Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove test_ed25519_not_approved_on_fips. #789

Merged
merged 1 commit into from
Aug 16, 2024
Merged

Remove test_ed25519_not_approved_on_fips. #789

merged 1 commit into from
Aug 16, 2024

Conversation

junaruga
Copy link
Member

This PR fixes #787.

This commit fixes the following failure on OpenSSL master FIPS case.

1) Failure: test_ed25519_not_approved_on_fips(OpenSSL::TestPKey): OpenSSL::PKey::PKeyError expected but nothing was raised.
/home/runner/work/openssl/openssl/vendor/bundle/ruby/3.0.0/gems/test-unit-ruby-core-1.0.6/lib/core_assertions.rb:462:in `assert_raise'
/home/runner/work/openssl/openssl/test/openssl/test_pkey.rb:174:in `test_ed25519_not_approved_on_fips'
     171:     MC4CAQAwBQYDK2VwBCIEIEzNCJso/5banbbDRuwRTg9bijGfNaumJNqM9u1PuKb7
     172:     -----END PRIVATE KEY-----
     173:     EOF
  => 174:     assert_raise(OpenSSL::PKey::PKeyError) do
     175:       OpenSSL::PKey.read(priv_pem)
     176:     end
     177:   end

Because FIPS compliance is a continually moving target. According to the [1], FIPS 140-3 currently allows ED25519. The ED25519 is allowed again with the latest OpenSSL FIPS by the commit [2], while it is not allowed in OpenSSL stable version 3.x FIPS.

Remove this test because we want to keep our tests stable.

[1] openssl/openssl#22054
[2] openssl/openssl@5f04124

@junaruga
Remove test_ed25519_not_approved_on_fips.
d43904b 
This commit fixes the following failure on OpenSSL master FIPS case.

```
1) Failure: test_ed25519_not_approved_on_fips(OpenSSL::TestPKey): OpenSSL::PKey::PKeyError expected but nothing was raised.
/home/runner/work/openssl/openssl/vendor/bundle/ruby/3.0.0/gems/test-unit-ruby-core-1.0.6/lib/core_assertions.rb:462:in `assert_raise'
/home/runner/work/openssl/openssl/test/openssl/test_pkey.rb:174:in `test_ed25519_not_approved_on_fips'
     171:     MC4CAQAwBQYDK2VwBCIEIEzNCJso/5banbbDRuwRTg9bijGfNaumJNqM9u1PuKb7
     172:     -----END PRIVATE KEY-----
     173:     EOF
  => 174:     assert_raise(OpenSSL::PKey::PKeyError) do
     175:       OpenSSL::PKey.read(priv_pem)
     176:     end
     177:   end
```

Because FIPS compliance is a continually moving target. According to the [1],
FIPS 140-3 *currently* allows ED25519. The ED25519 is allowed again with the
latest OpenSSL FIPS by the commit [2], while it is not allowed in OpenSSL stable
version 3.x FIPS.

Remove this test because we want to keep our tests stable.

[1] openssl/openssl#22054
[2] openssl/openssl@5f04124
This was referenced Aug 16, 2024
Closed
Merged
@rhenium rhenium merged commit 13b03ba into ruby:master Aug 16, 2024
56 checks passed
@rhenium
Copy link
Member

rhenium commented Aug 16, 2024

Looks good to me!

@junaruga junaruga deleted the wip/remove-ed25519-fips-not-approved branch August 19, 2024 10:03
@junaruga
Copy link
Member Author

Thanks for reviewing the PR!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
2 participants
@junaruga @rhenium