*** Settings ***
Documentation    Test certificate in OpenBMC.

Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot
Resource         ../../lib/certificate_utils.robot
Library          String

Force Tags       Certificate_Test

Suite Setup      Suite Setup Execution
Test Teardown    Test Teardown Execution


*** Variables ***

${invalid_value}        abc
${ROOT_CA_FILE_PATH}    /etc/ssl/certs/authority/*


*** Test Cases ***

Verify Server Certificate Replace
    [Documentation]  Verify server certificate replace.
    [Tags]  Verify_Server_Certificate_Replace
    [Template]  Replace Certificate Via Redfish

    # cert_type  cert_format                         expected_status
    Server       Valid Certificate Valid Privatekey  ok
    Server       Empty Certificate Valid Privatekey  error
    Server       Valid Certificate Empty Privatekey  error
    Server       Empty Certificate Empty Privatekey  error


Verify Client Certificate Replace
    [Documentation]  Verify client certificate replace.
    [Tags]  Verify_Client_Certificate_Replace
    [Template]  Replace Certificate Via Redfish

    # cert_type  cert_format                         expected_status
    Client       Valid Certificate Valid Privatekey  ok
    Client       Empty Certificate Valid Privatekey  error
    Client       Valid Certificate Empty Privatekey  error
    Client       Empty Certificate Empty Privatekey  error


Verify CA Certificate Replace
    [Documentation]  Verify CA certificate replace.
    [Tags]  Verify_CA_Certificate_Replace
    [Template]  Replace Certificate Via Redfish

    # cert_type  cert_format        expected_status
    CA           Valid Certificate  ok
    CA           Empty Certificate  error


Verify Client Certificate Install
    [Documentation]  Verify client certificate install.
    [Tags]  Verify_Client_Certificate_Install
    [Template]  Install And Verify Certificate Via Redfish

    # cert_type  cert_format                         expected_status
    Client       Valid Certificate Valid Privatekey  ok
    Client       Empty Certificate Valid Privatekey  error
    Client       Valid Certificate Empty Privatekey  error
    Client       Empty Certificate Empty Privatekey  error


Verify CA Certificate Install
    [Documentation]  Verify CA certificate install.
    [Tags]  Verify_CA_Certificate_Install
    [Template]  Install And Verify Certificate Via Redfish

    # cert_type  cert_format        expected_status
    CA           Valid Certificate  ok
    CA           Empty Certificate  error


Verify Maximum CA Certificate Install
    [Documentation]  Verify maximum CA certificate install.
    [Tags]  Verify_Maximum_CA_Certificate_Install
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Delete All CA Certificate Via Redfish

    # Get CA certificate count from BMC.
    redfish.Login
    ${cert_list}=  Redfish_Utils.Get Member List  /redfish/v1/Managers/bmc/Truststore/Certificates
    ${cert_count}=  Get Length  ${cert_list}

    # Install CA certificate to reach maximum count of 10.
    FOR  ${INDEX}  IN RANGE  ${cert_count}  10
      Install And Verify Certificate Via Redfish  CA  Valid Certificate  ok  ${FALSE}
      ${cert_count}=  Evaluate  ${cert_count} + 1
    END

    # Verify error while installing 11th CA certificate.
    Install And Verify Certificate Via Redfish  CA  Valid Certificate  error  ${FALSE}


Verify Error While Uploding Same CA Certificate
    [Documentation]  Verify error while uploading same CA certificate two times.
    [Tags]  Verify_Error_While_Uploding_Same_CA_Certificate

    # Create certificate file for uploading.
    ${cert_file_path}=  Generate Certificate File Via Openssl  Valid Certificate  365
    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8

    # Install CA certificate.
    Install Certificate File On BMC  ${REDFISH_CA_CERTIFICATE_URI}  ok  data=${file_data}

    # Adding delay after certificate installation.
    Sleep  30s

    # Check error while uploading same certificate.
    Install Certificate File On BMC  ${REDFISH_CA_CERTIFICATE_URI}  error  data=${file_data}


Verify Server Certificate View Via Openssl
    [Documentation]  Verify server certificate via openssl command.
    [Tags]  Verify_Server_Certificate_View_Via_Openssl

    redfish.Login

    ${cert_file_path}=  Generate Certificate File Via Openssl  Valid Certificate Valid Privatekey
    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8

