*** Settings ***
Documentation    Test certificate in OpenBMC.

Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot
Resource         ../../lib/certificate_utils.robot
Library          String

Force Tags       Certificate_Test

Suite Setup      Suite Setup Execution
Test Teardown    Test Teardown Execution


*** Variables ***

${invalid_value}        abc
${ROOT_CA_FILE_PATH}    /etc/ssl/certs/authority/*


*** Test Cases ***

Verify Server Certificate Replace
    [Documentation]  Verify server certificate replace.
    [Tags]  Verify_Server_Certificate_Replace
    [Template]  Replace Certificate Via Redfish

    # cert_type  cert_format                         expected_status
    Server       Valid Certificate Valid Privatekey  ok
    Server       Empty Certificate Valid Privatekey  error
    Server       Valid Certificate Empty Privatekey  error
    Server       Empty Certificate Empty Privatekey  error


Verify Client Certificate Replace
    [Documentation]  Verify client certificate replace.
    [Tags]  Verify_Client_Certificate_Replace
    [Template]  Replace Certificate Via Redfish

    # cert_type  cert_format                         expected_status
    Client       Valid Certificate Valid Privatekey  ok
    Client       Empty Certificate Valid Privatekey  error
    Client       Valid Certificate Empty Privatekey  error
    Client       Empty Certificate Empty Privatekey  error


Verify CA Certificate Replace
    [Documentation]  Verify CA certificate replace.
    [Tags]  Verify_CA_Certificate_Replace
    [Template]  Replace Certificate Via Redfish

    # cert_type  cert_format        expected_status
    CA           Valid Certificate  ok
    CA           Empty Certificate  error


Verify Client Certificate Install
    [Documentation]  Verify client certificate install.
    [Tags]  Verify_Client_Certificate_Install
    [Template]  Install And Verify Certificate Via Redfish

    # cert_type  cert_format                         expected_status
    Client       Valid Certificate Valid Privatekey  ok
    Client       Empty Certificate Valid Privatekey  error
    Client       Valid Certificate Empty Privatekey  error
    Client       Empty Certificate Empty Privatekey  error


Verify CA Certificate Install
    [Documentation]  Verify CA certificate install.
    [Tags]  Verify_CA_Certificate_Install
    [Template]  Install And Verify Certificate Via Redfish

    # cert_type  cert_format        expected_status
    CA           Valid Certificate  ok
    CA           Empty Certificate  error


Verify Maximum CA Certificate Install
    [Documentation]  Verify maximum CA certificate install.
    [Tags]  Verify_Maximum_CA_Certificate_Install
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Delete All CA Certificate Via Redfish

    # Get CA certificate count from BMC.
    redfish.Login
    ${cert_list}=  Redfish_Utils.Get Member List  /redfish/v1/Managers/bmc/Truststore/Certificates
    ${cert_count}=  Get Length  ${cert_list}

    # Install CA certificate to reach maximum count of 10.
    FOR  ${INDEX}  IN RANGE  ${cert_count}  10
        Install And Verify Certificate Via Redfish  CA  Valid Certificate  ok  ${FALSE}
        ${cert_count}=  Evaluate  ${cert_count} + 1
    END

    # Verify error while installing 11th CA certificate.
    Install And Verify Certificate Via Redfish  CA  Valid Certificate  error  ${FALSE}


Verify Error While Uploding Same CA Certificate
    [Documentation]  Verify error while uploading same CA certificate two times.
    [Tags]  Verify_Error_While_Uploding_Same_CA_Certificate

    # Create certificate file for uploading.
    ${cert_file_path}=  Generate Certificate File Via Openssl  Valid Certificate  365
    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8

    # Install CA certificate.
    Install Certificate File On BMC  ${REDFISH_CA_CERTIFICATE_URI}  ok  data=${file_data}

    # Adding delay after certificate installation.
    Sleep  30s

    # Check error while uploading same certificate.
    Install Certificate File On BMC  ${REDFISH_CA_CERTIFICATE_URI}  error  data=${file_data}


