Merge pull request #183 from JacobBarthelmeh/fips

adjust tests for disable of DES with FIPS and add FIPS print out with…

Author: dgarske

src/tools/clu_funcs.c

@@ -1123,9 +1123,20 @@ void wolfCLU_stats(double start, int blockSize, int64_t blocks)
 /* returns WOLFCLU_SUCCESS on success */
 int wolfCLU_version(void)
 {
+#ifdef HAVE_FIPS
+    const char *isFIPS = " FIPS";
+#else
+    const char *isFIPS = "";
+#endif
+
     WOLFCLU_LOG(WOLFCLU_L0, "You are using version %s of the wolfssl Command Line Utility."
         , CLUWOLFSSL_VERSION_STRING);
-    WOLFCLU_LOG(WOLFCLU_L0, "Linked to wolfSSL version %s", LIBWOLFSSL_VERSION_STRING);
+    WOLFCLU_LOG(WOLFCLU_L0, "Linked to wolfSSL version %s%s",
+        LIBWOLFSSL_VERSION_STRING, isFIPS);
+#ifdef HAVE_FIPS
+    WOLFCLU_LOG(WOLFCLU_L0, "In FIPS builds there are algorithm restrictions "
+        "such as use of DES");
+#endif
     return WOLFCLU_SUCCESS;
 }
 

tests/pkcs/pkcs12-test.sh

@@ -12,6 +12,12 @@ then
     exit 77
 fi
 
+# Is this a FIPS build?
+if ./wolfssl -v 2>&1 | grep -q FIPS; then
+    #return 77 to indicate to automake that the test was skipped
+    exit 77
+fi
+
 RESULT=`./wolfssl pkcs12 -nodes -passin pass:"wolfSSL test" -passout pass: -in ./certs/test-servercert.p12 2>&1`
 echo "$RESULT" | grep "Recompile wolfSSL with PKCS12 support"
 if [ $? == 0 ]; then

tests/pkcs/pkcs8-test.sh

@@ -12,6 +12,12 @@ then
     exit 77
 fi
 
+# Is this a FIPS build?
+IS_FIPS=0
+if ./wolfssl -v 2>&1 | grep -q FIPS; then
+    IS_FIPS=1
+fi
+
 RESULT=`./wolfssl pkcs8 -in certs/server-keyEnc.pem -passin pass:yassl123 2>&1`
 echo "$RESULT" | grep "Recompile wolfSSL with PKCS8 support"
 if [ $? == 0 ]; then
@@ -37,9 +43,13 @@ run_fail() {
     fi
 }
 
-run "pkcs8 -in certs/server-keyEnc.pem -passin pass:yassl123 -outform DER -out keyEnc.der"
-
-run "pkcs8 -in keyEnc.der -inform DER -outform PEM -out key.pem"
+if [ ${IS_FIPS} != "1" ]; then
+    # Can only decrypt server-keyEnc.pem using DES if not a FIPS build
+    run "pkcs8 -in certs/server-keyEnc.pem -passin pass:yassl123 -outform DER -out keyEnc.der"
+    run "pkcs8 -in keyEnc.der -inform DER -outform PEM -out key.pem"
+else
+    run "pkcs8 -in certs/server-key.pem  -outform PEM -out key.pem"
+fi
 
 run "pkcs8 -in key.pem -topk8 -nocrypt"
 
@@ -55,19 +65,21 @@ rm -rf pkcs1.pem
 rm -rf key.pem
 rm -rf keyEnc.der
 
-#check stdin input
-RESULT=`cat certs/server-keyEnc.pem | ./wolfssl pkcs8 -passin pass:yassl123`
-echo $RESULT | grep "BEGIN PRIVATE"
-if [ $? != 0 ]; then
-    echo "Couldn't parse PKCS8 from stdin"
-    exit 99
-fi
+if [ ${IS_FIPS} != "1" ]; then
+    #check stdin input
+    RESULT=`cat certs/server-keyEnc.pem | ./wolfssl pkcs8 -passin pass:yassl123`
+    echo $RESULT | grep "BEGIN PRIVATE"
+    if [ $? != 0 ]; then
+        echo "Couldn't parse PKCS8 from stdin"
+        exit 99
+    fi
 
-run_fail "pkcs8 -in certs/server-cert.pem -passin pass:yassl123"
+    run_fail "pkcs8 -in certs/server-cert.pem -passin pass:yassl123"
 
-run_fail "pkcs8 -in certs/server-keyEnc.pem -passin pass:wrongPass"
+    run_fail "pkcs8 -in certs/server-keyEnc.pem -passin pass:wrongPass"
 
-run_fail "pkcs8 -in certs/server-keyEnc.pem -inform DER -passin pass:yassl123"
+    run_fail "pkcs8 -in certs/server-keyEnc.pem -inform DER -passin pass:yassl123"
+fi
 
 echo "Done"
 exit 0

tests/pkey/rsa-test.sh

@@ -12,6 +12,12 @@ then
     exit 77
 fi
 
+# Is this a FIPS build?
+IS_FIPS=0
+if ./wolfssl -v 2>&1 | grep -q FIPS; then
+    IS_FIPS=1
+fi
+
 run() {
     if [ -z "$2" ]; then
         RESULT=`./wolfssl $1`
@@ -67,30 +73,35 @@ run_fail "rsa -in ./certs/server-key.pem -pubin"
 
