Enable buildkite step for unit testing with GODEBUG=fips140=only (#7702)

michel-laterman · web-flow · commit 3347dc2c7d09 · 2025-04-10T21:12:16.000Z
Add a buildkite step to enable unit tests with GODEBUG=fips140=only set.
diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml
@@ -53,6 +53,26 @@ steps:
           manual:
             allowed: true
 
+      - label: "Unit tests - fips140=only Ubuntu 22.04"
+        key: "unit-tests-2204-fips140-only"
+        command: ".buildkite/scripts/steps/unit-tests.sh"
+        env:
+          FIPS: "true"
+          GODEBUG: "fips140=only"
+        artifact_paths:
+          - "build/TEST-*.html"
+          - "build/TEST-*.xml"
+          - "build/diagnostics/*"
+          - "coverage-*.out"
+        agents:
+          provider: "gcp"
+          image: "family/platform-ingest-elastic-agent-ubuntu-2204"
+        retry:
+          automatic:
+            limit: 1
+          manual:
+            allowed: true
+
       - label: "Unit tests - Ubuntu 22.04 ARM64"
         key: "unit-tests-2204-arm64"
         command: ".buildkite/scripts/steps/unit-tests.sh"
diff --git a/dev-tools/mage/gotest.go b/dev-tools/mage/gotest.go
@@ -54,6 +54,7 @@ func makeGoTestArgs(name string) GoTestArgs {
 		OutputFile:      fileName + ".out",
 		JUnitReportFile: fileName + ".xml",
 		Tags:            testTagsFromEnv(),
+		Env:             make(map[string]string),
 	}
 	if TestCoverage {
 		params.CoverageProfileFile = fileName + ".cov"
diff --git a/internal/pkg/agent/application/endpoint_component_modifier_test.go b/internal/pkg/agent/application/endpoint_component_modifier_test.go
@@ -21,6 +21,7 @@ import (
 	"github.com/elastic/elastic-agent-client/v7/pkg/proto"
 	"github.com/elastic/elastic-agent-libs/testing/certutil"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/coordinator"
+	"github.com/elastic/elastic-agent/internal/pkg/testutils/fipsutils"
 	"github.com/elastic/elastic-agent/pkg/core/logger/loggertest"
 
 	"github.com/elastic/elastic-agent/pkg/component"
@@ -29,6 +30,7 @@ import (
 )
 
 func TestEndpointComponentModifier(t *testing.T) {
+	fipsutils.SkipIfFIPSOnly(t, "generating an encrypted private key for failure testing results in a MD5 violation.")
 	log, obs := loggertest.New("TestEndpointSignedComponentModifier")
 	defer func() {
 		if !t.Failed() {
diff --git a/internal/pkg/agent/application/info/agent_id_test.go b/internal/pkg/agent/application/info/agent_id_test.go
@@ -19,13 +19,15 @@ import (
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/secret"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/storage"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/vault"
+	"github.com/elastic/elastic-agent/internal/pkg/testutils/fipsutils"
 )
 
 func TestAgentIDStandaloneWorks(t *testing.T) {
 	if runtime.GOOS == "darwin" {
 		// vault requres extra perms on mac
 		t.Skip()
 	}
+	fipsutils.SkipIfFIPSOnly(t, "secret storage does not use NewGCMWithRandomNonce.")
 	// create a new encrypted disk store
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
diff --git a/internal/pkg/agent/application/secret/secret_test.go b/internal/pkg/agent/application/secret/secret_test.go
@@ -14,6 +14,7 @@ import (
 
 	"github.com/elastic/elastic-agent/internal/pkg/agent/vault"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/vault/aesgcm"
+	"github.com/elastic/elastic-agent/internal/pkg/testutils/fipsutils"
 )
 
 func getTestVaultPath(t *testing.T) string {
@@ -29,6 +30,7 @@ func getTestOptions(t *testing.T) []vault.OptionFunc {
 }
 
 func TestCreate(t *testing.T) {
+	fipsutils.SkipIfFIPSOnly(t, "secret storage does not use NewGCMWithRandomNonce.")
 	opts := getTestOptions(t)
 
