diff --git a/configure.ac b/configure.ac index 29927a7..8a5340a 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT([sbsigntool], [0.9.3], [James.Bottomley@HansenPartnership.com]) +AC_INIT([sbsigntool], [0.9.5], [James.Bottomley@HansenPartnership.com]) AM_INIT_AUTOMAKE() @@ -55,9 +55,12 @@ AC_DEFINE_UNQUOTED(HAVE_LITTLE_ENDIAN, $little_endian, [Little-endian system]) AC_DEFINE_UNQUOTED(HAVE_BIG_ENDIAN, $big_endian, [Big-endian system]) PKG_PROG_PKG_CONFIG() -PKG_CHECK_MODULES(libcrypto, libcrypto, - [], - AC_MSG_ERROR([libcrypto (from the OpenSSL package) is required])) +PKG_CHECK_MODULES(libcrypto, [libcrypto >= 3.0.0], + [ac_have_openssl3=1], + [PKG_CHECK_MODULES(libcrypto, libcrypto, + [], + AC_MSG_ERROR([libcrypto (from the OpenSSL package) is required]))]) +AM_CONDITIONAL(HAVE_OPENSSL3, test "$ac_have_openssl3" = "1") PKG_CHECK_MODULES(uuid, uuid, [], @@ -65,7 +68,7 @@ PKG_CHECK_MODULES(uuid, uuid, dnl gnu-efi headers require extra include dirs EFI_ARCH=$(uname -m | sed 's/i.86/ia32/;s/arm.*/arm/') -AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aarch64" ]) +AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aarch64" -o "$EFI_ARCH" = riscv64 ]) ## # no consistent view of where gnu-efi should dump the efi stuff, so find it diff --git a/docs/Makefile.am b/docs/Makefile.am index 1b5a588..89ed110 100644 --- a/docs/Makefile.am +++ b/docs/Makefile.am @@ -1,8 +1,9 @@ -man1_MANS = sbsign.1 sbverify.1 sbattach.1 sbvarsign.1 sbsiglist.1 +man1_MANS = sbsign.1 sbverify.1 sbattach.1 sbvarsign.1 sbsiglist.1 \ + sbkeysync.1 EXTRA_DIST = sbsign.1.in sbverify.1.in sbattach.1.in \ - sbvarsign.1.in sbsiglist.1.in + sbvarsign.1.in sbsiglist.1.in sbkeysync.1.in CLEANFILES = $(man1_MANS) $(builddir)/%.1: $(srcdir)/%.1.in $(top_builddir)/src/% diff --git a/docs/sbkeysync.1.in b/docs/sbkeysync.1.in new file mode 100644 index 0000000..00aa509 --- /dev/null +++ b/docs/sbkeysync.1.in @@ -0,0 +1,2 @@ +[name] +sbkeysync - UEFI secure boot key synchronization tool diff --git a/src/Makefile.am b/src/Makefile.am index 19a7766..38f93ff 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -4,10 +4,14 @@ bin_PROGRAMS = sbsign sbverify sbattach sbvarsign sbsiglist sbkeysync coff_headers = coff/external.h coff/pe.h AM_CFLAGS = -Wall -Wextra --std=gnu99 +if HAVE_OPENSSL3 +AM_CFLAGS += -DOPENSSL_API_COMPAT=0x10100000L +endif + common_SOURCES = idc.c idc.h image.c image.h fileio.c fileio.h \ efivars.h $(coff_headers) common_LDADD = ../lib/ccan/libccan.a $(libcrypto_LIBS) -common_CFLAGS = -I$(top_srcdir)/lib/ccan/ +common_CFLAGS = -I$(top_srcdir)/lib/ccan/ -Werror sbsign_SOURCES = sbsign.c $(common_SOURCES) sbsign_LDADD = $(common_LDADD) diff --git a/src/coff/pe.h b/src/coff/pe.h index 0d1036e..198f23d 100644 --- a/src/coff/pe.h +++ b/src/coff/pe.h @@ -152,6 +152,7 @@ #define IMAGE_FILE_MACHINE_TRICORE 0x0520 #define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169 #define IMAGE_FILE_MACHINE_AARCH64 0xaa64 +#define IMAGE_FILE_MACHINE_RISCV64 0x5064 #define IMAGE_SUBSYSTEM_UNKNOWN 0 #define IMAGE_SUBSYSTEM_NATIVE 1 diff --git a/src/idc.c b/src/idc.c index 236cefd..0a82218 100644 --- a/src/idc.c +++ b/src/idc.c @@ -189,7 +189,7 @@ int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO *si, struct image *image) idc->data->type = OBJ_nid2obj(peid_nid); idc->data->value = ASN1_TYPE_new(); - type_set_sequence(image, idc->data->value, peid, &IDC_PEID_it); + type_set_sequence(image, idc->data->value, peid, ASN1_ITEM_rptr(IDC_PEID)); idc->digest->alg->parameter = ASN1_TYPE_new(); idc->digest->alg->algorithm = OBJ_nid2obj(NID_sha256); @@ -238,7 +238,11 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio) /* extract the idc from the signed PKCS7 'other' data */ str = p7->d.sign->contents->d.other->value.asn1_string; +#if OPENSSL_VERSION_NUMBER < 0x10100000L idcbuf = buf = ASN1_STRING_data(str); +#else + idcbuf = buf = ASN1_STRING_get0_data(str); +#endif idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str)); /* If we were passed a BIO, write the idc data, minus type and length, @@ -289,7 +293,11 @@ int IDC_check_hash(struct idc *idc, struct image *image) } /* check hash against the one we calculated from the image */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L buf = ASN1_STRING_data(str); +#else + buf = ASN1_STRING_get0_data(str); +#endif if (memcmp(buf, sha, sizeof(sha))) { fprintf(stderr, "Hash doesn't match image\n"); fprintf(stderr, " got: %s\n", sha256_str(buf)); diff --git a/src/image.c b/src/image.c index 3ada37b..a828b5a 100644 --- a/src/image.c +++ b/src/image.c @@ -239,6 +239,7 @@ static int image_pecoff_parse(struct image *image) switch (magic) { case IMAGE_FILE_MACHINE_AMD64: case IMAGE_FILE_MACHINE_AARCH64: + case IMAGE_FILE_MACHINE_RISCV64: rc = image_pecoff_parse_64(image); break; case IMAGE_FILE_MACHINE_I386: diff --git a/src/sbattach.c b/src/sbattach.c index a0c01b8..809e24c 100644 --- a/src/sbattach.c +++ b/src/sbattach.c @@ -233,7 +233,11 @@ int main(int argc, char **argv) ERR_load_crypto_strings(); OpenSSL_add_all_digests(); +#if OPENSSL_VERSION_NUMBER < 0x10100000L OPENSSL_config(NULL); +#else + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); +#endif /* here we may get highly unlikely failures or we'll get a * complaint about FIPS signatures (usually becuase the FIPS * module isn't present). In either case ignore the errors diff --git a/src/sbkeysync.c b/src/sbkeysync.c index 7b17f40..7748990 100644 --- a/src/sbkeysync.c +++ b/src/sbkeysync.c @@ -54,9 +54,11 @@ #include "fileio.h" #include "efivars.h" +static struct statfs statfstype; + #define EFIVARS_MOUNTPOINT "/sys/firmware/efi/efivars" -#define PSTORE_FSTYPE 0x6165676C -#define EFIVARS_FSTYPE 0xde5e81e4 +#define PSTORE_FSTYPE ((typeof(statfstype.f_type))0x6165676C) +#define EFIVARS_FSTYPE ((typeof(statfstype.f_type))0xde5e81e4) #define EFI_IMAGE_SECURITY_DATABASE_GUID \ { 0xd719b2cb, 0x3d3a, 0x4596, \ @@ -208,7 +210,11 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len) goto out; key->id_len = ASN1_STRING_length(serial); +#if OPENSSL_VERSION_NUMBER < 0x10100000L key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len); +#else + key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len); +#endif key->description = talloc_array(key, char, description_len); X509_NAME_oneline(X509_get_subject_name(x509), @@ -883,10 +889,12 @@ int main(int argc, char **argv) { bool use_default_keystore_dirs; struct sync_context *ctx; + int rc; use_default_keystore_dirs = true; ctx = talloc_zero(NULL, struct sync_context); list_head_init(&ctx->new_keys); + rc = EXIT_SUCCESS; for (;;) { int idx, c; @@ -930,7 +938,11 @@ int main(int argc, char **argv) ERR_load_crypto_strings(); OpenSSL_add_all_digests(); OpenSSL_add_all_ciphers(); +#if OPENSSL_VERSION_NUMBER < 0x10100000L OPENSSL_config(NULL); +#else + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); +#endif /* here we may get highly unlikely failures or we'll get a * complaint about FIPS signatures (usually becuase the FIPS * module isn't present). In either case ignore the errors @@ -975,10 +987,10 @@ int main(int argc, char **argv) if (ctx->verbose) print_new_keys(ctx); - if (!ctx->dry_run) - insert_new_keys(ctx); + if (!ctx->dry_run && insert_new_keys(ctx)) + rc = EXIT_FAILURE; talloc_free(ctx); - return EXIT_SUCCESS; + return rc; } diff --git a/src/sbsign.c b/src/sbsign.c index ff1fdfd..898fe66 100644 --- a/src/sbsign.c +++ b/src/sbsign.c @@ -49,6 +49,8 @@ #include #include #include +#include +#include #include @@ -75,6 +77,7 @@ static struct option options[] = { { "help", no_argument, NULL, 'h' }, { "version", no_argument, NULL, 'V' }, { "engine", required_argument, NULL, 'e'}, + { "addcert", required_argument, NULL, 'a'}, { NULL, 0, NULL, 0 }, }; @@ -88,6 +91,7 @@ static void usage(void) "\t--key signing key (PEM-encoded RSA " "private key)\n" "\t--cert certificate (x509 certificate)\n" + "\t--addcert additional intermediate certificates in a file\n" "\t--detached write a detached signature, instead of\n" "\t a signed binary\n" "\t--output write signed data to \n" @@ -112,9 +116,43 @@ static void set_default_outfilename(struct sign_context *ctx) ctx->infilename, extension); } +static int add_intermediate_certs(PKCS7 *p7, const char *filename) +{ + STACK_OF(X509_INFO) *certs; + X509_INFO *cert; + BIO *bio = NULL; + int i; + + bio = BIO_new(BIO_s_file()); + if (!bio || BIO_read_filename(bio, filename) <=0) { + fprintf(stderr, + "error in reading intermediate certificates file\n"); + ERR_print_errors_fp(stderr); + return -1; + } + + certs = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL); + if (!certs) { + fprintf(stderr, + "error in parsing intermediate certificates file\n"); + ERR_print_errors_fp(stderr); + return -1; + } + + for (i = 0; i < sk_X509_INFO_num(certs); i++) { + cert = sk_X509_INFO_value(certs, i); + PKCS7_add_certificate(p7, cert->x509); + } + + sk_X509_INFO_pop_free(certs, X509_INFO_free); + BIO_free_all(bio); + + return 0; +} + int main(int argc, char **argv) { - const char *keyfilename, *certfilename, *engine; + const char *keyfilename, *certfilename, *addcertfilename, *engine; struct sign_context *ctx; uint8_t *buf, *tmp; int rc, c, sigsize; @@ -124,11 +162,12 @@ int main(int argc, char **argv) keyfilename = NULL; certfilename = NULL; + addcertfilename = NULL; engine = NULL; for (;;) { int idx; - c = getopt_long(argc, argv, "o:c:k:dvVhe:", options, &idx); + c = getopt_long(argc, argv, "o:c:k:dvVhe:a:", options, &idx); if (c == -1) break; @@ -157,6 +196,9 @@ int main(int argc, char **argv) case 'e': engine = optarg; break; + case 'a': + addcertfilename = optarg; + break; } } @@ -189,9 +231,14 @@ int main(int argc, char **argv) talloc_steal(ctx, ctx->image); ERR_load_crypto_strings(); + ERR_load_BIO_strings(); OpenSSL_add_all_digests(); OpenSSL_add_all_ciphers(); +#if