On 06/03/23 5:06 pm, Mimi Zohar wrote:
On systems with OpenSSL sha1 disabled, the sign-verify.test fails:

- openssl dgst -sha1 sha1.txt
- openssl dgst -sha1 -sign test-rsa1024.key -hex sha1.txt
Error setting context
804BD5CF787F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:343:
sha1 (test-rsa1024.key) test is skipped (openssl is unable to sign)

Instead of enabling sha1 support on these systems by setting the environment variable OPENSSL_ENABLE_SHA1_SIGNATURES, generate a sha256 certificate.

Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>

Tested-by: Nageswara R Sastry <rnsastry@xxxxxxxxxxxxx>

...
PASS: ima_hash.test
PASS: sign_verify.test
PASS: boot_aggregate.test
SKIP: fsverity.test
SKIP: portable_signatures.test
PASS: ima_policy_check.test
SKIP: mmap_check.test
...
--- tests/gen-keys.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh index 1a6c22a2f3c4..8905cdf2d216 100755 --- a/tests/gen-keys.sh +++ b/tests/gen-keys.sh @@ -71,7 +71,7 @@ for m in 1024 1024_skid 2048; do ext= fi if [ ! -e test-rsa$m.key ]; then - log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 $ext \ + log openssl req -verbose -new -nodes -utf8 -sha256 -days 10000 -batch -x509 $ext \ -config test-ca.conf \ -newkey rsa:$bits \ -out test-rsa$m.cer -outform DER \ @@ -93,7 +93,7 @@ for curve in prime192v1 prime256v1; do continue fi if [ ! -e test-$curve.key ]; then - log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 \ + log openssl req -verbose -new -nodes -utf8 -sha256 -days 10000 -batch -x509 \ -config test-ca.conf \ -newkey ec \ -pkeyopt ec_paramgen_curve:$curve \
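Review bot: in the first hunk (the `for m in 1024 1024_skid 2048` loop), the `-sha256` switch sits behind the `if [ ! -e test-rsa$m.key ]` guard, so it only takes effect when the key file is absent. A tree that still holds test-rsa$m.key and test-rsa$m.cer from an earlier run keeps its sha1-signed certificate unless something outside the visible lines removes them. It would help to say in the commit message that existing test keys have to be regenerated, or to have the script check the signature algorithm of an existing certificate and recreate it when it is sha1.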
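Review bot: in the second hunk (the `for curve in prime192v1 prime256v1` loop), the digest is hard-coded as `-sha256` in the `openssl req` command, duplicating the literal already used in the RSA loop. Consider a single shell variable set once near the top of gen-keys.sh and used in both invocations, with a short comment noting that sha1 is avoided because it may be disabled in OpenSSL, so the next digest change is a one-line edit and the reason is recorded next to the code.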
--
Thanks and Regards
R.Nageswara Sastry