diff --git a/configs/baremetal_test.h b/configs/baremetal_test.h index 82c0ed17c..b7e36f0f4 100644 --- a/configs/baremetal_test.h +++ b/configs/baremetal_test.h @@ -37,18 +37,6 @@ /* Debug output */ #define MBEDTLS_DEBUG_C -/* We don't have DER-encoded test CRTs yet. */ -#define MBEDTLS_PEM_PARSE_C -#define MBEDTLS_BASE64_C -/* We don't have Secp256r1 test CRTs at the moment. */ -#define MBEDTLS_ECP_DP_SECP384R1_ENABLED - -/* Correct ECP configuration values */ -#undef MBEDTLS_ECP_MAX_BITS -#undef MBEDTLS_MPI_MAX_SIZE -#define MBEDTLS_ECP_MAX_BITS 384 -#define MBEDTLS_MPI_MAX_SIZE 48 - /* ssl_client2 and ssl_server2 use CTR-DRBG so far. */ #define MBEDTLS_CTR_DRBG_C diff --git a/library/certs.c b/library/certs.c index b07fd8a3a..e89cfe1c5 100644 --- a/library/certs.c +++ b/library/certs.c @@ -42,6 +42,101 @@ * */ +/* Use CRTs with Secp256r1-only if Secp384r1 is disabled. + * Otherwise, fall back to previous test CRTs using both + * Secp256r1 and Secp384r1. */ +#if !defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) + +/* This is taken from tests/data_files/test-ca3.crt.pem */ +/* BEGIN FILE string macro TEST_CA_CRT_EC_PEM tests/data_files/test-ca3.crt.pem */ +#define TEST_CA_CRT_EC_PEM \ + "-----BEGIN CERTIFICATE-----\r\n" \ + "MIIBuTCCAV2gAwIBAgIBATAMBggqhkjOPQQDAgUAMDsxGjAYBgNVBAMMEVRlc3Qg\r\n" \ + "Q0EgU2VjcDI1NnIxMRAwDgYDVQQKDAdNYmVkVExTMQswCQYDVQQGEwJVSzAeFw0w\r\n" \ + "MTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMDsxGjAYBgNVBAMMEVRlc3QgQ0Eg\r\n" \ + "U2VjcDI1NnIxMRAwDgYDVQQKDAdNYmVkVExTMQswCQYDVQQGEwJVSzBZMBMGByqG\r\n" \ + "SM49AgEGCCqGSM49AwEHA0IABLZIHgilzw/iCx1r09kyZsZfarzztX4y1km0S5Mx\r\n" \ + "rsFB67NjUhXE6/YY3W38oxeY4eIvEb516BOR/g3e3OL7Q8WjUDBOMAwGA1UdEwQF\r\n" \ + "MAMBAf8wHQYDVR0OBBYEFEpepGEzSxZIDDF4IjXW+85Q5yASMB8GA1UdIwQYMBaA\r\n" \ + "FEpepGEzSxZIDDF4IjXW+85Q5yASMAwGCCqGSM49BAMCBQADSAAwRQIhAKejV1jK\r\n" \ + "vPH1vIsZAr6/VmSvjXkxmT2rpzEP9iJvJAteAiBhCPtV7LdSF1ZUqphAK3DYh2m7\r\n" \ + "l1eSxSKXB29adbF96g==\r\n" \ + "-----END CERTIFICATE-----\r\n" +/* END FILE */ + +/* This is generated from tests/data_files/test-ca3.crt.der using `xxd -i`. */ +/* BEGIN FILE binary macro TEST_CA_CRT_EC_DER tests/data_files/test-ca3.crt.der */ +#define TEST_CA_CRT_EC_DER { \ + 0x30, 0x82, 0x01, 0xb9, 0x30, 0x82, 0x01, 0x5d, 0xa0, 0x03, 0x02, 0x01, \ + 0x02, 0x02, 0x01, 0x01, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, \ + 0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x1a, 0x30, 0x18, \ + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x54, 0x65, 0x73, 0x74, 0x20, \ + 0x43, 0x41, 0x20, 0x53, 0x65, 0x63, 0x70, 0x32, 0x35, 0x36, 0x72, 0x31, \ + 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x4d, \ + 0x62, 0x65, 0x64, 0x54, 0x4c, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, \ + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x4b, 0x30, 0x1e, 0x17, 0x0d, 0x30, \ + 0x31, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, \ + 0x17, 0x0d, 0x33, 0x30, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, \ + 0x35, 0x39, 0x5a, 0x30, 0x3b, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, \ + 0x04, 0x03, 0x0c, 0x11, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x20, \ + 0x53, 0x65, 0x63, 0x70, 0x32, 0x35, 0x36, 0x72, 0x31, 0x31, 0x10, 0x30, \ + 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x4d, 0x62, 0x65, 0x64, \ + 0x54, 0x4c, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, \ + 0x13, 0x02, 0x55, 0x4b, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, \ + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, \ + 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xb6, 0x48, 0x1e, 0x08, 0xa5, \ + 0xcf, 0x0f, 0xe2, 0x0b, 0x1d, 0x6b, 0xd3, 0xd9, 0x32, 0x66, 0xc6, 0x5f, \ + 0x6a, 0xbc, 0xf3, 0xb5, 0x7e, 0x32, 0xd6, 0x49, 0xb4, 0x4b, 0x93, 0x31, \ + 0xae, 0xc1, 0x41, 0xeb, 0xb3, 0x63, 0x52, 0x15, 0xc4, 0xeb, 0xf6, 0x18, \ + 0xdd, 0x6d, 0xfc, 0xa3, 0x17, 0x98, 0xe1, 0xe2, 0x2f, 0x11, 0xbe, 0x75, \ + 0xe8, 0x13, 0x91, 0xfe, 0x0d, 0xde, 0xdc, 0xe2, 0xfb, 0x43, 0xc5, 0xa3, \ + 0x50, 0x30, 0x4e, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, \ + 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, \ + 0x04, 0x16, 0x04, 0x14, 0x4a, 0x5e, 0xa4, 0x61, 0x33, 0x4b, 0x16, 0x48, \ + 0x0c, 0x31, 0x78, 0x22, 0x35, 0xd6, 0xfb, 0xce, 0x50, 0xe7, 0x20, 0x12, \ + 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, \ + 0x14, 0x4a, 0x5e, 0xa4, 0x61, 0x33, 0x4b, 0x16, 0x48, 0x0c, 0x31, 0x78, \ + 0x22, 0x35, 0xd6, 0xfb, 0xce, 0x50, 0xe7, 0x20, 0x12, 0x30, 0x0c, 0x06, \ + 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, 0x03, \ + 0x48, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00, 0xa7, 0xa3, 0x57, 0x58, 0xca, \ + 0xbc, 0xf1, 0xf5, 0xbc, 0x8b, 0x19, 0x02, 0xbe, 0xbf, 0x56, 0x64, 0xaf, \ + 0x8d, 0x79, 0x31, 0x99, 0x3d, 0xab, 0xa7, 0x31, 0x0f, 0xf6, 0x22, 0x6f, \ + 0x24, 0x0b, 0x5e, 0x02, 0x20, 0x61, 0x08, 0xfb, 0x55, 0xec, 0xb7, 0x52, \ + 0x17, 0x56, 0x54, 0xaa, 0x98, 0x40, 0x2b, 0x70, 0xd8, 0x87, 0x69, 0xbb, \ + 0x97, 0x57, 0x92, 0xc5, 0x22, 0x97, 0x07, 0x6f, 0x5a, 0x75, 0xb1, 0x7d, \ + 0xea \ +} +/* END FILE */ + +/* This is taken from tests/data_files/test-ca3.key.pem */ +/* BEGIN FILE string macro TEST_CA_KEY_EC_PEM tests/data_files/test-ca3.key.pem */ +#define TEST_CA_KEY_EC_PEM \ + "-----BEGIN EC PRIVATE KEY-----\r\n" \ + "MHcCAQEEIDlfIVA04pd23r9UJhLf0kt6SkROecrhPbNWtawigBCkoAoGCCqGSM49\r\n" \ + "AwEHoUQDQgAEtkgeCKXPD+ILHWvT2TJmxl9qvPO1fjLWSbRLkzGuwUHrs2NSFcTr\r\n" \ + "9hjdbfyjF5jh4i8RvnXoE5H+Dd7c4vtDxQ==\r\n" \ + "-----END EC PRIVATE KEY-----\r\n" +/* END FILE */ + +/* This is generated from tests/data_files/test-ca3.key.der using `xxd -i`. */ +/* BEGIN FILE binary macro TEST_CA_KEY_EC_DER tests/data_files/test-ca3.key.der */ +#define TEST_CA_KEY_EC_DER { \ + 0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x39, 0x5f, 0x21, 0x50, 0x34, \ + 0xe2, 0x97, 0x76, 0xde, 0xbf, 0x54, 0x26, 0x12, 0xdf, 0xd2, 0x4b, 0x7a, \ + 0x4a, 0x44, 0x4e, 0x79, 0xca, 0xe1, 0x3d, 0xb3, 0x56, 0xb5, 0xac, 0x22, \ + 0x80, 0x10, 0xa4, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, \ + 0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0xb6, 0x48, 0x1e, \ + 0x08, 0xa5, 0xcf, 0x0f, 0xe2, 0x0b, 0x1d, 0x6b, 0xd3, 0xd9, 0x32, 0x66, \ + 0xc6, 0x5f, 0x6a, 0xbc, 0xf3, 0xb5, 0x7e, 0x32, 0xd6, 0x49, 0xb4, 0x4b, \ + 0x93, 0x31, 0xae, 0xc1, 0x41, 0xeb, 0xb3, 0x63, 0x52, 0x15, 0xc4, 0xeb, \ + 0xf6, 0x18, 0xdd, 0x6d, 0xfc, 0xa3, 0x17, 0x98, 0xe1, 0xe2, 0x2f, 0x11, \ + 0xbe, 0x75, 0xe8, 0x13, 0x91, 0xfe, 0x0d, 0xde, 0xdc, 0xe2, 0xfb, 0x43, \ + 0xc5 \ +} +/* END FILE */ + +#else /* !MBEDTLS_ECP_DP_SECP384R1_ENABLED */ + /* This is taken from tests/data_files/test-ca2.crt */ /* BEGIN FILE string macro TEST_CA_CRT_EC_PEM tests/data_files/test-ca2.crt */ #define TEST_CA_CRT_EC_PEM \ @@ -154,6 +249,10 @@ } /* END FILE */ +#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ + +#define TEST_CA_PWD_EC_PEM "PolarSSLTest" + /* This is taken from tests/data_files/test-ca-sha256.crt. */ /* BEGIN FILE string macro TEST_CA_CRT_RSA_SHA256_PEM tests/data_files/test-ca-sha256.crt */ #define TEST_CA_CRT_RSA_SHA256_PEM \ @@ -513,6 +612,100 @@ * - multiple EC curve types */ +/* Use CRTs with Secp256r1-only if Secp384r1 is disabled. + * Otherwise, fall back to previous test CRTs using both + * Secp256r1 and Secp384r1. */ +#if !defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) + +/* This is taken from tests/data_files/server11.crt.pem. */ +/* BEGIN FILE string macro TEST_SRV_CRT_EC_PEM tests/data_files/server11.crt.pem */ +#define TEST_SRV_CRT_EC_PEM \ + "-----BEGIN CERTIFICATE-----\r\n" \ + "MIIBrzCCAVKgAwIBAgIBATAMBggqhkjOPQQDAgUAMDsxGjAYBgNVBAMMEVRlc3Qg\r\n" \ + "Q0EgU2VjcDI1NnIxMRAwDgYDVQQKDAdNYmVkVExTMQswCQYDVQQGEwJVSzAeFw0w\r\n" \ + "MTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMDMxEjAQBgNVBAMMCWxvY2FsaG9z\r\n" \ + "dDEQMA4GA1UECgwHTWJlZFRMUzELMAkGA1UEBhMCVUswWTATBgcqhkjOPQIBBggq\r\n" \ + "hkjOPQMBBwNCAATH4k2I+9HG/2AM4cN0pPkfO62ddKWwtDsdFezZoKxwXYm0ClZe\r\n" \ + "zZYmfpl8x5Q7+V2oGg3TXoC8TOmXjAtabfDNo00wSzAJBgNVHRMEAjAAMB0GA1Ud\r\n" \ + "DgQWBBQjXj0e2wlEVpSCbySpu2oDJgn7sjAfBgNVHSMEGDAWgBRKXqRhM0sWSAwx\r\n" \ + "eCI11vvOUOcgEjAMBggqhkjOPQQDAgUAA0kAMEYCIQCN7/F5DbM4Ug5NcKHeKFbb\r\n" \ + "3EHpsBjg0//gXa9mJ7Q4jAIhAIzio6vwCYnzrslzsTbPpmtU+6Op6SlzdGO/iR77\r\n" \ + "bcfp\r\n" \ + "-----END CERTIFICATE-----\r\n" +/* END FILE */ + +/* This is generated from tests/data_files/server11.crt.der using `xxd -i`. */ +/* BEGIN FILE binary macro TEST_SRV_CRT_EC_DER tests/data_files/server11.crt.der */ +#define TEST_SRV_CRT_EC_DER { \ + 0x30, 0x82, 0x01, 0xaf, 0x30, 0x82, 0x01, 0x52, 0xa0, 0x03, 0x02, 0x01, \ + 0x02, 0x02, 0x01, 0x01, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, \ + 0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x1a, 0x30, 0x18, \ + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x54, 0x65, 0x73, 0x74, 0x20, \ + 0x43, 0x41, 0x20, 0x53, 0x65, 0x63, 0x70, 0x32, 0x35, 0x36, 0x72, 0x31, \ + 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x4d, \ + 0x62, 0x65, 0x64, 0x54, 0x4c, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, \ + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x4b, 0x30, 0x1e, 0x17, 0x0d, 0x30, \ + 0x31, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, \ + 0x17, 0x0d, 0x33, 0x30, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, \ + 0x35, 0x39, 0x5a, 0x30, 0x33, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, \ + 0x04, 0x03, 0x0c, 0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, \ + 0x74, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, \ + 0x4d, 0x62, 0x65, 0x64, 0x54, 0x4c, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, \ + 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x4b, 0x30, 0x59, 0x30, 0x13, \ + 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, \ + 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xc7, \ + 0xe2, 0x4d, 0x88, 0xfb, 0xd1, 0xc6, 0xff, 0x60, 0x0c, 0xe1, 0xc3, 0x74, \ + 0xa4, 0xf9, 0x1f, 0x3b, 0xad, 0x9d, 0x74, 0xa5, 0xb0, 0xb4, 0x3b, 0x1d, \ + 0x15, 0xec, 0xd9, 0xa0, 0xac, 0x70, 0x5d, 0x89, 0xb4, 0x0a, 0x56, 0x5e, \ + 0xcd, 0x96, 0x26, 0x7e, 0x99, 0x7c, 0xc7, 0x94, 0x3b, 0xf9, 0x5d, 0xa8, \ + 0x1a, 0x0d, 0xd3, 0x5e, 0x80, 0xbc, 0x4c, 0xe9, 0x97, 0x8c, 0x0b, 0x5a, \ + 0x6d, 0xf0, 0xcd, 0xa3, 0x4d, 0x30, 0x4b, 0x30, 0x09, 0x06, 0x03, 0x55, \ + 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, \ + 0x0e, 0x04, 0x16, 0x04, 0x14, 0x23, 0x5e, 0x3d, 0x1e, 0xdb, 0x09, 0x44, \ + 0x56, 0x94, 0x82, 0x6f, 0x24, 0xa9, 0xbb, 0x6a, 0x03, 0x26, 0x09, 0xfb, \ + 0xb2, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, \ + 0x80, 0x14, 0x4a, 0x5e, 0xa4, 0x61, 0x33, 0x4b, 0x16, 0x48, 0x0c, 0x31, \ + 0x78, 0x22, 0x35, 0xd6, 0xfb, 0xce, 0x50, 0xe7, 0x20, 0x12, 0x30, 0x0c, \ + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, \ + 0x03, 0x49, 0x00, 0x30, 0x46, 0x02, 0x21, 0x00, 0x8d, 0xef, 0xf1, 0x79, \ + 0x0d, 0xb3, 0x38, 0x52, 0x0e, 0x4d, 0x70, 0xa1, 0xde, 0x28, 0x56, 0xdb, \ + 0xdc, 0x41, 0xe9, 0xb0, 0x18, 0xe0, 0xd3, 0xff, 0xe0, 0x5d, 0xaf, 0x66, \ + 0x27, 0xb4, 0x38, 0x8c, 0x02, 0x21, 0x00, 0x8c, 0xe2, 0xa3, 0xab, 0xf0, \ + 0x09, 0x89, 0xf3, 0xae, 0xc9, 0x73, 0xb1, 0x36, 0xcf, 0xa6, 0x6b, 0x54, \ + 0xfb, 0xa3, 0xa9, 0xe9, 0x29, 0x73, 0x74, 0x63, 0xbf, 0x89, 0x1e, 0xfb, \ + 0x6d, 0xc7, 0xe9 \ +} +/* END FILE */ + +/* This is taken from tests/data_files/server11.key.pem. */ +/* BEGIN FILE string macro TEST_SRV_KEY_EC_PEM tests/data_files/server11.key.pem */ +#define TEST_SRV_KEY_EC_PEM \ + "-----BEGIN EC PRIVATE KEY-----\r\n" \ + "MHcCAQEEIGEWs7/9cQHgEI5v2qeQRGLoFhjrNK4lul6tmcqDACKuoAoGCCqGSM49\r\n" \ + "AwEHoUQDQgAEx+JNiPvRxv9gDOHDdKT5HzutnXSlsLQ7HRXs2aCscF2JtApWXs2W\r\n" \ + "Jn6ZfMeUO/ldqBoN016AvEzpl4wLWm3wzQ==\r\n" \ + "-----END EC PRIVATE KEY-----\r\n" +/* END FILE */ + +/* This is generated from tests/data_files/server11.key.der using `xxd -i`. */ +/* BEGIN FILE binary macro TEST_SRV_KEY_EC_DER tests/data_files/server11.key.der */ +#define TEST_SRV_KEY_EC_DER { \ + 0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x61, 0x16, 0xb3, 0xbf, 0xfd, \ + 0x71, 0x01, 0xe0, 0x10, 0x8e, 0x6f, 0xda, 0xa7, 0x90, 0x44, 0x62, 0xe8, \ + 0x16, 0x18, 0xeb, 0x34, 0xae, 0x25, 0xba, 0x5e, 0xad, 0x99, 0xca, 0x83, \ + 0x00, 0x22, 0xae, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, \ + 0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0xc7, 0xe2, 0x4d, \ + 0x88, 0xfb, 0xd1, 0xc6, 0xff, 0x60, 0x0c, 0xe1, 0xc3, 0x74, 0xa4, 0xf9, \ + 0x1f, 0x3b, 0xad, 0x9d, 0x74, 0xa5, 0xb0, 0xb4, 0x3b, 0x1d, 0x15, 0xec, \ + 0xd9, 0xa0, 0xac, 0x70, 0x5d, 0x89, 0xb4, 0x0a, 0x56, 0x5e, 0xcd, 0x96, \ + 0x26, 0x7e, 0x99, 0x7c, 0xc7, 0x94, 0x3b, 0xf9, 0x5d, 0xa8, 0x1a, 0x0d, \ + 0xd3, 0x5e, 0x80, 0xbc, 0x4c, 0xe9, 0x97, 0x8c, 0x0b, 0x5a, 0x6d, 0xf0, \ + 0xcd \ +} +/* END FILE */ + +#else /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ + /* This is taken from tests/data_files/server5.crt. */ /* BEGIN FILE string macro TEST_SRV_CRT_EC_PEM tests/data_files/server5.crt */ #define TEST_SRV_CRT_EC_PEM \ @@ -611,6 +804,8 @@ } /* END FILE */ +#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ + /* This is taken from tests/data_files/server2-sha256.crt. */ /* BEGIN FILE string macro TEST_SRV_CRT_RSA_SHA256_PEM tests/data_files/server2-sha256.crt */ #define TEST_SRV_CRT_RSA_SHA256_PEM \ @@ -962,6 +1157,101 @@ * - multiple EC curve types */ +/* Use CRTs with Secp256r1-only if Secp384r1 is disabled. + * Otherwise, fall back to previous test CRTs using both + * Secp256r1 and Secp384r1. */ +#if !defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) + +/* This is taken from tests/data_files/cli3.crt. */ +/* BEGIN FILE string macro TEST_CLI_CRT_EC_PEM tests/data_files/cli3.crt.pem */ +#define TEST_CLI_CRT_EC_PEM \ + "-----BEGIN CERTIFICATE-----\r\n" \ + "MIIBuTCCAVygAwIBAgIBATAMBggqhkjOPQQDAgUAMDsxGjAYBgNVBAMMEVRlc3Qg\r\n" \ + "Q0EgU2VjcDI1NnIxMRAwDgYDVQQKDAdNYmVkVExTMQswCQYDVQQGEwJVSzAeFw0w\r\n" \ + "MTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMD0xHDAaBgNVBAMME1Rlc3QgQ1JU\r\n" \ + "MiBTZWNwMjU2cjExEDAOBgNVBAoMB01iZWRUTFMxCzAJBgNVBAYTAlVLMFkwEwYH\r\n" \ + "KoZIzj0CAQYIKoZIzj0DAQcDQgAEEm+TJ4LBB85IBjWNcNIodr2L06CZqLbVClmH\r\n" \ + "uxPqiZafsAZDl0lqgL6cCigF/ML2EqFyKW+Oext3uAmNkemj6aNNMEswCQYDVR0T\r\n" \ + "BAIwADAdBgNVHQ4EFgQUF9Yq9UkoSClnXwrdghuhrokH/hIwHwYDVR0jBBgwFoAU\r\n" \ + "Sl6kYTNLFkgMMXgiNdb7zlDnIBIwDAYIKoZIzj0EAwIFAANJADBGAiEAg3UsTyLd\r\n" \ + "vCPRG13gbf1R8gb85g4K1VbZ+CKl58HW2VgCIQDXk/8WFrt7vA+m3L1xJxj8iln9\r\n" \ + "wMR16i9Fqykw7cqsRw==\r\n" \ + "-----END CERTIFICATE-----\r\n" +/* END FILE */ + +/* This is generated from tests/data_files/cli3.crt.der using `xxd -i`. */ +/* BEGIN FILE binary macro TEST_CLI_CRT_EC_DER tests/data_files/cli3.crt.der */ +#define TEST_CLI_CRT_EC_DER { \ + 0x30, 0x82, 0x01, 0xb9, 0x30, 0x82, 0x01, 0x5c, 0xa0, 0x03, 0x02, 0x01, \ + 0x02, 0x02, 0x01, 0x01, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, \ + 0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x1a, 0x30, 0x18, \ + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x54, 0x65, 0x73, 0x74, 0x20, \ + 0x43, 0x41, 0x20, 0x53, 0x65, 0x63, 0x70, 0x32, 0x35, 0x36, 0x72, 0x31, \ + 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x4d, \ + 0x62, 0x65, 0x64, 0x54, 0x4c, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, \ + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x4b, 0x30, 0x1e, 0x17, 0x0d, 0x30, \ + 0x31, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, \ + 0x17, 0x0d, 0x33, 0x30, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, \ + 0x35, 0x39, 0x5a, 0x30, 0x3d, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, \ + 0x04, 0x03, 0x0c, 0x13, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x52, 0x54, \ + 0x32, 0x20, 0x53, 0x65, 0x63, 0x70, 0x32, 0x35, 0x36, 0x72, 0x31, 0x31, \ + 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x4d, 0x62, \ + 0x65, 0x64, 0x54, 0x4c, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, \ + 0x04, 0x06, 0x13, 0x02, 0x55, 0x4b, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, \ + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, \ + 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x12, 0x6f, 0x93, \ + 0x27, 0x82, 0xc1, 0x07, 0xce, 0x48, 0x06, 0x35, 0x8d, 0x70, 0xd2, 0x28, \ + 0x76, 