1*** Settings ***
2Documentation    Test certificate in OpenBMC.
3
4Resource         ../../lib/resource.robot
5Resource         ../../lib/bmc_redfish_resource.robot
6Resource         ../../lib/openbmc_ffdc.robot
7Resource         ../../lib/certificate_utils.robot
8Library          String
9
10Force Tags       Certificate_Test
11
12Suite Setup      Suite Setup Execution
13Test Teardown    Test Teardown Execution
14
15
16*** Variables ***
17
18${invalid_value}  abc
19${ROOT_CA_FILE_PATH}  /etc/ssl/certs/authority/*
20
21
22** Test Cases **
23
24Verify Server Certificate Replace
25    [Documentation]  Verify server certificate replace.
26    [Tags]  Verify_Server_Certificate_Replace
27    [Template]  Replace Certificate Via Redfish
28
29    # cert_type  cert_format                         expected_status
30    Server       Valid Certificate Valid Privatekey  ok
31    Server       Empty Certificate Valid Privatekey  error
32    Server       Valid Certificate Empty Privatekey  error
33    Server       Empty Certificate Empty Privatekey  error
34
35
36Verify Client Certificate Replace
37    [Documentation]  Verify client certificate replace.
38    [Tags]  Verify_Client_Certificate_Replace
39    [Template]  Replace Certificate Via Redfish
40
41    # cert_type  cert_format                         expected_status
42    Client       Valid Certificate Valid Privatekey  ok
43    Client       Empty Certificate Valid Privatekey  error
44    Client       Valid Certificate Empty Privatekey  error
45    Client       Empty Certificate Empty Privatekey  error
46
47
48Verify CA Certificate Replace
49    [Documentation]  Verify CA certificate replace.
50    [Tags]  Verify_CA_Certificate_Replace
51    [Template]  Replace Certificate Via Redfish
52
53    # cert_type  cert_format        expected_status
54    CA           Valid Certificate  ok
55    CA           Empty Certificate  error
56
57
58Verify Client Certificate Install
59    [Documentation]  Verify client certificate install.
60    [Tags]  Verify_Client_Certificate_Install
61    [Template]  Install And Verify Certificate Via Redfish
62
63    # cert_type  cert_format                         expected_status
64    Client       Valid Certificate Valid Privatekey  ok
65    Client       Empty Certificate Valid Privatekey  error
66    Client       Valid Certificate Empty Privatekey  error
67    Client       Empty Certificate Empty Privatekey  error
68
69
70Verify CA Certificate Install
71    [Documentation]  Verify CA certificate install.
72    [Tags]  Verify_CA_Certificate_Install
73    [Template]  Install And Verify Certificate Via Redfish
74
75    # cert_type  cert_format        expected_status
76    CA           Valid Certificate  ok
77    CA           Empty Certificate  error
78
79
80Verify Server Certificate View Via Openssl
81    [Documentation]  Verify server certificate via openssl command.
82    [Tags]  Verify_Server_Certificate_View_Via_Openssl
83
84    redfish.Login
85
86    ${cert_file_path}=  Generate Certificate File Via Openssl  Valid Certificate Valid Privatekey
87    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
88    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8
89
90    ${certificate_dict}=  Create Dictionary
91    ...  @odata.id=/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1
92    ${payload}=  Create Dictionary  CertificateString=${file_data}
93    ...  CertificateType=PEM  CertificateUri=${certificate_dict}
94
95    ${resp}=  redfish.Post  /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
96    ...  body=${payload}
97
98    Wait Until Keyword Succeeds  2 mins  15 secs  Verify Certificate Visible Via OpenSSL  ${cert_file_path}
99
100
101Verify CSR Generation For Server Certificate
102    [Documentation]  Verify CSR generation for server certificate.
