From 329e1e7cf89fe3269d581fed91ab375dc816f355 Mon Sep 17 00:00:00 2001
From: Juergen Repp
Date: Sun, 14 Jan 2024 20:57:15 +0100
Subject: [PATCH] FAPI Test: Add failure test no root certificate.

It is now checked whether the provisioning fails if the appropriate root certificate does not exist. For this purpose the EK certificate is generated with a self signed certificate which is not in the list of the FAPI cerificates.

Signed-off-by: Juergen Repp
---
 Makefile-test.am | 9 +++
 script/ekca/create_ca.sh | 2 +-
 script/ekca/init_ca.sh | 2 +-
 src/tss2-fapi/api/Fapi_Provision.c | 6 ++
 .../fapi-provisioning-cert-error.int.c | 65 +++++++++++++++++++
 test/integration/main-fapi.c | 20 ++++--
 6 files changed, 97 insertions(+), 7 deletions(-)
 create mode 100644 test/integration/fapi-provisioning-cert-error.int.c

diff --git a/Makefile-test.am b/Makefile-test.am
index 5f2478aad..44bd795fb 100644
--- a/Makefile-test.am
+++ b/Makefile-test.am
@@ -404,6 +404,7 @@ FAPI_TESTS_INTEGRATION = \
 test/integration/fapi-policy-or-nv-read-write.fint \
 test/integration/fapi-second-provisioning.fint \
 test/integration/fapi-provisioning-error.fint \
+ test/integration/fapi-provisioning-cert-error.fint \
 test/integration/fapi-info.fint \
 test/integration/fapi-unseal.fint \
 test/integration/fapi-unseal-persistent.fint
@@ -2547,6 +2548,14 @@ test_integration_fapi_provisioning_error_fint_SOURCES = \ test/integration/fapi-provisioning-error.int.c \ test/integration/main-fapi.c test/integration/test-fapi.h +test_integration_fapi_provisioning_cert_error_fint_CFLAGS = $(TESTS_CFLAGS) \ + -DSELF_SIGNED_CERTIFICATE +test_integration_fapi_provisioning_cert_error_fint_LDADD = $(TESTS_LDADD) +test_integration_fapi_provisioning_cert_error_fint_LDFLAGS = $(TESTS_LDFLAGS) +test_integration_fapi_provisioning_cert_error_fint_SOURCES = \ + test/integration/fapi-provisioning-cert-error.int.c \ + test/integration/main-fapi.c test/integration/test-fapi.h + test_integration_fapi_quote_destructive_fint_CFLAGS = $(TESTS_CFLAGS) test_integration_fapi_quote_destructive_fint_LDADD = $(TESTS_LDADD) test_integration_fapi_quote_destructive_fint_LDFLAGS = $(TESTS_LDFLAGS) diff --git a/script/ekca/create_ca.sh b/script/ekca/create_ca.sh index 61d976a32..3a57ec07c 100755 --- a/script/ekca/create_ca.sh +++ b/script/ekca/create_ca.sh @@ -84,7 +84,7 @@ mkdir certreqs certs crl newcerts private touch intermed-ca.index echo 00 > intermed-ca.crlnum echo 2000 > intermed-ca.serial -echo "abcdef" > pass.txt +echo "123456" > pass.txt cp "${EKCADIR}/intermed-ca.cnf" ./ export OPENSSL_CONF=./intermed-ca.cnf diff --git a/script/ekca/init_ca.sh b/script/ekca/init_ca.sh index 8d6ba197e..7dd757fc8 100755 --- a/script/ekca/init_ca.sh +++ b/script/ekca/init_ca.sh @@ -78,7 +78,7 @@ mkdir certreqs certs crl newcerts private touch intermed-ca.index echo 00 > intermed-ca.crlnum echo 2000 > intermed-ca.serial -echo "abcdef" > pass.txt +echo "123456" > pass.txt cp "${EKCADIR}/intermed-ca.cnf" ./ export OPENSSL_CONF=./intermed-ca.cnf diff --git a/src/tss2-fapi/api/Fapi_Provision.c b/src/tss2-fapi/api/Fapi_Provision.c index b7a2bf06d..bcf25f06f 100644 --- a/src/tss2-fapi/api/Fapi_Provision.c +++ b/src/tss2-fapi/api/Fapi_Provision.c 
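Review bot: The CA key passphrase is a literal that now has to stay identical in three places: `echo "123456" > pass.txt` in this hunk, the same line in script/ekca/init_ca.sh, and `char pwd[6]` in test/integration/main-fapi.c. The commit message does not explain why the value changed, so the next edit to any one of them could silently break key loading in the tests. A comment above the echo such as `# Test CA only; must match pwd[] in test/integration/main-fapi.c` would make the dependency explicit in both scripts.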
@@ -895,6 +895,12 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context) #pragma message ( "*** Allow self generated certifcate ***" ) root_ca_file = getenv("FAPI_TEST_ROOT_CERT"); + if (root_ca_file && strcasecmp(root_ca_file, "self") == 0) { + /* The self signed root ca file will as intermediate certificate. */ + context->state = PROVISION_PREPARE_READ_INT_CERT; + return TSS2_FAPI_RC_TRY_AGAIN; + } + if (!root_ca_file && ifapi_io_path_exists(FAPI_TEST_ROOT_CERT_FILE)) { root_ca_file = FAPI_TEST_ROOT_CERT_FILE; } diff --git a/test/integration/fapi-provisioning-cert-error.int.c b/test/integration/fapi-provisioning-cert-error.int.c new file mode 100644 index 000000000..9e87b6779 --- /dev/null +++ b/test/integration/fapi-provisioning-cert-error.int.c 
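Review bot: The new `self` branch lets the FAPI_TEST_ROOT_CERT environment variable bypass the root-certificate handling that follows it, so it must never be reachable in a production build. The `#pragma message` just above suggests a test-only compile guard, but that guard begins outside the hunk and should be confirmed. The comment is missing words; I would write `/* Test only: skip the root certificate; the self-signed root CA certificate is supplied as the intermediate certificate. */`. `strcasecmp` is declared in `<strings.h>`, and the file's include list is not visible here, so check that it is included.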
@@ -0,0 +1,65 @@ +/* SPDX-License-Identifier: BSD-2-Clause */ +/******************************************************************************* + * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG + * All rights reserved. + *******************************************************************************/ + +#ifdef HAVE_CONFIG_H +#include +#endif + +#include + +#include "tss2_fapi.h" +#include "tss2_esys.h" + +#include "test-fapi.h" +#include "fapi_util.h" +#include "fapi_int.h" +#include "tss2_esys.h" + +#include "esys_iutil.h" +#define LOGMODULE test +#include "util/log.h" +#include "util/aux_util.h" +#include "tss2_mu.h" +#include "fapi_int.h" + + +/** Test the FAPI cleanup in an error case. + * + * Tested FAPI commands: + * - Fapi_Provision() + * + * @param[in,out] context The FAPI_CONTEXT. + * @retval EXIT_FAILURE + * @retval EXIT_SUCCESS + */ +int +test_fapi_test_provisioning_cert_error(FAPI_CONTEXT *context) +{ + TSS2_RC r; + +#ifndef SELF_SIGNED_CERTIFICATE + return EXIT_SKIP; +#endif + + + setenv("FAPI_TEST_ROOT_CERT", "self", 1); + setenv("FAPI_TEST_INT_CERT", "./ca/root-ca/root-ca.cert.pem", 1); + + r = Fapi_Provision(context, NULL, NULL, NULL); + + if (r == TSS2_FAPI_RC_GENERAL_FAILURE) + return EXIT_SUCCESS; + + LOG_ERROR("Test with self signed certificate did not fail."); + return EXIT_FAILURE; + +} + +int +test_invoke_fapi(FAPI_CONTEXT *fapi_context) +{ + return test_fapi_test_provisioning_cert_error(fapi_context); +} diff --git a/test/integration/main-fapi.c b/test/integration/main-fapi.c index b8a3aedc2..f43fcfe49 100644 --- a/test/integration/main-fapi.c +++ b/test/integration/main-fapi.c @@ -856,7 +856,7 @@ get_ecc_ek_public(TSS2_SYS_CONTEXT *sys_context, EVP_PKEY **evp_pub) } -char pwd[6] = "abcdef"; +char pwd[6] = "123456"; int pass_cb(char *buf, int size, int rwflag, void *u) { 
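Review bot: The test accepts any `TSS2_FAPI_RC_GENERAL_FAILURE`, a generic code, so it may not distinguish a rejected certificate chain from an unrelated provisioning failure, for example if the test certificate file could not be read. If Fapi_Provision reports failed EK certificate verification more specifically, assert that; at minimum, check the return values of both `setenv` calls before calling it. The doc comment still reads "Test the FAPI cleanup in an error case", apparently carried over from another test. It should state that provisioning must fail when the EK certificate chains to a self-signed certificate that is not among the FAPI root certificates. With SELF_SIGNED_CERTIFICATE undefined, everything after `return EXIT_SKIP;` is unreachable, so wrapping the rest of the body in `#else` would be cleaner.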
@@ -949,7 +949,7 @@ load_intermed_cert_and_key(const char *ca_key_path, EVP_PKEY **ca_key, unsigned long err = ERR_get_error(); char err_buffer[256]; ERR_error_string_n(err, err_buffer, sizeof(err_buffer)); - LOG_ERROR("Failure in BIO_read_filename %s", err_buffer); + LOG_ERROR("Failure in BIO_read_filename \"%s\" %s", ca_cert_path, err_buffer); goto error_cleanup; } *ca_crt = PEM_read_bio_X509(bio, NULL, NULL, NULL); @@ -965,7 +965,7 @@ load_intermed_cert_and_key(const char *ca_key_path, EVP_PKEY **ca_key, unsigned long err = ERR_get_error(); char err_buffer[256]; ERR_error_string_n(err, err_buffer, sizeof(err_buffer)); - LOG_ERROR("Failure in BIO_read_filename %s", err_buffer); + LOG_ERROR("Failure in BIO_read_filename \"%s\" %s", ca_key_path, err_buffer); goto error_cleanup; } *ca_key = PEM_read_bio_PrivateKey(bio, NULL, pass_cb, NULL); @@ -1264,11 +1264,21 @@ init_ek_certificates(TSS2_SYS_CONTEXT *sys_ctx) goto error_cleanup; } - rc = load_intermed_cert_and_key("ca/intermed-ca/private/intermed-ca.key.pem", +#ifdef SELF_SIGNED_CERTIFICATE + /* The self signed root certificate will be used as intermediate + certificate. */ + rc = load_intermed_cert_and_key("ca/root-ca/private/root-ca.key.pem", + &intermed_key, + "ca/root-ca/root-ca.cert.pem", + &intermed_cert); +#else + rc = load_intermed_cert_and_key("ca/intermed-ca/private/intermed-ca.key.pem", &intermed_key, "ca/intermed-ca/intermed-ca.cert.pem", &intermed_cert); - if (rc != TSS2_RC_SUCCESS) { +#endif + + if (rc != TSS2_RC_SUCCESS) { LOG_ERROR("Failed to load intermediate key and cert %s\n", Tss2_RC_Decode(rc)); goto error_cleanup; }
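Review bot: In the last hunk, the SELF_SIGNED_CERTIFICATE path reads the root CA private key through `load_intermed_cert_and_key`, which calls `PEM_read_bio_PrivateKey(bio, NULL, pass_cb, NULL)`. That callback presumably returns the single fixed `pwd`, so this path only works while root-ca.key.pem and intermed-ca.key.pem share one passphrase. The new comment should say so, e.g. `/* The self-signed root CA certificate and key stand in for the intermediate CA; pass_cb must supply the root key's passphrase. */`. The re-emitted `rc = load_intermed_cert_and_key(` and `if (rc != TSS2_RC_SUCCESS) {` lines look like whitespace-only changes, so check they follow the file's indentation. init_ek_certificates starts and ends outside the hunk.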