fips140_test.go

     1  // Copyright 2017 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"crypto/ecdsa"
     9  	"crypto/elliptic"
    10  	"crypto/internal/boring"
    11  	"crypto/rand"
    12  	"crypto/rsa"
    13  	"crypto/x509"
    14  	"crypto/x509/pkix"
    15  	"encoding/pem"
    16  	"fmt"
    17  	"internal/obscuretestdata"
    18  	"internal/testenv"
    19  	"math/big"
    20  	"net"
    21  	"runtime"
    22  	"strings"
    23  	"testing"
    24  	"time"
    25  )
    26  
    27  func allCipherSuitesIncludingTLS13() []uint16 {
    28  	s := allCipherSuites()
    29  	for _, suite := range cipherSuitesTLS13 {
    30  		s = append(s, suite.id)
    31  	}
    32  	return s
    33  }
    34  
    35  func isTLS13CipherSuite(id uint16) bool {
    36  	for _, suite := range cipherSuitesTLS13 {
    37  		if id == suite.id {
    38  			return true
    39  		}
    40  	}
    41  	return false
    42  }
    43  
    44  func generateKeyShare(group CurveID) keyShare {
    45  	ke, err := keyExchangeForCurveID(group)
    46  	if err != nil {
    47  		panic(err)
    48  	}
    49  	_, shares, err := ke.keyShares(rand.Reader)
    50  	if err != nil {
    51  		panic(err)
    52  	}
    53  	return shares[0]
    54  }
    55  
    56  func TestFIPSServerProtocolVersion(t *testing.T) {
    57  	test := func(t *testing.T, name string, v uint16, msg string) {
    58  		t.Run(name, func(t *testing.T) {
    59  			serverConfig := testConfig.Clone()
    60  			serverConfig.MinVersion = VersionSSL30
    61  			clientConfig := testConfig.Clone()
    62  			clientConfig.MinVersion = v
    63  			clientConfig.MaxVersion = v
    64  			_, _, err := testHandshake(t, clientConfig, serverConfig)
    65  			if msg == "" {
    66  				if err != nil {
    67  					t.Fatalf("got error: %v, expected success", err)
    68  				}
    69  			} else {
    70  				if err == nil {
    71  					t.Fatalf("got success, expected error")
    72  				}
    73  				if !strings.Contains(err.Error(), msg) {
    74  					t.Fatalf("got error %v, expected %q", err, msg)
    75  				}
    76  			}
    77  		})
    78  	}
    79  
    80  	runWithFIPSDisabled(t, func(t *testing.T) {
    81  		test(t, "VersionTLS10", VersionTLS10, "")
    82  		test(t, "VersionTLS11", VersionTLS11, "")
    83  		test(t, "VersionTLS12", VersionTLS12, "")
    84  		test(t, "VersionTLS13", VersionTLS13, "")
    85  	})
    86  
    87  	runWithFIPSEnabled(t, func(t *testing.T) {
    88  		test(t, "VersionTLS10", VersionTLS10, "supported versions")
    89  		test(t, "VersionTLS11", VersionTLS11, "supported versions")
    90  		test(t, "VersionTLS12", VersionTLS12, "")
    91  		test(t, "VersionTLS13", VersionTLS13, "")
    92  	})
    93  }
    94  
    95  func isFIPSVersion(v uint16) bool {
    96  	return v == VersionTLS12 || v == VersionTLS13
    97  }
    98  
    99  func isFIPSCipherSuite(id uint16) bool {
   100  	name := CipherSuiteName(id)
   101  	if isTLS13CipherSuite(id) {
   102  		switch id {
   103  		case TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384:
   104  			return true
   105  		case TLS_CHACHA20_POLY1305_SHA256:
   106  			return false
   107  		default:
   108  			panic("unknown TLS 1.3 cipher suite: " + name)
   109  		}
   110  	}
   111  	switch id {
   112  	case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
   113  		TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
   114  		TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
   115  		TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
   116  		return true
   117  	case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
   118  		TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
   119  		// Only for the native module.
