1 |
From 5f4f350ce797a7cd2fdca84c474ee196da9d6fae Mon Sep 17 00:00:00 2001 |
2 |
From: Clemens Lang <cllang@redhat.com> |
3 |
Date: Wed, 18 May 2022 17:25:59 +0200 |
4 |
Subject: [PATCH] Deny SHA-1 signature verification in FIPS provider |
5 |
|
6 |
For RHEL, we already disable SHA-1 signatures by default in the default |
7 |
provider, so it is unexpected that the FIPS provider would have a more |
8 |
lenient configuration in this regard. Additionally, we do not think |
9 |
continuing to accept SHA-1 signatures is a good idea due to the |
10 |
published chosen-prefix collision attacks. |
11 |
|
12 |
As a consequence, disable verification of SHA-1 signatures in the FIPS |
13 |
provider. |
14 |
|
15 |
This requires adjusting a few tests that would otherwise fail: |
16 |
- 30-test_acvp: Remove the test vectors that use SHA-1. |
17 |
- 30-test_evp: Mark tests in evppkey_rsa_common.txt and |
18 |
evppkey_ecdsa.txt that use SHA-1 digests as "Availablein = default", |
19 |
which will not run them when the FIPS provider is enabled. |
20 |
- 80-test_cms: Re-create all certificates in test/smime-certificates |
21 |
with SHA256 signatures while keeping the same private keys. These |
22 |
certificates were signed with SHA-1 and thus fail verification in the |
23 |
FIPS provider. |
24 |
Fix some other tests by explicitly running them in the default |
25 |
provider, where SHA-1 is available. |
26 |
- 80-test_ssl_old: Skip tests that rely on SSLv3 and SHA-1 when run with |
27 |
the FIPS provider. |
28 |
|
29 |
Signed-off-by: Clemens Lang <cllang@redhat.com> |
30 |
--- |
31 |
providers/implementations/signature/dsa_sig.c | 4 -- |
32 |
.../implementations/signature/ecdsa_sig.c | 4 -- |
33 |
providers/implementations/signature/rsa_sig.c | 8 +-- |
34 |
test/acvp_test.inc | 20 ------- |
35 |
.../30-test_evp_data/evppkey_ecdsa.txt | 7 +++ |
36 |
.../30-test_evp_data/evppkey_rsa_common.txt | 51 +++++++++++++++- |
37 |
test/recipes/80-test_cms.t | 4 +- |
38 |
test/recipes/80-test_ssl_old.t | 4 ++ |
39 |
test/smime-certs/smdh.pem | 18 +++--- |
40 |
test/smime-certs/smdsa1.pem | 60 +++++++++---------- |
41 |
test/smime-certs/smdsa2.pem | 60 +++++++++---------- |
42 |
test/smime-certs/smdsa3.pem | 60 +++++++++---------- |
43 |
test/smime-certs/smec1.pem | 30 +++++----- |
44 |
test/smime-certs/smec2.pem | 30 +++++----- |
45 |
test/smime-certs/smec3.pem | 30 +++++----- |
46 |
test/smime-certs/smroot.pem | 38 ++++++------ |
47 |
test/smime-certs/smrsa1.pem | 38 ++++++------ |
48 |
test/smime-certs/smrsa2.pem | 38 ++++++------ |
49 |
test/smime-certs/smrsa3.pem | 38 ++++++------ |
50 |
19 files changed, 286 insertions(+), 256 deletions(-) |
51 |
|
52 |
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c |
53 |
index fa3822f39f..c365d7b13a 100644 |
54 |
--- a/providers/implementations/signature/dsa_sig.c |
55 |
+++ b/providers/implementations/signature/dsa_sig.c |
56 |
@@ -128,11 +128,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, |
57 |
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); |
58 |
int md_nid; |
59 |
size_t mdname_len = strlen(mdname); |
60 |
-#ifdef FIPS_MODULE |
61 |
- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); |
62 |
-#else |
63 |
int sha1_allowed = 0; |
64 |
-#endif |
65 |
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, |
66 |
sha1_allowed); |
67 |
|
68 |
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c |
69 |
index 99b228e82c..44a22832ec 100644 |
70 |
--- a/providers/implementations/signature/ecdsa_sig.c |
71 |
+++ b/providers/implementations/signature/ecdsa_sig.c |
72 |
