Reorder key tests to skip as little as possible on FIPS systems.

Signed-off-by: Aaron Jacobs <[email protected]>

tests/testthat/test_keys_dsa.R

@@ -5,17 +5,15 @@ sk1 <- read_key("../keys/id_dsa")
 pk1 <- read_pubkey("../keys/id_dsa.pub")
 
 test_that("reading protected keys", {
-  if(fips_mode()){
-    expect_error(read_key("../keys/id_dsa.pw", password = "test"), "FIPS")
-  } else {
-    expect_error(read_key("../keys/id_dsa.pw", password = ""), "bad")
-    sk2 <- read_key("../keys/id_dsa.pw", password = "test")
-    expect_equal(sk1, sk2)
-  }
-  sk3 <- read_key("../keys/id_dsa.openssh")
-  sk4 <- read_key("../keys/id_dsa.openssh.pw", password = "test")
-
+  expect_error(read_key("../keys/id_dsa.pw", password = ""))
+  sk2 <- read_key("../keys/id_dsa.openssh")
+  sk3 <- read_key("../keys/id_dsa.openssh.pw", password = "test")
+  expect_equal(sk1, sk2)
   expect_equal(sk1, sk3)
+
+  # This key uses a MD5-hashed password, which is not permitted under FIPS-140.
+  skip_if(fips_mode())
+  sk4 <- read_key("../keys/id_dsa.pw", password = "test")
   expect_equal(sk1, sk4)
 })
 
@@ -92,17 +90,16 @@ test_that("signature path interface", {
 })
 
 test_that("dsa_keygen works", {
-  if(!fips_mode()){
-    key <- dsa_keygen(1024)
-    expect_is(key, "dsa")
-    expect_equal(as.list(key)$size, 1024)
-    rm(key)
-  }
-
   key <- dsa_keygen(2048)
   expect_is(key, "dsa")
   expect_equal(as.list(key)$size, 2048)
   rm(key)
+
+  skip_if(fips_mode())
+  key <- dsa_keygen(1024)
+  expect_is(key, "dsa")
+  expect_equal(as.list(key)$size, 1024)
+  rm(key)
 })
 
 # Cleanup

tests/testthat/test_keys_ecdsa.R

@@ -7,17 +7,15 @@ sk1 <- read_key("../keys/id_ecdsa")
 pk1 <- read_pubkey("../keys/id_ecdsa.pub")
 
 test_that("reading protected keys", {
-  if(fips_mode()){
-    expect_error(read_key("../keys/id_ecdsa.pw", password = "test"), "FIPS")
-  } else {
-    expect_error(read_key("../keys/id_ecdsa.pw", password = NULL), "bad")
-    sk2 <- read_key("../keys/id_ecdsa.pw", password = "test")
-    expect_equal(sk1, sk2)
-  }
-  sk3 <- read_key("../keys/id_ecdsa.openssh")
-  sk4 <- read_key("../keys/id_ecdsa.openssh.pw", password = "test")
-
+  expect_error(read_key("../keys/id_ecdsa.pw", password = ""))
+  sk2 <- read_key("../keys/id_ecdsa.openssh")
+  sk3 <- read_key("../keys/id_ecdsa.openssh.pw", password = "test")
+  expect_equal(sk1, sk2)
   expect_equal(sk1, sk3)
+
+  # This key uses a MD5-hashed password, which is not permitted under FIPS-140.
+  skip_if(fips_mode())
+  sk4 <- read_key("../keys/id_ecdsa.pw", password = "test")
   expect_equal(sk1, sk4)
 })
 

tests/testthat/test_keys_ecdsa384.R

@@ -7,16 +7,15 @@ sk1 <- read_key("../keys/id_ecdsa384")
 pk1 <- read_pubkey("../keys/id_ecdsa384.pub")
 