   120  		return !boring.Enabled
   121  	}
   122  	switch {
   123  	case strings.Contains(name, "CHACHA20"):
   124  		return false
   125  	case strings.HasSuffix(name, "_SHA"): // SHA-1
   126  		return false
   127  	case strings.HasPrefix(name, "TLS_RSA"): // RSA kex
   128  		return false
   129  	default:
   130  		panic("unknown cipher suite: " + name)
   131  	}
   132  }
   133  
   134  func isFIPSCurve(id CurveID) bool {
   135  	switch id {
   136  	case CurveP256, CurveP384, CurveP521:
   137  		return true
   138  	case X25519MLKEM768, SecP256r1MLKEM768, SecP384r1MLKEM1024:
   139  		// Only for the native module.
   140  		return !boring.Enabled
   141  	case X25519:
   142  		return false
   143  	default:
   144  		panic("unknown curve: " + id.String())
   145  	}
   146  }
   147  
   148  func isECDSA(id uint16) bool {
   149  	for _, suite := range cipherSuites {
   150  		if suite.id == id {
   151  			return suite.flags&suiteECSign == suiteECSign
   152  		}
   153  	}
   154  	return false // TLS 1.3 cipher suites are not tied to the signature algorithm.
   155  }
   156  
   157  func isFIPSSignatureScheme(alg SignatureScheme) bool {
   158  	switch alg {
   159  	case PKCS1WithSHA256,
   160  		ECDSAWithP256AndSHA256,
   161  		PKCS1WithSHA384,
   162  		ECDSAWithP384AndSHA384,
   163  		PKCS1WithSHA512,
   164  		ECDSAWithP521AndSHA512,
   165  		PSSWithSHA256,
   166  		PSSWithSHA384,
   167  		PSSWithSHA512:
   168  		return true
   169  	case Ed25519:
   170  		// Only for the native module.
   171  		return !boring.Enabled
   172  	case PKCS1WithSHA1, ECDSAWithSHA1:
   173  		return false
   174  	default:
   175  		panic("unknown signature scheme: " + alg.String())
   176  	}
   177  }
   178  
   179  func TestFIPSServerCipherSuites(t *testing.T) {
   180  	serverConfig := testConfig.Clone()
   181  	serverConfig.Certificates = make([]Certificate, 1)
   182  
   183  	for _, id := range allCipherSuitesIncludingTLS13() {
   184  		if isECDSA(id) {
   185  			serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
   186  			serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
   187  		} else {
   188  			serverConfig.Certificates[0].Certificate = [][]byte{testRSACertificate}
   189  			serverConfig.Certificates[0].PrivateKey = testRSAPrivateKey
   190  		}
   191  		serverConfig.BuildNameToCertificate()
   192  		t.Run(fmt.Sprintf("suite=%s", CipherSuiteName(id)), func(t *testing.T) {
   193  			clientHello := &clientHelloMsg{
   194  				vers:                         VersionTLS12,
   195  				random:                       make([]byte, 32),
   196  				cipherSuites:                 []uint16{id},
   197  				compressionMethods:           []uint8{compressionNone},
   198  				supportedCurves:              defaultCurvePreferences(),
   199  				keyShares:                    []keyShare{generateKeyShare(CurveP256)},
   200  				supportedPoints:              []uint8{pointFormatUncompressed},
   201  				supportedVersions:            []uint16{VersionTLS12},
   202  				supportedSignatureAlgorithms: allowedSignatureAlgorithmsFIPS,
   203  			}
   204  			if isTLS13CipherSuite(id) {
   205  				clientHello.supportedVersions = []uint16{VersionTLS13}
   206  			}
   207  
   208  			runWithFIPSDisabled(t, func(t *testing.T) {
   209  				testClientHello(t, serverConfig, clientHello)
   210  			})
   211  
   212  			runWithFIPSEnabled(t, func(t *testing.T) {
   213  				msg := ""
   214  				if !isFIPSCipherSuite(id) {
   215  					msg = "no cipher suite supported by both client and server"
   216  				}
   217  				testClientHelloFailure(t, serverConfig, clientHello, msg)
   218  			})
   219  		})
   220  	}
   221  }
   222  
   223  func TestFIPSServerCurves(t *testing.T) {
   224  	serverConfig := testConfig.Clone()
   225  	serverConfig.CurvePreferences = nil
   226  	serverConfig.BuildNameToCertificate()
   227  
   228  	for _, curveid := range defaultCurvePreferences() {
   229  		t.Run(fmt.Sprintf("curve=%v", curveid), func(t *testing.T) {
   230  			clientConfig := testConfig.Clone()
   231  			clientConfig.CurvePreferences = []CurveID{curveid}
   232  
   233  			runWithFIPSDisabled(t, func(t *testing.T) {
   234  				if _, _, err := testHandshake(t, clientConfig, serverConfig); err != nil {
   235  					t.Fatalf("got error: %v, expected success", err)
   236  				}
   237  			})
   238  
   239  			// With fipstls forced, bad curves should be rejected.
