From 0706f322ba1864ab83b74e752602f7d3e1feb2c2 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Mon, 12 Apr 2021 14:21:43 +0200
Subject: ssl: Add support for EDDSA

Closes #4637
---
 lib/ssl/test/ssl_cert_SUITE.erl | 56 ++++++++++++++++++++++++++++++++---------
 1 file changed, 44 insertions(+), 12 deletions(-)

(limited to 'lib/ssl/test/ssl_cert_SUITE.erl')

diff --git a/lib/ssl/test/ssl_cert_SUITE.erl b/lib/ssl/test/ssl_cert_SUITE.erl
index a142115b55..562d12a7ab 100644
--- a/lib/ssl/test/ssl_cert_SUITE.erl
+++ b/lib/ssl/test/ssl_cert_SUITE.erl
@@ -147,7 +147,8 @@ groups() ->
      {rsa_pss_rsae_1_3, [], all_version_tests() ++ rsa_tests() ++ tls_1_3_tests() ++ tls_1_3_rsa_tests()},
      {rsa_pss_pss, [], all_version_tests() ++ rsa_tests()},
      {rsa_pss_pss_1_3, [], all_version_tests() ++ rsa_tests() ++ tls_1_3_tests() ++ tls_1_3_rsa_tests()},
-     {ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()}
+     {ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()},
+     {eddsa_1_3, [], all_version_tests() ++ tls_1_3_tests()}
     ].
 
 ssl_protocol_groups() ->
@@ -165,6 +166,7 @@ tls_1_2_protocol_groups() ->
 tls_1_3_protocol_groups() ->
     [{group, rsa_1_3},
      {group, ecdsa_1_3},
+     {group, eddsa_1_3},
      {group, rsa_pss_rsae_1_3},
      {group, rsa_pss_pss_1_3}
     ].
@@ -229,7 +231,6 @@ init_per_suite(Config) ->
     catch crypto:stop(),
     try crypto:start() of
 	ok ->
-	    ssl_test_lib:clean_start(),
             Config
     catch _:_ ->
 	    {skip, "Crypto did not start"}
@@ -244,6 +245,7 @@ end_per_suite(_Config) ->
 init_per_group(GroupName, Config) ->
     case ssl_test_lib:is_protocol_version(GroupName) of
         true  ->
+            ssl_test_lib:clean_start(),
             ssl_test_lib:init_per_group(GroupName, 
                                         [{client_type, erlang},
                                          {server_type, erlang},
@@ -289,7 +291,7 @@ do_init_per_group(Alg, Config) when Alg == rsa_pss_rsae;
             {skip, "Missing EC crypto support"}
     end;
 do_init_per_group(Group, Config0) when Group == ecdsa;
-                                    Group == ecdsa_1_3 ->
+                                       Group == ecdsa_1_3 ->
 
     PKAlg = crypto:supports(public_keys),
     case lists:member(ecdsa, PKAlg) andalso (lists:member(ecdh, PKAlg) orelse lists:member(dh, PKAlg)) of
@@ -307,12 +309,36 @@ do_init_per_group(Group, Config0) when Group == ecdsa;
         false ->
             {skip, "Missing EC crypto support"}
     end;
-
-do_init_per_group(Group, Config0) when Group == dsa ->
+do_init_per_group(eddsa_1_3, Config0) ->
+    PKAlg = crypto:supports(public_keys),
+    PrivDir = proplists:get_value(priv_dir, Config0),
+    case lists:member(eddsa, PKAlg) andalso (lists:member(ecdh, PKAlg)) of
+        true ->
+            Conf = public_key:pkix_test_data(#{server_chain => #{root => ssl_test_lib:eddsa_conf(),
+                                                                 intermediates => [ssl_test_lib:eddsa_conf()],
+                                                                 peer =>  ssl_test_lib:eddsa_conf()},
+                                               client_chain => #{root => ssl_test_lib:eddsa_conf(),
+                                                                 intermediates => [ssl_test_lib:eddsa_conf()],
+                                                                 peer =>  ssl_test_lib:eddsa_conf()}}),
+            [{server_config, SOpts},
+             {client_config, COpts}] = x509_test:gen_pem_config_files(Conf, filename:join(PrivDir, "client_eddsa"),
+                                                                      filename:join(PrivDir, "server_eddsa")),
+
+            [{cert_key_alg, eddsa} |
+             lists:delete(cert_key_alg,
+                          [{client_cert_opts, COpts},
+                           {server_cert_opts, SOpts} |
+                           lists:delete(server_cert_opts,
+                                        lists:delete(client_cert_opts, Config0))]
+                         )];
+        false ->
+            {skip, "Missing EC crypto support"}
+    end;
+do_init_per_group(dsa, Config0) ->
     PKAlg = crypto:supports(public_keys),
     case lists:member(dss, PKAlg) andalso lists:member(dh, PKAlg) of
         true ->
-            Config = ssl_test_lib:make_dsa_cert(Config0),    
+            Config = ssl_test_lib:make_dsa_cert(Config0),
             COpts = proplists:get_value(client_dsa_opts, Config),
             SOpts = proplists:get_value(server_dsa_opts, Config),
             [{cert_key_alg, dsa} |
@@ -324,7 +350,7 @@ do_init_per_group(Group, Config0) when Group == dsa ->
         false ->
             {skip, "Missing DSS crypto support"}
     end;
-do_init_per_group(Group, Config) ->
+do_init_per_group(_Group, Config) ->
     Config.
 
