[WIP] Updates to Digital Signature Verification for HDF5 Plugins (#6166)

* Add signature verification caching for HDF5 plugins

Implements a signature verification cache to avoid redundant cryptographic
operations when loading the same plugin multiple times. The cache stores
verification results (success/failure) indexed by plugin path and file
modification time, enabling instant verification on cache hits while
maintaining security through mtime-based invalidation.

Implementation Details:

1. Cache Structure (H5PLsig.c):
   - H5PL_signature_cache_entry_t: path, mtime, verified status
   - Dynamic array with doubling growth strategy (initial capacity: 8)
   - Stores both positive and negative verification results

2. Cache Operations:
   - H5PL__check_signature_cache(): Check cache, validate mtime
   - H5PL__update_signature_cache(): Add/update cache entries
   - Integrated into H5PL__verify_signature_appended()
   - Cache invalidation on file modification (mtime check)

3. Code Cleanup:
   - Removed commented GPG/GPGME configuration from H5pubconf.h.in
   - Eliminated dead code since the implementation uses OpenSSL

4. Test Infrastructure:
   - New test executable: h5signverifytest
   - 6 new test cases:
     * Verify signed plugin (positive test)
     * Verify unsigned plugin (negative test)
     * Verify tampered plugin (security test)
     * Cache basic functionality (performance test)
     * Cache invalidation on modification (security test)
     * Cache negative results (DoS prevention)
   - CMake integration with dependency management
   - CreateTamperedPlugin.cmake: Generate tampered plugins for testing

Files Modified:
- src/H5PLsig.c: Cache implementation and integration
- src/H5pubconf.h.in: Removed GPG comments
- tools/test/h5sign/CMakeLists.txt: Added h5signverifytest build
- tools/test/h5sign/CMakeTests.cmake: Added verification tests

Files Added:
- tools/test/h5sign/h5signverifytest.c: Comprehensive test suite
- tools/test/h5sign/CreateTamperedPlugin.cmake: Tamper test helper

Performance: Eliminates cryptographic overhead on repeated plugin loads
(cache hit returns instantly vs. full RSA signature verification).

Security: mtime-based invalidation ensures modified plugins are re-verified,
preventing cache from masking tampering. Negative result caching prevents
retry attacks on invalid plugins.

Backward Compatibility: Fully backward compatible, cache is transparent
optimization with no API changes.

Author: brtnfld

.github/workflows/arm-main.yml

@@ -38,6 +38,9 @@ jobs:
     runs-on: windows-11-arm
     if: ${{ inputs.build_mode != 'Debug' }}
     steps:
+      - name: Check OpenSSL Version (Windows)
+        run: openssl version
+
       - name: Install Dependencies
         uses: ssciwr/doxygen-install@501e53b879da7648ab392ee226f5b90e42148449 # v1
         with:

.github/workflows/main-static.yml

@@ -138,6 +138,10 @@ jobs:
         run: brew install ninja curl
         if: ${{ matrix.ostype == 'macos' }}
 
+      - name: Check OpenSSL Version (Windows)
+        run: openssl version
+        if: matrix.ostype == 'windows'
+
       - name: Install Dependencies
         uses: ssciwr/doxygen-install@501e53b879da7648ab392ee226f5b90e42148449 # v1
         with:

.github/workflows/main.yml

@@ -155,6 +155,10 @@ jobs:
         run: brew install ninja curl
         if: ${{ matrix.ostype == 'macos' }}
 
+      - name: Check OpenSSL Version (Windows)
+        run: openssl version
+        if: matrix.ostype == 'windows'
+
       - name: Install Dependencies
         uses: ssciwr/doxygen-install@501e53b879da7648ab392ee226f5b90e42148449 # v1
         with:

