FAPI TEST: rework test certificate creation

* A CA script for initializing the CA was added. * Functions for creating the EK certificate were added. Signed-off-by: Juergen Repp <[email protected]>
JuergenReppSIT · Nov 22, 2023 · 0736aa5 · 0736aa5
1 parent 232c0ec
commit 0736aa5
Show file tree

Hide file tree

Showing 5 changed files with 721 additions and 1 deletion.
diff --git a/Makefile-test.am b/Makefile-test.am
@@ -21,6 +21,7 @@ EXTRA_DIST += $(srcdir)/script/int-log-compiler.sh \
               $(srcdir)/script/fint-log-compiler.sh \
               $(srcdir)/script/int-log-compiler-common.sh \
               $(srcdir)/script/ekca/create_ca.sh \
+              $(srcdir)/script/ekca/init_ca.sh \
               $(srcdir)/script/ekca/ek.cnf \
               $(srcdir)/script/ekca/intermed-ca.cnf \
               $(srcdir)/script/ekca/root-ca.cnf

diff --git a/Makefile.am b/Makefile.am
@@ -966,11 +966,25 @@ install-data-hook: install-dirs
 	fi
 
 uninstall-local:
+	-rm -r -f $(top_builddir)/ca
 	-rm $(DESTDIR)$(udevrulesdir)/$(udevrulesprefix)tpm-udev.rules
 	cd $(DESTDIR)$(man3dir) && \
 		[ -L Tss2_TctiLdr_Initialize_Ex.3 ] && \
 			rm -f Tss2_TctiLdr_Initialize_Ex.3 || true
 
+clean-hook:
+	-rm -r -f $(top_builddir)/ca
+
+check-hook:
+	-rm -r -f $(top_builddir)/ca
+
+prepare-check:
+if INIT_CI
+	$(top_srcdir)/script/ekca/init_ca.sh $(top_builddir)
+endif
+
+check: prepare-check
+
 EXTRA_DIST += \
     doc/doxygen.dox \
     doc/coding_standard_c.md \

diff --git a/configure.ac b/configure.ac
@@ -640,6 +640,8 @@ AS_IF([test "x$enable_self_generated_certificate" = xyes],
 	[AC_DEFINE([SELF_GENERATED_CERTIFICATE], [1], [Allow usage of self generated root certificate])],
 	[AS_IF([test "x$integration_tcti" != "xdevice"], [AC_DEFINE([FAPI_TEST_EK_CERT_LESS], [1], [Perform integration tests without EK certificate verification])])])
 
+AM_CONDITIONAL([INIT_CI], [test "x$enable_self_generated_certificate" == xyes])
+
 AS_IF([test "x$enable_integration" = "xyes" && test "x$enable_self_generated_certificate" != "xyes" && test "x$integration_tcti" != "xdevice"],
       [AC_MSG_WARN([Running integration tests without EK certificate verification, use --enable-self-generated-certificate for full test coverage])])
 

