blob: 69ec381abdd61da18a894171a20f94cd1f79a395 [file] [log] [blame]
#!/bin/bash
##
# test is to check that the key derivation works
# 1. create TPM internal private key
# 2. create and openssl private key
# 3. verify that the key derived from the openssl public key and the
# TPM private key is the same as that derived from the TPM public
# key and the openssl private key
#
##
# There's a huge caveat for the stupidity of openssl 1.0.2: the
# generated keys cannot have generic parameters; they must be
# identified by the curve OID. The reason is that deep within the
# derive peer key functions, openssl will perform a curve generator
# comparison, which it does by the ameth pointer. The ameth pointer
# is either an optimised value for a known curve or a generic value
# for parameters. Because the TPM engine takes care to preserve the
# curve ID, it's key has the optimised method. The public key of the
# non-TPM curve *must* have the same method and openssl has many ways
# to lose this information
##
for curve in $(${bindir}/create_tpm2_key --list-curves); do
if openssl ecparam -name ${curve} 2>&1 | egrep '(invalid|unknown) curve'; then
continue
fi
echo "Checking curve ${curve} explicitly named"
${bindir}/create_tpm2_key -p 81000001 --ecc ${curve} key0.tpm || exit 1
openssl pkey $ENGINE $INFORM -in key0.tpm -pubout -out key0.pub || exit 1
#openssl ecparam -name ${curve} > key1.param
#openssl genpkey -paramfile key1.param -out key1.priv || exit 1
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:${curve} -pkeyopt ec_param_enc:named_curve -out key1.priv || exit 1
openssl pkey -in key1.priv -pubout -out key1.pub || exit 1
# OK have two private and two public keys now generate two
# derivations, one from key0.tpm and key1.pub and the other from
# key1.priv and key0.pub.
openssl pkeyutl -derive $ENGINE $KEYFORM -inkey key0.tpm -peerkey key1.pub -out derive.1 || exit 1
openssl pkeyutl -derive -inkey key1.priv -peerkey key0.pub -out derive.2 || exit 1
# if we got it right, both derivations should be the same
cmp derive.1 derive.2 || exit 1
done