#!/usr/bin/env bash

# For the license, see the LICENSE file in the root directory.

# shellcheck disable=SC1091

TESTDIR=${abs_top_testdir:-$(dirname "$0")}
ROOT=${abs_top_builddir:-$(dirname "$0")/..}
source "${TESTDIR}/common"
skip_test_no_tpm20 "${SWTPM_EXE}"

PATH=$ROOT/src/swtpm:$PATH

PARAMETERS=(
	""
	"--createek"
	"--createek --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display"
	"--createek --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile ${TESTDIR}/data/keyfile.txt"
	"--createek --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile ${TESTDIR}/data/pwdfile.txt"
	"--createek --allow-signing"
	"--createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display"
	"--createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile ${TESTDIR}/data/keyfile.txt"
	"--createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile ${TESTDIR}/data/pwdfile.txt"
	"--createek --allow-signing --decryption --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile ${TESTDIR}/data/keyfile256bit.txt --cipher aes-256-cbc"
	"--createek --allow-signing --decryption --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile ${TESTDIR}/data/pwdfile.txt --cipher aes-256-cbc"
	"--createek --create-spk --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --lock-nvram"
	"--ecc --createek"
	"--ecc --createek --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display"
	"--ecc --createek --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile ${TESTDIR}/data/keyfile.txt"
	"--ecc --createek --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile ${TESTDIR}/data/pwdfile.txt"
	"--ecc --createek --allow-signing"
	"--ecc --createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display"
	"--ecc --createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile ${TESTDIR}/data/keyfile.txt"
	"--ecc --createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile ${TESTDIR}/data/pwdfile.txt"
	"--ecc --createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile ${TESTDIR}/data/keyfile256bit.txt --cipher aes-256-cbc"
	"--ecc --createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile ${TESTDIR}/data/pwdfile.txt --cipher aes-256-cbc"
	"--ecc --createek --allow-signing --decryption --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile-fd 100 --cipher aes-256-cbc"
	"--ecc --createek --allow-signing --decryption --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile-fd 101 --cipher aes-256-cbc"
	"--ecc --createek --create-spk --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --lock-nvram"
)

# Tests for 3072 bit RSA keys to be appended to above array if RSA 3072 keys are supported
PARAMETERS_3072=(
	"--createek --rsa-keysize 3072"
	"--createek --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --rsa-keysize 3072"
	"--createek --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile ${TESTDIR}/data/keyfile.txt --rsa-keysize 3072"
	"--createek --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile ${TESTDIR}/data/pwdfile.txt --rsa-keysize 3072"
	"--createek --allow-signing --rsa-keysize 3072"
	"--createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --rsa-keysize 3072"
	"--createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile ${TESTDIR}/data/keyfile.txt --rsa-keysize 3072"
	"--createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile ${TESTDIR}/data/pwdfile.txt --rsa-keysize 3072"
	"--createek --allow-signing --decryption --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile ${TESTDIR}/data/keyfile256bit.txt --cipher aes-256-cbc --rsa-keysize 3072"
	"--createek --allow-signing --decryption --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile ${TESTDIR}/data/pwdfile.txt --cipher aes-256-cbc --rsa-keysize 3072"
	"--createek --create-spk --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --lock-nvram --rsa-keysize 3072"
)

# Open read-only file descriptors referenced in test cases
exec 100<"${TESTDIR}/data/keyfile256bit.txt"
exec 101<"${TESTDIR}/data/pwdfile.txt"

# produced file size is always the same with TPM2

TPMDIR="$(mktemp -d)" || exit 1
TPMAUTHORING="$SWTPM_SETUP --tpm2 --config ${SWTPM_SETUP_CONF}"
PATH=${ROOT}/src/swtpm_bios:$PATH


trap "cleanup" SIGTERM EXIT

function cleanup()
{
	if [ -n "$TPMDIR" ]; then
		rm -rf "$TPMDIR"
	fi
}

if $TPMAUTHORING --tpm2 --print-capabilities | grep -q tpm2-rsa-keysize-3072; then
	PARAMETERS+=( "${PARAMETERS_3072[@]}" )
fi

# swtpm_setup.conf points to the local create_certs.sh
# For create_certs.sh to be found (with out full path)
# add this directory to the PATH
PATH=$PATH:$TESTDIR

for (( i=0; i<${#PARAMETERS[*]}; i++)); do
	rm -rf "${TPMDIR:?}"/*
	echo -n "Test $i: "
	params=${PARAMETERS[$i]}
	if ! $TPMAUTHORING \
		--tpm-state "$TPMDIR" \
		--tpm "$SWTPM_EXE socket ${SWTPM_TEST_SECCOMP_OPT}" \
		${params:+${params}} &>/dev/null;
	then
		echo "ERROR: Test with parameters '${params}' failed."
		exit 1
	elif [ ! -f "$TPMDIR/tpm2-00.permall" ]; then
		echo "ERROR: Test with parameters '${params}' did not
		      produce file $TPMDIR/tpm2-00.permall."
		exit 1
	fi

	# Make sure the state is encrypted when a key was given.
	# We expect sequences of 4 0-bytes in unencrypted state
	# and no such sequences in encrypted state.
	nullseq="$(od -t x1 -A n < "$TPMDIR/tpm2-00.permall" | tr -d '\n' | tr -s ' ' |
			grep "00 00 00 00")"
	if [[ "${params}" =~ (keyfile|pwdfile) ]]; then
		if [ -n "${nullseq}" ]; then
			echo "ERROR: State file is not encrypted with" \
			     "parameters '${params}'"
		fi
	else
		if [ -z "${nullseq}" ]; then
			echo "ERROR: State must not be encrypted with" \
			     "parameters '${params}'"
		fi
	fi

	echo "SUCCESS with parameters '${params}'."
done

exec 100>&-
exec 101>&-
