Fix policy tests without RSA or ECC.

wolfSSL · Aug 19, 2024 · e058d9a · e058d9a
1 parent 6243365
commit e058d9a
Show file tree

Hide file tree

Showing 2 changed files with 114 additions and 98 deletions.
diff --git a/examples/pcr/policy_sign.c b/examples/pcr/policy_sign.c
@@ -309,6 +309,19 @@ int TPM2_PCR_PolicySign_Example(void* userCtx, int argc, char *argv[])
 
     printf("Sign PCR Policy Example\n");
 
+#ifndef HAVE_ECC
+    if (alg == TPM_ALG_ECC) {
+        printf("ECC not compiled in!\n");
+        return 0; /* don't report error */
+    }
+#endif
+#ifdef NO_RSA
+    if (alg == TPM_ALG_RSA) {
+        printf("RSA not compiled in!\n");
+        return 0; /* don't report error */
+    }
+#endif
+
     /* Setup PCR's */
     if (pcrArraySz == 0) {
         pcrArray[pcrArraySz] = TPM2_DEMO_PCR_INDEX;

diff --git a/examples/run_examples.sh b/examples/run_examples.sh
@@ -568,121 +568,124 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "pcr 16 extend failed! $RESULT" && exit 1
 
-    # RSA
-    ./examples/pcr/policy_sign -pcr=16 -rsa -key=./certs/example-rsa2048-key.der -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1
-    RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "policy sign rsa der failed! $RESULT" && exit 1
-    ./examples/pcr/policy_sign -pcr=16 -rsa -key=./certs/example-rsa2048-key.pem -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1
-    RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "policy sign rsa pem failed! $RESULT" && exit 1
-
-    TMPFILE=$(mktemp)
-    SECRET_STRING=`head -c 32 /dev/random | base64`
-    ./examples/boot/secret_seal -rsa -policy=policyauth.bin -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1
-    RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "secret seal rsa failed! $RESULT" && exit 1
-    ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -rsa -publickey=./certs/example-rsa2048-key-pub.der -seal=sealblob.bin &> $TMPFILE
-    RESULT=$?
-    cat $TMPFILE >> run.out
-    [ $RESULT -ne 0 ] && echo -e "secret unseal rsa failed! $RESULT" && exit 1
-    grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1
-    RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "secret unseal rsa match failed! $RESULT" && exit 1
+    if [ $WOLFCRYPT_RSA -eq 1 ]; then
+        # RSA
+        ./examples/pcr/policy_sign -pcr=16 -rsa -key=./certs/example-rsa2048-key.der -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1
+        RESULT=$?
+        [ $RESULT -ne 0 ] && echo -e "policy sign rsa der failed! $RESULT" && exit 1
+        ./examples/pcr/policy_sign -pcr=16 -rsa -key=./certs/example-rsa2048-key.pem -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1
+        RESULT=$?
+        [ $RESULT -ne 0 ] && echo -e "policy sign rsa pem failed! $RESULT" && exit 1
 
-    # RSA (recreate policy auth using public key instead of using policyauth.bin)
-    TMPFILE=$(mktemp)
-    SECRET_STRING=`head -c 32 /dev/random | base64`
-    ./examples/boot/secret_seal -rsa -publickey=./certs/example-rsa2048-key-pub.der -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1
-    RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "secret seal rsa alt failed! $RESULT" && exit 1
-    ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -rsa -publickey=./certs/example-rsa2048-key-pub.der -seal=sealblob.bin &> $TMPFILE
-    RESULT=$?
-    cat $TMPFILE >> run.out
-    [ $RESULT -ne 0 ] && echo -e "secret unseal rsa alt failed! $RESULT" && exit 1
-    grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1
-    RESULT=$?
-    rm -f $TMPFILE
-    [ $RESULT -ne 0 ] && echo -e "secret unseal rsa alt match failed! $RESULT" && exit 1
+        TMPFILE=$(mktemp)
+        SECRET_STRING=`head -c 32 /dev/random | base64`
+        ./examples/boot/secret_seal -rsa -policy=policyauth.bin -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1
+        RESULT=$?
+        [ $RESULT -ne 0 ] && echo -e "secret seal rsa failed! $RESULT" && exit 1
+        ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -rsa -publickey=./certs/example-rsa2048-key-pub.der -seal=sealblob.bin &> $TMPFILE
+        RESULT=$?
+        cat $TMPFILE >> run.out
+        [ $RESULT -ne 0 ] && echo -e "secret unseal rsa failed! $RESULT" && exit 1
+        grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1
+        RESULT=$?
+        [ $RESULT -ne 0 ] && echo -e "secret unseal rsa match failed! $RESULT" && exit 1
 
