1*** Settings *** 2Documentation Test certificate in OpenBMC. 3 4Resource ../../lib/resource.robot 5Resource ../../lib/bmc_redfish_resource.robot 6Resource ../../lib/openbmc_ffdc.robot 7Resource ../../lib/certificate_utils.robot 8Library String 9 10Force Tags Certificate_Test 11 12Suite Setup Suite Setup Execution 13Suite Teardown Suite Teardown 14Test Teardown Test Teardown Execution 15 16 17*** Variables *** 18 19${invalid_value} abc 20${ROOT_CA_FILE_PATH} /etc/ssl/certs/authority/* 21 22 23** Test Cases ** 24 25Verify Server Certificate Replace 26 [Documentation] Verify server certificate replace. 27 [Tags] Verify_Server_Certificate_Replace 28 [Template] Replace Certificate Via Redfish 29 30 # cert_type cert_format expected_status 31 Server Valid Certificate Valid Privatekey ok 32 Server Empty Certificate Valid Privatekey error 33 Server Valid Certificate Empty Privatekey error 34 Server Empty Certificate Empty Privatekey error 35 36 37Verify Client Certificate Replace 38 [Documentation] Verify client certificate replace. 39 [Tags] Verify_Client_Certificate_Replace 40 [Template] Replace Certificate Via Redfish 41 42 # cert_type cert_format expected_status 43 Client Valid Certificate Valid Privatekey ok 44 Client Empty Certificate Valid Privatekey error 45 Client Valid Certificate Empty Privatekey error 46 Client Empty Certificate Empty Privatekey error 47 48 49Verify CA Certificate Replace 50 [Documentation] Verify CA certificate replace. 51 [Tags] Verify_CA_Certificate_Replace 52 [Template] Replace Certificate Via Redfish 53 54 # cert_type cert_format expected_status 55 CA Valid Certificate ok 56 CA Empty Certificate error 57 58 59Verify Client Certificate Install 60 [Documentation] Verify client certificate install. 61 [Tags] Verify_Client_Certificate_Install 62 [Template] Install And Verify Certificate Via Redfish 63 64 # cert_type cert_format expected_status 65 Client Valid Certificate Valid Privatekey ok 66 Client Empty Certificate Valid Privatekey error 67 Client Valid Certificate Empty Privatekey error 68 Client Empty Certificate Empty Privatekey error 69 70 71Verify CA Certificate Install 72 [Documentation] Verify CA certificate install. 73 [Tags] Verify_CA_Certificate_Install 74 [Template] Install And Verify Certificate Via Redfish 75 76 # cert_type cert_format expected_status 77 CA Valid Certificate ok 78 CA Empty Certificate error 79 80 81Verify Maximum CA Certificate Install 82 [Documentation] Verify maximum CA certificate install. 83 [Tags] Verify_Maximum_CA_Certificate_Install 84 [Teardown] Run Keywords FFDC On Test Case Fail AND Delete All CA Certificate Via Redfish 85 86 # Get CA certificate count from BMC. 87 ${cert_list}= Redfish_Utils.Get Member List /redfish/v1/Managers/bmc/Truststore/Certificates 88 ${cert_count}= Get Length ${cert_list} 89 90 # Install CA certificate to reach maximum count of 10. 91 FOR ${INDEX} IN RANGE ${cert_count} 10 92 Install And Verify Certificate Via Redfish CA Valid Certificate ok ${FALSE} 93 ${cert_count}= Evaluate ${cert_count} + 1 94 END 95 96 # Verify error while installing 11th CA certificate. 97 Install And Verify Certificate Via Redfish CA Valid Certificate error ${FALSE} 98 99 100Verify Error While Uploading Same CA Certificate 101 [Documentation] Verify error while uploading same CA certificate two times. 102 [Tags] Verify_Error_While_Uploading_Same_CA_Certificate 103 104 # Create certificate file for uploading. 