Tests for name algorithm fixes

The reason we didn't notice non-sha256 name algorithms didn't work on
import is because we didn't test them, so loop all the import tests
over different name algorithms to make sure we never regress here.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

2 files changed, 83 insertions, 67 deletions

diff --git a/tests/check_importable.sh b/tests/check_importable.sh
index 9725872..d30a8e2 100755
--- a/tests/check_importable.sh
+++ b/tests/check_importable.sh
@@ -6,21 +6,32 @@ bindir=${srcdir}/..
 prim=$(tsscreateprimary -ecc nistp256 -hi o -opem srk.pub | sed 's/Handle //') || exit 1
 tssflushcontext -ha ${prim} || exit 1
 
-# check an EC key with a cert and password
-openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out key.priv || exit 1
-${bindir}/create_tpm2_key --import srk.pub --wrap key.priv -a -k passw0rd key.tpm || exit 1
-openssl req -new -x509 -subj '/CN=test/' -key key.tpm -passin pass:passw0rd -engine tpm2 -keyform engine -out tmp.crt || exit 1
-openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || exit 1
+for n in sha1 sha256 sha384; do
+    echo "Checking Name Hash $n"
+    if [ "$n" = "sha256" ]; then
+	POLICYFILE=policies/policy_pcr.txt
+    else
+	POLICYFILE=policies/policy_pcr${n}.txt
+    fi
+    # check an EC key with a cert and password
+    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out key.priv || exit 1
+    ${bindir}/create_tpm2_key --import srk.pub --wrap key.priv -n ${n} -a -k passw0rd key.tpm || exit 1
+    openssl req -new -x509 -subj '/CN=test/' -key key.tpm -passin pass:passw0rd -engine tpm2 -keyform engine -out tmp.crt || exit 1
+    openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || exit 1
 
-# Check the loadability of an importable key
-NV=81000201
-${bindir}/load_tpm2_key key.tpm ${NV} || exit 1
-openssl req -new -x509 -subj '/CN=test/' -key //nvkey:${NV} -passin pass:passw0rd -engine tpm2 -keyform engine -out tmp.crt || exit 1
-openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || exit 1
-
-#check an RSA key with a cert and policy
-openssl genrsa 2048 > key.priv || exit 1
-${bindir}/create_tpm2_key --import srk.pub --wrap key.priv -a -k passw0rd -c policies/policy_authvalue.txt key.tpm || exit 1
-openssl req -new -x509 -subj '/CN=test/' -key key.tpm -passin pass:passw0rd -engine tpm2 -keyform engine -out tmp.crt || exit 1
-openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || exit 1
+    # Check the loadability of an importable key
+    NV=81000201
+    ${bindir}/load_tpm2_key key.tpm ${NV} || exit 1
+    openssl req -new -x509 -subj '/CN=test/' -key //nvkey:${NV} -passin pass:passw0rd -engine tpm2 -keyform engine -out tmp.crt || exit 1
+    openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || exit 1
+    tssevictcontrol -hi o -ho ${NV} -hp ${NV}
 
+    #check an RSA key with a cert and policy
+    openssl genrsa 2048 > key.priv || exit 1
+    tsspcrreset -ha 16
+    ${bindir}/create_tpm2_key --import srk.pub -n ${n} --wrap key.priv -c ${POLICYFILE} key.tpm || exit 1
+    openssl req -new -x509 -subj '/CN=test/' -key key.tpm -engine tpm2 -keyform engine -out tmp.crt && exit 1
+    tsspcrextend -ha 16 -ic aaa
+    openssl req -new -x509 -subj '/CN=test/' -key key.tpm -engine tpm2 -keyform engine -out tmp.crt || exit 1
+    openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || exit 1
+done
diff --git a/tests/seal_unseal.sh b/tests/seal_unseal.sh
index 53c1185..e677dc7 100755
--- a/tests/seal_unseal.sh
+++ b/tests/seal_unseal.sh
@@ -1,60 +1,65 @@
 #!/bin/bash
-set -x
 
 bindir=${srcdir}/..
 
-##
-# test is
-# 1. Verify that a standard key can't be unsealed
-# 2. seal a phrase
-# 3. recover the same phrase on unseal
-##
-DATA="This is some DATA"
-AUTH="Passw0rd"
-${bindir}/create_tpm2_key key.tpm || exit 1;
-${bindir}/unseal_tpm2_data key.tpm 2> /dev/null && exit 1;
-echo $DATA | ${bindir}/seal_tpm2_data -a -k ${AUTH} seal.tpm || exit 1;
-${bindir}/unseal_tpm2_data -k ${AUTH} seal.tpm | grep -q "${DATA}" || exit 1;
+for n in sha1 sha256 sha384; do
+    echo "Checking Name Hash $n"
+    ##
+    # test is
+    # 1. Verify that a standard key can't be unsealed
+    # 2. seal a phrase
+    # 3. recover the same phrase on unseal
+    ##
+    DATA="This is some DATA $n"
+    AUTH="Passw0rd"
+    ${bindir}/create_tpm2_key key.tpm || exit 1;
+    ${bindir}/unseal_tpm2_data key.tpm 2> /dev/null && exit 1;
+    echo $DATA | ${bindir}/seal_tpm2_data -n ${n} -a -k ${AUTH} seal.tpm || exit 1;
+    ${bindir}/unseal_tpm2_data -k ${AUTH} seal.tpm | grep -q "${DATA}" || exit 1;
 
