TLS/SSL and crypto library
| リビジョン | 39d9be390a16d3bc5c2b94ad31b705f8239af779 (tree) |
|---|---|
| 日時 | 2020-08-24 20:49:03 |
| 作者 | Nicola Tuveri <nic.tuv@gmai...> |
| コミッター | Nicola Tuveri |
Add CLI tests in FIPS configuration
Add positive and negative tests of CLI apps using configuration files
via environment variables to force FIPS mode.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12291)
test/fips-and-base.cnf (diff) test/recipes/20-test_cli_fips.t (diff)| @@ -0,0 +1,13 @@ | ||
| 1 | +openssl_conf = openssl_init | |
| 2 | + | |
| 3 | +.include fipsmodule.cnf | |
| 4 | + | |
| 5 | +[openssl_init] | |
| 6 | +providers = provider_sect | |
| 7 | + | |
| 8 | +[provider_sect] | |
| 9 | +fips = fips_sect | |
| 10 | +base = base_sect | |
| 11 | + | |
| 12 | +[base_sect] | |
| 13 | +activate = 1 |
| @@ -0,0 +1,310 @@ | ||
| 1 | +#! /usr/bin/env perl | |
| 2 | +# Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. | |
| 3 | +# | |
| 4 | +# Licensed under the Apache License 2.0 (the "License"). You may not use | |
| 5 | +# this file except in compliance with the License. You can obtain a copy | |
| 6 | +# in the file LICENSE in the source distribution or at | |
| 7 | +# https://www.openssl.org/source/license.html | |
| 8 | + | |
| 9 | +use strict; | |
| 10 | +use warnings; | |
| 11 | + | |
| 12 | +use File::Spec; | |
| 13 | +use File::Spec::Functions qw/curdir abs2rel/; | |
| 14 | +use File::Copy; | |
| 15 | +use OpenSSL::Glob; | |
| 16 | +use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir bldtop_file srctop_file data_file/; | |
| 17 | +use OpenSSL::Test::Utils; | |
| 18 | + | |
| 19 | +BEGIN { | |
| 20 | + setup("test_cli_fips"); | |
| 21 | +} | |
| 22 | +use lib srctop_dir('Configurations'); | |
| 23 | +use lib bldtop_dir('.'); | |
| 24 | +use platform; | |
| 25 | + | |
| 26 | +plan skip_all => "Test only supported in a fips build" if disabled("fips"); | |
| 27 | + | |
| 28 | +plan tests => 6; | |
| 29 | + | |
| 30 | +my $fipsmodule = bldtop_file('providers', platform->dso('fips')); | |
| 31 | +my $fipsconf = srctop_file("test", "fips-and-base.cnf"); | |
| 32 | +my $defaultconf = srctop_file("test", "default.cnf"); | |
| 33 | +my $tbs_data = $fipsmodule; | |
| 34 | +my $bogus_data = $fipsconf; | |
| 35 | + | |
| 36 | +# output a fipsmodule.cnf file containing mac data | |
| 37 | +ok(run(app(['openssl', 'fipsinstall', '-out', 'fipsmodule.cnf', | |
| 38 | + '-module', $fipsmodule, ])), | |
| 39 | + "fipsinstall"); | |
| 40 | + | |
| 41 | +# verify the $fipsconf file | |
| 42 | +ok(run(app(['openssl', 'fipsinstall', '-in', 'fipsmodule.cnf', '-module', $fipsmodule, | |
| 43 | + '-verify'])), | |
| 44 | + "fipsinstall verify"); | |
| 45 | + | |
| 46 | +$ENV{OPENSSL_CONF_INCLUDE} = abs2rel(curdir()); | |
| 47 | +$ENV{OPENSSL_CONF} = $fipsconf; | |
| 48 | + | |
| 49 | +ok(run(app(['openssl', 'provider', '-v', 'fips'])), | |
| 50 | + "provider listing"); | |
| 51 | + | |
| 52 | +my $tsignverify_count = 8; | |
| 53 | +sub tsignverify { | |
| 54 | + my $prefix = shift; | |
| 55 | + my $fips_key = shift; | |
| 56 | + my $nonfips_key = shift; | |
| 57 | + my $fips_sigfile = $prefix.'.fips.sig'; | |
| 58 | + my $nonfips_sigfile = $prefix.'.nonfips.sig'; | |
| 59 | + my $sigfile = ''; | |
| 60 | + my $testtext = ''; | |