   240  			runWithFIPSEnabled(t, func(t *testing.T) {
   241  				_, _, err := testHandshake(t, clientConfig, serverConfig)
   242  				if err != nil && isFIPSCurve(curveid) {
   243  					t.Fatalf("got error: %v, expected success", err)
   244  				} else if err == nil && !isFIPSCurve(curveid) {
   245  					t.Fatalf("got success, expected error")
   246  				}
   247  			})
   248  		})
   249  	}
   250  }
   251  
   252  func fipsHandshake(t *testing.T, clientConfig, serverConfig *Config) (clientErr, serverErr error) {
   253  	c, s := localPipe(t)
   254  	client := Client(c, clientConfig)
   255  	server := Server(s, serverConfig)
   256  	done := make(chan error, 1)
   257  	go func() {
   258  		done <- client.Handshake()
   259  		c.Close()
   260  	}()
   261  	serverErr = server.Handshake()
   262  	s.Close()
   263  	clientErr = <-done
   264  	return
   265  }
   266  
   267  func TestFIPSServerSignatureAndHash(t *testing.T) {
   268  	defer func() {
   269  		testingOnlySupportedSignatureAlgorithms = nil
   270  	}()
   271  	testenv.SetGODEBUG(t, "tlssha1=1")
   272  
   273  	for _, sigHash := range defaultSupportedSignatureAlgorithms() {
   274  		t.Run(fmt.Sprintf("%v", sigHash), func(t *testing.T) {
   275  			serverConfig := testConfig.Clone()
   276  			serverConfig.Certificates = make([]Certificate, 1)
   277  
   278  			testingOnlySupportedSignatureAlgorithms = []SignatureScheme{sigHash}
   279  
   280  			sigType, _, _ := typeAndHashFromSignatureScheme(sigHash)
   281  			switch sigType {
   282  			case signaturePKCS1v15, signatureRSAPSS:
   283  				serverConfig.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
   284  				serverConfig.Certificates[0].Certificate = [][]byte{testRSAPSS2048Certificate}
   285  				serverConfig.Certificates[0].PrivateKey = testRSAPSS2048PrivateKey
   286  			case signatureEd25519:
   287  				serverConfig.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
   288  				serverConfig.Certificates[0].Certificate = [][]byte{testEd25519Certificate}
   289  				serverConfig.Certificates[0].PrivateKey = testEd25519PrivateKey
   290  			case signatureECDSA:
   291  				serverConfig.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
   292  				serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
   293  				serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
   294  			}
   295  			serverConfig.BuildNameToCertificate()
   296  			// PKCS#1 v1.5 signature algorithms can't be used standalone in TLS
   297  			// 1.3, and the ECDSA ones bind to the curve used.
   298  			serverConfig.MaxVersion = VersionTLS12
   299  
   300  			runWithFIPSDisabled(t, func(t *testing.T) {
   301  				clientErr, serverErr := fipsHandshake(t, testConfig, serverConfig)
   302  				if clientErr != nil {
   303  					t.Fatalf("expected handshake with %v to succeed; client error: %v; server error: %v", sigHash, clientErr, serverErr)
   304  				}
   305  			})
   306  
   307  			// With fipstls forced, bad curves should be rejected.
   308  			runWithFIPSEnabled(t, func(t *testing.T) {
   309  				clientErr, _ := fipsHandshake(t, testConfig, serverConfig)
   310  				if isFIPSSignatureScheme(sigHash) {
   311  					if clientErr != nil {
   312  						t.Fatalf("expected handshake with %v to succeed; err=%v", sigHash, clientErr)
   313  					}
   314  				} else {
   315  					if clientErr == nil {
   316  						t.Fatalf("expected handshake with %v to fail, but it succeeded", sigHash)
   317  					}
   318  				}
   319  			})
   320  		})
   321  	}
   322  }
   323  
   324  func TestFIPSClientHello(t *testing.T) {
   325  	runWithFIPSEnabled(t, testFIPSClientHello)
   326  }
   327  
   328  func testFIPSClientHello(t *testing.T) {
   329  	// Test that no matter what we put in the client config,
   330  	// the client does not offer non-FIPS configurations.
