Skip SHA1-based tests, use SHA256 when possible

Resolves: RHEL-64906
2024-10-25 11:23:27 +02:00 · 2024-10-25 11:23:27 +02:00 · 60852f2783
commit 60852f2783
parent ca540caeef
4 changed files with 161 additions and 32 deletions
--- a/0001-tests-rsa_pki-default-to-sha256.patch
+++ b/0001-tests-rsa_pki-default-to-sha256.patch
@ -0,0 +1,96 @@
+From c0a9076035513521fea11ee1f99eae6b80e49e6d Mon Sep 17 00:00:00 2001
+From: Adrian Freihofer <adrian.freihofer@gmail.com>
+Date: Fri, 9 Aug 2024 15:58:01 +0200
+Subject: [PATCH 1/2] tests: rsa_pki default to sha256
+
+Some distributions (Fedora 41) are starting to block sha1 hashes. This
+prevents this test case. Let's use sha256, which is more future-proof
+and should currently be supported by all distributions.
+
+Removing the following 2 lines from
+/etc/crypto-policies/back-ends/opensslcnf.config
+  [evp_properties]
+  rh-allow-sha1-signatures = no
+allows to run the tests successfully also with sha1.
+
+Signed-off-by: Adrian Freihofer <adrian.freihofer@gmail.com>
+---
+ test/rsa_pki/etc/email.conf      | 2 +-
+ test/rsa_pki/etc/root-ca.conf    | 4 ++--
+ test/rsa_pki/etc/server.conf     | 2 +-
+ test/rsa_pki/etc/signing-ca.conf | 4 ++--
+ 4 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/test/rsa_pki/etc/email.conf b/test/rsa_pki/etc/email.conf
+index 8d59829..7606c38 100644
+--- a/test/rsa_pki/etc/email.conf
+++ b/test/rsa_pki/etc/email.conf
+@@ -6,7 +6,7 @@
+ [ req ]
+ default_bits            = 2048                  # RSA key size
+ encrypt_key             = no
+-default_md              = sha1                  # MD to use
+default_md              = sha256                # MD to use
+ utf8                    = yes                   # Input is UTF-8
+ string_mask             = utf8only              # Emit UTF-8 strings
+ prompt                  = no                    # Don't prompt for DN
+diff --git a/test/rsa_pki/etc/root-ca.conf b/test/rsa_pki/etc/root-ca.conf
+index 69d284e..2f72eb4 100644
+--- a/test/rsa_pki/etc/root-ca.conf
+++ b/test/rsa_pki/etc/root-ca.conf
+@@ -15,7 +15,7 @@ dir                     = testdb                # Top dir
+ [ req ]
+ default_bits            = 2048                  # RSA key size
+ encrypt_key             = no
+-default_md              = sha1                  # MD to use
+default_md              = sha256                # MD to use
+ utf8                    = yes                   # Input is UTF-8
+ string_mask             = utf8only              # Emit UTF-8 strings
+ prompt                  = no                    # Don't prompt for DN
+@@ -50,7 +50,7 @@ crlnumber               = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
+ database                = $dir/ca/$ca/db/$ca.db # Index file
+ unique_subject          = no                    # Require unique subject
+ default_days            = 3652                  # How long to certify for
+-default_md              = sha1                  # MD to use
+default_md              = sha256                # MD to use
+ policy                  = match_pol             # Default naming policy
+ email_in_dn             = no                    # Add email to cert DN
+ preserve                = no                    # Keep passed DN ordering
+diff --git a/test/rsa_pki/etc/server.conf b/test/rsa_pki/etc/server.conf
+index 8f7b620..737fe55 100644
+--- a/test/rsa_pki/etc/server.conf
+++ b/test/rsa_pki/etc/server.conf
+@@ -9,7 +9,7 @@ SAN                     = DNS:yourdomain.tld    # Default value
+ [ req ]
+ default_bits            = 2048                  # RSA key size
+ encrypt_key             = no
+-default_md              = sha1                  # MD to use
+default_md              = sha256                # MD to use
+ utf8                    = yes                   # Input is UTF-8
+ string_mask             = utf8only              # Emit UTF-8 strings
+ prompt                  = no                    # Don't prompt for DN
+diff --git a/test/rsa_pki/etc/signing-ca.conf b/test/rsa_pki/etc/signing-ca.conf
+index 912d7c3..3f9795d 100644
+--- a/test/rsa_pki/etc/signing-ca.conf
+++ b/test/rsa_pki/etc/signing-ca.conf
+@@ -15,7 +15,7 @@ dir                     = testdb                # Top dir
+ [ req ]
+ default_bits            = 2048                  # RSA key size
+ encrypt_key             = no
+-default_md              = sha1                  # MD to use
+default_md              = sha256                # MD to use
+ utf8                    = yes                   # Input is UTF-8
+ string_mask             = utf8only              # Emit UTF-8 strings
+ prompt                  = no                    # Don't prompt for DN
+@@ -50,7 +50,7 @@ crlnumber               = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
+ database                = $dir/ca/$ca/db/$ca.db # Index file
+ unique_subject          = no                    # Require unique subject
+ default_days            = 730                   # How long to certify for
