tests: support blocked sha1

Some distributions (Fedora 41) are starting to block sha1 hashes. This prevents some test cases. The change is documented: https://fedoraproject.org/wiki/SHA1SignaturesGuidance. However, there is no API provided by openssl to detect if sha1 is supported or not. As a workaraound a scripts gets added which does that by singing and verifying some dummy data. Disabling sha1 by default was introduced to Fedora 41 by this commit: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/035c735a8310af5e3999c327d96ad5e354837250 Removing the following 2 lines from /etc/crypto-policies/back-ends/opensslcnf.config [evp_properties] rh-allow-sha1-signatures = no allows to run the tests successfully also with sha1. The test log also shows that with sha1 supported the tests are executed and without sha1 support the tests are skipped for HASH=sha1. Signed-off-by: Adrian Freihofer <adrian.freihofer@gmail.com>
tpm2-software · Aug 9, 2024 · b9b0ea2 · b9b0ea2
1 parent 7a33520
commit b9b0ea2
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 3 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -143,6 +143,7 @@ EXTRA_DIST = \
     VERSION \
     $(TESTS_SHELL) \
     $(SH_LOG_COMPILER) \
+    test/check_hash_support.sh \
     test/run-with-simulator \
     test/ec_pki/openssl.cnf \
     test/rsa_pki/etc
diff --git a/test/check_hash_support.sh b/test/check_hash_support.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: BSD-3-Clause
+
+# SHA-1 is considered as insecure by some Linux distributions.
+# So far there is no official API to detect SHA-1 support at run-time.
+# This script checks if a hash is supported for signing.
+# More details: https://fedoraproject.org/wiki/SHA1SignaturesGuidance
+
+set -e -o pipefail
+
+tmpdir=$(mktemp -d)
+cleanup() {
+    rm -rf "$tmpdir"
+}
+trap cleanup EXIT
+
+if [ $# -eq 1 ]; then
+    DGST_ALGO=$1
+else
+    echo "Please pass the algorithm. Example sha1"
+    exit 1
+fi
+
+# TPM2 must support it
+tpm2_getcap algorithms | grep -q "$DGST_ALGO"
+
+# openssl must support it
+openssl genpkey -algorithm RSA -out "$tmpdir/private_key.pem" -pkeyopt rsa_keygen_bits:2048 &>/dev/null
+openssl rsa -pubout -in "$tmpdir/private_key.pem" -out "$tmpdir/public_key.pem" &>/dev/null
+echo "Some data" > "$tmpdir/data.txt"
+openssl dgst "-$DGST_ALGO" -sign "$tmpdir/private_key.pem" -out "$tmpdir/signature" "$tmpdir/data.txt" &>/dev/null
+openssl dgst "-$DGST_ALGO" -verify "$tmpdir/public_key.pem" -signature "$tmpdir/signature" "$tmpdir/data.txt" &>/dev/null
diff --git a/test/ecdsa_genpkey_sign_rawin.sh b/test/ecdsa_genpkey_sign_rawin.sh
@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: BSD-3-Clause
 set -eufx
 
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
 echo -n "abcde12345abcde12345" > testdata
 
 # generate private key as PEM
@@ -13,7 +15,7 @@ openssl pkey -provider tpm2 -provider base -in testkey.priv -pubout -out testkey
 # check various digests
 for HASH in sha1 sha256 sha384 sha512; do
     # skip unsupported algorithms
-    tpm2_getcap algorithms | grep $HASH || continue
+    "$SCRIPT_DIR/check_hash_support.sh" $HASH || continue
 
     # sign using ECDSA and a defined hash
     openssl pkeyutl -provider tpm2 -provider base -sign -inkey testkey.priv -rawin -in testdata \

diff --git a/test/rsa_genpkey_sign_rawin.sh b/test/rsa_genpkey_sign_rawin.sh
@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: BSD-3-Clause
 set -eufx
 
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
 echo -n "abcde12345abcde12345" > testdata
 
 # generate key with no scheme/hash constraints
@@ -13,7 +15,7 @@ openssl pkey -provider tpm2 -provider base -in testkey.priv -pubout -out testkey
 # check default scheme with various digests
 for HASH in sha1 sha256 sha384 sha512; do
     # skip unsupported algorithms
-    tpm2_getcap algorithms | grep $HASH || continue
+    "$SCRIPT_DIR/check_hash_support.sh" $HASH || continue
 
     # sign using a defined scheme/hash
     openssl pkeyutl -provider tpm2 -provider base -sign -inkey testkey.priv -rawin -in testdata \

diff --git a/test/rsapss_genpkey_sign_rawin.sh b/test/rsapss_genpkey_sign_rawin.sh
@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: BSD-3-Clause
 set -eufx
 
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
 echo -n "abcde12345abcde12345" > testdata
 
 # check default scheme with various digests
 for HASH in sha1 sha256 sha384 sha512; do
     # skip unsupported algorithms
-    tpm2_getcap algorithms | grep $HASH || continue
+    "$SCRIPT_DIR/check_hash_support.sh" $HASH || continue
 
     # generate key with no scheme/hash constraints
     openssl genpkey -provider tpm2 -algorithm RSA-PSS -pkeyopt bits:1024 \