JNI/JCE: skip testing disallowed RSA/ECC key lengths with FIPS 140-3 …

…pilot
wolfSSL · Apr 12, 2024 · 77ce476 · 77ce476
1 parent 5c8597e
commit 77ce476
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 10 deletions.
diff --git a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptKeyPairGeneratorTest.java b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptKeyPairGeneratorTest.java
@@ -55,6 +55,7 @@
 
 import com.wolfssl.wolfcrypt.Rsa;
 import com.wolfssl.wolfcrypt.Ecc;
+import com.wolfssl.wolfcrypt.Fips;
 import com.wolfssl.wolfcrypt.test.Util;
 import com.wolfssl.wolfcrypt.WolfCryptException;
 import com.wolfssl.provider.jce.WolfCryptProvider;
@@ -93,16 +94,24 @@ public class WolfCryptKeyPairGeneratorTest {
         "brainpoolp512r1"
     };
 
+    private static String supportedCurvesFIPS1403[] = {
+        "secp224r1",
+        "secp256r1",
+        "secp384r1",
+        "secp521r1",
+
+        "secp224k1",
+        "secp256k1",
+    };
+
     private static ArrayList<String> enabledCurves =
         new ArrayList<String>();
 
     private static ArrayList<Integer> enabledEccKeySizes =
         new ArrayList<Integer>();
 
     /* Test generation of these RSA key sizes */
-    private static int testedRSAKeySizes[] = {
-        1024, 2048, 3072, 4096
-    };
+    private static int testedRSAKeySizes[] = null;
 
     /* DH test params */
     private static byte[] prime = Util.h2b(
@@ -127,16 +136,35 @@ public static void testProviderInstallationAtRuntime() {
         Provider p = Security.getProvider("wolfJCE");
         assertNotNull(p);
 
+        if (Fips.enabled && Fips.fipsVersion >= 7) {
+            /* FIPS 140-3 doesn't allow generation of 1024 bit RSA keys */
+            testedRSAKeySizes = new int[] {
+                2048, 3072, 4096
+            };
+        }
+        else {
+            testedRSAKeySizes = new int[] {
+                1024, 2048, 3072, 4096
+            };
+        }
+
         /* build list of enabled curves and key sizes,
          * getCurveSizeFromName() will return 0 if curve not found */
         Ecc tmp = new Ecc();
-        for (int i = 0; i < supportedCurves.length; i++) {
+        String[] curves = null;
+
+        if (Fips.enabled && Fips.fipsVersion >= 7) {
+            curves = supportedCurvesFIPS1403;
+        } else {
+            curves = supportedCurves;
+        }
+
+        for (int i = 0; i < curves.length; i++) {
 
-            int size = tmp.getCurveSizeFromName(
-                        supportedCurves[i].toUpperCase());
+            int size = tmp.getCurveSizeFromName(curves[i].toUpperCase());
 
             if (size > 0) {
-                enabledCurves.add(supportedCurves[i]);
+                enabledCurves.add(curves[i]);
 
                 if (!enabledEccKeySizes.contains(Integer.valueOf(size))) {
                     enabledEccKeySizes.add(Integer.valueOf(size));

diff --git a/src/test/java/com/wolfssl/wolfcrypt/test/RsaTest.java b/src/test/java/com/wolfssl/wolfcrypt/test/RsaTest.java
@@ -71,9 +71,14 @@ public void constructorShouldInitializeNativeStruct() {
     @Test
     public void testMakeKey() {
 
-        Rsa key = new Rsa();
-        key.makeKey(1024, 65537, rng);
-        key.releaseNativeStruct();
+        Rsa key = null;
+
+        /* FIPS 140-3 doesn't allow 1024-bit RSA key gen */
+        if (Fips.enabled && Fips.fipsVersion < 7) {
+            key = new Rsa();
+            key.makeKey(1024, 65537, rng);
+            key.releaseNativeStruct();
+        }
 
         key = new Rsa();
         key.makeKey(2048, 65537, rng);
@@ -219,6 +224,12 @@ public void rsaPrivateToPkcs8() {
               + "4e8c3a458fe69640eb63f919863a51dd894bb0f3f99f5d289538"
               + "be35abca5ce7935334a1455d1339654246a19fcdf5bf");
 
+        /* FIPS 140-3 doesn't allow 1024-bit RSA key gen */
+        if (Fips.enabled && Fips.fipsVersion >= 7) {
+            /* skip */
+            return;
+        }
+
         /* Test that exception is thrown without private key available */
         try {
             pkcs8 = key.privateKeyEncodePKCS8();