[thirdparty/openssl.git] / test / recipes / 20-test_cli_fips.t

#! /usr/bin/env perl
# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

use strict;
use warnings;

use File::Spec;
use File::Spec::Functions qw/curdir abs2rel/;
use File::Copy;
use OpenSSL::Glob;
use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir bldtop_file srctop_file data_file/;
use OpenSSL::Test::Utils;

BEGIN {
    setup("test_cli_fips");
}
use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;

my $no_check = disabled("fips") || disabled('fips-securitychecks');
plan skip_all => "Test only supported in a fips build with security checks"
    if $no_check;
plan tests => 11;

my $fipsmodule = bldtop_file('providers', platform->dso('fips'));
my $fipsconf = srctop_file("test", "fips-and-base.cnf");
my $defaultconf = srctop_file("test", "default.cnf");
my $tbs_data = $fipsmodule;
my $bogus_data = $fipsconf;

$ENV{OPENSSL_CONF} = $fipsconf;

ok(run(app(['openssl', 'list', '-public-key-methods', '-verbose'])),
   "provider listing of public key methods");
ok(run(app(['openssl', 'list', '-public-key-algorithms', '-verbose'])),
   "provider listing of public key algorithms");
ok(run(app(['openssl', 'list', '-key-managers', '-verbose'])),
   "provider listing of keymanagers");
ok(run(app(['openssl', 'list', '-key-exchange-algorithms', '-verbose'])),
   "provider listing of key exchange algorithms");
ok(run(app(['openssl', 'list', '-kem-algorithms', '-verbose'])),
   "provider listing of key encapsulation algorithms");
ok(run(app(['openssl', 'list', '-signature-algorithms', '-verbose'])),
   "provider listing of signature algorithms");
ok(run(app(['openssl', 'list', '-asymcipher-algorithms', '-verbose'])),
   "provider listing of encryption algorithms");
ok(run(app(['openssl', 'list', '-key-managers', '-verbose', '-select', 'DSA' ])),
   "provider listing of one item in the keymanager");

sub pubfrompriv {
    my $prefix = shift;
    my $key = shift;
    my $pub_key = shift;
    my $type = shift;

    ok(run(app(['openssl', 'pkey',
                '-in', $key,
                '-pubout',
                '-out', $pub_key])),
        $prefix.': '."Create the public key with $type parameters");

}

my $tsignverify_count = 9;
sub tsignverify {
    my $prefix = shift;
    my $fips_key = shift;
    my $fips_pub_key = shift;
    my $nonfips_key = shift;
    my $nonfips_pub_key = shift;
    my $fips_sigfile = $prefix.'.fips.sig';
    my $nonfips_sigfile = $prefix.'.nonfips.sig';
    my $sigfile = '';
    my $testtext = '';

    $ENV{OPENSSL_CONF} = $fipsconf;

    $sigfile = $fips_sigfile;
    $testtext = $prefix.': '.
        'Sign something with a FIPS key';
    ok(run(app(['openssl', 'dgst', '-sha256',
                '-sign', $fips_key,
                '-out', $sigfile,
                $tbs_data])),
       $testtext);

    $testtext = $prefix.': '.
        'Verify something with a FIPS key';
    ok(run(app(['openssl', 'dgst', '-sha256',
                '-verify', $fips_pub_key,
                '-signature', $sigfile,
                $tbs_data])),
       $testtext);

    $testtext = $prefix.': '.
        'Verify a valid signature against the wrong data with a FIPS key'.
        ' (should fail)';
    ok(!run(app(['openssl', 'dgst', '-sha256',
                 '-verify', $fips_pub_key,
                 '-signature', $sigfile,
                 $bogus_data])),
       $testtext);

    $ENV{OPENSSL_CONF} = $defaultconf;

    SKIP : {
        skip "FIPS failure testing", 6
            if ($nonfips_key eq '');

        $sigfile = $nonfips_sigfile;
        $testtext = $prefix.': '.
            'Sign something with a non-FIPS key'.
            ' with the default provider';
        ok(run(app(['openssl', 'dgst', '-sha256',
                    '-sign', $nonfips_key,
                    '-out', $sigfile,
                    $tbs_data])),
           $testtext);

        $testtext = $prefix.': '.
            'Verify something with a non-FIPS key'.
            ' with the default provider';
        ok(run(app(['openssl', 'dgst', '-sha256',
                    '-verify', $nonfips_pub_key,
                    '-signature', $sigfile,
                    $tbs_data])),
           $testtext);

