From 171dc8843d6124791a82803b80eb66e2f4c59ac8 Mon Sep 17 00:00:00 2001 From: Eric Richter Date: Thu, 3 Oct 2024 11:08:38 -0500 Subject: [PATCH 1/5] test/guest: reformat guest_generate_testdata There are several style problems in this file, most notably indentation issues: mixed tabs and spaces, as well as incorrect level of indentation. Correct them, as well as other subtle formatting issues. Signed-off-by: Eric Richter --- test/guest_generate_testdata.py | 426 ++++++++++++++++---------------- 1 file changed, 212 insertions(+), 214 deletions(-) diff --git a/test/guest_generate_testdata.py b/test/guest_generate_testdata.py index e023dbad..8f5f37e8 100644 --- a/test/guest_generate_testdata.py +++ b/test/guest_generate_testdata.py 
@@ -1,35 +1,35 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2021 IBM Corp. -import subprocess #for commmands -import os #for getting size of file +import subprocess +import os import sys import time DATAPATH = "./testdata/guest" -#[nameoffile,var,signing var] +# [nameoffile, var, signing var] variable_by_PK = [ - ["PK_by_PK","PK","PK"], - ["KEK_by_PK","KEK","PK"], - ["db_by_PK","db","PK"], - ["dbx_by_PK","dbx","PK"], - ["grubdb_by_PK","grubdb","PK"], - ["grubdbx_by_PK","grubdbx","PK"], - ["moduledb_by_PK","moduledb","PK"], - ["trustedcadb_by_PK","trustedcadb","PK"], - ["sbat_by_PK","sbat","PK"] - ] + ["PK_by_PK", "PK", "PK"], + ["KEK_by_PK", "KEK", "PK"], + ["db_by_PK", "db", "PK"], + ["dbx_by_PK", "dbx", "PK"], + ["grubdb_by_PK", "grubdb", "PK"], + ["grubdbx_by_PK", "grubdbx", "PK"], + ["moduledb_by_PK", "moduledb", "PK"], + ["trustedcadb_by_PK", "trustedcadb", "PK"], + ["sbat_by_PK", "sbat", "PK"] +] variable_by_KEK = [ - ["db_by_KEK","db","KEK"], - ["dbx_by_KEK","dbx","KEK"], - ["grubdb_by_KEK","grubdb","KEK"], - ["grubdbx_by_KEK","grubdbx","KEK"], - ["moduledb_by_KEK","moduledb","KEK"], - ["trustedcadb_by_KEK","trustedcadb","KEK"], - ["sbat_by_KEK","sbat","KEK"] - ] + ["db_by_KEK", "db", "KEK"], + ["dbx_by_KEK", "dbx", "KEK"], + ["grubdb_by_KEK", "grubdb", "KEK"], + ["grubdbx_by_KEK", "grubdbx", "KEK"], + ["moduledb_by_KEK", "moduledb", "KEK"], + ["trustedcadb_by_KEK", "trustedcadb", "KEK"], + ["sbat_by_KEK", "sbat", "KEK"] +] hash_algorithm = ["SHA1", "SHA224", "SHA256", "SHA384", "SHA512"] x509_hash_algorithm = ["SHA256", "SHA384", "SHA512"] 
@@ -50,200 +50,198 @@ auth_reset = "reset" log_dir = "./log" -if len(sys.argv)>1: - secvarctl = [sys.argv[1]] +if len(sys.argv) > 1: + secvarctl = [sys.argv[1]] else: - secvarctl = ["../bin/secvarctl-dbg"] + secvarctl = ["../bin/secvarctl-dbg"] secvarctl = secvarctl + ["-m", "guest", "generate"] -def command (args, err=None, out=None):#stores last log of function into log file - return subprocess.call (args, stderr=err, stdout=out) - -def create_environments (): - command (["mkdir", "-p", log_dir]) - with open ("./log/genlog.txt", "w") as f: - for directory in test_dir: - command (["mkdir", "-p", directory], f, f) - for var_name in variables: - command (["mkdir", "-p", test_dir[3] + var_name], f, f) - -def convert_pem_to_Der (pem_cert_file, der_cert_file): - command ([ "openssl", "x509", "-outform", "der", "-in", pem_cert_file, "-out", der_cert_file]) - -def generate_x509_cert (priv="default.key",pub="default.crt",crtType="-x509",rsa="rsa:2048", sha="-sha256", nodes="-nodes",subj="/C=NC/O=testing corp" ): - command (["openssl", "req", "-new" ,crtType ,"-newkey", rsa, "-keyout",priv, "-out", pub,nodes, sha, "-subj",subj]) - convert_pem_to_Der (pub, pub[:-4] + ".der") - return - -def generate_esl (variable_name, format_type, cert_file, esl_file): - command (secvarctl + [format_type, "-i", cert_file, "-o", esl_file, "-n", variable_name]) - -def generate_auth (variable_name, signer_key_file, signer_cert_file, cert_file, auth_file, format_type, enforce = ""): - time.sleep (1) - cmd = [format_type, "-k", signer_key_file, "-c", signer_cert_file, "-n", variable_name, "-i", cert_file, "-o", auth_file] - if enforce == force: - cmd = cmd + [force] - command (secvarctl + cmd) - -def generate_pkcs7 (input_file, output_file, sign_cert, sign_key, hash_algo): - command (["openssl", "cms", "-sign", "-binary", "-in", input_file , "-signer", sign_cert, "-inkey", sign_key, "-out", output_file, "-noattr", "-outform", "DER", "-md", hash_algo]) - -def create_sbat_file (sbat_file): - with 
open (sbat_file, "w") as f: - for data in sbat_data: - f.write (data); - -def create_size_file (data_file, size_file): - size = os.path.getsize (data_file) - with open (size_file, "w") as f: - f.write (str (size)); - f.close (); - -def add_timestamp (esl_file, data_file): - file_object = open (data_file, 'wb') - t=time.gmtime() - file_object.write((0).to_bytes(1,byteorder=sys.byteorder)) - file_object.write((t.tm_year).to_bytes(2,byteorder=sys.byteorder)) - file_object.write((t.tm_mon).to_bytes(1,byteorder=sys.byteorder)) - file_object.write((t.tm_mday).to_bytes(1,byteorder=sys.byteorder)) - file_object.write((t.tm_hour).to_bytes(1,byteorder=sys.byteorder)) - file_object.write((t.tm_min).to_bytes(1,byteorder=sys.byteorder)) - file_object.write((t.tm_sec).to_bytes(1,byteorder=sys.byteorder)) - file_object.close() - os.system("cat " + esl_file + " >> " + data_file) - os.system("rm -rf " + esl_file) - -def create_goldenkey_files (): - - for var_name in variables:#generate valid pub and private keys - esl_file = test_dir[3] + var_name + "/esldata" - data_file = test_dir[3] + var_name + "/data" - update_file = test_dir[3] + var_name + "/update" - size_file = test_dir[3] + var_name + "/size" - - if var_name == SBAT_name: - cert_file = test_dir[3] + var_name + "/" + var_name + ".csv" - create_sbat_file (cert_file) - format_type = file_to_esl - else: - format_type = cert_to_esl - key_file = test_dir[3] + var_name + "/" + var_name + ".key" - cert_file = test_dir[3] + var_name + "/" + var_name + ".crt" - generate_x509_cert (key_file, cert_file) - - generate_esl (var_name, format_type, cert_file, esl_file) - add_timestamp (esl_file, data_file) - command (["touch", update_file]) - create_size_file (data_file, size_file) - -def create_pkcs7_files (): - - for hash_alg in hash_algorithm: - for var_by_PK in variable_by_PK: - if var_by_PK[1] != SBAT_name and hash_alg == "SHA256": - pkcs7_file = test_dir[4] + hash_alg + "_" + var_by_PK[0] + ".pkcs7" - key_file = test_dir[2] + 
var_by_PK[2] + ".key" - cert_file = test_dir[2] + var_by_PK[2] + ".crt" - var_cert_file = test_dir[2] + var_by_PK[0] + ".crt" - generate_pkcs7 (var_cert_file, pkcs7_file, cert_file, key_file, hash_alg) - - for var_by_KEK in variable_by_KEK: - if var_by_KEK[1] != SBAT_name and hash_alg == "SHA256": - pkcs7_file = test_dir[4] + hash_alg + "_" + var_by_KEK[0] + ".pkcs7" - key_file = test_dir[2] + var_by_KEK[2] + ".key" - cert_file = test_dir[2] + var_by_KEK[2] + ".crt" - var_cert_file = test_dir[2] + var_by_KEK[0] + ".crt" - generate_pkcs7 (var_cert_file, pkcs7_file, cert_file, key_file, hash_alg) - -def create_x509_cert_files (): - - for var_name in variables: - if var_name == SBAT_name: - cert_file = test_dir[2] + var_name + ".csv" - create_sbat_file (cert_file) - else: - key_file = test_dir[2] + var_name + ".key" - cert_file = test_dir[2] + var_name + ".crt" - generate_x509_cert (key_file, cert_file) - - for var_by_PK in variable_by_PK: - if var_by_PK[1] != SBAT_name: - key_file = test_dir[2] + var_by_PK[0] + ".key" - cert_file = test_dir[2] + var_by_PK[0] + ".crt" - generate_x509_cert (key_file, cert_file) - - for var_by_KEK in variable_by_KEK: - if var_by_KEK[1] != SBAT_name: - key_file = test_dir[2] + var_by_KEK[0] + ".key" - cert_file = test_dir[2] + var_by_KEK[0] + ".crt" - generate_x509_cert (key_file, cert_file) - -def create_esl_files (): - - for var_name in variables: - esl_file = test_dir[0] + var_name + ".esl" - - if var_name == SBAT_name: - cert_file = test_dir[2] + var_name + ".csv" - format_type = file_to_esl - else: - format_type = cert_to_esl - key_file = test_dir[2] + var_name + ".key" - cert_file = test_dir[2] + var_name + ".crt" - - generate_esl (var_name, format_type, cert_file, esl_file) - -def create_auth_files (): - - for var_by_PK in variable_by_PK: - auth_file = test_dir[1] + var_by_PK[0] + ".auth" - PK_key_file = test_dir[3] + var_by_PK[2] + "/" + var_by_PK[2] + ".key" - PK_cert_file = test_dir[3] + var_by_PK[2] + "/" + var_by_PK[2] + 
".crt" - - if var_by_PK[1] == SBAT_name: - cert_file = test_dir[2] + var_by_PK[1] + ".csv" - format_type = file_to_auth - else: - format_type = cert_to_auth - cert_file = test_dir[2] + var_by_PK[0] + ".crt" - - generate_auth (var_by_PK[1], PK_key_file, PK_cert_file, cert_file, auth_file, format_type, non_force) - - for var_by_KEK in variable_by_KEK: - auth_file = test_dir[1] + var_by_KEK[0] + ".auth" - KEK_key_file = test_dir[3] + var_by_KEK[2] + "/" + var_by_KEK[2] + ".key" - KEK_cert_file = test_dir[3] + var_by_KEK[2] + "/" + var_by_KEK[2] + ".crt" - - if var_by_KEK[1] == SBAT_name: - cert_file = test_dir[2] + var_by_KEK[1] + ".csv" - format_type = file_to_auth - else: - format_type = cert_to_auth - cert_file = test_dir[2] + var_by_KEK[0] + ".crt" - - generate_auth (var_by_KEK[1], KEK_key_file, KEK_cert_file, cert_file, auth_file, format_type, non_force) - -def create_reset_auth_files (): - - format_type = auth_reset - cert_file = "" - for var_by_PK in variable_by_PK: - auth_file = test_dir[1] + auth_reset + "_" + var_by_PK[0] + ".auth" - PK_key_file = test_dir[3] + var_by_PK[2] + "/" + var_by_PK[2] + ".key" - PK_cert_file = test_dir[3] + var_by_PK[2] + "/" + var_by_PK[2] + ".crt" - generate_auth (var_by_PK[1], PK_key_file, PK_cert_file, cert_file, auth_file, format_type, non_force) - - for var_by_KEK in variable_by_KEK: - auth_file = test_dir[1] + auth_reset + "_" + var_by_KEK[0] + ".auth" - KEK_key_file = test_dir[3] + var_by_KEK[2] + "/" + var_by_KEK[2] + ".key" - KEK_cert_file = test_dir[3] + var_by_KEK[2] + "/" + var_by_KEK[2] + ".crt" - generate_auth (var_by_KEK[1], KEK_key_file, KEK_cert_file, cert_file, auth_file, format_type, non_force) - -create_environments () -create_goldenkey_files () -create_x509_cert_files () -create_pkcs7_files () -create_esl_files () -create_auth_files () -create_reset_auth_files () +# Stores last log of function into log file +def command(args, err=None, out=None): + return subprocess.call(args, stderr=err, stdout=out) + +def 
create_environments(): + command(["mkdir", "-p", log_dir]) + with open("./log/genlog.txt", "w") as f: + for directory in test_dir: + command(["mkdir", "-p", directory], f, f) + for var_name in variables: + command(["mkdir", "-p", test_dir[3] + var_name], f, f) + +def convert_pem_to_Der(pem_cert_file, der_cert_file): + command(["openssl", "x509", "-outform", "der", "-in", pem_cert_file, "-out", der_cert_file]) + +def generate_x509_cert(priv="default.key", pub="default.crt", crtType="-x509", rsa="rsa:2048", sha="-sha256", nodes="-nodes", subj="/C=NC/O=testing corp"): + command(["openssl", "req", "-new", crtType, "-newkey", rsa, "-keyout", priv, "-out", pub, nodes, sha, "-subj", subj]) + convert_pem_to_Der(pub, pub[:-4] + ".der") + return + +def generate_esl(variable_name, format_type, cert_file, esl_file): + command(secvarctl + [format_type, "-i", cert_file, "-o", esl_file, "-n", variable_name]) + +def generate_auth(variable_name, signer_key_file, signer_cert_file, cert_file, auth_file, format_type, enforce=""): + time.sleep(1) + cmd = [format_type, "-k", signer_key_file, "-c", signer_cert_file, "-n", variable_name, "-i", cert_file, "-o", auth_file] + if enforce == force: + cmd = cmd + [force] + command(secvarctl + cmd) + +def generate_pkcs7(input_file, output_file, sign_cert, sign_key, hash_algo): + command(["openssl", "cms", "-sign", "-binary", "-in", input_file, "-signer", sign_cert, "-inkey", sign_key, "-out", output_file, "-noattr", "-outform", "DER", "-md", hash_algo]) + +def create_sbat_file(sbat_file): + with open(sbat_file, "w") as f: + for data in sbat_data: + f.write(data) + +def create_size_file(data_file, size_file): + size = os.path.getsize(data_file) + with open(size_file, "w") as f: + f.write(str(size)) + f.close() + +def add_timestamp(esl_file, data_file): + file_object = open(data_file, 'wb') + t = time.gmtime() + file_object.write((0).to_bytes(1, byteorder=sys.byteorder)) + file_object.write((t.tm_year).to_bytes(2, byteorder=sys.byteorder)) + 
file_object.write((t.tm_mon).to_bytes(1, byteorder=sys.byteorder)) + file_object.write((t.tm_mday).to_bytes(1, byteorder=sys.byteorder)) + file_object.write((t.tm_hour).to_bytes(1, byteorder=sys.byteorder)) + file_object.write((t.tm_min).to_bytes(1, byteorder=sys.byteorder)) + file_object.write((t.tm_sec).to_bytes(1, byteorder=sys.byteorder)) + file_object.close() + os.system("cat " + esl_file + " >> " + data_file) + os.system("rm -rf " + esl_file) + +def create_goldenkey_files(): + # Generate valid pub and private keys + for var_name in variables: + esl_file = test_dir[3] + var_name + "/esldata" + data_file = test_dir[3] + var_name + "/data" + update_file = test_dir[3] + var_name + "/update" + size_file = test_dir[3] + var_name + "/size" + + if var_name == SBAT_name: + cert_file = test_dir[3] + var_name + "/" + var_name + ".csv" + create_sbat_file(cert_file) + format_type = file_to_esl + else: + format_type = cert_to_esl + key_file = test_dir[3] + var_name + "/" + var_name + ".key" + cert_file = test_dir[3] + var_name + "/" + var_name + ".crt" + generate_x509_cert(key_file, cert_file) + + generate_esl(var_name, format_type, cert_file, esl_file) + add_timestamp(esl_file, data_file) + command(["touch", update_file]) + create_size_file(data_file, size_file) + +def create_pkcs7_files(): + for hash_alg in hash_algorithm: + for var_by_PK in variable_by_PK: + if var_by_PK[1] != SBAT_name and hash_alg == "SHA256": + pkcs7_file = test_dir[4] + hash_alg + "_" + var_by_PK[0] + ".pkcs7" + key_file = test_dir[2] + var_by_PK[2] + ".key" + cert_file = test_dir[2] + var_by_PK[2] + ".crt" + var_cert_file = test_dir[2] + var_by_PK[0] + ".crt" + generate_pkcs7(var_cert_file, pkcs7_file, cert_file, key_file, hash_alg) + + for var_by_KEK in variable_by_KEK: + if var_by_KEK[1] != SBAT_name and hash_alg == "SHA256": + pkcs7_file = test_dir[4] + hash_alg + "_" + var_by_KEK[0] + ".pkcs7" + key_file = test_dir[2] + var_by_KEK[2] + ".key" + cert_file = test_dir[2] + var_by_KEK[2] + ".crt" + 
var_cert_file = test_dir[2] + var_by_KEK[0] + ".crt" + generate_pkcs7(var_cert_file, pkcs7_file, cert_file, key_file, hash_alg) + +def create_x509_cert_files(): + for var_name in variables: + if var_name == SBAT_name: + cert_file = test_dir[2] + var_name + ".csv" + create_sbat_file(cert_file) + else: + key_file = test_dir[2] + var_name + ".key" + cert_file = test_dir[2] + var_name + ".crt" + generate_x509_cert(key_file, cert_file) + + for var_by_PK in variable_by_PK: + if var_by_PK[1] != SBAT_name: + key_file = test_dir[2] + var_by_PK[0] + ".key" + cert_file = test_dir[2] + var_by_PK[0] + ".crt" + generate_x509_cert(key_file, cert_file) + + for var_by_KEK in variable_by_KEK: + if var_by_KEK[1] != SBAT_name: + key_file = test_dir[2] + var_by_KEK[0] + ".key" + cert_file = test_dir[2] + var_by_KEK[0] + ".crt" + generate_x509_cert(key_file, cert_file) + +def create_esl_files(): + + for var_name in variables: + esl_file = test_dir[0] + var_name + ".esl" + + if var_name == SBAT_name: + cert_file = test_dir[2] + var_name + ".csv" + format_type = file_to_esl + else: + format_type = cert_to_esl + key_file = test_dir[2] + var_name + ".key" + cert_file = test_dir[2] + var_name + ".crt" + + generate_esl(var_name, format_type, cert_file, esl_file) + +def create_auth_files(): + for var_by_PK in variable_by_PK: + auth_file = test_dir[1] + var_by_PK[0] + ".auth" + PK_key_file = test_dir[3] + var_by_PK[2] + "/" + var_by_PK[2] + ".key" + PK_cert_file = test_dir[3] + var_by_PK[2] + "/" + var_by_PK[2] + ".crt" + + if var_by_PK[1] == SBAT_name: + cert_file = test_dir[2] + var_by_PK[1] + ".csv" + format_type = file_to_auth + else: + format_type = cert_to_auth + cert_file = test_dir[2] + var_by_PK[0] + ".crt" + + generate_auth(var_by_PK[1], PK_key_file, PK_cert_file, cert_file, auth_file, format_type, non_force) + + for var_by_KEK in variable_by_KEK: + auth_file = test_dir[1] + var_by_KEK[0] + ".auth" + KEK_key_file = test_dir[3] + var_by_KEK[2] + "/" + var_by_KEK[2] + ".key" + 
KEK_cert_file = test_dir[3] + var_by_KEK[2] + "/" + var_by_KEK[2] + ".crt" + + if var_by_KEK[1] == SBAT_name: + cert_file = test_dir[2] + var_by_KEK[1] + ".csv" + format_type = file_to_auth + else: + format_type = cert_to_auth + cert_file = test_dir[2] + var_by_KEK[0] + ".crt" + + generate_auth(var_by_KEK[1], KEK_key_file, KEK_cert_file, cert_file, auth_file, format_type, non_force) + +def create_reset_auth_files(): + format_type = auth_reset + cert_file = "" + for var_by_PK in variable_by_PK: + auth_file = test_dir[1] + auth_reset + "_" + var_by_PK[0] + ".auth" + PK_key_file = test_dir[3] + var_by_PK[2] + "/" + var_by_PK[2] + ".key" + PK_cert_file = test_dir[3] + var_by_PK[2] + "/" + var_by_PK[2] + ".crt" + generate_auth(var_by_PK[1], PK_key_file, PK_cert_file, cert_file, auth_file, format_type, non_force) + + for var_by_KEK in variable_by_KEK: + auth_file = test_dir[1] + auth_reset + "_" + var_by_KEK[0] + ".auth" + KEK_key_file = test_dir[3] + var_by_KEK[2] + "/" + var_by_KEK[2] + ".key" + KEK_cert_file = test_dir[3] + var_by_KEK[2] + "/" + var_by_KEK[2] + ".crt" + generate_auth(var_by_KEK[1], KEK_key_file, KEK_cert_file, cert_file, auth_file, format_type, non_force) + +if __name__ == "__main__": + create_environments() + create_goldenkey_files() + create_x509_cert_files() + create_pkcs7_files() + create_esl_files() + create_auth_files() + create_reset_auth_files() From 68bfdc82211747f8e55baec771265040902ccd74 Mon Sep 17 00:00:00 2001 From: Eric Richter Date: Thu, 3 Oct 2024 11:34:38 -0500 Subject: [PATCH 2/5] test/guest: use named variables instead of array of directories, use os.path.join An array of paths is _very_ unclear when reading a section of code without context. Use named globals instead so that the reader does not need to move around the file to translate. Also use os.path.join() everywhere instead of manually joining paths with an add operation. This ensures path separators are included where needed, and also helps with portability. 
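Review bot: `add_timestamp` on the new side of this hunk still builds shell commands from strings, `os.system("cat " + esl_file + " >> " + data_file)` and `os.system("rm -rf " + esl_file)`, while every other external call in the file goes through `subprocess.call` with an argument list; a path containing spaces or shell metacharacters would be mis-parsed, and `rm -rf` is far broader than removing one file requires. The same effect with no shell at all is `with open(esl_file, "rb") as src, open(data_file, "ab") as dst: dst.write(src.read())` followed by `os.remove(esl_file)`. Separately, `command()` returns the exit status from `subprocess.call` but every caller discards it, so a failing `openssl` or `secvarctl` run silently leaves missing or stale test data; `subprocess.check_call` (or checking the status) would make the generator fail loudly. The timestamp fields are also written with `byteorder=sys.byteorder`, so the layout of `data` depends on the host that ran the generator — if the consumer expects a fixed byte order, name it explicitly rather than inheriting the host's.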
Signed-off-by: Eric Richter --- test/guest_generate_testdata.py | 101 +++++++++++++++++--------------- 1 file changed, 53 insertions(+), 48 deletions(-) diff --git a/test/guest_generate_testdata.py b/test/guest_generate_testdata.py index 8f5f37e8..1e46fc90 100644 --- a/test/guest_generate_testdata.py +++ b/test/guest_generate_testdata.py @@ -5,7 +5,13 @@ import sys import time -DATAPATH = "./testdata/guest" +DATAPATH = os.path.join(os.path.curdir, "testdata", "guest") +ESL_PATH = os.path.join(DATAPATH, "eslfiles") +AUTH_PATH = os.path.join(DATAPATH, "authfiles") +X509_PATH = os.path.join(DATAPATH, "x509certs") +GOLD_PATH = os.path.join(DATAPATH, "goldenkeys") +PKCS7_PATH = os.path.join(DATAPATH, "pkcs7files") + # [nameoffile, var, signing var] variable_by_PK = [ @@ -38,9 +44,6 @@ sbat_data = ["sbat,1\n", "grub,1\n", "grub.ibm.grub,1\n", "grub.fedora,1"] SBAT_name = "sbat" -test_dir = [f"{DATAPATH}/eslfiles/", f"{DATAPATH}/authfiles/", f"{DATAPATH}/x509certs/", - f"{DATAPATH}/goldenkeys/", f"{DATAPATH}/pkcs7files/"] - cert_to_esl = "c:e" file_to_esl = "f:e" cert_to_auth = "c:a" @@ -64,10 +67,12 @@ def command(args, err=None, out=None): def create_environments(): command(["mkdir", "-p", log_dir]) with open("./log/genlog.txt", "w") as f: - for directory in test_dir: + # TODO: is pre-generating the paths really necessary? Just do it before each operation + for directory in [ESL_PATH, AUTH_PATH, X509_PATH, GOLD_PATH, PKCS7_PATH]: command(["mkdir", "-p", directory], f, f) + # TODO: move to goldenkey generation for var_name in variables: - command(["mkdir", "-p", test_dir[3] + var_name], f, f) + command(["mkdir", "-p", os.path.join(GOLD_PATH, var_name)], f, f) def convert_pem_to_Der(pem_cert_file, der_cert_file): command(["openssl", "x509", "-outform", "der", "-in", pem_cert_file, "-out", der_cert_file]) 
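Review bot: In `create_environments` the log path on the `with open("./log/genlog.txt", "w")` line is still hard-coded even though `log_dir` is defined a few lines above and this very commit introduces `os.path.join` for path building; `with open(os.path.join(log_dir, "genlog.txt"), "w") as f:` keeps the two from drifting apart. The commit message gives portability as the motivation, yet the directories are still created by shelling out to `mkdir -p`, whose exit status is written to the log and otherwise ignored; `os.makedirs(directory, exist_ok=True)` needs no external binary and raises on failure. The two `# TODO:` comments added here would be more useful with an owner or a reference, or resolved within this series rather than left open.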
@@ -118,19 +123,19 @@ def add_timestamp(esl_file, data_file): def create_goldenkey_files(): # Generate valid pub and private keys for var_name in variables: - esl_file = test_dir[3] + var_name + "/esldata" - data_file = test_dir[3] + var_name + "/data" - update_file = test_dir[3] + var_name + "/update" - size_file = test_dir[3] + var_name + "/size" + esl_file = os.path.join(GOLD_PATH, var_name, "esldata") + data_file = os.path.join(GOLD_PATH, var_name, "data") + update_file = os.path.join(GOLD_PATH, var_name, "update") + size_file = os.path.join(GOLD_PATH, var_name, "size") if var_name == SBAT_name: - cert_file = test_dir[3] + var_name + "/" + var_name + ".csv" + cert_file = os.path.join(GOLD_PATH, var_name, f"{var_name}.csv") create_sbat_file(cert_file) format_type = file_to_esl else: format_type = cert_to_esl - key_file = test_dir[3] + var_name + "/" + var_name + ".key" - cert_file = test_dir[3] + var_name + "/" + var_name + ".crt" + key_file = os.path.join(GOLD_PATH, var_name, f"{var_name}.key") + cert_file = os.path.join(GOLD_PATH, var_name, f"{var_name}.crt") generate_x509_cert(key_file, cert_file) generate_esl(var_name, format_type, cert_file, esl_file) 
@@ -142,83 +147,83 @@ def create_pkcs7_files(): for hash_alg in hash_algorithm: for var_by_PK in variable_by_PK: if var_by_PK[1] != SBAT_name and hash_alg == "SHA256": - pkcs7_file = test_dir[4] + hash_alg + "_" + var_by_PK[0] + ".pkcs7" - key_file = test_dir[2] + var_by_PK[2] + ".key" - cert_file = test_dir[2] + var_by_PK[2] + ".crt" - var_cert_file = test_dir[2] + var_by_PK[0] + ".crt" + pkcs7_file = os.path.join(PKCS7_PATH, hash_alg + "_" + var_by_PK[0] + ".pkcs7") + key_file = os.path.join(X509_PATH, var_by_PK[2] + ".key") + cert_file = os.path.join(X509_PATH, var_by_PK[2] + ".crt") + var_cert_file = os.path.join(X509_PATH, var_by_PK[0] + ".crt") generate_pkcs7(var_cert_file, pkcs7_file, cert_file, key_file, hash_alg) for var_by_KEK in variable_by_KEK: if var_by_KEK[1] != SBAT_name and hash_alg == "SHA256": - pkcs7_file = test_dir[4] + hash_alg + "_" + var_by_KEK[0] + ".pkcs7" - key_file = test_dir[2] + var_by_KEK[2] + ".key" - cert_file = test_dir[2] + var_by_KEK[2] + ".crt" - var_cert_file = test_dir[2] + var_by_KEK[0] + ".crt" + pkcs7_file = os.path.join(PKCS7_PATH, hash_alg + "_" + var_by_KEK[0] + ".pkcs7") + key_file = os.path.join(X509_PATH, var_by_KEK[2] + ".key") + cert_file = os.path.join(X509_PATH, var_by_KEK[2] + ".crt") + var_cert_file = os.path.join(X509_PATH, var_by_KEK[0] + ".crt") generate_pkcs7(var_cert_file, pkcs7_file, cert_file, key_file, hash_alg) def create_x509_cert_files(): for var_name in variables: if var_name == SBAT_name: - cert_file = test_dir[2] + var_name + ".csv" + cert_file = os.path.join(X509_PATH, var_name + ".csv") create_sbat_file(cert_file) else: - key_file = test_dir[2] + var_name + ".key" - cert_file = test_dir[2] + var_name + ".crt" + key_file = os.path.join(X509_PATH, var_name + ".key") + cert_file = os.path.join(X509_PATH, var_name + ".crt") generate_x509_cert(key_file, cert_file) for var_by_PK in variable_by_PK: if var_by_PK[1] != SBAT_name: - key_file = test_dir[2] + var_by_PK[0] + ".key" - cert_file = test_dir[2] + 
var_by_PK[0] + ".crt" + key_file = os.path.join(X509_PATH, var_by_PK[0] + ".key") + cert_file = os.path.join(X509_PATH, var_by_PK[0] + ".crt") generate_x509_cert(key_file, cert_file) for var_by_KEK in variable_by_KEK: if var_by_KEK[1] != SBAT_name: - key_file = test_dir[2] + var_by_KEK[0] + ".key" - cert_file = test_dir[2] + var_by_KEK[0] + ".crt" + key_file = os.path.join(X509_PATH, var_by_KEK[0] + ".key") + cert_file = os.path.join(X509_PATH, var_by_KEK[0] + ".crt") generate_x509_cert(key_file, cert_file) def create_esl_files(): for var_name in variables: - esl_file = test_dir[0] + var_name + ".esl" + esl_file = os.path.join(ESL_PATH, var_name + ".esl") if var_name == SBAT_name: - cert_file = test_dir[2] + var_name + ".csv" + cert_file = os.path.join(X509_PATH, var_name + ".csv") format_type = file_to_esl else: format_type = cert_to_esl - key_file = test_dir[2] + var_name + ".key" - cert_file = test_dir[2] + var_name + ".crt" + key_file = os.path.join(X509_PATH, var_name + ".key") + cert_file = os.path.join(X509_PATH, var_name + ".crt") generate_esl(var_name, format_type, cert_file, esl_file) def create_auth_files(): for var_by_PK in variable_by_PK: - auth_file = test_dir[1] + var_by_PK[0] + ".auth" - PK_key_file = test_dir[3] + var_by_PK[2] + "/" + var_by_PK[2] + ".key" - PK_cert_file = test_dir[3] + var_by_PK[2] + "/" + var_by_PK[2] + ".crt" + auth_file = os.path.join(AUTH_PATH, var_by_PK[0] + ".auth") + PK_key_file = os.path.join(GOLD_PATH, var_by_PK[2], var_by_PK[2] + ".key") + PK_cert_file = os.path.join(GOLD_PATH, var_by_PK[2], var_by_PK[2] + ".crt") if var_by_PK[1] == SBAT_name: - cert_file = test_dir[2] + var_by_PK[1] + ".csv" + cert_file = os.path.join(X509_PATH, var_by_PK[1] + ".csv") format_type = file_to_auth else: format_type = cert_to_auth - cert_file = test_dir[2] + var_by_PK[0] + ".crt" + cert_file = os.path.join(X509_PATH, var_by_PK[0] + ".crt") generate_auth(var_by_PK[1], PK_key_file, PK_cert_file, cert_file, auth_file, format_type, non_force) 
for var_by_KEK in variable_by_KEK: - auth_file = test_dir[1] + var_by_KEK[0] + ".auth" - KEK_key_file = test_dir[3] + var_by_KEK[2] + "/" + var_by_KEK[2] + ".key" - KEK_cert_file = test_dir[3] + var_by_KEK[2] + "/" + var_by_KEK[2] + ".crt" + auth_file = os.path.join(AUTH_PATH, var_by_KEK[0] + ".auth") + KEK_key_file = os.path.join(GOLD_PATH, var_by_KEK[2], var_by_KEK[2] + ".key") + KEK_cert_file = os.path.join(GOLD_PATH, var_by_KEK[2], var_by_KEK[2] + ".crt") if var_by_KEK[1] == SBAT_name: - cert_file = test_dir[2] + var_by_KEK[1] + ".csv" + cert_file = os.path.join(X509_PATH, var_by_KEK[1] + ".csv") format_type = file_to_auth else: format_type = cert_to_auth - cert_file = test_dir[2] + var_by_KEK[0] + ".crt" + cert_file = os.path.join(X509_PATH, var_by_KEK[0] + ".crt") generate_auth(var_by_KEK[1], KEK_key_file, KEK_cert_file, cert_file, auth_file, format_type, non_force) 
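Review bot: The filename construction in this hunk is inconsistent with the goldenkey hunk of the same commit: that one uses f-strings (`f"{var_name}.csv"`) while every line here concatenates with `+`, e.g. `os.path.join(X509_PATH, var_by_PK[2] + ".key")`. Since the stated aim of the series is readability, pick one form throughout — `os.path.join(X509_PATH, f"{var_by_PK[2]}.key")` matches the style already introduced above. The `hash_alg + "_" + var_by_PK[0] + ".pkcs7"` lines in `create_pkcs7_files` would likewise read better as `f"{hash_alg}_{var_by_PK[0]}.pkcs7"`.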
@@ -226,15 +231,15 @@ def create_reset_auth_files(): format_type = auth_reset cert_file = "" for var_by_PK in variable_by_PK: - auth_file = test_dir[1] + auth_reset + "_" + var_by_PK[0] + ".auth" - PK_key_file = test_dir[3] + var_by_PK[2] + "/" + var_by_PK[2] + ".key" - PK_cert_file = test_dir[3] + var_by_PK[2] + "/" + var_by_PK[2] + ".crt" + auth_file = os.path.join(AUTH_PATH, auth_reset + "_" + var_by_PK[0] + ".auth") + PK_key_file = os.path.join(GOLD_PATH, var_by_PK[2], var_by_PK[2] + ".key") + PK_cert_file = os.path.join(GOLD_PATH, var_by_PK[2], var_by_PK[2] + ".crt") generate_auth(var_by_PK[1], PK_key_file, PK_cert_file, cert_file, auth_file, format_type, non_force) for var_by_KEK in variable_by_KEK: - auth_file = test_dir[1] + auth_reset + "_" + var_by_KEK[0] + ".auth" - KEK_key_file = test_dir[3] + var_by_KEK[2] + "/" + var_by_KEK[2] + ".key" - KEK_cert_file = test_dir[3] + var_by_KEK[2] + "/" + var_by_KEK[2] + ".crt" + auth_file = os.path.join(AUTH_PATH, auth_reset + "_" + var_by_KEK[0] + ".auth") + KEK_key_file = os.path.join(GOLD_PATH, var_by_KEK[2], var_by_KEK[2] + ".key") + KEK_cert_file = os.path.join(GOLD_PATH, var_by_KEK[2], var_by_KEK[2] + ".crt") generate_auth(var_by_KEK[1], KEK_key_file, KEK_cert_file, cert_file, auth_file, format_type, non_force) if __name__ == "__main__": From a218785c7c8c08133d351bfc3e6ef42c67865a9b Mon Sep 17 00:00:00 2001 From: Eric Richter Date: Thu, 3 Oct 2024 11:37:17 -0500 Subject: [PATCH 3/5] test/guest: remove unused variable assignment Signed-off-by: Eric Richter --- test/guest_generate_testdata.py | 1 - 1 file changed, 1 deletion(-) diff --git a/test/guest_generate_testdata.py b/test/guest_generate_testdata.py index 1e46fc90..71b2ea50 100644 --- a/test/guest_generate_testdata.py +++ b/test/guest_generate_testdata.py 
@@ -193,7 +193,6 @@ def create_esl_files(): format_type = file_to_esl else: format_type = cert_to_esl - key_file = os.path.join(X509_PATH, var_name + ".key") cert_file = os.path.join(X509_PATH, var_name + ".crt") generate_esl(var_name, format_type, cert_file, esl_file) From 852447e29738da34adf90355185522b03953cacf Mon Sep 17 00:00:00 2001 From: Eric Richter Date: Thu, 3 Oct 2024 11:54:11 -0500 Subject: [PATCH 4/5] test/guest: merge variable generation lists to remove duplicate code There is no need to separate the list of variables signed by PK or by KEK, the third element of that list does that for us. Merging them, and using list decompositon, we can simplify the generation functions to use one loop and avoid list access by semi-arbitrary index numbers. Signed-off-by: Eric Richter --- test/guest_generate_testdata.py | 80 +++++++++++---------------------- 1 file changed, 26 insertions(+), 54 deletions(-) diff --git a/test/guest_generate_testdata.py b/test/guest_generate_testdata.py index 71b2ea50..a28d0368 100644 --- a/test/guest_generate_testdata.py +++ b/test/guest_generate_testdata.py @@ -37,6 +37,8 @@ ["sbat_by_KEK", "sbat", "KEK"] ] +variable_list = variable_by_PK + variable_by_KEK + hash_algorithm = ["SHA1", "SHA224", "SHA256", "SHA384", "SHA512"] x509_hash_algorithm = ["SHA256", "SHA384", "SHA512"] 
@@ -145,21 +147,14 @@ def create_goldenkey_files(): def create_pkcs7_files(): for hash_alg in hash_algorithm: - for var_by_PK in variable_by_PK: - if var_by_PK[1] != SBAT_name and hash_alg == "SHA256": - pkcs7_file = os.path.join(PKCS7_PATH, hash_alg + "_" + var_by_PK[0] + ".pkcs7") - key_file = os.path.join(X509_PATH, var_by_PK[2] + ".key") - cert_file = os.path.join(X509_PATH, var_by_PK[2] + ".crt") - var_cert_file = os.path.join(X509_PATH, var_by_PK[0] + ".crt") + for filename, varname, signer in variable_list: + if varname != SBAT_name and hash_alg == "SHA256": + pkcs7_file = os.path.join(PKCS7_PATH, hash_alg + "_" + filename + ".pkcs7") + key_file = os.path.join(X509_PATH, signer + ".key") + cert_file = os.path.join(X509_PATH, signer + ".crt") + var_cert_file = os.path.join(X509_PATH, filename + ".crt") generate_pkcs7(var_cert_file, pkcs7_file, cert_file, key_file, hash_alg) - for var_by_KEK in variable_by_KEK: - if var_by_KEK[1] != SBAT_name and hash_alg == "SHA256": - pkcs7_file = os.path.join(PKCS7_PATH, hash_alg + "_" + var_by_KEK[0] + ".pkcs7") - key_file = os.path.join(X509_PATH, var_by_KEK[2] + ".key") - cert_file = os.path.join(X509_PATH, var_by_KEK[2] + ".crt") - var_cert_file = os.path.join(X509_PATH, var_by_KEK[0] + ".crt") - generate_pkcs7(var_cert_file, pkcs7_file, cert_file, key_file, hash_alg) def create_x509_cert_files(): for var_name in variables: 
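Review bot: After the merge, `create_pkcs7_files` still wraps its body in `for hash_alg in hash_algorithm:` with the guard `hash_alg == "SHA256"` inside, so four of the five iterations (including the SHA1 entry) do nothing and the outer loop is effectively dead. Either drop the loop and write `hash_alg = "SHA256"` directly, or remove the guard if PKCS7 files for every digest are actually wanted; the current shape reads like a half-finished change and is worth settling while this function is being reworked. If the other digests are intentionally excluded, a one-line comment on `hash_algorithm` saying why would save the next reader the puzzle.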
@@ -171,17 +166,12 @@ def create_x509_cert_files(): cert_file = os.path.join(X509_PATH, var_name + ".crt") generate_x509_cert(key_file, cert_file) - for var_by_PK in variable_by_PK: - if var_by_PK[1] != SBAT_name: - key_file = os.path.join(X509_PATH, var_by_PK[0] + ".key") - cert_file = os.path.join(X509_PATH, var_by_PK[0] + ".crt") + for filename, varname, _signer in variable_list: + if varname != SBAT_name: + key_file = os.path.join(X509_PATH, filename + ".key") + cert_file = os.path.join(X509_PATH, filename + ".crt") generate_x509_cert(key_file, cert_file) - for var_by_KEK in variable_by_KEK: - if var_by_KEK[1] != SBAT_name: - key_file = os.path.join(X509_PATH, var_by_KEK[0] + ".key") - cert_file = os.path.join(X509_PATH, var_by_KEK[0] + ".crt") - generate_x509_cert(key_file, cert_file) def create_esl_files(): 
@@ -198,48 +188,30 @@ def create_esl_files(): generate_esl(var_name, format_type, cert_file, esl_file) def create_auth_files(): - for var_by_PK in variable_by_PK: - auth_file = os.path.join(AUTH_PATH, var_by_PK[0] + ".auth") - PK_key_file = os.path.join(GOLD_PATH, var_by_PK[2], var_by_PK[2] + ".key") - PK_cert_file = os.path.join(GOLD_PATH, var_by_PK[2], var_by_PK[2] + ".crt") + for filename, varname, signer in variable_list: + auth_file = os.path.join(AUTH_PATH, filename + ".auth") + signer_key_file = os.path.join(GOLD_PATH, signer, signer + ".key") + signer_cert_file = os.path.join(GOLD_PATH, signer, signer + ".crt") - if var_by_PK[1] == SBAT_name: - cert_file = os.path.join(X509_PATH, var_by_PK[1] + ".csv") + if varname == SBAT_name: + cert_file = os.path.join(X509_PATH, varname + ".csv") format_type = file_to_auth else: format_type = cert_to_auth - cert_file = os.path.join(X509_PATH, var_by_PK[0] + ".crt") + cert_file = os.path.join(X509_PATH, filename + ".crt") - generate_auth(var_by_PK[1], PK_key_file, PK_cert_file, cert_file, auth_file, format_type, non_force) + generate_auth(varname, signer_key_file, signer_cert_file, cert_file, auth_file, format_type, non_force) - for var_by_KEK in variable_by_KEK: - auth_file = os.path.join(AUTH_PATH, var_by_KEK[0] + ".auth") - KEK_key_file = os.path.join(GOLD_PATH, var_by_KEK[2], var_by_KEK[2] + ".key") - KEK_cert_file = os.path.join(GOLD_PATH, var_by_KEK[2], var_by_KEK[2] + ".crt") - - if var_by_KEK[1] == SBAT_name: - cert_file = os.path.join(X509_PATH, var_by_KEK[1] + ".csv") - format_type = file_to_auth - else: - format_type = cert_to_auth - cert_file = os.path.join(X509_PATH, var_by_KEK[0] + ".crt") - - generate_auth(var_by_KEK[1], KEK_key_file, KEK_cert_file, cert_file, auth_file, format_type, non_force) def create_reset_auth_files(): format_type = auth_reset cert_file = "" - for var_by_PK in variable_by_PK: - auth_file = os.path.join(AUTH_PATH, auth_reset + "_" + var_by_PK[0] + ".auth") - PK_key_file = 
os.path.join(GOLD_PATH, var_by_PK[2], var_by_PK[2] + ".key") - PK_cert_file = os.path.join(GOLD_PATH, var_by_PK[2], var_by_PK[2] + ".crt") - generate_auth(var_by_PK[1], PK_key_file, PK_cert_file, cert_file, auth_file, format_type, non_force) - - for var_by_KEK in variable_by_KEK: - auth_file = os.path.join(AUTH_PATH, auth_reset + "_" + var_by_KEK[0] + ".auth") - KEK_key_file = os.path.join(GOLD_PATH, var_by_KEK[2], var_by_KEK[2] + ".key") - KEK_cert_file = os.path.join(GOLD_PATH, var_by_KEK[2], var_by_KEK[2] + ".crt") - generate_auth(var_by_KEK[1], KEK_key_file, KEK_cert_file, cert_file, auth_file, format_type, non_force) + for filename, varname, signer in variable_list: + auth_file = os.path.join(AUTH_PATH, auth_reset + "_" + filename + ".auth") + signer_key_file = os.path.join(GOLD_PATH, signer, signer + ".key") + signer_cert_file = os.path.join(GOLD_PATH, signer, signer + ".crt") + generate_auth(varname, signer_key_file, signer_cert_file, cert_file, auth_file, format_type, non_force) + if __name__ == "__main__": create_environments() From 8e04bdc41d5ea59a894db9dd5e5e65bb278979c8 Mon Sep 17 00:00:00 2001 From: Eric Richter Date: Thu, 3 Oct 2024 17:46:59 -0500 Subject: [PATCH 5/5] test/guest: fix newly generated data failing tests Apparently the directory for golden keys expected by the test cases should be goldenKeys, not goldenkeys. This script would generate test files that would not actually replace the old files, causing any test cases that test update auth files to fail, as they were signed with different keys. Signed-off-by: Eric Richter --- test/guest_generate_testdata.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/guest_generate_testdata.py b/test/guest_generate_testdata.py index a28d0368..3d58b53f 100644 --- a/test/guest_generate_testdata.py +++ b/test/guest_generate_testdata.py 
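Review bot: `create_reset_auth_files` still sets `cert_file = ""` and passes it to `generate_auth`, which (per its definition earlier in this series) always emits `"-i", cert_file`, so every reset invocation hands secvarctl an empty `-i` argument; whether the tool tolerates that is not visible here, but it would be cleaner to pass `None` and have `generate_auth` extend the command with `["-i", cert_file]` only when it is set. The `signer_key_file` / `signer_cert_file` lines are now duplicated verbatim between `create_auth_files` and `create_reset_auth_files`; a small `_signer_files(signer)` helper returning the pair would remove the last copy-paste this commit set out to eliminate. `generate_auth` and the `__main__` block lie outside this hunk.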
@@ -9,7 +9,7 @@ ESL_PATH = os.path.join(DATAPATH, "eslfiles") AUTH_PATH = os.path.join(DATAPATH, "authfiles") X509_PATH = os.path.join(DATAPATH, "x509certs") -GOLD_PATH = os.path.join(DATAPATH, "goldenkeys") +GOLD_PATH = os.path.join(DATAPATH, "goldenKeys") PKCS7_PATH = os.path.join(DATAPATH, "pkcs7files")
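Review bot: `GOLD_PATH` is now the only directory name in this block with a capital letter, and the commit message shows that getting it wrong fails silently (the tests just keep using the old keys), so a comment on this line such as `# Case matters: must match the directory the test cases load signing keys from` would stop the next cleanup from "normalising" it back to lowercase. If the test harness defines this path itself, importing that constant here would leave a single source of truth; the harness is not visible from this patch, so that is a suggestion to check rather than a defect I can confirm.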