From: Rob Percival Date: Thu, 6 Apr 2017 12:21:27 +0000 (+0100) Subject: Add SSL tests for certificates with embedded SCTs X-Git-Tag: OpenSSL_1_1_0f~43 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=e23a4e98a90c448a196aede3edeb7802ed0da121;p=oweals%2Fopenssl.git Add SSL tests for certificates with embedded SCTs The only SSL tests prior to this tested using certificates with no embedded Signed Certificate Timestamps (SCTs), which meant they couldn't confirm whether Certificate Transparency checks in "strict" mode were working. These tests reveal a bug in the validation of SCT timestamps, which is fixed by the next commit. Reviewed-by: Rich Salz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/3260) --- diff --git a/test/certs/embeddedSCTs1-key.pem b/test/certs/embeddedSCTs1-key.pem new file mode 100644 index 0000000000..e3e66d55c5 --- /dev/null +++ b/test/certs/embeddedSCTs1-key.pem @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICWwIBAAKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/BH634c4VyVui+A7k +WL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWkEM2cW9tdSSdyba8X +EPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWwFAn/Xdh+tQIDAQAB +AoGAK/daG0vt6Fkqy/hdrtSJSKUVRoGRmS2nnba4Qzlwzh1+x2kdbMFuaOu2a37g +PvmeQclheKZ3EG1+Jb4yShwLcBCV6pkRJhOKuhvqGnjngr6uBH4gMCjpZVj7GDMf +flYHhdJCs3Cz/TY0wKN3o1Fldil2DHR/AEOc1nImeSp5/EUCQQDjKS3W957kYtTU +X5BeRjvg03Ug8tJq6IFuhTFvUJ+XQ5bAc0DmxAbQVKqRS7Wje59zTknVvS+MFdeQ +pz4dGuV7AkEA1y0X2yarIls+0A/S1uwkvwRTIkfS+QwFJ1zVya8sApRdKAcidIzA +b70hkKLilU9+LrXg5iZdFp8l752qJiw9jwJAXjItN/7mfH4fExGto+or2kbVQxxt +9LcFNPc2UJp2ExuL37HrL8YJrUnukOF8KJaSwBWuuFsC5GwKP4maUCdfEQJAUwBR +83c3DEmmMRvpeH4erpA8gTyzZN3+HvDwhpvLnjMcvBQEdnDUykVqbSBnxrCjO+Fs +n1qtDczWFVf8Cj2GgQJAQ14Awx32Cn9sF+3M+sEVtlAf6CqiEbkYeYdSCbsplMmZ +1UoaxiwXY3z+B7epsRnnPR3KaceAlAxw2/zQJMFNOQ== +-----END RSA PRIVATE KEY----- diff --git a/test/ssl-tests/12-ct.conf b/test/ssl-tests/12-ct.conf index 22fa18dd45..2e6e9dea67 100644 --- a/test/ssl-tests/12-ct.conf +++ b/test/ssl-tests/12-ct.conf @@ -1,135 +1,191 @@ # Generated with generate_ssl_tests.pl -num_tests = 4 - -test-0 = 0-ct-permissive -test-1 = 1-ct-strict -test-2 = 2-ct-permissive-resumption -test-3 = 3-ct-strict-resumption +num_tests = 6 + +test-0 = 0-ct-permissive-without-scts +test-1 = 1-ct-permissive-with-scts +test-2 = 2-ct-strict-without-scts +test-3 = 3-ct-strict-with-scts +test-4 = 4-ct-permissive-resumption +test-5 = 5-ct-strict-resumption # =========================================================== -[0-ct-permissive] -ssl_conf = 0-ct-permissive-ssl +[0-ct-permissive-without-scts] +ssl_conf = 0-ct-permissive-without-scts-ssl -[0-ct-permissive-ssl] -server = 0-ct-permissive-server -client = 0-ct-permissive-client +[0-ct-permissive-without-scts-ssl] +server = 0-ct-permissive-without-scts-server +client = 0-ct-permissive-without-scts-client -[0-ct-permissive-server] +[0-ct-permissive-without-scts-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[0-ct-permissive-client] +[0-ct-permissive-without-scts-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-0] ExpectedResult = Success -client = 0-ct-permissive-client-extra +client = 0-ct-permissive-without-scts-client-extra + +[0-ct-permissive-without-scts-client-extra] +CTValidation = Permissive + + +# =========================================================== + +[1-ct-permissive-with-scts] +ssl_conf = 1-ct-permissive-with-scts-ssl + +[1-ct-permissive-with-scts-ssl] +server = 1-ct-permissive-with-scts-server +client = 1-ct-permissive-with-scts-client + +[1-ct-permissive-with-scts-server] +Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem + +[1-ct-permissive-with-scts-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem +VerifyMode = Peer + +[test-1] +ExpectedResult = Success +client = 1-ct-permissive-with-scts-client-extra -[0-ct-permissive-client-extra] +[1-ct-permissive-with-scts-client-extra] CTValidation = Permissive # =========================================================== -[1-ct-strict] -ssl_conf = 1-ct-strict-ssl +[2-ct-strict-without-scts] +ssl_conf = 2-ct-strict-without-scts-ssl -[1-ct-strict-ssl] -server = 1-ct-strict-server -client = 1-ct-strict-client +[2-ct-strict-without-scts-ssl] +server = 2-ct-strict-without-scts-server +client = 2-ct-strict-without-scts-client -[1-ct-strict-server] +[2-ct-strict-without-scts-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[1-ct-strict-client] +[2-ct-strict-without-scts-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-1] +[test-2] ExpectedClientAlert = HandshakeFailure ExpectedResult = ClientFail -client = 1-ct-strict-client-extra +client = 2-ct-strict-without-scts-client-extra -[1-ct-strict-client-extra] +[2-ct-strict-without-scts-client-extra] CTValidation = Strict # =========================================================== -[2-ct-permissive-resumption] -ssl_conf = 2-ct-permissive-resumption-ssl +[3-ct-strict-with-scts] +ssl_conf = 3-ct-strict-with-scts-ssl -[2-ct-permissive-resumption-ssl] -server = 2-ct-permissive-resumption-server -client = 2-ct-permissive-resumption-client -resume-server = 2-ct-permissive-resumption-server -resume-client = 2-ct-permissive-resumption-client +[3-ct-strict-with-scts-ssl] +server = 3-ct-strict-with-scts-server +client = 3-ct-strict-with-scts-client -[2-ct-permissive-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +[3-ct-strict-with-scts-server] +Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem -[2-ct-permissive-resumption-client] +[3-ct-strict-with-scts-client] CipherString = DEFAULT -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem VerifyMode = Peer -[test-2] +[test-3] +ExpectedResult = Success +client = 3-ct-strict-with-scts-client-extra + +[3-ct-strict-with-scts-client-extra] +CTValidation = Strict + + +# =========================================================== + +[4-ct-permissive-resumption] +ssl_conf = 4-ct-permissive-resumption-ssl + +[4-ct-permissive-resumption-ssl] +server = 4-ct-permissive-resumption-server +client = 4-ct-permissive-resumption-client +resume-server = 4-ct-permissive-resumption-server +resume-client = 4-ct-permissive-resumption-client + +[4-ct-permissive-resumption-server] +Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem + +[4-ct-permissive-resumption-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem +VerifyMode = Peer + +[test-4] ExpectedResult = Success HandshakeMode = Resume ResumptionExpected = Yes -client = 2-ct-permissive-resumption-client-extra -resume-client = 2-ct-permissive-resumption-client-extra +client = 4-ct-permissive-resumption-client-extra +resume-client = 4-ct-permissive-resumption-client-extra -[2-ct-permissive-resumption-client-extra] +[4-ct-permissive-resumption-client-extra] CTValidation = Permissive # =========================================================== -[3-ct-strict-resumption] -ssl_conf = 3-ct-strict-resumption-ssl +[5-ct-strict-resumption] +ssl_conf = 5-ct-strict-resumption-ssl -[3-ct-strict-resumption-ssl] -server = 3-ct-strict-resumption-server -client = 3-ct-strict-resumption-client -resume-server = 3-ct-strict-resumption-server -resume-client = 3-ct-strict-resumption-resume-client +[5-ct-strict-resumption-ssl] +server = 5-ct-strict-resumption-server +client = 5-ct-strict-resumption-client +resume-server = 5-ct-strict-resumption-server +resume-client = 5-ct-strict-resumption-resume-client -[3-ct-strict-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +[5-ct-strict-resumption-server] +Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem -[3-ct-strict-resumption-client] +[5-ct-strict-resumption-client] CipherString = DEFAULT -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem VerifyMode = Peer -[3-ct-strict-resumption-resume-client] +[5-ct-strict-resumption-resume-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-3] +[test-5] ExpectedResult = Success HandshakeMode = Resume ResumptionExpected = Yes -client = 3-ct-strict-resumption-client-extra -resume-client = 3-ct-strict-resumption-resume-client-extra +client = 5-ct-strict-resumption-client-extra +resume-client = 5-ct-strict-resumption-resume-client-extra -[3-ct-strict-resumption-client-extra] -CTValidation = Permissive +[5-ct-strict-resumption-client-extra] +CTValidation = Strict -[3-ct-strict-resumption-resume-client-extra] +[5-ct-strict-resumption-resume-client-extra] CTValidation = Strict diff --git a/test/ssl-tests/12-ct.conf.in b/test/ssl-tests/12-ct.conf.in index 9964d013c2..7c0304995f 100644 --- a/test/ssl-tests/12-ct.conf.in +++ b/test/ssl-tests/12-ct.conf.in @@ -16,65 +16,104 @@ package ssltests; our @tests = ( - # Currently only have tests for certs without SCTs. { - name => "ct-permissive", - server => { }, - client => { - extra => { - "CTValidation" => "Permissive", - }, - }, - test => { - "ExpectedResult" => "Success", - }, - }, + name => "ct-permissive-without-scts", + server => { }, + client => { + extra => { + "CTValidation" => "Permissive", + }, + }, + test => { + "ExpectedResult" => "Success", + }, + }, + { + name => "ct-permissive-with-scts", + server => { + "Certificate" => test_pem("embeddedSCTs1.pem"), + "PrivateKey" => test_pem("embeddedSCTs1-key.pem"), + }, + client => { + "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"), + extra => { + "CTValidation" => "Permissive", + }, + }, + test => { + "ExpectedResult" => "Success", + }, + }, { - name => "ct-strict", - server => { }, - client => { - extra => { - "CTValidation" => "Strict", - }, - }, - test => { - "ExpectedResult" => "ClientFail", - "ExpectedClientAlert" => "HandshakeFailure", - }, + name => "ct-strict-without-scts", + server => { }, + client => { + extra => { + "CTValidation" => "Strict", + }, + }, + test => { + "ExpectedResult" => "ClientFail", + "ExpectedClientAlert" => "HandshakeFailure", + }, }, { - name => "ct-permissive-resumption", - server => { }, - client => { - extra => { - "CTValidation" => "Permissive", - }, - }, - test => { - "HandshakeMode" => "Resume", - "ResumptionExpected" => "Yes", - "ExpectedResult" => "Success", - }, - }, + name => "ct-strict-with-scts", + server => { + "Certificate" => test_pem("embeddedSCTs1.pem"), + "PrivateKey" => test_pem("embeddedSCTs1-key.pem"), + }, + client => { + "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"), + extra => { + "CTValidation" => "Strict", + }, + }, + test => { + "ExpectedResult" => "Success", + }, + }, + { + name => "ct-permissive-resumption", + server => { + "Certificate" => test_pem("embeddedSCTs1.pem"), + "PrivateKey" => test_pem("embeddedSCTs1-key.pem"), + }, + client => { + "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"), + extra => { + "CTValidation" => "Permissive", + }, + }, + test => { + "HandshakeMode" => "Resume", + "ResumptionExpected" => "Yes", + "ExpectedResult" => "Success", + }, + }, { - name => "ct-strict-resumption", - server => { }, - client => { - extra => { - "CTValidation" => "Permissive", - }, - }, - # SCTs are not present during resumption, so the resumption - # should succeed. - resume_client => { - extra => { - "CTValidation" => "Strict", - }, - }, - test => { - "HandshakeMode" => "Resume", - "ResumptionExpected" => "Yes", - "ExpectedResult" => "Success", - }, + name => "ct-strict-resumption", + server => { + "Certificate" => test_pem("embeddedSCTs1.pem"), + "PrivateKey" => test_pem("embeddedSCTs1-key.pem"), + }, + client => { + "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"), + extra => { + "CTValidation" => "Strict", + }, + }, + # SCTs are not present during resumption, so the resumption + # should succeed. + resume_client => { + extra => { + "CTValidation" => "Strict", + }, + }, + test => { + "HandshakeMode" => "Resume", + "ResumptionExpected" => "Yes", + "ExpectedResult" => "Success", + }, }, );