TLS/SSL and crypto library
リビジョン | 39d9be390a16d3bc5c2b94ad31b705f8239af779 (tree) |
---|---|
日時 | 2020-08-24 20:49:03 |
作者 | Nicola Tuveri <nic.tuv@gmai...> |
コミッター | Nicola Tuveri |
Add CLI tests in FIPS configuration
Add positive and negative tests of CLI apps using configuration files
via environment variables to force FIPS mode.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12291)
@@ -0,0 +1,13 @@ | ||
1 | +openssl_conf = openssl_init | |
2 | + | |
3 | +.include fipsmodule.cnf | |
4 | + | |
5 | +[openssl_init] | |
6 | +providers = provider_sect | |
7 | + | |
8 | +[provider_sect] | |
9 | +fips = fips_sect | |
10 | +base = base_sect | |
11 | + | |
12 | +[base_sect] | |
13 | +activate = 1 |
@@ -0,0 +1,310 @@ | ||
1 | +#! /usr/bin/env perl | |
2 | +# Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. | |
3 | +# | |
4 | +# Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | +# this file except in compliance with the License. You can obtain a copy | |
6 | +# in the file LICENSE in the source distribution or at | |
7 | +# https://www.openssl.org/source/license.html | |
8 | + | |
9 | +use strict; | |
10 | +use warnings; | |
11 | + | |
12 | +use File::Spec; | |
13 | +use File::Spec::Functions qw/curdir abs2rel/; | |
14 | +use File::Copy; | |
15 | +use OpenSSL::Glob; | |
16 | +use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir bldtop_file srctop_file data_file/; | |
17 | +use OpenSSL::Test::Utils; | |
18 | + | |
19 | +BEGIN { | |
20 | + setup("test_cli_fips"); | |
21 | +} | |
22 | +use lib srctop_dir('Configurations'); | |
23 | +use lib bldtop_dir('.'); | |
24 | +use platform; | |
25 | + | |
26 | +plan skip_all => "Test only supported in a fips build" if disabled("fips"); | |
27 | + | |
28 | +plan tests => 6; | |
29 | + | |
30 | +my $fipsmodule = bldtop_file('providers', platform->dso('fips')); | |
31 | +my $fipsconf = srctop_file("test", "fips-and-base.cnf"); | |
32 | +my $defaultconf = srctop_file("test", "default.cnf"); | |
33 | +my $tbs_data = $fipsmodule; | |
34 | +my $bogus_data = $fipsconf; | |
35 | + | |
36 | +# output a fipsmodule.cnf file containing mac data | |
37 | +ok(run(app(['openssl', 'fipsinstall', '-out', 'fipsmodule.cnf', | |
38 | + '-module', $fipsmodule, ])), | |
39 | + "fipsinstall"); | |
40 | + | |
41 | +# verify the $fipsconf file | |
42 | +ok(run(app(['openssl', 'fipsinstall', '-in', 'fipsmodule.cnf', '-module', $fipsmodule, | |
43 | + '-verify'])), | |
44 | + "fipsinstall verify"); | |
45 | + | |
46 | +$ENV{OPENSSL_CONF_INCLUDE} = abs2rel(curdir()); | |
47 | +$ENV{OPENSSL_CONF} = $fipsconf; | |
48 | + | |
49 | +ok(run(app(['openssl', 'provider', '-v', 'fips'])), | |
50 | + "provider listing"); | |
51 | + | |
52 | +my $tsignverify_count = 8; | |
53 | +sub tsignverify { | |
54 | + my $prefix = shift; | |
55 | + my $fips_key = shift; | |
56 | + my $nonfips_key = shift; | |
57 | + my $fips_sigfile = $prefix.'.fips.sig'; | |
58 | + my $nonfips_sigfile = $prefix.'.nonfips.sig'; | |
59 | + my $sigfile = ''; | |
60 | + my $testtext = ''; | |
61 | + | |
62 | + $ENV{OPENSSL_CONF} = $fipsconf; | |