    ${certificate_dict}=  Create Dictionary
    ...  @odata.id=/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1
    ${payload}=  Create Dictionary  CertificateString=${file_data}
    ...  CertificateType=PEM  CertificateUri=${certificate_dict}

    ${resp}=  redfish.Post  /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
    ...  body=${payload}

    # The HTTPS service needs time to pick up the new certificate, so poll for it.
    Wait Until Keyword Succeeds  2 mins  15 secs  Verify Certificate Visible Via OpenSSL  ${cert_file_path}


Verify CSR Generation For Server Certificate
    [Documentation]  Verify CSR generation for server certificate.
    [Tags]  Verify_CSR_Generation_For_Server_Certificate
    [Template]  Generate CSR Via Redfish

    # csr_type  key_pair_algorithm  key_bit_length  key_curv_id  expected_status
    Server      RSA                 ${2048}         ${EMPTY}     ok
    Server      EC                  ${EMPTY}        prime256v1   ok
    Server      EC                  ${EMPTY}        secp521r1    ok
    Server      EC                  ${EMPTY}        secp384r1    ok


Verify CSR Generation For Client Certificate
    [Documentation]  Verify CSR generation for client certificate.
    [Tags]  Verify_CSR_Generation_For_Client_Certificate
    [Template]  Generate CSR Via Redfish

    # csr_type  key_pair_algorithm  key_bit_length  key_curv_id  expected_status
    Client      RSA                 ${2048}         ${EMPTY}     ok
    Client      EC                  ${EMPTY}        prime256v1   ok
    Client      EC                  ${EMPTY}        secp521r1    ok
    Client      EC                  ${EMPTY}        secp384r1    ok


Verify CSR Generation For Server Certificate With Invalid Value
    [Documentation]  Verify error while generating CSR for server certificate with invalid value.
    [Tags]  Verify_CSR_Generation_For_Server_Certificate_With_Invalid_Value
    [Template]  Generate CSR Via Redfish

    # Each row makes exactly one field invalid: algorithm, key bit length, curve ID.
    # csr_type  key_pair_algorithm  key_bit_length    key_curv_id       expected_status
    Server      ${invalid_value}    ${2048}           prime256v1        error
    Server      RSA                 ${invalid_value}  ${EMPTY}          error
    Server      EC                  ${EMPTY}          ${invalid_value}  error


Verify CSR Generation For Client Certificate With Invalid Value
    [Documentation]  Verify error while generating CSR for client certificate with invalid value.
    [Tags]  Verify_CSR_Generation_For_Client_Certificate_With_Invalid_Value
    [Template]  Generate CSR Via Redfish

    # csr_type  key_pair_algorithm  key_bit_length    key_curv_id       expected_status
    Client      ${invalid_value}    ${2048}           prime256v1        error
    Client      RSA                 ${invalid_value}  ${EMPTY}          error
    Client      EC                  ${EMPTY}          ${invalid_value}  error


Verify Expired Client Certificate Install
    [Documentation]  Verify installation of expired client certificate.
    [Tags]  Verify_Expired_Client_Certificate_Install

    Install And Verify Certificate Via Redfish  Client  Expired Certificate  error


Verify Expired CA Certificate Install
    [Documentation]  Verify installation of expired CA certificate.
    [Tags]  Verify_Expired_CA_Certificate_Install

    Install And Verify Certificate Via Redfish  CA  Expired Certificate  error


*** Keywords ***

Install And Verify Certificate Via Redfish
    [Documentation]  Install and verify certificate using Redfish.
    [Arguments]  ${cert_type}  ${cert_format}  ${expected_status}  ${delete_cert}=${True}

    # Description of argument(s):
    # cert_type           Certificate type (e.g. "Client" or "CA").
    # cert_format         Certificate file format
    #                     (e.g. "Valid_Certificate_Valid_Privatekey").
    # expected_status     Expected status of certificate install Redfish
    #                     request (i.e. "ok" or "error").
    # delete_cert         Certificate will be deleted before installing if this is True.

