crypto/internal/fips140test: add KDA HKDF ACVP tests

Adds ACVP test coverage for the SP 800-56Crev2 HKDF KDA based on the NIST spec: https://pages.nist.gov/ACVP/draft-hammett-acvp-kas-kdf-hkdf.html Updates #69642 Change-Id: Ie4f48f9b0181eaf6c2201a9796d366a31c474eba Reviewed-on: https://go-review.googlesource.com/c/go/+/636115 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Filippo Valsorda <filippo@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org>
2025-10-19 11:03:18 +00:00 · 2024-12-13 16:21:45 -05:00 · 2024-12-13 16:21:45 -05:00 · 0580e2a496
commit 0580e2a496
parent 035d3c8f53
3 changed files with 33 additions and 1 deletions
--- a/src/crypto/internal/fips140test/acvp_capabilities.json
+++ b/src/crypto/internal/fips140test/acvp_capabilities.json
@ -26,6 +26,8 @@
  {"algorithm":"HMAC-SHA3-384","keyLen":[{"increment":8,"max":524288,"min":8}],"macLen":[{"increment":8,"max":384,"min":32}],"revision":"1.0"},
  {"algorithm":"HMAC-SHA3-512","keyLen":[{"increment":8,"max":524288,"min":8}],"macLen":[{"increment":8,"max":512,"min":32}],"revision":"1.0"},

+  {"algorithm":"KDA","mode":"HKDF","revision":"Sp800-56Cr1","fixedInfoPattern":"uPartyInfo||vPartyInfo","encoding":["concatenation"],"hmacAlg":["SHA2-224","SHA2-256","SHA2-384","SHA2-512","SHA2-512/224","SHA2-512/256","SHA3-224","SHA3-256","SHA3-384","SHA3-512"],"macSaltMethods":["default","random"],"l":2048,"z":[{"min":224,"max":65336,"increment":8}]},
+
  {"algorithm":"PBKDF","capabilities":[{"iterationCount":[{"min":1,"max":10000,"increment":1}],"keyLen":[{"min":112,"max":4096,"increment":8}],"passwordLen":[{"min":8,"max":64,"increment":1}],"saltLen":[{"min":128,"max":512,"increment":8}],"hmacAlg":["SHA2-224","SHA2-256","SHA2-384","SHA2-512","SHA2-512/224","SHA2-512/256","SHA3-224","SHA3-256","SHA3-384","SHA3-512"]}],"revision":"1.0"},

  {"algorithm":"ML-KEM","mode":"keyGen","revision":"FIPS203","parameterSets":["ML-KEM-768","ML-KEM-1024"]},
--- a/src/crypto/internal/fips140test/acvp_test.config.json
+++ b/src/crypto/internal/fips140test/acvp_test.config.json
@ -21,6 +21,8 @@
  {"Wrapper": "go", "In": "vectors/HMAC-SHA2-512-224.bz2", "Out": "expected/HMAC-SHA2-512-224.bz2"},
  {"Wrapper": "go", "In": "vectors/HMAC-SHA2-512-256.bz2", "Out": "expected/HMAC-SHA2-512-256.bz2"},

+  {"Wrapper": "go", "In": "vectors/KDA.bz2", "Out": "expected/KDA.bz2"},
+
  {"Wrapper": "go", "In": "vectors/HMAC-SHA3-224.bz2", "Out": "expected/HMAC-SHA3-224.bz2"},
  {"Wrapper": "go", "In": "vectors/HMAC-SHA3-256.bz2", "Out": "expected/HMAC-SHA3-256.bz2"},
  {"Wrapper": "go", "In": "vectors/HMAC-SHA3-384.bz2", "Out": "expected/HMAC-SHA3-384.bz2"},
@ -41,4 +43,4 @@
  {"Wrapper": "go", "In": "vectors/ACVP-AES-GCM.bz2", "Out": "expected/ACVP-AES-GCM.bz2"},

  {"Wrapper": "go", "In": "vectors/CMAC-AES.bz2", "Out": "expected/CMAC-AES.bz2"}
-]
+]
--- a/src/crypto/internal/fips140test/acvp_test.go
+++ b/src/crypto/internal/fips140test/acvp_test.go
@ -29,6 +29,7 @@ import (
 	"crypto/internal/fips140/ecdsa"
 	"crypto/internal/fips140/ed25519"
 	"crypto/internal/fips140/edwards25519"
+	"crypto/internal/fips140/hkdf"
 	"crypto/internal/fips140/hmac"
 	"crypto/internal/fips140/mlkem"
 	"crypto/internal/fips140/pbkdf2"
@ -111,6 +112,8 @@ var (
 	//   https://pages.nist.gov/ACVP/draft-fussell-acvp-ecdsa.html#section-7
 	// AES algorithm capabilities:
 	//   https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.html#section-7.3
+	// HKDF KDA algorithm capabilities:
+	//   https://pages.nist.gov/ACVP/draft-hammett-acvp-kas-kdf-hkdf.html#section-7.3
 	//go:embed acvp_capabilities.json
 	capabilitiesJson []byte

@ -164,6 +167,17 @@ var (
 		"HMAC-SHA3-384":     cmdHmacAft(func() fips140.Hash { return sha3.New384() }),
 		"HMAC-SHA3-512":     cmdHmacAft(func() fips140.Hash { return sha3.New512() }),

+		"HKDF/SHA2-224":     cmdHkdfAft(func() fips140.Hash { return sha256.New224() }),
+		"HKDF/SHA2-256":     cmdHkdfAft(func() fips140.Hash { return sha256.New() }),
+		"HKDF/SHA2-384":     cmdHkdfAft(func() fips140.Hash { return sha512.New384() }),
+		"HKDF/SHA2-512":     cmdHkdfAft(func() fips140.Hash { return sha512.New() }),
+		"HKDF/SHA2-512/224": cmdHkdfAft(func() fips140.Hash { return sha512.New512_224() }),
+		"HKDF/SHA2-512/256": cmdHkdfAft(func() fips140.Hash { return sha512.New512_256() }),
+		"HKDF/SHA3-224":     cmdHkdfAft(func() fips140.Hash { return sha3.New224() }),
+		"HKDF/SHA3-256":     cmdHkdfAft(func() fips140.Hash { return sha3.New256() }),
+		"HKDF/SHA3-384":     cmdHkdfAft(func() fips140.Hash { return sha3.New384() }),
+		"HKDF/SHA3-512":     cmdHkdfAft(func() fips140.Hash { return sha3.New512() }),
+
 		"PBKDF": cmdPbkdf(),

 		"ML-KEM-768/keyGen":  cmdMlKem768KeyGenAft(),
@ -500,6 +514,20 @@ func cmdHmacAft(h func() fips140.Hash) command {
 	}
 }

+func cmdHkdfAft(h func() fips140.Hash) command {
+	return command{
+		requiredArgs: 4, // Key, salt, info, length bytes
+		handler: func(args [][]byte) ([][]byte, error) {
+			key := args[0]
+			salt := args[1]
+			info := args[2]
+			keyLen := int(binary.LittleEndian.Uint32(args[3]))
+
+			return [][]byte{hkdf.Key(h, key, salt, string(info), keyLen)}, nil
+		},
+	}
+}
+
 func cmdPbkdf() command {
 	return command{
 		// Hash name, key length, salt, password, iteration count