@@ -237,11 +237,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname, |
73 |
"%s could not be fetched", mdname); |
74 |
return 0; |
75 |
} |
76 |
-#ifdef FIPS_MODULE |
77 |
- sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); |
78 |
-#else |
79 |
sha1_allowed = 0; |
80 |
-#endif |
81 |
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, |
82 |
sha1_allowed); |
83 |
if (md_nid < 0) { |
84 |
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c |
85 |
index f66d7705c3..34f45175e8 100644 |
86 |
--- a/providers/implementations/signature/rsa_sig.c |
87 |
+++ b/providers/implementations/signature/rsa_sig.c |
88 |
@@ -292,11 +292,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, |
89 |
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); |
90 |
int md_nid; |
91 |
size_t mdname_len = strlen(mdname); |
92 |
-#ifdef FIPS_MODULE |
93 |
- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); |
94 |
-#else |
95 |
int sha1_allowed = 0; |
96 |
-#endif |
97 |
md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, |
98 |
sha1_allowed); |
99 |
|
100 |
@@ -1355,8 +1351,10 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) |
101 |
|
102 |
if (prsactx->md == NULL && pmdname == NULL |
103 |
&& pad_mode == RSA_PKCS1_PSS_PADDING) { |
104 |
+#ifdef FIPS_MODULE |
105 |
+ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY; |
106 |
+#else |
107 |
pmdname = RSA_DEFAULT_DIGEST_NAME; |
108 |
-#ifndef FIPS_MODULE |
109 |
if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) { |
110 |
pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY; |
111 |
} |
112 |
diff --git a/test/acvp_test.inc b/test/acvp_test.inc |
113 |
index ad11d3ae1e..73b24bdb0c 100644 |
114 |
--- a/test/acvp_test.inc |
115 |
+++ b/test/acvp_test.inc |
116 |
@@ -1841,17 +1841,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = { |
117 |
NO_PSS_SALT_LEN, |
118 |
FAIL |
119 |
}, |
120 |
- { |
121 |
- "x931", |
122 |
- 3072, |
123 |
- "SHA1", |
124 |
- ITM(rsa_sigverx931_0_msg), |
125 |
- ITM(rsa_sigverx931_0_n), |
126 |
- ITM(rsa_sigverx931_0_e), |
127 |
- ITM(rsa_sigverx931_0_sig), |
128 |
- NO_PSS_SALT_LEN, |
129 |
- PASS |
130 |
- }, |
131 |
{ |
132 |
"x931", |
133 |
3072, |
134 |
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt |
135 |
index f36982845d..51e507a61c 100644 |
136 |
--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt |
137 |
+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt |
138 |
@@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC |
139 |
|
140 |
Title = ECDSA tests |
141 |
|
142 |
+Availablein = default |
143 |
Verify = P-256 |
144 |
Ctrl = digest:SHA1 |
145 |
Input = "0123456789ABCDEF1234" |
146 |
Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 |
147 |
|
148 |
# Digest too long |
149 |
+Availablein = default |
150 |
Verify = P-256 |
151 |
Ctrl = digest:SHA1 |
152 |
Input = "0123456789ABCDEF12345" |
153 |
@@ -50,6 +52,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e |
154 |
Result = VERIFY_ERROR |
155 |
|
156 |
# Digest too short |
157 |
+Availablein = default |
158 |
Verify = P-256 |
159 |
Ctrl = digest:SHA1 |
160 |
Input = "0123456789ABCDEF123" |
161 |
@@ -57,6 +60,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e |
162 |
Result = VERIFY_ERROR |
163 |
|
164 |
# Digest invalid |
165 |
+Availablein = default |
166 |
Verify = P-256 |
167 |
Ctrl = digest:SHA1 |
168 |
Input = "0123456789ABCDEF1235" |
169 |
@@ -64,6 +68,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e |
170 |
Result = VERIFY_ERROR |
171 |
|
172 |
# Invalid signature |
173 |
+Availablein = default |
174 |
Verify = P-256 |
175 |
Ctrl = digest:SHA1 |
176 |
Input = "0123456789ABCDEF1234" |
177 |
@@ -79,12 +84,14 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e |
178 |
Result = VERIFY_ERROR |
179 |
|
180 |
# BER signature |
181 |
+Availablein = default |
182 |
Verify = P-256 |
183 |
Ctrl = digest:SHA1 |
184 |
Input = "0123456789ABCDEF1234" |
185 |
Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000 |
186 |
Result = VERIFY_ERROR |
187 |
|
188 |
+Availablein = default |
189 |
Verify = P-256-PUBLIC |
190 |
Ctrl = digest:SHA1 |
191 |
Input = "0123456789ABCDEF1234" |
192 |
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt |
193 |
index b8d8bb2993..8dd566067b 100644 |
194 |
--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt |
195 |
+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt |
196 |
@@ -96,6 +96,7 @@ NDL6WCBbets= |
197 |
|
198 |
Title = RSA tests |
199 |
|
200 |
+Availablein = default |
201 |
Verify = RSA-2048 |
202 |
Ctrl = digest:SHA1 |
203 |
Input = "0123456789ABCDEF1234" |
204 |
@@ -112,24 +113,28 @@ Ctrl = digest:SHA512-224 |
205 |
Input = "0123456789ABCDEF123456789ABC" |
206 |
Output = 5f720e9488139bb21e1c2f027fd5ce5993e6d31c5a8faaee833487b3a944d66891178868ace8070cad3ee2ffbe54aa4885a15fd1a7cc5166970fe1fd8c0423e72bd3e3b56fc4a53ed80aaaeca42497f0ec3c62113edc05cd006608f5eef7ce3ad4cba1069f68731dd28a524a1f93fcdc5547112d48d45586dd943ba0d443be9635720d8a61697c54c96627f0d85c5fbeaa3b4af86a65cf2fc3800dd5de34c046985f25d0efc0bb6edccc1d08b3a4fb9c8faffe181c7e68b31e374ad1440a4a664eec9ca0dc53a9d2f5bc7d9940d866f64201bcbc63612754df45727ea24b531d7de83d1bb707444859fa35521320c33bf6f4dbeb6fb56e653adbf7af15843f17 |
207 |
|
208 |
+Availablein = default |
209 |
VerifyRecover = RSA-2048 |
210 |
Ctrl = digest:SHA1 |
211 |
Input = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad |
212 |
Output = "0123456789ABCDEF1234" |
213 |
|
214 |
# Leading zero in the signature |
215 |
+Availablein = default |
216 |
Verify = RSA-2048 |
217 |
Ctrl = digest:SHA1 |
218 |
Input = "0123456789ABCDEF1234" |
219 |
Output = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad |
220 |
Result = VERIFY_ERROR |
221 |
|
222 |
+Availablein = default |
223 |
VerifyRecover = RSA-2048 |
224 |
Ctrl = digest:SHA1 |
225 |
Input = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad |
226 |
Result = KEYOP_ERROR |
227 |
|
228 |
# Mismatched digest |
229 |
+Availablein = default |
230 |
Verify = RSA-2048 |
231 |
Ctrl = digest:SHA1 |
232 |
Input = "0123456789ABCDEF1233" |
233 |
@@ -137,6 +142,7 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2 |
234 |
Result = VERIFY_ERROR |
235 |
|
236 |
# Corrupted signature |
237 |
+Availablein = default |
238 |
Verify = RSA-2048 |
239 |
Ctrl = digest:SHA1 |
240 |
Input = "0123456789ABCDEF1233" |
241 |
@@ -144,6 +150,7 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2 |
242 |
Result = VERIFY_ERROR |
243 |
|
244 |
# parameter is not NULLt |
245 |
+Availablein = default |
246 |
Verify = RSA-2048 |
247 |
Ctrl = digest:sha1 |
248 |
Input = "0123456789ABCDEF1234" |
249 |
@@ -151,42 +158,49 @@ Output = 3ec3fc29eb6e122bd7aa361cd09fe1bcbe85311096a7b9e4799cedfb2351ce0ab7fe4e7 |
250 |
Result = VERIFY_ERROR |
251 |
|
252 |
# embedded digest too long |
253 |
+Availablein = default |
254 |
Verify = RSA-2048 |
255 |
Ctrl = digest:sha1 |
256 |
Input = "0123456789ABCDEF1234" |
257 |
Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d |
258 |
Result = VERIFY_ERROR |
259 |
|
260 |
+Availablein = default |
261 |
VerifyRecover = RSA-2048 |
262 |
Ctrl = digest:sha1 |
263 |
Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d |
