| // Copyright 2021 Google LLC |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| // |
| //////////////////////////////////////////////////////////////////////////////// |
| package com.google.crypto.tink.config.internal; |
| |
| import static com.google.common.truth.Truth.assertThat; |
| |
| import org.junit.Assume; |
| import org.junit.Test; |
| import org.junit.runner.RunWith; |
| import org.junit.runners.JUnit4; |
| |
| /** |
| * Tests for TinkFipsUtil. The tests here check the behavior of Tink when built with or without the |
| * --use_only_fips flag. In order to get complete coverage a build should be tested with: 1) Build |
| * without the --use_only_fips flag. 2) Build with the --use_only_fips flag, and BoringCrypto not |
| * being available. 3) Build with the --use_only_fips flag, and BoringCrypto being available. |
| */ |
| @RunWith(JUnit4.class) |
| public final class TinkFipsUtilTest { |
| |
| @Test |
| public void testFipsOnlyModeDisabledAlgorithmCompatibility() { |
| // Test behavior when FIPS-only mode is not used. |
| Assume.assumeFalse(TinkFipsUtil.useOnlyFips()); |
| assertThat(TinkFipsUtil.AlgorithmFipsCompatibility.ALGORITHM_NOT_FIPS.isCompatible()).isTrue(); |
| assertThat( |
| TinkFipsUtil.AlgorithmFipsCompatibility.ALGORITHM_REQUIRES_BORINGCRYPTO.isCompatible()) |
| .isTrue(); |
| } |
| |
| @Test |
| public void testFipsOnlyModeEnabledAlgorithmCompatibility() { |
| // Test behavior when FIPS-only mode is used. |
| Assume.assumeTrue(TinkFipsUtil.useOnlyFips()); |
| assertThat(TinkFipsUtil.AlgorithmFipsCompatibility.ALGORITHM_NOT_FIPS.isCompatible()).isFalse(); |
| |
| // BoringCrypto is available, therefore an algorithm which has a FIPS validated |
| // implementation is compatible. |
| Assume.assumeTrue(TinkFipsUtil.fipsModuleAvailable()); |
| assertThat( |
| TinkFipsUtil.AlgorithmFipsCompatibility.ALGORITHM_REQUIRES_BORINGCRYPTO.isCompatible()) |
| .isTrue(); |
| } |
| |
| @Test |
| public void testFipsOnlyModeEnabledAlgorithmCompatibilityNoBoringCrypto() { |
| // Test behavior when FIPS-only mode is used. |
| Assume.assumeTrue(TinkFipsUtil.useOnlyFips()); |
| assertThat(TinkFipsUtil.AlgorithmFipsCompatibility.ALGORITHM_NOT_FIPS.isCompatible()).isFalse(); |
| |
| // BoringCrypto is not available, therefore no validated implementation is available and |
| // the compatibility check must fail. |
| Assume.assumeTrue(!TinkFipsUtil.fipsModuleAvailable()); |
| assertThat( |
| TinkFipsUtil.AlgorithmFipsCompatibility.ALGORITHM_REQUIRES_BORINGCRYPTO.isCompatible()) |
| .isFalse(); |
| } |
| |
| @Test |
| public void testFipsOnlyModeEnabledAtRuntimeAlgorithmCompatibility() { |
| // Test behavior when FIPS-only mode is set at runtime. |
| Assume.assumeFalse(TinkFipsUtil.useOnlyFips()); |
| TinkFipsUtil.setFipsRestricted(); |
| |
| assertThat(TinkFipsUtil.AlgorithmFipsCompatibility.ALGORITHM_NOT_FIPS.isCompatible()).isFalse(); |
| |
| // BoringCrypto is available, therefore an algorithm which has a FIPS validated |
| // implementation is compatible. |
| Assume.assumeTrue(TinkFipsUtil.fipsModuleAvailable()); |
| assertThat( |
| TinkFipsUtil.AlgorithmFipsCompatibility.ALGORITHM_REQUIRES_BORINGCRYPTO.isCompatible()) |
| .isTrue(); |
| } |
| |
| @Test |
| public void testFipsOnlyModeEnabledAtRuntimeAlgorithmCompatibilityNoBoringCrypto() { |
| // Test behavior when FIPS-only mode is set at runtime. |
| Assume.assumeFalse(TinkFipsUtil.useOnlyFips()); |
| TinkFipsUtil.setFipsRestricted(); |
| |
| assertThat(TinkFipsUtil.AlgorithmFipsCompatibility.ALGORITHM_NOT_FIPS.isCompatible()).isFalse(); |
| |
| // BoringCrypto is not available, therefore no validated implementation is available and |
| // the compatibility check must fail. |
| Assume.assumeTrue(!TinkFipsUtil.fipsModuleAvailable()); |
| assertThat( |
| TinkFipsUtil.AlgorithmFipsCompatibility.ALGORITHM_REQUIRES_BORINGCRYPTO.isCompatible()) |
| .isFalse(); |
| } |
| } |