mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-29 07:54:27 +01:00
Check keyUsage in SSL client and server
This commit is contained in:
parent
603116c570
commit
7f2a07d7b2
@ -1657,6 +1657,19 @@ static inline x509_crt *ssl_own_cert( ssl_context *ssl )
|
|||||||
return( ssl->handshake->key_cert == NULL ? NULL
|
return( ssl->handshake->key_cert == NULL ? NULL
|
||||||
: ssl->handshake->key_cert->cert );
|
: ssl->handshake->key_cert->cert );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check usage of a certificate wrt extensions:
|
||||||
|
* keyUsage, extendedKeyUsage (later), and nSCertType (later).
|
||||||
|
*
|
||||||
|
* Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
|
||||||
|
* check a cert we received from them)!
|
||||||
|
*
|
||||||
|
* Return 0 if everything is OK, -1 if not.
|
||||||
|
*/
|
||||||
|
int ssl_check_cert_usage( const x509_crt *cert,
|
||||||
|
const ssl_ciphersuite_t *ciphersuite,
|
||||||
|
int cert_endpoint );
|
||||||
#endif /* POLARSSL_X509_CRT_PARSE_C */
|
#endif /* POLARSSL_X509_CRT_PARSE_C */
|
||||||
|
|
||||||
/* constant-time buffer comparison */
|
/* constant-time buffer comparison */
|
||||||
|
@ -797,6 +797,20 @@ static int ssl_pick_cert( ssl_context *ssl,
|
|||||||
if( ! pk_can_do( cur->key, pk_alg ) )
|
if( ! pk_can_do( cur->key, pk_alg ) )
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* This avoids sending the client a cert it'll reject based on
|
||||||
|
* keyUsage or other extensions.
|
||||||
|
*
|
||||||
|
* It also allows the user to provision different certificates for
|
||||||
|
* different uses based on keyUsage, eg if they want to avoid signing
|
||||||
|
* and decrypting with the same RSA key.
|
||||||
|
*/
|
||||||
|
if( ssl_check_cert_usage( cur->cert, ciphersuite_info,
|
||||||
|
SSL_IS_SERVER ) != 0 )
|
||||||
|
{
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
#if defined(POLARSSL_ECDSA_C)
|
#if defined(POLARSSL_ECDSA_C)
|
||||||
if( pk_alg == POLARSSL_PK_ECDSA )
|
if( pk_alg == POLARSSL_PK_ECDSA )
|
||||||
{
|
{
|
||||||
|
@ -2699,6 +2699,9 @@ int ssl_parse_certificate( ssl_context *ssl )
|
|||||||
return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
|
return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Main check: verify certificate
|
||||||
|
*/
|
||||||
ret = x509_crt_verify( ssl->session_negotiate->peer_cert,
|
ret = x509_crt_verify( ssl->session_negotiate->peer_cert,
|
||||||
ssl->ca_chain, ssl->ca_crl, ssl->peer_cn,
|
ssl->ca_chain, ssl->ca_crl, ssl->peer_cn,
|
||||||
&ssl->session_negotiate->verify_result,
|
&ssl->session_negotiate->verify_result,
|
||||||
@ -2708,21 +2711,35 @@ int ssl_parse_certificate( ssl_context *ssl )
|
|||||||
{
|
{
|
||||||
SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
|
SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Secondary checks: always done, but change 'ret' only if it was 0
|
||||||
|
*/
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_SET_CURVES)
|
#if defined(POLARSSL_SSL_SET_CURVES)
|
||||||
else
|
|
||||||
{
|
{
|
||||||
pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
|
const pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
|
||||||
|
|
||||||
/* If certificate uses an EC key, make sure the curve is OK */
|
/* If certificate uses an EC key, make sure the curve is OK */
|
||||||
if( pk_can_do( pk, POLARSSL_PK_ECKEY ) &&
|
if( pk_can_do( pk, POLARSSL_PK_ECKEY ) &&
|
||||||
! ssl_curve_is_acceptable( ssl, pk_ec( *pk )->grp.id ) )
|
! ssl_curve_is_acceptable( ssl, pk_ec( *pk )->grp.id ) )
|
||||||
{
|
{
|
||||||
SSL_DEBUG_MSG( 1, ( "bad server certificate (EC key curve)" ) );
|
SSL_DEBUG_MSG( 1, ( "bad server certificate (EC key curve)" ) );
|
||||||
ret = POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE;
|
if( ret == 0 )
|
||||||
|
ret = POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
if( ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
|
||||||
|
ciphersuite_info,
|
||||||
|
! ssl->endpoint ) != 0 )
|
||||||
|
{
|
||||||
|
SSL_DEBUG_MSG( 1, ( "bad server certificate (usage ext.)" ) );
|
||||||
|
if( ret == 0 )
|
||||||
|
ret = POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE;
|
||||||
|
}
|
||||||
|
|
||||||
if( ssl->authmode != SSL_VERIFY_REQUIRED )
|
if( ssl->authmode != SSL_VERIFY_REQUIRED )
|
||||||
ret = 0;
|
ret = 0;
|
||||||
}
|
}
|
||||||
@ -4747,3 +4764,54 @@ int ssl_curve_is_acceptable( const ssl_context *ssl, ecp_group_id grp_id )
|
|||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
int ssl_check_cert_usage( const x509_crt *cert,
|
||||||
|
const ssl_ciphersuite_t *ciphersuite,
|
||||||
|
int cert_endpoint )
|
||||||
|
{
|
||||||
|
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
|
||||||
|
int usage = 0;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
|
||||||
|
if( cert_endpoint == SSL_IS_SERVER )
|
||||||
|
{
|
||||||
|
/* Server part of the key exchange */
|
||||||
|
switch( ciphersuite->key_exchange )
|
||||||
|
{
|
||||||
|
case POLARSSL_KEY_EXCHANGE_RSA:
|
||||||
|
case POLARSSL_KEY_EXCHANGE_RSA_PSK:
|
||||||
|
usage = KU_KEY_ENCIPHERMENT;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case POLARSSL_KEY_EXCHANGE_DHE_RSA:
|
||||||
|
case POLARSSL_KEY_EXCHANGE_ECDHE_RSA:
|
||||||
|
case POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA:
|
||||||
|
usage = KU_DIGITAL_SIGNATURE;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case POLARSSL_KEY_EXCHANGE_ECDH_RSA:
|
||||||
|
case POLARSSL_KEY_EXCHANGE_ECDH_ECDSA:
|
||||||
|
usage = KU_KEY_AGREEMENT;
|
||||||
|
break;
|
||||||
|
|
||||||
|
/* Don't use default: we want warnings when adding new values */
|
||||||
|
case POLARSSL_KEY_EXCHANGE_NONE:
|
||||||
|
case POLARSSL_KEY_EXCHANGE_PSK:
|
||||||
|
case POLARSSL_KEY_EXCHANGE_DHE_PSK:
|
||||||
|
case POLARSSL_KEY_EXCHANGE_ECDHE_PSK:
|
||||||
|
usage = 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
/* Client auth: we only implement rsa_sign and ecdsa_sign for now */
|
||||||
|
usage = KU_DIGITAL_SIGNATURE;
|
||||||
|
}
|
||||||
|
|
||||||
|
if( x509_crt_check_key_usage( cert, usage ) != 0 )
|
||||||
|
return( -1 );
|
||||||
|
#endif /* POLARSSL_X509_CHECK_KEY_USAGE */
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
21
tests/data_files/server2.ku-ds.crt
