*** Settings ***


Documentation       Suite to test certificate via DMTF redfishtool.

Library             OperatingSystem
Library             String
Library             Collections
Library             JSONLibrary

Resource            ../../lib/resource.robot
Resource            ../../lib/bmc_redfish_resource.robot
Resource            ../../lib/openbmc_ffdc.robot
Resource            ../../lib/certificate_utils.robot
Resource            ../../lib/dmtf_redfishtool_utils.robot

Suite Setup         Suite Setup Execution


*** Variables ***

# Note: -u/-p put the BMC credentials on the redfishtool command line, so they are
# visible in the process list and in Robot's log of the executed command.
${root_cmd_args} =    SEPARATOR=
...    redfishtool raw -r ${OPENBMC_HOST}:${HTTPS_PORT} -u ${OPENBMC_USERNAME} -p ${OPENBMC_PASSWORD} -S Always

${invalid_value}      abc

*** Test Cases ***


Verify Redfishtool Replace Server Certificate Valid CertKey
    [Documentation]    Verify replace server certificate.
    [Tags]    Verify_Redfishtool_Replace_Server_Certificate_Valid_CertKey

    Verify Redfishtool Replace Certificate    Server    Valid Certificate Valid Privatekey    ok


Verify Redfishtool Replace Client Certificate Valid CertKey
    [Documentation]    Verify replace client certificate.
    [Tags]    Verify_Redfishtool_Replace_Client_Certificate_Valid_CertKey

    Verify Redfishtool Replace Certificate    Client    Valid Certificate Valid Privatekey    ok


Verify Redfishtool Replace CA Certificate Valid Cert
    [Documentation]    Verify replace CA certificate.
    [Tags]    Verify_Redfishtool_Replace_CA_Certificate_Valid_Cert

    Verify Redfishtool Replace Certificate    CA    Valid Certificate    ok


Verify Redfishtool Client Certificate Install Valid CertKey
    [Documentation]    Verify client certificate installation.
    [Tags]    Verify_Redfishtool_Client_Certificate_Install_Valid_CertKey

    Verify Redfishtool Install Certificate    Client    Valid Certificate Valid Privatekey    ok


Verify Redfishtool CA Certificate Install Valid Cert
    [Documentation]    Verify CA Certificate installation.
    [Tags]    Verify_Redfishtool_CA_Certificate_Install_Valid_Cert

    Verify Redfishtool Install Certificate    CA    Valid Certificate    ok


Verify Redfishtool Replace Server Certificate Errors
    [Documentation]    Verify error while replacing invalid server certificate.
    [Tags]    Verify_Redfishtool_Replace_Server_Certificate_Errors
    [Template]    Verify Redfishtool Replace Certificate

    # cert_type    cert_format                           expected_status
    Server         Empty Certificate Empty Privatekey    error
    Server         Empty Certificate Valid Privatekey    error
    Server         Valid Certificate Empty Privatekey    error


Verify Redfishtool Replace Client Certificate Errors
    [Documentation]    Verify error while replacing invalid client certificate.
    [Tags]    Verify_Redfishtool_Replace_Client_Certificate_Errors
    [Template]    Verify Redfishtool Replace Certificate

    # cert_type    cert_format                           expected_status
    Client         Empty Certificate Empty Privatekey    error
    Client         Empty Certificate Valid Privatekey    error
    Client         Valid Certificate Empty Privatekey    error


Verify Redfishtool Replace CA Certificate Errors
    [Documentation]    Verify error while replacing invalid CA certificate.
    [Tags]    Verify_Redfishtool_Replace_CA_Certificate_Errors
    [Template]    Verify Redfishtool Replace Certificate

    # cert_type    cert_format          expected_status
    CA             Empty Certificate    error


Verify Redfishtool Client Certificate Install Errors
    [Documentation]    Verify error while installing invalid client certificate.
    [Tags]    Verify_Redfishtool_Client_Certificate_Install_Errors
    [Template]    Verify Redfishtool Install Certificate

    # cert_type    cert_format                           expected_status
    Client         Empty Certificate Empty Privatekey    error
    Client         Empty Certificate Valid Privatekey    error
    Client         Valid Certificate Empty Privatekey    error