OPENSSL_VERSION_NUMBER < 0x10100000L OPENSSL_config(NULL); +#else + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); +#endif /* here we may get highly unlikely failures or we'll get a * complaint about FIPS signatures (usually becuase the FIPS * module isn't present). In either case ignore the errors @@ -228,6 +275,9 @@ int main(int argc, char **argv) if (rc) return EXIT_FAILURE; + if (addcertfilename && add_intermediate_certs(p7, addcertfilename)) + return EXIT_FAILURE; + sigsize = i2d_PKCS7(p7, NULL); tmp = buf = talloc_array(ctx->image, uint8_t, sigsize); i2d_PKCS7(p7, &tmp); diff --git a/src/sbvarsign.c b/src/sbvarsign.c index 273fd0d..58031ec 100644 --- a/src/sbvarsign.c +++ b/src/sbvarsign.c @@ -105,7 +105,6 @@ static uint32_t default_attrs = EFI_VARIABLE_NON_VOLATILE | static uint32_t attr_invalid = 0xffffffffu; static const char *attr_prefix = "EFI_VARIABLE_"; -static const EFI_GUID default_guid = EFI_GLOBAL_VARIABLE; static const EFI_GUID cert_pkcs7_guid = EFI_CERT_TYPE_PKCS7_GUID; static void set_default_outfilename(struct varsign_context *ctx) @@ -252,7 +251,7 @@ static int add_auth_descriptor(struct varsign_context *ctx) md = EVP_get_digestbyname("SHA256"); p7 = PKCS7_new(); - flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP;; + flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP | PKCS7_NOATTR;; PKCS7_set_type(p7, NID_pkcs7_signed); PKCS7_content_new(p7, NID_pkcs7_data); @@ -333,7 +332,7 @@ int write_signed(struct varsign_context *ctx, int include_attrs) printf("Wrote signed data:\n"); if (include_attrs) { i = sizeof(ctx->var_attrs); - printf(" [%04zx:%04zx] attrs\n", 0l, i); + printf(" [%04lx:%04zx] attrs\n", 0l, i); } printf(" [%04zx:%04x] authentication descriptor\n", @@ -513,7 +512,11 @@ int main(int argc, char **argv) OpenSSL_add_all_digests(); OpenSSL_add_all_ciphers(); ERR_load_crypto_strings(); +#if OPENSSL_VERSION_NUMBER < 0x10100000L OPENSSL_config(NULL); +#else + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); +#endif /* here we may get highly unlikely failures or we'll get a * complaint about FIPS signatures (usually becuase the FIPS * module isn't present). In either case ignore the errors diff --git a/src/sbverify.c b/src/sbverify.c index 3920d91..8f14f35 100644 --- a/src/sbverify.c +++ b/src/sbverify.c @@ -210,8 +210,7 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx) == XKU_CODE_SIGN) status = 1; - else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY || - err == X509_V_ERR_CERT_UNTRUSTED || + else if (err == X509_V_ERR_CERT_UNTRUSTED || err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT || err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) { /* all certs given with the --cert argument are trusted */ @@ -221,6 +220,7 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx) } else if (err == X509_V_ERR_CERT_HAS_EXPIRED || err == X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD || err == X509_V_ERR_CERT_NOT_YET_VALID || + err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY || err == X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD) /* UEFI explicitly allows expired certificates */ status = 1; @@ -239,7 +239,7 @@ int main(int argc, char **argv) uint8_t *sig_buf; size_t sig_size; struct idc *idc; - bool