*** Settings ***
Documentation    Test certificate in OpenBMC.

# Project resource files that supply the keywords used below (their
# contents are not part of this file).
Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot
Resource         ../../lib/certificate_utils.robot
Library          String

# Every test in this suite carries this tag.
Force Tags       Certificate_Test

Suite Setup      Suite Setup Execution
Suite Teardown   Suite Teardown
Test Teardown    Test Teardown Execution


*** Variables ***

# Deliberately bogus value fed into CSR parameters by the negative tests.
${invalid_value}  abc
# Not referenced in this file; presumably read by resource keywords - confirm.
${ROOT_CA_FILE_PATH}  /etc/ssl/certs/authority/*


*** Test Cases ***

Verify Server Certificate Replace
    [Documentation]  Replace the server (HTTPS) certificate and verify that
    ...  only a complete certificate/private key file is accepted.
    [Tags]  Verify_Server_Certificate_Replace
    [Template]  Replace Certificate Via Redfish

    # One templated run per row.
    # cert_type  cert_format                         expected_status
    Server       Valid Certificate Valid Privatekey  ok
    Server       Empty Certificate Valid Privatekey  error
    Server       Valid Certificate Empty Privatekey  error
    Server       Empty Certificate Empty Privatekey  error


Verify Client Certificate Replace
    [Documentation]  Replace the client (LDAP) certificate and verify that
    ...  only a complete certificate/private key file is accepted.
    [Tags]  Verify_Client_Certificate_Replace
    [Template]  Replace Certificate Via Redfish

    # One templated run per row; the template installs a valid client
    # certificate first so that there is something to replace.
    # cert_type  cert_format                         expected_status
    Client       Valid Certificate Valid Privatekey  ok
    Client       Empty Certificate Valid Privatekey  error
    Client       Valid Certificate Empty Privatekey  error
    Client       Empty Certificate Empty Privatekey  error


Verify CA Certificate Replace
    [Documentation]  Replace a truststore CA certificate and verify that an
    ...  empty certificate file is rejected.
    [Tags]  Verify_CA_Certificate_Replace
    [Template]  Replace Certificate Via Redfish

    # One templated run per row; the template installs a valid CA
    # certificate first and replaces the id that install returned.
    # cert_type  cert_format        expected_status
    CA           Valid Certificate  ok
    CA           Empty Certificate  error


Verify Client Certificate Install
    [Documentation]  Install a client (LDAP) certificate and verify that
    ...  only a complete certificate/private key file is accepted.
    [Tags]  Verify_Client_Certificate_Install
    [Template]  Install And Verify Certificate Via Redfish

    # One templated run per row; delete_cert keeps its default, so any
    # existing client certificate is removed before each install.
    # cert_type  cert_format                         expected_status
    Client       Valid Certificate Valid Privatekey  ok
    Client       Empty Certificate Valid Privatekey  error
    Client       Valid Certificate Empty Privatekey  error
    Client       Empty Certificate Empty Privatekey  error


Verify CA Certificate Install
    [Documentation]  Install a CA certificate into the truststore and verify
    ...  that an empty certificate file is rejected.
    [Tags]  Verify_CA_Certificate_Install
    [Template]  Install And Verify Certificate Via Redfish

    # One templated run per row; delete_cert keeps its default, so all CA
    # certificates are removed before each install.
    # cert_type  cert_format        expected_status
    CA           Valid Certificate  ok
    CA           Empty Certificate  error


Verify Maximum CA Certificate Install
    [Documentation]  Fill the truststore up to 10 CA certificates and verify
    ...  that one more install is rejected.
    [Tags]  Verify_Maximum_CA_Certificate_Install
    # Replaces the suite-level test teardown: collect FFDC on failure, then
    # empty the truststore again.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Delete All CA Certificate Via Redfish

    # Count the CA certificates already present on the BMC.
    ${installed_certs}=  Redfish_Utils.Get Member List
    ...  /redfish/v1/Managers/bmc/Truststore/Certificates
    ${cert_count}=  Get Length  ${installed_certs}

    # Top up to 10 certificates. delete_cert is ${FALSE} so that the
    # certificates installed so far are kept instead of being wiped first.
    FOR  ${INDEX}  IN RANGE  ${cert_count}  10
        Install And Verify Certificate Via Redfish  CA  Valid Certificate  ok  ${FALSE}
        ${cert_count}=  Evaluate  ${cert_count} + 1
    END

    # The 11th CA certificate must be refused.
    Install And Verify Certificate Via Redfish  CA  Valid Certificate  error  ${FALSE}


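Verify Error While Uploading Same CA Certificate
    [Documentation]  Verify error while uploading same CA certificate two times.
    [Tags]  Verify_Error_While_Uploading_Same_CA_Certificate
    # Same teardown as the maximum-count test: without it the throwaway CA
    # installed below would stay in the BMC truststore after the test.
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Delete All CA Certificate Via Redfish

    # Create certificate file for uploading.
    # NOTE(review): 365 is presumably the validity period in days - confirm
    # against "Generate Certificate File Via Openssl".
    ${cert_file_path}=  Generate Certificate File Via Openssl  Valid Certificate  365
    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8

    # First upload is expected to succeed.
    Install Certificate File On BMC  ${REDFISH_CA_CERTIFICATE_URI}  ok  data=${file_data}

    # Adding delay after certificate installation.
    Sleep  30s

    # Uploading the identical certificate again must be rejected.
    Install Certificate File On BMC  ${REDFISH_CA_CERTIFICATE_URI}  error  data=${file_data}

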
Verify Server Certificate View Via Openssl
    [Documentation]  Replace the HTTPS certificate and verify through the
    ...  openssl-based helper keyword that it becomes visible.
    [Tags]  Verify_Server_Certificate_View_Via_Openssl

    # Generate a certificate/key file and read it back as text.
    ${cert_file_path}=  Generate Certificate File Via Openssl  Valid Certificate Valid Privatekey
    ${cert_bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${cert_text}=  Decode Bytes To String  ${cert_bytes}  UTF-8

    # ReplaceCertificate payload aimed at HTTPS certificate 1.
    ${target}=  Create Dictionary
    ...  @odata.id=/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1
    ${payload}=  Create Dictionary  CertificateString=${cert_text}
    ...  CertificateType=PEM  CertificateUri=${target}

    # No valid_status_codes given here, so the wrapper's default applies.
    ${resp}=  redfish.Post  /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
    ...  body=${payload}

    # Retry every 15 seconds for up to 2 minutes until the check passes.
    Wait Until Keyword Succeeds  2 mins  15 secs  Verify Certificate Visible Via OpenSSL  ${cert_file_path}


Verify CSR Generation For Server Certificate
    [Documentation]  Generate a server certificate CSR for each supported
    ...  key pair algorithm and curve.
    [Tags]  Verify_CSR_Generation_For_Server_Certificate
    [Template]  Generate CSR Via Redfish

    # RSA rows carry a key length and no curve; EC rows the other way round.
    # csr_type  key_pair_algorithm  key_bit_length  key_curv_id  expected_status
    Server      RSA                 ${2048}         ${EMPTY}     ok
    Server      EC                  ${EMPTY}        prime256v1   ok
    Server      EC                  ${EMPTY}        secp521r1    ok
    Server      EC                  ${EMPTY}        secp384r1    ok


Verify CSR Generation For Client Certificate
    [Documentation]  Generate a client certificate CSR for each supported
    ...  key pair algorithm and curve.
    [Tags]  Verify_CSR_Generation_For_Client_Certificate
    [Template]  Generate CSR Via Redfish

    # RSA rows carry a key length and no curve; EC rows the other way round.
    # csr_type  key_pair_algorithm  key_bit_length  key_curv_id  expected_status
    Client      RSA                 ${2048}         ${EMPTY}     ok
    Client      EC                  ${EMPTY}        prime256v1   ok
    Client      EC                  ${EMPTY}        secp521r1    ok
    Client      EC                  ${EMPTY}        secp384r1    ok


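Verify CSR Generation For Server Certificate With Invalid Value
    [Documentation]  Verify error while generating CSR for server certificate with invalid value.
    [Tags]  Verify_CSR_Generation_For_Server_Certificate_With_Invalid_Value
    [Template]  Generate CSR Via Redfish

    # Each row makes exactly one field invalid, so a rejection can be
    # attributed to that field. The second row previously read "RAS": the
    # algorithm was invalid as well, the row could pass without the invalid
    # key length ever being checked, and the template did not strip
    # KeyCurveId because the algorithm was neither "EC" nor "RSA".
    # csr_type  key_pair_algorithm  key_bit_length    key_curv_id       expected_status
    Server      ${invalid_value}    ${2048}           prime256v1        error
    Server      RSA                 ${invalid_value}  ${EMPTY}          error
    Server      EC                  ${EMPTY}          ${invalid_value}  error

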
Verify CSR Generation For Client Certificate With Invalid Value
    [Documentation]  Verify that CSR generation for a client certificate is
    ...  rejected when one parameter is invalid.
    [Tags]  Verify_CSR_Generation_For_Client_Certificate_With_Invalid_Value
    [Template]  Generate CSR Via Redfish

    # Each row makes exactly one field invalid.
    # csr_type  key_pair_algorithm  key_bit_length    key_curv_id       expected_status
    Client      ${invalid_value}    ${2048}           prime256v1        error
    Client      RSA                 ${invalid_value}  ${EMPTY}          error
    Client      EC                  ${EMPTY}          ${invalid_value}  error


Verify Expired Certificate Install
    [Documentation]  Verify that installing an expired certificate is rejected.
    [Tags]  Verify_Expired_Certificate_Install
    # Record the BMC date first; the teardown writes that value back.
    [Setup]  Run Keywords  Get Current BMC Date  AND  Modify BMC Date
    [Template]  Install And Verify Certificate Via Redfish
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore BMC Date

    # For this cert_format the template moves the BMC date 375 days ahead
    # before the install.
    # cert_type  cert_format          expected_status
    Client       Expired Certificate  error
    CA           Expired Certificate  error


Verify Expired Certificate Replace
    [Documentation]  Verify that replacing a certificate with an expired one
    ...  is rejected.
    [Tags]  Verify_Expired_Certificate_Replace
    # Record the BMC date first; the teardown writes that value back.
    [Setup]  Run Keywords  Get Current BMC Date  AND  Modify BMC Date
    [Template]  Replace Certificate Via Redfish
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore BMC Date

    # For this cert_format the template moves the BMC date 375 days ahead
    # before the replace request.
    # cert_type  cert_format          expected_status
    Server       Expired Certificate  error


Verify Not Yet Valid Certificate Install
    [Documentation]  Verify installation of certificates whose validity
    ...  period has not started yet.
    [Tags]  Verify_Not_Yet_Valid_Certificate_Install
    # Record the BMC date first; the teardown writes that value back.
    [Setup]  Run Keywords  Get Current BMC Date  AND  Modify BMC Date
    [Template]  Install And Verify Certificate Via Redfish
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore BMC Date

    # For this cert_format the template moves the BMC date 375 days back
    # before the install.
    # NOTE(review): "ok" pins acceptance of a certificate that is not yet
    # valid by the BMC clock - confirm that this is the intended policy.
    # cert_type  cert_format                expected_status
    Client       Not Yet Valid Certificate  ok
    CA           Not Yet Valid Certificate  ok


Verify Not Yet Valid Certificate Replace
    [Documentation]  Verify replacing a certificate with one whose validity
    ...  period has not started yet.
    [Tags]  Verify_Not_Yet_Valid_Certificate_Replace
    # Record the BMC date first; the teardown writes that value back.
    [Setup]  Run Keywords  Get Current BMC Date  AND  Modify BMC Date
    [Template]  Replace Certificate Via Redfish
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore BMC Date

    # For this cert_format the template moves the BMC date 375 days back
    # before the replace request.
    # NOTE(review): "ok" pins acceptance of a certificate that is not yet
    # valid by the BMC clock - confirm that this is the intended policy.
    # cert_type  cert_format                expected_status
    Server       Not Yet Valid Certificate  ok
    Client       Not Yet Valid Certificate  ok
    CA           Not Yet Valid Certificate  ok


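Verify Certificates Location Via Redfish
    [Documentation]  Verify the location of certificates via Redfish.
    [Tags]  Verify_Certificates_Location_Via_Redfish

    # Install a CA certificate so that a known id has to appear in the list.
    ${cert_id}=  Install And Verify Certificate Via Redfish
    ...  CA  Valid Certificate  ok

    ${resp}=  Redfish.Get  /redfish/v1/CertificateService/CertificateLocations
    ${Links}=  Get From Dictionary  ${resp.dict}  Links

    ${match_cert}=  Catenate
    ...  /redfish/v1/Managers/bmc/Truststore/Certificates/${cert_id}
    ${match}=  Set Variable  ${False}

    # Walk every listed certificate; the flag flips once the expected URI is
    # seen. Both operands used to end in a stray "}": harmless while they
    # matched, but a one-sided edit would have made the comparison never
    # succeed.
    FOR  ${Certificates_dict}  IN  @{Links['Certificates']}
        Continue For Loop If
        ...  "${Certificates_dict['@odata.id']}" != "${match_cert}"
        ${match}=  Set Variable  ${True}
    END

    Should Be Equal  ${match}  ${True}
    ...  msg=Verify the location of certificates via Redfish fail.

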
*** Keywords ***

Install And Verify Certificate Via Redfish
    [Documentation]  Install a certificate through Redfish and, when success
    ...  is expected, verify the content reported back by the BMC.
    [Arguments]  ${cert_type}  ${cert_format}  ${expected_status}  ${delete_cert}=${True}

    # Description of argument(s):
    # cert_type           Certificate type ("Client" or "CA"); any other
    #                     value leaves the target URI unset.
    # cert_format         Kind of certificate file to generate
    #                     (e.g. "Valid Certificate Valid Privatekey").
    # expected_status     Expected outcome of the install request
    #                     (i.e. "ok" or "error").
    # delete_cert         When true, existing certificates of this type are
    #                     deleted before the install.
    # Returns the value handed back by "Install Certificate File On BMC".

    # Start from a clean slate unless the caller opted out.
    Run Keyword If  '${cert_type}' == 'CA' and '${delete_cert}' == '${True}'
    ...    Delete All CA Certificate Via Redfish
    ...  ELSE IF  '${cert_type}' == 'Client' and '${delete_cert}' == '${True}'
    ...    Delete Certificate Via BMC CLI  ${cert_type}

    # Collection the certificate is posted to.
    ${certificate_uri}=  Set Variable If
    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}
    ...  '${cert_type}' == 'CA'  ${REDFISH_CA_CERTIFICATE_URI}

    # Generate the certificate file and read it back as text.
    ${cert_file_path}=  Generate Certificate File Via Openssl  ${cert_format}
    ${cert_bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${file_data}=  Decode Bytes To String  ${cert_bytes}  UTF-8

    # Shift the BMC clock so that the freshly generated certificate falls
    # outside its validity window from the BMC's point of view.
    Run Keyword If  '${cert_format}' == 'Expired Certificate'
    ...    Modify BMC Date  future
    ...  ELSE IF  '${cert_format}' == 'Not Yet Valid Certificate'
    ...    Modify BMC Date  old

    ${cert_id}=  Install Certificate File On BMC  ${certificate_uri}  ${expected_status}  data=${file_data}
    Logging  Installed certificate id: ${cert_id}

    # Adding delay after certificate installation.
    Sleep  30s

    # The read-back and the comparison only run when success is expected.
    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}
    ${bmc_cert_content}=  Run Keyword If  '${expected_status}' == 'ok'
    ...    redfish_utils.Get Attribute  ${certificate_uri}/${cert_id}  CertificateString

    Run Keyword If  '${expected_status}' == 'ok'
    ...    Should Contain  ${cert_file_content}  ${bmc_cert_content}
    [Return]  ${cert_id}

Modify BMC Date
    [Documentation]  Disable NTP on the BMC and set its date manually.
    [Arguments]  ${date_set_type}=current

    # Description of argument(s):
    # date_set_type    Which date to set on the BMC:
    #                  current - current local date of the test runner.
    #                  future  - 375 days after the current date.
    #                  old     - 375 days before the current date.
    #                  Any other value leaves the new date unset.

    Redfish Power Off  stack_mode=skip
    ${now}=  Get Current Date
    ${new_time}=  Run Keyword If  '${date_set_type}' == 'current'
    ...    Set Variable  ${now}
    ...  ELSE IF  '${date_set_type}' == 'future'
    ...    Add Time To Date  ${now}  375 days
    ...  ELSE IF  '${date_set_type}' == 'old'
    ...    Subtract Time From Date  ${now}  375 days

    # Turn NTP off (manual time mode) before patching the date.
    # NOTE(review): nothing in this file turns NTP back on afterwards.
    Redfish.Patch  ${REDFISH_NW_PROTOCOL_URI}
    ...  body={'NTP':{'ProtocolEnabled': ${False}}}
    ...  valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}]
    Sleep  2s
    Redfish.Patch  ${REDFISH_BASE_URI}Managers/bmc  body={'DateTime': '${new_time}'}
    ...  valid_status_codes=[${HTTP_OK}]

Get Current BMC Date
    [Documentation]  Record the BMC date so that it can be restored later.

    # Stored with test scope; "Restore BMC Date" reads ${cli_date_time}.
    ${cli_date_time}=  CLI Get BMC DateTime
    Set Test Variable  ${cli_date_time}

Restore BMC Date
    [Documentation]  Write the date recorded by "Get Current BMC Date" back
    ...  to the BMC.

    # The value was captured when the test was set up, so the BMC clock ends
    # up behind real time by roughly the duration of the test.
    # NOTE(review): NTP, switched off in "Modify BMC Date", is not switched
    # back on here - confirm the lab resynchronises the clock elsewhere,
    # since clock skew affects later certificate validity checks.
    Redfish.Patch  ${REDFISH_BASE_URI}Managers/bmc  body={'DateTime': '${cli_date_time}'}
    ...  valid_status_codes=[${HTTP_OK}]

Replace Certificate Via Redfish
    [Documentation]  Test 'replace certificate' operation in the BMC via Redfish.
    [Arguments]  ${cert_type}  ${cert_format}  ${expected_status}

    # Description of argument(s):
    # cert_type           Certificate type ("Server", "Client" or "CA").
    # cert_format         Kind of certificate file to generate
    #                     (e.g. "Valid Certificate Valid Privatekey").
    # expected_status     Expected outcome of the replace request
    #                     (i.e. "ok" or "error").

    # Client and CA need an installed certificate to replace; for the CA the
    # id returned by the install selects the entry to replace.
    ${cert_id}=  Run Keyword If  '${cert_type}' == 'Client'
    ...    Install And Verify Certificate Via Redfish  ${cert_type}  Valid Certificate Valid Privatekey  ok
    ...  ELSE IF  '${cert_type}' == 'CA'
    ...    Install And Verify Certificate Via Redfish  ${cert_type}  Valid Certificate  ok

    # Generate the replacement certificate and read it back as text.
    ${cert_file_path}=  Generate Certificate File Via Openssl  ${cert_format}
    ${cert_bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${file_data}=  Decode Bytes To String  ${cert_bytes}  UTF-8

    # Shift the BMC clock so that the freshly generated certificate falls
    # outside its validity window from the BMC's point of view.
    Run Keyword If  '${cert_format}' == 'Expired Certificate'
    ...    Modify BMC Date  future
    ...  ELSE IF  '${cert_format}' == 'Not Yet Valid Certificate'
    ...    Modify BMC Date  old

    # Resource whose certificate gets replaced.
    ${certificate_uri}=  Set Variable If
    ...  '${cert_type}' == 'Server'  ${REDFISH_HTTPS_CERTIFICATE_URI}/1
    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}/1
    ...  '${cert_type}' == 'CA'  ${REDFISH_CA_CERTIFICATE_URI}/${cert_id}

    ${certificate_dict}=  Create Dictionary  @odata.id=${certificate_uri}
    ${payload}=  Create Dictionary  CertificateString=${file_data}
    ...  CertificateType=PEM  CertificateUri=${certificate_dict}

    # NOTE(review): an internal server error counts as an acceptable
    # rejection here, so a BMC-side fault on malformed input would pass
    # unnoticed - confirm which status the BMC is meant to return.
    ${expected_resp}=  Set Variable If  '${expected_status}' == 'ok'  ${HTTP_OK}
    ...  '${expected_status}' == 'error'  ${HTTP_NOT_FOUND}, ${HTTP_INTERNAL_SERVER_ERROR}
    ${resp}=  redfish.Post  /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
    ...  body=${payload}  valid_status_codes=[${expected_resp}]

    # Read the certificate back in both cases: on success it must be the new
    # one, on failure it must not be.
    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}
    ${bmc_cert_content}=  redfish_utils.Get Attribute  ${certificate_uri}  CertificateString

    Run Keyword If  '${expected_status}' == 'ok'
    ...    Should Contain  ${cert_file_content}  ${bmc_cert_content}
    ...  ELSE
    ...    Should Not Contain  ${cert_file_content}  ${bmc_cert_content}


Generate CSR Via Redfish
    [Documentation]  Request CSR generation through Redfish and check the
    ...  response status.
    [Arguments]  ${cert_type}  ${key_pair_algorithm}  ${key_bit_length}  ${key_curv_id}  ${expected_status}

    # Description of argument(s):
    # cert_type           Certificate type ("Server" or "Client").
    # key_pair_algorithm  CSR key pair algorithm ("EC" or "RSA").
    # key_bit_length      CSR key bit length ("2048").
    # key_curv_id         CSR key curve id ("prime256v1" or "secp521r1" or "secp384r1").
    # expected_status     Expected outcome of the CSR generation request
    #                     ("ok" or "error").

    # Certificate collection the CSR is generated for.
    ${certificate_uri}=  Set Variable If
    ...  '${cert_type}' == 'Server'  ${REDFISH_HTTPS_CERTIFICATE_URI}/
    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}/

    ${certificate_dict}=  Create Dictionary  @odata.id=${certificate_uri}
    ${payload}=  Create Dictionary  City=Austin  CertificateCollection=${certificate_dict}
    ...  CommonName=${OPENBMC_HOST}  Country=US  Organization=IBM
    ...  OrganizationalUnit=ISL  State=AU  KeyBitLength=${key_bit_length}
    ...  KeyPairAlgorithm=${key_pair_algorithm}  KeyCurveId=${key_curv_id}

    # Drop the field that does not apply to the chosen algorithm. For any
    # other algorithm value both fields stay in the payload.
    Run Keyword If  '${key_pair_algorithm}' == 'EC'
    ...    Remove From Dictionary  ${payload}  KeyBitLength
    ...  ELSE IF  '${key_pair_algorithm}' == 'RSA'
    ...    Remove From Dictionary  ${payload}  KeyCurveId

    # NOTE(review): an internal server error counts as an acceptable
    # rejection here, so a BMC-side fault on invalid parameters would pass
    # unnoticed - confirm which status the BMC is meant to return.
    ${expected_resp}=  Set Variable If  '${expected_status}' == 'ok'  ${HTTP_OK}
    ...  '${expected_status}' == 'error'  ${HTTP_INTERNAL_SERVER_ERROR}, ${HTTP_BAD_REQUEST}
    ${resp}=  redfish.Post  /redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR
    ...  body=${payload}  valid_status_codes=[${expected_resp}]

    # Delay added between two CSR generation request.
    Sleep  5s


Suite Setup Execution
    [Documentation]  Prepare the working directory and log in to Redfish.

    # Create certificate sub-directory in current working directory.
    # NOTE(review): presumably the generated certificate and private key
    # files are written here; nothing in this file removes them - confirm.
    Create Directory  certificate_dir
    Redfish.Login


Test Teardown Execution
    [Documentation]  Post-test teardown: collect FFDC when the test failed.

    FFDC On Test Case Fail

Suite Teardown
    [Documentation]  Suite teardown: close the Redfish session.

    # NOTE(review): only the session is closed; certificates that the tests
    # installed or replaced on the BMC are not removed here.
    Redfish.Logout
