tests/futility/test_rwsig.sh


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64

#!/bin/bash -eux
# Copyright 2017 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

me=${0##*/}
TMP="$me.tmp"

# Work in scratch directory
cd "$OUTDIR"

DATADIR="${SCRIPTDIR}/data"
TESTKEYS=${SRCDIR}/tests/testkeys

SIGS="1024 2048 2048_exp3 3072_exp3 4096 8192"
HASHES="SHA1 SHA256 SHA512"
EC_RW="EC_RW.bin"

set -o pipefail

infile=${DATADIR}/hammer_dev.bin
outfile=${TMP}.hammer_dev.bin
cp ${infile} ${outfile}
# Signing without private key should extract EC_RW.bin
${FUTILITY} sign --type rwsig --version 2 ${outfile}
cmp ${infile} ${outfile}
cmp ${EC_RW} ${DATADIR}/${EC_RW}

for s in $SIGS; do
    echo -n "$s " 1>&3

    for h in $HASHES; do
        pemfile=${TESTKEYS}/key_rsa${s}.pem
        outkeys=${TMP}.${s}_${h}
        outfile=${TMP}.${s}_${h}.bin

        ${FUTILITY} create --desc "Test key" --hash_alg ${h} \
                    ${pemfile} ${outkeys}

        # The input file should be correctly signed to start with
        ${FUTILITY} show --type rwsig ${infile}

        # Using the wrong key to verify it should fail
        if ${FUTILITY} show --type rwsig --pubkey ${outkeys}.vbpubk2 \
                       ${infile}; then
            exit 1
        fi

        cp ${infile} ${outfile}

        # Sign ec.bin with a new private key
        ${FUTILITY} sign --type rwsig --prikey ${outkeys}.vbprik2 \
                --version 2 ${outfile}
        # Check EC_RW.bin is produced
        [[ -e ${EC_RW} ]]

        ${FUTILITY} show --type rwsig --pubkey ${outkeys}.vbpubk2 ${outfile}
        ${FUTILITY} show --type rwsig ${outfile}
    done
done

# cleanup
rm -rf ${TMP}*
exit 0