 	ctx, cn := context.WithCancel(context.Background())
diff --git a/internal/pkg/agent/application/upgrade/artifact/download/fs/verifier_test.go b/internal/pkg/agent/application/upgrade/artifact/download/fs/verifier_test.go
@@ -21,6 +21,7 @@ import (
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/upgrade/artifact"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/upgrade/artifact/download"
 	"github.com/elastic/elastic-agent/internal/pkg/release"
+	"github.com/elastic/elastic-agent/internal/pkg/testutils/fipsutils"
 	"github.com/elastic/elastic-agent/pkg/core/logger"
 	"github.com/elastic/elastic-agent/pkg/core/logger/loggertest"
 	agtversion "github.com/elastic/elastic-agent/pkg/version"
@@ -36,6 +37,7 @@ var agentSpec = artifact.Artifact{
 }
 
 func TestFetchVerify(t *testing.T) {
+	fipsutils.SkipIfFIPSOnly(t, "verifier being tested uses an OpenPGP key which results in a SHA-1 violation.")
 	// See docs/pgp-sign-verify-artifact.md for how to generate a key, export
 	// the public key, sign a file and verify it.
 
@@ -192,6 +194,7 @@ func prepareFetchVerifyTests(
 }
 
 func TestVerify(t *testing.T) {
+	fipsutils.SkipIfFIPSOnly(t, "verifier being tested uses an OpenPGP key which results in a SHA-1 violation.")
 	tt := []struct {
 		Name             string
 		RemotePGPUris    []string
diff --git a/internal/pkg/agent/application/upgrade/artifact/download/http/downloader_test.go b/internal/pkg/agent/application/upgrade/artifact/download/http/downloader_test.go
@@ -24,6 +24,7 @@ import (
 
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/upgrade/artifact"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/upgrade/details"
+	"github.com/elastic/elastic-agent/internal/pkg/testutils/fipsutils"
 	"github.com/elastic/elastic-agent/pkg/core/logger"
 	"github.com/elastic/elastic-agent/pkg/core/logger/loggertest"
 	agtversion "github.com/elastic/elastic-agent/pkg/version"
@@ -36,6 +37,7 @@ import (
 )
 
 func TestDownload(t *testing.T) {
+	fipsutils.SkipIfFIPSOnly(t, "elastic.co test server generates an OpenPGP key which results in a SHA-1 violation.")
 	targetDir, err := os.MkdirTemp(os.TempDir(), "")
 	if err != nil {
 		t.Fatal(err)
diff --git a/internal/pkg/agent/application/upgrade/artifact/download/http/verifier_test.go b/internal/pkg/agent/application/upgrade/artifact/download/http/verifier_test.go
@@ -21,11 +21,13 @@ import (
 	"github.com/elastic/elastic-agent-libs/transport/httpcommon"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/upgrade/artifact"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/upgrade/details"
+	"github.com/elastic/elastic-agent/internal/pkg/testutils/fipsutils"
 	"github.com/elastic/elastic-agent/pkg/core/logger"
 	"github.com/elastic/elastic-agent/testing/proxytest"
 )
 
 func TestVerify(t *testing.T) {
+	fipsutils.SkipIfFIPSOnly(t, "elastic.co test server generates an OpenPGP key which results in a SHA-1 violation.")
 	targetDir := t.TempDir()
 
 	log, _ := logger.New("", false)
diff --git a/internal/pkg/agent/install/uninstall_test.go b/internal/pkg/agent/install/uninstall_test.go
@@ -28,6 +28,7 @@ import (
 	"github.com/elastic/elastic-agent/internal/pkg/agent/vault"
 	"github.com/elastic/elastic-agent/internal/pkg/fleetapi"
 	"github.com/elastic/elastic-agent/internal/pkg/remote"
+	"github.com/elastic/elastic-agent/internal/pkg/testutils/fipsutils"
 )
 
 func Test_checkForUnprivilegedVault(t *testing.T) {
@@ -115,6 +116,7 @@ func Test_checkForUnprivilegedVault(t *testing.T) {
 }
 
 func initFileVault(t *testing.T, ctx context.Context, testVaultPath string, keys map[string][]byte) {
+	fipsutils.SkipIfFIPSOnly(t, "file vault does not use NewGCMWithRandomNonce.")
 	opts, err := vault.ApplyOptions(vault.WithVaultPath(testVaultPath))
 	require.NoError(t, err)
 	newFileVault, err := vault.NewFileVault(ctx, opts)
diff --git a/internal/pkg/agent/migration/migrate_config_test.go b/internal/pkg/agent/migration/migrate_config_test.go
@@ -22,6 +22,7 @@ import (
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/secret"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/storage"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/vault"
+	"github.com/elastic/elastic-agent/internal/pkg/testutils/fipsutils"
 )
 
 type configfile struct {
@@ -105,6 +106,7 @@ func TestMigrateToEncryptedConfig(t *testing.T) {
 
