From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.2 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E93E8C76190 for ; Thu, 25 Jul 2019 21:58:47 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id B130E22BF5 for ; Thu, 25 Jul 2019 21:58:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726766AbfGYV6r (ORCPT ); Thu, 25 Jul 2019 17:58:47 -0400 Received: from mx1.redhat.com ([209.132.183.28]:45374 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726380AbfGYV6q (ORCPT ); Thu, 25 Jul 2019 17:58:46 -0400 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 2F643C04959E; Thu, 25 Jul 2019 21:58:46 +0000 (UTC) Received: from localhost (ovpn-116-52.gru2.redhat.com [10.97.116.52]) by smtp.corp.redhat.com (Postfix) with ESMTP id 3933F1001B33; Thu, 25 Jul 2019 21:58:44 +0000 (UTC) Date: Thu, 25 Jul 2019 18:58:43 -0300 From: "Bruno E. O. Meneguele" To: Vitaly Chikunov Cc: Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org Subject: Re: [RFC PATCH] ima-evm-utils: Add some tests for evmctl Message-ID: <20190725215843.GP6134@rhlt> References: <20190725061855.3734-1-vt@altlinux.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="/DkgDsqJFFamjKX0" Content-Disposition: inline In-Reply-To: <20190725061855.3734-1-vt@altlinux.org> X-PGP-Key: http://keys.gnupg.net/pks/lookup?op=get&search=0x3823031E4660608D User-Agent: Mutt/1.12.0 (2019-05-25) X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Thu, 25 Jul 2019 21:58:46 +0000 (UTC) Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org --/DkgDsqJFFamjKX0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jul 25, 2019 at 09:18:55AM +0300, Vitaly Chikunov wrote: > Run `make check' to execute the tests. > Currently only ima_hash, ima_sign (v2), and ima_verify are tested. >=20 > Signed-off-by: Vitaly Chikunov > --- > Makefile.am | 2 +- > configure.ac | 1 + > tests/Makefile.am | 14 ++++ > tests/functions | 135 ++++++++++++++++++++++++++++++++++++ > tests/gen-keys.sh | 75 ++++++++++++++++++++ > tests/ima_hash.test | 84 +++++++++++++++++++++++ > tests/ima_sign.test | 186 ++++++++++++++++++++++++++++++++++++++++++++= ++++++ > tests/ima_verify.test | 79 +++++++++++++++++++++ > 8 files changed, 575 insertions(+), 1 deletion(-) > create mode 100644 tests/Makefile.am > create mode 100755 tests/functions > create mode 100755 tests/gen-keys.sh > create mode 100755 tests/ima_hash.test > create mode 100755 tests/ima_sign.test > create mode 100755 tests/ima_verify.test >=20 > diff --git a/Makefile.am b/Makefile.am > index dba408d..45c6f82 100644 > --- a/Makefile.am > +++ b/Makefile.am > @@ -1,4 +1,4 @@ > -SUBDIRS =3D src > +SUBDIRS =3D src tests > dist_man_MANS =3D evmctl.1 > =20 > doc_DATA =3D examples/ima-genkey-self.sh examples/ima-genkey.sh example= s/ima-gen-local-ca.sh > diff --git a/configure.ac b/configure.ac > index 3fc63b3..dccdd92 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -67,6 +67,7 @@ EVMCTL_MANPAGE_DOCBOOK_XSL > =20 > AC_CONFIG_FILES([Makefile > src/Makefile > + tests/Makefile > packaging/ima-evm-utils.spec > ]) > AC_OUTPUT > diff --git a/tests/Makefile.am b/tests/Makefile.am > new file mode 100644 > index 0000000..8c6256c > --- /dev/null > +++ b/tests/Makefile.am > @@ -0,0 +1,14 @@ > +check_SCRIPTS =3D > +TESTS =3D $(check_SCRIPTS) > + > +check_SCRIPTS +=3D ima_hash.test ima_verify.test ima_sign.test > + > +# ima_verify depends on results of ima_hash > +ima_verify.log: ima_sign.log Small nit: comment and code don't match, ima_hash vs ima_sign :).