Test genpkey app for EC keygen with various args#12080
Test genpkey app for EC keygen with various args#12080romen wants to merge 10 commits intoopenssl:masterfrom
Conversation
This commit adds a new recipe to test EC key generation with the `genpkey` CLI app. For each built-in curve, it tests key generation with text output, in PEM and in DER format, using `explicit` and `named_curve` for parameters encoding. The list of built-in curves is static at the moment, as this allows to differentiate between prime curves and binary curves to avoid failing when ec2m is disabled.
!!!DO NOT MERGE!!! This commit should be dropped before merging !!!DO NOT MERGE!!! Test only P-256 and in the `-text` format only: this is to highlight the current failure with ec_param_enc:explicit.
romen
force-pushed
the
issues/3.0.0/ec_explicit_params_encoding
branch
from
d211135 to
da56060
Compare
|
I need @levitte's feedback on how to address the issue. Currently we have this openssl/crypto/evp/pmeth_lib.c Lines 1000 to 1015 in da56060 but this was from before further developments for serializers. If we don't provide a way for the framework to keep track of encoding settings, what are the alternatives?
|
|
I am not very familiar with the serializer code. But this is another tentative plan for a solution.
|
This reverts commit da56060.
Make SM2 curve testing conditional to sm2 feature support. (cherry picked from commit 321ebf3)
Add more aliases (cherry picked from commit 5c87108)
Add extra negative test with unknown curve (cherry picked from commit e52dee3)
!!!DO NOT MERGE!!! This commit should be dropped before merging !!!DO NOT MERGE!!! Test only P-256 and in the `-text` format only: this is to highlight the current failure with ec_param_enc:explicit.
|
The last set of commits cherry-picks the additional tests (and a fix) included in #12085 (the 1.1.1 counterpart of this PR). The very last commit disables anyway most of these tests to keep only |
This reverts commit baf8fa8.
There currently do not support 'ec_param_enc:explicit' with provider side key generation. Reflect that by encoding the expected failure with a Test::More TODO section for those particular tests. Because the tests in this recipe are data driven, we implement this mechanism with two functions, one for stuff that's supported and one for stuff that isn't.
I just rearranged the code with the subroutines to be at the beginning, it might be just a cosmetic thing, but it really makes a difference for me (with basically no knowledge of Perl) in readability to know in advance the meaning of the subroutines and how they are used, so I can better understand what is happening in the foreach loops.
@levitte I cherry-picked your amendment in this PR, and added a small change to move the subroutines towards the beginning of the file (as it seems more readable to me). Can you find in the documentation if the TODO annotation in |
|
I looked through early Test::More changelog, and it shows that the TODO feature has been around for a long time (12 years back at least) |
| 'named_curve' => \&supported, | ||
| 'explicit' => \&unsupported |
There was a problem hiding this comment.
Another way would be this:
| 'named_curve' => \&supported, | |
| 'explicit' => \&unsupported | |
| 'named_curve' => sub { my $str = shift; | |
| ok(run(@_), $str); }, | |
| 'explicit' => sub { my $str = shift; | |
| TODO: { local $TODO = "Currently not supported"; | |
| ok(run(@_), $str); } | |
| }, |
There was a problem hiding this comment.
That would get rid of the function definitions higher up.
There was a problem hiding this comment.
I think the current approach is fine, using \&<name>.
What I find a bit unreadable of having the subroutines at the end is that when you first encounter \&supported or \&unsupported reading from top to bottom, there is very little context to understand what is going on.
Having them first, with the comment describing what is happening, makes it easier to grasp what is going on in the associative arrays and the loops even for Perl-scared people like me!
romen
changed the title
|
I took this out of
|
romen
added
the
approval: review pending
|
@levitte would you be willing to review this? |
|
@levitte would this require further changes? |
|
Ping @levitte |
levitte
added
approval: done
|
Why was this added to the "New Core + FIPS" project? |
It's adding tests for something we broke during the development of the new core+providers architecture. |
Not in my opinion. It's affected by new core / fips work, but itself doesn't touch anything that's distinctly new core / fips. |
|
24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually. |
levitte
added
approval: ready to merge
This commit adds a new recipe to test EC key generation with the `genpkey` CLI app. For each built-in curve, it tests key generation with text output, in PEM and in DER format, using `explicit` and `named_curve` for parameters encoding. The list of built-in curves is static at the moment, as this allows to differentiate between prime curves and binary curves to avoid failing when ec2m is disabled. Reviewed-by: Richard Levitte <[email protected]> (Merged from #12080)
There currently do not support 'ec_param_enc:explicit' with provider side key generation. Reflect that by encoding the expected failure with a Test::More TODO section for those particular tests. Because the tests in this recipe are data driven, we implement this mechanism with two functions, one for stuff that's supported and one for stuff that isn't. Reviewed-by: Nicola Tuveri <[email protected]> (Merged from #12080)
3 participants
This PR adds a new recipe to test EC key generation with the
genpkeyCLI app.For each built-in curve, it tests key generation with text output, in PEM and in DER format, using
explicitandnamed_curvefor parameters encoding.The list of built-in curves is static at the moment, as this allows to differentiate between prime curves and binary curves to avoid failing when
ec2mis disabled.Issue
At this time these new tests, that are passing in 1.1.1 (#12085) are failing due to changes introduced in #11328.
Issue #12102 tracks the progress on solving the issue.
TODO: {}blockFor now, the failing tests are annotated within a
TODO: {}block that informs the testing harness that the tests are expected to fail because development is not yet completed.The PR fixing #12102 will address also the removal of this
TODO: {}annotation.Credits
Thanks to @bbbrumley and the rest of the team behind the OpenSSL Triggerflow CI (paper) that detected and reported this problem!
Checklist
genpkey -algorithm EC -pkeyopt ec_param_enc:explicitfails #12102)