Skip SHA1-based tests, use SHA256 when possible
Resolves: RHEL-64906
parent
ca540caeef
commit
60852f2783
96
0001-tests-rsa_pki-default-to-sha256.patch
Normal file
96
0001-tests-rsa_pki-default-to-sha256.patch
Normal file
@ -0,0 +1,96 @@
|
|||||||
|
From c0a9076035513521fea11ee1f99eae6b80e49e6d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Adrian Freihofer <adrian.freihofer@gmail.com>
|
||||||
|
Date: Fri, 9 Aug 2024 15:58:01 +0200
|
||||||
|
Subject: [PATCH 1/2] tests: rsa_pki default to sha256
|
||||||
|
|
||||||
|
Some distributions (Fedora 41) are starting to block sha1 hashes. This
|
||||||
|
prevents this test case. Let's use sha256, which is more future-proof
|
||||||
|
and should currently be supported by all distributions.
|
||||||
|
|
||||||
|
Removing the following 2 lines from
|
||||||
|
/etc/crypto-policies/back-ends/opensslcnf.config
|
||||||
|
[evp_properties]
|
||||||
|
rh-allow-sha1-signatures = no
|
||||||
|
allows to run the tests successfully also with sha1.
|
||||||
|
|
||||||
|
Signed-off-by: Adrian Freihofer <adrian.freihofer@gmail.com>
|
||||||
|
---
|
||||||
|
test/rsa_pki/etc/email.conf | 2 +-
|
||||||
|
test/rsa_pki/etc/root-ca.conf | 4 ++--
|
||||||
|
test/rsa_pki/etc/server.conf | 2 +-
|
||||||
|
test/rsa_pki/etc/signing-ca.conf | 4 ++--
|
||||||
|
4 files changed, 6 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/test/rsa_pki/etc/email.conf b/test/rsa_pki/etc/email.conf
|
||||||
|
index 8d59829..7606c38 100644
|
||||||
|
--- a/test/rsa_pki/etc/email.conf
|
||||||
|
+++ b/test/rsa_pki/etc/email.conf
|
||||||
|
@@ -6,7 +6,7 @@
|
||||||
|
[ req ]
|
||||||
|
default_bits = 2048 # RSA key size
|
||||||
|
encrypt_key = no
|
||||||
|
-default_md = sha1 # MD to use
|
||||||
|
+default_md = sha256 # MD to use
|
||||||
|
utf8 = yes # Input is UTF-8
|
||||||
|
string_mask = utf8only # Emit UTF-8 strings
|
||||||
|
prompt = no # Don't prompt for DN
|
||||||
|
diff --git a/test/rsa_pki/etc/root-ca.conf b/test/rsa_pki/etc/root-ca.conf
|
||||||
|
index 69d284e..2f72eb4 100644
|
||||||
|
--- a/test/rsa_pki/etc/root-ca.conf
|
||||||
|
+++ b/test/rsa_pki/etc/root-ca.conf
|
||||||
|
@@ -15,7 +15,7 @@ dir = testdb # Top dir
|
||||||
|
[ req ]
|
||||||
|
default_bits = 2048 # RSA key size
|
||||||
|
encrypt_key = no
|
||||||
|
-default_md = sha1 # MD to use
|
||||||
|
+default_md = sha256 # MD to use
|
||||||
|
utf8 = yes # Input is UTF-8
|
||||||
|
string_mask = utf8only # Emit UTF-8 strings
|
||||||
|
prompt = no # Don't prompt for DN
|
||||||
|
@@ -50,7 +50,7 @@ crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
|
||||||
|
database = $dir/ca/$ca/db/$ca.db # Index file
|
||||||
|
unique_subject = no # Require unique subject
|
||||||
|
default_days = 3652 # How long to certify for
|
||||||
|
-default_md = sha1 # MD to use
|
||||||
|
+default_md = sha256 # MD to use
|
||||||
|
policy = match_pol # Default naming policy
|
||||||
|
email_in_dn = no # Add email to cert DN
|
||||||
|
preserve = no # Keep passed DN ordering
|
||||||
|
diff --git a/test/rsa_pki/etc/server.conf b/test/rsa_pki/etc/server.conf
|
||||||
|
index 8f7b620..737fe55 100644
|
||||||
|
--- a/test/rsa_pki/etc/server.conf
|
||||||
|
+++ b/test/rsa_pki/etc/server.conf
|
||||||
|
@@ -9,7 +9,7 @@ SAN = DNS:yourdomain.tld # Default value
|
||||||
|
[ req ]
|
||||||
|
default_bits = 2048 # RSA key size
|
||||||
|
encrypt_key = no
|
||||||
|
-default_md = sha1 # MD to use
|
||||||
|
+default_md = sha256 # MD to use
|
||||||
|
utf8 = yes # Input is UTF-8
|
||||||
|
string_mask = utf8only # Emit UTF-8 strings
|
||||||
|
prompt = no # Don't prompt for DN
|
||||||
|
diff --git a/test/rsa_pki/etc/signing-ca.conf b/test/rsa_pki/etc/signing-ca.conf
|
||||||
|
index 912d7c3..3f9795d 100644
|
||||||
|
--- a/test/rsa_pki/etc/signing-ca.conf
|
||||||
|
+++ b/test/rsa_pki/etc/signing-ca.conf
|
||||||
|
@@ -15,7 +15,7 @@ dir = testdb # Top dir
|
||||||
|
[ req ]
|
||||||
|
default_bits = 2048 # RSA key size
|
||||||
|
encrypt_key = no
|
||||||
|
-default_md = sha1 # MD to use
|
||||||
|
+default_md = sha256 # MD to use
|
||||||
|
utf8 = yes # Input is UTF-8
|
||||||
|
string_mask = utf8only # Emit UTF-8 strings
|
||||||
|
prompt = no # Don't prompt for DN
|
||||||
|
@@ -50,7 +50,7 @@ crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
|
||||||
|
database = $dir/ca/$ca/db/$ca.db # Index file
|
||||||
|
unique_subject = no # Require unique subject
|
||||||
|
default_days = 730 # How long to certify for
|
||||||
|
-default_md = sha1 # MD to use
|
||||||
|
+default_md = sha256 # MD to use
|
||||||
|
policy = match_pol # Default naming policy
|
||||||
|
email_in_dn = no # Add email to cert DN
|
||||||
|
preserve = no # Keep passed DN ordering
|
||||||
|
--
|
||||||
|
2.47.0
|
||||||
|
|
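--- a/0001-tests-workaround-for-tpm2-tools-bug.patch
+++ b/0001-tests-workaround-for-tpm2-tools-bug.patch
@@ -1,30 +0,0 @@
-From d46a3ae2d3f06852388eb8439a9c06d97a8d3ca2 Mon Sep 17 00:00:00 2001
-From: Adrian Freihofer <adrian.freihofer@gmail.com>
-Date: Wed, 27 Mar 2024 08:27:37 +0100
-Subject: [PATCH] tests: workaround for tpm2-tools bug
-
-The test fails because of a bug in the tpm2-tools:
-https://github.com/tpm2-software/tpm2-tools/pull/3374
----
-test/ec_createak_x509_index.sh | 5 +++++
-1 file changed, 5 insertions(+)
-
-diff --git a/test/ec_createak_x509_index.sh b/test/ec_createak_x509_index.sh
-index 4323475..7476c23 100755
---- a/test/ec_createak_x509_index.sh
-+++ b/test/ec_createak_x509_index.sh
-@@ -2,6 +2,11 @@
-# SPDX-License-Identifier: BSD-3-Clause
-set -eufx
-
-+# Temporary workaround for https://github.com/tpm2-software/tpm2-tools/pull/3374
-+if uname -m | grep s390; then
-+ exit 77
-+fi
-+
-# create EK
-tpm2_createek -G ecc -c ek_rsa.ctx
-
---
-2.44.0
-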
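--- a/0002-tests-do-not-test-sha1-by-default.patch
+++ b/0002-tests-do-not-test-sha1-by-default.patch
@@ -0,0 +1,56 @@
+From 1839c987c86752602b51981963132234ac7554a2 Mon Sep 17 00:00:00 2001
+From: Petr Gotthard <petr.gotthard@advantech.cz>
+Date: Sun, 6 Oct 2024 22:11:15 +0200
+Subject: [PATCH 2/2] tests: do not test sha1 by default
+
+Note: Chagnes on files which are not in the release tar are skipped on
+purpose since the patch is applied against the release tar by the spec
+file.
+---
+test/ecdsa_genpkey_sign_rawin.sh | 2 +-
+test/rsa_genpkey_sign_rawin.sh | 2 +-
+test/rsapss_genpkey_sign_rawin.sh | 2 +-
+3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/test/ecdsa_genpkey_sign_rawin.sh b/test/ecdsa_genpkey_sign_rawin.sh
+index 01403cf..7266049 100755
+--- a/test/ecdsa_genpkey_sign_rawin.sh
++++ b/test/ecdsa_genpkey_sign_rawin.sh
+@@ -11,7 +11,7 @@ openssl genpkey -provider tpm2 -algorithm EC -pkeyopt group:P-256 -out testkey.p
+openssl pkey -provider tpm2 -provider base -in testkey.priv -pubout -out testkey.pub
+
+# check various digests
+-for HASH in sha1 sha256 sha384 sha512; do
++for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
+# skip unsupported algorithms
+tpm2_getcap algorithms | grep $HASH || continue
+
+diff --git a/test/rsa_genpkey_sign_rawin.sh b/test/rsa_genpkey_sign_rawin.sh
+index 267cea9..f2b9a94 100755
+--- a/test/rsa_genpkey_sign_rawin.sh
++++ b/test/rsa_genpkey_sign_rawin.sh
+@@ -11,7 +11,7 @@ openssl genpkey -provider tpm2 -algorithm RSA -pkeyopt bits:1024 -out testkey.pr
+openssl pkey -provider tpm2 -provider base -in testkey.priv -pubout -out testkey.pub
+
+# check default scheme with various digests
+-for HASH in sha1 sha256 sha384 sha512; do
++for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
+# skip unsupported algorithms
+tpm2_getcap algorithms | grep $HASH || continue
+
+diff --git a/test/rsapss_genpkey_sign_rawin.sh b/test/rsapss_genpkey_sign_rawin.sh
+index 28447b2..99f8d63 100755
+--- a/test/rsapss_genpkey_sign_rawin.sh
++++ b/test/rsapss_genpkey_sign_rawin.sh
+@@ -5,7 +5,7 @@ set -eufx
+echo -n "abcde12345abcde12345" > testdata
+
+# check default scheme with various digests
+-for HASH in sha1 sha256 sha384 sha512; do
++for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
+# skip unsupported algorithms
+tpm2_getcap algorithms | grep $HASH || continue
+
+--
+2.47.0
+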
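Review bot: The new `for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do` line (identical in the ecdsa, rsa and rsapss rawin tests) introduces an environment override that nothing documents, and the deliberately unquoted expansion will be reported by ShellCheck as SC2086 under the scripts' `set -eufx`. A comment above each loop would make the intent explicit, e.g. `# TPM2_TEST_HASHES: space-separated digest list; sha1 is omitted by default because current crypto-policies may reject SHA-1 signatures` followed by `# shellcheck disable=SC2086 -- word splitting of the list is intended`. The pre-existing capability check `tpm2_getcap algorithms | grep $HASH || continue` is an unanchored substring match, so an override value is matched loosely; `grep -w -- "$HASH"` would be stricter, but that is outside this change. Each loop body continues past the end of its hunk. The embedded commit message also reads `Chagnes` where `Changes` is meant.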
@ -1,6 +1,6 @@
Name:tpm2-openssl
Name:tpm2-openssl
Version: 1.2.0
Version: 1.2.0
Release: 3%{?candidate:.%{candidate}}%{?dist}
Release: 4%{?candidate:.%{candidate}}%{?dist}
Summary: Provider for integration of TPM 2.0 to OpenSSL 3.0
Summary: Provider for integration of TPM 2.0 to OpenSSL 3.0
License: BSD-3-Clause
License: BSD-3-Clause
@ -10,7 +10,10 @@ Source1: https://github.com/tpm2-software/%{name}/%{?candidate:archive/refs/tags
Source2: gpgkey-B7201FE8031B07AF11F5423C6329CFCB6BE6FD76.gpg
Source2: gpgkey-B7201FE8031B07AF11F5423C6329CFCB6BE6FD76.gpg
# Will be included in Source0 after https://github.com/tpm2-software/tpm2-openssl/pull/100
# Will be included in Source0 after https://github.com/tpm2-software/tpm2-openssl/pull/100
Source3: run-with-simulator
Source3: run-with-simulator
Patch0: 0001-tests-workaround-for-tpm2-tools-bug.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2301337
Patch1: 0001-tests-rsa_pki-default-to-sha256.patch
Patch2: 0002-tests-do-not-test-sha1-by-default.patch
BuildRequires: gnupg2
BuildRequires: gnupg2
BuildRequires: gcc
BuildRequires: gcc
@ -61,6 +64,10 @@ cp %{_sourcedir}/run-with-simulator %{_builddir}/%{name}-%{version}%{?candidate:
%{_libdir}/ossl-modules/tpm2.so
%{_libdir}/ossl-modules/tpm2.so
%changelog
%changelog
* Fri Oct 25 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1.2.0-4
- Skip SHA1-based tests, use SHA256 when possible
Resolves: RHEL-64906
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.2.0-3
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.2.0-3
- Bump release for June 2024 mass rebuild
- Bump release for June 2024 mass rebuild
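Review bot: Patch0 still names `0001-tests-workaround-for-tpm2-tools-bug.patch`, the 30-line file this commit deletes (the `@ -1,30 +0,0 @@` section above), and from this rendering it is unclear whether the `Patch0:` line itself is dropped in the `@ -10,7 +10,10 @@` hunk: the counts imply three additions and no removal, while the row layout suggests the line is removed. If the line is kept, rpmbuild will fail as soon as it tries to read the missing source, so this should be confirmed against the raw diff; the %prep section is outside this diff. The new comment `# https://bugzilla.redhat.com/show_bug.cgi?id=2301337` covers only Patch1 by position, while the changelog cites RHEL-64906 for both patches; one comment such as `# RHEL-64906 / bz#2301337: drop SHA-1 from the test suite, newer crypto-policies block SHA-1 signatures` above Patch1 and Patch2 would tie them together.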