0xbd, 0x8b, 0xd3, 0xa0, 0x99, 0xa8, 0xb6, 0xd5, 0x0a, 0x59, 0x87, \ + 0xbb, 0x13, 0xea, 0x89, 0x96, 0x9f, 0xb0, 0x06, 0x43, 0x97, 0x49, 0x6a, \ + 0x80, 0xbe, 0x9c, 0x0a, 0x28, 0x05, 0xfc, 0xc2, 0xf6, 0x12, 0xa1, 0x72, \ + 0x29, 0x6f, 0x8e, 0x7b, 0x1b, 0x77, 0xb8, 0x09, 0x8d, 0x91, 0xe9, 0xa3, \ + 0xe9, 0xa3, 0x4d, 0x30, 0x4b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, \ + 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, \ + 0x16, 0x04, 0x14, 0x17, 0xd6, 0x2a, 0xf5, 0x49, 0x28, 0x48, 0x29, 0x67, \ + 0x5f, 0x0a, 0xdd, 0x82, 0x1b, 0xa1, 0xae, 0x89, 0x07, 0xfe, 0x12, 0x30, \ + 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, \ + 0x4a, 0x5e, 0xa4, 0x61, 0x33, 0x4b, 0x16, 0x48, 0x0c, 0x31, 0x78, 0x22, \ + 0x35, 0xd6, 0xfb, 0xce, 0x50, 0xe7, 0x20, 0x12, 0x30, 0x0c, 0x06, 0x08, \ + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, 0x03, 0x49, \ + 0x00, 0x30, 0x46, 0x02, 0x21, 0x00, 0x83, 0x75, 0x2c, 0x4f, 0x22, 0xdd, \ + 0xbc, 0x23, 0xd1, 0x1b, 0x5d, 0xe0, 0x6d, 0xfd, 0x51, 0xf2, 0x06, 0xfc, \ + 0xe6, 0x0e, 0x0a, 0xd5, 0x56, 0xd9, 0xf8, 0x22, 0xa5, 0xe7, 0xc1, 0xd6, \ + 0xd9, 0x58, 0x02, 0x21, 0x00, 0xd7, 0x93, 0xff, 0x16, 0x16, 0xbb, 0x7b, \ + 0xbc, 0x0f, 0xa6, 0xdc, 0xbd, 0x71, 0x27, 0x18, 0xfc, 0x8a, 0x59, 0xfd, \ + 0xc0, 0xc4, 0x75, 0xea, 0x2f, 0x45, 0xab, 0x29, 0x30, 0xed, 0xca, 0xac, \ + 0x47 \ +} +/* END FILE */ + +/* This is taken from tests/data_files/cli3.key.pem. */ +/* BEGIN FILE string macro TEST_CLI_KEY_EC_PEM tests/data_files/cli3.key.pem */ +#define TEST_CLI_KEY_EC_PEM \ + "-----BEGIN EC PRIVATE KEY-----\r\n" \ + "MHcCAQEEIGFE8JJMBKeo1BnPGgzGae1stIrWdEaUvjo9xO8OTC5QoAoGCCqGSM49\r\n" \ + "AwEHoUQDQgAEEm+TJ4LBB85IBjWNcNIodr2L06CZqLbVClmHuxPqiZafsAZDl0lq\r\n" \ + "gL6cCigF/ML2EqFyKW+Oext3uAmNkemj6Q==\r\n" \ + "-----END EC PRIVATE KEY-----\r\n" +/* END FILE */ + +/* This is generated from tests/data_files/cli3.key.der using `xxd -i`. */ +/* BEGIN FILE binary macro TEST_CLI_KEY_EC_DER tests/data_files/cli3.key.der */ +#define TEST_CLI_KEY_EC_DER { \ + 0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x61, 0x44, 0xf0, 0x92, 0x4c, \ + 0x04, 0xa7, 0xa8, 0xd4, 0x19, 0xcf, 0x1a, 0x0c, 0xc6, 0x69, 0xed, 0x6c, \ + 0xb4, 0x8a, 0xd6, 0x74, 0x46, 0x94, 0xbe, 0x3a, 0x3d, 0xc4, 0xef, 0x0e, \ + 0x4c, 0x2e, 0x50, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, \ + 0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0x12, 0x6f, 0x93, \ + 0x27, 0x82, 0xc1, 0x07, 0xce, 0x48, 0x06, 0x35, 0x8d, 0x70, 0xd2, 0x28, \ + 0x76, 0xbd, 0x8b, 0xd3, 0xa0, 0x99, 0xa8, 0xb6, 0xd5, 0x0a, 0x59, 0x87, \ + 0xbb, 0x13, 0xea, 0x89, 0x96, 0x9f, 0xb0, 0x06, 0x43, 0x97, 0x49, 0x6a, \ + 0x80, 0xbe, 0x9c, 0x0a, 0x28, 0x05, 0xfc, 0xc2, 0xf6, 0x12, 0xa1, 0x72, \ + 0x29, 0x6f, 0x8e, 0x7b, 0x1b, 0x77, 0xb8, 0x09, 0x8d, 0x91, 0xe9, 0xa3, \ + 0xe9 \ +} +/* END FILE */ + +#else /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ + /* This is taken from tests/data_files/cli2.crt. */ /* BEGIN FILE string macro TEST_CLI_CRT_EC_PEM tests/data_files/cli2.crt */ #define TEST_CLI_CRT_EC_PEM \ @@ -1061,6 +1351,8 @@ } /* END FILE */ +#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ + /* This is taken from tests/data_files/cli-rsa-sha256.crt. */ /* BEGIN FILE string macro TEST_CLI_CRT_RSA_PEM tests/data_files/cli-rsa-sha256.crt */ #define TEST_CLI_CRT_RSA_PEM \ diff --git a/scripts/generate_certs.sh b/scripts/generate_certs.sh new file mode 100755 index 000000000..4de4a5324 --- /dev/null +++ b/scripts/generate_certs.sh @@ -0,0 +1,66 @@ +#!/bin/sh + +if [ -d include/mbedtls ]; then :; else + echo "$0: must be run from root" >&2 + exit 1 +fi + +CERTS="library/certs.c" +CERTS_TMP="${CERTS}.tmp" +CERTS_NEW="${CERTS}.new" + +# Remove bodies of BEGIN FILE ... END FILE blocks +SED_RM_FILE_BODIES=":o; /BEGIN FILE/!{p;n;bo}; /BEGIN FILE/{p; n; :i; /END FILE/{n; bo}; n; bi}" +sed -n "${SED_RM_FILE_BODIES}" $CERTS > ${CERTS_TMP} +while IFS= read -r line; do + echo "$line" + CMD=`echo "$line" | sed -n 's/^\/\* BEGIN FILE \([^ ]*\) \([^ ]*\) \([^ ]*\) \([^ ]*\)*.*$/\1 \2 \3 \4/p'` + if [ -n "$CMD" ]; then + enc=$(echo "$CMD" | cut -f1 -d' ' ) + type=$(echo "$CMD" | cut -f2 -d' ' ) + name=$(echo "$CMD" | cut -f3 -d' ' ) + file=$(echo "$CMD" | cut -f4 -d' ' ) + + if [ "$type" != "variable" ] && [ "$type" != "macro" ]; then + exit 1 + fi + + if [ "$enc" != "string" ] && [ "$enc" != "binary" ]; then + exit 1 + fi + + # Support 'binary' and 'string' encoding + # Support 'variable' and 'macro' types + + if [ "$enc" = "binary" ]; then + DATA=`xxd -i "$file" | tail -n +2 | head -n -2 | sed 's/^[ ]*/ /'` + elif [ "$enc" = "string" ]; then + DATA=`cat "$file" | sed 's/^/ \"/;s/$/\\r\\n\"/'` + fi + + if [ "$type" = "variable" ]; then + if [ "$enc" = "binary" ]; then + echo "const unsigned char ${name}[] = {" + xxd -i "$file" | sed 's/^[ ]*/ /' | tail -n +2 | head -n -2 + echo "};" + elif [ "$enc" = "string" ]; then + echo "const char ${name}[] =" + cat "$file" | head -n -1 | sed 's/^/ \"/;s/$/\\r\\n\"/' + cat "$file" | tail -n 1 | sed 's/^/ \"/;s/$/\\r\\n\";/' + fi + elif [ "$type" = "macro" ]; then + if [ "$enc" = "binary" ]; then + printf '%-77s\\\n' "#define ${name} {" + xxd -i "$file" | sed 's/^[ ]*/ /' | tail -n +2 | head -n -2 | + xargs -d'\n' printf '%-77s\\\n' + echo "}" + elif [ "$enc" = "string" ]; then + printf '%-75s\\\n' "#define ${name}" + cat "$file" | head -n -1 | sed 's/^/ \"/; s/$/\\r\\n\"/' | xargs -d'\n' printf '%-75s\\\n' + cat "$file" | tail -n 1 | sed 's/^/ \"/; s/$/\\r\\n\"/' + fi + fi + + echo "/* END FILE */" + fi +done < ${CERTS_TMP} > ${CERTS} diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 44496911e..2732c3021 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -15,6 +15,7 @@ OPENSSL ?= openssl FAKETIME ?= faketime MBEDTLS_CERT_WRITE ?= $(PWD)/../../programs/x509/cert_write MBEDTLS_CERT_REQ ?= $(PWD)/../../programs/x509/cert_req +MBEDTLS_GEN_KEY ?= $(PWD)/../../programs/pkey/gen_key ## Build the generated test data. Note that since the final outputs ## are committed to the repository, this target should do nothing on a @@ -146,6 +147,42 @@ all_final += cli-rsa-sha256.crt.der $(OPENSSL) pkey -in $< -out $@ -inform PEM -outform DER all_final += cli-rsa.key.der +test-ca3.key.pem: + $(MBEDTLS_GEN_KEY) type=ec ec_curve=secp256r1 format=pem filename=$@ +test-ca3.key.der: test-ca3.key.pem + $(OPENSSL) ec -inform PEM -outform DER -in $< -out $@ +test-ca3.csr: test-ca3.key.der + $(MBEDTLS_CERT_REQ) filename=$< output_file=$@ subject_name="CN=Test CA Secp256r1, O=MbedTLS, C=UK" md=SHA256 +test-ca3.crt.pem: test-ca3.csr test-ca3.key.der + $(MBEDTLS_CERT_WRITE) request_file=test-ca3.csr selfsign=1 issuer_name="CN=Test CA Secp256r1, O=MbedTLS, C=UK" is_ca=1 md=SHA256 issuer_key=test-ca3.key.der output_file=$@ +test-ca3.crt.der: test-ca3.crt.pem + $(OPENSSL) x509 -inform PEM -outform DER -in $< -out $@ +all_final += test-ca3.key.pem test-ca3.key.der test-ca3.csr test-ca3.crt.pem test-ca3.crt.der + +cli3.key.pem: + $(MBEDTLS_GEN_KEY) type=ec ec_curve=secp256r1 format=pem filename=$@ +cli3.key.der: cli3.key.pem + $(OPENSSL) ec -inform PEM -outform DER -in $< -out $@ +cli3.csr: cli3.key.der + $(MBEDTLS_CERT_REQ) filename=$< output_file=$@ subject_name="CN=Test CRT2 Secp256r1, O=MbedTLS, C=UK" md=SHA256 +cli3.crt.pem: cli3.csr test-ca3.key.der + $(MBEDTLS_CERT_WRITE) request_file=cli3.csr issuer_name="CN=Test CA Secp256r1, O=MbedTLS, C=UK" md=SHA256 issuer_key=test-ca3.key.der output_file=$@ +cli3.crt.der: cli3.crt.pem + $(OPENSSL) x509 -inform PEM -outform DER -in $< -out $@ +all_final += cli3.key.pem cli3.key.der cli3.csr cli3.crt.pem cli3.crt.der + +server11.key.pem: + $(MBEDTLS_GEN_KEY) type=ec ec_curve=secp256r1 format=pem filename=$@ +server11.key.der: server11.key.pem + $(OPENSSL) ec -inform PEM -outform DER -in $< -out $@ +server11.csr: server11.key.der + $(MBEDTLS_CERT_REQ) filename=$< output_file=$@ subject_name="CN=localhost, O=MbedTLS, C=UK" md=SHA256 +server11.crt.pem: server11.csr test-ca3.key.der + $(MBEDTLS_CERT_WRITE) request_file=server11.csr issuer_name="CN=Test CA Secp256r1, O=MbedTLS, C=UK" md=SHA256 issuer_key=test-ca3.key.der output_file=$@ +server11.crt.der: server11.crt.pem + $(OPENSSL) x509 -inform PEM -outform DER -in $< -out $@ +all_final += server11.key.pem server11.key.der server11.csr server11.crt.pem server11.crt.der + test_ca_int_rsa1 = test-int-ca.crt server7.csr: server7.key diff --git a/tests/data_files/Readme-x509.txt b/tests/data_files/Readme-x509.txt index 6f54ed0c1..388865be5 100644 --- a/tests/data_files/Readme-x509.txt +++ b/tests/data_files/Readme-x509.txt @@ -11,6 +11,8 @@ There are two main CAs for use as trusted roots: - test-ca2*.crt aka "C=NL, O=PolarSSL, CN=Polarssl Test EC CA" uses an EC key with NIST P-384 (aka secp384r1) variants used to test the keyUsage extension +- test-ca3.crt aka "CN=TestCASecp256r1, O=MbedTLS, C=UK" + uses an EC key with NIST P-256 (aka secp256r1) The files test-ca_cat12 and test-ca_cat21 contain them concatenated both ways. Two intermediate CAs are signed by them: @@ -40,6 +42,7 @@ Short information fields: - name or pattern - issuing CA: 1 -> test-ca.crt 2 -> test-ca2.crt + 3 -> test-ca3.crt I1 -> test-int-ca.crt I2 -> test-int-ca2.crt I3 -> test-int-ca3.crt @@ -57,6 +60,7 @@ List of certificates: - cert_md*.crt, cert_sha*.crt: 1 R: signature hash - cert_v1_with_ext.crt: 1 R: v1 with extensions (illegal) - cli2.crt: 2 E: basic +- cli3.crt: 3 E, secp256r1 curve - cli-rsa.key, cli-rsa-*.crt: RSA key used for test clients, signed by the RSA test CA. - enco-cert-utf8str.pem: see enco-ca-prstr.pem above @@ -102,6 +106,7 @@ List of certificates: _int3_int-ca2.crt: S10 + I3 + I2 _int3_int-ca2_ca.crt: S10 + I3 + I2 + 1 _int3_spurious_int-ca2.crt: S10 + I3 + I1(spurious) + I2 + - server11.crt: 3 E, secp256r1 curve Certificate revocation lists ---------------------------- diff --git a/tests/data_files/cli3.crt.der b/tests/data_files/cli3.crt.der new file mode 100644 index 000000000..70878cb8c Binary files /dev/null and b/tests/data_files/cli3.crt.der differ diff --git a/tests/data_files/cli3.crt.pem b/tests/data_files/cli3.crt.pem new file mode 100644 index 000000000..e823c0a23 --- /dev/null +++ b/tests/data_files/cli3.crt.pem @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBuTCCAVygAwIBAgIBATAMBggqhkjOPQQDAgUAMDsxGjAYBgNVBAMMEVRlc3Qg +Q0EgU2VjcDI1NnIxMRAwDgYDVQQKDAdNYmVkVExTMQswCQYDVQQGEwJVSzAeFw0w +MTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMD0xHDAaBgNVBAMME1Rlc3QgQ1JU +MiBTZWNwMjU2cjExEDAOBgNVBAoMB01iZWRUTFMxCzAJBgNVBAYTAlVLMFkwEwYH +KoZIzj0CAQYIKoZIzj0DAQcDQgAEEm+TJ4LBB85IBjWNcNIodr2L06CZqLbVClmH +uxPqiZafsAZDl0lqgL6cCigF/ML2EqFyKW+Oext3uAmNkemj6aNNMEswCQYDVR0T +BAIwADAdBgNVHQ4EFgQUF9Yq9UkoSClnXwrdghuhrokH/hIwHwYDVR0jBBgwFoAU +Sl6kYTNLFkgMMXgiNdb7zlDnIBIwDAYIKoZIzj0EAwIFAANJADBGAiEAg3UsTyLd +vCPRG13gbf1R8gb85g4K1VbZ+CKl58HW2VgCIQDXk/8WFrt7vA+m3L1xJxj8iln9 +wMR16i9Fqykw7cqsRw== +-----END CERTIFICATE----- diff --git a/tests/data_files/cli3.csr b/tests/data_files/cli3.csr new file mode 100644 index 000000000..501bc3088 --- /dev/null +++ b/tests/data_files/cli3.csr @@ -0,0 +1,8 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIH6MIGfAgEAMD0xHDAaBgNVBAMME1Rlc3QgQ1JUMiBTZWNwMjU2cjExEDAOBgNV +BAoMB01iZWRUTFMxCzAJBgNVBAYTAlVLMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD +QgAEEm+TJ4LBB85IBjWNcNIodr2L06CZqLbVClmHuxPqiZafsAZDl0lqgL6cCigF +/ML2EqFyKW+Oext3uAmNkemj6aAAMAwGCCqGSM49BAMCBQADSAAwRQIgPbHQgHvW +f/gN4jV+GHIkQGhI4OAa7d82/dVzxXbYxnACIQCoqAs7agETcK6jp7A36pnKT9Jc +Lck5I3roXwDPXMtzSg== +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/cli3.key.der b/tests/data_files/cli3.key.der new file mode 100644 index 000000000..0a1851e6e Binary files /dev/null and b/tests/data_files/cli3.key.der differ diff --git a/tests/data_files/cli3.key.pem b/tests/data_files/cli3.key.pem new file mode 100644 index 000000000..3d1cd1a82 --- /dev/null +++ b/tests/data_files/cli3.key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIGFE8JJMBKeo1BnPGgzGae1stIrWdEaUvjo9xO8OTC5QoAoGCCqGSM49 +AwEHoUQDQgAEEm+TJ4LBB85IBjWNcNIodr2L06CZqLbVClmHuxPqiZafsAZDl0lq +gL6cCigF/ML2EqFyKW+Oext3uAmNkemj6Q== +-----END EC PRIVATE KEY----- diff --git a/tests/data_files/server11.crt.der b/tests/data_files/server11.crt.der new file mode 100644 index 000000000..e47f10ffe Binary files /dev/null and b/tests/data_files/server11.crt.der differ diff --git a/tests/data_files/server11.crt.pem b/tests/data_files/server11.crt.pem new file mode 100644 index 000000000..ad1a2ff38 --- /dev/null +++ b/tests/data_files/server11.crt.pem @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBrzCCAVKgAwIBAgIBATAMBggqhkjOPQQDAgUAMDsxGjAYBgNVBAMMEVRlc3Qg +Q0EgU2VjcDI1NnIxMRAwDgYDVQQKDAdNYmVkVExTMQswCQYDVQQGEwJVSzAeFw0w +MTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMDMxEjAQBgNVBAMMCWxvY2FsaG9z +dDEQMA4GA1UECgwHTWJlZFRMUzELMAkGA1UEBhMCVUswWTATBgcqhkjOPQIBBggq +hkjOPQMBBwNCAATH4k2I+9HG/2AM4cN0pPkfO62ddKWwtDsdFezZoKxwXYm0ClZe +zZYmfpl8x5Q7+V2oGg3TXoC8TOmXjAtabfDNo00wSzAJBgNVHRMEAjAAMB0GA1Ud +DgQWBBQjXj0e2wlEVpSCbySpu2oDJgn7sjAfBgNVHSMEGDAWgBRKXqRhM0sWSAwx +eCI11vvOUOcgEjAMBggqhkjOPQQDAgUAA0kAMEYCIQCN7/F5DbM4Ug5NcKHeKFbb +3EHpsBjg0//gXa9mJ7Q4jAIhAIzio6vwCYnzrslzsTbPpmtU+6Op6SlzdGO/iR77 +bcfp +-----END CERTIFICATE----- diff --git a/tests/data_files/server11.csr b/tests/data_files/server11.csr new file mode 100644 index 000000000..5978e34c6 --- /dev/null +++ b/tests/data_files/server11.csr @@ -0,0 +1,8 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIHwMIGVAgEAMDMxEjAQBgNVBAMMCWxvY2FsaG9zdDEQMA4GA1UECgwHTWJlZFRM +UzELMAkGA1UEBhMCVUswWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATH4k2I+9HG +/2AM4cN0pPkfO62ddKWwtDsdFezZoKxwXYm0ClZezZYmfpl8x5Q7+V2oGg3TXoC8 +TOmXjAtabfDNoAAwDAYIKoZIzj0EAwIFAANIADBFAiB8fjrx5Y4vietqCbuB1/1y +1UMETwhDoCr5uRlPmOME/AIhAKr7gJJguJcXvyWPBBLJ7Ig4ingF8UGirfeWu6es +4t3v +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server11.key.der b/tests/data_files/server11.key.der new file mode 100644 index 000000000..894b8fb52 Binary files /dev/null and b/tests/data_files/server11.key.der differ diff --git a/tests/data_files/server11.key.pem b/tests/data_files/server11.key.pem new file mode 100644 index 000000000..ec7587513 --- /dev/null +++ b/tests/data_files/server11.key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIGEWs7/9cQHgEI5v2qeQRGLoFhjrNK4lul6tmcqDACKuoAoGCCqGSM49 +AwEHoUQDQgAEx+JNiPvRxv9gDOHDdKT5HzutnXSlsLQ7HRXs2aCscF2JtApWXs2W +Jn6ZfMeUO/ldqBoN016AvEzpl4wLWm3wzQ== +-----END EC PRIVATE KEY----- diff --git a/tests/data_files/test-ca3.crt.der b/tests/data_files/test-ca3.crt.der new file mode 100644 index 000000000..75ba4bc9f Binary files /dev/null and b/tests/data_files/test-ca3.crt.der differ diff --git a/tests/data_files/test-ca3.crt.pem b/tests/data_files/test-ca3.crt.pem new file mode 100644 index 000000000..66c233522 --- /dev/null +++ b/tests/data_files/test-ca3.crt.pem @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBuTCCAV2gAwIBAgIBATAMBggqhkjOPQQDAgUAMDsxGjAYBgNVBAMMEVRlc3Qg +Q0EgU2VjcDI1NnIxMRAwDgYDVQQKDAdNYmVkVExTMQswCQYDVQQGEwJVSzAeFw0w +MTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMDsxGjAYBgNVBAMMEVRlc3QgQ0Eg +U2VjcDI1NnIxMRAwDgYDVQQKDAdNYmVkVExTMQswCQYDVQQGEwJVSzBZMBMGByqG +SM49AgEGCCqGSM49AwEHA0IABLZIHgilzw/iCx1r09kyZsZfarzztX4y1km0S5Mx +rsFB67NjUhXE6/YY3W38oxeY4eIvEb516BOR/g3e3OL7Q8WjUDBOMAwGA1UdEwQF +MAMBAf8wHQYDVR0OBBYEFEpepGEzSxZIDDF4IjXW+85Q5yASMB8GA1UdIwQYMBaA +FEpepGEzSxZIDDF4IjXW+85Q5yASMAwGCCqGSM49BAMCBQADSAAwRQIhAKejV1jK +vPH1vIsZAr6/VmSvjXkxmT2rpzEP9iJvJAteAiBhCPtV7LdSF1ZUqphAK3DYh2m7 +l1eSxSKXB29adbF96g== +-----END CERTIFICATE----- diff --git a/tests/data_files/test-ca3.csr b/tests/data_files/test-ca3.csr new file mode 100644 index 000000000..b79b65578 --- /dev/null +++ b/tests/data_files/test-ca3.csr @@ -0,0 +1,8 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIH5MIGdAgEAMDsxGjAYBgNVBAMMEVRlc3QgQ0EgU2VjcDI1NnIxMRAwDgYDVQQK +DAdNYmVkVExTMQswCQYDVQQGEwJVSzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA +BLZIHgilzw/iCx1r09kyZsZfarzztX4y1km0S5MxrsFB67NjUhXE6/YY3W38oxeY +4eIvEb516BOR/g3e3OL7Q8WgADAMBggqhkjOPQQDAgUAA0kAMEYCIQD55eBPVcht +2trIK3YYWKJbGXIoKF0930KQh8eFAcFD8AIhAI2exrMqoNF8JDoUS2m3Vv0ZFYRG +982wT8Ok59LiWCOX +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/test-ca3.key.der