From 38e80d18ea41b01d8902f4accc04dd95e911af19 Mon Sep 17 00:00:00 2001
From: Anthony Hu
Date: Tue, 27 Aug 2024 15:32:40 -0400
Subject: [PATCH] Allow the X9.146 examples to build against fips-ready.
---
 X9.146/README.md | 2 +-
 X9.146/gen_dual_keysig_cert.c | 28 ++++++++++++++++++++++
 X9.146/gen_ecdsa_falcon_dual_keysig_cert.c | 28 ++++++++++++++++++++++
 X9.146/gen_ecdsa_mldsa_dual_keysig_cert.c | 28 ++++++++++++++++++++++
 X9.146/gen_rsa_falcon_dual_keysig_cert.c | 28 ++++++++++++++++++++++
 X9.146/gen_rsa_mldsa_dual_keysig_cert.c | 28 ++++++++++++++++++++++
 6 files changed, 141 insertions(+), 1 deletion(-)
diff --git a/X9.146/README.md b/X9.146/README.md
index 89635aa9..5664ae6b 100644
--- a/X9.146/README.md
+++ b/X9.146/README.md
@@ -65,7 +65,7 @@ the call to `DoTls13Certificate()`, please search for the following messages to
 confirm that the alternative signature was verified:
 ```
-Alternative signature has been verified!
+Alt signature has been verified!
 Verified Peer's cert
 ```
diff --git a/X9.146/gen_dual_keysig_cert.c b/X9.146/gen_dual_keysig_cert.c
index c8a548f2..a90428d3 100644
--- a/X9.146/gen_dual_keysig_cert.c
+++ b/X9.146/gen_dual_keysig_cert.c
@@ -50,6 +50,22 @@
 #define SUBJECT_EMAIL "server@YourDomain.com"
 #endif
+#ifdef HAVE_FIPS
+ #include
+
+ static void myFipsCb(int ok, int err, const char* hash)
+ {
+ printf("in my Fips callback, ok = %d, err = %d\n", ok, err);
+ printf("message = %s\n", wc_GetErrorString(err));
+ printf("hash = %s\n", hash);
+
+ if (err == IN_CORE_FIPS_E) {
+ printf("In core integrity hash check failure, copy above hash\n");
+ printf("into verifyCore[] in fips_test.c and rebuild\n");
+ }
+ }
+#endif
+
 static int do_certgen(int argc, char** argv)
 {
 int ret = 0;
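Review bot: `myFipsCb` is pasted verbatim into this file and into gen_ecdsa_falcon_dual_keysig_cert.c, gen_ecdsa_mldsa_dual_keysig_cert.c, gen_rsa_falcon_dual_keysig_cert.c and gen_rsa_mldsa_dual_keysig_cert.c; a single shared header under X9.146/ holding the callback (and its `HAVE_FIPS` include) would keep the five copies from drifting when the wording or the error codes change. Its diagnostics go to `stdout` through `printf`, where an in-core integrity failure can be lost among the example's normal output; `fprintf(stderr, ...)` for the three status lines and the two `IN_CORE_FIPS_E` lines would make the failure stand out. The function also carries no comment on its role; a one-liner such as `/* FIPS status callback registered via wolfCrypt_SetCb_fips(); IN_CORE_FIPS_E means the in-core integrity hash did not match. */` would help readers of the example. do_certgen begins at the bottom of this hunk and continues outside it.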
@@ -111,6 +127,18 @@ static int do_certgen(int argc, char** argv)
 wolfSSL_Debugging_ON();
 #endif
+#ifdef WC_RNG_SEED_CB
+ wc_SetSeed_Cb(wc_GenerateSeed);
+#endif
+
+#if defined(HAVE_FIPS)
+ wolfCrypt_SetCb_fips(myFipsCb);
+ #if FIPS_VERSION3_GE(6,0,0)
+ printf("FIPS module version in use: %s\n",
+ wolfCrypt_GetVersion_fips());
+ #endif
+#endif
+
 ret = wc_InitRng(&rng);
 if (ret != 0) goto exit;
 initRng = 1;
diff --git a/X9.146/gen_ecdsa_falcon_dual_keysig_cert.c b/X9.146/gen_ecdsa_falcon_dual_keysig_cert.c
index 22f48b42..c79981aa 100644
--- a/X9.146/gen_ecdsa_falcon_dual_keysig_cert.c
+++ b/X9.146/gen_ecdsa_falcon_dual_keysig_cert.c
@@ -74,6 +74,22 @@ int readFileIntoBuffer(char *fname, byte *buf, int *sz)
 return ret;
 }
+#ifdef HAVE_FIPS
+ #include
+
+ static void myFipsCb(int ok, int err, const char* hash)
+ {
+ printf("in my Fips callback, ok = %d, err = %d\n", ok, err);
+ printf("message = %s\n", wc_GetErrorString(err));
+ printf("hash = %s\n", hash);
+
+ if (err == IN_CORE_FIPS_E) {
+ printf("In core integrity hash check failure, copy above hash\n");
+ printf("into verifyCore[] in fips_test.c and rebuild\n");
+ }
+ }
+#endif
+
 static int do_certgen(int argc, char** argv)
 {
 int ret = 0;
@@ -141,6 +157,18 @@ static int do_certgen(int argc, char** argv)
 wolfSSL_Debugging_ON();
 #endif
+#ifdef WC_RNG_SEED_CB
+ wc_SetSeed_Cb(wc_GenerateSeed);
+#endif
+
+#if defined(HAVE_FIPS)
+ wolfCrypt_SetCb_fips(myFipsCb);
+ #if FIPS_VERSION3_GE(6,0,0)
+ printf("FIPS module version in use: %s\n",
+ wolfCrypt_GetVersion_fips());
+ #endif
+#endif
+
 if (argc != 2) usage(argv[0]);
diff --git a/X9.146/gen_ecdsa_mldsa_dual_keysig_cert.c b/X9.146/gen_ecdsa_mldsa_dual_keysig_cert.c
index 4ec41d3f..a1aa792d 100644
--- a/X9.146/gen_ecdsa_mldsa_dual_keysig_cert.c
+++ b/X9.146/gen_ecdsa_mldsa_dual_keysig_cert.c
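Review bot: The return values of `wc_SetSeed_Cb(wc_GenerateSeed)` and `wolfCrypt_SetCb_fips(myFipsCb)` are discarded; both are declared to return an int status in wolfSSL's headers, so a failed registration would go unnoticed and the example would proceed to generate keys and sign a certificate believing the seed and FIPS hooks are in place. Routing them through the existing error path, `ret = wc_SetSeed_Cb(wc_GenerateSeed); if (ret != 0) goto exit;` and likewise for `wolfCrypt_SetCb_fips`, matches how `wc_InitRng` is handled two lines below in this hunk. The same unchecked calls appear in the corresponding hunks of gen_ecdsa_falcon_dual_keysig_cert.c, gen_ecdsa_mldsa_dual_keysig_cert.c, gen_rsa_falcon_dual_keysig_cert.c and gen_rsa_mldsa_dual_keysig_cert.c. do_certgen starts and ends outside this hunk.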
@@ -74,6 +74,22 @@ int readFileIntoBuffer(char *fname, byte *buf, int *sz)
 return ret;
 }
+#ifdef HAVE_FIPS
+ #include
+
+ static void myFipsCb(int ok, int err, const char* hash)
+ {
+ printf("in my Fips callback, ok = %d, err = %d\n", ok, err);
+ printf("message = %s\n", wc_GetErrorString(err));
+ printf("hash = %s\n", hash);
+
+ if (err == IN_CORE_FIPS_E) {
+ printf("In core integrity hash check failure, copy above hash\n");
+ printf("into verifyCore[] in fips_test.c and rebuild\n");
+ }
+ }
+#endif
+
 static int do_certgen(int argc, char** argv)
 {
 int ret = 0;
@@ -144,6 +160,18 @@ static int do_certgen(int argc, char** argv)
 wolfSSL_Debugging_ON();
 #endif
+#ifdef WC_RNG_SEED_CB
+ wc_SetSeed_Cb(wc_GenerateSeed);
+#endif
+
+#if defined(HAVE_FIPS)
+ wolfCrypt_SetCb_fips(myFipsCb);
+ #if FIPS_VERSION3_GE(6,0,0)
+ printf("FIPS module version in use: %s\n",
+ wolfCrypt_GetVersion_fips());
+ #endif
+#endif
+
 if (argc != 2) usage(argv[0]);
diff --git a/X9.146/gen_rsa_falcon_dual_keysig_cert.c b/X9.146/gen_rsa_falcon_dual_keysig_cert.c
index 6b97cd73..bbcda058 100644
--- a/X9.146/gen_rsa_falcon_dual_keysig_cert.c
+++ b/X9.146/gen_rsa_falcon_dual_keysig_cert.c
@@ -67,6 +67,22 @@ int readFileIntoBuffer(char *fname, byte *buf, int *sz)
 return ret;
 }
+#ifdef HAVE_FIPS
+ #include
+
+ static void myFipsCb(int ok, int err, const char* hash)
+ {
+ printf("in my Fips callback, ok = %d, err = %d\n", ok, err);
+ printf("message = %s\n", wc_GetErrorString(err));
+ printf("hash = %s\n", hash);
+
+ if (err == IN_CORE_FIPS_E) {
+ printf("In core integrity hash check failure, copy above hash\n");
+ printf("into verifyCore[] in fips_test.c and rebuild\n");
+ }
+ }
+#endif
+
 static int do_certgen(int argc, char** argv)
 {
 int ret = 0;
@@ -128,6 +144,18 @@ static int do_certgen(int argc, char** argv)
 wolfSSL_Debugging_ON();
 #endif
+#ifdef WC_RNG_SEED_CB
+ wc_SetSeed_Cb(wc_GenerateSeed);
+#endif
+
+#if defined(HAVE_FIPS)
+ wolfCrypt_SetCb_fips(myFipsCb);
+ #if FIPS_VERSION3_GE(6,0,0)
+ printf("FIPS module version in use: %s\n",
+ wolfCrypt_GetVersion_fips());
+ #endif
+#endif
+
 ret = wc_InitRng(&rng);
 if (ret != 0) goto exit;
 initRng = 1;
diff --git a/X9.146/gen_rsa_mldsa_dual_keysig_cert.c b/X9.146/gen_rsa_mldsa_dual_keysig_cert.c
index 33fad5ac..d24ccffd 100644
--- a/X9.146/gen_rsa_mldsa_dual_keysig_cert.c
+++ b/X9.146/gen_rsa_mldsa_dual_keysig_cert.c
@@ -67,6 +67,22 @@ int readFileIntoBuffer(char *fname, byte *buf, int *sz)
 return ret;
 }
+#ifdef HAVE_FIPS
+ #include
+
+ static void myFipsCb(int ok, int err, const char* hash)
+ {
+ printf("in my Fips callback, ok = %d, err = %d\n", ok, err);
+ printf("message = %s\n", wc_GetErrorString(err));
+ printf("hash = %s\n", hash);
+
+ if (err == IN_CORE_FIPS_E) {
+ printf("In core integrity hash check failure, copy above hash\n");
+ printf("into verifyCore[] in fips_test.c and rebuild\n");
+ }
+ }
+#endif
+
 static int do_certgen(int argc, char** argv)
 {
 int ret = 0;
@@ -128,6 +144,18 @@ static int do_certgen(int argc, char** argv)
 wolfSSL_Debugging_ON();
 #endif
+#ifdef WC_RNG_SEED_CB
+ wc_SetSeed_Cb(wc_GenerateSeed);
+#endif
+
+#if defined(HAVE_FIPS)
+ wolfCrypt_SetCb_fips(myFipsCb);
+ #if FIPS_VERSION3_GE(6,0,0)
+ printf("FIPS module version in use: %s\n",
+ wolfCrypt_GetVersion_fips());
+ #endif
+#endif
+
 ret = wc_InitRng(&rng);
 if (ret != 0) goto exit;
 initRng = 1;