-
Notifications
You must be signed in to change notification settings - Fork 171
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix test_pkey_rsa.rb in FIPS. #790
Conversation
@rhenium I have a question. I am trying to fix the I had to change the RSA bits from 1024 to 2048 to support FIPS. And I need to adjust the value of the
openssl-master case (non-FIPS),https://github.com/ruby/openssl/actions/runs/10422253508/job/28866328411?pr=790#step:10:637
openssl-master with fips providerhttps://github.com/ruby/openssl/actions/runs/10422253508/job/28866333229?pr=790#step:11:218
|
The test case is for the salt length chosen with Please see the |
67180ac
to
20459f7
Compare
Thanks for your info with the reference of the document. I was able to fix the
I still don't understand the calculation for the salt length (sLen) is like that.
According to the reference of the document. https://datatracker.ietf.org/doc/html/rfc8017#section-9.1.1
That means if What I don't understand are below. Could you explain more about these things?
And how about the following error in FIPS cases?
|
I was able to debug this issue by the following minimal script with
At the following part, the
|
No, it comes from the RSA key size.
SHA-256's output is 32 octets long. According to the comment and https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf, the NIST standard introduces additional constraints to RFC 8017. It sounds like that |
All right! So, the calculation of the salt_length is like this.
All right. I couldn't find the written part in the https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf. However, I will skip the assertion in FIPS with adding a comment. |
8aad46c
to
895ef23
Compare
@rhenium I fixed all the tests in |
895ef23
to
d00ce20
Compare
@rhenium I fixed all the items that you mentioned, except for the one thing whether we can drop the |
d00ce20
to
cb85a7e
Compare
I fixed all the items that you mentioned! |
* test_sign_verify I created the signature text (`signature_encoded.txt`), that is used as a text to create the `signature0` in the `test_sign_verify` by the following steps with the `openssl` CLI on FIPS module. ``` $ OPENSSL_DIR="${HOME}/.local/openssl-3.4.0-dev-fips-debug-3c6e114959" $ export OPENSSL_CONF="${OPENSSL_DIR}/ssl/openssl_fips.cnf" $ echo -n "Sign me!" > data.txt $ "${OPENSSL_DIR}/bin/openssl" dgst -sha256 -sign test/openssl/fixtures/pkey/rsa2048.pem data.txt > signature.txt $ cat signature.txt | base64 > signature_encoded.txt ```
cb85a7e
to
091f3eb
Compare
Sorry for the delay - it looks good to me. Thank you! |
Thank you for reviewing my PR! |
This is a
draftPR to fix thetest_pkey_rsa.rb
in FIPS. The 1st commit is a temporary workaround to fix another test failure that is same with the #789 .