Andreas Stieger
d72be1f0f4
rnp 0.17.1 OBS-URL: https://build.opensuse.org/request/show/1190048 OBS-URL: https://build.opensuse.org/package/show/security:privacy/rnp?expand=0&rev=33
104 lines
5.2 KiB
Diff
104 lines
5.2 KiB
Diff
From eb1f10b003c2addf8098a764b823696d48b62c01 Mon Sep 17 00:00:00 2001
|
|
From: Nickolay Olshevsky <o.nickolay@gmail.com>
|
|
Date: Fri, 19 Jan 2024 16:05:32 +0200
|
|
Subject: [PATCH] Update tests to match SHA1 cutoff date for key signatures.
|
|
|
|
---
|
|
src/tests/cli_tests.py | 10 +++++-----
|
|
src/tests/ffi.cpp | 26 +++++++++++++++++---------
|
|
src/tests/key-add-userid.cpp | 2 ++
|
|
3 files changed, 24 insertions(+), 14 deletions(-)
|
|
|
|
diff --git a/src/tests/cli_tests.py b/src/tests/cli_tests.py
|
|
index bde7faf9d..634c88504 100755
|
|
--- a/src/tests/cli_tests.py
|
|
+++ b/src/tests/cli_tests.py
|
|
@@ -4862,12 +4862,16 @@ def do_test_encrypt(self, sign_key_size, enc_key_size):
|
|
self.operation_key_location = tuple((key_path(pfx, False), key_path(pfx, True)))
|
|
self.rnp.userid = self.gpg.userid = pfx + AT_EXAMPLE
|
|
# DSA 1024 key uses SHA-1 as hash but verification would succeed till 2024
|
|
+ if sign_key_size == 1024:
|
|
+ return
|
|
self._encrypt_decrypt(self.gpg, self.rnp)
|
|
|
|
def do_test_decrypt(self, sign_key_size, enc_key_size):
|
|
pfx = EncryptElgamal.key_pfx(sign_key_size, enc_key_size)
|
|
self.operation_key_location = tuple((key_path(pfx, False), key_path(pfx, True)))
|
|
self.rnp.userid = self.gpg.userid = pfx + AT_EXAMPLE
|
|
+ if sign_key_size == 1024:
|
|
+ return
|
|
self._encrypt_decrypt(self.rnp, self.gpg)
|
|
|
|
def test_encrypt_P1024_1024(self): self.do_test_encrypt(1024, 1024)
|
|
@@ -4878,11 +4882,7 @@ def test_decrypt_P1024_1024(self): self.do_test_decrypt(1024, 1024)
|
|
def test_decrypt_P2048_2048(self): self.do_test_decrypt(2048, 2048)
|
|
def test_decrypt_P1234_1234(self): self.do_test_decrypt(1234, 1234)
|
|
|
|
- def test_generate_elgamal_key1024_in_gpg_and_encrypt(self):
|
|
- cmd = EncryptElgamal.GPG_GENERATE_DSA_ELGAMAL_PATTERN.format(1024, 1024, self.gpg.userid)
|
|
- self.operation_key_gencmd = cmd
|
|
- # Will not fail till 2024 since 1024-bit DSA key uses SHA-1 as hash.
|
|
- self._encrypt_decrypt(self.gpg, self.rnp)
|
|
+ # 1024-bit key generation test was removed since it uses SHA1, which is not allowed for key signatures since Jan 19, 2024.
