author | Pauli <pauli@openssl.org> | 2021-06-01 10:35:15 +0200 |
---|---|---|
committer | Pauli <pauli@openssl.org> | 2021-06-03 07:32:38 +0200 |
commit | 64360304863b3ac93a03dfadf36f9aeffd6a29ce (patch) | |
tree | ef79a133f9a507e404b236ee923ae2838587de14 /test | |
parent | Add an EVP demo for signatures using EC (diff) | |
rsa: make the maximum key strength check FIPS only.
To be reverted once key generation checks are added everywhere and a way to
disable them implemented.
Fixes #15502
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15560)
Diffstat (limited to 'test')
-rw-r--r-- | test/recipes/15-test_genrsa.t | 30 |
1 files changed, 16 insertions, 14 deletions
diff --git a/test/recipes/15-test_genrsa.t b/test/recipes/15-test_genrsa.t
index 6c67f04af9..e11ce8947a 100644
--- a/test/recipes/15-test_genrsa.t
+++ b/test/recipes/15-test_genrsa.t
@@ -24,8 +24,8 @@ use lib bldtop_dir('.');
 my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
 plan tests =>
- ($no_fips ? 0 : 2) # Extra FIPS related test
- + 14;
+ ($no_fips ? 0 : 3) # Extra FIPS related tests
+ + 13;
 # We want to know that an absurdly small number of bits isn't support
 is(run(app([ 'openssl', 'genpkey', '-out', 'genrsatest.pem',
@@ -35,12 +35,6 @@ is(run(app([ 'openssl', 'genpkey', '-out', 'genrsatest.pem',
 is(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '8'])),
 0, "genrsa -3 8");
-# We want to know that an absurdly large number of bits fails the RNG check
-is(run(app([ 'openssl', 'genpkey', '-out', 'genrsatest.pem',
- '-algorithm', 'RSA', '-pkeyopt', 'rsa_keygen_bits:1000000000',
- '-pkeyopt', 'rsa_keygen_pubexp:3'])),
- 0, "genpkey 1000000000");
-
 # Depending on the shared library, we might have different lower limits.
 # Let's find it! This is a simple binary search
 # ------------------------------------------------------------
@@ -119,14 +113,22 @@ unless ($no_fips) {
 $ENV{OPENSSL_TEST_LIBCTX} = "1";
 ok(run(app(['openssl', 'genpkey',
 @prov,
- '-algorithm', 'RSA',
- '-pkeyopt', 'bits:2080',
- '-out', 'genrsatest2080.pem'])),
+ '-algorithm', 'RSA',
+ '-pkeyopt', 'bits:2080',
+ '-out', 'genrsatest2080.pem'])),
 "Generating RSA key with > 2048 bits and < 3072 bits");
 ok(run(app(['openssl', 'genpkey',
 @prov,
- '-algorithm', 'RSA',
- '-pkeyopt', 'bits:3072',
- '-out', 'genrsatest3072.pem'])),
+ '-algorithm', 'RSA',
+ '-pkeyopt', 'bits:3072',
+ '-out', 'genrsatest3072.pem'])),
 "Generating RSA key with 3072 bits");
+
+ # We want to know that an absurdly large number of bits fails the RNG check
+ is(run(app([ 'openssl', 'genpkey',
+ @prov,
+ '-algorithm', 'RSA',
+ '-pkeyopt', 'bits:1000000000',
+ '-out', 'genrsatest.pem'])),
+ 0, "genpkey 1000000000");
 } |
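Review bot: The relocated `genpkey 1000000000` test at the end of the FIPS block asserts only that `run(...)` returns 0, so any failure passes it. A provider that fails to load through `@prov` or a mistyped `-pkeyopt` would satisfy it as readily as the strength check named in its comment. After this commit it appears to be the only remaining coverage of the maximum key strength check, so it would be worth capturing the command's stderr and matching the expected error. At minimum the comment should state the limit, e.g. `# NOTE: passes on any genpkey failure, not only the RNG strength check`. The enclosing `unless ($no_fips) {` block, including the definition of `@prov`, starts outside the hunk.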