Google Git
Sign in
boringssl/boringssl.git/109650a4fef9eac2ba10468f509e7246d457c7ce^!/.
commit
109650a4fef9eac2ba10468f509e7246d457c7ce
[log]
author
Adam Langley <agl@imperialviolet.org>
Fri Nov 07 15:27:29 2025 +0000
committer
Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>
Tue Nov 11 08:25:19 2025 -0800
tree
bd5b2abd4ad61f93b24a26b4a8834716f4f9dd40
parent
ab6994097a157944e406d83c253b756080eaf6a2 [diff]
Add some documentation for updating ACVP tests.

Change-Id: I8d4ef555cb25558474d27d4f621a3047fb95166c
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/83787
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Auto-Submit: Adam Langley <agl@google.com>

diff --git a/util/fipstools/acvp/acvptool/test/README.md b/util/fipstools/acvp/acvptool/test/README.md
new file mode 100644
index 0000000..fbf24a8
--- /dev/null
+++ b/util/fipstools/acvp/acvptool/test/README.md

@@ -0,0 +1,19 @@
+# ACVP unit tests
+
+This directory contains tests for the ACVP infrastructure itself. These tests consist of test vector files and their expected outputs. The test vectors are stored as bzip2 compressed JSON in the `vector/` directory, and the corresponding expected output is the file with the same name in the `expected/` directory.
+
+`tests.json` contains a list of all the tests: their input and output files, and the module wrapper to use with them. Some tests use the standard BoringSSL module wrapper, which we use for ACVP validations, called `modulewrapper`. But some tests use algorithms that we don't support in BoringSSL and, for those, there's a special test-only module wrapper written in Go called `testmodulewrapper`.
+
+## Adding tests
+
+When adding support for a new algorithm, the process for adding tests is:
+
+1. Go to the parent directory of this file. (I.e. `acvptool/`.)
+1. Get the implementation working such that NIST's server accepts the results.
+2. Generally fetch a set of test vectors from the NIST demo server. Access to the demo server requires permission from NIST, although you can also ask an NVLAP lab to fetch a demo set of vectors for you. The vectors are generally huge—larger than we would want to check in, even compressed—so `test/trim_vectors.go` can be used to keep only a (hopefully valid) subset of them.
+3. Copy the trimmed vectors into `test/vectors/`, named after the algorithm and without any `json` suffix.
+4. Run `bzip2 -9 test/vectors/ALGO`. This will produce the `.bz2` file. Delete the original.
+5. Run `./acvptool -json /tmp/trimmed_vectors.json > test/expected/ALGO` in the parent directory to generate the expected results. (If you need to use the test-only module wrapper then use the `-wrapper` argument.)
+6. Run `bzip2 -9 test/expected/ALGO` and delete the original.
+7. Update `test/tests.json` to include the new test.
+8. Run `ninja -C build run_tests` in the top-level directory to ensure that everything is working.