diff options
| author | Rob Percival <robpercival@google.com> | 2017-04-06 13:21:27 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2017-04-26 16:33:55 +0100 |
| commit | e23a4e98a90c448a196aede3edeb7802ed0da121 (patch) | |
| tree | e0d159de196f105dccfcd74be5bf073c88f8f78e /test/ssl-tests | |
| parent | 3626ed03a6d13fa757d3327db2d5523072063132 (diff) | |
Add SSL tests for certificates with embedded SCTs
The only SSL tests prior to this tested using certificates with no
embedded Signed Certificate Timestamps (SCTs), which meant they couldn't
confirm whether Certificate Transparency checks in "strict" mode were
working.
These tests reveal a bug in the validation of SCT timestamps, which is
fixed by the next commit.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3260)
Diffstat (limited to 'test/ssl-tests')
| -rw-r--r-- | test/ssl-tests/12-ct.conf | 176 | ||||
| -rw-r--r-- | test/ssl-tests/12-ct.conf.in | 149 |
2 files changed, 210 insertions, 115 deletions
diff --git a/test/ssl-tests/12-ct.conf b/test/ssl-tests/12-ct.conf index 22fa18dd45..2e6e9dea67 100644 --- a/test/ssl-tests/12-ct.conf +++ b/test/ssl-tests/12-ct.conf @@ -1,135 +1,191 @@ # Generated with generate_ssl_tests.pl -num_tests = 4 - -test-0 = 0-ct-permissive -test-1 = 1-ct-strict -test-2 = 2-ct-permissive-resumption -test-3 = 3-ct-strict-resumption +num_tests = 6 + +test-0 = 0-ct-permissive-without-scts +test-1 = 1-ct-permissive-with-scts +test-2 = 2-ct-strict-without-scts +test-3 = 3-ct-strict-with-scts +test-4 = 4-ct-permissive-resumption +test-5 = 5-ct-strict-resumption # =========================================================== -[0-ct-permissive] -ssl_conf = 0-ct-permissive-ssl +[0-ct-permissive-without-scts] +ssl_conf = 0-ct-permissive-without-scts-ssl -[0-ct-permissive-ssl] -server = 0-ct-permissive-server -client = 0-ct-permissive-client +[0-ct-permissive-without-scts-ssl] +server = 0-ct-permissive-without-scts-server +client = 0-ct-permissive-without-scts-client -[0-ct-permissive-server] +[0-ct-permissive-without-scts-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[0-ct-permissive-client] +[0-ct-permissive-without-scts-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-0] ExpectedResult = Success -client = 0-ct-permissive-client-extra +client = 0-ct-permissive-without-scts-client-extra + +[0-ct-permissive-without-scts-client-extra] +CTValidation = Permissive + + +# =========================================================== + +[1-ct-permissive-with-scts] +ssl_conf = 1-ct-permissive-with-scts-ssl + +[1-ct-permissive-with-scts-ssl] +server = 1-ct-permissive-with-scts-server +client = 1-ct-permissive-with-scts-client + +[1-ct-permissive-with-scts-server] +Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem + +[1-ct-permissive-with-scts-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem +VerifyMode = Peer + +[test-1] +ExpectedResult = Success +client = 1-ct-permissive-with-scts-client-extra -[0-ct-permissive-client-extra] +[1-ct-permissive-with-scts-client-extra] CTValidation = Permissive # =========================================================== -[1-ct-strict] -ssl_conf = 1-ct-strict-ssl +[2-ct-strict-without-scts] +ssl_conf = 2-ct-strict-without-scts-ssl -[1-ct-strict-ssl] -server = 1-ct-strict-server -client = 1-ct-strict-client +[2-ct-strict-without-scts-ssl] +server = 2-ct-strict-without-scts-server +client = 2-ct-strict-without-scts-client -[1-ct-strict-server] +[2-ct-strict-without-scts-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[1-ct-strict-client] +[2-ct-strict-without-scts-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-1] +[test-2] ExpectedClientAlert = HandshakeFailure ExpectedResult = ClientFail -client = 1-ct-strict-client-extra +client = 2-ct-strict-without-scts-client-extra -[1-ct-strict-client-extra] +[2-ct-strict-without-scts-client-extra] CTValidation = Strict # =========================================================== -[2-ct-permissive-resumption] -ssl_conf = 2-ct-permissive-resumption-ssl +[3-ct-strict-with-scts] +ssl_conf = 3-ct-strict-with-scts-ssl -[2-ct-permissive-resumption-ssl] -server = 2-ct-permissive-resumption-server -client = 2-ct-permissive-resumption-client -resume-server = 2-ct-permissive-resumption-server -resume-client = 2-ct-permissive-resumption-client +[3-ct-strict-with-scts-ssl] +server = 3-ct-strict-with-scts-server +client = 3-ct-strict-with-scts-client -[2-ct-permissive-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +[3-ct-strict-with-scts-server] +Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem -[2-ct-permissive-resumption-client] +[3-ct-strict-with-scts-client] CipherString = DEFAULT -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem VerifyMode = Peer -[test-2] +[test-3] +ExpectedResult = Success +client = 3-ct-strict-with-scts-client-extra + +[3-ct-strict-with-scts-client-extra] +CTValidation = Strict + + +# =========================================================== + +[4-ct-permissive-resumption] +ssl_conf = 4-ct-permissive-resumption-ssl + +[4-ct-permissive-resumption-ssl] +server = 4-ct-permissive-resumption-server +client = 4-ct-permissive-resumption-client +resume-server = 4-ct-permissive-resumption-server +resume-client = 4-ct-permissive-resumption-client + +[4-ct-permissive-resumption-server] +Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem + +[4-ct-permissive-resumption-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem +VerifyMode = Peer + +[test-4] ExpectedResult = Success HandshakeMode = Resume ResumptionExpected = Yes -client = 2-ct-permissive-resumption-client-extra -resume-client = 2-ct-permissive-resumption-client-extra +client = 4-ct-permissive-resumption-client-extra +resume-client = 4-ct-permissive-resumption-client-extra -[2-ct-permissive-resumption-client-extra] +[4-ct-permissive-resumption-client-extra] CTValidation = Permissive # =========================================================== -[3-ct-strict-resumption] -ssl_conf = 3-ct-strict-resumption-ssl +[5-ct-strict-resumption] +ssl_conf = 5-ct-strict-resumption-ssl -[3-ct-strict-resumption-ssl] -server = 3-ct-strict-resumption-server -client = 3-ct-strict-resumption-client -resume-server = 3-ct-strict-resumption-server -resume-client = 3-ct-strict-resumption-resume-client +[5-ct-strict-resumption-ssl] +server = 5-ct-strict-resumption-server +client = 5-ct-strict-resumption-client +resume-server = 5-ct-strict-resumption-server +resume-client = 5-ct-strict-resumption-resume-client -[3-ct-strict-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +[5-ct-strict-resumption-server] +Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem -[3-ct-strict-resumption-client] +[5-ct-strict-resumption-client] CipherString = DEFAULT -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem VerifyMode = Peer -[3-ct-strict-resumption-resume-client] +[5-ct-strict-resumption-resume-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-3] +[test-5] ExpectedResult = Success HandshakeMode = Resume ResumptionExpected = Yes -client = 3-ct-strict-resumption-client-extra -resume-client = 3-ct-strict-resumption-resume-client-extra +client = 5-ct-strict-resumption-client-extra +resume-client = 5-ct-strict-resumption-resume-client-extra -[3-ct-strict-resumption-client-extra] -CTValidation = Permissive +[5-ct-strict-resumption-client-extra] +CTValidation = Strict -[3-ct-strict-resumption-resume-client-extra] +[5-ct-strict-resumption-resume-client-extra] CTValidation = Strict diff --git a/test/ssl-tests/12-ct.conf.in b/test/ssl-tests/12-ct.conf.in index 9964d013c2..7c0304995f 100644 --- a/test/ssl-tests/12-ct.conf.in +++ b/test/ssl-tests/12-ct.conf.in @@ -16,65 +16,104 @@ package ssltests; our @tests = ( - # Currently only have tests for certs without SCTs. { - name => "ct-permissive", - server => { }, - client => { - extra => { - "CTValidation" => "Permissive", - }, - }, - test => { - "ExpectedResult" => "Success", - }, - }, + name => "ct-permissive-without-scts", + server => { }, + client => { + extra => { + "CTValidation" => "Permissive", + }, + }, + test => { + "ExpectedResult" => "Success", + }, + }, + { + name => "ct-permissive-with-scts", + server => { + "Certificate" => test_pem("embeddedSCTs1.pem"), + "PrivateKey" => test_pem("embeddedSCTs1-key.pem"), + }, + client => { + "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"), + extra => { + "CTValidation" => "Permissive", + }, + }, + test => { + "ExpectedResult" => "Success", + }, + }, { - name => "ct-strict", - server => { }, - client => { - extra => { - "CTValidation" => "Strict", - }, - }, - test => { - "ExpectedResult" => "ClientFail", - "ExpectedClientAlert" => "HandshakeFailure", - }, + name => "ct-strict-without-scts", + server => { }, + client => { + extra => { + "CTValidation" => "Strict", + }, + }, + test => { + "ExpectedResult" => "ClientFail", + "ExpectedClientAlert" => "HandshakeFailure", + }, }, { - name => "ct-permissive-resumption", - server => { }, - client => { - extra => { - "CTValidation" => "Permissive", - }, - }, - test => { - "HandshakeMode" => "Resume", - "ResumptionExpected" => "Yes", - "ExpectedResult" => "Success", - }, - }, + name => "ct-strict-with-scts", + server => { + "Certificate" => test_pem("embeddedSCTs1.pem"), + "PrivateKey" => test_pem("embeddedSCTs1-key.pem"), + }, + client => { + "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"), + extra => { + "CTValidation" => "Strict", + }, + }, + test => { + "ExpectedResult" => "Success", + }, + }, + { + name => "ct-permissive-resumption", + server => { + "Certificate" => test_pem("embeddedSCTs1.pem"), + "PrivateKey" => test_pem("embeddedSCTs1-key.pem"), + }, + client => { + "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"), + extra => { + "CTValidation" => "Permissive", + }, + }, + test => { + "HandshakeMode" => "Resume", + "ResumptionExpected" => "Yes", + "ExpectedResult" => "Success", + }, + }, { - name => "ct-strict-resumption", - server => { }, - client => { - extra => { - "CTValidation" => "Permissive", - }, - }, - # SCTs are not present during resumption, so the resumption - # should succeed. - resume_client => { - extra => { - "CTValidation" => "Strict", - }, - }, - test => { - "HandshakeMode" => "Resume", - "ResumptionExpected" => "Yes", - "ExpectedResult" => "Success", - }, + name => "ct-strict-resumption", + server => { + "Certificate" => test_pem("embeddedSCTs1.pem"), + "PrivateKey" => test_pem("embeddedSCTs1-key.pem"), + }, + client => { + "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"), + extra => { + "CTValidation" => "Strict", + }, + }, + # SCTs are not present during resumption, so the resumption + # should succeed. + resume_client => { + extra => { + "CTValidation" => "Strict", + }, + }, + test => { + "HandshakeMode" => "Resume", + "ResumptionExpected" => "Yes", + "ExpectedResult" => "Success", + }, }, ); |