*** Settings ***


Documentation       Suite to test certificate via DMTF redfishtool.

Library             OperatingSystem
Library             String
Library             Collections

Resource            ../../lib/resource.robot
Resource            ../../lib/bmc_redfish_resource.robot
Resource            ../../lib/openbmc_ffdc.robot
Resource            ../../lib/certificate_utils.robot
Resource            ../../lib/dmtf_redfishtool_utils.robot

Suite Setup         Suite Setup Execution


*** Variables ***

${root_cmd_args} =  SEPARATOR=
...  redfishtool raw -r ${OPENBMC_HOST}:${HTTPS_PORT} -u ${OPENBMC_USERNAME} -p ${OPENBMC_PASSWORD} -S Always

${invalid_value}    abc

*** Test Cases ***


Verify Redfishtool Replace Server Certificate Valid CertKey
    [Documentation]  Verify replace server certificate.
    [Tags]  Verify_Redfishtool_Replace_Server_Certificate_Valid_CertKey

    Verify Redfishtool Replace Certificate  Server  Valid Certificate Valid Privatekey  ok


Verify Redfishtool Replace Client Certificate Valid CertKey
    [Documentation]  Verify replace client certificate.
    [Tags]  Verify_Redfishtool_Replace_Client_Certificate_Valid_CertKey

    Verify Redfishtool Replace Certificate  Client  Valid Certificate Valid Privatekey  ok


Verify Redfishtool Replace CA Certificate Valid Cert
    [Documentation]  Verify replace CA certificate.
    [Tags]  Verify_Redfishtool_Replace_CA_Certificate_Valid_Cert

    Verify Redfishtool Replace Certificate  CA  Valid Certificate  ok


Verify Redfishtool Client Certificate Install Valid CertKey
    [Documentation]  Verify client certificate installation.
    [Tags]  Verify_Redfishtool_Client_Certificate_Install_Valid_CertKey

    Verify Redfishtool Install Certificate  Client  Valid Certificate Valid Privatekey  ok


Verify Redfishtool CA Certificate Install Valid Cert
    [Documentation]  Verify CA Certificate installation.
    [Tags]  Verify_Redfishtool_CA_Certificate_Install_Valid_Cert

    Verify Redfishtool Install Certificate  CA  Valid Certificate  ok


Verify Redfishtool Replace Server Certificate Errors
    [Documentation]  Verify error while replacing invalid server certificate.
    [Tags]  Verify_Redfishtool_Replace_Server_Certificate_Errors
    [Template]  Verify Redfishtool Replace Certificate

    Server  Empty Certificate Empty Privatekey  error
    Server  Empty Certificate Valid Privatekey  error
    Server  Valid Certificate Empty Privatekey  error


Verify Redfishtool Replace Client Certificate Errors
    [Documentation]  Verify error while replacing invalid client certificate.
    [Tags]  Verify_Redfishtool_Replace_Client_Certificate_Errors
    [Template]  Verify Redfishtool Replace Certificate

    Client  Empty Certificate Empty Privatekey  error
    Client  Empty Certificate Valid Privatekey  error
    Client  Valid Certificate Empty Privatekey  error


Verify Redfishtool Replace CA Certificate Errors
    [Documentation]  Verify error while replacing invalid CA certificate.
    [Tags]  Verify_Redfishtool_Replace_CA_Certificate_Errors
    [Template]  Verify Redfishtool Replace Certificate

    CA  Empty Certificate  error


Verify Redfishtool Client Certificate Install Errors
    [Documentation]  Verify error while installing invalid client certificate.
    [Tags]  Verify_Redfishtool_Client_Certificate_Install_Errors
    [Template]  Verify Redfishtool Install Certificate

    Client  Empty Certificate Empty Privatekey  error
    Client  Empty Certificate Valid Privatekey  error
    Client  Valid Certificate Empty Privatekey  error


Verify Redfishtool CA Certificate Install Errors
    [Documentation]  Verify error while installing invalid CA certificate.
    [Tags]  Verify_Redfishtool_CA_Certificate_Install_Errors
    [Template]  Verify Redfishtool Install Certificate

    # cert_type  cert_format  expected_status
    CA  Empty Certificate  error


Verify Error While Uploading Same CA Certificate Via Redfishtool
    [Documentation]  Verify error while uploading same CA certificate two times.
    [Tags]  Verify_Error_While_Uploading_Same_CA_Certificate_Via_Redfishtool

    # Create certificate file for uploading.
    ${cert_file_path}=  Generate Certificate File Via Openssl  Valid Certificate  365
    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8

    # Install CA certificate.
    Redfishtool Install Certificate File On BMC  ${REDFISH_CA_CERTIFICATE_URI}  ok  data=${file_data}

