Commit 63936115 authored by Emilia Kasper's avatar Emilia Kasper

Update client authentication tests



Port client auth tests to the new framework, add coverage. The old tests
were only testing success, and only for some protocol versions; the new
tests add all protocol versions and various failure modes.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
parent 66bceb5f
+37 −0
-----BEGIN CERTIFICATE-----
MIIDIDCCAgigAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
Fw0xNjAxMTUwODE5NTBaGA8yMTE2MDExNjA4MTk1MFowGTEXMBUGA1UEAwwOc2Vy
dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
iIQPYf55NB9KiR+3AgMBAAGjfTB7MB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
MBMGA1UdJQQMMAoGCCsGAQUFBwMCMBkGA1UdEQQSMBCCDnNlcnZlci5leGFtcGxl
MA0GCSqGSIb3DQEBCwUAA4IBAQB+x23yjviJ9/n0G65xjntoPCLpsZtqId+WvN/9
sXGqRZyAnBWPFpWrf9qXdxXZpTw7KRfywnEVsUQP12XKCc9JH4tG4l/wCDaHi9qO
pLstQskcXk40gWaU83ojjchdtDFBaxR5KxC83SR669Rw9mn66bWz/6zpK9VYohVh
A5/3RqteQaeQETFbZdlb6e7jAjiGp6DmAiH/WLrVvMY8k0z81TD0+UjJqI9097mF
VtNX0l+46/tR4zvyA4yYqxK+L8M57SjfwxvwUpDxxVVnRsf3kHhudeAc+UDWzqws
n5P71o+AfbkYzhHsSFIZyYUnGv+JApFpcGEMEiHL2iBhCRdx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC7DCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjANMQswCQYDVQQD
DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd
j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz
n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W
l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l
YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc
ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9
CLNNsUcCAwEAAaNQME4wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G
A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ
KoZIhvcNAQELBQADggEBADnZ9uXGAdwfNC3xuERIlBwgLROeBRGgcfHWdXZB/tWk
IM9ox88wYKWynanPbra4n0zhepooKt+naeY2HLR8UgwT6sTi0Yfld9mjytA8/DP6
AcqtIDDf60vNI00sgxjgZqofVayA9KShzIPzjBec4zI1sg5YzoSNyH28VXFstEpi
8CVtmRYQHhc2gDI9MGge4sHRYwaIFkegzpwcEUnp6tTVe9ZvHawgsXF/rCGfH4M6
uNO0D+9Md1bdW7382yOtWbkyibsugqnfBYCUH6hAhDlfYzpba2Smb0roc6Crq7HR
5HpEYY6qEir9wFMkD5MZsWrNRGRuzd5am82J+aaHz/4=
-----END CERTIFICATE-----
+1 −1
@@ -42,7 +42,7 @@ foreach my $conf (@conf_files) {

# We hard-code the number of tests to double-check that the globbing above
# finds all files as expected.
plan tests => 3;  # = scalar @conf_srcs
plan tests => 4;  # = scalar @conf_srcs

sub test_conf {
    plan tests => 3;
+29 −60
@@ -311,11 +311,8 @@ sub testss {
}

sub testssl {
    my $key = shift || bldtop_file("apps","server.pem");
    my $cert = shift || bldtop_file("apps","server.pem");
    my $CAtmp = shift;
    my ($key, $cert, $CAtmp) = @_;
    my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", bldtop_dir("certs"));
    my @extra = @_;

    my @ssltest = ("ssltest_old",
		   "-s_key", $key, "-s_cert", $cert,
@@ -334,47 +331,19 @@ sub testssl {

    subtest 'standard SSL tests' => sub {
	######################################################################
	plan tests => 29;
        plan tests => 21;

      SKIP: {
	  skip "SSLv3 is not supported by this OpenSSL build", 4
	      if disabled("ssl3");

	  ok(run(test([@ssltest, "-ssl3", @extra])),
	     'test sslv3');
	  ok(run(test([@ssltest, "-ssl3", "-server_auth", @CA, @extra])),
	     'test sslv3 with server authentication');
	  ok(run(test([@ssltest, "-ssl3", "-client_auth", @CA, @extra])),
	     'test sslv3 with client authentication');
	  ok(run(test([@ssltest, "-ssl3", "-server_auth", "-client_auth", @CA, @extra])),
	     'test sslv3 with both server and client authentication');
	}

      SKIP: {
	  skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 4
	      if $no_anytls;

	  ok(run(test([@ssltest, @extra])),
	     'test sslv2/sslv3');
	  ok(run(test([@ssltest, "-server_auth", @CA, @extra])),
	     'test sslv2/sslv3 with server authentication');
	  ok(run(test([@ssltest, "-client_auth", @CA, @extra])),
	     'test sslv2/sslv3 with client authentication');
	  ok(run(test([@ssltest, "-server_auth", "-client_auth", @CA, @extra])),
	     'test sslv2/sslv3 with both server and client authentication');
	}

      SKIP: {
	  skip "SSLv3 is not supported by this OpenSSL build", 4
	      if disabled("ssl3");

	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", @extra])),
	  ok(run(test([@ssltest, "-bio_pair", "-ssl3"])),
	     'test sslv3 via BIO pair');
	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA, @extra])),
	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA])),
	     'test sslv3 with server authentication via BIO pair');
	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA, @extra])),
	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA])),
	     'test sslv3 with client authentication via BIO pair');
	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA, @extra])),
	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA])),
	     'test sslv3 with both server and client authentication via BIO pair');
	}

@@ -382,7 +351,7 @@ sub testssl {
	  skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 1
	      if $no_anytls;

	  ok(run(test([@ssltest, "-bio_pair", @extra])),
	  ok(run(test([@ssltest, "-bio_pair"])),
	     'test sslv2/sslv3 via BIO pair');
	}

@@ -390,13 +359,13 @@ sub testssl {
	  skip "DTLSv1 is not supported by this OpenSSL build", 4
	      if disabled("dtls1");

	  ok(run(test([@ssltest, "-dtls1", @extra])),
	  ok(run(test([@ssltest, "-dtls1"])),
	     'test dtlsv1');
	  ok(run(test([@ssltest, "-dtls1", "-server_auth", @CA, @extra])),
	  ok(run(test([@ssltest, "-dtls1", "-server_auth", @CA])),
	   'test dtlsv1 with server authentication');
	  ok(run(test([@ssltest, "-dtls1", "-client_auth", @CA, @extra])),
	  ok(run(test([@ssltest, "-dtls1", "-client_auth", @CA])),
	     'test dtlsv1 with client authentication');
	  ok(run(test([@ssltest, "-dtls1", "-server_auth", "-client_auth", @CA, @extra])),
	  ok(run(test([@ssltest, "-dtls1", "-server_auth", "-client_auth", @CA])),
	     'test dtlsv1 with both server and client authentication');
	}

@@ -404,13 +373,13 @@ sub testssl {
	  skip "DTLSv1.2 is not supported by this OpenSSL build", 4
	      if disabled("dtls1_2");

	  ok(run(test([@ssltest, "-dtls12", @extra])),
	  ok(run(test([@ssltest, "-dtls12"])),
	     'test dtlsv1.2');
	  ok(run(test([@ssltest, "-dtls12", "-server_auth", @CA, @extra])),
	  ok(run(test([@ssltest, "-dtls12", "-server_auth", @CA])),
	     'test dtlsv1.2 with server authentication');
	  ok(run(test([@ssltest, "-dtls12", "-client_auth", @CA, @extra])),
	  ok(run(test([@ssltest, "-dtls12", "-client_auth", @CA])),
	     'test dtlsv1.2 with client authentication');
	  ok(run(test([@ssltest, "-dtls12", "-server_auth", "-client_auth", @CA, @extra])),
	  ok(run(test([@ssltest, "-dtls12", "-server_auth", "-client_auth", @CA])),
	     'test dtlsv1.2 with both server and client authentication');
	}

@@ -421,32 +390,32 @@ sub testssl {
	SKIP: {
	    skip "skipping test of sslv2/sslv3 w/o (EC)DHE test", 1 if $dsa_cert;

	    ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe", @extra])),
	    ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe"])),
	       'test sslv2/sslv3 w/o (EC)DHE via BIO pair');
	  }

	  ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v", @extra])),
	  ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])),
	     'test sslv2/sslv3 with 1024bit DHE via BIO pair');
	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA, @extra])),
	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
	     'test sslv2/sslv3 with server authentication');
	  ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA, @extra])),
	  ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
	     'test sslv2/sslv3 with client authentication via BIO pair');
	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA, @extra])),
	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA])),
	     'test sslv2/sslv3 with both client and server authentication via BIO pair');
	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA, @extra])),
	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
	     'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');

        SKIP: {
            skip "No IPv4 available on this machine", 1
                unless !disabled("sock") && have_IPv4();
            ok(run(test([@ssltest, "-ipv4", @extra])),
            ok(run(test([@ssltest, "-ipv4"])),
               'test TLS via IPv4');
          }

        SKIP: {
            skip "No IPv6 available on this machine", 1
                unless !disabled("sock") && have_IPv6();
            ok(run(test([@ssltest, "-ipv6", @extra])),
            ok(run(test([@ssltest, "-ipv6"])),
               'test TLS via IPv6');
          }
        }
@@ -525,7 +494,7 @@ sub testssl {
	    skip "skipping anonymous DH tests", 1
	      if ($no_dh);

	    ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])),
	    ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time"])),
	       'test tlsv1 with 1024bit anonymous DH, multiple handshakes');
	  }

@@ -533,13 +502,13 @@ sub testssl {
	    skip "skipping RSA tests", 2
		if $no_rsa;

	    ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time", @extra])),
	    ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time"])),
	       'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes');

	    skip "skipping RSA+DHE tests", 1
		if $no_dh;

	    ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])),
	    ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time"])),
	       'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes');
	  }

@@ -547,10 +516,10 @@ sub testssl {
	    skip "skipping PSK tests", 2
	        if ($no_psk);

	    ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])),
	    ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123"])),
	       'test tls1 with PSK');

	    ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])),
	    ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])),
	       'test tls1 with PSK via BIO pair');
	  }
	}
@@ -702,7 +671,7 @@ sub testssl {
	      if $no_anytls;

	  skip "skipping multi-buffer tests", 2
	      if @extra || (POSIX::uname())[4] ne "x86_64";
	      if (POSIX::uname())[4] ne "x86_64";

	  ok(run(test([@ssltest, "-cipher", "AES128-SHA",    "-bytes", "8m"])));
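Review bot: At the top of testssl, `my ($key, $cert, $CAtmp) = @_;` drops the `|| bldtop_file("apps","server.pem")` fallbacks, so a caller that passes no key or certificate now puts undef into the `-s_key`/`-s_cert` arguments of `@ssltest` instead of the default server.pem. The call sites are outside the visible hunks; if any of them relies on the defaults, keep them with `$key ||= bldtop_file("apps","server.pem");` and the same for `$cert`. If all callers pass both explicitly, a short comment such as `# $key and $cert are required; $CAtmp is optional and falls back to -CApath certs/.` would document the new contract. testssl's body starts and ends outside these hunks.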

+602 −0

File added.

Preview size limit exceeded, changes collapsed.

+109 −0
# -*- mode: perl; -*-

## SSL test configurations

package ssltests;

use strict;
use warnings;

use OpenSSL::Test;
use OpenSSL::Test::Utils qw(anydisabled);
setup("no_test_here");

# We test version-flexible negotiation (undef) and each protocol version.
my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");

my @is_disabled = (0);
push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2");

our @tests = ();

my $dir_sep = $^O ne "VMS" ? "/" : "";

sub generate_tests() {

    foreach (0..$#protocols) {
        my $protocol = $protocols[$_];
        my $protocol_name = $protocol || "flex";
        if (!$is_disabled[$_]) {
            # Sanity-check simple handshake.
            push @tests, {
                name => "server-auth-${protocol_name}",
                server => {
                    "Protocol" => $protocol
                },
                client => {
                    "Protocol" => $protocol
                },
                test   => { "ExpectedResult" => "Success" },
            };

            # Handshake with client cert requested but not required or received.
            push @tests, {
                name => "client-auth-${protocol_name}-request",
                server => {
                    "Protocol" => $protocol,
                    "VerifyMode" => "Request",
                },
                client => {
                    "Protocol" => $protocol
                },
                test   => { "ExpectedResult" => "Success" },
            };

            # Handshake with client cert required but not present.
            push @tests, {
                name => "client-auth-${protocol_name}-require-fail",
                server => {
                    "Protocol" => $protocol,
                    "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
                    "VerifyMode" => "Require",
                },
                client => {
                    "Protocol" => $protocol,
                },
                test   => {
                    "ExpectedResult" => "ServerFail",
                    "ServerAlert" => "HandshakeFailure",
                },
            };

            # Successful handshake with client authentication.
            push @tests, {
                name => "client-auth-${protocol_name}-require",
                server => {
                    "Protocol" => $protocol,
                    "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
                    "VerifyMode" => "Request",
                },
                client => {
                    "Protocol" => $protocol,
                    "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
                    "PrivateKey"  => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
                },
                test   => { "ExpectedResult" => "Success" },
            };

            # Handshake with client authentication but without the root certificate.
            push @tests, {
                name => "client-auth-${protocol_name}-noroot",
                server => {
                    "Protocol" => $protocol,
                    "VerifyMode" => "Require",
                },
                client => {
                    "Protocol" => $protocol,
                    "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
                    "PrivateKey"  => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
                },
                test   => {
                    "ExpectedResult" => "ServerFail",
                    "ServerAlert" => "UnknownCA",
                },
            };
        }
    }
}
 
generate_tests();
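Review bot: The `client-auth-${protocol_name}-require` case sets `"VerifyMode" => "Request"` on the server, so no test in this file shows a successful handshake while the server actually requires a client certificate; both cases that use `Require` expect `ServerFail`. If the test name reflects the intent, that line should read `"VerifyMode" => "Require",`; if `Request` is deliberate, rename the test or extend its comment so the gap in enforcement coverage is visible. Separately, `@is_disabled` starts with a hard-coded `(0)` for the version-flexible entry, so the `flex` cases are presumably generated even when every listed protocol is disabled; a comment or a guard there would help if such builds are expected to run this file.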