rpms / systemd

Clone
Source Code
GIT

Blame SOURCES/0126-test-check-if-we-can-use-SHA1-MD-for-signing-before-.patch

c10s-sig-hyperscale c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic c7-atomic-beta c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c8s-sig-hyperscale c8s-sig-hyperscale-hotfix-252 c9 c9-beta c9s-sig-hyperscale c9s-sig-hyperscale-hotfix-252
  1.   2aaceffb63c380c5ea3df653b8aee499968c289a
  2.   SOURCES
  3.   0126-test-check-if-we-can-use-SHA1-MD-for-signing-before-.patch
Blob History Raw
2aacef 
From 17cc25a2d7c2ebe75e18cf813d539e5997610e25 Mon Sep 17 00:00:00 2001
2aacef 
From: Frantisek Sumsal <frantisek@sumsal.cz>
2aacef 
Date: Fri, 2 Dec 2022 12:48:26 +0100
2aacef 
Subject: [PATCH] test: check if we can use SHA1 MD for signing before using it
2aacef
2aacef 
Some distributions have started phasing out SHA1, which breaks
2aacef 
the systemd-measure test case in its current form. Let's make sure we
2aacef 
can use SHA1 for signing beforehand to mitigate this.
2aacef
2aacef 
Spotted on RHEL 9, where SHA1 signatures are disallowed by [0]:
2aacef 
```
2aacef 
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "/tmp/pcrsign-private.pem"
2aacef 
...
2aacef 
openssl rsa -pubout -in "/tmp/pcrsign-private.pem" -out "/tmp/pcrsign-public.pem"
2aacef 
writing RSA key
2aacef 
/usr/lib/systemd/systemd-measure sign --current --bank=sha1 --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem"
2aacef 
Failed to initialize signature context.
2aacef 
```
2aacef
2aacef 
[0] https://gitlab.com/redhat/centos-stream/rpms/openssl/-/blob/c9s/0049-Selectively-disallow-SHA1-signatures.patch
2aacef
2aacef 
(cherry picked from commit d19e5540f20c78caa949ff33050b4a530cae1982)
2aacef
2aacef 
Related: #2141979
2aacef 
---
2aacef 
 test/units/testsuite-70.sh | 15 ++++++++++++---
2aacef 
 1 file changed, 12 insertions(+), 3 deletions(-)
2aacef
2aacef 
diff --git a/test/units/testsuite-70.sh b/test/units/testsuite-70.sh
2aacef 
index b1cf7e83c4..89cd2a3f82 100755
2aacef 
--- a/test/units/testsuite-70.sh
2aacef 
+++ b/test/units/testsuite-70.sh
2aacef 
@@ -102,8 +102,17 @@ if [ -e /usr/lib/systemd/systemd-measure ] && \
2aacef 
     openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "/tmp/pcrsign-private.pem"
2aacef 
     openssl rsa -pubout -in "/tmp/pcrsign-private.pem" -out "/tmp/pcrsign-public.pem"
2aacef
2aacef 
+    MEASURE_BANKS=("--bank=sha256")
2aacef 
+    # Check if SHA1 signatures are supported
2aacef 
+    #
2aacef 
+    # Some distros have started phasing out SHA1, so make sure the SHA1
2aacef 
+    # signatures are supported before trying to use them.
2aacef 
+    if echo hello | openssl dgst -sign /tmp/pcrsign-private.pem -sha1 >/dev/null; then
2aacef 
+        MEASURE_BANKS+=("--bank=sha1")
2aacef 
+    fi
2aacef 
+
2aacef 
     # Sign current PCR state with it
2aacef 
-    /usr/lib/systemd/systemd-measure sign --current --bank=sha1 --bank=sha256 --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: | tee "/tmp/pcrsign.sig"
2aacef 
+    /usr/lib/systemd/systemd-measure sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: | tee "/tmp/pcrsign.sig"
2aacef 
     dd if=/dev/urandom of=/tmp/pcrtestdata bs=1024 count=64
2aacef 
     systemd-creds encrypt /tmp/pcrtestdata /tmp/pcrtestdata.encrypted --with-key=host+tpm2-with-public-key --tpm2-public-key="/tmp/pcrsign-public.pem"
2aacef 
     systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig" | cmp - /tmp/pcrtestdata
2aacef 
@@ -113,7 +122,7 @@ if [ -e /usr/lib/systemd/systemd-measure ] && \
2aacef 
     systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig" > /dev/null && { echo 'unexpected success'; exit 1; }
2aacef
2aacef 
     # Sign new PCR state, decrypting should work now.
2aacef 
-    /usr/lib/systemd/systemd-measure sign --current --bank=sha1 --bank=sha256 --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: > "/tmp/pcrsign.sig2"
2aacef 
+    /usr/lib/systemd/systemd-measure sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: > "/tmp/pcrsign.sig2"
2aacef 
     systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig2" | cmp - /tmp/pcrtestdata
2aacef
2aacef 
     # Now, do the same, but with a cryptsetup binding
2aacef 
@@ -135,7 +144,7 @@ if [ -e /usr/lib/systemd/systemd-measure ] && \
2aacef 
     SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 $img - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1 && { echo 'unexpected success'; exit 1; }
2aacef
2aacef 
     # But once we sign the current PCRs, we should be able to unlock again
2aacef 
-    /usr/lib/systemd/systemd-measure sign --current --bank=sha1 --bank=sha256 --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: > "/tmp/pcrsign.sig3"
2aacef 
+    /usr/lib/systemd/systemd-measure sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: > "/tmp/pcrsign.sig3"
2aacef 
     SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 $img - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig3",headless=1
2aacef 
     /usr/lib/systemd/systemd-cryptsetup detach test-volume2
2aacef 
     SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 $img - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig3",headless=1

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation