[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Sun Jan 15 00:24:42 UTC 2017
The branch master has been updated
via a470f02360b147fa73f94881ba96c367c593427f (commit)
via edb8a5eb54ee54452a410a6072c584ee94ed3ebb (commit)
via 7289ab49d1c04cd9065429f75be028d7439d8248 (commit)
via 7f5f35af223f9c1d641f46446f6bbf9d1493a9e6 (commit)
from 5071824321e1bbe20b859c1a3609ea5ab09fb3f2 (commit)
- Log -----------------------------------------------------------------
commit a470f02360b147fa73f94881ba96c367c593427f
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Fri Jan 13 17:41:48 2017 +0000
Add client cert type tests
Reviewed-by: Emilia Käsper <emilia at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2224)
commit edb8a5eb54ee54452a410a6072c584ee94ed3ebb
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Thu Jan 12 14:52:31 2017 +0000
Add certificate selection tests.
Add certifcate selection tests: the certificate type is selected by cipher
string and signature algorithm.
Reviewed-by: Emilia Käsper <emilia at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2224)
commit 7289ab49d1c04cd9065429f75be028d7439d8248
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Thu Jan 12 13:58:48 2017 +0000
add ECDSA test server certificate
Reviewed-by: Emilia Käsper <emilia at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2224)
commit 7f5f35af223f9c1d641f46446f6bbf9d1493a9e6
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Sun Jan 8 19:30:41 2017 +0000
Add options to check certificate types.
Reviewed-by: Emilia Käsper <emilia at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2224)
-----------------------------------------------------------------------
Summary of changes:
test/README.ssltest.md | 3 +
test/certs/server-ecdsa-cert.pem | 15 +++
test/certs/server-ecdsa-key.pem | 5 +
test/handshake_helper.c | 39 ++++++--
test/handshake_helper.h | 4 +
test/recipes/80-test_ssl_new.t | 3 +-
test/ssl-tests/04-client_auth.conf | 4 +
test/ssl-tests/04-client_auth.conf.in | 4 +-
test/ssl-tests/20-cert-select.conf | 167 ++++++++++++++++++++++++++++++++++
test/ssl-tests/20-cert-select.conf.in | 87 ++++++++++++++++++
test/ssl_test.c | 35 +++++--
test/ssl_test_ctx.c | 36 +++++++-
test/ssl_test_ctx.h | 4 +
13 files changed, 384 insertions(+), 22 deletions(-)
create mode 100644 test/certs/server-ecdsa-cert.pem
create mode 100644 test/certs/server-ecdsa-key.pem
create mode 100644 test/ssl-tests/20-cert-select.conf
create mode 100644 test/ssl-tests/20-cert-select.conf.in
diff --git a/test/README.ssltest.md b/test/README.ssltest.md
index c1edda5..1c4c482 100644
--- a/test/README.ssltest.md
+++ b/test/README.ssltest.md
@@ -89,6 +89,9 @@ handshake.
* ExpectedTmpKeyType - the expected algorithm or curve of server temp key
+* ExpectedServerCertType, ExpectedClientCertType - the expected algorithm or
+ curve of server or client certificate
+
## Configuring the client and server
The client and server configurations can be any valid `SSL_CTX`
diff --git a/test/certs/server-ecdsa-cert.pem b/test/certs/server-ecdsa-cert.pem
new file mode 100644
index 0000000..e61026b
--- /dev/null
+++ b/test/certs/server-ecdsa-cert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICYTCCAUmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE3MDExMjE0NDUwMVoYDzIxMTcwMTEzMTQ0NTAxWjAcMRowGAYDVQQD
