tests/pkd: Add tests using certificates with SHA2 in signatures

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>

tests/pkd/pkd_client.h

@@ -78,6 +78,9 @@
 #define OPENSSH_CERT_CMD \
     OPENSSH_CMD_START(OPENSSH_HOSTKEY_ALGOS) "-o CertificateFile=" CLIENT_ID_FILE "-cert.pub " OPENSSH_CMD_END
 
+#define OPENSSH_SHA256_CERT_CMD \
+    OPENSSH_CMD_START(OPENSSH_HOSTKEY_ALGOS) "-o CertificateFile=" CLIENT_ID_FILE "-sha256-cert.pub " OPENSSH_CMD_END
+
 /* Dropbear */
 
 #define DROPBEAR_BINARY "dbclient"

tests/pkd/pkd_hello.c

@@ -629,6 +629,7 @@ PKDTESTS_MAC_OPENSSHONLY(emit_keytest, openssh_dsa, OPENSSH_MAC_CMD)
 #define CLIENT_ID_FILE OPENSSH_RSA_TESTKEY
 PKDTESTS_DEFAULT(emit_keytest, openssh_rsa, OPENSSH_CMD)
 PKDTESTS_DEFAULT(emit_keytest, openssh_cert_rsa, OPENSSH_CERT_CMD)
+PKDTESTS_DEFAULT(emit_keytest, openssh_sha256_cert_rsa, OPENSSH_SHA256_CERT_CMD)
 PKDTESTS_DEFAULT_OPENSSHONLY(emit_keytest, openssh_rsa, OPENSSH_CMD)
 PKDTESTS_KEX(emit_keytest, openssh_rsa, OPENSSH_KEX_CMD)
 PKDTESTS_KEX_OPENSSHONLY(emit_keytest, openssh_rsa, OPENSSH_KEX_CMD)
@@ -710,6 +711,7 @@ struct {
 
     PKDTESTS_DEFAULT(emit_testmap, openssh_rsa, OPENSSH_CMD)
     PKDTESTS_DEFAULT(emit_testmap, openssh_cert_rsa, OPENSSH_CERT_CMD)
+    PKDTESTS_DEFAULT(emit_testmap, openssh_sha256_cert_rsa, OPENSSH_SHA256_CERT_CMD)
     PKDTESTS_DEFAULT_OPENSSHONLY(emit_testmap, openssh_rsa, OPENSSH_CMD)
     PKDTESTS_KEX(emit_testmap, openssh_rsa, OPENSSH_KEX_CMD)
     PKDTESTS_KEX_OPENSSHONLY(emit_testmap, openssh_rsa, OPENSSH_KEX_CMD)
@@ -773,6 +775,8 @@ static int pkd_run_tests(void) {
 
         PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_rsa, OPENSSH_CMD)
         PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_cert_rsa, OPENSSH_CERT_CMD)
+        PKDTESTS_DEFAULT_FIPS(emit_unit_test_comma, openssh_sha256_cert_rsa,
+                              OPENSSH_SHA256_CERT_CMD)
         PKDTESTS_DEFAULT_OPENSSHONLY(emit_unit_test_comma, openssh_rsa, OPENSSH_CMD)
         PKDTESTS_KEX(emit_unit_test_comma, openssh_rsa, OPENSSH_KEX_CMD)
         PKDTESTS_CIPHER(emit_unit_test_comma, openssh_rsa, OPENSSH_CIPHER_CMD)
@@ -807,7 +811,8 @@ static int pkd_run_tests(void) {
 
     const struct CMUnitTest openssh_fips_tests[] = {
         PKDTESTS_DEFAULT_FIPS(emit_unit_test_comma, openssh_rsa, OPENSSH_CMD)
-        PKDTESTS_DEFAULT_FIPS(emit_unit_test_comma, openssh_cert_rsa, OPENSSH_CERT_CMD)
+        PKDTESTS_DEFAULT_FIPS(emit_unit_test_comma, openssh_sha256_cert_rsa,
+                              OPENSSH_SHA256_CERT_CMD)
         PKDTESTS_KEX_FIPS(emit_unit_test_comma, openssh_rsa, OPENSSH_KEX_CMD)
         PKDTESTS_CIPHER_FIPS(emit_unit_test_comma, openssh_rsa, OPENSSH_CIPHER_CMD)
         PKDTESTS_CIPHER_OPENSSHONLY_FIPS(emit_unit_test_comma, openssh_rsa, OPENSSH_CIPHER_CMD)

tests/pkd/pkd_keyutil.c

@@ -112,6 +112,13 @@ void setup_openssh_client_keys() {
     }
     assert_int_equal(rc, 0);
 
+    if (access(OPENSSH_RSA_TESTKEY "-sha256-cert.pub", F_OK) != 0) {
+        rc = system_checked(OPENSSH_KEYGEN " -I ident -t rsa-sha2-256 "
+                            "-s " OPENSSH_CA_TESTKEY " "
+                            OPENSSH_RSA_TESTKEY ".pub 2>/dev/null");
+    }
+    assert_int_equal(rc, 0);
+
     if (access(OPENSSH_ECDSA256_TESTKEY, F_OK) != 0) {
         rc = system_checked(OPENSSH_KEYGEN " -t ecdsa -b 256 -q -N \"\" -f "
                             OPENSSH_ECDSA256_TESTKEY);
@@ -180,6 +187,7 @@ void setup_openssh_client_keys() {
 void cleanup_openssh_client_keys() {
     cleanup_key(OPENSSH_CA_TESTKEY);
     cleanup_key(OPENSSH_RSA_TESTKEY);
+    cleanup_file(OPENSSH_RSA_TESTKEY "-sha256-cert.pub");
     cleanup_key(OPENSSH_ECDSA256_TESTKEY);
     cleanup_key(OPENSSH_ECDSA384_TESTKEY);
     cleanup_key(OPENSSH_ECDSA521_TESTKEY);