Verify Server Certificate View Via Openssl
    [Documentation]  Verify server certificate via openssl command.
    [Tags]  Verify_Server_Certificate_View_Via_Openssl

    redfish.Login

    ${cert_file_path}=  Generate Certificate File Via Openssl  Valid Certificate Valid Privatekey
    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8

    ${certificate_dict}=  Create Dictionary
    ...  @odata.id=/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1
    ${payload}=  Create Dictionary  CertificateString=${file_data}
    ...  CertificateType=PEM  CertificateUri=${certificate_dict}

    ${resp}=  redfish.Post  /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
    ...  body=${payload}

    Wait Until Keyword Succeeds  2 mins  15 secs  Verify Certificate Visible Via OpenSSL  ${cert_file_path}


Verify CSR Generation For Server Certificate
    [Documentation]  Verify CSR generation for server certificate.
    [Tags]  Verify_CSR_Generation_For_Server_Certificate
    [Template]  Generate CSR Via Redfish

    # csr_type  key_pair_algorithm  key_bit_length  key_curv_id  expected_status
    Server      RSA                 ${2048}         ${EMPTY}     ok
    Server      EC                  ${EMPTY}        prime256v1   ok
    Server      EC                  ${EMPTY}        secp521r1    ok
    Server      EC                  ${EMPTY}        secp384r1    ok


Verify CSR Generation For Client Certificate
    [Documentation]  Verify CSR generation for client certificate.
    [Tags]  Verify_CSR_Generation_For_Client_Certificate
    [Template]  Generate CSR Via Redfish

    # csr_type  key_pair_algorithm  key_bit_length  key_curv_id  expected_status
    Client      RSA                 ${2048}         ${EMPTY}     ok
    Client      EC                  ${EMPTY}        prime256v1   ok
    Client      EC                  ${EMPTY}        secp521r1    ok
    Client      EC                  ${EMPTY}        secp384r1    ok


Verify CSR Generation For Server Certificate With Invalid Value
    [Documentation]  Verify error while generating CSR for server certificate with invalid value.
    [Tags]  Verify_CSR_Generation_For_Server_Certificate_With_Invalid_Value
    [Template]  Generate CSR Via Redfish

    # csr_type  key_pair_algorithm  key_bit_length    key_curv_id       expected_status
    Server      ${invalid_value}    ${2048}           prime256v1        error
    Server      RSA                 ${invalid_value}  ${EMPTY}          error
    Server      EC                  ${EMPTY}          ${invalid_value}  error


Verify CSR Generation For Client Certificate With Invalid Value
    [Documentation]  Verify error while generating CSR for client certificate with invalid value.
    [Tags]  Verify_CSR_Generation_For_Client_Certificate_With_Invalid_Value
    [Template]  Generate CSR Via Redfish

    Client      ${invalid_value}    ${2048}           prime256v1        error
    Client      RSA                 ${invalid_value}  ${EMPTY}          error
    Client      EC                  ${EMPTY}          ${invalid_value}  error


*** Keywords ***

Install And Verify Certificate Via Redfish
    [Documentation]  Install and verify certificate using Redfish.
    [Arguments]  ${cert_type}  ${cert_format}  ${expected_status}  ${delete_cert}=${True}

    # Description of argument(s):
    # cert_type           Certificate type (e.g. "Client" or "CA").
    # cert_format         Certificate file format
    #                     (e.g. "Valid_Certificate_Valid_Privatekey").
    # expected_status     Expected status of certificate replace Redfish
    #                     request (i.e. "ok" or "error").
    # delete_cert         Certificate will be deleted before installing if this is True.

    redfish.Login
    Run Keyword If  '${cert_type}' == 'CA' and '${delete_cert}' == '${True}'
    ...  Delete All CA Certificate Via Redfish
    ...  ELSE IF  '${cert_type}' == 'Client' and '${delete_cert}' == '${True}'
    ...  Delete Certificate Via BMC CLI  ${cert_type}

