1 // Copyright 2023 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ////////////////////////////////////////////////////////////////////////////////
16
17 #include "tink/config/key_gen_fips_140_2.h"
18
19 #include "gmock/gmock.h"
20 #include "gtest/gtest.h"
21 #include "tink/aead/aead_key_templates.h"
22 #include "tink/aead/aes_ctr_hmac_aead_key_manager.h"
23 #include "tink/aead/aes_gcm_key_manager.h"
24 #include "tink/internal/fips_utils.h"
25 #include "tink/internal/key_gen_configuration_impl.h"
26 #include "tink/keyset_handle.h"
27 #include "tink/mac/aes_cmac_key_manager.h"
28 #include "tink/mac/hmac_key_manager.h"
29 #include "tink/prf/hmac_prf_key_manager.h"
30 #include "tink/signature/ecdsa_verify_key_manager.h"
31 #include "tink/signature/rsa_ssa_pkcs1_verify_key_manager.h"
32 #include "tink/signature/rsa_ssa_pss_verify_key_manager.h"
33 #include "tink/util/test_matchers.h"
34
35 namespace crypto {
36 namespace tink {
37 namespace {
38
39 using ::crypto::tink::test::IsOk;
40 using ::crypto::tink::test::StatusIs;
41
42 class KeyGenFips1402Test : public testing::Test {
43 protected:
TearDown()44 void TearDown() override { internal::UnSetFipsRestricted(); }
45 };
46
TEST_F(KeyGenFips1402Test,KeyManagers)47 TEST_F(KeyGenFips1402Test, KeyManagers) {
48 if (!internal::IsFipsEnabledInSsl()) {
49 GTEST_SKIP() << "Only test in FIPS mode";
50 }
51
52 util::StatusOr<const internal::KeyTypeInfoStore*> store =
53 internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
54 KeyGenConfigFips140_2());
55 ASSERT_THAT(store, IsOk());
56
57 EXPECT_THAT((*store)->Get(HmacKeyManager().get_key_type()), IsOk());
58 EXPECT_THAT((*store)->Get(AesCtrHmacAeadKeyManager().get_key_type()), IsOk());
59 EXPECT_THAT((*store)->Get(AesGcmKeyManager().get_key_type()), IsOk());
60 EXPECT_THAT((*store)->Get(HmacPrfKeyManager().get_key_type()), IsOk());
61 EXPECT_THAT((*store)->Get(EcdsaVerifyKeyManager().get_key_type()), IsOk());
62 EXPECT_THAT((*store)->Get(RsaSsaPssVerifyKeyManager().get_key_type()),
63 IsOk());
64 EXPECT_THAT((*store)->Get(RsaSsaPkcs1VerifyKeyManager().get_key_type()),
65 IsOk());
66 }
67
TEST_F(KeyGenFips1402Test,FailsInNonFipsMode)68 TEST_F(KeyGenFips1402Test, FailsInNonFipsMode) {
69 if (internal::IsFipsEnabledInSsl()) {
70 GTEST_SKIP() << "Only test in non-FIPS mode";
71 }
72
73 EXPECT_DEATH_IF_SUPPORTED(
74 KeyGenConfigFips140_2(),
75 "BoringSSL not built with the BoringCrypto module.");
76 }
77
TEST_F(KeyGenFips1402Test,NonFipsTypeNotPresent)78 TEST_F(KeyGenFips1402Test, NonFipsTypeNotPresent) {
79 if (!internal::IsFipsEnabledInSsl()) {
80 GTEST_SKIP() << "Only test in FIPS mode";
81 }
82
83 util::StatusOr<const internal::KeyTypeInfoStore*> store =
84 internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
85 KeyGenConfigFips140_2());
86 ASSERT_THAT(store, IsOk());
87 EXPECT_THAT((*store)->Get(AesCmacKeyManager().get_key_type()).status(),
88 StatusIs(absl::StatusCode::kNotFound));
89 }
90
TEST_F(KeyGenFips1402Test,GenerateNewKeysetHandle)91 TEST_F(KeyGenFips1402Test, GenerateNewKeysetHandle) {
92 if (!internal::IsFipsEnabledInSsl()) {
93 GTEST_SKIP() << "Only test in FIPS mode";
94 }
95
96 EXPECT_THAT(KeysetHandle::GenerateNew(AeadKeyTemplates::Aes128Gcm(),
97 KeyGenConfigFips140_2()),
98 IsOk());
99 }
100
101 } // namespace
102 } // namespace tink
103 } // namespace crypto
104