From c1f78634ec3927ddcfdc4687bc6e408c658a0ece Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 5 Oct 2023 10:02:59 +0200 Subject: sm: Improve the octet string cramming for pkcs#12 * sm/minip12.c (need_octet_string_cramming): New. (tlv_expect_object, tlv_expect_octet_string): Run the test before cramming. * sm/minip12.c (ENABLE_DER_STRUCT_DUMPING): New but undefined macro for debug purposes. (bag_decrypted_data_p, bag_data_p): Use macro to allow dumping. -- This bug was exhibited by importing a gpgsm exported EC certificate. We use an extra test instead of retrying to allow retruning an error from malloc failure. And well, for easier reading of the code. GnuPG-bug-id: 6536 --- tests/cms/Makefile.am | 1 + tests/cms/samplekeys/Description-p12 | 10 ++++++++++ tests/cms/samplekeys/edward.tester@demo.gnupg.com.p12 | Bin 0 -> 1561 bytes 3 files changed, 11 insertions(+) create mode 100644 tests/cms/samplekeys/edward.tester@demo.gnupg.com.p12 (limited to 'tests') diff --git a/tests/cms/Makefile.am b/tests/cms/Makefile.am index 7efdf37b1..d5d753902 100644 --- a/tests/cms/Makefile.am +++ b/tests/cms/Makefile.am @@ -99,6 +99,7 @@ EXTRA_DIST = $(XTESTS) $(KEYS) $(CERTS) $(TEST_FILES) \ samplekeys/opensc-test.p12 \ samplekeys/t5793-openssl.pfx \ samplekeys/t5793-test.pfx \ + samplekeys/edward.tester@demo.gnupg.com.p12 \ samplemsgs/pwri-sample.cbc.p7m \ samplemsgs/pwri-sample.cbc-2.p7m \ samplemsgs/pwri-sample.gcm.p7m \ diff --git a/tests/cms/samplekeys/Description-p12 b/tests/cms/samplekeys/Description-p12 index f882de9ea..6fbbd82cf 100644 --- a/tests/cms/samplekeys/Description-p12 +++ b/tests/cms/samplekeys/Description-p12 @@ -1,4 +1,6 @@ # Description-p12 - Machine readable description of our P12 test vectors +# The Cert line gives the SHA1 fingerprint of the certificate +# The Key line gives a hash of the key parameters as returned by minip12.c Name: ov-user.p12 Desc: Private test key from www.openvalidation.org 
@@ -30,3 +32,11 @@ Desc: QuaVadis format of t5793-openssl Pass: test Cert: 80348a438e4b803b99e708da0b7fdd0659dedd15 Key: c271e44ab4fb19ca1aae71102ea4d7292ccc981d + +Name: edward.tester@demo.gnupg.com.p12 +Desc: GnuPG exported Brainpool certificate +Pass: abc,123456 +Cert: ff810b9281a43c394aa138e9c7fd4c0193216fa6 +Key: 94c6d0b067370a8f2a09ae43cfe8d700bbd61e75 + +# eof # diff --git a/tests/cms/samplekeys/edward.tester@demo.gnupg.com.p12 b/tests/cms/samplekeys/edward.tester@demo.gnupg.com.p12 new file mode 100644 index 000000000..a6f983780 Binary files /dev/null and b/tests/cms/samplekeys/edward.tester@demo.gnupg.com.p12 differ -- cgit v1.2.3 From d17efdcd6f755f13c9ff9b7a3127c13496ab7055 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Tue, 3 Oct 2023 11:53:00 +0900 Subject: tests:tpm2dtests: Fix tests with TPM2D. * tests/tpm2dtests/Makefile.am (TESTS_ENVIRONMENT): Fix. * tests/tpm2dtests/all-tests.scm: Follow the change of gpgscm. * tests/tpm2dtests/run-tests.scm: Likewise. -- Cherry-picked from master commit of: 321f9c0a3f2873cb3007e2bc2a542bbd0b2cc974 GnuPG-bug-id: 6052 Signed-off-by: NIIBE Yutaka --- tests/tpm2dtests/Makefile.am | 4 ++-- tests/tpm2dtests/all-tests.scm | 21 ++++++++++++--------- tests/tpm2dtests/run-tests.scm | 2 ++ 3 files changed, 16 insertions(+), 11 deletions(-) (limited to 'tests') diff --git a/tests/tpm2dtests/Makefile.am b/tests/tpm2dtests/Makefile.am index 72ad11d9b..6048d201c 100644 --- a/tests/tpm2dtests/Makefile.am +++ b/tests/tpm2dtests/Makefile.am @@ -34,10 +34,10 @@ TESTS_ENVIRONMENT = LC_ALL=C \ PATH="../gpgscm:$(PATH)" \ abs_top_srcdir="$(abs_top_srcdir)" \ objdir="$(abs_top_builddir)" \ - TPMSERVER="$(TPMSERVER)" \ + TPMSERVER="$(TPMSERVER)" TSSSTARTUP="$(TSSSTARTUP)" \ SWTPM="$(SWTPM)" \ SWTPM_IOCTL="$(SWTPM_IOCTL)" \ - GNUPG_BUILD_ROOT="$(abs_top_builddir)/tests" \ + GNUPG_BUILD_ROOT="$(abs_top_builddir)" \ GNUPG_IN_TEST_SUITE=fact \ GPGSCM_PATH="$(abs_top_srcdir)/tests/gpgscm" 
diff --git a/tests/tpm2dtests/all-tests.scm b/tests/tpm2dtests/all-tests.scm index bf7a981ca..8934f01f2 100644 --- a/tests/tpm2dtests/all-tests.scm +++ b/tests/tpm2dtests/all-tests.scm @@ -30,8 +30,9 @@ (make-environment-cache (test::scm #f - (path-join "tests" "openpgp" "setup.scm") - (in-srcdir "tests" "openpgp" "setup.scm")))) + #f + (path-join "tests" "tpm2dtests" "setup.scm") + (in-srcdir "tests" "tpm2dtests" "setup.scm")))) (define (qualify path variant) (string-append "<" variant ">" path)) @@ -40,8 +41,9 @@ (make-environment-cache (test::scm #f - (qualify (path-join "tests" "openpgp" "setup.scm") variant) - (in-srcdir "tests" "openpgp" "setup.scm") + variant + (path-join "tests" "tpm2dtests" "setup.scm") + (in-srcdir "tests" "tpm2dtests" "setup.scm") (string-append "--" variant)))) (define setup-use-keyring (setup* "use-keyring")) @@ -55,7 +57,8 @@ (define tests (map (lambda (name) (test::scm setup - (qualify (path-join "tests" "tpm2dtests" name) "standard") + "standards" + (path-join "tests" "tpm2dtests" name) (in-srcdir "tests" "tpm2dtests" name))) all-tests)) (when *run-all-tests* @@ -65,15 +68,15 @@ ;; The second pass uses the keyboxd (map (lambda (name) (test::scm setup-use-keyboxd - (qualify (path-join "tests" "tpm2dtests" name) - "keyboxd") + "keyboxd" + (path-join "tests" "tpm2dtests" name) (in-srcdir "tests" "tpm2dtests" name) "--use-keyboxd")) all-tests) ;; The third pass uses the legact pubring.gpg (map (lambda (name) (test::scm setup-use-keyring - (qualify (path-join "tests" "tpm2dtests" name) - "keyring") + "keyring" + (path-join "tests" "tpm2dtests" name) (in-srcdir "tests" "tpm2dtests" name) "--use-keyring")) all-tests) ))) diff --git a/tests/tpm2dtests/run-tests.scm b/tests/tpm2dtests/run-tests.scm index fdf1859a8..638d3a8a1 100644 --- a/tests/tpm2dtests/run-tests.scm +++ b/tests/tpm2dtests/run-tests.scm 
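Review bot: The first-pass `test::scm` call in the `(define tests` hunk now passes the variant label `"standards"`, while the line it replaces qualified the name with `"standard"`; unless the plural is intended, this looks like a typo and I would write `"standard"`. Since every `(qualify ...)` call is removed by these hunks, the `qualify` helper kept as context appears to have no caller left in the visible code and could probably be dropped, though other uses may exist outside the hunks. The new second argument is passed as `#f` in one place and as a string in others, so a one-line comment at the first call, e.g. `;; second argument: variant label or #f`, would make the changed calling convention easier to follow.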
@@ -29,6 +29,7 @@ (define setup (make-environment-cache (test::scm #f + #f (path-join "tests" "tpm2dtests" "setup.scm") (in-srcdir "tests" "tpm2dtests" "setup.scm")))) @@ -38,6 +39,7 @@ (load-tests "tests" "tpm2dtests") (map (lambda (name) (test::scm setup + #f (path-join "tests" "tpm2dtests" name) (in-srcdir "tests" "tpm2dtests" name) "--use-keyring")) tests))) -- cgit v1.2.3 From 0e200f2187e005d8c52d8efb5ef89e4709eabcc1 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Wed, 4 Oct 2023 18:30:33 +0900 Subject: tests:tpm2dtests: Fix tests with SWTPM. * configure.ac (TEST_LIBTSS): Fix the condition with SWTPM. * tests/tpm2dtests/start_sw_tpm.sh: Use --daemon and --pid to run SWTPM. -- Cherry-picked from master commit of: 98dd6f7af6aa3dcce19f20c22e3f825676e6b184 GnuPG-bug-id: 6052 Signed-off-by: NIIBE Yutaka --- tests/tpm2dtests/start_sw_tpm.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'tests') diff --git a/tests/tpm2dtests/start_sw_tpm.sh b/tests/tpm2dtests/start_sw_tpm.sh index 36e1a806e..fc86801e2 100755 --- a/tests/tpm2dtests/start_sw_tpm.sh +++ b/tests/tpm2dtests/start_sw_tpm.sh @@ -3,12 +3,15 @@ # remove any prior TPM contents rm -f NVChip h*.bin *.permall if [ -x "${SWTPM}" ]; then - ${SWTPM} socket --tpm2 --server type=tcp,port=2321 \ - --ctrl type=tcp,port=2322 --tpmstate dir=`pwd` & + ${SWTPM} socket --tpm2 --daemon \ + --pid file=swtpm.pid \ + --server type=tcp,port=2321 \ + --ctrl type=tcp,port=2322 --tpmstate dir=`pwd` + pid=$(cat swtpm.pid) else ${TPMSERVER} > /dev/null 2>&1 & + pid=$! fi -pid=$! ## # This powers on the tpm and starts it # then we derive the RSA version of the storage seed and -- cgit v1.2.3 From 9353dc811a04cf47f2445bb1e1f0401ea5f3d044 Mon Sep 17 00:00:00 2001 
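Review bot: In the start_sw_tpm.sh hunk, `pid=$(cat swtpm.pid)` trusts whatever pid file happens to be in the working directory: the cleanup line `rm -f NVChip h*.bin *.permall` does not remove `swtpm.pid`, and the exit status of the `${SWTPM} socket ... --daemon` command is not checked. If swtpm fails to start, for example because port 2321 or 2322 is already bound, a pid left over from an earlier run is read and handed on, and whatever later uses it to stop the emulator could signal an unrelated process. I would extend the cleanup to `rm -f NVChip h*.bin *.permall swtpm.pid` and append `|| exit 1` to the last line of the swtpm command. The later hunk on this file that turns the line into `cat swtpm.pid` keeps the same pattern, and the script continues outside this hunk.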
From: NIIBE Yutaka Date: Thu, 5 Oct 2023 10:21:35 +0900 Subject: tests:tpm2dtests: Modify tests with SWTPM and relax the condition. * configure.ac (SWTPM_IOCTL): Remove. (TEST_LIBTSS): Fix the condition. * tests/tpm2dtests/Makefile.am (TESTS_ENVIRONMENT): Remove SWTPM_IOCTL. * tests/tpm2dtests/start_sw_tpm.sh: Add --flags to invoke SWTPM, not requiring SWTPM_IOCTL and TSSSTARTUP any more. -- Cherry-picked from master commit of: 227b3b14f4be2f33ed721818c2186e7fca4cebdf GnuPG-bug-id: 6052 Signed-off-by: NIIBE Yutaka --- tests/tpm2dtests/Makefile.am | 1 - tests/tpm2dtests/start_sw_tpm.sh | 55 ++++++++++++++++++++-------------------- 2 files changed, 27 insertions(+), 29 deletions(-) (limited to 'tests') diff --git a/tests/tpm2dtests/Makefile.am b/tests/tpm2dtests/Makefile.am index 6048d201c..ceaf56420 100644 --- a/tests/tpm2dtests/Makefile.am +++ b/tests/tpm2dtests/Makefile.am @@ -36,7 +36,6 @@ TESTS_ENVIRONMENT = LC_ALL=C \ objdir="$(abs_top_builddir)" \ TPMSERVER="$(TPMSERVER)" TSSSTARTUP="$(TSSSTARTUP)" \ SWTPM="$(SWTPM)" \ - SWTPM_IOCTL="$(SWTPM_IOCTL)" \ GNUPG_BUILD_ROOT="$(abs_top_builddir)" \ GNUPG_IN_TEST_SUITE=fact \ GPGSCM_PATH="$(abs_top_srcdir)/tests/gpgscm" diff --git a/tests/tpm2dtests/start_sw_tpm.sh b/tests/tpm2dtests/start_sw_tpm.sh index fc86801e2..a44833e28 100755 --- a/tests/tpm2dtests/start_sw_tpm.sh +++ b/tests/tpm2dtests/start_sw_tpm.sh 
@@ -3,36 +3,35 @@ # remove any prior TPM contents rm -f NVChip h*.bin *.permall if [ -x "${SWTPM}" ]; then - ${SWTPM} socket --tpm2 --daemon \ - --pid file=swtpm.pid \ - --server type=tcp,port=2321 \ - --ctrl type=tcp,port=2322 --tpmstate dir=`pwd` - pid=$(cat swtpm.pid) + ${SWTPM} socket --tpm2 --daemon \ + --pid file=swtpm.pid \ + --server type=tcp,port=2321 \ + --ctrl type=tcp,port=2322 \ + --flags not-need-init,startup-clear \ + --tpmstate dir=`pwd` + cat swtpm.pid else ${TPMSERVER} > /dev/null 2>&1 & pid=$! -fi -## -# This powers on the tpm and starts it -# then we derive the RSA version of the storage seed and -# store it permanently at handle 81000001 and flush the transient -## -a=0; while [ $a -lt 10 ]; do - if [ -x "${SWTPM_IOCTL}" ]; then - ${SWTPM_IOCTL} --tcp 127.0.0.1:2322 -i > /dev/null 2>&1 - else - tsspowerup > /dev/null 2>&1 - fi - if [ $? -eq 0 ]; then - break; + ## + # This powers on the tpm and starts it + # then we derive the RSA version of the storage seed and + # store it permanently at handle 81000001 and flush the transient + ## + a=0 + while [ $a -lt 10 ]; do + tsspowerup > /dev/null 2>&1 + if [ $? -eq 0 ]; then + break; + fi + sleep 1 + a=$[$a+1] + done + if [ $a -eq 10 ]; then + echo "Waited 10s for tpm_server to come up; exiting" + exit 1 fi - sleep 1 - a=$[$a+1] -done -if [ $a -eq 10 ]; then - echo "Waited 10s for tpm_server to come up; exiting" - exit 1 -fi -tssstartup || exit 1 -echo -n $pid + ${TSSSTARTUP} || exit 1 + echo -n $pid +fi -- cgit v1.2.3 From 24b3a5a5794db4bb69b38a1df099d5e59cccf2b3 Mon Sep 17 00:00:00 2001 
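Review bot: `${TSSSTARTUP} || exit 1` replaces the literal `tssstartup` call, so when the variable is empty or unset the line expands to no command, returns success, and the TPM startup step is silently skipped in the `${TPMSERVER}` branch. Falling back to the old name keeps the previous behaviour: `"${TSSSTARTUP:-tssstartup}" || exit 1`. In the same branch `a=$[$a+1]` is the obsolete bash arithmetic form and `echo -n` is not portable; `a=$((a+1))` and `printf '%s' "$pid"` behave the same in any POSIX shell, which matters if the interpreter line (outside this hunk) is plain sh.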
From: Werner Koch Date: Fri, 6 Oct 2023 10:57:12 +0200 Subject: sm: Support more HMAC algos in the pkcs#12 parser. * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/cms/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/cms/samplekeys/Description-p12: Add this one. * tests/cms/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536 --- tests/cms/Makefile.am | 1 + tests/cms/samplekeys/Description-p12 | 6 ++++++ tests/cms/samplekeys/nistp256-openssl-self-signed.p12 | Bin 0 -> 1232 bytes 3 files changed, 7 insertions(+) create mode 100644 tests/cms/samplekeys/nistp256-openssl-self-signed.p12 (limited to 'tests') diff --git a/tests/cms/Makefile.am b/tests/cms/Makefile.am index d5d753902..b43fb1c91 100644 --- a/tests/cms/Makefile.am +++ b/tests/cms/Makefile.am @@ -100,6 +100,7 @@ EXTRA_DIST = $(XTESTS) $(KEYS) $(CERTS) $(TEST_FILES) \ samplekeys/t5793-openssl.pfx \ samplekeys/t5793-test.pfx \ samplekeys/edward.tester@demo.gnupg.com.p12 \ + samplekeys/nistp256-openssl-self-signed.p12 \ samplemsgs/pwri-sample.cbc.p7m \ samplemsgs/pwri-sample.cbc-2.p7m \ samplemsgs/pwri-sample.gcm.p7m \ diff --git a/tests/cms/samplekeys/Description-p12 b/tests/cms/samplekeys/Description-p12 index 6fbbd82cf..a73998fac 100644 --- a/tests/cms/samplekeys/Description-p12 +++ b/tests/cms/samplekeys/Description-p12 
@@ -39,4 +39,10 @@ Pass: abc,123456 Cert: ff810b9281a43c394aa138e9c7fd4c0193216fa6 Key: 94c6d0b067370a8f2a09ae43cfe8d700bbd61e75 +Name: nistp256-openssl-self-signed.p12 +Desc: OpenSSL generated self-signed nistp256 key+cert +Pass: abc +Cert: 5cea0c5bf09ccd92535267c662fc098f6c81c27e +Key: 3cb2fba95d1976df69eb7aa8c65ac5354e15af32 + # eof # diff --git a/tests/cms/samplekeys/nistp256-openssl-self-signed.p12 b/tests/cms/samplekeys/nistp256-openssl-self-signed.p12 new file mode 100644 index 000000000..9eeebdae3 Binary files /dev/null and b/tests/cms/samplekeys/nistp256-openssl-self-signed.p12 differ -- cgit v1.2.3 From 7661d2fbc6eb533016df63a86ec3e35bf00cfb1f Mon Sep 17 00:00:00 2001 
From: Werner Koch Date: Tue, 24 Oct 2023 09:22:13 +0200 Subject: sm: Another partly rewrite of minip12.c * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/cms/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/cms/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless of whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752 --- tests/cms/samplekeys/Description-p12 | 6 ++++++ tests/cms/samplekeys/t6752-ov-user-ff.p12 | Bin 0 -> 2323 bytes 2 files changed, 6 insertions(+) create mode 100644 tests/cms/samplekeys/t6752-ov-user-ff.p12 (limited to 'tests') diff --git a/tests/cms/samplekeys/Description-p12 b/tests/cms/samplekeys/Description-p12 index a73998fac..01276087f 100644
--- a/tests/cms/samplekeys/Description-p12 +++ b/tests/cms/samplekeys/Description-p12 @@ -45,4 +45,10 @@ Pass: abc Cert: 5cea0c5bf09ccd92535267c662fc098f6c81c27e Key: 3cb2fba95d1976df69eb7aa8c65ac5354e15af32 +Name: t6752-ov-user-ff.p12 +Desc: Mozilla generated with a surplus octet string container +Pass: start +Cert: 4753a910e0c8b4caa8663ca0e4273a884eb5397d +Key: 93be89edd11214ab74280d988a665b6beef876c5 + # eof # diff --git a/tests/cms/samplekeys/t6752-ov-user-ff.p12 b/tests/cms/samplekeys/t6752-ov-user-ff.p12 new file mode 100644 index 000000000..153ffb000 Binary files /dev/null and b/tests/cms/samplekeys/t6752-ov-user-ff.p12 differ -- cgit v1.2.3