Tests: Add intermediate certificate tests to the sign-verify cases
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
This commit is contained in:
James Bottomley
parent
df27a417b9
commit
6c2b07fa1c
5 changed files with 70 additions and 13 deletions
|
|
@ -3,6 +3,10 @@ AUTOMAKE_OPTIONS = parallel-tests
|
|||
|
||||
test_key = private-key.rsa
|
||||
test_cert = public-cert.pem
|
||||
ca_key = ca-key.ec
|
||||
ca_cert = ca-cert.pem
|
||||
int_key = int-key.ec
|
||||
int_cert = int-cert.pem
|
||||
test_arches = $(EFI_ARCH)
|
||||
|
||||
check_PROGRAMS = test.pecoff
|
||||
|
|
@ -31,11 +35,25 @@ check_SCRIPTS = test-wrapper.sh
|
|||
|
||||
AM_CFLAGS=-fpic -I/usr/include/efi -I/usr/include/efi/$(EFI_ARCH)
|
||||
|
||||
$(test_key): Makefile
|
||||
%.rsa: Makefile
|
||||
openssl genrsa -out $@ 2048
|
||||
|
||||
$(test_cert): $(test_key) Makefile
|
||||
openssl req -x509 -sha256 -subj '/' -new -key $< -out $@
|
||||
%.ec: Makefile
|
||||
openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -out $@
|
||||
|
||||
$(ca_cert): $(ca_key) Makefile
|
||||
openssl req -x509 -days 1 -sha256 -subj '/CN=CA Key/' -new -key $< -out $@
|
||||
|
||||
$(int_cert): $(int_key) $(ca_cert) Makefile
|
||||
openssl req -new -subj '/CN=Intermediate Certificate/' -key $< -out tmp.req
|
||||
echo -e "[ca]\nbasicConstraints = critical, CA:true\n" > ca.cnf
|
||||
openssl x509 -req -sha256 -CA $(ca_cert) -CAkey $(ca_key) -in tmp.req -set_serial 1 -days 1 -extfile ca.cnf -extensions ca -out $@
|
||||
-rm -f tmp.req ca.cnf
|
||||
|
||||
$(test_cert): $(test_key) $(int_cert) Makefile
|
||||
openssl req -new -subj '/CN=Signer Certificate/' -key $< -out tmp.req
|
||||
openssl x509 -req -sha256 -CA $(int_cert) -CAkey $(int_key) -in tmp.req -set_serial 1 -days 1 -out $@
|
||||
-rm -f tmp.req
|
||||
|
||||
TESTS = sign-verify.sh \
|
||||
sign-verify-detached.sh \
|
||||
|
|
@ -65,4 +83,5 @@ AM_TESTS_ENVIRONMENT = TEST_ARCHES='$(test_arches)'; export TEST_ARCHES;
|
|||
SH_LOG_COMPILER = $(srcdir)/test-wrapper.sh
|
||||
|
||||
EXTRA_DIST = test.S $(TESTS) $(check_SCRIPTS)
|
||||
CLEANFILES = $(test_key) $(test_cert)
|
||||
CLEANFILES = $(test_key) $(test_cert) $(int_key) $(int_cert) $(ca_key) \
|
||||
$(ca_cert)
|
||||
|
|
|
|||
|
|
@ -3,7 +3,19 @@
|
|||
sig="test.sig"
|
||||
signed="test.signed"
|
||||
|
||||
"$sbsign" --cert "$cert" --key "$key" --detached --output "$sig" "$image"
|
||||
cp "$image" "$signed"
|
||||
"$sbattach" --attach "$sig" "$signed"
|
||||
"$sbverify" --cert "$cert" "$signed"
|
||||
"$sbsign" --cert "$cert" --key "$key" --detached --output "$sig" "$image" || exit 1
|
||||
cp "$image" "$signed" || exit 1
|
||||
"$sbattach" --attach "$sig" "$signed" || exit 1
|
||||
"$sbverify" --cert "$cert" "$signed" || exit 1
|
||||
"$sbverify" --cert "$intcert" "$signed" || exit 1
|
||||
# there's no intermediate cert in the image so it can't chain to the ca which
|
||||
# is why this should fail
|
||||
"$sbverify" --cert "$cacert" "$signed" && exit 1
