From 3c405a9ddf979f80de45d54844cfba88185d050e Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Wed, 15 Jan 2025 15:02:35 +0100 Subject: [PATCH] tests: Adjust for FIPS support Signed-off-by: Jakub Jelen --- tests/kryoptic.nss-init.sh | 2 +- tests/setup.sh | 99 ++++++++++++++++++++++++++------------ tests/softhsm-init.sh | 2 +- tests/softokn-init.sh | 6 ++- tests/tbasic | 27 ++++++----- tests/tedwards | 14 ++++-- tests/timported | 6 ++- tests/tlsctx.c | 5 +- tests/ttlsfuzzer | 5 ++ 9 files changed, 111 insertions(+), 55 deletions(-) diff --git a/tests/kryoptic.nss-init.sh b/tests/kryoptic.nss-init.sh index 14c00320..9fd87b8b 100644 --- a/tests/kryoptic.nss-init.sh +++ b/tests/kryoptic.nss-init.sh @@ -23,5 +23,5 @@ export TOKENLABELURI="Kryoptic%20Soft%20Token" source "${TESTSSRCDIR}/kryoptic-init.sh" export TOKENCONFIGVARS="export KRYOPTIC_CONF=${TMPPDIR}/kryoptic.conf" -export TOKENOPTIONS="pkcs11-module-quirks = no-allowed-mechanisms" +export TOKENOPTIONS="${TOKENOPTIONS}\npkcs11-module-quirks = no-allowed-mechanisms" export TESTPORT="36000" diff --git a/tests/setup.sh b/tests/setup.sh index 2b4dbea1..b1062709 100755 --- a/tests/setup.sh +++ b/tests/setup.sh @@ -11,6 +11,41 @@ fi TOKENTYPE=$1 +# defaults -- overridden below or in the per-token setup +SUPPORT_ED25519=1 +SUPPORT_ED448=1 +SUPPORT_RSA_PKCS1_ENCRYPTION=1 +SUPPORT_RSA_KEYGEN_PUBLIC_EXPONENT=1 +SUPPORT_TLSFUZZER=1 + +# Ed448 requires OpenSC 0.26.0, which is not available in Ubuntu and CentOS 9 +if [[ -f /etc/debian_version ]] && grep Ubuntu /etc/lsb-release; then + SUPPORT_ED448=0 +elif [[ -f /etc/redhat-release ]] && grep "release 9" /etc/redhat-release; then + SUPPORT_ED448=0 +fi + +# FIPS Mode +if [[ "${OPENSSL_FORCE_FIPS_MODE}" = "1" || "$(cat /proc/sys/crypto/fips_enabled)" = "1" ]]; then + # We can not use Edwards curves in FIPS mode + SUPPORT_ED25519=0 + SUPPORT_ED448=0 + + # The FIPS does not allow the RSA-PKCS1.5 encryption + SUPPORT_RSA_PKCS1_ENCRYPTION=0 + + # The FIPS does not allow to set custom public exponent during key + # generation + SUPPORT_RSA_KEYGEN_PUBLIC_EXPONENT=0 + + # TLS Fuzzer does not work well in FIPS mode + SUPPORT_TLSFUZZER=0 + + # We also need additional configuration in openssl.cnf to assume the token + # is FIPS token + TOKENOPTIONS="pkcs11-module-assume-fips = true" +fi + # Temporary dir and Token data dir TMPPDIR="${TESTBLDDIR}/${TOKENTYPE}" TOKDIR="$TMPPDIR/tokens" @@ -207,8 +242,7 @@ echo "" ## Softtokn does not support edwards curves yet -if [ "${TOKENTYPE}" != "softokn" ]; then - +if [ "${SUPPORT_ED25519}" -eq 1 ]; then # generate ED25519 KEYID='0004' URIKEYID="%00%04" @@ -232,37 +266,32 @@ if [ "${TOKENTYPE}" != "softokn" ]; then echo "${EDPUBURI}" echo "${EDPRIURI}" echo "${EDCRTURI}" +fi - # this requires OpenSC 0.26.0, which is not available in Ubuntu and CentOS 9 - if [[ -f /etc/debian_version ]] && grep Ubuntu /etc/lsb-release; then - echo "Ed448 not supported in Ubuntu's OpenSC version" - elif [[ -f /etc/redhat-release ]] && grep "release 9" /etc/redhat-release; then - echo "Ed448 not supported in EL9's OpenSC version" - else - # generate ED448 - KEYID='0009' - URIKEYID="%00%09" - ED2CRTN="ed2Cert" - - pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="EC:Ed448" \ - --label="${ED2CRTN}" --id="$KEYID" - ca_sign $ED2CRTN "My ED448 Cert" $KEYID - - ED2BASEURIWITHPINVALUE="pkcs11:id=${URIKEYID};pin-value=${PINVALUE}" - ED2BASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID};pin-source=file:${PINFILE}" - ED2BASEURI="pkcs11:id=${URIKEYID}" - ED2PUBURI="pkcs11:type=public;id=${URIKEYID}" - ED2PRIURI="pkcs11:type=private;id=${URIKEYID}" - ED2CRTURI="pkcs11:type=cert;object=${ED2CRTN}" - - title LINE "ED448 PKCS11 URIS" - echo "${ED2BASEURIWITHPINVALUE}" - echo "${ED2BASEURIWITHPINSOURCE}" - echo "${ED2BASEURI}" - echo "${ED2PUBURI}" - echo "${ED2PRIURI}" - echo "${ED2CRTURI}" - fi +if [ "${SUPPORT_ED448}" -eq 1 ]; then + # generate ED448 + KEYID='0009' + URIKEYID="%00%09" + ED2CRTN="ed2Cert" + + pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="EC:Ed448" \ + --label="${ED2CRTN}" --id="$KEYID" + ca_sign $ED2CRTN "My ED448 Cert" $KEYID + + ED2BASEURIWITHPINVALUE="pkcs11:id=${URIKEYID};pin-value=${PINVALUE}" + ED2BASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID};pin-source=file:${PINFILE}" + ED2BASEURI="pkcs11:id=${URIKEYID}" + ED2PUBURI="pkcs11:type=public;id=${URIKEYID}" + ED2PRIURI="pkcs11:type=private;id=${URIKEYID}" + ED2CRTURI="pkcs11:type=cert;object=${ED2CRTN}" + + title LINE "ED448 PKCS11 URIS" + echo "${ED2BASEURIWITHPINVALUE}" + echo "${ED2BASEURIWITHPINSOURCE}" + echo "${ED2BASEURI}" + echo "${ED2PUBURI}" + echo "${ED2PRIURI}" + echo "${ED2CRTURI}" fi title PARA "generate RSA key pair, self-signed certificate, remove public key" @@ -395,6 +424,12 @@ export OPENSSL_CONF="${OPENSSL_CONF}" export TESTSSRCDIR="${TESTSSRCDIR}" export TESTBLDDIR="${TESTBLDDIR}" +export SUPPORT_ED25519="${SUPPORT_ED25519}" +export SUPPORT_ED448="${SUPPORT_ED448}" +export SUPPORT_RSA_PKCS1_ENCRYPTION="${SUPPORT_RSA_PKCS1_ENCRYPTION}" +export SUPPORT_RSA_KEYGEN_PUBLIC_EXPONENT="${SUPPORT_RSA_KEYGEN_PUBLIC_EXPONENT}" +export SUPPORT_TLSFUZZER="${SUPPORT_TLSFUZZER}" + export TESTPORT="${TESTPORT}" export CACRT="${CACRT_PEM}" diff --git a/tests/softhsm-init.sh b/tests/softhsm-init.sh index 41d40437..1bf47412 100755 --- a/tests/softhsm-init.sh +++ b/tests/softhsm-init.sh @@ -62,7 +62,7 @@ export TOKENLABELURI="SoftHSM%20Token" softhsm2-util --init-token --label "${TOKENLABEL}" --free --pin "${PINVALUE}" --so-pin "${PINVALUE}" #softhsm crashes on de-init so we need to default to this quirk -export TOKENOPTIONS="pkcs11-module-quirks = no-deinit no-operation-state" +export TOKENOPTIONS="${TOKENOPTIONS}\npkcs11-module-quirks = no-deinit no-operation-state" export TOKENCONFIGVARS="export SOFTHSM2_CONF=${TMPPDIR}/softhsm.conf" diff --git a/tests/softokn-init.sh b/tests/softokn-init.sh index 026156a2..bf1e4980 100755 --- a/tests/softokn-init.sh +++ b/tests/softokn-init.sh @@ -19,7 +19,11 @@ export NSS_LIB_PARAMS="configDir=${TOKDIR}" export TOKENLABEL="NSS Certificate DB" export TOKENLABELURI="NSS%20Certificate%20DB" -export TOKENOPTIONS="pkcs11-module-quirks = no-operation-state no-allowed-mechanisms" +export TOKENOPTIONS="${TOKENOPTIONS}\npkcs11-module-quirks = no-operation-state no-allowed-mechanisms" export TOKENCONFIGVARS="export NSS_LIB_PARAMS=configDir=${TOKDIR}" export TESTPORT="30000" + +# Edward curves are not supported in NSS yet +SUPPORT_ED25519=0 +SUPPORT_ED448=0 diff --git a/tests/tbasic b/tests/tbasic index 02c9ac88..6125a749 100755 --- a/tests/tbasic +++ b/tests/tbasic @@ -67,20 +67,21 @@ pkeyutl -verify -inkey "${PUBURI}" -rawin -sigfile ${TMPPDIR}/sha256-dgstsig.bin' +if [[ "$SUPPORT_RSA_PKCS1_ENCRYPTION" = "1" ]]; then + SECRETFILE=${TMPPDIR}/rsasecret.txt + echo "Super Secret" > "${SECRETFILE}" -SECRETFILE=${TMPPDIR}/rsasecret.txt -echo "Super Secret" > "${SECRETFILE}" - -title LINE "RSA basic encrypt and decrypt" -ossl ' -pkeyutl -encrypt -inkey "${PUBURI}" -pubin - -in ${SECRETFILE} - -out ${SECRETFILE}.enc' -ossl ' -pkeyutl -decrypt -inkey "${PRIURI}" - -in ${SECRETFILE}.enc - -out ${SECRETFILE}.dec' -diff "${SECRETFILE}" "${SECRETFILE}.dec" + title LINE "RSA basic encrypt and decrypt" + ossl ' + pkeyutl -encrypt -inkey "${PUBURI}" -pubin + -in ${SECRETFILE} + -out ${SECRETFILE}.enc' + ossl ' + pkeyutl -decrypt -inkey "${PRIURI}" + -in ${SECRETFILE}.enc + -out ${SECRETFILE}.dec' + diff "${SECRETFILE}" "${SECRETFILE}.dec" +fi title PARA "Test Disallow Public Export" ORIG_OPENSSL_CONF=${OPENSSL_CONF} diff --git a/tests/tedwards b/tests/tedwards index b16b6342..198ea4ac 100755 --- a/tests/tedwards +++ b/tests/tedwards @@ -4,6 +4,10 @@ source "${TESTSSRCDIR}/helpers.sh" +if [[ "${SUPPORT_ED25519}" = "0" ]]; then + exit 77; +fi + title PARA "Export ED25519 Public key to a file" ossl 'pkey -in $EDPUBURI -pubin -pubout -out ${TMPPDIR}/edout.pub' @@ -65,7 +69,7 @@ fi if [[ -n $ED2BASEURI ]]; then title PARA "Export ED448 Public key to a file" ossl 'pkey -in $ED2PUBURI -pubin -pubout -out ${TMPPDIR}/ed2out.pub' - + title LINE "Print ED448 Public key from private" ossl 'pkey -in $ED2PRIURI -pubout -text' $helper_emit output="$helper_output" @@ -79,7 +83,7 @@ if [[ -n $ED2BASEURI ]]; then echo exit 1 fi - + title PARA "DigestSign and DigestVerify with ED448" ossl ' pkeyutl -sign -inkey "${ED2BASEURI}" @@ -91,16 +95,16 @@ if [[ -n $ED2BASEURI ]]; then -in ${RAND64FILE} -rawin -sigfile ${TMPPDIR}/sha256-eddgstsig.bin' - + title PARA "Test CSR generation from private ED448 keys" ossl ' req -new -batch -key "${ED2PRIURI}" -out ${TMPPDIR}/ed448_csr.pem' ossl ' req -in ${TMPPDIR}/ed448_csr.pem -verify -noout' - + title PARA "Test EVP_PKEY_eq on public Edwards key both on token" $CHECKER "${TESTBLDDIR}/tcmpkeys" "$ED2PUBURI" "$ED2PUBURI" - + title PARA "Test EVP_PKEY_eq on public ED448 key via import" $CHECKER "${TESTBLDDIR}/tcmpkeys" "$ED2PUBURI" "${TMPPDIR}"/ed2out.pub title PARA "Match private ED448 key against public key" diff --git a/tests/timported b/tests/timported index 88640ef4..c4fe1b0e 100755 --- a/tests/timported +++ b/tests/timported @@ -22,8 +22,12 @@ ossl 'pkey -in ${TMPPDIR}/file.ec.key.pem title LINE "Generate RSA keypair in files" # older versions of openssl don't support -outpubkey ... # .. so we'll use two steps +OPTS="" +if [[ "${SUPPORT_RSA_KEYGEN_PUBLIC_EXPONENT}" = "1" ]]; then + OPTS="-pkeyopt rsa_keygen_pubexp:3" +fi ossl 'genpkey -algorithm RSA -out ${TMPPDIR}/file.rsa.key.pem - -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3' + -pkeyopt rsa_keygen_bits:2048 ${OPTS}' ossl 'pkey -in ${TMPPDIR}/file.rsa.key.pem -pubout -out ${TMPPDIR}/file.rsa.pub.key.pem' diff --git a/tests/tlsctx.c b/tests/tlsctx.c index 374a6c80..3390b35a 100644 --- a/tests/tlsctx.c +++ b/tests/tlsctx.c @@ -5,6 +5,7 @@ #include #include #include +#include #include #include #include "util.h" @@ -119,7 +120,9 @@ int main(int argc, char *argv[]) SSL_CTX_free(ctx); - test_pkcs1_with_tls_padding(); + if (!FIPS_mode()) { + test_pkcs1_with_tls_padding(); + } exit(EXIT_SUCCESS); } diff --git a/tests/ttlsfuzzer b/tests/ttlsfuzzer index 14dc7048..8ea710d3 100755 --- a/tests/ttlsfuzzer +++ b/tests/ttlsfuzzer @@ -9,6 +9,11 @@ if [[ ! -d "${TESTSSRCDIR}/../tlsfuzzer/tlsfuzzer" ]]; then exit 77; fi +if [[ "${SUPPORT_TLSFUZZER}" = "0" ]]; then + title "TLS fuzzer does not work in FIPS Mode" + exit 77; +fi + TMPFILE="${TMPPDIR}/tls-fuzzer.$$.tmp" PORT="$TESTPORT" PYTHON=$(which python3)