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {
+			fipsutils.SkipIfFIPSOnly(t, "encrypted config does not use NewGCMWithRandomNonce.")
 			//setup begin
 			top := t.TempDir()
 			paths.SetTop(top)
@@ -200,6 +202,7 @@ func TestErrorMigrateToEncryptedConfig(t *testing.T) {
 	}
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {
+			fipsutils.SkipIfFIPSOnly(t, "vault does not use NewGCMWithRandomNonce.")
 			//setup begin
 			top := t.TempDir()
 			paths.SetTop(top)
diff --git a/internal/pkg/agent/storage/encrypted_disk_storage_windows_linux_test.go b/internal/pkg/agent/storage/encrypted_disk_storage_windows_linux_test.go
@@ -21,6 +21,7 @@ import (
 
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/secret"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/vault"
+	"github.com/elastic/elastic-agent/internal/pkg/testutils/fipsutils"
 )
 
 const (
@@ -29,6 +30,7 @@ const (
 )
 
 func TestEncryptedDiskStorageWindowsLinuxLoad(t *testing.T) {
+	fipsutils.SkipIfFIPSOnly(t, "encrypted disk storage does not use NewGCMWithRandomNonce.")
 	dir := t.TempDir()
 
 	ctx, cn := context.WithCancel(context.Background())
diff --git a/internal/pkg/agent/storage/store/state_store_test.go b/internal/pkg/agent/storage/store/state_store_test.go
@@ -20,6 +20,7 @@ import (
 	"github.com/elastic/elastic-agent/internal/pkg/agent/storage"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/vault"
 	"github.com/elastic/elastic-agent/internal/pkg/fleetapi"
+	"github.com/elastic/elastic-agent/internal/pkg/testutils/fipsutils"
 	"github.com/elastic/elastic-agent/pkg/core/logger/loggertest"
 )
 
@@ -41,6 +42,7 @@ func TestStateStore(t *testing.T) {
 }
 
 func createAgentVaultAndSecret(t *testing.T, ctx context.Context, tempDir string) string {
+	fipsutils.SkipIfFIPSOnly(t, "vault does not use NewGCMWithRandomNonce.")
 	vaultPath := filepath.Join(tempDir, "vault")
 
 	err := os.MkdirAll(vaultPath, 0o750)
diff --git a/internal/pkg/agent/vault/aesgcm/aesgcm_test.go b/internal/pkg/agent/vault/aesgcm/aesgcm_test.go
@@ -13,6 +13,8 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
+
+	"github.com/elastic/elastic-agent/internal/pkg/testutils/fipsutils"
 )
 
 var testKeyTypes []AESKeyType = []AESKeyType{AES128, AES192, AES256}
@@ -47,6 +49,7 @@ func TestNewKeyHexString(t *testing.T) {
 }
 
 func TestEncryptDecrypt(t *testing.T) {
+	fipsutils.SkipIfFIPSOnly(t, "aesgcm does not use NewGCMWithRandomNonce.")
 	tests := []struct {
 		name string
 		data []byte
@@ -100,6 +103,7 @@ func TestEncryptDecrypt(t *testing.T) {
 }
 
 func TestEncryptDecryptDifferentLengths(t *testing.T) {
+	fipsutils.SkipIfFIPSOnly(t, "aesgcm does not use NewGCMWithRandomNonce.")
 	const maxDataSize = 55 // test for sufficient length for the key and a bit more
 	for _, kt := range testKeyTypes {
 		t.Run(kt.String(), func(t *testing.T) {
@@ -142,6 +146,7 @@ func TestEncryptDecryptDifferentLengths(t *testing.T) {
 }
 
 func TestEncryptDecryptHex(t *testing.T) {
+	fipsutils.SkipIfFIPSOnly(t, "aesgcm does not use NewGCMWithRandomNonce.")
 	aes256Key, err := NewKeyHexString(AES256)
 	if err != nil {
 		t.Fatal(err)
diff --git a/internal/pkg/agent/vault/vault_file_fips_test.go b/internal/pkg/agent/vault/vault_file_fips_test.go
@@ -14,9 +14,12 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
+
+	"github.com/elastic/elastic-agent/internal/pkg/testutils/fipsutils"
 )
 
 func TestFileVaultRekey(t *testing.T) {
+	fipsutils.SkipIfFIPSOnly(t, "vault does not use NewGCMWithRandomNonce.")
 	const key = "foo"
 
 	ctx, cn := context.WithCancel(context.Background())
diff --git a/internal/pkg/agent/vault/vault_file_test.go b/internal/pkg/agent/vault/vault_file_test.go
@@ -17,6 +17,7 @@ import (
 	"golang.org/x/sync/errgroup"
 