        $ENV{OPENSSL_CONF} = $fipsconf;

        $testtext = $prefix.': '.
            'Sign something with a non-FIPS key'.
            ' (should fail)';
        ok(!run(app(['openssl', 'dgst', '-sha256',
                     '-sign', $nonfips_key,
                     '-out', $prefix.'.nonfips.fail.sig',
                     $tbs_data])),
           $testtext);

        $testtext = $prefix.': '.
            'Verify something with a non-FIPS key'.
            ' (should fail)';
        ok(!run(app(['openssl', 'dgst', '-sha256',
                     '-verify', $nonfips_pub_key,
                     '-signature', $sigfile,
                     $tbs_data])),
           $testtext);

        $testtext = $prefix.': '.
            'Verify something with a non-FIPS key'.
		    ' in FIPS mode but with a non-FIPS property query';
        ok(run(app(['openssl', 'dgst',
				    '-provider', 'default',
				    '-propquery', '?fips!=yes',
				    '-sha256',
                    '-verify', $nonfips_pub_key,
                    '-signature', $sigfile,
                    $tbs_data])),
           $testtext);

        $testtext = $prefix.': '.
            'Verify a valid signature against the wrong data with a non-FIPS key'.
            ' (should fail)';
        ok(!run(app(['openssl', 'dgst', '-sha256',
                     '-verify', $nonfips_pub_key,
                     '-signature', $sigfile,
                     $bogus_data])),
           $testtext);
   }
}

SKIP : {
    skip "FIPS EC tests because of no ec in this build", 1
        if disabled("ec");

    subtest EC => sub {
        my $testtext_prefix = 'EC';
        my $a_fips_curve = 'prime256v1';
        my $fips_key = $testtext_prefix.'.fips.priv.pem';
        my $fips_pub_key = $testtext_prefix.'.fips.pub.pem';
        my $a_nonfips_curve = 'brainpoolP256r1';
        my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem';
        my $nonfips_pub_key = $testtext_prefix.'.nonfips.pub.pem';
        my $testtext = '';
        my $curvename = '';

        plan tests => 5 + $tsignverify_count;

        $ENV{OPENSSL_CONF} = $defaultconf;
        $curvename = $a_nonfips_curve;
        $testtext = $testtext_prefix.': '.
            'Generate a key with a non-FIPS algorithm with the default provider';
        ok(run(app(['openssl', 'genpkey', '-algorithm', 'EC',
                    '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
                    '-out', $nonfips_key])),
           $testtext);

        pubfrompriv($testtext_prefix, $nonfips_key, $nonfips_pub_key, "non-FIPS");

        $ENV{OPENSSL_CONF} = $fipsconf;

        $curvename = $a_fips_curve;
        $testtext = $testtext_prefix.': '.
            'Generate a key with a FIPS algorithm';
        ok(run(app(['openssl', 'genpkey', '-algorithm', 'EC',
                    '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
                    '-out', $fips_key])),
           $testtext);

        pubfrompriv($testtext_prefix, $fips_key, $fips_pub_key, "FIPS");

        $curvename = $a_nonfips_curve;
        $testtext = $testtext_prefix.': '.
            'Generate a key with a non-FIPS algorithm'.
            ' (should fail)';
        ok(!run(app(['openssl', 'genpkey', '-algorithm', 'EC',
                     '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
                     '-out', $testtext_prefix.'.'.$curvename.'.priv.pem'])),
           $testtext);

        tsignverify($testtext_prefix, $fips_key, $fips_pub_key, $nonfips_key,
                    $nonfips_pub_key);
    };
}

SKIP: {
    skip "FIPS RSA tests because of no rsa in this build", 1
        if disabled("rsa");

    subtest RSA => sub {
        my $testtext_prefix = 'RSA';
        my $fips_key = $testtext_prefix.'.fips.priv.pem';
        my $fips_pub_key = $testtext_prefix.'.fips.pub.pem';
        my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem';
        my $nonfips_pub_key = $testtext_prefix.'.nonfips.pub.pem';
        my $testtext = '';

        plan tests => 5 + $tsignverify_count;

