author | Daiki Ueno <ueno@gnu.org> | 2021-11-14 07:12:38 +0000 |
committer | Daiki Ueno <ueno@gnu.org> | 2021-11-14 07:12:38 +0000 |
commit | a957c6c0b4abf6cb1c9756ef10e8b884cf7ae8aa (patch) | |
tree | 4c1891e3295b8250118feb113ad6f47b6205f822 /tests | |
parent | ce730c61808c38f318297835d7a3f159a202b820 (diff) | |
parent | 42bff24a6423f45bcfc2d03ed075916bfd6077be (diff) | |
download | gnutls-a957c6c0b4abf6cb1c9756ef10e8b884cf7ae8aa.tar.gz |
Merge branch 'wip/dueno/tpm2' into 'master'
Port openconnect TPM2 code
Closes #594
See merge request gnutls/gnutls!1460
Diffstat (limited to 'tests')
-rw-r--r-- | tests/Makefile.am | 4 | ||||
-rwxr-xr-x | tests/tpm2.sh | 221 |
2 files changed, 225 insertions, 0 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 14427d67db..e9ee9e9de2 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -490,6 +490,10 @@ endif
 dist_check_SCRIPTS = rfc2253-escape-test.sh rsa-md5-collision/rsa-md5-collision.sh systemkey.sh
+if ENABLE_TPM2
+dist_check_SCRIPTS += tpm2.sh
+endif
+
 if !WINDOWS
 #
diff --git a/tests/tpm2.sh b/tests/tpm2.sh
new file mode 100755
index 0000000000..854986c552
--- /dev/null
+++ b/tests/tpm2.sh
@@ -0,0 +1,221 @@
+#!/bin/sh
+
+# Copyright (C) 2018-2019 IBM Corporation
+# Copyright (C) 2019,2021 Red Hat, Inc.
+#
+# Author: Stefan Berger, Nikos Mavrogiannopoulos, Daiki Ueno
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+set +e
+
+: ${srcdir=.}
+: ${CERTTOOL=../src/certtool${EXEEXT}}
+KEYPEMFILE=tpmkey.$$.key.pem
+CTXFILE=tpmkey.$$.ctx
+
+if ! test -x "${CERTTOOL}"; then
+ exit 77
+fi
+
+if [ -z "$(which swtpm 2>/dev/null)" ]; then
+ echo "Need swtpm package to run this test."
+ exit 77
+fi
+
+if [ -z "$(which ncat 2>/dev/null)" ]; then
+ echo "Need ncat from nmap-ncat package to run this test."
+ exit 77
+fi
+
+if [ -z "$(which tpm2_startup 2>/dev/null)" ]; then
+ echo "Need tpm2_startup from tpm2-tools package to run this test."
+ exit 77
+fi
+
+if [ -z "$(which base64 2>/dev/null)" ]; then
+ echo "Need the base64 tool to run this test."
+ exit 77
+fi
+
+if [ -z "$(which tpm2tss-genkey 2>/dev/null)" ]; then
+ echo "Need tpm2tss-genkey from tpm2-tss-engine package to run this test."
+ exit 77
+fi
+
+. "${srcdir}/scripts/common.sh"
+
+workdir=$(mktemp -d)
+
+PORT=2321
+SWTPM_SERVER_PORT=$PORT
+echo "Server port: $PORT"
+SWTPM_CTRL_PORT=$((SWTPM_SERVER_PORT + 1)) # fake port used by ncat only
+echo "Ncat port: $SWTPM_CTRL_PORT"
+echo "Directory: $workdir"
+
+SWTPM_PIDFILE=${workdir}/swtpm.pid
+
+eval "${GETPORT}"
+
+TCSD_LISTEN_PORT=$PORT
+export TSS_TCSD_PORT=$TCSD_LISTEN_PORT
+echo "TCSD port: $PORT"
+
+export TPM2TOOLS_TCTI="mssim:host=127.0.0.1,port=${SWTPM_SERVER_PORT}"
+export TPM2TSSENGINE_TCTI="$TPM2TOOLS_TCTI"
+export TPM20TEST_TCTI_NAME="socket"
+export TPM20TEST_SOCKET_PORT=${SWTPM_SERVER_PORT}
+export TPM20TEST_SOCKET_ADDRESS="127.0.0.1"
+
+cleanup()
+{
+ echo "Cleaning up"
+ stop_swtpm
+ rm -f ${KEYPEMFILE}
+ if [ -n "$workdir" ]; then
+ rm -rf $workdir
+ fi
+}
+
+start_swtpm()
+{
+ local workdir="$1"
+
+ local res
+
+ echo ""
+ echo " - Starting swtpm"
+
+ swtpm socket \
+ --tpm2 \
+ --flags not-need-init \
+ --pid file=$SWTPM_PIDFILE \
+ --tpmstate dir=$workdir \
+ --server type=tcp,bindaddr=127.0.0.1,port=$SWTPM_SERVER_PORT &
+
+ if wait_for_file $SWTPM_PIDFILE 3; then
+ echo "Starting the swtpm failed"
+ return 1
+ fi
+
+ echo " - Starting ncat"
+
+ SWTPM_PID=$(cat $SWTPM_PIDFILE)
+ kill -0 ${SWTPM_PID}
+ if [ $? -ne 0 ]; then
+ echo "swtpm must have terminated"
+ return 1
+ fi
+
+ ncat -l ${SWTPM_CTRL_PORT} \
+ -k -c "xargs --null -n1 printf '\x00\x00\x00\x00'" &>/dev/null &
+ if [ $? -ne 0 ]; then
+ echo "Could not start ncat"
+ stop_swtpm
+ return 1
+ fi
+ NCAT_PID=$!
+ sleep 1
+ kill -0 ${NCAT_PID}
+ if [ $? -ne 0 ]; then
+ echo "ncat must have been terminated"
+ stop_swtpm
+ return 1
+ fi
+
+ echo " - Running tpm2_startup"
+ msg=$(tpm2_startup -V -c 2>&1)
+ if [ $? -ne 0 ]; then
+ echo "TPM2_Startup() failed"
+ echo "${msg}"
+ stop_swtpm
+ return 1
+ fi
+
+ echo " - Startup completed"
+ sleep 1
+
+ return 0
+}
+
+stop_swtpm()
+{
+ if [ -n "${SWTPM_PID}" ]; then
+ echo terminate_proc ${SWTPM_PID}
+ terminate_proc ${SWTPM_PID}
+ unset SWTPM_PID
+ fi
+
+ if [ -n "${NCAT_PID}" ]; then
+ terminate_proc ${NCAT_PID}
+ unset NCAT_PID
+ fi
+}
+
+run_tests()
+{
+ local workdir="$1"
+ local OPASS=12345678
+ local EPASS=23456789
+ local LPASS=34567890
+# local OBJPASS=012345
+ local kalg=$2
+
+ [ -z "$workdir" ] && {
+ echo "No workdir"
+ return 1
+ }
+
+ start_swtpm $workdir
+
+ echo " - Set owner authorization"
+ tpm2_changeauth -c owner ${OPASS}
+ echo " - Set endorsement authorization"
+ tpm2_changeauth -c endorsement ${EPASS}
+ echo " - Set lockout authorization"
+ tpm2_changeauth -c lockout ${LPASS}
+
+ echo " - Generating ${KEYPEMFILE}"
+ tpm2tss-genkey -a ${kalg} -o ${OPASS} ${KEYPEMFILE}
+ cat ${KEYPEMFILE}
+
+ echo " - Generating certificate based on key"
+
+ export GNUTLS_PIN=${OPASS}
+ "${CERTTOOL}" --generate-self-signed -d 3 \
+ --load-privkey "${KEYPEMFILE}" \
+ --template "${srcdir}/cert-tests/templates/template-test.tmpl"
+
+ if test "${kalg}" = "rsa";then
+ echo " - Generating RSA-PSS certificate based on key"
+ "${CERTTOOL}" --generate-self-signed -d 3 \
+ --load-privkey "${KEYPEMFILE}" \
+ --sign-params rsa-pss \
+ --template "${srcdir}/cert-tests/templates/template-test.tmpl"
+ fi
+
+ stop_swtpm
+ echo "Ok"
+
+ return 0
+}
+
+trap "cleanup" EXIT QUIT
+
+run_tests "$workdir" ecdsa
+run_tests "$workdir" rsa
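Review bot: run_tests can never report a failure: the script runs under `set +e`, the exit statuses of tpm2_changeauth, tpm2tss-genkey and both certtool invocations are discarded, `start_swtpm $workdir` is called without checking its result, and run_tests ends in `return 0`, so the last top-level `run_tests "$workdir" rsa` makes the script exit 0 even when key generation or signing with the TPM fails. I would add `start_swtpm "$workdir" || return 1`, append `|| { stop_swtpm; return 1; }` to the genkey and certtool calls, and change the two top-level calls to `run_tests "$workdir" ecdsa || exit 1` and `run_tests "$workdir" rsa || exit 1`. Separately, the ncat line in start_swtpm uses the bash-only `&>/dev/null` under `#!/bin/sh`; a POSIX sh parses it as `ncat … &` followed by a second backgrounded redirection, so the `$!` read into NCAT_PID need not be ncat's PID and stop_swtpm may leave the listener running — `>/dev/null 2>&1 &` is the portable form. The `local` keyword used throughout is likewise not POSIX, though dash and most /bin/sh implementations accept it.
```sh
	ncat -l ${SWTPM_CTRL_PORT} \
		-k -c "xargs --null -n1 printf '\x00\x00\x00\x00'" >/dev/null 2>&1 &
# … unchanged: rest of start_swtpm, stop_swtpm, start of run_tests …
	start_swtpm "$workdir" || return 1
	# … unchanged: tpm2_changeauth calls …
	tpm2tss-genkey -a ${kalg} -o ${OPASS} ${KEYPEMFILE} || { stop_swtpm; return 1; }
	# … unchanged: cat, echo, export GNUTLS_PIN …
	"${CERTTOOL}" --generate-self-signed -d 3 \
		--load-privkey "${KEYPEMFILE}" \
		--template "${srcdir}/cert-tests/templates/template-test.tmpl" || { stop_swtpm; return 1; }
	# … unchanged: rsa-pss branch, with the same "|| { stop_swtpm; return 1; }" on its certtool call …
# … unchanged: stop_swtpm, "Ok", trap …
run_tests "$workdir" ecdsa || exit 1
run_tests "$workdir" rsa || exit 1
```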