Topics

[PATCH v2 4/4] Add tests for restricted keys

James Bottomley
 

Add general tests of the new command plus a specific test of the
ability to create a key to a wrapped parent, clear the TPM (thus
effectively creating a new tpm), re-wrapping the key and demonstrating
that the old parented key can still be used.

Signed-off-by: James Bottomley <James.Bottomley@...>

---

v2: add more tests: EC parents and import tests
---
tests/Makefile.am | 1 +
tests/restricted_parent.sh | 82 ++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 83 insertions(+)
create mode 100755 tests/restricted_parent.sh

diff --git a/tests/Makefile.am b/tests/Makefile.am
index d9cb3b8..21da53d 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -19,6 +19,7 @@ TESTS = fail_connect.sh \
check_counter_timer.sh \
check_importable.sh \
check_rsa_oaep_pss.sh \
+ restricted_parent.sh \
stop_sw_tpm.sh

AM_TESTS_ENVIRONMENT = TPM_INTERFACE_TYPE=socsim; \
diff --git a/tests/restricted_parent.sh b/tests/restricted_parent.sh
new file mode 100755
index 0000000..4f6f11e
--- /dev/null
+++ b/tests/restricted_parent.sh
@@ -0,0 +1,82 @@
+#!/bin/bash
+set -x
+
+
+bindir=${srcdir}/..
+NV=81000101
+NV2=81000102
+
+##
+# basic restricted key creation tests for rsa, ecc both internal and wrapped
+##
+${bindir}/create_tpm2_key --restricted --rsa key.tpm || exit 1
+${bindir}/create_tpm2_key --restricted --ecc prime256v1 key.tpm || exit 1
+# now generate permanent wrapped keys for the NV indexes
+openssl genrsa 2048 > keyrsa.priv || exit 1;
+${bindir}/create_tpm2_key --restricted -w keyrsa.priv keyrsa.tpm || exit 1
+openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -pkeyopt ec_param_enc:named_curve -out keyecc.priv || exit 1
+${bindir}/create_tpm2_key --restricted -w keyecc.priv keyecc.tpm || exit 1
+##
+# now lodge the RSA and EC parents at NV and NV2
+##
+${bindir}/load_tpm2_key keyrsa.tpm ${NV} || exit 1
+${bindir}/load_tpm2_key keyecc.tpm ${NV2} || exit 1
+##
+# Using the already created RSA restricted wrapped key the tests are:
+# 1. Load the restricted key into NV memory
+# 2. parent a TPM internal key1 to the new NV key
+# 3. generate a public key from key1
+# 4. Sign and verify to prove key1 works
+# 5. Clear the TPM, this renders all the existing keys unusable and
+# regenerates the storage primary seed
+# 6. re-wrap the original private key to the new TPM and move it to NV
+# 7. Sign and verify to prove key1 still works despite clearing the TPM.
+##
+for parent in ${NV2} ${NV}; do
+ ${bindir}/create_tpm2_key -p ${parent} key.tpm || exit 1
+ openssl rsa -engine tpm2 -inform engine -in key.tpm -pubout -out key.pub || exit 1
+ echo "This is a test of moveable keys" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg || exit 1
+ openssl rsautl -verify -in tmp.msg -inkey key.pub -pubin || exit 1
+done
+# on exit key 1 is parented to ${NV}
+tssclear -hi p || exit 1
+${bindir}/create_tpm2_key --restricted -w keyrsa.priv keyrsa.tpm || exit 1
+${bindir}/load_tpm2_key keyrsa.tpm ${NV} || exit 1
+
+echo "This is a test of moveable keys" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg || exit 1
+openssl rsautl -verify -in tmp.msg -inkey key.pub -pubin || exit 1
+
+##
+# A few more tests of the load_tpm2_key command
+# 1. check that a key with policy requires to be forced
+# 2. check the use of parent auth to load the NV area
+##
+tssclear -hi p
+${bindir}/create_tpm2_key --restricted -c policies/policy_pcr.txt key2.tpm || exit 1
+${bindir}/load_tpm2_key key2.tpm ${NV} && exit 1
+${bindir}/load_tpm2_key --force key2.tpm ${NV} || exit 1
+
+##
+# now try to parent to a key with authorization
+##
+tssclear -hi p
+${bindir}/create_tpm2_key --auth --password Passw0rd --restricted key2.tpm || exit 1
+${bindir}/load_tpm2_key key2.tpm ${NV} || exit 1
+${bindir}/create_tpm2_key --auth-parent Passw0rd --parent ${NV} key3.tpm || exit 1
+${bindir}/load_tpm2_key --auth-parent Passw0rd key3.tpm ${NV2} || exit 1
+##
+# finally try importable keys. At the moment these only work for ecc parents
+##
+tssclear -hi p
+${bindir}/create_tpm2_key --restricted -w keyecc.priv keyecc.tpm || exit 1
+${bindir}/load_tpm2_key keyecc.tpm ${NV2} || exit 1
+openssl pkey -engine tpm2 -inform engine -in //nvkey:${NV2} -pubout -out keyecc.pub || exit 1
+openssl genrsa 2048 > key.priv || exit 1
+openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -pkeyopt ec_param_enc:named_curve -out key1.priv
+for key in key.priv key1.priv; do
+ ${bindir}/create_tpm2_key --parent ${NV2} --import keyecc.pub --wrap ${key} key.tpm || exit 1
+ openssl req -new -x509 -subj '/CN=test/' -key key.tpm -engine tpm2 -keyform engine -out tmp.crt || exit 1
+ openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || exit 1
+done
+
+exit 0
--
2.16.4