From e1e03f7e1d4258dda65d6258a04db60eb0b77f86 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 8 Aug 2017 10:56:17 +0200
Subject: tests: verify whether the RSA-PSS key is preferred on RSA-PSS sigs
Signed-off-by: Nikos Mavrogiannopoulos
---
 doc/credentials/x509/Makefile.am | 2 +-
 doc/credentials/x509/cert-rsa-pss.pem | 42 +++++-----
 doc/credentials/x509/key-rsa-pss.pem | 139 ++++++++++++++++++++++++++++++++++
 tests/server-multi-keys.sh | 28 ++++++-
 4 files changed, 183 insertions(+), 28 deletions(-)
 create mode 100644 doc/credentials/x509/key-rsa-pss.pem
diff --git a/doc/credentials/x509/Makefile.am b/doc/credentials/x509/Makefile.am
index 979b3f2bb6..3dcab1c540 100644
--- a/doc/credentials/x509/Makefile.am
+++ b/doc/credentials/x509/Makefile.am
@@ -1,3 +1,3 @@
 EXTRA_DIST = ca-key.pem ca.pem cert-rsa.pem key-rsa.pem clikey.pem clicert.pem \
 clicert-dsa.pem clikey-dsa.pem cert-dsa.pem key-dsa.pem cert-ecc.pem key-ecc.pem \
- cert-ecc-sign.pem
+ cert-ecc-sign.pem key-rsa-pss.pem
diff --git a/doc/credentials/x509/cert-rsa-pss.pem b/doc/credentials/x509/cert-rsa-pss.pem
index 8354a45d71..a1a876acb4 100644
--- a/doc/credentials/x509/cert-rsa-pss.pem
+++ b/doc/credentials/x509/cert-rsa-pss.pem
@@ -1,26 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIEUTCCAtmgAwIBAgIIWP3fgCMnlg4wPQYJKoZIhvcNAQEKMDCgDTALBglghkgB -ZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASAwGTEXMBUGA1UE -AxMOR251VExTIFRlc3QgQ0EwIBcNMTcwNDI0MTEyMDM1WhgPOTk5OTEyMzEyMzU5 -NTlaMDMxMTAvBgNVBAMTKEdudVRMUyBUZXN0IFNlcnZlciAoUlNBLVBTUyBjZXJ0 -aWZpY2F0ZSkwggGCMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZIAWUDBAIBoRowGAYJ -KoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgA4IBPwAwggE6AoIBMQC0ayeYJa/B -/x7KsH702LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdL -PL8WyZdVNRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2q -iITclg6ybBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4Fl -pVg7oc0lYpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFk -KZLyrXPlGQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5 -Jc8+G+3ro22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXl -djehKZ+Aeap1AgMBAAGjgZAwgY0wDwYDVR0TAQH/BAUwAwEB/zAUBgNVHREEDTAL -gglsb2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweg -ADAdBgNVHQ4EFgQUSCM0UwqJMThKWurKttKm3s4dKxgwHwYDVR0jBBgwFoAUTVa3 -agBY8WeS9KZ1VRuOUwED788wPQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGh -GjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASADggExAHk5sqHOGPZPGMHM -ZTseLwXOHmQUhd4B4dczk0F3Dd+/QI0EE3gn3Mm3Flhs4QeqV7oNtgjDjLTbmGzY -qz0kecBfN83JYT/WtTHQTXdHXc2QT8GD5kO9jgRcHcnNbA+B+JFhFU2JJoAO/GlS -LmqW+dYWZmBLZcYM7k3xebytPsik/cDVLqAC/TosubYcfRtXaELWKrXio750nw4f -YPIgvP2wavXZAP5nlZxua5CH/zfswQ+ztf6J1UKK5nk6yfAQp/zWm2wCv4OuwaAF -E4Kppl2/hj6IkMsCRKO3FrlLAPHDhBJWE/LFm7boRWM9CeBHTgQ2afq7Zz0Jl3Pn -IfQuo71L8sl4BXKAuChOl5XukPqKr7V+d+JiCHijNJoOjj+gR2bKTv14kKaP6+7u -+Pdg/c4= +MIIDWTCCAhGgAwIBAgIIWYl7hABP8u0wDQYJKoZIhvcNAQELBQAwGTEXMBUGA1UE +AxMOR251VExTIFRlc3QgQ0EwIBcNMTcwODA4MDg1MTE2WhgPOTk5OTEyMzEyMzU5 +NTlaMAAwggEgMAsGCSqGSIb3DQEBCgOCAQ8AMIIBCgKCAQEAndjwZ1p/m9BbCDGx +vn/yvqINoivwaCwrCQ94/ckTUhw+sE4n2MDU23tSxf/Ac8XMFUQg9M6W6RUGsG48 +W5gUs616kJVBRRtdQ7zQWsOfK4BxqN02Aq7RSAXy284sgdcP71nl9MR77/DDCdYk +UnWPu2N+mtnFfrPOT3TuAU6WZS38vCzz+qevnYFaAvvbU7th9cAEWDlaIPo7fQNx 
+8dC9ccVVk3nRaIitrFaLs3y0Y36eXDsLkR0g9qm6RjgHjVVWjhPPAb96SBj4LjMN +KgHRA6NtIUWB9tyyMrwcAaAp8hTZwFYjLS2tkJV0pYlfWvQSjl2I1swHrKNkheKX +R3L3eQIDAQABo4GNMIGKMAwGA1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJbG9jYWxo +b3N0MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdDwEB/wQFAwMHgAAwHQYDVR0O +BBYEFGp+ppXHKlMtWeuML0b98cYOIdspMB8GA1UdIwQYMBaAFE1Wt2oAWPFnkvSm +dVUbjlMBA+/PMA0GCSqGSIb3DQEBCwUAA4IBMQBiV5IoE/3e/YjP7FVyjXGzp8Kz +Zalj5fByCAMIwQ2oiWYsPYegNvJzUs42QMZ/AdCZdpXjTeFxPoN4T9pO+65ONGBL +X2mPCRu8oB2q9BPoOTV2ENVfLJHQa507ouZsC3/7NePZW+PlPM774Yxdhbhbj+4E +J2Onl7yQeHrXLgnbO8GzDHfjvG3Z6Zmrv80YcfGSXPtSr2vKMlXTc7yU+OD1s685 +JjiCtIw2o5UmewJO4QpPPD2wcqwIQCXcCR2bVFZhf0/6nhfNQSFEK4qhJbOr2EY8 +zesxVU2YWGCDKluoFxwEEHTpmpNUDmW8lYN3Dh8Qd2luKRQaGZUKc9Ve+M9iAzu6 +2FmF6uGPfI0eu13eIe/Mas4zvFgYB43U5wWUGgNrvRASN9cyqVBqDIcLeuLj -----END CERTIFICATE----- diff --git a/doc/credentials/x509/key-rsa-pss.pem b/doc/credentials/x509/key-rsa-pss.pem new file mode 100644 index 0000000000..7c69843234 --- /dev/null +++ b/doc/credentials/x509/key-rsa-pss.pem 
