tests: Adjust for FIPS support

Signed-off-by: Jakub Jelen <[email protected]>

tests/kryoptic.nss-init.sh

@@ -23,5 +23,5 @@ export TOKENLABELURI="Kryoptic%20Soft%20Token"
 source "${TESTSSRCDIR}/kryoptic-init.sh"
 
 export TOKENCONFIGVARS="export KRYOPTIC_CONF=${TMPPDIR}/kryoptic.conf"
-export TOKENOPTIONS="pkcs11-module-quirks = no-allowed-mechanisms"
+export TOKENOPTIONS="${TOKENOPTIONS}\npkcs11-module-quirks = no-allowed-mechanisms"
 export TESTPORT="36000"

tests/setup.sh

@@ -11,6 +11,41 @@ fi
 
 TOKENTYPE=$1
 
+# defaults -- overridden below or in the per-token setup
+SUPPORT_ED25519=1
+SUPPORT_ED448=1
+SUPPORT_RSA_PKCS1_ENCRYPTION=1
+SUPPORT_RSA_KEYGEN_PUBLIC_EXPONENT=1
+SUPPORT_TLSFUZZER=1
+
+# Ed448 requires OpenSC 0.26.0, which is not available in Ubuntu and CentOS 9
+if [[ -f /etc/debian_version ]] && grep Ubuntu /etc/lsb-release; then
+    SUPPORT_ED448=0
+elif [[ -f /etc/redhat-release ]] && grep "release 9" /etc/redhat-release; then
+    SUPPORT_ED448=0
+fi
+
+# FIPS Mode
+if [[ "${OPENSSL_FORCE_FIPS_MODE}" = "1" || "$(cat /proc/sys/crypto/fips_enabled)" = "1" ]]; then
+    # We can not use Edwards curves in FIPS mode
+    SUPPORT_ED25519=0
+    SUPPORT_ED448=0
+
+    # The FIPS does not allow the RSA-PKCS1.5 encryption
+    SUPPORT_RSA_PKCS1_ENCRYPTION=0
+
+    # The FIPS does not allow to set custom public exponent during key
+    # generation
+    SUPPORT_RSA_KEYGEN_PUBLIC_EXPONENT=0
+
+    # TLS Fuzzer does not work well in FIPS mode
+    SUPPORT_TLSFUZZER=0
+
+    # We also need additional configuration in openssl.cnf to assume the token
+    # is FIPS token
+    TOKENOPTIONS="pkcs11-module-assume-fips = true"
+fi
+
 # Temporary dir and Token data dir
 TMPPDIR="${TESTBLDDIR}/${TOKENTYPE}"
 TOKDIR="$TMPPDIR/tokens"
@@ -207,8 +242,7 @@ echo ""
 
 
 ## Softtokn does not support edwards curves yet
-if [ "${TOKENTYPE}" != "softokn" ]; then
-
+if [ "${SUPPORT_ED25519}" -eq 1 ]; then
     # generate ED25519
     KEYID='0004'
     URIKEYID="%00%04"
@@ -232,37 +266,32 @@ if [ "${TOKENTYPE}" != "softokn" ]; then
     echo "${EDPUBURI}"
     echo "${EDPRIURI}"
     echo "${EDCRTURI}"
+fi
 
-    # this requires OpenSC 0.26.0, which is not available in Ubuntu and CentOS 9
-    if [[ -f /etc/debian_version ]] && grep Ubuntu /etc/lsb-release; then
-        echo "Ed448 not supported in Ubuntu's OpenSC version"
-    elif [[ -f /etc/redhat-release ]] && grep "release 9" /etc/redhat-release; then
-        echo "Ed448 not supported in EL9's OpenSC version"
-    else
-        # generate ED448
-        KEYID='0009'
-        URIKEYID="%00%09"
-        ED2CRTN="ed2Cert"
-
-        pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="EC:Ed448" \
-            --label="${ED2CRTN}" --id="$KEYID"
-        ca_sign $ED2CRTN "My ED448 Cert" $KEYID
-
-        ED2BASEURIWITHPINVALUE="pkcs11:id=${URIKEYID};pin-value=${PINVALUE}"
-        ED2BASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID};pin-source=file:${PINFILE}"
-        ED2BASEURI="pkcs11:id=${URIKEYID}"
-        ED2PUBURI="pkcs11:type=public;id=${URIKEYID}"
-        ED2PRIURI="pkcs11:type=private;id=${URIKEYID}"
-        ED2CRTURI="pkcs11:type=cert;object=${ED2CRTN}"
-
-        title LINE "ED448 PKCS11 URIS"
-        echo "${ED2BASEURIWITHPINVALUE}"
-        echo "${ED2BASEURIWITHPINSOURCE}"
-        echo "${ED2BASEURI}"
-        echo "${ED2PUBURI}"
-        echo "${ED2PRIURI}"
-        echo "${ED2CRTURI}"
-    fi
+if [ "${SUPPORT_ED448}" -eq 1 ]; then
+    # generate ED448
+    KEYID='0009'
+    URIKEYID="%00%09"
+    ED2CRTN="ed2Cert"
+
+    pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="EC:Ed448" \
+        --label="${ED2CRTN}" --id="$KEYID"
+    ca_sign $ED2CRTN "My ED448 Cert" $KEYID
+
+    ED2BASEURIWITHPINVALUE="pkcs11:id=${URIKEYID};pin-value=${PINVALUE}"
+    ED2BASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID};pin-source=file:${PINFILE}"
+    ED2BASEURI="pkcs11:id=${URIKEYID}"
+    ED2PUBURI="pkcs11:type=public;id=${URIKEYID}"
+    ED2PRIURI="pkcs11:type=private;id=${URIKEYID}"
+    ED2CRTURI="pkcs11:type=cert;object=${ED2CRTN}"
+
+    title LINE "ED448 PKCS11 URIS"
+    echo "${ED2BASEURIWITHPINVALUE}"
+    echo "${ED2BASEURIWITHPINSOURCE}"
+    echo "${ED2BASEURI}"
+    echo "${ED2PUBURI}"
+    echo "${ED2PRIURI}"
+    echo "${ED2CRTURI}"
 fi
 
