From f1bac7da62ada0ff17363958487dc7eee466dd51 Mon Sep 17 00:00:00 2001 From: Jun Aruga Date: Sat, 9 Sep 2023 14:29:38 +0200 Subject: [PATCH] test_pkey_ec.rb: Fix the test in FIPS case, adding the file to CI. Fix the test_ECPrivateKey_encrypted test in OpenSSL FIPS case. The password based encryption used in the PEM format uses MD5 for deriving the encryption key from the password, and MD5 is not FIPS-approved. --- .github/workflows/test.yml | 2 +- test/openssl/test_pkey_ec.rb | 18 +++++++++++++++++- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 94be99269..d65f33ace 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -182,5 +182,5 @@ jobs: run: | bundle exec rake debug && ruby -I./lib -ropenssl \ - -e 'Dir.glob "./test/openssl/{test_fips.rb,test_pkey.rb}", &method(:require)' + -e 'Dir.glob "./test/openssl/{test_fips.rb,test_pkey.rb,test_pkey_ec.rb}", &method(:require)' if: matrix.fips-enabled diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb index 126c1347c..5c35c50ee 100644 --- a/test/openssl/test_pkey_ec.rb +++ b/test/openssl/test_pkey_ec.rb @@ -241,7 +241,23 @@ def test_ECPrivateKey_encrypted 0/dGSU5SzFG+iT9iFXCwCvv+bxyegkBOyALFje1NAsM= -----END EC PRIVATE KEY----- EOF - key = OpenSSL::PKey::EC.new(pem, "abcdef") + begin + key = OpenSSL::PKey::EC.new(pem, "abcdef") + rescue OpenSSL::PKey::ECError => e + raise e unless OpenSSL.fips_mode + + # The password based encryption used in the PEM format uses MD5 for + # deriving the encryption key from the password, and MD5 is not + # FIPS-approved. + # + # See https://github.com/openssl/openssl/discussions/21830#discussioncomment-6865636 + # for details. + # + # The error message is not the best. But it is expected. + assert_equal "OpenSSL::PKey::ECError", e.class.name + assert_equal "invalid curve name", e.message + return + end assert_same_ec p256, key key = OpenSSL::PKey::EC.new(pem) { "abcdef" } assert_same_ec p256, key