-
Notifications
You must be signed in to change notification settings - Fork 23
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* morten/cli-tests: ssh-tpm-add: include the description in the add output Use key.Decode instead of keyfile.Decode to get the wrapped type ssh-tpm-keygen: remove duplicate code Implement testscript for integration tests ssh-tpm-keygen: ensure we always create the ~/.ssh directory key: implement a wrap function to wrap a TPMKey utils/tpm: include a fixed seed simulator
- Loading branch information
Showing
12 changed files
with
313 additions
and
79 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,99 @@ | ||
| package script_tests | ||
|
|
||
| import ( | ||
| "encoding/pem" | ||
| "fmt" | ||
| "log" | ||
| "os" | ||
| "os/exec" | ||
| "path/filepath" | ||
| "testing" | ||
| "time" | ||
|
|
||
| keyfile "github.com/foxboron/go-tpm-keyfiles" | ||
| "github.com/foxboron/go-tpm-keyfiles/pkix" | ||
| "github.com/foxboron/ssh-tpm-agent/utils" | ||
| "github.com/google/go-tpm/tpm2" | ||
| "github.com/rogpeppe/go-internal/testscript" | ||
| ) | ||
|
|
||
| func ScriptsWithPath(t *testing.T, path string) { | ||
| tmp := t.TempDir() | ||
| fmt.Println("built") | ||
| c := exec.Command("go", "build", "-buildmode=pie", "-o", tmp, "../cmd/...") | ||
| out, err := c.CombinedOutput() | ||
| if err != nil { | ||
| t.Fatal(string(out)) | ||
| } | ||
| testscript.Run(t, testscript.Params{ | ||
| Deadline: time.Now().Add(5 * time.Second), | ||
| Setup: func(e *testscript.Env) error { | ||
| e.Setenv("PATH", tmp+string(filepath.ListSeparator)+e.Getenv("PATH")) | ||
| e.Vars = append(e.Vars, "SSH_TPM_AGENT_SIMULATOR=1") | ||
| e.Vars = append(e.Vars, fmt.Sprintf("SSH_AUTH_SOCK=%s/agent.sock", e.WorkDir)) | ||
| e.Vars = append(e.Vars, fmt.Sprintf("SSH_TPM_AUTH_SOCK=%s/agent.sock", e.WorkDir)) | ||
| e.Vars = append(e.Vars, fmt.Sprintf("HOME=%s", e.WorkDir)) | ||
| return nil | ||
| }, | ||
| Dir: path, | ||
| Cmds: map[string]func(ts *testscript.TestScript, neg bool, args []string){ | ||
| // Create an EK certificate from our fixed seed simulator | ||
| "getekcert": func(ts *testscript.TestScript, neg bool, args []string) { | ||
| tpm, err := utils.GetFixedSim() | ||
| if err != nil { | ||
| t.Fatal(err) | ||
| } | ||
| defer tpm.Close() | ||
| rsp, err := tpm2.CreatePrimary{ | ||
| PrimaryHandle: tpm2.AuthHandle{ | ||
| Handle: tpm2.TPMRHOwner, | ||
| Auth: tpm2.PasswordAuth([]byte(nil)), | ||
| }, | ||
| InSensitive: tpm2.TPM2BSensitiveCreate{ | ||
| Sensitive: &tpm2.TPMSSensitiveCreate{ | ||
| UserAuth: tpm2.TPM2BAuth{ | ||
| Buffer: []byte(nil), | ||
| }, | ||
| }, | ||
| }, | ||
| InPublic: tpm2.New2B(keyfile.ECCSRK_H2_Template), | ||
| }.Execute(tpm) | ||
| if err != nil { | ||
| log.Fatalf("failed creating primary key: %v", err) | ||
| } | ||
| keyfile.FlushHandle(tpm, rsp.ObjectHandle) | ||
| srkPublic, err := rsp.OutPublic.Contents() | ||
| if err != nil { | ||
| log.Fatalf("failed getting srk public content: %v", err) | ||
| } | ||
| b, err := pkix.FromTPMPublic(srkPublic) | ||
| if err != nil { | ||
| log.Fatal(err) | ||
| } | ||
| if err := os.WriteFile(ts.MkAbs("srk.pem"), | ||
| pem.EncodeToMemory(&pem.Block{ | ||
| Type: "PUBLIC KEY", | ||
| Bytes: b, | ||
