vbatts/sbsigntools
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Tests: Add intermediate certificate tests to the sign-verify cases

Browse source 
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
This commit is contained in:
James Bottomley 2020-06-05 18:34:55 -07:00
parent df27a417b9
commit 6c2b07fa1c
5 changed files with 70 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
tests/Makefile.am
View file

@ -3,6 +3,10 @@ AUTOMAKE_OPTIONS = parallel-tests
test_key = private-key.rsa test_key = private-key.rsa
test_cert = public-cert.pem test_cert = public-cert.pem
ca_key = ca-key.ec
ca_cert = ca-cert.pem
int_key = int-key.ec
int_cert = int-cert.pem
test_arches = $(EFI_ARCH) test_arches = $(EFI_ARCH)
check_PROGRAMS = test.pecoff check_PROGRAMS = test.pecoff
@ -31,11 +35,25 @@ check_SCRIPTS = test-wrapper.sh
AM_CFLAGS=-fpic -I/usr/include/efi -I/usr/include/efi/$(EFI_ARCH) AM_CFLAGS=-fpic -I/usr/include/efi -I/usr/include/efi/$(EFI_ARCH)
$(test_key): Makefile %.rsa: Makefile
openssl genrsa -out $@ 2048 openssl genrsa -out $@ 2048
$(test_cert): $(test_key) Makefile %.ec: Makefile
openssl req -x509 -sha256 -subj '/' -new -key $< -out $@ openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -out $@
$(ca_cert): $(ca_key) Makefile
openssl req -x509 -days 1 -sha256 -subj '/CN=CA Key/' -new -key $< -out $@
$(int_cert): $(int_key) $(ca_cert) Makefile
openssl req -new -subj '/CN=Intermediate Certificate/' -key $< -out tmp.req
echo -e "[ca]\nbasicConstraints = critical, CA:true\n" > ca.cnf
openssl x509 -req -sha256 -CA $(ca_cert) -CAkey $(ca_key) -in tmp.req -set_serial 1 -days 1 -extfile ca.cnf -extensions ca -out $@
-rm -f tmp.req ca.cnf
$(test_cert): $(test_key) $(int_cert) Makefile
openssl req -new -subj '/CN=Signer Certificate/' -key $< -out tmp.req
openssl x509 -req -sha256 -CA $(int_cert) -CAkey $(int_key) -in tmp.req -set_serial 1 -days 1 -out $@
-rm -f tmp.req
TESTS = sign-verify.sh \ TESTS = sign-verify.sh \
sign-verify-detached.sh \ sign-verify-detached.sh \
@ -65,4 +83,5 @@ AM_TESTS_ENVIRONMENT = TEST_ARCHES='$(test_arches)'; export TEST_ARCHES;
SH_LOG_COMPILER = $(srcdir)/test-wrapper.sh SH_LOG_COMPILER = $(srcdir)/test-wrapper.sh
EXTRA_DIST = test.S $(TESTS) $(check_SCRIPTS) EXTRA_DIST = test.S $(TESTS) $(check_SCRIPTS)
CLEANFILES = $(test_key) $(test_cert) CLEANFILES = $(test_key) $(test_cert) $(int_key) $(int_cert) $(ca_key) \
$(ca_cert)

20
tests/sign-attach-verify.sh
View file

@ -3,7 +3,19 @@
sig="test.sig" sig="test.sig"
signed="test.signed" signed="test.signed"
"$sbsign" --cert "$cert" --key "$key" --detached --output "$sig" "$image" "$sbsign" --cert "$cert" --key "$key" --detached --output "$sig" "$image" || exit 1
cp "$image" "$signed" cp "$image" "$signed" || exit 1
"$sbattach" --attach "$sig" "$signed" "$sbattach" --attach "$sig" "$signed" || exit 1
"$sbverify" --cert "$cert" "$signed" "$sbverify" --cert "$cert" "$signed" || exit 1
"$sbverify" --cert "$intcert" "$signed" || exit 1
# there's no intermediate cert in the image so it can't chain to the ca which
# is why this should fail
"$sbverify" --cert "$cacert" "$signed" && exit 1
# now add intermediates
"$sbsign" --cert "$cert" --key "$key" --addcert "$intcert" --detached --output "$sig" "$image" || exit 1
cp "$image" "$signed" || exit 1
"$sbattach" --attach "$sig" "$signed" || exit 1
"$sbverify" --cert "$cert" "$signed" || exit 1
"$sbverify" --cert "$intcert" "$signed" || exit 1
"$sbverify" --cert "$cacert" "$signed" || exit 1

15
tests/sign-verify-detached.sh
View file

@ -2,5 +2,16 @@
sig="test.sig" sig="test.sig"
"$sbsign" --cert "$cert" --key "$key" --detached --output $sig "$image" "$sbsign" --cert "$cert" --key "$key" --detached --output $sig "$image" || exit 1
"$sbverify" --cert "$cert" --detached $sig "$image" "$sbverify" --cert "$cert" --detached $sig "$image" || exit 1
"$sbverify" --cert "$intcert" --detached $sig "$image" || exit 1
# should fail because no intermediate
"$sbverify" --cert "$cacert" --detached $sig "$image" && exit 1
# now make sure everything succeeds with the intermediate added
"$sbsign" --cert "$cert" --key "$key" --addcert "$intcert" --detached --output $sig "$image" || exit 1
"$sbverify" --cert "$cert" --detached $sig "$image" || exit 1
"$sbverify" --cert "$intcert" --detached $sig "$image" || exit 1
"$sbverify" --cert "$cacert" --detached $sig "$image" || exit 1
exit 0

15
tests/sign-verify.sh
View file

@ -2,5 +2,16 @@
signed="test.signed" signed="test.signed"
"$sbsign" --cert "$cert" --key "$key" --output "$signed" "$image" "$sbsign" --cert "$cert" --key "$key" --output "$signed" "$image" || exit 1
"$sbverify" --cert "$cert" "$signed" "$sbverify" --cert "$cert" "$signed" || exit 1
"$sbverify" --cert "$intcert" "$signed" || exit 1
# there's no intermediate cert in the image so it can't chain to the ca which
# is why this should fail
"$sbverify" --cert "$cacert" "$signed" && exit 1
# now add the intermediates and each level should succeed
"$sbsign" --cert "$cert" --addcert "$intcert" --key "$key" --output "$signed" "$image" || exit 1
"$sbverify" --cert "$cert" "$signed" || exit 1
"$sbverify" --cert "$intcert" "$signed" || exit 1
"$sbverify" --cert "$cacert" "$signed" || exit 1

6
tests/test-wrapper.sh
View file

@ -11,8 +11,12 @@ sbattach=$bindir/sbattach
key="$datadir/private-key.rsa" key="$datadir/private-key.rsa"
cert="$datadir/public-cert.pem" cert="$datadir/public-cert.pem"
intkey="$datadir/int-key.ec"
intcert="$datadir/int-cert.pem"
cakey="$datadir/ca-key.ec"
cacert="$datadir/ca-cert.pem"
export basedir datadir bindir sbsign sbverify sbattach key cert export basedir datadir bindir sbsign sbverify sbattach key cert intkey intcert cakey cacert
# 'test' needs to be an absolute path, as we will cd to a temporary # 'test' needs to be an absolute path, as we will cd to a temporary
# directory before running the test # directory before running the test