        $ENV{OPENSSL_CONF} = $defaultconf;
        $testtext = $testtext_prefix.': '.
            'Generate a key with a non-FIPS algorithm with the default provider';
        ok(run(app(['openssl', 'genpkey', '-algorithm', 'RSA',
                    '-pkeyopt', 'rsa_keygen_bits:512',
                    '-out', $nonfips_key])),
           $testtext);

        pubfrompriv($testtext_prefix, $nonfips_key, $nonfips_pub_key, "non-FIPS");

        $ENV{OPENSSL_CONF} = $fipsconf;

        $testtext = $testtext_prefix.': '.
            'Generate a key with a FIPS algorithm';
        ok(run(app(['openssl', 'genpkey', '-algorithm', 'RSA',
                    '-pkeyopt', 'rsa_keygen_bits:2048',
                    '-out', $fips_key])),
           $testtext);

        pubfrompriv($testtext_prefix, $fips_key, $fips_pub_key, "FIPS");

        $testtext = $testtext_prefix.': '.
            'Generate a key with a non-FIPS algorithm'.
            ' (should fail)';
        ok(!run(app(['openssl', 'genpkey', '-algorithm', 'RSA',
                    '-pkeyopt', 'rsa_keygen_bits:512',
                     '-out', $testtext_prefix.'.fail.priv.pem'])),
           $testtext);

        tsignverify($testtext_prefix, $fips_key, $fips_pub_key, $nonfips_key,
                    $nonfips_pub_key);
    };
}

SKIP : {
    skip "FIPS DSA tests because of no dsa in this build", 1
        if disabled("dsa");

    subtest DSA => sub {
        my $testtext_prefix = 'DSA';
        my $fips_key = $testtext_prefix.'.fips.priv.pem';
        my $fips_pub_key = $testtext_prefix.'.fips.pub.pem';
        my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem';
        my $nonfips_pub_key = $testtext_prefix.'.nonfips.pub.pem';
        my $testtext = '';
        my $fips_param = $testtext_prefix.'.fips.param.pem';
        my $nonfips_param = $testtext_prefix.'.nonfips.param.pem';
        my $shortnonfips_param = $testtext_prefix.'.shortnonfips.param.pem';

        plan tests => 13 + $tsignverify_count;

        $ENV{OPENSSL_CONF} = $defaultconf;

        $testtext = $testtext_prefix.': '.
            'Generate non-FIPS params with the default provider';
        ok(run(app(['openssl', 'genpkey', '-genparam',
                    '-algorithm', 'DSA',
                    '-pkeyopt', 'type:fips186_2',
                    '-pkeyopt', 'dsa_paramgen_bits:512',
                    '-out', $nonfips_param])),
           $testtext);

        $ENV{OPENSSL_CONF} = $fipsconf;

        $testtext = $testtext_prefix.': '.
            'Generate FIPS params';
        ok(run(app(['openssl', 'genpkey', '-genparam',
                    '-algorithm', 'DSA',
                    '-pkeyopt', 'dsa_paramgen_bits:2048',
                    '-out', $fips_param])),
           $testtext);

        $testtext = $testtext_prefix.': '.
            'Generate non-FIPS params'.
            ' (should fail)';
        ok(!run(app(['openssl', 'genpkey', '-genparam',
                     '-algorithm', 'DSA',
                    '-pkeyopt', 'dsa_paramgen_bits:512',
                     '-out', $testtext_prefix.'.fail.param.pem'])),
           $testtext);

        $testtext = $testtext_prefix.': '.
            'Generate non-FIPS params using non-FIPS property query'.
            ' (dsaparam)';
        ok(run(app(['openssl', 'dsaparam', '-provider', 'default',
                    '-propquery', '?fips!=yes',
                    '-out', $shortnonfips_param, '1024'])),
            $testtext);

        $testtext = $testtext_prefix.': '.
            'Generate non-FIPS params using non-FIPS property query'.
            ' (genpkey)';
        ok(run(app(['openssl', 'genpkey', '-provider', 'default',
                    '-propquery', '?fips!=yes',
                    '-genparam', '-algorithm', 'DSA',
                    '-pkeyopt', 'dsa_paramgen_bits:512'])),
            $testtext);

        $ENV{OPENSSL_CONF} = $defaultconf;

