File rnp-v0.17.0-test-SHA1-cutoff.patch of Package rnp
From eb1f10b003c2addf8098a764b823696d48b62c01 Mon Sep 17 00:00:00 2001
From: Nickolay Olshevsky <o.nickolay@gmail.com>
Date: Fri, 19 Jan 2024 16:05:32 +0200
Subject: [PATCH] Update tests to match SHA1 cutoff date for key signatures.
---
src/tests/cli_tests.py | 10 +++++-----
src/tests/ffi.cpp | 26 +++++++++++++++++---------
src/tests/key-add-userid.cpp | 2 ++
3 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/src/tests/cli_tests.py b/src/tests/cli_tests.py
index bde7faf9d..634c88504 100755
--- a/src/tests/cli_tests.py
+++ b/src/tests/cli_tests.py
@@ -4862,12 +4862,16 @@ def do_test_encrypt(self, sign_key_size, enc_key_size):
self.operation_key_location = tuple((key_path(pfx, False), key_path(pfx, True)))
self.rnp.userid = self.gpg.userid = pfx + AT_EXAMPLE
# DSA 1024 key uses SHA-1 as hash but verification would succeed till 2024
+ if sign_key_size == 1024:
+ return
self._encrypt_decrypt(self.gpg, self.rnp)
def do_test_decrypt(self, sign_key_size, enc_key_size):
pfx = EncryptElgamal.key_pfx(sign_key_size, enc_key_size)
self.operation_key_location = tuple((key_path(pfx, False), key_path(pfx, True)))
self.rnp.userid = self.gpg.userid = pfx + AT_EXAMPLE
+ if sign_key_size == 1024:
+ return
self._encrypt_decrypt(self.rnp, self.gpg)
def test_encrypt_P1024_1024(self): self.do_test_encrypt(1024, 1024)
@@ -4878,11 +4882,7 @@ def test_decrypt_P1024_1024(self): self.do_test_decrypt(1024, 1024)
def test_decrypt_P2048_2048(self): self.do_test_decrypt(2048, 2048)
def test_decrypt_P1234_1234(self): self.do_test_decrypt(1234, 1234)
- def test_generate_elgamal_key1024_in_gpg_and_encrypt(self):
- cmd = EncryptElgamal.GPG_GENERATE_DSA_ELGAMAL_PATTERN.format(1024, 1024, self.gpg.userid)
- self.operation_key_gencmd = cmd
- # Will not fail till 2024 since 1024-bit DSA key uses SHA-1 as hash.
- self._encrypt_decrypt(self.gpg, self.rnp)
+ # 1024-bit key generation test was removed since it uses SHA1, which is not allowed for key signatures since Jan 19, 2024.
def test_generate_elgamal_key1536_in_gpg_and_encrypt(self):
cmd = EncryptElgamal.GPG_GENERATE_DSA_ELGAMAL_PATTERN.format(1536, 1536, self.gpg.userid)
diff --git a/src/tests/ffi.cpp b/src/tests/ffi.cpp
index 8f1694d9f..07b778f00 100644
--- a/src/tests/ffi.cpp
+++ b/src/tests/ffi.cpp
@@ -5976,11 +5976,16 @@ TEST_F(rnp_tests, test_ffi_security_profile)
assert_int_equal(flags, 0);
/* SHA1 - now, data verify disabled, key sig verify is enabled */
flags = 0;
- assert_rnp_success(rnp_get_security_rule(
- ffi, RNP_FEATURE_HASH_ALG, "SHA1", time(NULL), &flags, &from, &level));
- assert_int_equal(from, SHA1_DATA_FROM);
+ auto now = time(NULL);
+ bool sha1_cutoff = now > SHA1_KEY_FROM;
+ /* This would pick default rule closer to the date independent on usage */
+ assert_rnp_success(
+ rnp_get_security_rule(ffi, RNP_FEATURE_HASH_ALG, "SHA1", now, &flags, &from, &level));
+ auto expect_from = sha1_cutoff ? SHA1_KEY_FROM : SHA1_DATA_FROM;
+ auto expect_usage = sha1_cutoff ? RNP_SECURITY_VERIFY_KEY : RNP_SECURITY_VERIFY_DATA;
+ assert_int_equal(from, expect_from);
assert_int_equal(level, RNP_SECURITY_INSECURE);
- assert_int_equal(flags, RNP_SECURITY_VERIFY_DATA);
+ assert_int_equal(flags, expect_usage);
flags = 0;
assert_rnp_success(rnp_get_security_rule(
ffi, RNP_FEATURE_HASH_ALG, "SHA1", SHA1_DATA_FROM - 1, &flags, &from, &level));
@@ -5993,11 +5998,14 @@ TEST_F(rnp_tests, test_ffi_security_profile)
assert_int_equal(level, RNP_SECURITY_INSECURE);
assert_int_equal(flags, RNP_SECURITY_VERIFY_DATA);
flags = RNP_SECURITY_VERIFY_KEY;
- assert_rnp_success(rnp_get_security_rule(
- ffi, RNP_FEATURE_HASH_ALG, "SHA1", time(NULL), &flags, &from, &level));
- assert_int_equal(from, 0);
- assert_int_equal(level, RNP_SECURITY_DEFAULT);
- assert_int_equal(flags, 0);
+ assert_rnp_success(
+ rnp_get_security_rule(ffi, RNP_FEATURE_HASH_ALG, "SHA1", now, &flags, &from, &level));
+ expect_from = sha1_cutoff ? SHA1_KEY_FROM : 0;
+ auto expect_level = sha1_cutoff ? RNP_SECURITY_INSECURE : RNP_SECURITY_DEFAULT;
+ expect_usage = sha1_cutoff ? RNP_SECURITY_VERIFY_KEY : 0;
+ assert_int_equal(from, expect_from);
+ assert_int_equal(level, expect_level);
+ assert_int_equal(flags, expect_usage);
flags = RNP_SECURITY_VERIFY_KEY;
assert_rnp_success(rnp_get_security_rule(
ffi, RNP_FEATURE_HASH_ALG, "SHA1", SHA1_KEY_FROM + 5, &flags, &from, &level));
diff --git a/src/tests/key-add-userid.cpp b/src/tests/key-add-userid.cpp
index 5c2a4f71d..edd420573 100644
--- a/src/tests/key-add-userid.cpp
+++ b/src/tests/key-add-userid.cpp
@@ -68,6 +68,8 @@ TEST_F(rnp_tests, test_key_add_userid)
selfsig0.key_flags = 0x2;
selfsig0.key_expiration = base_expiry;
selfsig0.primary = false;
+ auto curtime = global_ctx.time();
+ global_ctx.set_time(curtime > SHA1_KEY_FROM ? SHA1_KEY_FROM - 100 : 0);
key->add_uid_cert(selfsig0, PGP_HASH_SHA1, global_ctx);
// attempt to add sha1-signed uid and make sure it succeeds now and fails after the cutoff
// date in 2024
