test_pkey_ec.rb: Fix the test in FIPS case, adding the file to CI.

Fix the test_ECPrivateKey_encrypted test in OpenSSL FIPS case. The password based encryption used in the PEM format uses MD5 for deriving the encryption key from the password, and MD5 is not FIPS-approved.
ruby · Sep 9, 2023 · f1bac7d · f1bac7d
1 parent c88d492
commit f1bac7d
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -182,5 +182,5 @@ jobs:
         run:  |
           bundle exec rake debug &&
             ruby -I./lib -ropenssl \
-            -e 'Dir.glob "./test/openssl/{test_fips.rb,test_pkey.rb}", &method(:require)'
+            -e 'Dir.glob "./test/openssl/{test_fips.rb,test_pkey.rb,test_pkey_ec.rb}", &method(:require)'
         if: matrix.fips-enabled
diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb
@@ -241,7 +241,23 @@ def test_ECPrivateKey_encrypted
     0/dGSU5SzFG+iT9iFXCwCvv+bxyegkBOyALFje1NAsM=
     -----END EC PRIVATE KEY-----
     EOF
-    key = OpenSSL::PKey::EC.new(pem, "abcdef")
+    begin
+      key = OpenSSL::PKey::EC.new(pem, "abcdef")
+    rescue OpenSSL::PKey::ECError => e
+      raise e unless OpenSSL.fips_mode
+
+      # The password based encryption used in the PEM format uses MD5 for
+      # deriving the encryption key from the password, and MD5 is not
+      # FIPS-approved.
+      #
+      # See https://github.com/openssl/openssl/discussions/21830#discussioncomment-6865636
+      # for details.
+      #
+      # The error message is not the best. But it is expected.
+      assert_equal "OpenSSL::PKey::ECError", e.class.name
+      assert_equal "invalid curve name", e.message
+      return
+    end
     assert_same_ec p256, key
     key = OpenSSL::PKey::EC.new(pem) { "abcdef" }
     assert_same_ec p256, key