From e23a4e98a90c448a196aede3edeb7802ed0da121 Mon Sep 17 00:00:00 2001 From: Rob Percival Date: Thu, 6 Apr 2017 13:21:27 +0100 Subject: [PATCH] Add SSL tests for certificates with embedded SCTs The only SSL tests prior to this tested using certificates with no embedded Signed Certificate Timestamps (SCTs), which meant they couldn't confirm whether Certificate Transparency checks in "strict" mode were working. These tests reveal a bug in the validation of SCT timestamps, which is fixed by the next commit. Reviewed-by: Rich Salz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/3260) --- test/certs/embeddedSCTs1-key.pem | 15 +++ test/ssl-tests/12-ct.conf | 176 ++++++++++++++++++++----------- test/ssl-tests/12-ct.conf.in | 149 ++++++++++++++++---------- 3 files changed, 225 insertions(+), 115 deletions(-) create mode 100644 test/certs/embeddedSCTs1-key.pem diff --git a/test/certs/embeddedSCTs1-key.pem b/test/certs/embeddedSCTs1-key.pem new file mode 100644 index 0000000000..e3e66d55c5 --- /dev/null +++ b/test/certs/embeddedSCTs1-key.pem @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICWwIBAAKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/BH634c4VyVui+A7k +WL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWkEM2cW9tdSSdyba8X +EPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWwFAn/Xdh+tQIDAQAB +AoGAK/daG0vt6Fkqy/hdrtSJSKUVRoGRmS2nnba4Qzlwzh1+x2kdbMFuaOu2a37g +PvmeQclheKZ3EG1+Jb4yShwLcBCV6pkRJhOKuhvqGnjngr6uBH4gMCjpZVj7GDMf +flYHhdJCs3Cz/TY0wKN3o1Fldil2DHR/AEOc1nImeSp5/EUCQQDjKS3W957kYtTU +X5BeRjvg03Ug8tJq6IFuhTFvUJ+XQ5bAc0DmxAbQVKqRS7Wje59zTknVvS+MFdeQ +pz4dGuV7AkEA1y0X2yarIls+0A/S1uwkvwRTIkfS+QwFJ1zVya8sApRdKAcidIzA +b70hkKLilU9+LrXg5iZdFp8l752qJiw9jwJAXjItN/7mfH4fExGto+or2kbVQxxt +9LcFNPc2UJp2ExuL37HrL8YJrUnukOF8KJaSwBWuuFsC5GwKP4maUCdfEQJAUwBR +83c3DEmmMRvpeH4erpA8gTyzZN3+HvDwhpvLnjMcvBQEdnDUykVqbSBnxrCjO+Fs +n1qtDczWFVf8Cj2GgQJAQ14Awx32Cn9sF+3M+sEVtlAf6CqiEbkYeYdSCbsplMmZ +1UoaxiwXY3z+B7epsRnnPR3KaceAlAxw2/zQJMFNOQ== +-----END RSA PRIVATE KEY----- diff --git a/test/ssl-tests/12-ct.conf b/test/ssl-tests/12-ct.conf index 22fa18dd45..2e6e9dea67 100644 --- a/test/ssl-tests/12-ct.conf +++ b/test/ssl-tests/12-ct.conf @@ -1,135 +1,191 @@ # Generated with generate_ssl_tests.pl -num_tests = 4 - -test-0 = 0-ct-permissive -test-1 = 1-ct-strict -test-2 = 2-ct-permissive-resumption -test-3 = 3-ct-strict-resumption +num_tests = 6 + +test-0 = 0-ct-permissive-without-scts +test-1 = 1-ct-permissive-with-scts +test-2 = 2-ct-strict-without-scts +test-3 = 3-ct-strict-with-scts +test-4 = 4-ct-permissive-resumption +test-5 = 5-ct-strict-resumption # =========================================================== -[0-ct-permissive] -ssl_conf = 0-ct-permissive-ssl +[0-ct-permissive-without-scts] +ssl_conf = 0-ct-permissive-without-scts-ssl -[0-ct-permissive-ssl] -server = 0-ct-permissive-server -client = 0-ct-permissive-client +[0-ct-permissive-without-scts-ssl] +server = 0-ct-permissive-without-scts-server +client = 0-ct-permissive-without-scts-client -[0-ct-permissive-server] +[0-ct-permissive-without-scts-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[0-ct-permissive-client] +[0-ct-permissive-without-scts-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-0] ExpectedResult = Success -client = 0-ct-permissive-client-extra +client = 0-ct-permissive-without-scts-client-extra + +[0-ct-permissive-without-scts-client-extra] +CTValidation = Permissive + + +# =========================================================== + +[1-ct-permissive-with-scts] +ssl_conf = 1-ct-permissive-with-scts-ssl + +[1-ct-permissive-with-scts-ssl] +server = 1-ct-permissive-with-scts-server +client = 1-ct-permissive-with-scts-client + +[1-ct-permissive-with-scts-server] +Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem + +[1-ct-permissive-with-scts-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem +VerifyMode = Peer + +[test-1] +ExpectedResult = Success +client = 1-ct-permissive-with-scts-client-extra -[0-ct-permissive-client-extra] +[1-ct-permissive-with-scts-client-extra] CTValidation = Permissive # =========================================================== -[1-ct-strict] -ssl_conf = 1-ct-strict-ssl +[2-ct-strict-without-scts] +ssl_conf = 2-ct-strict-without-scts-ssl -[1-ct-strict-ssl] -server = 1-ct-strict-server -client = 1-ct-strict-client +[2-ct-strict-without-scts-ssl] +server = 2-ct-strict-without-scts-server +client = 2-ct-strict-without-scts-client -[1-ct-strict-server] +[2-ct-strict-without-scts-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[1-ct-strict-client] +[2-ct-strict-without-scts-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-1] +[test-2] ExpectedClientAlert = HandshakeFailure ExpectedResult = ClientFail -client = 1-ct-strict-client-extra +client = 2-ct-strict-without-scts-client-extra -[1-ct-strict-client-extra] +[2-ct-strict-without-scts-client-extra] CTValidation = Strict # =========================================================== -[2-ct-permissive-resumption] -ssl_conf = 2-ct-permissive-resumption-ssl +[3-ct-strict-with-scts] +ssl_conf = 3-ct-strict-with-scts-ssl -[2-ct-permissive-resumption-ssl] -server = 2-ct-permissive-resumption-server -client = 2-ct-permissive-resumption-client -resume-server = 2-ct-permissive-resumption-server -resume-client = 2-ct-permissive-resumption-client +[3-ct-strict-with-scts-ssl] +server = 3-ct-strict-with-scts-server +client = 3-ct-strict-with-scts-client -[2-ct-permissive-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +[3-ct-strict-with-scts-server] +Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem -[2-ct-permissive-resumption-client] +[3-ct-strict-with-scts-client] CipherString = DEFAULT -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem VerifyMode = Peer -[test-2] +[test-3] +ExpectedResult = Success +client = 3-ct-strict-with-scts-client-extra + +[3-ct-strict-with-scts-client-extra] +CTValidation = Strict + + +# =========================================================== + +[4-ct-permissive-resumption] +ssl_conf = 4-ct-permissive-resumption-ssl + +[4-ct-permissive-resumption-ssl] +server = 4-ct-permissive-resumption-server +client = 4-ct-permissive-resumption-client +resume-server = 4-ct-permissive-resumption-server +resume-client = 4-ct-permissive-resumption-client + +[4-ct-permissive-resumption-server] +Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem + +[4-ct-permissive-resumption-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem +VerifyMode = Peer + +[test-4] ExpectedResult = Success HandshakeMode = Resume ResumptionExpected = Yes -client = 2-ct-permissive-resumption-client-extra -resume-client = 2-ct-permissive-resumption-client-extra +client = 4-ct-permissive-resumption-client-extra +resume-client = 4-ct-permissive-resumption-client-extra -[2-ct-permissive-resumption-client-extra] +[4-ct-permissive-resumption-client-extra] CTValidation = Permissive # =========================================================== -[3-ct-strict-resumption] -ssl_conf = 3-ct-strict-resumption-ssl +[5-ct-strict-resumption] +ssl_conf = 5-ct-strict-resumption-ssl -[3-ct-strict-resumption-ssl] -server = 3-ct-strict-resumption-server -client = 3-ct-strict-resumption-client -resume-server = 3-ct-strict-resumption-server -resume-client = 3-ct-strict-resumption-resume-client +[5-ct-strict-resumption-ssl] +server = 5-ct-strict-resumption-server +client = 5-ct-strict-resumption-client +resume-server = 5-ct-strict-resumption-server +resume-client = 5-ct-strict-resumption-resume-client -[3-ct-strict-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +[5-ct-strict-resumption-server] +Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem -[3-ct-strict-resumption-client] +[5-ct-strict-resumption-client] CipherString = DEFAULT -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem VerifyMode = Peer -[3-ct-strict-resumption-resume-client] +[5-ct-strict-resumption-resume-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-3] +[test-5] ExpectedResult = Success HandshakeMode = Resume ResumptionExpected = Yes -client = 3-ct-strict-resumption-client-extra -resume-client = 3-ct-strict-resumption-resume-client-extra +client = 5-ct-strict-resumption-client-extra +resume-client = 5-ct-strict-resumption-resume-client-extra -[3-ct-strict-resumption-client-extra] -CTValidation = Permissive +[5-ct-strict-resumption-client-extra] +CTValidation = Strict -[3-ct-strict-resumption-resume-client-extra] +[5-ct-strict-resumption-resume-client-extra] CTValidation = Strict diff --git a/test/ssl-tests/12-ct.conf.in b/test/ssl-tests/12-ct.conf.in index 9964d013c2..7c0304995f 100644 --- a/test/ssl-tests/12-ct.conf.in +++ b/test/ssl-tests/12-ct.conf.in @@ -16,65 +16,104 @@ package ssltests; our @tests = ( - # Currently only have tests for certs without SCTs. { - name => "ct-permissive", - server => { }, - client => { - extra => { - "CTValidation" => "Permissive", - }, - }, - test => { - "ExpectedResult" => "Success", - }, - }, + name => "ct-permissive-without-scts", + server => { }, + client => { + extra => { + "CTValidation" => "Permissive", + }, + }, + test => { + "ExpectedResult" => "Success", + }, + }, + { + name => "ct-permissive-with-scts", + server => { + "Certificate" => test_pem("embeddedSCTs1.pem"), + "PrivateKey" => test_pem("embeddedSCTs1-key.pem"), + }, + client => { + "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"), + extra => { + "CTValidation" => "Permissive", + }, + }, + test => { + "ExpectedResult" => "Success", + }, + }, { - name => "ct-strict", - server => { }, - client => { - extra => { - "CTValidation" => "Strict", - }, - }, - test => { - "ExpectedResult" => "ClientFail", - "ExpectedClientAlert" => "HandshakeFailure", - }, + name => "ct-strict-without-scts", + server => { }, + client => { + extra => { + "CTValidation" => "Strict", + }, + }, + test => { + "ExpectedResult" => "ClientFail", + "ExpectedClientAlert" => "HandshakeFailure", + }, }, { - name => "ct-permissive-resumption", - server => { }, - client => { - extra => { - "CTValidation" => "Permissive", - }, - }, - test => { - "HandshakeMode" => "Resume", - "ResumptionExpected" => "Yes", - "ExpectedResult" => "Success", - }, - }, + name => "ct-strict-with-scts", + server => { + "Certificate" => test_pem("embeddedSCTs1.pem"), + "PrivateKey" => test_pem("embeddedSCTs1-key.pem"), + }, + client => { + "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"), + extra => { + "CTValidation" => "Strict", + }, + }, + test => { + "ExpectedResult" => "Success", + }, + }, + { + name => "ct-permissive-resumption", + server => { + "Certificate" => test_pem("embeddedSCTs1.pem"), + "PrivateKey" => test_pem("embeddedSCTs1-key.pem"), + }, + client => { + "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"), + extra => { + "CTValidation" => "Permissive", + }, + }, + test => { + "HandshakeMode" => "Resume", + "ResumptionExpected" => "Yes", + "ExpectedResult" => "Success", + }, + }, { - name => "ct-strict-resumption", - server => { }, - client => { - extra => { - "CTValidation" => "Permissive", - }, - }, - # SCTs are not present during resumption, so the resumption - # should succeed. - resume_client => { - extra => { - "CTValidation" => "Strict", - }, - }, - test => { - "HandshakeMode" => "Resume", - "ResumptionExpected" => "Yes", - "ExpectedResult" => "Success", - }, + name => "ct-strict-resumption", + server => { + "Certificate" => test_pem("embeddedSCTs1.pem"), + "PrivateKey" => test_pem("embeddedSCTs1-key.pem"), + }, + client => { + "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"), + extra => { + "CTValidation" => "Strict", + }, + }, + # SCTs are not present during resumption, so the resumption + # should succeed. + resume_client => { + extra => { + "CTValidation" => "Strict", + }, + }, + test => { + "HandshakeMode" => "Resume", + "ResumptionExpected" => "Yes", + "ExpectedResult" => "Success", + }, }, ); -- 2.25.1