Add testing for RSA TPM keys that have the Sign capability

aws · Jun 26, 2024 · aca9860 · aca9860
1 parent 7767d1d
commit aca9860
Show file tree

Hide file tree

Showing 2 changed files with 103 additions and 5 deletions.
diff --git a/Makefile b/Makefile
@@ -111,7 +111,36 @@ $(certsdir)/tpm-sw-ec-81000001-key-with-pw.pem:
 	fi
 	TPM_INTERFACE_TYPE=socsim create_tpm2_key -e prime256v1 -p 81000001 $@ --auth --password 1234
 
-SWTPMKEYS_WO_PW := $(certsdir)/tpm-sw-rsa-key.pem $(certsdir)/tpm-sw-ec-secp384r1-key.pem $(certsdir)/tpm-sw-ec-prime256-key.pem $(certsdir)/tpm-sw-ec-81000001-key.pem
+# Create an RSA key with the Sign capability
+$(certsdir)/tpm-sw-rsa-81000001-sign.key:
+	$(START_SWTPM_TCP)
+	if ! TPM_INTERFACE_TYPE=socsim tssreadpublic -ho 81000001; then \
+		TPM_INTERFACE_TYPE=socsim tsscreateprimary -hi o -rsa && \
+		TPM_INTERFACE_TYPE=socsim tssevictcontrol -hi o -ho 80000000 -hp 81000001; \
+	fi
+	PUB_KEY=$$(echo "$@" | sed 's/.key/.pub/'); \
+	TPM_INTERFACE_TYPE=socsim tsscreate -hp 81000001 -rsa -gp -opr $@ -opu $${PUB_KEY}
+
+$(certsdir)/tpm-sw-rsa-81000001-sign-key.pem: $(certsdir)/tpm-sw-rsa-81000001-sign.key
+	# Hacky way to run just a single function
+	go test ./... -run "^TestCreateRsaTpmPemKeyWithSignCapability$$"
+
+$(certsdir)/tpm-sw-rsa-81000001-sign-with-pw.key:
+	$(START_SWTPM_TCP)
+	if ! TPM_INTERFACE_TYPE=socsim tssreadpublic -ho 81000001; then \
+		TPM_INTERFACE_TYPE=socsim tsscreateprimary -hi o -rsa && \
+		TPM_INTERFACE_TYPE=socsim tssevictcontrol -hi o -ho 80000000 -hp 81000001; \
+	fi
+	PUB_KEY=$$(echo "$@" | sed 's/.key/.pub/'); \
+	TPM_INTERFACE_TYPE=socsim tsscreate -hp 81000001 -rsa -gp -opr $@ -opu $${PUB_KEY} -pwdk 1234
+
+$(certsdir)/tpm-sw-rsa-81000001-sign-key-with-pw.pem: $(certsdir)/tpm-sw-rsa-81000001-sign-with-pw.key
+	go test ./... -run "^TestCreateRsaTpmPemKeyWithPasswordWithSignCapability$$"
+
+SWTPM_TMPPRIVKEYS := $(certsdir)/tpm-sw-rsa-81000001-sign.key $(certsdir)/tpm-sw-rsa-81000001-sign-with-pw.key
+SWTPM_TMPPUBKEYS := $(patsubst %.key, %.pub, $(SWTPM_TMPPRIVKEYS))
+SWTPM_TMPKEYS := $(SWTPM_TMPPRIVKEYS) $(SWTPM_TMPPUBKEYS)
+SWTPMKEYS_WO_PW := $(certsdir)/tpm-sw-rsa-key.pem $(certsdir)/tpm-sw-ec-secp384r1-key.pem $(certsdir)/tpm-sw-ec-prime256-key.pem $(certsdir)/tpm-sw-ec-81000001-key.pem $(certsdir)/tpm-sw-rsa-81000001-sign-key.pem
 SWTPMKEYS_W_PW := $(patsubst %.pem, %-with-pw.pem, $(SWTPMKEYS_WO_PW))
 SWTPMKEYS := $(SWTPMKEYS_WO_PW) $(SWTPMKEYS_W_PW)
 SWTPMCERTS := $(foreach digest, sha1 sha256 sha384 sha512, $(patsubst %-key.pem, %-$(digest)-cert.pem, $(SWTPMKEYS_WO_PW)))
@@ -285,5 +314,5 @@ test-clean:
 	rm -rf tst/softhsm/*
 	$(STOP_SWTPM_TCP) || :
 	$(STOP_SWTPM_UNIX) || :
-	rm -rf $(SWTPMKEYS) $(SWTPMCERTS) tst/swtpm
+	rm -rf $(SWTPMKEYS) $(SWTPMCERTS) $(SWTPM_TPMFILES) tst/swtpm
 