| 61 | + | |
| 62 | + $ENV{OPENSSL_CONF} = $fipsconf; | |
| 63 | + | |
| 64 | + $sigfile = $fips_sigfile; | |
| 65 | + $testtext = $prefix.': '. | |
| 66 | + 'Sign something with a FIPS key'; | |
| 67 | + ok(run(app(['openssl', 'dgst', '-sha256', | |
| 68 | + '-sign', $fips_key, | |
| 69 | + '-out', $sigfile, | |
| 70 | + $tbs_data])), | |
| 71 | + $testtext); | |
| 72 | + | |
| 73 | + $testtext = $prefix.': '. | |
| 74 | + 'Verify something with a FIPS key'; | |
| 75 | + ok(run(app(['openssl', 'dgst', '-sha256', | |
| 76 | + '-verify', $fips_key, | |
| 77 | + '-signature', $sigfile, | |
| 78 | + $tbs_data])), | |
| 79 | + $testtext); | |
| 80 | + | |
| 81 | + $testtext = $prefix.': '. | |
| 82 | + 'Verify a valid signature against the wrong data with a FIPS key'. | |
| 83 | + ' (should fail)'; | |
| 84 | + ok(!run(app(['openssl', 'dgst', '-sha256', | |
| 85 | + '-verify', $fips_key, | |
| 86 | + '-signature', $sigfile, | |
| 87 | + $bogus_data])), | |
| 88 | + $testtext); | |
| 89 | + | |
| 90 | + $ENV{OPENSSL_CONF} = $defaultconf; | |
| 91 | + | |
| 92 | + $sigfile = $nonfips_sigfile; | |
| 93 | + $testtext = $prefix.': '. | |
| 94 | + 'Sign something with a non-FIPS key'. | |
| 95 | + ' with the default provider'; | |
| 96 | + ok(run(app(['openssl', 'dgst', '-sha256', | |
| 97 | + '-sign', $nonfips_key, | |
| 98 | + '-out', $sigfile, | |
| 99 | + $tbs_data])), | |
| 100 | + $testtext); | |
| 101 | + | |
| 102 | + $testtext = $prefix.': '. | |
| 103 | + 'Verify something with a non-FIPS key'. | |
| 104 | + ' with the default provider'; | |
| 105 | + ok(run(app(['openssl', 'dgst', '-sha256', | |
| 106 | + '-verify', $nonfips_key, | |
| 107 | + '-signature', $sigfile, | |
| 108 | + $tbs_data])), | |
| 109 | + $testtext); | |
| 110 | + | |
| 111 | + $ENV{OPENSSL_CONF} = $fipsconf; | |
| 112 | + | |
| 113 | + $testtext = $prefix.': '. | |
| 114 | + 'Sign something with a non-FIPS key'. | |
| 115 | + ' (should fail)'; | |
| 116 | + ok(!run(app(['openssl', 'dgst', '-sha256', | |
| 117 | + '-sign', $nonfips_key, | |
| 118 | + '-out', $prefix.'.nonfips.fail.sig', | |
| 119 | + $tbs_data])), | |
| 120 | + $testtext); | |
| 121 | + | |
| 122 | + $testtext = $prefix.': '. | |
| 123 | + 'Verify something with a non-FIPS key'. | |
| 124 | + ' (should fail)'; | |
| 125 | + ok(!run(app(['openssl', 'dgst', '-sha256', | |
| 126 | + '-verify', $nonfips_key, | |
| 127 | + '-signature', $sigfile, | |
| 128 | + $tbs_data])), | |
| 129 | + $testtext); | |
| 130 | + | |
| 131 | + $testtext = $prefix.': '. | |
| 132 | + 'Verify a valid signature against the wrong data with a non-FIPS key'. | |
| 133 | + ' (should fail)'; | |
| 134 | + ok(!run(app(['openssl', 'dgst', '-sha256', | |
| 135 | + '-verify', $nonfips_key, | |
| 136 | + '-signature', $sigfile, | |
| 137 | + $bogus_data])), | |
| 138 | + $testtext); | |
| 139 | +} | |
| 140 | + | |
| 141 | +SKIP : { | |
| 142 | + skip "FIPS EC tests because of no ec in this build", 1 | |
| 143 | + if disabled("ec"); | |
| 144 | + | |
| 145 | + subtest EC => sub { | |
| 146 | + my $testtext_prefix = 'EC'; | |
| 147 | + my $a_fips_curve = 'prime256v1'; | |
| 148 | + my $fips_key = $testtext_prefix.'.fips.priv.pem'; | |
| 149 | + my $a_nonfips_curve = 'brainpoolP256r1'; | |
