From a9db85df7345723a894ac64927c15c7073294bd2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Wed, 9 Apr 2014 14:53:05 +0200
Subject: [PATCH] Add tests for keyUsage with client auth
---
 library/ssl_tls.c | 4 +--
 tests/ssl-opt.sh | 66 +++++++++++++++++++++++++++++++++++------------
 2 files changed, 52 insertions(+), 18 deletions(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 4c8d8f9f2..588cbc4a2 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2724,7 +2724,7 @@ int ssl_parse_certificate( ssl_context *ssl )
 if( pk_can_do( pk, POLARSSL_PK_ECKEY ) &&
 ! ssl_curve_is_acceptable( ssl, pk_ec( *pk )->grp.id ) )
 {
- SSL_DEBUG_MSG( 1, ( "bad server certificate (EC key curve)" ) );
+ SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
 if( ret == 0 )
 ret = POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE;
 }
@@ -2735,7 +2735,7 @@ int ssl_parse_certificate( ssl_context *ssl )
 ciphersuite_info,
 ! ssl->endpoint ) != 0 )
 {
- SSL_DEBUG_MSG( 1, ( "bad server certificate (usage ext.)" ) );
+ SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
 if( ret == 0 )
 ret = POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE;
 }
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index ec9e5499f..16748b07c 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1031,16 +1031,7 @@ run_test "keyUsage srv #6 (ECDSA, keyEncipherment -> fail)" \
 -C "Ciphersuite is "
 
 # Tests for keyUsage in leaf certificates, part 2:
-# client-side checks
-
-run_test "keyUsage cli #0 (reference, no extension)" \
- "$O_SRV -key data_files/server2.key \
- -cert data_files/server2.crt" \
- "$P_CLI debug_level=2" \
- 0 \
- -C "bad server certificate (usage ext.)" \
- -C "Processing of the Certificate handshake message failed" \
- -c "Ciphersuite is TLS-"
+# client-side checking of server cert
 
 run_test "keyUsage cli #1 (DigitalSignature+KeyEncipherment, RSA: OK)" \
 "$O_SRV -key data_files/server2.key \
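Review bot: The debug strings changed at the `SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) )` line and in the second hunk are matched verbatim by `tests/ssl-opt.sh` through its `-s`/`-S`/`-c`/`-C` patterns, and the negative forms pass vacuously if the text drifts again, so this contract is invisible from the C side. A one-line comment above each call, `/* NB: tests/ssl-opt.sh matches this message verbatim; update both together */`, would stop the next rename from silently turning those assertions into no-ops. Both hunks only record the failure through `if( ret == 0 ) ret = POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE;` and keep going, which presumably is the path the new `auth_mode=optional` tests rely on; `ssl_parse_certificate` begins and ends outside the hunk.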
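Review bot: The `keyUsage cli #0 (reference, no extension)` case is deleted and neither part 2 nor the new part 3 keeps a reference test with a certificate carrying no keyUsage extension, so the accept-when-absent path is no longer pinned by this script unless it is covered elsewhere. If the case was dropped because `data_files/server2.crt` no longer fits that purpose, a one-line comment under `# client-side checking of server cert` stating why, e.g. `# no extension-less reference case here: <reason>`, or a replacement reference case would keep the intent visible. The `run_test` calls are top-level script statements and the hunk is complete within the diff.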
@@ -1048,7 +1039,7 @@ run_test "keyUsage cli #1 (DigitalSignature+KeyEncipherment, RSA: OK)" \
 "$P_CLI debug_level=2 \
 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
 0 \
- -C "bad server certificate (usage ext.)" \
+ -C "bad certificate (usage extensions)" \
 -C "Processing of the Certificate handshake message failed" \
 -c "Ciphersuite is TLS-"
 
@@ -1058,7 +1049,7 @@ run_test "keyUsage cli #2 (DigitalSignature+KeyEncipherment, DHE-RSA: OK)" \
 "$P_CLI debug_level=2 \
 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
 0 \
- -C "bad server certificate (usage ext.)" \
+ -C "bad certificate (usage extensions)" \
 -C "Processing of the Certificate handshake message failed" \
 -c "Ciphersuite is TLS-"
 
@@ -1068,7 +1059,7 @@ run_test "keyUsage cli #3 (KeyEncipherment, RSA: OK)" \
 "$P_CLI debug_level=2 \
 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
 0 \
- -C "bad server certificate (usage ext.)" \
+ -C "bad certificate (usage extensions)" \
 -C "Processing of the Certificate handshake message failed" \
 -c "Ciphersuite is TLS-"
 
@@ -1078,7 +1069,7 @@ run_test "keyUsage cli #4 (KeyEncipherment, DHE-RSA: fail)" \
 "$P_CLI debug_level=2 \
 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
 1 \
- -c "bad server certificate (usage ext.)" \
+ -c "bad certificate (usage extensions)" \
 -c "Processing of the Certificate handshake message failed" \
 -C "Ciphersuite is TLS-"
 
@@ -1088,7 +1079,7 @@ run_test "keyUsage cli #5 (DigitalSignature, DHE-RSA: OK)" \
 "$P_CLI debug_level=2 \
 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
 0 \
- -C "bad server certificate (usage ext.)" \
+ -C "bad certificate (usage extensions)" \
 -C "Processing of the Certificate handshake message failed" \
 -c "Ciphersuite is TLS-"
 
@@ -1098,10 +1089,53 @@ run_test "keyUsage cli #5 (DigitalSignature, RSA: fail)" \
 "$P_CLI debug_level=2 \
 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
 1 \
- -c "bad server certificate (usage ext.)" \
+ -c "bad certificate (usage extensions)" \
 -c "Processing of the Certificate handshake message failed" \
 -C "Ciphersuite is TLS-"
 
+# Tests for keyUsage in leaf certificates, part 3:
+# server-side checking of client cert
+
+run_test "keyUsage cli-auth #1 (RSA, DigitalSignature: OK)" \
+ "$P_SRV debug_level=2 auth_mode=optional" \
+ "$O_CLI -key data_files/server2.key \
+ -cert data_files/server2.ku-ds.crt" \
+ 0 \
+ -S "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+run_test "keyUsage cli-auth #2 (RSA, KeyEncipherment: fail (soft))" \
+ "$P_SRV debug_level=2 auth_mode=optional" \
+ "$O_CLI -key data_files/server2.key \
+ -cert data_files/server2.ku-ke.crt" \
+ 0 \
+ -s "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+run_test "keyUsage cli-auth #3 (RSA, KeyEncipherment: fail (hard))" \
+ "$P_SRV debug_level=2 auth_mode=required" \
+ "$O_CLI -key data_files/server2.key \
+ -cert data_files/server2.ku-ke.crt" \
+ 1 \
+ -s "bad certificate (usage extensions)" \
+ -s "Processing of the Certificate handshake message failed"
+
+run_test "keyUsage cli-auth #4 (ECDSA, DigitalSignature: OK)" \
+ "$P_SRV debug_level=2 auth_mode=optional" \
+ "$O_CLI -key data_files/server5.key \
+ -cert data_files/server5.ku-ds.crt" \
+ 0 \
+ -S "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+run_test "keyUsage cli-auth #5 (ECDSA, KeyAgreement: fail (soft))" \
+ "$P_SRV debug_level=2 auth_mode=optional" \
+ "$O_CLI -key data_files/server5.key \
+ -cert data_files/server5.ku-ka.crt" \
+ 0 \
+ -s "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
 # Final report
 
 echo 
"------------------------------------------------------------------------"
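Review bot: The five `keyUsage cli-auth` tests assert only the presence or absence of two debug lines, so the OK cases (#1, #4) and the soft-fail cases (#2, #5) would still pass if the handshake broke for an unrelated reason, and #3 never confirms the handshake was actually aborted. The part-2 tests above anchor the outcome with `-c "Ciphersuite is TLS-"`, and `keyUsage srv #6` already uses `-C "Ciphersuite is "`; assuming `$P_SRV` prints the same `Ciphersuite is` line as `$P_CLI`, adding `-s "Ciphersuite is "` to #1, #2, #4 and #5 and `-S "Ciphersuite is "` to #3 would pin the end state rather than just the log line. For the soft cases that is the assertion that matters, since `auth_mode=optional` is evidently meant to log the bad keyUsage and still complete the handshake, which a missing error line alone does not prove. The `run_test` calls are top-level statements and the hunk ends at the final-report `echo`.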