Verify Redfishtool CA Certificate Install Errors
    [Documentation]    Verify error while installing invalid CA certificate.
    [Tags]    Verify_Redfishtool_CA_Certificate_Install_Errors
    [Template]    Verify Redfishtool Install Certificate

    # cert_type    cert_format          expected_status
    CA             Empty Certificate    error


Verify Error While Uploading Same CA Certificate Via Redfishtool
    [Documentation]    Verify error while uploading same CA certificate two times.
    [Tags]    Verify_Error_While_Uploading_Same_CA_Certificate_Via_Redfishtool

    # Create certificate file for uploading.
    ${cert_file_path}=    Generate Certificate File Via Openssl    Valid Certificate    365
    ${bytes}=    OperatingSystem.Get Binary File    ${cert_file_path}
    ${file_data}=    Decode Bytes To String    ${bytes}    UTF-8

    # Install CA certificate.
    Redfishtool Install Certificate File On BMC    ${REDFISH_CA_CERTIFICATE_URI}    ok    data=${file_data}

    # Adding delay after certificate installation.
    Sleep    30s

    # Check error while uploading same certificate.
    Redfishtool Install Certificate File On BMC    ${REDFISH_CA_CERTIFICATE_URI}    error    data=${file_data}


Install Server Certificate Using Redfishtool And Verify Via OpenSSL
    [Documentation]    Install server certificate using Redfishtool and verify via OpenSSL.
    [Tags]    Install_Server_Certificate_Using_Redfishtool_And_Verify_Via_OpenSSL

    ${cert_file_path}=    Generate Certificate File Via Openssl    Valid Certificate Valid Privatekey
    ${bytes}=    OperatingSystem.Get Binary File    ${cert_file_path}
    ${file_data}=    Decode Bytes To String    ${bytes}    UTF-8

    ${certificate_dict}=    Create Dictionary
    ...    @odata.id=/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1

    ${dict_objects}=    Create Dictionary    CertificateString=${file_data}
    ...    CertificateType=PEM    CertificateUri=${certificate_dict}

    # Build the JSON body from the dictionary's string form (single quotes swapped for
    # double quotes) and wrap it in single quotes for the shell.
    ${string}=    Convert To String    ${dict_objects}
    ${string}=    Replace String    ${string}    '    "
    ${payload}=    Set Variable    '${string}'

    ${response}=    Redfishtool Post
    ...    ${payload}    /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate

    Wait Until Keyword Succeeds    2 mins    15 secs    Verify Certificate Visible Via OpenSSL    ${cert_file_path}


Verify CSR Generation For Server Certificate Via Redfishtool
    [Documentation]    Verify CSR generation for server certificate.
    [Tags]    Verify_CSR_Generation_For_Server_Certificate_Via_Redfishtool
    [Template]    Generate CSR Via Redfishtool

    # csr_type    key_pair_algorithm    key_bit_length    key_curv_id    expected_status
    Server        RSA                   ${2048}           ${EMPTY}       ok
    Server        EC                    ${EMPTY}          prime256v1     ok
    Server        EC                    ${EMPTY}          secp521r1      ok
    Server        EC                    ${EMPTY}          secp384r1      ok


Verify CSR Generation For Client Certificate Via Redfishtool
    [Documentation]    Verify CSR generation for client certificate.
    [Tags]    Verify_CSR_Generation_For_Client_Certificate_Via_Redfishtool
    [Template]    Generate CSR Via Redfishtool

    # csr_type    key_pair_algorithm    key_bit_length    key_curv_id    expected_status
    Client        RSA                   ${2048}           ${EMPTY}       ok
    Client        EC                    ${EMPTY}          prime256v1     ok
    Client        EC                    ${EMPTY}          secp521r1      ok
    Client        EC                    ${EMPTY}          secp384r1      ok


Verify CSR Generation For Server Certificate With Invalid Value Via Redfishtool
    [Documentation]    Verify error while generating CSR for server certificate with invalid value.
    [Tags]    Verify_CSR_Generation_For_Server_Certificate_With_Invalid_Value_Via_Redfishtool
    [Template]    Generate CSR Via Redfishtool

    # csr_type    key_pair_algorithm    key_bit_length      key_curv_id    expected_status
    Server        ${invalid_value}      ${2048}             prime256v1     error
    Server        RSA                   ${invalid_value}    ${EMPTY}       error