63 | + | |
64 | + $sigfile = $fips_sigfile; | |
65 | + $testtext = $prefix.': '. | |
66 | + 'Sign something with a FIPS key'; | |
67 | + ok(run(app(['openssl', 'dgst', '-sha256', | |
68 | + '-sign', $fips_key, | |
69 | + '-out', $sigfile, | |
70 | + $tbs_data])), | |
71 | + $testtext); | |
72 | + | |
73 | + $testtext = $prefix.': '. | |
74 | + 'Verify something with a FIPS key'; | |
75 | + ok(run(app(['openssl', 'dgst', '-sha256', | |
76 | + '-verify', $fips_key, | |
77 | + '-signature', $sigfile, | |
78 | + $tbs_data])), | |
79 | + $testtext); | |
80 | + | |
81 | + $testtext = $prefix.': '. | |
82 | + 'Verify a valid signature against the wrong data with a FIPS key'. | |
83 | + ' (should fail)'; | |
84 | + ok(!run(app(['openssl', 'dgst', '-sha256', | |
85 | + '-verify', $fips_key, | |
86 | + '-signature', $sigfile, | |
87 | + $bogus_data])), | |
88 | + $testtext); | |
89 | + | |
90 | + $ENV{OPENSSL_CONF} = $defaultconf; | |
91 | + | |
92 | + $sigfile = $nonfips_sigfile; | |
93 | + $testtext = $prefix.': '. | |
94 | + 'Sign something with a non-FIPS key'. | |
95 | + ' with the default provider'; | |
96 | + ok(run(app(['openssl', 'dgst', '-sha256', | |
97 | + '-sign', $nonfips_key, | |
98 | + '-out', $sigfile, | |
99 | + $tbs_data])), | |
100 | + $testtext); | |
101 | + | |
102 | + $testtext = $prefix.': '. | |
103 | + 'Verify something with a non-FIPS key'. | |
104 | + ' with the default provider'; | |
105 | + ok(run(app(['openssl', 'dgst', '-sha256', | |
106 | + '-verify', $nonfips_key, | |
107 | + '-signature', $sigfile, | |
108 | + $tbs_data])), | |
109 | + $testtext); | |
110 | + | |
111 | + $ENV{OPENSSL_CONF} = $fipsconf; | |
112 | + | |
113 | + $testtext = $prefix.': '. | |
114 | + 'Sign something with a non-FIPS key'. | |
115 | + ' (should fail)'; | |
116 | + ok(!run(app(['openssl', 'dgst', '-sha256', | |
117 | + '-sign', $nonfips_key, | |
118 | + '-out', $prefix.'.nonfips.fail.sig', | |
119 | + $tbs_data])), | |
120 | + $testtext); | |
121 | + | |
122 | + $testtext = $prefix.': '. | |
123 | + 'Verify something with a non-FIPS key'. | |
124 | + ' (should fail)'; | |
125 | + ok(!run(app(['openssl', 'dgst', '-sha256', | |
126 | + '-verify', $nonfips_key, | |
127 | + '-signature', $sigfile, | |
128 | + $tbs_data])), | |
129 | + $testtext); | |
130 | + | |
131 | + $testtext = $prefix.': '. | |
132 | + 'Verify a valid signature against the wrong data with a non-FIPS key'. | |
133 | + ' (should fail)'; | |
134 | + ok(!run(app(['openssl', 'dgst', '-sha256', | |
135 | + '-verify', $nonfips_key, | |
136 | + '-signature', $sigfile, | |
137 | + $bogus_data])), | |
138 | + $testtext); | |
139 | +} | |
140 | + | |
141 | +SKIP : { | |
142 | + skip "FIPS EC tests because of no ec in this build", 1 | |
143 | + if disabled("ec"); | |
144 | + | |
145 | + subtest EC => sub { | |
146 | + my $testtext_prefix = 'EC'; | |
147 | + my $a_fips_curve = 'prime256v1'; | |
148 | + my $fips_key = $testtext_prefix.'.fips.priv.pem'; | |
149 | + my $a_nonfips_curve = 'brainpoolP256r1'; | |
150 | + my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem'; | |
