diff mbox series

acceptance-tests: add support for signed images

Message ID 20180827113528.18620-1-Denis.Osterland@diehl.com
State Changes Requested
Headers show
Series acceptance-tests: add support for signed images | expand

Commit Message

Denis Osterland-Heim Aug. 27, 2018, 11:38 a.m. UTC 
Use CA and signer from OpenSSL demos to sign and verify test images.

Signed-off-by: Denis Osterland <Denis.Osterland@diehl.com>
---
 scripts/acceptance-tests/CheckImage.mk | 35 +++++++++++++++++---------
 1 file changed, 23 insertions(+), 12 deletions(-)
diff mbox series

Patch

diff --git a/scripts/acceptance-tests/CheckImage.mk b/scripts/acceptance-tests/CheckImage.mk
index 903b0d0..0dbb9ba 100644
--- a/scripts/acceptance-tests/CheckImage.mk
+++ b/scripts/acceptance-tests/CheckImage.mk
@@ -18,7 +18,8 @@ 
 #
 # test commands for --check command-line option
 #
-SWU_CHECK = ./swupdate $(if $(CONFIG_HW_COMPATIBILITY),-H test:1) -l 5 -c $(if $(strip $(filter-out FORCE,$<)),-i $<) $(if $(strip $(KBUILD_VERBOSE:0=)),,>/dev/null 2>&1)
+SWU_CHECK_BASE = ./swupdate -l 5 -c $(if $(CONFIG_SIGNED_IMAGES),-k $(obj)/cacert.pem)
+SWU_CHECK = $(SWU_CHECK_BASE) $(if $(CONFIG_HW_COMPATIBILITY),-H test:1) $(if $(strip $(filter-out FORCE,$<)),-i $<) $(if $(strip $(KBUILD_VERBOSE:0=)),,>/dev/null 2>&1)
 
 quiet_cmd_swu_check_assert_false = RUN     $@
       cmd_swu_check_assert_false = $(SWU_CLEAN); if $(SWU_CHECK); then false; fi
@@ -27,10 +28,10 @@  quiet_cmd_swu_check_assert_true = RUN     $@
       cmd_swu_check_assert_true = $(SWU_CLEAN); $(SWU_CHECK)
 
 quiet_cmd_swu_check_inv_websrv = RUN     $@
-      cmd_swu_check_inv_websrv = $(SWU_CLEAN); if ./swupdate -l 5 -c -w "-document_root $(srctree)" >/dev/null 2>&1; then false; fi
+      cmd_swu_check_inv_websrv = $(SWU_CLEAN); if $(SWU_CHECK_BASE) -w "-document_root $(srctree)" >/dev/null 2>&1; then false; fi
 
 quiet_cmd_swu_check_inv_suricatta = RUN     $@
-      cmd_swu_check_inv_suricatta = $(SWU_CLEAN); if ./swupdate -l 5 -c -u "-t default -i 42 -u localhost:8080" >/dev/null 2>&1; then false; fi
+      cmd_swu_check_inv_suricatta = $(SWU_CLEAN); if $(SWU_CHECK_BASE) -u "-t default -i 42 -u localhost:8080" >/dev/null 2>&1; then false; fi
 
 quiet_cmd_mkswu = MKSWU   $@
       cmd_mkswu = mkdir -p $(dir $@); cd $(dir $<); for l in $(patsubst $(dir $<)%,%,$(filter-out FORCE,$^)); do echo "$$l"; done | cpio -ov -H crc > $(objtree)/$@
@@ -50,14 +51,14 @@  tests-$(CONFIG_SURICATTA) += InvOptsCheckWithSur
 # file not found test
 #
 PHONY += FileNotFoundTest FileNotFound.swu
-FileNotFoundTest: FileNotFound.swu FORCE
+FileNotFoundTest: FileNotFound.swu FORCE $(if $(CONFIG_SIGNED_IMAGES), $(obj)/cacert.pem)
 	$(call cmd,swu_check_assert_false)
 
