summaryrefslogtreecommitdiff
path: root/tests/pkcs11/tls-neg-pkcs11-key.c
diff options
context:
space:
mode:
Diffstat (limited to 'tests/pkcs11/tls-neg-pkcs11-key.c')
-rw-r--r--tests/pkcs11/tls-neg-pkcs11-key.c81
1 files changed, 78 insertions, 3 deletions
diff --git a/tests/pkcs11/tls-neg-pkcs11-key.c b/tests/pkcs11/tls-neg-pkcs11-key.c
index c32dee27a6..c003e762aa 100644
--- a/tests/pkcs11/tls-neg-pkcs11-key.c
+++ b/tests/pkcs11/tls-neg-pkcs11-key.c
@@ -56,6 +56,22 @@ static void tls_log_func(int level, const char *str)
#define testfail(fmt, ...) \
fail("%s: "fmt, name, ##__VA_ARGS__)
+static unsigned verify_eddsa_presence(void)
+{
+ unsigned i;
+ unsigned long mechanism;
+ int ret;
+
+ i = 0;
+ do {
+ ret = gnutls_pkcs11_token_get_mechanism("pkcs11:", i++, &mechanism);
+ if (ret >= 0 && mechanism == 0x1057 /* CKM_EDDSA */)
+ return 1;
+ } while(ret>=0);
+
+ return 0;
+}
+
static gnutls_privkey_t load_virt_privkey(const char *name, const gnutls_datum_t *txtkey, int exp_key_err)
{
gnutls_privkey_t privkey;
@@ -243,6 +259,7 @@ typedef struct test_st {
gnutls_kx_algorithm_t exp_kx;
int exp_key_err;
int exp_serv_err;
+ int needs_eddsa;
unsigned requires_pkcs11_pss;
} test_st;
@@ -292,13 +309,66 @@ static const test_st tests[] = {
.exp_kx = GNUTLS_KX_ECDHE_RSA,
.exp_serv_err = GNUTLS_E_NO_CIPHER_SUITES
},
- {.name = "tls1.2: ed25519 cert, ed25519 key", /* we cannot import that key */
+ {.name = "tls1.2: ed25519 cert, ed25519 key",
.pk = GNUTLS_PK_EDDSA_ED25519,
+ .needs_eddsa = 1,
.prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
.cert = &server_ca3_eddsa_cert,
.key = &server_ca3_eddsa_key,
.exp_kx = GNUTLS_KX_ECDHE_RSA,
- .exp_key_err = GNUTLS_E_INVALID_REQUEST
+ },
+ {.name = "tls1.3: ecc key",
+ .pk = GNUTLS_PK_ECDSA,
+ .prio = "NORMAL:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3",
+ .cert = &server_ca3_localhost_ecc_cert,
+ .key = &server_ca3_ecc_key,
+ .exp_kx = GNUTLS_KX_ECDHE_RSA
+ },
+ {.name = "tls1.3: rsa-sign key",
+ .pk = GNUTLS_PK_RSA,
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3",
+ .cert = &server_ca3_localhost_cert,
+ .key = &server_ca3_key,
+ .exp_kx = GNUTLS_KX_ECDHE_RSA
+ },
+ {.name = "tls1.3: rsa-sign key with rsa-pss sigs prioritized",
+ .pk = GNUTLS_PK_RSA,
+ .prio = "NORMAL:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-PSS-RSAE-SHA256:+SIGN-RSA-PSS-RSAE-SHA384:+SIGN-RSA-PSS-RSAE-SHA512:-VERS-TLS-ALL:+VERS-TLS1.3",
+ .cert = &server_ca3_localhost_cert,
+ .key = &server_ca3_key,
+ .exp_kx = GNUTLS_KX_ECDHE_RSA
+ },
+ {.name = "tls1.3: rsa-pss-sign key",
+ .pk = GNUTLS_PK_RSA_PSS,
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3",
+ .cert = &server_ca3_rsa_pss2_cert,
+ .key = &server_ca3_rsa_pss2_key,
+ .exp_kx = GNUTLS_KX_ECDHE_RSA,
+ .requires_pkcs11_pss = 1,
+ },
+ {.name = "tls1.3: rsa-pss cert, rsa-sign key",
+ .pk = GNUTLS_PK_RSA,
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3",
+ .cert = &server_ca3_rsa_pss_cert,
+ .key = &server_ca3_rsa_pss_key,
+ .exp_kx = GNUTLS_KX_ECDHE_RSA,
+ .requires_pkcs11_pss = 1,
+ },
+ {.name = "tls1.3: rsa-pss cert, rsa-sign key no PSS signatures",
+ .pk = GNUTLS_PK_RSA,
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3:-SIGN-RSA-PSS-SHA256:-SIGN-RSA-PSS-SHA384:-SIGN-RSA-PSS-SHA512:-SIGN-RSA-PSS-RSAE-SHA256:-SIGN-RSA-PSS-RSAE-SHA384:-SIGN-RSA-PSS-RSAE-SHA512",
+ .cert = &server_ca3_rsa_pss_cert,
+ .key = &server_ca3_rsa_pss_key,
+ .exp_kx = GNUTLS_KX_ECDHE_RSA,
+ .exp_serv_err = GNUTLS_E_NO_CIPHER_SUITES
+ },
+ {.name = "tls1.3: ed25519 cert, ed25519 key",
+ .needs_eddsa = 1,
+ .pk = GNUTLS_PK_EDDSA_ED25519,
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
+ .cert = &server_ca3_eddsa_cert,
+ .key = &server_ca3_eddsa_key,
+ .exp_kx = GNUTLS_KX_ECDHE_RSA
}
};
@@ -322,7 +392,7 @@ void doit(void)
gnutls_privkey_t privkey;
const char *bin, *lib;
char buf[512];
- unsigned int i;
+ unsigned int i, have_eddsa;
int ret;
#ifdef _WIN32
@@ -351,7 +421,12 @@ void doit(void)
gnutls_strerror(ret));
}
+ have_eddsa = verify_eddsa_presence();
+
for (i=0;i<sizeof(tests)/sizeof(tests[0]);i++) {
+ if (tests[i].needs_eddsa && !have_eddsa)
+ continue;
+
success("checking: %s\n", tests[i].name);
if (tests[i].requires_pkcs11_pss) {
View Lorry Controller Status