[WIP] Add RedHat keyfile-corpus as an external test #15188
base: master
Not sure what's missing in the pkcs12 app. You would just convert the pkcs12 file into the pem file containing certs and keys and then you would just try to find the reference data in the output. Wouldn't that be sufficient?
Although it is not a requirement for this PR and just trying to parse the pkcs12 files is also useful as a test.
I'm not sure there's currently a way to provide separate passwords, e.g. the PKCS#8 key password or separate mac/encrypt passwords using just the command line without getting a prompt for user input. Having '-encpass', '-keypass' and '-macpass' options might be sufficient. I don't think we can cover all possible combinations allowed by PKCS#12 though using just the command line, e.g. separate passwords for each encrypted key. For testing, splitting the file up before processing/decrypting the parts is an option though. I'll take a look at this approach.
Why do you skip the malformed files? Could they be added as negative tests?
@p12_files = grep(!/pass-cipher/, @p12_files); | ||
|
||
# Skip files with an empty password - pkcs12 app cannot handle this | ||
@p12_files = grep(!/pass\(empty/, @p12_files); |
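Review bot: the `pass-cipher` exclusion on the first line has no comment saying why those files are skipped, while the empty-password exclusion right below it does; add one so the reason is traceable from the test itself, and consider keeping such files as expected-failure (negative) cases rather than dropping them from the run.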
It can handle them, use password-newline.txt (created like so: echo > password-newline.txt) as password file.
ok(run(app(["openssl", "pkcs12", | ||
"-noout", | ||
#"-info", | ||
"-in", "kf-$fnum.p12", | ||
"-provider-path=$provider_path", | ||
"-provider", "legacy", | ||
"-provider", "default", | ||
#"-nokeys", NOTE: pkcs12 app does not allow key password as an argument, yet. | ||
"-password", "file:$passfile"])), |
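Review bot: the two commented-out options (`#"-info"` and `#"-nokeys", NOTE: ...`) are dead code inside the argument list; either drop them or move the NOTE into a comment above the `run(app([...]))` call so the reason for not passing a key password stays visible without cluttering the arguments. Note also that with `-noout` the test only proves the file parses; the keys are never decrypted and re-serialised, so failures in that path would go unnoticed.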
I've got good experience by using -info
(easier debugging) and -out /dev/null -nodes
(as some issues didn't manifest themselves without actually trying to re-export the keys) instead of -noout
I've just released version 0.3.0 with files that use SHA512/224, SHA512/256 and SHA-3 in PRF and MAC.
Check that we can read/decode each of the PKCS#12 files in the repo:
https://github.com/redhat-qe-security/keyfile-corpus
The tests run as part of the external test suite. Keyfile-corpus is added as a git submodule which needs to be init'ed before the tests can be run (external test system does this).
Currently there are failures due to:
Also, the tests are not yet comprehensive. They do not:
The above would require either additions to the pkcs12 app or some other means of reading/verifying the files.
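A minimal shell version of the corpus check discussed in this thread, as an added example that is not part of the PR or of OpenSSL's own test code: it uses -info -nodes -out /dev/null (as suggested above) instead of -noout so keys are actually decrypted, feeds the password through a newline-only file for the empty-password case, and treats malformed files as negative tests. The file-name convention (pass(<pw>), pass(empty), malformed) and the default password are assumptions, not the corpus's actual naming.

```shell
#!/bin/sh
# Added example, not from the PR. Assumed corpus naming: the password is
# carried in the file name as "pass(<pw>)", "pass(empty)" means the empty
# password, and names containing "malformed" are expected to fail to parse.
set -u

# Password for a corpus file, derived from the "pass(...)" token in its name.
p12_password() {
    case "$1" in
        *"pass(empty)"*) printf '' ;;
        *"pass("*) printf '%s' "$1" | sed -n 's/.*pass(\([^)]*\)).*/\1/p' ;;
        *) printf 'password' ;;   # assumed default for unlabelled files
    esac
}

# Decode one file. -info/-nodes/-out /dev/null (rather than -noout) forces the
# keys to be decrypted and re-serialised. The password goes through a file so
# that an empty password (file containing only a newline) is accepted.
# On OpenSSL 3, files using legacy PBEs may additionally need
# "-provider legacy -provider default", as the PR's test passes.
p12_decode() {
    pwfile=$(mktemp)
    printf '%s\n' "$(p12_password "$1")" > "$pwfile"
    rc=0
    openssl pkcs12 -info -nodes -in "$1" -out /dev/null \
        -passin "file:$pwfile" >/dev/null 2>&1 || rc=$?
    rm -f "$pwfile"
    return "$rc"
}

# Check every .p12 in a directory; prints one line per file and returns the
# number of unexpected results (0 means the whole corpus behaved as expected).
p12_check_dir() {
    bad=0
    for f in "$1"/*.p12; do
        [ -e "$f" ] || continue
        if p12_decode "$f"; then ok=1; else ok=0; fi
        case "$f" in *malformed*) want=0 ;; *) want=1 ;; esac
        if [ "$ok" -eq "$want" ]; then
            echo "PASS $f"
        else
            echo "FAIL $f"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```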