 #
 # corrupt file test
 #
 PHONY += CrapFileTest
-CrapFileTest: $(obj)/CrapFile.swu FORCE
+CrapFileTest: $(obj)/CrapFile.swu FORCE $(if $(CONFIG_SIGNED_IMAGES), $(obj)/cacert.pem)
 	$(call cmd,swu_check_assert_false)
 
 $(obj)/CrapFile.swu:
@@ -68,7 +69,7 @@  $(obj)/CrapFile.swu:
 # test of update file with image name in sw-description missmatch
 #
 PHONY += ImgNameErrorTest
-ImgNameErrorTest: $(obj)/ImgNameError.swu FORCE
+ImgNameErrorTest: $(obj)/ImgNameError.swu FORCE $(if $(CONFIG_SIGNED_IMAGES), $(obj)/cacert.pem)
 	$(call cmd,swu_check_assert_false)
 
 %/hello.txt:
@@ -99,14 +100,16 @@  software =\n\
 	}\n\
 " > $@
 
-$(obj)/ImgNameError.swu: $(obj)/ImgNameError/sw-description $(obj)/ImgNameError/hello.txt
+with_sig = $1 $(if $(CONFIG_SIGNED_IMAGES),$(addsuffix .sig, $1))
+
+$(obj)/ImgNameError.swu: $(call with_sig, $(obj)/ImgNameError/sw-description) $(obj)/ImgNameError/hello.txt
 	$(call cmd,mkswu)
 
 #
 # Test of a valid *.swu file
 #
 PHONY += ValidImageTest
-ValidImageTest: $(obj)/ValidImage.swu FORCE
+ValidImageTest: $(obj)/ValidImage.swu FORCE $(if $(CONFIG_SIGNED_IMAGES), $(obj)/cacert.pem)
 	$(call cmd,swu_check_assert_true)
 
 $(obj)/ValidImage/sw-description:
@@ -126,6 +129,7 @@  software =\n\
 		{\n\
 		filename = \"hello.txt\";\n\
 		path = \"/home/hello.txt\";\n\
+$(if $(CONFIG_HASH_VERIFY),		sha256 = \"d2a84f4b8b650937ec8f73cd8be2c74add5a911ba64df27458ed8229da804a26\")\
 		}\n\
 \n\
 	);\n\
@@ -133,27 +137,34 @@  software =\n\
 	}\n\
 " > $@
 
-$(obj)/ValidImage.swu: $(obj)/ValidImage/sw-description $(obj)/ValidImage/hello.txt
+$(obj)/ValidImage.swu: $(call with_sig, $(obj)/ValidImage/sw-description) $(obj)/ValidImage/hello.txt
 	$(call cmd,mkswu)
 
 #
 # invalid option test, no image given
 #
 PHONY += InvOptsNoImg
-InvOptsNoImg: FORCE
+InvOptsNoImg: FORCE $(if $(CONFIG_SIGNED_IMAGES), $(obj)/cacert.pem)
 	$(call cmd,swu_check_assert_false)
 
 #
 # invalid option test, web server with check
 #
 PHONY += InvOptsCheckWithWeb
-InvOptsCheckWithWeb: FORCE
+InvOptsCheckWithWeb: FORCE $(if $(CONFIG_SIGNED_IMAGES), $(obj)/cacert.pem)
 	$(call cmd,swu_check_inv_websrv)
 
 #
 # invalid option test, suricatta with check
 #
 PHONY += InvOptsCheckWithSur
-InvOptsCheckWithSur: FORCE
+InvOptsCheckWithSur: FORCE $(if $(CONFIG_SIGNED_IMAGES), $(obj)/cacert.pem)
 	$(call cmd,swu_check_inv_suricatta)
 
+$(obj)/signer.pem $(obj)/cacert.pem:
+	wget -O $@.tmp https://raw.githubusercontent.com/openssl/openssl/master/demos/cms/$(notdir $@)
+	mv -f $@.tmp $@
+
+%/sw-description.sig :: %/sw-description $(obj)/signer.pem
+	openssl cms -sign -in $< -out $@ -signer $(obj)/signer.pem -outform DER -nosmimecap -binary
+