151 | + my $testtext = ''; | |
152 | + my $curvename = ''; | |
153 | + | |
154 | + plan tests => 3 + $tsignverify_count; | |
155 | + | |
156 | + $ENV{OPENSSL_CONF} = $defaultconf; | |
157 | + $curvename = $a_nonfips_curve; | |
158 | + $testtext = $testtext_prefix.': '. | |
159 | + 'Generate a key with a non-FIPS algorithm with the default provider'; | |
160 | + ok(run(app(['openssl', 'genpkey', '-algorithm', 'EC', | |
161 | + '-pkeyopt', 'ec_paramgen_curve:'.$curvename, | |
162 | + '-out', $nonfips_key])), | |
163 | + $testtext); | |
164 | + | |
165 | + $ENV{OPENSSL_CONF} = $fipsconf; | |
166 | + | |
167 | + $curvename = $a_fips_curve; | |
168 | + $testtext = $testtext_prefix.': '. | |
169 | + 'Generate a key with a FIPS algorithm'; | |
170 | + ok(run(app(['openssl', 'genpkey', '-algorithm', 'EC', | |
171 | + '-pkeyopt', 'ec_paramgen_curve:'.$curvename, | |
172 | + '-out', $fips_key])), | |
173 | + $testtext); | |
174 | + | |
175 | + $curvename = $a_nonfips_curve; | |
176 | + $testtext = $testtext_prefix.': '. | |
177 | + 'Generate a key with a non-FIPS algorithm'. | |
178 | + ' (should fail)'; | |
179 | + ok(!run(app(['openssl', 'genpkey', '-algorithm', 'EC', | |
180 | + '-pkeyopt', 'ec_paramgen_curve:'.$curvename, | |
181 | + '-out', $testtext_prefix.'.'.$curvename.'.priv.pem'])), | |
182 | + $testtext); | |
183 | + | |
184 | + tsignverify($testtext_prefix, $fips_key, $nonfips_key); | |
185 | + }; | |
186 | +} | |
187 | + | |
188 | +SKIP: { | |
189 | + skip "FIPS RSA tests because of no rsa in this build", 1 | |
190 | + if disabled("rsa"); | |
191 | + | |
192 | + subtest RSA => sub { | |
193 | + my $testtext_prefix = 'RSA'; | |
194 | + my $fips_key = $testtext_prefix.'.fips.priv.pem'; | |
195 | + my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem'; | |
196 | + my $testtext = ''; | |
197 | + | |
198 | + plan tests => 3 + $tsignverify_count; | |
199 | + | |
200 | + $ENV{OPENSSL_CONF} = $defaultconf; | |
201 | + $testtext = $testtext_prefix.': '. | |
202 | + 'Generate a key with a non-FIPS algorithm with the default provider'; | |
203 | + ok(run(app(['openssl', 'genpkey', '-algorithm', 'RSA', | |
204 | + '-pkeyopt', 'rsa_keygen_bits:512', | |
205 | + '-out', $nonfips_key])), | |
206 | + $testtext); | |
207 | + | |
208 | + $ENV{OPENSSL_CONF} = $fipsconf; | |
209 | + | |
210 | + $testtext = $testtext_prefix.': '. | |
211 | + 'Generate a key with a FIPS algorithm'; | |
212 | + ok(run(app(['openssl', 'genpkey', '-algorithm', 'RSA', | |
213 | + '-pkeyopt', 'rsa_keygen_bits:2048', | |
214 | + '-out', $fips_key])), | |
215 | + $testtext); | |
216 | + | |
217 | + $testtext = $testtext_prefix.': '. | |
218 | + 'Generate a key with a non-FIPS algorithm'. | |
219 | + ' (should fail)'; | |
220 | + ok(!run(app(['openssl', 'genpkey', '-algorithm', 'RSA', | |
221 | + '-pkeyopt', 'rsa_keygen_bits:512', | |
222 | + '-out', $testtext_prefix.'.fail.priv.pem'])), | |
223 | + $testtext); | |
224 | + | |
225 | + TODO : { | |
226 | + local $TODO = "see issue #12629"; | |
227 | + tsignverify($testtext_prefix, $fips_key, $nonfips_key); | |
