Add support for RSA KeyGen AFT tests for FIPS186-5 to ACVP tool #1234
Conversation
| const expectedType = "GDT" | ||
| if group.Type != expectedType { | ||
| return nil, fmt.Errorf("RSA KeyGen test group has type %q, but only generation tests (%q) are supported", group.Type, expectedType) | ||
| // We support both GDT and AFT tests, which are formatted the same and expect the same output. |
There was a problem hiding this comment.
Curious what the exact difference between GDT and AFT is?
There was a problem hiding this comment.
In this case, the GDT and AFT tests are exactly the same. For whatever reason, NIST renamed the test when they issued FIPS 186-5.
Most of the changes are related to how we register our capabilities with the ACVP server now. If we choose to register with the new way (under FIPS 186-5), we get vectors that are labeled as "AFT" tests. If we choose to register with the old way (under FIPS 186-4), we get vectors that are labeled as "GDT".
Other than the labels though, it appears that both the vectors that we get from NIST for RSA as well as the expected format/contents of the corresponding response vectors are the exact same as before...
You can see more details on the ACVP specifications page for RSA: https://pages.nist.gov/ACVP/draft-celi-acvp-rsa.html
billbo-yang
force-pushed
the
support_aft_rsa_acvp
branch
from
bf5a052 to
325d927
Compare
Issues:
Addresses CryptoAlg-1838
Description of changes:
FIPS 186-5 updates some things related to RSA. For ACVP, it introduces a new capabilities registration. Luckily, the format of the vectors is largely the same, but we need to enable support for "AFT" tests in order to correctly parse FIPS 186-5 compatible test vectors.
Call-outs:
N/A
Testing:
Tool passes when running against ACVP demo server.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.