| 150 | + my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem'; | |
| 151 | + my $testtext = ''; | |
| 152 | + my $curvename = ''; | |
| 153 | + | |
| 154 | + plan tests => 3 + $tsignverify_count; | |
| 155 | + | |
| 156 | + $ENV{OPENSSL_CONF} = $defaultconf; | |
| 157 | + $curvename = $a_nonfips_curve; | |
| 158 | + $testtext = $testtext_prefix.': '. | |
| 159 | + 'Generate a key with a non-FIPS algorithm with the default provider'; | |
| 160 | + ok(run(app(['openssl', 'genpkey', '-algorithm', 'EC', | |
| 161 | + '-pkeyopt', 'ec_paramgen_curve:'.$curvename, | |
| 162 | + '-out', $nonfips_key])), | |
| 163 | + $testtext); | |
| 164 | + | |
| 165 | + $ENV{OPENSSL_CONF} = $fipsconf; | |
| 166 | + | |
| 167 | + $curvename = $a_fips_curve; | |
| 168 | + $testtext = $testtext_prefix.': '. | |
| 169 | + 'Generate a key with a FIPS algorithm'; | |
| 170 | + ok(run(app(['openssl', 'genpkey', '-algorithm', 'EC', | |
| 171 | + '-pkeyopt', 'ec_paramgen_curve:'.$curvename, | |
| 172 | + '-out', $fips_key])), | |
| 173 | + $testtext); | |
| 174 | + | |
| 175 | + $curvename = $a_nonfips_curve; | |
| 176 | + $testtext = $testtext_prefix.': '. | |
| 177 | + 'Generate a key with a non-FIPS algorithm'. | |
| 178 | + ' (should fail)'; | |
| 179 | + ok(!run(app(['openssl', 'genpkey', '-algorithm', 'EC', | |
| 180 | + '-pkeyopt', 'ec_paramgen_curve:'.$curvename, | |
| 181 | + '-out', $testtext_prefix.'.'.$curvename.'.priv.pem'])), | |
| 182 | + $testtext); | |
| 183 | + | |
| 184 | + tsignverify($testtext_prefix, $fips_key, $nonfips_key); | |
| 185 | + }; | |
| 186 | +} | |
| 187 | + | |
| 188 | +SKIP: { | |
| 189 | + skip "FIPS RSA tests because of no rsa in this build", 1 | |
| 190 | + if disabled("rsa"); | |
| 191 | + | |
| 192 | + subtest RSA => sub { | |
| 193 | + my $testtext_prefix = 'RSA'; | |
| 194 | + my $fips_key = $testtext_prefix.'.fips.priv.pem'; | |
| 195 | + my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem'; | |
| 196 | + my $testtext = ''; | |
| 197 | + | |
| 198 | + plan tests => 3 + $tsignverify_count; | |
| 199 | + | |
| 200 | + $ENV{OPENSSL_CONF} = $defaultconf; | |
| 201 | + $testtext = $testtext_prefix.': '. | |
| 202 | + 'Generate a key with a non-FIPS algorithm with the default provider'; | |
| 203 | + ok(run(app(['openssl', 'genpkey', '-algorithm', 'RSA', | |
| 204 | + '-pkeyopt', 'rsa_keygen_bits:512', | |
| 205 | + '-out', $nonfips_key])), | |
| 206 | + $testtext); | |
| 207 | + | |
| 208 | + $ENV{OPENSSL_CONF} = $fipsconf; | |
| 209 | + | |
| 210 | + $testtext = $testtext_prefix.': '. | |
| 211 | + 'Generate a key with a FIPS algorithm'; | |
| 212 | + ok(run(app(['openssl', 'genpkey', '-algorithm', 'RSA', | |
| 213 | + '-pkeyopt', 'rsa_keygen_bits:2048', | |
| 214 | + '-out', $fips_key])), | |
| 215 | + $testtext); | |
| 216 | + | |
| 217 | + $testtext = $testtext_prefix.': '. | |
| 218 | + 'Generate a key with a non-FIPS algorithm'. | |
| 219 | + ' (should fail)'; | |
| 220 | + ok(!run(app(['openssl', 'genpkey', '-algorithm', 'RSA', | |
| 221 | + '-pkeyopt', 'rsa_keygen_bits:512', | |
| 222 | + '-out', $testtext_prefix.'.fail.priv.pem'])), | |
| 223 | + $testtext); | |
| 224 | + | |
| 225 | + TODO : { | |
| 226 | + local $TODO = "see issue #12629"; | |
| 227 | + tsignverify($testtext_prefix, $fips_key, $nonfips_key); | |
