mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-22 22:15:43 +01:00
Add ssl-opt.sh tests for trusted CA callbacks
This commit is contained in:
parent
0350d56286
commit
746aaf3f38
228
tests/ssl-opt.sh
228
tests/ssl-opt.sh
@ -941,6 +941,33 @@ run_test "Default, DTLS" \
|
||||
-s "Protocol is DTLSv1.2" \
|
||||
-s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
|
||||
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "CA callback on client" \
|
||||
"$P_SRV debug_level=3" \
|
||||
"$P_CLI ca_callback=1 debug_level=3 " \
|
||||
0 \
|
||||
-c "use CA callback for X.509 CRT verification"\
|
||||
-s "Protocol is TLSv1.2" \
|
||||
-s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
|
||||
-s "client hello v3, signature_algorithm ext: 6" \
|
||||
-s "ECDHE curve: secp521r1" \
|
||||
-S "error" \
|
||||
-C "error"
|
||||
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
|
||||
requires_config_enabled MBEDTLS_ECDSA_C
|
||||
requires_config_enabled MBEDTLS_SHA256_C
|
||||
run_test "CA callback on server" \
|
||||
"$P_SRV auth_mode=required" \
|
||||
"$P_CLI ca_callback=1 debug_level=3 crt_file=data_files/server5.crt \
|
||||
key_file=data_files/server5.key" \
|
||||
0 \
|
||||
-c "use CA callback for X.509 CRT verification"\
|
||||
-s "Verifying peer X.509 certificate... ok" \
|
||||
-S "error" \
|
||||
-C "error"
|
||||
|
||||
# Test using an opaque private key for client authentication
|
||||
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
|
||||
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
|
||||
@ -2954,6 +2981,207 @@ run_test "Authentication: send CA list in CertificateRequest, client self sig
|
||||
-c "! mbedtls_ssl_handshake returned" \
|
||||
-s "X509 - Certificate verification failed"
|
||||
|
||||
# Tests for auth_mode, using CA callback
|
||||
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: server badcert, client required" \
|
||||
"$P_SRV crt_file=data_files/server5-badsign.crt \
|
||||
key_file=data_files/server5.key" \
|
||||
"$P_CLI ca_callback=1 debug_level=3 auth_mode=required" \
|
||||
1 \
|
||||
-c "use CA callback for X.509 CRT verification"\
|
||||
-c "x509_verify_cert() returned" \
|
||||
-c "! The certificate is not correctly signed by the trusted CA" \
|
||||
-c "! mbedtls_ssl_handshake returned" \
|
||||
-c "X509 - Certificate verification failed"
|
||||
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: server badcert, client optional" \
|
||||
"$P_SRV crt_file=data_files/server5-badsign.crt \
|
||||
key_file=data_files/server5.key" \
|
||||
"$P_CLI ca_callback=1 debug_level=3 auth_mode=optional" \
|
||||
0 \
|
||||
-c "use CA callback for X.509 CRT verification"\
|
||||
-c "x509_verify_cert() returned" \
|
||||
-c "! The certificate is not correctly signed by the trusted CA" \
|
||||
-C "! mbedtls_ssl_handshake returned" \
|
||||
-C "X509 - Certificate verification failed"
|
||||
|
||||
# The purpose of the next two tests is to test the client's behaviour when receiving a server
|
||||
# certificate with an unsupported elliptic curve. This should usually not happen because
|
||||
# the client informs the server about the supported curves - it does, though, in the
|
||||
# corner case of a static ECDH suite, because the server doesn't check the curve on that
|
||||
# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
|
||||
# different means to have the server ignoring the client's supported curve list.
|
||||
|
||||
requires_config_enabled MBEDTLS_ECP_C
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: server ECDH p256v1, client required, p256v1 unsupported" \
|
||||
"$P_SRV debug_level=1 key_file=data_files/server5.key \
|
||||
crt_file=data_files/server5.ku-ka.crt" \
|
||||
"$P_CLI ca_callback=1 debug_level=3 auth_mode=required curves=secp521r1" \
|
||||
1 \
|
||||
-c "use CA callback for X.509 CRT verification"\
|
||||
-c "bad certificate (EC key curve)"\
|
||||
-c "! Certificate verification flags"\
|
||||
-C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
|
||||
|
||||
requires_config_enabled MBEDTLS_ECP_C
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: server ECDH p256v1, client optional, p256v1 unsupported" \
|
||||
"$P_SRV debug_level=1 key_file=data_files/server5.key \
|
||||
crt_file=data_files/server5.ku-ka.crt" \
|
||||
"$P_CLI ca_callback=1 debug_level=3 auth_mode=optional curves=secp521r1" \
|
||||
1 \
|
||||
-c "use CA callback for X.509 CRT verification"\
|
||||
-c "bad certificate (EC key curve)"\
|
||||
-c "! Certificate verification flags"\
|
||||
-c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
|
||||
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: client SHA256, server required" \
|
||||
"$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
|
||||
"$P_CLI debug_level=3 crt_file=data_files/server6.crt \
|
||||
key_file=data_files/server6.key \
|
||||
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
|
||||
0 \
|
||||
-s "use CA callback for X.509 CRT verification"\
|
||||
-c "Supported Signature Algorithm found: 4," \
|
||||
-c "Supported Signature Algorithm found: 5,"
|
||||
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: client SHA384, server required" \
|
||||
"$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
|
||||
"$P_CLI debug_level=3 crt_file=data_files/server6.crt \
|
||||
key_file=data_files/server6.key \
|
||||
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
|
||||
0 \
|
||||
-s "use CA callback for X.509 CRT verification"\
|
||||
-c "Supported Signature Algorithm found: 4," \
|
||||
-c "Supported Signature Algorithm found: 5,"
|
||||
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: client badcert, server required" \
|
||||
"$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
|
||||
"$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
|
||||
key_file=data_files/server5.key" \
|
||||
1 \
|
||||
-s "use CA callback for X.509 CRT verification"\
|
||||
-S "skip write certificate request" \
|
||||
-C "skip parse certificate request" \
|
||||
-c "got a certificate request" \
|
||||
-C "skip write certificate" \
|
||||
-C "skip write certificate verify" \
|
||||
-S "skip parse certificate verify" \
|
||||
-s "x509_verify_cert() returned" \
|
||||
-s "! The certificate is not correctly signed by the trusted CA" \
|
||||
-s "! mbedtls_ssl_handshake returned" \
|
||||
-s "send alert level=2 message=48" \
|
||||
-c "! mbedtls_ssl_handshake returned" \
|
||||
-s "X509 - Certificate verification failed"