Normal file
21
tests/data_files/server2.ku-ds.crt
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDijCCAnKgAwIBAgIBLDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
|
||||||
|
MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
|
||||||
|
MTQwNDA5MDg0NDUxWhcNMjQwNDA2MDg0NDUxWjA0MQswCQYDVQQGEwJOTDERMA8G
|
||||||
|
A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
|
||||||
|
AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN
|
||||||
|
owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz
|
||||||
|
NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM
|
||||||
|
tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P
|
||||||
|
hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya
|
||||||
|
HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaOBnzCBnDAJ
|
||||||
|
BgNVHRMEAjAAMB0GA1UdDgQWBBSlBehkuNzfYA9QEk1gqGSvTYtDkzBjBgNVHSME
|
||||||
|
XDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAP
|
||||||
|
BgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAsG
|
||||||
|
A1UdDwQEAwIHgDANBgkqhkiG9w0BAQUFAAOCAQEAc4kubASrFXFtplkYp6FUcnUn
|
||||||
|
Pf/6laS1htI+3y+q1UHWe2PcagZtCHTCUGBSWLeUIiaIBheaIRqv+4sSFVuXB7hV
|
||||||
|
0PGXpO5btth4R8BHzGqCdObKvPujp5BDq3xgcAFicA3HUMNsJoTDv/RYXY7je1Q5
|
||||||
|
ntVyVPeji0AWMUYQjcqHTQQPGBgdJrRTMaYglZh15IhJ16ICNd9rWIeBA0h/+r0y
|
||||||
|
QuFEBz0nfe7Dvpqct7gJCv+7/5tCujx4LT17z7oK8BZN5SePAGU2ykJsUXk8ZICT
|
||||||
|
ongaQQVQwS6/GJ6A5V8ecaUvFrTby1h9+2sOW8n2NRGiaaG5gkvxVeayemcmOQ==
|
||||||
|
-----END CERTIFICATE-----
|
21
tests/data_files/server2.ku-ds_ke.crt
Normal file
21
tests/data_files/server2.ku-ds_ke.crt
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDijCCAnKgAwIBAgIBMDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
|
||||||
|
MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
|
||||||
|
MTQwNDA5MTAwMjQ5WhcNMjQwNDA2MTAwMjQ5WjA0MQswCQYDVQQGEwJOTDERMA8G
|
||||||
|
A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
|
||||||
|
AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN
|
||||||
|
owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz
|
||||||
|
NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM
|
||||||
|
tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P
|
||||||
|
hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya
|
||||||
|
HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaOBnzCBnDAJ
|
||||||
|
BgNVHRMEAjAAMB0GA1UdDgQWBBSlBehkuNzfYA9QEk1gqGSvTYtDkzBjBgNVHSME
|
||||||
|
XDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAP
|
||||||
|
BgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAsG
|
||||||
|
A1UdDwQEAwIFoDANBgkqhkiG9w0BAQUFAAOCAQEAnW7+h85xBP2KJzFSpWfGirVe
|
||||||
|
ApdC9bX0Z1sVMmD486N+ty9W6BP6kJRxLDX0fOuRc3x7mCy5qZg/Yj40+yQSoA0w
|
||||||
|
bTNwJjuR8iMqWIqLw9hWR+E9T4lYLZWyGJVjlVTkO4i5wifwhoJE9Doohh/6crn5
|
||||||
|
ImWgEkgT/wDVIHoamciO6KU36d0iAEEP2eYgxv2/sVHvjjsseTdvYh3D3VuOmQtS
|
||||||
|
uUvFxc6H5kYoq/yodJWDaOn3RS8pEpDsiW+abcWyxNTPtHFroJV7e9aaVmhlRSzw
|
||||||
|
sYDyD/ZyIlavoPSEiD3LTT/Tp6BIpz+zb4WHOHLEvUCsZputqxPVcNoEAi9xuA==
|
||||||
|
-----END CERTIFICATE-----
|
21
tests/data_files/server2.ku-ka.crt
Normal file
21