105 ${cert_file_path}= Generate Certificate File Via Openssl Valid Certificate 365 106 ${bytes}= OperatingSystem.Get Binary File ${cert_file_path} 107 ${file_data}= Decode Bytes To String ${bytes} UTF-8 108 109 # Install CA certificate. 110 Install Certificate File On BMC ${REDFISH_CA_CERTIFICATE_URI} ok data=${file_data} 111 112 # Adding delay after certificate installation. 113 Sleep 30s 114 115 # Check error while uploading same certificate. 116 Install Certificate File On BMC ${REDFISH_CA_CERTIFICATE_URI} error data=${file_data} 117 118 119Verify Server Certificate View Via Openssl 120 [Documentation] Verify server certificate via openssl command. 121 [Tags] Verify_Server_Certificate_View_Via_Openssl 122 123 ${cert_file_path}= Generate Certificate File Via Openssl Valid Certificate Valid Privatekey 124 ${bytes}= OperatingSystem.Get Binary File ${cert_file_path} 125 ${file_data}= Decode Bytes To String ${bytes} UTF-8 126 127 ${certificate_dict}= Create Dictionary 128 ... @odata.id=/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1 129 ${payload}= Create Dictionary CertificateString=${file_data} 130 ... CertificateType=PEM CertificateUri=${certificate_dict} 131 132 ${resp}= redfish.Post /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate 133 ... body=${payload} 134 135 Wait Until Keyword Succeeds 2 mins 15 secs Verify Certificate Visible Via OpenSSL ${cert_file_path} 136 137 138Verify CSR Generation For Server Certificate 139 [Documentation] Verify CSR generation for server certificate. 140 [Tags] Verify_CSR_Generation_For_Server_Certificate 141 [Template] Generate CSR Via Redfish 142 143 # csr_type key_pair_algorithm key_bit_length key_curv_id expected_status 144 Server RSA ${2048} ${EMPTY} ok 145 Server EC ${EMPTY} prime256v1 ok 146 Server EC ${EMPTY} secp521r1 ok 147 Server EC ${EMPTY} secp384r1 ok 148 149 150Verify CSR Generation For Client Certificate 151 [Documentation] Verify CSR generation for client certificate. 152 [Tags] Verify_CSR_Generation_For_Client_Certificate 153 [Template] Generate CSR Via Redfish 154 155 # csr_type key_pair_algorithm key_bit_length key_curv_id expected_status 156 Client RSA ${2048} ${EMPTY} ok 157 Client EC ${EMPTY} prime256v1 ok 158 Client EC ${EMPTY} secp521r1 ok 159 Client EC ${EMPTY} secp384r1 ok 160 161 162Verify CSR Generation For Server Certificate With Invalid Value 163 [Documentation] Verify error while generating CSR for server certificate with invalid value. 164 [Tags] Verify_CSR_Generation_For_Server_Certificate_With_Invalid_Value 165 [Template] Generate CSR Via Redfish 166 167 # csr_type key_pair_algorithm key_bit_length key_curv_id expected_status 168 Server ${invalid_value} ${2048} prime256v1 error 169 Server RAS ${invalid_value} ${EMPTY} error 170 Server EC ${EMPTY} ${invalid_value} error 171 172 173Verify CSR Generation For Client Certificate With Invalid Value 174 [Documentation] Verify error while generating CSR for client certificate with invalid value. 175 [Tags] Verify_CSR_Generation_For_Client_Certificate_With_Invalid_Value 176 [Template] Generate CSR Via Redfish 177 178 Client ${invalid_value} ${2048} prime256v1 error 179 Client RSA ${invalid_value} ${EMPTY} error 180 Client EC ${EMPTY} ${invalid_value} error 181 182 183Verify Expired Certificate Install 184 [Documentation] Verify installation of expired certificate. 