20-test_cli_fips.t 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319
  1. #! /usr/bin/env perl
  2. # Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
  3. #
  4. # Licensed under the Apache License 2.0 (the "License"). You may not use
  5. # this file except in compliance with the License. You can obtain a copy
  6. # in the file LICENSE in the source distribution or at
  7. # https://www.openssl.org/source/license.html
  8. use strict;
  9. use warnings;
  10. use File::Spec;
  11. use File::Spec::Functions qw/curdir abs2rel/;
  12. use File::Copy;
  13. use OpenSSL::Glob;
  14. use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir bldtop_file srctop_file data_file/;
  15. use OpenSSL::Test::Utils;
  16. BEGIN {
  17. setup("test_cli_fips");
  18. }
  19. use lib srctop_dir('Configurations');
  20. use lib bldtop_dir('.');
  21. use platform;
  22. my $no_check = disabled('fips-securitychecks');
  23. plan skip_all => "Test only supported in a fips build with security checks"
  24. if disabled("fips") || disabled("fips-securitychecks");
  25. plan tests => 13;
  26. my $fipsmodule = bldtop_file('providers', platform->dso('fips'));
  27. my $fipsconf = srctop_file("test", "fips-and-base.cnf");
  28. my $defaultconf = srctop_file("test", "default.cnf");
  29. my $tbs_data = $fipsmodule;
  30. my $bogus_data = $fipsconf;
  31. # output a fipsmodule.cnf file containing mac data
  32. ok(run(app(['openssl', 'fipsinstall', '-out', 'fipsmodule.cnf',
  33. '-module', $fipsmodule, ])),
  34. "fipsinstall");
  35. # verify the $fipsconf file
  36. ok(run(app(['openssl', 'fipsinstall', '-in', 'fipsmodule.cnf', '-module', $fipsmodule,
  37. '-verify'])),
  38. "fipsinstall verify");
  39. $ENV{OPENSSL_CONF_INCLUDE} = abs2rel(curdir());
  40. $ENV{OPENSSL_CONF} = $fipsconf;
  41. ok(run(app(['openssl', 'list', '-public-key-methods', '-verbose'])),
  42. "provider listing of public key methods");
  43. ok(run(app(['openssl', 'list', '-public-key-algorithms', '-verbose'])),
  44. "provider listing of public key algorithms");
  45. ok(run(app(['openssl', 'list', '-key-managers', '-verbose'])),
  46. "provider listing of keymanagers");
  47. ok(run(app(['openssl', 'list', '-key-exchange-algorithms', '-verbose'])),
  48. "provider listing of key exchange algorithms");
  49. ok(run(app(['openssl', 'list', '-kem-algorithms', '-verbose'])),
  50. "provider listing of key encapsulation algorithms");
  51. ok(run(app(['openssl', 'list', '-signature-algorithms', '-verbose'])),
  52. "provider listing of signature algorithms");
  53. ok(run(app(['openssl', 'list', '-asymcipher-algorithms', '-verbose'])),
  54. "provider listing of encryption algorithms");
  55. ok(run(app(['openssl', 'list', '-key-managers', '-verbose', '-select', 'DSA' ])),
  56. "provider listing of one item in the keymanager");
  57. my $tsignverify_count = 8;
  58. sub tsignverify {
  59. my $prefix = shift;
  60. my $fips_key = shift;
  61. my $nonfips_key = shift;
  62. my $fips_sigfile = $prefix.'.fips.sig';
  63. my $nonfips_sigfile = $prefix.'.nonfips.sig';
  64. my $sigfile = '';
  65. my $testtext = '';
  66. $ENV{OPENSSL_CONF} = $fipsconf;
  67. $sigfile = $fips_sigfile;
  68. $testtext = $prefix.': '.
  69. 'Sign something with a FIPS key';
  70. ok(run(app(['openssl', 'dgst', '-sha256',
  71. '-sign', $fips_key,
  72. '-out', $sigfile,
  73. $tbs_data])),
  74. $testtext);
  75. $testtext = $prefix.': '.
  76. 'Verify something with a FIPS key';
  77. ok(run(app(['openssl', 'dgst', '-sha256',
  78. '-verify', $fips_key,
  79. '-signature', $sigfile,
  80. $tbs_data])),
  81. $testtext);
  82. $testtext = $prefix.': '.
  83. 'Verify a valid signature against the wrong data with a FIPS key'.
