
[PATCH 4/4] Add tests for restricted keys

James Bottomley
 

Add general tests of the new command plus a specific test of the
ability to create a key under a wrapped parent, clear the TPM (thus
effectively creating a new TPM), re-wrap the key and demonstrate
that the old parented key can still be used.

Signed-off-by: James Bottomley <James.Bottomley@...>
---
tests/Makefile.am | 1 +
tests/restricted_parent.sh | 63 ++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 64 insertions(+)
create mode 100755 tests/restricted_parent.sh

diff --git a/tests/Makefile.am b/tests/Makefile.am
index d9cb3b8..21da53d 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -19,6 +19,7 @@ TESTS = fail_connect.sh \
check_counter_timer.sh \
check_importable.sh \
check_rsa_oaep_pss.sh \
+ restricted_parent.sh \
stop_sw_tpm.sh

AM_TESTS_ENVIRONMENT = TPM_INTERFACE_TYPE=socsim; \
diff --git a/tests/restricted_parent.sh b/tests/restricted_parent.sh
new file mode 100755
index 0000000..5121363
--- /dev/null
+++ b/tests/restricted_parent.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+set -x
+
+
+bindir=${srcdir}/..
+NV=81000101
+NV2=81000102
+
+##
+# basic restricted key creation tests for rsa, ecc both internal and wrapped
+##
+${bindir}/create_tpm2_key --restricted --rsa key.tpm || exit 1
+${bindir}/create_tpm2_key --restricted --ecc prime256v1 key.tpm || exit 1
+openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -pkeyopt ec_param_enc:named_curve -out key.priv || exit 1
+${bindir}/create_tpm2_key --restricted -w key.priv key.tpm || exit 1
+openssl genrsa 2048 > key.priv || exit 1;
+${bindir}/create_tpm2_key --restricted -w key.priv key.tpm || exit 1
+
+##
+# Using the already created RSA restricted wrapped key the tests are:
+# 1. Load the restricted key into NV memory
+# 2. parent a TPM internal key1 to the new NV key
+# 3. generate a public key from key1
+# 4. Sign and verify to prove key1 works
+# 5. Clear the TPM, this renders all the existing keys unusable and
+# regenerates the storage primary seed
+# 6. re-wrap the original private key to the new TPM and move it to NV
+# 7. Sign and verify to prove key1 still works despite clearing the TPM.
+##
+${bindir}/load_tpm2_key key.tpm ${NV} || exit 1
+${bindir}/create_tpm2_key -p ${NV} key1.tpm || exit 1
+openssl rsa -engine tpm2 -inform engine -in key1.tpm -pubout -out key1.pub || exit 1
+echo "This is a test of moveable keys" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key1.tpm -out tmp.msg || exit 1
+openssl rsautl -verify -in tmp.msg -inkey key1.pub -pubin || exit 1
+
+tssclear -hi p || exit 1
+${bindir}/create_tpm2_key --restricted -w key.priv key.tpm || exit 1
+${bindir}/load_tpm2_key key.tpm ${NV} || exit 1
+
+echo "This is a test of moveable keys" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key1.tpm -out tmp.msg || exit 1
+openssl rsautl -verify -in tmp.msg -inkey key1.pub -pubin || exit 1
+
+##
+# A few more tests of the load_tpm2_key command
+# 1. check that a key with policy requires to be forced
+# 2. check the use of parent auth to load the NV area
+##
+tssclear -hi p
+${bindir}/create_tpm2_key --restricted -c policies/policy_pcr.txt key2.tpm || exit 1
+${bindir}/load_tpm2_key key2.tpm ${NV} && exit 1
+${bindir}/load_tpm2_key --force key2.tpm ${NV} || exit 1
+
+##
+# now try to parent to a key with authorization
+##
+tssclear -hi p
+${bindir}/create_tpm2_key --auth --password Passw0rd --restricted key2.tpm || exit 1
+${bindir}/load_tpm2_key key2.tpm ${NV} || exit 1
+${bindir}/create_tpm2_key --auth-parent Passw0rd --parent ${NV} key3.tpm || exit 1
+${bindir}/load_tpm2_key --auth-parent Passw0rd key3.tpm ${NV2} || exit 1
+
+
+exit 0
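Review bot: The second and third `tssclear -hi p` calls (before the policy test and before the authorization test) are unchecked, unlike the first one, which ends in `|| exit 1`. If either clear fails, the following steps run against whatever the previous section left in the TPM, and the negative check `load_tpm2_key key2.tpm ${NV} && exit 1` accepts any failure, so it could pass because of leftover state rather than because the policy key needs `--force`. Both lines should read `tssclear -hi p || exit 1`. Because the script clears the TPM through the platform hierarchy, it is also worth confirming that it only runs with `TPM_INTERFACE_TYPE=socsim`, as tests/Makefile.am sets it, and never against a hardware TPM when invoked by hand.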
--
2.16.4