228 | + } | |
229 | + }; | |
230 | +} | |
231 | + | |
232 | +SKIP : { | |
233 | + skip "FIPS DSA tests because of no dsa in this build", 1 | |
234 | + if disabled("dsa"); | |
235 | + | |
236 | + subtest DSA => sub { | |
237 | + my $testtext_prefix = 'DSA'; | |
238 | + my $fips_key = $testtext_prefix.'.fips.priv.pem'; | |
239 | + my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem'; | |
240 | + my $testtext = ''; | |
241 | + my $fips_param = $testtext_prefix.'.fips.param.pem'; | |
242 | + my $nonfips_param = $testtext_prefix.'.nonfips.param.pem'; | |
243 | + | |
244 | + plan tests => 6 + $tsignverify_count; | |
245 | + | |
246 | + $ENV{OPENSSL_CONF} = $defaultconf; | |
247 | + | |
248 | + $testtext = $testtext_prefix.': '. | |
249 | + 'Generate non-FIPS params with the default provider'; | |
250 | + ok(run(app(['openssl', 'genpkey', '-genparam', | |
251 | + '-algorithm', 'DSA', | |
252 | + '-pkeyopt', 'type:fips186_2', | |
253 | + '-pkeyopt', 'dsa_paramgen_bits:512', | |
254 | + '-out', $nonfips_param])), | |
255 | + $testtext); | |
256 | + | |
257 | + $ENV{OPENSSL_CONF} = $fipsconf; | |
258 | + | |
259 | + $testtext = $testtext_prefix.': '. | |
260 | + 'Generate FIPS params'; | |
261 | + ok(run(app(['openssl', 'genpkey', '-genparam', | |
262 | + '-algorithm', 'DSA', | |
263 | + '-pkeyopt', 'dsa_paramgen_bits:2048', | |
264 | + '-out', $fips_param])), | |
265 | + $testtext); | |
266 | + | |
267 | + $testtext = $testtext_prefix.': '. | |
268 | + 'Generate non-FIPS params'. | |
269 | + ' (should fail)'; | |
270 | + ok(!run(app(['openssl', 'genpkey', '-genparam', | |
271 | + '-algorithm', 'DSA', | |
272 | + '-pkeyopt', 'dsa_paramgen_bits:512', | |
273 | + '-out', $testtext_prefix.'.fail.param.pem'])), | |
274 | + $testtext); | |
275 | + | |
276 | + $ENV{OPENSSL_CONF} = $defaultconf; | |
277 | + | |
278 | + $testtext = $testtext_prefix.': '. | |
279 | + 'Generate a key with non-FIPS params with the default provider'; | |
280 | + ok(run(app(['openssl', 'genpkey', | |
281 | + '-paramfile', $nonfips_param, | |
282 | + '-pkeyopt', 'type:fips186_2', | |
283 | + '-out', $nonfips_key])), | |
284 | + $testtext); | |
285 | + | |
286 | + $ENV{OPENSSL_CONF} = $fipsconf; | |
287 | + | |
288 | + $testtext = $testtext_prefix.': '. | |
289 | + 'Generate a key with FIPS parameters'; | |
290 | + ok(run(app(['openssl', 'genpkey', | |
291 | + '-paramfile', $fips_param, | |
292 | + '-pkeyopt', 'type:fips186_4', | |
293 | + '-out', $fips_key])), | |
294 | + $testtext); | |
295 | + | |
296 | + $testtext = $testtext_prefix.': '. | |
297 | + 'Generate a key with non-FIPS parameters'. | |
298 | + ' (should fail)'; | |
299 | + ok(!run(app(['openssl', 'genpkey', | |
300 | + '-paramfile', $nonfips_param, | |
301 | + '-pkeyopt', 'type:fips186_2', | |
302 | + '-out', $testtext_prefix.'.fail.priv.pem'])), | |
303 | + $testtext); | |
304 | + | |
305 | + TODO : { | |
306 | + local $TODO = "see issues #12626, #12627"; | |
307 | + tsignverify($testtext_prefix, $fips_key, $nonfips_key); | |
308 | + } | |
309 | + }; | |
310 | +} |