Merged
30 commits
7726b46
Adding test for unsupported TLS versions sent by client
ycombinator Apr 16, 2025
fa3147b
Add TODO for second test
ycombinator Apr 16, 2025
e2da75d
Add test case for multiple versions
ycombinator Apr 16, 2025
227e4f3
Removing unused code
ycombinator Apr 16, 2025
6b9d535
Add test for config hosts validation
ycombinator Apr 16, 2025
5d0fe59
Remove hosts validation
ycombinator Apr 17, 2025
c783b06
Refactoring test cases to take in any TLS configuration, not just ver…
ycombinator Apr 17, 2025
f88560f
Add test for RSA keypair with < 2048 key length
ycombinator Apr 17, 2025
f39382e
Updating comment
ycombinator Apr 18, 2025
2d21b3c
Add test case for using certificate with RSA keypair < 2048 bits
ycombinator Apr 18, 2025
c715f30
Adding test data files
ycombinator Apr 18, 2025
93d2c73
Revert test scope
ycombinator Apr 22, 2025
fcde083
Update test to fail on handshake
ycombinator Apr 22, 2025
609acc2
Rename agent key and cert for clarity
ycombinator Apr 22, 2025
ce55f5e
Adding test case with secure Agent certificate
ycombinator Apr 22, 2025
bb1ebed
Adding README to testdata folder to explain manual generation of keys…
ycombinator Apr 22, 2025
209a660
Reverting unintended changes from conflict resolution
ycombinator Apr 22, 2025
a169966
Removing irrelevant integration test
ycombinator Apr 22, 2025
0e3de36
Remove unused variables
ycombinator Apr 22, 2025
b561b4c
Remove CA private key
ycombinator Apr 22, 2025
43a6c19
Renaming root -> CA for clarity
ycombinator Apr 22, 2025
c6eed9d
Rename files and variable to make purpose clearer
ycombinator Apr 23, 2025
f0511ae
Adding .gitignore for CA private key file
ycombinator Apr 23, 2025
064d0c8
Introduce GoDebugFIPS140() function
ycombinator Apr 24, 2025
5d0b848
Separate test cases based on GODEBUG=fips140= value
ycombinator Apr 24, 2025
7f62577
Rename test cases for clarity
ycombinator Apr 24, 2025
8681c0f
Remove test cases for GODEBUG=fips140=on
ycombinator Apr 28, 2025
d6fdd32
Adjust test cases to assume upstream Go instead of Microsoft Go
ycombinator Apr 28, 2025
2e2c22c
Be explicit in all constant types
ycombinator Apr 28, 2025
3a9c2ae
Fix data race
ycombinator Apr 29, 2025
156 changes: 156 additions & 0 deletions internal/pkg/remote/client_fips_test.go
@@ -7,16 +7,49 @@
package remote

import (
"context"
"crypto/tls"
"crypto/x509"
_ "embed"
"fmt"
"log"
"net/http"
"net/http/httptest"
"strings"
"sync"
"testing"
"time"

"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"

"github.com/elastic/elastic-agent-libs/transport/httpcommon"
"github.com/elastic/elastic-agent-libs/transport/tlscommon"
"github.com/elastic/elastic-agent/internal/pkg/testutils/fipsutils"
"github.com/elastic/elastic-agent/pkg/core/logger/loggertest"
)

//go:embed testdata/ca.crt
var caCertPEM []byte

//go:embed testdata/server.crt
var serverCertPEM []byte

//go:embed testdata/server.key
var serverKeyPEM []byte // RSA key with length = 2048 bits

//go:embed testdata/fips_invalid.key
var fipsInvalidKeyPEM []byte // RSA key with length = 1024 bits

//go:embed testdata/fips_invalid.crt
var fipsInvalidCertPEM []byte

//go:embed testdata/fips_valid.key
var fipsValidKeyPEM []byte // RSA key with length = 2048 bits

//go:embed testdata/fips_valid.crt
var fipsValidCertPEM []byte

func TestClientWithUnsupportedTLSVersions(t *testing.T) {
testLogger, _ := loggertest.New("TestClientWithUnsupportedTLSVersions")
const unsupportedErrorMsg = "invalid configuration: unsupported tls version: %s"
@@ -70,3 +103,126 @@ func TestClientWithUnsupportedTLSVersions(t *testing.T) {
})
}
}

type serverLog struct {
log strings.Builder
mu sync.Mutex
}

func (s *serverLog) Write(data []byte) (int, error) {
s.mu.Lock()
defer s.mu.Unlock()
return s.log.Write(data)
}

func (s *serverLog) String() string {
s.mu.Lock()
defer s.mu.Unlock()
return s.log.String()
}

func TestClientWithCertificate(t *testing.T) {
cases := map[string]struct {
clientCertificate []byte
clientKey []byte
expectedHandshakeErr string
expectedServerLog string
}{
"fips_invalid_key_fips140only": {
clientCertificate: fipsInvalidCertPEM,
clientKey: fipsInvalidKeyPEM,
expectedHandshakeErr: "use of keys smaller than 2048 bits is not allowed in FIPS 140-only mode",
expectedServerLog: "no FIPS compatible certificate chains found",
},
"fips_valid_key_fips140only": {
clientCertificate: fipsValidCertPEM,
clientKey: fipsValidKeyPEM,
expectedHandshakeErr: "",
expectedServerLog: "",
},
}

for name, test := range cases {
t.Run(name, func(t *testing.T) {
goDebugFIPS140 := fipsutils.GoDebugFIPS140()
if goDebugFIPS140 != fipsutils.GoDebugFIPS140Only {
t.Skipf(
`test expects to be run with GODEBUG=fips140=only but actual value is "%s", so skipping`,
goDebugFIPS140,
)
}

server, serverLog := startTLSServer(t)

// Create client and have it present a certificate during the
// TLS handshake with the server
testLogger, _ := loggertest.New("TestClientWithCertificate")
config := Config{
Host: server.URL,
Transport: httpcommon.HTTPTransportSettings{
TLS: &tlscommon.Config{
CAs: []string{string(caCertPEM)},
Certificate: tlscommon.CertificateConfig{
Certificate: string(test.clientCertificate),
Key: string(test.clientKey),
},
},
},
}
client, err := NewWithConfig(testLogger, config, nil)

// Use client to call fake API on HTTPS server
ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
defer cancel()

resp, err := client.Send(ctx, http.MethodGet, "/echo-hello", nil, nil, nil)

if test.expectedHandshakeErr == "" {
require.NotNil(t, resp)
require.NoError(t, err)
} else {
require.Nil(t, resp)
require.Error(t, err)
require.Contains(t, err.Error(), test.expectedHandshakeErr)
}

require.Eventually(
t,
func() bool {
return assert.Contains(t, serverLog.String(), test.expectedServerLog)
},
100*time.Millisecond, 10*time.Millisecond,
)
})
}
}

func startTLSServer(t *testing.T) (*httptest.Server, *serverLog) {
// Configure server and start it
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCertPEM)

// Create HTTPS server
const successResp = `{"message":"hello"}`
server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
fmt.Fprint(w, successResp)
}))

serverCert, err := tls.X509KeyPair(serverCertPEM, serverKeyPEM)
require.NoError(t, err)

server.TLS = &tls.Config{
RootCAs: caCertPool,
Certificates: []tls.Certificate{serverCert},
ClientCAs: caCertPool,
ClientAuth: tls.RequireAndVerifyClientCert,
}

logger := new(serverLog)
server.Config.ErrorLog = log.New(logger, "", 0)

server.StartTLS()

return server, logger
}
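Review bot: The condition passed to `require.Eventually` in `TestClientWithCertificate` calls `assert.Contains(t, ...)`, which records a failure on `t` for every poll that runs before the server has logged the handshake error, so the test can fail even though a later poll succeeds; return a plain boolean instead, `return strings.Contains(serverLog.String(), test.expectedServerLog)`. For the `fips_valid_key_fips140only` case the expected log is `""`, which every string contains, so that case checks nothing about the server side. The error from `NewWithConfig` is overwritten by the `Send` call without being inspected; adding `require.NoError(t, err)` right after construction would report a rejected TLS configuration there instead of surfacing later (possibly as a nil dereference). The server returned by `startTLSServer` is never closed; `t.Cleanup(server.Close)` after the call would release the listener for each subtest.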
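--- a/internal/pkg/remote/testdata/.gitignore
+++ b/internal/pkg/remote/testdata/.gitignore
@@ -0,0 +1 @@
+ca.key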
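--- a/internal/pkg/remote/testdata/README.md
+++ b/internal/pkg/remote/testdata/README.md
@@ -0,0 +1,9 @@
+The certificates and private keys in this folder are intended for use by unit tests in the parent folder.
+
+In particular, the `TestClientWithCertificate` unit test uses certificates and private keys from this folder. Note
+that this test is expected to run in FIPS mode due to the `requirefips` build tag on the file containing the test.
+In FIPS mode, it is not possible to generate insecure keys and their corresponding certificates in test code. Therefore,
+the `agent_insecure.key` and `agent_insecure.crt` have been manually generated and stored in this folder. The other keys
+and certificates in this folder are all secure (from a FIPS perspective) and could be generated in test code; however,
+they are also manually generated for simplifying the test code and since we already have a manually-generated insecure
+key and certificate in this folder anyway.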
23 changes: 23 additions & 0 deletions internal/pkg/remote/testdata/ca.crt
@@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIUA9Gphn0fTO3Vuo7ePJpfebnebtgwDQYJKoZIhvcNAQEL
BQAwZDELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMSEwHwYDVQQKDBhJ
bnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxCzAJBgNVBAsMAkNBMRIwEAYDVQQDDAls
b2NhbGhvc3QwHhcNMjUwNDIyMjIwMTU2WhcNMzAwNDIxMjIwMTU2WjBkMQswCQYD
VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxITAfBgNVBAoMGEludGVybmV0IFdp
ZGdpdHMgUHR5IEx0ZDELMAkGA1UECwwCQ0ExEjAQBgNVBAMMCWxvY2FsaG9zdDCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIaR6W/pAoEFE5Hc6kgH2UTZ
cd0LOT5hp3xtomKfnNONS5WgXDZbOqCSUY1+ZrG6NDrzG64vDC+AdtW7Zji7s+VA
2hZ2DESbq+JBosAAyZbwzqosTCpp24on1VWXS+h8NT1nMGkvkkrKnM0fBK4Q9DVI
H9QAtKysPnLwbfyWrnAHtjMd0bIrBPlt26g16l1nJklTwm2clD0ixE4MKw7lPZWE
eJN+sK1CvA+r65huC7vDbNrL2OC+eNAiKtCH+AQR4HcB76kG9Qy/9+qfCGhizBlt
mwceLDhz6FWgxKSgXwSfmorZLc1ecBfuWjqr9rfaUhOd4oLkmfbaEPqNu2V/rw0C
AwEAAaNvMG0wHQYDVR0OBBYEFGzBvXdyHsVEY4bOAIiI3m4w7JfcMB8GA1UdIwQY
MBaAFGzBvXdyHsVEY4bOAIiI3m4w7JfcMA8GA1UdEwEB/wQFMAMBAf8wGgYDVR0R
BBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQCEbCFPgfT4
DUkl/LozK8zUPEUV6mh53rTGQLhMbPfu7l1f6aSjvb1bIzYmrEFhlv/3yke+2/BC
lGPYZrzdy2S9Xqv2ZthBoqE7cUrUGcq6U4y9helsM4gMfokpgBuNqwFVOGtSAlYy
otUTRuIJeCLqAUV51wYROe9dOnY//ICEVrnRmLN4uXl64LMlBWbx76PS2s9dktr1
5oWeF8whEhzg41FGsd6QPulKgT9h8+RR10hc3F4IFCVjtnp11E22x0/YYONbuAEH
ZxL++PbvQRAvFGpTEmxH/AIq8yGQ90V94+HB7ocqz+3y0Nl93iNoanMOAJush3uL
oIhHS8L9ENUv
-----END CERTIFICATE-----
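Review bot: These fixtures have a fixed lifetime and no recorded way to reproduce them: decoding the validity field of this CA certificate suggests it expires in April 2030, after which `TestClientWithCertificate` would presumably start failing on certificate verification rather than on the key-size check it is meant to exercise. Because `ca.key` is git-ignored and the README only says the files were generated manually, nobody else can re-issue the leaf certificates; the README should record the exact generation commands (key sizes, SANs, validity period). The README also refers to `agent_insecure.key` and `agent_insecure.crt`, while the files committed here are `fips_invalid.key` and `fips_invalid.crt`.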
20 changes: 20 additions & 0 deletions internal/pkg/remote/testdata/fips_invalid.crt
@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
16 changes: 16 additions & 0 deletions internal/pkg/remote/testdata/fips_invalid.key
@@ -0,0 +1,16 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
22 changes: 22 additions & 0 deletions internal/pkg/remote/testdata/fips_valid.crt
@@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
28 changes: 28 additions & 0 deletions internal/pkg/remote/testdata/fips_valid.key
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCE3dCmo1RtXI4k
/5q5zHW4JsWQhf/2GpWQLWTTyYiFCp9d75v0eOAHAckTj+XD1Onvx+2eTciTA+m5
X6ctG0mdfeDP+we807xPRih1I5uG5C/heZcxTaO24bcciewAP0Fmqyqd1eV8Q74F
CXsLrj/mgXDxz6t+YUXCGAhUf46gSeCwaaVqinLKHNml0K1tOpPPSMdHbzm7v20g
QBTIb2VS3nyaNgQFEtGjwuvzLIhKVjGHFk5gR/lHzFkl/b0XPaqKhu3QtoMchtXE
95qNKDplmq/RVuxa8ZfSBtpdapSp4lDZli/OoIKzbx+Lm3SfEGIut9231RstCUHi
gxHOMv23AgMBAAECggEAOsqH0+R7rDSDNT3g8gvVnxmQ3AVfID/dJEHh1pDblrr/
j6pBoOiHgLI6jixjJ8cjiJU3wI98jAj0N7FqoNvtNAIKIx1Z7CTos09BAawy2npH
8YZC728CXR79TmR9CBL1Vn+wyMxn0heLkmECkEWXQuDN4EHbCX3zRxIpRXJ34taK
nAB+WFQ/ER8uzTjktWe+xLGw413qFqfkXOuQrqJkEe2G85YsvgFpGwp3YTUjR+jE
4bdaSGAL25s8G/aHDxvS6QLMiMy0v9NXlgjYD6HqJ4Th1svVaBRslhGNtxQIzIU6
2kWU041tvwpWaTviITtxsuFLwv+iYdvBxrPoVvesCQKBgQC6BDonpghSzxT1TKy3
IVer6G7aVy8qdFcxCXArFvq/TDrmagaeJd5oQDMMQXUGmqgg7msb/sZ9Q1igSa/i
RoolE2mIZ72H5nrzs92oe58lHgC699LpG3D/yIf//q9AzIpaD4jRDVPI2q+ZPZVj
RthhNif+dd7BgcwS8b6qUkWdYwKBgQC22o65N1hZDLX8zEJE06M80ns0ufOdbe6o
Jyl78W5EweZYIIzCQRHC342yzGYityOZ6PBNMY8BuAc2Uh/VssIRzcEaw9O9iyoE
klsD3sH2jges1abmEpipY2yLvkc5aU8/Yqo7aDKTOrXjsKMxMdI6R1wbx3ICDDiR
0VDz5I4onQKBgQCkRllpbGqLXxAeNbGOJOb9DU7gigBAWPArgS9LDocw68xUciwX
/E9298NdPm1wAKMcOhHjblOyigg5vfmTNkKHzaX0bdFmtDe/Awhs44e/SsjQVU4w
ySg468qXXD8/VaOVN4TXQhLNHbvX9Bf6zbUH3MDjKwsnD06/KDj+x5ttCwKBgFNk
kAz2qctLGcCmY17CasM1d01PtURKO7riyW+mZ1TiXaw5hBif1nrau+QchkQ04/6w
ls+N15vAE0H56Fzsvseh3/zV7L6YNlyJZwr3z9wjYGq5sflh58/w8TM2X4NWfPb6
h4q6db5h20xxZavs/eToYKCmsF8wtagDH3lr9k2dAoGBAKPhIYv/hxefpbcfrSlD
7sQ5jUxawiwLTyZ4joi3jvd7xndMEWEYamqR4IVEcD6zqcCHwcEmRnkqL8Exx3WY
CrLyCh4Yt+wXatkm/WvjflnhJxiPKMJDXofW76O1zrddFeWcq+1wOiWekCrH4c2d
1DeEywbz0PQhBFqY3/7wjSOj
-----END PRIVATE KEY-----
22 changes: 22 additions & 0 deletions internal/pkg/remote/testdata/server.crt
@@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
28 changes: 28 additions & 0 deletions internal/pkg/remote/testdata/server.key
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
23 changes: 22 additions & 1 deletion internal/pkg/testutils/fipsutils/fipsOnlySkip.go
@@ -10,13 +10,34 @@ import (
"testing"
)

type GoDebugFIPS140Value string

const (
GoDebugFIPS140NotSet GoDebugFIPS140Value = ""
GoDebugFIPS140On GoDebugFIPS140Value = "on"
GoDebugFIPS140Only GoDebugFIPS140Value = "only"
)

// SkipIfFIPSOnly will mark the passed test as skipped if GODEBUG=fips140=only is detected.
// If GODBUG=fips140=on, go may call non-compliant algorithms and the test does not need to be skipped.
func SkipIfFIPSOnly(t *testing.T, msg string) {
// NOTE: This only checks env var; at the time of writing fips140 can only be set via env
// other GODEBUG settings can be set via embedded comments or in go.mod, we may need to account for this in the future.
if GoDebugFIPS140() == GoDebugFIPS140Only {
t.Skip("GODEBUG=fips140=only detected, skipping test:", msg)
}
}

// GoDebugFIPS140 returns one of "on", "only", or "" depending on
// whether the GODEBUG environment variable contains fips140=on or
// fips140=only, or neither.
func GoDebugFIPS140() GoDebugFIPS140Value {
s := os.Getenv("GODEBUG")
if strings.Contains(s, "fips140=only") {
t.Skip("GODEBUG=fips140=only detected, skipping test:", msg)
return GoDebugFIPS140Only
}
if strings.Contains(s, "fips140=on") {
return GoDebugFIPS140On
}
return GoDebugFIPS140NotSet
}
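Review bot: `GoDebugFIPS140` decides the mode with `strings.Contains` over the whole GODEBUG string, so it matches substrings rather than the `fips140` key: the `fips140=on` branch is only correct because `fips140=only` is tested first, and a value that lists the key twice, or a longer key that ends in `fips140`, is classified by whichever substring is present, which may differ from what the runtime applies (I have not verified the runtime's precedence). Since the FIPS test cases run or skip on this value, parsing the comma-separated list and comparing the key exactly would be safer, as sketched below. The NOTE about GODEBUG sources other than the environment still sits in `SkipIfFIPSOnly` although the environment read moved into `GoDebugFIPS140`, and the new exported type and constants have no doc comments. The file's import block starts outside this hunk.

```go
func GoDebugFIPS140() GoDebugFIPS140Value {
	mode := GoDebugFIPS140NotSet
	// GODEBUG is a comma-separated list of key=value settings; match the
	// fips140 key exactly and let a later entry replace an earlier one.
	for _, setting := range strings.Split(os.Getenv("GODEBUG"), ",") {
		key, value, found := strings.Cut(setting, "=")
		if !found || key != "fips140" {
			continue
		}
		switch v := GoDebugFIPS140Value(value); v {
		case GoDebugFIPS140On, GoDebugFIPS140Only:
			mode = v
		default:
			mode = GoDebugFIPS140NotSet
		}
	}
	return mode
}
```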