    redfish.Login
    Run Keyword If  '${cert_type}' == 'CA' and '${delete_cert}' == '${True}'
    ...  Delete All CA Certificate Via Redfish
    ...  ELSE IF  '${cert_type}' == 'Client' and '${delete_cert}' == '${True}'
    ...  Delete Certificate Via BMC CLI  ${cert_type}

    # An expired certificate is generated with a negative validity value.
    ${time}=  Set Variable If  '${cert_format}' == 'Expired Certificate'  -10  365
    ${cert_file_path}=  Generate Certificate File Via Openssl  ${cert_format}  ${time}
    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8

    ${certificate_uri}=  Set Variable If
    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}
    ...  '${cert_type}' == 'CA'  ${REDFISH_CA_CERTIFICATE_URI}

    ${cert_id}=  Install Certificate File On BMC  ${certificate_uri}  ${expected_status}  data=${file_data}
    Logging  Installed certificate id: ${cert_id}

    # Adding delay after certificate installation.
    Sleep  30s

    # On success, the certificate read back from the BMC must match the uploaded file.
    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}
    ${bmc_cert_content}=  Run Keyword If  '${expected_status}' == 'ok'  redfish_utils.Get Attribute
    ...  ${certificate_uri}/${cert_id}  CertificateString

    Run Keyword If  '${expected_status}' == 'ok'  Should Contain  ${cert_file_content}  ${bmc_cert_content}
    [Return]  ${cert_id}


Replace Certificate Via Redfish
    [Documentation]  Test 'replace certificate' operation in the BMC via Redfish.
    [Arguments]  ${cert_type}  ${cert_format}  ${expected_status}

    # Description of argument(s):
    # cert_type           Certificate type (e.g. "Server" or "Client").
    # cert_format         Certificate file format
    #                     (e.g. Valid_Certificate_Valid_Privatekey).
    # expected_status     Expected status of certificate replace Redfish
    #                     request (i.e. "ok" or "error").

    # Install certificate before replacing client or CA certificate.
    ${cert_id}=  Run Keyword If  '${cert_type}' == 'Client'
    ...    Install And Verify Certificate Via Redfish  ${cert_type}  Valid Certificate Valid Privatekey  ok
    ...  ELSE IF  '${cert_type}' == 'CA'
    ...    Install And Verify Certificate Via Redfish  ${cert_type}  Valid Certificate  ok

    redfish.Login

    ${time}=  Set Variable If  '${cert_format}' == 'Expired Certificate'  -10  365
    ${cert_file_path}=  Generate Certificate File Via Openssl  ${cert_format}  ${time}

    ${bytes}=  OperatingSystem.Get Binary File  ${cert_file_path}
    ${file_data}=  Decode Bytes To String  ${bytes}  UTF-8

    ${certificate_uri}=  Set Variable If
    ...  '${cert_type}' == 'Server'  ${REDFISH_HTTPS_CERTIFICATE_URI}/1
    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}/1
    ...  '${cert_type}' == 'CA'  ${REDFISH_CA_CERTIFICATE_URI}/${cert_id}

    ${certificate_dict}=  Create Dictionary  @odata.id=${certificate_uri}
    ${payload}=  Create Dictionary  CertificateString=${file_data}
    ...  CertificateType=PEM  CertificateUri=${certificate_dict}

    ${expected_resp}=  Set Variable If  '${expected_status}' == 'ok'  ${HTTP_OK}
    ...  '${expected_status}' == 'error'  ${HTTP_NOT_FOUND}, ${HTTP_INTERNAL_SERVER_ERROR}
    ${resp}=  redfish.Post  /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
    ...  body=${payload}  valid_status_codes=[${expected_resp}]

    # A rejected replace must leave the previously installed certificate in place.
    ${cert_file_content}=  OperatingSystem.Get File  ${cert_file_path}
    ${bmc_cert_content}=  redfish_utils.Get Attribute  ${certificate_uri}  CertificateString

    Run Keyword If  '${expected_status}' == 'ok'
    ...    Should Contain  ${cert_file_content}  ${bmc_cert_content}
    ...  ELSE
    ...    Should Not Contain  ${cert_file_content}  ${bmc_cert_content}


Generate CSR Via Redfish
    [Documentation]  Generate CSR using Redfish.
    [Arguments]  ${cert_type}  ${key_pair_algorithm}  ${key_bit_length}  ${key_curv_id}  ${expected_status}

