From db83bd7e36cd4332484e4e42dac8bad22b4333d0 Mon Sep 17 00:00:00 2001
From: Dan Streetman
Date: Fri, 6 Jun 2025 14:18:06 -0400
Subject: [PATCH] test: update keyutil test to verify new pkcs7 --hash-algorithm param
---
 test/units/TEST-74-AUX-UTILS.keyutil.sh | 52 +++++++++++++++++--------
 1 file changed, 35 insertions(+), 17 deletions(-)
diff --git a/test/units/TEST-74-AUX-UTILS.keyutil.sh b/test/units/TEST-74-AUX-UTILS.keyutil.sh
index efe19a0c0c4..0c5c0d5d9b2 100755
--- a/test/units/TEST-74-AUX-UTILS.keyutil.sh
+++ b/test/units/TEST-74-AUX-UTILS.keyutil.sh
@@ -47,31 +47,49 @@ testcase_public() {
 (! /usr/lib/systemd/systemd-keyutil public)
 }
 
-testcase_pkcs7() {
- echo -n "test" > /tmp/payload
+verify_pkcs7() {
+ # Verify using internal certificate
+ openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify > /dev/null
+ # Verify using external (original) certificate
+ openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify -certfile /tmp/test.crt -nointern > /dev/null
+}
 
- # Generate PKCS#1 signature
- openssl dgst -sha256 -sign /tmp/test.key -out /tmp/payload.sig /tmp/payload
+verify_pkcs7_fail() {
+ # Verify using internal certificate
+ (! openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify > /dev/null)
+ # Verify using external (original) certificate
+ (! openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify -certfile /tmp/test.crt -nointern > /dev/null)
+}
 
- # Generate PKCS#7 "detached" signature
- /usr/lib/systemd/systemd-keyutil --certificate /tmp/test.crt --output /tmp/payload.p7s --signature /tmp/payload.sig pkcs7
+testcase_pkcs7() {
+ echo -n "test" > /tmp/payload
 
- # Verify using internal x509 certificate
- openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify > /dev/null
+ for hashalg in sha256 sha384 sha512; do
+ # shellcheck disable=SC2086
+ openssl dgst -$hashalg -sign /tmp/test.key -out /tmp/payload.p1s /tmp/payload
 
- # Verify using external (original) x509 certificate
- openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -certificate /tmp/test.crt -nointern -noverify > /dev/null
+ # Test with and without content in the PKCS7
+ for content_param in "" "--content /tmp/payload"; do
+ # Test with and without specifying signing hash alg
+ for hashalg_param in "" "--hash-algorithm $hashalg"; do
+ # shellcheck disable=SC2086
+ /usr/lib/systemd/systemd-keyutil --certificate /tmp/test.crt --output /tmp/payload.p7s --signature /tmp/payload.p1s $content_param $hashalg_param pkcs7
 
- rm -f /tmp/payload.p7s
+ # Should always pass, except when not specifying hash alg and hash alg != sha256
+ if [ -z "$hashalg_param" ] && [ "$hashalg" != "sha256" ]; then
+ verify_pkcs7_fail
+ else
+ verify_pkcs7
+ fi
 
- # Generate PKCS#7 non-"detached" signature
- /usr/lib/systemd/systemd-keyutil --certificate /tmp/test.crt --output /tmp/payload.p7s --signature /tmp/payload.sig --content /tmp/payload pkcs7
+ rm -f /tmp/payload.p7s
+ done
+ done
 
- # Verify using internal x509 certificate
- openssl smime -verify -binary -inform der -in /tmp/payload.p7s -noverify > /dev/null
+ rm -f /tmp/payload.p1s
+ done
 
- # Verify using external (original) x509 certificate
- openssl smime -verify -binary -inform der -in /tmp/payload.p7s -certificate /tmp/test.crt -nointern -noverify > /dev/null
+ rm -f /tmp/payload
 }
 
 run_testcases
-- 
2.47.3
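Review bot: The new `verify_pkcs7`/`verify_pkcs7_fail` helpers always pass `-content /tmp/payload` to `openssl smime -verify`, so in the `--content /tmp/payload` iteration of the loop the payload embedded in the PKCS#7 appears never to be what is verified (an explicit `-content` supplies the data to hash); the removed code covered that path by verifying the non-detached signature without `-content`, and that coverage is lost in this hunk. Let the helpers take the verify options via `"$@"` and have the loop pass `-content /tmp/payload` only when `$content_param` is empty, as below. On style, `content_param`/`hashalg_param` are whitespace-split strings guarded by `# shellcheck disable=SC2086`; arrays would avoid the disable and stay correct if a path ever contained a space, though the rest of the file (outside this hunk) may follow the same convention. The expectation that an unspecified `--hash-algorithm` only verifies for sha256 would also be easier to maintain with a comment naming why, e.g. `# sha256 is the tool's default when --hash-algorithm is omitted`.
```shell
verify_pkcs7() {
    # "$@" carries "-content /tmp/payload" only for detached signatures;
    # a non-detached PKCS#7 is verified against its embedded content
    openssl smime -verify -binary -inform der -in /tmp/payload.p7s "$@" -noverify > /dev/null
    openssl smime -verify -binary -inform der -in /tmp/payload.p7s "$@" -noverify -certfile /tmp/test.crt -nointern > /dev/null
}
# … unchanged: verify_pkcs7_fail, with the same "$@" substitution …
# … unchanged: testcase_pkcs7 loops up to the systemd-keyutil call …
                verify_args=()
                if [ -z "$content_param" ]; then
                    verify_args=(-content /tmp/payload)
                fi
                if [ -z "$hashalg_param" ] && [ "$hashalg" != "sha256" ]; then
                    verify_pkcs7_fail "${verify_args[@]}"
                else
                    verify_pkcs7 "${verify_args[@]}"
                fi
# … unchanged: rm -f and done lines …
```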