103    [Tags]  Verify_CSR_Generation_For_Server_Certificate
104    [Template]  Generate CSR Via Redfish
105
106    # csr_type  key_pair_algorithm  key_bit_length  key_curv_id  expected_status
107    Server      RSA                 ${2048}         ${EMPTY}     ok
108    Server      EC                  ${EMPTY}        prime256v1   ok
109    Server      EC                  ${EMPTY}        secp521r1    ok
110    Server      EC                  ${EMPTY}        secp384r1    ok
111
112
113Verify CSR Generation For Client Certificate
114    [Documentation]  Verify CSR generation for client certificate.
115    [Tags]  Verify_CSR_Generation_For_Client_Certificate
116    [Template]  Generate CSR Via Redfish
117
118    # csr_type  key_pair_algorithm  key_bit_length  key_curv_id  expected_status
119    Client      RSA                 ${2048}         ${EMPTY}     ok
120    Client      EC                  ${EMPTY}        prime256v1   ok
121    Client      EC                  ${EMPTY}        secp521r1    ok
122    Client      EC                  ${EMPTY}        secp384r1    ok
123
124
125Verify CSR Generation For Server Certificate With Invalid Value
126    [Documentation]  Verify error while generating CSR for server certificate with invalid value.
127    [Tags]  Verify_CSR_Generation_For_Server_Certificate_With_Invalid_Value
128    [Template]  Generate CSR Via Redfish
129
130    # csr_type  key_pair_algorithm  key_bit_length    key_curv_id       expected_status
131    Server      ${invalid_value}    ${2048}           prime256v1        error
132    Server      RAS                 ${invalid_value}  ${EMPTY}          error
133    Server      EC                  ${EMPTY}          ${invalid_value}  error
134
135
136Verify CSR Generation For Client Certificate With Invalid Value
137    [Documentation]  Verify error while generating CSR for client certificate with invalid value.
138    [Tags]  Verify_CSR_Generation_For_Client_Certificate_With_Invalid_Value
139    [Template]  Generate CSR Via Redfish
140
141    Client      ${invalid_value}    ${2048}           prime256v1        error
142    Client      RSA                 ${invalid_value}  ${EMPTY}          error
143    Client      EC                  ${EMPTY}          ${invalid_value}  error
144
145
146*** Keywords ***
147
148Install And Verify Certificate Via Redfish
149    [Documentation]  Install and verify certificate using Redfish.
150    [Arguments]  ${cert_type}  ${cert_format}  ${expected_status}
151
152    # Description of argument(s):
153    # cert_type           Certificate type (e.g. "Client" or "CA").
154    # cert_format         Certificate file format
155    #                     (e.g. "Valid_Certificate_Valid_Privatekey").
156    # expected_status     Expected status of certificate replace Redfish
157    #                     request (i.e. "ok" or "error").
158
159    redfish.Login
160    Delete Certificate Via BMC CLI  ${cert_type}
161
162    ${time}=  Set Variable If  '${cert_format}' == 'Expired Certificate'  -10  365
163    ${cert_file_path}=  Generate Certificate File Via Openssl  ${cert_format}  ${time}
164    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
165    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8
166
167    ${certificate_uri}=  Set Variable If
168    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}
169    ...  '${cert_type}' == 'CA'  ${REDFISH_CA_CERTIFICATE_URI}
170
171    ${cert_id}=  Install Certificate File On BMC  ${certificate_uri}  ${expected_status}  data=${file_data}
172    Logging  Installed certificate id: ${cert_id}
173
174    # Adding delay after certificate installation.
175    Sleep  30s
176
177    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}
178    ${bmc_cert_content}=  Run Keyword If  '${expected_status}' == 'ok'  redfish_utils.Get Attribute
179    ...  ${certificate_uri}/${cert_id}  CertificateString
180
181    Run Keyword If  '${expected_status}' == 'ok'  Should Contain  ${cert_file_content}  ${bmc_cert_content}
182
183
184Install Certificate File On BMC
185    [Documentation]  Install certificate file in BMC using POST operation.
186    [Arguments]  ${uri}  ${status}=ok  &{kwargs}
187
188    # Description of argument(s):
189    # uri         URI for installing certificate file via REST
190    #             e.g. "/xyz/openbmc_project/certs/server/https".