+DBFTZXJ2ZXIgRUNEU0EgY2VydDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOI7
+NNxE483tJyIKT6KOQM5Zlfrigh12BEcHxnzpudgVHYA4aL5D5JulYGFzL0LQ5Q55
+GpCub1V2j+AhyBMKPQqjgYAwfjAdBgNVHQ4EFgQUSDzlr0Ayx22BljPtY6YRLTes
+qgwwHwYDVR0jBBgwFoAUcH8uroNoWZgEIyrN6z4XzSTdAUkwCQYDVR0TBAIwADAT
+BgNVHSUEDDAKBggrBgEFBQcDATAcBgNVHREEFTATghFTZXJ2ZXIgRUNEU0EgY2Vy
+dDANBgkqhkiG9w0BAQsFAAOCAQEAOJDgr1hRNuxW1D93yDWFwP1o2KuaI0BMZVFS
+6rzzLThCo3FeS6X7DCrBP699PCYcKeyMDmQwg9mVMABSZzox2GBO3hoqtnUXjsK3
+Qxh+4O5EmIXX4v8szdSBP14O2c5krAk4lbVWxLHE78NAc8dL94VORndyTcmaXUTn
+FQeBaRJjXto3okPvwYlczPS9sq0AhuBh5hwsLOYwpLf6/loPLjl40iwPQ+iqQ1EV
+m0Sac3o+0qI0cKiz4nXgd4NkFvV3G8lwd0Um8KSS/EFuZbgJNKKD6+1+90sibM4a
+Y/JiO6weK/VTlqCLn7zV9LcDT4gU18UCn85UV1XlVYKXZlaXYQ==
+-----END CERTIFICATE-----
diff --git a/test/certs/server-ecdsa-key.pem b/test/certs/server-ecdsa-key.pem
new file mode 100644
index 0000000..b4d075d
--- /dev/null
+++ b/test/certs/server-ecdsa-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgTI5Nzy/YCNpEuATr
+6jFtuZA5Vs15zbXOJU5EXl+JAe6hRANCAATiOzTcROPN7SciCk+ijkDOWZX64oId
+dgRHB8Z86bnYFR2AOGi+Q+SbpWBhcy9C0OUOeRqQrm9Vdo/gIcgTCj0K
+-----END PRIVATE KEY-----
diff --git a/test/handshake_helper.c b/test/handshake_helper.c
index 9ffd0bf..01a30c8 100644
--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@@ -847,6 +847,32 @@ static char *dup_str(const unsigned char *in, size_t len)
return ret;
}
+static int pkey_type(EVP_PKEY *pkey)
+{
+ int nid = EVP_PKEY_id(pkey);
+
+#ifndef OPENSSL_NO_EC
+ if (nid == EVP_PKEY_EC) {
+ const EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
+ return EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
+ }
+#endif
+ return nid;
+}
+
+static int peer_pkey_type(SSL *s)
+{
+ X509 *x = SSL_get_peer_certificate(s);
+
+ if (x != NULL) {
+ int nid = pkey_type(X509_get0_pubkey(x));
+
+ X509_free(x);
+ return nid;
+ }
+ return NID_undef;
+}
+
/*
* Note that |extra| points to the correct client/server configuration
* within |test_ctx|. When configuring the handshake, general mode settings
@@ -1040,18 +1066,13 @@ static HANDSHAKE_RESULT *do_handshake_internal(
*session_out = SSL_get1_session(client.ssl);
if (SSL_get_server_tmp_key(client.ssl, &tmp_key)) {
- int nid = EVP_PKEY_id(tmp_key);
-
-#ifndef OPENSSL_NO_EC
- if (nid == EVP_PKEY_EC) {
- EC_KEY *ec = EVP_PKEY_get0_EC_KEY(tmp_key);
- nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
- }
-#endif
+ ret->tmp_key_type = pkey_type(tmp_key);
EVP_PKEY_free(tmp_key);
- ret->tmp_key_type = nid;
}
+ ret->server_cert_type = peer_pkey_type(client.ssl);
+ ret->client_cert_type = peer_pkey_type(server.ssl);
+
ctx_data_free_data(&server_ctx_data);
ctx_data_free_data(&server2_ctx_data);
ctx_data_free_data(&client_ctx_data);
diff --git a/test/handshake_helper.h b/test/handshake_helper.h
index 4f70592..1cdd6fa 100644
--- a/test/handshake_helper.h
+++ b/test/handshake_helper.h
@@ -45,6 +45,10 @@ typedef struct handshake_result {
int server_resumed;
/* Temporary key type */
int tmp_key_type;
+ /* server certificate key type */
+ int server_cert_type;
+ /* client certificate key type */
+ int client_cert_type;
} HANDSHAKE_RESULT;
HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void);
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 08ee494..fd58d5e 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -29,7 +29,7 @@ map { s/\.in// } @conf_files;
