crypto/internal/fips140test: add a test for a non-approved function

Change-Id: I6a6a46560bfca588e5874f3769f33b561c33096a Reviewed-on: https://go-review.googlesource.com/c/go/+/652415 Reviewed-by: Robert Griesemer <gri@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com>
2025-02-25 18:13:29 +01:00 · 2025-02-25 18:13:29 +01:00 · c441eecbe9
parent 973a9eb8bf
commit c441eecbe9
1 changed files with 18 additions and 0 deletions
--- a/src/crypto/internal/fips140test/fips_test.go
+++ b/src/crypto/internal/fips140test/fips_test.go
@ -240,6 +240,13 @@ func TestFIPS140(t *testing.T) {
 		fatalIfErr(t, err)
 	})

+	t.Run("RSA KeyGen w/ small key [NOT APPROVED]", func(t *testing.T) {
+		ensureServiceIndicatorFalse(t)
+		_, err := rsa.GenerateKey(rand.Reader, 512)
+		fatalIfErr(t, err)
+		t.Log("RSA key generated")
+	})
+
 	t.Run("KTS IFC OAEP", func(t *testing.T) {
 		ensureServiceIndicator(t)
 		c, err := rsa.EncryptOAEP(sha256.New(), sha256.New(), rand.Reader, rsaKey.PublicKey(), plaintextSHA256, nil)
@ -423,6 +430,17 @@ func ensureServiceIndicator(t *testing.T) {
 	})
 }

+func ensureServiceIndicatorFalse(t *testing.T) {
+	fips140.ResetServiceIndicator()
+	t.Cleanup(func() {
+		if !fips140.ServiceIndicator() {
+			t.Logf("Service indicator is not set")
+		} else {
+			t.Errorf("Service indicator is set")
+		}
+	})
+}
+
 func fatalIfErr(t *testing.T, err error) {
 	t.Helper()
 	if err != nil {