diff --git a/src/crypto/rsa/pkcs1v15_test.go b/src/crypto/rsa/pkcs1v15_test.go index 60c769c..b8aae23 100644 --- a/src/crypto/rsa/pkcs1v15_test.go +++ b/src/crypto/rsa/pkcs1v15_test.go @@ -52,6 +52,7 @@ var decryptPKCS1v15Tests = []DecryptPKCS1v15Test{ } func TestDecryptPKCS1v15(t *testing.T) { + t.Skip("not supported in FIPS mode") decryptionFuncs := []func([]byte) ([]byte, error){ func(ciphertext []byte) (plaintext []byte, err error) { return DecryptPKCS1v15(nil, testRSA2048PrivateKey, ciphertext) @@ -76,6 +77,7 @@ func TestDecryptPKCS1v15(t *testing.T) { } func TestEncryptPKCS1v15(t *testing.T) { + t.Skip("not supported in FIPS mode") random := rand.Reader k := (testRSA2048PrivateKey.N.BitLen() + 7) / 8 @@ -137,6 +139,7 @@ var decryptPKCS1v15SessionKeyTests = []DecryptPKCS1v15Test{ } func TestEncryptPKCS1v15SessionKey(t *testing.T) { + t.Skip("not supported in FIPS mode") for i, test := range decryptPKCS1v15SessionKeyTests { key := []byte("FAIL") err := DecryptPKCS1v15SessionKey(nil, testRSA2048PrivateKey, decodeBase64(test.in), key) @@ -151,6 +154,7 @@ func TestEncryptPKCS1v15SessionKey(t *testing.T) { } func TestEncryptPKCS1v15DecrypterSessionKey(t *testing.T) { + t.Skip("not supported in FIPS mode") for i, test := range decryptPKCS1v15SessionKeyTests { plaintext, err := testRSA2048PrivateKey.Decrypt(rand.Reader, decodeBase64(test.in), &PKCS1v15DecryptOptions{SessionKeyLen: 4}) if err != nil { @@ -270,6 +274,7 @@ func TestUnpaddedSignature(t *testing.T) { } func TestShortSessionKey(t *testing.T) { + t.Skip("not supported in FIPS mode") // This tests that attempting to decrypt a session key where the // ciphertext is too small doesn't run outside the array bounds. var keys []*PrivateKey diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go index 2032b4b..fdddfab 100644 --- a/src/crypto/rsa/pss_test.go +++ b/src/crypto/rsa/pss_test.go @@ -77,6 +77,7 @@ func TestEMSAPSS(t *testing.T) { // TestPSSGolden tests all the test vectors in pss-vect.txt from // ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip func TestPSSGolden(t *testing.T) { + t.Skip("SHA1 not supported in boring mode") inFile, err := os.Open("testdata/pss-vect.txt.bz2") if err != nil { t.Fatalf("Failed to open input file: %s", err) diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go index cfe020e..d918841 100644 --- a/src/crypto/rsa/rsa_test.go +++ b/src/crypto/rsa/rsa_test.go @@ -123,38 +123,29 @@ func testKeyBasics(t *testing.T, priv *PrivateKey) { t.Errorf("private exponent too large") } - if boring.Enabled() { - // Cannot call encrypt/decrypt directly. Test via PKCS1v15. - msg := []byte("hi!") - // Should not accept keys smaller than 2048 bits (256 bytes) - if priv.Size() >= 256 { - enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg) - if err != nil { - t.Errorf("EncryptPKCS1v15: %v", err) - return - } - dec, err := DecryptPKCS1v15(rand.Reader, priv, enc) - if err != nil { - t.Errorf("DecryptPKCS1v15: %v", err) - return - } - if !bytes.Equal(dec, msg) { - t.Errorf("got:%x want:%x (%+v)", dec, msg, priv) - } - } else { - enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg) - if err == nil { - t.Errorf("EncryptPKCS1v15: Should not accept key of size %v", priv.Size() * 8) - return - } - _ , err = DecryptPKCS1v15(rand.Reader, priv, enc) - if err == nil { - t.Errorf("DecryptPKCS1v15: Should not accept key of size %v", priv.Size() * 8) - return - } - } - return - } + if boring.Enabled() { + // Cannot call encrypt/decrypt directly. Test via EncryptOAEP. + sha256 := sha256.New() + msg := []byte("hi!") + if priv.Size() >= 256 { + enc, err := EncryptOAEP(sha256, rand.Reader, &priv.PublicKey, msg, nil) + if err != nil { + t.Errorf("EncryptOAEP: %v", err) + return + } + dec, err := DecryptOAEP(sha256, rand.Reader, priv, enc, nil) + if err != nil { + t.Errorf("DecryptOAEP: %v", err) + return + } + if !bytes.Equal(dec, msg) { + t.Errorf("got:%x want:%x (%+v)", dec, msg, priv) + } + } else { + t.Logf("skipping check for unsupported key less than 2048 bits") + } + return + } pub := &priv.PublicKey m := big.NewInt(42) @@ -323,6 +314,11 @@ func TestDecryptOAEP(t *testing.T) { private.PublicKey = PublicKey{N: n, E: test.e} private.D = d + if boring.Enabled() && private.PublicKey.Size() < 256 { + t.Logf("skipping check for unsupported key less than 2048 bits") + continue; + } + t.Logf("running check for supported key size") for j, message := range test.msgs { out, err := DecryptOAEP(sha1, nil, private, message.out, nil) if err != nil {