# We hard-code the number of tests to double-check that the globbing above
# finds all files as expected.
-plan tests => 19; # = scalar @conf_srcs
+plan tests => 20; # = scalar @conf_srcs
# Some test results depend on the configuration of enabled protocols. We only
# verify generated sources in the default configuration.
@@ -80,6 +80,7 @@ my %skip = (
"16-dtls-certstatus.conf" => $no_dtls || $no_ocsp,
"18-dtls-renegotiate.conf" => $no_dtls,
"19-mac-then-encrypt.conf" => $no_pre_tls1_3,
+ "20-cert-select.conf" => $no_ec,
);
foreach my $conf (@conf_files) {
diff --git a/test/ssl-tests/04-client_auth.conf b/test/ssl-tests/04-client_auth.conf
index 0e91bed..5b725c7 100644
--- a/test/ssl-tests/04-client_auth.conf
+++ b/test/ssl-tests/04-client_auth.conf
@@ -119,6 +119,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-3]
+ExpectedClientCertType = RSA
ExpectedResult = Success
@@ -262,6 +263,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-8]
+ExpectedClientCertType = RSA
ExpectedResult = Success
@@ -409,6 +411,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-13]
+ExpectedClientCertType = RSA
ExpectedResult = Success
@@ -556,6 +559,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-18]
+ExpectedClientCertType = RSA
ExpectedResult = Success
diff --git a/test/ssl-tests/04-client_auth.conf.in b/test/ssl-tests/04-client_auth.conf.in
index cd3d42f..8738f90 100644
--- a/test/ssl-tests/04-client_auth.conf.in
+++ b/test/ssl-tests/04-client_auth.conf.in
@@ -96,7 +96,9 @@ sub generate_tests() {
"Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
"PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
},
- test => { "ExpectedResult" => "Success" },
+ test => { "ExpectedResult" => "Success",
+ "ExpectedClientCertType" => "RSA",
+ },
};
# Handshake with client authentication but without the root certificate.
diff --git a/test/ssl-tests/20-cert-select.conf b/test/ssl-tests/20-cert-select.conf
new file mode 100644
index 0000000..dbb339d
--- /dev/null
+++ b/test/ssl-tests/20-cert-select.conf
@@ -0,0 +1,167 @@
+# Generated with generate_ssl_tests.pl
+
+num_tests = 6
+
+test-0 = 0-ECDSA CipherString Selection
+test-1 = 1-RSA CipherString Selection
+test-2 = 2-ECDSA CipherString Selection, no ECDSA certificate
+test-3 = 3-ECDSA Signature Algorithm Selection
+test-4 = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate
+test-5 = 5-RSA Signature Algorithm Selection
+# ===========================================================
+
+[0-ECDSA CipherString Selection]
+ssl_conf = 0-ECDSA CipherString Selection-ssl
+
+[0-ECDSA CipherString Selection-ssl]
+server = 0-ECDSA CipherString Selection-server
+client = 0-ECDSA CipherString Selection-client
+
+[0-ECDSA CipherString Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[0-ECDSA CipherString Selection-client]
+CipherString = aECDSA
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-0]
+ExpectedResult = Success
+ExpectedServerCertType = P-256
+
+
+# ===========================================================
+
+[1-RSA CipherString Selection]
+ssl_conf = 1-RSA CipherString Selection-ssl
+
+[1-RSA CipherString Selection-ssl]
+server = 1-RSA CipherString Selection-server
+client = 1-RSA CipherString Selection-client
+
+[1-RSA CipherString Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[1-RSA CipherString Selection-client]
+CipherString = aRSA
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-1]
+ExpectedResult = Success
+ExpectedServerCertType = RSA
+
+
+# ===========================================================
+
+[2-ECDSA CipherString Selection, no ECDSA certificate]
+ssl_conf = 2-ECDSA CipherString Selection, no ECDSA certificate-ssl
+
+[2-ECDSA CipherString Selection, no ECDSA certificate-ssl]
+server = 2-ECDSA CipherString Selection, no ECDSA certificate-server
+client = 2-ECDSA CipherString Selection, no ECDSA certificate-client
+
+[2-ECDSA CipherString Selection, no ECDSA certificate-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[2-ECDSA CipherString Selection, no ECDSA certificate-client]
+CipherString = aECDSA
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-2]
+ExpectedResult = ServerFail
+
+