185 [Tags] Verify_Expired_Certificate_Install 186 [Setup] Run Keywords Get Current BMC Date AND Modify BMC Date 187 [Template] Install And Verify Certificate Via Redfish 188 [Teardown] Run Keywords FFDC On Test Case Fail AND Restore BMC Date 189 190 # cert_type cert_format expected_status 191 Client Expired Certificate error 192 CA Expired Certificate error 193 194 195Verify Expired Certificate Replace 196 [Documentation] Verify replacing the certificate with an expired one. 197 [Tags] Verify_Expired_Certificate_Replace 198 [Setup] Run Keywords Get Current BMC Date AND Modify BMC Date 199 [Template] Replace Certificate Via Redfish 200 [Teardown] Run Keywords FFDC On Test Case Fail AND Restore BMC Date 201 202 # cert_type cert_format expected_status 203 Server Expired Certificate error 204 205 206Verify Not Yet Valid Certificate Install 207 [Documentation] Verify installation of not yet valid certificates. 208 [Tags] Verify_Not_Yet_Valid_Certificate_Install 209 [Setup] Run Keywords Get Current BMC Date AND Modify BMC Date 210 [Template] Install And Verify Certificate Via Redfish 211 [Teardown] Run Keywords FFDC On Test Case Fail AND Restore BMC Date 212 213 # cert_type cert_format expected_status 214 Client Not Yet Valid Certificate ok 215 CA Not Yet Valid Certificate ok 216 217 218Verify Not Yet Valid Certificate Replace 219 [Documentation] Verify replacing certificate with a not yet valid one. 220 [Tags] Verify_Not_Yet_Valid_Certificate_Replace 221 [Setup] Run Keywords Get Current BMC Date AND Modify BMC Date 222 [Template] Replace Certificate Via Redfish 223 [Teardown] Run Keywords FFDC On Test Case Fail AND Restore BMC Date 224 225 # cert_type cert_format expected_status 226 Server Not Yet Valid Certificate ok 227 Client Not Yet Valid Certificate ok 228 CA Not Yet Valid Certificate ok 229 230 231Verify Certificates Location Via Redfish 232 [Documentation] Verify the location of certificates via Redfish. 233 [Tags] Verify_Certificates_Location_Via_Redfish 234 235 ${cert_id}= Install And Verify Certificate Via Redfish 236 ... CA Valid Certificate ok 237 238 ${resp}= Redfish.Get /redfish/v1/CertificateService/CertificateLocations 239 ${Links}= Get From Dictionary ${resp.dict} Links 240 241 ${match_cert}= Catenate 242 ... /redfish/v1/Managers/bmc/Truststore/Certificates/${cert_id} 243 ${match}= Set Variable ${False} 244 245 FOR ${Certificates_dict} IN @{Links['Certificates']} 246 Continue For Loop If 247 ... "${Certificates_dict['@odata.id']}}" != "${match_cert}}" 248 ${match}= Set Variable ${True} 249 END 250 251 Should Be Equal ${match} ${True} 252 ... msg=Verify the location of certificates via Redfish fail. 253 254 255*** Keywords *** 256 257Install And Verify Certificate Via Redfish 258 [Documentation] Install and verify certificate using Redfish. 259 [Arguments] ${cert_type} ${cert_format} ${expected_status} ${delete_cert}=${True} 260 261 # Description of argument(s): 262 # cert_type Certificate type (e.g. "Client" or "CA"). 263 # cert_format Certificate file format 264 # (e.g. "Valid_Certificate_Valid_Privatekey"). 265 # expected_status Expected status of certificate replace Redfish 266 # request (i.e. "ok" or "error"). 