tests/data_files/server2.ku-ka.crt
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDijCCAnKgAwIBAgIBKjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
|
||||||
|
MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
|
||||||
|
MTQwNDA5MDg0NDIzWhcNMjQwNDA2MDg0NDIzWjA0MQswCQYDVQQGEwJOTDERMA8G
|
||||||
|
A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
|
||||||
|
AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN
|
||||||
|
owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz
|
||||||
|
NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM
|
||||||
|
tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P
|
||||||
|
hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya
|
||||||
|
HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaOBnzCBnDAJ
|
||||||
|
BgNVHRMEAjAAMB0GA1UdDgQWBBSlBehkuNzfYA9QEk1gqGSvTYtDkzBjBgNVHSME
|
||||||
|
XDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAP
|
||||||
|
BgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAsG
|
||||||
|
A1UdDwQEAwIDCDANBgkqhkiG9w0BAQUFAAOCAQEAriPloIWfu7U8d1hls97C7OBI
|
||||||
|
OiE2xFh2UmuN/9hTK2CyW6MtBf8aG3l4jQDrsutHO0gUyoR67ug4yj+s+0S/zETZ
|
||||||
|
q6mPo7cBbVwjhGciQRiYgufFpdnbXR05HDgOVPK7qqjL6UOZnbu5caIEvIJgdwXn
|
||||||
|
n8WB9x/Ii4/2S9ysmRdRhDBYekzgH3Ac2UnHJTMh1XaSL817MW6B9BDKHt4xa7pW
|
||||||
|
cplDzrFKYbmxSSxzALE4Dr+zRvmDx4bcYpBkRRfOhnnR1caQBgaZzPcX/Vu+vw8e
|
||||||
|
qs2nyBW5RBu8MBCBU1DpqOSo6jl0QTpuq3NzQZIouG9fyckqDJS5ibrxQTutPw==
|
||||||
|
-----END CERTIFICATE-----
|
21
tests/data_files/server2.ku-ke.crt
Normal file
21
tests/data_files/server2.ku-ke.crt
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDijCCAnKgAwIBAgIBKzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
|
||||||
|
MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
|
||||||
|
MTQwNDA5MDg0NDM5WhcNMjQwNDA2MDg0NDM5WjA0MQswCQYDVQQGEwJOTDERMA8G
|
||||||
|
A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
|
||||||
|
AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN
|
||||||
|
owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz
|
||||||
|
NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM
|
||||||
|
tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P
|
||||||
|
hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya
|
||||||
|
HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaOBnzCBnDAJ
|
||||||
|
BgNVHRMEAjAAMB0GA1UdDgQWBBSlBehkuNzfYA9QEk1gqGSvTYtDkzBjBgNVHSME
|
||||||
|
XDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAP
|
||||||
|
BgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAsG
|
||||||
|
A1UdDwQEAwIFIDANBgkqhkiG9w0BAQUFAAOCAQEAqreLAIuxeLGKbhoEROYRqXxO
|
||||||
|
ndaC6uDcpxhgmEW7B2DW6ZtX8155v3ov61MuMas8fEQjD5STDP9qERxNTePnhW3m
|
||||||
|
kDZd2jUBE3ioHhTBv47i1PYU+DRe42kY6z0jUmNPK8TsTKfdbqTGXg9THe1KYB7q
|
||||||
|
hdljqGS08IgBl/q2lK2OOSycu27xhfb9Mo0BcLBab92WgyBu+cFPQsKiL4mD7QyJ
|
||||||
|
+73Ndb21EuANUjsRDQ3NPklssJcyJB2v85eekwk1acZUG21no3wdTvjxhVE/Xrdz
|
||||||
|
zUP9WkvAVfUrwGjUzG4YHE8wkHO7xKbKixNt+nQmDhe+tHVbztZjVwFJ8010gg==
|
||||||
|
-----END CERTIFICATE-----
|
14
tests/data_files/server5.ku-ds.crt
Normal file
14
tests/data_files/server5.ku-ds.crt
