README
¶
ACVP Wrapper Repro Guide
This folder contains the embedded ACVP wrapper used by clickhouse-backup-acvp
and clickhouse-backup acvp.
The tracked config for public-Go-API validation is:
pkg/acvpwrapper/acvp_test_fips140v1.26.public.config.json
It intentionally excludes ML-KEM and ML-DSA vector suites because those
ACVP paths rely on internal Go crypto APIs that are not publicly exposed in
Go 1.26.
Compliance Scope
- This wrapper is a reproducibility harness for ACVP expected-output tests.
- It is not itself a CMVP certificate artifact.
- The compliance-relevant cryptographic implementation is Go's native
crypto/internal/fips140/...module when run withGODEBUG=fips140=on(oronly), per Go's FIPS documentation.
Certificate And Security Policy Context
- Go's official FIPS status and validation lifecycle is documented here: FIPS 140-3 Compliance (Go docs).
- As documented by Go, module validations are tracked in CMVP lists; at the time of writing, v1.26.0 is listed as "Implementation Under Test" and v1.0.0 is listed as "In Process" (with CAVP certificate A6650).
- Go's published FIPS documentation and blog post are the authoritative public references for certificate/security-policy context:
Reference Traceability (Claim -> Source)
| Claim | Source |
|---|---|
Go supports native FIPS 140-3 mode in the standard toolchain and documents GODEBUG=fips140=... behavior. |
Go FIPS 140-3 compliance docs |
The relevant cryptographic implementation is Go's crypto/internal/fips140/... module in FIPS mode. |
Go FIPS 140-3 compliance docs |
| Go module-validation lifecycle/status is tracked via CMVP lists (Validated / In Process / IUT). | Go FIPS 140-3 compliance docs, CMVP MIP list, CMVP validated modules search |
| Go Cryptographic Module v1.0.0 has CAVP certificate A6650 and entered CMVP in-process workflow. | Go FIPS blog, CAVP A6650, CMVP MIP list |
Pins used by this repo's ACVP repro (baaf868e6e8f, d893de8b8b1c) come from upstream Go fips140test ACVP test constants. |
Upstream Go source: src/crypto/internal/fips140test/acvp_test.go (constants bsslVersion and goAcvpVersion) |
| This repo's tracked config is a public-API-only derivative of Go's v1.26 ACVP config. | Upstream Go source: src/crypto/internal/fips140test/acvp_test_fips140v1.26.config.json, local tracked file pkg/acvpwrapper/acvp_test_fips140v1.26.public.config.json |
The reproducibility result target in this repo is 38 ACVP tests matched expectations. |
Local reproducibility flow in pkg/acvpwrapper/run.sh and command output from check_expected.go |
Pinned Version Provenance
Pins used by run.sh are taken from upstream Go's ACVP test setup for the
v1.26 stream:
boringsslcommit:baaf868e6e8f- From
bsslVersion = v0.0.0-20251111011041-baaf868e6e8fin Gocrypto/internal/fips140test/acvp_test.go.
- From
acvp-testdatacommit:d893de8b8b1c- From
goAcvpVersion = v0.0.0-20251201200548-d893de8b8b1cin the same Go test.
- From
- Upstream config source:
src/crypto/internal/fips140test/acvp_test_fips140v1.26.config.jsonin Go source.
- This repo's tracked config:
pkg/acvpwrapper/acvp_test_fips140v1.26.public.config.json- Derived from Go's v1.26 config, with
ML-KEMandML-DSAsuites removed to keep the run strictly on public Go crypto APIs.
Reproduce The Current Result
Run from the repository root.
One-command repro
bash pkg/acvpwrapper/run.sh
Expected output includes:
38 ACVP tests matched expectations
Manual step-by-step
1) Build the wrapper binary
docker run --rm \
-v "$PWD:/work" \
-w /work \
golang:1.26-alpine \
sh -lc 'export PATH=$PATH:/usr/local/go/bin && CGO_ENABLED=0 go build -o clickhouse-backup ./cmd/clickhouse-backup && ln -sf clickhouse-backup clickhouse-backup-acvp'
2) Fetch pinned upstream inputs
rm -rf /tmp/boringssl /tmp/acvp-testdata
git clone https://boringssl.googlesource.com/boringssl /tmp/boringssl
git -C /tmp/boringssl checkout baaf868e6e8f
git clone https://github.com/geomys/acvp-testdata /tmp/acvp-testdata
git -C /tmp/acvp-testdata checkout d893de8b8b1c
3) Build pinned acvptool
docker run --rm \
-v /tmp/boringssl:/src \
-w /src \
golang:1.26-alpine \
sh -lc 'export PATH=$PATH:/usr/local/go/bin && go build -o /src/acvptool-pinned ./util/fipstools/acvp/acvptool'
4) Run the expected-output check
docker run --rm \
-e ACVP_WRAPPER=1 \
-e GODEBUG=fips140=on \
-v "$PWD:/work" \
-v /tmp/boringssl:/tmp/boringssl:ro \
-v /tmp/acvp-testdata:/tmp/acvp-testdata:rw \
-w /tmp/acvp-testdata \
golang:1.26-alpine \
sh -lc 'export PATH=$PATH:/usr/local/go/bin && go run /tmp/boringssl/util/fipstools/acvp/acvptool/test/check_expected.go -tool /tmp/boringssl/acvptool-pinned -module-wrappers go:/work/clickhouse-backup-acvp -tests /work/pkg/acvpwrapper/acvp_test_fips140v1.26.public.config.json'
Expected output includes:
38 ACVP tests matched expectations
Documentation
¶
Overview ¶
Package acvpwrapper implements ACVP module-wrapper protocol handlers that are embedded into the clickhouse-backup binary.
Files are split by concern:
- wrapper.go: base modulewrapper command set and protocol loop.
- official_compat.go: shared command handlers modeled after Go fips140test behavior where public APIs allow.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
This section is empty.
Source Files
Click to show internal directories.
Click to hide internal directories.