b/tests/data_files/test-ca3.key.der new file mode 100644 index 000000000..f5d2972f4 Binary files /dev/null and b/tests/data_files/test-ca3.key.der differ diff --git a/tests/data_files/test-ca3.key.pem b/tests/data_files/test-ca3.key.pem new file mode 100644 index 000000000..e67005f00 --- /dev/null +++ b/tests/data_files/test-ca3.key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIDlfIVA04pd23r9UJhLf0kt6SkROecrhPbNWtawigBCkoAoGCCqGSM49 +AwEHoUQDQgAEtkgeCKXPD+ILHWvT2TJmxl9qvPO1fjLWSbRLkzGuwUHrs2NSFcTr +9hjdbfyjF5jh4i8RvnXoE5H+Dd7c4vtDxQ== +-----END EC PRIVATE KEY----- diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 71dba368e..57d915878 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1139,14 +1139,14 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 run_test "CertificateRequest with empty CA list, TLS 1.1 (GnuTLS server)" \ "$G_SRV"\ - "$P_CLI force_version=tls1_1" \ + "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \ 0 requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1 run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \ "$G_SRV"\ - "$P_CLI force_version=tls1" \ + "$P_CLI force_version=tls1 ca_file=data_files/test-ca2.crt" \ 0 # Tests for SHA-1 support @@ -2187,7 +2187,7 @@ run_test "Fallback SCSV: enabled, max version" \ requires_openssl_with_fallback_scsv run_test "Fallback SCSV: default, openssl server" \ "$O_SRV" \ - "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \ + "$P_CLI debug_level=3 force_version=tls1_1 fallback=0 ca_file=data_files/test-ca2.crt" \ 0 \ -C "adding FALLBACK_SCSV" \ -C "is a fatal alert message (msg 86)" @@ -2195,7 +2195,7 @@ run_test "Fallback SCSV: default, openssl server" \ requires_openssl_with_fallback_scsv run_test "Fallback SCSV: enabled, openssl server" \ "$O_SRV" \ - "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \ + "$P_CLI debug_level=3 force_version=tls1_1 fallback=1 ca_file=data_files/test-ca2.crt" \ 1 \ -c "adding FALLBACK_SCSV" \ -c "is a fatal alert message (msg 86)" @@ -2426,7 +2426,7 @@ requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: openssl server" \ "$O_SRV" \ - "$P_CLI debug_level=3 tickets=1 reconnect=1" \ + "$P_CLI debug_level=3 tickets=1 reconnect=1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "client hello, adding session ticket extension" \ -c "found session_ticket extension" \ @@ -2517,7 +2517,7 @@ requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: openssl server" \ "$O_SRV -dtls1" \ - "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \ + "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "client hello, adding session ticket extension" \ -c "found session_ticket extension" \ @@ -2658,7 +2658,7 @@ requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache: openssl server" \ "$O_SRV" \ - "$P_CLI debug_level=3 tickets=0 reconnect=1" \ + "$P_CLI debug_level=3 tickets=0 reconnect=1 ca_file=data_files/test-ca2.crt" \ 0 \ -C "found session_ticket extension" \ -C "parse new session ticket" \ @@ -2784,7 +2784,7 @@ requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache, DTLS: openssl server" \ "$O_SRV -dtls1" \ - "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ + "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 ca_file=data_files/test-ca2.crt" \ 0 \ -C "found session_ticket extension" \ -C "parse new session ticket" \ @@ -2893,7 +2893,7 @@ requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_gnutls run_test "Max fragment length: gnutls server" \ "$G_SRV" \ - "$P_CLI debug_level=3 max_frag_len=4096" \ + "$P_CLI debug_level=3 max_frag_len=4096 ca_file=data_files/test-ca2.crt" \ 0 \ -c "Maximum fragment length is 4096" \ -c "client hello, adding max_fragment_length extension" \ @@ -3235,7 +3235,7 @@ run_test "Renegotiation: nbio, server-initiated" \ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: openssl server, client-initiated" \ "$O_SRV -www" \ - "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ + "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "client hello, adding renegotiation extension" \ -c "found renegotiation extension" \ @@ -3248,7 +3248,7 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: gnutls server strict, client-initiated" \ "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \ - "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ + "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "client hello, adding renegotiation extension" \ -c "found renegotiation extension" \ @@ -3261,7 +3261,7 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: gnutls server unsafe, client-initiated default" \ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ - "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ + "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \ 1 \ -c "client hello, adding renegotiation extension" \ -C "found renegotiation extension" \ @@ -3274,7 +3274,7 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ - "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \ + "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt \ allow_legacy=0" \ 1 \ -c "client hello, adding renegotiation extension" \ @@ -3288,7 +3288,7 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ - "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \ + "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt \ allow_legacy=1" \ 0 \ -c "client hello, adding renegotiation extension" \ @@ -3345,7 +3345,7 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: DTLS, gnutls server, client-initiated" \ "$G_SRV -u --mtu 4096" \ - "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \ + "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "client hello, adding renegotiation extension" \ -c "found renegotiation extension" \ @@ -3359,7 +3359,7 @@ run_test "Renegotiation: DTLS, gnutls server, client-initiated" \ requires_gnutls run_test "Renego ext: gnutls server strict, client default" \ "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \ - "$P_CLI debug_level=3" \ + "$P_CLI debug_level=3 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found renegotiation extension" \ -C "error" \ @@ -3368,7 +3368,7 @@ run_test "Renego ext: gnutls server strict, client default" \ requires_gnutls run_test "Renego ext: gnutls server unsafe, client default" \ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ - "$P_CLI debug_level=3" \ + "$P_CLI debug_level=3 ca_file=data_files/test-ca2.crt" \ 0 \ -C "found renegotiation extension" \ -C "error" \ @@ -3385,7 +3385,7 @@ run_test "Renego ext: gnutls server unsafe, client break legacy" \ requires_gnutls run_test "Renego ext: gnutls client strict, server default" \ - "$P_SRV debug_level=3" \ + "$P_SRV debug_level=3 crt_file=data_files/server5.crt key_file=data_files/server5.key" \ "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \ 0 \ -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \ @@ -3393,7 +3393,7 @@ run_test "Renego ext: gnutls client strict, server default" \ requires_gnutls run_test "Renego ext: gnutls client unsafe, server default" \ - "$P_SRV debug_level=3" \ + "$P_SRV debug_level=3 crt_file=data_files/server5.crt key_file=data_files/server5.key" \ "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \ 0 \ -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \ @@ -3401,7 +3401,7 @@ run_test "Renego ext: gnutls client unsafe, server default" \ requires_gnutls run_test "Renego ext: gnutls client unsafe, server break legacy" \ - "$P_SRV debug_level=3 allow_legacy=-1" \ + "$P_SRV debug_level=3 allow_legacy=-1 crt_file=data_files/server5.crt key_file=data_files/server5.key" \ "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \ 1 \ -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \ @@ -3550,7 +3550,7 @@ run_test "Authentication: server badcert, client none" \ -C "X509 - Certificate verification failed" run_test "Authentication: client SHA256, server required" \ - "$P_SRV auth_mode=required" \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \ "$P_CLI debug_level=3 crt_file=data_files/server6.crt \ key_file=data_files/server6.key \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \ @@ -3558,7 +3558,7 @@ run_test "Authentication: client SHA256, server required" \ -c "Supported Signature Algorithm found: 5," run_test "Authentication: client SHA384, server required" \ - "$P_SRV auth_mode=required" \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \ "$P_CLI debug_level=3 crt_file=data_files/server6.crt \ key_file=data_files/server6.key \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \ @@ -3692,7 +3692,7 @@ run_test "Authentication: client no cert, server optional" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "Authentication: openssl client no cert, server optional" \ - "$P_SRV debug_level=3 auth_mode=optional" \ + "$P_SRV debug_level=3 auth_mode=optional ca_file=data_files/test-ca2.crt" \ "$O_CLI" \ 0 \ -S "skip write certificate request" \ @@ -3703,7 +3703,7 @@ run_test "Authentication: openssl client no cert, server optional" \ run_test "Authentication: client no cert, openssl server optional" \ "$O_SRV -verify 10" \ - "$P_CLI debug_level=3 crt_file=none key_file=none" \ + "$P_CLI debug_level=3 crt_file=none key_file=none ca_file=data_files/test-ca2.crt" \ 0 \ -C "skip parse certificate request" \ -c "got a certificate request" \ @@ -3713,7 +3713,7 @@ run_test "Authentication: client no cert, openssl server optional" \ run_test "Authentication: client no cert, openssl server required" \ "$O_SRV -Verify 10" \ - "$P_CLI debug_level=3 crt_file=none key_file=none" \ + "$P_CLI debug_level=3 crt_file=none key_file=none ca_file=data_files/test-ca2.crt" \ 1 \ -C "skip parse certificate request" \ -c "got a certificate request" \ @@ -3827,14 +3827,14 @@ run_test "Authentication: client max_int chain, server required" \ # Tests for CA list in CertificateRequest messages run_test "Authentication: send CA list in CertificateRequest (default)" \ - "$P_SRV debug_level=3 auth_mode=required" \ + "$P_SRV debug_level=3 auth_mode=required ca_file=data_files/test-ca2.crt" \ "$P_CLI crt_file=data_files/server6.crt \ key_file=data_files/server6.key" \ 0 \ -s "requested DN" run_test "Authentication: do not send CA list in CertificateRequest" \ - "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \ + "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0 ca_file=data_files/test-ca2.crt" \ "$P_CLI crt_file=data_files/server6.crt \ key_file=data_files/server6.key" \ 0 \ @@ -3861,7 +3861,7 @@ run_test "Certificate hash: client TLS 1.2 -> SHA-2" \ key_file=data_files/server5.key \ crt_file2=data_files/server5-sha1.crt \ key_file2=data_files/server5.key" \ - "$P_CLI force_version=tls1_2" \ + "$P_CLI force_version=tls1_2 ca_file=data_files/test-ca2.crt" \ 0 \ -c "signed using.*ECDSA with SHA256" \ -C "signed using.*ECDSA with SHA1" @@ -3872,7 +3872,7 @@ run_test "Certificate hash: client TLS 1.1 -> SHA-1" \ key_file=data_files/server5.key \ crt_file2=data_files/server5-sha1.crt \ key_file2=data_files/server5.key" \ - "$P_CLI force_version=tls1_1" \ + "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \ 0 \ -C "signed using.*ECDSA with SHA256" \ -c "signed using.*ECDSA with SHA1" @@ -3883,7 +3883,7 @@ run_test "Certificate hash: client TLS 1.0 -> SHA-1" \ key_file=data_files/server5.key \ crt_file2=data_files/server5-sha1.crt \ key_file2=data_files/server5.key" \ - "$P_CLI force_version=tls1" \ + "$P_CLI force_version=tls1 ca_file=data_files/test-ca2.crt" \ 0 \ -C "signed using.*ECDSA with SHA256" \ -c "signed using.*ECDSA with SHA1" @@ -3894,7 +3894,7 @@ run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \ key_file=data_files/server5.key \ crt_file2=data_files/server6.crt \ key_file2=data_files/server6.key" \ - "$P_CLI force_version=tls1_1" \ + "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "serial number.*09" \ -c "signed using.*ECDSA with SHA256" \ @@ -3906,7 +3906,7 @@ run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \ key_file=data_files/server6.key \ crt_file2=data_files/server5.crt \ key_file2=data_files/server5.key" \ - "$P_CLI force_version=tls1_1" \ + "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "serial number.*0A" \ -c "signed using.*ECDSA with SHA256" \ @@ -3918,7 +3918,7 @@ requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "SNI: no SNI callback" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key" \ - "$P_CLI server_name=localhost" \ + "$P_CLI server_name=localhost ca_file=data_files/test-ca2.crt" \ 0 \ -S "parse ServerName extension" \ -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \ @@ -3930,7 +3930,7 @@ run_test "SNI: matching cert 1" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ - "$P_CLI server_name=localhost" \ + "$P_CLI server_name=localhost ca_file=data_files/test-ca.crt" \ 0 \ -s "parse ServerName extension" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ @@ -4068,7 +4068,7 @@ requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "SNI: DTLS, no SNI callback" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key" \ - "$P_CLI server_name=localhost dtls=1" \ + "$P_CLI server_name=localhost dtls=1 ca_file=data_files/test-ca2.crt" \ 0 \ -S "parse ServerName extension" \ -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \ @@ -4080,7 +4080,7 @@ run_test "SNI: DTLS, matching cert 1" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ - "$P_CLI server_name=localhost dtls=1" \ + "$P_CLI server_name=localhost dtls=1 ca_file=data_files/test-ca.crt" \ 0 \ -s "parse ServerName extension" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ @@ -4092,7 +4092,7 @@ run_test "SNI: DTLS, matching cert 2" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ - "$P_CLI server_name=polarssl.example dtls=1" \ + "$P_CLI server_name=polarssl.example dtls=1 ca_file=data_files/test-ca.crt" \ 0 \ -s "parse ServerName extension" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ @@ -4568,7 +4568,7 @@ run_test "keyUsage srv: RSA, keyAgreement -> fail" \ run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.ku-ds.crt" \ - "$P_CLI" \ + "$P_CLI ca_file=data_files/test-ca2.crt" \ 0 \ -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-" @@ -4576,14 +4576,14 @@ run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \ run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.ku-ka.crt" \ - "$P_CLI" \ + "$P_CLI ca_file=data_files/test-ca2.crt" \ 0 \ -c "Ciphersuite is TLS-ECDH-" run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.ku-ke.crt" \ - "$P_CLI" \ + "$P_CLI ca_file=data_files/test-ca2.crt" \ 1 \ -C "Ciphersuite is " @@ -4722,25 +4722,25 @@ run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \ run_test "extKeyUsage srv: serverAuth -> OK" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.eku-srv.crt" \ - "$P_CLI" \ + "$P_CLI ca_file=data_files/test-ca2.crt" \ 0 run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.eku-srv.crt" \ - "$P_CLI" \ + "$P_CLI ca_file=data_files/test-ca2.crt" \ 0 run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.eku-cs_any.crt" \ - "$P_CLI" \ + "$P_CLI ca_file=data_files/test-ca2.crt" \ 0 run_test "extKeyUsage srv: codeSign -> fail" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.eku-cli.crt" \ - "$P_CLI" \ + "$P_CLI ca_file=data_files/test-ca2.crt" \ 1 # Tests for extendedKeyUsage, part 2: client-side checking of server cert @@ -4748,7 +4748,7 @@ run_test "extKeyUsage srv: codeSign -> fail" \ run_test "extKeyUsage cli: serverAuth -> OK" \ "$O_SRV -key data_files/server5.key \ -cert data_files/server5.eku-srv.crt" \ - "$P_CLI debug_level=1" \ + "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \ 0 \ -C "bad certificate (usage extensions)" \ -C "Processing of the Certificate handshake message failed" \ @@ -4757,7 +4757,7 @@ run_test "extKeyUsage cli: serverAuth -> OK" \ run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \ "$O_SRV -key data_files/server5.key \ -cert data_files/server5.eku-srv_cli.crt" \ - "$P_CLI debug_level=1" \ + "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \ 0 \ -C "bad certificate (usage extensions)" \ -C "Processing of the Certificate handshake message failed" \ @@ -4766,7 +4766,7 @@ run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \ run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \ "$O_SRV -key