right with different name algorithms, and second, that the name algorithm is actually specified correctly. This works because with policyPCR the hash of the expected policy registers has to be done with the name algorithm hash, so we'll get a mismatch here if either the name algorithm is wrong or the policy parsing fails.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rwxr-xr-xtests/check_enhanced_auth.sh154
-rw-r--r--tests/policies/policy_authvalue_pcr.txt2
-rw-r--r--tests/policies/policy_pcr_authvalue.txt2
-rw-r--r--tests/policies/policy_pcrsha1.txt1
-rw-r--r--tests/policies/policy_pcrsha384.txt1
5 files changed, 85 insertions, 75 deletions
diff --git a/tests/check_enhanced_auth.sh b/tests/check_enhanced_auth.sh
index 7006387..8c25ed3 100755
--- a/tests/check_enhanced_auth.sh
+++ b/tests/check_enhanced_auth.sh
@@ -2,10 +2,12 @@
bindir=${srcdir}/..
-tss_pcrreset_cmd=/usr/bin/tsspcrreset
-tss_pcrextend_cmd=/usr/bin/tsspcrextend
+tss_pcrreset_cmd=tsspcrreset
+tss_pcrextend_cmd=tsspcrextend
-if [ ! -e ${tss_pcrreset_cmd} ] || [ ! -e ${tss_pcrextend_cmd} ]; then
+if which ${tss_pcrreset_cmd} && which ${tss_pcrextend_cmd}; then
+ :
+else
echo "TSS utils not found, please specify the correct path."
exit 1
fi
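Review bot: The new lookup uses `which`, which is not a POSIX utility and prints the resolved paths into the test output; `command -v` with its output discarded is the portable form. Negating the test also removes the empty `:` branch: `if ! command -v "${tss_pcrreset_cmd}" >/dev/null || ! command -v "${tss_pcrextend_cmd}" >/dev/null; then`. Because the tools are now resolved through PATH rather than fixed to /usr/bin, the message "please specify the correct path" no longer says what the user has to do; something like `echo "TSS utils not found in PATH"` would match the new behaviour. The hunk starts at line 2 of the script, so the shebang is not visible here and the shell in use should be confirmed.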
@@ -20,75 +22,85 @@ a=0; while [ $a -lt 5 ]; do
echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && exit 1
done
-##
-# test is
-# 1. create TPM internal private key with PolicyAuthValue authorization
-# 2. get the corresponding public key from the engine
-# 3. encode a message using the TPM key
-# 4. verify the message through the public key
-${bindir}/create_tpm2_key -a -k passw0rd key2.tpm -c policies/policy_authvalue.txt && \
-openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
-echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
-openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin || exit 1
+for h in "sha1" "" "sha384"; do
+ echo "Testing Name Parameter: ${h}"
+ if [ -n "${h}" ]; then
+ n="-n ${h}"
+ else
+ n=""
+ fi
+ ##
+ # test is
+ # 1. create TPM internal private key with PolicyAuthValue authorization
+ # 2. get the corresponding public key from the engine
+ # 3. encode a message using the TPM key
+ # 4. verify the message through the public key
+ ${bindir}/create_tpm2_key ${n} -a -k passw0rd key2.tpm -c policies/policy_authvalue.txt && \
+ openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
+ echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
+ openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin || exit 1
-##
-# test is
-# 1. reset PCR 16
-# 2. extend PCR 16 with 'aaa'
-# 3. create TPM internal private key with PolicyPCR authorization (PCR 16 extended with 'aaa')
-# 4. get the corresponding public key from the engine
-# 5. encode a message using the TPM key
-# 6. verify the message through the public key
-${tss_pcrreset_cmd} -ha 16
-${tss_pcrextend_cmd} -ha 16 -ic aaa
-${bindir}/create_tpm2_key key2.tpm -c policies/policy_pcr.txt && \
-openssl rsa -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub && \
-echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \
-openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin || exit 1
+ ##
+ # test is
+ # 1. reset PCR 16
+ # 2. extend PCR 16 with 'aaa'
+ # 3. create TPM internal private key with PolicyPCR authorization (PCR 16 extended with 'aaa')
+ # 4. get the corresponding public key from the engine
+ # 5. encode a message using the TPM key
+ # 6. verify the message through the public key
+ ${tss_pcrreset_cmd} -ha 16
+ ${tss_pcrextend_cmd} -ha 16 -ic aaa
+ ${bindir}/create_tpm2_key ${n} key2.tpm -c policies/policy_pcr${h}.txt && \
+ openssl rsa -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub && \
+ echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \
+ openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin || exit 1
-##
-# test is
-# 1. reset PCR 16
-# 2. create TPM internal private key with PolicyPCR authorization (should fail because PCR 16 does not have the correct value)
-# 3. get the corresponding public key from the engine
-# 4. encode a message using the TPM key
-# 5. verify the message through the public key
-${tss_pcrreset_cmd} -ha 16
-${bindir}/create_tpm2_key key2.tpm -c policies/policy_pcr.txt
-openssl rsa -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub && \
-echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \
-openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin
-if [ $? -ne 1 ]; then
- echo "TPM key should not be accessible"
- exit 1
-fi
+ ##
+ # test is
+ # 1. reset PCR 16
+ # 2. create TPM internal private key with PolicyPCR authorization (should fail because PCR 16 does not have the correct value)
+ # 3. get the corresponding public key from the engine
+ # 4. encode a message using the TPM key
+ # 5. verify the message through the public key
+ ${tss_pcrreset_cmd} -ha 16
+ ${bindir}/create_tpm2_key ${n} key2.tpm -c policies/policy_pcr${h}.txt
+ openssl rsa -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub && \
+ echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \
+ openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin
+ if [ $? -ne 1 ]; then
+ echo "TPM key should not be accessible"
+ exit 1
+ fi
-##
-# test is
-# 1. reset PCR 16
-# 2. extend PCR 16 with 'aaa'
-# 3. create TPM internal private key with PolicyAuthValue + PolicyPCR authorization
-# 4. get the corresponding public key from the engine
-# 5. encode a message using the TPM key
-# 6. verify the message through the public key
-${tss_pcrreset_cmd} -ha 16
-${tss_pcrextend_cmd} -ha 16 -ic aaa
-${bindir}/create_tpm2_key -a -k passw0rd key2.tpm -c policies/policy_authvalue_pcr.txt && \
-openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
-echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
-openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin || exit 1
+ ##
+ # test is
+ # 1. reset PCR 16
+ # 2. extend PCR 16 with 'aaa'
+ # 3. create TPM internal private key with PolicyAuthValue + PolicyPCR authorization
+ # 4. get the corresponding public key from the engine
+ # 5. encode a message using the TPM key
+ # 6. verify the message through the public key
+ cat policies/policy_authvalue.txt policies/policy_pcr${h}.txt > policy_authvalue_pcr.txt
+ ${tss_pcrreset_cmd} -ha 16
+ ${tss_pcrextend_cmd} -ha 16 -ic aaa
+ ${bindir}/create_tpm2_key ${n} -a -k passw0rd key2.tpm -c policy_authvalue_pcr.txt && \
+ openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
+ echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
+ openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin || exit 1
-##
-# test is
-# 1. reset PCR 16
-# 2. extend PCR 16 with 'aaa'
-# 3. create TPM internal private key with PolicyPCR + PolicyAuthValue authorization
-# 4. get the corresponding public key from the engine
-# 5. encode a message using the TPM key
-# 6. verify the message through the public key
-${tss_pcrreset_cmd} -ha 16
-${tss_pcrextend_cmd} -ha 16 -ic aaa
-${bindir}/create_tpm2_key -a -k passw0rd key2.tpm -c policies/policy_pcr_authvalue.txt && \
-openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
-echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
-openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin
+ ##
+ # test is
+ # 1. reset PCR 16
+ # 2. extend PCR 16 with 'aaa'
+ # 3. create TPM internal private key with PolicyPCR + PolicyAuthValue authorization
+ # 4. get the corresponding public key from the engine
+ # 5. encode a message using the TPM key
+ # 6. verify the message through the public key
+ cat policies/policy_pcr${h}.txt policies/policy_authvalue.txt > policy_pcr_authvalue.txt
+ ${tss_pcrreset_cmd} -ha 16
+ ${tss_pcrextend_cmd} -ha 16 -ic aaa
+ ${bindir}/create_tpm2_key ${n} -a -k passw0rd key2.tpm -c policy_pcr_authvalue.txt && \
+ openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
+ echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
+ openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin || exit 1
+done
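Review bot: In the negative PolicyPCR test inside the loop (the block that ends with `if [ $? -ne 1 ]`), the exit status of `create_tpm2_key` is not checked. If key creation fails for one of the name algorithms, the following openssl steps run against the key2.tpm left behind by the previous test, and the expected failure is still observed without the new key ever being exercised. Changing that line to `${bindir}/create_tpm2_key ${n} key2.tpm -c policies/policy_pcr${h}.txt || exit 1` pins the failure to the use of the freshly created key. The `$?` that is tested belongs to the whole `&&` chain, so a failure in `openssl rsa ... -pubout` counts the same as the TPM refusing the sign step; presumably only the sign step is meant to fail, and step 2 of the comment ("should fail because PCR 16 does not have the correct value") would be clearer attached to step 4. The `tsspcrreset`/`tsspcrextend` calls and the two `cat ... >` lines are likewise unchecked, and the generated policy_authvalue_pcr.txt and policy_pcr_authvalue.txt are left in the working directory.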
diff --git a/tests/policies/policy_authvalue_pcr.txt b/tests/policies/policy_authvalue_pcr.txt
deleted file mode 100644
index c5760d7..0000000
--- a/tests/policies/policy_authvalue_pcr.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-0000016b
-0000017f00000001000b030000012c28901f71751debfba3f3b5bf3be9c54b8b2f8c1411f2c117a0e838ee4e6c13
diff --git a/tests/policies/policy_pcr_authvalue.txt b/tests/policies/policy_pcr_authvalue.txt
deleted file mode 100644
index cb29f1e..0000000
--- a/tests/policies/policy_pcr_authvalue.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-0000017f00000001000b030000012c28901f71751debfba3f3b5bf3be9c54b8b2f8c1411f2c117a0e838ee4e6c13
-0000016b
diff --git a/tests/policies/policy_pcrsha1.txt b/tests/policies/policy_pcrsha1.txt
new file mode 100644
index 0000000..d99d898
--- /dev/null
+++ b/tests/policies/policy_pcrsha1.txt
@@ -0,0 +1 @@
+0000017f00000001000b0300000103b422070c933d5b86cb1bf840950e59ff5b9d11
diff --git a/tests/policies/policy_pcrsha384.txt b/tests/policies/policy_pcrsha384.txt
new file mode 100644
index 0000000..572fe48
--- /dev/null
+++ b/tests/policies/policy_pcrsha384.txt
@@ -0,0 +1 @@
+0000017f00000001000b03000001c301083bfa6a2bd3fa627705bb4e5ff7d1d317516815ce1416cd0f4c203d2fd92ad0eecd6e80a0c77217e6932b7f092c