From d08d752365fd01b4a3f2846156d758733b644ae0 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Nov 12 2015 20:16:04 +0000
Subject: Get vague about what we expect from certutil

When checking the size of DSA keys generated by certutil, take account of the fact that the key size usually doesn't grow beyond 1024 bits, and is often one or more bits shorter than the requested size.

---
diff --git a/tests/001-keyiread-dsa/expected.out b/tests/001-keyiread-dsa/expected.out
index 5c3e458..9d6e460 100644
--- a/tests/001-keyiread-dsa/expected.out
+++ b/tests/001-keyiread-dsa/expected.out
@@ -1,19 +1,19 @@
-OK (DSA:1024).
-OK (DSA:1024).
-OK (DSA:1024).
-OK (DSA:1024).
-OK (DSA:1024).
-OK (DSA:1024).
-OK (DSA:1024).
-OK (DSA:1024).
-OK (DSA:1024).
-OK (DSA:1024).
-OK (DSA:1024).
-OK (DSA:1024).
-OK (DSA:1024).
-OK (DSA:1024).
-OK (DSA:1024).
-OK (DSA:1024).
-OK (DSA:1024).
-OK (DSA:1024).
+OK (DSA >= ~512).
+OK (DSA >= ~512).
+OK (DSA >= ~512).
+OK (DSA >= ~1024).
+OK (DSA >= ~1024).
+OK (DSA >= ~1024).
+OK (DSA >= ~1024).
+OK (DSA >= ~1024).
+OK (DSA >= ~1024).
+OK (DSA >= ~1024).
+OK (DSA >= ~1024).
+OK (DSA >= ~1024).
+OK (DSA >= ~1024).
+OK (DSA >= ~1024).
+OK (DSA >= ~1024).
+OK (DSA >= ~1024).
+OK (DSA >= ~1024).
+OK (DSA >= ~1024).
 Test complete.
diff --git a/tests/001-keyiread-dsa/run.sh b/tests/001-keyiread-dsa/run.sh
index b56df1d..20ff2aa 100755
--- a/tests/001-keyiread-dsa/run.sh
+++ b/tests/001-keyiread-dsa/run.sh
@@ -10,6 +10,10 @@ for size in 512 1024 1536 2048 3072 4096 ; do
 run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
 -s "cn=T$size" -c "cn=T$size" \
 -x -t u -k dsa
+ # Correct the expected size of the key.
+ if test $size -gt 1024 ; then
+ size=1024
+ fi
 # Export the key.
 pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
 openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1
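Review bot: Clamping `size` itself changes which key the rest of the iteration looks at: after `size=1024` the export on the next line runs `pk12util ... -o $size.p12 ... -n "keyi$size"`, so as far as the visible lines show, the 1536, 2048, 3072 and 4096 passes re-export and re-measure the keyi1024 key generated earlier (overwriting 1024.p12, key.1024 and entry.openssl.1024) while the key just created with `-n keyi$size` is never checked; the `key_nickname=keyi$size` lines in the next two hunks are affected the same way. Keep `$size` for nicknames and filenames and carry the expected size separately: `minimum=$size`, `if test $size -gt 1024 ; then minimum=1024 ; fi`, then pass `-m $minimum` to the three keyiread calls in the later hunks. The enclosing for loop begins outside the hunk.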
@@ -18,7 +22,7 @@ for size in 512 1024 1536 2048 3072 4096 ; do
 key_storage_location=$tmpdir/key.$size
 key_nickname=keyi$size
 EOF
- $toolsdir/keyiread entry.openssl.$size
+ $toolsdir/keyiread -m $size -s entry.openssl.$size
 # Check the size of the key (with cache).
 cat > entry.nss.$size <<- EOF
 key_storage_type=NSSDB
@@ -27,13 +31,13 @@ for size in 512 1024 1536 2048 3072 4096 ; do
 EOF
 grep ^key_pubkey_info= entry.openssl.$size >> entry.nss.$size
 grep ^key_pubkey= entry.openssl.$size >> entry.nss.$size
- $toolsdir/keyiread entry.nss.$size
+ $toolsdir/keyiread -m $size -s entry.nss.$size
 # Check the size of the key (without cache).
 cat > entry.nss.$size <<- EOF
 key_storage_type=NSSDB
 key_storage_location=$tmpdir
 key_nickname=keyi$size
 EOF
- $toolsdir/keyiread entry.nss.$size
+ $toolsdir/keyiread -m $size -s entry.nss.$size
 done
 echo Test complete.
diff --git a/tests/tools/keyiread.c b/tests/tools/keyiread.c
index 22f50cb..a9c0c09 100644
--- a/tests/tools/keyiread.c
+++ b/tests/tools/keyiread.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009,2011,2014 Red Hat, Inc.
+ * Copyright (C) 2009,2011,2014,2015 Red Hat, Inc.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -21,6 +21,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -70,20 +71,38 @@ type_name(enum cm_key_algorithm alg)
 }
 int
-main(int argc, char **argv)
+main(int argc, const char **argv)
 {
 struct cm_keyiread_state *state;
 struct cm_store_entry *entry;
- int fd, ret, need_pin;
+ int fd, ret, need_pin, summary = 0, minimum = -1, i;
 void *parent;
+ const char *filename;
+ poptContext pctx;
+ struct poptOption popts[] = {
+ {"summary", 's', POPT_ARG_NONE, &summary, 0, NULL, NULL},
+ {"minimum", 'm', POPT_ARG_INT, &minimum, 0, NULL, NULL},
+ POPT_AUTOHELP
+ POPT_TABLEEND
+ };
+
+ pctx = poptGetContext("keyiread", argc, argv, popts, 0);
+ while ((i = poptGetNextOpt(pctx)) > 0) {
+ continue;
+ }
+ if (i != -1) {
+ poptPrintUsage(pctx, stdout, 0);
+ return 1;
+ }
 
 cm_log_set_method(cm_log_stderr);
 cm_log_set_level(3);
 cm_set_fips_from_env();
 parent = talloc_new(NULL);
- if (argc > 1) {
- entry = cm_store_files_entry_read(parent, argv[1]);
+ if (poptPeekArg(pctx) != NULL) {
+ filename = poptGetArg(pctx);
+ entry = cm_store_files_entry_read(parent, filename);
 if (entry == NULL) {
- printf("Error reading %s: %s.\n", argv[1],
+ printf("Error reading %s: %s.\n", filename,
 strerror(errno));
 return 1;
 }
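Review bot: The popt context created by `poptGetContext` is never released: neither of the visible `return 1` paths (the usage failure after `poptGetNextOpt`, the failed `cm_store_files_entry_read`) calls `poptFreeContext(pctx)`, and `filename` returned by `poptGetArg` is only valid while the context lives, so any later release must come after the last use of the name. Harmless for a one-shot test tool, but the usage path at least should read `poptPrintUsage(pctx, stderr, 0); poptFreeContext(pctx); return 1;` so errors do not land on stdout where the test compares output. Both option entries also leave `descrip` and `argDescrip` NULL, so the `--help` that POPT_AUTOHELP adds lists them without explanation; suggest `"print only whether the key size meets the minimum"` for summary and `"requested key size in bits"` with argDescrip `"BITS"` for minimum. main continues past the end of the hunk.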
@@ -109,15 +128,55 @@ main(int argc, char **argv)
 cm_keyiread_done(state);
 if (entry->cm_key_type.cm_key_size != 0) {
 if (entry->cm_key_next_type.cm_key_size != 0) {
- printf("OK (%s:%d after %s:%d).\n",
- type_name(entry->cm_key_next_type.cm_key_algorithm),
- entry->cm_key_next_type.cm_key_size,
- type_name(entry->cm_key_next_type.cm_key_algorithm),
- entry->cm_key_next_type.cm_key_size);
+ if (summary) {
+ if (minimum > 0) {
+ if ((entry->cm_key_next_type.cm_key_size >= minimum * 0.9) &&
+ (entry->cm_key_type.cm_key_size >= minimum * 0.9)) {
+ printf("OK (%s >= ~%d after %s >= ~%d).\n",
+ type_name(entry->cm_key_next_type.cm_key_algorithm),
+ minimum,
+ type_name(entry->cm_key_type.cm_key_algorithm),
+ minimum);
+ } else {
+ printf("NOT OK (%s:%d < %d after %s:%d < %d).\n",
+ type_name(entry->cm_key_next_type.cm_key_algorithm),
+ entry->cm_key_next_type.cm_key_size, minimum,
+ type_name(entry->cm_key_type.cm_key_algorithm),
+ entry->cm_key_type.cm_key_size, minimum);
+ }
+ } else {
+ printf("OK (%s after %s).\n",
+ type_name(entry->cm_key_next_type.cm_key_algorithm),
+ type_name(entry->cm_key_type.cm_key_algorithm));
+ }
+ } else {
+ printf("OK (%s:%d after %s:%d).\n",
+ type_name(entry->cm_key_next_type.cm_key_algorithm),
+ entry->cm_key_next_type.cm_key_size,
+ type_name(entry->cm_key_type.cm_key_algorithm),
+ entry->cm_key_type.cm_key_size);
+ }
 } else {
- printf("OK (%s:%d).\n",
- type_name(entry->cm_key_type.cm_key_algorithm),
- entry->cm_key_type.cm_key_size);
+ if (summary) {
+ if (minimum > 0) {
+ if (entry->cm_key_type.cm_key_size >= minimum * 0.9) {
+ printf("OK (%s >= ~%d).\n",
+ type_name(entry->cm_key_type.cm_key_algorithm),
+ minimum);
+ } else {
+ printf("NOT OK (%s:%d < %d).\n",
+ type_name(entry->cm_key_type.cm_key_algorithm),
+ entry->cm_key_type.cm_key_size, minimum);
+ }
+ } else {
+ printf("OK (%s).\n",
+ type_name(entry->cm_key_type.cm_key_algorithm));
+ }
+ } else {
+ printf("OK (%s:%d).\n",
+ type_name(entry->cm_key_type.cm_key_algorithm),
+ entry->cm_key_type.cm_key_size);
+ }
 }
 ret = 0;
 } else {
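Review bot: The acceptance check `cm_key_size >= minimum * 0.9` appears three times as a bare magic factor, and it is much looser than the "one or more bits shorter" the commit message describes: with 0.9 a 922-bit key passes against a 1024-bit request and a 461-bit key against 512, so a test meant to catch undersized keys should state that slack in one named place. Pull the comparison into a small helper next to type_name with a named tolerance, so both summary branches use the same rule and the number can be tightened without touching main. The combined NOT OK line also prints `< %d` for both keys even when only one is short; printing both sizes with the single wanted value, e.g. `NOT OK (%s:%d after %s:%d, wanted ~%d)`, avoids the misleading label. main's body continues beyond the hunk.
```c
/* How far below the requested size a generated key may fall and still be
 * reported OK; certutil's DSA keys often come out a few bits short of the
 * requested size (see the commit message). */
static const double size_tolerance = 0.9;

/* Nonzero when a key of `size` bits is close enough to `minimum` bits. */
static int
size_meets_minimum(int size, int minimum)
{
	return size >= minimum * size_tolerance;
}

/* … in main(), the two summary comparisons become … */
if (size_meets_minimum(entry->cm_key_next_type.cm_key_size, minimum) &&
    size_meets_minimum(entry->cm_key_type.cm_key_size, minimum)) {
/* … unchanged: OK / NOT OK printf pairs … */
if (size_meets_minimum(entry->cm_key_type.cm_key_size, minimum)) {
```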