naccyde / rpms / systemd

Forked from rpms/systemd a year ago
Clone
2aacef
From 17cc25a2d7c2ebe75e18cf813d539e5997610e25 Mon Sep 17 00:00:00 2001
2aacef
From: Frantisek Sumsal <frantisek@sumsal.cz>
2aacef
Date: Fri, 2 Dec 2022 12:48:26 +0100
2aacef
Subject: [PATCH] test: check if we can use SHA1 MD for signing before using it
2aacef
2aacef
Some distributions have started phasing out SHA1, which breaks
2aacef
the systemd-measure test case in its current form. Let's make sure we
2aacef
can use SHA1 for signing beforehand to mitigate this.
2aacef
2aacef
Spotted on RHEL 9, where SHA1 signatures are disallowed by [0]:
2aacef
```
2aacef
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "/tmp/pcrsign-private.pem"
2aacef
...
2aacef
openssl rsa -pubout -in "/tmp/pcrsign-private.pem" -out "/tmp/pcrsign-public.pem"
2aacef
writing RSA key
2aacef
/usr/lib/systemd/systemd-measure sign --current --bank=sha1 --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem"
2aacef
Failed to initialize signature context.
2aacef
```
2aacef
2aacef
[0] https://gitlab.com/redhat/centos-stream/rpms/openssl/-/blob/c9s/0049-Selectively-disallow-SHA1-signatures.patch
2aacef
2aacef
(cherry picked from commit d19e5540f20c78caa949ff33050b4a530cae1982)
2aacef
2aacef
Related: #2141979
2aacef
---
2aacef
 test/units/testsuite-70.sh | 15 ++++++++++++---
2aacef
 1 file changed, 12 insertions(+), 3 deletions(-)
2aacef
2aacef
diff --git a/test/units/testsuite-70.sh b/test/units/testsuite-70.sh
2aacef
index b1cf7e83c4..89cd2a3f82 100755
2aacef
--- a/test/units/testsuite-70.sh
2aacef
+++ b/test/units/testsuite-70.sh
2aacef
@@ -102,8 +102,17 @@ if [ -e /usr/lib/systemd/systemd-measure ] && \
2aacef
     openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "/tmp/pcrsign-private.pem"
2aacef
     openssl rsa -pubout -in "/tmp/pcrsign-private.pem" -out "/tmp/pcrsign-public.pem"
2aacef
 
2aacef
+    MEASURE_BANKS=("--bank=sha256")
2aacef
+    # Check if SHA1 signatures are supported
2aacef
+    #
2aacef
+    # Some distros have started phasing out SHA1, so make sure the SHA1
2aacef
+    # signatures are supported before trying to use them.
2aacef
+    if echo hello | openssl dgst -sign /tmp/pcrsign-private.pem -sha1 >/dev/null; then
2aacef
+        MEASURE_BANKS+=("--bank=sha1")
2aacef
+    fi
2aacef
+
2aacef
     # Sign current PCR state with it
2aacef
-    /usr/lib/systemd/systemd-measure sign --current --bank=sha1 --bank=sha256 --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: | tee "/tmp/pcrsign.sig"
2aacef
+    /usr/lib/systemd/systemd-measure sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: | tee "/tmp/pcrsign.sig"
2aacef
     dd if=/dev/urandom of=/tmp/pcrtestdata bs=1024 count=64
2aacef
     systemd-creds encrypt /tmp/pcrtestdata /tmp/pcrtestdata.encrypted --with-key=host+tpm2-with-public-key --tpm2-public-key="/tmp/pcrsign-public.pem"
2aacef
     systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig" | cmp - /tmp/pcrtestdata
2aacef
@@ -113,7 +122,7 @@ if [ -e /usr/lib/systemd/systemd-measure ] && \
2aacef
     systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig" > /dev/null && { echo 'unexpected success'; exit 1; }
2aacef
 
2aacef
     # Sign new PCR state, decrypting should work now.
2aacef
-    /usr/lib/systemd/systemd-measure sign --current --bank=sha1 --bank=sha256 --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: > "/tmp/pcrsign.sig2"
2aacef
+    /usr/lib/systemd/systemd-measure sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: > "/tmp/pcrsign.sig2"
2aacef
     systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig2" | cmp - /tmp/pcrtestdata
2aacef
 
2aacef
     # Now, do the same, but with a cryptsetup binding
2aacef
@@ -135,7 +144,7 @@ if [ -e /usr/lib/systemd/systemd-measure ] && \
2aacef
     SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 $img - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1 && { echo 'unexpected success'; exit 1; }
2aacef
 
2aacef
     # But once we sign the current PCRs, we should be able to unlock again
2aacef
-    /usr/lib/systemd/systemd-measure sign --current --bank=sha1 --bank=sha256 --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: > "/tmp/pcrsign.sig3"
2aacef
+    /usr/lib/systemd/systemd-measure sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: > "/tmp/pcrsign.sig3"
2aacef
     SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 $img - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig3",headless=1
2aacef
     /usr/lib/systemd/systemd-cryptsetup detach test-volume2
2aacef
     SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 $img - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig3",headless=1