1*** Settings *** 2Documentation Test certificate in OpenBMC. 3 4Resource ../../lib/resource.robot 5Resource ../../lib/bmc_redfish_resource.robot 6Resource ../../lib/openbmc_ffdc.robot 7Resource ../../lib/certificate_utils.robot 8Library String 9 10Force Tags Certificate_Test 11 12Suite Setup Suite Setup Execution 13Test Teardown Test Teardown Execution 14 15 16*** Variables *** 17 18${invalid_value} abc 19${ROOT_CA_FILE_PATH} /etc/ssl/certs/authority/* 20 21 22** Test Cases ** 23 24Verify Server Certificate Replace 25 [Documentation] Verify server certificate replace. 26 [Tags] Verify_Server_Certificate_Replace 27 [Template] Replace Certificate Via Redfish 28 29 # cert_type cert_format expected_status 30 Server Valid Certificate Valid Privatekey ok 31 Server Empty Certificate Valid Privatekey error 32 Server Valid Certificate Empty Privatekey error 33 Server Empty Certificate Empty Privatekey error 34 35 36Verify Client Certificate Replace 37 [Documentation] Verify client certificate replace. 38 [Tags] Verify_Client_Certificate_Replace 39 [Template] Replace Certificate Via Redfish 40 41 # cert_type cert_format expected_status 42 Client Valid Certificate Valid Privatekey ok 43 Client Empty Certificate Valid Privatekey error 44 Client Valid Certificate Empty Privatekey error 45 Client Empty Certificate Empty Privatekey error 46 47 48Verify CA Certificate Replace 49 [Documentation] Verify CA certificate replace. 50 [Tags] Verify_CA_Certificate_Replace 51 [Template] Replace Certificate Via Redfish 52 53 # cert_type cert_format expected_status 54 CA Valid Certificate ok 55 CA Empty Certificate error 56 57 58Verify Client Certificate Install 59 [Documentation] Verify client certificate install. 60 [Tags] Verify_Client_Certificate_Install 61 [Template] Install And Verify Certificate Via Redfish 62 63 # cert_type cert_format expected_status 64 Client Valid Certificate Valid Privatekey ok 65 Client Empty Certificate Valid Privatekey error 66 Client Valid Certificate Empty Privatekey error 67 Client Empty Certificate Empty Privatekey error 68 69 70Verify CA Certificate Install 71 [Documentation] Verify CA certificate install. 72 [Tags] Verify_CA_Certificate_Install 73 [Template] Install And Verify Certificate Via Redfish 74 75 # cert_type cert_format expected_status 76 CA Valid Certificate ok 77 CA Empty Certificate error 78 79 80Verify Server Certificate View Via Openssl 81 [Documentation] Verify server certificate via openssl command. 82 [Tags] Verify_Server_Certificate_View_Via_Openssl 83 84 redfish.Login 85 86 ${cert_file_path}= Generate Certificate File Via Openssl Valid Certificate Valid Privatekey 87 ${bytes}= OperatingSystem.Get Binary File ${cert_file_path} 88 ${file_data}= Decode Bytes To String ${bytes} UTF-8 89 90 ${certificate_dict}= Create Dictionary 91 ... @odata.id=/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1 92 ${payload}= Create Dictionary CertificateString=${file_data} 93 ... CertificateType=PEM CertificateUri=${certificate_dict} 94 95 ${resp}= redfish.Post /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate 96 ... body=${payload} 97 98 Wait Until Keyword Succeeds 2 mins 15 secs Verify Certificate Visible Via OpenSSL ${cert_file_path} 99 100 101Verify CSR Generation For Server Certificate 102 [Documentation] Verify CSR generation for server certificate. 