tests: Add unit test for device ID builder

This makes the tests/run.sh script to generate the IAK and IDevID
certificates if the tpm2-openssl provider is available.

The added test is executed only if both the IAK and IDevID certificates
are available.

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>

Author: ansasaki

keylime/src/device_id.rs

@@ -485,4 +485,51 @@ mod tests {
             .idevid_asym_alg("")
             .idevid_hash_alg("");
     }
+
+    #[tokio::test]
+    #[cfg(feature = "testing")]
+    async fn test_device_id_builder() {
+        let _mutex = tpm::testing::lock_tests().await;
+        let certs_dir = Path::new(env!("CARGO_MANIFEST_DIR"))
+            .join("test-data")
+            .join("iak-idevid-certs");
+
+        if certs_dir.exists() {
+            let iak_cert = certs_dir.join("iak.cert.pem");
+            let idevid_cert = certs_dir.join("idevid.cert.pem");
+            if iak_cert.exists() && idevid_cert.exists() {
+                let mut tpm_ctx = tpm::Context::new().unwrap(); //#[allow_ci]
+                let result = DeviceIDBuilder::new()
+                    .iak_handle("")
+                    .iak_cert_path(
+                        iak_cert
+                            .to_str()
+                            .expect("Failed to get str for IAK cert"),
+                    )
+                    .iak_password("")
+                    .iak_template("")
+                    .iak_asym_alg("")
+                    .iak_hash_alg("")
+                    .idevid_handle("")
+                    .idevid_cert_path(
+                        idevid_cert
+                            .to_str()
+                            .expect("Failed to get str for IDevID cert"),
+                    )
+                    .idevid_password("")
+                    .idevid_template("")
+                    .idevid_asym_alg("")
+                    .idevid_hash_alg("")
+                    .build(&mut tpm_ctx);
+                assert!(result.is_ok(), "Result: {result:?}");
+                let dev_id = result.unwrap(); //#[allow_ci]
+
+                // Flush context to free TPM memory
+                let r = tpm_ctx.flush_context(dev_id.iak.handle.into());
+                assert!(r.is_ok(), "Result: {r:?}");
+                let r = tpm_ctx.flush_context(dev_id.idevid.handle.into());
+                assert!(r.is_ok(), "Result: {r:?}");
+            }
+        }
+    }
 }

tests/generate-iak-idevid-certs.sh

@@ -159,7 +159,7 @@ pushd "${OUTPUTDIR}" > /dev/null || exit 1
             -out cacert.pem
     popd > /dev/null || exit 1
     cat intermediate/cacert.pem root/cacert.pem \
-        > cert-chain.pem
+        > ca-cert-chain.pem
 popd > /dev/null || exit 1
 
 mkdir "${OUTPUTDIR}/ikeys"

tests/run.sh

@@ -2,6 +2,19 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2021 Keylime Authors
 
+# Check that the script is running from inside the repository tree
+GIT_ROOT=$(git rev-parse --show-toplevel) || {
+    echo "Please run this script from inside the rust-keylime repository tree"
+    exit 1
+}
+
+TESTS_DIR="${GIT_ROOT}/tests"
+TEST_DATA_DIR="${GIT_ROOT}/test-data"
+TPMDIR="${TEST_DATA_DIR}/tpm-state"
+
+# These certificates are used for the keylime/device_id tests
+IAK_IDEVID_CERTS="${GIT_ROOT}/keylime/test-data/iak-idevid-certs"
+
 # Store the old TCTI setting
 OLD_TCTI=$TCTI
 OLD_TPM2TOOLS_TCTI=$TPM2TOOLS_TCTI
@@ -11,14 +24,13 @@ set -euf -o pipefail
 
 echo "-------- Setting up Software TPM"
 
-# Create temporary directories
-TEMPDIR=$(mktemp -d)
-TPMDIR="${TEMPDIR}/tpmdir"
-mkdir -p ${TPMDIR}
+if [[ ! -d "${TPMDIR}" ]]; then
+    mkdir -p "${TPMDIR}"
+fi
 
 # Manufacture a new Software TPM
 swtpm_setup --tpm2 \
-    --tpmstate ${TPMDIR} \
+    --tpmstate "${TPMDIR}" \
     --createek --decryption --create-ek-cert \
     --create-platform-cert \
     --lock-nvram \
@@ -29,7 +41,7 @@ swtpm_setup --tpm2 \
 function start_swtpm {
     # Initialize the swtpm socket
     swtpm socket --tpm2 \
-        --tpmstate dir=${TPMDIR} \
+        --tpmstate dir="${TPMDIR}" \
         --flags startup-clear \
         --ctrl type=tcp,port=2322 \
         --server type=tcp,port=2321 \
@@ -39,7 +51,7 @@ function start_swtpm {
 
 function stop_swtpm {
     # Stop swtpm if running
-    if [[ -n "$SWTPM_PID" ]]; then
+    if [[ -n "${SWTPM_PID}" ]]; then
         echo "Stopping swtpm"
         kill $SWTPM_PID
     fi
@@ -72,6 +84,25 @@ RUST_BACKTRACE=1 cargo build
 
 echo "-------- Testing"
 start_swtpm
+
+
+# Check that tpm2-openssl provider is available
+if openssl list -provider tpm2 -providers > /dev/null; then
+    # If any IAK/IDevID related certificate is missing, re-generate them
+    if [[ ( ! -f "${IAK_IDEVID_CERTS}/iak.cert.pem" ) ||
+        ( ! -f "${IAK_IDEVID_CERTS}/iak.cert.der" ) ||
+        ( ! -f "${IAK_IDEVID_CERTS}/idevid.cert.pem" ) ||
+        ( ! -f "${IAK_IDEVID_CERTS}/idevid.cert.der" ) ||
+        ( ! -f "${IAK_IDEVID_CERTS}/ca-cert-chain.pem" ) ]]
+    then
+        # Remove any leftover from old certificates
+        rm -rf "${IAK_IDEVID_CERTS}"
+        mkdir -p "${IAK_IDEVID_CERTS}"
+        echo "-------- Create IAK/IDevID certificates"
+        "${GIT_ROOT}/tests/generate-iak-idevid-certs.sh" -o "${IAK_IDEVID_CERTS}"
+    fi
+fi
+
 mkdir -p /var/lib/keylime
 RUST_BACKTRACE=1 RUST_LOG=info \
 KEYLIME_CONFIG=$PWD/keylime-agent.conf \