From b2e7ed0b5d2ee90874a66fc9a054812155e50448 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 20 May 2019 14:40:31 +0200 Subject: Added profile to correspond to the future security parameter It seems that the FUTURE security level parameter was added without a corresponding verification profile. This patch address the issue by introducing it. Resolves: #770 Signed-off-by: Nikos Mavrogiannopoulos --- doc/cha-gtls-app.texi | 2 +- lib/Makefile.am | 2 +- lib/includes/gnutls/x509.h | 7 +- lib/priority.c | 47 ++++---- lib/priority_options.gperf | 1 + lib/profiles.c | 74 ++++++++++++ lib/profiles.h | 32 +++++ lib/x509/verify.c | 6 +- tests/Makefile.am | 2 +- tests/profile-tests.sh | 243 ++++++++++++++++++++++++++++++++++++++ tests/suite/certs/create-chain.sh | 11 +- 11 files changed, 393 insertions(+), 34 deletions(-) create mode 100644 lib/profiles.c create mode 100644 lib/profiles.h create mode 100755 tests/profile-tests.sh diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi index 6f605dfa1c..b304d67fb9 100644 --- a/doc/cha-gtls-app.texi +++ b/doc/cha-gtls-app.texi @@ -1610,7 +1610,7 @@ will disable CRL or OCSP checks in the verification of the certificate chain. @item %VERIFY_ALLOW_X509_V1_CA_CRT @tab will allow V1 CAs in chains. -@item %PROFILE_(LOW|LEGACY|MEDIUM|HIGH|ULTRA) @tab +@item %PROFILE_(LOW|LEGACY|MEDIUM|HIGH|ULTRA|FUTURE) @tab require a certificate verification profile the corresponds to the specified security level, see @ref{tab:key-sizes} for the mappings to values. diff --git a/lib/Makefile.am b/lib/Makefile.am index fe9cf63a2f..83b328e89a 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -72,7 +72,7 @@ COBJECTS = range.c record.c compress.c debug.c cipher.c gthreads.h handshake-tls pk.c cert-cred.c global.c constate.c anon_cred.c pkix_asn1_tab.c gnutls_asn1_tab.c \ mem.c fingerprint.c tls-sig.c ecc.c alert.c privkey_raw.c atomic.h \ system/certs.c system/threads.c system/fastopen.c system/sockets.c \ - str-iconv.c system.c \ + str-iconv.c system.c profiles.c profiles.h \ str.c str-unicode.c str-idna.c state.c cert-cred-x509.c file.c supplemental.c \ random.c crypto-api.c crypto-api.h privkey.c pcert.c pubkey.c locks.c dtls.c \ system_override.c crypto-backend.c verify-tofu.c pin.c tpm.c fips.c \ diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h index a153f7fac9..2f0a85498c 100644 --- a/lib/includes/gnutls/x509.h +++ b/lib/includes/gnutls/x509.h @@ -988,6 +988,7 @@ typedef enum gnutls_certificate_verify_flags { /** * gnutls_certificate_verification_profiles_t: + * @GNUTLS_PROFILE_UNKNOWN: An invalid/unknown profile. * @GNUTLS_PROFILE_VERY_WEAK: A verification profile that * corresponds to @GNUTLS_SEC_PARAM_VERY_WEAK (64 bits) * @GNUTLS_PROFILE_LOW: A verification profile that @@ -999,7 +1000,9 @@ typedef enum gnutls_certificate_verify_flags { * @GNUTLS_PROFILE_HIGH: A verification profile that * corresponds to @GNUTLS_SEC_PARAM_HIGH (128 bits) * @GNUTLS_PROFILE_ULTRA: A verification