
[ima-evm-utils,2/2] tests: fix gen-keys.sh to generate sha256 certificates

Message ID 20230306113635.350582-2-zohar@linux.ibm.com (mailing list archive)
State New, archived
Series: [ima-evm-utils,1/2] Update README

Commit Message

Mimi Zohar March 6, 2023, 11:36 a.m. UTC
On systems with OpenSSL sha1 disabled, the sign-verify.test fails:

- openssl dgst   -sha1 sha1.txt
- openssl dgst   -sha1 -sign test-rsa1024.key -hex sha1.txt
Error setting context
804BD5CF787F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:343:
sha1 (test-rsa1024.key) test is skipped (openssl is unable to sign)

Instead of enabling sha1 support on these systems by setting the environment
variable OPENSSL_ENABLE_SHA1_SIGNATURES, generate a sha256 certificate.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 tests/gen-keys.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

R Nageswara Sastry March 6, 2023, 12:35 p.m. UTC | #1
On 06/03/23 5:06 pm, Mimi Zohar wrote:
> On systems with OpenSSL sha1 disabled, the sign-verify.test fails:
> 
> - openssl dgst   -sha1 sha1.txt
> - openssl dgst   -sha1 -sign test-rsa1024.key -hex sha1.txt
> Error setting context
> 804BD5CF787F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:343:
> sha1 (test-rsa1024.key) test is skipped (openssl is unable to sign)
> 
> Instead of enabling sha1 support on these systems by setting the environment
> variable OPENSSL_ENABLE_SHA1_SIGNATURES, generate a sha256 certificate.
> 
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Tested-by: Nageswara R Sastry <rnsastry@linux.ibm.com>

...
PASS: ima_hash.test
PASS: sign_verify.test
PASS: boot_aggregate.test
SKIP: fsverity.test
SKIP: portable_signatures.test
PASS: ima_policy_check.test
SKIP: mmap_check.test
...
> ---
>   tests/gen-keys.sh | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh
> index 1a6c22a2f3c4..8905cdf2d216 100755
> --- a/tests/gen-keys.sh
> +++ b/tests/gen-keys.sh
> @@ -71,7 +71,7 @@ for m in 1024 1024_skid 2048; do
>       ext=
>     fi
>     if [ ! -e test-rsa$m.key ]; then
> -    log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 $ext \
> +    log openssl req -verbose -new -nodes -utf8 -sha256 -days 10000 -batch -x509 $ext \
>         -config test-ca.conf \
>         -newkey rsa:$bits \
>         -out test-rsa$m.cer -outform DER \
> @@ -93,7 +93,7 @@ for curve in prime192v1 prime256v1; do
>       continue
>     fi
>     if [ ! -e test-$curve.key ]; then
> -    log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 \
> +    log openssl req -verbose -new -nodes -utf8 -sha256 -days 10000 -batch -x509 \
>         -config test-ca.conf \
>         -newkey ec \
>         -pkeyopt ec_paramgen_curve:$curve \

Patch

diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh
index 1a6c22a2f3c4..8905cdf2d216 100755
--- a/tests/gen-keys.sh
+++ b/tests/gen-keys.sh
@@ -71,7 +71,7 @@  for m in 1024 1024_skid 2048; do
     ext=
   fi
   if [ ! -e test-rsa$m.key ]; then
-    log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 $ext \
+    log openssl req -verbose -new -nodes -utf8 -sha256 -days 10000 -batch -x509 $ext \
       -config test-ca.conf \
       -newkey rsa:$bits \
       -out test-rsa$m.cer -outform DER \
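Review bot: the commit message opens with the sign-verify.test failure, but this hunk only changes the digest used to self-sign the test certificate in gen-keys.sh, and the quoted log shows the sha1 sign case is skipped rather than failed when openssl cannot sign; presumably the real breakage is that `openssl req ... -sha1 ... -x509` cannot produce test-rsa$m.cer at all on a sha1-disabled system, so no key material exists for the dependent tests. Saying that in the message would make the motivation match the change. Two smaller points: hoisting the digest into one variable (e.g. `digest=sha256`) shared by the RSA and EC branches would keep the two `openssl req` lines from drifting apart again, and it is worth checking whether the same hardened OpenSSL configurations that disable SHA-1 also raise the default security level far enough to reject the `1024` and `1024_skid` entries of this loop, which would then need the same skip treatment the EC loop has.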
@@ -93,7 +93,7 @@  for curve in prime192v1 prime256v1; do
     continue
   fi
   if [ ! -e test-$curve.key ]; then
-    log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 \
+    log openssl req -verbose -new -nodes -utf8 -sha256 -days 10000 -batch -x509 \
       -config test-ca.conf \
       -newkey ec \
       -pkeyopt ec_paramgen_curve:$curve \
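Review bot: same change for the EC branch; with prime192v1 still in the loop, a SHA-256 digest is longer than the 192-bit group order, which ECDSA handles by truncating the digest, so the switch is sound for both curves. The `continue` at the top of the loop body suggests unsupported curves are already skipped; since builds that disable sha1 commonly also refuse prime192v1 under their default security level, confirm that check covers this case, otherwise this `openssl req` call is the next place the script will abort. As with the RSA hunk, reading the digest name from one shared variable would keep the two branches in step.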