From 2bc4315d92a70d9a5e895d60defba4f799798806 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda
Date: Fri, 19 Dec 2025 23:14:05 +0100
Subject: [PATCH] crypto/internal/fips140test: add ML-DSA to FIPS 140-3 functional tests
Change-Id: I568d28d27d2bc55bbadcc678a2fcf9d36a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/731540
Reviewed-by: Roland Shoemaker
Reviewed-by: Junyang Shao
Auto-Submit: Filippo Valsorda
LUCI-TryBot-Result: Go LUCI
---
 .../fips140test/cast_fips140v1.26_test.go | 16 ---------
 ...ips140v1.0_test.go => fips140v1.0_test.go} | 4 +++
 .../internal/fips140test/fips140v1.26_test.go | 33 +++++++++++++++++++
 src/crypto/internal/fips140test/fips_test.go | 2 ++
 4 files changed, 39 insertions(+), 16 deletions(-)
 delete mode 100644 src/crypto/internal/fips140test/cast_fips140v1.26_test.go
 rename src/crypto/internal/fips140test/{cast_fips140v1.0_test.go => fips140v1.0_test.go} (75%)
 create mode 100644 src/crypto/internal/fips140test/fips140v1.26_test.go
diff --git a/src/crypto/internal/fips140test/cast_fips140v1.26_test.go b/src/crypto/internal/fips140test/cast_fips140v1.26_test.go
deleted file mode 100644
index ef79068c38..0000000000
--- a/src/crypto/internal/fips140test/cast_fips140v1.26_test.go
+++ /dev/null
@@ -1,16 +0,0 @@
-// Copyright 2024 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !fips140v1.0
-
-package fipstest
-
-import "crypto/internal/fips140/mldsa"
-
-func fips140v126Conditionals() {
- // ML-DSA sign and verify PCT
- kMLDSA := mldsa.GenerateKey44()
- // ML-DSA-44
- mldsa.SignDeterministic(kMLDSA, make([]byte, 32), "")
-}
diff --git a/src/crypto/internal/fips140test/cast_fips140v1.0_test.go b/src/crypto/internal/fips140test/fips140v1.0_test.go
similarity index 75%
rename from src/crypto/internal/fips140test/cast_fips140v1.0_test.go
rename to src/crypto/internal/fips140test/fips140v1.0_test.go
index b9ddfe4d8b..262ef61d5c 100644
--- a/src/crypto/internal/fips140test/cast_fips140v1.0_test.go
+++ b/src/crypto/internal/fips140test/fips140v1.0_test.go
@@ -6,4 +6,8 @@
 
 package fipstest
 
+import "testing"
+
 func fips140v126Conditionals() {}
+
+func testFIPS140v126(t *testing.T, plaintext []byte) {}
diff --git a/src/crypto/internal/fips140test/fips140v1.26_test.go b/src/crypto/internal/fips140test/fips140v1.26_test.go
new file mode 100644
index 0000000000..6cd9f4fe40
--- /dev/null
+++ b/src/crypto/internal/fips140test/fips140v1.26_test.go
@@ -0,0 +1,33 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !fips140v1.0
+
+package fipstest
+
+import (
+ "crypto/internal/fips140/mldsa"
+ "testing"
+)
+
+func fips140v126Conditionals() {
+ // ML-DSA sign and verify PCT
+ kMLDSA := mldsa.GenerateKey44()
+ // ML-DSA-44
+ mldsa.SignDeterministic(kMLDSA, make([]byte, 32), "")
+}
+
+func testFIPS140v126(t *testing.T, plaintext []byte) {
+ t.Run("ML-DSA KeyGen, SigGen, SigVer", func(t *testing.T) {
+ ensureServiceIndicator(t)
+ k := mldsa.GenerateKey44()
+
+ sig, err := mldsa.SignDeterministic(k, plaintext, "")
+ fatalIfErr(t, err)
+ t.Logf("ML-DSA signature: %x", sig)
+
+ err = mldsa.Verify(k.PublicKey(), plaintext, sig, "")
+ fatalIfErr(t, err)
+ })
+}
diff --git a/src/crypto/internal/fips140test/fips_test.go b/src/crypto/internal/fips140test/fips_test.go
index 52fc9d3488..7f2824ca9a 100644
--- a/src/crypto/internal/fips140test/fips_test.go
+++ b/src/crypto/internal/fips140test/fips_test.go
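Review bot: The new empty `testFIPS140v126` stub in fips140v1.0_test.go carries no comment, so a reader arriving from `TestFIPS140` cannot tell that the ML-DSA subtest is deliberately absent in this build. A one-line doc comment on the stub would cover it, for example `// testFIPS140v126 is a no-op in this build; the ML-DSA subtest lives in fips140v1.26_test.go.` The file's build constraint sits above the hunk, so the tag that selects this file is presumably `fips140v1.0`, inferred from the `!fips140v1.0` tag on the sibling file.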
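Review bot: In fips140v1.26_test.go the "ML-DSA KeyGen, SigGen, SigVer" subtest asserts only the accept path, so a `mldsa.Verify` that returned nil for every input would still pass. A reject check after the last `fatalIfErr` would close that gap, for example `if mldsa.Verify(k.PublicKey(), append([]byte{0}, plaintext...), sig, "") == nil { t.Error("Verify accepted a modified message") }`. If the subtest is meant only to exercise the approved services for the service indicator, a comment saying so would do instead. Separately, `fips140v126Conditionals` discards both results of `mldsa.SignDeterministic` without explanation; if that is deliberate (the call appears to exist only to trigger the PCT), a comment such as `// Results ignored: the call is only needed to trigger the conditional self-test.` would make it explicit.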
@@ -101,6 +101,8 @@ func TestFIPS140(t *testing.T) {
 aesBlock, err := aes.New(aesKey)
 fatalIfErr(t, err)
 
+ testFIPS140v126(t, plaintext)
+
 t.Run("AES-CTR", func(t *testing.T) {
 ensureServiceIndicator(t)
 ctr := aes.NewCTR(aesBlock, aesIV)
-- 
2.52.0
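Review bot: The added `testFIPS140v126(t, plaintext)` call sits between the `aes.New` setup and the `t.Run("AES-CTR", ...)` subtest that consumes `aesBlock`, which separates the AES fixture from its first use. Moving the call above `aesBlock, err := aes.New(aesKey)`, or after the AES subtests, would keep the AES setup and its users contiguous; whether that is possible depends on where `plaintext` is declared, which is outside the hunk. `TestFIPS140` begins and ends outside the hunk, so the ordering of the other subtests is not visible here.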