diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 2bbfa0552b2f3f..80853547b6e70e 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -3746,6 +3746,29 @@ SignBase::Error Sign::SignFinal(const char* key_pem, if (pkey == nullptr || 0 != ERR_peek_error()) goto exit; +#ifdef NODE_FIPS_MODE + /* Validate DSA2 parameters from FIPS 186-4 */ + if (EVP_PKEY_DSA == pkey->type) { + size_t L = BN_num_bits(pkey->pkey.dsa->p); + size_t N = BN_num_bits(pkey->pkey.dsa->q); + bool result = false; + + if (L == 1024 && N == 160) + result = true; + else if (L == 2048 && N == 224) + result = true; + else if (L == 2048 && N == 256) + result = true; + else if (L == 3072 && N == 256) + result = true; + + if (!result) { + fatal = true; + goto exit; + } + } +#endif // NODE_FIPS_MODE + if (EVP_SignFinal(&mdctx_, *sig, sig_len, pkey)) fatal = false; diff --git a/test/common.js b/test/common.js index eb802cc8856377..a017275a6a627f 100644 --- a/test/common.js +++ b/test/common.js @@ -137,9 +137,17 @@ Object.defineProperty(exports, 'opensslCli', {get: function() { return opensslCli; }, enumerable: true }); -Object.defineProperty(exports, 'hasCrypto', {get: function() { - return process.versions.openssl ? true : false; -}}); +Object.defineProperty(exports, 'hasCrypto', { + get: function() { + return process.versions.openssl ? true : false; + } +}); + +Object.defineProperty(exports, 'hasFipsCrypto', { + get: function() { + return process.config.variables.openssl_fips ? true : false; + } +}); if (exports.isWindows) { exports.PIPE = '\\\\.\\pipe\\libuv-test'; diff --git a/test/fixtures/keys/Makefile b/test/fixtures/keys/Makefile index 5cd3480434425a..143986274a6b93 100644 --- a/test/fixtures/keys/Makefile +++ b/test/fixtures/keys/Makefile @@ -1,4 +1,4 @@ -all: agent1-cert.pem agent2-cert.pem agent3-cert.pem agent4-cert.pem agent5-cert.pem ca2-crl.pem ec-cert.pem dh512.pem dh1024.pem dh2048.pem rsa_private_1024.pem rsa_private_2048.pem rsa_private_4096.pem rsa_public_1024.pem rsa_public_2048.pem rsa_public_4096.pem +all: agent1-cert.pem agent2-cert.pem agent3-cert.pem agent4-cert.pem agent5-cert.pem ca2-crl.pem ec-cert.pem dh512.pem dh1024.pem dh2048.pem dsa1025.pem dsa_private_1025.pem dsa_public_1025.pem rsa_private_1024.pem rsa_private_2048.pem rsa_private_4096.pem rsa_public_1024.pem rsa_public_2048.pem rsa_public_4096.pem # @@ -267,6 +267,15 @@ dh1024.pem: dh2048.pem: openssl dhparam -out dh2048.pem 2048 +dsa1025.pem: + openssl dsaparam -out dsa1025.pem 1025 + +dsa_private_1025.pem: + openssl gendsa -out dsa_private_1025.pem dsa1025.pem + +dsa_public_1025.pem: + openssl dsa -in dsa_private_1025.pem -pubout -out dsa_public_1025.pem + rsa_private_1024.pem: openssl genrsa -out rsa_private_1024.pem 1024 diff --git a/test/fixtures/keys/dsa1025.pem b/test/fixtures/keys/dsa1025.pem new file mode 100644 index 00000000000000..1b59f5e351db15 --- /dev/null +++ b/test/fixtures/keys/dsa1025.pem @@ -0,0 +1,9 @@ +-----BEGIN DSA PARAMETERS----- +MIIBLgKBiQCtjGXOH3Rq+lM09nwe6nbShOduCyfjgZhgMZ2WfY6PYLW3gNnhNYT7 +88rZbECcyKlyzRApFgs9KMfiqWfWIhQn+FmolmeUNdRXpmkGyJAqY63GobI8S1Jn +xYbwdH7PsV1IwM56ylrnpdUDhSH7+Y95rgEIUXX9OHS503gzFFEHCmQl1/RS7Qxp +AhUApmbNUvRisdjnyjhDK6RO3pafN90CgYhQLHJ+qq+nxLX/lqQL/tCFY3P6DlYc +3ezT3Ic+3GhEMMXMBMJ+WRmRkCW5vh1grQyLVa/MLWvYgNkoUAO8eGElcloUero8 +m5Tp3bFArEqb8rJXWYM1sAlnl/Y0uFpw1AyHLuZC26z+SSeDbV9REtz14EknkFXk +su4QN55ZQKoiBv2cFDMsIf9b +-----END DSA PARAMETERS----- diff --git a/test/fixtures/keys/dsa_private_1025.pem b/test/fixtures/keys/dsa_private_1025.pem new file mode 100644 index 00000000000000..11f5e807ca8e17 --- /dev/null +++ b/test/fixtures/keys/dsa_private_1025.pem @@ -0,0 +1,12 @@ +-----BEGIN DSA PRIVATE KEY----- +MIIB0QIBAAKBiQCtjGXOH3Rq+lM09nwe6nbShOduCyfjgZhgMZ2WfY6PYLW3gNnh +NYT788rZbECcyKlyzRApFgs9KMfiqWfWIhQn+FmolmeUNdRXpmkGyJAqY63GobI8 +S1JnxYbwdH7PsV1IwM56ylrnpdUDhSH7+Y95rgEIUXX9OHS503gzFFEHCmQl1/RS +7QxpAhUApmbNUvRisdjnyjhDK6RO3pafN90CgYhQLHJ+qq+nxLX/lqQL/tCFY3P6 +DlYc3ezT3Ic+3GhEMMXMBMJ+WRmRkCW5vh1grQyLVa/MLWvYgNkoUAO8eGElcloU +ero8m5Tp3bFArEqb8rJXWYM1sAlnl/Y0uFpw1AyHLuZC26z+SSeDbV9REtz14Ekn +kFXksu4QN55ZQKoiBv2cFDMsIf9bAoGHFPpl8uRj7sNjsnIPPI9CuqlIoZXFNXeM +X9Yu7T3s5mn5Q2ATcgnryDXwqpqle630wy1LZjjmtyE84oVJd4W6YTlzHNwIv2ql +ymMzWBE5+BrRXtqIndvkaWJRSUwtZ7XPPeeCzqR5uXRAsy54azoFDoisuOO5dVOm +VZERfp4Up+Duvws5+Gq2AhQlmsEI+CInYqsDR2ha+UcwXmGJSg== +-----END DSA PRIVATE KEY----- diff --git a/test/fixtures/keys/dsa_public_1025.pem b/test/fixtures/keys/dsa_public_1025.pem new file mode 100644 index 00000000000000..e55e3d8871b211 --- /dev/null +++ b/test/fixtures/keys/dsa_public_1025.pem @@ -0,0 +1,12 @@ +-----BEGIN PUBLIC KEY----- +MIIBzTCCATsGByqGSM44BAEwggEuAoGJAK2MZc4fdGr6UzT2fB7qdtKE524LJ+OB +mGAxnZZ9jo9gtbeA2eE1hPvzytlsQJzIqXLNECkWCz0ox+KpZ9YiFCf4WaiWZ5Q1 +1FemaQbIkCpjrcahsjxLUmfFhvB0fs+xXUjAznrKWuel1QOFIfv5j3muAQhRdf04 +dLnTeDMUUQcKZCXX9FLtDGkCFQCmZs1S9GKx2OfKOEMrpE7elp833QKBiFAscn6q +r6fEtf+WpAv+0IVjc/oOVhzd7NPchz7caEQwxcwEwn5ZGZGQJbm+HWCtDItVr8wt +a9iA2ShQA7x4YSVyWhR6ujyblOndsUCsSpvysldZgzWwCWeX9jS4WnDUDIcu5kLb +rP5JJ4NtX1ES3PXgSSeQVeSy7hA3nllAqiIG/ZwUMywh/1sDgYsAAoGHFPpl8uRj +7sNjsnIPPI9CuqlIoZXFNXeMX9Yu7T3s5mn5Q2ATcgnryDXwqpqle630wy1LZjjm +tyE84oVJd4W6YTlzHNwIv2qlymMzWBE5+BrRXtqIndvkaWJRSUwtZ7XPPeeCzqR5 +uXRAsy54azoFDoisuOO5dVOmVZERfp4Up+Duvws5+Gq2 +-----END PUBLIC KEY----- diff --git a/test/parallel/test-dsa-fips-invalid-key.js b/test/parallel/test-dsa-fips-invalid-key.js new file mode 100644 index 00000000000000..0b5773411ee592 --- /dev/null +++ b/test/parallel/test-dsa-fips-invalid-key.js @@ -0,0 +1,24 @@ +'use strict'; +var common = require('../common'); +var assert = require('assert'); + +if (!common.hasFipsCrypto) { + console.log('1..0 # Skipped: node compiled without FIPS OpenSSL.'); + return; +} + +var crypto = require('crypto'); +var fs = require('fs'); + +var input = 'hello'; + +var dsapub = fs.readFileSync(common.fixturesDir + + '/keys/dsa_public_1025.pem'); +var dsapri = fs.readFileSync(common.fixturesDir + + '/keys/dsa_private_1025.pem'); +var sign = crypto.createSign('DSS1'); +sign.update(input); + +assert.throws(function() { + sign.sign(dsapri); +}, /PEM_read_bio_PrivateKey failed/);