103 [Tags] Verify_CSR_Generation_For_Server_Certificate 104 [Template] Generate CSR Via Redfish 105 106 # csr_type key_pair_algorithm key_bit_length key_curv_id expected_status 107 Server RSA ${2048} ${EMPTY} ok 108 Server EC ${EMPTY} prime256v1 ok 109 Server EC ${EMPTY} secp521r1 ok 110 Server EC ${EMPTY} secp384r1 ok 111 112 113Verify CSR Generation For Client Certificate 114 [Documentation] Verify CSR generation for client certificate. 115 [Tags] Verify_CSR_Generation_For_Client_Certificate 116 [Template] Generate CSR Via Redfish 117 118 # csr_type key_pair_algorithm key_bit_length key_curv_id expected_status 119 Client RSA ${2048} ${EMPTY} ok 120 Client EC ${EMPTY} prime256v1 ok 121 Client EC ${EMPTY} secp521r1 ok 122 Client EC ${EMPTY} secp384r1 ok 123 124 125Verify CSR Generation For Server Certificate With Invalid Value 126 [Documentation] Verify error while generating CSR for server certificate with invalid value. 127 [Tags] Verify_CSR_Generation_For_Server_Certificate_With_Invalid_Value 128 [Template] Generate CSR Via Redfish 129 130 # csr_type key_pair_algorithm key_bit_length key_curv_id expected_status 131 Server ${invalid_value} ${2048} prime256v1 error 132 Server RAS ${invalid_value} ${EMPTY} error 133 Server EC ${EMPTY} ${invalid_value} error 134 135 136Verify CSR Generation For Client Certificate With Invalid Value 137 [Documentation] Verify error while generating CSR for client certificate with invalid value. 138 [Tags] Verify_CSR_Generation_For_Client_Certificate_With_Invalid_Value 139 [Template] Generate CSR Via Redfish 140 141 Client ${invalid_value} ${2048} prime256v1 error 142 Client RSA ${invalid_value} ${EMPTY} error 143 Client EC ${EMPTY} ${invalid_value} error 144 145 146*** Keywords *** 147 148Install And Verify Certificate Via Redfish 149 [Documentation] Install and verify certificate using Redfish. 150 [Arguments] ${cert_type} ${cert_format} ${expected_status} 151 152 # Description of argument(s): 153 # cert_type Certificate type (e.g. "Client" or "CA"). 154 # cert_format Certificate file format 155 # (e.g. "Valid_Certificate_Valid_Privatekey"). 156 # expected_status Expected status of certificate replace Redfish 157 # request (i.e. "ok" or "error"). 158 159 redfish.Login 160 Delete Certificate Via BMC CLI ${cert_type} 161 162 ${time}= Set Variable If '${cert_format}' == 'Expired Certificate' -10 365 163 ${cert_file_path}= Generate Certificate File Via Openssl ${cert_format} ${time} 164 ${bytes}= OperatingSystem.Get Binary File ${cert_file_path} 165 ${file_data}= Decode Bytes To String ${bytes} UTF-8 166 167 ${certificate_uri}= Set Variable If 168 ... '${cert_type}' == 'Client' ${REDFISH_LDAP_CERTIFICATE_URI} 169 ... '${cert_type}' == 'CA' ${REDFISH_CA_CERTIFICATE_URI} 170 171 ${cert_id}= Install Certificate File On BMC ${certificate_uri} ${expected_status} data=${file_data} 172 Logging Installed certificate id: ${cert_id} 173 174 # Adding delay after certificate installation. 175 Sleep 30s 176 177 ${cert_file_content}= OperatingSystem.Get File ${cert_file_path} 178 ${bmc_cert_content}= Run Keyword If '${expected_status}' == 'ok' redfish_utils.Get Attribute 179 ... ${certificate_uri}/${cert_id} CertificateString 180 181 Run Keyword If '${expected_status}' == 'ok' Should Contain ${cert_file_content} ${bmc_cert_content} 182 183 184Install Certificate File On BMC 185 [Documentation] Install certificate file in BMC using POST operation. 