+-default_md              = sha1                  # MD to use
+default_md              = sha256                # MD to use
+ policy                  = match_pol             # Default naming policy
+ email_in_dn             = no                    # Add email to cert DN
+ preserve                = no                    # Keep passed DN ordering
+-- 
+2.47.0
+
--- a/0001-tests-workaround-for-tpm2-tools-bug.patch
+++ b/0001-tests-workaround-for-tpm2-tools-bug.patch
@ -1,30 +0,0 @@
-From d46a3ae2d3f06852388eb8439a9c06d97a8d3ca2 Mon Sep 17 00:00:00 2001
-From: Adrian Freihofer <adrian.freihofer@gmail.com>
-Date: Wed, 27 Mar 2024 08:27:37 +0100
-Subject: [PATCH] tests: workaround for tpm2-tools bug
-
-The test fails because of a bug in the tpm2-tools:
-https://github.com/tpm2-software/tpm2-tools/pull/3374
---
- test/ec_createak_x509_index.sh | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/test/ec_createak_x509_index.sh b/test/ec_createak_x509_index.sh
-index 4323475..7476c23 100755
--- a/test/ec_createak_x509_index.sh
-+++ b/test/ec_createak_x509_index.sh
-@@ -2,6 +2,11 @@
- # SPDX-License-Identifier: BSD-3-Clause
- set -eufx
- 
-+# Temporary workaround for https://github.com/tpm2-software/tpm2-tools/pull/3374
-+if uname -m | grep s390; then
-+    exit 77
-+fi
-+
- # create EK
- tpm2_createek -G ecc -c ek_rsa.ctx
- 
-- 
-2.44.0
-
--- a/0002-tests-do-not-test-sha1-by-default.patch
+++ b/0002-tests-do-not-test-sha1-by-default.patch
@ -0,0 +1,56 @@
+From 1839c987c86752602b51981963132234ac7554a2 Mon Sep 17 00:00:00 2001
+From: Petr Gotthard <petr.gotthard@advantech.cz>
+Date: Sun, 6 Oct 2024 22:11:15 +0200
+Subject: [PATCH 2/2] tests: do not test sha1 by default
+
+Note: Chagnes on files which are not in the release tar are skipped on
+purpose since the patch is applied against the release tar by the spec
+file.
+---
+ test/ecdsa_genpkey_sign_rawin.sh  | 2 +-
+ test/rsa_genpkey_sign_rawin.sh    | 2 +-
+ test/rsapss_genpkey_sign_rawin.sh | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/test/ecdsa_genpkey_sign_rawin.sh b/test/ecdsa_genpkey_sign_rawin.sh
+index 01403cf..7266049 100755
+--- a/test/ecdsa_genpkey_sign_rawin.sh
+++ b/test/ecdsa_genpkey_sign_rawin.sh
+@@ -11,7 +11,7 @@ openssl genpkey -provider tpm2 -algorithm EC -pkeyopt group:P-256 -out testkey.p
+ openssl pkey -provider tpm2 -provider base -in testkey.priv -pubout -out testkey.pub
+ 
+ # check various digests
+-for HASH in sha1 sha256 sha384 sha512; do
+for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
+     # skip unsupported algorithms
+     tpm2_getcap algorithms | grep $HASH || continue
+ 
+diff --git a/test/rsa_genpkey_sign_rawin.sh b/test/rsa_genpkey_sign_rawin.sh
+index 267cea9..f2b9a94 100755
+--- a/test/rsa_genpkey_sign_rawin.sh
+++ b/test/rsa_genpkey_sign_rawin.sh
+@@ -11,7 +11,7 @@ openssl genpkey -provider tpm2 -algorithm RSA -pkeyopt bits:1024 -out testkey.pr
+ openssl pkey -provider tpm2 -provider base -in testkey.priv -pubout -out testkey.pub
+ 
+ # check default scheme with various digests
+-for HASH in sha1 sha256 sha384 sha512; do
+for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
+     # skip unsupported algorithms
+     tpm2_getcap algorithms | grep $HASH || continue
+ 
+diff --git a/test/rsapss_genpkey_sign_rawin.sh b/test/rsapss_genpkey_sign_rawin.sh
+index 28447b2..99f8d63 100755
+--- a/test/rsapss_genpkey_sign_rawin.sh
+++ b/test/rsapss_genpkey_sign_rawin.sh
+@@ -5,7 +5,7 @@ set -eufx
+ echo -n "abcde12345abcde12345" > testdata
+ 
+ # check default scheme with various digests
+-for HASH in sha1 sha256 sha384 sha512; do
+for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
+     # skip unsupported algorithms
+     tpm2_getcap algorithms | grep $HASH || continue
+ 
+-- 
+2.47.0
+
--- a/tpm2-openssl.spec
+++ b/tpm2-openssl.spec
@ -1,6 +1,6 @@
 Name:tpm2-openssl
 Version: 1.2.0
-Release: 3%{?candidate:.%{candidate}}%{?dist}
+Release: 4%{?candidate:.%{candidate}}%{?dist}
 Summary: Provider for integration of TPM 2.0 to OpenSSL 3.0

 License: BSD-3-Clause
@ -10,7 +10,10 @@ Source1: https://github.com/tpm2-software/%{name}/%{?candidate:archive/refs/tags
 Source2: gpgkey-B7201FE8031B07AF11F5423C6329CFCB6BE6FD76.gpg
 # Will be included in Source0 after https://github.com/tpm2-software/tpm2-openssl/pull/100
 Source3: run-with-simulator
-Patch0: 0001-tests-workaround-for-tpm2-tools-bug.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=2301337
+Patch1: 0001-tests-rsa_pki-default-to-sha256.patch
+Patch2: 0002-tests-do-not-test-sha1-by-default.patch

 BuildRequires: gnupg2
 BuildRequires: gcc
@ -61,6 +64,10 @@ cp %{_sourcedir}/run-with-simulator %{_builddir}/%{name}-%{version}%{?candidate:
 %{_libdir}/ossl-modules/tpm2.so

 %changelog
+* Fri Oct 25 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1.2.0-4
+- Skip SHA1-based tests, use SHA256 when possible
+  Resolves: RHEL-64906
+
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.2.0-3
 - Bump release for June 2024 mass rebuild