diff --git a/aws_signing_helper/tpm_signer_test.go b/aws_signing_helper/tpm_signer_test.go
@@ -1,6 +1,9 @@
 package aws_signing_helper
 
 import (
+	"encoding/asn1"
+	"encoding/pem"
+	"errors"
 	"fmt"
 	"os"
 	"strings"
@@ -18,7 +21,7 @@ func TestTPMSigner(t *testing.T) {
 		tpm_keys = []string{"hw-rsa", "hw-ec", "hw-ec-81000001"}
 	} else {
 		// TODO: Add "sw-rsa" back in
-		tpm_keys = []string{"sw-ec-prime256", "sw-ec-secp384r1", "sw-ec-81000001"}
+		tpm_keys = []string{"sw-rsa-81000001-sign", "sw-ec-prime256", "sw-ec-secp384r1", "sw-ec-81000001"}
 	}
 
 	for _, digest := range tpm_digests {
@@ -48,6 +51,71 @@ func TestTPMSigner(t *testing.T) {
 	RunSignTestWithTestTable(t, testTable)
 }
 
+func createRsaTpmPemKeyWithSignCapability(suffix string, emptyAuth bool) (error) {
+	privKeyFileName := fmt.Sprintf("../tst/certs/tpm-sw-rsa-81000001-sign%s.key", suffix)
+	privKeyBytes, err := os.ReadFile(privKeyFileName)
+	if err != nil {
+		return errors.New("unable to read RSA private key file")
+	}
+	pubKeyFileName := fmt.Sprintf("../tst/certs/tpm-sw-rsa-81000001-sign%s.pub", suffix)
+	pubKeyBytes, err := os.ReadFile(pubKeyFileName)
+	if err != nil {
+		return errors.New("unable to read RSA public key file")
+	}
+
+	tpmData := tpm2_TPMKey{
+		Oid: oidLoadableKey, 
+		EmptyAuth: emptyAuth,
+		Parent: 0x81000001, 
+		Pubkey: pubKeyBytes, 
+		Privkey: privKeyBytes, 
+	}
+
+	asn1Bytes, err := asn1.Marshal(tpmData)
+	if err != nil {
+		return errors.New("unable to marshal TPM key ASN.1 module")
+	}
+
+	pemBlock := &pem.Block{
+		Type: "TSS2 PRIVATE KEY", 
+		Bytes: asn1Bytes, 
+	}
+
+	pemFileName := fmt.Sprintf("../tst/certs/tpm-sw-rsa-81000001-sign-key%s.pem", suffix)
+	pemFile, err := os.Create(pemFileName)
+	if err != nil {
+		return errors.New("unable to create TPM key PEM file")
+	}
+	defer pemFile.Close()
+
+	err = pem.Encode(pemFile, pemBlock)
+	if err != nil {
+		return errors.New("unable to write TPM key to file")
+	}
+
+	return nil
+}
+
+// The RSA key with the Sign capability will have already been created 
+// as a part of the owner hierarchy (as a part of the Makefile testing 
+// target). This method will marshal the resulting data into the PEM 
+// TPM key format. 
+func TestCreateRsaTpmPemKeyWithSignCapability(t *testing.T) {
+	err := createRsaTpmPemKeyWithSignCapability("", true)
+	if err != nil {
+		fmt.Println(err.Error())
+		t.Fail()
+	}
+}
+
+func TestCreateRsaTpmPemKeyWithPasswordWithSignCapability(t *testing.T) {
+	err := createRsaTpmPemKeyWithSignCapability("-with-pw", false)
+	if err != nil {
+		fmt.Println(err.Error())
+		t.Fail()
+	}
+}
+
 func TestTPMSignerFails(t *testing.T) {
 	testTable := []CredentialsOpts{}
 
@@ -58,8 +126,9 @@ func TestTPMSignerFails(t *testing.T) {
 	if strings.HasPrefix(tpmdev, "/dev/") {
 		tpm_keys = []string{"hw-rsa", "hw-ec", "hw-ec-81000001"}
 	} else {
-		// TODO: Add sw-rsa back in
-		tpm_keys = []string{"sw-ec-prime256", "sw-ec-secp384r1", "sw-ec-81000001"}
+		// Note that the "sw-rsa" key will fail to sign since it doesn't have the 
+		// Sign capability. 
+		tpm_keys = []string{"sw-rsa", "sw-ec-prime256", "sw-ec-secp384r1", "sw-ec-81000001"}
 	}
 
 	for _, digest := range tpm_digests {