  84. ' (should fail)';
  85. ok(!run(app(['openssl', 'dgst', '-sha256',
  86. '-verify', $fips_key,
  87. '-signature', $sigfile,
  88. $bogus_data])),
  89. $testtext);
  90. $ENV{OPENSSL_CONF} = $defaultconf;
  91. $sigfile = $nonfips_sigfile;
  92. $testtext = $prefix.': '.
  93. 'Sign something with a non-FIPS key'.
  94. ' with the default provider';
  95. ok(run(app(['openssl', 'dgst', '-sha256',
  96. '-sign', $nonfips_key,
  97. '-out', $sigfile,
  98. $tbs_data])),
  99. $testtext);
  100. $testtext = $prefix.': '.
  101. 'Verify something with a non-FIPS key'.
  102. ' with the default provider';
  103. ok(run(app(['openssl', 'dgst', '-sha256',
  104. '-verify', $nonfips_key,
  105. '-signature', $sigfile,
  106. $tbs_data])),
  107. $testtext);
  108. $ENV{OPENSSL_CONF} = $fipsconf;
  109. $testtext = $prefix.': '.
  110. 'Sign something with a non-FIPS key'.
  111. ' (should fail)';
  112. ok(!run(app(['openssl', 'dgst', '-sha256',
  113. '-sign', $nonfips_key,
  114. '-out', $prefix.'.nonfips.fail.sig',
  115. $tbs_data])),
  116. $testtext);
  117. $testtext = $prefix.': '.
  118. 'Verify something with a non-FIPS key'.
  119. ' (should fail)';
  120. ok(!run(app(['openssl', 'dgst', '-sha256',
  121. '-verify', $nonfips_key,
  122. '-signature', $sigfile,
  123. $tbs_data])),
  124. $testtext);
  125. $testtext = $prefix.': '.
  126. 'Verify a valid signature against the wrong data with a non-FIPS key'.
  127. ' (should fail)';
  128. ok(!run(app(['openssl', 'dgst', '-sha256',
  129. '-verify', $nonfips_key,
  130. '-signature', $sigfile,
  131. $bogus_data])),
  132. $testtext);
  133. }
  134. SKIP : {
  135. skip "FIPS EC tests because of no ec in this build", 1
  136. if disabled("ec");
  137. subtest EC => sub {
  138. my $testtext_prefix = 'EC';
  139. my $a_fips_curve = 'prime256v1';
  140. my $fips_key = $testtext_prefix.'.fips.priv.pem';
  141. my $a_nonfips_curve = 'brainpoolP256r1';
  142. my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem';
  143. my $testtext = '';
  144. my $curvename = '';
  145. plan tests => 3 + $tsignverify_count;
  146. $ENV{OPENSSL_CONF} = $defaultconf;
  147. $curvename = $a_nonfips_curve;
  148. $testtext = $testtext_prefix.': '.
  149. 'Generate a key with a non-FIPS algorithm with the default provider';
  150. ok(run(app(['openssl', 'genpkey', '-algorithm', 'EC',
  151. '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
  152. '-out', $nonfips_key])),
  153. $testtext);
  154. $ENV{OPENSSL_CONF} = $fipsconf;
  155. $curvename = $a_fips_curve;
  156. $testtext = $testtext_prefix.': '.
  157. 'Generate a key with a FIPS algorithm';
  158. ok(run(app(['openssl', 'genpkey', '-algorithm', 'EC',
  159. '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
  160. '-out', $fips_key])),
  161. $testtext);
  162. $curvename = $a_nonfips_curve;
  163. $testtext = $testtext_prefix.': '.
  164. 'Generate a key with a non-FIPS algorithm'.
  165. ' (should fail)';
  166. ok(!run(app(['openssl', 'genpkey', '-algorithm', 'EC',
  167. '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
  168. '-out', $testtext_prefix.'.'.$curvename.'.priv.pem'])),
  169. $testtext);
  170. tsignverify($testtext_prefix, $fips_key, $nonfips_key);
  171. };
  172. }
  173. SKIP: {
  174. skip "FIPS RSA tests because of no rsa in this build", 1
  175. if disabled("rsa");
  176. subtest RSA => sub {
  177. my $testtext_prefix = 'RSA';
  178. my $fips_key = $testtext_prefix.'.fips.priv.pem';
  179. my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem';
  180. my $testtext = '';
  181. plan tests => 3 + $tsignverify_count;
  182. $ENV{OPENSSL_CONF} = $defaultconf;
  183. $testtext = $testtext_prefix.': '.