    # Description of argument(s):
    # cert_type           Certificate type ("Server" or "Client").
    # key_pair_algorithm  CSR key pair algorithm ("EC" or "RSA").
    # key_bit_length      CSR key bit length ("2048").
    # key_curv_id         CSR key curve ID ("prime256v1" or "secp521r1" or "secp384r1").
    # expected_status     Expected status of the CSR generation Redfish
    #                     request ("ok" or "error").

    redfish.Login

    ${certificate_uri}=  Set Variable If
    ...  '${cert_type}' == 'Server'  ${REDFISH_HTTPS_CERTIFICATE_URI}/
    ...  '${cert_type}' == 'Client'  ${REDFISH_LDAP_CERTIFICATE_URI}/

    ${certificate_dict}=  Create Dictionary  @odata.id=${certificate_uri}
    ${payload}=  Create Dictionary  City=Austin  CertificateCollection=${certificate_dict}
    ...  CommonName=${OPENBMC_HOST}  Country=US  Organization=IBM
    ...  OrganizationalUnit=ISL  State=AU  KeyBitLength=${key_bit_length}
    ...  KeyPairAlgorithm=${key_pair_algorithm}  KeyCurveId=${key_curv_id}

    # Remove the field that does not apply to the chosen key pair algorithm.
    Run Keyword If  '${key_pair_algorithm}' == 'EC'  Remove From Dictionary  ${payload}  KeyBitLength
    ...  ELSE IF  '${key_pair_algorithm}' == 'RSA'  Remove From Dictionary  ${payload}  KeyCurveId

    ${expected_resp}=  Set Variable If  '${expected_status}' == 'ok'  ${HTTP_OK}
    ...  '${expected_status}' == 'error'  ${HTTP_INTERNAL_SERVER_ERROR}, ${HTTP_BAD_REQUEST}
    ${resp}=  redfish.Post  /redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR
    ...  body=${payload}  valid_status_codes=[${expected_resp}]

    # Delay added between two CSR generation requests.
    Sleep  5s


Delete Certificate Via BMC CLI
    [Documentation]  Delete certificate via BMC CLI.
    [Arguments]  ${cert_type}

    # Description of argument(s):
    # cert_type           Certificate type (e.g. "Client" or "CA").

    ${certificate_file_path}  ${certificate_service}  ${certificate_uri}=
    ...  Run Keyword If  '${cert_type}' == 'Client'
    ...    Set Variable  /etc/nslcd/certs/cert.pem  phosphor-certificate-manager@nslcd.service
    ...    ${REDFISH_LDAP_CERTIFICATE_URI}
    ...  ELSE IF  '${cert_type}' == 'CA'
    ...    Set Variable  ${ROOT_CA_FILE_PATH}  phosphor-certificate-manager@authority.service
    ...    ${REDFISH_CA_CERTIFICATE_URI}

    ${file_status}  ${stderr}  ${rc}=  BMC Execute Command
    ...  [ -f ${certificate_file_path} ] && echo "Found" || echo "Not Found"

    # Nothing to delete if the certificate file is not present on the BMC.
    Return From Keyword If  "${file_status}" != "Found"
    BMC Execute Command  rm ${certificate_file_path}
    BMC Execute Command  systemctl restart ${certificate_service}
    BMC Execute Command  systemctl daemon-reload
    Wait Until Keyword Succeeds  1 min  10 sec  Redfish.Get  ${certificate_uri}/1
    ...  valid_status_codes=[${HTTP_NOT_FOUND}, ${HTTP_INTERNAL_SERVER_ERROR}]


Delete All CA Certificate Via Redfish
    [Documentation]  Delete all CA certificate via Redfish.

    ${cert_list}=  Redfish_Utils.Get Member List  /redfish/v1/Managers/bmc/Truststore/Certificates
    FOR  ${cert}  IN  @{cert_list}
      Redfish.Delete  ${cert}  valid_status_codes=[${HTTP_NO_CONTENT}]
    END


Suite Setup Execution
    [Documentation]  Do suite setup tasks.

    # Create certificate sub-directory in current working directory.
    Create Directory  certificate_dir


Test Teardown Execution
    [Documentation]  Do the post test teardown.

    FFDC On Test Case Fail
    redfish.Logout