crypto/internal/fips140test: add a test for a non-approved function
authorFilippo Valsorda <filippo@golang.org>
Tue, 25 Feb 2025 17:13:29 +0000 (18:13 +0100)
committerGopher Robot <gobot@golang.org>
Tue, 25 Feb 2025 17:51:40 +0000 (09:51 -0800)
Change-Id: I6a6a46560bfca588e5874f3769f33b561c33096a
Reviewed-on: https://go-review.googlesource.com/c/go/+/652415
Reviewed-by: Robert Griesemer <gri@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
src/crypto/internal/fips140test/fips_test.go

index 81ccd0cf7fdd1ddf031b70be3b689d1332c0b52d..3ed6152ea380d02284ba2a9a89c16ceda5e1b63b 100644 (file)
@@ -240,6 +240,13 @@ func TestFIPS140(t *testing.T) {
                fatalIfErr(t, err)
        })
 
+       t.Run("RSA KeyGen w/ small key [NOT APPROVED]", func(t *testing.T) {
+               ensureServiceIndicatorFalse(t)
+               _, err := rsa.GenerateKey(rand.Reader, 512)
+               fatalIfErr(t, err)
+               t.Log("RSA key generated")
+       })
+
        t.Run("KTS IFC OAEP", func(t *testing.T) {
                ensureServiceIndicator(t)
                c, err := rsa.EncryptOAEP(sha256.New(), sha256.New(), rand.Reader, rsaKey.PublicKey(), plaintextSHA256, nil)
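Review bot: The new "RSA KeyGen w/ small key [NOT APPROVED]" subtest does not say why a 512-bit modulus is the non-approved case, or that the generated key is thrown away, so a later reader may "fix" the size or reuse the key. A comment above the `rsa.GenerateKey(rand.Reader, 512)` call would cover both: `// 512 bits is deliberately below the approved RSA modulus sizes; the key is discarded and must never leave this test.` The subtest also relies on GenerateKey continuing to succeed at this size. If this package ever enforces a minimum size (not visible here), `fatalIfErr` would fail before the indicator check says anything, which is worth a second comment line. TestFIPS140's body starts and ends outside the hunk.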
@@ -423,6 +430,17 @@ func ensureServiceIndicator(t *testing.T) {
        })
 }
 
+func ensureServiceIndicatorFalse(t *testing.T) {
+       fips140.ResetServiceIndicator()
+       t.Cleanup(func() {
+               if !fips140.ServiceIndicator() {
+                       t.Logf("Service indicator is not set")
+               } else {
+                       t.Errorf("Service indicator is set")
+               }
+       })
+}
+
 func fatalIfErr(t *testing.T, err error) {
        t.Helper()
        if err != nil {
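Review bot: ensureServiceIndicatorFalse has no doc comment, and its check can pass vacuously: after `fips140.ResetServiceIndicator()` the indicator presumably reads false until an approved service is recorded, so a subtest whose operation never ran would also satisfy it. A doc comment should state that callers must separately prove the operation executed (the RSA subtest does this with `fatalIfErr`), for example `// ensureServiceIndicatorFalse resets the service indicator and, at cleanup, fails the test if an approved service was recorded; it cannot tell "non-approved" from "nothing ran".` On style, `t.Logf("Service indicator is not set")` has no format verbs and can be `t.Log`, and testing the failing condition first (`if fips140.ServiceIndicator() { t.Errorf("Service indicator is set") }`) reads more directly than the negated if/else.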