From e840b623a60309fe9682670b4adbffc86975b740 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Jan 06 2022 20:12:15 +0000
Subject: Verify that the AES-128 is used for encrypting the local CA

OpenSSL by default used very old defaults, RC2-CBC and 3DES, for encryption. This resulted in a credential that was unusable if FIPS was enabled. Both values are now hardcoded to AES-128-CBC so that it is both more modern and will work in all situations. This tests that nothing has changed.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1950132

Signed-off-by: Rob Crittenden

---

diff --git a/tests/026-local/expected.openssl1 b/tests/026-local/expected.openssl1
index 1f81c7c..feef31b 100644
--- a/tests/026-local/expected.openssl1
+++ b/tests/026-local/expected.openssl1
@@ -70,4 +70,6 @@ Certificate:
 [verify]
 cert: OK
+cert cipher: OK
+key cipher: OK
 OK.
diff --git a/tests/026-local/expected.openssl3 b/tests/026-local/expected.openssl3
index 05666cc..6cd5ed3 100644
--- a/tests/026-local/expected.openssl3
+++ b/tests/026-local/expected.openssl3
@@ -65,4 +65,6 @@ Certificate:
 [verify]
 cert: OK
+cert cipher: OK
+key cipher: OK
 OK.
diff --git a/tests/026-local/run.sh b/tests/026-local/run.sh
index 3e7ade5..b8dc869 100755
--- a/tests/026-local/run.sh
+++ b/tests/026-local/run.sh
@@ -52,4 +52,20 @@ echo "[subject]"
 dumpcert cert
 echo "[verify]"
 openssl verify -CAfile $tmpdir/ca-cert cert
+
+# Check the encryption used in the creds file
+certenc=`openssl pkcs12 -info -in /tmp/foo/creds -passin pass: -nodes 2>&1 | grep "PKCS7 Encrypted data:" | awk '{ print $6 }' | sed 's/,//'`
+keyenc=`openssl pkcs12 -info -in /tmp/foo/creds -passin pass: -nokeys 2>&1 | grep "Shrouded Keybag:" | awk '{ print $5 }' | sed 's/,//'`
+
+if [ $certenc != "AES-128-CBC" ]; then
+	echo "Fail, cert cipher is $certenc"
+else
+	echo "cert cipher: OK"
+fi
+if [ $keyenc != "AES-128-CBC" ]; then
+	echo "Fail, key cipher is $keyenc"
+else
+	echo "key cipher: OK"
+fi
+
 echo OK.
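Review bot: The two comparisons `if [ $certenc != "AES-128-CBC" ]` and `if [ $keyenc != "AES-128-CBC" ]` in the run.sh hunk leave the variables unquoted, so when the `openssl pkcs12 -info | grep | awk | sed` pipeline produces nothing (openssl rejecting the file, a changed `-info` layout, or the grep pattern no longer matching) `[` is handed a missing operand and prints a shell error instead of the intended `Fail, ... cipher is` line, and the empty value also hides what was actually found. Quoting both tests, `if [ "$certenc" != "AES-128-CBC" ]; then` and `if [ "$keyenc" != "AES-128-CBC" ]; then`, makes an empty result fail cleanly with the readable message and still diverges from the expected output. The awk field indexes `$6` and `$5` are tied to the exact wording of the `-info` lines, which the per-version expected files suggest already differs between OpenSSL releases, so a short comment above `certenc=` stating which token of the `PKCS7 Encrypted data:` and `Shrouded Keybag:` lines is being extracted would help whoever has to adjust it next. The hard-coded `/tmp/foo/creds` presumably matches where the earlier, out-of-hunk part of this test configures the local CA to write its credentials; if that path is held in a variable there, reusing it here would keep the two in step.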