267 # delete_cert Certificate will be deleted before installing if this True. 268 269 Run Keyword If '${cert_type}' == 'CA' and '${delete_cert}' == '${True}' 270 ... Delete All CA Certificate Via Redfish 271 ... ELSE IF '${cert_type}' == 'Client' and '${delete_cert}' == '${True}' 272 ... Delete Certificate Via BMC CLI ${cert_type} 273 274 ${cert_file_path}= Generate Certificate File Via Openssl ${cert_format} 275 ${bytes}= OperatingSystem.Get Binary File ${cert_file_path} 276 ${file_data}= Decode Bytes To String ${bytes} UTF-8 277 278 ${certificate_uri}= Set Variable If 279 ... '${cert_type}' == 'Client' ${REDFISH_LDAP_CERTIFICATE_URI} 280 ... '${cert_type}' == 'CA' ${REDFISH_CA_CERTIFICATE_URI} 281 282 Run Keyword If '${cert_format}' == 'Expired Certificate' Modify BMC Date future 283 ... ELSE IF '${cert_format}' == 'Not Yet Valid Certificate' Modify BMC Date old 284 285 ${cert_id}= Install Certificate File On BMC ${certificate_uri} ${expected_status} data=${file_data} 286 Logging Installed certificate id: ${cert_id} 287 288 # Adding delay after certificate installation. 289 Sleep 30s 290 291 ${cert_file_content}= OperatingSystem.Get File ${cert_file_path} 292 ${bmc_cert_content}= Run Keyword If '${expected_status}' == 'ok' redfish_utils.Get Attribute 293 ... ${certificate_uri}/${cert_id} CertificateString 294 295 Run Keyword If '${expected_status}' == 'ok' Should Contain ${cert_file_content} ${bmc_cert_content} 296 [Return] ${cert_id} 297 298Modify BMC Date 299 [Documentation] Modify date in BMC. 300 [Arguments] ${date_set_type}=current 301 302 # Description of argument(s): 303 # date_set_type Set BMC date to a current, future, old date by 375 days. 304 # current - Sets date to local system date. 305 # future - Sets to a future date from current date. 306 # old - Sets to a old date from current date. 307 308 Redfish Power Off stack_mode=skip 309 ${current_date_time}= Get Current Date 310 ${new_time}= Run Keyword If '${date_set_type}' == 'current' Set Variable ${current_date_time} 311 ... ELSE IF '${date_set_type}' == 'future' 312 ... Add Time To Date ${current_date_time} 375 days 313 ... ELSE IF '${date_set_type}' == 'old' 314 ... Subtract Time From Date ${current_date_time} 375 days 315 316 # Enable manual mode. 317 Redfish.Patch ${REDFISH_NW_PROTOCOL_URI} 318 ... body={'NTP':{'ProtocolEnabled': ${False}}} 319 ... valid_status_codes=[${HTTP_OK}, ${HTTP_NO_CONTENT}] 320 Sleep 2s 321 Redfish.Patch ${REDFISH_BASE_URI}Managers/bmc body={'DateTime': '${new_time}'} 322 ... valid_status_codes=[${HTTP_OK}] 323 324Get Current BMC Date 325 [Documentation] Get current BMC date. 326 327 ${cli_date_time}= CLI Get BMC DateTime 328 Set Test Variable ${cli_date_time} 329 330Restore BMC Date 331 [Documentation] Restore BMC date to its prior value. 332 333 Redfish.Patch ${REDFISH_BASE_URI}Managers/bmc body={'DateTime': '${cli_date_time}'} 334 ... valid_status_codes=[${HTTP_OK}] 335 336Replace Certificate Via Redfish 337 [Documentation] Test 'replace certificate' operation in the BMC via Redfish. 338 [Arguments] ${cert_type} ${cert_format} ${expected_status} 339 340 # Description of argument(s): 341 # cert_type Certificate type (e.g. "Server" or "Client"). 342 # cert_format Certificate file format 343 # (e.g. Valid_Certificate_Valid_Privatekey). 344 # expected_status Expected status of certificate replace Redfish 345 # request (i.e. "ok" or "error"). 346 347 # Install certificate before replacing client or CA certificate. 