=20 Maybe: -# ima_verify depends on results of ima_hash +# ima_verify depends on results of ima_sign > + > +clean-local: > + -rm -f *.txt *.out *.sig *.sig2 > +distclean: distclean-keys > +.PHONY: distclean-keys > +distclean-keys: > + -rm -f *.pub *.key *.cer > diff --git a/tests/functions b/tests/functions > new file mode 100755 > index 0000000..7ad6c7c > --- /dev/null > +++ b/tests/functions > @@ -0,0 +1,135 @@ > +#!/bin/bash > +# > +# ima-evm-utils tests bash functions > +# > +# Copyright (C) 2019 Vitaly Chikunov > +# > +# This program is free software; you can redistribute it and/or modify > +# it under the terms of the GNU General Public License as published by > +# the Free Software Foundation; either version 2, or (at your option) > +# any later version. > +# > +# This program is distributed in the hope that it will be useful, > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +# GNU General Public License for more details. > + > +declare -i pass=3D0 fail=3D0 skip=3D0 > + > +_require() { > + RET=3D > + for i; do > + if ! type $i; then > + echo "$i is required for test" > + RET=3D1 > + fi > + done > + [ $RET ] && exit 99 > +} > + > +if tty -s; then > + RED=3D$'\e[1;31m' > + YELLOW=3D$'\e[1;33m' > + BLUE=3D$'\e[1;34m' > + NORM=3D$'\e[m' > +fi > + > +# Define EXITEARLY to exit testing on the first error. > +exit_early() { > + if [ $EXITEARLY ]; then > + exit $1 > + fi > +} > + > +# Defaults > +MODE=3D+ > +HOWFAILED=3D > +pos() { > + MODE=3D+ > + HOWFAILED=3D > + eval "$@" > + case $? in > + 0) pass+=3D1 ;; > + 77) skip+=3D1 ;; > + 99) fail+=3D1; exit_early 1 ;; > + *) fail+=3D1; exit_early 2 ;; > + esac > +} > + > +neg() { > + MODE=3D- > + HOWFAILED=3Dproperly > + eval "$@" > + case $? in > + 0) fail+=3D1; exit_early 3 ;; > + 77) skip+=3D1 ;; > + 99) fail+=3D1; exit_early 4 ;; > + *) pass+=3D1 ;; > + esac > +# Restore defaults > + MODE=3D+ > + HOWFAILED=3D > +} > + > +_ispos() { > + [ -z "$HOWFAILED" ] > +} > + > +_isneg() { > + [ "$HOWFAILED" ] > +} > + > +red_if_pos() { > + _ispos && echo $@ $RED > +} > + > +norm_if_pos() { > + _ispos && echo $@ $NORM > +} > + > +_evmctl_catch() { > + local ret=3D$1 out=3D$2 cmd=3D$3 for=3D$4 del=3D${@:5} > + > + if [ $ret -gt 128 -a $ret -lt 255 ]; then > + echo $RED > + echo "evmctl $cmd failed hard with $ret for $for" > + sed 's/^/ /' $out > + echo $NORM > + rm -f $out $del > + return 99 > + elif [ $ret -gt 0 ]; then > + red_if_pos > + echo "evmctl $cmd failed" $HOWFAILED "with $ret for $for" > + sed 's/^/ /' $out > + norm_if_pos > + rm -f $out $del > + return 1 > + elif [ -n "$HOWFAILED" ]; then > + echo $RED > + echo "evmctl $cmd wrongly succeeded for $for" > + sed 's/^/ /' $out > + echo $NORM > + fi > + rm -f $out > + return 0 > +} > + > +_enable_gost_engine() { > + # Do not enable if it already enabled by user > + if ! openssl md_gost12_256 /dev/null >/dev/null 2>&1 \ > + && openssl engine gost >/dev/null 2>&1; then > + ENGINE=3Dgost > + fi > +} > + > +_report_exit() { > + echo "PASS: $pass SKIP: $skip FAIL: $fail" > + if [ $fail -gt 0 ]; then > + exit 1 > + elif [ $pass -gt 0 ]; then > + exit 0 > + else > + exit 77 > + fi > +} > + > diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh > new file mode 100755 > index 0000000..c4073a2 > --- /dev/null > +++ b/tests/gen-keys.sh > @@ -0,0 +1,75 @@ > +#!