    ${time}=  Set Variable If  '${cert_format}' == 'Expired Certificate'  -10  365
    ${cert_file_path}=  Generate Certificate File Via Openssl  ${cert_format}  ${time}
    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8

    ${certificate_uri}=  Set Variable If
    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}
    ...  '${cert_type}' == 'CA'  ${REDFISH_CA_CERTIFICATE_URI}

    ${cert_id}=  Install Certificate File On BMC  ${certificate_uri}  ${expected_status}  data=${file_data}
    Logging  Installed certificate id: ${cert_id}

    # Adding delay after certificate installation.
    Sleep  30s

    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}
    ${bmc_cert_content}=  Run Keyword If  '${expected_status}' == 'ok'  redfish_utils.Get Attribute
    ...  ${certificate_uri}/${cert_id}  CertificateString

    Run Keyword If  '${expected_status}' == 'ok'  Should Contain  ${cert_file_content}  ${bmc_cert_content}
    [Return]  ${cert_id}


Replace Certificate Via Redfish
    [Documentation]  Test 'replace certificate' operation in the BMC via Redfish.
    [Arguments]  ${cert_type}  ${cert_format}  ${expected_status}

    # Description of argument(s):
    # cert_type           Certificate type (e.g. "Server" or "Client").
    # cert_format         Certificate file format
    #                     (e.g. Valid_Certificate_Valid_Privatekey).
    # expected_status     Expected status of certificate replace Redfish
    #                     request (i.e. "ok" or "error").

    # Install certificate before replacing client or CA certificate.
    ${cert_id}=  Run Keyword If  '${cert_type}' == 'Client'
    ...    Install And Verify Certificate Via Redfish  ${cert_type}  Valid Certificate Valid Privatekey  ok
    ...  ELSE IF  '${cert_type}' == 'CA'
    ...    Install And Verify Certificate Via Redfish  ${cert_type}  Valid Certificate  ok

    redfish.Login

    ${time}=  Set Variable If  '${cert_format}' == 'Expired Certificate'  -10  365
    ${cert_file_path}=  Generate Certificate File Via Openssl  ${cert_format}  ${time}

    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8

    ${certificate_uri}=  Set Variable If
    ...  '${cert_type}' == 'Server'  ${REDFISH_HTTPS_CERTIFICATE_URI}/1
    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}/1
    ...  '${cert_type}' == 'CA'  ${REDFISH_CA_CERTIFICATE_URI}/${cert_id}

    ${certificate_dict}=  Create Dictionary  @odata.id=${certificate_uri}
    ${payload}=  Create Dictionary  CertificateString=${file_data}
    ...  CertificateType=PEM  CertificateUri=${certificate_dict}

    ${expected_resp}=  Set Variable If  '${expected_status}' == 'ok'  ${HTTP_OK}
    ...  '${expected_status}' == 'error'  ${HTTP_NOT_FOUND}, ${HTTP_INTERNAL_SERVER_ERROR}
    ${resp}=  redfish.Post  /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
    ...  body=${payload}  valid_status_codes=[${expected_resp}]

    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}
    ${bmc_cert_content}=  redfish_utils.Get Attribute  ${certificate_uri}  CertificateString

    Run Keyword If  '${expected_status}' == 'ok'
    ...    Should Contain  ${cert_file_content}  ${bmc_cert_content}
    ...  ELSE
    ...    Should Not Contain  ${cert_file_content}  ${bmc_cert_content}


Generate CSR Via Redfish
    [Documentation]  Generate CSR using Redfish.
    [Arguments]  ${cert_type}  ${key_pair_algorithm}  ${key_bit_length}  ${key_curv_id}  ${expected_status}