|
||||
# We don't check that the client receives the alert because it might
|
||||
# detect that its write end of the connection is closed and abort
|
||||
# before reading the alert message.
|
||||
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: client cert not trusted, server required" \
|
||||
"$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
|
||||
"$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
|
||||
key_file=data_files/server5.key" \
|
||||
1 \
|
||||
-s "use CA callback for X.509 CRT verification"\
|
||||
-S "skip write certificate request" \
|
||||
-C "skip parse certificate request" \
|
||||
-c "got a certificate request" \
|
||||
-C "skip write certificate" \
|
||||
-C "skip write certificate verify" \
|
||||
-S "skip parse certificate verify" \
|
||||
-s "x509_verify_cert() returned" \
|
||||
-s "! The certificate is not correctly signed by the trusted CA" \
|
||||
-s "! mbedtls_ssl_handshake returned" \
|
||||
-c "! mbedtls_ssl_handshake returned" \
|
||||
-s "X509 - Certificate verification failed"
|
||||
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: client badcert, server optional" \
|
||||
"$P_SRV ca_callback=1 debug_level=3 auth_mode=optional" \
|
||||
"$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
|
||||
key_file=data_files/server5.key" \
|
||||
0 \
|
||||
-s "use CA callback for X.509 CRT verification"\
|
||||
-S "skip write certificate request" \
|
||||
-C "skip parse certificate request" \
|
||||
-c "got a certificate request" \
|
||||
-C "skip write certificate" \
|
||||
-C "skip write certificate verify" \
|
||||
-S "skip parse certificate verify" \
|
||||
-s "x509_verify_cert() returned" \
|
||||
-s "! The certificate is not correctly signed by the trusted CA" \
|
||||
-S "! mbedtls_ssl_handshake returned" \
|
||||
-C "! mbedtls_ssl_handshake returned" \
|
||||
-S "X509 - Certificate verification failed"
|
||||
|
||||
requires_full_size_output_buffer
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: server max_int chain, client default" \
|
||||
"$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
|
||||
key_file=data_files/dir-maxpath/09.key" \
|
||||
"$P_CLI ca_callback=1 debug_level=3 server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
|
||||
0 \
|
||||
-c "use CA callback for X.509 CRT verification"\
|
||||
-C "X509 - A fatal error occurred"
|
||||
|
||||
requires_full_size_output_buffer
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: server max_int+1 chain, client default" \
|
||||
"$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
|
||||
key_file=data_files/dir-maxpath/10.key" \
|
||||
"$P_CLI debug_level=3 ca_callback=1 server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
|
||||
1 \
|
||||
-c "use CA callback for X.509 CRT verification"\
|
||||
-c "X509 - A fatal error occurred"
|
||||
|
||||
requires_full_size_output_buffer
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: server max_int+1 chain, client optional" \
|
||||
"$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
|
||||
key_file=data_files/dir-maxpath/10.key" \
|
||||
"$P_CLI ca_callback=1 server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
|
||||
debug_level=3 auth_mode=optional" \
|
||||
1 \
|
||||
-c "use CA callback for X.509 CRT verification"\
|
||||
-c "X509 - A fatal error occurred"
|
||||
|
||||
requires_full_size_output_buffer
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: client max_int+1 chain, server optional" \
|
||||
"$P_SRV ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
|
||||
"$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
|
||||
key_file=data_files/dir-maxpath/10.key" \
|
||||
1 \
|
||||
-s "use CA callback for X.509 CRT verification"\
|
||||
-s "X509 - A fatal error occurred"
|
||||
|
||||
requires_full_size_output_buffer
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: client max_int+1 chain, server required" \
|
||||
"$P_SRV ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
|
||||
"$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
|
||||
key_file=data_files/dir-maxpath/10.key" \
|
||||
1 \
|
||||
-s "use CA callback for X.509 CRT verification"\
|
||||
-s "X509 - A fatal error occurred"
|
||||
|
||||
requires_full_size_output_buffer
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: client max_int chain, server required" \
|
||||
"$P_SRV ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
|
||||
"$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
|
||||
key_file=data_files/dir-maxpath/09.key" \
|
||||
0 \
|
||||
-s "use CA callback for X.509 CRT verification"\
|
||||
-S "X509 - A fatal error occurred"
|
||||
|
||||
# Tests for certificate selection based on SHA verson
|
||||
|
||||
run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
|
||||
|
Loading…
Reference in New Issue
Block a user