348 ${cert_id}= Run Keyword If '${cert_type}' == 'Client' 349 ... Install And Verify Certificate Via Redfish ${cert_type} Valid Certificate Valid Privatekey ok 350 ... ELSE IF '${cert_type}' == 'CA' 351 ... Install And Verify Certificate Via Redfish ${cert_type} Valid Certificate ok 352 353 ${cert_file_path}= Generate Certificate File Via Openssl ${cert_format} 354 355 ${bytes}= OperatingSystem.Get Binary File ${cert_file_path} 356 ${file_data}= Decode Bytes To String ${bytes} UTF-8 357 358 Run Keyword If '${cert_format}' == 'Expired Certificate' 359 ... Modify BMC Date future 360 ... ELSE IF '${cert_format}' == 'Not Yet Valid Certificate' 361 ... Modify BMC Date old 362 363 364 ${certificate_uri}= Set Variable If 365 ... '${cert_type}' == 'Server' ${REDFISH_HTTPS_CERTIFICATE_URI}/1 366 ... '${cert_type}' == 'Client' ${REDFISH_LDAP_CERTIFICATE_URI}/1 367 ... '${cert_type}' == 'CA' ${REDFISH_CA_CERTIFICATE_URI}/${cert_id} 368 369 ${certificate_dict}= Create Dictionary @odata.id=${certificate_uri} 370 ${payload}= Create Dictionary CertificateString=${file_data} 371 ... CertificateType=PEM CertificateUri=${certificate_dict} 372 373 ${expected_resp}= Set Variable If '${expected_status}' == 'ok' ${HTTP_OK} 374 ... '${expected_status}' == 'error' ${HTTP_NOT_FOUND}, ${HTTP_INTERNAL_SERVER_ERROR} 375 ${resp}= redfish.Post /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate 376 ... body=${payload} valid_status_codes=[${expected_resp}] 377 378 ${cert_file_content}= OperatingSystem.Get File ${cert_file_path} 379 ${bmc_cert_content}= redfish_utils.Get Attribute ${certificate_uri} CertificateString 380 381 Run Keyword If '${expected_status}' == 'ok' 382 ... Should Contain ${cert_file_content} ${bmc_cert_content} 383 ... ELSE 384 ... Should Not Contain ${cert_file_content} ${bmc_cert_content} 385 386 387Generate CSR Via Redfish 388 [Documentation] Generate CSR using Redfish. 389 [Arguments] ${cert_type} ${key_pair_algorithm} ${key_bit_length} ${key_curv_id} ${expected_status} 390 391 # Description of argument(s): 392 # cert_type Certificate type ("Server" or "Client"). 393 # key_pair_algorithm CSR key pair algorithm ("EC" or "RSA") 394 # key_bit_length CSR key bit length ("2048"). 395 # key_curv_id CSR key curv id ("prime256v1" or "secp521r1" or "secp384r1"). 396 # expected_status Expected status of certificate replace Redfish 397 # request ("ok" or "error"). 398 399 ${certificate_uri}= Set Variable If 400 ... '${cert_type}' == 'Server' ${REDFISH_HTTPS_CERTIFICATE_URI}/ 401 ... '${cert_type}' == 'Client' ${REDFISH_LDAP_CERTIFICATE_URI}/ 402 403 ${certificate_dict}= Create Dictionary @odata.id=${certificate_uri} 404 ${payload}= Create Dictionary City=Austin CertificateCollection=${certificate_dict} 405 ... CommonName=${OPENBMC_HOST} Country=US Organization=IBM 406 ... OrganizationalUnit=ISL State=AU KeyBitLength=${key_bit_length} 407 ... KeyPairAlgorithm=${key_pair_algorithm} KeyCurveId=${key_curv_id} 408 409 # Remove not applicable field for CSR generation. 410 Run Keyword If '${key_pair_algorithm}' == 'EC' Remove From Dictionary ${payload} KeyBitLength 411 ... ELSE IF '${key_pair_algorithm}' == 'RSA' Remove From Dictionary ${payload} KeyCurveId 412 413 ${expected_resp}= Set Variable If '${expected_status}' == 'ok' ${HTTP_OK} 414 ... '${expected_status}' == 'error' ${HTTP_INTERNAL_SERVER_ERROR}, ${HTTP_BAD_REQUEST} 415 ${resp}= redfish.Post /redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR 416 ... body=${payload} valid_status_codes=[${expected_resp}] 417 418 # Delay added between two CSR generation request. 419 Sleep 5s 420 421 422Suite Setup Execution 423 [Documentation] Do suite setup tasks. 424 425 # Create certificate sub-directory in current working directory. 426 Create Directory certificate_dir 427 Redfish.Login 428 429 430Test Teardown Execution 431 [Documentation] Do the post test teardown. 432 433 FFDC On Test Case Fail 434 435Suite Teardown 436 [Documentation] Do suite teardown tasks. 437 438 Redfish.Logout 439