.github/workflows/signed-plugins.yml

@@ -0,0 +1,218 @@
+name: Test Signed Plugins
+
+on:
+  push:
+    branches: [ develop, feature/dig_sig_ver, feature/* ]
+  pull_request:
+    branches: [ develop ]
+
+permissions:
+  contents: read
+
+env:
+  CTEST_OUTPUT_ON_FAILURE: 1
+
+jobs:
+  # Test signature verification in both serial and parallel configurations
+  test-signed-plugins:
+    name: "${{ matrix.config.name }}"
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        config:
+          # Serial configurations
+          - name: "Serial (Debug + Shared)"
+            build_type: Debug
+            shared: ON
+            parallel: OFF
+
+          - name: "Serial (Release + Static)"
+            build_type: Release
+            shared: OFF
+            parallel: OFF
+
+          # Parallel configurations - test MPI collective verification
+          - name: "Parallel (Debug + Shared)"
+            build_type: Debug
+            shared: ON
+            parallel: ON
+
+          - name: "Parallel (Release + Shared)"
+            build_type: Release
+            shared: ON
+            parallel: ON
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Install base dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y \
+          libssl-dev \
+          zlib1g-dev \
+          libaec-dev
+
+    - name: Install MPI dependencies
+      if: matrix.config.parallel == 'ON'
+      run: |
+        sudo apt-get install -y \
+          libopenmpi-dev \
+          openmpi-bin
+
+    - name: Generate test RSA key pair
+      run: |
+        echo "Generating test RSA key pair for CI testing..."
+        openssl genrsa -out ci-test-private.pem 2048
+        openssl rsa -in ci-test-private.pem -pubout -out ci-test-public.pem
+        echo "Test keys generated successfully"
+        ls -lh ci-test-*.pem
+
+    - name: Configure CMake
+      run: |
+        cmake -B build \
+          -DCMAKE_BUILD_TYPE=${{ matrix.config.build_type }} \
+          -DHDF5_REQUIRE_SIGNED_PLUGINS:BOOL=ON \
+          -DHDF5_PLUGIN_PUBLIC_KEY_FILE="${PWD}/ci-test-public.pem" \
+          -DHDF5_ENABLE_PARALLEL:BOOL=${{ matrix.config.parallel }} \
+          -DBUILD_SHARED_LIBS:BOOL=${{ matrix.config.shared }} \
+          -DBUILD_STATIC_LIBS:BOOL=ON \
+          -DBUILD_TESTING:BOOL=ON \
+          -DHDF5_BUILD_TOOLS:BOOL=ON \
+          -DHDF5_ENABLE_ZLIB_SUPPORT:BOOL=ON \
+          -DHDF5_ENABLE_SZIP_SUPPORT:BOOL=ON
+
+    - name: Copy private key to build directory
+      run: |
+        echo "Copying private key to build directory for plugin signing..."
+        cp ci-test-private.pem build/private.pem
+        mkdir -p build/test
+        cp ci-test-private.pem build/test/private.pem
+        ls -lh build/private.pem build/test/private.pem
+
+    - name: Build
+      run: cmake --build build --parallel 4
+
+    - name: Verify signature test binary exists
+      run: |
+        if [ -f "build/bin/test_plugin_signature" ] || [ -f "build/bin/test_plugin_signature.exe" ]; then
+          echo "✓ Plugin signature verification test binary found"
+          ls -lh build/bin/test_plugin_signature* || true
+        else
+          echo "WARNING: Plugin signature verification test binary not found"
+          echo "This might be expected if HDF5_REQUIRE_SIGNED_PLUGINS is OFF"
+        fi
+
+    - name: Run Tests (Serial)
+      if: matrix.config.parallel == 'OFF'
+      run: |
+        cd build
+        ctest --parallel 4 --output-on-failure
+
+        # Explicitly run plugin signature verification test
+        echo ""
+        echo "Running plugin signature verification test..."
+        ctest --tests-regex "H5PLUGIN-signature-verification" --verbose
+
+    - name: Run Tests (Parallel)
+      if: matrix.config.parallel == 'ON'
+      run: |
+        cd build
+        # Run all tests including parallel tests
+        ctest --parallel 4 --output-on-failure
+
+        # Specifically test MPI tests to ensure collective verification is exercised
+        echo "Running MPI-specific tests..."
+        ctest --tests-regex "MPI_TEST" --verbose || echo "MPI tests completed"
+
+        # Explicitly run plugin signature verification test
+        echo ""
+        echo "Running plugin signature verification test..."
+        ctest --tests-regex "H5PLUGIN-signature-verification" --verbose
+
+  # Comprehensive test to verify signature verification logic paths
+  verify-signature-paths:
+    name: "Verify Signature Logic Paths"
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Install dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y \
+          libssl-dev \
+          zlib1g-dev \
+          libaec-dev \
+          libopenmpi-dev \
+          openmpi-bin
+
+    - name: Generate test RSA key pair
+      run: |
+        echo "Generating test RSA key pair for CI testing..."
+        openssl genrsa -out ci-test-private.pem 2048
+        openssl rsa -in ci-test-private.pem -pubout -out ci-test-public.pem
+        echo "Test keys generated successfully"
+        ls -lh ci-test-*.pem
+
+    - name: Configure CMake (Parallel with all features)
+      run: |
+        cmake -B build \
+          -DCMAKE_BUILD_TYPE=Debug \
+          -DHDF5_REQUIRE_SIGNED_PLUGINS:BOOL=ON \
+          -DHDF5_PLUGIN_PUBLIC_KEY_FILE="${PWD}/ci-test-public.pem" \
+          -DHDF5_ENABLE_PARALLEL:BOOL=ON \
+          -DBUILD_SHARED_LIBS:BOOL=ON \
+          -DBUILD_TESTING:BOOL=ON \
+          -DHDF5_BUILD_TOOLS:BOOL=ON \
+          -DHDF5_ENABLE_ZLIB_SUPPORT:BOOL=ON
+
+    - name: Copy private key to build directory
+      run: |
+        echo "Copying private key to build directory for plugin signing..."
+        cp ci-test-private.pem build/private.pem
+        mkdir -p build/test
+        cp ci-test-private.pem build/test/private.pem
+        ls -lh build/private.pem build/test/private.pem
+
+    - name: Build
+      run: cmake --build build --parallel 4
+
+    - name: Verify H5PL__verify_plugin_signature is compiled
+      run: |
+        echo "Checking that signature verification function is present..."
+        grep -r "H5PL__verify_plugin_signature" build/src/ || true
+
+    - name: Verify serial path compiled
+      run: |
+        echo "Checking serial signature verification path..."
+        grep -A 5 "Serial mode: always verify" src/H5PLint.c
+
+    - name: Verify parallel path compiled
+      run: |
+        echo "Checking parallel signature verification path..."
+        grep -A 10 "Collective: root verifies" src/H5PLint.c
+        grep -A 5 "Independent: each rank verifies" src/H5PLint.c
+
+    - name: Run comprehensive tests
+      run: |
+        cd build
+        # Run full test suite
+        ctest --output-on-failure --verbose
+
+    - name: Verify plugin signature tests execute
+      run: |
+        cd build
+        echo "========================================"
+        echo "Running Plugin Signature Verification Tests"
+        echo "========================================"
+
+        # Run signature verification tests explicitly and fail on any error
+        ctest --tests-regex "H5PLUGIN-signature-verification" --verbose
+
+        echo ""
+        echo "Plugin signature verification tests completed successfully!"