Verify CSR Generation For Client Certificate With Invalid Value Via Redfishtool
    [Documentation]    Verify error while generating CSR for client certificate with invalid value.
    [Tags]    Verify_CSR_Generation_For_Client_Certificate_With_Invalid_Value_Via_Redfishtool
    [Template]    Generate CSR Via Redfishtool

    # csr_type    key_pair_algorithm    key_bit_length      key_curv_id    expected_status
    Client        ${invalid_value}      ${2048}             prime256v1     error
    Client        RSA                   ${invalid_value}    ${EMPTY}       error

*** Keywords ***


Generate CSR Via Redfishtool
    [Documentation]    Generate CSR using Redfish.
    [Arguments]    ${cert_type}    ${key_pair_algorithm}    ${key_bit_length}    ${key_curv_id}    ${expected_status}

    # Description of argument(s):
    # cert_type             Certificate type ("Server" or "Client").
    # key_pair_algorithm    CSR key pair algorithm ("EC" or "RSA").
    # key_bit_length        CSR key bit length ("2048").
    # key_curv_id           CSR key curve id ("prime256v1" or "secp521r1" or "secp384r1").
    # expected_status       Expected status of the CSR generation Redfishtool request ("ok" or "error").

    ${certificate_uri}=    Set Variable If
    ...    '${cert_type}' == 'Server'    ${REDFISH_HTTPS_CERTIFICATE_URI}/
    ...    '${cert_type}' == 'Client'    ${REDFISH_LDAP_CERTIFICATE_URI}/

    ${certificate_dict}=    Create Dictionary    @odata.id=${certificate_uri}

    ${csr_dict}=    Create Dictionary    City=Austin    CertificateCollection=${certificate_dict}
    ...    CommonName=${OPENBMC_HOST}    Country=US    Organization=xyz
    ...    OrganizationalUnit=ISL    State=AU    KeyBitLength=${key_bit_length}
    ...    KeyPairAlgorithm=${key_pair_algorithm}    KeyCurveId=${key_curv_id}

    # Remove not applicable field for CSR generation.
    Run Keyword If    '${key_pair_algorithm}' == 'EC'    Remove From Dictionary    ${csr_dict}    KeyBitLength
    ...    ELSE IF    '${key_pair_algorithm}' == 'RSA'    Remove From Dictionary    ${csr_dict}    KeyCurveId

    ${expected_resp}=    Set Variable If    '${expected_status}' == 'ok'    ${HTTP_OK}
    ...    '${expected_status}' == 'error'    ${HTTP_BAD_REQUEST}

    ${string}=    Convert To String    ${csr_dict}

    ${string2}=    Replace String    ${string}    '    "

    ${payload}=    Set Variable    '${string2}'

    ${response}=    Redfishtool Post
    ...    ${payload}    /redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR
    ...    expected_error=${expected_resp}

    # Delay added between two CSR generation requests.
    Sleep    5s


Verify Redfishtool Install Certificate
    [Documentation]    Install and verify certificate using Redfishtool.
    [Arguments]    ${cert_type}    ${cert_format}    ${expected_status}    ${delete_cert}=${True}

    # Description of argument(s):
    # cert_type          Certificate type (e.g. "Client" or "CA").
    # cert_format        Certificate file format
    #                    (e.g. "Valid Certificate Valid Privatekey").
    # expected_status    Expected status of certificate install Redfishtool
    #                    request (i.e. "ok" or "error").
    # delete_cert        Certificate will be deleted before installing if this is True.