|
||||
|
||||
# now add intermediates
|
||||
"$sbsign" --cert "$cert" --key "$key" --addcert "$intcert" --detached --output "$sig" "$image" || exit 1
|
||||
cp "$image" "$signed" || exit 1
|
||||
"$sbattach" --attach "$sig" "$signed" || exit 1
|
||||
"$sbverify" --cert "$cert" "$signed" || exit 1
|
||||
"$sbverify" --cert "$intcert" "$signed" || exit 1
|
||||
"$sbverify" --cert "$cacert" "$signed" || exit 1
|
||||
|
|
|
|||
|
|
@ -2,5 +2,16 @@
|
|||
|
||||
sig="test.sig"
|
||||
|
||||
"$sbsign" --cert "$cert" --key "$key" --detached --output $sig "$image"
|
||||
"$sbverify" --cert "$cert" --detached $sig "$image"
|
||||
"$sbsign" --cert "$cert" --key "$key" --detached --output $sig "$image" || exit 1
|
||||
"$sbverify" --cert "$cert" --detached $sig "$image" || exit 1
|
||||
"$sbverify" --cert "$intcert" --detached $sig "$image" || exit 1
|
||||
# should fail because no intermediate
|
||||
"$sbverify" --cert "$cacert" --detached $sig "$image" && exit 1
|
||||
|
||||
# now make sure everything succeeds with the intermediate added
|
||||
"$sbsign" --cert "$cert" --key "$key" --addcert "$intcert" --detached --output $sig "$image" || exit 1
|
||||
"$sbverify" --cert "$cert" --detached $sig "$image" || exit 1
|
||||
"$sbverify" --cert "$intcert" --detached $sig "$image" || exit 1
|
||||
"$sbverify" --cert "$cacert" --detached $sig "$image" || exit 1
|
||||
|
||||
exit 0
|
||||
|
|
|
|||
|
|
@ -2,5 +2,16 @@
|
|||
|
||||
signed="test.signed"
|
||||
|
||||
"$sbsign" --cert "$cert" --key "$key" --output "$signed" "$image"
|
||||
"$sbverify" --cert "$cert" "$signed"
|
||||
"$sbsign" --cert "$cert" --key "$key" --output "$signed" "$image" || exit 1
|
||||
"$sbverify" --cert "$cert" "$signed" || exit 1
|
||||
"$sbverify" --cert "$intcert" "$signed" || exit 1
|
||||
# there's no intermediate cert in the image so it can't chain to the ca which
|
||||
# is why this should fail
|
||||
"$sbverify" --cert "$cacert" "$signed" && exit 1
|
||||
|
||||
# now add the intermediates and each level should succeed
|
||||
"$sbsign" --cert "$cert" --addcert "$intcert" --key "$key" --output "$signed" "$image" || exit 1
|
||||
"$sbverify" --cert "$cert" "$signed" || exit 1
|
||||
"$sbverify" --cert "$intcert" "$signed" || exit 1
|
||||
"$sbverify" --cert "$cacert" "$signed" || exit 1
|
||||
|
||||
|
|
|
|||
|
|
@ -11,8 +11,12 @@ sbattach=$bindir/sbattach
|
|||
|
||||
key="$datadir/private-key.rsa"
|
||||
cert="$datadir/public-cert.pem"
|
||||
intkey="$datadir/int-key.ec"
|
||||
intcert="$datadir/int-cert.pem"
|
||||
cakey="$datadir/ca-key.ec"
|
||||
cacert="$datadir/ca-cert.pem"
|
||||
|
||||
export basedir datadir bindir sbsign sbverify sbattach key cert
|
||||
export basedir datadir bindir sbsign sbverify sbattach key cert intkey intcert cakey cacert
|
||||
|
||||
# 'test' needs to be an absolute path, as we will cd to a temporary
|
||||
# directory before running the test
|
||||
|
|
|
|||
Loading…
Reference in a new issue