data_files/server5.key \ -cert data_files/server5.eku-cs_any.crt" \ - "$P_CLI debug_level=1" \ + "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \ 0 \ -C "bad certificate (usage extensions)" \ -C "Processing of the Certificate handshake message failed" \ @@ -4775,7 +4775,7 @@ run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \ run_test "extKeyUsage cli: codeSign -> fail" \ "$O_SRV -key data_files/server5.key \ -cert data_files/server5.eku-cs.crt" \ - "$P_CLI debug_level=1" \ + "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \ 1 \ -c "bad certificate (usage extensions)" \ -c "Processing of the Certificate handshake message failed" \ @@ -4816,7 +4816,7 @@ run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \ -S "Processing of the Certificate handshake message failed" run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \ - "$P_SRV debug_level=1 auth_mode=required" \ + "$P_SRV debug_level=1 auth_mode=required ca_file=data_files/test-ca2.crt" \ "$O_CLI -key data_files/server5.key \ -cert data_files/server5.eku-cs.crt" \ 1 \ @@ -6182,7 +6182,7 @@ run_test "Large server packet TLS 1.2 AEAD shorter tag" \ requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: TLS, default" \ - "$P_SRV auth_mode=required" \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ debug_level=1" \ @@ -6194,7 +6194,7 @@ run_test "EC restart: TLS, default" \ requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: TLS, max_ops=0" \ - "$P_SRV auth_mode=required" \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ debug_level=1 ec_max_ops=0" \ @@ -6206,7 +6206,7 @@ run_test "EC restart: TLS, max_ops=0" \ requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: TLS, max_ops=65535" \ - "$P_SRV auth_mode=required" \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ debug_level=1 ec_max_ops=65535" \ @@ -6218,7 +6218,7 @@ run_test "EC restart: TLS, max_ops=65535" \ requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: TLS, max_ops=1000" \ - "$P_SRV auth_mode=required" \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ debug_level=1 ec_max_ops=1000" \ @@ -6231,11 +6231,11 @@ run_test "EC restart: TLS, max_ops=1000" \ requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "EC restart: TLS, max_ops=1000, badsign" \ - "$P_SRV auth_mode=required \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \ crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ + key_file=data_files/server5.key crt_file=data_files/server5.crt ca_file=data_files/test-ca2.crt \ debug_level=1 ec_max_ops=1000" \ 1 \ -c "x509_verify_cert.*4b00" \ @@ -6249,11 +6249,12 @@ run_test "EC restart: TLS, max_ops=1000, badsign" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ - "$P_SRV auth_mode=required \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \ crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ + ca_file=data_files/test-ca2.crt \ debug_level=1 ec_max_ops=1000 auth_mode=optional" \ 0 \ -c "x509_verify_cert.*4b00" \ @@ -6267,10 +6268,11 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ - "$P_SRV auth_mode=required \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \ crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ + ca_file=data_files/test-ca2.crt \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ debug_level=1 ec_max_ops=1000 auth_mode=none" \ 0 \ @@ -6284,7 +6286,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: DTLS, max_ops=1000" \ - "$P_SRV auth_mode=required dtls=1" \ + "$P_SRV auth_mode=required dtls=1 ca_file=data_files/test-ca2.crt" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ dtls=1 debug_level=1 ec_max_ops=1000" \ @@ -6450,7 +6452,7 @@ run_test "SSL async private: slot 0 used with key1" \ async_operations=s async_private_delay1=1 \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \ - "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \ + "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 ca_file=data_files/test-ca2.crt" \ 0 \ -s "Async sign callback: using key slot 0," \ -s "Async resume (slot 0): call 0 more times." \ @@ -6853,7 +6855,7 @@ run_test "DTLS wrong PSK: badmac alert" \ requires_gnutls run_test "DTLS reassembly: no fragmentation (gnutls server)" \ "$G_SRV -u --mtu 2048 -a" \ - "$P_CLI dtls=1 debug_level=2" \ + "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -C "found fragmented DTLS handshake message" \ -C "error" @@ -6861,7 +6863,7 @@ run_test "DTLS reassembly: no fragmentation (gnutls server)" \ requires_gnutls run_test "DTLS reassembly: some fragmentation (gnutls server)" \ "$G_SRV -u --mtu 512" \ - "$P_CLI dtls=1 debug_level=2" \ + "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -C "error" @@ -6869,7 +6871,7 @@ run_test "DTLS reassembly: some fragmentation (gnutls server)" \ requires_gnutls run_test "DTLS reassembly: more fragmentation (gnutls server)" \ "$G_SRV -u --mtu 128" \ - "$P_CLI dtls=1 debug_level=2" \ + "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -C "error" @@ -6877,7 +6879,7 @@ run_test "DTLS reassembly: more fragmentation (gnutls server)" \ requires_gnutls run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \ "$G_SRV -u --mtu 128" \ - "$P_CLI dtls=1 nbio=2 debug_level=2" \ + "$P_CLI dtls=1 nbio=2 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -C "error" @@ -6886,7 +6888,7 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \ "$G_SRV -u --mtu 256" \ - "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \ + "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -c "client hello, adding renegotiation extension" \ @@ -6900,7 +6902,7 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \ "$G_SRV -u --mtu 256" \ - "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \ + "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -c "client hello, adding renegotiation extension" \ @@ -6912,28 +6914,28 @@ run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \ run_test "DTLS reassembly: no fragmentation (openssl server)" \ "$O_SRV -dtls1 -mtu 2048" \ - "$P_CLI dtls=1 debug_level=2" \ + "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -C "found fragmented DTLS handshake message" \ -C "error" run_test "DTLS reassembly: some fragmentation (openssl server)" \ "$O_SRV -dtls1 -mtu 768" \ - "$P_CLI dtls=1 debug_level=2" \ + "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -C "error" run_test "DTLS reassembly: more fragmentation (openssl server)" \ "$O_SRV -dtls1 -mtu 256" \ - "$P_CLI dtls=1 debug_level=2" \ + "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -C "error" run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \ "$O_SRV -dtls1 -mtu 256" \ - "$P_CLI dtls=1 nbio=2 debug_level=2" \ + "$P_CLI dtls=1 nbio=2 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -C "error" @@ -6958,11 +6960,13 @@ run_test "DTLS fragmenting: none (for reference)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ max_frag_len=4096" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ max_frag_len=4096" \ 0 \ @@ -6978,11 +6982,13 @@ run_test "DTLS fragmenting: server only (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ max_frag_len=1024" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ max_frag_len=2048" \ 0 \ @@ -7002,11 +7008,13 @@ run_test "DTLS fragmenting: server only (more) (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ max_frag_len=512" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ max_frag_len=4096" \ 0 \ @@ -7022,11 +7030,13 @@ run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=none \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ max_frag_len=2048" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ max_frag_len=1024" \ 0 \ @@ -7050,11 +7060,13 @@ run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), pro "$P_SRV dtls=1 debug_level=2 auth_mode=none \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ max_frag_len=2048" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ max_frag_len=1024" \ 0 \ @@ -7070,11 +7082,13 @@ run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ max_frag_len=2048" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ max_frag_len=1024" \ 0 \ @@ -7098,11 +7112,13 @@ run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ max_frag_len=2048" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ max_frag_len=1024" \ 0 \ @@ -7117,11 +7133,13 @@ run_test "DTLS fragmenting: none (for reference) (MTU)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ mtu=4096" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ mtu=4096" \ 0 \ @@ -7136,11 +7154,13 @@ run_test "DTLS fragmenting: client (MTU)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=3500-60000 \ mtu=4096" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=3500-60000 \ mtu=1024" \ 0 \ @@ -7155,11 +7175,13 @@ run_test "DTLS fragmenting: server (MTU)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ mtu=512" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ mtu=2048" \ 0 \ @@ -7175,11 +7197,13 @@ run_test "DTLS fragmenting: both (MTU=1024)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ mtu=1024" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ mtu=1024" \ 0 \ @@ -7200,11 +7224,13 @@ run_test "DTLS fragmenting: both (MTU=512)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ mtu=512" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=2500-60000 \ mtu=512" \ @@ -7231,10 +7257,12 @@ run_test "DTLS fragmenting: proxy MTU: auto-reduction" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=400-3200" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=400-3200" \ 0 \ @@ -7255,10 +7283,12 @@ run_test "DTLS fragmenting: proxy MTU: auto-reduction" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=250-10000" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=250-10000" \ 0 \ @@ -7278,11 +7308,13 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=10000-60000 \ mtu=1024" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=10000-60000 \ mtu=1024" \ 0 \ @@ -7307,11 +7339,13 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=10000-60000 \ mtu=512" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=10000-60000 \ mtu=512" \ @@ -7330,11 +7364,13 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=10000-60000 \ mtu=1024 nbio=2" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=10000-60000 \ mtu=1024 nbio=2" \ 0 \ @@ -7356,11 +7392,13 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=10000-60000 \ mtu=512 nbio=2" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=10000-60000 \ mtu=512 nbio=2" \ @@ -7392,11 +7430,13 @@ run_test "DTLS fragmenting: proxy MTU, resumed handshake" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=10000-60000 \ mtu=1450" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=10000-60000 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ mtu=1450 reconnect=1 reco_delay=1" \ @@ -7421,12 +7461,14 @@ run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ exchanges=2 renegotiation=1 \ hs_timeout=10000-60000 \ mtu=512" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ exchanges=2 renegotiation=1 renegotiate=1 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=10000-60000 \ @@ -7453,12 +7495,14 @@ run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ exchanges=2 renegotiation=1 \ hs_timeout=10000-60000 \ mtu=512" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ exchanges=2 renegotiation=1 renegotiate=1 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=10000-60000 \ @@ -7485,6 +7529,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ exchanges=2 renegotiation=1 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \ hs_timeout=10000-60000 \ @@ -7492,6 +7537,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ exchanges=2 renegotiation=1 renegotiate=1 \ hs_timeout=10000-60000 \ mtu=1024" \ @@ -7518,6 +7564,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ exchanges=2 renegotiation=1 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \ hs_timeout=10000-60000 \ @@ -7525,6 +7572,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ exchanges=2 renegotiation=1 renegotiate=1 \ hs_timeout=10000-60000 \ mtu=1024" \ @@ -7550,6 +7598,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ exchanges=2 renegotiation=1 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 etm=0 \ hs_timeout=10000-60000 \ @@ -7557,6 +7606,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ exchanges=2 renegotiation=1 renegotiate=1 \ hs_timeout=10000-60000 \ mtu=1024" \ @@ -7579,10 +7629,12 @@ run_test "DTLS fragmenting: proxy MTU + 3d" \ "$P_SRV dgram_packing=0 dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=250-10000 mtu=512" \ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=250-10000 mtu=512" \ 0 \ @@ -7603,10 +7655,12 @@ run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=250-10000 mtu=512 nbio=2" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=250-10000 mtu=512 nbio=2" \ 0 \ @@ -7628,6 +7682,7 @@ run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1_2" \ 0 \ -c "fragmenting handshake message" \ @@ -7643,6 +7698,7 @@ run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1" \ 0 \ -c "fragmenting handshake message" \ @@ -7665,6 +7721,7 @@ run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1_2" \ "$G_CLI -u --insecure 127.0.0.1" \ 0 \ @@ -7681,6 +7738,7 @@ run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1" \ "$G_CLI -u --insecure 127.0.0.1" \ 0 \ @@ -7695,6 +7753,7 @@ run_test "DTLS fragmenting: openssl server, DTLS 1.2" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1_2" \ 0 \ -c "fragmenting handshake message" \ @@ -7709,6 +7768,7 @@ run_test "DTLS fragmenting: openssl server, DTLS 1.0" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1" \ 0 \ -c "fragmenting handshake message" \ @@ -7722,6 +7782,7 @@ run_test "DTLS fragmenting: openssl client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1_2" \ "$O_CLI -dtls1_2" \ 0 \ @@ -7735,6 +7796,7 @@ run_test "DTLS fragmenting: openssl client, DTLS 1.0" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1" \ "$O_CLI -dtls1" \ 0 \ @@ -7756,6 +7818,7 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ 0 \ -c "fragmenting handshake message" \ @@ -7773,6 +7836,7 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1" \ 0 \ -c "fragmenting handshake message" \ @@ -7789,6 +7853,7 @@ run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ "$G_NEXT_CLI -u --insecure 127.0.0.1" \ 0 \ @@ -7805,6 +7870,7 @@ run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1" \ "$G_NEXT_CLI -u --insecure 127.0.0.1" \ 0 \ @@ -7827,6 +7893,7 @@ run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ 0 \ -c "fragmenting handshake message" \ @@ -7844,6 +7911,7 @@ run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.0" \ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1" \ 0 \ -c "fragmenting handshake message" \ @@ -7860,6 +7928,7 @@ run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ "$O_CLI -dtls1_2" \ 0 \ @@ -7878,6 +7947,7 @@ run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.0" \ "$P_SRV dgram_packing=0 dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1" \ "$O_CLI -nbio -dtls1" \ 0 \ @@ -8381,7 +8451,7 @@ not_with_valgrind # risk of non-mbedtls peer timing out run_test "DTLS proxy: 3d, gnutls server" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$G_SRV -u --mtu 2048 -a" \ - "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \ + "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 ca_file=data_files/test-ca2.crt" \ 0 \ -s "Extra-header:" \ -c "Extra-header:" @@ -8392,7 +8462,7 @@ not_with_valgrind # risk of non-mbedtls peer timing out run_test "DTLS proxy: 3d, gnutls server, fragmentation" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$G_NEXT_SRV -u --mtu 512" \ - "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \ + "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 ca_file=data_files/test-ca2.crt" \ 0 \ -s "Extra-header:" \ -c "Extra-header:" @@ -8403,7 +8473,7 @@ not_with_valgrind # risk of non-mbedtls peer timing out run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$G_NEXT_SRV -u --mtu 512" \ - "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2" \ + "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 ca_file=data_files/test-ca2.crt" \ 0 \ -s "Extra-header:" \ -c "Extra-header:"