diff --git a/script/ekca/init_ca.sh b/script/ekca/init_ca.sh
@@ -0,0 +1,129 @@
+#!/usr/bin/env bash
+
+#set -x
+
+#set -euf
+OS=$(uname)
+DATE_FMT_BEFORE=""
+DATE_FMT_AFTER=""
+SED_CMD=""
+
+if [ "$OS" == "Linux" ]; then
+    DATE_FMT_BEFORE="+%y%m%d000000Z -u -d -1day"
+    DATE_FMT_AFTER="+%y%m%d000000Z -u -d +10years+1day"
+    SED_CMD="sed -i"
+elif [ "$OS" == "FreeBSD" ]; then
+    DATE_FMT_BEFORE="-u -v-1d +%y%m%d000000Z"
+    DATE_FMT_AFTER="-u -v+10y +%y%m%d000000Z"
+    SED_CMD="sed -i '' -e"
+fi
+
+EKCADIR="$(dirname $(realpath ${0}))/"
+CA_DIR="$1/ca"
+if test -e $CA_DIR; then
+    exit
+fi
+mkdir -p $CA_DIR
+
+pushd "$CA_DIR"
+
+mkdir root-ca
+pushd root-ca
+
+mkdir certreqs certs crl newcerts private
+touch root-ca.index
+echo 00 > root-ca.crlnum
+echo 1000 > root-ca.serial
+echo "123456" > pass.txt
+
+cp "${EKCADIR}/root-ca.cnf" ./
+export OPENSSL_CONF=./root-ca.cnf
+ROOT_URL="file:$ROOTCRT"
+${SED_CMD} "s|ROOTCRT|$ROOT_URL|g" $OPENSSL_CONF
+ROOT_URL="file:$ROOTCRL"
+${SED_CMD} "s|ROOTCRL|$ROOT_URL|g" $OPENSSL_CONF
+openssl req -new -out root-ca.req.pem -passout file:pass.txt
+
+#
+# Create self signed root certificate
+#
+
+openssl ca -selfsign \
+    -in root-ca.req.pem \
+    -out root-ca.cert.pem \
+    -extensions root-ca_ext \
+    -startdate `date ${DATE_FMT_BEFORE}` \
+    -enddate `date ${DATE_FMT_AFTER}` \
+    -passin file:pass.txt -batch
+
+openssl x509 -outform der -in  root-ca.cert.pem -out root-ca.cert.crt
+
+openssl verify -verbose -CAfile root-ca.cert.pem \
+        root-ca.cert.pem
+
+openssl ca -gencrl  -cert root-ca.cert.pem \
+        -out root-ca.cert.crl.pem -passin file:pass.txt
+openssl crl -in root-ca.cert.crl.pem -outform DER -out root-ca.cert.crl
+
+popd #root-ca
+
+#
+# Create intermediate certificate
+#
+mkdir intermed-ca
+pushd intermed-ca
+
+mkdir certreqs certs crl newcerts private
+touch intermed-ca.index
+echo 00 > intermed-ca.crlnum
+echo 2000 > intermed-ca.serial
+echo "abcdef" > pass.txt
+
+cp "${EKCADIR}/intermed-ca.cnf" ./
+export OPENSSL_CONF=./intermed-ca.cnf
+
+# Adapt CRT URL to current test directory
+${SED_CMD} "s|ROOTCRT|$ROOT_URL|g" $OPENSSL_CONF
+
+openssl req -new -out intermed-ca.req.pem -passout file:pass.txt
+
+openssl rsa -inform PEM -in private/intermed-ca.key.pem \
+        -outform DER -out private/intermed-ca.key.der -passin file:pass.txt
+
+cp intermed-ca.req.pem  \
+   ../root-ca/certreqs/
+
+INTERMED_URL="file:$INTERMEDCRT"
+${SED_CMD} "s|INTERMEDCRT|$INTERMED_URL|g" $OPENSSL_CONF
+
+pushd ../root-ca
+export OPENSSL_CONF=./root-ca.cnf
+
+openssl ca \
+    -in certreqs/intermed-ca.req.pem \
+    -out certs/intermed-ca.cert.pem \
+    -extensions intermed-ca_ext \
+    -startdate `date ${DATE_FMT_BEFORE}` \
+    -enddate `date ${DATE_FMT_AFTER}` \
+    -passin file:pass.txt -batch
+
+openssl x509 -outform der -in certs/intermed-ca.cert.pem \
+        -out certs/intermed-ca.cert.crt
+
+openssl verify -verbose -CAfile root-ca.cert.pem \
+        certs/intermed-ca.cert.pem
+
+cp certs/intermed-ca.cert.pem \
+   ../intermed-ca
+
+cp certs/intermed-ca.cert.crt \
+   ../intermed-ca
+
+popd #root-ca
+
+export OPENSSL_CONF=./intermed-ca.cnf
+openssl ca -gencrl  -cert ../root-ca/certs/intermed-ca.cert.pem \
+        -out intermed-ca.crl.pem -passin file:pass.txt
+openssl crl -in intermed-ca.crl.pem -outform DER -out intermed-ca.crl
+
+popd #intermed-ca