Diffstat (limited to 'lib/ssl/test/ssl_cert_tests.erl')
-rw-r--r--lib/ssl/test/ssl_cert_tests.erl37
1 files changed, 21 insertions, 16 deletions
diff --git a/lib/ssl/test/ssl_cert_tests.erl b/lib/ssl/test/ssl_cert_tests.erl
index b6fb9f4724..a551025ea5 100644
--- a/lib/ssl/test/ssl_cert_tests.erl
+++ b/lib/ssl/test/ssl_cert_tests.erl
@@ -1,7 +1,7 @@
%%
%% %CopyrightBegin%
%%
-%% Copyright Ericsson AB 2019-2022. All Rights Reserved.
+%% Copyright Ericsson AB 2019-2023. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
@@ -102,9 +102,10 @@ client_auth_empty_cert_accepted() ->
[{doc,"Client sends empty cert chain as no cert is configured and server allows it"}].
client_auth_empty_cert_accepted(Config) ->
- ClientOpts = proplists:delete(keyfile,
- proplists:delete(certfile,
- ssl_test_lib:ssl_options(extra_client, client_cert_opts, Config))),
+ ClientOpts = [{verify, verify_peer} |
+ proplists:delete(keyfile,
+ proplists:delete(certfile,
+ ssl_test_lib:ssl_options(extra_client, client_cert_opts, Config)))],
ServerOpts0 = ssl_test_lib:ssl_options(extra_server, server_cert_opts, Config),
ServerOpts = [{verify, verify_peer},
{fail_if_no_peer_cert, false} | ServerOpts0],
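Review bot: The added `{verify, verify_peer}` on the client side of client_auth_empty_cert_accepted has no comment saying why the client verifies the server while its own certfile and keyfile are stripped. I would add `%% Client still verifies the server; only its own cert and key are removed` above the `ClientOpts` binding. The tuple is prepended to whatever ssl_test_lib:ssl_options/3 returns, so if that list already carries a `verify` entry the result holds two; which one takes effect is not visible here and is worth confirming. The function body continues past the end of the hunk.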
@@ -115,8 +116,8 @@ client_auth_empty_cert_rejected() ->
client_auth_empty_cert_rejected(Config) ->
ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true}
- | ssl_test_lib:ssl_options(extra_server, server_cert_opts, Config)],
- ClientOpts0 = ssl_test_lib:ssl_options(extra_client, [], Config),
+ | ssl_test_lib:ssl_options(extra_server, server_cert_opts, Config)],
+ ClientOpts0 = [{verify, verify_none} | ssl_test_lib:ssl_options(extra_client, [], Config)],
%% Delete Client Cert and Key
ClientOpts1 = proplists:delete(certfile, ClientOpts0),
ClientOpts = proplists:delete(keyfile, ClientOpts1),
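Review bot: `{verify, verify_none}` in `ClientOpts0` turns off server-certificate checking on the client, and nothing in the hunk says this is deliberate. Since the case appears to target the server's `fail_if_no_peer_cert` handling, a comment such as `%% Client skips server verification on purpose; only the server's client-cert check is under test` would keep the setting from being read as a default or copied into other cases. The same applies to the `ClientOpts` line added in client_auth_no_suitable_chain. The function continues outside the hunk.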
@@ -140,11 +141,11 @@ client_auth_no_suitable_chain(Config) when is_list(Config) ->
client_chain => #{root => CRoot,
intermediates => [[]],
peer => []}}),
- ClientOpts = ssl_test_lib:ssl_options(extra_client, ClientOpts0, Config),
+ ClientOpts = [{verify, verify_none} | ssl_test_lib:ssl_options(extra_client, ClientOpts0, Config)],
ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true}
- | ssl_test_lib:ssl_options(extra_server, server_cert_opts, Config)],
+ | ssl_test_lib:ssl_options(extra_server, server_cert_opts, Config)],
Version = proplists:get_value(version, Config),
-
+
case Version of
'tlsv1.3' ->
ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, certificate_required);
@@ -274,10 +275,14 @@ client_auth_seelfsigned_peer(Config) when is_list(Config) ->
#{cert := Cert,
key := Key} = public_key:pkix_test_root_cert("OTP test server ROOT", [{key, ssl_test_lib:hardcode_rsa_key(6)},
{extensions, Ext}]),
+ Version = ssl_test_lib:n_version(proplists:get_value(version, Config)),
DerKey = public_key:der_encode('RSAPrivateKey', Key),
- ssl_test_lib:basic_alert(ssl_test_lib:ssl_options(extra_client, [{verify, verify_peer}, {cacerts , [Cert]}], Config),
+ ssl_test_lib:basic_alert(ssl_test_lib:ssl_options(extra_client, [{verify, verify_peer}, {cacerts , [Cert]}] ++
+ ssl_test_lib:sig_algs(rsa, Version), Config),
ssl_test_lib:ssl_options(extra_server, [{cert, Cert},
- {key, {'RSAPrivateKey', DerKey}}], Config), Config, bad_certificate).
+ {key, {'RSAPrivateKey', DerKey}}] ++
+ ssl_test_lib:sig_algs(rsa, Version), Config),
+ Config, bad_certificate).
%%--------------------------------------------------------------------
missing_root_cert_no_auth() ->
[{doc,"Test that the client succeeds if the ROOT CA is unknown in verify_none mode"}].
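Review bot: `ssl_test_lib:sig_algs(rsa, Version)` is evaluated twice inside an already deeply nested `basic_alert` call in client_auth_seelfsigned_peer, which makes it hard to see that client and server receive the same signature-algorithm list. Binding it once, `SigAlgs = ssl_test_lib:sig_algs(rsa, Version),`, and naming the two option lists before the call would make that explicit. A short comment on why the algorithms are pinned would also help; presumably it ensures the handshake fails with `bad_certificate` on the self-signed peer rather than earlier during algorithm selection, but that is not visible in the hunk. The function starts above the hunk.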
@@ -285,12 +290,12 @@ missing_root_cert_no_auth() ->
missing_root_cert_no_auth(Config) ->
ClientOpts = [{verify, verify_none} | ssl_test_lib:ssl_options(extra_client, client_cert_opts, Config)],
ServerOpts = [{verify, verify_none} | ssl_test_lib:ssl_options(extra_server, server_cert_opts, Config)],
-
+
ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
%%--------------------------------------------------------------------
invalid_signature_client() ->
- [{doc,"Test server with invalid signature"}].
+ [{doc,"Test that server detects invalid client signature"}].
invalid_signature_client(Config) when is_list(Config) ->
ClientOpts0 = ssl_test_lib:ssl_options(extra_client, client_cert_opts, Config),
@@ -314,7 +319,7 @@ invalid_signature_client(Config) when is_list(Config) ->
%%--------------------------------------------------------------------
invalid_signature_server() ->
- [{doc,"Test client with invalid signature"}].
+ [{doc,"Test that client detects invalid server signature"}].
invalid_signature_server(Config) when is_list(Config) ->
ClientOpts0 = ssl_test_lib:ssl_options(extra_client, client_cert_opts, Config),
@@ -462,8 +467,8 @@ test_ciphers(_, 'tlsv1.3' = Version) ->
end, Ciphers);
test_ciphers(_, Version) when Version == 'dtlsv1';
Version == 'dtlsv1.2' ->
- {_, Minor} = dtls_record:protocol_version(Version),
- Ciphers = [ssl_cipher_format:suite_bin_to_map(Bin) || Bin <- dtls_v1:suites(Minor)],
+ NVersion = dtls_record:protocol_version_name(Version),
+ Ciphers = [ssl_cipher_format:suite_bin_to_map(Bin) || Bin <- dtls_v1:suites(NVersion)],
ct:log("Version ~p Testing ~p~n", [Version, Ciphers]),
OpenSSLCiphers = openssl_ciphers(),
ct:log("OpenSSLCiphers ~p~n", [OpenSSLCiphers]),