summaryrefslogtreecommitdiffstats
path: root/tests/tpm2.sh
diff options
context:
space:
mode:
Diffstat (limited to '')
-rwxr-xr-xtests/tpm2.sh231
1 files changed, 231 insertions, 0 deletions
diff --git a/tests/tpm2.sh b/tests/tpm2.sh
new file mode 100755
index 0000000..6f8e44c
--- /dev/null
+++ b/tests/tpm2.sh
@@ -0,0 +1,231 @@
+#!/bin/sh
+
+# Copyright (C) 2018-2019 IBM Corporation
+# Copyright (C) 2019,2021 Red Hat, Inc.
+#
+# Author: Stefan Berger, Nikos Mavrogiannopoulos, Daiki Ueno
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+: ${srcdir=.}
+: ${CERTTOOL=../src/certtool${EXEEXT}}
+KEYPEMFILE=tpmkey.$$.key.pem
+CTXFILE=tpmkey.$$.ctx
+
+if ! test -x "${CERTTOOL}"; then
+ exit 77
+fi
+
+if [ -z "$(which swtpm 2>/dev/null)" ]; then
+ echo "Need swtpm package to run this test."
+ exit 77
+fi
+
+if [ -z "$(which ncat 2>/dev/null)" ]; then
+ echo "Need ncat from nmap-ncat package to run this test."
+ exit 77
+fi
+
+if [ -z "$(which tpm2_startup 2>/dev/null)" ]; then
+ echo "Need tpm2_startup from tpm2-tools package to run this test."
+ exit 77
+fi
+
+if [ -z "$(which base64 2>/dev/null)" ]; then
+ echo "Need the base64 tool to run this test."
+ exit 77
+fi
+
+if [ -z "$(which tpm2tss-genkey 2>/dev/null)" ]; then
+ echo "Need tpm2tss-genkey from tpm2-tss-engine package to run this test."
+ exit 77
+fi
+
+. "${srcdir}/scripts/common.sh"
+
+workdir=$(mktemp -d)
+
+PORT=2321
+SWTPM_SERVER_PORT=$PORT
+echo "Server port: $PORT"
+SWTPM_CTRL_PORT=$((SWTPM_SERVER_PORT + 1)) # fake port used by ncat only
+echo "Ncat port: $SWTPM_CTRL_PORT"
+echo "Directory: $workdir"
+
+SWTPM_PIDFILE=${workdir}/swtpm.pid
+
+eval "${GETPORT}"
+
+TCSD_LISTEN_PORT=$PORT
+export TSS_TCSD_PORT=$TCSD_LISTEN_PORT
+echo "TCSD port: $PORT"
+
+export TPM2TOOLS_TCTI="mssim:host=127.0.0.1,port=${SWTPM_SERVER_PORT}"
+export TPM2TSSENGINE_TCTI="$TPM2TOOLS_TCTI"
+export TPM20TEST_TCTI_NAME="socket"
+export TPM20TEST_SOCKET_PORT=${SWTPM_SERVER_PORT}
+export TPM20TEST_SOCKET_ADDRESS="127.0.0.1"
+
+cleanup()
+{
+ echo "Cleaning up"
+ stop_swtpm
+ rm -f ${KEYPEMFILE}
+ if [ -n "$workdir" ]; then
+ rm -rf $workdir
+ fi
+}
+
+start_swtpm()
+{
+ local workdir="$1"
+
+ local res
+
+ echo ""
+ echo " - Starting swtpm"
+
+ swtpm socket \
+ --tpm2 \
+ --flags not-need-init \
+ --pid file=$SWTPM_PIDFILE \
+ --tpmstate dir=$workdir \
+ --server type=tcp,bindaddr=127.0.0.1,port=$SWTPM_SERVER_PORT &
+
+ if wait_for_file $SWTPM_PIDFILE 3; then
+ echo "Starting the swtpm failed"
+ return 1
+ fi
+
+ echo " - Starting ncat"
+
+ SWTPM_PID=$(cat $SWTPM_PIDFILE)
+ kill -0 ${SWTPM_PID}
+ if [ $? -ne 0 ]; then
+ echo "swtpm must have terminated"
+ return 1
+ fi
+
+ ncat -l ${SWTPM_CTRL_PORT} \
+ -k -c "xargs --null -n1 printf '\x00\x00\x00\x00'" &>/dev/null &
+ if [ $? -ne 0 ]; then
+ echo "Could not start ncat"
+ stop_swtpm
+ return 1
+ fi
+ NCAT_PID=$!
+ sleep 1
+ kill -0 ${NCAT_PID}
+ if [ $? -ne 0 ]; then
+ echo "ncat must have been terminated"
+ stop_swtpm
+ return 1
+ fi
+
+ echo " - Running tpm2_startup"
+ msg=$(tpm2_startup -V -c 2>&1)
+ if [ $? -ne 0 ]; then
+ echo "TPM2_Startup() failed"
+ echo "${msg}"
+ stop_swtpm
+ return 1
+ fi
+
+ echo " - Startup completed"
+ sleep 1
+
+ return 0
+}
+
+stop_swtpm()
+{
+ if [ -n "${SWTPM_PID}" ]; then
+ echo terminate_proc ${SWTPM_PID}
+ terminate_proc ${SWTPM_PID}
+ unset SWTPM_PID
+ fi
+
+ if [ -n "${NCAT_PID}" ]; then
+ terminate_proc ${NCAT_PID}
+ unset NCAT_PID
+ fi
+}
+
+run_tests()
+{
+ local workdir="$1"
+ local OPASS=12345678
+ local EPASS=23456789
+ local LPASS=34567890
+# local OBJPASS=012345
+ local kalg=$2
+
+ [ -z "$workdir" ] && {
+ echo "No workdir"
+ return 1
+ }
+
+ start_swtpm $workdir
+
+ echo " - Set owner authorization"
+ tpm2_changeauth -c owner ${OPASS}
+ echo " - Set endorsement authorization"
+ tpm2_changeauth -c endorsement ${EPASS}
+ echo " - Set lockout authorization"
+ tpm2_changeauth -c lockout ${LPASS}
+
+ echo " - Generating ${KEYPEMFILE}"
+ tpm2tss-genkey -a ${kalg} -o ${OPASS} ${KEYPEMFILE}
+ if [ $? -ne 0 ]; then
+ echo "unable to generate key"
+ return 1
+ fi
+ cat ${KEYPEMFILE}
+
+ echo " - Generating certificate based on key"
+
+ export GNUTLS_PIN=${OPASS}
+ "${CERTTOOL}" --generate-self-signed -d 3 \
+ --load-privkey "${KEYPEMFILE}" \
+ --template "${srcdir}/cert-tests/templates/template-test.tmpl"
+ if [ $? -ne 0 ]; then
+ echo "unable to generate certificate"
+ return 1
+ fi
+
+ if test "${kalg}" = "rsa";then
+ echo " - Generating RSA-PSS certificate based on key"
+ "${CERTTOOL}" --generate-self-signed -d 3 \
+ --load-privkey "${KEYPEMFILE}" \
+ --sign-params rsa-pss \
+ --template "${srcdir}/cert-tests/templates/template-test.tmpl"
+ if [ $? -ne 0 ]; then
+ echo "unable to generate certificate"
+ return 1
+ fi
+ fi
+
+ stop_swtpm
+ echo "Ok"
+
+ return 0
+}
+
+trap "cleanup" EXIT QUIT
+
+run_tests "$workdir" ecdsa
+run_tests "$workdir" rsa