author Clemens Lang <cllang@redhat.com> 2022-07-04 16:15:07 +0200
committer Dmitry Belyavskiy <beldmit@gmail.com> 2022-08-17 09:20:41 +0200
commit 653a7706781ebbe8a6a4b84d29b39d001c395ffe
tree fb4d55bb3be0b0873b12750809192e64cacb2f22 /test
parent 33b9bb45a4d463052aef763cc7c64c91384d4249
APPS: dgst: Support properties when signing

The -provider and -propquery options did not work on dgst when using it for signing or signature verification (including HMACs). Fix this and add tests that check that operations that would usually fail with the FIPS provider work when run with
| -provider default -propquery '?fips!=yes'

Additionally, modify the behavior of dgst -list to also use the current library context and property query. This reduces the output below the headline "Supported digests" to a list of the digest algorithms that will actually work with the current configuration, which is closer to what users probably expect with this headline.

See also 30b2c3592e8511b60d44f93eb657a1ecb3662c08, which previously fixed the same problem in dsaparam and gendsa. See also the initial report in https://bugzilla.redhat.com/show_bug.cgi?id=2094956.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18717)
Diffstat (limited to 'test')
-rw-r--r-- test/recipes/20-test_cli_fips.t 14
1 files changed, 13 insertions, 1 deletions
diff --git a/test/recipes/20-test_cli_fips.t b/test/recipes/20-test_cli_fips.t
index bb5660dc3c..36567653f9 100644
--- a/test/recipes/20-test_cli_fips.t
+++ b/test/recipes/20-test_cli_fips.t
@@ -67,7 +67,7 @@ sub pubfrompriv {
}
-my $tsignverify_count = 8;
+my $tsignverify_count = 9;
sub tsignverify {
my $prefix = shift;
my $fips_key = shift;
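Review bot: The hard-coded $tsignverify_count = 9 has to be bumped by hand every time an ok() is added to tsignverify, and nothing at the declaration says what the number counts. A one-line comment above it stating that it must equal the number of ok() calls in tsignverify would make a future mismatch between the plan and the checks easier to catch in review.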
@@ -149,6 +149,18 @@ sub tsignverify {
$testtext);
$testtext = $prefix.': '.
+ 'Verify something with a non-FIPS key'.
+ ' in FIPS mode but with a non-FIPS property query';
+ ok(run(app(['openssl', 'dgst',
+ '-provider', 'default',
+ '-propquery', '?fips!=yes',
+ '-sha256',
+ '-verify', $nonfips_pub_key,
+ '-signature', $sigfile,
+ $tbs_data])),
+ $testtext);
+
+ $testtext = $prefix.': '.
'Verify a valid signature against the wrong data with a non-FIPS key'.
' (should fail)';
ok(!run(app(['openssl', 'dgst', '-sha256',
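Review bot: The added case covers only -verify with -provider default -propquery '?fips!=yes', while the commit message says the fix also applies to signing and HMACs and changes dgst -list; the test changes shown here contain no -sign, -hmac or -list invocation with these options. Consider adding a signing case with the non-FIPS key and an HMAC case under the same property query so that each fixed path has its own regression test. The new check also relies on $sigfile and $nonfips_pub_key set up earlier in the sub, so a comment naming the step that produces the signature would help anyone reordering these cases.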