/bin/bash > +# > +# Generate keys for the tests > +# > +# Copyright (C) 2019 Vitaly Chikunov > +# > +# This program is free software; you can redistribute it and/or modify > +# it under the terms of the GNU General Public License as published by > +# the Free Software Foundation; either version 2, or (at your option) > +# any later version. > +# > +# This program is distributed in the hope that it will be useful, > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +# GNU General Public License for more details. > + > +cd $(dirname $0) > +PATH=3D../src:$PATH > +type openssl > + > +log() { > + echo - "$*" > + eval "$@" > +} > + > +if [ ! -e test-ca.conf ]; then > +cat > test-ca.conf <<- EOF > + [ req ] > + distinguished_name =3D req_distinguished_name > + prompt =3D no > + string_mask =3D utf8only > + x509_extensions =3D v3_ca > + > + [ req_distinguished_name ] > + O =3D IMA-CA > + CN =3D IMA/EVM certificate signing key > + emailAddress =3D ca@ima-ca > + > + [ v3_ca ] > + basicConstraints=3DCA:TRUE > + subjectKeyIdentifier=3Dhash > + authorityKeyIdentifier=3Dkeyid:always,issuer > +EOF > +fi > + > +# RSA > +# Second key will be used for wrong key tests. > +for m in 1024 2048; do > + if [ ! -e test-rsa$m.key ]; then > + log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch = -x509 \ > + -config test-ca.conf \ > + -newkey rsa:$m \ > + -out test-rsa$m.cer -outform DER \ > + -keyout test-rsa$m.key > + fi > +done > + > +# EC-RDSA > +for m in \ > + gost2012_256:A \ > + gost2012_256:B \ > + gost2012_256:C \ > + gost2012_512:A \ > + gost2012_512:B; do > + IFS=3D':' read -r algo param <<< "$m" > + [ -e test-$algo-$param.key ] && continue > + log openssl req -nodes -x509 -utf8 -days 10000 -batch \ > + -config test-ca.conf \ > + -newkey $algo \ > + -pkeyopt paramset:$param \ > + -out test-$algo-$param.cer -outform DER \ > + -keyout test-$algo-$param.key > + log openssl pkey -in test-$algo-$param.key -out test-$algo-$param.pu= b -pubout > +done > + > diff --git a/tests/ima_hash.test b/tests/ima_hash.test > new file mode 100755 > index 0000000..cf4af57 > --- /dev/null > +++ b/tests/ima_hash.test > @@ -0,0 +1,84 @@ > +#!/bin/bash > +# > +# evmctl ima_hash tests > +# > +# Copyright (C) 2019 Vitaly Chikunov > +# > +# This program is free software; you can redistribute it and/or modify > +# it under the terms of the GNU General Public License as published by > +# the Free Software Foundation; either version 2, or (at your option) > +# any later version. > +# > +# This program is distributed in the hope that it will be useful, > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +# GNU General Public License for more details. > + > +cd $(dirname $0) > +PATH=3D../src:$PATH > +source ./functions > +_require evmctl openssl > + > +# Check with constant > +check_const() { > + local a=3D$1 p=3D$2 h=3D$3 f=3D$4 > + > + cmd=3D(evmctl ima_hash -v ${ENGINE:+--engine $ENGINE} -a $a --xattr-us= er $f) > + echo $YELLOW$MODE "${cmd[@]}" $NORM > + eval "${cmd[@]}" >$a.out 2>&1 > + _evmctl_catch $? $a.out ima_hash $a $f || return > + > + if ! getfattr -n user.ima -e hex $f | grep -qx user.ima=3D$p$h; then > + red_if_pos > + echo "Did not find expected hash value for $a:" > + echo " user.ima=3D$p$h" > + echo "" > + echo "Actual output below:" > + getfattr -n user.ima -e hex $f | sed 's/^/ /' > + norm_if_pos > + rm -f $f > + return 1 > + fi > + rm -f $f > + return 0 > +} > + > +check() { > + local a=3D$1 p=3D$2 h=3D$3 > + local f=3D$a-hash.txt > + > + rm -f $f > + touch $f > + cmd=3D(openssl dgst ${ENGINE:+--engine $ENGINE} -$a $f) > + echo $BLUE - "${cmd[@]}" $NORM > + h=3D$(set -o pipefail; eval "${cmd[@]}" 2>/dev/null | cut -d' ' -f2) > + if [ $? -ne 0 -a -z "$HOWFAILED" ]; then > + echo "$a test is skipped" > + rm -f $f > + return 77 > + fi > + check_const $a $p "$h" $f > +} > + > +# check args: algo prefix hex-hash > +pos check md4 0x01 > +pos check md5 0x01 > +pos check sha1 0x01 > +neg check SHA1 0x01 # uppercase > +neg check sha512-224 0x01 # valid for pkcs1 > +neg check sha512-256 0x01 # valid for pkcs1 > +neg check unknown 0x01 # nonexistent > +pos check sha224 0x0407 > +pos check sha256 0x0404 > +pos check sha384 0x0405 > +pos check sha512 0x0406 > +pos check rmd160 0x0403 > +neg check sm3 0x01 > +neg check sm3-256 0x01 > +_enable_gost_engine > +pos check md_gost12_256 0x0412 > +pos check streebog256 0x0412 > +pos check md_gost12_512 0x0413 > +pos check streebog512 0x0413 > + > +_report_exit > diff --git a/tests/ima_sign.test b/tests/ima_sign.test > new file mode 100755 > index 0000000..5d8edd5 > --- /dev/null > +++ b/tests/ima_sign.test > @@ -0,0 +1,186 @@ > +#!/bin/bash > +# > +# evmctl ima_sign tests > +# > +# Copyright (C) 2019 Vitaly Chikunov > +# > +# This program is free software; you can redistribute it and/or modify > +# it under the terms of the GNU General Public License as published by > +# the Free Software Foundation; either version 2, or (at your option) > +# any later version. > +# > +# This program is distributed in the hope that it will be useful, > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +# GNU General Public License for more details. > + > +cd $(dirname $0) > +PATH=3D../src:$PATH > +source ./functions > +_require evmctl openssl xxd getfattr > +./gen-keys.sh >/dev/null 2>&1 > + > +# Determine keyid from .cer > +keyid() { > + id=3D$(openssl x509 ${ENGINE:+-engine $ENGINE} \ > + -in $1.cer -inform DER -pubkey -noout 2>/dev/null \ > + | openssl asn1parse \ > + | grep BIT.STRING \ > + | cut -d: -f1) > + if [ -z "$id" ]; then > + echo "Cannot asn1parse $1.cer" >&2 > + exit 1 > + fi > + openssl x509 ${ENGINE:+-engine $ENGINE} \ > + -in $1.cer -inform DER -pubkey -noout 2>/dev/null \ > + | openssl asn1parse -strparse $id -out - -noout \ > + | openssl dgst -c -sha1 \ > + | cut -d' ' -f2 \ > + | grep -o ":..:..:..:..$" \ > + | tr -d : > +} > + > +_ima_sign() { > + local k=3D$1 a=3D$2 f=3D$3 > + > + cmd=3D(evmctl ima_sign ${ENGINE:+--engine $ENGINE} -a $a \ > + -k $k.key --xattr-user --sigfile $f) > + echo $YELLOW$MODE ${cmd[@]} $NORM > + eval "${cmd[@]}" >$a.out 2>&1 > + _evmctl_catch $? $a.out ima_sign "$a ($k.key)" $f || return > + > + # Check that detached signature matches xattr signature > + if [ ! -e $f.sig ]; then > + echo "evmctl ima_sign: no detached signature $f.sig" > + return 1 > + fi > + > + getfattr -n user.ima --only-values $f > $f.sig2 > + if ! cmp -bl $f.sig $f.sig2; then > + echo "evmctl ima_sign: xattr signature differ from detached $f.sig" > + rm -f $f.sig $f.sig2 > + return 1 > + fi > + > + rm -f $f.sig $f.sig2 > +} > + > +check_rsa() { > + local k=3Dtest-rsa1024 a=3D$1 p=3D$2 > + local f=3D$a.txt > + > + # Append suffix to files for negative tests, because we need > + # to leave only good files for ima_verify.test > + _isneg && f+=3D- > + rm -f $f > + > + keyid=3D$(keyid $k) > + if [ $? -ne 0 ]; then > + echo "Unable to determine keyid for $k" > + return 99 > + fi > + p=3D$(echo $p | sed "s/K/$keyid/") > + > + if ! openssl dgst -$a /dev/null >/dev/null 2>&1; then > + echo "$a ($k.key) test is skipped (openssl cannot handle $a digest)" > + return 77 > + fi > + touch $f > + cmd=3D(openssl dgst -$a -sign $k.key -hex $f) > + echo $BLUE - "${cmd[@]}" $NORM > + sig=3D$(set -o pipefail; eval "${cmd[@]}" 2>/dev/null | cut -d' ' -f2) > + if [ $? -ne 0 ] && _ispos; then > + echo "$a ($k.key) test is skipped (openssl cannot sign with $a+$k.ke= y)" > + rm -f $f > + return 77 > + fi > + > + _ima_sign $k $a $f || return > + if ! getfattr -n user.ima -e hex $f | grep -qx user.ima=3D$p$sig; then > + red_if_pos > + echo "Did not find expected hash value for $a:" > + echo " user.ima=3D$p$sig" > + echo "" > + echo "Actual output below:" > + getfattr -n user.ima -e hex $f | sed 's/^/ /' > + norm_if_pos > + rm -f $f > + return 1 > + fi > + return 0 > +} > + > +check_ecrdsa() { > + local k=3D$1 a=3D$2 p=3D$3 > + > + # Sign different files not only depending on a hash algo, > + # but also on a key. Append curve letter to the hash algo. > + curve=3D${k##*-} > + f=3D$a${curve,,}.txt > + > + # Append suffix to files for negative tests, because we need > + # to leave only good files for ima_verify.test > + _isneg && f+=3D- > + rm -f $f > + > + # Older openssl unable to parse 512-bit keys > + if ! openssl pkey ${ENGINE:+-engine $ENGINE} -in $k.key >/dev/null 2>&= 1; then > + echo "$a ($k.key) test is skipped" > + return 77 > + fi > + > + keyid=3D$(keyid $k) > + if [ $? -ne 0 ]; then > + echo "Unable to determine keyid for $k" > + return 99 > + fi > + p=3D$(echo $p | sed "s/K/$keyid/") > + > + touch $f > + _ima_sign $k $a $f || return > + # Only verify prefix here. > + if ! getfattr -n user.ima -e hex $f | grep -q ^user.ima=3D$p; then > + red_if_pos > + echo "Signature prefix does not match for $a ($k):" > + echo "Expected: user.ima=3D$p..." > + echo "" > + echo "Actual output below:" > + getfattr -n user.ima -e hex $f | sed 's/^/ /' > + norm_if_pos > + rm -f $f > + return 1 > + fi > + > + # Extract signature from xattr > + getfattr -n user.ima -e hex $f \ > + | grep ^user.ima=3D \ > + | sed s/^user.ima=3D$p// \ > + | xxd -r -p > $a.sig2 > + > + # Verify with openssl > + if ! openssl dgst ${ENGINE:+-engine $ENGINE} -$a \ > + -verify $k.pub -signature $a.sig2 $f >/dev/null 2>&1; then > + return 1 > + fi > + rm $a.sig2 > +} > + > +# check args: algo prefix hex-signature-prefix (K in place of keyid.) > +pos check_rsa md5 0x030201K0080 > +pos check_rsa sha1 0x030202K0080 > +pos check_rsa sha224 0x030207K0080 > +pos check_rsa sha256 0x030204K0080 > +pos check_rsa sha384 0x030205K0080 > +pos check_rsa sha512 0x030206K0080 > +pos check_rsa rmd160 0x030203K0080 > +neg check_rsa invalid-hash-algo 0x030202K0080 > +_enable_gost_engine > +pos check_ecrdsa test-gost2012_256-A md_gost12_256 0x030212K0040 > +pos check_ecrdsa test-gost2012_256-B md_gost12_256 0x030212K0040 > +pos check_ecrdsa test-gost2012_256-C md_gost12_256 0x030212K0040 > +pos check_ecrdsa test-gost2012_512-A md_gost12_512 0x030213K0080 > +pos check_ecrdsa test-gost2012_512-B md_gost12_512 0x030213K0080 > +neg check_ecrdsa test-gost2012_256-A md_gost12_512 0x030212K0040 > +neg check_ecrdsa test-gost2012_512-A md_gost12_256 0x030212K0040 > + > +_report_exit > diff --git a/tests/ima_verify.test b/tests/ima_verify.test > new file mode 100755 > index 0000000..6a9c876 > --- /dev/null > +++ b/tests/ima_verify.test > @@ -0,0 +1,79 @@ > +#!