264 |
Result = KEYOP_ERROR |
265 |
|
266 |
# embedded digest too short |
267 |
+Availablein = default |
268 |
Verify = RSA-2048 |
269 |
Ctrl = digest:sha1 |
270 |
Input = "0123456789ABCDEF1234" |
271 |
Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d |
272 |
Result = VERIFY_ERROR |
273 |
|
274 |
+Availablein = default |
275 |
VerifyRecover = RSA-2048 |
276 |
Ctrl = digest:sha1 |
277 |
Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d |
278 |
Result = KEYOP_ERROR |
279 |
|
280 |
# Garbage after DigestInfo |
281 |
+Availablein = default |
282 |
Verify = RSA-2048 |
283 |
Ctrl = digest:sha1 |
284 |
Input = "0123456789ABCDEF1234" |
285 |
Output = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274 |
286 |
Result = VERIFY_ERROR |
287 |
|
288 |
+Availablein = default |
289 |
VerifyRecover = RSA-2048 |
290 |
Ctrl = digest:sha1 |
291 |
Input = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274 |
292 |
Result = KEYOP_ERROR |
293 |
|
294 |
# invalid tag for parameter |
295 |
+Availablein = default |
296 |
Verify = RSA-2048 |
297 |
Ctrl = digest:sha1 |
298 |
Input = "0123456789ABCDEF1234" |
299 |
@@ -195,6 +209,7 @@ Result = VERIFY_ERROR |
300 |
|
301 |
# Verify using public key |
302 |
|
303 |
+Availablein = default |
304 |
Verify = RSA-2048-PUBLIC |
305 |
Ctrl = digest:SHA1 |
306 |
Input = "0123456789ABCDEF1234" |
307 |
@@ -370,6 +385,8 @@ Input="0123456789ABCDEF0123456789ABCDEF" |
308 |
Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A |
309 |
|
310 |
# Verify using salt length auto detect |
311 |
+# In the FIPS provider on RHEL-9, the default digest for PSS signatures is SHA-256 |
312 |
+Availablein = default |
313 |
Verify = RSA-2048-PUBLIC |
314 |
Ctrl = rsa_padding_mode:pss |
315 |
Ctrl = rsa_pss_saltlen:auto |
316 |
@@ -404,6 +421,10 @@ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DD |
317 |
Result = VERIFY_ERROR |
318 |
|
319 |
# Verify using default parameters, explicitly setting parameters |
320 |
+# NOTE: RSA-PSS-DEFAULT contains a restriction to use SHA1 as digest, which |
321 |
+# RHEL-9 does not support in FIPS mode; all these tests are thus marked |
322 |
+# Availablein = default. |
323 |
+Availablein = default |
324 |
Verify = RSA-PSS-DEFAULT |
325 |
Ctrl = rsa_padding_mode:pss |
326 |
Ctrl = rsa_pss_saltlen:20 |
327 |
@@ -412,6 +433,7 @@ Input="0123456789ABCDEF0123" |
328 |
Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF |
329 |
|
330 |
# Verify explicitly setting parameters "digest" salt length |
331 |
+Availablein = default |
332 |
Verify = RSA-PSS-DEFAULT |
333 |
Ctrl = rsa_padding_mode:pss |
334 |
Ctrl = rsa_pss_saltlen:digest |
335 |
@@ -420,18 +442,21 @@ Input="0123456789ABCDEF0123" |
336 |
Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF |
337 |
|
338 |
# Verify using salt length larger than minimum |
339 |
+Availablein = default |
340 |
Verify = RSA-PSS-DEFAULT |
341 |
Ctrl = rsa_pss_saltlen:30 |
342 |
Input="0123456789ABCDEF0123" |
343 |
Output = 6BF7EDC63A0BA184EEEC7F3020FEC8F5EBF38C2B76481881F48BCCE5796E7AB294548BA9AE810457C7723CABD1BDE94CF59CF7C0FC7461B22760C8ED703DD98E97BFDD61FA8D1181C411F6DEE5FF159F4850746D78EDEE385A363DC28E2CB373D5CAD7953F3BD5E639BE345732C03A1BDEA268814DA036EB1891C82D4012F3B903D86636055F87B96FC98806AD1B217685A4D754046A5DE0B0D7870664BE07902153EC85BA457BE7D7F89D7FE0F626D02A9CBBB2BB479DDA1A5CAE75247FB7BF6BFB15C1D3FD9E6B1573CCDBC72011C3B97716058BB11C7EA2E4E56ADAFE1F5DE6A7FD405AC5890100F9C3408EFFB5C73BF73F48177FF743B4B819D0699D507B |
344 |
|
345 |
# Verify using maximum salt length |
346 |
+Availablein = default |
347 |
Verify = RSA-PSS-DEFAULT |