@@ -0,0 +1,139 @@ +Public Key Info: + Public Key Algorithm: RSA-PSS + Key Security Level: Medium (2048 bits) + +modulus: + 00:9d:d8:f0:67:5a:7f:9b:d0:5b:08:31:b1:be:7f:f2 + be:a2:0d:a2:2b:f0:68:2c:2b:09:0f:78:fd:c9:13:52 + 1c:3e:b0:4e:27:d8:c0:d4:db:7b:52:c5:ff:c0:73:c5 + cc:15:44:20:f4:ce:96:e9:15:06:b0:6e:3c:5b:98:14 + b3:ad:7a:90:95:41:45:1b:5d:43:bc:d0:5a:c3:9f:2b + 80:71:a8:dd:36:02:ae:d1:48:05:f2:db:ce:2c:81:d7 + 0f:ef:59:e5:f4:c4:7b:ef:f0:c3:09:d6:24:52:75:8f + bb:63:7e:9a:d9:c5:7e:b3:ce:4f:74:ee:01:4e:96:65 + 2d:fc:bc:2c:f3:fa:a7:af:9d:81:5a:02:fb:db:53:bb + 61:f5:c0:04:58:39:5a:20:fa:3b:7d:03:71:f1:d0:bd + 71:c5:55:93:79:d1:68:88:ad:ac:56:8b:b3:7c:b4:63 + 7e:9e:5c:3b:0b:91:1d:20:f6:a9:ba:46:38:07:8d:55 + 56:8e:13:cf:01:bf:7a:48:18:f8:2e:33:0d:2a:01:d1 + 03:a3:6d:21:45:81:f6:dc:b2:32:bc:1c:01:a0:29:f2 + 14:d9:c0:56:23:2d:2d:ad:90:95:74:a5:89:5f:5a:f4 + 12:8e:5d:88:d6:cc:07:ac:a3:64:85:e2:97:47:72:f7 + 79: + +public exponent: + 01:00:01: + +private exponent: + 02:9f:d5:0c:d2:47:9d:80:40:23:c7:45:bc:01:8c:ca + 9a:61:a4:00:ed:a7:fd:28:dc:27:61:e1:69:71:99:8a + 6b:9b:1d:4c:65:15:fd:16:46:f2:03:9c:82:b0:70:ed + b0:50:1c:8e:04:44:db:67:b4:8d:5f:74:f6:cc:be:2d + 5e:b9:40:fb:58:93:11:74:dd:c0:e8:6d:31:51:c8:f9 + 31:1c:dc:5e:ac:b1:3e:98:03:d9:97:00:9b:11:0b:23 + ed:a5:c7:f2:de:74:fe:57:14:cd:57:99:b6:5a:8a:f2 + f8:73:53:ce:d4:df:a7:95:dd:10:8a:71:30:7a:56:25 + 5b:7b:25:1c:f4:f6:a2:0a:71:d8:cb:80:f6:f7:26:80 + 78:f0:a2:86:e5:64:ec:19:15:5a:df:e3:71:99:d8:91 + b0:a2:aa:52:78:a2:4f:d1:57:8a:1a:b8:23:ac:74:65 + 91:a4:77:8c:13:59:f7:08:ff:2a:ae:29:91:6f:1a:de + 9c:4b:fe:c6:f0:03:1b:ea:6c:d7:1d:be:36:a8:96:75 + ef:ee:b3:b2:d8:37:31:c8:de:02:67:a4:97:24:65:a7 + f0:30:b9:48:26:c5:e5:49:e8:51:8e:48:dc:ab:dd:dc + 22:85:6c:6b:95:f7:3e:33:fa:0e:41:5c:c2:7d:d0:41 + + +prime1: + 00:b6:c2:1c:63:f6:2b:00:77:43:9f:d0:6b:3a:9d:05 + 85:d6:1d:6a:50:4d:d4:65:ea:c7:4a:3c:7a:e0:a3:b5 + 57:a1:de:78:7d:64:08:fb:ab:7c:58:26:2b:fc:b1:e2 + de:f2:4b:9c:18:b7:89:fd:cc:31:fe:90:45:67:c5:5b + 
24:4b:9a:74:a1:eb:14:92:f7:89:b7:61:05:7b:7b:e1 + 3e:a9:22:4f:5a:51:44:e8:ea:9b:27:f0:5b:f5:d1:60 + df:f5:f0:70:9c:ad:56:23:13:cd:45:52:70:5b:f0:83 + 4d:d9:91:71:19:c0:52:88:fb:47:9e:4b:74:0e:2c:c3 + 59: + +prime2: + 00:dd:1b:20:cf:08:51:40:65:42:2d:4e:6b:b2:af:6f + 49:c3:e5:8d:76:5f:3e:30:ef:71:ed:06:4f:2a:95:32 + f8:b3:ec:b0:8a:2b:5a:8f:a6:2e:35:ef:31:66:7a:a9 + 4c:2e:62:8e:5b:ab:23:54:47:60:a4:43:ba:f3:de:4b + 08:dc:8a:78:52:19:e9:f5:2d:df:b7:37:e2:d1:73:7d + 