   331  
   332  	c, s := net.Pipe()
   333  	defer c.Close()
   334  	defer s.Close()
   335  
   336  	clientConfig := testConfig.Clone()
   337  	// All sorts of traps for the client to avoid.
   338  	clientConfig.MinVersion = VersionSSL30
   339  	clientConfig.MaxVersion = VersionTLS13
   340  	clientConfig.CipherSuites = allCipherSuites()
   341  	clientConfig.CurvePreferences = defaultCurvePreferences()
   342  
   343  	go Client(c, clientConfig).Handshake()
   344  	srv := Server(s, testConfig)
   345  	msg, err := srv.readHandshake(nil)
   346  	if err != nil {
   347  		t.Fatal(err)
   348  	}
   349  	hello, ok := msg.(*clientHelloMsg)
   350  	if !ok {
   351  		t.Fatalf("unexpected message type %T", msg)
   352  	}
   353  
   354  	if !isFIPSVersion(hello.vers) {
   355  		t.Errorf("client vers=%#x", hello.vers)
   356  	}
   357  	for _, v := range hello.supportedVersions {
   358  		if !isFIPSVersion(v) {
   359  			t.Errorf("client offered disallowed version %#x", v)
   360  		}
   361  	}
   362  	for _, id := range hello.cipherSuites {
   363  		if !isFIPSCipherSuite(id) {
   364  			t.Errorf("client offered disallowed suite %v", CipherSuiteName(id))
   365  		}
   366  	}
   367  	for _, id := range hello.supportedCurves {
   368  		if !isFIPSCurve(id) {
   369  			t.Errorf("client offered disallowed curve %v", id)
   370  		}
   371  	}
   372  	for _, sigHash := range hello.supportedSignatureAlgorithms {
   373  		if !isFIPSSignatureScheme(sigHash) {
   374  			t.Errorf("client offered disallowed signature-and-hash %v", sigHash)
   375  		}
   376  	}
   377  }
   378  
   379  func TestFIPSCertAlgs(t *testing.T) {
   380  	// arm and wasm time out generating keys. Nothing in this test is
   381  	// architecture-specific, so just don't bother on those.
   382  	if testenv.CPUIsSlow() {
   383  		t.Skipf("skipping on %s/%s because key generation takes too long", runtime.GOOS, runtime.GOARCH)
   384  	}
   385  
   386  	// Set up some roots, intermediate CAs, and leaf certs with various algorithms.
   387  	// X_Y is X signed by Y.
   388  	R1 := fipsCert(t, "R1", fipsRSAKey(t, 2048), nil, fipsCertCA|fipsCertFIPSOK)
   389  	R2 := fipsCert(t, "R2", fipsRSAKey(t, 1024), nil, fipsCertCA)
   390  	R3 := fipsCert(t, "R3", fipsRSAKey(t, 4096), nil, fipsCertCA|fipsCertFIPSOK)
   391  
   392  	M1_R1 := fipsCert(t, "M1_R1", fipsECDSAKey(t, elliptic.P256()), R1, fipsCertCA|fipsCertFIPSOK)
   393  	M2_R1 := fipsCert(t, "M2_R1", fipsECDSAKey(t, elliptic.P224()), R1, fipsCertCA)
   394  
   395  	I_R1 := fipsCert(t, "I_R1", fipsRSAKey(t, 3072), R1, fipsCertCA|fipsCertFIPSOK)
   396  	I_R2 := fipsCert(t, "I_R2", I_R1.key, R2, fipsCertCA|fipsCertFIPSOK)
   397  	I_M1 := fipsCert(t, "I_M1", I_R1.key, M1_R1, fipsCertCA|fipsCertFIPSOK)
   398  	I_M2 := fipsCert(t, "I_M2", I_R1.key, M2_R1, fipsCertCA|fipsCertFIPSOK)
   399  
   400  	I_R3 := fipsCert(t, "I_R3", fipsRSAKey(t, 3072), R3, fipsCertCA|fipsCertFIPSOK)
   401  	fipsCert(t, "I_R3", I_R3.key, R3, fipsCertCA|fipsCertFIPSOK)
   402  
   403  	L1_I := fipsCert(t, "L1_I", fipsECDSAKey(t, elliptic.P384()), I_R1, fipsCertLeaf|fipsCertFIPSOK)
   404  	L2_I := fipsCert(t, "L2_I", fipsRSAKey(t, 1024), I_R1, fipsCertLeaf)
   405  
   406  	// client verifying server cert
   407  	testServerCert := func(t *testing.T, desc string, pool *x509.CertPool, key any, list [][]byte, ok bool) {
   408  		clientConfig := testConfig.Clone()
   409  		clientConfig.RootCAs = pool
   410  		clientConfig.InsecureSkipVerify = false
   411  		clientConfig.ServerName = "example.com"
   412  
   413  		serverConfig := testConfig.Clone()
   414  		serverConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}}
   415  		serverConfig.BuildNameToCertificate()
   416  
   417  		clientErr, _ := fipsHandshake(t, clientConfig, serverConfig)
   418  