 title PARA "generate RSA key pair, self-signed certificate, remove public key"
@@ -395,6 +424,12 @@ export OPENSSL_CONF="${OPENSSL_CONF}"
 export TESTSSRCDIR="${TESTSSRCDIR}"
 export TESTBLDDIR="${TESTBLDDIR}"
 
+export SUPPORT_ED25519="${SUPPORT_ED25519}"
+export SUPPORT_ED448="${SUPPORT_ED448}"
+export SUPPORT_RSA_PKCS1_ENCRYPTION="${SUPPORT_RSA_PKCS1_ENCRYPTION}"
+export SUPPORT_RSA_KEYGEN_PUBLIC_EXPONENT="${SUPPORT_RSA_KEYGEN_PUBLIC_EXPONENT}"
+export SUPPORT_TLSFUZZER="${SUPPORT_TLSFUZZER}"
+
 export TESTPORT="${TESTPORT}"
 
 export CACRT="${CACRT_PEM}"

tests/softhsm-init.sh

@@ -62,7 +62,7 @@ export TOKENLABELURI="SoftHSM%20Token"
 softhsm2-util --init-token --label "${TOKENLABEL}" --free --pin "${PINVALUE}" --so-pin "${PINVALUE}"
 
 #softhsm crashes on de-init so we need to default to this quirk
-export TOKENOPTIONS="pkcs11-module-quirks = no-deinit no-operation-state"
+export TOKENOPTIONS="${TOKENOPTIONS}\npkcs11-module-quirks = no-deinit no-operation-state"
 
 export TOKENCONFIGVARS="export SOFTHSM2_CONF=${TMPPDIR}/softhsm.conf"
 

tests/softokn-init.sh

@@ -19,7 +19,11 @@ export NSS_LIB_PARAMS="configDir=${TOKDIR}"
 export TOKENLABEL="NSS Certificate DB"
 export TOKENLABELURI="NSS%20Certificate%20DB"
 
-export TOKENOPTIONS="pkcs11-module-quirks = no-operation-state no-allowed-mechanisms"
+export TOKENOPTIONS="${TOKENOPTIONS}\npkcs11-module-quirks = no-operation-state no-allowed-mechanisms"
 export TOKENCONFIGVARS="export NSS_LIB_PARAMS=configDir=${TOKDIR}"
 
 export TESTPORT="30000"
+
+# Edward curves are not supported in NSS yet
+export SUPPORT_ED25519=0
+export SUPPORT_ED448=0

tests/tbasic

@@ -67,20 +67,21 @@ pkeyutl -verify -inkey "${PUBURI}"
                 -rawin
                 -sigfile ${TMPPDIR}/sha256-dgstsig.bin'
 
+if [[ "$SUPPORT_RSA_PKCS1_ENCRYPTION" = "1" ]]; then
+    SECRETFILE=${TMPPDIR}/rsasecret.txt
+    echo "Super Secret" > "${SECRETFILE}"
 
