2020-02-14 11:50:13 +01:00
|
|
|
#!/bin/bash
|
2020-08-25 13:11:46 +02:00
|
|
|
rm -f target/debug/clevis-{encrypt,decrypt}-tpm2plus
|
2020-02-14 11:50:13 +01:00
|
|
|
cargo build || (echo "Failed to build"; exit 1)
|
2020-08-25 13:11:46 +02:00
|
|
|
ln -s clevis-pin-tpm2 target/debug/clevis-encrypt-tpm2plus
|
|
|
|
ln -s clevis-pin-tpm2 target/debug/clevis-decrypt-tpm2plus
|
|
|
|
|
2020-02-14 11:50:13 +01:00
|
|
|
echo "Working: no sealing" | ./target/debug/clevis-pin-tpm2 encrypt '{}' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: no sealing"; exit 1)
|
2020-11-10 10:52:18 +01:00
|
|
|
# This tests we can handle the extra argument (either empty string or -y) from Clevis v15
|
|
|
|
# https://github.com/latchset/clevis/commit/36fae7c2dbf030d6c74abaed945db7bf3c25d054
|
2020-12-03 15:30:58 +01:00
|
|
|
echo "Working: no sealing (clevis v15, empty)" | ./target/debug/clevis-pin-tpm2 encrypt '{}' '' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: no sealing"; exit 1)
|
|
|
|
echo "Working: no sealing (clevis v15, -y)" | ./target/debug/clevis-pin-tpm2 encrypt '{}' '-y' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: no sealing"; exit 1)
|
|
|
|
echo "Working: no sealing (clevis decrypt)" | ./target/debug/clevis-pin-tpm2 encrypt '{}' | clevis decrypt || (echo "Failed: no sealing (clevis decrypt)"; exit 1)
|
|
|
|
echo "Working: no sealing (clevis encrypt)" | clevis encrypt tpm2 '{}' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: no sealing (clevis encrypt)"; exit 1)
|
|
|
|
echo "Working: no sealing (renamed encrypt)" | ./target/debug/clevis-encrypt-tpm2plus '{}' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: no sealing"; exit 1)
|
|
|
|
echo "Working: no sealing (renamed decrypt)" | ./target/debug/clevis-pin-tpm2 encrypt '{}' | ./target/debug/clevis-decrypt-tpm2plus || (echo "Failed: no sealing (clevis decrypt)"; exit 1)
|
2021-11-03 10:24:38 +01:00
|
|
|
name_alg_out=$(echo "Working: with name alg" | ./target/debug/clevis-pin-tpm2 encrypt '{"hash": "sha1"}')
|
|
|
|
echo $name_alg_out | cut -d'.' -f1 | jose b64 dec -i- | grep "\"hash\":\"sha1\"" || (echo "Failed: with name alg: not using sha1"; exit 1)
|
|
|
|
echo $name_alg_out | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: with name alg"; exit 1)
|
|
|
|
echo "Working: with name alg (clevis decrypt)" | ./target/debug/clevis-pin-tpm2 encrypt '{"hash": "sha1"}' | clevis decrypt || (echo "Failed: with name alg (clevis decrypt)"; exit 1)
|
|
|
|
echo "Working: with name alg (clevis encrypt)" | clevis encrypt tpm2 '{"hash": "sha1"}' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: with name alg (clevis encrypt)"; exit 1)
|
2020-02-14 11:50:13 +01:00
|
|
|
echo "Working: with PCRs" | ./target/debug/clevis-pin-tpm2 encrypt '{"pcr_ids":[23]}' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: with PCRs"; exit 1)
|
2020-12-03 15:30:58 +01:00
|
|
|
echo "Working: with PCRs (clevis decrypt)" | ./target/debug/clevis-pin-tpm2 encrypt '{"pcr_ids":[23]}' | clevis decrypt || (echo "Failed: with PCRs (clevis decrypt)"; exit 1)
|
|
|
|
echo "Working: with PCRs (clevis encrypt)" | clevis encrypt tpm2 '{"pcr_ids":[23]}' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: with PCRs (clevis encrypt)"; exit 1)
|
2020-08-03 10:04:24 +02:00
|
|
|
echo "Working: with PCRs sha1" | ./target/debug/clevis-pin-tpm2 encrypt '{"pcr_bank": "sha1", "pcr_ids":[23]}' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: with PCRs sha1"; exit 1)
|
2020-12-03 15:30:58 +01:00
|
|
|
echo "Working: with PCRs sha1 (clevis decrypt)" | ./target/debug/clevis-pin-tpm2 encrypt '{"pcr_bank": "sha1", "pcr_ids":[23]}' | clevis decrypt || (echo "Failed: with PCRs sha1 (clevis decrypt)"; exit 1)
|
|
|
|
echo "Working: with PCRs sha1 (clevis encrypt)" | clevis encrypt tpm2 '{"pcr_bank": "sha1", "pcr_ids":[23]}' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: with PCRs sha1 (clevis encrypt)"; exit 1)
|
2020-08-03 10:04:24 +02:00
|
|
|
echo "Working: no sealing rsa" | ./target/debug/clevis-pin-tpm2 encrypt '{"key": "rsa"}' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: no sealing rsa"; exit 1)
|
2020-12-03 15:30:58 +01:00
|
|
|
echo "Working: no sealing rsa (clevis decrypt)" | ./target/debug/clevis-pin-tpm2 encrypt '{"key": "rsa"}' | clevis decrypt || (echo "Failed: no sealing rsa (clevis decrypt)"; exit 1)
|
|
|
|
echo "Working: no sealing rsa (clevis encrypt)" | clevis encrypt tpm2 '{"key": "rsa"}' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: no sealing rsa (clevis encrypt)"; exit 1)
|
2020-08-03 09:42:39 +02:00
|
|
|
|
2020-02-14 11:50:13 +01:00
|
|
|
# Negative test (PCR change)
|
|
|
|
token=$(echo Failed | ./target/debug/clevis-pin-tpm2 encrypt '{"pcr_ids":[23]}')
|
|
|
|
tpm2_pcrevent -Q README.md 23
|
|
|
|
res=$(echo "$token" | ./target/debug/clevis-pin-tpm2 decrypt 2>/dev/null)
|
|
|
|
ret=$?
|
|
|
|
if [ $ret == 0 -a "$res" == "Failed" ]
|
|
|
|
then
|
|
|
|
echo "Managed to decrypt after changing PCR"
|
|
|
|
exit 1
|
|
|
|
elif [ $ret == 0 -o "$res" != "" ]
|
|
|
|
then
|
|
|
|
echo "Something went wrong"
|
|
|
|
exit 1
|
|
|
|
else
|
|
|
|
echo "Working: with PCRs and change"
|
|
|
|
fi
|