Add FIPS-compliant key generation that calls check_fips for RSA and EC.
Change-Id: Ie466b7b55bdd679c5baf2127bd8de4a5058fc3b7
Reviewed-on: https://boringssl-review.googlesource.com/16346
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/fipsoracle/cavp_ecdsa2_keypair_test.cc b/fipsoracle/cavp_ecdsa2_keypair_test.cc
index bc8b6c1..5cb0f5b 100644
--- a/fipsoracle/cavp_ecdsa2_keypair_test.cc
+++ b/fipsoracle/cavp_ecdsa2_keypair_test.cc
@@ -48,7 +48,7 @@
bssl::UniquePtr<BIGNUM> qx(BN_new()), qy(BN_new());
bssl::UniquePtr<EC_KEY> key(EC_KEY_new_by_curve_name(nid));
if (!key ||
- !EC_KEY_generate_key(key.get()) ||
+ !EC_KEY_generate_key_fips(key.get()) ||
!EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(key.get()),
EC_KEY_get0_public_key(key.get()),
qx.get(), qy.get(), nullptr)) {
diff --git a/fipsoracle/cavp_ecdsa2_siggen_test.cc b/fipsoracle/cavp_ecdsa2_siggen_test.cc
index e97d161..2d6c79e 100644
--- a/fipsoracle/cavp_ecdsa2_siggen_test.cc
+++ b/fipsoracle/cavp_ecdsa2_siggen_test.cc
@@ -41,7 +41,7 @@
bssl::UniquePtr<EC_KEY> key(EC_KEY_new_by_curve_name(nid));
std::vector<uint8_t> msg;
if (!qx || !qy || !key ||
- !EC_KEY_generate_key(key.get()) ||
+ !EC_KEY_generate_key_fips(key.get()) ||
!EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(key.get()),
EC_KEY_get0_public_key(key.get()),
qx.get(), qy.get(), nullptr) ||
diff --git a/fipsoracle/cavp_rsa2_keygen_test.cc b/fipsoracle/cavp_rsa2_keygen_test.cc
index d831cfb..a96404d 100644
--- a/fipsoracle/cavp_rsa2_keygen_test.cc
+++ b/fipsoracle/cavp_rsa2_keygen_test.cc
@@ -41,12 +41,10 @@
size_t bits = strtoul(mod_str.c_str(), nullptr, 0);
size_t count = strtoul(count_str.c_str(), nullptr, 0);
for (size_t i = 0; i < count; i++) {
- bssl::UniquePtr<BIGNUM> gen_e(BN_new());
bssl::UniquePtr<RSA> key(RSA_new());
if (key == nullptr ||
bits == 0 ||
- !BN_set_word(gen_e.get(), RSA_F4) ||
- !RSA_generate_key_ex(key.get(), bits, gen_e.get(), nullptr)) {
+ !RSA_generate_key_fips(key.get(), bits, nullptr)) {
return 0;
}
diff --git a/fipsoracle/cavp_rsa2_siggen_test.cc b/fipsoracle/cavp_rsa2_siggen_test.cc
index 069adad..ad32c68 100644
--- a/fipsoracle/cavp_rsa2_siggen_test.cc
+++ b/fipsoracle/cavp_rsa2_siggen_test.cc
@@ -50,21 +50,19 @@
if (t->IsAtNewInstructionBlock()) {
int mod_bits = strtoul(mod_str.c_str(), nullptr, 0);
ctx->key = bssl::UniquePtr<RSA>(RSA_new());
- bssl::UniquePtr<BIGNUM> e(BN_new());
if (ctx->key == nullptr ||
mod_bits == 0 ||
- !BN_set_word(e.get(), RSA_F4) ||
- !RSA_generate_key_ex(ctx->key.get(), mod_bits, e.get(), nullptr)) {
+ !RSA_generate_key_fips(ctx->key.get(), mod_bits, nullptr)) {
return false;
}
- const BIGNUM *n;
- RSA_get0_key(ctx->key.get(), &n, nullptr, nullptr);
+ const BIGNUM *n, *e;
+ RSA_get0_key(ctx->key.get(), &n, &e, nullptr);
std::vector<uint8_t> n_bytes(BN_num_bytes(n));
- std::vector<uint8_t> e_bytes(BN_num_bytes(e.get()));
+ std::vector<uint8_t> e_bytes(BN_num_bytes(e));
if (!BN_bn2bin_padded(n_bytes.data(), n_bytes.size(), n) ||
- !BN_bn2bin_padded(e_bytes.data(), e_bytes.size(), e.get())) {
+ !BN_bn2bin_padded(e_bytes.data(), e_bytes.size(), e)) {
return false;
}