        $testtext = $testtext_prefix.': '.
            'Generate a key with non-FIPS params with the default provider';
        ok(run(app(['openssl', 'genpkey',
                    '-paramfile', $nonfips_param,
                    '-pkeyopt', 'type:fips186_2',
                    '-out', $nonfips_key])),
           $testtext);

        pubfrompriv($testtext_prefix, $nonfips_key, $nonfips_pub_key, "non-FIPS");

        $ENV{OPENSSL_CONF} = $fipsconf;

        $testtext = $testtext_prefix.': '.
            'Generate a key with FIPS parameters';
        ok(run(app(['openssl', 'genpkey',
                    '-paramfile', $fips_param,
                    '-pkeyopt', 'type:fips186_4',
                    '-out', $fips_key])),
           $testtext);

        pubfrompriv($testtext_prefix, $fips_key, $fips_pub_key, "FIPS");

        $testtext = $testtext_prefix.': '.
            'Generate a key with non-FIPS parameters'.
            ' (should fail)';
        ok(!run(app(['openssl', 'genpkey',
                     '-paramfile', $nonfips_param,
                     '-pkeyopt', 'type:fips186_2',
                     '-out', $testtext_prefix.'.fail.priv.pem'])),
           $testtext);

        $testtext = $testtext_prefix.': '.
            'Generate a key with non-FIPS parameters using non-FIPS property'.
            ' query (dsaparam)';
        ok(run(app(['openssl', 'dsaparam', '-provider', 'default',
                    '-propquery', '?fips!=yes',
                    '-noout', '-genkey', '1024'])),
            $testtext);

        $testtext = $testtext_prefix.': '.
            'Generate a key with non-FIPS parameters using non-FIPS property'.
            ' query (gendsa)';
        ok(run(app(['openssl', 'gendsa', '-provider', 'default',
                    '-propquery', '?fips!=yes',
                    $shortnonfips_param])),
            $testtext);

        $testtext = $testtext_prefix.': '.
            'Generate a key with non-FIPS parameters using non-FIPS property'.
            ' query (genpkey)';
        ok(run(app(['openssl', 'genpkey', '-provider', 'default',
                    '-propquery', '?fips!=yes',
                    '-paramfile', $nonfips_param,
                    '-pkeyopt', 'type:fips186_2',
                    '-out', $testtext_prefix.'.fail.priv.pem'])),
            $testtext);

