forked from pool/tpm2.0-tools
Alberto Planas Dominguez
2dec5107b8
- Add patch to fix leakage of TPM simulator process add_missing_shut_down_call_on_cleanup.patch - Add patch to fix fapi-quote-verify[_ecc].sh test fix_check_of_qualifying_data.patch - Enable test execution by default OBS-URL: https://build.opensuse.org/request/show/989000 OBS-URL: https://build.opensuse.org/package/show/security/tpm2.0-tools?expand=0&rev=93
168 lines
6.8 KiB
Diff
168 lines
6.8 KiB
Diff
From 3b1f00301350848e9454c7adf0487c1a14738236 Mon Sep 17 00:00:00 2001
|
|
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
|
Date: Sat, 8 Jan 2022 13:43:00 +0100
|
|
Subject: [PATCH] test/fapi/fapi-quote-verify.sh Fix check of qualifying data.
|
|
|
|
Because of a bug in Fapi_VerifyQuote the qualifying data was not checked correctly.
|
|
Errors that were not recognized before occur now.
|
|
The order of the tests was cleaned up and for every quote and verify quote now
|
|
the correct combination of the qualifying data and quote info containing the nonce
|
|
is used.
|
|
|
|
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
|
---
|
|
test/integration/fapi/fapi-quote-verify.sh | 38 ++++++++++++----------
|
|
1 file changed, 20 insertions(+), 18 deletions(-)
|
|
|
|
diff --git a/test/integration/fapi/fapi-quote-verify.sh b/test/integration/fapi/fapi-quote-verify.sh
|
|
index ad4ade3a1..497d4337f 100644
|
|
--- a/test/integration/fapi/fapi-quote-verify.sh
|
|
+++ b/test/integration/fapi/fapi-quote-verify.sh
|
|
@@ -18,6 +18,7 @@ KEY_PATH=HS/SRK/quotekey
|
|
NONCE_FILE=$TEMP_DIR/nonce.file
|
|
PUBLIC_QUOTE_KEY=$TEMP_DIR/public_quote.key
|
|
QUOTE_INFO=$TEMP_DIR/quote.info
|
|
+QUOTE_EMPTY_INFO=$TEMP_DIR/quote_empty.info
|
|
SIGNATURE_FILE=$TEMP_DIR/signature.file
|
|
CERTIFICATE_FILE=$TEMP_DIR/certificate.file
|
|
PCR_LOG=$TEMP_DIR/pcr.log
|
|
@@ -35,14 +36,32 @@ tss2 provision
|
|
|
|
tss2 createkey --path=$KEY_PATH --type="noDa, restricted, sign" --authValue=""
|
|
|
|
+tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
|
|
+tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
|
|
+
|
|
+
|
|
tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" --qualifyingData=$NONCE_FILE \
|
|
--signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
|
|
--certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
|
|
|
|
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
|
|
+ --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
|
|
+ --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
|
|
+
|
|
echo "tss2 quote with EMPTY_FILE" # Expected to succeed
|
|
tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" \
|
|
--qualifyingData=$EMPTY_FILE --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
|
|
- --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
|
|
+ --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_EMPTY_INFO --force
|
|
+
|
|
+echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
|
|
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
|
|
+ --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_EMPTY_INFO \
|
|
+ --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
|
|
+
|
|
+# Try with missing qualifyingData
|
|
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
|
|
+ --quoteInfo=$QUOTE_EMPTY_INFO \
|
|
+ --signature=$SIGNATURE_FILE
|
|
|
|
echo "tss2 quote with BIG_FILE" # Expected to fail
|
|
expect <<EOF
|
|
@@ -65,18 +84,6 @@ if [[ "`cat $LOG_FILE`" == $SANITIZER_FILTER ]]; then
|
|
exit 1
|
|
fi
|
|
|
|
-tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
|
|
-tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
|
|
-
|
|
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
|
|
- --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
|
|
- --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
|
|
-
|
|
-echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
|
|