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICLTCCAbKgAwIBAgIBLTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
|
||||||
|
A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
|
||||||
|
MTQwNDA5MDg0ODM1WhcNMjQwNDA2MDg0ODM1WjA0MQswCQYDVQQGEwJOTDERMA8G
|
||||||
|
A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
|
||||||
|
CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
|
||||||
|
2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgaowgacwCQYDVR0TBAIwADAd
|
||||||
|
BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
|
||||||
|
PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
|
||||||
|
clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAsG
|
||||||
|
A1UdDwQEAwIHgDAKBggqhkjOPQQDAgNpADBmAjEAzp4DkFMq7eDB0x5FeS9gYDaG
|
||||||
|
Ol8rVnWlRTLQzHZBQjKp+TcBdHZaBPoi8LyXtWA4AjEA6OWhsuTcv/qXOscQT0rL
|
||||||
|
eEh8wcCQeJK1uNd78lNvx3W0Pcxdb6cd7AhaAKgXL+r4
|
||||||
|
-----END CERTIFICATE-----
|
14
tests/data_files/server5.ku-ka.crt
Normal file
14
tests/data_files/server5.ku-ka.crt
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICKzCCAbKgAwIBAgIBLjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
|
||||||
|
A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
|
||||||
|
MTQwNDA5MDg0ODUwWhcNMjQwNDA2MDg0ODUwWjA0MQswCQYDVQQGEwJOTDERMA8G
|
||||||
|
A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
|
||||||
|
CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
|
||||||
|
2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgaowgacwCQYDVR0TBAIwADAd
|
||||||
|
BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
|
||||||
|
PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
|
||||||
|
clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAsG
|
||||||
|
A1UdDwQEAwIDCDAKBggqhkjOPQQDAgNnADBkAjACzKQ88/NvngMQBFc9rC484+gO
|
||||||
|
BRkXP28BqRcj8sBt3EfmEGH23BuhkZuB1OFZuMICMC4/pHgbOQtaY9WZPUROUVVZ
|
||||||
|
OuO6XsVbhiE0rb/mumqmUwuOrCtC/KFdvFZol4BNGA==
|
||||||
|
-----END CERTIFICATE-----
|
14
tests/data_files/server5.ku-ke.crt
Normal file
14
tests/data_files/server5.ku-ke.crt
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICKzCCAbKgAwIBAgIBLzAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
|
||||||
|
A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
|
||||||
|
MTQwNDA5MDg0OTA0WhcNMjQwNDA2MDg0OTA0WjA0MQswCQYDVQQGEwJOTDERMA8G
|
||||||
|
A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
|
||||||
|
CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
|
||||||
|
2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgaowgacwCQYDVR0TBAIwADAd
|
||||||
|
BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
|
||||||
|
PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
|
||||||
|
clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAsG
|
||||||
|
A1UdDwQEAwIFIDAKBggqhkjOPQQDAgNnADBkAjAMl0Cjv9f45bHeJTul5XpYeJeT
|
||||||
|
52ZaOLTa/uTLy948EnEIi6sj3nFb9fvsUbsOOjECMAXAMY64KOqzixefz3y3XS/d
|
||||||
|
9miyeArPOmXU2JJ3LGuNbqqj9IbABawB1OD8v8gRmg==
|
||||||
|
-----END CERTIFICATE-----
|
124
tests/ssl-opt.sh
124
tests/ssl-opt.sh
@ -151,8 +151,9 @@ run_test() {
|
|||||||
CLI_EXIT=$?
|
CLI_EXIT=$?