    Run Keyword If    '${cert_type}' == 'CA' and '${delete_cert}' == '${True}'
    ...    Delete All CA Certificate Via Redfisthtool
    ...    ELSE IF    '${cert_type}' == 'Client' and '${delete_cert}' == '${True}'
    ...    Redfishtool Delete Certificate Via BMC CLI    ${cert_type}

    ${cert_file_path}=    Generate Certificate File Via Openssl    ${cert_format}
    ${bytes}=    OperatingSystem.Get Binary File    ${cert_file_path}
    ${file_data}=    Decode Bytes To String    ${bytes}    UTF-8

    ${certificate_uri}=    Set Variable If
    ...    '${cert_type}' == 'Client'    ${REDFISH_LDAP_CERTIFICATE_URI}
    ...    '${cert_type}' == 'CA'    ${REDFISH_CA_CERTIFICATE_URI}

    ${cert_id}=    Redfishtool Install Certificate File On BMC
    ...    ${certificate_uri}    ${expected_status}    data=${file_data}
    Logging    Installed certificate id: ${cert_id}

    # Adding delay after certificate installation.
    Sleep    30s

    ${cert_file_content}=    OperatingSystem.Get File    ${cert_file_path}

    # Read the certificate back from the BMC and compare it with the uploaded file.
    ${bmc_cert_content}=    Run Keyword If    '${expected_status}' == 'ok'
    ...    Redfishtool GetAttribute    ${certificate_uri}/${cert_id}    CertificateString

    Run Keyword If    '${expected_status}' == 'ok'    Should Contain    ${cert_file_content}    ${bmc_cert_content}

    [Return]    ${cert_id}


Delete All CA Certificate Via Redfisthtool
    [Documentation]    Delete all CA certificate via Redfish.

    ${cmd_output}=    Redfishtool Get    /redfish/v1/Managers/bmc/Truststore/Certificates
    ${cmd_output}=    Convert String to JSON    ${cmd_output}
    ${cert_list}=    Set Variable    ${cmd_output["Members"]}
    FOR    ${cert}    IN    @{cert_list}
        Redfishtool Delete    ${cert["@odata.id"]}    ${root_cmd_args}
    END


Redfishtool Delete Certificate Via BMC CLI
    [Documentation]    Delete certificate via BMC CLI.
    [Arguments]    ${cert_type}

    # Description of argument(s):
    # cert_type    Certificate type (e.g. "Client" or "CA").

    ${certificate_file_path}    ${certificate_service}    ${certificate_uri}=
    ...    Run Keyword If    '${cert_type}' == 'Client'
    ...        Set Variable    /etc/nslcd/certs/cert.pem    phosphor-certificate-manager@nslcd.service
    ...        ${REDFISH_LDAP_CERTIFICATE_URI}
    ...    ELSE IF    '${cert_type}' == 'CA'
    ...        Set Variable    ${ROOT_CA_FILE_PATH}    phosphor-certificate-manager@authority.service
    ...        ${REDFISH_CA_CERTIFICATE_URI}

    ${file_status}    ${stderr}    ${rc}=    BMC Execute Command
    ...    [ -f ${certificate_file_path} ] && echo "Found" || echo "Not Found"

    Return From Keyword If    "${file_status}" != "Found"
    BMC Execute Command    rm ${certificate_file_path}
    BMC Execute Command    systemctl restart ${certificate_service}
    BMC Execute Command    systemctl daemon-reload


Redfishtool Install Certificate File On BMC
    [Documentation]    Install certificate file in BMC using POST operation.
    [Arguments]    ${uri}    ${status}=ok    &{kwargs}

    # Description of argument(s):
    # uri       URI for installing certificate file via Redfishtool.
    #           e.g. "/redfish/v1/AccountService/LDAP/Certificates".
    # status    Expected status of certificate installation via Redfishtool.
    #           e.g. error, ok.
    # kwargs    A dictionary of keys/values to be passed directly to
    #           POST Request.

    Initialize OpenBMC    20    ${quiet}=${1}    ${OPENBMC_USERNAME}    ${OPENBMC_PASSWORD}

    ${headers}=    Create Dictionary    Content-Type=application/octet-stream
    ...    X-Auth-Token=${XAUTH_TOKEN}
    Set To Dictionary    ${kwargs}    headers    ${headers}

    ${resp}=    POST On Session    openbmc    ${uri}    &{kwargs}    expected_status=any
    # A cert id of -1 marks a failed installation.
    ${cert_id}=    Set Variable If    '${resp.status_code}' == '${HTTP_OK}'    ${resp.json()["Id"]}    -1

    Run Keyword If    '${status}' == 'ok'
    ...    Should Be Equal As Strings    ${resp.status_code}    ${HTTP_OK}
    ...    ELSE IF    '${status}' == 'error'
    ...    Should Be Equal As Strings    ${resp.status_code}    ${HTTP_INTERNAL_SERVER_ERROR}