profile that - * corresponds to @GNUTLS_SEC_PARAM_ULTRA (256 bits) + * corresponds to @GNUTLS_SEC_PARAM_ULTRA (192 bits) + * @GNUTLS_PROFILE_FUTURE: A verification profile that + * corresponds to @GNUTLS_SEC_PARAM_FUTURE (256 bits) % * @GNUTLS_PROFILE_SUITEB128: A verification profile that * applies the SUITEB128 rules * @GNUTLS_PROFILE_SUITEB192: A verification profile that @@ -1008,12 +1011,14 @@ typedef enum gnutls_certificate_verify_flags { * Enumeration of different certificate verification profiles. */ typedef enum gnutls_certificate_verification_profiles_t { + GNUTLS_PROFILE_UNKNOWN = 0, GNUTLS_PROFILE_VERY_WEAK = 1, GNUTLS_PROFILE_LOW = 2, GNUTLS_PROFILE_LEGACY = 4, GNUTLS_PROFILE_MEDIUM = 5, GNUTLS_PROFILE_HIGH = 6, GNUTLS_PROFILE_ULTRA = 7, + GNUTLS_PROFILE_FUTURE = 9, GNUTLS_PROFILE_SUITEB128=32, GNUTLS_PROFILE_SUITEB192=33 diff --git a/lib/priority.c b/lib/priority.c index 900bbf7783..1ed5d84927 100644 --- a/lib/priority.c +++ b/lib/priority.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2004-2015 Free Software Foundation, Inc. - * Copyright (C) 2015-2017 Red Hat, Inc. + * Copyright (C) 2015-2019 Red Hat, Inc. * * Author: Nikos Mavrogiannopoulos * @@ -36,10 +36,17 @@ #include "errno.h" #include "ext/srp.h" #include +#include "profiles.h" #include "c-strcase.h" #define MAX_ELEMENTS 64 +#define ENABLE_PROFILE(c, profile) do { \ + c->additional_verify_flags &= 0x00ffffff; \ + c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(profile); \ + c->level = _gnutls_profile_to_sec_level(profile); \ + } while(0) + /* This function is used by the test suite */ char *_gnutls_resolve_priorities(const char* priorities); const char *_gnutls_default_priority_string = DEFAULT_PRIORITY_STRING; @@ -839,51 +846,39 @@ static void disable_wildcards(gnutls_priority_t c) } static void enable_profile_very_weak(gnutls_priority_t c) { - c->additional_verify_flags &= 0x00ffffff; - c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_VERY_WEAK); - c->level = GNUTLS_SEC_PARAM_VERY_WEAK; + ENABLE_PROFILE(c, GNUTLS_PROFILE_VERY_WEAK); } static void enable_profile_low(gnutls_priority_t c) { - c->additional_verify_flags &= 0x00ffffff; - c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LOW); - c->level = GNUTLS_SEC_PARAM_LOW; + ENABLE_PROFILE(c, GNUTLS_PROFILE_LOW); } static void enable_profile_legacy(gnutls_priority_t c) { - c->additional_verify_flags &= 0x00ffffff; - c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_LEGACY); - c->level = GNUTLS_SEC_PARAM_LEGACY; + ENABLE_PROFILE(c, GNUTLS_PROFILE_LEGACY); +} +static void enable_profile_medium(gnutls_priority_t c) +{ + ENABLE_PROFILE(c, GNUTLS_PROFILE_MEDIUM); } static void enable_profile_high(gnutls_priority_t c) { - c->additional_verify_flags &= 0x00ffffff; - c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_HIGH); - c->level = GNUTLS_SEC_PARAM_HIGH; + ENABLE_PROFILE(c, GNUTLS_PROFILE_HIGH); } static void enable_profile_ultra(gnutls_priority_t c) { - c->additional_verify_flags &= 0x00ffffff; - c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA); - c->level = GNUTLS_SEC_PARAM_ULTRA; + ENABLE_PROFILE(c, GNUTLS_PROFILE_ULTRA); } -static void enable_profile_medium(gnutls_priority_t c) +static void enable_profile_future(gnutls_priority_t c) { - c->additional_verify_flags &= 0x00ffffff; - c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM); - c->level = GNUTLS_SEC_PARAM_MEDIUM; + ENABLE_PROFILE(c, GNUTLS_PROFILE_FUTURE); } static void enable_profile_suiteb128(gnutls_priority_t c) { - c->additional_verify_flags &= 0x00ffffff; - c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_SUITEB128); - c->level = GNUTLS_SEC_PARAM_HIGH; + ENABLE_PROFILE(c, GNUTLS_PROFILE_SUITEB128); } static void enable_profile_suiteb192(gnutls_priority_t c) { - c->additional_verify_flags &= 0x00ffffff; - c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_SUITEB192); - c->level = GNUTLS_SEC_PARAM_ULTRA; + ENABLE_PROFILE(c, GNUTLS_PROFILE_SUITEB128); } static void enable_safe_renegotiation(gnutls_priority_t c) { diff --git a/lib/priority_options.gperf b/lib/priority_options.gperf index a955ec85e6..c0524e5a09 100644 --- a/lib/priority_options.gperf +++ b/lib/priority_options.gperf @@ -33,6 +33,7 @@ PROFILE_LEGACY, enable_profile_legacy PROFILE_MEDIUM, enable_profile_medium PROFILE_HIGH, enable_profile_high PROFILE_ULTRA, enable_profile_ultra +PROFILE_FUTURE, enable_profile_future PROFILE_SUITEB128, enable_profile_suiteb128 PROFILE_SUITEB192, enable_profile_suiteb192 NEW_PADDING, dummy_func diff --git a/lib/profiles.c b/lib/profiles.c new file mode 100644 index 0000000000..729ae51a0d --- /dev/null +++ b/lib/profiles.c @@ -0,0 +1,74 @@ +/* + * Copyright (C) 2019 Red Hat, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * The GnuTLS is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public License + * as published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see + * + */ + +#include "gnutls_int.h" +#include +#include "errors.h" +#include +#include "c-strcase.h" +#include "profiles.h" + +typedef struct { + const char *name; + gnutls_certificate_verification_profiles_t profile; + gnutls_sec_param_t sec_param; +} gnutls_profile_entry; + +static const gnutls_profile_entry profiles[] = { + {"Very weak", GNUTLS_PROFILE_VERY_WEAK, GNUTLS_SEC_PARAM_VERY_WEAK}, + {"Low", GNUTLS_PROFILE_LOW, GNUTLS_SEC_PARAM_LOW}, + {"Legacy", GNUTLS_PROFILE_LEGACY, GNUTLS_SEC_PARAM_LEGACY}, + {"Medium", GNUTLS_PROFILE_MEDIUM, GNUTLS_SEC_PARAM_MEDIUM}, + {"High", GNUTLS_PROFILE_HIGH, GNUTLS_SEC_PARAM_HIGH}, + {"Ultra", GNUTLS_PROFILE_ULTRA, GNUTLS_SEC_PARAM_ULTRA}, + {"Future", GNUTLS_PROFILE_FUTURE, GNUTLS_SEC_PARAM_FUTURE}, + {"SuiteB128", GNUTLS_PROFILE_SUITEB128, GNUTLS_SEC_PARAM_HIGH}, + {"SuiteB192", GNUTLS_PROFILE_SUITEB192, GNUTLS_SEC_PARAM_ULTRA}, + {NULL, 0, 0} +}; + +gnutls_sec_param_t _gnutls_profile_to_sec_level(gnutls_certificate_verification_profiles_t profile) +{ + const gnutls_profile_entry *p; + + for(p = profiles; p->name != NULL; p++) { + if (profile == p->profile) + return p->sec_param; + } + + return GNUTLS_SEC_PARAM_UNKNOWN; +} + +gnutls_certificate_verification_profiles_t _gnutls_profile_get_id(const char *name) +{ + const gnutls_profile_entry *p; + + if (name == NULL) + return GNUTLS_PROFILE_UNKNOWN; + + for(p = profiles; p->name != NULL; p++) { + if (c_strcasecmp(p->name, name) == 0) + return p->profile; + } + + return GNUTLS_PROFILE_UNKNOWN; +} diff --git a/lib/profiles.h b/lib/profiles.h new file mode 100644 index 0000000000..a2aae2a687 --- /dev/null +++ b/lib/profiles.h @@ -0,0 +1,32 @@ +/* + * Copyright (C) 2019 Red Hat, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * The GnuTLS is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public License + * as published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see + * + */ + +#ifndef GNUTLS_LIB_PROFILES_H +#define GNUTLS_LIB_PROFILES_H + +#include +#include + +gnutls_certificate_verification_profiles_t _gnutls_profile_get_id(const char *name) __GNUTLS_PURE__; +gnutls_sec_param_t _gnutls_profile_to_sec_level(gnutls_certificate_verification_profiles_t profile) __GNUTLS_PURE__; + +#endif /* GNUTLS_LIB_PROFILES_H */ diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 17404022f8..e6577cad03 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -461,7 +461,7 @@ static unsigned is_level_acceptable( gnutls_sec_param_t sp; int hash; - if (profile == 0) + if (profile == GNUTLS_PROFILE_UNKNOWN) return 1; pkalg = gnutls_x509_crt_get_pk_algorithm(crt, &bits); @@ -481,6 +481,7 @@ static unsigned is_level_acceptable( CASE_SEC_PARAM(GNUTLS_PROFILE_MEDIUM, GNUTLS_SEC_PARAM_MEDIUM); CASE_SEC_PARAM(GNUTLS_PROFILE_HIGH, GNUTLS_SEC_PARAM_HIGH); CASE_SEC_PARAM(GNUTLS_PROFILE_ULTRA, GNUTLS_SEC_PARAM_ULTRA); + CASE_SEC_PARAM(GNUTLS_PROFILE_FUTURE, GNUTLS_SEC_PARAM_FUTURE); case GNUTLS_PROFILE_SUITEB128: case GNUTLS_PROFILE_SUITEB192: { unsigned curve, issuer_curve; @@ -563,6 +564,9 @@ static unsigned is_level_acceptable( } break; + case GNUTLS_PROFILE_UNKNOWN: /* already checked; avoid compiler warnings */ + _gnutls_debug_log("An unknown profile (%d) was encountered\n", (int)profile); + return gnutls_assert_val(0); } } diff --git a/tests/Makefile.am b/tests/Makefile.am index 551c029c1f..f3602e7009 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -481,7 +481,7 @@ dist_check_SCRIPTS += fastopen.sh pkgconfig.sh starttls.sh starttls-ftp.sh start ocsp-tests/ocsp-test cipher-listings.sh sni-hostname.sh server-multi-keys.sh \ psktool.sh ocsp-tests/ocsp-load-chain gnutls-cli-save-data.sh gnutls-cli-debug.sh \ sni-resume.sh ocsp-tests/ocsptool cert-reencoding.sh pkcs7-cat.sh long-crl.sh \ - serv-udp.sh logfile-option.sh gnutls-cli-resume.sh + serv-udp.sh logfile-option.sh gnutls-cli-resume.sh profile-tests.sh dist_check_SCRIPTS += gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh diff --git a/tests/profile-tests.sh b/tests/profile-tests.sh new file mode 100755 index 0000000000..71295fd5a6 --- /dev/null +++ b/tests/profile-tests.sh @@ -0,0 +1,243 @@ +#!