 	"github.com/elastic/elastic-agent/internal/pkg/agent/vault/aesgcm"
+	"github.com/elastic/elastic-agent/internal/pkg/testutils/fipsutils"
 )
 
 func getTestFileVaultPath(t *testing.T) string {
@@ -25,6 +26,7 @@ func getTestFileVaultPath(t *testing.T) string {
 }
 
 func TestFileVault(t *testing.T) {
+	fipsutils.SkipIfFIPSOnly(t, "vault does not use NewGCMWithRandomNonce.")
 	vaultPath := getTestFileVaultPath(t)
 
 	ctx, cn := context.WithCancel(context.Background())
@@ -131,6 +133,7 @@ type secret struct {
 }
 
 func TestFileVaultConcurrent(t *testing.T) {
+	fipsutils.SkipIfFIPSOnly(t, "vault does not use NewGCMWithRandomNonce.")
 	const (
 		parallel   = 15
 		iterations = 7
diff --git a/internal/pkg/core/authority/ca.go b/internal/pkg/core/authority/ca.go
@@ -7,8 +7,11 @@ package authority
 import (
 	"bytes"
 	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
@@ -54,6 +57,7 @@ func NewCA() (*CertificateAuthority, error) {
 
 	privateKey, _ := rsa.GenerateKey(rand.Reader, 2048)
 	publicKey := &privateKey.PublicKey
+	ca.SubjectKeyId = generateSubjectKeyID(publicKey)
 	caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, publicKey, privateKey)
 	if err != nil {
 		log.Println("create ca failed", err)
@@ -96,6 +100,23 @@ func NewCA() (*CertificateAuthority, error) {
 	}, nil
 }
 
+func generateSubjectKeyID(pub crypto.PublicKey) []byte {
+	// SubjectKeyId generated using method 1 in RFC 7093, Section 2:
+	//   1) The keyIdentifier is composed of the leftmost 160-bits of the
+	//   SHA-256 hash of the value of the BIT STRING subjectPublicKey
+	//   (excluding the tag, length, and number of unused bits).
+	var publicKeyBytes []byte
+	switch publicKey := pub.(type) {
+	case *rsa.PublicKey:
+		publicKeyBytes = x509.MarshalPKCS1PublicKey(publicKey)
+	case *ecdsa.PublicKey:
+		//nolint:staticcheck // no alternative
+		publicKeyBytes = elliptic.Marshal(publicKey.Curve, publicKey.X, publicKey.Y)
+	}
+	h := sha256.Sum256(publicKeyBytes)
+	return h[:20]
+}
+
 // GeneratePair generates child certificate
 func (c *CertificateAuthority) GeneratePair() (*Pair, error) {
 	return c.GeneratePairWithName("localhost")
diff --git a/internal/pkg/crypto/io_test.go b/internal/pkg/crypto/io_test.go
@@ -11,9 +11,12 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
+
+	"github.com/elastic/elastic-agent/internal/pkg/testutils/fipsutils"
 )
 
 func TestIO(t *testing.T) {
+	fipsutils.SkipIfFIPSOnly(t, "crypto io does not use NewGCMWithRandomNonce.")
 	t.Run("encode and decode with the right password", func(t *testing.T) {
 		passwd := bytes.Repeat([]byte("hello"), 10)
 		msg := []byte("bonjour la famille")
diff --git a/internal/pkg/testutils/fipsutils/fipsOnlySkip.go b/internal/pkg/testutils/fipsutils/fipsOnlySkip.go
@@ -0,0 +1,22 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0;
+// you may not use this file except in compliance with the Elastic License 2.0.
+
+package fipsutils
+
+import (
+	"os"
+	"strings"
+	"testing"
+)
+
+// SkipIfFIPSOnly will mark the passed test as skipped if GODEBUG=fips140=only is detected.
+// If GODBUG=fips140=on, go may call non-compliant algorithms and the test does not need to be skipped.
+func SkipIfFIPSOnly(t *testing.T, msg string) {
+	// NOTE: This only checks env var; at the time of writing fips140 can only be set via env
+	// other GODEBUG settings can be set via embedded comments or in go.mod, we may need to account for this in the future.
+	s := os.Getenv("GODEBUG")
+	if strings.Contains(s, "fips140=only") {
+		t.Skip("GODEBUG=fips140=only detected, skipping test:", msg)
+	}
+}
diff --git a/internal/pkg/testutils/testutils.go b/internal/pkg/testutils/testutils.go
@@ -16,13 +16,15 @@ import (
 