verbose; + int verbose; BIO *idcbio; PKCS7 *p7; int sig_count = 0; @@ -247,12 +247,16 @@ int main(int argc, char **argv) status = VERIFY_FAIL; certs = X509_STORE_new(); list = 0; - verbose = false; + verbose = 0; detached_sig_filename = NULL; OpenSSL_add_all_digests(); ERR_load_crypto_strings(); +#if OPENSSL_VERSION_NUMBER < 0x10100000L OPENSSL_config(NULL); +#else + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); +#endif /* here we may get highly unlikely failures or we'll get a * complaint about FIPS signatures (usually becuase the FIPS * module isn't present). In either case ignore the errors @@ -278,7 +282,7 @@ int main(int argc, char **argv) list = 1; break; case 'v': - verbose = true; + verbose++; break; case 'V': version(); @@ -333,7 +337,8 @@ int main(int argc, char **argv) if (verbose || list) { print_signature_info(p7); - //print_certificate_store_certs(certs); + if (verbose > 1) + print_certificate_store_certs(certs); } if (list) diff --git a/tests/Makefile.am b/tests/Makefile.am index a6606f0..93f46e2 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -3,6 +3,10 @@ AUTOMAKE_OPTIONS = parallel-tests test_key = private-key.rsa test_cert = public-cert.pem +ca_key = ca-key.ec +ca_cert = ca-cert.pem +int_key = int-key.ec +int_cert = int-cert.pem test_arches = $(EFI_ARCH) check_PROGRAMS = test.pecoff @@ -31,11 +35,25 @@ check_SCRIPTS = test-wrapper.sh AM_CFLAGS=-fpic -I/usr/include/efi -I/usr/include/efi/$(EFI_ARCH) -$(test_key): Makefile +%.rsa: Makefile openssl genrsa -out $@ 2048 -$(test_cert): $(test_key) Makefile - openssl req -x509 -sha256 -subj '/' -new -key $< -out $@ +%.ec: Makefile + openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -out $@ + +$(ca_cert): $(ca_key) Makefile + openssl req -x509 -days 1 -sha256 -subj '/CN=CA Key/' -new -key $< -out $@ + +$(int_cert): $(int_key) $(ca_cert) Makefile + openssl req -new -subj '/CN=Intermediate Certificate/' -key $< -out tmp.req + echo -e "[ca]\nbasicConstraints = critical, CA:true\n" > ca.cnf + openssl x509 -req -sha256 -CA $(ca_cert) -CAkey $(ca_key) -in tmp.req -set_serial 1 -days 1 -extfile ca.cnf -extensions ca -out $@ + -rm -f tmp.req ca.cnf + +$(test_cert): $(test_key) $(int_cert) Makefile + openssl req -new -subj '/CN=Signer Certificate/' -key $< -out tmp.req + openssl x509 -req -sha256 -CA $(int_cert) -CAkey $(int_key) -in tmp.req -set_serial 1 -days 1 -out $@ + -rm -f tmp.req TESTS = sign-verify.sh \ sign-verify-detached.sh \ @@ -65,4 +83,5 @@ AM_TESTS_ENVIRONMENT = TEST_ARCHES='$(test_arches)'; export TEST_ARCHES; SH_LOG_COMPILER = $(srcdir)/test-wrapper.sh EXTRA_DIST = test.S $(TESTS) $(check_SCRIPTS) -CLEANFILES = $(test_key) $(test_cert) +CLEANFILES = $(test_key) $(test_cert) $(int_key) $(int_cert) $(ca_key) \ + $(ca_cert) diff --git a/tests/sign-attach-verify.sh b/tests/sign-attach-verify.sh index 2ae6e70..21ed6db 100755 --- a/tests/sign-attach-verify.sh +++ b/tests/sign-attach-verify.sh @@ -3,7 +3,19 @@ sig="test.sig" signed="test.signed" -"$sbsign" --cert "$cert" --key "$key" --detached --output "$sig" "$image" -cp "$image" "$signed" -"$sbattach" --attach "$sig" "$signed" -"$sbverify" --cert "$cert" "$signed" +"$sbsign" --cert "$cert" --key "$key" --detached --output "$sig" "$image" || exit 1 +cp "$image" "$signed" || exit 