Skip to content

Commit

Permalink
Update tests to match SHA1 cutoff date for key signatures.
Browse files Browse the repository at this point in the history
  • Loading branch information
ni4 committed Jan 19, 2024
1 parent 86ef400 commit 01ad985
Show file tree
Hide file tree
Showing 3 changed files with 24 additions and 10 deletions.
6 changes: 5 additions & 1 deletion src/tests/cli_tests.py
Original file line number Diff line number Diff line change
Expand Up @@ -4862,12 +4862,16 @@ def do_test_encrypt(self, sign_key_size, enc_key_size):
self.operation_key_location = tuple((key_path(pfx, False), key_path(pfx, True)))
self.rnp.userid = self.gpg.userid = pfx + AT_EXAMPLE
# DSA 1024 key uses SHA-1 as hash but verification would succeed till 2024
if sign_key_size == 1024:
return
self._encrypt_decrypt(self.gpg, self.rnp)

def do_test_decrypt(self, sign_key_size, enc_key_size):
pfx = EncryptElgamal.key_pfx(sign_key_size, enc_key_size)
self.operation_key_location = tuple((key_path(pfx, False), key_path(pfx, True)))
self.rnp.userid = self.gpg.userid = pfx + AT_EXAMPLE
if sign_key_size == 1024:
return
self._encrypt_decrypt(self.rnp, self.gpg)

def test_encrypt_P1024_1024(self): self.do_test_encrypt(1024, 1024)
Expand All @@ -4882,7 +4886,7 @@ def test_generate_elgamal_key1024_in_gpg_and_encrypt(self):
cmd = EncryptElgamal.GPG_GENERATE_DSA_ELGAMAL_PATTERN.format(1024, 1024, self.gpg.userid)
self.operation_key_gencmd = cmd
# Will not fail till 2024 since 1024-bit DSA key uses SHA-1 as hash.
self._encrypt_decrypt(self.gpg, self.rnp)
# self._encrypt_decrypt(self.gpg, self.rnp)

def test_generate_elgamal_key1536_in_gpg_and_encrypt(self):
cmd = EncryptElgamal.GPG_GENERATE_DSA_ELGAMAL_PATTERN.format(1536, 1536, self.gpg.userid)
Expand Down
26 changes: 17 additions & 9 deletions src/tests/ffi.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -5976,11 +5976,16 @@ TEST_F(rnp_tests, test_ffi_security_profile)
assert_int_equal(flags, 0);
/* SHA1 - now, data verify disabled, key sig verify is enabled */
flags = 0;
assert_rnp_success(rnp_get_security_rule(
ffi, RNP_FEATURE_HASH_ALG, "SHA1", time(NULL), &flags, &from, &level));
assert_int_equal(from, SHA1_DATA_FROM);
auto now = time(NULL);
bool sha1_cutoff = now > SHA1_KEY_FROM;
/* This would pick default rule closer to the date independent on usage */
assert_rnp_success(
rnp_get_security_rule(ffi, RNP_FEATURE_HASH_ALG, "SHA1", now, &flags, &from, &level));
auto expect_from = sha1_cutoff ? SHA1_KEY_FROM : SHA1_DATA_FROM;
auto expect_usage = sha1_cutoff ? RNP_SECURITY_VERIFY_KEY : RNP_SECURITY_VERIFY_DATA;
assert_int_equal(from, expect_from);
assert_int_equal(level, RNP_SECURITY_INSECURE);
assert_int_equal(flags, RNP_SECURITY_VERIFY_DATA);
assert_int_equal(flags, expect_usage);
flags = 0;
assert_rnp_success(rnp_get_security_rule(
ffi, RNP_FEATURE_HASH_ALG, "SHA1", SHA1_DATA_FROM - 1, &flags, &from, &level));
Expand All @@ -5993,11 +5998,14 @@ TEST_F(rnp_tests, test_ffi_security_profile)
assert_int_equal(level, RNP_SECURITY_INSECURE);
assert_int_equal(flags, RNP_SECURITY_VERIFY_DATA);
flags = RNP_SECURITY_VERIFY_KEY;
assert_rnp_success(rnp_get_security_rule(
ffi, RNP_FEATURE_HASH_ALG, "SHA1", time(NULL), &flags, &from, &level));
assert_int_equal(from, 0);
assert_int_equal(level, RNP_SECURITY_DEFAULT);
assert_int_equal(flags, 0);
assert_rnp_success(
rnp_get_security_rule(ffi, RNP_FEATURE_HASH_ALG, "SHA1", now, &flags, &from, &level));
expect_from = sha1_cutoff ? SHA1_KEY_FROM : 0;
auto expect_level = sha1_cutoff ? RNP_SECURITY_INSECURE : RNP_SECURITY_DEFAULT;
expect_usage = sha1_cutoff ? RNP_SECURITY_VERIFY_KEY : 0;
assert_int_equal(from, expect_from);
assert_int_equal(level, expect_level);
assert_int_equal(flags, expect_usage);
flags = RNP_SECURITY_VERIFY_KEY;
assert_rnp_success(rnp_get_security_rule(
ffi, RNP_FEATURE_HASH_ALG, "SHA1", SHA1_KEY_FROM + 5, &flags, &from, &level));
Expand Down
2 changes: 2 additions & 0 deletions src/tests/key-add-userid.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,8 @@ TEST_F(rnp_tests, test_key_add_userid)
selfsig0.key_flags = 0x2;
selfsig0.key_expiration = base_expiry;
selfsig0.primary = false;
auto curtime = global_ctx.time();
global_ctx.set_time(curtime > SHA1_KEY_FROM ? SHA1_KEY_FROM - 100 : 0);
key->add_uid_cert(selfsig0, PGP_HASH_SHA1, global_ctx);
// attempt to add sha1-signed uid and make sure it succeeds now and fails after the cutoff
// date in 2024
Expand Down

0 comments on commit 01ad985

Please sign in to comment.