[PATCH v5 4/4] doc: add readme file for acvp_tool
Aaron Conole
aconole at redhat.com
Fri Mar 24 14:34:02 CET 2023
jspewock at iol.unh.edu writes:
> From: Brandon Lo <blo at iol.unh.edu>
>
> This readme file contains instructions to set up
> and use the acvp_tool.
>
> Signed-off-by: Brandon Lo <blo at iol.unh.edu>
>
> doc: updated out-of-date acvp_tool readme
>
> Signed-off-by: Jeremy Spewock <jspewock at iol.unh.edu>
> ---
This part of the signature looks a bit strange - was it intended to be
two patches? Or was it two patches squashed together?
> tools/acvp/README | 129 ++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 129 insertions(+)
> create mode 100644 tools/acvp/README
>
> diff --git a/tools/acvp/README b/tools/acvp/README
> new file mode 100644
> index 0000000..23a1aef
> --- /dev/null
> +++ b/tools/acvp/README
> @@ -0,0 +1,129 @@
> +The ACVP tool is a general tool for interacting with the NIST ACVP API
> +in order to test different cryptographic implementations.
> +
> +It produces machine-readable output for parsing in a CI environment.
> +
> +Supported Algorithms
> +--------------------
> +* AES-CBC
> +* AES-CMAC
> +* AES-GMAC
> +* HMAC-SHA-1
> +* TDES-CBC
> +* AES-CTR
> +
> +Requirements
> +------------
> +
> +There are also python packages you need to download from the requirements.txt file:
> +* pyotp
> +* requests
> +
> +Along with these, you will also need to install the `nasm` package using your local package manager.
> +
> +The tool expects that you have all the credential files from NIST:
> +* Client certificate (usually a .cer file from NIST)
> +* Key file for the certificate
> +* Time-based one-time password seed file (usually a .txt file from NIST)
> +
> +The path to each file must be stored in an environment variable:
> +* $ACVP_SEED_FILE = Path to the TOTP seed .txt file (given by NIST).
> +* $ACVP_CERT_FILE = Path to the client .cer/.crt file (given by NIST).
> +* $ACVP_KEY_FILE = Path to the certificate key file (generated by user).
> +
> +If you do not have the required files from NIST, you must email them
> +to create demo credentials.
> +https://pages.nist.gov/ACVP/#access
> +
> +
> +Setup
> +-----
> +
> +After setting the environment variables as described in the
> +"Requirements" section, you will need to edit the acvp_config.json file.
> +
> +The acvp_config.json file is expected to be a json object
> +containing two keys: "url" and "algorithms"
> +
> +"url" must be the base URL string of the API you want to use.
> +"algorithms" must be an array of algorithm objects as detailed in the
> +ACVP API specification here:
> +https://github.com/usnistgov/ACVP/wiki/ACVTS-End-User-Documentation . In the case of the supported algorithms listed above, the only thing that will need to change in the config file is the `"algorithm"` field to match the name of the algorithm you would like to test.
> +* In order to test AES-CTR you'll also have to remove the key `"ivGenMode"`
> +
> +Now you can use the acvp_tool.py script to register a test session,
> +upload the results, and download the verdict.
> +
> +In order to run the DPDK sample application, there are a few libraries which must be installed:
> +* Intel IPSec Multi-buffer (v1.3)
> +```
> +git clone https://github.com/intel/intel-ipsec-mb.git
> +cd intel-ipsec-mb
> +git checkout v1.3
> +make -j 4
> +make install
> +```
> +* FIPS Object Module
> +```
> +curl -o openssl-fips-2.0.16.tar.gz https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz
> +tar xvfm openssl-fips-2.0.16.tar.gz
> +cd openssl-fips-2.0.16
> +./config
> +make
> +make install
> +```
> +* OpenSSL library
> +```
> +curl -o openssl-1.0.2o.tar.gz https://www.openssl.org/source/openssl-1.0.2o.tar.gz
> +export CFLAGS='-fPIC'
> +tar xvfm openssl-1.0.2o.tar.gz
> +cd openssl-1.0.2o
> +./config shared fips
> +make depend
> +make
> +```
> +Usage
> +-----
> +### Interacting with ACVP API
> +To see all options available, use the --help flag.
> +
> +First, register and download a new test session with the tool:
> +
> + acvp_tool.py --request $DOWNLOAD_PATH
> +The file written to $DOWNLOAD_PATH will contain both the session information and the test vectors.
> +
> +You should use the DPDK FIPS validation example application to test
> +the vectors in this file. The example application will generate
> +the result file which is uploaded back to the ACVP API.
> +
> +After running tests with the vector file, you can submit the result:
> +
> + acvp_tool.py --response $RESULT_PATH --upload
> +where $RESULT_PATH is the path of the file containing the answers.
> +
> +Once you submit your results, you can do
> +
> + acvp_tool.py --response $RESULT_PATH --verdict $VERDICT_PATH
> +where $VERDICT_PATH is where you want to save the verdict information.
> +The verdict file will contain the result of each test case submitted.
> +
> +You can also combine the options:
> +
> + acvp_tool.py --response $RESULT_PATH --upload --verdict $VERDICT_PATH
> +
> +### Using the DPDK FIPS Validation Example Application
> +First, you have to make sure that you configure DPDK to build the FIPS sample application before you compile with ninja
> +```
> +#inside dpdk/
> +meson build --werror
> +meson configure -Dexamples=fips_validation build
> +sudo ninja -C build
> +```
> +Once this has finished, you can now run the sample application and validate the test vectors. In order to run this validation step, you have to supply a valid crypto device and either a `*.json` or `*.req` file with vectors for validation. You can use the virtual device `crypto_aesni_mb` provided by the Intel IPSec Multi-buffer library and pass the JSON file containing test vectors from the ACVP API using `--req-file`.
> +
> +Example usage:
> +
> + #inside dpdk/
> + build/examples/dpdk-fips_validation --vdev crypto_aesni_mb -- --req-file aes-cbc-vectors.json --rsp-file aes-cbc-answers.rsp --cryptodev crypto_aesni_mb`
> +
> +The file path passed into `--rsp-file` will contain the validated vectors from the sample applications and can be passed to the ACVP API to receive a verdict on your results.
> \ No newline at end of file
More information about the ci
mailing list