From da77b64fa22f30ccdfa18984c28d5054f89723b4 Mon Sep 17 00:00:00 2001
From: Manjunath Ranganathaiah
Date: Fri, 28 Sep 2018 16:15:07 -0700
Subject: func test framework and tests for sshsm
This patch adds test framework and tests for TPM based CA key protection import and signing.
Change-Id: I7bdd602f7275dd8613faeced11aad6c09a8aab52
Issue-ID: AAF-527
Signed-off-by: Manjunath Ranganathaiah
---
 test/func/README.txt | 12 +++
 .../data/caservice/local/org.osaaf.aaf.cm.pkcs11 | 1 +
 .../data/caservice/local/org.osaaf.cm.ca.props | 11 +++
 test/func/data/caservice/passphrase-ipass | 1 +
 test/func/data/caservice/passphrase-pin | 1 +
 test/func/data/caservice/sopin.txt | 1 +
 test/func/data/caservice/upin.txt | 1 +
 test/func/data/distcenter/passphrase | 1 +
 test/func/setup.sh | 106 +++++++++++++++++++++
 test/func/teardown.sh | 34 +++++++
 test/func/test.sh | 34 +++++++
 test/func/testaafimport.sh | 39 ++++++++
 test/func/testcasign.sh | 35 +++++++
 13 files changed, 277 insertions(+)
 create mode 100644 test/func/README.txt
 create mode 100644 test/func/data/caservice/local/org.osaaf.aaf.cm.pkcs11
 create mode 100644 test/func/data/caservice/local/org.osaaf.cm.ca.props
 create mode 100644 test/func/data/caservice/passphrase-ipass
 create mode 100644 test/func/data/caservice/passphrase-pin
 create mode 100644 test/func/data/caservice/sopin.txt
 create mode 100644 test/func/data/caservice/upin.txt
 create mode 100644 test/func/data/distcenter/passphrase
 create mode 100755 test/func/setup.sh
 create mode 100755 test/func/teardown.sh
 create mode 100755 test/func/test.sh
 create mode 100755 test/func/testaafimport.sh
 create mode 100755 test/func/testcasign.sh
diff --git a/test/func/README.txt b/test/func/README.txt
new file mode 100644
index 0000000..5ac8ae1
--- /dev/null
+++ b/test/func/README.txt
@@ -0,0 +1,12 @@
+
+Clone the sshsm repo using
+
+git clone https://gerrit.onap.org/r/aaf/sshsm
+
+cd ~/sshsm/test/func
+
+Run tests using:
+
+./test.sh
+
+A return value of 0 is considered successful completion of all the tests
diff --git a/test/func/data/caservice/local/org.osaaf.aaf.cm.pkcs11 b/test/func/data/caservice/local/org.osaaf.aaf.cm.pkcs11
new file mode 100644
index 0000000..05fe60f
--- /dev/null
+++ b/test/func/data/caservice/local/org.osaaf.aaf.cm.pkcs11
@@ -0,0 +1 @@
+name = localca
diff --git a/test/func/data/caservice/local/org.osaaf.cm.ca.props b/test/func/data/caservice/local/org.osaaf.cm.ca.props
new file mode 100644
index 0000000..5a3fa83
--- /dev/null
+++ b/test/func/data/caservice/local/org.osaaf.cm.ca.props
@@ -0,0 +1,11 @@
+##
+## org.osaaf.cm.ca.props
+## Properties to access Certifiate Authority
+##
+
+#Certman
+cm_ca.local=org.onap.aaf.auth.cm.ca.LocalCA,/opt/app/osaaf/local/org.osaaf.aaf.cm.pkcs11;0x2222;enc:asFEWMNqjH7GktBLb9EGl6L1zfS2qMH5ZS5Zd90KVT5B9ZyRsqx7Gb73YllO8Hyw
+cm_ca.local.idDomains=org.osaaf
+cm_ca.local.baseSubject=/OU=OSAAF/O=ONAP/C=US
+cm_ca.local.perm_type=org.osaaf.aaf.ca
+
diff --git a/test/func/data/caservice/passphrase-ipass b/test/func/data/caservice/passphrase-ipass
new file mode 100644
index 0000000..163769d
--- /dev/null
+++ b/test/func/data/caservice/passphrase-ipass
@@ -0,0 +1 @@
+csittestphrase
diff --git a/test/func/data/caservice/passphrase-pin b/test/func/data/caservice/passphrase-pin
new file mode 100644
index 0000000..163769d
--- /dev/null
+++ b/test/func/data/caservice/passphrase-pin
@@ -0,0 +1 @@
+csittestphrase
diff --git a/test/func/data/caservice/sopin.txt b/test/func/data/caservice/sopin.txt
new file mode 100644
index 0000000..28d1445
--- /dev/null
+++ b/test/func/data/caservice/sopin.txt
@@ -0,0 +1 @@
+123456789
diff --git a/test/func/data/caservice/upin.txt b/test/func/data/caservice/upin.txt
new file mode 100644
index 0000000..28d1445
--- /dev/null
+++ b/test/func/data/caservice/upin.txt
@@ -0,0 +1 @@
+123456789
diff --git a/test/func/data/distcenter/passphrase b/test/func/data/distcenter/passphrase
new file mode 100644
index 0000000..163769d
--- /dev/null
+++ b/test/func/data/distcenter/passphrase
@@ -0,0 +1 @@
+csittestphrase
diff --git a/test/func/setup.sh b/test/func/setup.sh
new file mode 100755
index 0000000..9c0def3
--- /dev/null
+++ b/test/func/setup.sh
@@ -0,0 +1,106 @@
+#!/bin/bash
+#
+# Copyright 2018 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Receives two arguments 1. srk_handle 2. password
+
+docker login -u docker -p docker nexus3.onap.org:10001
+docker pull nexus3.onap.org:10001/onap/aaf/distcenter
+docker pull nexus3.onap.org:10001/onap/aaf/abrmd
+docker pull nexus3.onap.org:10001/onap/aaf/testcaservice
+docker pull nexus3.onap.org:10001/onap/aaf/aaf_cm
+
+ABRMD_DATA="$(pwd)/data/abrmd"
+SEC_FOLDER="$(pwd)/data/abrmd/cred"
+
+DISTCENTER_DATA="$(pwd)/data/distcenter"
+DISTCENTER_SEC="$(pwd)/data/distcenter/data"
+
+CASERVICE_DATA="$(pwd)/data/caservice"
+WORKDIR="$(pwd)/"
+
+echo $1 > $ABRMD_DATA/cred/srk_handle.txt
+echo $2 > $ABRMD_DATA/cred/opass.txt
+
+cp $ABRMD_DATA/cred/opass.txt $CASERVICE_DATA/ipass.txt
+base64 $ABRMD_DATA/cred/opass.txt > $ABRMD_DATA/cred/opass
+base64 $ABRMD_DATA/cred/srk_handle.txt > $ABRMD_DATA/cred/srk_handle
+
+
+if [ -e /dev/tpm0 ]; then
+
+ echo "found tpm device"
+ #
+ # Running the abrmd container for tpm init
+ #
+ docker run --privileged -device=/dev/tpm0 -e ABRMD_DATA=/abrmd/data \
+ -e TPM_NODE_NAME=testnode \
+ -v $SEC_FOLDER:/abrmd/cred \
+ -v $ABRMD_DATA:/abrmd/data \
+ --entrypoint /abrmd/bin/initialize_tpm.sh \
+ --name tpm-init nexus3.onap.org:10001/onap/aaf/abrmd
+
+ sleep 1m
+ mkdir -p $DISTCENTER_DATA/host_testnode
+ ls $ABRMD_DATA/host_testnode/
+ cp $ABRMD_DATA/host_testnode/out_parent_public \
+ $DISTCENTER_DATA/host_testnode/
+
+ docker run -d --privileged -device=/dev/tpm0 \
+ -v /tmp/run/dbus:/var/run/dbus:rw \
+ --entrypoint /abrmd/bin/run_abrmd.sh \
+ --name abrmd nexus3.onap.org:10001/onap/aaf/abrmd
+
+ sleep 1m
+fi
+
+#
+# Running the distcenter container
+#
+docker run -v $DISTCENTER_DATA:/distcenter/data \
+ --name distcenter nexus3.onap.org:10001/onap/aaf/distcenter
+
+
+mkdir -p $CASERVICE_DATA/host_testnode
+if [ -f $DISTCENTER_DATA/privkey.pem.gpg ]; then
+ cp $DISTCENTER_DATA/privkey.pem.gpg $CASERVICE_DATA/host_testnode/
+ cp $DISTCENTER_DATA/ca.cert $CASERVICE_DATA/host_testnode/
+ cp $DISTCENTER_DATA/passphrase $CASERVICE_DATA/host_testnode/
+else
+ cp $DISTCENTER_DATA/host_testnode/* \
+ $CASERVICE_DATA/host_testnode
+ cp $SEC_FOLDER/srk_handle $CASERVICE_DATA/host_testnode/
+fi
+
+cp $CASERVICE_DATA/passphrase-ipass $CASERVICE_DATA/host_testnode/
+cp $CASERVICE_DATA/passphrase-pin $CASERVICE_DATA/host_testnode/
+cd $CASERVICE_DATA/
+cat passphrase-ipass | gpg --symmetric -z 9 --require-secmem \
+ --cipher-algo AES256 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 \
+ --s2k-mode 3 --s2k-count 65000000 --compress-algo BZIP2 \
+ --passphrase-fd 0 ipass.txt
+cat passphrase-pin | gpg --symmetric -z 9 --require-secmem \
+ --cipher-algo AES256 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 \
+ --s2k-mode 3 --s2k-count 65000000 --compress-algo BZIP2 \
+ --passphrase-fd 0 upin.txt
+cat passphrase-pin | gpg --symmetric -z 9 --require-secmem \
+ --cipher-algo AES256 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 \
+ --s2k-mode 3 --s2k-count 65000000 --compress-algo BZIP2 \
+ --passphrase-fd 0 sopin.txt
+cp $CASERVICE_DATA/*.gpg $CASERVICE_DATA/host_testnode/
+cp $ABRMD_DATA/cred/srk_handle.txt $CASERVICE_DATA/host_testnode/tpm-handle.txt
+cp $ABRMD_DATA/cred/opass $CASERVICE_DATA/host_testnode/prk_passwd
+sleep 1m
diff --git a/test/func/teardown.sh b/test/func/teardown.sh
new file mode 100755
index 0000000..dd440c2
--- /dev/null
+++ b/test/func/teardown.sh
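Review bot: `-device=/dev/tpm0` on both `docker run` lines inside the `if [ -e /dev/tpm0 ]` block is not the `--device` option — the Docker CLI treats a single-dash cluster as shorthand flags, so this most likely parses as `-d -e vice=/dev/tpm0` (detach plus a junk environment variable) and the TPM is never mapped into the container as a device. The containers still reach the TPM only because they run `--privileged`, which exposes every host device and masks the mistake; change both to `--device=/dev/tpm0` and then check whether `--privileged` is needed at all (tpm-init in particular should not need it; abrmd may, for its D-Bus socket, but that should be verified rather than assumed), and note that with the flag fixed tpm-init no longer detaches, so the `sleep 1m` after it becomes a dead wait. Two smaller points on the same hunk: `docker login -u docker -p docker` puts the password on argv where `ps` and shell history see it — prefer `echo docker | docker login -u docker --password-stdin nexus3.onap.org:10001` — and `echo $1 > $ABRMD_DATA/cred/srk_handle.txt` writes into `data/abrmd/cred`, which this patch never creates, so add `mkdir -p "$SEC_FOLDER"` before it unless that directory is guaranteed to exist from elsewhere.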
@@ -0,0 +1,34 @@
+#!/bin/bash
+#
+# Copyright 2018 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+CASERVICE_DATA="$(pwd)/data/caservice"
+DISTCENTER_DATA="$(pwd)/data/distcenter"
+ABRMD_DATA="$(pwd)/data/abrmd"
+rm -rf $CASERVICE_DATA/host_testnode
+rm -rf $DISTCENTER_DATA/host_testnode
+rm -f $DISTCENTER_DATA/privkey.pem.gpg
+rm -f $DISTCENTER_DATA/ca.cert
+rm -rf $ABRMD_DATA/host_testnode
+rm -rf /tmp/run/dbus
+
+docker stop tpm-init abrmd distcenter testca aafca
+docker rm tpm-init abrmd distcenter testca aafca
+rm -f setup.log
+rm -f $CASERVICE_DATA/*.gpg
+rm -f $ABRMD_DATA/cred/opass*
+rm -f $ABRMD_DATA/cred/srk_handle*
+
diff --git a/test/func/test.sh b/test/func/test.sh
new file mode 100755
index 0000000..f860539
--- /dev/null
+++ b/test/func/test.sh
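Review bot: The cleanup misses `$CASERVICE_DATA/ipass.txt`, which setup.sh creates as a plaintext copy of the TPM owner password (`cp $ABRMD_DATA/cred/opass.txt $CASERVICE_DATA/ipass.txt`) and which neither the `*.gpg` nor the `cred/opass*` pattern here matches, so that secret survives teardown on disk; add `rm -f $CASERVICE_DATA/ipass.txt` next to `rm -f $CASERVICE_DATA/*.gpg`. The `rm -rf` lines expand unquoted `$(pwd)`-derived paths, which word-split on a checkout path containing spaces; quote them and guard the base with `:?` so an empty variable can never turn one into `rm -rf /host_testnode`, e.g. `rm -rf "${CASERVICE_DATA:?}/host_testnode"`. `rm -rf /tmp/run/dbus` also deletes a fixed host path that any other abrmd consumer could be using; if setup.sh created that directory under `mktemp -d` and exported its location, teardown would only remove what this run owns.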
@@ -0,0 +1,34 @@
+#!/bin/bash
+#
+# Copyright 2018 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Receives two arguments 1. srk_handle 2. password
+
+#setup for testing
+./setup.sh $1 $2 >& setup.log
+
+#Run tests
+./testaafimport.sh
+if [ "$?" -ne 0 ]; then
+ exit 1
+fi
+./testcasign.sh
+if [ "$?" -ne 0 ]; then
+ exit 1
+fi
+
+#cleanup
+./teardown.sh >& /dev/null
diff --git a/test/func/testaafimport.sh b/test/func/testaafimport.sh
new file mode 100755
index 0000000..ee8895d
--- /dev/null
+++ b/test/func/testaafimport.sh
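Review bot: teardown.sh only runs when both tests succeed — each failure path is a bare `exit 1` — so a failed run leaves the tpm-init/abrmd/distcenter/testca/aafca containers and the `host_testnode` directories (which hold the plaintext passphrase files and the base64 owner password that setup.sh copies there) behind, and the next invocation then fails on `docker run --name` collisions. The status of `./setup.sh $1 $2` is never checked either, so the tests run against a half-built environment and report a misleading failure; checking it only pays off once setup.sh propagates errors, since it currently ends with `sleep 1m` and always returns 0. Registering teardown in an EXIT trap and failing fast on setup fixes both without changing the script's contract (two args, exit 0 on success), as in the rewrite below. Separately, README.txt documents the invocation as a bare `./test.sh`, but this script expects the SRK handle and TPM owner password as arguments — the README should say so, and warn that a password passed on argv is visible in `ps` and shell history.
```shell
# Receives two arguments 1. srk_handle 2. password
# Always clean up, including on a failed setup or test (see teardown.sh).
cleanup() { ./teardown.sh >& /dev/null; }
trap cleanup EXIT

#setup for testing
./setup.sh "$1" "$2" >& setup.log || { echo "setup failed, see setup.log" >&2; exit 1; }

#Run tests
./testaafimport.sh || exit 1
./testcasign.sh || exit 1
```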
@@ -0,0 +1,39 @@
+#!/bin/bash
+#
+# Copyright 2018 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+CASERVICE_DATA="$(pwd)/data/caservice"
+
+echo -n "aaf_cm container ca key import: "
+docker run -v $CASERVICE_DATA/host_testnode:/tmp/files \
+ -v /tmp/run/dbus:/var/run/dbus:rw \
+ -v $CASERVICE_DATA/local:/opt/app/osaaf/local \
+ --entrypoint /sshsm/bin/import.sh \
+ --name aafca nexus3.onap.org:10001/onap/aaf/aaf_cm >& runaafca.log
+grep -q "swKeyImport success: 0x0 !" runaafca.log
+if [ "$?" -eq 0 ]; then
+ echo Success
+ rm -f runaafca.log
+else
+ grep -q "Created certificate:" runaafca.log
+ if [ "$?" -eq 0 ]; then
+ echo Success
+ rm -f runaafca.log
+ else
+ echo Failed
+ exit 1
+ fi
+fi
diff --git a/test/func/testcasign.sh b/test/func/testcasign.sh
new file mode 100755
index 0000000..8e24c05
--- /dev/null
+++ b/test/func/testcasign.sh
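Review bot: The pass condition accepts either `swKeyImport success: 0x0 !` or `Created certificate:` in the container log, so the test cannot tell which code path ran; the first string's name suggests a software key import, and if that is the non-TPM fallback then a TPM host that silently fell back would still pass a test whose purpose is TPM-based CA key protection. Add a comment above the greps stating which message belongs to which path (e.g. `# "swKeyImport success" is printed by <path>; "Created certificate:" by <path>`), or gate on `/dev/tpm0` the way setup.sh does and accept only the string that matches the environment. The `docker run` exit status is also ignored — only the log is inspected — and the `grep -q ...; if [ "$?" -eq 0 ]` pairs read more directly as `if grep -q "swKeyImport success: 0x0 !" runaafca.log; then`, which avoids the separate `$?` capture.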
@@ -0,0 +1,35 @@
+#!/bin/bash
+#
+# Copyright 2018 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+CASERVICE_DATA="$(pwd)/data/caservice"
+
+echo -n "testca container key import & sign: "
+docker run --workdir /testca/bin -e SECRETS_FOLDER=/caservice/data \
+ -e DATA_FOLDER=/caservice/data \
+ -v /tmp/run/dbus:/var/run/dbus:rw \
+ -v $CASERVICE_DATA/host_testnode:/caservice/data:rw \
+ --entrypoint /testca/bin/import.sh \
+ --name testca nexus3.onap.org:10001/onap/aaf/testcaservice \
+ >& runtestca.log
+grep -q "test.cert: OK" runtestca.log
+if [ "$?" -eq 0 ]; then
+ echo Success
+ rm -f runtestca.log
+else
+ echo Failed
+ exit 1
+fi
-- cgit 1.2.3-korg
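Review bot: `grep -q "test.cert: OK"` treats the `.` as a regex wildcard, and the `docker run` exit status is never consulted, so the check is both looser than intended and blind to a container that printed the line and then failed; capture the status right after the run with `rc=$?` and test both together: `if [ "$rc" -eq 0 ] && grep -qF "test.cert: OK" runtestca.log; then`. The `--name testca` container is left in place for teardown.sh to remove, which is fine under test.sh but means running this script on its own twice fails on the name collision — worth a one-line comment such as `# container is removed by teardown.sh; not --rm so the log survives a failure`. The whole `host_testnode` directory is mounted `:rw`, including the plaintext `passphrase-ipass`/`passphrase-pin` files setup.sh copies there; if the container only needs the `.gpg` files plus the passphrases, a comment listing which files `/testca/bin/import.sh` reads would let the mount be narrowed later.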