348 |
Ctrl = rsa_pss_saltlen:max |
349 |
Input="0123456789ABCDEF0123" |
350 |
Output = 4470DCFE812DEE2E58E4301D4ED274AB348FE040B724B2CD1D8CD0914BFF375F0B86FCB32BFA8AEA9BD22BD7C4F1ADD4F3D215A5CFCC99055BAFECFC23800E9BECE19A08C66BEBC5802122D13A732E5958FC228DCC0B49B5B4B1154F032D8FA2F3564AA949C1310CC9266B0C47F86D449AC9D2E7678347E7266E2D7C888CCE1ADF44A109A293F8516AE2BD94CE220F26E137DB8E7A66BB9FCE052CDC1D0BE24D8CEBB20D10125F26B069F117044B9E1D16FDDAABCA5340AE1702F37D0E1C08A2E93801C0A41035C6C73DA02A0E32227EAFB0B85E79107B59650D0EE7DC32A6772CCCE90F06369B2880FE87ED76997BA61F5EA818091EE88F8B0D6F24D02A3FC6 |
351 |
|
352 |
# Attempt to change salt length below minimum |
353 |
+Availablein = default |
354 |
Verify = RSA-PSS-DEFAULT |
355 |
Ctrl = rsa_pss_saltlen:0 |
356 |
Result = PKEY_CTRL_ERROR |
357 |
@@ -439,21 +464,25 @@ Result = PKEY_CTRL_ERROR |
358 |
# Attempt to change padding mode |
359 |
# Note this used to return PKEY_CTRL_INVALID |
360 |
# but it is limited because setparams only returns 0 or 1. |
361 |
+Availablein = default |
362 |
Verify = RSA-PSS-DEFAULT |
363 |
Ctrl = rsa_padding_mode:pkcs1 |
364 |
Result = PKEY_CTRL_ERROR |
365 |
|
366 |
# Attempt to change digest |
367 |
+Availablein = default |
368 |
Verify = RSA-PSS-DEFAULT |
369 |
Ctrl = digest:sha256 |
370 |
Result = PKEY_CTRL_ERROR |
371 |
|
372 |
# Invalid key: rejected when we try to init |
373 |
+Availablein = default |
374 |
Verify = RSA-PSS-BAD |
375 |
Result = KEYOP_INIT_ERROR |
376 |
Reason = invalid salt length |
377 |
|
378 |
# Invalid key: rejected when we try to init |
379 |
+Availablein = default |
380 |
Verify = RSA-PSS-BAD2 |
381 |
Result = KEYOP_INIT_ERROR |
382 |
Reason = invalid salt length |
383 |
@@ -472,36 +501,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEFrMLT8Ms18pKA4Thrb2TE7yLh |
384 |
4fINDOjP+yJJvZohNwIDAQAB |
385 |
-----END PUBLIC KEY----- |
386 |
|
387 |
+Availablein = default |
388 |
Verify=RSA-PSS-1 |
389 |
Ctrl = rsa_padding_mode:pss |
390 |
Ctrl = rsa_mgf1_md:sha1 |
391 |
Input=cd8b6538cb8e8de566b68bd067569dbf1ee2718e |
392 |
Output=9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c |
393 |
|
394 |
+Availablein = default |
395 |
Verify=RSA-PSS-1 |
396 |
Ctrl = rsa_padding_mode:pss |
397 |
Ctrl = rsa_mgf1_md:sha1 |
398 |
Input=e35befc17a1d160b9ce35fbd8eb16e7ee491d3fd |
399 |
Output=3ef7f46e831bf92b32274142a585ffcefbdca7b32ae90d10fb0f0c729984f04ef29a9df0780775ce43739b97838390db0a5505e63de927028d9d29b219ca2c4517832558a55d694a6d25b9dab66003c4cccd907802193be5170d26147d37b93590241be51c25055f47ef62752cfbe21418fafe98c22c4d4d47724fdb5669e843 |
400 |
|
401 |
+Availablein = default |
402 |
Verify=RSA-PSS-1 |
403 |
Ctrl = rsa_padding_mode:pss |
404 |
Ctrl = rsa_mgf1_md:sha1 |
405 |
Input=0652ec67bcee30f9d2699122b91c19abdba89f91 |
406 |
Output=666026fba71bd3e7cf13157cc2c51a8e4aa684af9778f91849f34335d141c00154c4197621f9624a675b5abc22ee7d5baaffaae1c9baca2cc373b3f33e78e6143c395a91aa7faca664eb733afd14d8827259d99a7550faca501ef2b04e33c23aa51f4b9e8282efdb728cc0ab09405a91607c6369961bc8270d2d4f39fce612b1 |
407 |
|
408 |
+Availablein = default |
409 |
Verify=RSA-PSS-1 |
410 |
Ctrl = rsa_padding_mode:pss |
411 |
Ctrl = rsa_mgf1_md:sha1 |
412 |
Input=39c21c4cceda9c1adf839c744e1212a6437575ec |
413 |
Output=4609793b23e9d09362dc21bb47da0b4f3a7622649a47d464019b9aeafe53359c178c91cd58ba6bcb78be0346a7bc637f4b873d4bab38ee661f199634c547a1ad8442e03da015b136e543f7ab07c0c13e4225b8de8cce25d4f6eb8400f81f7e1833b7ee6e334d370964ca79fdb872b4d75223b5eeb08101591fb532d155a6de87 |
414 |
|
415 |
+Availablein = default |
416 |
Verify=RSA-PSS-1 |
