ssl-opt.sh: TLS 1.3 opaque key: Add test with unsuitable sig alg
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
parent
277cdcbcde
commit
50969e3af5
4 changed files with 51 additions and 13 deletions
|
@ -347,7 +347,8 @@ int main( void )
|
||||||
#define USAGE_KEY_OPAQUE_ALGS \
|
#define USAGE_KEY_OPAQUE_ALGS \
|
||||||
" key_opaque_algs=%%s Allowed opaque key algorithms.\n" \
|
" key_opaque_algs=%%s Allowed opaque key algorithms.\n" \
|
||||||
" comma-separated pair of values among the following:\n" \
|
" comma-separated pair of values among the following:\n" \
|
||||||
" rsa-sign-pkcs1, rsa-sign-pss, rsa-decrypt,\n" \
|
" rsa-sign-pkcs1, rsa-sign-pss, rsa-sign-pss-sha256,\n" \
|
||||||
|
" rsa-sign-pss-sha384, rsa-sign-pss-sha512, rsa-decrypt,\n" \
|
||||||
" ecdsa-sign, ecdh, none (only acceptable for\n" \
|
" ecdsa-sign, ecdh, none (only acceptable for\n" \
|
||||||
" the second value).\n" \
|
" the second value).\n" \
|
||||||
|
|
||||||
|
|
|
@ -460,12 +460,14 @@ int main( void )
|
||||||
#define USAGE_KEY_OPAQUE_ALGS \
|
#define USAGE_KEY_OPAQUE_ALGS \
|
||||||
" key_opaque_algs=%%s Allowed opaque key 1 algorithms.\n" \
|
" key_opaque_algs=%%s Allowed opaque key 1 algorithms.\n" \
|
||||||
" comma-separated pair of values among the following:\n" \
|
" comma-separated pair of values among the following:\n" \
|
||||||
" rsa-sign-pkcs1, rsa-sign-pss, rsa-decrypt,\n" \
|
" rsa-sign-pkcs1, rsa-sign-pss, rsa-sign-pss-sha256,\n" \
|
||||||
|
" rsa-sign-pss-sha384, rsa-sign-pss-sha512, rsa-decrypt,\n" \
|
||||||
" ecdsa-sign, ecdh, none (only acceptable for\n" \
|
" ecdsa-sign, ecdh, none (only acceptable for\n" \
|
||||||
" the second value).\n" \
|
" the second value).\n" \
|
||||||
" key_opaque_algs2=%%s Allowed opaque key 2 algorithms.\n" \
|
" key_opaque_algs2=%%s Allowed opaque key 2 algorithms.\n" \
|
||||||
" comma-separated pair of values among the following:\n" \
|
" comma-separated pair of values among the following:\n" \
|
||||||
" rsa-sign-pkcs1, rsa-sign-pss, rsa-decrypt,\n" \
|
" rsa-sign-pkcs1, rsa-sign-pss, rsa-sign-pss-sha256,\n" \
|
||||||
|
" rsa-sign-pss-sha384, rsa-sign-pss-sha512, rsa-decrypt,\n" \
|
||||||
" ecdsa-sign, ecdh, none (only acceptable for\n" \
|
" ecdsa-sign, ecdh, none (only acceptable for\n" \
|
||||||
" the second value).\n"
|
" the second value).\n"
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||||
|
|
|
@ -205,6 +205,9 @@ int key_opaque_alg_parse( const char *arg, const char **alg1, const char **alg2
|
||||||
|
|
||||||
if( strcmp( *alg1, "rsa-sign-pkcs1" ) != 0 &&
|
if( strcmp( *alg1, "rsa-sign-pkcs1" ) != 0 &&
|
||||||
strcmp( *alg1, "rsa-sign-pss" ) != 0 &&
|
strcmp( *alg1, "rsa-sign-pss" ) != 0 &&
|
||||||
|
strcmp( *alg1, "rsa-sign-pss-sha256" ) != 0 &&
|
||||||
|
strcmp( *alg1, "rsa-sign-pss-sha384" ) != 0 &&
|
||||||
|
strcmp( *alg1, "rsa-sign-pss-sha512" ) != 0 &&
|
||||||
strcmp( *alg1, "rsa-decrypt" ) != 0 &&
|
strcmp( *alg1, "rsa-decrypt" ) != 0 &&
|
||||||
strcmp( *alg1, "ecdsa-sign" ) != 0 &&
|
strcmp( *alg1, "ecdsa-sign" ) != 0 &&
|
||||||
strcmp( *alg1, "ecdh" ) != 0 )
|
strcmp( *alg1, "ecdh" ) != 0 )
|
||||||
|