    # Adding delay after certificate installation.
    Sleep  30s

    # Check error while uploading same certificate.
    Redfishtool Install Certificate File On BMC  ${REDFISH_CA_CERTIFICATE_URI}  error  data=${file_data}


Install Server Certificate Using Redfishtool And Verify Via OpenSSL
    [Documentation]  Install server certificate using Redfishtool and verify via OpenSSL.
    [Tags]  Install_Server_Certificate_Using_Redfishtool_And_Verify_Via_OpenSSL

    ${cert_file_path}=  Generate Certificate File Via Openssl  Valid Certificate Valid Privatekey
    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8

    ${certificate_dict}=  Create Dictionary
    ...  @odata.id=/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1

    ${dict_objects}=  Create Dictionary  CertificateString=${file_data}
    ...  CertificateType=PEM  CertificateUri=${certificate_dict}

    ${string}=  Convert To String  ${dict_objects}
    ${string}=  Replace String  ${string}  '  "
    ${payload}=  Set Variable  '${string}'

    ${response}=  Redfishtool Post
    ...  ${payload}  /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate

    Wait Until Keyword Succeeds  2 mins  15 secs  Verify Certificate Visible Via OpenSSL  ${cert_file_path}


Verify CSR Generation For Server Certificate Via Redfishtool
    [Documentation]  Verify CSR generation for server certificate.
    [Tags]  Verify_CSR_Generation_For_Server_Certificate_Via_Redfishtool
    [Template]  Generate CSR Via Redfishtool

    # csr_type  key_pair_algorithm  key_bit_length  key_curv_id  expected_status
    Server      RSA                 ${2048}         ${EMPTY}     ok
    Server      EC                  ${EMPTY}        prime256v1   ok
    Server      EC                  ${EMPTY}        secp521r1    ok
    Server      EC                  ${EMPTY}        secp384r1    ok


Verify CSR Generation For Client Certificate Via Redfishtool
    [Documentation]  Verify CSR generation for client certificate.
    [Tags]  Verify_CSR_Generation_For_Client_Certificate_Via_Redfishtool
    [Template]  Generate CSR Via Redfishtool

    # csr_type  key_pair_algorithm  key_bit_length  key_curv_id  expected_status
    Client      RSA                 ${2048}         ${EMPTY}     ok
    Client      EC                  ${EMPTY}        prime256v1   ok
    Client      EC                  ${EMPTY}        secp521r1    ok
    Client      EC                  ${EMPTY}        secp384r1    ok


Verify CSR Generation For Server Certificate With Invalid Value Via Redfishtool
    [Documentation]  Verify error while generating CSR for server certificate with invalid value.
    [Tags]  Verify_CSR_Generation_For_Server_Certificate_With_Invalid_Value_Via_Redfishtool
    [Template]  Generate CSR Via Redfishtool

    # csr_type  key_pair_algorithm  key_bit_length    key_curv_id  expected_status
    Server      ${invalid_value}    ${2048}           prime256v1   error
    Server      RSA                 ${invalid_value}  ${EMPTY}     error


Verify CSR Generation For Client Certificate With Invalid Value Via Redfishtool
    [Documentation]  Verify error while generating CSR for client certificate with invalid value.
    [Tags]  Verify_CSR_Generation_For_Client_Certificate_With_Invalid_Value_Via_Redfishtool
    [Template]  Generate CSR Via Redfishtool

    Client      ${invalid_value}    ${2048}           prime256v1   error
    Client      RSA                 ${invalid_value}  ${EMPTY}     error

*** Keywords ***


Generate CSR Via Redfishtool
    [Documentation]  Generate CSR using Redfish.
    [Arguments]  ${cert_type}  ${key_pair_algorithm}  ${key_bit_length}  ${key_curv_id}  ${expected_status}

    # Description of argument(s):
    # cert_type           Certificate type ("Server" or "Client").
    # key_pair_algorithm  CSR key pair algorithm ("EC" or "RSA").
    # key_bit_length      CSR key bit length ("2048").
    # key_curv_id         CSR key curve id ("prime256v1" or "secp521r1" or "secp384r1").
    # expected_status     Expected status of CSR generation Redfishtool request ("ok" or "error").