417 |
Ctrl = rsa_padding_mode:pss |
418 |
Ctrl = rsa_mgf1_md:sha1 |
419 |
Input=36dae913b77bd17cae6e7b09453d24544cebb33c |
420 |
Output=1d2aad221ca4d31ddf13509239019398e3d14b32dc34dc5af4aeaea3c095af73479cf0a45e5629635a53a018377615b16cb9b13b3e09d671eb71e387b8545c5960da5a64776e768e82b2c93583bf104c3fdb23512b7b4e89f633dd0063a530db4524b01c3f384c09310e315a79dcd3d684022a7f31c865a664e316978b759fad |
421 |
|
422 |
+Availablein = default |
423 |
Verify=RSA-PSS-1 |
424 |
Ctrl = rsa_padding_mode:pss |
425 |
Ctrl = rsa_mgf1_md:sha1 |
426 |
@@ -517,36 +552,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+ESArV6D5KYZBKTySPs5cCc1fh |
427 |
0w5GMTmBXG/U/VrFuBcqRSMOy2MYoE8UVdhOWosCAwEAAQ== |
428 |
-----END PUBLIC KEY----- |
429 |
|
430 |
+Availablein = default |
431 |
Verify=RSA-PSS-9 |
432 |
Ctrl = rsa_padding_mode:pss |
433 |
Ctrl = rsa_mgf1_md:sha1 |
434 |
Input=2715a49b8b0012cd7aee84c116446e6dfe3faec0 |
435 |
Output=586107226c3ce013a7c8f04d1a6a2959bb4b8e205ba43a27b50f124111bc35ef589b039f5932187cb696d7d9a32c0c38300a5cdda4834b62d2eb240af33f79d13dfbf095bf599e0d9686948c1964747b67e89c9aba5cd85016236f566cc5802cb13ead51bc7ca6bef3b94dcbdbb1d570469771df0e00b1a8a06777472d2316279edae86474668d4e1efff95f1de61c6020da32ae92bbf16520fef3cf4d88f61121f24bbd9fe91b59caf1235b2a93ff81fc403addf4ebdea84934a9cdaf8e1a9e |
436 |
|
437 |
+Availablein = default |
438 |
Verify=RSA-PSS-9 |
439 |
Ctrl = rsa_padding_mode:pss |
440 |
Ctrl = rsa_mgf1_md:sha1 |
441 |
Input=2dac956d53964748ac364d06595827c6b4f143cd |
442 |
Output=80b6d643255209f0a456763897ac9ed259d459b49c2887e5882ecb4434cfd66dd7e1699375381e51cd7f554f2c271704b399d42b4be2540a0eca61951f55267f7c2878c122842dadb28b01bd5f8c025f7e228418a673c03d6bc0c736d0a29546bd67f786d9d692ccea778d71d98c2063b7a71092187a4d35af108111d83e83eae46c46aa34277e06044589903788f1d5e7cee25fb485e92949118814d6f2c3ee361489016f327fb5bc517eb50470bffa1afa5f4ce9aa0ce5b8ee19bf5501b958 |
443 |
|
444 |
+Availablein = default |
445 |
Verify=RSA-PSS-9 |
446 |
Ctrl = rsa_padding_mode:pss |
447 |
Ctrl = rsa_mgf1_md:sha1 |
448 |
Input=28d98c46cccafbd3bc04e72f967a54bd3ea12298 |
449 |
Output=484408f3898cd5f53483f80819efbf2708c34d27a8b2a6fae8b322f9240237f981817aca1846f1084daa6d7c0795f6e5bf1af59c38e1858437ce1f7ec419b98c8736adf6dd9a00b1806d2bd3ad0a73775e05f52dfef3a59ab4b08143f0df05cd1ad9d04bececa6daa4a2129803e200cbc77787caf4c1d0663a6c5987b605952019782caf2ec1426d68fb94ed1d4be816a7ed081b77e6ab330b3ffc073820fecde3727fcbe295ee61a050a343658637c3fd659cfb63736de32d9f90d3c2f63eca |
450 |
|
451 |
+Availablein = default |
452 |
Verify=RSA-PSS-9 |
453 |
Ctrl = rsa_padding_mode:pss |
454 |
Ctrl = rsa_mgf1_md:sha1 |
455 |
Input=0866d2ff5a79f25ef668cd6f31b42dee421e4c0e |
456 |
Output=84ebeb481be59845b46468bafb471c0112e02b235d84b5d911cbd1926ee5074ae0424495cb20e82308b8ebb65f419a03fb40e72b78981d88aad143053685172c97b29c8b7bf0ae73b5b2263c403da0ed2f80ff7450af7828eb8b86f0028bd2a8b176a4d228cccea18394f238b09ff758cc00bc04301152355742f282b54e663a919e709d8da24ade5500a7b9aa50226e0ca52923e6c2d860ec50ff480fa57477e82b0565f4379f79c772d5c2da80af9fbf325ece6fc20b00961614bee89a183e |
457 |
|
458 |
+Availablein = default |
459 |
Verify=RSA-PSS-9 |
460 |
Ctrl = rsa_padding_mode:pss |
461 |
Ctrl = rsa_mgf1_md:sha1 |
462 |
Input=6a5b4be4cd36cc97dfde9995efbf8f097a4a991a |
463 |
Output=82102df8cb91e7179919a04d26d335d64fbc2f872c44833943241de8454810274cdf3db5f42d423db152af7135f701420e39b494a67cbfd19f9119da233a23da5c6439b5ba0d2bc373eee3507001378d4a4073856b7fe2aba0b5ee93b27f4afec7d4d120921c83f606765b02c19e4d6a1a3b95fa4c422951be4f52131077ef17179729cddfbdb56950dbaceefe78cb16640a099ea56d24389eef10f8fecb31ba3ea3b227c0a86698bb89e3e9363905bf22777b2a3aa521b65b4cef76d83bde4c |
