diff --git a/tests/Makefile.am b/tests/Makefile.am
index a6606f0..93f46e2 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -3,6 +3,10 @@ AUTOMAKE_OPTIONS = parallel-tests
 test_key = private-key.rsa
 test_cert = public-cert.pem
+ca_key = ca-key.ec
+ca_cert = ca-cert.pem
+int_key = int-key.ec
+int_cert = int-cert.pem
 test_arches = $(EFI_ARCH)
 check_PROGRAMS = test.pecoff
@@ -31,11 +35,25 @@ check_SCRIPTS = test-wrapper.sh
 AM_CFLAGS=-fpic -I/usr/include/efi -I/usr/include/efi/$(EFI_ARCH)
-$(test_key): Makefile
+%.rsa: Makefile
 openssl genrsa -out $@ 2048
-$(test_cert): $(test_key) Makefile
- openssl req -x509 -sha256 -subj '/' -new -key $< -out $@
+%.ec: Makefile
+ openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -out $@
+
+$(ca_cert): $(ca_key) Makefile
+ openssl req -x509 -days 1 -sha256 -subj '/CN=CA Key/' -new -key $< -out $@
+
+$(int_cert): $(int_key) $(ca_cert) Makefile
+ openssl req -new -subj '/CN=Intermediate Certificate/' -key $< -out tmp.req
+ echo -e "[ca]\nbasicConstraints = critical, CA:true\n" > ca.cnf
+ openssl x509 -req -sha256 -CA $(ca_cert) -CAkey $(ca_key) -in tmp.req -set_serial 1 -days 1 -extfile ca.cnf -extensions ca -out $@
+ -rm -f tmp.req ca.cnf
+
+$(test_cert): $(test_key) $(int_cert) Makefile
+ openssl req -new -subj '/CN=Signer Certificate/' -key $< -out tmp.req
+ openssl x509 -req -sha256 -CA $(int_cert) -CAkey $(int_key) -in tmp.req -set_serial 1 -days 1 -out $@
+ -rm -f tmp.req
 TESTS = sign-verify.sh \
 sign-verify-detached.sh \
@@ -65,4 +83,5 @@ AM_TESTS_ENVIRONMENT = TEST_ARCHES='$(test_arches)'; export TEST_ARCHES;
 SH_LOG_COMPILER = $(srcdir)/test-wrapper.sh
 EXTRA_DIST = test.S $(TESTS) $(check_SCRIPTS)
-CLEANFILES = $(test_key) $(test_cert)
+CLEANFILES = $(test_key) $(test_cert) $(int_key) $(int_cert) $(ca_key) \
+ $(ca_cert)
diff --git a/tests/sign-attach-verify.sh b/tests/sign-attach-verify.sh
index 2ae6e70..21ed6db 100755
--- a/tests/sign-attach-verify.sh
+++ b/tests/sign-attach-verify.sh
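Review bot: The `echo -e` in the `$(int_cert)` recipe of tests/Makefile.am is not portable: make runs recipes with /bin/sh by default, and a shell whose builtin echo does not take `-e` (dash, for example) writes `-e [ca]` as the first line of ca.cnf, so the `-extensions ca` lookup is likely to fail and no intermediate certificate gets built. `printf '[ca]\nbasicConstraints = critical, CA:true\n' > ca.cnf` gives the same file under any POSIX shell. tmp.req and ca.cnf are fixed names that are removed only when every earlier recipe line succeeds, and the CLEANFILES hunk does not list them, so a failed run leaves them in the build directory. With `-days 1` the whole chain expires a day after it is generated; whether an older build tree then fails `make check` depends on sbverify enforcing validity dates, which is not visible here.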
@@ -3,7 +3,19 @@
 sig="test.sig"
 signed="test.signed"
-"$sbsign" --cert "$cert" --key "$key" --detached --output "$sig" "$image"
-cp "$image" "$signed"
-"$sbattach" --attach "$sig" "$signed"
-"$sbverify" --cert "$cert" "$signed"
+"$sbsign" --cert "$cert" --key "$key" --detached --output "$sig" "$image" || exit 1
+cp "$image" "$signed" || exit 1
+"$sbattach" --attach "$sig" "$signed" || exit 1
+"$sbverify" --cert "$cert" "$signed" || exit 1
+"$sbverify" --cert "$intcert" "$signed" || exit 1
+# there's no intermediate cert in the image so it can't chain to the ca which
+# is why this should fail
+"$sbverify" --cert "$cacert" "$signed" && exit 1
+
+# now add intermediates
+"$sbsign" --cert "$cert" --key "$key" --addcert "$intcert" --detached --output "$sig" "$image" || exit 1
+cp "$image" "$signed" || exit 1
+"$sbattach" --attach "$sig" "$signed" || exit 1
+"$sbverify" --cert "$cert" "$signed" || exit 1
+"$sbverify" --cert "$intcert" "$signed" || exit 1
+"$sbverify" --cert "$cacert" "$signed" || exit 1
diff --git a/tests/sign-verify-detached.sh b/tests/sign-verify-detached.sh
index 7b045e4..d2959be 100755
--- a/tests/sign-verify-detached.sh
+++ b/tests/sign-verify-detached.sh
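Review bot: Negative coverage in tests/sign-attach-verify.sh is thin: the only expected failure is the CA check before `--addcert`, and once the intermediate is added every verification is expected to succeed, so a regression that made sbverify accept any `--cert` would still pass. A control that verifies the final image against an unrelated self-signed certificate and requires failure would close that gap; it needs one more generated certificate in tests/Makefile.am. The existing check, `"$sbverify" --cert "$cacert" "$signed" && exit 1`, also treats any non-zero exit (unreadable certificate, usage error, crash) as the rejection under test and leaves no message in the log; `if "$sbverify" --cert "$cacert" "$signed"; then echo "verified against CA without intermediate" >&2; exit 1; fi` at least records why the test failed. The same applies to the hunks in tests/sign-verify-detached.sh and tests/sign-verify.sh.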
@@ -2,5 +2,16 @@
 sig="test.sig"
-"$sbsign" --cert "$cert" --key "$key" --detached --output $sig "$image"
-"$sbverify" --cert "$cert" --detached $sig "$image"
+"$sbsign" --cert "$cert" --key "$key" --detached --output $sig "$image" || exit 1
+"$sbverify" --cert "$cert" --detached $sig "$image" || exit 1
+"$sbverify" --cert "$intcert" --detached $sig "$image" || exit 1
+# should fail because no intermediate
+"$sbverify" --cert "$cacert" --detached $sig "$image" && exit 1
+
+# now make sure everything succeeds with the intermediate added
+"$sbsign" --cert "$cert" --key "$key" --addcert "$intcert" --detached --output $sig "$image" || exit 1
+"$sbverify" --cert "$cert" --detached $sig "$image" || exit 1
+"$sbverify" --cert "$intcert" --detached $sig "$image" || exit 1
+"$sbverify" --cert "$cacert" --detached $sig "$image" || exit 1
+
+exit 0
diff --git a/tests/sign-verify.sh b/tests/sign-verify.sh
index cf493f3..a61aff8 100755
--- a/tests/sign-verify.sh
+++ b/tests/sign-verify.sh
@@ -2,5 +2,16 @@
 signed="test.signed"
-"$sbsign" --cert "$cert" --key "$key" --output "$signed" "$image"
-"$sbverify" --cert "$cert" "$signed"
+"$sbsign" --cert "$cert" --key "$key" --output "$signed" "$image" || exit 1
+"$sbverify" --cert "$cert" "$signed" || exit 1
+"$sbverify" --cert "$intcert" "$signed" || exit 1
+# there's no intermediate cert in the image so it can't chain to the ca which
+# is why this should fail
+"$sbverify" --cert "$cacert" "$signed" && exit 1
+
+# now add the intermediates and each level should succeed
+"$sbsign" --cert "$cert" --addcert "$intcert" --key "$key" --output "$signed" "$image" || exit 1
+"$sbverify" --cert "$cert" "$signed" || exit 1
+"$sbverify" --cert "$intcert" "$signed" || exit 1
+"$sbverify" --cert "$cacert" "$signed" || exit 1
+
diff --git a/tests/test-wrapper.sh b/tests/test-wrapper.sh
index b9c6cf1..4ef6710 100755
--- a/tests/test-wrapper.sh
+++ b/tests/test-wrapper.sh
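Review bot: In tests/sign-verify-detached.sh every added command passes `$sig` unquoted (`--output $sig`, `--detached $sig`) while all other expansions on the same lines are quoted, and tests/sign-attach-verify.sh quotes it; write `--output "$sig"` and `--detached "$sig"`. The value is a fixed name set at the top of the script, so this is a consistency point today, but an unquoted expansion would word-split and glob if the name ever came from the environment. The trailing `exit 0` is redundant, because the last command already ends in `|| exit 1` and leaves status 0 on success.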
@@ -11,8 +11,12 @@ sbattach=$bindir/sbattach
 key="$datadir/private-key.rsa"
 cert="$datadir/public-cert.pem"
+intkey="$datadir/int-key.ec"
+intcert="$datadir/int-cert.pem"
+cakey="$datadir/ca-key.ec"
+cacert="$datadir/ca-cert.pem"
-export basedir datadir bindir sbsign sbverify sbattach key cert
+export basedir datadir bindir sbsign sbverify sbattach key cert intkey intcert cakey cacert
 # 'test' needs to be an absolute path, as we will cd to a temporary
 # directory before running the test
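Review bot: `intkey` and `cakey` are exported to every test in tests/test-wrapper.sh, but none of the scripts changed in this commit reads them; they use only `$intcert` and `$cacert`. If no other test needs the CA and intermediate private keys, drop them so the line becomes `export basedir datadir bindir sbsign sbverify sbattach key cert intcert cacert`. The four new paths also repeat file names that tests/Makefile.am sets in `ca_key`, `ca_cert`, `int_key` and `int_cert`, so a rename there has to be mirrored here by hand; a comment such as `# file names must match ca_key/ca_cert/int_key/int_cert in Makefile.am` above the assignments would make that visible. The script continues outside the hunk.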