test: update keyutil test to verify new pkcs7 --hash-algorithm param 37794/head
authorDan Streetman <ddstreet@ieee.org>
Fri, 6 Jun 2025 18:18:06 +0000 (14:18 -0400)
committerDan Streetman <ddstreet@ieee.org>
Tue, 10 Jun 2025 12:46:36 +0000 (08:46 -0400)
test/units/TEST-74-AUX-UTILS.keyutil.sh

index efe19a0c0c44d33c47103d86efb9b7af1523f0d2..0c5c0d5d9b22d4814bf3ff04a13a72c6f122a247 100755 (executable)
@@ -47,31 +47,49 @@ testcase_public() {
     (! /usr/lib/systemd/systemd-keyutil public)
 }
 
-testcase_pkcs7() {
-    echo -n "test" > /tmp/payload
+verify_pkcs7() {
+    # Verify using internal certificate
+    openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify > /dev/null
+    # Verify using external (original) certificate
+    openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify -certfile /tmp/test.crt -nointern > /dev/null
+}
 
-    # Generate PKCS#1 signature
-    openssl dgst -sha256 -sign /tmp/test.key -out /tmp/payload.sig /tmp/payload
+verify_pkcs7_fail() {
+    # Verify using internal certificate
+    (! openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify > /dev/null)
+    # Verify using external (original) certificate
+    (! openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify -certfile /tmp/test.crt -nointern > /dev/null)
+}
 
-    # Generate PKCS#7 "detached" signature
-    /usr/lib/systemd/systemd-keyutil --certificate /tmp/test.crt --output /tmp/payload.p7s --signature /tmp/payload.sig pkcs7
+testcase_pkcs7() {
+    echo -n "test" > /tmp/payload
 
-    # Verify using internal x509 certificate
-    openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify > /dev/null
+    for hashalg in sha256 sha384 sha512; do
+        # shellcheck disable=SC2086
+        openssl dgst -$hashalg -sign /tmp/test.key -out /tmp/payload.p1s /tmp/payload
 
-    # Verify using external (original) x509 certificate
-    openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -certificate /tmp/test.crt -nointern -noverify > /dev/null
+        # Test with and without content in the PKCS7
+        for content_param in "" "--content /tmp/payload"; do
+            # Test with and without specifying signing hash alg
+            for hashalg_param in "" "--hash-algorithm $hashalg"; do
+                # shellcheck disable=SC2086
+                /usr/lib/systemd/systemd-keyutil --certificate /tmp/test.crt --output /tmp/payload.p7s --signature /tmp/payload.p1s $content_param $hashalg_param pkcs7
 
-    rm -f /tmp/payload.p7s
+                # Should always pass, except when not specifying hash alg and hash alg != sha256
+                if [ -z "$hashalg_param" ] && [ "$hashalg" != "sha256" ]; then
+                    verify_pkcs7_fail
+                else
+                    verify_pkcs7
+                fi
 
-    # Generate PKCS#7 non-"detached" signature
-    /usr/lib/systemd/systemd-keyutil --certificate /tmp/test.crt --output /tmp/payload.p7s --signature /tmp/payload.sig --content /tmp/payload pkcs7
+                rm -f /tmp/payload.p7s
+            done
+        done
 
-    # Verify using internal x509 certificate
-    openssl smime -verify -binary -inform der -in /tmp/payload.p7s -noverify > /dev/null
+        rm -f /tmp/payload.p1s
+    done
 
-    # Verify using external (original) x509 certificate
-    openssl smime -verify -binary -inform der -in /tmp/payload.p7s -certificate /tmp/test.crt -nointern -noverify > /dev/null
+    rm -f /tmp/payload
 }
 
 run_testcases
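Review bot: The new `verify_pkcs7`/`verify_pkcs7_fail` helpers always pass `-content /tmp/payload` to `openssl smime -verify`, but they are also called for the `--content /tmp/payload` iterations (L46/L50), where the PKCS#7 presumably embeds the payload — the removed non-detached checks (L67, L72) deliberately verified without `-content`. If keyutil's `--content` really embeds the data, OpenSSL's `PKCS7_verify` rejects supplying detached data for a non-detached structure (`PKCS7_R_CONTENT_AND_DATA_PRESENT`), so the embedded-content case would either fail in the positive branch or, in the negative branch, "fail" for the wrong reason and make `verify_pkcs7_fail` pass without proving anything about the hash-algorithm mismatch. Make the helpers take the openssl content argument and pass `-content /tmp/payload` only when `content_param` is empty, as sketched below; whether `set -e` guards the unchecked keyutil call at L50 depends on the script header, which is outside the hunk.
```shell
verify_pkcs7() {
    # "$@" is "-content /tmp/payload" for a detached signature, empty when the payload is embedded
    openssl smime -verify -binary -inform der -in /tmp/payload.p7s "$@" -noverify > /dev/null
    openssl smime -verify -binary -inform der -in /tmp/payload.p7s "$@" -noverify -certfile /tmp/test.crt -nointern > /dev/null
}
# … unchanged: verify_pkcs7_fail, with the same "$@" forwarded to both openssl calls …
# … unchanged: hashalg / content_param / hashalg_param loops and the keyutil invocation …
                if [ -n "$content_param" ]; then
                    verify_args=""
                else
                    verify_args="-content /tmp/payload"
                fi
                # shellcheck disable=SC2086
                if [ -z "$hashalg_param" ] && [ "$hashalg" != "sha256" ]; then
                    verify_pkcs7_fail $verify_args
                else
                    verify_pkcs7 $verify_args
                fi
```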