    ${certificate_uri}=  Set Variable If
    ...  '${cert_type}' == 'Server'  ${REDFISH_HTTPS_CERTIFICATE_URI}/
    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}/

    ${certificate_dict}=  Create Dictionary  @odata.id=${certificate_uri}

    ${csr_dict}=  Create Dictionary  City=Austin  CertificateCollection=${certificate_dict}
    ...  CommonName=${OPENBMC_HOST}  Country=US  Organization=IBM
    ...  OrganizationalUnit=ISL  State=AU  KeyBitLength=${key_bit_length}
    ...  KeyPairAlgorithm=${key_pair_algorithm}  KeyCurveId=${key_curv_id}

    # Remove the field that does not apply to the selected key pair algorithm.
    Run Keyword If  '${key_pair_algorithm}' == 'EC'  Remove From Dictionary  ${csr_dict}  KeyBitLength
    ...  ELSE IF  '${key_pair_algorithm}' == 'RSA'  Remove From Dictionary  ${csr_dict}  KeyCurveId

    ${expected_resp}=  Set Variable If  '${expected_status}' == 'ok'  ${HTTP_OK}
    ...  '${expected_status}' == 'error'  ${HTTP_BAD_REQUEST}

    ${string}=  Convert To String  ${csr_dict}

    ${string2}=  Replace String  ${string}  '  "

    ${payload}=  Set Variable  '${string2}'

    ${response}=  Redfishtool Post
    ...  ${payload}  /redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR
    ...  expected_error=${expected_resp}

    # Delay added between two CSR generation requests.
    Sleep  5s


Verify Redfishtool Install Certificate
    [Documentation]  Install and verify certificate using Redfishtool.
    [Arguments]  ${cert_type}  ${cert_format}  ${expected_status}  ${delete_cert}=${True}

    # Description of argument(s):
    # cert_type           Certificate type (e.g. "Client" or "CA").
    # cert_format         Certificate file format
    # expected_status     Expected status of certificate install Redfishtool
    #                     request (i.e. "ok" or "error").
    # delete_cert         Certificate will be deleted before installing if this is True.

    Run Keyword If  '${cert_type}' == 'CA' and '${delete_cert}' == '${True}'
    ...  Delete All CA Certificate Via Redfisthtool
    ...  ELSE IF  '${cert_type}' == 'Client' and '${delete_cert}' == '${True}'
    ...  Redfishtool Delete Certificate Via BMC CLI  ${cert_type}

    ${cert_file_path}=  Generate Certificate File Via Openssl  ${cert_format}
    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8

    ${certificate_uri}=  Set Variable If
    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}
    ...  '${cert_type}' == 'CA'  ${REDFISH_CA_CERTIFICATE_URI}

    ${cert_id}=  Redfishtool Install Certificate File On BMC
    ...  ${certificate_uri}  ${expected_status}  data=${file_data}
    Logging  Installed certificate id: ${cert_id}

    # Adding delay after certificate installation.
    Sleep  30s

    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}

    ${bmc_cert_content}=  Run Keyword If  '${expected_status}' == 'ok'
    ...  Redfishtool GetAttribute  ${certificate_uri}/${cert_id}  CertificateString

    Run Keyword If  '${expected_status}' == 'ok'  Should Contain  ${cert_file_content}  ${bmc_cert_content}

    [Return]  ${cert_id}


Delete All CA Certificate Via Redfisthtool
    [Documentation]  Delete all CA certificate via Redfish.

    ${cmd_output}=  Redfishtool Get  /redfish/v1/Managers/bmc/Truststore/Certificates
    ${json_object}=  To JSON  ${cmd_output}
    ${cert_list}=  Set Variable  ${json_object["Members"]}
    FOR  ${cert}  IN  @{cert_list}
      Redfishtool Delete  ${cert["@odata.id"]}  ${root_cmd_args}
    END


Redfishtool Delete Certificate Via BMC CLI
    [Documentation]  Delete certificate via BMC CLI.
    [Arguments]  ${cert_type}

    # Description of argument(s):
    # cert_type           Certificate type (e.g. "Client" or "CA").

    ${certificate_file_path}  ${certificate_service}  ${certificate_uri}=
    ...  Run Keyword If  '${cert_type}' == 'Client'
    ...    Set Variable  /etc/nslcd/certs/cert.pem  phosphor-certificate-manager@nslcd.service
    ...    ${REDFISH_LDAP_CERTIFICATE_URI}
    ...  ELSE IF  '${cert_type}' == 'CA'
    ...    Set Variable  ${ROOT_CA_FILE_PATH}  phosphor-certificate-manager@authority.service
    ...    ${REDFISH_CA_CERTIFICATE_URI}

    ${file_status}  ${stderr}  ${rc}=  BMC Execute Command
    ...  [ -f ${certificate_file_path} ] && echo "Found" || echo "Not Found"

    Return From Keyword If  "${file_status}" != "Found"
    BMC Execute Command  rm ${certificate_file_path}
    BMC Execute Command  systemctl restart ${certificate_service}
    BMC Execute Command  systemctl daemon-reload


Redfishtool Install Certificate File On BMC
    [Documentation]  Install certificate file in BMC using POST operation.
    [Arguments]  ${uri}  ${status}=ok  &{kwargs}

    # Description of argument(s):
    # uri     URI for installing certificate file via Redfishtool.
    #         e.g. "/redfish/v1/AccountService/LDAP/Certificates".
    # status  Expected status of certificate installation via Redfishtool.
    #         e.g. error, ok.
    # kwargs  A dictionary of keys/values to be passed directly to
    #         POST Request.