| 228 | + } | |
| 229 | + }; | |
| 230 | +} | |
| 231 | + | |
| 232 | +SKIP : { | |
| 233 | + skip "FIPS DSA tests because of no dsa in this build", 1 | |
| 234 | + if disabled("dsa"); | |
| 235 | + | |
| 236 | + subtest DSA => sub { | |
| 237 | + my $testtext_prefix = 'DSA'; | |
| 238 | + my $fips_key = $testtext_prefix.'.fips.priv.pem'; | |
| 239 | + my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem'; | |
| 240 | + my $testtext = ''; | |
| 241 | + my $fips_param = $testtext_prefix.'.fips.param.pem'; | |
| 242 | + my $nonfips_param = $testtext_prefix.'.nonfips.param.pem'; | |
| 243 | + | |
| 244 | + plan tests => 6 + $tsignverify_count; | |
| 245 | + | |
| 246 | + $ENV{OPENSSL_CONF} = $defaultconf; | |
| 247 | + | |
| 248 | + $testtext = $testtext_prefix.': '. | |
| 249 | + 'Generate non-FIPS params with the default provider'; | |
| 250 | + ok(run(app(['openssl', 'genpkey', '-genparam', | |
| 251 | + '-algorithm', 'DSA', | |
| 252 | + '-pkeyopt', 'type:fips186_2', | |
| 253 | + '-pkeyopt', 'dsa_paramgen_bits:512', | |
| 254 | + '-out', $nonfips_param])), | |
| 255 | + $testtext); | |
| 256 | + | |
| 257 | + $ENV{OPENSSL_CONF} = $fipsconf; | |
| 258 | + | |
| 259 | + $testtext = $testtext_prefix.': '. | |
| 260 | + 'Generate FIPS params'; | |
| 261 | + ok(run(app(['openssl', 'genpkey', '-genparam', | |
| 262 | + '-algorithm', 'DSA', | |
| 263 | + '-pkeyopt', 'dsa_paramgen_bits:2048', | |
| 264 | + '-out', $fips_param])), | |
| 265 | + $testtext); | |
| 266 | + | |
| 267 | + $testtext = $testtext_prefix.': '. | |
| 268 | + 'Generate non-FIPS params'. | |
| 269 | + ' (should fail)'; | |
| 270 | + ok(!run(app(['openssl', 'genpkey', '-genparam', | |
| 271 | + '-algorithm', 'DSA', | |
| 272 | + '-pkeyopt', 'dsa_paramgen_bits:512', | |
| 273 | + '-out', $testtext_prefix.'.fail.param.pem'])), | |
| 274 | + $testtext); | |
| 275 | + | |
| 276 | + $ENV{OPENSSL_CONF} = $defaultconf; | |
| 277 | + | |
| 278 | + $testtext = $testtext_prefix.': '. | |
| 279 | + 'Generate a key with non-FIPS params with the default provider'; | |
| 280 | + ok(run(app(['openssl', 'genpkey', | |
| 281 | + '-paramfile', $nonfips_param, | |
| 282 | + '-pkeyopt', 'type:fips186_2', | |
| 283 | + '-out', $nonfips_key])), | |
| 284 | + $testtext); | |
| 285 | + | |
| 286 | + $ENV{OPENSSL_CONF} = $fipsconf; | |
| 287 | + | |
| 288 | + $testtext = $testtext_prefix.': '. | |
| 289 | + 'Generate a key with FIPS parameters'; | |
| 290 | + ok(run(app(['openssl', 'genpkey', | |
| 291 | + '-paramfile', $fips_param, | |
| 292 | + '-pkeyopt', 'type:fips186_4', | |
| 293 | + '-out', $fips_key])), | |
| 294 | + $testtext); | |
| 295 | + | |
| 296 | + $testtext = $testtext_prefix.': '. | |
| 297 | + 'Generate a key with non-FIPS parameters'. | |
| 298 | + ' (should fail)'; | |
| 299 | + ok(!run(app(['openssl', 'genpkey', | |
| 300 | + '-paramfile', $nonfips_param, | |
| 301 | + '-pkeyopt', 'type:fips186_2', | |
| 302 | + '-out', $testtext_prefix.'.fail.priv.pem'])), | |
| 303 | + $testtext); | |
| 304 | + | |
| 305 | + TODO : { | |
| 306 | + local $TODO = "see issues #12626, #12627"; | |
| 307 | + tsignverify($testtext_prefix, $fips_key, $nonfips_key); | |
| 308 | + } | |
| 309 | + }; | |
| 310 | +} |
Fork
bdcloud2020/openssl