-SECRETFILE=${TMPPDIR}/rsasecret.txt
-echo "Super Secret" > "${SECRETFILE}"
-
-title LINE "RSA basic encrypt and decrypt"
-ossl '
-pkeyutl -encrypt -inkey "${PUBURI}" -pubin
-                 -in ${SECRETFILE}
-                 -out ${SECRETFILE}.enc'
-ossl '
-pkeyutl -decrypt -inkey "${PRIURI}"
-                 -in ${SECRETFILE}.enc
-                 -out ${SECRETFILE}.dec'
-diff "${SECRETFILE}" "${SECRETFILE}.dec"
+    title LINE "RSA basic encrypt and decrypt"
+    ossl '
+    pkeyutl -encrypt -inkey "${PUBURI}" -pubin
+                     -in ${SECRETFILE}
+                     -out ${SECRETFILE}.enc'
+    ossl '
+    pkeyutl -decrypt -inkey "${PRIURI}"
+                     -in ${SECRETFILE}.enc
+                     -out ${SECRETFILE}.dec'
+    diff "${SECRETFILE}" "${SECRETFILE}.dec"
+fi
 
 title PARA "Test Disallow Public Export"
 ORIG_OPENSSL_CONF=${OPENSSL_CONF}

tests/tedwards

@@ -4,6 +4,10 @@
 
 source "${TESTSSRCDIR}/helpers.sh"
 
+if [[ "${SUPPORT_ED25519}" = "0" ]]; then
+    exit 77;
+fi
+
 title PARA "Export ED25519 Public key to a file"
 ossl 'pkey -in $EDPUBURI -pubin -pubout -out ${TMPPDIR}/edout.pub'
 
@@ -65,7 +69,7 @@ fi
 if [[ -n $ED2BASEURI ]]; then
     title PARA "Export ED448 Public key to a file"
     ossl 'pkey -in $ED2PUBURI -pubin -pubout -out ${TMPPDIR}/ed2out.pub'
-    
+
     title LINE "Print ED448 Public key from private"
     ossl 'pkey -in $ED2PRIURI -pubout -text' $helper_emit
     output="$helper_output"
@@ -79,7 +83,7 @@ if [[ -n $ED2BASEURI ]]; then
         echo
         exit 1
     fi
-    
+
     title PARA "DigestSign and DigestVerify with ED448"
     ossl '
     pkeyutl -sign -inkey "${ED2BASEURI}"
@@ -91,16 +95,16 @@ if [[ -n $ED2BASEURI ]]; then
                     -in ${RAND64FILE}
                     -rawin
                     -sigfile ${TMPPDIR}/sha256-eddgstsig.bin'
-    
+
     title PARA "Test CSR generation from private ED448 keys"
     ossl '
     req -new -batch -key "${ED2PRIURI}" -out ${TMPPDIR}/ed448_csr.pem'
     ossl '
     req -in ${TMPPDIR}/ed448_csr.pem -verify -noout'
-    
+
     title PARA "Test EVP_PKEY_eq on public Edwards key both on token"
     $CHECKER "${TESTBLDDIR}/tcmpkeys" "$ED2PUBURI" "$ED2PUBURI"
-    
+
     title PARA "Test EVP_PKEY_eq on public ED448 key via import"
     $CHECKER "${TESTBLDDIR}/tcmpkeys" "$ED2PUBURI" "${TMPPDIR}"/ed2out.pub
     title PARA "Match private ED448 key against public key"

tests/timported

@@ -22,8 +22,12 @@ ossl 'pkey -in ${TMPPDIR}/file.ec.key.pem
 title LINE "Generate RSA keypair in files"
 # older versions of openssl don't support -outpubkey ...
 # .. so we'll use two steps
+export OPTS=""
+if [[ "${SUPPORT_RSA_KEYGEN_PUBLIC_EXPONENT}" = "1" ]]; then
+    export OPTS="-pkeyopt rsa_keygen_pubexp:3"
+fi
 ossl 'genpkey -algorithm RSA -out ${TMPPDIR}/file.rsa.key.pem
-              -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3'
+              -pkeyopt rsa_keygen_bits:2048 ${OPTS}'
 ossl 'pkey -in ${TMPPDIR}/file.rsa.key.pem
            -pubout -out ${TMPPDIR}/file.rsa.pub.key.pem'
 

tests/tlsctx.c

@@ -107,6 +107,7 @@ static void test_pkcs1_with_tls_padding(void)
 int main(int argc, char *argv[])
 {
     SSL_CTX *ctx;
+    char *env;
 
     ctx = SSL_CTX_new(TLS_server_method());
     if (!ctx) {
@@ -119,7 +120,10 @@ int main(int argc, char *argv[])
 
     SSL_CTX_free(ctx);
 
-    test_pkcs1_with_tls_padding();
+    env = getenv("SUPPORT_RSA_PKCS1_ENCRYPTION");
+    if (env && env[0] == "1") {
+        test_pkcs1_with_tls_padding();
+    }
 
     exit(EXIT_SUCCESS);
 }

tests/ttlsfuzzer

@@ -9,6 +9,11 @@ if [[ ! -d "${TESTSSRCDIR}/../tlsfuzzer/tlsfuzzer" ]]; then
     exit 77;
 fi
 
+if [[ "${SUPPORT_TLSFUZZER}" = "0" ]]; then
+    title "TLS fuzzer does not work in FIPS Mode"
+    exit 77;
+fi
+
 TMPFILE="${TMPPDIR}/tls-fuzzer.$$.tmp"
 PORT="$TESTPORT"
 PYTHON=$(which python3)