Make crypto tests work with OpenSSL 3.0 under FIPS #61

Merged
merged 1 commit into from
Nov 14, 2022

Collaborator

@ueno ueno commented Oct 31, 2022

There are a few restrictions enforced when OpenSSL 3.0 is used under FIPS mode that are incompatible with the Go tests, namely:

  • For creating a signature, encrypting, and decrypting, RSA key size must be equal to or longer than 2048 bits
  • For verifying a signature, RSA key size must be equal to or longer than 1024 bits
  • PKCS#1 v1.5 is not supported for encryption and decryption (signing and verification are still allowed)

This either skips the relevant tests or increases the key size used for testing.

This should fix the test failures in crypto tests as mentioned in golang-fips/openssl#25.

@ueno ueno force-pushed the wip/openssl-3.0.x-fixes branch from b1a0ee7 to c91e7a7 Compare November 1, 2022 06:55
Collaborator Author

ueno commented Nov 1, 2022

@dbenoit17 in the latest revision I've replaced the RSA test key with a newly generated 2048-bit key, so the majority of encryption/signing tests are not skipped.

@ueno ueno force-pushed the wip/openssl-3.0.x-fixes branch 2 times, most recently from 5e696d1 to faa422f Compare November 1, 2022 09:58
@ueno ueno marked this pull request as ready for review November 1, 2022 10:01
@ueno ueno force-pushed the wip/openssl-3.0.x-fixes branch 3 times, most recently from bf6df8f to 764e38c Compare November 1, 2022 15:51
There are a few restrictions enforced when OpenSSL 3.0 is used under
FIPS mode, that are incompatible with the Go tests, namely:

- For creating signature, encrypting, and decrypting, RSA key size
  must be equal to or longer than 2048 bits
- For verifying signature, RSA key size must be equal to or longer
  than 1024 bits
- PKCS#1 v1.5 is not supported for encryption and decryption (signing
  and verification are still allowed)

This either skips the relevant tests or increases key size used for
testing.

Signed-off-by: Daiki Ueno <[email protected]>
@ueno ueno force-pushed the wip/openssl-3.0.x-fixes branch from 764e38c to 2aae08c Compare November 2, 2022 01:09
@derekparker derekparker requested a review from dbenoit17 November 7, 2022 18:10
Contributor

@derekparker derekparker left a comment

LGTM

Collaborator

@dbenoit17 dbenoit17 left a comment

LGTM

@dbenoit17 dbenoit17 merged commit 319e6db into golang-fips:main Nov 14, 2022
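
The three restrictions listed in the pull request description can be expressed as a guard that a test consults before exercising an RSA operation. The following is an added example, not code from this pull request or from golang-fips; `skipReason`, `pubOfSize`, `Op` and `Padding` are hypothetical names, and the keys are constructed stand-ins with the right modulus length rather than real keys.

```go
package main

import (
	"crypto/rsa"
	"fmt"
	"math/big"
)

type Op int
type Padding int

const (
	Sign Op = iota
	Verify
	Encrypt
	Decrypt
)
const (
	PKCS1v15 Padding = iota
	OAEP
	PSS
)

// skipReason (hypothetical helper) returns why a test case would be rejected
// under the restrictions listed in the PR description, or "" if it may run.
func skipReason(op Op, pub *rsa.PublicKey, pad Padding) string {
	bits, minBits := pub.N.BitLen(), 2048 // sign, encrypt, decrypt: >= 2048 bits
	if op == Verify {
		minBits = 1024 // verification only: >= 1024 bits
	}
	if bits < minBits {
		return fmt.Sprintf("%d-bit RSA key is below the %d-bit minimum", bits, minBits)
	}
	if pad == PKCS1v15 && (op == Encrypt || op == Decrypt) {
		return "PKCS#1 v1.5 is not supported for encryption and decryption"
	}
	return ""
}

// pubOfSize builds a constructed stand-in whose modulus has the given bit
// length; it is not a usable key and only serves to drive skipReason.
func pubOfSize(bits int) *rsa.PublicKey {
	return &rsa.PublicKey{N: new(big.Int).Lsh(big.NewInt(1), uint(bits-1)), E: 65537}
}

func main() {
	fmt.Printf("sign/1024/PSS:     %q\n", skipReason(Sign, pubOfSize(1024), PSS))
	fmt.Printf("verify/1024/v1.5:  %q\n", skipReason(Verify, pubOfSize(1024), PKCS1v15))
	fmt.Printf("encrypt/2048/v1.5: %q\n", skipReason(Encrypt, pubOfSize(2048), PKCS1v15))
	fmt.Printf("encrypt/2048/OAEP: %q\n", skipReason(Encrypt, pubOfSize(2048), OAEP))
}
```

In a real test the non-empty result would be passed to `t.Skip`, and the guard would only be consulted when the FIPS-mode backend is active.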