Diffstat (limited to 'lib/ssl/test/openssl_client_cert_SUITE.erl')
-rw-r--r--lib/ssl/test/openssl_client_cert_SUITE.erl130
1 files changed, 77 insertions, 53 deletions
diff --git a/lib/ssl/test/openssl_client_cert_SUITE.erl b/lib/ssl/test/openssl_client_cert_SUITE.erl
index 018b49e0b7..36b098bd49 100644
--- a/lib/ssl/test/openssl_client_cert_SUITE.erl
+++ b/lib/ssl/test/openssl_client_cert_SUITE.erl
@@ -1,7 +1,7 @@
%%
%% %CopyrightBegin%
%%
-%% Copyright Ericsson AB 2019-2022. All Rights Reserved.
+%% Copyright Ericsson AB 2019-2023. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
@@ -71,7 +71,7 @@
%%--------------------------------------------------------------------
%% Common Test interface functions -----------------------------------
%%--------------------------------------------------------------------
-all() ->
+all() ->
[
{group, openssl_client}
].
@@ -99,7 +99,7 @@ groups() ->
].
protocol_groups() ->
- case ssl_test_lib:openssl_sane_dtls() of
+ case ssl_test_lib:openssl_sane_dtls() of
true ->
[{group, 'tlsv1.3'},
{group, 'tlsv1.2'},
@@ -113,7 +113,7 @@ protocol_groups() ->
{group, 'tlsv1.1'},
{group, 'tlsv1'}
]
- end.
+ end.
pre_tls_1_3_protocol_groups() ->
[{group, rsa},
@@ -168,34 +168,34 @@ init_per_group(Group, Config0) when Group == rsa;
SOpts = proplists:get_value(server_rsa_opts, Config),
%% Make sure _rsa* suite is chosen by ssl_test_lib:start_server
Version = ssl_test_lib:protocol_version(Config),
- Ciphers = ssl_cert_tests:test_ciphers(fun(dhe_rsa) ->
+ Ciphers = ssl_cert_tests:test_ciphers(fun(dhe_rsa) ->
true;
- (ecdhe_rsa) ->
+ (ecdhe_rsa) ->
true;
(_) ->
- false
- end, Version),
+ false
+ end, Version),
case Ciphers of
[_|_] ->
[{cert_key_alg, rsa} |
- lists:delete(cert_key_alg,
- [{client_cert_opts, [{ciphers, Ciphers} | COpts]},
- {server_cert_opts, SOpts} |
- lists:delete(server_cert_opts,
+ lists:delete(cert_key_alg,
+ [{client_cert_opts, [{ciphers, Ciphers} | COpts]},
+ {server_cert_opts, SOpts} |
+ lists:delete(server_cert_opts,
lists:delete(client_cert_opts, Config))])];
[] ->
{skip, {no_sup, Group, Version}}
end;
-init_per_group(Alg, Config) when
+init_per_group(Alg, Config) when
Alg == rsa_pss_rsae;
Alg == rsa_pss_pss;
Alg == rsa_pss_rsae_1_3;
Alg == rsa_pss_pss_1_3 ->
Supports = crypto:supports(),
RSAOpts = proplists:get_value(rsa_opts, Supports),
-
- case lists:member(rsa_pkcs1_pss_padding, RSAOpts)
- andalso lists:member(rsa_pss_saltlen, RSAOpts)
+
+ case lists:member(rsa_pkcs1_pss_padding, RSAOpts)
+ andalso lists:member(rsa_pss_saltlen, RSAOpts)
andalso lists:member(rsa_mgf1_md, RSAOpts)
andalso ssl_test_lib:is_sane_oppenssl_pss(rsa_alg(Alg))
of
@@ -214,9 +214,9 @@ init_per_group(Alg, Config) when
init_per_group(Group, Config0) when Group == ecdsa;
Group == ecdsa_1_3 ->
PKAlg = crypto:supports(public_keys),
- case lists:member(ecdsa, PKAlg) andalso (lists:member(ecdh, PKAlg) orelse
- lists:member(dh, PKAlg))
- andalso (ssl_test_lib:openssl_ecdsa_suites() =/= [])
+ case lists:member(ecdsa, PKAlg) andalso (lists:member(ecdh, PKAlg) orelse
+ lists:member(dh, PKAlg))
+ andalso (ssl_test_lib:openssl_ecdsa_suites() =/= [])
of
true ->
Config = ssl_test_lib:make_ecdsa_cert(Config0),
@@ -224,20 +224,20 @@ init_per_group(Group, Config0) when Group == ecdsa;
SOpts = proplists:get_value(server_ecdsa_opts, Config),
%% Make sure ecdh* suite is chosen by ssl_test_lib:start_server
Version = ssl_test_lib:protocol_version(Config),
- Ciphers = ssl_cert_tests:test_ciphers(fun(ecdh_ecdsa) ->
+ Ciphers = ssl_cert_tests:test_ciphers(fun(ecdh_ecdsa) ->
true;
- (ecdhe_ecdsa) ->
+ (ecdhe_ecdsa) ->
true;
(_) ->
- false
- end, Version),
+ false
+ end, Version),
case Ciphers of
[_|_] ->
[{cert_key_alg, ecdsa} |
lists:delete(cert_key_alg,
- [{client_cert_opts, [{ciphers, Ciphers} | COpts]},
- {server_cert_opts, SOpts} |
- lists:delete(server_cert_opts,
+ [{client_cert_opts, [{ciphers, Ciphers} | COpts]},
+ {server_cert_opts, SOpts} |
+ lists:delete(server_cert_opts,
lists:delete(client_cert_opts, Config))]
)];
[] ->
@@ -277,42 +277,46 @@ init_per_group(eddsa_1_3, Config0) ->
end;
init_per_group(Group, Config0) when Group == dsa ->
PKAlg = crypto:supports(public_keys),
- case lists:member(dss, PKAlg) andalso lists:member(dh, PKAlg)
- andalso (ssl_test_lib:openssl_dsa_suites() =/= []) of
+ NVersion = ssl_test_lib:n_version(proplists:get_value(version, Config0)),
+ SigAlgs = ssl_test_lib:sig_algs(dsa, NVersion),
+ case lists:member(dss, PKAlg) andalso lists:member(dh, PKAlg)
+ andalso (ssl_test_lib:openssl_dsa_suites() =/= [])
+ andalso (ssl_test_lib:check_sane_openssl_dsa(Config0))
+ of
true ->
- Config = ssl_test_lib:make_dsa_cert(Config0),
- COpts = proplists:get_value(client_dsa_opts, Config),
- SOpts = proplists:get_value(server_dsa_opts, Config),
+ Config = ssl_test_lib:make_dsa_cert(Config0),
+ COpts = SigAlgs ++ proplists:get_value(client_dsa_opts, Config),
+ SOpts = SigAlgs ++ proplists:get_value(server_dsa_opts, Config),
%% Make sure dhe_dss* suite is chosen by ssl_test_lib:start_server
Version = ssl_test_lib:protocol_version(Config),
- Ciphers = ssl_cert_tests:test_ciphers(fun(dh_dss) ->
+ Ciphers = ssl_cert_tests:test_ciphers(fun(dh_dss) ->
true;
- (dhe_dss) ->
+ (dhe_dss) ->
true;
(_) ->
- false
- end, Version),
+ false
+ end, Version),
case Ciphers of
[_|_] ->
[{cert_key_alg, dsa} |
lists:delete(cert_key_alg,
- [{client_cert_opts, [{ciphers, Ciphers} | COpts]},
- {server_cert_opts, SOpts} |
- lists:delete(server_cert_opts,
+ [{client_cert_opts, [{ciphers, Ciphers} | COpts]},
+ {server_cert_opts, [{ciphers, Ciphers} | SOpts]} |
+ lists:delete(server_cert_opts,
lists:delete(client_cert_opts, Config))])];
[] ->
{skip, {no_sup, Group, Version}}
end;
false ->
{skip, "Missing DSS crypto support"}
- end;
+ end;
init_per_group(GroupName, Config) ->
ssl_test_lib:init_per_group_openssl(GroupName, Config).
end_per_group(GroupName, Config) ->
ssl_test_lib:end_per_group(GroupName, Config).
-init_per_testcase(TestCase, Config) when
+init_per_testcase(TestCase, Config) when
TestCase == client_auth_empty_cert_accepted;
TestCase == client_auth_empty_cert_rejected ->
Version = ssl_test_lib:protocol_version(Config),
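Review bot: The dsa clause now restricts the server side with `{server_cert_opts, [{ciphers, Ciphers} | SOpts]}`, while the rsa and ecdsa clauses of the same function (earlier hunks) still pass `{server_cert_opts, SOpts}` with no cipher restriction, and nothing says whether that asymmetry is deliberate. If the server-side restriction is what forces a dhe_dss/dh_dss suite to be negotiated against the OpenSSL client, a comment on that line such as `%% Restrict the server too: DSS suites are not in the default set, so an unrestricted server may negotiate a non-DSS suite` would keep a later cleanup from "harmonising" it away. Separately, `SigAlgs` is derived from `n_version(proplists:get_value(version, Config0))` while `Ciphers` is derived from `ssl_test_lib:protocol_version(Config)`; presumably these agree, but if they can diverge the signature algorithms and cipher list would be built for different protocol versions, so a one-line comment stating that they denote the same version (or using one of them for both) would help. The init_per_testcase clause that starts at the end of this hunk continues outside it.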
@@ -323,7 +327,7 @@ init_per_testcase(TestCase, Config) when
%% instead of sending EMPTY cert message in SSL-3.0 so empty cert test are not
%% relevant
{skip, openssl_behaves_differently};
- _ ->
+ _ ->
ssl_test_lib:ct_log_supported_protocol_versions(Config),
ct:timetrap({seconds, 30}),
Config
@@ -333,7 +337,7 @@ init_per_testcase(_TestCase, Config) ->
ct:timetrap({seconds, 30}),
Config.
-end_per_testcase(_TestCase, Config) ->
+end_per_testcase(_TestCase, Config) ->
Config.
%%--------------------------------------------------------------------
@@ -366,10 +370,15 @@ client_auth_use_partial_chain() ->
[{doc, "Server does not trust an intermediat CA and fails the connetion as ROOT has expired"}].
client_auth_use_partial_chain(Config) when is_list(Config) ->
Prop = proplists:get_value(tc_group_properties, Config),
- DefaultCertConf = ssl_test_lib:default_ecc_cert_chain_conf(proplists:get_value(name, Prop)),
+ Group = proplists:get_value(name, Prop),
+ Version = ssl_test_lib:n_version(proplists:get_value(version, Config)),
+ Alg = proplists:get_value(cert_key_alg, Config),
+ DefaultCertConf = ssl_test_lib:default_ecc_cert_chain_conf(Group),
+ Ciphers = appropriate_ciphers(Group, Version),
+
{Year, Month, Day} = date(),
#{client_config := ClientOpts0,
- server_config := ServerOpts0} = ssl_test_lib:make_cert_chains_pem(proplists:get_value(cert_key_alg, Config),
+ server_config := ServerOpts0} = ssl_test_lib:make_cert_chains_pem(Alg,
[{client_chain,
[[{validity, {{Year-2, Month, Day},
{Year-1, Month, Day}}}],
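Review bot: The same preamble — read `name` from `tc_group_properties`, compute `Version` via `ssl_test_lib:n_version/1`, read `cert_key_alg`, build `DefaultCertConf` and `Ciphers` — is added verbatim here and again in client_auth_do_not_use_partial_chain and client_auth_partial_chain_fun_fail (the two following file hunks), which is a style point rather than a defect. Extracting it into one internal helper would leave a single place to adjust when the cipher selection changes; each test case would then start with `{Alg, DefaultCertConf, Ciphers} = partial_chain_setup(Config),`. The body of client_auth_use_partial_chain continues past the end of this hunk.
```erlang
%% Per-test-case inputs shared by the partial-chain cases: key algorithm,
%% server chain configuration and the cipher list appropriate for the group.
partial_chain_setup(Config) ->
    Prop = proplists:get_value(tc_group_properties, Config),
    Group = proplists:get_value(name, Prop),
    Version = ssl_test_lib:n_version(proplists:get_value(version, Config)),
    Alg = proplists:get_value(cert_key_alg, Config),
    {Alg,
     ssl_test_lib:default_ecc_cert_chain_conf(Group),
     appropriate_ciphers(Group, Version)}.
```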
@@ -391,7 +400,7 @@ client_auth_use_partial_chain(Config) when is_list(Config) ->
end
end,
ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true}, {partial_chain, PartialChain} |
- ssl_test_lib:ssl_options(extra_server, ServerOpts0, Config)],
+ ssl_test_lib:ssl_options(extra_server, [{ciphers, Ciphers} | ServerOpts0], Config)],
ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
%%--------------------------------------------------------------------
%% Have to use partial chain functionality on side running Erlang (we are not testing OpenSSL features)
@@ -399,10 +408,15 @@ client_auth_do_not_use_partial_chain() ->
ssl_cert_tests:client_auth_do_not_use_partial_chain().
client_auth_do_not_use_partial_chain(Config) when is_list(Config) ->
Prop = proplists:get_value(tc_group_properties, Config),
- DefaultCertConf = ssl_test_lib:default_ecc_cert_chain_conf(proplists:get_value(name, Prop)),
+ Group = proplists:get_value(name, Prop),
+ DefaultCertConf = ssl_test_lib:default_ecc_cert_chain_conf(Group),
+ Version = ssl_test_lib:n_version(proplists:get_value(version, Config)),
+ Alg = proplists:get_value(cert_key_alg, Config),
+ Ciphers = appropriate_ciphers(Group, Version),
+
{Year, Month, Day} = date(),
#{client_config := ClientOpts0,
- server_config := ServerOpts0} = ssl_test_lib:make_cert_chains_pem(proplists:get_value(cert_key_alg, Config),
+ server_config := ServerOpts0} = ssl_test_lib:make_cert_chains_pem(Alg,
[{client_chain,
[[{validity, {{Year-2, Month, Day},
{Year-1, Month, Day}}}],
@@ -415,7 +429,7 @@ client_auth_do_not_use_partial_chain(Config) when is_list(Config) ->
end,
ClientOpts = ssl_test_lib:ssl_options(extra_client, ClientOpts0, Config),
ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true}, {partial_chain, PartialChain} |
- ssl_test_lib:ssl_options(extra_server, ServerOpts0, Config)],
+ ssl_test_lib:ssl_options(extra_server, [{ciphers, Ciphers} | ServerOpts0], Config)],
ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, certificate_expired).
%%--------------------------------------------------------------------
@@ -423,24 +437,29 @@ client_auth_do_not_use_partial_chain(Config) when is_list(Config) ->
client_auth_partial_chain_fun_fail() ->
ssl_cert_tests:client_auth_partial_chain_fun_fail().
client_auth_partial_chain_fun_fail(Config) when is_list(Config) ->
- Prop = proplists:get_value(tc_group_properties, Config),
- DefaultCertConf = ssl_test_lib:default_ecc_cert_chain_conf(proplists:get_value(name, Prop)),
+ Prop = proplists:get_value(tc_group_properties, Config),
+ Group = proplists:get_value(name, Prop),
+ DefaultCertConf = ssl_test_lib:default_ecc_cert_chain_conf(Group),
+ Version = ssl_test_lib:n_version(proplists:get_value(version, Config)),
+ Alg = proplists:get_value(cert_key_alg, Config),
+ Ciphers = appropriate_ciphers(Group, Version),
+
{Year, Month, Day} = date(),
#{client_config := ClientOpts0,
- server_config := ServerOpts0} = ssl_test_lib:make_cert_chains_pem(proplists:get_value(cert_key_alg, Config),
+ server_config := ServerOpts0} = ssl_test_lib:make_cert_chains_pem(Alg,
[{client_chain,
[[{validity, {{Year-2, Month, Day},
{Year-1, Month, Day}}}],
[],
[]
]},
- {server_chain, DefaultCertConf}], Config, "do_not_use_partial_chain"),
+ {server_chain, DefaultCertConf}], Config, "partial_chain_fun_fail"),
PartialChain = fun(_CertChain) ->
error(crash_on_purpose)
end,
ClientOpts = ssl_test_lib:ssl_options(extra_client, ClientOpts0, Config),
ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true}, {partial_chain, PartialChain} |
- ssl_test_lib:ssl_options(extra_server, ServerOpts0, Config)],
+ ssl_test_lib:ssl_options(extra_server, [{ciphers, Ciphers} | ServerOpts0], Config)],
ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, certificate_expired).
%%--------------------------------------------------------------------
@@ -509,3 +528,8 @@ openssl_sig_algs(rsa_pss_pss_1_3) ->
[{sigalgs, "rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_pss_sha256"}];
openssl_sig_algs(rsa_pss_rsae_1_3) ->
[{sigalgs,"rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256"}].
+
+appropriate_ciphers(dsa, Version) ->
+ ssl:cipher_suites(all, Version);
+appropriate_ciphers(_, Version) ->
+ ssl:cipher_suites(default, Version).
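Review bot: appropriate_ciphers/2 is undocumented, and the dsa clause quietly widens the offered suites from `default` to `all`, which includes every suite the implementation supports including those deliberately left out of the default list; a reader of the test cases above sees only `[{ciphers, Ciphers} | ServerOpts0]` and cannot tell that the server is being opened up for one group. A short header comment would make the intent explicit, e.g. `%% DSS-based suites are not part of ssl:cipher_suites(default, _), so the dsa group must advertise the full list; all other groups keep the default set.` The second clause's `_` catch-all is fine here since "any other group" is a defined case, but naming the argument `_Group` would document what is being matched.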