linux-integrity.vger.kernel.org archive mirror
* [ima-evm-utils PATCH 0/2] Fix issue with tests and provider on Ubuntu 24.04
From: Stefan Berger @ 2024-05-14 18:22 UTC (permalink / raw)
  To: linux-integrity; +Cc: zohar, roberto.sassu, Stefan Berger

The 1st patch fixes an issue on Ubuntu 24.04 due to which an OpenSSL
provider could not be used.

The 2nd patch passes --engine pkcs11 or --provider pkcs11 options via
EVMCTL_ENGINE variable so that the proper values are used on the command
line for a pkcs11 test case evmctl.

Regards,
   Stefan

Stefan Berger (2):
  evmctl: Replace OSS_PROVIDER_load with OSSL_PROVIDER_try_load (Ubuntu)
  tests: Use EVMCTL_ENGINE to set engine or provider for test case

 src/evmctl.c           | 2 +-
 tests/sign_verify.test | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

-- 
2.45.0



* [ima-evm-utils PATCH 1/2] evmctl: Replace OSS_PROVIDER_load with OSSL_PROVIDER_try_load (Ubuntu)
From: Stefan Berger @ 2024-05-14 18:22 UTC (permalink / raw)
  To: linux-integrity; +Cc: zohar, roberto.sassu, Stefan Berger

To avoid the following type of issue replace OSSL_PROVIDER_load with
OSSL_PROVIDER_try_load():

+ evmctl  --engine gost ima_sign --keyid=aabbccdd --provider pkcs11 \
  --sigfile --hashalgo sha256 \
  --key pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;... \
  --xattr-user pkcs11test

evmctl ima_sign failed with (1)
  EVP_DigestInit() failed
  openssl: error:0308010C:digital envelope routines::unsupported
  openssl: error:03000086:digital envelope routines::initialization error

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 src/evmctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index ffe2fc9..3ebda6f 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -3049,7 +3049,7 @@ static char *get_password(void)
 #if CONFIG_IMA_EVM_PROVIDER
 static OSSL_PROVIDER *setup_provider(const char *name)
 {
-	OSSL_PROVIDER *p = OSSL_PROVIDER_load(NULL, name);
+	OSSL_PROVIDER *p = OSSL_PROVIDER_try_load(NULL, name, 1);
 
 	if (!p) {
 		log_err("provider %s isn't available\n", optarg);
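
Review bot: the third argument in `OSSL_PROVIDER_try_load(NULL, name, 1)` is the retain_fallbacks flag and it is the entire behavioural change, yet neither the code nor the commit message says so. An explicit OSSL_PROVIDER_load() disables OpenSSL's fallback provider, which is consistent with the EVP_DigestInit() "unsupported" error quoted in the commit message; a one-line comment above the call stating that fallbacks are retained so that digests remain available would keep the bare `1` from being dropped in a later cleanup. Separately, the context line `log_err("provider %s isn't available\n", optarg);` reports the global optarg rather than the function's own `name` parameter; it should print `name`.
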
-- 
2.45.0



* [ima-evm-utils PATCH 2/2] tests: Use EVMCTL_ENGINE to set engine or provider for test case
From: Stefan Berger @ 2024-05-14 18:23 UTC (permalink / raw)
  To: linux-integrity; +Cc: zohar, roberto.sassu, Stefan Berger

Use EVMCTL_ENGINE to pass --provider or --engine to evmctl. Before, when
gost tests were running, EVMCTL_ENGINE was still set to '--engine gost'
and was used on the command line for evmctl by a pkcs11 test as well.

Note: Ubuntu 22.04 (Noble) currently seems to have an issue when softhsm is
used via --engine pkcs11. In this case ENGINE_finish() in evmctl causes a
crash/segfault. However, when pkcs11-provider is installed and used by
evmctl then this issue does not occur. Therefore, we cannot currently run
tests on Ubuntu 22.04 that use softhsm via pkcs11 engine. Users should
install and use the pkcs11-provider instead and not force usage of the
engine by passing '--engine pkcs11' to the command line.

Fixes: ffde173250 ("tests: Add pkcs11 test using provider")
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 tests/sign_verify.test | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tests/sign_verify.test b/tests/sign_verify.test
index f9522e0..4e7945a 100755
--- a/tests/sign_verify.test
+++ b/tests/sign_verify.test
@@ -440,8 +440,8 @@ expect_fail \
 _softhsm_setup "${WORKDIR}"
 if [ -n "${PKCS11_KEYURI}" ]; then
   if evmctl --help 2>/dev/null | grep -q engine; then
-    expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_KEYURI}" ALG=sha256 PREFIX=0x030204aabbccdd0100 OPTS="--keyid=aabbccdd --engine pkcs11"
-    expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_KEYURI}" ALG=sha1   PREFIX=0x030202aabbccdd0100 OPTS="--keyid=aabbccdd --engine pkcs11"
+    expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_KEYURI}" ALG=sha256 PREFIX=0x030204aabbccdd0100 OPTS="--keyid=aabbccdd" EVMCTL_ENGINE="--engine pkcs11"
+    expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_KEYURI}" ALG=sha1   PREFIX=0x030202aabbccdd0100 OPTS="--keyid=aabbccdd" EVMCTL_ENGINE="--engine pkcs11"
   else
     __skip() { echo "pkcs11 test with engine is skipped since there is no engine support"; return "$SKIP"; }
     expect_pass __skip
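
Review bot: the engine branch still runs both `--engine pkcs11` cases whenever `evmctl --help` mentions engine, although the commit message states that this combination with softhsm segfaults in ENGINE_finish() on Ubuntu and that the tests cannot currently be run there. Nothing in this hunk skips them on the affected system, so the suite will still hit the crash; either route the affected case through the existing `__skip` pattern or add a comment here pointing at the known failure so the segfault is not mistaken for a regression in evmctl.
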
@@ -453,8 +453,8 @@ if [ -n "${PKCS11_KEYURI}" ]; then
      openssl list -providers -provider pkcs11 2>/dev/null; then
     PKCS11_PRIVKEYURI=${PKCS11_KEYURI//type=public/type=private}
 
-    expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_PRIVKEYURI}" ALG=sha256 PREFIX=0x030204aabbccdd0100 OPTS="--keyid=aabbccdd --provider pkcs11"
-    expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_PRIVKEYURI}" ALG=sha1   PREFIX=0x030202aabbccdd0100 OPTS="--keyid=aabbccdd --provider pkcs11"
+    expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_PRIVKEYURI}" ALG=sha256 PREFIX=0x030204aabbccdd0100 OPTS="--keyid=aabbccdd" EVMCTL_ENGINE="--provider pkcs11"
+    expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_PRIVKEYURI}" ALG=sha1   PREFIX=0x030202aabbccdd0100 OPTS="--keyid=aabbccdd" EVMCTL_ENGINE="--provider pkcs11"
   else
     __skip() { echo "pkcs11 test with provider is skipped since no provider support or pkcs11 not installed"; return "$SKIP"; }
     expect_pass __skip
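
Review bot: `EVMCTL_ENGINE="--provider pkcs11"` places a provider option in a variable named for engines, so the name no longer tells a reader of check_sign what it may contain; a short comment where the variable is consumed, or a neutral name, would make that clear. The stale '--engine gost' value described in the commit message is only overridden for calls that pass EVMCTL_ENGINE explicitly, so clearing it once the gost tests finish would also protect any later check_sign call that does not pass it.
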
-- 
2.45.0



* Re: [ima-evm-utils PATCH 0/2] Fix issue with tests and provider on Ubuntu 24.04
From: Mimi Zohar @ 2024-05-15 11:38 UTC (permalink / raw)
  To: Stefan Berger, linux-integrity; +Cc: roberto.sassu

On Tue, 2024-05-14 at 14:22 -0400, Stefan Berger wrote:
> The 1st patch fixes an issue on Ubuntu 24.04 due to which an OpenSSL
> provider could not be used.
> 
> The 2nd patch passes --engine pkcs11 or --provider pkcs11 options via
> EVMCTL_ENGINE variable so that the proper values are used on the command
> line for a pkcs11 test case evmctl.
> 
> Regards,
>    Stefan
> 
> Stefan Berger (2):
>   evmctl: Replace OSS_PROVIDER_load with OSSL_PROVIDER_try_load (Ubuntu)
>   tests: Use EVMCTL_ENGINE to set engine or provider for test case

Thanks, Stefan.  Both patches are now queued.

Mimi

