20-test_cli_fips.t 14 KB

  1. #! /usr/bin/env perl
  2. # Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. #
  4. # Licensed under the Apache License 2.0 (the "License"). You may not use
  5. # this file except in compliance with the License. You can obtain a copy
  6. # in the file LICENSE in the source distribution or at
  7. # https://www.openssl.org/source/license.html
  8. use strict;
  9. use warnings;
  10. use File::Spec;
  11. use File::Spec::Functions qw/curdir abs2rel/;
  12. use File::Copy;
  13. use OpenSSL::Glob;
  14. use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir bldtop_file srctop_file data_file/;
  15. use OpenSSL::Test::Utils;
  16. BEGIN {
  17. setup("test_cli_fips");
  18. }
  19. use lib srctop_dir('Configurations');
  20. use lib bldtop_dir('.');
  21. use platform;
  # This recipe only makes sense when the FIPS provider is built and its
  # security checks are compiled in; otherwise skip every test in the file.
  my $no_check = disabled("fips") || disabled('fips-securitychecks');
  if ($no_check) {
      plan skip_all => "Test only supported in a fips build with security checks";
  }

  # Eight `openssl list` checks plus one subtest each for EC, RSA and DSA.
  plan tests => 11;

  # Locations of the FIPS provider module and of the two configurations the
  # tests switch between through $ENV{OPENSSL_CONF}.
  my $fipsmodule  = bldtop_file('providers', platform->dso('fips'));
  my $fipsconf    = srctop_file("test", "fips-and-base.cnf");
  my $defaultconf = srctop_file("test", "default.cnf");

  # Any two different files will do as payloads: the provider module is the
  # data to be signed, the FIPS config file is the "wrong data" used in the
  # negative verification checks.
  my $tbs_data   = $fipsmodule;
  my $bogus_data = $fipsconf;

  # Start out with the FIPS configuration selected.
  $ENV{OPENSSL_CONF} = $fipsconf;
  # Smoke-test `openssl list ... -verbose` for each asymmetric-algorithm
  # category.  Each row is: list option, extra trailing arguments, description.
  # The commands run with the OPENSSL_CONF that is in effect at this point of
  # the file.
  for my $listing (
      [ '-public-key-methods',      [],
        "provider listing of public key methods" ],
      [ '-public-key-algorithms',   [],
        "provider listing of public key algorithms" ],
      [ '-key-managers',            [],
        "provider listing of keymanagers" ],
      [ '-key-exchange-algorithms', [],
        "provider listing of key exchange algorithms" ],
      [ '-kem-algorithms',          [],
        "provider listing of key encapsulation algorithms" ],
      [ '-signature-algorithms',    [],
        "provider listing of signature algorithms" ],
      [ '-asymcipher-algorithms',   [],
        "provider listing of encryption algorithms" ],
      [ '-key-managers',            [ '-select', 'DSA' ],
        "provider listing of one item in the keymanager" ],
  ) {
      my ($option, $extra_args, $description) = @$listing;

      ok(run(app(['openssl', 'list', $option, '-verbose', @$extra_args])),
         $description);
  }
  # pubfrompriv(PREFIX, KEY, PUB_KEY, TYPE)
  #
  # Extracts the public half of the private key file KEY into PUB_KEY with
  # `openssl pkey -pubout` and records one ok() for it.  PREFIX and TYPE only
  # appear in the test description.  The command runs under whichever
  # OPENSSL_CONF the caller has selected.
  sub pubfrompriv {
      my ($prefix, $key, $pub_key, $type) = @_;

      my @pkey_cmd = ('openssl', 'pkey',
                      '-in', $key,
                      '-pubout',
                      '-out', $pub_key);

      ok(run(app([@pkey_cmd])),
         "${prefix}: Create the public key with $type parameters");
  }
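  # Number of ok() checks made by one call to tsignverify().  Every subtest adds
  # this to its own plan, so it has to be updated whenever a check is added to
  # or removed from the sub below.
  my $tsignverify_count = 9;

  # tsignverify(PREFIX, FIPS_KEY, FIPS_PUB_KEY, NONFIPS_KEY, NONFIPS_PUB_KEY)
  #
  # Runs the sign/verify matrix for one algorithm with `openssl dgst -sha256`:
  #   PREFIX            label put in front of every test description and used
  #                     to name the signature files
  #   FIPS_KEY/_PUB_KEY key pair files expected to be acceptable in FIPS mode
  #   NONFIPS_KEY/_PUB_KEY key pair files expected to be refused in FIPS mode
  #
  # The sub switches $ENV{OPENSSL_CONF} between $fipsconf and $defaultconf and
  # leaves it set to $fipsconf on return.  It reads the file-level $tbs_data
  # (data to be signed) and $bogus_data (a different file, used for the
  # data-mismatch checks).
  sub tsignverify {
      my $prefix = shift;
      my $fips_key = shift;
      my $fips_pub_key = shift;
      my $nonfips_key = shift;
      my $nonfips_pub_key = shift;

      my $fips_sigfile = $prefix.'.fips.sig';
      my $nonfips_sigfile = $prefix.'.nonfips.sig';
      my $sigfile = '';
      my $testtext = '';

      # --- FIPS key under the FIPS configuration: everything must work ---
      $ENV{OPENSSL_CONF} = $fipsconf;

      $sigfile = $fips_sigfile;
      $testtext = $prefix.': '.
          'Sign something with a FIPS key';
      ok(run(app(['openssl', 'dgst', '-sha256',
                  '-sign', $fips_key,
                  '-out', $sigfile,
                  $tbs_data])),
         $testtext);

      $testtext = $prefix.': '.
          'Verify something with a FIPS key';
      ok(run(app(['openssl', 'dgst', '-sha256',
                  '-verify', $fips_pub_key,
                  '-signature', $sigfile,
                  $tbs_data])),
         $testtext);

      # The key is accepted here, so a failure can only come from the data.
      $testtext = $prefix.': '.
          'Verify a valid signature against the wrong data with a FIPS key'.
          ' (should fail)';
      ok(!run(app(['openssl', 'dgst', '-sha256',
                   '-verify', $fips_pub_key,
                   '-signature', $sigfile,
                   $bogus_data])),
         $testtext);

      # --- non-FIPS key under the default configuration: must work ---
      $ENV{OPENSSL_CONF} = $defaultconf;

      $sigfile = $nonfips_sigfile;
      $testtext = $prefix.': '.
          'Sign something with a non-FIPS key'.
          ' with the default provider';
      ok(run(app(['openssl', 'dgst', '-sha256',
                  '-sign', $nonfips_key,
                  '-out', $sigfile,
                  $tbs_data])),
         $testtext);

      $testtext = $prefix.': '.
          'Verify something with a non-FIPS key'.
          ' with the default provider';
      ok(run(app(['openssl', 'dgst', '-sha256',
                  '-verify', $nonfips_pub_key,
                  '-signature', $sigfile,
                  $tbs_data])),
         $testtext);

      # --- non-FIPS key under the FIPS configuration: must be refused ---
      $ENV{OPENSSL_CONF} = $fipsconf;

      $testtext = $prefix.': '.
          'Sign something with a non-FIPS key'.
          ' (should fail)';
      ok(!run(app(['openssl', 'dgst', '-sha256',
                   '-sign', $nonfips_key,
                   '-out', $prefix.'.nonfips.fail.sig',
                   $tbs_data])),
         $testtext);

      # $sigfile is still the signature made with the default provider above.
      $testtext = $prefix.': '.
          'Verify something with a non-FIPS key'.
          ' (should fail)';
      ok(!run(app(['openssl', 'dgst', '-sha256',
                   '-verify', $nonfips_pub_key,
                   '-signature', $sigfile,
                   $tbs_data])),
         $testtext);

      # Explicitly loading the default provider and preferring non-FIPS
      # implementations lets the same verification succeed in FIPS mode.
      $testtext = $prefix.': '.
          'Verify something with a non-FIPS key'.
          ' in FIPS mode but with a non-FIPS property query';
      ok(run(app(['openssl', 'dgst',
                  '-provider', 'default',
                  '-propquery', '?fips!=yes',
                  '-sha256',
                  '-verify', $nonfips_pub_key,
                  '-signature', $sigfile,
                  $tbs_data])),
         $testtext);

      # Without the property query this check would fail for any data at all,
      # because the plain FIPS-mode verify of this key is already expected to
      # fail (see the "should fail" check above).  Use the same non-FIPS query
      # as the passing check so that only the data mismatch can cause the
      # failure being asserted.
      $testtext = $prefix.': '.
          'Verify a valid signature against the wrong data with a non-FIPS key'.
          ' (should fail)';
      ok(!run(app(['openssl', 'dgst',
                   '-provider', 'default',
                   '-propquery', '?fips!=yes',
                   '-sha256',
                   '-verify', $nonfips_pub_key,
                   '-signature', $sigfile,
                   $bogus_data])),
         $testtext);
  }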
  SKIP: {
      skip "FIPS EC tests because of no ec in this build", 1
          if disabled("ec");

      # EC: prime256v1 is the curve expected to be usable in FIPS mode,
      # brainpoolP256r1 the one expected to be refused there.
      subtest EC => sub {
          my $label            = 'EC';
          my $approved_curve   = 'prime256v1';
          my $unapproved_curve = 'brainpoolP256r1';

          my $approved_priv   = $label.'.fips.priv.pem';
          my $approved_pub    = $label.'.fips.pub.pem';
          my $unapproved_priv = $label.'.nonfips.priv.pem';
          my $unapproved_pub  = $label.'.nonfips.pub.pem';

          # Generate an EC key on the named curve into the given file and
          # hand back the result of run() for the caller to assert on.
          my $genpkey_ec = sub {
              my ($curve, $outfile) = @_;
              return run(app(['openssl', 'genpkey', '-algorithm', 'EC',
                              '-pkeyopt', 'ec_paramgen_curve:'.$curve,
                              '-out', $outfile]));
          };

          plan tests => 5 + $tsignverify_count;

          # Default provider: the non-FIPS curve is allowed.
          $ENV{OPENSSL_CONF} = $defaultconf;
          ok($genpkey_ec->($unapproved_curve, $unapproved_priv),
             $label.': Generate a key with a non-FIPS algorithm with the default provider');
          pubfrompriv($label, $unapproved_priv, $unapproved_pub, "non-FIPS");

          # FIPS configuration: the approved curve works ...
          $ENV{OPENSSL_CONF} = $fipsconf;
          ok($genpkey_ec->($approved_curve, $approved_priv),
             $label.': Generate a key with a FIPS algorithm');
          pubfrompriv($label, $approved_priv, $approved_pub, "FIPS");

          # ... and the non-FIPS curve has to be rejected.
          ok(!$genpkey_ec->($unapproved_curve,
                            $label.'.'.$unapproved_curve.'.priv.pem'),
             $label.': Generate a key with a non-FIPS algorithm (should fail)');

          tsignverify($label, $approved_priv, $approved_pub,
                      $unapproved_priv, $unapproved_pub);
      };
  }
  SKIP: {
      skip "FIPS RSA tests because of no rsa in this build", 1
          if disabled("rsa");

      # RSA: a 2048-bit key is expected to be usable in FIPS mode, a 512-bit
      # key is expected to be refused there.  The 512-bit key exists only as a
      # negative test fixture.
      subtest RSA => sub {
          my $label = 'RSA';

          my $approved_priv   = $label.'.fips.priv.pem';
          my $approved_pub    = $label.'.fips.pub.pem';
          my $unapproved_priv = $label.'.nonfips.priv.pem';
          my $unapproved_pub  = $label.'.nonfips.pub.pem';

          # Generate an RSA key of the given size into the given file and
          # hand back the result of run() for the caller to assert on.
          my $genpkey_rsa = sub {
              my ($bits, $outfile) = @_;
              return run(app(['openssl', 'genpkey', '-algorithm', 'RSA',
                              '-pkeyopt', 'rsa_keygen_bits:'.$bits,
                              '-out', $outfile]));
          };

          plan tests => 5 + $tsignverify_count;

          # Default provider: the short key is allowed.
          $ENV{OPENSSL_CONF} = $defaultconf;
          ok($genpkey_rsa->('512', $unapproved_priv),
             $label.': Generate a key with a non-FIPS algorithm with the default provider');
          pubfrompriv($label, $unapproved_priv, $unapproved_pub, "non-FIPS");

          # FIPS configuration: the 2048-bit key works ...
          $ENV{OPENSSL_CONF} = $fipsconf;
          ok($genpkey_rsa->('2048', $approved_priv),
             $label.': Generate a key with a FIPS algorithm');
          pubfrompriv($label, $approved_priv, $approved_pub, "FIPS");

          # ... and the 512-bit key has to be rejected.
          ok(!$genpkey_rsa->('512', $label.'.fail.priv.pem'),
             $label.': Generate a key with a non-FIPS algorithm (should fail)');

          tsignverify($label, $approved_priv, $approved_pub,
                      $unapproved_priv, $unapproved_pub);
      };
  }
  SKIP: {
      skip "FIPS DSA tests because of no dsa in this build", 1
          if disabled("dsa");

      # DSA: parameters and keys are generated under both configurations.
      # Short (512/1024-bit, fips186_2) parameters are expected to work with
      # the default provider, to be refused under the FIPS configuration, and
      # to work again in FIPS mode once the default provider is loaded with a
      # non-FIPS property query.
      subtest DSA => sub {
          my $label = 'DSA';

          my $approved_priv     = $label.'.fips.priv.pem';
          my $approved_pub      = $label.'.fips.pub.pem';
          my $unapproved_priv   = $label.'.nonfips.priv.pem';
          my $unapproved_pub    = $label.'.nonfips.pub.pem';
          my $approved_params   = $label.'.fips.param.pem';
          my $unapproved_params = $label.'.nonfips.param.pem';
          my $short_params      = $label.'.shortnonfips.param.pem';

          # Options that load the default provider and prefer non-FIPS
          # implementations while the FIPS configuration is active.
          my @nonfips_query = ('-provider', 'default',
                               '-propquery', '?fips!=yes');

          plan tests => 13 + $tsignverify_count;

          # ---- parameter generation ----
          $ENV{OPENSSL_CONF} = $defaultconf;
          ok(run(app(['openssl', 'genpkey', '-genparam',
                      '-algorithm', 'DSA',
                      '-pkeyopt', 'type:fips186_2',
                      '-pkeyopt', 'dsa_paramgen_bits:512',
                      '-out', $unapproved_params])),
             $label.': Generate non-FIPS params with the default provider');

          $ENV{OPENSSL_CONF} = $fipsconf;
          ok(run(app(['openssl', 'genpkey', '-genparam',
                      '-algorithm', 'DSA',
                      '-pkeyopt', 'dsa_paramgen_bits:2048',
                      '-out', $approved_params])),
             $label.': Generate FIPS params');

          ok(!run(app(['openssl', 'genpkey', '-genparam',
                       '-algorithm', 'DSA',
                       '-pkeyopt', 'dsa_paramgen_bits:512',
                       '-out', $label.'.fail.param.pem'])),
             $label.': Generate non-FIPS params (should fail)');

          ok(run(app(['openssl', 'dsaparam', @nonfips_query,
                      '-out', $short_params, '1024'])),
             $label.': Generate non-FIPS params using non-FIPS property query (dsaparam)');

          # No -out here: the generated parameters are not kept in a file.
          ok(run(app(['openssl', 'genpkey', @nonfips_query,
                      '-genparam', '-algorithm', 'DSA',
                      '-pkeyopt', 'dsa_paramgen_bits:512'])),
             $label.': Generate non-FIPS params using non-FIPS property query (genpkey)');

          # ---- key generation ----
          $ENV{OPENSSL_CONF} = $defaultconf;
          ok(run(app(['openssl', 'genpkey',
                      '-paramfile', $unapproved_params,
                      '-pkeyopt', 'type:fips186_2',
                      '-out', $unapproved_priv])),
             $label.': Generate a key with non-FIPS params with the default provider');
          pubfrompriv($label, $unapproved_priv, $unapproved_pub, "non-FIPS");

          $ENV{OPENSSL_CONF} = $fipsconf;
          ok(run(app(['openssl', 'genpkey',
                      '-paramfile', $approved_params,
                      '-pkeyopt', 'type:fips186_4',
                      '-out', $approved_priv])),
             $label.': Generate a key with FIPS parameters');
          pubfrompriv($label, $approved_priv, $approved_pub, "FIPS");

          ok(!run(app(['openssl', 'genpkey',
                       '-paramfile', $unapproved_params,
                       '-pkeyopt', 'type:fips186_2',
                       '-out', $label.'.fail.priv.pem'])),
             $label.': Generate a key with non-FIPS parameters (should fail)');

          ok(run(app(['openssl', 'dsaparam', @nonfips_query,
                      '-noout', '-genkey', '1024'])),
             $label.': Generate a key with non-FIPS parameters using non-FIPS property query (dsaparam)');

          ok(run(app(['openssl', 'gendsa', @nonfips_query,
                      $short_params])),
             $label.': Generate a key with non-FIPS parameters using non-FIPS property query (gendsa)');

          # This one is expected to succeed even though it writes to the same
          # ".fail.priv.pem" name as the rejected attempt above.
          ok(run(app(['openssl', 'genpkey', @nonfips_query,
                      '-paramfile', $unapproved_params,
                      '-pkeyopt', 'type:fips186_2',
                      '-out', $label.'.fail.priv.pem'])),
             $label.': Generate a key with non-FIPS parameters using non-FIPS property query (genpkey)');

          tsignverify($label, $approved_priv, $approved_pub,
                      $unapproved_priv, $unapproved_pub);
      };
  }