191    # status      Expected status of certificate installation via REST
192    #             e.g. error, ok.
193    # kwargs      A dictionary of keys/values to be passed directly to
194    #             POST Request.
195
196    Initialize OpenBMC  quiet=${quiet}
197
198    ${headers}=  Create Dictionary  Content-Type=application/octet-stream
199    ...  X-Auth-Token=${XAUTH_TOKEN}
200    Set To Dictionary  ${kwargs}  headers  ${headers}
201
202    ${ret}=  Post Request  openbmc  ${uri}  &{kwargs}
203    ${content_json}=  To JSON  ${ret.content}
204    ${cert_id}=  Set Variable If  '${ret.status_code}' == '${HTTP_OK}'  ${content_json["Id"]}  -1
205
206    Run Keyword If  '${status}' == 'ok'
207    ...  Should Be Equal As Strings  ${ret.status_code}  ${HTTP_OK}
208    ...  ELSE IF  '${status}' == 'error'
209    ...  Should Be Equal As Strings  ${ret.status_code}  ${HTTP_INTERNAL_SERVER_ERROR}
210
211    Delete All Sessions
212
213    [Return]  ${cert_id}
214
215Replace Certificate Via Redfish
216    [Documentation]  Test 'replace certificate' operation in the BMC via Redfish.
217    [Arguments]  ${cert_type}  ${cert_format}  ${expected_status}
218
219    # Description of argument(s):
220    # cert_type           Certificate type (e.g. "Server" or "Client").
221    # cert_format         Certificate file format
222    #                     (e.g. Valid_Certificate_Valid_Privatekey).
223    # expected_status     Expected status of certificate replace Redfish
224    #                     request (i.e. "ok" or "error").
225
226    # Install certificate before replacing client or CA certificate.
227    Run Keyword If  '${cert_type}' == 'Client'
228    ...    Install And Verify Certificate Via Redfish  ${cert_type}  Valid Certificate Valid Privatekey  ok
229    ...  ELSE IF  '${cert_type}' == 'CA'
230    ...    Install And Verify Certificate Via Redfish  ${cert_type}  Valid Certificate  ok
231
232    redfish.Login
233
234    ${time}=  Set Variable If  '${cert_format}' == 'Expired Certificate'  -10  365
235    ${cert_file_path}=  Generate Certificate File Via Openssl  ${cert_format}  ${time}
236
237    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
238    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8
239
240    ${certificate_uri}=  Set Variable If
241    ...  '${cert_type}' == 'Server'  ${REDFISH_HTTPS_CERTIFICATE_URI}/1
242    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}/1
243    ...  '${cert_type}' == 'CA'  ${REDFISH_CA_CERTIFICATE_URI}/1
244
245    ${certificate_dict}=  Create Dictionary  @odata.id=${certificate_uri}
246    ${payload}=  Create Dictionary  CertificateString=${file_data}
247    ...  CertificateType=PEM  CertificateUri=${certificate_dict}
248
249    ${expected_resp}=  Set Variable If  '${expected_status}' == 'ok'  ${HTTP_OK}
250    ...  '${expected_status}' == 'error'  ${HTTP_INTERNAL_SERVER_ERROR}
251    ${resp}=  redfish.Post  /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
252    ...  body=${payload}  valid_status_codes=[${expected_resp}]
253
254    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}
255    ${bmc_cert_content}=  redfish_utils.Get Attribute  ${certificate_uri}  CertificateString
256
257    Run Keyword If  '${expected_status}' == 'ok'
258    ...    Should Contain  ${cert_file_content}  ${bmc_cert_content}
259    ...  ELSE
260    ...    Should Not Contain  ${cert_file_content}  ${bmc_cert_content}
261
262
263Generate CSR Via Redfish
264    [Documentation]  Generate CSR using Redfish.
