From 2094ea070a1fb6aa06b8e939e6cb735edc2c178b Mon Sep 17 00:00:00 2001 From: Rob Percival Date: Thu, 6 Apr 2017 13:21:27 +0100 Subject: [PATCH] Add SSL tests for certificates with embedded SCTs The only SSL tests prior to this tested using certificates with no embedded Signed Certificate Timestamps (SCTs), which meant they couldn't confirm whether Certificate Transparency checks in "strict" mode were working. These tests reveal a bug in the validation of SCT timestamps, which is fixed by the next commit. Reviewed-by: Rich Salz Reviewed-by: Andy Polyakov Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/3138) --- test/certs/embeddedSCTs1-key.pem | 15 +++ test/ssl-tests/12-ct.conf | 176 ++++++++++++++++++++----------- test/ssl-tests/12-ct.conf.in | 55 ++++++++-- 3 files changed, 178 insertions(+), 68 deletions(-) create mode 100644 test/certs/embeddedSCTs1-key.pem diff --git a/test/certs/embeddedSCTs1-key.pem b/test/certs/embeddedSCTs1-key.pem new file mode 100644 index 0000000000..e3e66d55c5 --- /dev/null +++ b/test/certs/embeddedSCTs1-key.pem 
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/BH634c4VyVui+A7k
+WL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWkEM2cW9tdSSdyba8X
+EPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWwFAn/Xdh+tQIDAQAB
+AoGAK/daG0vt6Fkqy/hdrtSJSKUVRoGRmS2nnba4Qzlwzh1+x2kdbMFuaOu2a37g
+PvmeQclheKZ3EG1+Jb4yShwLcBCV6pkRJhOKuhvqGnjngr6uBH4gMCjpZVj7GDMf
+flYHhdJCs3Cz/TY0wKN3o1Fldil2DHR/AEOc1nImeSp5/EUCQQDjKS3W957kYtTU
+X5BeRjvg03Ug8tJq6IFuhTFvUJ+XQ5bAc0DmxAbQVKqRS7Wje59zTknVvS+MFdeQ
+pz4dGuV7AkEA1y0X2yarIls+0A/S1uwkvwRTIkfS+QwFJ1zVya8sApRdKAcidIzA
+b70hkKLilU9+LrXg5iZdFp8l752qJiw9jwJAXjItN/7mfH4fExGto+or2kbVQxxt
+9LcFNPc2UJp2ExuL37HrL8YJrUnukOF8KJaSwBWuuFsC5GwKP4maUCdfEQJAUwBR
+83c3DEmmMRvpeH4erpA8gTyzZN3+HvDwhpvLnjMcvBQEdnDUykVqbSBnxrCjO+Fs
+n1qtDczWFVf8Cj2GgQJAQ14Awx32Cn9sF+3M+sEVtlAf6CqiEbkYeYdSCbsplMmZ
+1UoaxiwXY3z+B7epsRnnPR3KaceAlAxw2/zQJMFNOQ==
+-----END RSA PRIVATE KEY-----
diff --git a/test/ssl-tests/12-ct.conf b/test/ssl-tests/12-ct.conf
index 22fa18dd45..2e6e9dea67 100644
--- a/test/ssl-tests/12-ct.conf
+++ b/test/ssl-tests/12-ct.conf
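Review bot: The new `test/certs/embeddedSCTs1-key.pem` commits an RSA private key in the clear, and nothing in the file marks it as a test-only fixture. Judging by the encoded length it looks like a 1024-bit key, presumably because it has to pair with the existing `embeddedSCTs1.pem`, so the tests that load it only pass while the security level in effect accepts that size. A line of plain text above the `-----BEGIN RSA PRIVATE KEY-----` marker, for example `Test-only key for embeddedSCTs1.pem; publicly known, never use outside the test suite`, would document this and give secret scanners something to allowlist against. OpenSSL's PEM reader should skip text before the marker, but that is worth confirming with the test run.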
@@ -1,135 +1,191 @@ # Generated with generate_ssl_tests.pl -num_tests = 4 - -test-0 = 0-ct-permissive -test-1 = 1-ct-strict -test-2 = 2-ct-permissive-resumption -test-3 = 3-ct-strict-resumption +num_tests = 6 + +test-0 = 0-ct-permissive-without-scts +test-1 = 1-ct-permissive-with-scts +test-2 = 2-ct-strict-without-scts +test-3 = 3-ct-strict-with-scts +test-4 = 4-ct-permissive-resumption +test-5 = 5-ct-strict-resumption # =========================================================== -[0-ct-permissive] -ssl_conf = 0-ct-permissive-ssl +[0-ct-permissive-without-scts] +ssl_conf = 0-ct-permissive-without-scts-ssl -[0-ct-permissive-ssl] -server = 0-ct-permissive-server -client = 0-ct-permissive-client +[0-ct-permissive-without-scts-ssl] +server = 0-ct-permissive-without-scts-server +client = 0-ct-permissive-without-scts-client -[0-ct-permissive-server] +[0-ct-permissive-without-scts-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[0-ct-permissive-client] +[0-ct-permissive-without-scts-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-0] ExpectedResult = Success -client = 0-ct-permissive-client-extra +client = 0-ct-permissive-without-scts-client-extra + +[0-ct-permissive-without-scts-client-extra] +CTValidation = Permissive + + +# =========================================================== + +[1-ct-permissive-with-scts] +ssl_conf = 1-ct-permissive-with-scts-ssl + +[1-ct-permissive-with-scts-ssl] +server = 1-ct-permissive-with-scts-server +client = 1-ct-permissive-with-scts-client + +[1-ct-permissive-with-scts-server] +Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem + +[1-ct-permissive-with-scts-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem +VerifyMode = Peer + +[test-1] +ExpectedResult = Success 
+client = 1-ct-permissive-with-scts-client-extra -[0-ct-permissive-client-extra] +[1-ct-permissive-with-scts-client-extra] CTValidation = Permissive # =========================================================== -[1-ct-strict] -ssl_conf = 1-ct-strict-ssl +[2-ct-strict-without-scts] +ssl_conf = 2-ct-strict-without-scts-ssl -[1-ct-strict-ssl] -server = 1-ct-strict-server -client = 1-ct-strict-client +[2-ct-strict-without-scts-ssl] +server = 2-ct-strict-without-scts-server +client = 2-ct-strict-without-scts-client -[1-ct-strict-server] +[2-ct-strict-without-scts-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[1-ct-strict-client] +[2-ct-strict-without-scts-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-1] +[test-2] ExpectedClientAlert = HandshakeFailure ExpectedResult = ClientFail -client = 1-ct-strict-client-extra +client = 2-ct-strict-without-scts-client-extra -[1-ct-strict-client-extra] +[2-ct-strict-without-scts-client-extra] CTValidation = Strict # =========================================================== -[2-ct-permissive-resumption] -ssl_conf = 2-ct-permissive-resumption-ssl +[3-ct-strict-with-scts] +ssl_conf = 3-ct-strict-with-scts-ssl -[2-ct-permissive-resumption-ssl] -server = 2-ct-permissive-resumption-server -client = 2-ct-permissive-resumption-client -resume-server = 2-ct-permissive-resumption-server -resume-client = 2-ct-permissive-resumption-client +[3-ct-strict-with-scts-ssl] +server = 3-ct-strict-with-scts-server +client = 3-ct-strict-with-scts-client -[2-ct-permissive-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +[3-ct-strict-with-scts-server] +Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem -[2-ct-permissive-resumption-client] 
+[3-ct-strict-with-scts-client] CipherString = DEFAULT -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem VerifyMode = Peer -[test-2] +[test-3] +ExpectedResult = Success +client = 3-ct-strict-with-scts-client-extra + +[3-ct-strict-with-scts-client-extra] +CTValidation = Strict + + +# =========================================================== + +[4-ct-permissive-resumption] +ssl_conf = 4-ct-permissive-resumption-ssl + +[4-ct-permissive-resumption-ssl] +server = 4-ct-permissive-resumption-server +client = 4-ct-permissive-resumption-client +resume-server = 4-ct-permissive-resumption-server +resume-client = 4-ct-permissive-resumption-client + +[4-ct-permissive-resumption-server] +Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem + +[4-ct-permissive-resumption-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem +VerifyMode = Peer + +[test-4] ExpectedResult = Success HandshakeMode = Resume ResumptionExpected = Yes -client = 2-ct-permissive-resumption-client-extra -resume-client = 2-ct-permissive-resumption-client-extra +client = 4-ct-permissive-resumption-client-extra +resume-client = 4-ct-permissive-resumption-client-extra -[2-ct-permissive-resumption-client-extra] +[4-ct-permissive-resumption-client-extra] CTValidation = Permissive # =========================================================== -[3-ct-strict-resumption] -ssl_conf = 3-ct-strict-resumption-ssl +[5-ct-strict-resumption] +ssl_conf = 5-ct-strict-resumption-ssl -[3-ct-strict-resumption-ssl] -server = 3-ct-strict-resumption-server -client = 3-ct-strict-resumption-client -resume-server = 3-ct-strict-resumption-server -resume-client = 3-ct-strict-resumption-resume-client +[5-ct-strict-resumption-ssl] +server = 5-ct-strict-resumption-server +client = 5-ct-strict-resumption-client +resume-server = 
5-ct-strict-resumption-server +resume-client = 5-ct-strict-resumption-resume-client -[3-ct-strict-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +[5-ct-strict-resumption-server] +Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem -[3-ct-strict-resumption-client] +[5-ct-strict-resumption-client] CipherString = DEFAULT -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem VerifyMode = Peer -[3-ct-strict-resumption-resume-client] +[5-ct-strict-resumption-resume-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-3] +[test-5] ExpectedResult = Success HandshakeMode = Resume ResumptionExpected = Yes -client = 3-ct-strict-resumption-client-extra -resume-client = 3-ct-strict-resumption-resume-client-extra +client = 5-ct-strict-resumption-client-extra +resume-client = 5-ct-strict-resumption-resume-client-extra -[3-ct-strict-resumption-client-extra] -CTValidation = Permissive +[5-ct-strict-resumption-client-extra] +CTValidation = Strict -[3-ct-strict-resumption-resume-client-extra] +[5-ct-strict-resumption-resume-client-extra] CTValidation = Strict diff --git a/test/ssl-tests/12-ct.conf.in b/test/ssl-tests/12-ct.conf.in index c27e0911ff..7c0304995f 100644 --- a/test/ssl-tests/12-ct.conf.in +++ b/test/ssl-tests/12-ct.conf.in @@ -16,9 +16,8 @@ package ssltests; our @tests = ( - # Currently only have tests for certs without SCTs. { - name => "ct-permissive", + name => "ct-permissive-without-scts", server => { }, client => { extra => { 
@@ -28,9 +27,25 @@ our @tests = ( test => { "ExpectedResult" => "Success", }, - }, + }, { - name => "ct-strict", + name => "ct-permissive-with-scts", + server => { + "Certificate" => test_pem("embeddedSCTs1.pem"), + "PrivateKey" => test_pem("embeddedSCTs1-key.pem"), + }, + client => { + "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"), + extra => { + "CTValidation" => "Permissive", + }, + }, + test => { + "ExpectedResult" => "Success", + }, + }, + { + name => "ct-strict-without-scts", server => { }, client => { extra => { @@ -42,10 +57,30 @@ our @tests = ( "ExpectedClientAlert" => "HandshakeFailure", }, }, + { + name => "ct-strict-with-scts", + server => { + "Certificate" => test_pem("embeddedSCTs1.pem"), + "PrivateKey" => test_pem("embeddedSCTs1-key.pem"), + }, + client => { + "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"), + extra => { + "CTValidation" => "Strict", + }, + }, + test => { + "ExpectedResult" => "Success", + }, + }, { name => "ct-permissive-resumption", - server => { }, + server => { + "Certificate" => test_pem("embeddedSCTs1.pem"), + "PrivateKey" => test_pem("embeddedSCTs1-key.pem"), + }, client => { + "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"), extra => { "CTValidation" => "Permissive", }, @@ -55,13 +90,17 @@ our @tests = ( "ResumptionExpected" => "Yes", "ExpectedResult" => "Success", }, - }, + }, { name => "ct-strict-resumption", - server => { }, + server => { + "Certificate" => test_pem("embeddedSCTs1.pem"), + "PrivateKey" => test_pem("embeddedSCTs1-key.pem"), + }, client => { + "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"), extra => { - "CTValidation" => "Permissive", + "CTValidation" => "Strict", }, }, # SCTs are not present during resumption, so the resumption -- 2.25.1
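Review bot: The new `ct-strict-with-scts` entry asserts `"ExpectedResult" => "Success"`, but the commit message says these tests reveal an SCT timestamp validation bug that is only fixed by the next commit, so this case presumably fails at this revision. Landing the fix first, or squashing the two commits, would keep every revision passing for `git bisect`. The entry also carries no comment on what strict mode needs in order to succeed. Something like `# Strict mode passes only if an SCT embedded in embeddedSCTs1.pem validates against the CT log list the harness loads` above it would help whoever has to debug a later failure.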
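Review bot: In `ct-strict-resumption` the server and the initial client now use the `embeddedSCTs1` certificate and issuer, but the resume client is left on the default trust anchor. The regenerated `12-ct.conf` shows `[5-ct-strict-resumption-resume-client]` still has `VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem`. This presumably works only because the certificate chain is not re-verified on a resumed session, so the mismatch is silent until something forces a full handshake. Adding `"VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"),` to the resume client section would make the two clients consistent. That section starts after the trailing `# SCTs are not present during resumption` comment and lies outside this hunk.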