        tsignverify($testtext_prefix, $fips_key, $fips_pub_key, '', '');
    };
}
Commit	Line	Data
39d9be39	1	#! /usr/bin/env perl
da1c088f	2	# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
39d9be39 NT	3	#
	4	# Licensed under the Apache License 2.0 (the "License"). You may not use
	5	# this file except in compliance with the License. You can obtain a copy
	6	# in the file LICENSE in the source distribution or at
	7	# https://www.openssl.org/source/license.html
	8
	9	use strict;
	10	use warnings;
	11
	12	use File::Spec;
	13	use File::Spec::Functions qw/curdir abs2rel/;
	14	use File::Copy;
	15	use OpenSSL::Glob;
	16	use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir bldtop_file srctop_file data_file/;
	17	use OpenSSL::Test::Utils;
	18
	19	BEGIN {
	20	setup("test_cli_fips");
	21	}
	22	use lib srctop_dir('Configurations');
	23	use lib bldtop_dir('.');
	24	use platform;
	25
e25b4db7	26	my $no_check = disabled("fips") \|\| disabled('fips-securitychecks');
4605c5ab	27	plan skip_all => "Test only supported in a fips build with security checks"
e25b4db7 RL	28	if $no_check;
e25b4db7 RL	29	plan tests => 11;
39d9be39 NT	30
	31	my $fipsmodule = bldtop_file('providers', platform->dso('fips'));
	32	my $fipsconf = srctop_file("test", "fips-and-base.cnf");
	33	my $defaultconf = srctop_file("test", "default.cnf");
	34	my $tbs_data = $fipsmodule;
	35	my $bogus_data = $fipsconf;
	36
39d9be39 NT	37	$ENV{OPENSSL_CONF} = $fipsconf;
39d9be39 NT	38
fc959d71 SL	39	ok(run(app(['openssl', 'list', '-public-key-methods', '-verbose'])),
	40	"provider listing of public key methods");
	41	ok(run(app(['openssl', 'list', '-public-key-algorithms', '-verbose'])),
	42	"provider listing of public key algorithms");
	43	ok(run(app(['openssl', 'list', '-key-managers', '-verbose'])),
	44	"provider listing of keymanagers");
	45	ok(run(app(['openssl', 'list', '-key-exchange-algorithms', '-verbose'])),
	46	"provider listing of key exchange algorithms");
	47	ok(run(app(['openssl', 'list', '-kem-algorithms', '-verbose'])),
	48	"provider listing of key encapsulation algorithms");
	49	ok(run(app(['openssl', 'list', '-signature-algorithms', '-verbose'])),
	50	"provider listing of signature algorithms");
	51	ok(run(app(['openssl', 'list', '-asymcipher-algorithms', '-verbose'])),
	52	"provider listing of encryption algorithms");
	53	ok(run(app(['openssl', 'list', '-key-managers', '-verbose', '-select', 'DSA' ])),
	54	"provider listing of one item in the keymanager");
39d9be39	55
3a2171f6 MC	56	sub pubfrompriv {
	57	my $prefix = shift;
	58	my $key = shift;
	59	my $pub_key = shift;
	60	my $type = shift;
	61
	62	ok(run(app(['openssl', 'pkey',
	63	'-in', $key,
	64	'-pubout',
	65	'-out', $pub_key])),
	66	$prefix.': '."Create the public key with $type parameters");
	67
	68	}
	69
653a7706	70	my $tsignverify_count = 9;
39d9be39 NT	71	sub tsignverify {
	72	my $prefix = shift;
	73	my $fips_key = shift;
3a2171f6	74	my $fips_pub_key = shift;
39d9be39	75	my $nonfips_key = shift;
3a2171f6	76	my $nonfips_pub_key = shift;
39d9be39 NT	77	my $fips_sigfile = $prefix.'.fips.sig';
	78	my $nonfips_sigfile = $prefix.'.nonfips.sig';
	79	my $sigfile = '';
	80	my $testtext = '';
	81
	82	$ENV{OPENSSL_CONF} = $fipsconf;
	83
	84	$sigfile = $fips_sigfile;
	85	$testtext = $prefix.': '.
	86	'Sign something with a FIPS key';
	87	ok(run(app(['openssl', 'dgst', '-sha256',
	88	'-sign', $fips_key,
	89	'-out', $sigfile,
	90	$tbs_data])),
	91	$testtext);
	92
	93	$testtext = $prefix.': '.
	94	'Verify something with a FIPS key';
	95	ok(run(app(['openssl', 'dgst', '-sha256',