265    [Arguments]  ${cert_type}  ${key_pair_algorithm}  ${key_bit_length}  ${key_curv_id}  ${expected_status}
266
267    # Description of argument(s):
268    # cert_type           Certificate type ("Server" or "Client").
269    # key_pair_algorithm  CSR key pair algorithm ("EC" or "RSA")
270    # key_bit_length      CSR key bit length ("2048").
271    # key_curv_id         CSR key curv id ("prime256v1" or "secp521r1" or "secp384r1").
272    # expected_status     Expected status of certificate replace Redfish
273    #                     request ("ok" or "error").
274
275    redfish.Login
276
277    ${certificate_uri}=  Set Variable If
278    ...  '${cert_type}' == 'Server'  ${REDFISH_HTTPS_CERTIFICATE_URI}/
279    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}/
280
281    ${certificate_dict}=  Create Dictionary  @odata.id=${certificate_uri}
282    ${payload}=  Create Dictionary  City=Austin  CertificateCollection=${certificate_dict}
283    ...  CommonName=${OPENBMC_HOST}  Country=US  Organization=IBM
284    ...  OrganizationalUnit=ISL  State=AU  KeyBitLength=${key_bit_length}
285    ...  KeyPairAlgorithm=${key_pair_algorithm}  KeyCurveId=${key_curv_id}
286
287    # Remove not applicable field for CSR generation.
288    Run Keyword If  '${key_pair_algorithm}' == 'EC'  Remove From Dictionary  ${payload}  KeyBitLength
289    ...  ELSE IF  '${key_pair_algorithm}' == 'RSA'  Remove From Dictionary  ${payload}  KeyCurveId
290
291    ${expected_resp}=  Set Variable If  '${expected_status}' == 'ok'  ${HTTP_OK}
292    ...  '${expected_status}' == 'error'  ${HTTP_INTERNAL_SERVER_ERROR}, ${HTTP_BAD_REQUEST}
293    ${resp}=  redfish.Post  /redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR
294    ...  body=${payload}  valid_status_codes=[${expected_resp}]
295
296    # Delay added between two CSR generation request.
297    Sleep  5s
298
299
300Delete Certificate Via BMC CLI
301    [Documentation]  Delete certificate via BMC CLI.
302    [Arguments]  ${cert_type}
303
304    # Description of argument(s):
305    # cert_type           Certificate type (e.g. "Client" or "CA").
306
307    ${certificate_file_path}  ${certificate_service}  ${certificate_uri}=
308    ...  Run Keyword If  '${cert_type}' == 'Client'
309    ...    Set Variable  /etc/nslcd/certs/cert.pem  phosphor-certificate-manager@nslcd.service
310    ...    ${REDFISH_LDAP_CERTIFICATE_URI}
311    ...  ELSE IF  '${cert_type}' == 'CA'
312    ...    Set Variable  ${ROOT_CA_FILE_PATH}  phosphor-certificate-manager@authority.service
313    ...    ${REDFISH_CA_CERTIFICATE_URI}
314
315    ${file_status}  ${stderr}  ${rc}=  BMC Execute Command
316    ...  [ -f ${certificate_file_path} ] && echo "Found" || echo "Not Found"
317
318    Return From Keyword If  "${file_status}" != "Found"
319    BMC Execute Command  rm ${certificate_file_path}
320    BMC Execute Command  systemctl restart ${certificate_service}
321    BMC Execute Command  systemctl daemon-reload
322    Wait Until Keyword Succeeds  1 min  10 sec
323    ...  Redfish.Get  ${certificate_uri}/1  valid_status_codes=[${HTTP_NOT_FOUND}, ${HTTP_INTERNAL_SERVER_ERROR}]
324
325
326Suite Setup Execution
327    [Documentation]  Do suite setup tasks.
328
329    # Create certificate sub-directory in current working directory.
330    Create Directory  certificate_dir
331
332
333Test Teardown Execution
334    [Documentation]  Do the post test teardown.
335
336    FFDC On Test Case Fail
337    redfish.Logout
338