 end_per_group(GroupName, Config) ->
@@ -491,7 +517,9 @@ missing_root_cert_auth_user_verify_fun_reject(Config) ->
 incomplete_chain_auth() ->
     [{doc,"Test that we can verify an incompleat chain when we have the certs to rebuild it"}].
 incomplete_chain_auth(Config) when is_list(Config) ->
-    DefaultCertConf = ssl_test_lib:default_cert_chain_conf(),
+    Prop = proplists:get_value(tc_group_properties, Config),
+    Group = proplists:get_value(name, Prop),
+    DefaultCertConf = ssl_test_lib:default_ecc_cert_chain_conf(Group),
     #{client_config := ClientOpts0,
       server_config := ServerOpts0} = ssl_test_lib:make_cert_chains_der(proplists:get_value(cert_key_alg, Config),
                                                                         [{server_chain, DefaultCertConf},
@@ -608,7 +636,8 @@ critical_extension_auth() ->
     [{doc,"Test cert that has a critical unknown extension in verify_peer mode"}].
 
 critical_extension_auth(Config) when is_list(Config) ->
-    DefaultCertConf = ssl_test_lib:default_cert_chain_conf(),
+    Prop = proplists:get_value(tc_group_properties, Config),
+    DefaultCertConf = ssl_test_lib:default_ecc_cert_chain_conf(proplists:get_value(name, Prop)),
     Ext = x509_test:extensions([{{2,16,840,1,113730,1,1}, <<3,2,6,192>>, true}]),
     #{client_config := ClientOpts0,
       server_config := ServerOpts0}  = ssl_test_lib:make_cert_chains_der(proplists:get_value(cert_key_alg, Config),
@@ -674,7 +703,8 @@ critical_extension_no_auth() ->
     [{doc,"Test cert that has a critical unknown extension in verify_none mode"}].
 
 critical_extension_no_auth(Config) when is_list(Config) ->
-    DefaultCertConf = ssl_test_lib:default_cert_chain_conf(),
+    Prop = proplists:get_value(tc_group_properties, Config),
+    DefaultCertConf = ssl_test_lib:default_ecc_cert_chain_conf(proplists:get_value(name, Prop)),
     Ext = x509_test:extensions([{{2,16,840,1,113730,1,1}, <<3,2,6,192>>, true}]),
     #{client_config := ClientOpts0,
       server_config := ServerOpts0}  = ssl_test_lib:make_cert_chains_der(proplists:get_value(cert_key_alg, Config),
@@ -692,7 +722,8 @@ extended_key_usage_auth() ->
     [{doc,"Test cert that has a critical extended_key_usage extension in server cert"}].
 
 extended_key_usage_auth(Config) when is_list(Config) -> 
-    DefaultCertConf = ssl_test_lib:default_cert_chain_conf(),
+    Prop = proplists:get_value(tc_group_properties, Config),
+    DefaultCertConf = ssl_test_lib:default_ecc_cert_chain_conf(proplists:get_value(name, Prop)),
     Ext = x509_test:extensions([{?'id-ce-extKeyUsage',
                                  [?'id-kp-serverAuth'], true}]),
     #{client_config := ClientOpts0,
@@ -762,7 +793,8 @@ cert_expired() ->
     [{doc,"Test server with expired certificate"}].
 
 cert_expired(Config) when is_list(Config) ->
-    DefaultCertConf = ssl_test_lib:default_cert_chain_conf(),
+    Prop = proplists:get_value(tc_group_properties, Config),
+    DefaultCertConf = ssl_test_lib:default_ecc_cert_chain_conf(proplists:get_value(name, Prop)),
     {Year, Month, Day} = date(),
     #{client_config := ClientOpts0,
       server_config := ServerOpts0} = ssl_test_lib:make_cert_chains_der(proplists:get_value(cert_key_alg, Config),
-- 
cgit v1.2.1