Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make crypto tests work with OpenSSL 3.0 under FIPS #61

Merged
merged 1 commit into from
Nov 14, 2022
Merged

Make crypto tests work with OpenSSL 3.0 under FIPS #61

merged 1 commit into from
Nov 14, 2022

Conversation

ueno
Copy link
Collaborator

@ueno ueno commented Oct 31, 2022

There are a few restrictions enforced when OpenSSL 3.0 is used under FIPS mode, that are incompatible with the Go tests, namely:

  • For creating signature, encrypting, and decrypting, RSA key size must be equal to or longer than 2048 bits
  • For verifying signature, RSA key size must be equal to or longer than 1024 bits
  • PKCS#1 v1.5 is not supported for encryption and decryption (signing and verification are still allowed)

This either skips the relevant tests or increases key size used for testing.

This should fix the test failures in crypto tests as mentioned in golang-fips/openssl#25.

@ueno
Copy link
Collaborator Author

ueno commented Nov 1, 2022

@dbenoit17 in the latest revision I've replaced the RSA test key with newly generated 2048-bit key, so the majority of encryption/signing tests are not skipped.

@ueno ueno force-pushed the wip/openssl-3.0.x-fixes branch 2 times, most recently from 5e696d1 to faa422f Compare November 1, 2022 09:58
@ueno ueno marked this pull request as ready for review November 1, 2022 10:01
@ueno ueno force-pushed the wip/openssl-3.0.x-fixes branch 3 times, most recently from bf6df8f to 764e38c Compare November 1, 2022 15:51
@ueno
Make crypto tests work with OpenSSL 3.0 under FIPS
2aae08c 
There are a few restrictions enforced when OpenSSL 3.0 is used under
FIPS mode, that are incompatible with the Go tests, namely:

- For creating signature, encrypting, and decrypting, RSA key size
  must be equal to or longer than 2048 bits
- For verifying signature, RSA key size must be equal to or longer
  than 1024 bits
- PKCS#1 v1.5 is not supported for encryption and decryption (signing
  and verification are still allowed)

This either skips the relevant tests or increases key size used for
testing.

Signed-off-by: Daiki Ueno <[email protected]>
derekparker
derekparker approved these changes Nov 7, 2022
View reviewed changes
Copy link
Contributor

@derekparker derekparker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

dbenoit17
dbenoit17 approved these changes Nov 14, 2022
View reviewed changes
Copy link
Collaborator

@dbenoit17 dbenoit17 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dbenoit17 dbenoit17 merged commit 319e6db into golang-fips:main Nov 14, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@derekparker derekparker derekparker approved these changes

@dbenoit17 dbenoit17 dbenoit17 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ueno @derekparker @dbenoit17