3a2171f6	96	'-verify', $fips_pub_key,
39d9be39 NT	97	'-signature', $sigfile,
	98	$tbs_data])),
	99	$testtext);
	100
	101	$testtext = $prefix.': '.
	102	'Verify a valid signature against the wrong data with a FIPS key'.
	103	' (should fail)';
	104	ok(!run(app(['openssl', 'dgst', '-sha256',
3a2171f6	105	'-verify', $fips_pub_key,
39d9be39 NT	106	'-signature', $sigfile,
	107	$bogus_data])),
	108	$testtext);
	109
	110	$ENV{OPENSSL_CONF} = $defaultconf;
	111
71cf587e P	112	SKIP : {
	113	skip "FIPS failure testing", 6
	114	if ($nonfips_key eq '');
	115
	116	$sigfile = $nonfips_sigfile;
	117	$testtext = $prefix.': '.
	118	'Sign something with a non-FIPS key'.
	119	' with the default provider';
	120	ok(run(app(['openssl', 'dgst', '-sha256',
	121	'-sign', $nonfips_key,
	122	'-out', $sigfile,
	123	$tbs_data])),
	124	$testtext);
39d9be39	125
71cf587e P	126	$testtext = $prefix.': '.
	127	'Verify something with a non-FIPS key'.
	128	' with the default provider';
	129	ok(run(app(['openssl', 'dgst', '-sha256',
	130	'-verify', $nonfips_pub_key,
	131	'-signature', $sigfile,
	132	$tbs_data])),
	133	$testtext);
39d9be39	134
71cf587e	135	$ENV{OPENSSL_CONF} = $fipsconf;
39d9be39	136
71cf587e P	137	$testtext = $prefix.': '.
	138	'Sign something with a non-FIPS key'.
	139	' (should fail)';
	140	ok(!run(app(['openssl', 'dgst', '-sha256',
	141	'-sign', $nonfips_key,
	142	'-out', $prefix.'.nonfips.fail.sig',
	143	$tbs_data])),
	144	$testtext);
39d9be39	145
71cf587e P	146	$testtext = $prefix.': '.
	147	'Verify something with a non-FIPS key'.
	148	' (should fail)';
	149	ok(!run(app(['openssl', 'dgst', '-sha256',
	150	'-verify', $nonfips_pub_key,
	151	'-signature', $sigfile,
	152	$tbs_data])),
	153	$testtext);
39d9be39	154
71cf587e P	155	$testtext = $prefix.': '.
	156	'Verify something with a non-FIPS key'.
	157	' in FIPS mode but with a non-FIPS property query';
	158	ok(run(app(['openssl', 'dgst',
	159	'-provider', 'default',
	160	'-propquery', '?fips!=yes',
	161	'-sha256',
	162	'-verify', $nonfips_pub_key,
	163	'-signature', $sigfile,
	164	$tbs_data])),
	165	$testtext);
653a7706	166
71cf587e P	167	$testtext = $prefix.': '.
	168	'Verify a valid signature against the wrong data with a non-FIPS key'.
	169	' (should fail)';
	170	ok(!run(app(['openssl', 'dgst', '-sha256',
	171	'-verify', $nonfips_pub_key,
	172	'-signature', $sigfile,
	173	$bogus_data])),
	174	$testtext);
	175	}
39d9be39 NT	176	}
	177
	178	SKIP : {
	179	skip "FIPS EC tests because of no ec in this build", 1
	180	if disabled("ec");
	181
	182	subtest EC => sub {
	183	my $testtext_prefix = 'EC';
	184	my $a_fips_curve = 'prime256v1';
	185	my $fips_key = $testtext_prefix.'.fips.priv.pem';
3a2171f6	186	my $fips_pub_key = $testtext_prefix.'.fips.pub.pem';
39d9be39 NT	187	my $a_nonfips_curve = 'brainpoolP256r1';
39d9be39 NT	188	my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem';
3a2171f6	189	my $nonfips_pub_key = $testtext_prefix.'.nonfips.pub.pem';
39d9be39 NT	190	my $testtext = '';
	191	my $curvename = '';
	192
3a2171f6	193	plan tests => 5 + $tsignverify_count;
39d9be39 NT	194
	195	$ENV{OPENSSL_CONF} = $defaultconf;
	196	$curvename = $a_nonfips_curve;
	197	$testtext = $testtext_prefix.': '.
	198	'Generate a key with a non-FIPS algorithm with the default provider';
	199	ok(run(app(['openssl', 'genpkey', '-algorithm', 'EC',
	200	'-pkeyopt', 'ec_paramgen_curve:'.$curvename,
	201	'-out', $nonfips_key])),
	202	$testtext);
	203
3a2171f6 MC	204	pubfrompriv($testtext_prefix, $nonfips_key, $nonfips_pub_key, "non-FIPS");
3a2171f6 MC	205
39d9be39 NT	206	$ENV{OPENSSL_CONF} = $fipsconf;
	207
	208	$curvename = $a_fips_curve;