   419  		if (clientErr == nil) == ok {
   420  			if ok {
   421  				t.Logf("%s: accept", desc)
   422  			} else {
   423  				t.Logf("%s: reject", desc)
   424  			}
   425  		} else {
   426  			if ok {
   427  				t.Errorf("%s: BAD reject (%v)", desc, clientErr)
   428  			} else {
   429  				t.Errorf("%s: BAD accept", desc)
   430  			}
   431  		}
   432  	}
   433  
   434  	// server verifying client cert
   435  	testClientCert := func(t *testing.T, desc string, pool *x509.CertPool, key any, list [][]byte, ok bool) {
   436  		clientConfig := testConfig.Clone()
   437  		clientConfig.ServerName = "example.com"
   438  		clientConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}}
   439  
   440  		serverConfig := testConfig.Clone()
   441  		serverConfig.ClientCAs = pool
   442  		serverConfig.ClientAuth = RequireAndVerifyClientCert
   443  
   444  		_, serverErr := fipsHandshake(t, clientConfig, serverConfig)
   445  
   446  		if (serverErr == nil) == ok {
   447  			if ok {
   448  				t.Logf("%s: accept", desc)
   449  			} else {
   450  				t.Logf("%s: reject", desc)
   451  			}
   452  		} else {
   453  			if ok {
   454  				t.Errorf("%s: BAD reject (%v)", desc, serverErr)
   455  			} else {
   456  				t.Errorf("%s: BAD accept", desc)
   457  			}
   458  		}
   459  	}
   460  
   461  	// Run simple basic test with known answers before proceeding to
   462  	// exhaustive test with computed answers.
   463  	r1pool := x509.NewCertPool()
   464  	r1pool.AddCert(R1.cert)
   465  
   466  	runWithFIPSDisabled(t, func(t *testing.T) {
   467  		testServerCert(t, "basic", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, true)
   468  		testClientCert(t, "basic (client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, true)
   469  	})
   470  
   471  	runWithFIPSEnabled(t, func(t *testing.T) {
   472  		testServerCert(t, "basic (fips)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false)
   473  		testClientCert(t, "basic (fips, client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false)
   474  	})
   475  
   476  	if t.Failed() {
   477  		t.Fatal("basic test failed, skipping exhaustive test")
   478  	}
   479  
   480  	if testing.Short() {
   481  		t.Logf("basic test passed; skipping exhaustive test in -short mode")
   482  		return
   483  	}
   484  
   485  	for l := 1; l <= 2; l++ {
   486  		leaf := L1_I
   487  		if l == 2 {
   488  			leaf = L2_I
   489  		}
   490  		for i := 0; i < 64; i++ {
   491  			reachable := map[string]bool{leaf.parentOrg: true}
   492  			reachableFIPS := map[string]bool{leaf.parentOrg: leaf.fipsOK}
   493  			list := [][]byte{leaf.der}
   494  			listName := leaf.name
   495  			addList := func(cond int, c *fipsCertificate) {
   496  				if cond != 0 {
   497  					list = append(list, c.der)
   498  					listName += "," + c.name
   499  					if reachable[c.org] {
   500  						reachable[c.parentOrg] = true
   501  					}
   502  					if reachableFIPS[c.org] && c.fipsOK {
   503  						reachableFIPS[c.parentOrg] = true
   504  					}
   505  				}
   506  			}
   507  			addList(i&1, I_R1)
   508  			addList(i&2, I_R2)
   509  			addList(i&4, I_M1)
   510  			addList(i&8, I_M2)
   511  			addList(i&16, M1_R1)
   512  			addList(i&32, M2_R1)
   513  
   514  			for r := 1; r <= 3; r++ {
   515  				pool := x509.NewCertPool()
   516  				rootName := ","
   517  				shouldVerify := false
   518  				shouldVerifyFIPS := false
   519  				addRoot := func(cond int, c *fipsCertificate) {
   520  					if cond != 0 {
   521  						rootName += "," + c.name
   522  						pool.AddCert(c.cert)
   523  						if reachable[c.org] {
   524  							shouldVerify = true
   525  						}
   526  						if reachableFIPS[c.org] && c.fipsOK {
   527  							shouldVerifyFIPS = true
   528  						}
   529  					}
   530  				}
   531  				addRoot(r&1, R1)