/bin/bash > +# > +# evmctl ima_verify tests > +# > +# Copyright (C) 2019 Vitaly Chikunov > +# > +# This program is free software; you can redistribute it and/or modify > +# it under the terms of the GNU General Public License as published by > +# the Free Software Foundation; either version 2, or (at your option) > +# any later version. > +# > +# This program is distributed in the hope that it will be useful, > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +# GNU General Public License for more details. > + > +cd $(dirname $0) > +PATH=3D../src:$PATH > +source ./functions > +_require evmctl openssl > + > +# Check with constant > +check() { > + local k=3D$1 a=3D$2 f=3D$3 > + > + if [ ! -e $f ]; then > + echo "Signed file $f is not found. Skipping verify $a ($k) test." > + return 77 > + fi > + if ! openssl dgst ${ENGINE:+--engine $ENGINE} -$a /dev/null >/dev/null= 2>&1; then > + echo "$a ($k.key) test is skipped (openssl does not support $a)" > + rm -f $f > + return 77 > + fi > + > + cmd=3D(evmctl ima_verify ${ENGINE:+--engine $ENGINE} -v -k $k --xattr-= user $f) > + echo $YELLOW$MODE "${cmd[@]}" $NORM > + eval "${cmd[@]}" >$f.out 2>&1 > + _evmctl_catch $? $f.out ima_verify "$f ($k)" > +} > + > +# Tests (check args: key hash-algo signed-file > +for a in md5 sha1 sha224 sha256 sha384 sha512 rmd160; do > + f=3D$a.txt > + pos check test-rsa1024.cer $a $f > + pos check /dev/zero,test-rsa1024.cer $a $f > + pos check /dev/null,test-rsa1024.cer $a $f > + pos check test-rsa1024.cer,test-rsa2048.cer $a $f > + pos check test-rsa2048.cer,test-rsa1024.cer $a $f > + pos check ,,test-rsa1024.cer $a $f > + pos check test-rsa1024.cer,,, $a $f > + neg check test-rsa2048.cer $a $f > + neg check /dev/absent $a $f > + neg check /dev/null $a $f > + neg check /dev/zero $a $f > +done > + > +_enable_gost_engine > +wk=3Dtest-gost2012_512-B.cer # first wrong key > +for k in gost2012_256-A gost2012_256-B gost2012_256-C \ > + gost2012_512-A gost2012_512-B; do > + tmp=3D${k#gost2012_} > + bits=3D${tmp%-?} > + wbits=3D$(( $bits =3D=3D 256 ? 512 : 256 )) > + curve=3D${k#*-} > + a=3Dmd_gost12_$bits # proper hash algo > + f=3D$a${curve,,}.txt # file signed in ima_sign test > + k=3Dtest-$k.cer > + wwk=3Dtest-gost2012_$wbits-$curve.cer # key with wrong bit length > + > + pos check $k $a $f > + pos check $wk,$k $a $f > + pos check $k,$wk $a $f > + neg check $wk $a $f > + neg check $wwk $a $f > + wk=3D$k # previous key is always wrong > +done > + > +_report_exit > --=20 > 2.11.0 >=20 The test cases looks pretty straightforward to me, although some helper functions took me some time to digest :-). I would say that's a nice and good start for testing the package. Tested in my local build and worked fine with no errors whatsoever. I don't think the minor nit in the comment at Makefile.am I pointed should stop it from being pulled, thus: Reviewed-by: Bruno E. O. Meneguele Thanks. --/DkgDsqJFFamjKX0 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEdWo6nTbnZdbDmXutYdRkFR+RokMFAl06JhMACgkQYdRkFR+R okP+sggA4/+nW/4hsRle4AGk81nKbzfpPE+NRzCn/eEHjxoQV+a+q8hYcdbIy/Rb L6bYUieKmL/tuY5792HT13wCo4qyihjRVGjrPYUjKdoCPZKRdsZSWVdnmTJlbMMd Y3wuEspgbbGbjV36GmW4+ZYemfhO4sdF+nXH/Yk7RlIGCarK/nAdSwnnUmjkbAO2 kFLGmiGxNTotAu0n9Fltcqaynd9KGtchVwLnzUaiQQHlCyG5tBJNQw0sEI7hrcdx bjLAxo5uGytjT5SHRPBi1dQDNeuMtnMLe0soTHBagqQbvuwKFegge0uDhEEk0B9E fSPeueiGuIy5CVprB0fmWIVoWSDS3Q== =EBcu -----END PGP SIGNATURE----- --/DkgDsqJFFamjKX0--