@ -212,6 +215,9 @@ int key_opaque_alg_parse( const char *arg, const char **alg1, const char **alg2
|
||||||
|
|
||||||
if( strcmp( *alg2, "rsa-sign-pkcs1" ) != 0 &&
|
if( strcmp( *alg2, "rsa-sign-pkcs1" ) != 0 &&
|
||||||
strcmp( *alg2, "rsa-sign-pss" ) != 0 &&
|
strcmp( *alg2, "rsa-sign-pss" ) != 0 &&
|
||||||
|
strcmp( *alg1, "rsa-sign-pss-sha256" ) != 0 &&
|
||||||
|
strcmp( *alg1, "rsa-sign-pss-sha384" ) != 0 &&
|
||||||
|
strcmp( *alg1, "rsa-sign-pss-sha512" ) != 0 &&
|
||||||
strcmp( *alg2, "rsa-decrypt" ) != 0 &&
|
strcmp( *alg2, "rsa-decrypt" ) != 0 &&
|
||||||
strcmp( *alg2, "ecdsa-sign" ) != 0 &&
|
strcmp( *alg2, "ecdsa-sign" ) != 0 &&
|
||||||
strcmp( *alg2, "ecdh" ) != 0 &&
|
strcmp( *alg2, "ecdh" ) != 0 &&
|
||||||
|
@ -245,6 +251,21 @@ int key_opaque_set_alg_usage( const char *alg1, const char *alg2,
|
||||||
*psa_algs[i] = PSA_ALG_RSA_PSS( PSA_ALG_ANY_HASH );
|
*psa_algs[i] = PSA_ALG_RSA_PSS( PSA_ALG_ANY_HASH );
|
||||||
*usage |= PSA_KEY_USAGE_SIGN_HASH;
|
*usage |= PSA_KEY_USAGE_SIGN_HASH;
|
||||||
}
|
}
|
||||||
|
else if( strcmp( algs[i], "rsa-sign-pss-sha256" ) == 0 )
|
||||||
|
{
|
||||||
|
*psa_algs[i] = PSA_ALG_RSA_PSS( PSA_ALG_SHA_256 );
|
||||||
|
*usage |= PSA_KEY_USAGE_SIGN_HASH;
|
||||||
|
}
|
||||||
|
else if( strcmp( algs[i], "rsa-sign-pss-sha384" ) == 0 )
|
||||||
|
{
|
||||||
|
*psa_algs[i] = PSA_ALG_RSA_PSS( PSA_ALG_SHA_384 );
|
||||||
|
*usage |= PSA_KEY_USAGE_SIGN_HASH;
|
||||||
|
}
|
||||||
|
else if( strcmp( algs[i], "rsa-sign-pss-sha512" ) == 0 )
|
||||||
|
{
|
||||||
|
*psa_algs[i] = PSA_ALG_RSA_PSS( PSA_ALG_SHA_512 );
|
||||||
|
*usage |= PSA_KEY_USAGE_SIGN_HASH;
|
||||||
|
}
|
||||||
else if( strcmp( algs[i], "rsa-decrypt" ) == 0 )
|
else if( strcmp( algs[i], "rsa-decrypt" ) == 0 )
|
||||||
{
|
{
|
||||||
*psa_algs[i] = PSA_ALG_RSA_PKCS1V15_CRYPT;
|
*psa_algs[i] = PSA_ALG_RSA_PKCS1V15_CRYPT;
|
||||||
|
|
|
@ -2068,6 +2068,20 @@ run_test "TLS 1.3 opaque key: suitable algorithm found" \
|
||||||
-C "error" \
|
-C "error" \
|
||||||
-S "error" \
|
-S "error" \
|
||||||
|
|
||||||
|
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
||||||
|
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
|
||||||
|
requires_config_enabled MBEDTLS_RSA_C
|
||||||
|
run_test "TLS 1.3 opaque key: first client sig alg not suitable" \
|
||||||
|
"$P_SRV debug_level=4 force_version=tls13 auth_mode=required key_opaque=1 key_opaque_algs=rsa-sign-pss-sha512,none" \
|
||||||
|
"$P_CLI debug_level=4 sig_algs=rsa_pss_rsae_sha256,rsa_pss_rsae_sha512" \
|
||||||
|
0 \
|
||||||
|
-s "The SSL configuration is tls13 only" \
|
||||||
|
-s "key types: Opaque, Opaque" \
|
||||||
|
-s "CertificateVerify signature failed with rsa_pss_rsae_sha256" \
|
||||||
|
-s "CertificateVerify signature with rsa_pss_rsae_sha512" \
|
||||||
|
-C "error" \
|
||||||
|
-S "error" \
|
||||||
|
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
||||||
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
|
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
|
||||||
requires_config_enabled MBEDTLS_RSA_C
|
requires_config_enabled MBEDTLS_RSA_C
|
||||||
|
|
Loading…
Reference in a new issue