   532  				addRoot(r&2, R2)
   533  				rootName = rootName[1:] // strip leading comma
   534  
   535  				runWithFIPSDisabled(t, func(t *testing.T) {
   536  					testServerCert(t, listName+"->"+rootName[1:], pool, leaf.key, list, shouldVerify)
   537  					testClientCert(t, listName+"->"+rootName[1:]+"(client cert)", pool, leaf.key, list, shouldVerify)
   538  				})
   539  
   540  				runWithFIPSEnabled(t, func(t *testing.T) {
   541  					testServerCert(t, listName+"->"+rootName[1:]+" (fips)", pool, leaf.key, list, shouldVerifyFIPS)
   542  					testClientCert(t, listName+"->"+rootName[1:]+" (fips, client cert)", pool, leaf.key, list, shouldVerifyFIPS)
   543  				})
   544  			}
   545  		}
   546  	}
   547  }
   548  
   549  const (
   550  	fipsCertCA = iota
   551  	fipsCertLeaf
   552  	fipsCertFIPSOK = 0x80
   553  )
   554  
   555  func fipsRSAKey(t *testing.T, size int) *rsa.PrivateKey {
   556  	k, err := rsa.GenerateKey(rand.Reader, size)
   557  	if err != nil {
   558  		t.Fatal(err)
   559  	}
   560  	return k
   561  }
   562  
   563  func fipsECDSAKey(t *testing.T, curve elliptic.Curve) *ecdsa.PrivateKey {
   564  	k, err := ecdsa.GenerateKey(curve, rand.Reader)
   565  	if err != nil {
   566  		t.Fatal(err)
   567  	}
   568  	return k
   569  }
   570  
   571  type fipsCertificate struct {
   572  	name      string
   573  	org       string
   574  	parentOrg string
   575  	der       []byte
   576  	cert      *x509.Certificate
   577  	key       any
   578  	fipsOK    bool
   579  }
   580  
   581  func fipsCert(t *testing.T, name string, key any, parent *fipsCertificate, mode int) *fipsCertificate {
   582  	org := name
   583  	parentOrg := ""
   584  	if i := strings.Index(org, "_"); i >= 0 {
   585  		org = org[:i]
   586  		parentOrg = name[i+1:]
   587  	}
   588  	tmpl := &x509.Certificate{
   589  		SerialNumber: big.NewInt(1),
   590  		Subject: pkix.Name{
   591  			Organization: []string{org},
   592  		},
   593  		NotBefore: time.Unix(0, 0),
   594  		NotAfter:  time.Unix(0, 0),
   595  
   596  		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
   597  		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
   598  		BasicConstraintsValid: true,
   599  	}
   600  	if mode&^fipsCertFIPSOK == fipsCertLeaf {
   601  		tmpl.DNSNames = []string{"example.com"}
   602  	} else {
   603  		tmpl.IsCA = true
   604  		tmpl.KeyUsage |= x509.KeyUsageCertSign
   605  	}
   606  
   607  	var pcert *x509.Certificate
   608  	var pkey any
   609  	if parent != nil {
   610  		pcert = parent.cert
   611  		pkey = parent.key
   612  	} else {
   613  		pcert = tmpl
   614  		pkey = key
   615  	}
   616  
   617  	var pub any
   618  	var desc string
   619  	switch k := key.(type) {
   620  	case *rsa.PrivateKey:
   621  		pub = &k.PublicKey
   622  		desc = fmt.Sprintf("RSA-%d", k.N.BitLen())
   623  	case *ecdsa.PrivateKey:
   624  		pub = &k.PublicKey
   625  		desc = "ECDSA-" + k.Curve.Params().Name
   626  	default:
   627  		t.Fatalf("invalid key %T", key)
   628  	}
   629  
   630  	der, err := x509.CreateCertificate(rand.Reader, tmpl, pcert, pub, pkey)
   631  	if err != nil {
   632  		t.Fatal(err)
   633  	}
   634  	cert, err := x509.ParseCertificate(der)
   635  	if err != nil {
   636  		t.Fatal(err)
   637  	}
   638  
   639  	fipsOK := mode&fipsCertFIPSOK != 0
   640  	runWithFIPSEnabled(t, func(t *testing.T) {
   641  		if isCertificateAllowedFIPS(cert) != fipsOK {
   642  			t.Errorf("fipsAllowCert(cert with %s key) = %v, want %v", desc, !fipsOK, fipsOK)
   643  		}
   644  	})
   645  
   646  	return &fipsCertificate{name, org, parentOrg, der, cert, key, fipsOK}
   647  }
   648  
   649  // A self-signed test certificate with an RSA key of size 2048, for testing
   650  // RSA-PSS with SHA512. SAN of example.golang.
