From patchwork Mon Aug 27 11:38:40 2018
X-Patchwork-Submitter: Denis Osterland-Heim
X-Patchwork-Id: 962490
From: Denis OSTERLAND
To: "swupdate@googlegroups.com"
CC: Denis OSTERLAND
Subject: [swupdate] [PATCH] acceptance-tests: add support for signed images
Date: Mon, 27 Aug 2018 11:38:40 +0000
Message-ID: <20180827113528.18620-1-Denis.Osterland@diehl.com>

Use CA and signer from OpenSSL demos to sign and verify test images.

Signed-off-by: Denis Osterland
---
 scripts/acceptance-tests/CheckImage.mk | 35 +++++++++++++++++---------
 1 file changed, 23 insertions(+), 12 deletions(-)

diff --git a/scripts/acceptance-tests/CheckImage.mk b/scripts/acceptance-tests/CheckImage.mk index 903b0d0..0dbb9ba 100644 --- a/scripts/acceptance-tests/CheckImage.mk +++ b/scripts/acceptance-tests/CheckImage.mk
@@ -18,7 +18,8 @@ # # test commands for --check command-line option # -SWU_CHECK = ./swupdate $(if $(CONFIG_HW_COMPATIBILITY),-H test:1) -l 5 -c $(if $(strip $(filter-out FORCE,$<)),-i $<) $(if $(strip $(KBUILD_VERBOSE:0=)),,>/dev/null 2>&1) +SWU_CHECK_BASE = ./swupdate -l 5 -c $(if $(CONFIG_SIGNED_IMAGES),-k $(obj)/cacert.pem) +SWU_CHECK = $(SWU_CHECK_BASE) $(if $(CONFIG_HW_COMPATIBILITY),-H test:1) $(if $(strip $(filter-out FORCE,$<)),-i $<) $(if $(strip $(KBUILD_VERBOSE:0=)),,>/dev/null 2>&1) quiet_cmd_swu_check_assert_false = RUN $@ cmd_swu_check_assert_false = $(SWU_CLEAN); if $(SWU_CHECK); then false; fi @@ -27,10 +28,10 @@ quiet_cmd_swu_check_assert_true = RUN $@ cmd_swu_check_assert_true = $(SWU_CLEAN); $(SWU_CHECK) quiet_cmd_swu_check_inv_websrv = RUN $@ - cmd_swu_check_inv_websrv = $(SWU_CLEAN); if ./swupdate -l 5 -c -w "-document_root $(srctree)" >/dev/null 2>&1; then false; fi + cmd_swu_check_inv_websrv = $(SWU_CLEAN); if $(SWU_CHECK_BASE) -w "-document_root $(srctree)" >/dev/null 2>&1; then false; fi quiet_cmd_swu_check_inv_suricatta = RUN $@ - cmd_swu_check_inv_suricatta = $(SWU_CLEAN); if ./swupdate -l 5 -c -u "-t default -i 42 -u localhost:8080" >/dev/null 2>&1; then false; fi + cmd_swu_check_inv_suricatta = $(SWU_CLEAN); if $(SWU_CHECK_BASE) -u "-t default -i 42 -u localhost:8080" >/dev/null 2>&1; then false; fi quiet_cmd_mkswu = MKSWU $@ cmd_mkswu = mkdir -p $(dir $@); cd $(dir $<); for l in $(patsubst $(dir $<)%,%,$(filter-out FORCE,$^)); do echo "$$l"; done | cpio -ov -H crc > $(objtree)/$@ 
@@ -50,14 +51,14 @@ tests-$(CONFIG_SURICATTA) += InvOptsCheckWithSur # file not found test # PHONY += FileNotFoundTest FileNotFound.swu -FileNotFoundTest: FileNotFound.swu FORCE +FileNotFoundTest: FileNotFound.swu FORCE $(if $(CONFIG_SIGNED_IMAGES), $(obj)/cacert.pem) $(call cmd,swu_check_assert_false) # # corrupt file test # PHONY += CrapFileTest -CrapFileTest: $(obj)/CrapFile.swu FORCE +CrapFileTest: $(obj)/CrapFile.swu FORCE $(if $(CONFIG_SIGNED_IMAGES), $(obj)/cacert.pem) $(call cmd,swu_check_assert_false) $(obj)/CrapFile.swu: @@ -68,7 +69,7 @@ $(obj)/CrapFile.swu: # test of update file with image name in sw-description missmatch # PHONY += ImgNameErrorTest -ImgNameErrorTest: $(obj)/ImgNameError.swu FORCE +ImgNameErrorTest: $(obj)/ImgNameError.swu FORCE $(if $(CONFIG_SIGNED_IMAGES), $(obj)/cacert.pem) $(call cmd,swu_check_assert_false) %/hello.txt: @@ -99,14 +100,16 @@ software =\n\ }\n\ " > $@ -$(obj)/ImgNameError.swu: $(obj)/ImgNameError/sw-description $(obj)/ImgNameError/hello.txt +with_sig = $1 $(if $(CONFIG_SIGNED_IMAGES),$(addsuffix .sig, $1)) + +$(obj)/ImgNameError.swu: $(call with_sig, $(obj)/ImgNameError/sw-description) $(obj)/ImgNameError/hello.txt $(call cmd,mkswu) # # Test of a valid *.swu file # PHONY += ValidImageTest -ValidImageTest: $(obj)/ValidImage.swu FORCE +ValidImageTest: $(obj)/ValidImage.swu FORCE $(if $(CONFIG_SIGNED_IMAGES), $(obj)/cacert.pem) $(call cmd,swu_check_assert_true) $(obj)/ValidImage/sw-description: @@ -126,6 +129,7 @@ software =\n\ {\n\ filename = \"hello.txt\";\n\ path = \"/home/hello.txt\";\n\ +$(if $(CONFIG_HASH_VERIFY), sha256 = \"d2a84f4b8b650937ec8f73cd8be2c74add5a911ba64df27458ed8229da804a26\")\ }\n\ \n\ );\n\ 
@@ -133,27 +137,34 @@ software =\n\ }\n\ " > $@ -$(obj)/ValidImage.swu: $(obj)/ValidImage/sw-description $(obj)/ValidImage/hello.txt +$(obj)/ValidImage.swu: $(call with_sig, $(obj)/ValidImage/sw-description) $(obj)/ValidImage/hello.txt $(call cmd,mkswu) # # invalid option test, no image given # PHONY += InvOptsNoImg -InvOptsNoImg: FORCE +InvOptsNoImg: FORCE $(if $(CONFIG_SIGNED_IMAGES), $(obj)/cacert.pem) $(call cmd,swu_check_assert_false) # # invalid option test, web server with check # PHONY += InvOptsCheckWithWeb -InvOptsCheckWithWeb: FORCE +InvOptsCheckWithWeb: FORCE $(if $(CONFIG_SIGNED_IMAGES), $(obj)/cacert.pem) $(call cmd,swu_check_inv_websrv) # # invalid option test, suricatta with check # PHONY += InvOptsCheckWithSur -InvOptsCheckWithSur: FORCE +InvOptsCheckWithSur: FORCE $(if $(CONFIG_SIGNED_IMAGES), $(obj)/cacert.pem) $(call cmd,swu_check_inv_suricatta) +$(obj)/signer.pem $(obj)/cacert.pem: + wget -O $@.tmp https://raw.githubusercontent.com/openssl/openssl/master/demos/cms/$(notdir $@) + mv -f $@.tmp $@ + +%/sw-description.sig :: %/sw-description $(obj)/signer.pem + openssl cms -sign -in $< -out $@ -signer $(obj)/signer.pem -outform DER -nosmimecap -binary +
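
Review bot: In the first hunk (`@@ -18,7 +18,8 @@`), adding `-k $(obj)/cacert.pem` to `SWU_CHECK_BASE` gives every negative test a second way to fail that the test cannot tell apart from the intended one. `cmd_swu_check_assert_false` passes on any non-zero exit, and the output goes to `/dev/null` unless KBUILD_VERBOSE is set, so with CONFIG_SIGNED_IMAGES enabled an unusable certificate or a rejected signature would let FileNotFoundTest, CrapFileTest and ImgNameErrorTest pass without ever reaching the condition they are named for. Consider capturing the log and matching the expected error for each negative test, or at least document that these tests only assert "exit status is non-zero".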
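
Review bot: The `sha256 = ...` line added in the `@@ -126,6 +129,7 @@` hunk hard-codes the digest of hello.txt, while the file itself comes from the separate `%/hello.txt:` rule, so any change to that rule makes ValidImageTest fail with nothing pointing back to this literal. Either compute the digest from the generated file when sw-description is written, or add a comment next to both rules saying they must change together. The new line also ends in `\` where the neighbouring `filename` and `path` entries end in `;\n\`; ending it the same way keeps the generated sw-description consistent.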
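
Review bot: The `wget` rule for `$(obj)/signer.pem` and `$(obj)/cacert.pem` at the end of the last hunk downloads the signing key and the trust anchor from the `master` branch of openssl at test time, with no pinned revision and no checksum. The acceptance tests then need network access, and the material they trust can change or disappear upstream without any change in this tree. Pin the URL to a tag or commit and verify a known digest before the `mv -f $@.tmp $@`, or check the two demo PEM files into scripts/acceptance-tests. A comment stating that signer.pem is a publicly available demo key intended for tests only would also be worth adding.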