|
||||||
echo "EXIT: $CLI_EXIT" >> cli_out
|
echo "EXIT: $CLI_EXIT" >> cli_out
|
||||||
|
|
||||||
|
# psk is usefull when server only has bad certs
|
||||||
if is_polar "$SRV_CMD"; then
|
if is_polar "$SRV_CMD"; then
|
||||||
"$P_CLI" request_page=SERVERQUIT tickets=0 auth_mode=none \
|
"$P_CLI" request_page=SERVERQUIT tickets=0 auth_mode=none psk=abc123 \
|
||||||
crt_file=data_files/cli2.crt key_file=data_files/cli2.key \
|
crt_file=data_files/cli2.crt key_file=data_files/cli2.key \
|
||||||
>/dev/null
|
>/dev/null
|
||||||
else
|
else
|
||||||
@ -980,6 +981,127 @@ run_test "ALPN #6 (both, no common)" \
|
|||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Tests for keyUsage in leaf certificates, part 1:
|
||||||
|
# server-side certificate/suite selection
|
||||||
|
|
||||||
|
run_test "keyUsage srv #1 (RSA, digitalSignature -> ECDHE-RSA)" \
|
||||||
|
"$P_SRV key_file=data_files/server2.key \
|
||||||
|
crt_file=data_files/server2.ku-ds.crt" \
|
||||||
|
"$P_CLI" \
|
||||||
|
0 \
|
||||||
|
-c "Ciphersuite is TLS-ECDHE-RSA-WITH-"
|
||||||
|
|
||||||
|
|
||||||
|
run_test "keyUsage srv #2 (RSA, keyEncipherment -> RSA)" \
|
||||||
|
"$P_SRV key_file=data_files/server2.key \
|
||||||
|
crt_file=data_files/server2.ku-ke.crt" \
|
||||||
|
"$P_CLI" \
|
||||||
|
0 \
|
||||||
|
-c "Ciphersuite is TLS-RSA-WITH-"
|
||||||
|
|
||||||
|
# add psk to leave an option for client to send SERVERQUIT
|
||||||
|
run_test "keyUsage srv #3 (RSA, keyAgreement -> fail)" \
|
||||||
|
"$P_SRV psk=abc123 key_file=data_files/server2.key \
|
||||||
|
crt_file=data_files/server2.ku-ka.crt" \
|
||||||
|
"$P_CLI psk=badbad" \
|
||||||
|
1 \
|
||||||
|
-C "Ciphersuite is "
|
||||||
|
|
||||||
|
run_test "keyUsage srv #4 (ECDSA, digitalSignature -> ECDHE-ECDSA)" \
|
||||||
|
"$P_SRV key_file=data_files/server5.key \
|
||||||
|
crt_file=data_files/server5.ku-ds.crt" \
|
||||||
|
"$P_CLI" \
|
||||||
|
0 \
|
||||||
|
-c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
|
||||||
|
|
||||||
|
|
||||||
|
run_test "keyUsage srv #5 (ECDSA, keyAgreement -> ECDH-)" \
|
||||||
|
"$P_SRV key_file=data_files/server5.key \
|
||||||
|
crt_file=data_files/server5.ku-ka.crt" \
|
||||||
|
"$P_CLI" \
|
||||||
|
0 \
|
||||||
|
-c "Ciphersuite is TLS-ECDH-"
|
||||||
|
|
||||||
|
# add psk to leave an option for client to send SERVERQUIT
|
||||||
|
run_test "keyUsage srv #6 (ECDSA, keyEncipherment -> fail)" \
|
||||||
|
"$P_SRV psk=abc123 key_file=data_files/server5.key \
|
||||||
|
crt_file=data_files/server5.ku-ke.crt" \
|
||||||
|
"$P_CLI psk=badbad" \
|
||||||
|
1 \
|
||||||
|
-C "Ciphersuite is "
|
||||||
|
|
||||||
|
# Tests for keyUsage in leaf certificates, part 2:
|
||||||
|
# client-side checks
|
||||||
|
|
||||||
|
run_test "keyUsage cli #0 (reference, no extension)" \
|
||||||
|
"$O_SRV -key data_files/server2.key \
|
||||||
|
-cert data_files/server2.crt" \
|
||||||
|
"$P_CLI debug_level=2" \
|
||||||
|
0 \
|
||||||
|
-C "bad server certificate (usage ext.)" \
|
||||||
|
-C "Processing of the Certificate handshake message failed" \
|
||||||
|
-c "Ciphersuite is TLS-"