-    # Test RSA Unseal Expected Failure Case
-    # Create different ECC policy key to test failure case
-    openssl genrsa -out tmp-rsa2048-key.pem 2048 >> run.out 2>&1
-    openssl rsa -in tmp-rsa2048-key.pem -outform der -out tmp-rsa2048-key-pub.der -pubout >> run.out 2>&1
+        # RSA (recreate policy auth using public key instead of using policyauth.bin)
+        TMPFILE=$(mktemp)
+        SECRET_STRING=`head -c 32 /dev/random | base64`
+        ./examples/boot/secret_seal -rsa -publickey=./certs/example-rsa2048-key-pub.der -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1
+        RESULT=$?
+        [ $RESULT -ne 0 ] && echo -e "secret seal rsa alt failed! $RESULT" && exit 1
+        ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -rsa -publickey=./certs/example-rsa2048-key-pub.der -seal=sealblob.bin &> $TMPFILE
+        RESULT=$?
+        cat $TMPFILE >> run.out
+        [ $RESULT -ne 0 ] && echo -e "secret unseal rsa alt failed! $RESULT" && exit 1
+        grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1
+        RESULT=$?
+        rm -f $TMPFILE
+        [ $RESULT -ne 0 ] && echo -e "secret unseal rsa alt match failed! $RESULT" && exit 1
 
-    # Sign policy using different private key
-    ./examples/pcr/policy_sign -pcr=16 -rsa -key=tmp-rsa2048-key.pem -out=pcrsig_fail.bin -outpolicy=policyauth.bin >> run.out 2>&1
-    RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "policy sign (expected failure case) rsa pem failed! $RESULT" && exit 1
+        # Test RSA Unseal Expected Failure Case
+        # Create different ECC policy key to test failure case
+        openssl genrsa -out tmp-rsa2048-key.pem 2048 >> run.out 2>&1
+        openssl rsa -in tmp-rsa2048-key.pem -outform der -out tmp-rsa2048-key-pub.der -pubout >> run.out 2>&1
 
-    # This RSA unseal should fail!
-    ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig_fail.bin -rsa -publickey=tmp-rsa2048-key-pub.der -seal=sealblob.bin >> run.out 2>&1
-    RESULT=$?
-    [ $RESULT -eq 0 ] && echo -e "secret unseal rsa should have failed! $RESULT" && exit 1
+        # Sign policy using different private key
+        ./examples/pcr/policy_sign -pcr=16 -rsa -key=tmp-rsa2048-key.pem -out=pcrsig_fail.bin -outpolicy=policyauth.bin >> run.out 2>&1
+        RESULT=$?
+        [ $RESULT -ne 0 ] && echo -e "policy sign (expected failure case) rsa pem failed! $RESULT" && exit 1
 
+        # This RSA unseal should fail!
+        ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig_fail.bin -rsa -publickey=tmp-rsa2048-key-pub.der -seal=sealblob.bin >> run.out 2>&1
+        RESULT=$?
+        [ $RESULT -eq 0 ] && echo -e "secret unseal rsa should have failed! $RESULT" && exit 1
 
-    rm -f tmp-rsa2048-key.pem
-    rm -f tmp-rsa2048-key-pub.der
-    rm -f pcrsig_fail.bin
 
+        rm -f tmp-rsa2048-key.pem
+        rm -f tmp-rsa2048-key-pub.der
+        rm -f pcrsig_fail.bin
+    fi
 
-    # ECC
-    ./examples/pcr/policy_sign -pcr=16 -ecc -key=./certs/example-ecc256-key.der -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1
-    RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "policy sign ecc der failed! $RESULT" && exit 1
-    ./examples/pcr/policy_sign -pcr=16 -ecc -key=./certs/example-ecc256-key.pem -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1
-    RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "policy sign ecc pem failed! $RESULT" && exit 1
+    if [ $WOLFCRYPT_ECC -eq 1 ]; then
+        # ECC
+        ./examples/pcr/policy_sign -pcr=16 -ecc -key=./certs/example-ecc256-key.der -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1
+        RESULT=$?
+        [ $RESULT -ne 0 ] && echo -e "policy sign ecc der failed! $RESULT" && exit 1
+        ./examples/pcr/policy_sign -pcr=16 -ecc -key=./certs/example-ecc256-key.pem -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1
+        RESULT=$?
+        [ $RESULT -ne 0 ] && echo -e "policy sign ecc pem failed! $RESULT" && exit 1
 
-    TMPFILE=$(mktemp)
-    SECRET_STRING=`head -c 32 /dev/random | base64`
-    ./examples/boot/secret_seal -ecc -policy=policyauth.bin -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1
-    RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "secret seal ecc failed! $RESULT" && exit 1
-    ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -ecc -publickey=./certs/example-ecc256-key-pub.der -seal=sealblob.bin &> $TMPFILE
-    RESULT=$?
-    cat $TMPFILE >> run.out
-    [ $RESULT -ne 0 ] && echo -e "secret unseal ecc failed! $RESULT" && exit 1
+        TMPFILE=$(mktemp)
+        SECRET_STRING=`head -c 32 /dev/random | base64`
+        ./examples/boot/secret_seal -ecc -policy=policyauth.bin -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1
+        RESULT=$?
+        [ $RESULT -ne 0 ] && echo -e "secret seal ecc failed! $RESULT" && exit 1
+        ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -ecc -publickey=./certs/example-ecc256-key-pub.der -seal=sealblob.bin &> $TMPFILE
+        RESULT=$?
+        cat $TMPFILE >> run.out
+        [ $RESULT -ne 0 ] && echo -e "secret unseal ecc failed! $RESULT" && exit 1
 
