Add tests for keyUsage with client auth

Manuel Pégourié-Gonnard 2014-04-09 14:53:05 +02:00 committed by Paul Bakker
parent 490047cc44
commit a9db85df73
2 changed files with 52 additions and 18 deletions


@ -2724,7 +2724,7 @@ int ssl_parse_certificate( ssl_context *ssl )
if( pk_can_do( pk, POLARSSL_PK_ECKEY ) && if( pk_can_do( pk, POLARSSL_PK_ECKEY ) &&
! ssl_curve_is_acceptable( ssl, pk_ec( *pk )->grp.id ) ) ! ssl_curve_is_acceptable( ssl, pk_ec( *pk )->grp.id ) )
{ {
SSL_DEBUG_MSG( 1, ( "bad server certificate (EC key curve)" ) ); SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
if( ret == 0 ) if( ret == 0 )
ret = POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE; ret = POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE;
} }
@ -2735,7 +2735,7 @@ int ssl_parse_certificate( ssl_context *ssl )
ciphersuite_info, ciphersuite_info,
! ssl->endpoint ) != 0 ) ! ssl->endpoint ) != 0 )
{ {
SSL_DEBUG_MSG( 1, ( "bad server certificate (usage ext.)" ) ); SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
if( ret == 0 ) if( ret == 0 )
ret = POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE; ret = POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE;
} }
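Review bot: The two reworded debug strings are matched verbatim by the test script changed in this same commit, and most of those matches are negative (`-C` / `-S`), so a later rewording here would leave those tests passing without checking anything. A short comment above each `SSL_DEBUG_MSG` call, for example `/* text is matched by the keyUsage tests; update them together */`, would record that coupling. The body of ssl_parse_certificate extends beyond both hunks, so how `ret` is treated afterwards is not visible here.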


@ -1031,16 +1031,7 @@ run_test "keyUsage srv #6 (ECDSA, keyEncipherment -> fail)" \
-C "Ciphersuite is " -C "Ciphersuite is "
# Tests for keyUsage in leaf certificates, part 2: # Tests for keyUsage in leaf certificates, part 2:
# client-side checks # client-side checking of server cert
run_test "keyUsage cli #0 (reference, no extension)" \
"$O_SRV -key data_files/server2.key \
-cert data_files/server2.crt" \
"$P_CLI debug_level=2" \
0 \
-C "bad server certificate (usage ext.)" \
-C "Processing of the Certificate handshake message failed" \
-c "Ciphersuite is TLS-"
run_test "keyUsage cli #1 (DigitalSignature+KeyEncipherment, RSA: OK)" \ run_test "keyUsage cli #1 (DigitalSignature+KeyEncipherment, RSA: OK)" \
"$O_SRV -key data_files/server2.key \ "$O_SRV -key data_files/server2.key \
@ -1048,7 +1039,7 @@ run_test "keyUsage cli #1 (DigitalSignature+KeyEncipherment, RSA: OK)" \
"$P_CLI debug_level=2 \ "$P_CLI debug_level=2 \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
0 \ 0 \
-C "bad server certificate (usage ext.)" \ -C "bad certificate (usage extensions)" \
-C "Processing of the Certificate handshake message failed" \ -C "Processing of the Certificate handshake message failed" \
-c "Ciphersuite is TLS-" -c "Ciphersuite is TLS-"
@ -1058,7 +1049,7 @@ run_test "keyUsage cli #2 (DigitalSignature+KeyEncipherment, DHE-RSA: OK)" \
"$P_CLI debug_level=2 \ "$P_CLI debug_level=2 \
force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \ force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
0 \ 0 \
-C "bad server certificate (usage ext.)" \ -C "bad certificate (usage extensions)" \
-C "Processing of the Certificate handshake message failed" \ -C "Processing of the Certificate handshake message failed" \
-c "Ciphersuite is TLS-" -c "Ciphersuite is TLS-"
@ -1068,7 +1059,7 @@ run_test "keyUsage cli #3 (KeyEncipherment, RSA: OK)" \
"$P_CLI debug_level=2 \ "$P_CLI debug_level=2 \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
0 \ 0 \
-C "bad server certificate (usage ext.)" \ -C "bad certificate (usage extensions)" \
-C "Processing of the Certificate handshake message failed" \ -C "Processing of the Certificate handshake message failed" \
-c "Ciphersuite is TLS-" -c "Ciphersuite is TLS-"
@ -1078,7 +1069,7 @@ run_test "keyUsage cli #4 (KeyEncipherment, DHE-RSA: fail)" \
"$P_CLI debug_level=2 \ "$P_CLI debug_level=2 \
force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \ force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
1 \ 1 \
-c "bad server certificate (usage ext.)" \ -c "bad certificate (usage extensions)" \
-c "Processing of the Certificate handshake message failed" \ -c "Processing of the Certificate handshake message failed" \
-C "Ciphersuite is TLS-" -C "Ciphersuite is TLS-"
@ -1088,7 +1079,7 @@ run_test "keyUsage cli #5 (DigitalSignature, DHE-RSA: OK)" \
"$P_CLI debug_level=2 \ "$P_CLI debug_level=2 \
force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \ force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
0 \ 0 \
-C "bad server certificate (usage ext.)" \ -C "bad certificate (usage extensions)" \
-C "Processing of the Certificate handshake message failed" \ -C "Processing of the Certificate handshake message failed" \
-c "Ciphersuite is TLS-" -c "Ciphersuite is TLS-"
@ -1098,10 +1089,53 @@ run_test "keyUsage cli #5 (DigitalSignature, RSA: fail)" \
"$P_CLI debug_level=2 \ "$P_CLI debug_level=2 \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
1 \ 1 \
-c "bad server certificate (usage ext.)" \ -c "bad certificate (usage extensions)" \
-c "Processing of the Certificate handshake message failed" \ -c "Processing of the Certificate handshake message failed" \
-C "Ciphersuite is TLS-" -C "Ciphersuite is TLS-"
# Tests for keyUsage in leaf certificates, part 3:
# server-side checking of client cert
run_test "keyUsage cli-auth #1 (RSA, DigitalSignature: OK)" \
"$P_SRV debug_level=2 auth_mode=optional" \
"$O_CLI -key data_files/server2.key \
-cert data_files/server2.ku-ds.crt" \
0 \
-S "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
run_test "keyUsage cli-auth #2 (RSA, KeyEncipherment: fail (soft))" \
"$P_SRV debug_level=2 auth_mode=optional" \
"$O_CLI -key data_files/server2.key \
-cert data_files/server2.ku-ke.crt" \
0 \
-s "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
run_test "keyUsage cli-auth #3 (RSA, KeyEncipherment: fail (hard))" \
"$P_SRV debug_level=2 auth_mode=required" \
"$O_CLI -key data_files/server2.key \
-cert data_files/server2.ku-ke.crt" \
1 \
-s "bad certificate (usage extensions)" \
-s "Processing of the Certificate handshake message failed"
run_test "keyUsage cli-auth #4 (ECDSA, DigitalSignature: OK)" \
"$P_SRV debug_level=2 auth_mode=optional" \
"$O_CLI -key data_files/server5.key \
-cert data_files/server5.ku-ds.crt" \
0 \
-S "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
run_test "keyUsage cli-auth #5 (ECDSA, KeyAgreement: fail (soft))" \
"$P_SRV debug_level=2 auth_mode=optional" \
"$O_CLI -key data_files/server5.key \
-cert data_files/server5.ku-ka.crt" \
0 \
-s "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
# Final report # Final report
echo "------------------------------------------------------------------------" echo "------------------------------------------------------------------------"
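Review bot: The two passing cases in part 3, cli-auth #1 and #4, run with `auth_mode=optional` and assert only that two log lines are absent, so they would also pass if the server never examined the client certificate. Running them with `auth_mode=required`, or adding a positive `-s` pattern for a line that shows the certificate was processed, would make them prove something. The ECDSA group also has no hard-fail counterpart to cli-auth #3: a case with `auth_mode=required`, `server5.ku-ka.crt` and expected exit `1` would close that gap. In the soft-fail cases #2 and #5 the only evidence of the keyUsage violation is a debug message; a comment above part 3 such as `# auth_mode=optional: handshake continues, the caller must check the verify result` would state the contract, though whether the verify result reflects this failure is not visible on this page.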