Rewrite testcrypto.sh into python

Run the crypto support checks when initializing the isctest package and
save those results in environment variable. This removes the need to
repeatedly check for crypto operation support, as it's not something
that would change at test runtime.

bin/tests/system/isctest/vars/__init__.py

@@ -12,13 +12,14 @@
 import os
 
 from .all import ALL
-from .algorithms import set_algorithm_set
+from .algorithms import init_crypto_supported, set_algorithm_set
 from .openssl import parse_openssl_config
 from .. import log
 
 
 def init_vars():
     """Initializes the environment variables."""
+    init_crypto_supported()
     set_algorithm_set(os.getenv("ALGORITHM_SET"))
     parse_openssl_config(ALL["OPENSSL_CONF"])
 

bin/tests/system/isctest/vars/algorithms.py

@@ -10,10 +10,10 @@
 # information regarding copyright ownership.
 
 import os
-from pathlib import Path
 import platform
 import random
 import subprocess
+import tempfile
 import time
 from typing import Dict, List, NamedTuple, Optional, Union
 
@@ -112,25 +112,54 @@ ALGORITHM_SETS = {
     # ),
 }
 
-# TODO rewrite testcrypto.sh to python
-TESTCRYPTO = Path(__file__).resolve().parent.parent.parent / "testcrypto.sh"
 
-
+def is_crypto_supported(alg: Algorithm) -> bool:
-def _is_supported(alg: Algorithm) -> bool:
     """Test whether a given algorithm is supported on the current platform."""
-    try:
+    assert alg in ALL_ALGORITHMS, f"unknown algorithm: {alg}"
-        subprocess.run(
+    with tempfile.TemporaryDirectory() as tmpdir:
-            f"{TESTCRYPTO} -q {alg.name}",
+        proc = subprocess.run(
-            shell=True,
+            [
-            check=True,
+                BASIC_VARS["KEYGEN"],
-            env=BASIC_VARS,
+                "-a",
+                alg.name,
+                "-b",
+                str(alg.bits),
+                "foo",
+            ],
+            cwd=tmpdir,
+            check=False,
             stdout=subprocess.DEVNULL,
         )
-    except subprocess.CalledProcessError as exc:
+        if proc.returncode == 0:
-        log.debug(exc)
+            return True
         log.info("algorithm %s not supported", alg.name)
         return False
-    return True
+
+
+# Indicate algorithm support on the current platform.
+CRYPTO_SUPPORTED_VARS = {
+    "RSASHA1_SUPPORTED": "0",
+    "RSASHA256_SUPPORTED": "0",
+    "RSASHA512_SUPPORTED": "0",
+    "ECDSAP256SHA256_SUPPORTED": "0",
+    "ECDSAP384SHA384_SUPPORTED": "0",
+    "ED25519_SUPPORTED": "0",
+    "ED448_SUPPORTED": "0",
+}
+
+SUPPORTED_ALGORITHMS: List[Algorithm] = []
+
+
+def init_crypto_supported():
+    """Initialize the environment variables indicating cryptography support."""
+    for alg in ALL_ALGORITHMS:
+        supported = is_crypto_supported(alg)
+        if supported:
+            SUPPORTED_ALGORITHMS.append(alg)
+        envvar = f"{alg.name}_SUPPORTED"
+        val = "1" if supported else "0"
+        CRYPTO_SUPPORTED_VARS[envvar] = val
+        os.environ[envvar] = val
 
 
 def _filter_supported(algs: AlgorithmSet) -> AlgorithmSet:
@@ -140,7 +169,7 @@ def _filter_supported(algs: AlgorithmSet) -> AlgorithmSet:
         candidates = getattr(algs, alg_type)
         if isinstance(candidates, Algorithm):
             candidates = [candidates]
-        supported = list(filter(_is_supported, candidates))
+        supported = [alg for alg in candidates if alg in SUPPORTED_ALGORITHMS]
         if len(supported) == 1:
             supported = supported.pop()
         elif not supported:

bin/tests/system/isctest/vars/all.py

@@ -15,7 +15,7 @@ from collections import ChainMap
 from .autoconf import AC_VARS  # type: ignore
 
 # pylint: enable=import-error
-from .algorithms import ALG_VARS
+from .algorithms import ALG_VARS, CRYPTO_SUPPORTED_VARS
 from .basic import BASIC_VARS
 from .dirs import DIR_VARS
 from .openssl import OPENSSL_VARS
@@ -53,4 +53,12 @@ class VarLookup(ChainMap):
         return iter(self.keys())
 
 
-ALL = VarLookup(AC_VARS, BASIC_VARS, OPENSSL_VARS, PORT_VARS, DIR_VARS, ALG_VARS)
+ALL = VarLookup(
+    AC_VARS,
+    BASIC_VARS,
+    OPENSSL_VARS,
+    PORT_VARS,
+    DIR_VARS,
+    ALG_VARS,
+    CRYPTO_SUPPORTED_VARS,
+)

bin/tests/system/testcrypto.sh

@@ -1,94 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0.  If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-prog=$0
-args=""
-quiet=0
-dir=""
-msg="cryptography"
-
-if test -z "$KEYGEN"; then
-  . ../conf.sh
-  alg="-a $DEFAULT_ALGORITHM -b $DEFAULT_BITS"
-else
-  alg=""
-  quiet=1
-  args="-q"
-fi
-
-while test "$#" -gt 0; do
-  case $1 in
-    -q)
-      if test $quiet -eq 0; then
-        args="$args -q"
-        quiet=1
-      fi
-      ;;
-    rsa | RSA | rsasha1 | RSASHA1)
-      alg="-a RSASHA1"
-      msg="RSA cryptography"
-      ;;
-    rsasha256 | RSASHA256)
-      alg="-a RSASHA256"
-      msg="RSA cryptography"
-      ;;
-    rsasha512 | RSASHA512)
-      alg="-a RSASHA512"
-      msg="RSA cryptography"
-      ;;
-    ecdsa | ECDSA | ecdsap256sha256 | ECDSAP256SHA256)
-      alg="-a ECDSAP256SHA256"
-      msg="ECDSA cryptography"
-      ;;
-    ecdsap384sha384 | ECDSAP384SHA384)
-      alg="-a ECDSAP384SHA384"
-      msg="ECDSA cryptography"
-      ;;
-    eddsa | EDDSA | ed25519 | ED25519)
-      alg="-a ED25519"
-      msg="EDDSA cryptography"
-      ;;
-    ed448 | ED448)
-      alg="-a ED448"
-      msg="EDDSA cryptography"
-      ;;
-    *)
-      echo "${prog}: unknown argument"
-      exit 1
-      ;;
-  esac
-  shift
-done
-
-if test -z "$alg"; then
-  echo "${prog}: no algorithm selected"
-  exit 1
-fi
-
-if test -n "$TMPDIR"; then
-  dir=$(mktemp -d "$TMPDIR/XXXXXX")
-  args="$args -K $dir"
-fi
-
-if $KEYGEN $args $alg foo >/dev/null 2>&1; then
-  if test -z "$dir"; then
-    rm -f Kfoo*
-  else
-    rm -rf "$dir"
-  fi
-else
-  if test $quiet -eq 0; then
-    echo_i "This test requires support for $msg" >&2
-  fi
-  exit 255
-fi