Commit 2094ea07 authored by Rob Percival's avatar Rob Percival Committed by Richard Levitte

Add SSL tests for certificates with embedded SCTs



The only SSL tests prior to this tested using certificates with no
embedded Signed Certificate Timestamps (SCTs), which meant they couldn't
confirm whether Certificate Transparency checks in "strict" mode were
working.

These tests reveal a bug in the validation of SCT timestamps, which is
fixed by the next commit.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3138)
parent f1e793cc
+15 −0
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/BH634c4VyVui+A7k
WL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWkEM2cW9tdSSdyba8X
EPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWwFAn/Xdh+tQIDAQAB
AoGAK/daG0vt6Fkqy/hdrtSJSKUVRoGRmS2nnba4Qzlwzh1+x2kdbMFuaOu2a37g
PvmeQclheKZ3EG1+Jb4yShwLcBCV6pkRJhOKuhvqGnjngr6uBH4gMCjpZVj7GDMf
flYHhdJCs3Cz/TY0wKN3o1Fldil2DHR/AEOc1nImeSp5/EUCQQDjKS3W957kYtTU
X5BeRjvg03Ug8tJq6IFuhTFvUJ+XQ5bAc0DmxAbQVKqRS7Wje59zTknVvS+MFdeQ
pz4dGuV7AkEA1y0X2yarIls+0A/S1uwkvwRTIkfS+QwFJ1zVya8sApRdKAcidIzA
b70hkKLilU9+LrXg5iZdFp8l752qJiw9jwJAXjItN/7mfH4fExGto+or2kbVQxxt
9LcFNPc2UJp2ExuL37HrL8YJrUnukOF8KJaSwBWuuFsC5GwKP4maUCdfEQJAUwBR
83c3DEmmMRvpeH4erpA8gTyzZN3+HvDwhpvLnjMcvBQEdnDUykVqbSBnxrCjO+Fs
n1qtDczWFVf8Cj2GgQJAQ14Awx32Cn9sF+3M+sEVtlAf6CqiEbkYeYdSCbsplMmZ
1UoaxiwXY3z+B7epsRnnPR3KaceAlAxw2/zQJMFNOQ==
-----END RSA PRIVATE KEY-----
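Review bot: This new file is an unencrypted RSA private key, and nothing in it or in the commit message marks it as test-only material. The test configs in this commit use `embeddedSCTs1-key.pem` as the `PrivateKey` paired with `embeddedSCTs1.pem`, so it is presumably that fixture. Secret scanners and later readers will only see a bare key, so I would record alongside it, wherever the certs directory documents its fixtures, something like `Test-only key for embeddedSCTs1.pem; public, never use outside the test suite`. Judging by its length the key appears to be 1024-bit RSA, which these tests accept with `CipherString = DEFAULT` but which a test run at a higher security level would likely reject. That limitation is worth noting too, since the key presumably cannot be regenerated without invalidating the SCTs embedded in the certificate.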
+116 −60
# Generated with generate_ssl_tests.pl

num_tests = 4

test-0 = 0-ct-permissive
test-1 = 1-ct-strict
test-2 = 2-ct-permissive-resumption
test-3 = 3-ct-strict-resumption
num_tests = 6

test-0 = 0-ct-permissive-without-scts
test-1 = 1-ct-permissive-with-scts
test-2 = 2-ct-strict-without-scts
test-3 = 3-ct-strict-with-scts
test-4 = 4-ct-permissive-resumption
test-5 = 5-ct-strict-resumption
# ===========================================================

[0-ct-permissive]
ssl_conf = 0-ct-permissive-ssl
[0-ct-permissive-without-scts]
ssl_conf = 0-ct-permissive-without-scts-ssl

[0-ct-permissive-ssl]
server = 0-ct-permissive-server
client = 0-ct-permissive-client
[0-ct-permissive-without-scts-ssl]
server = 0-ct-permissive-without-scts-server
client = 0-ct-permissive-without-scts-client

[0-ct-permissive-server]
[0-ct-permissive-without-scts-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

[0-ct-permissive-client]
[0-ct-permissive-without-scts-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer

[test-0]
ExpectedResult = Success
client = 0-ct-permissive-client-extra
client = 0-ct-permissive-without-scts-client-extra

[0-ct-permissive-without-scts-client-extra]
CTValidation = Permissive


# ===========================================================

[1-ct-permissive-with-scts]
ssl_conf = 1-ct-permissive-with-scts-ssl

[1-ct-permissive-with-scts-ssl]
server = 1-ct-permissive-with-scts-server
client = 1-ct-permissive-with-scts-client

[1-ct-permissive-with-scts-server]
Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem

[1-ct-permissive-with-scts-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem
VerifyMode = Peer

[test-1]
ExpectedResult = Success
client = 1-ct-permissive-with-scts-client-extra

[0-ct-permissive-client-extra]
[1-ct-permissive-with-scts-client-extra]
CTValidation = Permissive


# ===========================================================

[1-ct-strict]
ssl_conf = 1-ct-strict-ssl
[2-ct-strict-without-scts]
ssl_conf = 2-ct-strict-without-scts-ssl

[1-ct-strict-ssl]
server = 1-ct-strict-server
client = 1-ct-strict-client
[2-ct-strict-without-scts-ssl]
server = 2-ct-strict-without-scts-server
client = 2-ct-strict-without-scts-client

[1-ct-strict-server]
[2-ct-strict-without-scts-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

[1-ct-strict-client]
[2-ct-strict-without-scts-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer

[test-1]
[test-2]
ExpectedClientAlert = HandshakeFailure
ExpectedResult = ClientFail
client = 1-ct-strict-client-extra
client = 2-ct-strict-without-scts-client-extra

[1-ct-strict-client-extra]
[2-ct-strict-without-scts-client-extra]
CTValidation = Strict


# ===========================================================

[2-ct-permissive-resumption]
ssl_conf = 2-ct-permissive-resumption-ssl
[3-ct-strict-with-scts]
ssl_conf = 3-ct-strict-with-scts-ssl

[2-ct-permissive-resumption-ssl]
server = 2-ct-permissive-resumption-server
client = 2-ct-permissive-resumption-client
resume-server = 2-ct-permissive-resumption-server
resume-client = 2-ct-permissive-resumption-client
[3-ct-strict-with-scts-ssl]
server = 3-ct-strict-with-scts-server
client = 3-ct-strict-with-scts-client

[2-ct-permissive-resumption-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
[3-ct-strict-with-scts-server]
Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem

[2-ct-permissive-resumption-client]
[3-ct-strict-with-scts-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem
VerifyMode = Peer

[test-2]
[test-3]
ExpectedResult = Success
client = 3-ct-strict-with-scts-client-extra

[3-ct-strict-with-scts-client-extra]
CTValidation = Strict


# ===========================================================

[4-ct-permissive-resumption]
ssl_conf = 4-ct-permissive-resumption-ssl

[4-ct-permissive-resumption-ssl]
server = 4-ct-permissive-resumption-server
client = 4-ct-permissive-resumption-client
resume-server = 4-ct-permissive-resumption-server
resume-client = 4-ct-permissive-resumption-client

[4-ct-permissive-resumption-server]
Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem

[4-ct-permissive-resumption-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem
VerifyMode = Peer

[test-4]
ExpectedResult = Success
HandshakeMode = Resume
ResumptionExpected = Yes
client = 2-ct-permissive-resumption-client-extra
resume-client = 2-ct-permissive-resumption-client-extra
client = 4-ct-permissive-resumption-client-extra
resume-client = 4-ct-permissive-resumption-client-extra

[2-ct-permissive-resumption-client-extra]
[4-ct-permissive-resumption-client-extra]
CTValidation = Permissive


# ===========================================================

[3-ct-strict-resumption]
ssl_conf = 3-ct-strict-resumption-ssl
[5-ct-strict-resumption]
ssl_conf = 5-ct-strict-resumption-ssl

[3-ct-strict-resumption-ssl]
server = 3-ct-strict-resumption-server
client = 3-ct-strict-resumption-client
resume-server = 3-ct-strict-resumption-server
resume-client = 3-ct-strict-resumption-resume-client
[5-ct-strict-resumption-ssl]
server = 5-ct-strict-resumption-server
client = 5-ct-strict-resumption-client
resume-server = 5-ct-strict-resumption-server
resume-client = 5-ct-strict-resumption-resume-client

[3-ct-strict-resumption-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
[5-ct-strict-resumption-server]
Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem

[3-ct-strict-resumption-client]
[5-ct-strict-resumption-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem
VerifyMode = Peer

[3-ct-strict-resumption-resume-client]
[5-ct-strict-resumption-resume-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer

[test-3]
[test-5]
ExpectedResult = Success
HandshakeMode = Resume
ResumptionExpected = Yes
client = 3-ct-strict-resumption-client-extra
resume-client = 3-ct-strict-resumption-resume-client-extra
client = 5-ct-strict-resumption-client-extra
resume-client = 5-ct-strict-resumption-resume-client-extra

[3-ct-strict-resumption-client-extra]
CTValidation = Permissive
[5-ct-strict-resumption-client-extra]
CTValidation = Strict

[3-ct-strict-resumption-resume-client-extra]
[5-ct-strict-resumption-resume-client-extra]
CTValidation = Strict

+47 −8
@@ -16,9 +16,8 @@ package ssltests;


our @tests = (
    # Currently only have tests for certs without SCTs.
    {
        name => "ct-permissive",
        name => "ct-permissive-without-scts",
        server => { },
        client => {
            extra => {
@@ -30,7 +29,23 @@ our @tests = (
        },
    },
    {
        name => "ct-strict",
        name => "ct-permissive-with-scts",
        server => {
            "Certificate" => test_pem("embeddedSCTs1.pem"),
            "PrivateKey"  => test_pem("embeddedSCTs1-key.pem"),
        },
        client => {
            "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"),
            extra => {
                "CTValidation" => "Permissive",
            },
        },
        test => {
            "ExpectedResult" => "Success",
        },
    },
    {
        name => "ct-strict-without-scts",
        server => { },
        client => {
            extra => {
@@ -42,10 +57,30 @@ our @tests = (
            "ExpectedClientAlert" => "HandshakeFailure",
        },
    },
    {
        name => "ct-strict-with-scts",
        server => {
            "Certificate" => test_pem("embeddedSCTs1.pem"),
            "PrivateKey"  => test_pem("embeddedSCTs1-key.pem"),
        },
        client => {
            "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"),
            extra => {
                "CTValidation" => "Strict",
            },
        },
        test => {
            "ExpectedResult" => "Success",
        },
    },
    {
        name => "ct-permissive-resumption",
        server => { },
        server => {
            "Certificate" => test_pem("embeddedSCTs1.pem"),
            "PrivateKey"  => test_pem("embeddedSCTs1-key.pem"),
        },
        client => {
            "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"),
            extra => {
                "CTValidation" => "Permissive",
            },
@@ -58,10 +93,14 @@ our @tests = (
    },
    {
        name => "ct-strict-resumption",
        server => { },
        server => {
            "Certificate" => test_pem("embeddedSCTs1.pem"),
            "PrivateKey"  => test_pem("embeddedSCTs1-key.pem"),
        },
        client => {
            "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"),
            extra => {
                "CTValidation" => "Permissive",
                "CTValidation" => "Strict",
            },
        },
        # SCTs are not present during resumption, so the resumption