    Delete All Sessions

    [Return]    ${cert_id}


Verify Redfishtool Replace Certificate
    [Documentation]    Verify replace server certificate.
    [Arguments]    ${cert_type}    ${cert_format}    ${expected_status}

    # Description of argument(s):
    # cert_type          Certificate type (e.g. "Client", "Server" or "CA").
    # cert_format        Certificate file format
    #                    (e.g. "Valid_Certificate_Valid_Privatekey").
    # expected_status    Expected status of certificate replace Redfishtool
    #                    request (i.e. "ok" or "error").

    # Install certificate before replacing client or CA certificate.
    ${cert_id}=    Run Keyword If    '${cert_type}' == 'Client'
    ...    Verify Redfishtool Install Certificate    ${cert_type}    Valid Certificate Valid Privatekey    ok
    ...    ELSE IF    '${cert_type}' == 'CA'
    ...    Verify Redfishtool Install Certificate    ${cert_type}    Valid Certificate    ok

    ${cert_file_path}=    Generate Certificate File Via Openssl    ${cert_format}
    ${bytes}=    OperatingSystem.Get Binary File    ${cert_file_path}
    ${file_data}=    Decode Bytes To String    ${bytes}    UTF-8

    ${certificate_uri}=    Set Variable If
    ...    '${cert_type}' == 'Server'    ${REDFISH_HTTPS_CERTIFICATE_URI}/1
    ...    '${cert_type}' == 'Client'    ${REDFISH_LDAP_CERTIFICATE_URI}/1
    ...    '${cert_type}' == 'CA'    ${REDFISH_CA_CERTIFICATE_URI}/${cert_id}

    ${certificate_dict}=    Create Dictionary    @odata.id=${certificate_uri}
    ${dict_objects}=    Create Dictionary    CertificateString=${file_data}
    ...    CertificateType=PEM    CertificateUri=${certificate_dict}
    ${string}=    Convert To String    ${dict_objects}
    ${string}=    Replace String    ${string}    '    "
    ${payload}=    Set Variable    '${string}'

    ${expected_resp}=    Set Variable If    '${expected_status}' == 'ok'    ${HTTP_OK}
    ...    '${expected_status}' == 'error'    ${HTTP_NOT_FOUND}

    ${response}=    Redfishtool Post
    ...    ${payload}    /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
    ...    expected_error=${expected_resp}

    ${cert_file_content}=    OperatingSystem.Get File    ${cert_file_path}
    ${bmc_cert_content}=    Redfishtool GetAttribute    ${certificate_uri}    CertificateString

    # On success the BMC must serve the new certificate; on error the previously
    # installed certificate must still be in place.
    Run Keyword If    '${expected_status}' == 'ok'
    ...    Should Contain    ${cert_file_content}    ${bmc_cert_content}
    ...    ELSE
    ...    Should Not Contain    ${cert_file_content}    ${bmc_cert_content}


Redfishtool GetAttribute
    [Documentation]    Execute redfishtool for GET operation.
    [Arguments]    ${uri}    ${Attribute}    ${cmd_args}=${root_cmd_args}    ${expected_error}=""

    # Description of argument(s):
    # uri               URI for GET operation (e.g. /redfish/v1/AccountService/Accounts/).
    # Attribute         The specific attribute to be retrieved with the URI.
    # cmd_args          Commandline arguments.
    # expected_error    Expected error optionally provided in testcase (e.g. 401 /
    #                   authentication error, etc. ).

    ${rc}    ${cmd_output}=    Run and Return RC and Output    ${cmd_args} GET ${uri}
    Run Keyword If    ${rc} != 0    Is HTTP error Expected    ${cmd_output}    ${expected_error}

    ${cmd_output}=    Convert String to JSON    ${cmd_output}

    # Return the requested attribute rather than a hard-coded key.
    [Return]    ${cmd_output["${Attribute}"]}


Suite Setup Execution
    [Documentation]    Do suite setup execution.

    ${tool_exist}=    Run    which redfishtool
    Should Not Be Empty    ${tool_exist}

    # Create certificate sub-directory in current working directory.
    Create Directory    certificate_dir