-##
-# Check with policy
-# test is
-# 1. seal with a pcr lock and no auth
-# 2. verify unseal
-# 3. move PCR on and verify no unseal
-# 4. 1-3 with auth and pcr lock
-##
-echo $DATA | ${bindir}/seal_tpm2_data --pcr-lock 2,16 seal.tpm || exit 1;
-${bindir}/unseal_tpm2_data seal.tpm | grep -q "${DATA}" || exit 1;
-tsspcrextend -ha 16 -ic $RANDOM
-${bindir}/unseal_tpm2_data seal.tpm && exit 1
-echo $DATA | ${bindir}/seal_tpm2_data -a -k ${AUTH} --pcr-lock 2,16 seal.tpm || exit 1;
-${bindir}/unseal_tpm2_data -k ${AUTH} seal.tpm | grep -q "${DATA}" || exit 1;
-tsspcrextend -ha 16 -ic $RANDOM
-${bindir}/unseal_tpm2_data -k ${AUTH} seal.tpm && exit 1
+    ##
+    # Check with policy
+    # test is
+    # 1. seal with a pcr lock and no auth
+    # 2. verify unseal
+    # 3. move PCR on and verify no unseal
+    # 4. 1-3 with auth and pcr lock
+    ##
+    echo $DATA | ${bindir}/seal_tpm2_data -n ${n} --pcr-lock 2,16 seal.tpm || exit 1;
+    ${bindir}/unseal_tpm2_data seal.tpm | grep -q "${DATA}" || exit 1;
+    tsspcrextend -ha 16 -ic $RANDOM
+    ${bindir}/unseal_tpm2_data seal.tpm && exit 1
+    echo $DATA | ${bindir}/seal_tpm2_data -a -k ${AUTH} --pcr-lock 2,16 seal.tpm || exit 1;
+    ${bindir}/unseal_tpm2_data -k ${AUTH} seal.tpm | grep -q "${DATA}" || exit 1;
+    tsspcrextend -ha 16 -ic $RANDOM
+    ${bindir}/unseal_tpm2_data -k ${AUTH} seal.tpm && exit 1
 
-##
-# Check importable
-# test is
-# 1. create srk.pub as parent for import
-# 2. seal with password
-# 3. check unseal
-# 4. seal with policy
-# 5. check unseal
-# 6. update PCR and check unseal failure
+    ##
+    # Check importable
+    # test is
+    # 1. create srk.pub as parent for import
+    # 2. seal with password
+    # 3. check unseal
+    # 4. seal with policy
+    # 5. check unseal
+    # 6. update PCR and check unseal failure
+    DATA="Some Different DATA $n"
+    if [ "$n" = "sha256" ]; then
+	POLICYFILE="policies/policy_pcr.txt"
+    else
+	POLICYFILE="policies/policy_pcr${n}.txt"
+    fi
+    prim=$(tsscreateprimary -hi o -st -ecc nistp256 -opem srk.pub | sed 's/Handle //') || exit 1
+    tssflushcontext -ha $prim
+    TPM_INTERFACE_TYPE= echo $DATA | ${bindir}/seal_tpm2_data -n ${n} -a -k ${AUTH} --import srk.pub seal.tpm || exit 1;
+    ${bindir}/unseal_tpm2_data -k ${AUTH} seal.tpm | grep -q "${DATA}" || exit 1;
+    rm seal.tpm
 
-DATA="Some Different DATA"
-POLICYFILE="policies/policy_pcr.txt"
-prim=$(tsscreateprimary -hi o -st -ecc nistp256 -opem srk.pub | sed 's/Handle //') || exit 1
-tssflushcontext -ha $prim
-TPM_INTERFACE_TYPE= echo $DATA | ${bindir}/seal_tpm2_data -a -k ${AUTH} --import srk.pub seal.tpm || exit 1;
-${bindir}/unseal_tpm2_data -k ${AUTH} seal.tpm | grep -q "${DATA}" || exit 1;
-rm seal.tpm
-
-TPM_INTERFACE_TYPE= echo $DATA | ${bindir}/seal_tpm2_data --import srk.pub --policy ${POLICYFILE} seal.tpm || exit 1;
-tsspcrreset -ha 16
-${bindir}/unseal_tpm2_data -k ${AUTH} seal.tpm && exit 1
-tsspcrextend -ha 16 -ic aaa
-${bindir}/unseal_tpm2_data -k ${AUTH} seal.tpm | grep -q "${DATA}" || exit 1;
+    TPM_INTERFACE_TYPE= echo $DATA | ${bindir}/seal_tpm2_data -n ${n} --import srk.pub --policy ${POLICYFILE} seal.tpm || exit 1;
+    tsspcrreset -ha 16
+    ${bindir}/unseal_tpm2_data -k ${AUTH} seal.tpm && exit 1
+    tsspcrextend -ha 16 -ic aaa
+    ${bindir}/unseal_tpm2_data -k ${AUTH} seal.tpm | grep -q "${DATA}" || exit 1;
+done
 
 exit 0