	209	$testtext = $testtext_prefix.': '.
	210	'Generate a key with a FIPS algorithm';
	211	ok(run(app(['openssl', 'genpkey', '-algorithm', 'EC',
	212	'-pkeyopt', 'ec_paramgen_curve:'.$curvename,
	213	'-out', $fips_key])),
	214	$testtext);
	215
3a2171f6 MC	216	pubfrompriv($testtext_prefix, $fips_key, $fips_pub_key, "FIPS");
3a2171f6 MC	217
39d9be39 NT	218	$curvename = $a_nonfips_curve;
	219	$testtext = $testtext_prefix.': '.
	220	'Generate a key with a non-FIPS algorithm'.
	221	' (should fail)';
	222	ok(!run(app(['openssl', 'genpkey', '-algorithm', 'EC',
	223	'-pkeyopt', 'ec_paramgen_curve:'.$curvename,
	224	'-out', $testtext_prefix.'.'.$curvename.'.priv.pem'])),
	225	$testtext);
	226
3a2171f6 MC	227	tsignverify($testtext_prefix, $fips_key, $fips_pub_key, $nonfips_key,
3a2171f6 MC	228	$nonfips_pub_key);
39d9be39 NT	229	};
	230	}
	231
	232	SKIP: {
	233	skip "FIPS RSA tests because of no rsa in this build", 1
	234	if disabled("rsa");
	235
	236	subtest RSA => sub {
	237	my $testtext_prefix = 'RSA';
	238	my $fips_key = $testtext_prefix.'.fips.priv.pem';
3a2171f6	239	my $fips_pub_key = $testtext_prefix.'.fips.pub.pem';
39d9be39	240	my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem';
3a2171f6	241	my $nonfips_pub_key = $testtext_prefix.'.nonfips.pub.pem';
39d9be39 NT	242	my $testtext = '';
39d9be39 NT	243
3a2171f6	244	plan tests => 5 + $tsignverify_count;
39d9be39 NT	245
	246	$ENV{OPENSSL_CONF} = $defaultconf;
	247	$testtext = $testtext_prefix.': '.
	248	'Generate a key with a non-FIPS algorithm with the default provider';
	249	ok(run(app(['openssl', 'genpkey', '-algorithm', 'RSA',
	250	'-pkeyopt', 'rsa_keygen_bits:512',
	251	'-out', $nonfips_key])),
	252	$testtext);
	253
3a2171f6 MC	254	pubfrompriv($testtext_prefix, $nonfips_key, $nonfips_pub_key, "non-FIPS");
3a2171f6 MC	255
39d9be39 NT	256	$ENV{OPENSSL_CONF} = $fipsconf;
	257
	258	$testtext = $testtext_prefix.': '.
	259	'Generate a key with a FIPS algorithm';
	260	ok(run(app(['openssl', 'genpkey', '-algorithm', 'RSA',
	261	'-pkeyopt', 'rsa_keygen_bits:2048',
	262	'-out', $fips_key])),
	263	$testtext);
	264
3a2171f6 MC	265	pubfrompriv($testtext_prefix, $fips_key, $fips_pub_key, "FIPS");
3a2171f6 MC	266
39d9be39 NT	267	$testtext = $testtext_prefix.': '.
	268	'Generate a key with a non-FIPS algorithm'.
	269	' (should fail)';
	270	ok(!run(app(['openssl', 'genpkey', '-algorithm', 'RSA',
	271	'-pkeyopt', 'rsa_keygen_bits:512',
	272	'-out', $testtext_prefix.'.fail.priv.pem'])),
	273	$testtext);
	274
3a2171f6 MC	275	tsignverify($testtext_prefix, $fips_key, $fips_pub_key, $nonfips_key,
3a2171f6 MC	276	$nonfips_pub_key);
39d9be39 NT	277	};
	278	}
	279
	280	SKIP : {
	281	skip "FIPS DSA tests because of no dsa in this build", 1
	282	if disabled("dsa");
	283
	284	subtest DSA => sub {
	285	my $testtext_prefix = 'DSA';
	286	my $fips_key = $testtext_prefix.'.fips.priv.pem';
3a2171f6	287	my $fips_pub_key = $testtext_prefix.'.fips.pub.pem';
39d9be39	288	my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem';
3a2171f6	289	my $nonfips_pub_key = $testtext_prefix.'.nonfips.pub.pem';
39d9be39 NT	290	my $testtext = '';
	291	my $fips_param = $testtext_prefix.'.fips.param.pem';
	292	my $nonfips_param = $testtext_prefix.'.nonfips.param.pem';
30b2c359	293	my $shortnonfips_param = $testtext_prefix.'.shortnonfips.param.pem';
39d9be39	294
30b2c359	295	plan tests => 13 + $tsignverify_count;
39d9be39 NT	296
	297	$ENV{OPENSSL_CONF} = $defaultconf;
	298
	299	$testtext = $testtext_prefix.': '.
	300	'Generate non-FIPS params with the default provider';
	301	ok(run(app(['openssl', 'genpkey', '-genparam',