8b:b5:94:5a:51:d9:42:ad:fa:3c:ef:33:ad:ab:a8:6b + ce:07:0e:dc:4c:aa:12:2d:e7:e2:5d:6a:c7:90:6e:55 + bf:c6:6e:02:9b:99:d7:26:70:f2:da:73:dd:e8:1f:f1 + 21: + +coefficient: + 4b:33:76:ee:7c:57:77:e1:6b:c8:21:db:97:3b:76:c6 + 78:92:52:2c:10:4a:22:45:45:97:48:de:df:bc:b0:a4 + d2:eb:c8:2d:cc:f6:df:13:3b:69:79:ce:08:77:7c:bb + 40:32:f8:26:4f:66:7c:44:29:74:30:ed:a3:21:9b:a7 + a4:9f:6b:1e:b1:46:bf:67:9e:9a:15:a3:66:b2:7b:eb + 87:cc:bc:26:70:71:16:06:8e:6b:7a:ad:2f:64:62:ef + be:3f:fa:1a:e5:af:07:6b:5a:e4:e2:f8:f2:7e:4a:9c + 65:24:f8:08:78:ad:4c:92:d0:80:dc:10:50:f3:11:92 + + +exp1: + 00:a0:9a:fb:0a:19:95:f6:a5:d8:86:c4:48:c7:4c:a0 + 42:da:44:25:5e:86:d7:05:ed:89:cf:42:51:15:c2:a8 + 25:67:b9:b3:17:36:66:f2:8b:e4:0d:2f:16:6e:ce:00 + ba:be:21:15:ff:5e:a3:e4:a6:a2:b4:bc:22:52:2c:4c + 89:1b:eb:93:5d:8b:d2:1b:c9:6f:7b:f8:c6:31:9b:4e + f9:9a:f6:ec:d7:49:1e:0e:b5:c5:3e:16:eb:29:9e:23 + cd:0d:3b:8c:2b:13:e4:e3:94:8e:4a:c2:44:bd:77:22 + 5c:b2:bb:2e:b2:5b:a1:ec:81:2e:91:fc:6a:f3:de:00 + 99: + +exp2: + 00:83:02:7f:fe:2c:3f:78:98:87:0d:b1:59:bf:16:94 + 2a:71:18:a3:29:70:65:b9:39:27:97:fa:15:0e:76:39 + 2d:83:ee:ca:ec:13:a4:25:59:a2:27:f3:02:a2:66:2b + ca:27:f1:dd:c8:13:2f:6b:d0:9f:42:b5:9f:20:c0:a6 + 55:29:d8:22:53:03:67:cd:0e:d1:70:0e:7d:26:fd:f7 + 75:c0:b1:96:92:c8:d8:e9:9d:4c:5d:af:91:48:15:13 + 4b:90:83:0d:a5:9f:60:06:33:4f:bd:6a:77:b4:ec:ab + 82:66:60:e8:ca:a9:ed:01:aa:0b:3b:c5:4b:c7:2e:a6 + 01: + +Validation parameters: + Hash: SHA384 + Seed: b5a6fc31ca1b2310a2f1ecb6812d933873b64f2b995b893a48737c97fecbf6b7 + +Public Key 
PIN: + pin-sha256:NN1idWI1043ahir5N4qSOKf/6IXzP/X1Kj4Ki5Z97xo= +Public Key ID: + sha256:34dd62756235d38dda862af9378a9238a7ffe885f33ff5f52a3e0a8b967def1a + sha1:6a7ea695c72a532d59eb8c2f46fdf1c60e21db29 + +-----BEGIN PRIVATE KEY----- +MIIE/QIBADALBgkqhkiG9w0BAQoEggSoMIIEpAIBAAKCAQEAndjwZ1p/m9BbCDGx +vn/yvqINoivwaCwrCQ94/ckTUhw+sE4n2MDU23tSxf/Ac8XMFUQg9M6W6RUGsG48 +W5gUs616kJVBRRtdQ7zQWsOfK4BxqN02Aq7RSAXy284sgdcP71nl9MR77/DDCdYk +UnWPu2N+mtnFfrPOT3TuAU6WZS38vCzz+qevnYFaAvvbU7th9cAEWDlaIPo7fQNx +8dC9ccVVk3nRaIitrFaLs3y0Y36eXDsLkR0g9qm6RjgHjVVWjhPPAb96SBj4LjMN +KgHRA6NtIUWB9tyyMrwcAaAp8hTZwFYjLS2tkJV0pYlfWvQSjl2I1swHrKNkheKX +R3L3eQIDAQABAoIBAAKf1QzSR52AQCPHRbwBjMqaYaQA7af9KNwnYeFpcZmKa5sd +TGUV/RZG8gOcgrBw7bBQHI4ERNtntI1fdPbMvi1euUD7WJMRdN3A6G0xUcj5MRzc +XqyxPpgD2ZcAmxELI+2lx/LedP5XFM1XmbZaivL4c1PO1N+nld0QinEwelYlW3sl +HPT2ogpx2MuA9vcmgHjwooblZOwZFVrf43GZ2JGwoqpSeKJP0VeKGrgjrHRlkaR3 +jBNZ9wj/Kq4pkW8a3pxL/sbwAxvqbNcdvjaolnXv7rOy2DcxyN4CZ6SXJGWn8DC5 +SCbF5UnoUY5I3Kvd3CKFbGuV9z4z+g5BXMJ90EECgYEAtsIcY/YrAHdDn9BrOp0F +hdYdalBN1GXqx0o8euCjtVeh3nh9ZAj7q3xYJiv8seLe8kucGLeJ/cwx/pBFZ8Vb +JEuadKHrFJL3ibdhBXt74T6pIk9aUUTo6psn8Fv10WDf9fBwnK1WIxPNRVJwW/CD +TdmRcRnAUoj7R55LdA4sw1kCgYEA3RsgzwhRQGVCLU5rsq9vScPljXZfPjDvce0G +TyqVMviz7LCKK1qPpi417zFmeqlMLmKOW6sjVEdgpEO6895LCNyKeFIZ6fUt37c3 +4tFzfYu1lFpR2UKt+jzvM62rqGvOBw7cTKoSLefiXWrHkG5Vv8ZuApuZ1yZw8tpz +3egf8SECgYEAoJr7ChmV9qXYhsRIx0ygQtpEJV6G1wXtic9CURXCqCVnubMXNmby +i+QNLxZuzgC6viEV/16j5KaitLwiUixMiRvrk12L0hvJb3v4xjGbTvma9uzXSR4O +tcU+FuspniPNDTuMKxPk45SOSsJEvXciXLK7LrJboeyBLpH8avPeAJkCgYEAgwJ/ +/iw/eJiHDbFZvxaUKnEYoylwZbk5J5f6FQ52OS2D7srsE6QlWaIn8wKiZivKJ/Hd +yBMva9CfQrWfIMCmVSnYIlMDZ80O0XAOfSb993XAsZaSyNjpnUxdr5FIFRNLkIMN +pZ9gBjNPvWp3tOyrgmZg6Mqp7QGqCzvFS8cupgECgYBLM3bufFd34WvIIduXO3bG +eJJSLBBKIkVFl0je37ywpNLryC3M9t8TO2l5zgh3fLtAMvgmT2Z8RCl0MO2jIZun +pJ9rHrFGv2eemhWjZrJ764fMvCZwcRYGjmt6rS9kYu++P/oa5a8Ha1rk4vjyfkqc +ZST4CHitTJLQgNwQUPMRkqA/MD0GCisGAQQBkggSCAExLzAtBglghkgBZQMEAgIE +ILWm/DHKGyMQovHstoEtkzhztk8rmVuJOkhzfJf+y/a3 
+-----END PRIVATE KEY----- diff --git a/tests/server-multi-keys.sh b/tests/server-multi-keys.sh index ce04f8506f..25ab601a13 100755 --- a/tests/server-multi-keys.sh +++ b/tests/server-multi-keys.sh @@ -54,22 +54,44 @@ KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem KEY2=${srcdir}/../doc/credentials/x509/key-ecc.pem CERT2=${srcdir}/../doc/credentials/x509/cert-ecc.pem +KEY3=${srcdir}/../doc/credentials/x509/key-rsa-pss.pem +CERT3=${srcdir}/../doc/credentials/x509/cert-rsa-pss.pem CAFILE=${srcdir}/../doc/credentials/x509/ca.pem +TMPFILE=outcert.$$.tmp eval "${GETPORT}" launch_server $$ --echo --priority "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA" --x509keyfile ${KEY1} --x509certfile ${CERT1} \ - --x509keyfile ${KEY2} --x509certfile ${CERT2} + --x509keyfile ${KEY2} --x509certfile ${CERT2} --x509keyfile ${KEY3} --x509certfile ${CERT3} PID=$! wait_server ${PID} -timeout 1800 datefudge "2016-09-2" \ +timeout 1800 datefudge "2017-08-9" \ "${CLI}" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-KX-ALL:+ECDHE-RSA"