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/secret"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/storage"
+	"github.com/elastic/elastic-agent/internal/pkg/testutils/fipsutils"
 )
 
 // InitStorage prepares storage for testing.
 // disabled on Darwin.
 func InitStorage(t *testing.T) {
 	storage.DisableEncryptionDarwin()
 	if runtime.GOOS != "darwin" {
+		fipsutils.SkipIfFIPSOnly(t, "secret storage does not use NewGCMWithRandomNonce.")
 		err := secret.CreateAgentSecret(context.Background())
 		if err != nil {
 			t.Fatal(err)
diff --git a/magefile.go b/magefile.go
@@ -501,6 +501,14 @@ func (Test) Unit(ctx context.Context) error {
 	return devtools.GoTest(ctx, params)
 }
 
+// FIPSOnlyUnit runs all the unit tests with GODEBUG=fips140=only.
+func (Test) FIPSOnlyUnit(ctx context.Context) error {
+	mg.Deps(Prepare.Env, Build.TestBinaries)
+	params := devtools.DefaultGoTestUnitArgs()
+	params.Env["GODEBUG"] = "fips140=only"
+	return devtools.GoTest(ctx, params)
+}
+
 // Coverage takes the coverages report from running all the tests and display the results in the browser.
 func (Test) Coverage() error {
 	mg.Deps(Prepare.Env, Build.TestBinaries)

Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,7 @@ func makeGoTestArgs(name string) GoTestArgs {`
`54`	`54`	`OutputFile: fileName + ".out",`
`55`	`55`	`JUnitReportFile: fileName + ".xml",`
`56`	`56`	`Tags: testTagsFromEnv(),`
	`57`	`+ Env: make(map[string]string),`
`57`	`58`	`}`
`58`	`59`	`if TestCoverage {`
`59`	`60`	`params.CoverageProfileFile = fileName + ".cov"`
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@ import (`
`14`	`14`
`15`	`15`	`"github.com/elastic/elastic-agent/internal/pkg/agent/vault"`
`16`	`16`	`"github.com/elastic/elastic-agent/internal/pkg/agent/vault/aesgcm"`
	`17`	`+ "github.com/elastic/elastic-agent/internal/pkg/testutils/fipsutils"`
`17`	`18`	`)`
`18`	`19`
`19`	`20`	`func getTestVaultPath(t *testing.T) string {`
`@@ -29,6 +30,7 @@ func getTestOptions(t *testing.T) []vault.OptionFunc {`
`29`	`30`	`}`
`30`	`31`
`31`	`32`	`func TestCreate(t *testing.T) {`
	`33`	`+ fipsutils.SkipIfFIPSOnly(t, "secret storage does not use NewGCMWithRandomNonce.")`
`32`	`34`	`opts := getTestOptions(t)`
`33`	`35`
`34`	`36`	`ctx, cn := context.WithCancel(context.Background())`
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@ import (`
`28`	`28`	`"github.com/elastic/elastic-agent/internal/pkg/agent/vault"`
`29`	`29`	`"github.com/elastic/elastic-agent/internal/pkg/fleetapi"`
`30`	`30`	`"github.com/elastic/elastic-agent/internal/pkg/remote"`
	`31`	`+ "github.com/elastic/elastic-agent/internal/pkg/testutils/fipsutils"`
`31`	`32`	`)`
`32`	`33`
`33`	`34`	`func Test_checkForUnprivilegedVault(t *testing.T) {`
`@@ -115,6 +116,7 @@ func Test_checkForUnprivilegedVault(t *testing.T) {`
`115`	`116`	`}`
`116`	`117`
`117`	`118`	`func initFileVault(t *testing.T, ctx context.Context, testVaultPath string, keys map[string][]byte) {`
	`119`	`+ fipsutils.SkipIfFIPSOnly(t, "file vault does not use NewGCMWithRandomNonce.")`
`118`	`120`	`opts, err := vault.ApplyOptions(vault.WithVaultPath(testVaultPath))`
`119`	`121`	`require.NoError(t, err)`
`120`	`122`	`newFileVault, err := vault.NewFileVault(ctx, opts)`