|
||||||
|
|
||||||
|
run_test "keyUsage cli #1 (DigitalSignature+KeyEncipherment, RSA: OK)" \
|
||||||
|
"$O_SRV -key data_files/server2.key \
|
||||||
|
-cert data_files/server2.ku-ds_ke.crt" \
|
||||||
|
"$P_CLI debug_level=2 \
|
||||||
|
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||||
|
0 \
|
||||||
|
-C "bad server certificate (usage ext.)" \
|
||||||
|
-C "Processing of the Certificate handshake message failed" \
|
||||||
|
-c "Ciphersuite is TLS-"
|
||||||
|
|
||||||
|
run_test "keyUsage cli #2 (DigitalSignature+KeyEncipherment, DHE-RSA: OK)" \
|
||||||
|
"$O_SRV -key data_files/server2.key \
|
||||||
|
-cert data_files/server2.ku-ds_ke.crt" \
|
||||||
|
"$P_CLI debug_level=2 \
|
||||||
|
force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
|
||||||
|
0 \
|
||||||
|
-C "bad server certificate (usage ext.)" \
|
||||||
|
-C "Processing of the Certificate handshake message failed" \
|
||||||
|
-c "Ciphersuite is TLS-"
|
||||||
|
|
||||||
|
run_test "keyUsage cli #3 (KeyEncipherment, RSA: OK)" \
|
||||||
|
"$O_SRV -key data_files/server2.key \
|
||||||
|
-cert data_files/server2.ku-ke.crt" \
|
||||||
|
"$P_CLI debug_level=2 \
|
||||||
|
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||||
|
0 \
|
||||||
|
-C "bad server certificate (usage ext.)" \
|
||||||
|
-C "Processing of the Certificate handshake message failed" \
|
||||||
|
-c "Ciphersuite is TLS-"
|
||||||
|
|
||||||
|
run_test "keyUsage cli #4 (KeyEncipherment, DHE-RSA: fail)" \
|
||||||
|
"$O_SRV -key data_files/server2.key \
|
||||||
|
-cert data_files/server2.ku-ke.crt" \
|
||||||
|
"$P_CLI debug_level=2 \
|
||||||
|
force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
|
||||||
|
1 \
|
||||||
|
-c "bad server certificate (usage ext.)" \
|
||||||
|
-c "Processing of the Certificate handshake message failed" \
|
||||||
|
-C "Ciphersuite is TLS-"
|
||||||
|
|
||||||
|
run_test "keyUsage cli #5 (DigitalSignature, DHE-RSA: OK)" \
|
||||||
|
"$O_SRV -key data_files/server2.key \
|
||||||
|
-cert data_files/server2.ku-ds.crt" \
|
||||||
|
"$P_CLI debug_level=2 \
|
||||||
|
force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
|
||||||
|
0 \
|
||||||
|
-C "bad server certificate (usage ext.)" \
|
||||||
|
-C "Processing of the Certificate handshake message failed" \
|
||||||
|
-c "Ciphersuite is TLS-"
|
||||||
|
|
||||||
|
run_test "keyUsage cli #5 (DigitalSignature, RSA: fail)" \
|
||||||
|
"$O_SRV -key data_files/server2.key \
|
||||||
|
-cert data_files/server2.ku-ds.crt" \
|
||||||
|
"$P_CLI debug_level=2 \
|
||||||
|
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||||
|
1 \
|
||||||
|
-c "bad server certificate (usage ext.)" \
|
||||||
|
-c "Processing of the Certificate handshake message failed" \
|
||||||
|
-C "Ciphersuite is TLS-"
|
||||||
|
|
||||||
# Final report
|
# Final report
|
||||||
|
|
||||||
echo "------------------------------------------------------------------------"
|
echo "------------------------------------------------------------------------"
|
||||||
|
Loading…
Reference in New Issue
Block a user