+# ===========================================================
+
+[3-ECDSA Signature Algorithm Selection]
+ssl_conf = 3-ECDSA Signature Algorithm Selection-ssl
+
+[3-ECDSA Signature Algorithm Selection-ssl]
+server = 3-ECDSA Signature Algorithm Selection-server
+client = 3-ECDSA Signature Algorithm Selection-client
+
+[3-ECDSA Signature Algorithm Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[3-ECDSA Signature Algorithm Selection-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-3]
+ExpectedResult = Success
+ExpectedServerCertType = P-256
+
+
+# ===========================================================
+
+[4-ECDSA Signature Algorithm Selection, no ECDSA certificate]
+ssl_conf = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl
+
+[4-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl]
+server = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate-server
+client = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate-client
+
+[4-ECDSA Signature Algorithm Selection, no ECDSA certificate-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[4-ECDSA Signature Algorithm Selection, no ECDSA certificate-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-4]
+ExpectedResult = ServerFail
+
+
+# ===========================================================
+
+[5-RSA Signature Algorithm Selection]
+ssl_conf = 5-RSA Signature Algorithm Selection-ssl
+
+[5-RSA Signature Algorithm Selection-ssl]
+server = 5-RSA Signature Algorithm Selection-server
+client = 5-RSA Signature Algorithm Selection-client
+
+[5-RSA Signature Algorithm Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[5-RSA Signature Algorithm Selection-client]
+CipherString = DEFAULT
+SignatureAlgorithms = RSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-5]
+ExpectedResult = Success
+ExpectedServerCertType = RSA
+
+
diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in
new file mode 100644
index 0000000..d348491
--- /dev/null
+++ b/test/ssl-tests/20-cert-select.conf.in
@@ -0,0 +1,87 @@
+# -*- mode: perl; -*-
+
+## SSL test configurations
+
+package ssltests;
+
+use strict;
+use warnings;
+
+use OpenSSL::Test;
+use OpenSSL::Test::Utils qw(anydisabled);
+
+my $dir_sep = $^O ne "VMS" ? "/" : "";
+
+my $server = {
+ "ECDSA.Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}server-ecdsa-cert.pem",
+ "ECDSA.PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}server-ecdsa-key.pem",
+ # TODO: add test cases for TLSv1.3
+ "MaxProtocol" => "TLSv1.2"
+};
+
+our @tests = (
+ {
+ name => "ECDSA CipherString Selection",
+ server => $server,
+ client => {
+ "CipherString" => "aECDSA",
+ },
+ test => {
+ "ExpectedServerCertType" =>, "P-256",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "RSA CipherString Selection",
+ server => $server,
+ client => {
+ "CipherString" => "aRSA",
+ },
+ test => {
+ "ExpectedServerCertType" =>, "RSA",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "ECDSA CipherString Selection, no ECDSA certificate",
+ server => { },
+ client => {
+ "CipherString" => "aECDSA"
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+ {
+ name => "ECDSA Signature Algorithm Selection",
+ server => $server,
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256",
+ },
+ test => {
+ "ExpectedServerCertType" =>, "P-256",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
+ server => { },
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+ {
+ name => "RSA Signature Algorithm Selection",
+ server => $server,
+ client => {
+ "SignatureAlgorithms" => "RSA+SHA256",
+ },
+ test => {
+ "ExpectedServerCertType" =>, "RSA",
+ "ExpectedResult" => "Success"
+ },
+ }
+);
diff --git a/test/ssl_test.c b/test/ssl_test.c
index 61850eb..0d0c35e 100644
--- a/test/ssl_test.c
+++ b/test/ssl_test.c
@@ -187,17 +187,38 @@ static int check_resumption(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
return 1;
}
-static int check_tmp_key(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
+static int check_key_type(const char *name, int expected_key_type, int key_type)
{
- if (test_ctx->expected_tmp_key_type == 0
- || test_ctx->expected_tmp_key_type == result->tmp_key_type)
+ if (expected_key_type == 0 || expected_key_type == key_type)