464 |
|
465 |
+Availablein = default |
466 |
Verify=RSA-PSS-9 |
467 |
Ctrl = rsa_padding_mode:pss |
468 |
Ctrl = rsa_mgf1_md:sha1 |
469 |
@@ -564,36 +605,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGu |
470 |
BQIDAQAB |
471 |
-----END PUBLIC KEY----- |
472 |
|
473 |
+Availablein = default |
474 |
Verify=RSA-PSS-10 |
475 |
Ctrl = rsa_padding_mode:pss |
476 |
Ctrl = rsa_mgf1_md:sha1 |
477 |
Input=9596bb630cf6a8d4ea4600422b9eba8b13675dd4 |
478 |
Output=82c2b160093b8aa3c0f7522b19f87354066c77847abf2a9fce542d0e84e920c5afb49ffdfdace16560ee94a1369601148ebad7a0e151cf16331791a5727d05f21e74e7eb811440206935d744765a15e79f015cb66c532c87a6a05961c8bfad741a9a6657022894393e7223739796c02a77455d0f555b0ec01ddf259b6207fd0fd57614cef1a5573baaff4ec00069951659b85f24300a25160ca8522dc6e6727e57d019d7e63629b8fe5e89e25cc15beb3a647577559299280b9b28f79b0409000be25bbd96408ba3b43cc486184dd1c8e62553fa1af4040f60663de7f5e49c04388e257f1ce89c95dab48a315d9b66b1b7628233876ff2385230d070d07e1666 |
479 |
|
480 |
+Availablein = default |
481 |
Verify=RSA-PSS-10 |
482 |
Ctrl = rsa_padding_mode:pss |
483 |
Ctrl = rsa_mgf1_md:sha1 |
484 |
Input=b503319399277fd6c1c8f1033cbf04199ea21716 |
485 |
Output=14ae35d9dd06ba92f7f3b897978aed7cd4bf5ff0b585a40bd46ce1b42cd2703053bb9044d64e813d8f96db2dd7007d10118f6f8f8496097ad75e1ff692341b2892ad55a633a1c55e7f0a0ad59a0e203a5b8278aec54dd8622e2831d87174f8caff43ee6c46445345d84a59659bfb92ecd4c818668695f34706f66828a89959637f2bf3e3251c24bdba4d4b7649da0022218b119c84e79a6527ec5b8a5f861c159952e23ec05e1e717346faefe8b1686825bd2b262fb2531066c0de09acde2e4231690728b5d85e115a2f6b92b79c25abc9bd9399ff8bcf825a52ea1f56ea76dd26f43baafa18bfa92a504cbd35699e26d1dcc5a2887385f3c63232f06f3244c3 |
486 |
|
487 |
+Availablein = default |
488 |
Verify=RSA-PSS-10 |
489 |
Ctrl = rsa_padding_mode:pss |
490 |
Ctrl = rsa_mgf1_md:sha1 |
491 |
Input=50aaede8536b2c307208b275a67ae2df196c7628 |
492 |
Output=6e3e4d7b6b15d2fb46013b8900aa5bbb3939cf2c095717987042026ee62c74c54cffd5d7d57efbbf950a0f5c574fa09d3fc1c9f513b05b4ff50dd8df7edfa20102854c35e592180119a70ce5b085182aa02d9ea2aa90d1df03f2daae885ba2f5d05afdac97476f06b93b5bc94a1a80aa9116c4d615f333b098892b25fface266f5db5a5a3bcc10a824ed55aad35b727834fb8c07da28fcf416a5d9b2224f1f8b442b36f91e456fdea2d7cfe3367268de0307a4c74e924159ed33393d5e0655531c77327b89821bdedf880161c78cd4196b5419f7acc3f13e5ebf161b6e7c6724716ca33b85c2e25640192ac2859651d50bde7eb976e51cec828b98b6563b86bb |
493 |
|
494 |
+Availablein = default |
495 |
Verify=RSA-PSS-10 |
496 |
Ctrl = rsa_padding_mode:pss |
497 |
Ctrl = rsa_mgf1_md:sha1 |
498 |
Input=aa0b72b8b371ddd10c8ae474425ccccf8842a294 |
499 |
Output=34047ff96c4dc0dc90b2d4ff59a1a361a4754b255d2ee0af7d8bf87c9bc9e7ddeede33934c63ca1c0e3d262cb145ef932a1f2c0a997aa6a34f8eaee7477d82ccf09095a6b8acad38d4eec9fb7eab7ad02da1d11d8e54c1825e55bf58c2a23234b902be124f9e9038a8f68fa45dab72f66e0945bf1d8bacc9044c6f07098c9fcec58a3aab100c805178155f030a124c450e5acbda47d0e4f10b80a23f803e774d023b0015c20b9f9bbe7c91296338d5ecb471cafb032007b67a60be5f69504a9f01abb3cb467b260e2bce860be8d95bf92c0c8e1496ed1e528593a4abb6df462dde8a0968dffe4683116857a232f5ebf6c85be238745ad0f38f767a5fdbf486fb |
500 |
|
501 |
+Availablein = default |
502 |
Verify=RSA-PSS-10 |
503 |
Ctrl = rsa_padding_mode:pss |
504 |
Ctrl = rsa_mgf1_md:sha1 |
505 |
Input=fad3902c9750622a2bc672622c48270cc57d3ea8 |
506 |
