From 2d819b42891b48cc45ef923f32c34c375b987b06 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Wed, 23 Jul 2025 14:33:40 -0600 Subject: [PATCH 1/2] adjust tests for disable of DES with FIPS and add FIPS print out with version --- src/tools/clu_funcs.c | 13 +++++++++- tests/pkcs/pkcs12-test.sh | 6 +++++ tests/pkcs/pkcs8-test.sh | 38 +++++++++++++++++++---------- tests/pkey/rsa-test.sh | 45 ++++++++++++++++++++++------------- tests/x509/expect-purpose.txt | 2 +- tests/x509/x509-req-test.sh | 31 +++++++++++++++++------- 6 files changed, 94 insertions(+), 41 deletions(-) diff --git a/src/tools/clu_funcs.c b/src/tools/clu_funcs.c index 75979950..e98bd6ee 100644 --- a/src/tools/clu_funcs.c +++ b/src/tools/clu_funcs.c @@ -1125,7 +1125,18 @@ int wolfCLU_version(void) { WOLFCLU_LOG(WOLFCLU_L0, "You are using version %s of the wolfssl Command Line Utility." , CLUWOLFSSL_VERSION_STRING); - WOLFCLU_LOG(WOLFCLU_L0, "Linked to wolfSSL version %s", LIBWOLFSSL_VERSION_STRING); + WOLFCLU_LOG(WOLFCLU_L0, "Linked to wolfSSL version %s%s", + LIBWOLFSSL_VERSION_STRING, + #ifdef HAVE_FIPS + " FIPS" + #else + "" + #endif + ); +#ifdef HAVE_FIPS + WOLFCLU_LOG(WOLFCLU_L0, "In FIPS builds there are algorithm restrictions " + "such as use of DES"); +#endif return WOLFCLU_SUCCESS; } diff --git a/tests/pkcs/pkcs12-test.sh b/tests/pkcs/pkcs12-test.sh index e2abec65..9736eac3 100755 --- a/tests/pkcs/pkcs12-test.sh +++ b/tests/pkcs/pkcs12-test.sh @@ -12,6 +12,12 @@ then exit 77 fi +# Is this a FIPS build? +if ./wolfssl -v 2>&1 | grep -q FIPS; then + #return 77 to indicate to automake that the test was skipped + exit 77 +fi + RESULT=`./wolfssl pkcs12 -nodes -passin pass:"wolfSSL test" -passout pass: -in ./certs/test-servercert.p12 2>&1` echo "$RESULT" | grep "Recompile wolfSSL with PKCS12 support" if [ $? == 0 ]; then diff --git a/tests/pkcs/pkcs8-test.sh b/tests/pkcs/pkcs8-test.sh index fdebc549..89e32123 100755 --- a/tests/pkcs/pkcs8-test.sh +++ b/tests/pkcs/pkcs8-test.sh 
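Review bot: Exiting 77 as soon as `./wolfssl -v` mentions FIPS skips the entire PKCS12 test in FIPS builds, so the PKCS12 parsing and `-nodes` output paths get no coverage there at all; if, as the commit title says, only the DES-based encryption of test-servercert.p12 is the problem, a second fixture using a FIPS-allowed PBES2 (AES/SHA-2) would keep the path tested — I cannot confirm the fixture's algorithms from the diff. The detection `if ./wolfssl -v 2>&1 | grep -q FIPS; then` also matches the word anywhere in the output, including the new restriction message; anchoring it to the version line, e.g. `grep -q "Linked to wolfSSL version .* FIPS"`, ties it to the one token clu_funcs.c prints. The same detection snippet is repeated in pkcs8-test.sh, rsa-test.sh and x509-req-test.sh; a small shared helper sourced by each script would keep the four copies from drifting.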
@@ -12,6 +12,12 @@ then exit 77 fi +# Is this a FIPS build? +IS_FIPS=0 +if ./wolfssl -v 2>&1 | grep -q FIPS; then + IS_FIPS=1 +fi + RESULT=`./wolfssl pkcs8 -in certs/server-keyEnc.pem -passin pass:yassl123 2>&1` echo "$RESULT" | grep "Recompile wolfSSL with PKCS8 support" if [ $? == 0 ]; then @@ -37,9 +43,13 @@ run_fail() { fi } -run "pkcs8 -in certs/server-keyEnc.pem -passin pass:yassl123 -outform DER -out keyEnc.der" - -run "pkcs8 -in keyEnc.der -inform DER -outform PEM -out key.pem" +if [ ${IS_FIPS} != "1" ]; then + # Can only decrypt server-keyEnc.pem using DES if not a FIPS build + run "pkcs8 -in certs/server-keyEnc.pem -passin pass:yassl123 -outform DER -out keyEnc.der" + run "pkcs8 -in keyEnc.der -inform DER -outform PEM -out key.pem" +else + run "pkcs8 -in certs/server-key.pem -outform PEM -out key.pem" +fi run "pkcs8 -in key.pem -topk8 -nocrypt" @@ -55,19 +65,21 @@ rm -rf pkcs1.pem rm -rf key.pem rm -rf keyEnc.der -#check stdin input -RESULT=`cat certs/server-keyEnc.pem | ./wolfssl pkcs8 -passin pass:yassl123` -echo $RESULT | grep "BEGIN PRIVATE" -if [ $? != 0 ]; then - echo "Couldn't parse PKCS8 from stdin" - exit 99 -fi +if [ ${IS_FIPS} != "1" ]; then + #check stdin input + RESULT=`cat certs/server-keyEnc.pem | ./wolfssl pkcs8 -passin pass:yassl123` + echo $RESULT | grep "BEGIN PRIVATE" + if [ $? != 0 ]; then + echo "Couldn't parse PKCS8 from stdin" + exit 99 + fi -run_fail "pkcs8 -in certs/server-cert.pem -passin pass:yassl123" + run_fail "pkcs8 -in certs/server-cert.pem -passin pass:yassl123" -run_fail "pkcs8 -in certs/server-keyEnc.pem -passin pass:wrongPass" + run_fail "pkcs8 -in certs/server-keyEnc.pem -passin pass:wrongPass" -run_fail "pkcs8 -in certs/server-keyEnc.pem -inform DER -passin pass:yassl123" + run_fail "pkcs8 -in certs/server-keyEnc.pem -inform DER -passin pass:yassl123" +fi echo "Done" exit 0 diff --git a/tests/pkey/rsa-test.sh b/tests/pkey/rsa-test.sh index a583fd48..2bb0e6c9 100755 --- a/tests/pkey/rsa-test.sh 
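Review bot: The negative case `run_fail "pkcs8 -in certs/server-cert.pem -passin pass:yassl123"` in the third hunk does not depend on DES — it feeds a certificate where a key is expected — yet it now sits inside the `if [ ${IS_FIPS} != "1" ]` block, so FIPS builds lose that check; move it out of the guard. The stdin check in the same hunk could likewise stay active in FIPS builds by piping the unencrypted key the second hunk already uses, `RESULT=\`cat certs/server-key.pem | ./wolfssl pkcs8\``, with the encrypted-key variant kept in the non-FIPS branch (assuming pkcs8 accepts an unencrypted key on stdin, which the -in path suggests). The wrong-password and wrong-inform `run_fail` cases would still fail in FIPS builds, only for a different reason, so keeping them guarded is defensible but deserves a comment like the `# Can only decrypt ... using DES if not a FIPS build` one in the second hunk.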
+++ b/tests/pkey/rsa-test.sh @@ -12,6 +12,12 @@ then exit 77 fi +# Is this a FIPS build? +IS_FIPS=0 +if ./wolfssl -v 2>&1 | grep -q FIPS; then + IS_FIPS=1 +fi + run() { if [ -z "$2" ]; then RESULT=`./wolfssl $1` @@ -67,30 +73,35 @@ run_fail "rsa -in ./certs/server-key.pem -pubin" # Test success cases for -RSAPublicKey_in run "rsa -in ./certs/server-keyPub.pem -RSAPublicKey_in" -run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123" -run_fail "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl12" -run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123 -noout -modulus" +if [ ${IS_FIPS} != "1" ]; then + run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123" + run_fail "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl12" + + run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123 -noout -modulus" +fi # Test success cases for -pubin run "rsa -in ./certs/server-keyPub.pem -pubin" -run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123" -run_fail "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl12" +if [ ${IS_FIPS} != "1" ]; then + run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123" + run_fail "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl12" -run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123 -noout -modulus" + run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123 -noout -modulus" -# Check that modulus was printed -echo $RESULT | grep "Modulus" -if [ $? != 0 ]; then - echo "ERROR with -modulus option" - exit 99 -fi + # Check that modulus was printed + echo $RESULT | grep "Modulus" + if [ $? != 0 ]; then + echo "ERROR with -modulus option" + exit 99 + fi -# Check that key was not printed -echo $RESULT | grep "BEGIN" -if [ $? == 0 ]; then - echo "ERROR found a key with -modulus option" - exit 99 + # Check that key was not printed + echo $RESULT | grep "BEGIN" + if [ $? == 0 ]; then + echo "ERROR found a key with -modulus option" + exit 99 + fi fi # Expexted result -RSAPublicKey_in 
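Review bot: In FIPS builds the `-modulus` output checks in the second hunk (Modulus printed, no `BEGIN` line) are skipped together with the DES-encrypted-key cases, although they only need some RSA key; adding `else` / `run "rsa -in ./certs/server-key.pem -noout -modulus"` before the `fi` and moving the two `echo $RESULT | grep` checks after the `fi` keeps that path tested in every build. server-key.pem is already used unencrypted in this script (`run_fail "rsa -in ./certs/server-key.pem -pubin"`) and in the pkcs8 script's FIPS branch, so it should work in both configurations. The commit also wraps the same three encrypted-key commands in an identical guard twice, once under the `-RSAPublicKey_in` section and again under `-pubin`; the first block looks like a pre-existing duplicate, and guarding it rather than dropping it doubles the code to maintain.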
diff --git a/tests/x509/expect-purpose.txt b/tests/x509/expect-purpose.txt index 9029b04b..6d9f0f62 100644 --- a/tests/x509/expect-purpose.txt +++ b/tests/x509/expect-purpose.txt @@ -1,7 +1,7 @@ Certificate Purpose: Any Extended Key Usage : YES TLS Web Server Authentication : YES -TLS Web Client Authentication : NO +TLS Web Client Authentication : YES OCSP Signing : YES Email Protect : YES Time Stamp Signing : YES diff --git a/tests/x509/x509-req-test.sh b/tests/x509/x509-req-test.sh index 03c2f193..b86945f4 100755 --- a/tests/x509/x509-req-test.sh +++ b/tests/x509/x509-req-test.sh @@ -12,6 +12,12 @@ then exit 77 fi +# Is this a FIPS build? +IS_FIPS=0 +if ./wolfssl -v 2>&1 | grep -q FIPS; then + IS_FIPS=1 +fi + run_success() { if [ -z "$2" ]; then RESULT=`./wolfssl $1` @@ -218,13 +224,16 @@ if [ $? != 0 ]; then fi rm -f tmp.cert -run_success "req -new -newkey rsa:2048 -config ./test.conf -x509 -out tmp.cert -passout stdin" "long test password" -echo $RESULT | grep "ENCRYPTED" -if [ $? -ne 0 ]; then - echo "no encrypted key found in result" - exit 99 + +if [ ${IS_FIPS} != "1" ]; then + run_success "req -new -newkey rsa:2048 -config ./test.conf -x509 -out tmp.cert -passout stdin" "long test password" + echo $RESULT | grep "ENCRYPTED" + if [ $? -ne 0 ]; then + echo "no encrypted key found in result" + exit 99 + fi + rm -f tmp.cert fi -rm -f tmp.cert #testing hash and key algos run_success "req -new -days 3650 -rsa -key ./certs/server-key.pem -config ./test.conf -out tmp.cert -x509" 
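Review bot: The flip of `TLS Web Client Authentication : NO` to `YES` is not explained by the commit message, which covers DES in FIPS builds and the version print-out; an expected-purpose change for the test certificate means the certificate, the purpose logic or the linked wolfSSL version changed, and which one it was should be stated in the commit message or in a comment in the x509 test that consumes this file. As written, a reader cannot tell whether this corrects a stale expectation or papers over a regression in the purpose check.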
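Review bot: The new `if [ ${IS_FIPS} != "1" ]` guard around the `-passout stdin` case in the second x509-req hunk has no comment saying why it is FIPS-dependent, unlike the pkcs8 script's `# Can only decrypt ... using DES if not a FIPS build`, and the link between `-passout` and DES is not visible in this file. Add `# -passout encrypts the generated key with a PBE that FIPS builds do not provide` above the guard (confirm which algorithm the encrypted PEM output uses); the same applies to the `-keyout new-key.pem ... -passout` guards in the following two hunks. If the encrypted output really is unavailable in FIPS builds, an `else` branch running `run_fail` on the same command would pin that behaviour instead of leaving `-passout` entirely untested there.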
@@ -242,7 +251,9 @@ rm -f tmp.cert run_success "req -new -days 3650 -sha512 -key ./certs/server-key.pem -config ./test.conf -out tmp.cert -x509" rm -f tmp.cert -run_success "req -new -newkey rsa:2048 -keyout new-key.pem -config ./test.conf -x509 -out tmp.cert -passout stdin" "long test password" +if [ ${IS_FIPS} != "1" ]; then + run_success "req -new -newkey rsa:2048 -keyout new-key.pem -config ./test.conf -x509 -out tmp.cert -passout stdin" "long test password" +fi run_success "req -new -key ./certs/ca-key.pem -config ./test.conf -extensions v3_alt_req_full -out tmp.cert" run_success "req -in ./tmp.cert -noout -text" @@ -252,9 +263,11 @@ if [ $? -ne 0 ]; then exit 99 fi +if [ ${IS_FIPS} != "1" ]; then #test passout -run_success "req -newkey rsa:2048 -keyout new-key.pem -config ./test.conf -out tmp.cert -passout pass:123456789wolfssl -outform pem -sha256" -run_success "rsa -in new-key.pem -passin pass:123456789wolfssl" + run_success "req -newkey rsa:2048 -keyout new-key.pem -config ./test.conf -out tmp.cert -passout pass:123456789wolfssl -outform pem -sha256" + run_success "rsa -in new-key.pem -passin pass:123456789wolfssl" +fi run_success "req -new -x509 -key ./certs/ca-key.pem -config ./test-prompt.conf -out tmp.cert" "AA" run_fail "req -new -x509 -key ./certs/ca-key.pem -config ./test-prompt.conf -out tmp.cert" "LONG" From f7b440de96a40f53f8e945fcb366e82827c94781 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Wed, 23 Jul 2025 14:42:46 -0600 Subject: [PATCH 2/2] account for macro expansion issue on windows build --- src/tools/clu_funcs.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/tools/clu_funcs.c b/src/tools/clu_funcs.c index e98bd6ee..b8df7825 100644 --- a/src/tools/clu_funcs.c +++ b/src/tools/clu_funcs.c 
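Review bot: In the third x509-req hunk the context comment `#test passout` now sits inside the new `if [ ${IS_FIPS} != "1" ]` block but keeps its column-0 indentation while the two `run_success` lines below it were re-indented; indent it with the block (`    #test passout`) so the guarded section reads as one unit. A blank line between the `fi` and the following `run_success` calls would also help, as the other guarded blocks in this commit have one.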
@@ -1123,16 +1123,16 @@ void wolfCLU_stats(double start, int blockSize, int64_t blocks)
 /* returns WOLFCLU_SUCCESS on success */
 int wolfCLU_version(void)
 {
+#ifdef HAVE_FIPS
+ const char *isFIPS = " FIPS";
+#else
+ const char *isFIPS = "";
+#endif
+
 WOLFCLU_LOG(WOLFCLU_L0, "You are using version %s of the wolfssl Command Line Utility."
 , CLUWOLFSSL_VERSION_STRING);
 WOLFCLU_LOG(WOLFCLU_L0, "Linked to wolfSSL version %s%s",
- LIBWOLFSSL_VERSION_STRING,
- #ifdef HAVE_FIPS
- " FIPS"
- #else
- ""
- #endif
- );
+ LIBWOLFSSL_VERSION_STRING, isFIPS);
 #ifdef HAVE_FIPS
 WOLFCLU_LOG(WOLFCLU_L0, "In FIPS builds there are algorithm restrictions "
 "such as use of DES");
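Review bot: The `" FIPS"` literal assigned to `isFIPS` is what tests/pkcs/pkcs12-test.sh, pkcs8-test.sh, rsa-test.sh and x509-req-test.sh grep for in `./wolfssl -v` output to decide whether to skip the DES-dependent cases, but nothing at the definition says so; rewording this output would silently switch those tests into the wrong branch. Add `/* tests/*.sh detect a FIPS build by grepping this output for "FIPS"; keep the token */` above the `#ifdef HAVE_FIPS`. The second message, `"... algorithm restrictions such as use of DES"`, can be read as DES being what is permitted; `"such as DES not being available"` states the intent unambiguously. Since `isFIPS` never changes, `static const char *const isFIPS` would also express that.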