return 1;
- fprintf(stderr, "Tmp key type mismatch, %s vs %s\n",
- OBJ_nid2ln(test_ctx->expected_tmp_key_type),
- OBJ_nid2ln(result->tmp_key_type));
+ fprintf(stderr, "%s type mismatch, %s vs %s\n",
+ name, OBJ_nid2ln(expected_key_type),
+ key_type == NID_undef ? "absent" : OBJ_nid2ln(key_type));
return 0;
}
+static int check_tmp_key(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
+{
+ return check_key_type("Tmp key", test_ctx->expected_tmp_key_type,
+ result->tmp_key_type);
+}
+
+static int check_server_cert_type(HANDSHAKE_RESULT *result,
+ SSL_TEST_CTX *test_ctx)
+{
+ return check_key_type("Server certificate",
+ test_ctx->expected_server_cert_type,
+ result->server_cert_type);
+}
+
+static int check_client_cert_type(HANDSHAKE_RESULT *result,
+ SSL_TEST_CTX *test_ctx)
+{
+ return check_key_type("Client certificate",
+ test_ctx->expected_client_cert_type,
+ result->client_cert_type);
+}
+
/*
* This could be further simplified by constructing an expected
* HANDSHAKE_RESULT, and implementing comparison methods for
@@ -219,6 +240,8 @@ static int check_test(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
ret &= check_alpn(result, test_ctx);
ret &= check_resumption(result, test_ctx);
ret &= check_tmp_key(result, test_ctx);
+ ret &= check_server_cert_type(result, test_ctx);
+ ret &= check_client_cert_type(result, test_ctx);
}
return ret;
}
diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c
index 2c5ba1e..f8d5ecd 100644
--- a/test/ssl_test_ctx.c
+++ b/test/ssl_test_ctx.c
@@ -433,17 +433,21 @@ IMPLEMENT_SSL_TEST_INT_OPTION(SSL_TEST_CTX, test, app_data_size)
IMPLEMENT_SSL_TEST_INT_OPTION(SSL_TEST_CTX, test, max_fragment_size)
/***********************/
-/* ExpectedTmpKeyType */
+/* Expected key types */
/***********************/
-__owur static int parse_expected_tmp_key_type(SSL_TEST_CTX *test_ctx,
- const char *value)
+__owur static int parse_expected_key_type(int *ptype, const char *value)
{
int nid;
+ const EVP_PKEY_ASN1_METHOD *ameth;
if (value == NULL)
return 0;
- nid = OBJ_sn2nid(value);
+ ameth = EVP_PKEY_asn1_find_str(NULL, value, -1);
+ if (ameth != NULL)
+ EVP_PKEY_asn1_get0_info(&nid, NULL, NULL, NULL, NULL, ameth);
+ else
+ nid = OBJ_sn2nid(value);
if (nid == NID_undef)
nid = OBJ_ln2nid(value);
#ifndef OPENSSL_NO_EC
@@ -452,10 +456,30 @@ __owur static int parse_expected_tmp_key_type(SSL_TEST_CTX *test_ctx,
#endif
if (nid == NID_undef)
return 0;
- test_ctx->expected_tmp_key_type = nid;
+ *ptype = nid;
return 1;
}
+__owur static int parse_expected_tmp_key_type(SSL_TEST_CTX *test_ctx,
+ const char *value)
+{
+ return parse_expected_key_type(&test_ctx->expected_tmp_key_type, value);
+}
+
+__owur static int parse_expected_server_cert_type(SSL_TEST_CTX *test_ctx,
+ const char *value)
+{
+ return parse_expected_key_type(&test_ctx->expected_server_cert_type,
+ value);
+}
+
+__owur static int parse_expected_client_cert_type(SSL_TEST_CTX *test_ctx,
+ const char *value)
+{
+ return parse_expected_key_type(&test_ctx->expected_client_cert_type,
+ value);
+}
+
/*************************************************************/
/* Known test options and their corresponding parse methods. */
/*************************************************************/
@@ -481,6 +505,8 @@ static const ssl_test_ctx_option ssl_test_ctx_options[] = {
{ "ApplicationData", &parse_test_app_data_size },
{ "MaxFragmentSize", &parse_test_max_fragment_size },
{ "ExpectedTmpKeyType", &parse_expected_tmp_key_type },
+ { "ExpectedServerCertType", &parse_expected_server_cert_type },
+ { "ExpectedClientCertType", &parse_expected_client_cert_type },
};
/* Nested client options. */
diff --git a/test/ssl_test_ctx.h b/test/ssl_test_ctx.h
index 995d518..f67f01a 100644
--- a/test/ssl_test_ctx.h
+++ b/test/ssl_test_ctx.h
@@ -161,6 +161,10 @@ typedef struct {
int resumption_expected;
/* Expected temporary key type */
int expected_tmp_key_type;
+ /* Expected server certificate key type */
+ int expected_server_cert_type;
+ /* Expected client certificate key type */
+ int expected_client_cert_type;
} SSL_TEST_CTX;
const char *ssl_test_result_name(ssl_test_result_t result);
More information about the openssl-commits
mailing list