    # Description of argument(s):
    # cert_type           Certificate type ("Server" or "Client").
    # key_pair_algorithm  CSR key pair algorithm ("EC" or "RSA").
    # key_bit_length      CSR key bit length ("2048").
    # key_curv_id         CSR key curve ID ("prime256v1" or "secp521r1" or "secp384r1").
    # expected_status     Expected status of CSR generation Redfish
    #                     request ("ok" or "error").

    redfish.Login

    ${certificate_uri}=  Set Variable If
    ...  '${cert_type}' == 'Server'  ${REDFISH_HTTPS_CERTIFICATE_URI}/
    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}/

    ${certificate_dict}=  Create Dictionary  @odata.id=${certificate_uri}
    ${payload}=  Create Dictionary  City=Austin  CertificateCollection=${certificate_dict}
    ...  CommonName=${OPENBMC_HOST}  Country=US  Organization=IBM
    ...  OrganizationalUnit=ISL  State=AU  KeyBitLength=${key_bit_length}
    ...  KeyPairAlgorithm=${key_pair_algorithm}  KeyCurveId=${key_curv_id}

    # Remove not applicable field for CSR generation.
    Run Keyword If  '${key_pair_algorithm}' == 'EC'  Remove From Dictionary  ${payload}  KeyBitLength
    ...  ELSE IF  '${key_pair_algorithm}' == 'RSA'  Remove From Dictionary  ${payload}  KeyCurveId

    ${expected_resp}=  Set Variable If  '${expected_status}' == 'ok'  ${HTTP_OK}
    ...  '${expected_status}' == 'error'  ${HTTP_INTERNAL_SERVER_ERROR}, ${HTTP_BAD_REQUEST}
    ${resp}=  redfish.Post  /redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR
    ...  body=${payload}  valid_status_codes=[${expected_resp}]

    # Delay added between two CSR generation requests.
    Sleep  5s


Delete Certificate Via BMC CLI
    [Documentation]  Delete certificate via BMC CLI.
    [Arguments]  ${cert_type}

    # Description of argument(s):
    # cert_type           Certificate type (e.g. "Client" or "CA").

    ${certificate_file_path}  ${certificate_service}  ${certificate_uri}=
    ...  Run Keyword If  '${cert_type}' == 'Client'
    ...    Set Variable  /etc/nslcd/certs/cert.pem  phosphor-certificate-manager@nslcd.service
    ...    ${REDFISH_LDAP_CERTIFICATE_URI}
    ...  ELSE IF  '${cert_type}' == 'CA'
    ...    Set Variable  ${ROOT_CA_FILE_PATH}  phosphor-certificate-manager@authority.service
    ...    ${REDFISH_CA_CERTIFICATE_URI}

    ${file_status}  ${stderr}  ${rc}=  BMC Execute Command
    ...  [ -f ${certificate_file_path} ] && echo "Found" || echo "Not Found"

    Return From Keyword If  "${file_status}" != "Found"
    BMC Execute Command  rm ${certificate_file_path}
    BMC Execute Command  systemctl restart ${certificate_service}
    BMC Execute Command  systemctl daemon-reload
    Wait Until Keyword Succeeds  1 min  10 sec  Redfish.Get  ${certificate_uri}/1
    ...  valid_status_codes=[${HTTP_NOT_FOUND}, ${HTTP_INTERNAL_SERVER_ERROR}]


Delete All CA Certificate Via Redfish
    [Documentation]  Delete all CA certificate via Redfish.

    ${cert_list}=  Redfish_Utils.Get Member List  /redfish/v1/Managers/bmc/Truststore/Certificates
    FOR  ${cert}  IN  @{cert_list}
        Redfish.Delete  ${cert}  valid_status_codes=[${HTTP_NO_CONTENT}]
    END


Suite Setup Execution
    [Documentation]  Do suite setup tasks.

    # Create certificate sub-directory in current working directory.
    Create Directory  certificate_dir


Test Teardown Execution
    [Documentation]  Do the post test teardown.

    FFDC On Test Case Fail
    redfish.Logout