    Initialize OpenBMC  20  ${quiet}=${1}  ${OPENBMC_USERNAME}  ${OPENBMC_PASSWORD}

    ${headers}=  Create Dictionary  Content-Type=application/octet-stream
    ...  X-Auth-Token=${XAUTH_TOKEN}
    Set To Dictionary  ${kwargs}  headers  ${headers}

    ${ret}=  Post Request  openbmc  ${uri}  &{kwargs}
    ${content_json}=  To JSON  ${ret.content}
    ${cert_id}=  Set Variable If  '${ret.status_code}' == '${HTTP_OK}'  ${content_json["Id"]}  -1

    Run Keyword If  '${status}' == 'ok'
    ...  Should Be Equal As Strings  ${ret.status_code}  ${HTTP_OK}
    ...  ELSE IF  '${status}' == 'error'
    ...  Should Be Equal As Strings  ${ret.status_code}  ${HTTP_INTERNAL_SERVER_ERROR}

    Delete All Sessions

    [Return]  ${cert_id}


Verify Redfishtool Replace Certificate
    [Documentation]  Verify replace server certificate.
    [Arguments]  ${cert_type}  ${cert_format}  ${expected_status}

    # Description of argument(s):
    # cert_type           Certificate type (e.g. "Client", "Server" or "CA").
    # cert_format         Certificate file format
    #                     (e.g. "Valid_Certificate_Valid_Privatekey").
    # expected_status     Expected status of certificate replace Redfishtool
    #                     request (i.e. "ok" or "error").

    # Install certificate before replacing client or CA certificate.
    ${cert_id}=  Run Keyword If  '${cert_type}' == 'Client'
    ...    Verify Redfishtool Install Certificate  ${cert_type}  Valid Certificate Valid Privatekey  ok
    ...  ELSE IF  '${cert_type}' == 'CA'
    ...    Verify Redfishtool Install Certificate  ${cert_type}  Valid Certificate  ok

    ${cert_file_path}=  Generate Certificate File Via Openssl  ${cert_format}
    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8

    ${certificate_uri}=  Set Variable If
    ...  '${cert_type}' == 'Server'  ${REDFISH_HTTPS_CERTIFICATE_URI}/1
    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}/1
    ...  '${cert_type}' == 'CA'  ${REDFISH_CA_CERTIFICATE_URI}/${cert_id}

    ${certificate_dict}=  Create Dictionary  @odata.id=${certificate_uri}
    ${dict_objects}=  Create Dictionary  CertificateString=${file_data}
    ...  CertificateType=PEM  CertificateUri=${certificate_dict}
    ${string}=  Convert To String  ${dict_objects}
    ${string}=  Replace String  ${string}  '  "
    ${payload}=  Set Variable  '${string}'

    ${expected_resp}=  Set Variable If  '${expected_status}' == 'ok'  ${HTTP_OK}
    ...  '${expected_status}' == 'error'  ${HTTP_NOT_FOUND}

    ${response}=  Redfishtool Post
    ...  ${payload}  /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
    ...  expected_error=${expected_resp}

    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}
    ${bmc_cert_content}=  Redfishtool GetAttribute  ${certificate_uri}  CertificateString

    Run Keyword If  '${expected_status}' == 'ok'
    ...    Should Contain  ${cert_file_content}  ${bmc_cert_content}
    ...  ELSE
    ...    Should Not Contain  ${cert_file_content}  ${bmc_cert_content}


Redfishtool GetAttribute
    [Documentation]  Execute redfishtool for GET operation.
    [Arguments]  ${uri}  ${Attribute}  ${cmd_args}=${root_cmd_args}  ${expected_error}=""

    # Description of argument(s):
    # uri             URI for GET operation (e.g. /redfish/v1/AccountService/Accounts/).
    # Attribute       The specific attribute to be retrieved with the URI.
    # cmd_args        Commandline arguments.
    # expected_error  Expected error optionally provided in testcase (e.g. 401 /
    #                 authentication error, etc. ).

    ${rc}  ${cmd_output}=  Run and Return RC and Output  ${cmd_args} GET ${uri}
    Run Keyword If  ${rc} != 0  Is HTTP error Expected  ${cmd_output}  ${expected_error}
    ${json_object}=  To JSON  ${cmd_output}

    # Return the attribute named by the caller rather than a fixed key.
    [Return]  ${json_object["${Attribute}"]}


Suite Setup Execution
    [Documentation]  Do suite setup execution.

    ${tool_exist}=  Run  which redfishtool
    Should Not Be Empty  ${tool_exist}

    # Create certificate sub-directory in current working directory.
    Create Directory  certificate_dir