   651  var (
   652  	testRSAPSS2048Certificate []byte
   653  	testRSAPSS2048PrivateKey  *rsa.PrivateKey
   654  )
   655  
   656  func init() {
   657  	block, _ := pem.Decode(obscuretestdata.Rot13([]byte(`
   658  -----ORTVA PREGVSVPNGR-----
   659  ZVVP/mPPNrrtNjVONtVENYUUK/xu4+4mZH9QnemORpDjQDLWXbMVuipANDRYODNj
   660  RwRDZN4TN1HRPuZUDJAgMFOQomNrSj0kZGNkZQRkAGN0ZQInSj0lZQRlZwxkAGN0
   661  ZQInZOVkRQNBOtAIONbGO0SwoJHtD28jttRvZN0TPFdTFVo3QDRONDHNN4VOQjNj
   662  ttRXNbVONDPs8sx0A6vrPOK4VBIVsXvgg4xTpBDYrvzPsfwddUplfZVITRgSFZ6R
   663  4Nl141s/7VdqJ0HgVdAo4CKuEBVQ7lQkE284kY6KoPhi/g5uC3HpruLp3uzYvlIq
   664  ZxMDvMJgsHHWs/1dBgZ+buAt59YEJc4q+6vK0yn1WY3RjPVpxxAwW9uDoS7Co2PF
   665  +RF9Lb55XNnc8XBoycpE8ZOFA38odajwsDqPKiBRBwnz2UHkXmRSK5ZN+sN0zr4P
   666  vbPpPEYJXy+TbA9S8sNOsbM+G+2rny4QYhB95eKE8FeBVIOu3KSBe/EIuwgKpAIS
   667  MXpiQg6q68I6wNXNLXz5ayw9TCcq4i+eNtZONNTwHQOBZN4TN1HqQjRO/jDRNjVS
   668  bQNGOtAIUFHRQQNXOtteOtRSODpQNGNZOtAIUEZONs8RNwNNZOxTN1HqRDDFZOPP
   669  QzI4LJ1joTHhM29fLJ5aZN0TPFdTFVo3QDROPjHNN4VONDPBbLfIpSPOuobdr3JU
   670  qP6I7KKKRPzawu01e8u80li0AE379aFQ3pj2Z+UXinKlfJdey5uwTIXj0igjQ81e
   671  I4WmQh7VsVbt5z8+DAP+7YdQMfm88iQXBefblFIBzHPtzPXSKrj+YN+rB/vDRWGe
   672  7rafqqBrKWRc27Rq5iJ+xzJJ3Dztyp2Tjl8jSeZQVdaeaBmON4bPaQRtgKWg0mbt
   673  aEjosRZNJv1nDEl5qG9XN3FC9zb5FrGSFmTTUvR4f4tUHr7wifNSS2dtgQ6+jU6f
   674  m9o6fukaP7t5VyOXuV7FIO/Hdg2lqW+xU1LowZpVd6ANZ5rAZXtMhWe3+mjfFtju
   675  TAnR
   676  -----RAQ PREGVSVPNGR-----`)))
   677  	testRSAPSS2048Certificate = block.Bytes
   678  
   679  	block, _ = pem.Decode(obscuretestdata.Rot13([]byte(`
   680  -----ORTVA EFN CEVINGR XRL-----
   681  ZVVRcNVONNXPNDRNa/U5AQrbattI+PQyFUlbeorWOaQxP3bcta7V6du3ZeQPSEuY
   682  EHwBuBNZgrAK/+lXaIgSYFXwJ+Q14HGvN+8t8HqiBZF+y2jee/7rLG91UUbJUA4M
   683  v4fyKGWTHVzIeK1SPK/9nweGCdVGLBsF0IdrUshby9WJgFF9kZNvUWWQLlsLHTkr
