
[v4,3/3] acceptance-tests: add tests for signer common name check

Message ID 20181108143252.14842-4-Denis.Osterland@diehl.com
State Accepted
Series signature: additional checks on signer certificate | expand

Commit Message

Denis Osterland-Heim Nov. 8, 2018, 3:08 p.m. UTC
Add tests to verify signers common name check implementation.

Signed-off-by: Denis Osterland <Denis.Osterland@diehl.com>
---
 scripts/acceptance-tests/CheckImage.mk | 35 +++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)

Comments

Stefano Babic Nov. 15, 2018, 5:51 p.m. UTC | #1
On 08/11/18 16:08, Denis OSTERLAND wrote:
> Add tests to verify signers common name check implementation.
> 

This is in fact a good thing - and these acceptance-tests should be
extended in future to add more tests.

Tested-by: Stefano Babic <sbabic@denx.de>
Acked-by: Stefano Babic <sbabic@denx.de>

Best regards,
Stefano Babic

> Signed-off-by: Denis Osterland <Denis.Osterland@diehl.com>
> ---
>  scripts/acceptance-tests/CheckImage.mk | 35 +++++++++++++++++++++++++-
>  1 file changed, 34 insertions(+), 1 deletion(-)
> 
> diff --git a/scripts/acceptance-tests/CheckImage.mk b/scripts/acceptance-tests/CheckImage.mk
> index 6e0fecd..bff7c24 100644
> --- a/scripts/acceptance-tests/CheckImage.mk
> +++ b/scripts/acceptance-tests/CheckImage.mk
> @@ -18,7 +18,7 @@
>  #
>  # test commands for --check command-line option
>  #
> -SWU_CHECK_BASE = ./swupdate -l 5 -c $(if $(CONFIG_SIGNED_IMAGES),-k $(obj)/cacert.pem)
> +SWU_CHECK_BASE = ./swupdate -l 5 -c $(if $(CONFIG_SIGNED_IMAGES),-k $(obj)/cacert.pem) $(if $(strip $(filter %.cfg, $^)), -f $(filter %.cfg, $^))
>  SWU_CHECK = $(SWU_CHECK_BASE) $(if $(CONFIG_HW_COMPATIBILITY),-H test:1) $(if $(strip $(filter-out FORCE,$<)),-i $<) $(if $(strip $(KBUILD_VERBOSE:0=)),,>/dev/null 2>&1)
>  
>  quiet_cmd_swu_check_assert_false = RUN     $@
> @@ -53,6 +53,8 @@ tests-$(CONFIG_LIBCONFIG) += ValidImageTest
>  tests-y += InvOptsNoImg
>  tests-$(CONFIG_MONGOOSE) += InvOptsCheckWithWeb
>  tests-$(CONFIG_SURICATTA) += InvOptsCheckWithSur
> +tests-$(CONFIG_SIGNED_IMAGES) += InvSigNameCheck
> +tests-$(CONFIG_SIGNED_IMAGES) += ValidSigNameCheck
>  
>  #
>  # file not found test
> @@ -180,3 +182,34 @@ $(obj)/signer.pem $(obj)/cacert.pem:
>  %/sw-description.sig :: %/sw-description $(obj)/signer.pem
>  	$(call cmd,sign_desc)
>  
> +
> +#
> +# invalid signer name
> +#
> +PHONY += InvSigNameCheck
> +InvSigNameCheck: $(obj)/ValidImage.swu $(obj)/InvSigNameCheck.cfg FORCE $(if $(CONFIG_SIGNED_IMAGES), $(obj)/cacert.pem)
> +	$(call cmd,swu_check_assert_false)
> +
> +clean-files += InvSigNameCheck.cfg
> +$(obj)/InvSigNameCheck.cfg:
> +	$(Q)printf "\
> +globals: {\n\
> +	forced-signer-name = \"shall be different\";\n\
> +};\n\
> +" > $@
> +
> +#
> +# valid signer name
> +#
> +PHONY += ValidSigNameCheck
> +ValidSigNameCheck: $(obj)/ValidImage.swu $(obj)/ValidSigNameCheck.cfg FORCE $(if $(CONFIG_SIGNED_IMAGES), $(obj)/cacert.pem)
> +	$(call cmd,swu_check_assert_true)
> +
> +clean-files += ValidSigNameCheck.cfg
> +$(obj)/ValidSigNameCheck.cfg:
> +	$(Q)printf "\
> +globals: {\n\
> +        forced-signer-name = \"OpenSSL test S/MIME signer 1\";\n\
> +};\n\
> +" > $@
> +
>

Patch

diff --git a/scripts/acceptance-tests/CheckImage.mk b/scripts/acceptance-tests/CheckImage.mk
index 6e0fecd..bff7c24 100644
--- a/scripts/acceptance-tests/CheckImage.mk
+++ b/scripts/acceptance-tests/CheckImage.mk
@@ -18,7 +18,7 @@ 
 #
 # test commands for --check command-line option
 #
-SWU_CHECK_BASE = ./swupdate -l 5 -c $(if $(CONFIG_SIGNED_IMAGES),-k $(obj)/cacert.pem)
+SWU_CHECK_BASE = ./swupdate -l 5 -c $(if $(CONFIG_SIGNED_IMAGES),-k $(obj)/cacert.pem) $(if $(strip $(filter %.cfg, $^)), -f $(filter %.cfg, $^))
 SWU_CHECK = $(SWU_CHECK_BASE) $(if $(CONFIG_HW_COMPATIBILITY),-H test:1) $(if $(strip $(filter-out FORCE,$<)),-i $<) $(if $(strip $(KBUILD_VERBOSE:0=)),,>/dev/null 2>&1)
 
 quiet_cmd_swu_check_assert_false = RUN     $@
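Review bot: The new `-f $(filter %.cfg, $^)` in SWU_CHECK_BASE expands to every `.cfg` prerequisite, so a rule that ever lists two of them would hand the second one to swupdate as a stray argument; `-f $(firstword $(filter %.cfg,$^))` keeps it to a single file. Because the variable is recursively expanded, `$^` only has a value inside a recipe, and the option now applies implicitly to any test built on SWU_CHECK_BASE that has a `.cfg` prerequisite. A comment above the assignment, such as `# any *.cfg prerequisite of the test is passed to swupdate as its configuration file (-f)`, would make that coupling visible to the next person adding a test.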
@@ -53,6 +53,8 @@  tests-$(CONFIG_LIBCONFIG) += ValidImageTest
 tests-y += InvOptsNoImg
 tests-$(CONFIG_MONGOOSE) += InvOptsCheckWithWeb
 tests-$(CONFIG_SURICATTA) += InvOptsCheckWithSur
+tests-$(CONFIG_SIGNED_IMAGES) += InvSigNameCheck
+tests-$(CONFIG_SIGNED_IMAGES) += ValidSigNameCheck
 
 #
 # file not found test
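Review bot: Both new entries are gated on CONFIG_SIGNED_IMAGES alone, although the tests they name feed swupdate a libconfig-style file through `-f` and reuse `$(obj)/ValidImage.swu`, whose own test (visible in the hunk header) is gated on CONFIG_LIBCONFIG. Whether signed images can be enabled without libconfig is not visible from this hunk; if they can, one of the two tests would fail, or pass for an unrelated reason. Gating on both options, e.g. `tests-$(and $(CONFIG_SIGNED_IMAGES),$(CONFIG_LIBCONFIG)) += InvSigNameCheck` and the same for ValidSigNameCheck, would rule that out.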
@@ -180,3 +182,34 @@  $(obj)/signer.pem $(obj)/cacert.pem:
 %/sw-description.sig :: %/sw-description $(obj)/signer.pem
 	$(call cmd,sign_desc)
 
+
+#
+# invalid signer name
+#
+PHONY += InvSigNameCheck
+InvSigNameCheck: $(obj)/ValidImage.swu $(obj)/InvSigNameCheck.cfg FORCE $(if $(CONFIG_SIGNED_IMAGES), $(obj)/cacert.pem)
+	$(call cmd,swu_check_assert_false)
+
+clean-files += InvSigNameCheck.cfg
+$(obj)/InvSigNameCheck.cfg:
+	$(Q)printf "\
+globals: {\n\
+	forced-signer-name = \"shall be different\";\n\
+};\n\
+" > $@
+
+#
+# valid signer name
+#
+PHONY += ValidSigNameCheck
+ValidSigNameCheck: $(obj)/ValidImage.swu $(obj)/ValidSigNameCheck.cfg FORCE $(if $(CONFIG_SIGNED_IMAGES), $(obj)/cacert.pem)
+	$(call cmd,swu_check_assert_true)
+
+clean-files += ValidSigNameCheck.cfg
+$(obj)/ValidSigNameCheck.cfg:
+	$(Q)printf "\
+globals: {\n\
+        forced-signer-name = \"OpenSSL test S/MIME signer 1\";\n\
+};\n\
+" > $@
+
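Review bot: InvSigNameCheck only asserts that swupdate exits with a failure, so it also passes when the run fails for a reason unrelated to the name check (an unparsable `.cfg`, a missing image, a signature error), and going by the SWU_CHECK definition in the first hunk the output is discarded unless KBUILD_VERBOSE is set. ValidSigNameCheck serves as the control for that, but the rejected name `shall be different` shares nothing with the accepted one, so a comparison that matched on a prefix or substring would still pass both tests. A third assert-false case whose config holds a strict prefix of the valid name, e.g. `forced-signer-name = \"OpenSSL test S/MIME signer\";`, would pin exact matching. The accepted name must also agree with the certificate produced by the `$(obj)/signer.pem` rule, which lies outside this hunk; a comment next to the string saying where the name comes from would help whoever regenerates the test keys.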