*** Settings ***
Documentation       Test certificate in OpenBMC.

# Shared project resources. The OperatingSystem keywords used further down are
# not imported in this file; presumably one of these resources pulls the
# library in -- confirm before trimming or reordering this list.
Resource            ../../lib/resource.robot
Resource            ../../lib/bmc_redfish_resource.robot
Resource            ../../lib/openbmc_ffdc.robot
Resource            ../../lib/certificate_utils.robot
# String provides Decode Bytes To String, used when PEM files are read back.
Library             String

Force Tags          Certificate_Test

Suite Setup         Suite Setup Execution
Test Teardown       Test Teardown Execution


*** Variables ***

# Placeholder that is not a valid key algorithm, key length or curve id; the
# negative CSR tests pass it in place of a real value.
${invalid_value}    abc


*** Test Cases ***

Verify Server Certificate Replace
    [Documentation]    Verify server certificate replace.
    [Tags]    Verify_Server_Certificate_Replace
    [Template]    Replace Certificate Via Redfish

    # Only the complete certificate/private-key pair is expected to be
    # accepted; every row with an empty half must be rejected.
    # cert_type    cert_format                           expected_status
    Server         Valid Certificate Valid Privatekey    ok
    Server         Empty Certificate Valid Privatekey    error
    Server         Valid Certificate Empty Privatekey    error
    Server         Empty Certificate Empty Privatekey    error


Verify Client Certificate Replace
    [Documentation]    Verify client certificate replace.
    [Tags]    Verify_Client_Certificate_Replace
    [Template]    Replace Certificate Via Redfish

    # The template installs a valid client certificate first, then attempts
    # the replacement described by each row.
    # cert_type    cert_format                           expected_status
    Client         Valid Certificate Valid Privatekey    ok
    Client         Empty Certificate Valid Privatekey    error
    Client         Valid Certificate Empty Privatekey    error
    Client         Empty Certificate Empty Privatekey    error


Verify CA Certificate Replace
    [Documentation]    Verify CA certificate replace.
    [Tags]    Verify_CA_Certificate_Replace
    [Template]    Replace Certificate Via Redfish

    # A CA entry carries no private key, so only the certificate half varies.
    # cert_type    cert_format          expected_status
    CA             Valid Certificate    ok
    CA             Empty Certificate    error


Verify Client Certificate Install
    [Documentation]    Verify client certificate install.
    [Tags]    Verify_Client_Certificate_Install
    [Template]    Install And Verify Certificate Via Redfish

    # Only the complete certificate/private-key pair is expected to install;
    # every row with an empty half must be rejected.
    # cert_type    cert_format                           expected_status
    Client         Valid Certificate Valid Privatekey    ok
    Client         Empty Certificate Valid Privatekey    error
    Client         Valid Certificate Empty Privatekey    error
    Client         Empty Certificate Empty Privatekey    error


Verify CA Certificate Install
    [Documentation]    Verify CA certificate install.
    [Tags]    Verify_CA_Certificate_Install
    [Template]    Install And Verify Certificate Via Redfish

    # A CA entry carries no private key, so only the certificate half varies.
    # cert_type    cert_format          expected_status
    CA             Valid Certificate    ok
    CA             Empty Certificate    error


Verify Server Certificate View Via Openssl
    [Documentation]    Verify server certificate via openssl command.
    [Tags]    Verify_Server_Certificate_View_Via_Openssl

    redfish.Login

    # Generate a certificate/key pair locally and read the PEM back as text.
    ${pem_path}=    Generate Certificate File Via Openssl    Valid Certificate Valid Privatekey
    ${pem_bytes}=    OperatingSystem.Get Binary File    ${pem_path}
    ${pem_text}=    Decode Bytes To String    ${pem_bytes}    UTF-8

    # ReplaceCertificate request aimed at HTTPS certificate entry 1.
    ${target}=    Create Dictionary
    ...    @odata.id=/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1
    ${request_body}=    Create Dictionary    CertificateString=${pem_text}
    ...    CertificateType=PEM    CertificateUri=${target}

    # NOTE(review): no valid_status_codes is given, so the default of
    # redfish.Post decides which responses count as success -- confirm that a
    # rejected replacement fails here rather than only in the openssl check.
    ${resp}=    redfish.Post    /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
    ...    body=${request_body}

    # Poll every 15 seconds, for up to 2 minutes, until the certificate that
    # was just uploaded is the one visible through openssl.
    Wait Until Keyword Succeeds    2 mins    15 secs    Verify Certificate Visible Via OpenSSL    ${pem_path}


Verify CSR Generation For Server Certificate
    [Documentation]    Verify CSR generation for server certificate.
    [Tags]    Verify_CSR_Generation_For_Server_Certificate
    [Template]    Generate CSR Via Redfish

    # RSA rows supply a key length and leave the curve empty; EC rows do the
    # opposite. The template drops the field that does not apply.
    # csr_type    key_pair_algorithm    key_bit_length    key_curv_id    expected_status
    Server        RSA                   ${2048}           ${EMPTY}       ok
    Server        EC                    ${EMPTY}          prime256v1     ok
    Server        EC                    ${EMPTY}          secp521r1      ok
    Server        EC                    ${EMPTY}          secp384r1      ok


Verify CSR Generation For Client Certificate
    [Documentation]    Verify CSR generation for client certificate.
    [Tags]    Verify_CSR_Generation_For_Client_Certificate
    [Template]    Generate CSR Via Redfish

    # RSA rows supply a key length and leave the curve empty; EC rows do the
    # opposite. The template drops the field that does not apply.
    # csr_type    key_pair_algorithm    key_bit_length    key_curv_id    expected_status
    Client        RSA                   ${2048}           ${EMPTY}       ok
    Client        EC                    ${EMPTY}          prime256v1     ok
    Client        EC                    ${EMPTY}          secp521r1      ok
    Client        EC                    ${EMPTY}          secp384r1      ok


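Verify CSR Generation For Server Certificate With Invalid Value
    [Documentation]    Verify error while generating CSR for server certificate with invalid value.
    [Tags]    Verify_CSR_Generation_For_Server_Certificate_With_Invalid_Value
    [Template]    Generate CSR Via Redfish

    # Each row makes exactly one field invalid (algorithm, RSA key length, EC
    # curve id) so a rejection can be attributed to that field alone.
    # csr_type    key_pair_algorithm    key_bit_length      key_curv_id         expected_status
    Server        ${invalid_value}      ${2048}             prime256v1          error
    # The algorithm has to be a valid "RSA" here: with a misspelt algorithm the
    # request is invalid for two reasons and the key-length check is not what
    # the row proves. This matches the client variant of this test.
    Server        RSA                   ${invalid_value}    ${EMPTY}            error
    Server        EC                    ${EMPTY}            ${invalid_value}    error

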
Verify CSR Generation For Client Certificate With Invalid Value
    [Documentation]    Verify error while generating CSR for client certificate with invalid value.
    [Tags]    Verify_CSR_Generation_For_Client_Certificate_With_Invalid_Value
    [Template]    Generate CSR Via Redfish

    # Each row makes exactly one field invalid (algorithm, RSA key length, EC
    # curve id) so a rejection can be attributed to that field alone.
    # csr_type    key_pair_algorithm    key_bit_length      key_curv_id         expected_status
    Client        ${invalid_value}      ${2048}             prime256v1          error
    Client        RSA                   ${invalid_value}    ${EMPTY}            error
    Client        EC                    ${EMPTY}            ${invalid_value}    error


*** Keywords ***

Install And Verify Certificate Via Redfish
    [Documentation]    Install and verify certificate using Redfish.
    [Arguments]    ${cert_type}    ${cert_format}    ${expected_status}

    # Description of argument(s):
    # cert_type           Certificate type ("Client" or "CA"); any other value
    #                     leaves the target URI unset.
    # cert_format         Certificate file format
    #                     (e.g. "Valid Certificate Valid Privatekey").
    # expected_status     Expected status of the certificate install request
    #                     (i.e. "ok" or "error").

    redfish.Login

    # Start from a clean slot: remove any certificate of this type first.
    Delete Certificate Via BMC CLI    ${cert_type}

    # Collection the certificate is installed into.
    ${target_uri}=    Set Variable If
    ...    '${cert_type}' == 'Client'    ${REDFISH_LDAP_CERTIFICATE_URI}
    ...    '${cert_type}' == 'CA'    ${REDFISH_CA_CERTIFICATE_URI}

    # -10 is passed for the "Expired Certificate" format and 365 otherwise;
    # presumably a validity period in days -- confirm in
    # Generate Certificate File Via Openssl.
    ${time_value}=    Set Variable If    '${cert_format}' == 'Expired Certificate'    -10    365
    ${local_pem}=    Generate Certificate File Via Openssl    ${cert_format}    ${time_value}
    ${pem_bytes}=    OperatingSystem.Get Binary File    ${local_pem}
    ${pem_text}=    Decode Bytes To String    ${pem_bytes}    UTF-8

    Install Certificate File On BMC    ${target_uri}    ${expected_status}    data=${pem_text}

    # Fixed delay after the install before the certificate is read back.
    Sleep    30s

    # Only the "ok" path reads entry 1 back; for "error" rows the HTTP status
    # checked inside Install Certificate File On BMC is the whole verdict.
    ${local_text}=    OperatingSystem.Get File    ${local_pem}
    ${installed_text}=    Run Keyword If    '${expected_status}' == 'ok'
    ...    redfish_utils.Get Attribute    ${target_uri}/1    CertificateString

    # The certificate reported by the BMC must appear inside the local file.
    Run Keyword If    '${expected_status}' == 'ok'
    ...    Should Contain    ${local_text}    ${installed_text}


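Install Certificate File On BMC
    [Documentation]    Install certificate file in BMC using POST operation.
    [Arguments]    ${uri}    ${status}=ok    &{kwargs}
    # Keyword teardown: the HTTP sessions are dropped even when the status
    # assertion below fails, instead of only on the success path.
    [Teardown]    Delete All Sessions

    # Description of argument(s):
    # uri         URI for installing certificate file via REST
    #             e.g. "/xyz/openbmc_project/certs/server/https".
    # status      Expected status of certificate installation via REST
    #             ("ok" or "error"); any other value fails the keyword.
    # kwargs      A dictionary of keys/values to be passed directly to
    #             POST Request. A "headers" entry is overwritten below.

    Initialize OpenBMC    quiet=${quiet}

    # The certificate is sent as a raw octet stream, authenticated with the
    # token in ${XAUTH_TOKEN} (presumably set by Initialize OpenBMC -- confirm).
    ${headers}=    Create Dictionary    Content-Type=application/octet-stream
    ...    X-Auth-Token=${XAUTH_TOKEN}
    Set To Dictionary    ${kwargs}    headers    ${headers}

    ${ret}=    Post Request    openbmc    ${uri}    &{kwargs}

    # NOTE(review): "error" pins HTTP 500 for input the BMC is expected to
    # reject; input validation would normally answer with a 4xx, so confirm
    # that 500 is the intended contract and not an unhandled failure.
    # An unknown status value used to skip the check silently; it now fails.
    Run Keyword If    '${status}' == 'ok'
    ...    Should Be Equal As Strings    ${ret.status_code}    ${HTTP_OK}
    ...    ELSE IF    '${status}' == 'error'
    ...    Should Be Equal As Strings    ${ret.status_code}    ${HTTP_INTERNAL_SERVER_ERROR}
    ...    ELSE
    ...    Fail    Unsupported expected status '${status}'; use 'ok' or 'error'.

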
Replace Certificate Via Redfish
    [Documentation]    Test 'replace certificate' operation in the BMC via Redfish.
    [Arguments]    ${cert_type}    ${cert_format}    ${expected_status}

    # Description of argument(s):
    # cert_type           Certificate type ("Server", "Client" or "CA").
    # cert_format         Certificate file format
    #                     (e.g. "Valid Certificate Valid Privatekey").
    # expected_status     Expected status of certificate replace Redfish
    #                     request (i.e. "ok" or "error").

    # A client or CA certificate has to exist before it can be replaced, so a
    # known-good one is installed first. Server certificates skip this step.
    Run Keyword If    '${cert_type}' == 'Client'
    ...    Install And Verify Certificate Via Redfish    ${cert_type}    Valid Certificate Valid Privatekey    ok
    ...    ELSE IF    '${cert_type}' == 'CA'
    ...    Install And Verify Certificate Via Redfish    ${cert_type}    Valid Certificate    ok

    redfish.Login

    # Entry 1 of the collection that matches the certificate type.
    ${target_uri}=    Set Variable If
    ...    '${cert_type}' == 'Server'    ${REDFISH_HTTPS_CERTIFICATE_URI}/1
    ...    '${cert_type}' == 'Client'    ${REDFISH_LDAP_CERTIFICATE_URI}/1
    ...    '${cert_type}' == 'CA'    ${REDFISH_CA_CERTIFICATE_URI}/1

    # NOTE(review): "error" pins HTTP 500 for input the BMC is expected to
    # reject; input validation would normally answer with a 4xx, so confirm
    # that 500 is the intended contract and not an unhandled failure.
    ${wanted_code}=    Set Variable If    '${expected_status}' == 'ok'    ${HTTP_OK}
    ...    '${expected_status}' == 'error'    ${HTTP_INTERNAL_SERVER_ERROR}

    # -10 is passed for the "Expired Certificate" format and 365 otherwise.
    ${time_value}=    Set Variable If    '${cert_format}' == 'Expired Certificate'    -10    365
    ${local_pem}=    Generate Certificate File Via Openssl    ${cert_format}    ${time_value}

    ${pem_bytes}=    OperatingSystem.Get Binary File    ${local_pem}
    ${pem_text}=    Decode Bytes To String    ${pem_bytes}    UTF-8

    ${target}=    Create Dictionary    @odata.id=${target_uri}
    ${request_body}=    Create Dictionary    CertificateString=${pem_text}
    ...    CertificateType=PEM    CertificateUri=${target}

    ${resp}=    redfish.Post    /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
    ...    body=${request_body}    valid_status_codes=[${wanted_code}]

    # Read the certificate the BMC now reports and compare it with the file
    # that was submitted.
    ${local_text}=    OperatingSystem.Get File    ${local_pem}
    ${installed_text}=    redfish_utils.Get Attribute    ${target_uri}    CertificateString

    # "ok": the reported certificate must appear in the submitted file.
    # "error" (any other value, in fact): it must not, i.e. the rejected
    # upload did not take effect.
    Run Keyword If    '${expected_status}' == 'ok'
    ...    Should Contain    ${local_text}    ${installed_text}
    ...    ELSE
    ...    Should Not Contain    ${local_text}    ${installed_text}


Generate CSR Via Redfish
    [Documentation]    Generate CSR using Redfish.
    [Arguments]    ${cert_type}    ${key_pair_algorithm}    ${key_bit_length}    ${key_curv_id}    ${expected_status}

    # Description of argument(s):
    # cert_type           Certificate type ("Server" or "Client").
    # key_pair_algorithm  CSR key pair algorithm ("EC" or "RSA").
    # key_bit_length      CSR key bit length ("2048").
    # key_curv_id         CSR key curve id ("prime256v1" or "secp521r1" or "secp384r1").
    # expected_status     Expected status of the GenerateCSR Redfish
    #                     request ("ok" or "error").

    redfish.Login

    # Certificate collection the CSR is generated for.
    ${collection_uri}=    Set Variable If
    ...    '${cert_type}' == 'Server'    ${REDFISH_HTTPS_CERTIFICATE_URI}/
    ...    '${cert_type}' == 'Client'    ${REDFISH_LDAP_CERTIFICATE_URI}/

    ${collection}=    Create Dictionary    @odata.id=${collection_uri}
    ${request_body}=    Create Dictionary
    ...    City=Austin    CertificateCollection=${collection}
    ...    CommonName=${OPENBMC_HOST}    Country=US    Organization=IBM
    ...    OrganizationalUnit=ISL    State=AU
    ...    KeyBitLength=${key_bit_length}
    ...    KeyPairAlgorithm=${key_pair_algorithm}    KeyCurveId=${key_curv_id}

    # Drop the key field that does not apply to the chosen algorithm. For any
    # other algorithm value both fields stay in the request.
    Run Keyword If    '${key_pair_algorithm}' == 'EC'
    ...    Remove From Dictionary    ${request_body}    KeyBitLength
    ...    ELSE IF    '${key_pair_algorithm}' == 'RSA'
    ...    Remove From Dictionary    ${request_body}    KeyCurveId

    # For "error" the value is the text of two codes separated by a comma,
    # which the [ ] below turns into a two-entry list of accepted codes.
    ${wanted_codes}=    Set Variable If    '${expected_status}' == 'ok'    ${HTTP_OK}
    ...    '${expected_status}' == 'error'    ${HTTP_INTERNAL_SERVER_ERROR}, ${HTTP_BAD_REQUEST}

    # NOTE(review): the response is never inspected, so an "ok" row proves
    # only the HTTP status, not that a CSR was actually returned -- consider
    # checking the response body.
    ${resp}=    redfish.Post    /redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR
    ...    body=${request_body}    valid_status_codes=[${wanted_codes}]

    # Delay between two consecutive CSR generation requests.
    Sleep    5s


Delete Certificate Via BMC CLI
    [Documentation]    Delete certificate via BMC CLI.
    [Arguments]    ${cert_type}

    # Description of argument(s):
    # cert_type           Certificate type ("Client" or "CA").

    # Per type: the certificate file on the BMC, the certificate-manager
    # service unit that owns it, and the matching Redfish collection URI.
    ${pem_on_bmc}    ${manager_unit}    ${collection_uri}=
    ...    Run Keyword If    '${cert_type}' == 'Client'
    ...    Set Variable    /etc/nslcd/certs/cert.pem    phosphor-certificate-manager@nslcd.service
    ...    ${REDFISH_LDAP_CERTIFICATE_URI}
    ...    ELSE IF    '${cert_type}' == 'CA'
    ...    Set Variable    /etc/ssl/certs/Root-CA.pem    phosphor-certificate-manager@authority.service
    ...    ${REDFISH_CA_CERTIFICATE_URI}

    # Nothing to do when the file is absent.
    ${probe}    ${stderr}    ${rc}=    BMC Execute Command
    ...    [ -f ${pem_on_bmc} ] && echo "Found" || echo "Not Found"
    Return From Keyword If    "${probe}" != "Found"

    # Remove the file and restart the owning service.
    BMC Execute Command    rm ${pem_on_bmc}
    BMC Execute Command    systemctl restart ${manager_unit}

    # Poll every 10 seconds, for up to 1 minute, until entry 1 answers with
    # HTTP 500, which this keyword treats as "certificate gone".
    # NOTE(review): a missing resource would normally be a 404 -- confirm
    # that 500 is the intended response here.
    Wait Until Keyword Succeeds    1 min    10 sec
    ...    Redfish.Get    ${collection_uri}/1    valid_status_codes=[${HTTP_INTERNAL_SERVER_ERROR}]


Suite Setup Execution
    [Documentation]    Do suite setup tasks.

    # Create the certificate_dir sub-directory in the current working
    # directory.
    # NOTE(review): presumably the generated certificate and private-key files
    # are written here; nothing in this suite deletes them afterwards --
    # confirm whether a suite teardown should remove the key material.
    Create Directory    certificate_dir


Test Teardown Execution
    [Documentation]    Do the post test teardown.

    # Collect failure data first (when the test failed), then end the Redfish
    # session opened by the test.
    FFDC On Test Case Fail
    redfish.Logout
