authorIngela Anderton Andin <ingela@erlang.org>2021-03-17 14:52:28 +0100
committerIngela Anderton Andin <ingela@erlang.org>2021-03-18 13:00:04 +0100
commit286702a15409a701a34367fa114b201c2fe8ad1c (patch)
tree4695399bc4ee0900d55daebfcf80868c29259d9f /lib/ssl/test
parent3c4d99c4ce2c436b0013f813179dbe39e851f927 (diff)
downloaderlang-286702a15409a701a34367fa114b201c2fe8ad1c.tar.gz
ssl: Correct signature algorithm selection for client certificate verify
Diffstat (limited to 'lib/ssl/test')
-rw-r--r--lib/ssl/test/property_test/ssl_eqc_chain.erl36
-rw-r--r--lib/ssl/test/ssl_eqc_SUITE.erl12
2 files changed, 44 insertions, 4 deletions
diff --git a/lib/ssl/test/property_test/ssl_eqc_chain.erl b/lib/ssl/test/property_test/ssl_eqc_chain.erl
index e78dc3fc0e..e108591776 100644
--- a/lib/ssl/test/property_test/ssl_eqc_chain.erl
+++ b/lib/ssl/test/property_test/ssl_eqc_chain.erl
@@ -124,6 +124,23 @@ prop_tls_extraneous_and_unordered_path() ->
end
).
+prop_client_cert_auth() ->
+ ?FORALL({ClientOptions, ServerOptions}, ?LET(Version, tls_version(), client_cert_auth_opts(Version)),
+ try
+ [TLSVersion] = proplists:get_value(versions, ClientOptions),
+ ssl_test_lib:basic_test(ClientOptions, ServerOptions, [{server_type, erlang},
+ {client_type, erlang},
+ {version, TLSVersion}
+ ])
+ of
+ _ ->
+ true
+ catch
+ _:_ ->
+ false
+ end
+ ).
+
%%--------------------------------------------------------------------
%% Chain Generators -----------------------------------------------
%%--------------------------------------------------------------------
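Review bot: The `catch _:_ -> false` clause in prop_client_cert_auth discards the exception class, reason and stacktrace, so a failing run reports only the generated options and not which handshake step or alert rejected the client certificate. Bind and log them before returning false, for example `Class:Reason:Stack ->` followed by `ct:pal("~p:~p~n~p", [Class, Reason, Stack]), false`. The `of _ -> true` branch also accepts any return value from ssl_test_lib:basic_test/3. If that helper reports failure by return value rather than by exception (not visible here), the property would pass on it.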
@@ -232,6 +249,9 @@ unordered_extraneous_options(Version) ->
der_extraneous_and_unorder_options(Version) ->
?LET(Alg, key_alg(Version), der_extraneous_and_unorder_chain(Version, Alg)).
+client_cert_auth_opts(Version) ->
+ ?LET({SAlg, CAlg}, {key_alg(Version), key_alg(Version)}, der_cert_chains(Version, CAlg,SAlg)).
+
extraneous_der_cert_chain_opts(Version, Alg) ->
#{cert := OrgSRoot} = SRoot = public_key:pkix_test_root_cert("OTP test server ROOT", root_key(Alg)),
#{cert := OrgCRoot} = CRoot = public_key:pkix_test_root_cert("OTP test client ROOT", root_key(Alg)),
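Review bot: Nothing at client_cert_auth_opts records that drawing `key_alg(Version)` twice is deliberate. The call also swaps the tuple order: `{SAlg, CAlg}` is bound but `CAlg,SAlg` is passed, which matches der_cert_chains/3 as added later in this diff but is easy to misread. A comment such as `%% Client and server key algorithms are generated independently so mismatched pairs are covered` would help, as would the missing space in `der_cert_chains(Version, CAlg, SAlg)`.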
@@ -275,7 +295,6 @@ extraneous_pem_cert_chain_opts(Version, Alg, PrivDir) ->
extraneous_pem_conf(ServerChain, ClientRoot, OrgCRoot, ServerConf0, PrivDir)]}.
extra_extraneous_der_cert_chain_opts(Version, Alg) ->
-
#{cert := OrgSRoot} = SRoot = public_key:pkix_test_root_cert("OTP test server ROOT", root_key(Alg)),
#{cert := OrgCRoot} = CRoot = public_key:pkix_test_root_cert("OTP test client ROOT", root_key(Alg)),
@@ -304,7 +323,6 @@ extra_extraneous_der_cert_chain_opts(Version, Alg) ->
der_extraneous_and_unorder_chain(Version, Alg) ->
-
#{cert := OrgSRoot} = SRoot = public_key:pkix_test_root_cert("OTP test server ROOT", root_key(Alg)),
#{cert := OrgCRoot} = CRoot = public_key:pkix_test_root_cert("OTP test client ROOT", root_key(Alg)),
@@ -331,6 +349,20 @@ der_extraneous_and_unorder_chain(Version, Alg) ->
server_options(Version) ++ [protocol(Version), {versions, [Version]} |
extraneous_der_conf(ServerChain, ClientRoot1, [OrgCRoot, ClientRoot0], ServerConf0)]}.
+der_cert_chains(Version, CAlg, SAlg) ->
+ SRoot = public_key:pkix_test_root_cert("OTP test server ROOT", root_key(SAlg)),
+ CRoot = public_key:pkix_test_root_cert("OTP test client ROOT", root_key(CAlg)),
+
+ #{server_config := ServerConf,
+ client_config := ClientConf} = public_key:pkix_test_data(#{server_chain => #{root => SRoot,
+ intermediates => intermediates(SAlg, 1),
+ peer => peer_key(SAlg)},
+ client_chain => #{root => CRoot,
+ intermediates => intermediates(CAlg, 1),
+ peer => peer_key(CAlg)}}),
+ {client_options(Version) ++ [protocol(Version), {versions, [Version]} | ClientConf],
+ server_options(Version) ++ [protocol(Version), {versions, [Version]} | ServerConf]}.
+
chain_and_root(Config) ->
OwnCert = proplists:get_value(cert, Config),
{ok, ExtractedCAs} = ssl_pkix_db:extract_trusted_certs({der, proplists:get_value(cacerts, Config)}),
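Review bot: der_cert_chains relies on `server_options(Version)` to make the server request and require a client certificate, but that function is outside the hunk, so it cannot be confirmed here that it sets `{verify, verify_peer}` and `{fail_if_no_peer_cert, true}`. Without verify_peer the server sends no certificate request and the client never produces a CertificateVerify, so the property would pass without touching the signature algorithm selection this commit corrects. Without fail_if_no_peer_cert a client that sends no certificate is still accepted. A comment above der_cert_chains such as `%% Requires server_options/1 to enforce verify_peer and fail_if_no_peer_cert` would make that precondition visible. Listing the two options explicitly in the returned server list would do the same.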
diff --git a/lib/ssl/test/ssl_eqc_SUITE.erl b/lib/ssl/test/ssl_eqc_SUITE.erl
index 3c9a1d0ab0..4bfff1585e 100644
--- a/lib/ssl/test/ssl_eqc_SUITE.erl
+++ b/lib/ssl/test/ssl_eqc_SUITE.erl
@@ -39,7 +39,8 @@
tls_unorded_chains/1,
tls_extraneous_chain/1,
tls_extraneous_chains/1,
- tls_extraneous_and_unorder_chains/1
+ tls_extraneous_and_unorder_chains/1,
+ tls_client_cert_auth/1
]).
%%--------------------------------------------------------------------
@@ -56,7 +57,8 @@ all() ->
tls_unorded_chains,
tls_extraneous_chain,
tls_extraneous_chains,
- tls_extraneous_and_unorder_chains
+ tls_extraneous_and_unorder_chains,
+ tls_client_cert_auth
].
%%--------------------------------------------------------------------
@@ -123,3 +125,9 @@ tls_extraneous_and_unorder_chains(Config) when is_list(Config) ->
ssl:start(),
true = ct_property_test:quickcheck(ssl_eqc_chain:prop_tls_extraneous_and_unordered_path(),
Config).
+
+tls_client_cert_auth(Config) when is_list(Config) ->
+ %% manual test: proper:quickcheck(ssl_eqc_chain:prop_client_cert_auth()
+ ssl:start(),
+ true = ct_property_test:quickcheck(ssl_eqc_chain:prop_client_cert_auth(),
+ Config).
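Review bot: The manual-test comment in tls_client_cert_auth is missing its closing parenthesis, so it cannot be pasted into a shell as written. It should read `%% manual test: proper:quickcheck(ssl_eqc_chain:prop_client_cert_auth())`. The return value of `ssl:start()` is also discarded, as in the preceding test case, so a failure to start the application would surface only as a later property failure.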