From 25cb39b7fc03415ba3d4897239e4331949ac0f0e Mon Sep 17 00:00:00 2001
From: Tom Krizek
Date: Mon, 8 Jan 2024 12:54:19 +0100
Subject: [PATCH] Rewrite testcrypto.sh into python
Run the crypto support checks when initializing the isctest package and save those results in environment variable. This removes the need to repeatedly check for crypto operation support, as it's not something that would change at test runtime.
---
 bin/tests/system/isctest/vars/__init__.py | 3 +-
 bin/tests/system/isctest/vars/algorithms.py | 59 +++++++++----
 bin/tests/system/isctest/vars/all.py | 12 ++-
 bin/tests/system/testcrypto.sh | 94 ---------------------
 4 files changed, 56 insertions(+), 112 deletions(-)
 delete mode 100755 bin/tests/system/testcrypto.sh
diff --git a/bin/tests/system/isctest/vars/__init__.py b/bin/tests/system/isctest/vars/__init__.py
index 6ed7020344..1af9e20767 100644
--- a/bin/tests/system/isctest/vars/__init__.py
+++ b/bin/tests/system/isctest/vars/__init__.py
@@ -12,13 +12,14 @@
 import os
 from .all import ALL
-from .algorithms import set_algorithm_set
+from .algorithms import init_crypto_supported, set_algorithm_set
 from .openssl import parse_openssl_config
 from .. import log
 def init_vars():
 """Initializes the environment variables."""
+ init_crypto_supported()
 set_algorithm_set(os.getenv("ALGORITHM_SET"))
 parse_openssl_config(ALL["OPENSSL_CONF"])
diff --git a/bin/tests/system/isctest/vars/algorithms.py b/bin/tests/system/isctest/vars/algorithms.py
index 41888649ec..56f3edc62c 100644
--- a/bin/tests/system/isctest/vars/algorithms.py
+++ b/bin/tests/system/isctest/vars/algorithms.py
@@ -10,10 +10,10 @@
 # information regarding copyright ownership.
 import os
-from pathlib import Path
 import platform
 import random
 import subprocess
+import tempfile
 import time
 from typing import Dict, List, NamedTuple, Optional, Union
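Review bot: The new `init_crypto_supported()` call in `init_vars()` has to stay ahead of `set_algorithm_set()`, and nothing at the call site says so (the rest of `init_vars()` may lie outside the hunk). `_filter_supported()` in the third algorithms.py hunk now only looks in `SUPPORTED_ALGORITHMS`, which is `[]` until the probe has run, and `CRYPTO_SUPPORTED_VARS`, exposed through `ALL` in all.py, holds `"0"` for every algorithm until then, so an uninitialised state reads exactly like "nothing supported". Assuming `set_algorithm_set()` reaches `_filter_supported()` (its body is not part of this diff), I would add a comment above the call such as `# Must run before set_algorithm_set(): algorithm filtering reads SUPPORTED_ALGORITHMS.` The `init_crypto_supported()` docstring could also say that it is meant to be called once, since a second call would append duplicates to `SUPPORTED_ALGORITHMS`.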
@@ -112,25 +112,54 @@ ALGORITHM_SETS = {
 # ),
 }
-# TODO rewrite testcrypto.sh to python
-TESTCRYPTO = Path(__file__).resolve().parent.parent.parent / "testcrypto.sh"
-
-def _is_supported(alg: Algorithm) -> bool:
+def is_crypto_supported(alg: Algorithm) -> bool:
 """Test whether a given algorithm is supported on the current platform."""
- try:
- subprocess.run(
- f"{TESTCRYPTO} -q {alg.name}",
- shell=True,
- check=True,
- env=BASIC_VARS,
+ assert alg in ALL_ALGORITHMS, f"unknown algorithm: {alg}"
+ with tempfile.TemporaryDirectory() as tmpdir:
+ proc = subprocess.run(
+ [
+ BASIC_VARS["KEYGEN"],
+ "-a",
+ alg.name,
+ "-b",
+ str(alg.bits),
+ "foo",
+ ],
+ cwd=tmpdir,
+ check=False,
 stdout=subprocess.DEVNULL,
 )
- except subprocess.CalledProcessError as exc:
- log.debug(exc)
+ if proc.returncode == 0:
+ return True
 log.info("algorithm %s not supported", alg.name)
 return False
- return True
+
+
+# Indicate algorithm support on the current platform.
+CRYPTO_SUPPORTED_VARS = {
+ "RSASHA1_SUPPORTED": "0",
+ "RSASHA256_SUPPORTED": "0",
+ "RSASHA512_SUPPORTED": "0",
+ "ECDSAP256SHA256_SUPPORTED": "0",
+ "ECDSAP384SHA384_SUPPORTED": "0",
+ "ED25519_SUPPORTED": "0",
+ "ED448_SUPPORTED": "0",
+}
+
+SUPPORTED_ALGORITHMS: List[Algorithm] = []
+
+
+def init_crypto_supported():
+ """Initialize the environment variables indicating cryptography support."""
+ for alg in ALL_ALGORITHMS:
+ supported = is_crypto_supported(alg)
+ if supported:
+ SUPPORTED_ALGORITHMS.append(alg)
+ envvar = f"{alg.name}_SUPPORTED"
+ val = "1" if supported else "0"
+ CRYPTO_SUPPORTED_VARS[envvar] = val
+ os.environ[envvar] = val
 def _filter_supported(algs: AlgorithmSet) -> AlgorithmSet:
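Review bot: In `is_crypto_supported()` every non-zero exit from the KEYGEN binary is reported as "algorithm not supported", and the diagnostic the removed code kept via `log.debug(exc)` is gone, so a wrong or broken `BASIC_VARS["KEYGEN"]` cannot be told apart from a platform that really lacks the algorithm. Because the result is then written to `{alg.name}_SUPPORTED` and `SUPPORTED_ALGORITHMS`, such a failure would presumably switch off the dependent crypto tests rather than fail the run. I would keep the evidence by passing `stderr=subprocess.PIPE, text=True` to `subprocess.run()` and adding `log.debug("%s exited with %d: %s", BASIC_VARS["KEYGEN"], proc.returncode, proc.stderr)` before the `log.info` line. Separately, `assert alg in ALL_ALGORITHMS` disappears under `python -O`, whereas an explicit `raise ValueError(f"unknown algorithm: {alg}")` keeps the check.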
@@ -140,7 +169,7 @@ def _filter_supported(algs: AlgorithmSet) -> AlgorithmSet:
 candidates = getattr(algs, alg_type)
 if isinstance(candidates, Algorithm):
 candidates = [candidates]
- supported = list(filter(_is_supported, candidates))
+ supported = [alg for alg in candidates if alg in SUPPORTED_ALGORITHMS]
 if len(supported) == 1:
 supported = supported.pop()
 elif not supported:
diff --git a/bin/tests/system/isctest/vars/all.py b/bin/tests/system/isctest/vars/all.py
index 3478a84a54..eabe2c3791 100644
--- a/bin/tests/system/isctest/vars/all.py
+++ b/bin/tests/system/isctest/vars/all.py
@@ -15,7 +15,7 @@ from collections import ChainMap
 from .autoconf import AC_VARS # type: ignore
 # pylint: enable=import-error
-from .algorithms import ALG_VARS
+from .algorithms import ALG_VARS, CRYPTO_SUPPORTED_VARS
 from .basic import BASIC_VARS
 from .dirs import DIR_VARS
 from .openssl import OPENSSL_VARS
@@ -53,4 +53,12 @@ class VarLookup(ChainMap):
 return iter(self.keys())
-ALL = VarLookup(AC_VARS, BASIC_VARS, OPENSSL_VARS, PORT_VARS, DIR_VARS, ALG_VARS)
+ALL = VarLookup(
+ AC_VARS,
+ BASIC_VARS,
+ OPENSSL_VARS,
+ PORT_VARS,
+ DIR_VARS,
+ ALG_VARS,
+ CRYPTO_SUPPORTED_VARS,
+)
diff --git a/bin/tests/system/testcrypto.sh b/bin/tests/system/testcrypto.sh
deleted file mode 100755
index aaf793b192..0000000000
--- a/bin/tests/system/testcrypto.sh
+++ /dev/null
@@ -1,94 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-prog=$0
-args=""
-quiet=0
-dir=""
-msg="cryptography"
-
-if test -z "$KEYGEN"; then
- . ../conf.sh
- alg="-a $DEFAULT_ALGORITHM -b $DEFAULT_BITS"
-else
- alg=""
- quiet=1
- args="-q"
-fi
-
-while test "$#" -gt 0; do
- case $1 in
- -q)
- if test $quiet -eq 0; then
- args="$args -q"
- quiet=1
- fi
- ;;
- rsa | RSA | rsasha1 | RSASHA1)
- alg="-a RSASHA1"
- msg="RSA cryptography"
- ;;
- rsasha256 | RSASHA256)
- alg="-a RSASHA256"
- msg="RSA cryptography"
- ;;
- rsasha512 | RSASHA512)
- alg="-a RSASHA512"
- msg="RSA cryptography"
- ;;
- ecdsa | ECDSA | ecdsap256sha256 | ECDSAP256SHA256)
- alg="-a ECDSAP256SHA256"
- msg="ECDSA cryptography"
- ;;
- ecdsap384sha384 | ECDSAP384SHA384)
- alg="-a ECDSAP384SHA384"
- msg="ECDSA cryptography"
- ;;
- eddsa | EDDSA | ed25519 | ED25519)
- alg="-a ED25519"
- msg="EDDSA cryptography"
- ;;
- ed448 | ED448)
- alg="-a ED448"
- msg="EDDSA cryptography"
- ;;
- *)
- echo "${prog}: unknown argument"
- exit 1
- ;;
- esac
- shift
-done
-
-if test -z "$alg"; then
- echo "${prog}: no algorithm selected"
- exit 1
-fi
-
-if test -n "$TMPDIR"; then
- dir=$(mktemp -d "$TMPDIR/XXXXXX")
- args="$args -K $dir"
-fi
-
-if $KEYGEN $args $alg foo >/dev/null 2>&1; then
- if test -z "$dir"; then
- rm -f Kfoo*
- else
- rm -rf "$dir"
- fi
-else
- if test $quiet -eq 0; then
- echo_i "This test requires support for $msg" >&2
- fi
- exit 255
-fi