186 [Arguments] ${uri} ${status}=ok &{kwargs} 187 188 # Description of argument(s): 189 # uri URI for installing certificate file via REST 190 # e.g. "/xyz/openbmc_project/certs/server/https". 191 # status Expected status of certificate installation via REST 192 # e.g. error, ok. 193 # kwargs A dictionary of keys/values to be passed directly to 194 # POST Request. 195 196 Initialize OpenBMC quiet=${quiet} 197 198 ${headers}= Create Dictionary Content-Type=application/octet-stream 199 ... X-Auth-Token=${XAUTH_TOKEN} 200 Set To Dictionary ${kwargs} headers ${headers} 201 202 ${ret}= Post Request openbmc ${uri} &{kwargs} 203 ${content_json}= To JSON ${ret.content} 204 ${cert_id}= Set Variable If '${ret.status_code}' == '${HTTP_OK}' ${content_json["Id"]} -1 205 206 Run Keyword If '${status}' == 'ok' 207 ... Should Be Equal As Strings ${ret.status_code} ${HTTP_OK} 208 ... ELSE IF '${status}' == 'error' 209 ... Should Be Equal As Strings ${ret.status_code} ${HTTP_INTERNAL_SERVER_ERROR} 210 211 Delete All Sessions 212 213 [Return] ${cert_id} 214 215Replace Certificate Via Redfish 216 [Documentation] Test 'replace certificate' operation in the BMC via Redfish. 217 [Arguments] ${cert_type} ${cert_format} ${expected_status} 218 219 # Description of argument(s): 220 # cert_type Certificate type (e.g. "Server" or "Client"). 221 # cert_format Certificate file format 222 # (e.g. Valid_Certificate_Valid_Privatekey). 223 # expected_status Expected status of certificate replace Redfish 224 # request (i.e. "ok" or "error"). 225 226 # Install certificate before replacing client or CA certificate. 227 Run Keyword If '${cert_type}' == 'Client' 228 ... Install And Verify Certificate Via Redfish ${cert_type} Valid Certificate Valid Privatekey ok 229 ... ELSE IF '${cert_type}' == 'CA' 230 ... Install And Verify Certificate Via Redfish ${cert_type} Valid Certificate ok 231 232 redfish.Login 233 234 ${time}= Set Variable If '${cert_format}' == 'Expired Certificate' -10 365 235 ${cert_file_path}= Generate Certificate File Via Openssl ${cert_format} ${time} 236 237 ${bytes}= OperatingSystem.Get Binary File ${cert_file_path} 238 ${file_data}= Decode Bytes To String ${bytes} UTF-8 239 240 ${certificate_uri}= Set Variable If 241 ... '${cert_type}' == 'Server' ${REDFISH_HTTPS_CERTIFICATE_URI}/1 242 ... '${cert_type}' == 'Client' ${REDFISH_LDAP_CERTIFICATE_URI}/1 243 ... '${cert_type}' == 'CA' ${REDFISH_CA_CERTIFICATE_URI}/1 244 245 ${certificate_dict}= Create Dictionary @odata.id=${certificate_uri} 246 ${payload}= Create Dictionary CertificateString=${file_data} 247 ... CertificateType=PEM CertificateUri=${certificate_dict} 248 249 ${expected_resp}= Set Variable If '${expected_status}' == 'ok' ${HTTP_OK} 250 ... '${expected_status}' == 'error' ${HTTP_INTERNAL_SERVER_ERROR} 251 ${resp}= redfish.Post /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate 252 ... body=${payload} valid_status_codes=[${expected_resp}] 253 254 ${cert_file_content}= OperatingSystem.Get File ${cert_file_path} 255 ${bmc_cert_content}= redfish_utils.Get Attribute ${certificate_uri} CertificateString 256 257 Run Keyword If '${expected_status}' == 'ok' 258 ... Should Contain ${cert_file_content} ${bmc_cert_content} 259 ... ELSE 260 ... Should Not Contain ${cert_file_content} ${bmc_cert_content} 261 262 263Generate CSR Via Redfish 264 [Documentation] Generate CSR using Redfish. 