-    grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1
-    RESULT=$?
-    rm -f $TMPFILE
-    [ $RESULT -ne 0 ] && echo -e "secret unseal ecc match failed! $RESULT" && exit 1
+        grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1
+        RESULT=$?
+        rm -f $TMPFILE
+        [ $RESULT -ne 0 ] && echo -e "secret unseal ecc match failed! $RESULT" && exit 1
 
 
-    # ECC (recreate policy auth using public key instead of using policyauth.bin)
-    TMPFILE=$(mktemp)
-    SECRET_STRING=`head -c 32 /dev/random | base64`
-    ./examples/boot/secret_seal -ecc -publickey=./certs/example-ecc256-key-pub.der -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1
-    RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "secret seal ecc alt failed! $RESULT" && exit 1
-    ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -ecc -publickey=./certs/example-ecc256-key-pub.der -seal=sealblob.bin &> $TMPFILE
-    RESULT=$?
-    cat $TMPFILE >> run.out
-    [ $RESULT -ne 0 ] && echo -e "secret unseal ecc alt failed! $RESULT" && exit 1
-    grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1
-    RESULT=$?
-    rm -f $TMPFILE
-    [ $RESULT -ne 0 ] && echo -e "secret unseal ecc alt match failed! $RESULT" && exit 1
+        # ECC (recreate policy auth using public key instead of using policyauth.bin)
+        TMPFILE=$(mktemp)
+        SECRET_STRING=`head -c 32 /dev/random | base64`
+        ./examples/boot/secret_seal -ecc -publickey=./certs/example-ecc256-key-pub.der -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1
+        RESULT=$?
+        [ $RESULT -ne 0 ] && echo -e "secret seal ecc alt failed! $RESULT" && exit 1
+        ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -ecc -publickey=./certs/example-ecc256-key-pub.der -seal=sealblob.bin &> $TMPFILE
+        RESULT=$?
+        cat $TMPFILE >> run.out
+        [ $RESULT -ne 0 ] && echo -e "secret unseal ecc alt failed! $RESULT" && exit 1
+        grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1
+        RESULT=$?
+        rm -f $TMPFILE
+        [ $RESULT -ne 0 ] && echo -e "secret unseal ecc alt match failed! $RESULT" && exit 1
 
 
-    # Test ECC Unseal Expected Failure Case
-    # Create different ECC policy key to test failure case
-    openssl ecparam -name prime256v1 -genkey -noout -out tmp-ecc256-key.pem >> run.out 2>&1
-    openssl ec -in tmp-ecc256-key.pem -outform der -out tmp-ecc256-key-pub.der -pubout >> run.out 2>&1
+        # Test ECC Unseal Expected Failure Case
+        # Create different ECC policy key to test failure case
+        openssl ecparam -name prime256v1 -genkey -noout -out tmp-ecc256-key.pem >> run.out 2>&1
+        openssl ec -in tmp-ecc256-key.pem -outform der -out tmp-ecc256-key-pub.der -pubout >> run.out 2>&1
 
-    # Sign policy using different private key
-    ./examples/pcr/policy_sign -pcr=16 -ecc -key=tmp-ecc256-key.pem -out=pcrsig_fail.bin -outpolicy=policyauth.bin >> run.out 2>&1
-    RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "policy sign (expected failure case) ecc pem failed! $RESULT" && exit 1
+        # Sign policy using different private key
+        ./examples/pcr/policy_sign -pcr=16 -ecc -key=tmp-ecc256-key.pem -out=pcrsig_fail.bin -outpolicy=policyauth.bin >> run.out 2>&1
+        RESULT=$?
+        [ $RESULT -ne 0 ] && echo -e "policy sign (expected failure case) ecc pem failed! $RESULT" && exit 1
 
-    # This ECC unseal should fail!
-    ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig_fail.bin -ecc -publickey=tmp-ecc256-key-pub.der -seal=sealblob.bin >> run.out 2>&1
-    RESULT=$?
-    [ $RESULT -eq 0 ] && echo -e "secret unseal ecc should have failed! $RESULT" && exit 1
+        # This ECC unseal should fail!
+        ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig_fail.bin -ecc -publickey=tmp-ecc256-key-pub.der -seal=sealblob.bin >> run.out 2>&1
+        RESULT=$?
+        [ $RESULT -eq 0 ] && echo -e "secret unseal ecc should have failed! $RESULT" && exit 1
 
-    rm -f tmp-ecc256-key.pem
-    rm -f tmp-ecc256-key-pub.der
-    rm -f pcrsig_fail.bin
+        rm -f tmp-ecc256-key.pem
+        rm -f tmp-ecc256-key-pub.der
+        rm -f pcrsig_fail.bin
+    fi
 
     rm -f pcrsig.bin
     rm -f policyauth.bin