  184. 'Generate a key with a non-FIPS algorithm with the default provider';
  185. ok(run(app(['openssl', 'genpkey', '-algorithm', 'RSA',
  186. '-pkeyopt', 'rsa_keygen_bits:512',
  187. '-out', $nonfips_key])),
  188. $testtext);
  189. $ENV{OPENSSL_CONF} = $fipsconf;
  190. $testtext = $testtext_prefix.': '.
  191. 'Generate a key with a FIPS algorithm';
  192. ok(run(app(['openssl', 'genpkey', '-algorithm', 'RSA',
  193. '-pkeyopt', 'rsa_keygen_bits:2048',
  194. '-out', $fips_key])),
  195. $testtext);
  196. $testtext = $testtext_prefix.': '.
  197. 'Generate a key with a non-FIPS algorithm'.
  198. ' (should fail)';
  199. ok(!run(app(['openssl', 'genpkey', '-algorithm', 'RSA',
  200. '-pkeyopt', 'rsa_keygen_bits:512',
  201. '-out', $testtext_prefix.'.fail.priv.pem'])),
  202. $testtext);
  203. tsignverify($testtext_prefix, $fips_key, $nonfips_key);
  204. };
  205. }
  206. SKIP : {
  207. skip "FIPS DSA tests because of no dsa in this build", 1
  208. if disabled("dsa");
  209. subtest DSA => sub {
  210. my $testtext_prefix = 'DSA';
  211. my $fips_key = $testtext_prefix.'.fips.priv.pem';
  212. my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem';
  213. my $testtext = '';
  214. my $fips_param = $testtext_prefix.'.fips.param.pem';
  215. my $nonfips_param = $testtext_prefix.'.nonfips.param.pem';
  216. plan tests => 6 + $tsignverify_count;
  217. $ENV{OPENSSL_CONF} = $defaultconf;
  218. $testtext = $testtext_prefix.': '.
  219. 'Generate non-FIPS params with the default provider';
  220. ok(run(app(['openssl', 'genpkey', '-genparam',
  221. '-algorithm', 'DSA',
  222. '-pkeyopt', 'type:fips186_2',
  223. '-pkeyopt', 'dsa_paramgen_bits:512',
  224. '-out', $nonfips_param])),
  225. $testtext);
  226. $ENV{OPENSSL_CONF} = $fipsconf;
  227. $testtext = $testtext_prefix.': '.
  228. 'Generate FIPS params';
  229. ok(run(app(['openssl', 'genpkey', '-genparam',
  230. '-algorithm', 'DSA',
  231. '-pkeyopt', 'dsa_paramgen_bits:2048',
  232. '-out', $fips_param])),
  233. $testtext);
  234. $testtext = $testtext_prefix.': '.
  235. 'Generate non-FIPS params'.
  236. ' (should fail)';
  237. ok(!run(app(['openssl', 'genpkey', '-genparam',
  238. '-algorithm', 'DSA',
  239. '-pkeyopt', 'dsa_paramgen_bits:512',
  240. '-out', $testtext_prefix.'.fail.param.pem'])),
  241. $testtext);
  242. $ENV{OPENSSL_CONF} = $defaultconf;
  243. $testtext = $testtext_prefix.': '.
  244. 'Generate a key with non-FIPS params with the default provider';
  245. ok(run(app(['openssl', 'genpkey',
  246. '-paramfile', $nonfips_param,
  247. '-pkeyopt', 'type:fips186_2',
  248. '-out', $nonfips_key])),
  249. $testtext);
  250. $ENV{OPENSSL_CONF} = $fipsconf;
  251. $testtext = $testtext_prefix.': '.
  252. 'Generate a key with FIPS parameters';
  253. ok(run(app(['openssl', 'genpkey',
  254. '-paramfile', $fips_param,
  255. '-pkeyopt', 'type:fips186_4',
  256. '-out', $fips_key])),
  257. $testtext);
  258. $testtext = $testtext_prefix.': '.
  259. 'Generate a key with non-FIPS parameters'.
  260. ' (should fail)';
  261. ok(!run(app(['openssl', 'genpkey',
  262. '-paramfile', $nonfips_param,
  263. '-pkeyopt', 'type:fips186_2',
  264. '-out', $testtext_prefix.'.fail.priv.pem'])),
  265. $testtext);
  266. tsignverify($testtext_prefix, $fips_key, $nonfips_key);
  267. };
  268. }