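#! /usr/bin/env perl
# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# Command-line test of FIPS security checks.
#
# The script drives the `openssl` application with two configurations:
# $fipsconf (test/fips-and-base.cnf) and $defaultconf (test/default.cnf).
# For EC, RSA and DSA it checks that
#   * approved parameters can be generated, signed with and verified under
#     $fipsconf;
#   * non-approved parameters (brainpoolP256r1, 512-bit RSA, 512-bit DSA /
#     fips186_2) work under $defaultconf but are refused under $fipsconf;
#   * a command that explicitly passes `-provider default` together with
#     `-propquery ?fips!=yes` is still expected to succeed under $fipsconf.
#
# The last point matters when reading the results: these tests document that
# the FIPS configuration alone does not stop a caller who passes those
# options from reaching non-approved algorithms.

use strict;
use warnings;

use File::Spec;
use File::Spec::Functions qw/curdir abs2rel/;
use File::Copy;
use OpenSSL::Glob;
use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir bldtop_file srctop_file data_file/;
use OpenSSL::Test::Utils;

BEGIN {
    setup("test_cli_fips");
}
use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;

# The whole recipe is meaningless without the FIPS provider or when its
# security checks were compiled out, so skip everything in that case.
my $no_check = disabled("fips") || disabled('fips-securitychecks');
plan skip_all => "Test only supported in a fips build with security checks"
    if $no_check;

# 8 provider listing checks + 3 subtests (EC, RSA, DSA).
plan tests => 11;

my $fipsmodule = bldtop_file('providers', platform->dso('fips'));
my $fipsconf = srctop_file("test", "fips-and-base.cnf");
my $defaultconf = srctop_file("test", "default.cnf");

# Data to be signed: the FIPS module file itself.
my $tbs_data = $fipsmodule;
# "Wrong" data for negative verification tests: the FIPS configuration file.
my $bogus_data = $fipsconf;

$ENV{OPENSSL_CONF} = $fipsconf;

ok(run(app(['openssl', 'list', '-public-key-methods', '-verbose'])),
   "provider listing of public key methods");
ok(run(app(['openssl', 'list', '-public-key-algorithms', '-verbose'])),
   "provider listing of public key algorithms");
ok(run(app(['openssl', 'list', '-key-managers', '-verbose'])),
   "provider listing of keymanagers");
ok(run(app(['openssl', 'list', '-key-exchange-algorithms', '-verbose'])),
   "provider listing of key exchange algorithms");
ok(run(app(['openssl', 'list', '-kem-algorithms', '-verbose'])),
   "provider listing of key encapsulation algorithms");
ok(run(app(['openssl', 'list', '-signature-algorithms', '-verbose'])),
   "provider listing of signature algorithms");
ok(run(app(['openssl', 'list', '-asymcipher-algorithms', '-verbose'])),
   "provider listing of encryption algorithms");
ok(run(app(['openssl', 'list', '-key-managers', '-verbose', '-select', 'DSA'])),
   "provider listing of one item in the keymanager");

# pubfrompriv(PREFIX, KEY, PUB_KEY, TYPE)
#
# Extracts the public key of private key file KEY into PUB_KEY with
# `openssl pkey -pubout` and records one test result.  PREFIX and TYPE are
# only used in the test description.  Runs under whatever OPENSSL_CONF the
# caller has set.
sub pubfrompriv {
    my ($prefix, $key, $pub_key, $type) = @_;

    ok(run(app(['openssl', 'pkey',
                '-in', $key,
                '-pubout',
                '-out', $pub_key])),
       $prefix.': '."Create the public key with $type parameters");
}

# Number of test results tsignverify() records (3 FIPS-key checks plus the
# 6 non-FIPS-key checks, which are reported as skipped when not run).
my $tsignverify_count = 9;

# tsignverify(PREFIX, FIPS_KEY, FIPS_PUB_KEY, NONFIPS_KEY, NONFIPS_PUB_KEY)
#
# Sign/verify round trips with `openssl dgst -sha256`.
#   * FIPS key under $fipsconf: sign, verify, and verify against wrong data
#     (must fail).
#   * Non-FIPS key (skipped when NONFIPS_KEY is ''): sign and verify under
#     $defaultconf, then check that $fipsconf refuses both, that the
#     explicit non-FIPS property query still verifies, and that wrong data
#     is rejected.
#
# Side effect: changes $ENV{OPENSSL_CONF}.  On return it is $fipsconf when
# the non-FIPS part ran and $defaultconf when it was skipped.
sub tsignverify {
    my ($prefix, $fips_key, $fips_pub_key, $nonfips_key, $nonfips_pub_key)
        = @_;
    my $fips_sigfile = $prefix.'.fips.sig';
    my $nonfips_sigfile = $prefix.'.nonfips.sig';
    my $sigfile = '';
    my $testtext = '';

    $ENV{OPENSSL_CONF} = $fipsconf;

    $sigfile = $fips_sigfile;
    $testtext = $prefix.': '.
        'Sign something with a FIPS key';
    ok(run(app(['openssl', 'dgst', '-sha256',
                '-sign', $fips_key,
                '-out', $sigfile,
                $tbs_data])),
       $testtext);

    $testtext = $prefix.': '.
        'Verify something with a FIPS key';
    ok(run(app(['openssl', 'dgst', '-sha256',
                '-verify', $fips_pub_key,
                '-signature', $sigfile,
                $tbs_data])),
       $testtext);

    $testtext = $prefix.': '.
        'Verify a valid signature against the wrong data with a FIPS key'.
        ' (should fail)';
    ok(!run(app(['openssl', 'dgst', '-sha256',
                 '-verify', $fips_pub_key,
                 '-signature', $sigfile,
                 $bogus_data])),
       $testtext);

    $ENV{OPENSSL_CONF} = $defaultconf;

    SKIP : {
        skip "FIPS failure testing", 6
            if ($nonfips_key eq '');

        $sigfile = $nonfips_sigfile;
        $testtext = $prefix.': '.
            'Sign something with a non-FIPS key'.
            ' with the default provider';
        ok(run(app(['openssl', 'dgst', '-sha256',
                    '-sign', $nonfips_key,
                    '-out', $sigfile,
                    $tbs_data])),
           $testtext);

        $testtext = $prefix.': '.
            'Verify something with a non-FIPS key'.
            ' with the default provider';
        ok(run(app(['openssl', 'dgst', '-sha256',
                    '-verify', $nonfips_pub_key,
                    '-signature', $sigfile,
                    $tbs_data])),
           $testtext);

        $ENV{OPENSSL_CONF} = $fipsconf;

        # Written to a separate file so that a (wrong) success here cannot
        # overwrite the signature the following checks verify.
        $testtext = $prefix.': '.
            'Sign something with a non-FIPS key'.
            ' (should fail)';
        ok(!run(app(['openssl', 'dgst', '-sha256',
                     '-sign', $nonfips_key,
                     '-out', $prefix.'.nonfips.fail.sig',
                     $tbs_data])),
           $testtext);

        # Correct data, correct signature: the only expected reason for
        # failure is that the FIPS configuration refuses the key.
        $testtext = $prefix.': '.
            'Verify something with a non-FIPS key'.
            ' (should fail)';
        ok(!run(app(['openssl', 'dgst', '-sha256',
                     '-verify', $nonfips_pub_key,
                     '-signature', $sigfile,
                     $tbs_data])),
           $testtext);

        # Explicitly loading the default provider and asking for non-FIPS
        # implementations is expected to work even with $fipsconf active.
        $testtext = $prefix.': '.
            'Verify something with a non-FIPS key'.
            ' in FIPS mode but with a non-FIPS property query';
        ok(run(app(['openssl', 'dgst',
                    '-provider', 'default',
                    '-propquery', '?fips!=yes',
                    '-sha256',
                    '-verify', $nonfips_pub_key,
                    '-signature', $sigfile,
                    $tbs_data])),
           $testtext);

        # The check above shows that under $fipsconf verification with this
        # key fails even for the right data, so a wrong-data check run there
        # could not tell a data mismatch from a key rejection and would pass
        # vacuously.  Run it with the default provider, where the signature
        # was created and where only the data mismatch can cause a failure.
        $ENV{OPENSSL_CONF} = $defaultconf;

        $testtext = $prefix.': '.
            'Verify a valid signature against the wrong data with a non-FIPS key'.
            ' (should fail)';
        ok(!run(app(['openssl', 'dgst', '-sha256',
                     '-verify', $nonfips_pub_key,
                     '-signature', $sigfile,
                     $bogus_data])),
           $testtext);

        # Leave the FIPS configuration active on return from this branch.
        $ENV{OPENSSL_CONF} = $fipsconf;
    }
}

SKIP : {
    skip "FIPS EC tests because of no ec in this build", 1
        if disabled("ec");

    subtest EC => sub {
        my $testtext_prefix = 'EC';
        my $a_fips_curve = 'prime256v1';
        my $fips_key = $testtext_prefix.'.fips.priv.pem';
        my $fips_pub_key = $testtext_prefix.'.fips.pub.pem';
        # Curve the test expects the FIPS configuration to refuse.
        my $a_nonfips_curve = 'brainpoolP256r1';
        my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem';
        my $nonfips_pub_key = $testtext_prefix.'.nonfips.pub.pem';
        my $testtext = '';
        my $curvename = '';

        # 3 genpkey checks + 2 pubfrompriv() calls, then tsignverify().
        plan tests => 5 + $tsignverify_count;

        $ENV{OPENSSL_CONF} = $defaultconf;
        $curvename = $a_nonfips_curve;
        $testtext = $testtext_prefix.': '.
            'Generate a key with a non-FIPS algorithm with the default provider';
        ok(run(app(['openssl', 'genpkey', '-algorithm', 'EC',
                    '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
                    '-out', $nonfips_key])),
           $testtext);

        pubfrompriv($testtext_prefix, $nonfips_key, $nonfips_pub_key, "non-FIPS");

        $ENV{OPENSSL_CONF} = $fipsconf;

        $curvename = $a_fips_curve;
        $testtext = $testtext_prefix.': '.
            'Generate a key with a FIPS algorithm';
        ok(run(app(['openssl', 'genpkey', '-algorithm', 'EC',
                    '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
                    '-out', $fips_key])),
           $testtext);

        pubfrompriv($testtext_prefix, $fips_key, $fips_pub_key, "FIPS");

        $curvename = $a_nonfips_curve;
        $testtext = $testtext_prefix.': '.
            'Generate a key with a non-FIPS algorithm'.
            ' (should fail)';
        ok(!run(app(['openssl', 'genpkey', '-algorithm', 'EC',
                     '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
                     '-out', $testtext_prefix.'.'.$curvename.'.priv.pem'])),
           $testtext);

        tsignverify($testtext_prefix, $fips_key, $fips_pub_key, $nonfips_key,
                    $nonfips_pub_key);
    };
}

SKIP: {
    skip "FIPS RSA tests because of no rsa in this build", 1
        if disabled("rsa");

    subtest RSA => sub {
        my $testtext_prefix = 'RSA';
        my $fips_key = $testtext_prefix.'.fips.priv.pem';
        my $fips_pub_key = $testtext_prefix.'.fips.pub.pem';
        my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem';
        my $nonfips_pub_key = $testtext_prefix.'.nonfips.pub.pem';
        my $testtext = '';

        # 3 genpkey checks + 2 pubfrompriv() calls, then tsignverify().
        plan tests => 5 + $tsignverify_count;

        # 512-bit RSA is a deliberately weak fixture: it must work with the
        # default provider and be refused under $fipsconf (checked below).
        $ENV{OPENSSL_CONF} = $defaultconf;
        $testtext = $testtext_prefix.': '.
            'Generate a key with a non-FIPS algorithm with the default provider';
        ok(run(app(['openssl', 'genpkey', '-algorithm', 'RSA',
                    '-pkeyopt', 'rsa_keygen_bits:512',
                    '-out', $nonfips_key])),
           $testtext);

        pubfrompriv($testtext_prefix, $nonfips_key, $nonfips_pub_key, "non-FIPS");

        $ENV{OPENSSL_CONF} = $fipsconf;

        $testtext = $testtext_prefix.': '.
            'Generate a key with a FIPS algorithm';
        ok(run(app(['openssl', 'genpkey', '-algorithm', 'RSA',
                    '-pkeyopt', 'rsa_keygen_bits:2048',
                    '-out', $fips_key])),
           $testtext);

        pubfrompriv($testtext_prefix, $fips_key, $fips_pub_key, "FIPS");

        $testtext = $testtext_prefix.': '.
            'Generate a key with a non-FIPS algorithm'.
            ' (should fail)';
        ok(!run(app(['openssl', 'genpkey', '-algorithm', 'RSA',
                     '-pkeyopt', 'rsa_keygen_bits:512',
                     '-out', $testtext_prefix.'.fail.priv.pem'])),
           $testtext);

        tsignverify($testtext_prefix, $fips_key, $fips_pub_key, $nonfips_key,
                    $nonfips_pub_key);
    };
}

SKIP : {
    skip "FIPS DSA tests because of no dsa in this build", 1
        if disabled("dsa");

    subtest DSA => sub {
        my $testtext_prefix = 'DSA';
        my $fips_key = $testtext_prefix.'.fips.priv.pem';
        my $fips_pub_key = $testtext_prefix.'.fips.pub.pem';
        my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem';
        my $nonfips_pub_key = $testtext_prefix.'.nonfips.pub.pem';
        my $testtext = '';
        my $fips_param = $testtext_prefix.'.fips.param.pem';
        my $nonfips_param = $testtext_prefix.'.nonfips.param.pem';
        my $shortnonfips_param = $testtext_prefix.'.shortnonfips.param.pem';

        # 11 parameter/key generation checks + 2 pubfrompriv() calls, then
        # tsignverify().
        plan tests => 13 + $tsignverify_count;

        $ENV{OPENSSL_CONF} = $defaultconf;

        # 512-bit fips186_2 parameters are the non-approved fixture here.
        $testtext = $testtext_prefix.': '.
            'Generate non-FIPS params with the default provider';
        ok(run(app(['openssl', 'genpkey', '-genparam',
                    '-algorithm', 'DSA',
                    '-pkeyopt', 'type:fips186_2',
                    '-pkeyopt', 'dsa_paramgen_bits:512',
                    '-out', $nonfips_param])),
           $testtext);

        $ENV{OPENSSL_CONF} = $fipsconf;

        $testtext = $testtext_prefix.': '.
            'Generate FIPS params';
        ok(run(app(['openssl', 'genpkey', '-genparam',
                    '-algorithm', 'DSA',
                    '-pkeyopt', 'dsa_paramgen_bits:2048',
                    '-out', $fips_param])),
           $testtext);

        $testtext = $testtext_prefix.': '.
            'Generate non-FIPS params'.
            ' (should fail)';
        ok(!run(app(['openssl', 'genpkey', '-genparam',
                     '-algorithm', 'DSA',
                     '-pkeyopt', 'dsa_paramgen_bits:512',
                     '-out', $testtext_prefix.'.fail.param.pem'])),
           $testtext);

        # The next two checks run with $fipsconf active and are expected to
        # succeed because the command line explicitly selects the default
        # provider with a non-FIPS property query.
        $testtext = $testtext_prefix.': '.
            'Generate non-FIPS params using non-FIPS property query'.
            ' (dsaparam)';
        ok(run(app(['openssl', 'dsaparam', '-provider', 'default',
                    '-propquery', '?fips!=yes',
                    '-out', $shortnonfips_param, '1024'])),
           $testtext);

        $testtext = $testtext_prefix.': '.
            'Generate non-FIPS params using non-FIPS property query'.
            ' (genpkey)';
        ok(run(app(['openssl', 'genpkey', '-provider', 'default',
                    '-propquery', '?fips!=yes',
                    '-genparam', '-algorithm', 'DSA',
                    '-pkeyopt', 'dsa_paramgen_bits:512'])),
           $testtext);

        $ENV{OPENSSL_CONF} = $defaultconf;

        $testtext = $testtext_prefix.': '.
            'Generate a key with non-FIPS params with the default provider';
        ok(run(app(['openssl', 'genpkey',
                    '-paramfile', $nonfips_param,
                    '-pkeyopt', 'type:fips186_2',
                    '-out', $nonfips_key])),
           $testtext);

        pubfrompriv($testtext_prefix, $nonfips_key, $nonfips_pub_key, "non-FIPS");

        $ENV{OPENSSL_CONF} = $fipsconf;

        $testtext = $testtext_prefix.': '.
            'Generate a key with FIPS parameters';
        ok(run(app(['openssl', 'genpkey',
                    '-paramfile', $fips_param,
                    '-pkeyopt', 'type:fips186_4',
                    '-out', $fips_key])),
           $testtext);

        pubfrompriv($testtext_prefix, $fips_key, $fips_pub_key, "FIPS");

        $testtext = $testtext_prefix.': '.
            'Generate a key with non-FIPS parameters'.
            ' (should fail)';
        ok(!run(app(['openssl', 'genpkey',
                     '-paramfile', $nonfips_param,
                     '-pkeyopt', 'type:fips186_2',
                     '-out', $testtext_prefix.'.fail.priv.pem'])),
           $testtext);

        # Same explicit opt-out as above, this time for key generation with
        # three different applications.
        $testtext = $testtext_prefix.': '.
            'Generate a key with non-FIPS parameters using non-FIPS property'.
            ' query (dsaparam)';
        ok(run(app(['openssl', 'dsaparam', '-provider', 'default',
                    '-propquery', '?fips!=yes',
                    '-noout', '-genkey', '1024'])),
           $testtext);

        $testtext = $testtext_prefix.': '.
            'Generate a key with non-FIPS parameters using non-FIPS property'.
            ' query (gendsa)';
        ok(run(app(['openssl', 'gendsa', '-provider', 'default',
                    '-propquery', '?fips!=yes',
                    $shortnonfips_param])),
           $testtext);

        # NOTE: this check is expected to succeed although its output file
        # reuses the '.fail.priv.pem' name of the negative test above.
        $testtext = $testtext_prefix.': '.
            'Generate a key with non-FIPS parameters using non-FIPS property'.
            ' query (genpkey)';
        ok(run(app(['openssl', 'genpkey', '-provider', 'default',
                    '-propquery', '?fips!=yes',
                    '-paramfile', $nonfips_param,
                    '-pkeyopt', 'type:fips186_2',
                    '-out', $testtext_prefix.'.fail.priv.pem'])),
           $testtext);

        # No non-FIPS key pair is passed, so tsignverify() skips its six
        # non-FIPS checks for DSA.
        tsignverify($testtext_prefix, $fips_key, $fips_pub_key, '', '');
    };
}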