 test_that("reading protected keys", {
-  if(fips_mode()){
-    expect_error(read_key("../keys/id_ecdsa384.pw", password = "test"), "FIPS")
-  } else {
-    expect_error(read_key("../keys/id_ecdsa384.pw", password = NULL), "bad")
-    sk2 <- read_key("../keys/id_ecdsa384.pw", password = "test")
-    expect_equal(sk1, sk2)
-  }
-  sk3 <- read_key("../keys/id_ecdsa384.openssh")
-  sk4 <- read_key("../keys/id_ecdsa384.openssh.pw", password = "test")
+  expect_error(read_key("../keys/id_ecdsa384.pw", password = NULL))
+  sk2 <- read_key("../keys/id_ecdsa384.openssh")
+  sk3 <- read_key("../keys/id_ecdsa384.openssh.pw", password = "test")
+  expect_equal(sk1, sk2)
   expect_equal(sk1, sk3)
+
+  # This key uses a MD5-hashed password, which is not permitted under FIPS-140.
+  skip_if(fips_mode())
+  sk4 <- read_key("../keys/id_ecdsa384.pw", password = "test")
   expect_equal(sk1, sk4)
 })
 

tests/testthat/test_keys_ecdsa521.R

@@ -7,16 +7,15 @@ sk1 <- read_key("../keys/id_ecdsa521")
 pk1 <- read_pubkey("../keys/id_ecdsa521.pub")
 
 test_that("reading protected keys", {
-  if(fips_mode()){
-    expect_error(read_key("../keys/id_ecdsa521.pw", password = "test"), "FIPS")
-  } else {
-    expect_error(read_key("../keys/id_ecdsa521.pw", password = NULL), "bad")
-    sk2 <- read_key("../keys/id_ecdsa521.pw", password = "test")
-    expect_equal(sk1, sk2)
-  }
-  sk3 <- read_key("../keys/id_ecdsa521.openssh")
-  sk4 <- read_key("../keys/id_ecdsa521.openssh.pw", password = "test")
+  expect_error(read_key("../keys/id_ecdsa521.pw", password = NULL))
+  sk2 <- read_key("../keys/id_ecdsa521.openssh")
+  sk3 <- read_key("../keys/id_ecdsa521.openssh.pw", password = "test")
+  expect_equal(sk1, sk2)
   expect_equal(sk1, sk3)
+
+  # This key uses a MD5-hashed password, which is not permitted under FIPS-140.
+  skip_if(fips_mode())
+  sk4 <- read_key("../keys/id_ecdsa521.pw", password = "test")
   expect_equal(sk1, sk4)
 })
 

tests/testthat/test_keys_rsa.R

@@ -5,17 +5,15 @@ sk1 <- read_key("../keys/id_rsa")
 pk1 <- read_pubkey("../keys/id_rsa.pub")
 
 test_that("reading protected keys", {
-  if(fips_mode()){
-    expect_error(read_key("../keys/id_rsa.pw", password = "test"), "FIPS")
-  } else {
-    expect_error(read_key("../keys/id_rsa.pw", password = ""), "bad")
-    sk2 <- read_key("../keys/id_rsa.pw", password = "test")
-    expect_equal(sk1, sk2)
-  }
-
-  sk3 <- read_key("../keys/id_rsa.openssh")
-  sk4 <- read_key("../keys/id_rsa.openssh.pw", password = "test")
+  expect_error(read_key("../keys/id_rsa.pw", password = ""))
+  sk2 <- read_key("../keys/id_rsa.openssh")
+  sk3 <- read_key("../keys/id_rsa.openssh.pw", password = "test")
+  expect_equal(sk1, sk2)
   expect_equal(sk1, sk3)
+
+  # This key uses a MD5-hashed password, which is not permitted under FIPS-140.
+  skip_if(fips_mode())
+  sk4 <- read_key("../keys/id_rsa.pw", password = "test")
   expect_equal(sk1, sk4)
 })
 
@@ -90,14 +88,15 @@ test_that("signature path interface", {
 })
 
 test_that("rsa_keygen works", {
-  key <- rsa_keygen(1024)
+  key <- rsa_keygen(2048)
   expect_is(key, "rsa")
-  expect_equal(as.list(key)$size, 1024)
+  expect_equal(as.list(key)$size, 2048)
   rm(key)
 
-  key <- rsa_keygen(2048)
+  skip_if(fips_mode())
+  key <- rsa_keygen(1024)
   expect_is(key, "rsa")
-  expect_equal(as.list(key)$size, 2048)
+  expect_equal(as.list(key)$size, 1024)
   rm(key)
 })