Output=7e0935ea18f4d6c1d17ce82eb2b3836c55b384589ce19dfe743363ac9948d1f346b7bfddfe92efd78adb21faefc89ade42b10f374003fe122e67429a1cb8cbd1f8d9014564c44d120116f4990f1a6e38774c194bd1b8213286b077b0499d2e7b3f434ab12289c556684deed78131934bb3dd6537236f7c6f3dcb09d476be07721e37e1ceed9b2f7b406887bd53157305e1c8b4f84d733bc1e186fe06cc59b6edb8f4bd7ffefdf4f7ba9cfb9d570689b5a1a4109a746a690893db3799255a0cb9215d2d1cd490590e952e8c8786aa0011265252470c041dfbc3eec7c3cbf71c24869d115c0cb4a956f56d530b80ab589acfefc690751ddf36e8d383f83cedd2cc |
507 |
|
508 |
+Availablein = default |
509 |
Verify=RSA-PSS-10 |
510 |
Ctrl = rsa_padding_mode:pss |
511 |
Ctrl = rsa_mgf1_md:sha1 |
512 |
@@ -1329,11 +1376,13 @@ Title = RSA FIPS tests |
513 |
|
514 |
# FIPS tests |
515 |
|
516 |
-# Verifying with SHA1 is permitted in fips mode for older applications |
517 |
+# Verifying with SHA1 is not permitted on RHEL-9 in FIPS mode |
518 |
+Availablein = fips |
519 |
DigestVerify = SHA1 |
520 |
Key = RSA-2048 |
521 |
Input = "Hello " |
522 |
Output = 87ea0e2226ef35e5a2aec9ca1222fcbe39ba723f05b3203564f671dd3601271806ead3240e61d424359ee3b17bd3e32f54b82df83998a8ac4148410710361de0400f9ddf98278618fbc87747a0531972543e6e5f18ab2fdfbfda02952f6ac69690e43864690af271bf43d4be9705b303d4ff994ab3abd4d5851562b73e59be3edc01cec41a4cc13b68206329bad1a46c6608d3609e951faa321d0fdbc765d54e9a7c59248d2f67913c9903e932b769c9c8a45520cabea06e8c0b231dd3bcc7f7ec55b46b0157ccb5fc5011fa57353cd3df32edcbadcb8d168133cbd0acfb64444cb040e1298f621508a38f79e14ae8c2c5c857f90aa9d24ef5fc07d34bf23859 |
523 |
+Result = DIGESTVERIFYINIT_ERROR |
524 |
|
525 |
# Verifying with a 1024 bit key is permitted in fips mode for older applications |
526 |
DigestVerify = SHA256 |
527 |
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t |
528 |
index 48a92f735d..34afe91b88 100644 |
529 |
--- a/test/recipes/80-test_cms.t |
530 |
+++ b/test/recipes/80-test_cms.t |
531 |
@@ -162,7 +162,7 @@ my @smime_pkcs7_tests = ( |
532 |
[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1", |
533 |
"-certfile", $smroot, |
534 |
"-signer", $smrsa1, "-out", "{output}.cms" ], |
535 |
- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", |
536 |
+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", |
537 |
"-CAfile", $smroot, "-out", "{output}.txt" ], |
538 |
\&final_compare |
539 |
], |
540 |
@@ -170,7 +170,7 @@ my @smime_pkcs7_tests = ( |
541 |
[ "signed zero-length content S/MIME format, RSA key SHA1", |
542 |
[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1", |
543 |
"-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ], |
544 |
- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", |
545 |
+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", |
546 |
"-CAfile", $smroot, "-out", "{output}.txt" ], |
547 |
\&zero_compare |
548 |
], |
549 |
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t |
550 |
index 8c52b637fc..ff75c5b6ec 100644 |
551 |
--- a/test/recipes/80-test_ssl_old.t |
552 |
+++ b/test/recipes/80-test_ssl_old.t |
553 |
@@ -394,6 +394,9 @@ sub testssl { |
554 |
'test sslv2/sslv3 with 1024bit DHE via BIO pair'); |
555 |
} |
556 |
|
557 |
+ SKIP: { |
558 |
+ skip "SSLv3 is not supported by the FIPS provider", 4 |
559 |
+ if $provider eq "fips"; |
560 |
ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])), |
561 |
'test sslv2/sslv3 with server authentication'); |
562 |
ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])), |
563 |
@@ -402,6 +405,7 @@ sub testssl { |
564 |
'test sslv2/sslv3 with both client and server authentication via BIO pair'); |
565 |
ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])), |
566 |
'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify'); |
567 |
+ } |
568 |
|
569 |
SKIP: { |
570 |
skip "No IPv4 available on this machine", 4 |