| }), 0664); err != nil { | ||
| log.Fatal(err) | ||
| } | ||
| }, | ||
| }, | ||
| }) | ||
| } | ||
|
|
||
| func TestAgent(t *testing.T) { | ||
| ScriptsWithPath(t, "ssh-tpm-agent/testdata/script") | ||
| } | ||
|
|
||
| func TestKeygen(t *testing.T) { | ||
| ScriptsWithPath(t, "ssh-tpm-keygen/testdata/script") | ||
| } | ||
|
|
||
| // func TestAdd(t *testing.T) { | ||
| // ScriptsWithPath(t, "ssh-tpm-add/testdata/script") | ||
| // } | ||
|
|
||
| // func TestHostkeys(t *testing.T) { | ||
| // ScriptsWithPath(t, "ssh-tpm-hostkeys/testdata/script") | ||
| // } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,76 @@ | ||
| # Ensure we can run the agent | ||
| exec ssh-tpm-agent -d --no-load &agent& | ||
| exec sleep .2s | ||
| exec ssh-tpm-keygen | ||
| exec ssh-tpm-keygen -t rsa | ||
| exec ssh-tpm-add | ||
| stdout id_ecdsa.tpm | ||
| stdout id_rsa.tpm | ||
| exec ssh-add -l | ||
| stdout ECDSA | ||
| stdout RSA | ||
| exec ssh-add -D | ||
|
|
||
|
|
||
| # ssh sign file - ecdsa | ||
| exec ssh-tpm-add .ssh/id_ecdsa.tpm | ||
| exec ssh-add -l | ||
| stdout ECDSA | ||
| exec ssh-keygen -Y sign -n file -f .ssh/id_ecdsa.pub file_to_sign.txt | ||
| stdin file_to_sign.txt | ||
| exec ssh-keygen -Y check-novalidate -n file -f .ssh/id_ecdsa.pub -s file_to_sign.txt.sig | ||
| exists file_to_sign.txt.sig | ||
| exec ssh-add -D | ||
| rm file_to_sign.txt.sig | ||
|
|
||
|
|
||
| # ssh sign file - rsa | ||
| exec ssh-tpm-add .ssh/id_rsa.tpm | ||
| exec ssh-add -l | ||
| stdout RSA | ||
| exec ssh-keygen -Y sign -n file -f .ssh/id_rsa.pub file_to_sign.txt | ||
| stdin file_to_sign.txt | ||
| exec ssh-keygen -Y check-novalidate -n file -f .ssh/id_rsa.pub -s file_to_sign.txt.sig | ||
| exists file_to_sign.txt.sig | ||
| rm file_to_sign.txt.sig | ||
| exec ssh-add -D | ||
|
|
||
|
|
||
| # ssh create a certificate - ecdsa | ||
| exec ssh-keygen -t ecdsa -f id_ca -N '' | ||
| exec ssh-keygen -s id_ca -n fox -I 'cert' -z '0001' .ssh/id_ecdsa.pub | ||
| exists .ssh/id_ecdsa-cert.pub | ||
| exec ssh-tpm-add .ssh/id_ecdsa.tpm | ||
| stdout id_ecdsa.tpm | ||
| stdout id_ecdsa-cert.pub | ||
| exec ssh-add -l | ||
| stdout \(ECDSA\) | ||
| stdout \(ECDSA-CERT\) | ||
| exec ssh-keygen -Y sign -n file -f .ssh/id_ecdsa-cert.pub file_to_sign.txt | ||
| stdin file_to_sign.txt | ||
| exec ssh-keygen -Y check-novalidate -n file -f .ssh/id_ecdsa-cert.pub -s file_to_sign.txt.sig | ||
| exists file_to_sign.txt.sig | ||
| rm file_to_sign.txt.sig | ||
| exec ssh-add -D | ||
| rm id_ca id_ca.pub | ||
|
|
||
|
|
||
| # ssh create a certificate - rsa | ||
| exec ssh-keygen -t rsa -f id_ca -N '' | ||
| exec ssh-keygen -s id_ca -n fox -I 'cert' -z '0001' .ssh/id_rsa.pub | ||
| exists .ssh/id_rsa-cert.pub | ||
| exec ssh-tpm-add .ssh/id_rsa.tpm | ||
| exec ssh-add -l | ||
| stdout \(RSA\) | ||
| stdout \(RSA-CERT\) | ||
| exec ssh-keygen -Y sign -n file -f .ssh/id_rsa-cert.pub file_to_sign.txt | ||
| stdin file_to_sign.txt | ||
| exec ssh-keygen -Y check-novalidate -n file -f .ssh/id_rsa-cert.pub -s file_to_sign.txt.sig | ||
| exists file_to_sign.txt.sig | ||
| rm file_to_sign.txt.sig | ||
| exec ssh-add -D | ||
| rm id_ca id_ca.pub | ||
|
|
||
|
|
||
| -- file_to_sign.txt -- | ||
| Hello World |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.