265 [Arguments] ${cert_type} ${key_pair_algorithm} ${key_bit_length} ${key_curv_id} ${expected_status} 266 267 # Description of argument(s): 268 # cert_type Certificate type ("Server" or "Client"). 269 # key_pair_algorithm CSR key pair algorithm ("EC" or "RSA") 270 # key_bit_length CSR key bit length ("2048"). 271 # key_curv_id CSR key curv id ("prime256v1" or "secp521r1" or "secp384r1"). 272 # expected_status Expected status of certificate replace Redfish 273 # request ("ok" or "error"). 274 275 redfish.Login 276 277 ${certificate_uri}= Set Variable If 278 ... '${cert_type}' == 'Server' ${REDFISH_HTTPS_CERTIFICATE_URI}/ 279 ... '${cert_type}' == 'Client' ${REDFISH_LDAP_CERTIFICATE_URI}/ 280 281 ${certificate_dict}= Create Dictionary @odata.id=${certificate_uri} 282 ${payload}= Create Dictionary City=Austin CertificateCollection=${certificate_dict} 283 ... CommonName=${OPENBMC_HOST} Country=US Organization=IBM 284 ... OrganizationalUnit=ISL State=AU KeyBitLength=${key_bit_length} 285 ... KeyPairAlgorithm=${key_pair_algorithm} KeyCurveId=${key_curv_id} 286 287 # Remove not applicable field for CSR generation. 288 Run Keyword If '${key_pair_algorithm}' == 'EC' Remove From Dictionary ${payload} KeyBitLength 289 ... ELSE IF '${key_pair_algorithm}' == 'RSA' Remove From Dictionary ${payload} KeyCurveId 290 291 ${expected_resp}= Set Variable If '${expected_status}' == 'ok' ${HTTP_OK} 292 ... '${expected_status}' == 'error' ${HTTP_INTERNAL_SERVER_ERROR}, ${HTTP_BAD_REQUEST} 293 ${resp}= redfish.Post /redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR 294 ... body=${payload} valid_status_codes=[${expected_resp}] 295 296 # Delay added between two CSR generation request. 297 Sleep 5s 298 299 300Delete Certificate Via BMC CLI 301 [Documentation] Delete certificate via BMC CLI. 302 [Arguments] ${cert_type} 303 304 # Description of argument(s): 305 # cert_type Certificate type (e.g. "Client" or "CA"). 306 307 ${certificate_file_path} ${certificate_service} ${certificate_uri}= 308 ... Run Keyword If '${cert_type}' == 'Client' 309 ... Set Variable /etc/nslcd/certs/cert.pem phosphor-certificate-manager@nslcd.service 310 ... ${REDFISH_LDAP_CERTIFICATE_URI} 311 ... ELSE IF '${cert_type}' == 'CA' 312 ... Set Variable ${ROOT_CA_FILE_PATH} phosphor-certificate-manager@authority.service 313 ... ${REDFISH_CA_CERTIFICATE_URI} 314 315 ${file_status} ${stderr} ${rc}= BMC Execute Command 316 ... [ -f ${certificate_file_path} ] && echo "Found" || echo "Not Found" 317 318 Return From Keyword If "${file_status}" != "Found" 319 BMC Execute Command rm ${certificate_file_path} 320 BMC Execute Command systemctl restart ${certificate_service} 321 BMC Execute Command systemctl daemon-reload 322 Wait Until Keyword Succeeds 1 min 10 sec Redfish.Get ${certificate_uri}/1 323 ... valid_status_codes=[${HTTP_NOT_FOUND}, ${HTTP_INTERNAL_SERVER_ERROR}] 324 325 326Suite Setup Execution 327 [Documentation] Do suite setup tasks. 328 329 # Create certificate sub-directory in current working directory. 330 Create Directory certificate_dir 331 332 333Test Teardown Execution 334 [Documentation] Do the post test teardown. 335 336 FFDC On Test Case Fail 337 redfish.Logout 338