author | Kazuki Yamaguchi <[email protected]> | 2024-07-31 01:05:32 +0900 |
---|---|---|
committer | git <[email protected]> | 2024-08-06 06:38:03 +0000 |
commit | 65e3717db7bfd957660a5b3d9c5ac4fd22e8d858 (patch) | |
tree | 5ff18d63b18d6d3c80fae92c21a8f66ec0d934df | |
parent | 30be7fb85ddcb59b531f22b7627e77624ef05c4e (diff) |
[ruby/openssl] test/openssl/test_pkey_dsa.rb: skip all tests in FIPS mode
OpenSSL running in the FIPS mode will stop supporting DSA key
generation and signature generation due to a FIPS 140-3 requirement.
Although it appears that FIPS 186-5 still allows signature
verification in some cases, there would be little point in writing such
a specific test case.
DSA will still be tested if OpenSSL is not running in the FIPS mode.
test_generate_on_non_fips is merged to test_generate again.
https://github.com/ruby/openssl/commit/3651884fd2
-rw-r--r-- | test/openssl/test_pkey_dsa.rb | 23 |
1 files changed, 10 insertions, 13 deletions
diff --git a/test/openssl/test_pkey_dsa.rb b/test/openssl/test_pkey_dsa.rb index 4c93f2869d..3e8a83b2d0 100644 --- a/test/openssl/test_pkey_dsa.rb +++ b/test/openssl/test_pkey_dsa.rb @@ -4,6 +4,11 @@ require_relative 'utils' if defined?(OpenSSL) && defined?(OpenSSL::PKey::DSA) class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase + def setup + # May not be available in FIPS mode as DSA has been deprecated in FIPS 186-5 + omit_on_fips + end + def test_private key = Fixtures.pkey("dsa1024") assert_equal true, key.private? @@ -31,6 +36,11 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase def test_generate # DSA.generate used to call DSA_generate_parameters_ex(), which adjusts the # size of q according to the size of p + key1024 = OpenSSL::PKey::DSA.generate(1024) + assert_predicate key1024, :private? + assert_equal 1024, key1024.p.num_bits + assert_equal 160, key1024.q.num_bits + key2048 = OpenSSL::PKey::DSA.generate(2048) assert_equal 2048, key2048.p.num_bits assert_equal 256, key2048.q.num_bits @@ -42,17 +52,6 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase end end - def test_generate_on_non_fips - # DSA with 1024 bits is invalid on FIPS 186-4. - # https://github.com/openssl/openssl/commit/49ed5ba8f62875074f04417189147fd3dda072ab - omit_on_fips - - key1024 = OpenSSL::PKey::DSA.generate(1024) - assert_predicate key1024, :private? - assert_equal 1024, key1024.p.num_bits - assert_equal 160, key1024.q.num_bits - end - def test_sign_verify # The DSA valid size is 2048 or 3072 on FIPS. # https://github.com/openssl/openssl/blob/7649b5548e5c0352b91d9d3ed695e42a2ac1e99c/providers/common/securitycheck.c#L185-L188 @@ -135,8 +134,6 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase end def test_DSAPrivateKey_encrypted - omit_on_fips - # key = abcdef dsa512 = Fixtures.pkey("dsa512") pem = <<~EOF |
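Review bot: The new `setup` in the first hunk does not call `super`, so any `setup` defined by `OpenSSL::PKeyTestCase` or its ancestors (not visible in this diff) would no longer run for this class; starting the method with `super` keeps inherited hooks intact. The comment also gives a narrower reason than the commit message: it cites only the FIPS 186-5 deprecation, while the message says key and signature generation stop working and that verification may still be permitted in some cases. I would reword it to `# DSA key and signature generation are unavailable in FIPS mode; verification is deliberately left untested there`, so a reader knows the verification gap is intentional. With every test in the class now omitted under FIPS, the comment `# The DSA valid size is 2048 or 3072 on FIPS.` kept as context in `test_sign_verify` (third hunk) looks stale.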
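Review bot: The 1024-bit case merged into `test_generate` in the second hunk loses the explanation that the removed `test_generate_on_non_fips` carried, namely that 1024-bit DSA is rejected under FIPS, and it now depends silently on the class-level `omit_on_fips` in `setup`. A short comment above `key1024` would record both facts, for example `# 1024-bit p / 160-bit q is a legacy size rejected in FIPS mode; setup omits this class there`. `test_generate` continues past the end of this hunk, so the rest of its body was not reviewed.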