1 +"$sbattach" --attach "$sig" "$signed" || exit 1 +"$sbverify" --cert "$cert" "$signed" || exit 1 +"$sbverify" --cert "$intcert" "$signed" || exit 1 +# there's no intermediate cert in the image so it can't chain to the ca which +# is why this should fail +"$sbverify" --cert "$cacert" "$signed" && exit 1 + +# now add intermediates +"$sbsign" --cert "$cert" --key "$key" --addcert "$intcert" --detached --output "$sig" "$image" || exit 1 +cp "$image" "$signed" || exit 1 +"$sbattach" --attach "$sig" "$signed" || exit 1 +"$sbverify" --cert "$cert" "$signed" || exit 1 +"$sbverify" --cert "$intcert" "$signed" || exit 1 +"$sbverify" --cert "$cacert" "$signed" || exit 1 diff --git a/tests/sign-verify-detached.sh b/tests/sign-verify-detached.sh index 7b045e4..d2959be 100755 --- a/tests/sign-verify-detached.sh +++ b/tests/sign-verify-detached.sh @@ -2,5 +2,16 @@ sig="test.sig" -"$sbsign" --cert "$cert" --key "$key" --detached --output $sig "$image" -"$sbverify" --cert "$cert" --detached $sig "$image" +"$sbsign" --cert "$cert" --key "$key" --detached --output $sig "$image" || exit 1 +"$sbverify" --cert "$cert" --detached $sig "$image" || exit 1 +"$sbverify" --cert "$intcert" --detached $sig "$image" || exit 1 +# should fail because no intermediate +"$sbverify" --cert "$cacert" --detached $sig "$image" && exit 1 + +# now make sure everything succeeds with the intermediate added +"$sbsign" --cert "$cert" --key "$key" --addcert "$intcert" --detached --output $sig "$image" || exit 1 +"$sbverify" --cert "$cert" --detached $sig "$image" || exit 1 +"$sbverify" --cert "$intcert" --detached $sig "$image" || exit 1 +"$sbverify" --cert "$cacert" --detached $sig "$image" || exit 1 + +exit 0 diff --git a/tests/sign-verify.sh b/tests/sign-verify.sh index cf493f3..a61aff8 100755 --- a/tests/sign-verify.sh +++ b/tests/sign-verify.sh @@ -2,5 +2,16 @@ signed="test.signed" -"$sbsign" --cert "$cert" --key "$key" --output "$signed" "$image" -"$sbverify" --cert "$cert" "$signed" +"$sbsign" --cert "$cert" --key "$key" --output "$signed" "$image" || exit 1 +"$sbverify" --cert "$cert" "$signed" || exit 1 +"$sbverify" --cert "$intcert" "$signed" || exit 1 +# there's no intermediate cert in the image so it can't chain to the ca which +# is why this should fail +"$sbverify" --cert "$cacert" "$signed" && exit 1 + +# now add the intermediates and each level should succeed +"$sbsign" --cert "$cert" --addcert "$intcert" --key "$key" --output "$signed" "$image" || exit 1 +"$sbverify" --cert "$cert" "$signed" || exit 1 +"$sbverify" --cert "$intcert" "$signed" || exit 1 +"$sbverify" --cert "$cacert" "$signed" || exit 1 + diff --git a/tests/test-wrapper.sh b/tests/test-wrapper.sh index b9c6cf1..4ef6710 100755 --- a/tests/test-wrapper.sh +++ b/tests/test-wrapper.sh @@ -11,8 +11,12 @@ sbattach=$bindir/sbattach key="$datadir/private-key.rsa" cert="$datadir/public-cert.pem" +intkey="$datadir/int-key.ec" +intcert="$datadir/int-cert.pem" +cakey="$datadir/ca-key.ec" +cacert="$datadir/ca-cert.pem" -export basedir datadir bindir sbsign sbverify sbattach key cert +export basedir datadir bindir sbsign sbverify sbattach key cert intkey intcert cakey cacert # 'test' needs to be an absolute path, as we will cd to a temporary # directory before running the test