|
|
|
|
def test_generate_elgamal_key1536_in_gpg_and_encrypt(self):
|
|
cmd = EncryptElgamal.GPG_GENERATE_DSA_ELGAMAL_PATTERN.format(1536, 1536, self.gpg.userid)
|
|
diff --git a/src/tests/ffi.cpp b/src/tests/ffi.cpp
|
|
index 8f1694d9f..07b778f00 100644
|
|
--- a/src/tests/ffi.cpp
|
|
+++ b/src/tests/ffi.cpp
|
|
@@ -5976,11 +5976,16 @@ TEST_F(rnp_tests, test_ffi_security_profile)
|
|
assert_int_equal(flags, 0);
|
|
/* SHA1 - now, data verify disabled, key sig verify is enabled */
|
|
flags = 0;
|
|
- assert_rnp_success(rnp_get_security_rule(
|
|
- ffi, RNP_FEATURE_HASH_ALG, "SHA1", time(NULL), &flags, &from, &level));
|
|
- assert_int_equal(from, SHA1_DATA_FROM);
|
|
+ auto now = time(NULL);
|
|
+ bool sha1_cutoff = now > SHA1_KEY_FROM;
|
|
+ /* This would pick default rule closer to the date independent on usage */
|
|
+ assert_rnp_success(
|
|
+ rnp_get_security_rule(ffi, RNP_FEATURE_HASH_ALG, "SHA1", now, &flags, &from, &level));
|
|
+ auto expect_from = sha1_cutoff ? SHA1_KEY_FROM : SHA1_DATA_FROM;
|
|
+ auto expect_usage = sha1_cutoff ? RNP_SECURITY_VERIFY_KEY : RNP_SECURITY_VERIFY_DATA;
|
|
+ assert_int_equal(from, expect_from);
|
|
assert_int_equal(level, RNP_SECURITY_INSECURE);
|
|
- assert_int_equal(flags, RNP_SECURITY_VERIFY_DATA);
|
|
+ assert_int_equal(flags, expect_usage);
|
|
flags = 0;
|
|
assert_rnp_success(rnp_get_security_rule(
|
|
ffi, RNP_FEATURE_HASH_ALG, "SHA1", SHA1_DATA_FROM - 1, &flags, &from, &level));
|
|
@@ -5993,11 +5998,14 @@ TEST_F(rnp_tests, test_ffi_security_profile)
|
|
assert_int_equal(level, RNP_SECURITY_INSECURE);
|
|
assert_int_equal(flags, RNP_SECURITY_VERIFY_DATA);
|
|
flags = RNP_SECURITY_VERIFY_KEY;
|
|
- assert_rnp_success(rnp_get_security_rule(
|
|
- ffi, RNP_FEATURE_HASH_ALG, "SHA1", time(NULL), &flags, &from, &level));
|
|
- assert_int_equal(from, 0);
|
|
- assert_int_equal(level, RNP_SECURITY_DEFAULT);
|
|
- assert_int_equal(flags, 0);
|
|
+ assert_rnp_success(
|
|
+ rnp_get_security_rule(ffi, RNP_FEATURE_HASH_ALG, "SHA1", now, &flags, &from, &level));
|
|
+ expect_from = sha1_cutoff ? SHA1_KEY_FROM : 0;
|
|
+ auto expect_level = sha1_cutoff ? RNP_SECURITY_INSECURE : RNP_SECURITY_DEFAULT;
|
|
+ expect_usage = sha1_cutoff ? RNP_SECURITY_VERIFY_KEY : 0;
|
|
+ assert_int_equal(from, expect_from);
|
|
+ assert_int_equal(level, expect_level);
|
|
+ assert_int_equal(flags, expect_usage);
|
|
flags = RNP_SECURITY_VERIFY_KEY;
|
|
assert_rnp_success(rnp_get_security_rule(
|
|
ffi, RNP_FEATURE_HASH_ALG, "SHA1", SHA1_KEY_FROM + 5, &flags, &from, &level));
|
|
diff --git a/src/tests/key-add-userid.cpp b/src/tests/key-add-userid.cpp
|
|
index 5c2a4f71d..edd420573 100644
|
|
--- a/src/tests/key-add-userid.cpp
|
|
+++ b/src/tests/key-add-userid.cpp
|
|
@@ -68,6 +68,8 @@ TEST_F(rnp_tests, test_key_add_userid)
|
|
selfsig0.key_flags = 0x2;
|
|
selfsig0.key_expiration = base_expiry;
|
|
selfsig0.primary = false;
|
|
+ auto curtime = global_ctx.time();
|
|
+ global_ctx.set_time(curtime > SHA1_KEY_FROM ? SHA1_KEY_FROM - 100 : 0);
|
|
key->add_uid_cert(selfsig0, PGP_HASH_SHA1, global_ctx);
|
|
// attempt to add sha1-signed uid and make sure it succeeds now and fails after the cutoff
|
|
// date in 2024
|