 # Test success cases for -RSAPublicKey_in
 run "rsa -in ./certs/server-keyPub.pem -RSAPublicKey_in"
-run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123"
-run_fail "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl12"
 
-run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123 -noout -modulus"
+if [ ${IS_FIPS} != "1" ]; then
+    run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123"
+    run_fail "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl12"
+
+    run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123 -noout -modulus"
+fi
 
 # Test success cases for -pubin
 run "rsa -in ./certs/server-keyPub.pem -pubin"
-run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123"
-run_fail "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl12"
+if [ ${IS_FIPS} != "1" ]; then
+    run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123"
+    run_fail "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl12"
 
-run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123 -noout -modulus"
+    run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123 -noout -modulus"
 
-# Check that modulus was printed
-echo $RESULT | grep "Modulus"
-if [ $? != 0 ]; then
-    echo "ERROR with -modulus option"
-    exit 99
-fi
+    # Check that modulus was printed
+    echo $RESULT | grep "Modulus"
+    if [ $? != 0 ]; then
+        echo "ERROR with -modulus option"
+        exit 99
+    fi
 
-# Check that key was not printed
-echo $RESULT | grep "BEGIN"
-if [ $? == 0 ]; then
-    echo "ERROR found a key with -modulus option"
-    exit 99
+    # Check that key was not printed
+    echo $RESULT | grep "BEGIN"
+    if [ $? == 0 ]; then
+        echo "ERROR found a key with -modulus option"
+        exit 99
+    fi
 fi
 
 # Expexted result -RSAPublicKey_in

tests/x509/expect-purpose.txt

@@ -1,7 +1,7 @@
 Certificate Purpose:
 Any Extended Key Usage : YES
 TLS Web Server Authentication : YES
-TLS Web Client Authentication : NO
+TLS Web Client Authentication : YES
 OCSP Signing : YES
 Email Protect : YES
 Time Stamp Signing : YES

tests/x509/x509-req-test.sh

@@ -12,6 +12,12 @@ then
     exit 77
 fi
 
+# Is this a FIPS build?
+IS_FIPS=0
+if ./wolfssl -v 2>&1 | grep -q FIPS; then
+    IS_FIPS=1
+fi
+
 run_success() {
     if [ -z "$2" ]; then
         RESULT=`./wolfssl $1`
@@ -218,13 +224,16 @@ if [ $? != 0 ]; then
 fi
 rm -f tmp.cert
 
-run_success "req -new -newkey rsa:2048 -config ./test.conf -x509 -out tmp.cert -passout stdin" "long test password"
-echo $RESULT | grep "ENCRYPTED"
-if [ $? -ne 0 ]; then
-    echo "no encrypted key found in result"
-    exit 99
+
+if [ ${IS_FIPS} != "1" ]; then
+    run_success "req -new -newkey rsa:2048 -config ./test.conf -x509 -out tmp.cert -passout stdin" "long test password"
+    echo $RESULT | grep "ENCRYPTED"
+    if [ $? -ne 0 ]; then
+        echo "no encrypted key found in result"
+        exit 99
+    fi
+    rm -f tmp.cert
 fi
-rm -f tmp.cert
 
 #testing hash and key algos
 run_success "req -new -days 3650 -rsa -key ./certs/server-key.pem -config ./test.conf -out tmp.cert -x509"
@@ -242,7 +251,9 @@ rm -f tmp.cert
 run_success "req -new -days 3650 -sha512 -key ./certs/server-key.pem -config ./test.conf -out tmp.cert -x509"
 rm -f tmp.cert
 
-run_success "req -new -newkey rsa:2048 -keyout new-key.pem -config ./test.conf -x509 -out tmp.cert -passout stdin" "long test password"
+if [ ${IS_FIPS} != "1" ]; then
+    run_success "req -new -newkey rsa:2048 -keyout new-key.pem -config ./test.conf -x509 -out tmp.cert -passout stdin" "long test password"
+fi
 
 run_success "req -new -key ./certs/ca-key.pem -config ./test.conf -extensions v3_alt_req_full -out tmp.cert"
 run_success "req -in ./tmp.cert -noout -text"
@@ -252,9 +263,11 @@ if [ $? -ne 0 ]; then
     exit 99
 fi
 
+if [ ${IS_FIPS} != "1" ]; then
 #test passout
-run_success "req -newkey rsa:2048 -keyout new-key.pem -config ./test.conf -out tmp.cert -passout pass:123456789wolfssl -outform pem -sha256"
-run_success "rsa -in new-key.pem -passin pass:123456789wolfssl"
+    run_success "req -newkey rsa:2048 -keyout new-key.pem -config ./test.conf -out tmp.cert -passout pass:123456789wolfssl -outform pem -sha256"
+    run_success "rsa -in new-key.pem -passin pass:123456789wolfssl"
+fi
 
 run_success "req -new -x509 -key ./certs/ca-key.pem -config ./test-prompt.conf -out tmp.cert" "AA"
 run_fail "req -new -x509 -key ./certs/ca-key.pem -config ./test-prompt.conf -out tmp.cert" "LONG"