   684  m29txiuRiJXBrFtTdsPwz5nKRsQNHwq/T6c8V30UDy7muQb2cgu1ZFfkOI+GNCaj
   685  AWahNbdNaNxF1vcsudQsEsUjNK6Tsx/gazcrNl7wirn10sRdmvSDLq1kGd/0ILL7
   686  I3QIEJFaYj7rariSrbjPtTPchM5L/Ew6KrY/djVQNDNONbVONDPAcZMvsq/it42u
   687  UqPiYhMnLF0E7FhaSycbKRfygTqYSfac0VsbWM/htSDOFNVVsYjZhzH6bKN1m7Hi
   688  98nVLI61QrCeGPQIQSOfUoAzC8WNb8JgohfRojq5mlbO7YLT2+pyxWxyJR73XdHd
   689  ezV+HWrlFpy2Tva7MGkOKm1JCOx9IjpajxrnKctNFVOJ23suRPZ9taLRRjnOrm5G
   690  6Zr8q1gUgLDi7ifXr7eb9j9/UXeEKrwdLXX1YkxusSevlI+z8YMWMa2aKBn6T3tS
   691  Ao8Dx1Hx5CHORAOzlZSWuG4Z/hhFd4LgZeeB2tv8D+sCuhTmp5FfuLXEOc0J4C5e
   692  zgIPgRSENbTONZRAOVSYeI2+UfTw0kLSnfXbi/DCr6UFGE1Uu2VMBAc+bX4bfmJR
   693  wOG4IpaVGzcy6gP1Jl4TpekwAtXVSMNw+1k1YHHYqbeKxhT8le0gNuT9mAlsJfFl
   694  CeFbiP0HIome8Wkkyn+xDIkRDDdJDkCyRIhY8xKnVQN6Ylg1Uchn2YiCNbTONADM
   695  p6Yd2G7+OkYkAqv2z8xMmrw5xtmOc/KqIfoSJEyroVK2XeSUfeUmG9CHx3QR1iMX
   696  Z6cmGg94aDuJFxQtPnj1FbuRyW3USVSjphfS1FWNp3cDrcq8ht6VLqycQZYgOw/C
   697  /5C6OIHgtb05R4+V/G3vLngztyDkGgyM0ExFI2yyNbTONYBKxXSK7nuCis0JxfQu
   698  hGshSBGCbbjtDT0RctJ0jEqPkrt/WYvp3yFQ0tfggDI2JfErpelJpknryEt10EzB
   699  38OobtzunS4kitfFihwBsvMGR8bX1G43Z+6AXfVyZY3LVYocH/9nWkCJl0f2QdQe
   700  pDWuMeyx+cmwON7Oas/HEqjkNbTNXE/PAj14Q+zeY3LYoovPKvlqdkIjki5cqMqm
   701  8guv3GApfJP4vTHEqpIdosHvaICqWvKr/Xnp3JTPrEWnSItoXNBkYgv1EO5ZxVut
   702  Q8rlhcOdx4J1Y1txekdfqw4GSykxjZljwy2R2F4LlD8COg6I04QbIEMfVXmdm+CS
   703  HvbaCd0PtLOPLKidvbWuCrjxBd/L5jeQOrMJ1SDX5DQ9J5Z8/5mkq4eqiWgwuoWc
   704  bBegiZqey6hcl9Um4OWQ3SKjISvCSR7wdrAdv0S21ivYkOCZZQ3HBQS6YY5RlYvE
   705  9I4kIZF8XKkit7ekfhdmZCfpIvnJHY6JAIOufQ2+92qUkFKmm5RWXD==
   706  -----RAQ EFN CEVINGR XRL-----`)))
   707  	var err error
   708  	testRSAPSS2048PrivateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes)
   709  	if err != nil {
   710  		panic(err)
   711  	}
   712  }
   713
View as plain text