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
|
|
- --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_INFO \
|
|
- --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
|
|
-
|
|
echo "tss2 verifyquote with BIG_FILE qualifyingData" # Expected to fail
|
|
expect <<EOF
|
|
spawn sh -c "tss2 verifyquote --publicKeyPath=\"ext/myNewParent\" \
|
|
@@ -537,9 +544,4 @@ if {[lindex \$ret 2] || [lindex \$ret 3] != 1} {
|
|
}
|
|
EOF
|
|
|
|
-# Try with missing qualifyingData
|
|
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
|
|
- --quoteInfo=$QUOTE_INFO \
|
|
- --signature=$SIGNATURE_FILE
|
|
-
|
|
exit 0
|
|
|
|
diff --git a/test/integration/fapi/fapi-quote-verify.sh b/test/integration/fapi/fapi-quote-verify_ecc.sh
|
|
index ad4ade3a1..497d4337f 100644
|
|
--- a/test/integration/fapi/fapi-quote-verify_ecc.sh
|
|
+++ b/test/integration/fapi/fapi-quote-verify_ecc.sh
|
|
@@ -18,6 +18,7 @@ KEY_PATH=HS/SRK/quotekey
|
|
NONCE_FILE=$TEMP_DIR/nonce.file
|
|
PUBLIC_QUOTE_KEY=$TEMP_DIR/public_quote.key
|
|
QUOTE_INFO=$TEMP_DIR/quote.info
|
|
+QUOTE_EMPTY_INFO=$TEMP_DIR/quote_empty.info
|
|
SIGNATURE_FILE=$TEMP_DIR/signature.file
|
|
CERTIFICATE_FILE=$TEMP_DIR/certificate.file
|
|
PCR_LOG=$TEMP_DIR/pcr.log
|
|
@@ -35,14 +36,32 @@ tss2 provision
|
|
|
|
tss2 createkey --path=$KEY_PATH --type="noDa, restricted, sign" --authValue=""
|
|
|
|
+tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
|
|
+tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
|
|
+
|
|
+
|
|
tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" --qualifyingData=$NONCE_FILE \
|
|
--signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
|
|
--certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
|
|
|
|
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
|
|
+ --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
|
|
+ --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
|
|
+
|
|
echo "tss2 quote with EMPTY_FILE" # Expected to succeed
|
|
tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" \
|
|
--qualifyingData=$EMPTY_FILE --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
|
|
- --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
|
|
+ --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_EMPTY_INFO --force
|
|
+
|
|
+echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
|
|
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
|
|
+ --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_EMPTY_INFO \
|
|
+ --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
|
|
+
|
|
+# Try with missing qualifyingData
|
|
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
|
|
+ --quoteInfo=$QUOTE_EMPTY_INFO \
|
|
+ --signature=$SIGNATURE_FILE
|
|
|
|
echo "tss2 quote with BIG_FILE" # Expected to fail
|
|
expect <<EOF
|
|
@@ -65,18 +84,6 @@ if [[ "`cat $LOG_FILE`" == $SANITIZER_FILTER ]]; then
|
|
exit 1
|
|
fi
|
|
|
|
-tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
|
|
-tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
|
|
-
|
|
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
|
|
- --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
|
|
- --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
|
|
-
|
|
-echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
|
|
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
|
|
- --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_INFO \
|
|
- --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
|
|
-
|
|
echo "tss2 verifyquote with BIG_FILE qualifyingData" # Expected to fail
|
|
expect <<EOF
|
|
spawn sh -c "tss2 verifyquote --publicKeyPath=\"ext/myNewParent\" \
|
|
@@ -537,9 +544,4 @@ if {[lindex \$ret 2] || [lindex \$ret 3] != 1} {
|
|
}
|
|
EOF
|
|
|
|
-# Try with missing qualifyingData
|
|
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
|
|
- --quoteInfo=$QUOTE_INFO \
|
|
- --signature=$SIGNATURE_FILE
|
|
-
|
|
exit 0
|