/bin/sh + +# Copyright (C) 2019 Red Hat, Inc. +# +# Author: Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see +# + +# This program tests whether the profile keywords work as expected + +srcdir="${srcdir:-.}" +SERV="${SERV:-../src/gnutls-serv${EXEEXT}}" +CLI="${CLI:-../src/gnutls-cli${EXEEXT}}" +TMPFILE=config.$$.tmp +export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 + +if ! test -x "${SERV}"; then + exit 77 +fi + +if ! test -x "${CLI}"; then + exit 77 +fi + +if test "${WINDIR}" != ""; then + exit 77 +fi + +. "${srcdir}/scripts/common.sh" + +CAFILE="./profile-ca.$$.tmp" +CERT="./profile-cert.$$.tmp" + + +echo "Testing with a 256 bit ECDSA key" + +cat >${CAFILE} <<_EOF_ +-----BEGIN CERTIFICATE----- +MIIBZjCCAQugAwIBAgIUT/9x+s6cBhBHWoZH5fBi9c0aBPswCgYIKoZIzj0EAwIw +DzENMAsGA1UEAxMEQ0EtMDAgFw0xOTA1MjAxMzAxNTdaGA85OTk5MTIzMTIzNTk1 +OVowDzENMAsGA1UEAxMEQ0EtMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABI7d +qggkXNbYfXi5rMqdvvX26GJ02A63B5sueaS0w1LITLeMb0mhx4trpXMkJ3lr05lY +JCfr6sUTAlYLMBLZJ+ajQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUD +AwcGADAdBgNVHQ4EFgQUUkk7xPS5Uf53q8YLEhz5KGqeZH0wCgYIKoZIzj0EAwID +SQAwRgIhAKL/lPu6hOTwA/FfB+dMkkVeeZA+6CeXgbnxeA6HXy3bAiEAvO3+1VhR +RIHc3JBuIsLlrwaovXAZHgXNGV2WalixDHI= +-----END CERTIFICATE----- +_EOF_ +cat >${CERT} <<_EOF_ +-----BEGIN CERTIFICATE----- +MIIBnTCCAUOgAwIBAgIUUoqE4mD73XmLCryaMad6AXl6TjAwCgYIKoZIzj0EAwIw +DzENMAsGA1UEAxMEQ0EtMDAgFw0xOTA1MjAxMzAxNTdaGA85OTk5MTIzMTIzNTk1 +OVowEzERMA8GA1UEAxMIc2VydmVyLTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC +AAScHgQMZCm5GLjGs64tN8hmK+KmDOTBU0fyqc9Tle6WjgFFBzPeHv8vLcrp5HTI +mNtKFNCaLN73r9h8xk3qG2pno3cwdTAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuC +CWxvY2FsaG9zdDAPBgNVHQ8BAf8EBQMDB4AAMB0GA1UdDgQWBBRpzYoZdeLYgscj +yokMBbda3FnghzAfBgNVHSMEGDAWgBRSSTvE9LlR/nerxgsSHPkoap5kfTAKBggq +hkjOPQQDAgNIADBFAiATJTdJ176UocB1BGDTTwJAuNKurPFZzlEaeYHS3tetXAIh +AP/RStdc8DV/AtHZOF1/FF3fB/tS3d+vb2f0QsTbcl5f +-----END CERTIFICATE----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIG5Gt+KTDxw5cevzwL0Sfo2AJZNeVtu3GHSnpICvsSiBoAoGCCqGSM49 +AwEHoUQDQgAEnB4EDGQpuRi4xrOuLTfIZivipgzkwVNH8qnPU5Xulo4BRQcz3h7/ +Ly3K6eR0yJjbShTQmize96/YfMZN6htqZw== +-----END EC PRIVATE KEY----- +_EOF_ +KEY="${CERT}" + +eval "${GETPORT}" +launch_server $$ --echo --priority "NORMAL" --x509keyfile ${KEY} --x509certfile ${CERT} +PID=$! +wait_server ${PID} + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_VERY_WEAK --verify-hostname localhost --x509cafile "${CAFILE}" /dev/null || + fail ${PID} "expected connection to succeed (1)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LOW --verify-hostname localhost --x509cafile "${CAFILE}" /dev/null || + fail ${PID} "expected connection to succeed (2)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LEGACY --verify-hostname localhost --x509cafile "${CAFILE}" /dev/null || + fail ${PID} "expected connection to succeed (3)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_HIGH --verify-hostname localhost --x509cafile "${CAFILE}" /dev/null || + fail ${PID} "expected connection to succeed (4)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_ULTRA --verify-hostname localhost --x509cafile "${CAFILE}" /dev/null && + fail ${PID} "expected connection to fail (1)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_FUTURE --verify-hostname localhost --x509cafile "${CAFILE}" /dev/null && + fail ${PID} "expected connection to fail (2)" + +kill ${PID} +wait + + +echo "Testing with a 384 bit ECDSA key" + +cat >${CAFILE} <<_EOF_ +-----BEGIN CERTIFICATE----- +MIIBojCCASigAwIBAgIUFMelLI8WwXyoyKjZGXXXcLb4N1EwCgYIKoZIzj0EAwMw +DzENMAsGA1UEAxMEQ0EtMDAgFw0xOTA1MjAxMzA2MDNaGA85OTk5MTIzMTIzNTk1 +OVowDzENMAsGA1UEAxMEQ0EtMDB2MBAGByqGSM49AgEGBSuBBAAiA2IABNxXKt1I +dpBTxQ5oefACUoUgdEwLNkbrjMeEYbB1Wz9d5Uk9nJPjQOGx85ct3FysauMxzBGy +BKnBEYViamZiffXu3zzNlIZY+tCbc3MUqs6q60CuNIw4UjakKhgD6II2MKNDMEEw +DwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBQJ9QXM +rPF8/z2VviCfhSp2ezf1AjAKBggqhkjOPQQDAwNoADBlAjEA5nmuJqRQFLgHYnN5 +MRmMfT+TvkLL+MPBo9lK8cbFzweV/PdySLRKNylOH4y70UyzAjBk3kFH7KC1AGMz ++A87+Rx+7BHOIdKIp91wx8LhMIdbeX9yi3w6YRsjHoLxKtJ8FYE= +-----END CERTIFICATE----- +_EOF_ +cat >${CERT} <<_EOF_ +-----BEGIN CERTIFICATE----- +MIIB2DCCAWCgAwIBAgIUJiHZy9J/MQzCJPjaP3Zy+JTXHgowCgYIKoZIzj0EAwMw +DzENMAsGA1UEAxMEQ0EtMDAgFw0xOTA1MjAxMzA2MDNaGA85OTk5MTIzMTIzNTk1 +OVowEzERMA8GA1UEAxMIc2VydmVyLTEwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATP +agsLKT6MLGFsxWyBjDmyrfcAreBZtGDe9tS8jYItbM8y/ulvjCnwW/dwmVBe6UKX +n7WIJ7nxvp/j0k59TwpMxfpSn51NhiaViMQ4ZxA34qm+H3gUl8r1GC9I/EPTYe2j +dzB1MAwGA1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA8GA1UdDwEB +/wQFAwMHgAAwHQYDVR0OBBYEFO2V2sn+n3Kj0sA2leiLp/RQDmt/MB8GA1UdIwQY +MBaAFAn1Bcys8Xz/PZW+IJ+FKnZ7N/UCMAoGCCqGSM49BAMDA2YAMGMCL37ZZOM0 +fKI8jzlZRF64IOB/hVbvMD5WOMqFN/M8BjbPSywuRy9/JIq0KiFw3IKUAjAJZSsJ +fd8/9po81LJwyfUF/fTwPa7CNExb4BoDRtDDc7s/ciXI/13rxwkJnlAytwI= +-----END CERTIFICATE----- +-----BEGIN EC PRIVATE KEY----- +MIGlAgEBBDEAtrbWqGFyxd+qLlU0VHGvS5CpuAg0fPvODXzu8qHGREvxMYJL5d0I +YfU7emquAuq/oAcGBSuBBAAioWQDYgAEz2oLCyk+jCxhbMVsgYw5sq33AK3gWbRg +3vbUvI2CLWzPMv7pb4wp8Fv3cJlQXulCl5+1iCe58b6f49JOfU8KTMX6Up+dTYYm +lYjEOGcQN+Kpvh94FJfK9RgvSPxD02Ht +-----END EC PRIVATE KEY----- +_EOF_ +KEY="${CERT}" + +eval "${GETPORT}" +launch_server $$ --echo --priority "NORMAL" --x509keyfile ${KEY} --x509certfile ${CERT} +PID=$! +wait_server ${PID} + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_VERY_WEAK --verify-hostname localhost --x509cafile "${CAFILE}" /dev/null || + fail ${PID} "expected connection to succeed (1)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LOW --verify-hostname localhost --x509cafile "${CAFILE}" /dev/null || + fail ${PID} "expected connection to succeed (2)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LEGACY --verify-hostname localhost --x509cafile "${CAFILE}" /dev/null || + fail ${PID} "expected connection to succeed (3)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_HIGH --verify-hostname localhost --x509cafile "${CAFILE}" /dev/null || + fail ${PID} "expected connection to succeed (4)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_ULTRA --verify-hostname localhost --x509cafile "${CAFILE}" /dev/null || + fail ${PID} "expected connection to succeed (5)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_FUTURE --verify-hostname localhost --x509cafile "${CAFILE}" /dev/null && + fail ${PID} "expected connection to fail (1)" + +kill ${PID} +wait + +echo "Testing with a 521 bit ECDSA key" + +cat >${CAFILE} <<_EOF_ +-----BEGIN CERTIFICATE----- +MIIB7TCCAU6gAwIBAgIUW9MXlkeIARoHEeP+DmgMfSOh9xkwCgYIKoZIzj0EAwQw +DzENMAsGA1UEAxMEQ0EtMDAgFw0xOTA1MjAxMzE4MDVaGA85OTk5MTIzMTIzNTk1 +OVowDzENMAsGA1UEAxMEQ0EtMDCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEASRD +p6ArQF3bkC7rMzUo6RGle3LCDVkrVrcS0vMRKz6D436g/yO0+om5Xbny/z3Weo4x +E8dat+dQp2sHurso6ByhAbm08MqxKUqaU4G69xvTYTOSMljDtx/3upsF955J5/CT +/F8czPBR9jebQZOCXWI0clpFSTGTYFnqHVlyTTwCgd87o0MwQTAPBgNVHRMBAf8E +BTADAQH/MA8GA1UdDwEB/wQFAwMHBgAwHQYDVR0OBBYEFI2SeRAmyVkAAEabKWfy +SREfJqJfMAoGCCqGSM49BAMEA4GMADCBiAJCAc8sUwRR5Q5u52YSdaEiHgnWlNTJ +nP7ckTAiSCEmhp2L8wdvG2274oTjvw3gbUHLc310AAoIvUcZfaXB6zooIpl9AkIB +NK1JHzm60+USUDxJoQngtl8KdM9jR9UmjZ5hVhd/k5FeNYbb6Z+kuIasE4SlnJnd +VIEgdnjXtlI3n052VLjDKg4= +-----END CERTIFICATE----- +_EOF_ +cat >${CERT} <<_EOF_ +-----BEGIN CERTIFICATE----- +MIICJDCCAYagAwIBAgIUTNrzhsX4+TV92p8tYrrUclDsYsUwCgYIKoZIzj0EAwQw +DzENMAsGA1UEAxMEQ0EtMDAgFw0xOTA1MjAxMzE4MDVaGA85OTk5MTIzMTIzNTk1 +OVowEzERMA8GA1UEAxMIc2VydmVyLTEwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA +BAGAb9ToCqbQ8wImyiIN3Zf3T8WrwB/R28f0w8wq0W5a71FGayY0VU5exSBV7nnj +X8xFwUb+BpIVRQ4ZsryQCDDANACxXE3hwae59mqO9JhrTUQL7KyDaZ8W6KbACn8h +fYsOay/3ub0wdNdG8aJIcZzmrX1DNM0Jt/rW1d2nzuv6lZqCfqN3MHUwDAYDVR0T +AQH/BAIwADAUBgNVHREEDTALgglsb2NhbGhvc3QwDwYDVR0PAQH/BAUDAweAADAd +BgNVHQ4EFgQUv46ZnyF9oFn6yVCPl8WJ2InprhowHwYDVR0jBBgwFoAUjZJ5ECbJ +WQAARpspZ/JJER8mol8wCgYIKoZIzj0EAwQDgYsAMIGHAkIAh0/UdYPTSWmtTRNZ +d1VGCBW+Pw9aMkSTd8byWgle8+z1aQdZYQF46MHDuRC3zkooAYXPjbYCbLba5W/x +K1MVvfoCQThH3TCLj/Qci1788SNJ2bvN4bGe9m71cRhJWOXx5GRUHjvRJ5dttllq +dPzh992Fym1fGoyKne2xm172IG2LvTI0 +-----END CERTIFICATE----- +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIBZEu+h1ouDy17i0vGtm39PIrwWCGmjiQkCp1HnPSGod6SM2O3j4Mf +PH5pp8dPYx0LmHXTe+/P/oiIf128sSlsIGCgBwYFK4EEACOhgYkDgYYABAGAb9To +CqbQ8wImyiIN3Zf3T8WrwB/R28f0w8wq0W5a71FGayY0VU5exSBV7nnjX8xFwUb+ +BpIVRQ4ZsryQCDDANACxXE3hwae59mqO9JhrTUQL7KyDaZ8W6KbACn8hfYsOay/3 +ub0wdNdG8aJIcZzmrX1DNM0Jt/rW1d2nzuv6lZqCfg== +-----END EC PRIVATE KEY----- +_EOF_ +KEY="${CERT}" + +eval "${GETPORT}" +launch_server $$ --echo --priority "NORMAL" --x509keyfile ${KEY} --x509certfile ${CERT} +PID=$! +wait_server ${PID} + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_VERY_WEAK --verify-hostname localhost --x509cafile "${CAFILE}" /dev/null || + fail ${PID} "expected connection to succeed (1)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LOW --verify-hostname localhost --x509cafile "${CAFILE}" /dev/null || + fail ${PID} "expected connection to succeed (2)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LEGACY --verify-hostname localhost --x509cafile "${CAFILE}" /dev/null || + fail ${PID} "expected connection to succeed (3)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_HIGH --verify-hostname localhost --x509cafile "${CAFILE}" /dev/null || + fail ${PID} "expected connection to succeed (4)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_ULTRA --verify-hostname localhost --x509cafile "${CAFILE}" /dev/null || + fail ${PID} "expected connection to succeed (5)" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_FUTURE --verify-hostname localhost --x509cafile "${CAFILE}" /dev/null || + fail ${PID} "expected connection to succeed (6)" + +kill ${PID} +wait + +rm -f ${TMPFILE} ${CAFILE} ${CERT} + +exit 0 diff --git a/tests/suite/certs/create-chain.sh b/tests/suite/certs/create-chain.sh index 494a5d92e5..c616189e63 100755 --- a/tests/suite/certs/create-chain.sh +++ b/tests/suite/certs/create-chain.sh @@ -16,6 +16,11 @@ LAST=`expr ${NUM} - 1` rm -rf "${OUTPUT}" mkdir -p "${OUTPUT}" +#KEY_TYPE_ROOT="--key-type rsa-pss --bits 2048 --hash sha384 --salt-size 64" +KEY_TYPE_ROOT="--key-type ecdsa --curve secp521r1" +KEY_TYPE_SUBCA="--key-type rsa-pss --bits 2048 --hash sha256 --salt-size 64" +KEY_TYPE="--key-type ecdsa --curve secp521r1" + counter=0 while test ${counter} -lt ${NUM}; do if test ${counter} = ${LAST}; then @@ -25,7 +30,7 @@ while test ${counter} -lt ${NUM}; do fi if test ${counter} = 0; then - "${CERTTOOL}" --key-type rsa-pss --bits 2048 --hash sha256 --salt-size 64 --generate-privkey >"${OUTPUT}/${name}.key" 2>/dev/null + "${CERTTOOL}" ${KEY_TYPE} --generate-privkey >"${OUTPUT}/${name}.key" 2>/dev/null # ROOT CA echo "cn = ${name}" >"${TEMPLATE}" echo "ca" >>"${TEMPLATE}" @@ -40,7 +45,7 @@ while test ${counter} -lt ${NUM}; do "${OUTPUT}/${name}.crl" --template "${TEMPLATE}" 2>/dev/null else if test ${counter} = ${LAST}; then - "${CERTTOOL}" --key-type rsa --bits 2048 --generate-privkey >"${OUTPUT}/${name}.key" 2>/dev/null + "${CERTTOOL}" ${KEY_TYPE} --generate-privkey >"${OUTPUT}/${name}.key" 2>/dev/null # END certificate echo "cn = ${name}" >"${TEMPLATE}" echo "dns_name = localhost" >>"${TEMPLATE}" @@ -52,7 +57,7 @@ while test ${counter} -lt ${NUM}; do --load-ca-privkey "${OUTPUT}/${prev_name}.key" \ --outfile "${OUTPUT}/${name}.crt" --template "${TEMPLATE}" -d 4 #2>/dev/null else - "${CERTTOOL}" --key-type rsa-pss --bits 2048 --hash sha384 --salt-size 48 --generate-privkey >"${OUTPUT}/${name}.key" -d 4 #2>/dev/null + "${CERTTOOL}" ${KEY_TYPE_SUBCA} --generate-privkey >"${OUTPUT}/${name}.key" -d 4 #2>/dev/null # intermediate CA echo "cn = ${name}" >"${TEMPLATE}" echo "ca" >>"${TEMPLATE}" -- cgit v1.2.1