Bug 1325035 - Streamline session ticket key wrapping, r=ttaubert

Differential Revision: https://nss-review.dev.mozaws.net/D127
author: Martin Thomson <martin.thomson@gmail.com> 2017-01-26 06:41:37 +0900
committer: Martin Thomson <martin.thomson@gmail.com> 2017-01-26 06:41:37 +0900
commit: 1aaea1ef4ff9a9d5e77badd418b07060bb0e9de1 (patch)
tree: 740e79d5dc03ad0df0535b775a621d618fa1c569 /gtests/ssl_gtest/tls_connect.cc
parent: 4b6df262a3d4f54e4a1f631d1e4c8973e9b22d86 (diff)
download: nss-hg-1aaea1ef4ff9a9d5e77badd418b07060bb0e9de1.tar.gz
1 files changed, 19 insertions, 4 deletions
diff --git a/gtests/ssl_gtest/tls_connect.cc b/gtests/ssl_gtest/tls_connect.cc
index 2b122e5cb..dd50056db 100644
--- a/gtests/ssl_gtest/tls_connect.cc
+++ b/gtests/ssl_gtest/tls_connect.cc
@@ -13,6 +13,7 @@ extern "C" {
 
 #include "databuffer.h"
 #include "gtest_utils.h"
+#include "scoped_ptrs.h"
 #include "sslproto.h"
 
 extern std::string g_working_dir_path;
@@ -345,6 +346,13 @@ void TlsConnectTestBase::CheckKeys(SSLKEAType kea_type,
       scheme = ssl_sig_none;
       break;
     case ssl_auth_rsa_sign:
+      if (version_ >= SSL_LIBRARY_VERSION_TLS_1_2) {
+        scheme = ssl_sig_rsa_pss_sha256;
+      } else {
+        scheme = ssl_sig_rsa_pkcs1_sha256;
+      }
+      break;
+    case ssl_auth_rsa_pss:
       scheme = ssl_sig_rsa_pss_sha256;
       break;
     case ssl_auth_ecdsa:
@@ -390,6 +398,7 @@ void TlsConnectTestBase::ConnectExpectFailOneSide(TlsAgent::Role failing_side) {
 }
 
 void TlsConnectTestBase::ConfigureVersion(uint16_t version) {
+  version_ = version;
   client_->SetVersionRange(version, version);
   server_->SetVersionRange(version, version);
 }
@@ -440,10 +449,16 @@ void TlsConnectTestBase::ConfigureSessionCache(SessionResumptionMode client,
   client_->ConfigureSessionCache(client);
   server_->ConfigureSessionCache(server);
   if ((server & RESUME_TICKET) != 0) {
-    // This is an abomination.  NSS encrypts session tickets with the server's
-    // RSA public key.  That means we need the server to have an RSA certificate
-    // even if it won't be used for the connection.
-    server_->ConfigServerCert(TlsAgent::kServerRsaDecrypt);
+    ScopedCERTCertificate cert;
+    ScopedSECKEYPrivateKey privKey;
+    ASSERT_TRUE(TlsAgent::LoadCertificate(TlsAgent::kServerRsaDecrypt, &cert,
+                                          &privKey));
+
+    ScopedSECKEYPublicKey pubKey(CERT_ExtractPublicKey(cert.get()));
+    ASSERT_TRUE(pubKey);
+
+    EXPECT_EQ(SECSuccess,
+              SSL_SetSessionTicketKeyPair(pubKey.get(), privKey.get()));
   }
 }
author	Martin Thomson <martin.thomson@gmail.com>	2017-01-26 06:41:37 +0900
committer	Martin Thomson <martin.thomson@gmail.com>	2017-01-26 06:41:37 +0900
commit	1aaea1ef4ff9a9d5e77badd418b07060bb0e9de1 (patch)
tree	740e79d5dc03ad0df0535b775a621d618fa1c569 /gtests/ssl_gtest/tls_connect.cc
parent	4b6df262a3d4f54e4a1f631d1e4c8973e9b22d86 (diff)
download	nss-hg-1aaea1ef4ff9a9d5e77badd418b07060bb0e9de1.tar.gz