[WIP] Add RedHat keyfile-corpus as an external test #15188
Conversation
Not sure what's missing in the pkcs12 app. You would just convert the pkcs12 file into the pem file containing certs and keys and then you would just try to find the reference data in the output. Wouldn't that be sufficient? |
|
Although it is not a requirement for this PR and just trying to parse the pkcs12 files is also useful as a test. |
I'm not sure there's currently a way to provide separate passwords, e.g. the PKCS#8 key password or separate mac/encrypt passwords using just the command line without getting a prompt for user input. Having '-encpass', '-keypass' and '-macpass' options might be sufficient. I don't think we can cover all possible combinations allowed by PKCS#12 though using just the command line, e.g. separate passwords for each encrypted key. For testing, splitting the file up before processing/decrypting the parts is an option though. I'll take a look at this approach. |
|
Why do you skip the malformed files.. Could they be added as negative tests? |
| @p12_files = grep(!/pass-cipher/, @p12_files); | ||
|
|
||
| # Skip files with an empty password - pkcs12 app cannot handle this | ||
| @p12_files = grep(!/pass\(empty/, @p12_files); |
There was a problem hiding this comment.
it can handle them, use password-newline.txt created like so: echo > password-newline.txt as password file
| ok(run(app(["openssl", "pkcs12", | ||
| "-noout", | ||
| #"-info", | ||
| "-in", "kf-$fnum.p12", | ||
| "-provider-path=$provider_path", | ||
| "-provider", "legacy", | ||
| "-provider", "default", | ||
| #"-nokeys", NOTE: pkcs12 app does not allow key password as an argument, yet. | ||
| "-password", "file:$passfile"])), |
There was a problem hiding this comment.
I've got good experience by using -info (easier debugging) and -out /dev/null -nodes (as some issues didn't manifest themselves without actually trying to re-export the keys) instead of -noout
|
I've just released version 0.3.0 with files that use SHA512/224, SHA512/256 and SHA-3 in PRF and MAC |
t8m
added
branch: master
Check that we can read/decode each of the PKCS#12 files in the repo:
https://github.com/redhat-qe-security/keyfile-corpus
The tests run as part of the external test suite. Keyfile-corpus is added as a git submodule which needs to be init'ed before the tests can be run (external test system does this).
Currently there are failures due to:
Also, the tests are not yet comprehensive. They do not:
The above would require either additions to the pkcs12 app or some other means of reading/verifying the files.