test: update keyutil test to verify new pkcs7 --hash-algorithm param

2026-04-14 08:25:20 +09:00 · 2025-06-06 14:18:06 -04:00
parent 103fa98f84
commit db83bd7e36
1 changed files with 35 additions and 17 deletions
--- a/test/units/TEST-74-AUX-UTILS.keyutil.sh
+++ b/test/units/TEST-74-AUX-UTILS.keyutil.sh
@@ -47,31 +47,49 @@ testcase_public() {
    (! /usr/lib/systemd/systemd-keyutil public)
 }

+verify_pkcs7() {
+    # Verify using internal certificate
+    openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify > /dev/null
+    # Verify using external (original) certificate
+    openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify -certfile /tmp/test.crt -nointern > /dev/null
+}
+
+verify_pkcs7_fail() {
+    # Verify using internal certificate
+    (! openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify > /dev/null)
+    # Verify using external (original) certificate
+    (! openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify -certfile /tmp/test.crt -nointern > /dev/null)
+}
+
 testcase_pkcs7() {
    echo -n "test" > /tmp/payload

-    # Generate PKCS#1 signature
-    openssl dgst -sha256 -sign /tmp/test.key -out /tmp/payload.sig /tmp/payload
+    for hashalg in sha256 sha384 sha512; do
+        # shellcheck disable=SC2086
+        openssl dgst -$hashalg -sign /tmp/test.key -out /tmp/payload.p1s /tmp/payload

-    # Generate PKCS#7 "detached" signature
-    /usr/lib/systemd/systemd-keyutil --certificate /tmp/test.crt --output /tmp/payload.p7s --signature /tmp/payload.sig pkcs7
+        # Test with and without content in the PKCS7
+        for content_param in "" "--content /tmp/payload"; do
+            # Test with and without specifying signing hash alg
+            for hashalg_param in "" "--hash-algorithm $hashalg"; do
+                # shellcheck disable=SC2086
+                /usr/lib/systemd/systemd-keyutil --certificate /tmp/test.crt --output /tmp/payload.p7s --signature /tmp/payload.p1s $content_param $hashalg_param pkcs7

-    # Verify using internal x509 certificate
-    openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify > /dev/null
+                # Should always pass, except when not specifying hash alg and hash alg != sha256
+                if [ -z "$hashalg_param" ] && [ "$hashalg" != "sha256" ]; then
+                    verify_pkcs7_fail
+                else
+                    verify_pkcs7
+                fi

-    # Verify using external (original) x509 certificate
-    openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -certificate /tmp/test.crt -nointern -noverify > /dev/null
+                rm -f /tmp/payload.p7s
+            done
+        done

-    rm -f /tmp/payload.p7s
+        rm -f /tmp/payload.p1s
+    done

-    # Generate PKCS#7 non-"detached" signature
-    /usr/lib/systemd/systemd-keyutil --certificate /tmp/test.crt --output /tmp/payload.p7s --signature /tmp/payload.sig --content /tmp/payload pkcs7
-
-    # Verify using internal x509 certificate
-    openssl smime -verify -binary -inform der -in /tmp/payload.p7s -noverify > /dev/null
-
-    # Verify using external (original) x509 certificate
-    openssl smime -verify -binary -inform der -in /tmp/payload.p7s -certificate /tmp/test.crt -nointern -noverify > /dev/null
+    rm -f /tmp/payload
 }

 run_testcases