	302	'-algorithm', 'DSA',
	303	'-pkeyopt', 'type:fips186_2',
	304	'-pkeyopt', 'dsa_paramgen_bits:512',
	305	'-out', $nonfips_param])),
	306	$testtext);
	307
	308	$ENV{OPENSSL_CONF} = $fipsconf;
	309
	310	$testtext = $testtext_prefix.': '.
	311	'Generate FIPS params';
	312	ok(run(app(['openssl', 'genpkey', '-genparam',
	313	'-algorithm', 'DSA',
	314	'-pkeyopt', 'dsa_paramgen_bits:2048',
	315	'-out', $fips_param])),
	316	$testtext);
	317
	318	$testtext = $testtext_prefix.': '.
	319	'Generate non-FIPS params'.
	320	' (should fail)';
	321	ok(!run(app(['openssl', 'genpkey', '-genparam',
	322	'-algorithm', 'DSA',
	323	'-pkeyopt', 'dsa_paramgen_bits:512',
	324	'-out', $testtext_prefix.'.fail.param.pem'])),
	325	$testtext);
	326
30b2c359 CL	327	$testtext = $testtext_prefix.': '.
	328	'Generate non-FIPS params using non-FIPS property query'.
	329	' (dsaparam)';
	330	ok(run(app(['openssl', 'dsaparam', '-provider', 'default',
	331	'-propquery', '?fips!=yes',
	332	'-out', $shortnonfips_param, '1024'])),
	333	$testtext);
	334
	335	$testtext = $testtext_prefix.': '.
	336	'Generate non-FIPS params using non-FIPS property query'.
	337	' (genpkey)';
	338	ok(run(app(['openssl', 'genpkey', '-provider', 'default',
	339	'-propquery', '?fips!=yes',
	340	'-genparam', '-algorithm', 'DSA',
	341	'-pkeyopt', 'dsa_paramgen_bits:512'])),
	342	$testtext);
	343
39d9be39 NT	344	$ENV{OPENSSL_CONF} = $defaultconf;
	345
	346	$testtext = $testtext_prefix.': '.
	347	'Generate a key with non-FIPS params with the default provider';
	348	ok(run(app(['openssl', 'genpkey',
	349	'-paramfile', $nonfips_param,
	350	'-pkeyopt', 'type:fips186_2',
	351	'-out', $nonfips_key])),
	352	$testtext);
	353
3a2171f6 MC	354	pubfrompriv($testtext_prefix, $nonfips_key, $nonfips_pub_key, "non-FIPS");
3a2171f6 MC	355
39d9be39 NT	356	$ENV{OPENSSL_CONF} = $fipsconf;
	357
	358	$testtext = $testtext_prefix.': '.
	359	'Generate a key with FIPS parameters';
	360	ok(run(app(['openssl', 'genpkey',
	361	'-paramfile', $fips_param,
	362	'-pkeyopt', 'type:fips186_4',
	363	'-out', $fips_key])),
	364	$testtext);
	365
3a2171f6 MC	366	pubfrompriv($testtext_prefix, $fips_key, $fips_pub_key, "FIPS");
3a2171f6 MC	367
39d9be39 NT	368	$testtext = $testtext_prefix.': '.
	369	'Generate a key with non-FIPS parameters'.
	370	' (should fail)';
	371	ok(!run(app(['openssl', 'genpkey',
	372	'-paramfile', $nonfips_param,
	373	'-pkeyopt', 'type:fips186_2',
	374	'-out', $testtext_prefix.'.fail.priv.pem'])),
	375	$testtext);
	376
30b2c359 CL	377	$testtext = $testtext_prefix.': '.
	378	'Generate a key with non-FIPS parameters using non-FIPS property'.
	379	' query (dsaparam)';
	380	ok(run(app(['openssl', 'dsaparam', '-provider', 'default',
	381	'-propquery', '?fips!=yes',
	382	'-noout', '-genkey', '1024'])),
	383	$testtext);
	384
	385	$testtext = $testtext_prefix.': '.
	386	'Generate a key with non-FIPS parameters using non-FIPS property'.
	387	' query (gendsa)';
	388	ok(run(app(['openssl', 'gendsa', '-provider', 'default',
	389	'-propquery', '?fips!=yes',
	390	$shortnonfips_param])),
	391	$testtext);
	392
	393	$testtext = $testtext_prefix.': '.
	394	'Generate a key with non-FIPS parameters using non-FIPS property'.
	395	' query (genpkey)';
	396	ok(run(app(['openssl', 'genpkey', '-provider', 'default',
	397	'-propquery', '?fips!=yes',
	398	'-paramfile', $nonfips_param,
	399	'-pkeyopt', 'type:fips186_2',
	400	'-out', $testtext_prefix.'.fail.priv.pem'])),
	401	$testtext);
	402
71cf587e	403	tsignverify($testtext_prefix, $fips_key, $fips_pub_key, '', '');
39d9be39 NT	404	};
39d9be39 NT	405	}