FAPI Test: Add failure test no root certificate.

It is now checked whether the provisioning fails if the appropriate
root certificate does not exist.
For this purpose the EK certificate is generated with a self
signed certificate which is not in the list of the FAPI cerificates.

Signed-off-by: Juergen Repp <juergen_repp@web.de>

Makefile-test.am

@@ -404,6 +404,7 @@ FAPI_TESTS_INTEGRATION = \
     test/integration/fapi-policy-or-nv-read-write.fint \
     test/integration/fapi-second-provisioning.fint \
     test/integration/fapi-provisioning-error.fint \
+    test/integration/fapi-provisioning-cert-error.fint \
     test/integration/fapi-info.fint \
     test/integration/fapi-unseal.fint \
     test/integration/fapi-unseal-persistent.fint
@@ -2547,6 +2548,14 @@ test_integration_fapi_provisioning_error_fint_SOURCES = \
     test/integration/fapi-provisioning-error.int.c \
     test/integration/main-fapi.c test/integration/test-fapi.h
 
+test_integration_fapi_provisioning_cert_error_fint_CFLAGS  = $(TESTS_CFLAGS) \
+ -DSELF_SIGNED_CERTIFICATE
+test_integration_fapi_provisioning_cert_error_fint_LDADD   = $(TESTS_LDADD)
+test_integration_fapi_provisioning_cert_error_fint_LDFLAGS = $(TESTS_LDFLAGS)
+test_integration_fapi_provisioning_cert_error_fint_SOURCES = \
+    test/integration/fapi-provisioning-cert-error.int.c \
+    test/integration/main-fapi.c test/integration/test-fapi.h
+
 test_integration_fapi_quote_destructive_fint_CFLAGS  = $(TESTS_CFLAGS)
 test_integration_fapi_quote_destructive_fint_LDADD   = $(TESTS_LDADD)
 test_integration_fapi_quote_destructive_fint_LDFLAGS = $(TESTS_LDFLAGS)

script/ekca/create_ca.sh

@@ -84,7 +84,7 @@ mkdir certreqs certs crl newcerts private
 touch intermed-ca.index
 echo 00 > intermed-ca.crlnum
 echo 2000 > intermed-ca.serial
-echo "abcdef" > pass.txt
+echo "123456" > pass.txt
 
 cp "${EKCADIR}/intermed-ca.cnf" ./
 export OPENSSL_CONF=./intermed-ca.cnf

script/ekca/init_ca.sh

@@ -78,7 +78,7 @@ mkdir certreqs certs crl newcerts private
 touch intermed-ca.index
 echo 00 > intermed-ca.crlnum
 echo 2000 > intermed-ca.serial
-echo "abcdef" > pass.txt
+echo "123456" > pass.txt
 
 cp "${EKCADIR}/intermed-ca.cnf" ./
 export OPENSSL_CONF=./intermed-ca.cnf

src/tss2-fapi/api/Fapi_Provision.c

@@ -895,6 +895,12 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
 #pragma message ( "*** Allow self generated certifcate ***" )
             root_ca_file = getenv("FAPI_TEST_ROOT_CERT");
 
+            if (root_ca_file && strcasecmp(root_ca_file, "self") == 0) {
+                /* The self signed root ca file will as intermediate certificate. */
+                context->state = PROVISION_PREPARE_READ_INT_CERT;
+                return TSS2_FAPI_RC_TRY_AGAIN;
+            }
+
             if (!root_ca_file && ifapi_io_path_exists(FAPI_TEST_ROOT_CERT_FILE)) {
                 root_ca_file = FAPI_TEST_ROOT_CERT_FILE;
             }

test/integration/fapi-provisioning-cert-error.int.c

@@ -0,0 +1,65 @@
+/* SPDX-License-Identifier: BSD-2-Clause */
+/*******************************************************************************
+ * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
+ * All rights reserved.
+ *******************************************************************************/
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdlib.h>
+
+#include "tss2_fapi.h"
+#include "tss2_esys.h"
+
+#include "test-fapi.h"
+#include "fapi_util.h"
+#include "fapi_int.h"
+#include "tss2_esys.h"
+
+#include "esys_iutil.h"
+#define LOGMODULE test
+#include "util/log.h"
+#include "util/aux_util.h"
+#include "tss2_mu.h"
+#include "fapi_int.h"
+
+
+/** Test the FAPI cleanup in an error case.
+ *
+ * Tested FAPI commands:
+ *  - Fapi_Provision()
+ *
+ * @param[in,out] context The FAPI_CONTEXT.
+ * @retval EXIT_FAILURE
+ * @retval EXIT_SUCCESS
+ */
+int
+test_fapi_test_provisioning_cert_error(FAPI_CONTEXT *context)
+{
+    TSS2_RC r;
+
+#ifndef SELF_SIGNED_CERTIFICATE
+    return EXIT_SKIP;
+#endif
+
+
+    setenv("FAPI_TEST_ROOT_CERT", "self", 1);
+    setenv("FAPI_TEST_INT_CERT",  "./ca/root-ca/root-ca.cert.pem", 1);
+
+    r = Fapi_Provision(context, NULL, NULL, NULL);
+
+    if (r == TSS2_FAPI_RC_GENERAL_FAILURE)
+        return EXIT_SUCCESS;
+
+    LOG_ERROR("Test with self signed certificate did not fail.");
+    return EXIT_FAILURE;
+
+}
+
+int
+test_invoke_fapi(FAPI_CONTEXT *fapi_context)
+{
+    return test_fapi_test_provisioning_cert_error(fapi_context);
+}

test/integration/main-fapi.c

@@ -856,7 +856,7 @@ get_ecc_ek_public(TSS2_SYS_CONTEXT *sys_context, EVP_PKEY **evp_pub)
 
 }
 
-char pwd[6] = "abcdef";
+char pwd[6] = "123456";
 
 int pass_cb(char *buf, int size, int rwflag, void *u)
 {
@@ -1264,11 +1264,21 @@ init_ek_certificates(TSS2_SYS_CONTEXT *sys_ctx)
         goto error_cleanup;
     }
 
-    rc = load_intermed_cert_and_key("ca/intermed-ca/private/intermed-ca.key.pem",
+#ifdef SELF_SIGNED_CERTIFICATE
+    /* The self signed root certificate will be used as intermediate
+       certificate. */
+    rc = load_intermed_cert_and_key("ca/root-ca/private/root-ca.key.pem",
+                                    &intermed_key,
+                                    "ca/root-ca/root-ca.cert.pem",
+                                    &intermed_cert);
+#else
+     rc = load_intermed_cert_and_key("ca/intermed-ca/private/intermed-ca.key.pem",
                                     &intermed_key,
                                     "ca/intermed-ca/intermed-ca.cert.pem",
                                     &intermed_cert);
-    if (rc != TSS2_RC_SUCCESS) {
+#endif
+
+     if (rc != TSS2_RC_SUCCESS) {
         LOG_ERROR("Failed to load intermediate key and cert %s\n", Tss2_RC_Decode(rc));
         goto error_cleanup;
     }