From 8c4b19bac16176c6c439768616c137bbae1e9ffa Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Wed, 8 Apr 2026 22:38:57 -0400 Subject: [PATCH 1/5] build-sys: Require OpenSSL's libcrypto >= v3.5 for ML-KEM & ML-DSA support Require that OpenSSL's libcrypto >= v3.5 is available since ML-KEM and ML-DSA support was added in this version. Signed-off-by: Stefan Berger --- configure.ac | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/configure.ac b/configure.ac index a1cde33e0..e55ce892e 100644 --- a/configure.ac +++ b/configure.ac @@ -115,13 +115,8 @@ AC_ARG_WITH([openssl], []) AS_CASE([$cryptolib],[openssl], - [PKG_CHECK_MODULES([LIBCRYPTO],[libcrypto]) - AC_CHECK_LIB(crypto, - [AES_set_encrypt_key], - [true], - AC_MSG_ERROR(Faulty openssl crypto library) - ) - AC_CHECK_HEADERS([openssl/aes.h],[], + [PKG_CHECK_MODULES([LIBCRYPTO],[libcrypto >= 3.5]) + AC_CHECK_HEADERS([openssl/obj_mac.h],[], AC_MSG_ERROR(Is openssl-devel/libssl-dev installed?)) AC_MSG_RESULT([Building with openssl crypto library]) From c968042b2beeacf8455d969a408eeb4596fc73ae Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Wed, 8 Apr 2026 22:40:51 -0400 Subject: [PATCH 2/5] CI: Require Ubuntu 26.04 with OpenSSL >= v3.5 for all test runners Since swtpm now needs OpenSSL >= v3.5, upgrade the requirement for Ubuntu to 26.04. Signed-off-by: Stefan Berger --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fb160af8a..35bc72e90 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,7 +6,7 @@ on: jobs: test-distcheck: - runs-on: ubuntu-24.04 + runs-on: ubuntu-26.04 env: PREFIX: "/usr" CONFIG: "--with-openssl --prefix=/usr" @@ -20,7 +20,7 @@ jobs: uses: ./.github/actions/test-swtpm test-coveralls: - runs-on: ubuntu-24.04 + runs-on: ubuntu-26.04 env: PREFIX: "/usr" CONFIG: "--with-openssl --prefix=/usr --enable-test-coverage" 
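Review bot: Removing the AC_CHECK_LIB(crypto, AES_set_encrypt_key) probe leaves `PKG_CHECK_MODULES([LIBCRYPTO],[libcrypto >= 3.5])` as the only libcrypto check in the openssl branch, and pkg-config only proves that a suitable .pc file is installed, not that the library actually links with the flags the build uses, so the old "Faulty openssl crypto library" diagnosis is lost. Keeping a link probe against a symbol present in 3.x, e.g. `AC_CHECK_LIB(crypto, [EVP_PKEY_Q_keygen], [true], AC_MSG_ERROR(Faulty openssl crypto library))`, makes a broken or mismatched libcrypto fail at configure time rather than at first use. The header probe also moves from openssl/aes.h to openssl/obj_mac.h without the commit message saying why; a one-line `dnl obj_mac.h: generic libcrypto header, the 3.5 floor is enforced via pkg-config above` next to the AC_CHECK_HEADERS call would record the intent. The AS_CASE that encloses these lines starts and ends outside the hunk.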
@@ -52,7 +52,7 @@ jobs: cpp-coveralls -e libtpms --gcov-options '\-lp' test-asan-ubsan: - runs-on: ubuntu-24.04 + runs-on: ubuntu-26.04 env: CFLAGS: "-fsanitize=address,undefined -g -fno-omit-frame-pointer -fno-sanitize-recover" LIBTPMS_CFLAGS: "-fsanitize=address,undefined -g -fno-omit-frame-pointer -fno-sanitize-recover" @@ -71,7 +71,7 @@ jobs: uses: ./.github/actions/test-swtpm test-asan-ubsan-non-openssl: - runs-on: ubuntu-24.04 + runs-on: ubuntu-26.04 env: CFLAGS: "-fsanitize=address,undefined -g -fno-omit-frame-pointer -fno-sanitize-recover" LIBTPMS_CFLAGS: "-fsanitize=address,undefined -g -fno-omit-frame-pointer -fno-sanitize-recover" From afd04376d2bb0c7a80987cbc7d6294d087b76bf5 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Thu, 7 May 2026 14:40:49 +0000 Subject: [PATCH 3/5] swtpm_cert: Adjust error message for 'days' too far in future X509_time_adj_ex will return a NULL pointer if the days parameter is too far in the future. Therefore adjust the error message. Also avoid a memory leak when the return value was NULL. Signed-off-by: Stefan Berger --- src/swtpm_cert/ek-cert.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/swtpm_cert/ek-cert.c b/src/swtpm_cert/ek-cert.c index 20518b1f7..c0380331e 100644 --- a/src/swtpm_cert/ek-cert.c +++ b/src/swtpm_cert/ek-cert.c @@ -1589,8 +1589,9 @@ int main(int argc, char *argv[]) if (days < 0) { ASN1_TIME_set_string(asn1_time, "99991231235959Z"); } else { - asn1_time = X509_time_adj_ex(asn1_time, days, 0, &now); - CHECK_OSSL_NULLPTR1(asn1_time, "Out of memory.\n"); + CHECK_OSSL_NULLPTR(X509_time_adj_ex(asn1_time, days, 0, &now), + "Days '%lu' may be too far in the future.\n", + days); } CHECK_OSSL_RETURN1(X509_set1_notAfter(crt, asn1_time) != 1, "Could not set expiration time on CRT.\n"); From 41d67953f4b65c3e845d58700386a1ba067d7aaa Mon Sep 17 00:00:00 2001 
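Review bot: The new message `"Days '%lu' may be too far in the future.\n"` prints `days` with `%lu`, but the `if (days < 0)` test two lines above only makes sense for a signed variable, so the conversion specifier looks mismatched and `-Wformat` should flag it; if `days` is a `long`, use `%ld`. Discarding the return value of X509_time_adj_ex() is correct here, since with a non-NULL first argument OpenSSL updates `asn1_time` in place and returns it, but a short comment such as `/* updates asn1_time in place; NULL if the date cannot be represented or on allocation failure */` would stop a later reader from restoring the assignment that leaked. Because NULL is also returned on allocation failure, the hedged "may be" wording of the message is the right choice. The enclosing main() starts and ends outside the hunk.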
From: Stefan Berger Date: Thu, 7 May 2026 19:40:37 +0000 Subject: [PATCH 4/5] swtpm_cert: Fix the ASN.1 for IAK/IDevID SAN The IAK/IDevID certificate did not pass certificate chain verification due to malformed ASN.1 in the SAN. Fix the ASN.1 that is put into the SAN to have proper nesting of sequences. Signed-off-by: Stefan Berger --- src/swtpm_cert/ek-cert.c | 6 +++--- src/swtpm_cert/tpm.asn | 8 ++++++-- src/swtpm_cert/tpm_asn1.h | 8 ++++---- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/src/swtpm_cert/ek-cert.c b/src/swtpm_cert/ek-cert.c index c0380331e..14e772fa6 100644 --- a/src/swtpm_cert/ek-cert.c +++ b/src/swtpm_cert/ek-cert.c @@ -792,13 +792,13 @@ create_iak_info(datum_t *asn1, const char *hwSerialNum) err = asn1_create_element(_tpm_asn, "TPM.TPMIAKSanInfo", &at); ASN1_CHECK_ERROR(err, "asn1_create_element"); - err = asn1_write_value(at, "tpmIAKSanInfoSeq.id", "1.3.6.1.5.5.7.8.4", 0); + err = asn1_write_value(at, "tpmIAKSanInfoSet.tpmIAKSanInfoSeq.id", "1.3.6.1.5.5.7.8.4", 0); ASN1_CHECK_ERROR(err, "asn1_write_value"); - err = asn1_write_value(at, "tpmIAKSanInfoSeq.iakSanInfoSet.hwType", "2.23.133.1.2", 0); + err = asn1_write_value(at, "tpmIAKSanInfoSet.tpmIAKSanInfoSeq.iakSanInfoSet.hwType", "2.23.133.1.2", 0); ASN1_CHECK_ERROR(err, "asn1_write_value"); - err = asn1_write_value(at, "tpmIAKSanInfoSeq.iakSanInfoSet.hwSerialNum", hwSerialNum, 0); + err = asn1_write_value(at, "tpmIAKSanInfoSet.tpmIAKSanInfoSeq.iakSanInfoSet.hwSerialNum", hwSerialNum, 0); ASN1_CHECK_ERROR(err, "asn1_write_value"); err = encode_asn1(asn1, at); diff --git a/src/swtpm_cert/tpm.asn b/src/swtpm_cert/tpm.asn index 29675e655..75e4125f7 100644 --- a/src/swtpm_cert/tpm.asn +++ b/src/swtpm_cert/tpm.asn 
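Review bot: The three asn1_write_value() calls now spell out the prefix `tpmIAKSanInfoSet.tpmIAKSanInfoSeq.` verbatim, and two of them additionally repeat `iakSanInfoSet.`; a local `#define IAK_SAN_SEQ "tpmIAKSanInfoSet.tpmIAKSanInfoSeq"` used as `IAK_SAN_SEQ ".id"` and `IAK_SAN_SEQ ".iakSanInfoSet.hwType"` keeps the element paths in one place, so the next restructuring of tpm.asn touches a single line. These paths must stay in lockstep with the node names in tpm.asn and the table in tpm_asn1.h, both of which this commit changes as well; a comment above the first write, `/* element paths mirror TPMIAKSanInfo in tpm.asn; keep tpm_asn1.h in sync */`, makes that coupling visible to whoever edits only one of the three files. create_iak_info() begins before and ends after the hunk.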
@@ -116,12 +116,16 @@ TPMEKCertExtendedKeyUsage ::= SEQUENCE { -- IAK -- TPMIAKSanInfo ::= SEQUENCE { - tpmIAKSanInfoSeq [0] IMPLICIT TPMIAKSanInfoSeq + tpmIAKSanInfoSet TPMIAKSanInfoSet +} + +TPMIAKSanInfoSet ::= SET { + tpmIAKSanInfoSeq TPMIAKSanInfoSeq } TPMIAKSanInfoSeq ::= SEQUENCE { id OBJECT IDENTIFIER, - iakSanInfoSet [0] EXPLICIT IAKHardwareModuleName + iakSanInfoSet IAKHardwareModuleName } IAKHardwareModuleName ::= SEQUENCE { diff --git a/src/swtpm_cert/tpm_asn1.h b/src/swtpm_cert/tpm_asn1.h index 784ee3803..b4162cbe3 100644 --- a/src/swtpm_cert/tpm_asn1.h +++ b/src/swtpm_cert/tpm_asn1.h @@ -95,12 +95,12 @@ const asn1_static_node tpm_asn1_tab[] = { { "TPMEKCertExtendedKeyUsage", 1610612741, NULL }, { "id", 12, NULL }, { "TPMIAKSanInfo", 1610612741, NULL }, - { "tpmIAKSanInfoSeq", 536879106, "TPMIAKSanInfoSeq"}, - { NULL, 4104, "0"}, + { "tpmIAKSanInfoSet", 2, "TPMIAKSanInfoSet"}, + { "TPMIAKSanInfoSet", 1610612750, NULL }, + { "tpmIAKSanInfoSeq", 201326594, "TPMIAKSanInfoSeq"}, { "TPMIAKSanInfoSeq", 1610612741, NULL }, { "id", 1073741836, NULL }, - { "iakSanInfoSet", 536879106, "IAKHardwareModuleName"}, - { NULL, 2056, "0"}, + { "iakSanInfoSet", 2, "IAKHardwareModuleName"}, { "IAKHardwareModuleName", 536870917, NULL }, { "hwType", 1073741836, NULL }, { "hwSerialNum", 7, NULL }, From 2218e610d11053d70cf9586124608eff9b07e0bc Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Thu, 7 May 2026 15:22:46 +0000 Subject: [PATCH 5/5] tests: Refactor certificate creation tests Refactor the certificate creation tests to - create all needed keys and certs using openssl CLI tool - accept input parameters passed to test script - grep for more expected data in the created certificates - verify the created certificate with the intermediate CA - test signing with a secp521r1 key 
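Review bot: The new nesting `TPMIAKSanInfo ::= SEQUENCE { SET { SEQUENCE { id OBJECT IDENTIFIER, iakSanInfoSet ... } } }` has exactly the shape of an X.501 Name (RDNSequence of SET OF AttributeTypeAndValue), which matches the `DirName:/id-on-hardwareModuleName=` pattern the new tests grep for, but nothing in the file says that this directoryName encoding is intentional. A comment next to `-- IAK --`, such as `-- Carried in the SAN as a directoryName (RDNSequence); the [0] IMPLICIT/EXPLICIT tags of the otherName form are deliberately absent`, would keep someone from re-adding the tags the previous definition carried, and it is worth confirming and recording there whether the TCG device-identity profile being targeted expects this form or the RFC 4108 otherName form. The tpm_asn1.h hunk in this commit looks like asn1Parser output for this file (the same node names with encoded type constants); if so, a header comment there stating that it is generated from tpm.asn and must be regenerated rather than hand-edited would help. The TPMEKCertExtendedKeyUsage definition named in the hunk header starts outside the hunk and IAKHardwareModuleName continues past it.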
Signed-off-by: Stefan Berger --- tests/Makefile.am | 9 +- tests/_test_swtpm_cert | 113 +++++++ tests/_test_tpm2_swtpm_cert | 307 ++++++++++++++++++ tests/data/ecprivek.pem | 9 - tests/data/ecpubek.pem | 4 - tests/data/issuercert.pem | 25 -- tests/data/pubek.pem | 10 - tests/data/signkey-encrypted.pem | 42 --- tests/data/signkey.pem | 190 ------------ tests/data/swtpm-localca-rootca-cert.pem | 24 -- tests/data/swtpm-localca-rootca-privkey.pem | 190 ------------ tests/test_swtpm_cert | 167 +++------- tests/test_tpm2_swtpm_cert | 326 +++++--------------- tests/test_tpm2_swtpm_cert_ecc | 127 -------- 14 files changed, 553 insertions(+), 990 deletions(-) create mode 100755 tests/_test_swtpm_cert create mode 100755 tests/_test_tpm2_swtpm_cert delete mode 100644 tests/data/ecprivek.pem delete mode 100644 tests/data/ecpubek.pem delete mode 100644 tests/data/issuercert.pem delete mode 100644 tests/data/pubek.pem delete mode 100644 tests/data/signkey-encrypted.pem delete mode 100644 tests/data/signkey.pem delete mode 100644 tests/data/swtpm-localca-rootca-cert.pem delete mode 100644 tests/data/swtpm-localca-rootca-privkey.pem delete mode 100755 tests/test_tpm2_swtpm_cert_ecc diff --git a/tests/Makefile.am b/tests/Makefile.am index 6c67d6b34..1737fc27f 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -82,7 +82,6 @@ TESTS = \ test_tpm2_save_load_state_locking \ test_tpm2_setbuffersize \ test_tpm2_swtpm_cert \ - test_tpm2_swtpm_cert_ecc \ test_tpm2_swtpm_localca \ test_tpm2_swtpm_localca_pkcs11.test \ test_tpm2_swtpm_setup_create_cert \ @@ -113,12 +112,6 @@ EXTRA_DIST = \ $(TEST_UTILS) \ swtpm_setup.conf \ create_certs.sh \ - data/ecpubek.pem \ - data/ecprivek.pem \ - data/issuercert.pem \ - data/pubek.pem \ - data/signkey.pem \ - data/signkey-encrypted.pem \ data/keyfile.txt \ data/keyfile256bit.txt \ data/pwdfile.txt \ 
@@ -189,6 +182,7 @@ EXTRA_DIST = \ _test_save_load_state \ _test_setbuffersize \ _test_swtpm_bios \ + _test_swtpm_cert \ _test_tpm_probe \ _test_tpm2_avoid_da_lockout \ _test_tpm2_derived_keys \ @@ -213,6 +207,7 @@ EXTRA_DIST = \ _test_tpm2_save_load_state_locking \ _test_tpm2_setbuffersize \ _test_tpm2_swtpm_bios \ + _test_tpm2_swtpm_cert \ _test_tpm2_volatilestate \ _test_tpm2_wrongorder \ _test_volatilestate \ diff --git a/tests/_test_swtpm_cert b/tests/_test_swtpm_cert new file mode 100755 index 000000000..bb3d2aeac --- /dev/null +++ b/tests/_test_swtpm_cert 
@@ -0,0 +1,113 @@ +#!/usr/bin/env bash + +# For the license, see the LICENSE file in the root directory. + +ROOT=${abs_top_builddir:-$(dirname "$0")/..} +TESTDIR=${abs_top_testdir:=$(dirname "$0")} + +source "${TESTDIR}/common" + +trap "cleanup" SIGTERM EXIT + +function cleanup() +{ + rm -f "${cert}" "${pwdfile}" +} + +cert="$(mktemp)" || exit 1 +pwdfile="$(mktemp)" || exit 1 + +function check_cert_size() +{ + local cert="$1" + local exp="$2" + + local size + + size=$(get_filesize "${cert}") + if [ "$size" -ne "$exp" ]; then + echo "Warning: Certificate file has unexpected size." + echo " Expected: $exp; found: $size" + fi +} + +COMMON=( + --signkey "${PARAM_SIGNKEY_ENCRYPTED}" + --issuercert "${PARAM_ISSUERCERT}" + --out-cert "${cert}" + --days 3650 + --pem + --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 + --tpm-spec-family 1.2 --tpm-spec-revision 123 --tpm-spec-level 321 +) + +if ! VARNAME=${PARAM_PASSWORD} ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --signkey-pwd env:VARNAME \ + --modulus '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'; +then + echo "Error: ${SWTPM_CERT} returned error code." + exit 1 +fi + +check_cert_size "${cert}" 1395 + +# truncate result file +echo -n > "${cert}" +echo "Test 1: OK" + +if ! ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --signkey-pwd file:<(printf "%s" "${PARAM_PASSWORD}") \ + --modulus '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'; +then + echo "Error: ${SWTPM_CERT} returned error code." + exit 1 +fi + +#expecting size to be constant +check_cert_size "${cert}" 1395 + +# truncate result file +echo -n > "${cert}" +echo "Test 2: OK" + + +if ! ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --signkey-pwd "pass:${PARAM_PASSWORD}" \ + --pubkey "${PARAM_RSAPUBKEY}"; +then + echo "Error: ${SWTPM_CERT} returned error code." 
+ exit 1 +fi + +check_cert_size "${cert}" 1460 + +# truncate result file +echo -n > "${cert}" +echo "Test 3: OK" + + +###################### Platform Certificate ##################### + +printf "%s" "${PARAM_PASSWORD}" > "${pwdfile}" +exec 100<"${pwdfile}" +if ! ${SWTPM_CERT} \ + --type platform \ + "${COMMON[@]}" \ + --signkey-pwd fd:100 \ + --pubkey "${PARAM_RSAPUBKEY}" \ + --platform-manufacturer Fedora \ + --platform-model QEMU \ + --platform-version 2.1; then + echo "Error: ${SWTPM_CERT} returned error code." + exit 1 +fi + +#expecting size to be constant +check_cert_size "${cert}" 1489 + +# truncate result file +echo -n > "${cert}" +echo "Test 4: OK" diff --git a/tests/_test_tpm2_swtpm_cert b/tests/_test_tpm2_swtpm_cert new file mode 100755 index 000000000..3fae0a6ca --- /dev/null +++ b/tests/_test_tpm2_swtpm_cert 
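Review bot: check_cert_size() only echoes a warning when the PEM size is off, so all four cases in this script pass as long as ${SWTPM_CERT} exits 0; unlike _test_tpm2_swtpm_cert nothing here parses or verifies what was written. Make the mismatch fatal, `echo "Error: ..."; exit 1` instead of the warning, and preferably add the same `openssl verify -partial_chain -CAfile "${PARAM_ISSUERCERT}" "${cert}"` step the TPM 2 script runs, so a malformed certificate fails the test rather than being logged and forgotten. The descriptor opened with `exec 100<"${pwdfile}"` is never closed; `exec 100<&-` after the platform-certificate case keeps the script tidy and mirrors the cleanup of ${pwdfile} in cleanup().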
@@ -0,0 +1,307 @@ +#!/usr/bin/env bash + +# For the license, see the LICENSE file in the root directory. + +ROOT=${abs_top_builddir:-$(dirname "$0")/..} +TESTDIR=${abs_top_testdir:-$(dirname "$0")} + +source "${TESTDIR}/common" + +cert="$(mktemp)" || exit 1 + +trap "cleanup" SIGTERM EXIT +function cleanup() +{ + rm -f "${cert}" +} + +function check_cert_size() +{ + local cert="$1" + local exp="$2" + + local size lo hi + + lo=$(cut -d"-" -f1 <<< "${exp}") + hi=$(cut -d"-" -f2 <<< "${exp}") + + # Check size of DER cert + size=$(openssl x509 -in "${cert}" -outform der | wc -c) + if [ "${size}" -lt "${lo}" ] || [ "${size}" -gt "${hi}" ]; then + echo "Warning: DER Certificate has unexpected size." + echo " Expected: $exp; found: $size" + fi +} + +function check_cert() +{ + local cert="$1" + local size="$2" + + shift 2 + + local txt msg + + check_cert_size "${cert}" "${size}" + txt=$(openssl x509 -in "${cert}" -noout -text) + + while [ $# -ne 0 ]; do + if ! grep -q "$1" <<< "${txt}"; then + echo "Could not find expected data in cert." + echo "expected: $1" + echo "${txt}" + exit 1 + fi + shift + done + if ! msg=$(openssl verify \ + -partial_chain \ + -CAfile "${PARAM_ISSUERCERT}" \ + "${cert}" 2>&1); then + echo "Could not verify the certificate." + echo "${msg}" + exit 1 + fi +} + +# shellcheck disable=2206 +PARAM_CERT_SIZES=(${PARAM_CERT_SIZES}) + +COMMON=( + --tpm2 + --signkey "${PARAM_SIGNKEY}" + --issuercert "${PARAM_ISSUERCERT}" + --out-cert "${cert}" + --days 3650 + --pem + --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 2 + --tpm-spec-family 2 --tpm-spec-revision 146 --tpm-spec-level 0 + --subject "CN=swtpm,serialNumber=123,O=test,OU=test" +) +TC=0 + +if ! ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --modulus 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 \ + --decrypt \ + --days -1; +then + echo "Error: ${SWTPM_CERT} returned error code." 
+ exit 1 +fi + +check_cert "${cert}" "${PARAM_CERT_SIZES[$((TC++))]}" \ + "Serial Number: 1 (0x1)" \ + "Dec 31 23:59:59 9999 GMT" \ + "Public-Key: (2048 bit)" \ + "CA:FALSE" \ + "Endorsement Key Certificate" \ + "Key Encipherment" \ + "DirName:/tcg-at-tpmManufacturer=IBM/tcg-at-tpmModel=swtpm-libtpms/tcg-at-tpmVersion=2" + +# truncate result file +echo -n > "${cert}" +echo "Test ${TC}: OK (modulus)" + + +if ! ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --ecc-x 61eaf811ea582656ca2a835dd1b9cd63eb196d7ff62711d6e9b8f85e580a47ca \ + --ecc-y a51efdc71fd6c791a24a75beb50526aa81b44cc598e65b2d5e116084aea4cb5b; +then + echo "Error: ${SWTPM_CERT} returned error code." + exit 1 +fi + +check_cert "${cert}" "${PARAM_CERT_SIZES[$((TC++))]}" \ + "Serial Number: 1 (0x1)" \ + "Public-Key: (256 bit)" \ + "CA:FALSE" \ + "Endorsement Key Certificate" \ + "Key Agreement" \ + "DirName:/tcg-at-tpmManufacturer=IBM/tcg-at-tpmModel=swtpm-libtpms/tcg-at-tpmVersion=2" + +# truncate result file +echo -n > "${cert}" +echo "Test ${TC}: OK (ecc; coordinates)" + + +if ! ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --allow-signing \ + --pubkey "${PARAM_RSAPUBKEY}"; +then + echo "Error: ${SWTPM_CERT} returned error code." + exit 1 +fi + +check_cert "${cert}" "${PARAM_CERT_SIZES[$((TC++))]}" \ + "Serial Number: 1 (0x1)" \ + "Public-Key: (2432 bit)" \ + "CA:FALSE" \ + "Endorsement Key Certificate" \ + "Digital Signature" \ + "DirName:/tcg-at-tpmManufacturer=IBM/tcg-at-tpmModel=swtpm-libtpms/tcg-at-tpmVersion=2" + +# truncate result file +echo -n > "${cert}" +echo "Test ${TC}: OK (allow signing)" + + +if ! ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --pubkey "${PARAM_ECPUBKEY}"; +then + echo "Error: ${SWTPM_CERT} returned error code." 
+ exit 1 +fi + +check_cert "${cert}" "${PARAM_CERT_SIZES[$((TC++))]}" \ + "Serial Number: 1 (0x1)" \ + "Public-Key: (256 bit)" \ + "CA:FALSE" \ + "Endorsement Key Certificate" \ + "Key Encipherment" \ + "DirName:/tcg-at-tpmManufacturer=IBM/tcg-at-tpmModel=swtpm-libtpms/tcg-at-tpmVersion=2" + +# truncate result file +echo -n > "${cert}" +echo "Test ${TC}: OK (ecc)" + +###################### Platform Certificate ##################### + +if ! ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --serial 123 \ + --type platform \ + --pubkey "${PARAM_RSAPUBKEY}" \ + --platform-manufacturer Fedora \ + --platform-model QEMU \ + --platform-version 2.1; +then + echo "Error: ${SWTPM_CERT} returned error code." + exit 1 +fi + +check_cert "${cert}" "${PARAM_CERT_SIZES[$((TC++))]}" \ + "Serial Number: 123 (0x7b)" \ + "Public-Key: (2432 bit)" \ + "CA:FALSE" \ + "Platform Attribute Certificate" \ + "Key Encipherment" \ + "DirName:/tcg-at-platformManufacturerStr=Fedora/tcg-at-platformModel=QEMU/tcg-at-platformVersion=2.1" + +# truncate result file +echo -n > "${cert}" +echo "Test ${TC}: OK (platform cert)" + + +if ! ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --serial 12 \ + --type platform \ + --pubkey "${PARAM_ECPUBKEY}" \ + --platform-manufacturer Fedora \ + --platform-model QEMU \ + --platform-version 2.1; +then + echo "Error: ${SWTPM_CERT} returned error code." + exit 1 +fi + +check_cert "${cert}" "${PARAM_CERT_SIZES[$((TC++))]}" \ + "Serial Number: 12 (0xc)" \ + "Public-Key: (256 bit)" \ + "CA:FALSE" \ + "Platform Attribute Certificate" \ + "Key Encipherment" \ + "DirName:/tcg-at-platformManufacturerStr=Fedora/tcg-at-platformModel=QEMU/tcg-at-platformVersion=2.1" + +# truncate result file +echo -n > "${cert}" +echo "Test ${TC}: OK (platform cert; ec key)" + +###################### IAK Certificate ##################### + +serial=1234:5678 +if ! 
${SWTPM_CERT} \ + "${COMMON[@]}" \ + --type iak \ + --pubkey "${PARAM_RSAPUBKEY}" \ + --subject "serialNumber=${serial}" \ + --tpm-serial-num "${serial}"; +then + echo "Error: ${SWTPM_CERT} returned error code." + exit 1 +fi + +check_cert "${cert}" "${PARAM_CERT_SIZES[$((TC++))]}" \ + "Serial Number: 1 (0x1)" \ + "Subject: serialNumber[[:space:]]*=[[:space:]]*${serial}" \ + "Public-Key: (2432 bit)" \ + "DirName:/id-on-hardwareModuleName=0.*${serial}" \ + "CA:FALSE" \ + "Digital Signature" + +# truncate result file +echo -n > "${cert}" +echo "Test ${TC}: OK (IAK)" + +###################### IDevID Certificate ##################### + +serial=1234:5678 +if ! ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --type idevid \ + --pubkey "${PARAM_RSAPUBKEY}" \ + --subject "serialNumber=${serial}" \ + --tpm-serial-num "${serial}"; +then + echo "Error: ${SWTPM_CERT} returned error code." + exit 1 +fi + +check_cert "${cert}" "${PARAM_CERT_SIZES[$((TC++))]}" \ + "Serial Number: 1 (0x1)" \ + "Subject: serialNumber[[:space:]]*=[[:space:]]*${serial}" \ + "Public-Key: (2432 bit)" \ + "DirName:/id-on-hardwareModuleName=0.*${serial}" \ + "CA:FALSE" \ + "Digital Signature" + +# truncate result file +echo -n > "${cert}" +echo "Test ${TC}: OK (IDevID)" + +####################### max. serial number ##################### + +# max. serial number -- must pass +if ! ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --pubkey "${PARAM_RSAPUBKEY}" \ + --serial 1461501637330902918203684832716283019655932542975; +then + echo "Error: ${SWTPM_CERT} failed with max. serial number." + exit 1 +fi + +check_cert "${cert}" "${PARAM_CERT_SIZES[$((TC++))]}" \ + "Serial Number:[[:space:]]*$" \ + "ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff" \ + "Public-Key: (2432 bit)" \ + "CA:FALSE" \ + "Key Encipherment" + +# max. 
serial number + 1 -- must fail +if ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --pubkey "${PARAM_RSAPUBKEY}" \ + --serial 1461501637330902918203684832716283019655932542976; +then + echo "Error: ${SWTPM_CERT} should have failed with max. serial number + 1." + exit 1 +fi + +# truncate result file +echo -n > "${cert}" +echo "Test ${TC}: OK (failed as expected)" diff --git a/tests/data/ecprivek.pem b/tests/data/ecprivek.pem deleted file mode 100644 index 1823f9a1f..000000000 --- a/tests/data/ecprivek.pem +++ /dev/null @@ -1,9 +0,0 @@ -ASN1 OID: prime256v1 ------BEGIN EC PARAMETERS----- -BggqhkjOPQMBBw== ------END EC PARAMETERS----- ------BEGIN EC PRIVATE KEY----- -MHcCAQEEINoBbt73wFU8ku/qodAP58flsgL94j+FsX6ycP8ts8MKoAoGCCqGSM49 -AwEHoUQDQgAEne14S57Dr9tYfw2PtsVoaC0IrHjiEFKihkvMeimuYRVxYkZh5kmZ -fwcOIKlGawAo1JhUgA3iYSlLi3ho71aq0g== ------END EC PRIVATE KEY----- diff --git a/tests/data/ecpubek.pem b/tests/data/ecpubek.pem deleted file mode 100644 index 190702994..000000000 --- a/tests/data/ecpubek.pem +++ /dev/null @@ -1,4 +0,0 @@ ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEne14S57Dr9tYfw2PtsVoaC0IrHji -EFKihkvMeimuYRVxYkZh5kmZfwcOIKlGawAo1JhUgA3iYSlLi3ho71aq0g== ------END PUBLIC KEY----- diff --git a/tests/data/issuercert.pem b/tests/data/issuercert.pem deleted file mode 100644 index 4c41b6209..000000000 --- a/tests/data/issuercert.pem +++ /dev/null 
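Review bot: The "max. serial number + 1 -- must fail" case accepts any non-zero exit from ${SWTPM_CERT} as the expected failure, so a crash or a sanitizer abort on the test-asan-ubsan runners would be reported as `Test ${TC}: OK (failed as expected)`. Capture the output, `if msg=$(${SWTPM_CERT} "${COMMON[@]}" --pubkey "${PARAM_RSAPUBKEY}" --serial 1461501637330902918203684832716283019655932542976 2>&1); then`, and after the `fi` add `grep -q "<EXPECTED_SERIAL_ERROR_TEXT>" <<< "${msg}" || { echo "Unexpected failure: ${msg}"; exit 1; }` with the placeholder replaced by the message swtpm_cert prints for an out-of-range serial. The preceding max-serial case also increments TC in check_cert() but never prints its own `Test ${TC}: OK` line, so the log numbering skips one test.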
@@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEITCCAomgAwIBAgIMWtYHsR4z7cnrzsG6MA0GCSqGSIb3DQEBCwUAMB8xHTAb -BgNVBAMTFHN3dHBtLWxvY2FsY2Etcm9vdGNhMB4XDTE4MDQxNzE0NDE1M1oXDTI4 -MDQxNDE0NDE1M1owGDEWMBQGA1UEAxMNc3d0cG0tbG9jYWxjYTCCAaIwDQYJKoZI -hvcNAQEBBQADggGPADCCAYoCggGBAL+1uBTQ5yVOzAwkgNWxRbsqKLMvxPcRcf8W -S70ZSOUu9nvELDvMQPEGE7Y48Qxv2O/XZ8Pa9H6Gupg+uvUBTYnnHBUgJLuXF9YD -naXaS1KY1dHOVOZQygFySq7Z4E0lo8IE+3uROzJT5yv/55DAJseRBB0i5BZMgEno -KGX/61IiAhq6U9ZwTmrK7xi4EzOepNHFW2d0TpKcZAGtCESQ0uaGIileQTUL4cU4 -o0e12Z9ixOXZpJFKigtsVbSe7lrJD9PORQURHGA+p3Tb85VsPwobpNZN8D1sqKif -rSunNgh5mLseK5esx2WWen94AlbO4uYViXMK85QIiBkDGdOah5BUD8R0LFnNtPR8 -FS+4dSwYJGFCpoYqQu1RoBlIR2hREUmtYFt+8/YBUZOG8Aa4S4R2bt6nc6vP37SE -HCbkqJ8+yAmmdL1OXtT8/dQ5l1fnjbOtTAuZcyUMiHZLhRXFkNtUub6Gf+LusZRA -Vw2BQTGtqDzbBX7z7gNEPNgcwgI5kwIDAQABo2QwYjAPBgNVHRMBAf8EBTADAQH/ -MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYEFEssFsYTUSoI/6sRe4KVVdFY50Uo -MB8GA1UdIwQYMBaAFCAqCpiHlm6wK32Kv48wTVONvNeTMA0GCSqGSIb3DQEBCwUA -A4IBgQBKlh2vXX548odk5k8H+p72VeWatwwcwzdAFKY0KG5kbXGkWeJu8qlioeMl -X1tPXB0lRIf9wY+R7/eFLOeUxSqAx8gGMz7hnbG3YhjY71brPqDN8nPQowoxkG1Y -2mCjMGaTAzpO3Bi3MWnf3zrfxxivxuVv6+EyN4YnnQcs9Okd3HxmXmD1cOrWw4KV -11Ucq+Ff4W04Pz7VfftByE0dscD8SXzmnSx3nAMBxWucwXfOsbQRevzCddLBJa/T -ySZgvqhMlB7KCfQn/+JsK9N192s6kaq0OtENqEvpi3DrWXydaNCZipMKGoc7gty3 -j0sq7aUFfx2ooiDJT+pijT9HJ/N4vLavj8IU06lY1wL1ujKxarME3gqQZNX1iCq/ -OL/LAiSRJofvW5GxCB3ALPXhwXmrj6Y7qMvWY5u+cCw/NN3xi4mCOX5Qmk/wbXrC -x7j+sza1e3x7CMVmprQYLcqxewaH25APirRtnZdp8doX61fwoh1NU0Y7jehTPbN3 -ITy9dIc= ------END CERTIFICATE----- diff --git a/tests/data/pubek.pem b/tests/data/pubek.pem deleted file mode 100644 index ec8bf0ede..000000000 --- a/tests/data/pubek.pem +++ /dev/null 
@@ -1,10 +0,0 @@ ------BEGIN PUBLIC KEY----- -MIIBUjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAv1muaCRQNM6UweD+Bpcl -q7Pbysd+RrpugzdPXA+lVY8yPwKSvX7jjW2fVp6SpUnqupxiqjZIWaQPznjtlHRi -7Ak8cl+pBLoBLYfEpz+EUl+IFTOaRSV6tN3ljTEh/gNhgzVk9mYB+4kgfZLNPezc -U4YRypCWxg8ipjc97Pv4zqnRaWCL7mfdmdzoddyjOx6ekvZvg8FonLW/qPOODGyR -qwN5chRD8VzRQBo0xDtPJ5Sph942/Xv5PI34P+wO2aGFzLsLD1IuEzNDtu19zEYG -HqxLuZn0YHp8ouTNKRiQRnfyHE0tLDXiAbQF71wjFQMxXXK3+DC1C0LC0Pub0sir -oxFB4hBG2tuSiM45zRj4M0J8JAfA6d6ef5bygFJly5ew9xXQc0do+1hVtROUyUSF -PwIDAQAB ------END PUBLIC KEY----- diff --git a/tests/data/signkey-encrypted.pem b/tests/data/signkey-encrypted.pem deleted file mode 100644 index 2e2fe215a..000000000 --- a/tests/data/signkey-encrypted.pem +++ /dev/null 
@@ -1,42 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: AES-256-CBC,4F72E2939BD5ADD1C5F148D23C8C7B69 - -7ROHqAz7swVFcJCsxSL1TEYAWNB/WLFq7MM1pAT0CiWsm4GODgERLHb1/Zm9I8s4 -gvpAkpOslbjBZKP+kz0DgwR30RDiMalVniWrCYJn91gIqcRCjKdk400ktzg38Nr5 -yEIMODGDskumbxXV6vaFTh6blSLHfLmo1WNyKGeHB8MX2+oQUpZKL31JNWorMRHQ -gF32UOcsLFR1ZAgjtxjeFiYremmxDlBIl2OrIrl0ZepFtbLIxV8Gqpl342rN1fBo -Clks/3DHzbLjgHh/LozArdhqZFS7axp2N3V/W3TtrrLcY5sJXTFDZ+y6Dv4gREq+ -9HwwvhvjlxNovvbM4JQigf7G5C7EGRvoLJYgrWi6nB34l/mX86Us3LD+dSmTVUM/ -sqy7hnXYpZ2Xyj3UaL7pXwqlhx5dqrpBf2cr+jIhcXkCRE4Sxo438kvd91rLZyFG -3/28x36MIFLS0yJscXHx58j55pEtBeGA+WmMSuWIFdk9dhp0Ntb4nskaOGyKzITk -mspagdstrVAd4EWpaeL8MsGE1vVXWKC2fJrt8UlZPy0C7AlbS53SSAdrddxCOFN6 -LMGzZl73Szy+FRADuL0jJBYnJm84DBx5VXHx9jjRVKlfMUy7Rg/QZvHqC0cyEd/b -ccCMXeGqLGrVxj5uXZ/aHb0E3e2TU1PgZBZTU9RXfDmQUy2sxzlFFbfpeae9KOB+ -vu/v4sjbsZatFgHUwB7RZjosgC+b6eWJlRtkR2qC1S79Hjpa1P8VMHgR8G2Uyg43 -j4101PgA/dbOpFXQ2e4MX7vs/nuGEgd2+JNRnIQ3g5lnWzHBCjGtRsAmsYxTZjZc -CvuaGStwDk4TZbJqI4jQmcgZ1dKpXT+ElFyfWzrufYIZL5QyyazUtz1EOqPR+rdl -9NZ6gI9SSKhobqHPY5nffMq2hCOjkYJ0gKp9ufiQKLS2U3uzqNJ+ZINI7lzjj2v1 -Y96Frn8RVF/7Vks+FVlurpM9110toPfNNrqph+KDQjIotIdfGAUJOyypBA7aTD1q -dz6M6SVOAyVhtnx1LqA5kR3S/yjFipVOT0XZli04gCEKsAOPGsVp7v0+Bij3x1I0 -WK5shQsZzUaiHtDxdQl0yoVmC6ujjHWpGOPTq+qWkd5dtlxNpPTOKXhAQiyRGV3D -ytHCjxV+5obqpwdYK7s/+eDtlbLum6zBXY7OU6TwJJB3wdteYpi/mGVWDxiBqCVa -iQnG7ulr+nBNti1gGj8NwtQ1mCPZsuLkrqwq8hrDOJan8JQC+xUz/DGdsUKIFlYn -WeamZ94kQSCNLmmS0eEac1Npq4b7z09y8zZ8lb6hAGe1LnVa+Jsumj4r7Rz1XMMe -pj4nc1W2BwNzjgNo92JkkxCFEwDH+HOceh8S9yRPOQYzvvom8jCIgdU5f0aNgxQw -HdPTjYRMHoXe0rxovMFS2xhxOJd80JiNhaiZo57CqES4+LRe7jgZHc+LEQEn4pzY -8bTWjyk5yZkpDvqrYTTsl5w2v83YAiRibAvfpilfkgzrjK+IQB0OAS77X/TcFHho -bfwfeb6WWSpl1ORLm0exUXu+Gbe5n5axCNVtwyrVD+nTevozS/manKHLrsymJ628 -Bej6lZmr5fISn5y3xRaW4ktRrdeibpOGVOELBMsU7icm2DzJFs/JpCMJElV/qNsD -KcBDOhRkt3qnQuCXk+bRdlNUpEFXzHP6oD9j1/ueA5sFG1m4yAHA+y16xCussdTJ -mC9JtCt10cXnqHULBfrTxu23a4E+qEa1GKKbV/vnJGlqPhGkMZeuuXz8gEoAyC5S 
-Xf4XjFXAY9CBLbzD43TCIdUTYrpq22XMbICC2dmD9UF9+u54VQnIolxvgqRZEe/b -Kpur0RTyWci8xXpKM0gzVi1JNyb6QijvEXif9JhW+a5PaKT5SZwB36Rs0uT7ZYl/ -h+Jc+ylh4ITxHYNkZxjTgXN1kxcKgq5A0ojvxbDAe40ZY06TqiOfmI/CQE8f6vkp -4/oeq+9HHAs7uiu+KEkDpBnSopPKRy9UBC0UZVkq7AUpeRAEUnUbkOI91afKbkms -0yNcVKkNR/Hx9IK32A0vr9cZoJshG4GA63I2i/HO0F7cJAtHM9A6UGH7/PaM7OSZ -6m6q3hv/nIfTrMkPaIhVnOjNJehlnbb6IIICs1Wrs4GFnOiURFW4AjRRjQagJF/x -u6Lzx3AHepYdYhBISyM5PuxP1FUxYjxkI8tUT78F0vbYo+xfQ8JTX/wRT23T3Tnj -yYX/R9h8Aqb3lRSpS0IyAHuuO79c9ih2D0uF9WaZBfwZD7x/y8cpQV07gXMhkHb6 -uPpjKpnDY0yvS9qNSCJJ32oBUQCpvSpW2qK5AiDwfDcsP8e+kAsew8/V4GnRuqFp ------END RSA PRIVATE KEY----- diff --git a/tests/data/signkey.pem b/tests/data/signkey.pem deleted file mode 100644 index 46c226cef..000000000 --- a/tests/data/signkey.pem +++ /dev/null 
@@ -1,190 +0,0 @@ -Public Key Info: - Public Key Algorithm: RSA - Key Security Level: High (3072 bits) - -modulus: - 00:bf:b5:b8:14:d0:e7:25:4e:cc:0c:24:80:d5:b1:45 - bb:2a:28:b3:2f:c4:f7:11:71:ff:16:4b:bd:19:48:e5 - 2e:f6:7b:c4:2c:3b:cc:40:f1:06:13:b6:38:f1:0c:6f - d8:ef:d7:67:c3:da:f4:7e:86:ba:98:3e:ba:f5:01:4d - 89:e7:1c:15:20:24:bb:97:17:d6:03:9d:a5:da:4b:52 - 98:d5:d1:ce:54:e6:50:ca:01:72:4a:ae:d9:e0:4d:25 - a3:c2:04:fb:7b:91:3b:32:53:e7:2b:ff:e7:90:c0:26 - c7:91:04:1d:22:e4:16:4c:80:49:e8:28:65:ff:eb:52 - 22:02:1a:ba:53:d6:70:4e:6a:ca:ef:18:b8:13:33:9e - a4:d1:c5:5b:67:74:4e:92:9c:64:01:ad:08:44:90:d2 - e6:86:22:29:5e:41:35:0b:e1:c5:38:a3:47:b5:d9:9f - 62:c4:e5:d9:a4:91:4a:8a:0b:6c:55:b4:9e:ee:5a:c9 - 0f:d3:ce:45:05:11:1c:60:3e:a7:74:db:f3:95:6c:3f - 0a:1b:a4:d6:4d:f0:3d:6c:a8:a8:9f:ad:2b:a7:36:08 - 79:98:bb:1e:2b:97:ac:c7:65:96:7a:7f:78:02:56:ce - e2:e6:15:89:73:0a:f3:94:08:88:19:03:19:d3:9a:87 - 90:54:0f:c4:74:2c:59:cd:b4:f4:7c:15:2f:b8:75:2c - 18:24:61:42:a6:86:2a:42:ed:51:a0:19:48:47:68:51 - 11:49:ad:60:5b:7e:f3:f6:01:51:93:86:f0:06:b8:4b - 84:76:6e:de:a7:73:ab:cf:df:b4:84:1c:26:e4:a8:9f - 3e:c8:09:a6:74:bd:4e:5e:d4:fc:fd:d4:39:97:57:e7 - 8d:b3:ad:4c:0b:99:73:25:0c:88:76:4b:85:15:c5:90 - db:54:b9:be:86:7f:e2:ee:b1:94:40:57:0d:81:41:31 - ad:a8:3c:db:05:7e:f3:ee:03:44:3c:d8:1c:c2:02:39 - 93: - -public exponent: - 01:00:01: - -private exponent: - 00:be:f0:c5:29:a6:6f:b2:4e:eb:18:64:fb:14:db:7d - 72:4f:29:3e:5f:23:b4:58:e1:cb:89:6f:62:26:5e:de - 35:8a:35:f7:4b:7f:3b:8e:ab:00:bc:7d:4f:f5:75:c7 - a8:b0:29:41:26:67:5c:00:f1:3b:c4:0b:26:b6:83:d7 - b0:b4:48:da:19:ab:bc:53:5e:e0:3f:b5:b2:cc:db:1c - a7:30:bf:c8:db:f2:91:20:c1:94:0e:22:5c:ca:f4:cb - ba:70:b1:f9:b0:37:14:58:aa:0c:a3:5c:3c:4d:85:b4 - 9a:2c:2b:86:c1:8b:9f:52:0e:ac:8d:d8:3e:cf:48:98 - 03:5b:49:37:af:ec:f2:ea:87:9f:1b:c8:e8:fd:e6:f9 - e9:7b:2d:30:3e:b8:2e:d2:03:85:ef:cd:61:60:b9:45 - f5:68:3f:7a:28:70:95:df:01:bd:27:0e:29:8c:4b:f6 - 5d:af:72:a6:f5:2b:e8:ab:d9:78:cb:5c:1c:b7:96:20 - 
8e:30:bc:ba:0c:7d:66:fa:11:0a:d0:3e:02:b8:6e:64 - 2c:73:4c:cc:e3:f0:6a:8f:7c:a6:a2:17:6c:d2:82:47 - 17:33:e3:17:e7:a4:ad:e0:5c:d7:23:50:45:f2:fc:a8 - 47:9f:c9:26:f9:9b:e1:94:4d:cf:a5:b5:bf:96:9a:80 - e9:39:8b:51:5e:79:59:85:c1:fc:25:96:9e:4a:ce:b8 - b9:48:ed:cc:b9:1a:a1:98:05:7c:02:6e:53:39:b2:eb - 48:14:89:0b:60:2e:ea:64:89:05:11:e5:39:b0:72:0f - a3:56:bd:49:65:eb:d1:51:30:a2:c9:d1:f3:f2:e5:4b - d0:f6:ff:e4:8d:87:bc:24:a0:6b:e2:7b:c7:88:26:c6 - 2a:f0:3a:94:a9:4a:cd:04:f4:9b:e1:78:f1:94:ff:11 - 31:80:5f:be:05:8d:f0:16:c1:0b:61:02:2b:cc:6b:7d - 01:c7:2e:2b:dc:e0:9a:07:67:1f:db:a8:d3:f5:65:3e - c1: - -prime1: - 00:c5:1a:78:1b:df:1d:ec:13:ac:52:53:85:b9:63:c8 - dd:5d:05:83:34:3e:07:b3:d4:2f:75:5d:a9:28:c3:96 - 84:18:31:ac:c6:d4:81:23:c8:67:72:e0:44:97:92:36 - 5f:0a:30:ed:d8:75:7a:46:ed:83:f0:6a:88:bc:fe:0c - f2:9c:09:3c:66:01:71:ee:4c:5c:5c:6d:6b:97:56:cb - 7d:2c:90:ce:7d:b3:e3:94:3a:27:94:40:1c:aa:8a:ae - e1:b9:d8:0d:5a:29:a0:2a:54:bf:77:23:22:58:8c:29 - 3a:ee:15:d5:57:be:41:76:78:c7:11:f6:6f:8d:80:89 - 1e:1a:d7:a4:a5:a5:df:cf:81:00:bd:fb:de:f3:cd:d1 - 5a:76:0a:52:ed:68:ed:7e:ad:16:96:df:95:8a:59:25 - 33:2d:35:0c:e8:02:19:96:be:40:a7:91:08:a2:16:01 - 05:6b:12:04:e7:91:41:39:1a:a9:15:21:e7:d7:59:f7 - 43: - -prime2: - 00:f8:fe:aa:bf:03:5f:45:c9:7e:7b:ac:d6:28:55:70 - 59:f1:68:0c:56:89:2b:38:2d:98:41:63:11:98:f8:7d - 8b:e1:76:58:0e:17:e2:d2:0b:fc:ee:31:c4:27:a3:49 - 28:5c:2f:21:1c:75:89:6d:6c:b3:ce:d7:50:01:a6:ef - cd:ec:e8:1c:01:cb:86:42:66:65:f8:c1:30:44:5d:6f - 9c:51:8b:33:a1:e0:d0:dd:77:f3:6a:05:37:08:87:ad - 3b:de:9c:d3:45:60:ac:d5:59:0f:09:53:ff:eb:eb:94 - 22:a6:2c:f0:0a:a3:82:c9:67:9a:28:73:8d:3b:36:3d - e7:1f:7a:1c:0c:86:04:0f:f9:14:b3:f7:88:88:94:30 - 38:28:45:96:a7:8b:a2:96:3b:4c:0a:9f:53:15:5a:ef - 92:97:e2:73:2d:49:f8:ab:b1:e6:81:12:36:0a:e6:a9 - 18:3b:99:48:1b:8a:ca:93:55:16:eb:97:fe:60:9d:c7 - 71: - -coefficient: - 77:f0:e7:18:46:f3:f8:b6:01:33:c4:b1:15:8d:ce:dc - c7:ee:c1:45:96:66:7b:13:6c:2d:fa:dc:f7:53:98:af - 
45:4f:f6:a0:48:9c:34:31:9a:cb:24:f3:24:52:83:e5 - ad:14:15:75:13:6c:15:37:7b:18:af:39:e7:35:91:3d - 9a:c3:64:51:fd:95:48:7c:18:68:7e:2a:0d:f1:92:f1 - fa:b0:a6:b0:71:b3:71:1d:c8:19:24:05:f5:99:2a:a6 - 47:72:e7:78:d3:48:80:03:5b:a6:2e:ac:6e:6d:d2:e6 - fa:2a:e4:70:84:1c:bc:46:58:5a:9c:b9:da:c0:eb:63 - 99:53:86:8f:1c:23:b1:20:c8:10:dd:2f:15:12:80:ad - 67:dc:1c:29:60:bf:68:c7:ff:e2:98:38:eb:e9:22:3d - 47:63:8a:2b:6c:70:a8:4c:b4:8a:2e:ac:3b:9c:49:fb - 30:14:38:0e:de:eb:67:b0:ea:3c:72:f6:db:36:45:86 - - -exp1: - 00:91:ed:73:e9:66:ba:17:93:c5:2c:3a:8c:31:e2:af - cf:3c:54:9d:7c:2b:44:b6:9e:2c:f8:de:fc:23:a3:13 - 27:ff:65:9f:be:a1:8c:6e:fa:ab:a4:80:68:28:33:e7 - 2f:5c:33:37:94:df:fd:44:d0:0a:b4:0f:9b:e7:18:cc - 6b:3e:9d:13:eb:8d:bc:55:2a:91:e3:18:5b:e4:f3:2c - bb:23:28:9e:c8:b0:4b:98:ed:a9:69:f8:41:80:fe:26 - 56:16:aa:df:cf:d6:2b:af:cb:88:e9:e2:c8:45:f8:97 - 79:fa:d5:8d:5b:66:0f:bf:6f:d2:2a:f9:62:43:c8:5b - 3c:3f:b1:52:44:15:d7:eb:20:5e:75:4a:2a:1a:25:52 - 8f:7f:ff:4a:c0:5c:c4:20:da:73:74:06:5b:07:cf:d2 - 5b:de:67:7d:83:b4:32:4f:c9:d1:c2:7d:fd:7f:4b:7d - 3c:0e:b6:8b:8d:0a:9c:d8:73:65:a5:b0:b1:9e:5e:0c - 53: - -exp2: - 6a:83:6e:81:45:ad:04:ca:7c:2b:e5:b4:bb:0e:49:80 - 80:4f:55:2f:d3:7f:c4:89:64:9f:5c:04:d4:1e:40:7e - 8d:15:35:f7:d9:69:f3:16:a3:bd:35:56:c6:ea:07:ca - 97:1c:a6:1a:69:81:3f:69:07:c6:0c:bf:31:e5:ba:a1 - a9:9d:65:15:b3:7d:9c:7b:f7:55:21:37:47:97:7c:be - 2e:f7:d0:3f:88:4f:70:dd:f6:27:bd:51:5c:79:c5:b6 - 5d:b5:52:7f:54:2a:bb:1d:5c:dc:4d:ad:a5:bb:61:e4 - 2c:97:fe:9b:5e:74:fd:39:2f:6d:ec:78:57:03:0e:1a - 07:92:11:db:9d:9c:b1:44:89:01:af:7b:1d:89:de:d2 - b7:0f:85:b1:e8:7e:c5:ab:5a:0d:15:38:d2:62:d3:27 - 2f:87:f4:63:44:48:77:12:24:1b:c4:b1:8f:9a:3a:6d - 9e:59:24:ca:7b:65:ca:fe:d4:4e:35:f7:e0:56:be:51 - - - -Public Key ID: 4B:2C:16:C6:13:51:2A:08:FF:AB:11:7B:82:95:55:D1:58:E7:45:28 -Public key's random art: -+--[ RSA 3072]----+ -|. =Bo .oo | -| o . o.oEo.. | -| o o * .. | -| + o + | -| + . o S | -| o o o o . | -|. + o . | -| = | -| . 
| -+-----------------+ - ------BEGIN RSA PRIVATE KEY----- -MIIG5AIBAAKCAYEAv7W4FNDnJU7MDCSA1bFFuyoosy/E9xFx/xZLvRlI5S72e8Qs -O8xA8QYTtjjxDG/Y79dnw9r0foa6mD669QFNieccFSAku5cX1gOdpdpLUpjV0c5U -5lDKAXJKrtngTSWjwgT7e5E7MlPnK//nkMAmx5EEHSLkFkyASegoZf/rUiICGrpT -1nBOasrvGLgTM56k0cVbZ3ROkpxkAa0IRJDS5oYiKV5BNQvhxTijR7XZn2LE5dmk -kUqKC2xVtJ7uWskP085FBREcYD6ndNvzlWw/Chuk1k3wPWyoqJ+tK6c2CHmYux4r -l6zHZZZ6f3gCVs7i5hWJcwrzlAiIGQMZ05qHkFQPxHQsWc209HwVL7h1LBgkYUKm -hipC7VGgGUhHaFERSa1gW37z9gFRk4bwBrhLhHZu3qdzq8/ftIQcJuSonz7ICaZ0 -vU5e1Pz91DmXV+eNs61MC5lzJQyIdkuFFcWQ21S5voZ/4u6xlEBXDYFBMa2oPNsF -fvPuA0Q82BzCAjmTAgMBAAECggGBAL7wxSmmb7JO6xhk+xTbfXJPKT5fI7RY4cuJ -b2ImXt41ijX3S387jqsAvH1P9XXHqLApQSZnXADxO8QLJraD17C0SNoZq7xTXuA/ -tbLM2xynML/I2/KRIMGUDiJcyvTLunCx+bA3FFiqDKNcPE2FtJosK4bBi59SDqyN -2D7PSJgDW0k3r+zy6oefG8jo/eb56XstMD64LtIDhe/NYWC5RfVoP3oocJXfAb0n -DimMS/Zdr3Km9Svoq9l4y1wct5YgjjC8ugx9ZvoRCtA+ArhuZCxzTMzj8GqPfKai -F2zSgkcXM+MX56St4FzXI1BF8vyoR5/JJvmb4ZRNz6W1v5aagOk5i1FeeVmFwfwl -lp5Kzri5SO3MuRqhmAV8Am5TObLrSBSJC2Au6mSJBRHlObByD6NWvUll69FRMKLJ -0fPy5UvQ9v/kjYe8JKBr4nvHiCbGKvA6lKlKzQT0m+F48ZT/ETGAX74FjfAWwQth -AivMa30Bxy4r3OCaB2cf26jT9WU+wQKBwQDFGngb3x3sE6xSU4W5Y8jdXQWDND4H -s9QvdV2pKMOWhBgxrMbUgSPIZ3LgRJeSNl8KMO3YdXpG7YPwaoi8/gzynAk8ZgFx -7kxcXG1rl1bLfSyQzn2z45Q6J5RAHKqKruG52A1aKaAqVL93IyJYjCk67hXVV75B -dnjHEfZvjYCJHhrXpKWl38+BAL373vPN0Vp2ClLtaO1+rRaW35WKWSUzLTUM6AIZ -lr5Ap5EIohYBBWsSBOeRQTkaqRUh59dZ90MCgcEA+P6qvwNfRcl+e6zWKFVwWfFo -DFaJKzgtmEFjEZj4fYvhdlgOF+LSC/zuMcQno0koXC8hHHWJbWyzztdQAabvzezo -HAHLhkJmZfjBMERdb5xRizOh4NDdd/NqBTcIh6073pzTRWCs1VkPCVP/6+uUIqYs -8AqjgslnmihzjTs2PecfehwMhgQP+RSz94iIlDA4KEWWp4uiljtMCp9TFVrvkpfi -cy1J+Kux5oESNgrmqRg7mUgbisqTVRbrl/5gncdxAoHBAJHtc+lmuheTxSw6jDHi -r888VJ18K0S2niz43vwjoxMn/2WfvqGMbvqrpIBoKDPnL1wzN5Tf/UTQCrQPm+cY -zGs+nRPrjbxVKpHjGFvk8yy7IyieyLBLmO2pafhBgP4mVhaq38/WK6/LiOniyEX4 -l3n61Y1bZg+/b9Iq+WJDyFs8P7FSRBXX6yBedUoqGiVSj3//SsBcxCDac3QGWwfP -0lveZ32DtDJPydHCff1/S308DraLjQqc2HNlpbCxnl4MUwKBwGqDboFFrQTKfCvl 
-tLsOSYCAT1Uv03/EiWSfXATUHkB+jRU199lp8xajvTVWxuoHypccphppgT9pB8YM -vzHluqGpnWUVs32ce/dVITdHl3y+LvfQP4hPcN32J71RXHnFtl21Un9UKrsdXNxN -raW7YeQsl/6bXnT9OS9t7HhXAw4aB5IR252csUSJAa97HYne0rcPhbHofsWrWg0V -ONJi0ycvh/RjREh3EiQbxLGPmjptnlkkyntlyv7UTjX34Fa+UQKBwHfw5xhG8/i2 -ATPEsRWNztzH7sFFlmZ7E2wt+tz3U5ivRU/2oEicNDGayyTzJFKD5a0UFXUTbBU3 -exivOec1kT2aw2RR/ZVIfBhofioN8ZLx+rCmsHGzcR3IGSQF9Zkqpkdy53jTSIAD -W6YurG5t0ub6KuRwhBy8RlhanLnawOtjmVOGjxwjsSDIEN0vFRKArWfcHClgv2jH -/+KYOOvpIj1HY4orbHCoTLSKLqw7nEn7MBQ4Dt7rZ7DqPHL22zZFhg== ------END RSA PRIVATE KEY----- diff --git a/tests/data/swtpm-localca-rootca-cert.pem b/tests/data/swtpm-localca-rootca-cert.pem deleted file mode 100644 index 89a7c425f..000000000 --- a/tests/data/swtpm-localca-rootca-cert.pem +++ /dev/null 
@@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEBzCCAm+gAwIBAgIMWtYHsQCZEuhkMw24MA0GCSqGSIb3DQEBCwUAMB8xHTAb -BgNVBAMTFHN3dHBtLWxvY2FsY2Etcm9vdGNhMB4XDTE4MDQxNzE0NDE1M1oXDTI4 -MDQxNDE0NDE1M1owHzEdMBsGA1UEAxMUc3d0cG0tbG9jYWxjYS1yb290Y2EwggGi -MA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCr+QDbyew2WXnlSyPiTDaRHlFz -u/YxVXgpHUf1OQjnxg3rsYq87TBa058R5DkqdJwtwIzHL4zlXrK/fq2LDFTeS89v -QSWMx61SayExCCKOQqkTs7jpt8Gy1PNxVeCekyXKwevwRAt0dVebLANwy1xaOlyQ -XpSyCUuJIn1jrmCJIP7yK8EJnOSXuMrH4FZbRC2OkQXmS5AETigZ9lpTxuB2bukp -egf5dNVW3TBW/ugH9/wToSvkisrchv/IHxqGY7tAADo8a31ptJ1uURbeY1tHQtwd -qBuj9t3dWfmzSdC4RTyGzwywTrIgT/xn2bagVCMNzxiAjHthmotNZ7XjNlO6IZMJ -DBJXmk8H8Nf4I8HTNAPRfXYUkVmHx82909PnpC9UV0z/m7v2JSUKvQYHSes+Kan3 -n/Rie7/fOUUGuPhozup5gTauPgVue8YtYGY0DNeLwK5BrImRM9apDuUJQ8LSLa6c -d45SzPp16+GJ6qCKQTEnSdmTyeg1k+L61h+EN80CAwEAAaNDMEEwDwYDVR0TAQH/ -BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBQgKgqYh5ZusCt9ir+P -ME1TjbzXkzANBgkqhkiG9w0BAQsFAAOCAYEAi4Ed2INpqVXvZkoJ/771U+jBS2PQ -IP+2OynmMd0OLFMwcKMds38joRR+K9IVS0z3gFI9uH0hMBtozLI809qTGBV2CLsP -KS0MMSIjtFzxGRKeHqRO8Iys3Z5kxc5dPUP+d9nODDhrUpGTFBuplhD6PpypOrfd -wYgLNhtwcqZ5hVdK/QZ8Ti4ZlrpeMCRMPs6ZVJU/d3YDFZNygCKnDhAlcf+06UG+ -LeqF64FhyokSyn0nflzSziuAmQhiBdY/l6XuOLbK9K9VBVVO1RtfHderc/lvqCs/ -0rmgjPLNfo4nLJNz8gk0SsHmF8ntKx8hcKeepnAFzlM/XvL6faJXXm5axmMNd+kb -Vorqs23oHaqgY0Z9XMm2NjBo3DnkANUDywYVddhcqa+VABl8KjZfal9mIzNT+wY2 -jbFFbRwwkox7+UaZuFdUoxWd4zQEed5pcNeBbrFUrFeLln7Dsn0npYc7UlJpwI7W -+181x87URGPZcu/ykj6XD0wsxonAjXZIIwIb ------END CERTIFICATE----- diff --git a/tests/data/swtpm-localca-rootca-privkey.pem b/tests/data/swtpm-localca-rootca-privkey.pem deleted file mode 100644 index 3e1403b93..000000000 --- a/tests/data/swtpm-localca-rootca-privkey.pem +++ /dev/null 
@@ -1,190 +0,0 @@ -Public Key Info: - Public Key Algorithm: RSA - Key Security Level: High (3072 bits) - -modulus: - 00:ab:f9:00:db:c9:ec:36:59:79:e5:4b:23:e2:4c:36 - 91:1e:51:73:bb:f6:31:55:78:29:1d:47:f5:39:08:e7 - c6:0d:eb:b1:8a:bc:ed:30:5a:d3:9f:11:e4:39:2a:74 - 9c:2d:c0:8c:c7:2f:8c:e5:5e:b2:bf:7e:ad:8b:0c:54 - de:4b:cf:6f:41:25:8c:c7:ad:52:6b:21:31:08:22:8e - 42:a9:13:b3:b8:e9:b7:c1:b2:d4:f3:71:55:e0:9e:93 - 25:ca:c1:eb:f0:44:0b:74:75:57:9b:2c:03:70:cb:5c - 5a:3a:5c:90:5e:94:b2:09:4b:89:22:7d:63:ae:60:89 - 20:fe:f2:2b:c1:09:9c:e4:97:b8:ca:c7:e0:56:5b:44 - 2d:8e:91:05:e6:4b:90:04:4e:28:19:f6:5a:53:c6:e0 - 76:6e:e9:29:7a:07:f9:74:d5:56:dd:30:56:fe:e8:07 - f7:fc:13:a1:2b:e4:8a:ca:dc:86:ff:c8:1f:1a:86:63 - bb:40:00:3a:3c:6b:7d:69:b4:9d:6e:51:16:de:63:5b - 47:42:dc:1d:a8:1b:a3:f6:dd:dd:59:f9:b3:49:d0:b8 - 45:3c:86:cf:0c:b0:4e:b2:20:4f:fc:67:d9:b6:a0:54 - 23:0d:cf:18:80:8c:7b:61:9a:8b:4d:67:b5:e3:36:53 - ba:21:93:09:0c:12:57:9a:4f:07:f0:d7:f8:23:c1:d3 - 34:03:d1:7d:76:14:91:59:87:c7:cd:bd:d3:d3:e7:a4 - 2f:54:57:4c:ff:9b:bb:f6:25:25:0a:bd:06:07:49:eb - 3e:29:a9:f7:9f:f4:62:7b:bf:df:39:45:06:b8:f8:68 - ce:ea:79:81:36:ae:3e:05:6e:7b:c6:2d:60:66:34:0c - d7:8b:c0:ae:41:ac:89:91:33:d6:a9:0e:e5:09:43:c2 - d2:2d:ae:9c:77:8e:52:cc:fa:75:eb:e1:89:ea:a0:8a - 41:31:27:49:d9:93:c9:e8:35:93:e2:fa:d6:1f:84:37 - cd: - -public exponent: - 01:00:01: - -private exponent: - 49:ec:c4:1d:b6:f3:3f:79:bf:18:7d:f0:72:fa:e8:0a - 01:ca:69:c1:c6:d6:f6:32:ad:19:d5:30:e8:cf:97:32 - 60:11:8d:44:62:6a:63:7a:e7:b5:5d:6f:89:d3:62:45 - 30:b5:b0:ce:7e:f6:46:33:2b:0b:7e:5d:03:84:cd:86 - b1:77:fe:0f:37:21:09:44:cc:45:19:03:86:c7:b3:f7 - 9b:ce:c8:57:18:c0:d1:17:1a:cb:7b:50:bb:39:ef:6f - 33:75:a1:02:ab:7d:71:16:70:0e:58:21:32:7f:78:b7 - a0:96:e1:c8:86:8a:f1:cb:f2:ab:4c:d3:68:c6:3e:ac - 5c:6b:a5:bb:59:72:84:21:64:62:67:01:5c:9d:e6:f4 - de:70:20:e5:1a:5e:52:3b:76:a9:92:68:c9:d2:97:f2 - d1:42:91:7d:cf:a7:c0:3d:65:15:b8:0d:ed:8d:b8:bf - 35:31:0a:fb:5f:46:fa:65:49:f2:f2:07:cc:d3:30:53 - 
3d:50:c6:40:93:32:04:ee:e5:a4:32:1b:07:0c:d1:87 - bd:49:cd:0f:c3:df:9e:2c:11:9b:99:e4:e6:83:b4:61 - a6:35:b0:91:46:3f:9c:86:74:c2:f8:2d:0b:e4:b6:9b - 3d:dd:cb:38:d7:73:b3:65:c4:3f:f2:96:09:69:bb:d3 - b0:b3:73:80:66:83:45:48:aa:ef:34:1d:cf:b2:82:9b - e8:9b:29:5a:3a:fd:b2:90:b9:52:be:4a:ea:f3:fd:c1 - 6a:d4:25:d5:79:cf:d9:85:b6:62:d6:da:0b:d0:b2:21 - 26:37:f1:ae:d9:74:cb:35:98:73:40:d5:51:e9:91:dc - b9:94:d2:36:e2:fd:b4:72:fa:e0:6b:a0:c6:c4:e8:fc - 29:d3:2e:94:c5:d2:66:94:34:f9:24:29:6b:f7:ea:bf - 8b:dc:23:5e:04:cd:76:a7:4e:a9:b7:e9:80:cb:be:d1 - 5f:c9:c5:51:ad:b5:f1:3f:af:e9:51:8a:53:c0:d3:d1 - - -prime1: - 00:c7:2a:e9:5e:01:20:1b:cb:84:6b:17:7a:73:90:6a - 5c:41:dc:7d:ee:95:37:34:da:08:9e:c8:51:75:2e:51 - 82:ee:6f:75:50:26:b2:28:ff:fc:d4:da:c1:37:76:84 - 7f:9d:b7:a2:1c:68:6f:96:fd:52:ba:4e:74:bf:02:cc - b6:bd:a8:72:0d:f6:78:1f:98:b4:e0:9b:6f:47:e2:70 - 0f:f2:20:78:0a:c7:e0:61:9e:02:81:7b:40:fe:08:64 - fd:0d:0b:f3:54:4e:65:60:10:29:a4:b4:99:dc:61:f8 - 3b:20:e9:a4:8c:9e:ea:54:b6:96:0e:9f:2e:60:9f:23 - bf:ae:84:01:7f:7a:77:5a:66:d9:73:e0:25:f9:2a:49 - 79:37:28:19:39:3f:3e:ef:94:f3:e7:3f:e2:ef:f5:ab - e0:b5:dd:18:28:3a:23:49:8b:a1:87:8c:e3:0b:f9:ff - 38:c5:36:74:10:14:ca:87:3c:82:0a:83:e6:75:a2:d9 - 7b: - -prime2: - 00:dd:0b:83:d1:10:04:08:39:0a:4c:c2:78:05:b4:70 - 91:4e:b2:66:2b:de:2c:c4:3c:2c:30:17:d3:29:10:cc - fe:79:59:fc:e0:59:ea:26:6c:19:59:15:cd:09:8f:a2 - c9:04:7d:e1:b4:0b:cc:02:cb:88:20:07:ef:49:0f:75 - 71:b3:be:a4:9f:e0:4d:24:bf:d8:7f:a6:f3:e7:e6:a2 - cd:05:bd:cc:44:67:68:67:43:0a:f2:1e:c1:6c:25:2c - 9c:15:27:f0:ef:75:45:d5:f7:c2:4a:65:a5:c1:53:7c - 5a:cf:d1:f4:4a:5f:6e:96:3d:69:82:3c:36:51:04:37 - 96:ff:e5:d5:ae:81:0b:fd:34:ee:13:94:0f:54:e3:3c - 81:d1:2a:c5:4d:bd:3a:86:84:80:47:16:43:7c:ec:53 - 24:01:2e:52:17:ee:c7:6a:d1:77:70:bd:03:b2:4b:62 - ad:20:b5:36:ce:28:4f:89:32:0d:95:6c:e8:45:ee:3d - 57: - -coefficient: - 13:cf:5c:7a:f5:3f:ac:3e:2d:65:b2:66:3c:43:d8:0f - 75:90:e8:02:15:c4:a5:52:73:bd:0e:bb:86:a9:6c:bb - e6:de:f3:4c:d0:4f:67:db:f6:8f:ce:ad:09:52:62:fd 
- b2:44:c1:1d:41:c3:2f:0e:35:5f:83:43:bf:8d:98:9f - 96:01:42:73:9f:01:0e:53:84:14:b9:99:ea:0c:04:14 - f7:53:ac:85:4c:c3:51:e6:0b:96:bd:d8:64:e2:fd:72 - 5a:da:c1:b1:ff:6f:45:31:43:e7:a9:db:a6:9d:13:42 - 26:53:2d:70:86:d8:de:03:53:a0:53:5c:dc:a5:76:6c - 10:c0:67:a8:77:ae:b3:03:28:12:0b:90:f3:ed:76:ff - 08:04:a0:c1:a0:28:52:eb:bd:e5:76:78:5b:2b:92:7c - 19:dd:33:39:2f:a5:6d:09:98:d5:fc:3c:1c:c9:71:14 - 09:e3:02:e4:3d:23:c0:4f:18:c1:c6:99:9e:91:db:2e - - -exp1: - 08:fc:81:ad:11:25:ee:bb:1f:0d:69:f0:c7:78:13:a4 - 78:00:47:da:54:f7:39:b6:40:bf:51:50:83:96:04:6d - 80:ee:9c:7f:72:4f:85:94:0f:47:57:5b:72:72:31:86 - 44:8a:7d:91:04:91:4c:61:bf:b2:d2:49:68:38:eb:1d - af:af:02:fe:68:49:81:3b:75:a5:d0:bd:93:a3:be:e4 - a9:4b:17:bf:7c:c7:3e:00:50:22:a1:7a:0c:3c:3a:ba - 44:35:6e:d4:35:f9:52:fd:47:b3:bb:c6:59:70:3e:30 - 04:cb:25:f6:86:51:12:63:6e:9f:d8:44:d2:6d:3b:c2 - b1:50:19:75:34:04:60:9a:d5:62:ea:11:2c:8d:e0:e4 - cc:3d:4d:ee:0c:51:7d:a3:dd:e1:68:3b:88:12:30:a0 - 21:f4:88:db:7f:cc:09:cc:78:0c:52:aa:07:e7:4e:c1 - b3:fc:41:fe:5b:c1:cb:9a:4a:4f:c9:25:c3:d7:06:33 - - -exp2: - 24:d2:37:3a:0b:25:f0:cc:b7:a7:83:b9:84:91:c3:32 - a1:5e:5c:60:b0:58:da:b3:7f:54:df:93:20:43:19:32 - c6:ba:33:c2:97:97:c6:a0:b9:34:3a:ca:75:ee:44:5a - a1:f1:ea:38:18:c2:fa:30:37:53:c6:9e:98:98:07:a3 - 52:22:ce:bf:87:18:b2:a7:76:84:05:26:9a:19:b4:42 - dc:d2:fa:04:e7:08:e0:32:ad:cf:19:4a:75:1e:58:29 - 03:e9:2c:5c:67:37:a3:e5:ea:aa:83:f6:31:97:1b:9e - f1:01:73:65:34:32:72:ba:76:29:e8:a7:cf:a5:19:31 - 81:1d:23:14:37:90:ec:b3:f5:78:b3:70:3e:5e:c0:04 - 8b:f8:48:f7:a3:2e:ed:9b:82:d6:d4:a1:97:5c:b2:98 - cb:cd:90:85:46:14:57:f9:de:a0:9c:0b:d2:96:76:30 - 8a:c3:45:06:e0:76:27:4f:7c:2d:c8:ff:84:2e:a4:6f - - - -Public Key ID: 20:2A:0A:98:87:96:6E:B0:2B:7D:8A:BF:8F:30:4D:53:8D:BC:D7:93 -Public key's random art: -+--[ RSA 3072]----+ -| | -| . o | -| = o | -|.o.o o o . | -|Bo= . . E | -|** . . . | -|=+. | -|o=... | -|+.==. 
| -+-----------------+ - ------BEGIN RSA PRIVATE KEY----- -MIIG4gIBAAKCAYEAq/kA28nsNll55Usj4kw2kR5Rc7v2MVV4KR1H9TkI58YN67GK -vO0wWtOfEeQ5KnScLcCMxy+M5V6yv36tiwxU3kvPb0EljMetUmshMQgijkKpE7O4 -6bfBstTzcVXgnpMlysHr8EQLdHVXmywDcMtcWjpckF6UsglLiSJ9Y65giSD+8ivB -CZzkl7jKx+BWW0QtjpEF5kuQBE4oGfZaU8bgdm7pKXoH+XTVVt0wVv7oB/f8E6Er -5IrK3Ib/yB8ahmO7QAA6PGt9abSdblEW3mNbR0LcHagbo/bd3Vn5s0nQuEU8hs8M -sE6yIE/8Z9m2oFQjDc8YgIx7YZqLTWe14zZTuiGTCQwSV5pPB/DX+CPB0zQD0X12 -FJFZh8fNvdPT56QvVFdM/5u79iUlCr0GB0nrPimp95/0Ynu/3zlFBrj4aM7qeYE2 -rj4FbnvGLWBmNAzXi8CuQayJkTPWqQ7lCUPC0i2unHeOUsz6devhieqgikExJ0nZ -k8noNZPi+tYfhDfNAgMBAAECggGASezEHbbzP3m/GH3wcvroCgHKacHG1vYyrRnV -MOjPlzJgEY1EYmpjeue1XW+J02JFMLWwzn72RjMrC35dA4TNhrF3/g83IQlEzEUZ -A4bHs/ebzshXGMDRFxrLe1C7Oe9vM3WhAqt9cRZwDlghMn94t6CW4ciGivHL8qtM -02jGPqxca6W7WXKEIWRiZwFcneb03nAg5RpeUjt2qZJoydKX8tFCkX3Pp8A9ZRW4 -De2NuL81MQr7X0b6ZUny8gfM0zBTPVDGQJMyBO7lpDIbBwzRh71JzQ/D354sEZuZ -5OaDtGGmNbCRRj+chnTC+C0L5LabPd3LONdzs2XEP/KWCWm707Czc4Bmg0VIqu80 -Hc+ygpvomylaOv2ykLlSvkrq8/3BatQl1XnP2YW2YtbaC9CyISY38a7ZdMs1mHNA -1VHpkdy5lNI24v20cvrga6DGxOj8KdMulMXSZpQ0+SQpa/fqv4vcI14EzXanTqm3 -6YDLvtFfycVRrbXxP6/pUYpTwNPRAoHBAMcq6V4BIBvLhGsXenOQalxB3H3ulTc0 -2gieyFF1LlGC7m91UCayKP/81NrBN3aEf523ohxob5b9UrpOdL8CzLa9qHIN9ngf -mLTgm29H4nAP8iB4CsfgYZ4CgXtA/ghk/Q0L81ROZWAQKaS0mdxh+Dsg6aSMnupU -tpYOny5gnyO/roQBf3p3WmbZc+Al+SpJeTcoGTk/Pu+U8+c/4u/1q+C13RgoOiNJ -i6GHjOML+f84xTZ0EBTKhzyCCoPmdaLZewKBwQDdC4PREAQIOQpMwngFtHCRTrJm -K94sxDwsMBfTKRDM/nlZ/OBZ6iZsGVkVzQmPoskEfeG0C8wCy4ggB+9JD3Vxs76k -n+BNJL/Yf6bz5+aizQW9zERnaGdDCvIewWwlLJwVJ/DvdUXV98JKZaXBU3xaz9H0 -Sl9ulj1pgjw2UQQ3lv/l1a6BC/007hOUD1TjPIHRKsVNvTqGhIBHFkN87FMkAS5S -F+7HatF3cL0DsktirSC1Ns4oT4kyDZVs6EXuPVcCgcAI/IGtESXuux8NafDHeBOk -eABH2lT3ObZAv1FQg5YEbYDunH9yT4WUD0dXW3JyMYZEin2RBJFMYb+y0kloOOsd -r68C/mhJgTt1pdC9k6O+5KlLF798xz4AUCKhegw8OrpENW7UNflS/Uezu8ZZcD4w -BMsl9oZREmNun9hE0m07wrFQGXU0BGCa1WLqESyN4OTMPU3uDFF9o93haDuIEjCg -IfSI23/MCcx4DFKqB+dOwbP8Qf5bwcuaSk/JJcPXBjMCgcAk0jc6CyXwzLeng7mE 
-kcMyoV5cYLBY2rN/VN+TIEMZMsa6M8KXl8aguTQ6ynXuRFqh8eo4GML6MDdTxp6Y -mAejUiLOv4cYsqd2hAUmmhm0QtzS+gTnCOAyrc8ZSnUeWCkD6SxcZzej5eqqg/Yx -lxue8QFzZTQycrp2Keinz6UZMYEdIxQ3kOyz9XizcD5ewASL+Ej3oy7tm4LW1KGX -XLKYy82QhUYUV/neoJwL0pZ2MIrDRQbgdidPfC3I/4QupG8CgcATz1x69T+sPi1l -smY8Q9gPdZDoAhXEpVJzvQ67hqlsu+be80zQT2fb9o/OrQlSYv2yRMEdQcMvDjVf -g0O/jZiflgFCc58BDlOEFLmZ6gwEFPdTrIVMw1HmC5a92GTi/XJa2sGx/29FMUPn -qdumnRNCJlMtcIbY3gNToFNc3KV2bBDAZ6h3rrMDKBILkPPtdv8IBKDBoChS673l -dnhbK5J8Gd0zOS+lbQmY1fw8HMlxFAnjAuQ9I8BPGMHGmZ6R2y4= ------END RSA PRIVATE KEY----- diff --git a/tests/test_swtpm_cert b/tests/test_swtpm_cert index 4b095ee50..cada40978 100755 --- a/tests/test_swtpm_cert +++ b/tests/test_swtpm_cert 
@@ -1,127 +1,62 @@
 #!/usr/bin/env bash
-# For the license, see the LICENSE file in the root directory.
-
-ROOT=${abs_top_builddir:-$(dirname "$0")/..}
-TESTDIR=${abs_top_testdir:=$(dirname "$0")}
-
-source "${TESTDIR}/common"
-
-trap "cleanup" SIGTERM EXIT
+cd "$(dirname "$0")" || exit 1
+TMPDIR=$(mktemp -d) || exit 1
 function cleanup()
 {
- rm -f "${cert}" "${pwdfile}"
-}
-
-cert="$(mktemp)" || exit 1
-pwdfile="$(mktemp)" || exit 1
-
-function check_cert_size()
-{
- local cert="$1"
- local exp="$2"
-
- local size
-
- size=$(get_filesize "${cert}")
- if [ "$size" -ne "$exp" ]; then
- echo "Warning: Certificate file has unexpected size."
- echo " Expected: $exp; found: $size"
- fi
+ rm -rf "${TMPDIR}"
 }
+trap "cleanup" SIGTERM EXIT
-if ! VARNAME=password ${SWTPM_CERT} \
- --signkey "${TESTDIR}/data/signkey-encrypted.pem" \
- --signkey-pwd env:VARNAME \
- --issuercert "${TESTDIR}/data/issuercert.pem" \
- --out-cert "${cert}" \
- --modulus 'b9dda830729de58f9f5bed2b3b9394ad4ec5afb9c390b89a3337250cbc575cfc8f31f7ffd3f05f4155076f7d1605381cd281b7f147b801154e4f89ee529fe36eae50f79561850e5b63037edaacbb390ea3fcd037e674fb179e3c5afe31214d78a756ca44cc6cf25421b51420ede548310c92b08a513ccc62fd0ef45dcf6546f6e865be6a661d045d1c47b60b428d11dc97cb9f35ee7c385bb20320934b015f8014e8fb19851c2af307e1e64648c142175e40b60615dc494fdb09ea5d5a6f3273b65a241e3cf30cc449b9fb3f900d1ed4be967b32b16f95a1d732dbfa143eaa1c2017556117f70faee5d77f836705d05405361ad5871a32161fa5a1234cfab497' \
- --days 3650 \
- --pem \
- --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \
- --tpm-spec-family 1.2 --tpm-spec-revision 123 --tpm-spec-level 321; then
- echo "Error: ${SWTPM_CERT} returned error code."
- exit 1
-fi
-
-#expecting size to be constant
-check_cert_size "${cert}" 1395
-
-# truncate result file
-echo -n > "${cert}"
-echo "Test 1: OK"
-
-if ! ${SWTPM_CERT} \
- --signkey "${TESTDIR}/data/signkey-encrypted.pem" \
- --signkey-pwd file:<(echo -en "password") \
- --issuercert "${TESTDIR}/data/issuercert.pem" \
- --out-cert "${cert}" \
- --modulus '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' \
- --days 3650 \
- --subject "OU=foo,L=NewYork,ST=NY,C=US" \
- --pem \
- --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \
- --tpm-spec-family 1.2 --tpm-spec-revision 123 --tpm-spec-level 321; then
- echo "Error: ${SWTPM_CERT} returned error code."
- exit 1
-fi
-
-#expecting size to be constant
-check_cert_size "${cert}" 1395
-
-# truncate result file
-echo -n > "${cert}"
-echo "Test 2: OK"
-
-if ! ${SWTPM_CERT} \
- --signkey "${TESTDIR}/data/signkey-encrypted.pem" \
- --signkey-pwd pass:password \
- --issuercert "${TESTDIR}/data/issuercert.pem" \
- --out-cert "${cert}" \
- --pubkey "${TESTDIR}/data/pubek.pem" \
- --days 3650 \
- --subject "OU=foo,L=NewYork,ST=NY,C=US" \
- --pem \
- --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \
- --tpm-spec-family 1.2 --tpm-spec-revision 123 --tpm-spec-level 321; then
- echo "Error: ${SWTPM_CERT} returned error code."
- exit 1
-fi
-
-#expecting size to be constant
-check_cert_size "${cert}" 1460
-
-# truncate result file
-echo -n > "${cert}"
-echo "Test 3: OK"
-
-
-###################### Platform Certificate #####################
-
-echo -en "password" > "${pwdfile}"
-exec 100<"${pwdfile}"
-if ! ${SWTPM_CERT} \
- --type platform \
- --signkey "${TESTDIR}/data/signkey-encrypted.pem" \
- --signkey-pwd fd:100 \
- --issuercert "${TESTDIR}/data/issuercert.pem" \
- --pubkey "${TESTDIR}/data/pubek.pem" \
- --out-cert "${cert}" \
- --days 3650 \
- --subject "OU=foo,L=NewYork,ST=NY,C=US" \
- --pem \
- --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \
- --platform-manufacturer Fedora \
- --platform-model QEMU \
- --platform-version 2.1; then
- echo "Error: ${SWTPM_CERT} returned error code."
+# CA:
+CACERT=${TMPDIR}/swtpm-localca-rootca-cert.pem
+CAKEY=${TMPDIR}/swtpm-localca-rootca-privkey.pem
+
+# EK keys:
+RSAPRIVKEY=${TMPDIR}/rsaprivkey.pem
+RSAPUBKEY=${TMPDIR}/rsapubkey.pem
+
+# RSA 3072 key used for signing
+RSA3072ENCRYPTED_PRIVKEY=${TMPDIR}/rsa3072privkey.pem
+RSA3072ENCRYPTED_PUBKEY=${TMPDIR}/rsa3072pubkey.pem
+ISSUERCERT_RSA3072ENCRYPTED_PRIVKEY=${TMPDIR}/rsa3072privkeyissuercert.pem
+
+if ! msg=$(openssl genrsa -out "${RSAPRIVKEY}" 2432 2>&1) ||
+ ! msg=$(openssl rsa -in "${RSAPRIVKEY}" -pubout -out "${RSAPUBKEY}" 2>&1) ||
+ ! msg=$(openssl req \
+ -x509 \
+ -new \
+ -noenc \
+ -keyout "${CAKEY}" \
+ -newkey rsa:3072 \
+ -sha256 \
+ -days 365 \
+ -out "${CACERT}" \
+ -subj "/CN=swtpm-localca-rootca" 2>&1) || \
+ ! msg=$(openssl genrsa -out "${RSA3072ENCRYPTED_PRIVKEY}" -aes256 -passout pass:password 3072 2>&1) || \
+ ! msg=$(openssl rsa -in "${RSA3072ENCRYPTED_PRIVKEY}" -pubout -passin pass:password -out "${RSA3072ENCRYPTED_PUBKEY}" 2>&1) || \
+ ! msg=$(openssl req \
+ -x509 \
+ -key "${RSA3072ENCRYPTED_PRIVKEY}" \
+ -passin pass:password \
+ -out "${ISSUERCERT_RSA3072ENCRYPTED_PRIVKEY}" \
+ -days 1000 \
+ -subj "/CN=swtpm-localca" \
+ -CA "${CACERT}" \
+ -CAkey "${CAKEY}" 2>&1);
+then
+ echo "Could not create the required keys"
+ echo "${msg}"
 exit 1
 fi
-#expecting size to be constant
-check_cert_size "${cert}" 1489
+PARAM_RSAPUBKEY="${RSAPUBKEY}" \
+PARAM_PASSWORD=password \
+PARAM_SIGNKEY_ENCRYPTED="${RSA3072ENCRYPTED_PRIVKEY}" \
+PARAM_ISSUERCERT="${ISSUERCERT_RSA3072ENCRYPTED_PRIVKEY}" \
+ ./_test_swtpm_cert
+ret=$?
+[ $ret -ne 0 ] && [ $ret -ne 77 ] && exit $ret
-# truncate result file
-echo -n > "${cert}"
-echo "Test 4: OK"
+exit 0
diff --git a/tests/test_tpm2_swtpm_cert b/tests/test_tpm2_swtpm_cert
index b7e51042d..bd4670421 100755
--- a/tests/test_tpm2_swtpm_cert
+++ b/tests/test_tpm2_swtpm_cert
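Review bot: A SKIP from the child test is reported as PASS: `[ $ret -ne 0 ] && [ $ret -ne 77 ] && exit $ret` lets an exit status of 77 fall through to the final `exit 0`, so the automake harness never sees the skip; `[ $ret -eq 77 ] && exit 77` before `exit 0` keeps the result honest, and the test_tpm2_swtpm_cert hunk below has the same pattern twice, where a skipped flag set by either run would do. The script also assigns the conventional `TMPDIR` name; when the caller already exports TMPDIR, bash keeps the export attribute on the reassignment, so `./_test_swtpm_cert` and any `mktemp` it runs are silently redirected into this script's directory, which a name such as `WORKDIR` avoids. Generating the CA and signing keys into the `mktemp -d` directory and removing them in the trap, instead of shipping private keys in tests/data, is the right move for a test fixture, and the `pass:password` arguments are fine here because the keys exist only for the duration of the run.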
@@ -1,261 +1,95 @@
 #!/usr/bin/env bash
-# For the license, see the LICENSE file in the root directory.
-
-ROOT=${abs_top_builddir:-$(dirname "$0")/..}
-TESTDIR=${abs_top_testdir:-$(dirname "$0")}
-
-source "${TESTDIR}/common"
-
-cert="$(mktemp)" || exit 1
-
-trap "cleanup" SIGTERM EXIT
-
+cd "$(dirname "$0")" || exit 1
+TMPDIR=$(mktemp -d) || exit 1
 function cleanup()
 {
- rm -f "${cert}"
+ rm -rf "${TMPDIR}"
 }
+trap "cleanup" SIGTERM EXIT
-function check_cert_size()
-{
- local cert="$1"
- local exp="$2"
-
- local size
-
- size=$(get_filesize "${cert}")
- if [ "$size" -ne "$exp" ]; then
- echo "Warning: Certificate file has unexpected size."
- echo " Expected: $exp; found: $size"
- fi
-}
-
-if ! ${SWTPM_CERT} \
- --tpm2 \
- --allow-signing \
- --signkey "${TESTDIR}/data/signkey.pem" \
- --issuercert "${TESTDIR}/data/issuercert.pem" \
- --out-cert "${cert}" \
- --modulus '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' \
- --days 3650 \
- --pem \
- --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \
- --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0; then
- echo "Error: ${SWTPM_CERT} returned error code."
- exit 1
-fi
-
-#expecting size to be constant
-check_cert_size "${cert}" 1395
-
-# truncate result file
-echo -n > "${cert}"
-echo "Test 1: OK"
-
-if ! ${SWTPM_CERT} \
- --tpm2 \
- --signkey "${TESTDIR}/data/signkey.pem" \
- --issuercert "${TESTDIR}/data/issuercert.pem" \
- --out-cert "${cert}" \
- --modulus 'b9dda830729de58f9f5bed2b3b9394ad4ec5afb9c390b89a3337250cbc575cfc8f31f7ffd3f05f4155076f7d1605381cd281b7f147b801154e4f89ee529fe36eae50f79561850e5b63037edaacbb390ea3fcd037e674fb179e3c5afe31214d78a756ca44cc6cf25421b51420ede548310c92b08a513ccc62fd0ef45dcf6546f6e865be6a661d045d1c47b60b428d11dc97cb9f35ee7c385bb20320934b015f8014e8fb19851c2af307e1e64648c142175e40b60615dc494fdb09ea5d5a6f3273b65a241e3cf30cc449b9fb3f900d1ed4be967b32b16f95a1d732dbfa143eaa1c2017556117f70faee5d77f836705d05405361ad5871a32161fa5a1234cfab497' \
- --days 3650 \
- --subject "OU=foo,L=NewYork,ST=NY,C=US" \
- --pem \
- --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \
- --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0; then
- echo "Error: ${SWTPM_CERT} returned error code."
- exit 1
-fi
-
-#expecting size to be constant
-check_cert_size "${cert}" 1472
-
-# truncate result file
-echo -n > "${cert}"
-echo "Test 2: OK"
-
-if ! ${SWTPM_CERT} \
- --tpm2 \
- --signkey "${TESTDIR}/data/signkey.pem" \
- --issuercert "${TESTDIR}/data/issuercert.pem" \
- --out-cert "${cert}" \
- --pubkey "${TESTDIR}/data/pubek.pem" \
- --days 3650 \
- --subject "OU=foo,L=NewYork,ST=NY,C=US" \
- --pem \
- --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \
- --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0; then
- echo "Error: ${SWTPM_CERT} returned error code."
- exit 1
-fi
-
-#expecting size to be constant
-check_cert_size "${cert}" 1537
-
-# truncate result file
-echo -n > "${cert}"
-echo "Test 3: OK"
-
-
-###################### Platform Certificate #####################
-
-if ! ${SWTPM_CERT} \
- --tpm2 \
- --type platform \
- --signkey "${TESTDIR}/data/signkey.pem" \
- --issuercert "${TESTDIR}/data/issuercert.pem" \
- --pubkey "${TESTDIR}/data/pubek.pem" \
- --out-cert "${cert}" \
- --days 3650 \
- --subject "OU=foo,L=NewYork,ST=NY,C=US" \
- --pem \
- --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \
- --platform-manufacturer Fedora \
- --platform-model QEMU \
- --platform-version 2.1; then
- echo "Error: ${SWTPM_CERT} returned error code."
- exit 1
-fi
-
-#expecting size to be constant
-check_cert_size "${cert}" 1484
-
-# truncate result file
-echo -n > "${cert}"
-echo "Test 4: OK"
-
-###################### IAK Certificate #####################
-
-serial=1234:5678
-if ! ${SWTPM_CERT} \
- --tpm2 \
- --type iak \
- --signkey "${TESTDIR}/data/signkey.pem" \
- --issuercert "${TESTDIR}/data/issuercert.pem" \
- --pubkey "${TESTDIR}/data/pubek.pem" \
- --out-cert "${cert}" \
- --days 3650 \
- --subject "serialNumber=${serial}" \
- --pem \
- --tpm-serial-num "${serial}" \
- --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 2; then
- echo "Error: ${SWTPM_CERT} returned error code."
- exit 1
-fi
-
-ac=$(openssl x509 -in "${cert}" -noout -text |
- sed -n "s/.*Subject: serialNumber[[:space:]]*=[[:space:]]*\(.*\)$/\1/p")
-if [ "${ac}" != "${serial}" ]; then
- echo "Error: Could not find serial number in Subject line"
- echo "expected: ${serial}"
- echo "actual : ${ac}"
- exit 1
-fi
-
-if ! openssl x509 -in "${cert}" -noout -text |
- grep -A1 "Key Usage:" |
- grep -q "Digital Signature"; then
- echo "Error: IAK certificate must indicate Digital Signature"
- exit 1
-fi
-
-#expecting size to be constant
-check_cert_size "${cert}" 1375
-
-# truncate result file
-echo -n > "${cert}"
-echo "Test 5: OK"
-
-###################### IDevID Certificate #####################
-
-serial=1234:5678
-if ! ${SWTPM_CERT} \
- --tpm2 \
- --type idevid \
- --signkey "${TESTDIR}/data/signkey.pem" \
- --issuercert "${TESTDIR}/data/issuercert.pem" \
- --pubkey "${TESTDIR}/data/pubek.pem" \
- --out-cert "${cert}" \
- --days 3650 \
- --subject "serialNumber=${serial}" \
- --pem \
- --tpm-serial-num "${serial}" \
- --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 2; then
- echo "Error: ${SWTPM_CERT} returned error code."
- exit 1
-fi
-
-ac=$(openssl x509 -in "${cert}" -noout -text |
- sed -n "s/.*Subject: serialNumber[[:space:]]*=[[:space:]]*\(.*\)$/\1/p")
-if [ "${ac}" != "${serial}" ]; then
- echo "Error: Could not find serial number in Subject line"
- echo "expected: ${serial}"
- echo "actual : ${ac}"
- exit 1
-fi
-
-if ! openssl x509 -in "${cert}" -noout -text |
- grep -A1 "Key Usage:" |
- grep -q "Digital Signature"; then
- echo "Error: IDevID certificate must indicate Digital Signature"
+# CA:
+CACERT=${TMPDIR}/swtpm-localca-rootca-cert.pem
+CAKEY=${TMPDIR}/swtpm-localca-rootca-privkey.pem
+
+# EK keys:
+RSAPRIVKEY=${TMPDIR}/rsaprivkey.pem
+RSAPUBKEY=${TMPDIR}/rsapubkey.pem
+EC256PRIVKEY=${TMPDIR}/ec256privkey.pem
+EC256PUBKEY=${TMPDIR}/ec256pubkey.pem
+
+# secp521r1 key used for signing
+EC521PRIVKEY=${TMPDIR}/ec521privkey.pem
+EC521PUBKEY=${TMPDIR}/ec521pubkey.pem
+ISSUERCERT_EC521=${TMPDIR}/ec521-issuercert.pem
+
+# RSA 3072 key used for signing
+RSA3072PRIVKEY=${TMPDIR}/rsa3072privkey.pem
+RSA3072PUBKEY=${TMPDIR}/rsa3072pubkey.pem
+ISSUERCERT_RSA3072=${TMPDIR}/rsa3072-issuercert.pem
+
+if ! msg=$(openssl genrsa -out "${RSAPRIVKEY}" 2432 2>&1) ||
+ ! msg=$(openssl rsa -in "${RSAPRIVKEY}" -pubout -out "${RSAPUBKEY}" 2>&1) ||
+ ! msg=$(openssl ecparam -name prime256v1 -genkey -noout -out "${EC256PRIVKEY}" 2>&1) || \
+ ! msg=$(openssl ec -in "${EC256PRIVKEY}" -pubout -out "${EC256PUBKEY}" 2>&1) || \
+ ! msg=$(openssl req \
+ -x509 \
+ -new \
+ -noenc \
+ -keyout "${CAKEY}" \
+ -newkey rsa:3072 \
+ -sha256 \
+ -days 365 \
+ -out "${CACERT}" \
+ -subj "/CN=swtpm-localca-rootca" 2>&1) || \
+ ! msg=$(openssl ecparam -name secp521r1 -genkey -noout -out "${EC521PRIVKEY}" 2>&1) || \
+ ! msg=$(openssl ec -in "${EC521PRIVKEY}" -pubout -out "${EC521PUBKEY}" 2>&1) || \
+ ! msg=$(openssl req \
+ -x509 \
+ -key "${EC521PRIVKEY}" \
+ -out "${ISSUERCERT_EC521}" \
+ -days 1000 \
+ -subj "/CN=swtpm-localca" \
+ -CA "${CACERT}" \
+ -CAkey "${CAKEY}" 2>&1) || \
+ ! msg=$(openssl genrsa -out "${RSA3072PRIVKEY}" 3072 2>&1) || \
+ ! msg=$(openssl rsa -in "${RSA3072PRIVKEY}" -pubout -out "${RSA3072PUBKEY}" 2>&1) || \
+ ! msg=$(openssl req \
+ -x509 \
+ -key "${RSA3072PRIVKEY}" \
+ -out "${ISSUERCERT_RSA3072}" \
+ -days 1000 \
+ -subj "/CN=swtpm-localca" \
+ -CA "${CACERT}" \
+ -CAkey "${CAKEY}" 2>&1) \
+; then
+ echo "Could not create the required keys"
+ echo "${msg}"
 exit 1
 fi
-#expecting size to be constant
-check_cert_size "${cert}" 1375
+echo "Testing with RSA certificate signing key"
-# truncate result file
-echo -n > "${cert}"
-echo "Test 6: OK"
+PARAM_RSAPUBKEY="${RSAPUBKEY}" \
+PARAM_ECPUBKEY="${EC256PUBKEY}" \
+PARAM_SIGNKEY="${RSA3072PRIVKEY}" \
+PARAM_ISSUERCERT="${ISSUERCERT_RSA3072}" \
+PARAM_CERT_SIZES="1046 841 1092 841 1057 806 973 973 1112" \
+ ./_test_tpm2_swtpm_cert
+ret=$?
+[ $ret -ne 0 ] && [ $ret -ne 77 ] && exit $ret
-####################### max. serial number #####################
-# max. serial number -- must pass
-if ! ${SWTPM_CERT} \
- --tpm2 \
- --signkey "${TESTDIR}/data/signkey.pem" \
- --issuercert "${TESTDIR}/data/issuercert.pem" \
- --out-cert "${cert}" \
- --pubkey "${TESTDIR}/data/pubek.pem" \
- --days 3650 \
- --subject "OU=foo,L=NewYork,ST=NY,C=US" \
- --pem \
- --serial 1461501637330902918203684832716283019655932542975 \
- --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \
- --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0; then
- echo "Error: ${SWTPM_CERT} failed with max. serial number."
- exit 1
-fi
-tmp=$(openssl x509 -in "${cert}" -noout -text |
- grep -A1 "Serial Number:" |
- tail -n1 |
- sed -n 's/[[:space:]]*\([[:xdigit:]:]*\)/\1/p')
-exp="ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff"
-if [ "${tmp}" != "${exp}" ]; then
- echo "Error: unexpected serial number in cert"
- echo "expected: ${exp}"
- echo "actual : ${tmp}"
- exit 1
-fi
+printf "\nTesting with secp521r1 certificate signing key\n"
-# max. serial number + 1 -- must fail
-if ${SWTPM_CERT} \
- --tpm2 \
- --signkey "${TESTDIR}/data/signkey.pem" \
- --issuercert "${TESTDIR}/data/issuercert.pem" \
- --out-cert "${cert}" \
- --pubkey "${TESTDIR}/data/pubek.pem" \
- --days 3650 \
- --subject "OU=foo,L=NewYork,ST=NY,C=US" \
- --pem \
- --serial 1461501637330902918203684832716283019655932542976 \
- --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \
- --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0; then
- echo "Error: ${SWTPM_CERT} should have failed with max. serial number + 1."
- exit 1
-fi
+PARAM_RSAPUBKEY="${RSAPUBKEY}" \
+PARAM_ECPUBKEY="${EC256PUBKEY}" \
+PARAM_SIGNKEY="${EC521PRIVKEY}" \
+PARAM_ISSUERCERT="${ISSUERCERT_EC521}" \
+PARAM_CERT_SIZES="792-794 588-589 838-840 587-589 804-805 552-554 720-721 720-721 859-860" \
+ ./_test_tpm2_swtpm_cert
+ret=$?
+[ $ret -ne 0 ] && [ $ret -ne 77 ] && exit $ret
-# truncate result file
-echo -n > "${cert}"
-echo "Test 7: OK"
+exit 0
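Review bot: The key-generation chain at the top of the hunk turns a missing or too-old `openssl` binary into a test failure instead of a skip: `-noenc` is the OpenSSL 3.x spelling of `-nodes`, so on a host whose CLI predates 3.0 the first `openssl req` fails and the script exits 1 with "Could not create the required keys", even though the build requirement from the first patch of this series is about libcrypto, not the command-line tool. A guard such as `command -v openssl >/dev/null 2>&1 || exit 77` before the chain (ideally with a version check) would report the environment problem as SKIP, which is what the 77 handling further down is already designed to pass through. The `PARAM_CERT_SIZES` values are now tied to keys generated at run time: the secp521r1 list uses ranges, presumably because ECDSA DER signature lengths vary, while the RSA list is exact, so a short comment above each list stating how the numbers were derived and why one of them needs ranges would help whoever next has to update them. The max-serial-number checks this hunk removes (`--serial 1461501637330902918203684832716283019655932542975` and the +1 case that must fail) are not visible in the new code; if they moved into `_test_tpm2_swtpm_cert` a sentence in the commit message saying so would avoid the impression that the boundary test was dropped.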
diff --git a/tests/test_tpm2_swtpm_cert_ecc b/tests/test_tpm2_swtpm_cert_ecc
deleted file mode 100755
index baf2848f3..000000000
--- a/tests/test_tpm2_swtpm_cert_ecc
+++ /dev/null
@@ -1,127 +0,0 @@ -#!/usr/bin/env bash - -# For the license, see the LICENSE file in the root directory. - -ROOT=${abs_top_builddir:-$(dirname "$0")/..} -TESTDIR=${abs_top_testdir:-$(dirname "$0")} - -source "${TESTDIR}/common" - -cert="$(mktemp)" || exit 1 - -trap "cleanup" SIGTERM EXIT - - -function cleanup() -{ - rm -f "${cert}" -} - -function check_cert_size() -{ - local cert="$1" - local exp="$2" - - local size - - size=$(get_filesize "${cert}") - if [ "$size" -ne "$exp" ]; then - echo "Warning: Certificate file has unexpected size." - echo " Expected: $exp; found: $size" - fi -} - -if ! ${SWTPM_CERT} \ - --tpm2 \ - --signkey "${TESTDIR}/data/signkey.pem" \ - --issuercert "${TESTDIR}/data/issuercert.pem" \ - --out-cert "${cert}" \ - --ecc-x 61eaf811ea582656ca2a835dd1b9cd63eb196d7ff62711d6e9b8f85e580a47ca \ - --ecc-y a51efdc71fd6c791a24a75beb50526aa81b44cc598e65b2d5e116084aea4cb5b \ - --days 3650 \ - --pem \ - --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 2.0 \ - --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0; then - echo "Error: ${SWTPM_CERT} returned error code." - exit 1 -fi - -#expecting size to be constant -check_cert_size "${cert}" 1119 - -# truncate result file -echo -n > "${cert}" -echo "Test 1: OK" - -if ! ${SWTPM_CERT} \ - --tpm2 \ - --signkey "${TESTDIR}/data/signkey.pem" \ - --issuercert "${TESTDIR}/data/issuercert.pem" \ - --out-cert "${cert}" \ - --ecc-x 61eaf811ea582656ca2a835dd1b9cd63eb196d7ff62711d6e9b8f85e580a47ca \ - --ecc-y a51efdc71fd6c791a24a75beb50526aa81b44cc598e65b2d5e116084aea4cb5b \ - --days 3650 \ - --subject "OU=foo,L=NewYork,ST=NY,C=US" \ - --pem \ - --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \ - --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0; then - echo "Error: ${SWTPM_CERT} returned error code." - exit 1 -fi - -#expecting size to be constant -check_cert_size "${cert}" 1196 - -# truncate result file -echo -n > "${cert}" -echo "Test 2: OK" - -if ! 
${SWTPM_CERT} \ - --tpm2 \ - --signkey "${TESTDIR}/data/signkey.pem" \ - --issuercert "${TESTDIR}/data/issuercert.pem" \ - --out-cert "${cert}" \ - --pubkey "${TESTDIR}/data/ecpubek.pem" \ - --days 3650 \ - --subject "OU=foo,L=NewYork,ST=NY,C=US" \ - --pem \ - --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \ - --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0; then - echo "Error: ${SWTPM_CERT} returned error code." - exit 1 -fi - -#expecting size to be constant -check_cert_size "${cert}" 1196 - -# truncate result file -echo -n > "${cert}" -echo "Test 3: OK" - - -###################### Platform Certificate ##################### - -if ! ${SWTPM_CERT} \ - --tpm2 \ - --type platform \ - --signkey "${TESTDIR}/data/signkey.pem" \ - --issuercert "${TESTDIR}/data/issuercert.pem" \ - --pubkey "${TESTDIR}/data/ecpubek.pem" \ - --out-cert "${cert}" \ - --days 3650 \ - --subject "OU=foo,L=NewYork,ST=NY,C=US" \ - --pem \ - --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \ - --platform-manufacturer Fedora \ - --platform-model QEMU \ - --platform-version 2.1; then - echo "Error: ${SWTPM_CERT} returned error code." - exit 1 -fi - -#expecting size to be constant -check_cert_size "${cert}" 1143 - -# truncate result file -echo -n > "${cert}" -echo "Test 4: OK"