From f0b1271a42404a481840394ca9ec0cf1f7d6c28b Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Mon, 21 Mar 2022 09:31:32 +0100 Subject: [PATCH 1/3] Support RSA Opaque PK keys in ssl_server2 Signed-off-by: Neil Armstrong --- programs/ssl/ssl_server2.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 02919b4275..24d9ea949c 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -2562,7 +2562,8 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_USE_PSA_CRYPTO) if( opt.key_opaque != 0 ) { - if ( mbedtls_pk_get_type( &pkey ) == MBEDTLS_PK_ECKEY ) + if ( mbedtls_pk_get_type( &pkey ) == MBEDTLS_PK_ECKEY || + mbedtls_pk_get_type( &pkey ) == MBEDTLS_PK_RSA ) { if( ( ret = mbedtls_pk_wrap_as_opaque( &pkey, &key_slot, PSA_ALG_ANY_HASH ) ) != 0 ) @@ -2573,7 +2574,8 @@ int main( int argc, char *argv[] ) } } - if ( mbedtls_pk_get_type( &pkey2 ) == MBEDTLS_PK_ECKEY ) + if ( mbedtls_pk_get_type( &pkey2 ) == MBEDTLS_PK_ECKEY || + mbedtls_pk_get_type( &pkey2 ) == MBEDTLS_PK_RSA ) { if( ( ret = mbedtls_pk_wrap_as_opaque( &pkey2, &key_slot2, PSA_ALG_ANY_HASH ) ) != 0 ) From 3e9a14201716466ce9d48a15b50b196c9b59dfd6 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Mon, 21 Mar 2022 10:03:46 +0100 Subject: [PATCH 2/3] Add RSA Opaque PK key tests variants in ssl-opt.sh Signed-off-by: Neil Armstrong --- tests/ssl-opt.sh | 74 ++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 68 insertions(+), 6 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 18fff9d7ea..a9f34d9cc3 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1546,13 +1546,13 @@ run_test "CA callback on server" \ -S "error" \ -C "error" -# Test using an opaque private key for client authentication +# Test using an EC opaque private key for client authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C -run_test "Opaque key for client authentication" \ +run_test "TLS-ECDHE-ECDSA Opaque key for client authentication" \ "$P_SRV auth_mode=required crt_file=data_files/server5.crt \ key_file=data_files/server5.key" \ "$P_CLI key_opaque=1 crt_file=data_files/server5.crt \ @@ -1565,13 +1565,33 @@ run_test "Opaque key for client authentication" \ -S "error" \ -C "error" -# Test using an opaque private key for server authentication +# Test using a RSA opaque private key for client authentication +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_X509_CRT_PARSE_C +requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled MBEDTLS_SHA256_C +run_test "TLS-ECDHE-RSA Opaque key for client authentication" \ + "$P_SRV auth_mode=required crt_file=data_files/server2-sha256.crt \ + key_file=data_files/server2.key" \ + "$P_CLI key_opaque=1 crt_file=data_files/server2-sha256.crt \ + key_file=data_files/server2.key" \ + 0 \ + -c "key type: Opaque" \ + -c "Ciphersuite is TLS-ECDHE-RSA" \ + -s "Verifying peer X.509 certificate... ok" \ + -s "Ciphersuite is TLS-ECDHE-RSA" \ + -S "error" \ + -C "error" + +# Test using an EC opaque private key for server authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C -run_test "Opaque key for server authentication" \ +run_test "TLS-ECDHE-ECDSA Opaque key for server authentication" \ "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \ key_file=data_files/server5.key" \ "$P_CLI crt_file=data_files/server5.crt \ @@ -1602,13 +1622,33 @@ run_test "Opaque key for server authentication (ECDH-)" \ -S "error" \ -C "error" -# Test using an opaque private key for client/server authentication +# Test using a RSA opaque private key for server authentication +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_X509_CRT_PARSE_C +requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled MBEDTLS_SHA256_C +run_test "TLS-ECDHE-RSA Opaque key for server authentication" \ + "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \ + key_file=data_files/server2.key" \ + "$P_CLI crt_file=data_files/server2-sha256.crt \ + key_file=data_files/server2.key" \ + 0 \ + -c "Verifying peer X.509 certificate... ok" \ + -c "Ciphersuite is TLS-ECDHE-RSA" \ + -s "key types: Opaque, none" \ + -s "Ciphersuite is TLS-ECDHE-RSA" \ + -S "error" \ + -C "error" + +# Test using an EC opaque private key for client/server authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C -run_test "Opaque key for client/server authentication" \ +run_test "TLS-ECDHE-ECDSA Opaque key for client/server authentication" \ "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \ key_file=data_files/server5.key" \ "$P_CLI key_opaque=1 crt_file=data_files/server5.crt \ @@ -1623,6 +1663,28 @@ run_test "Opaque key for client/server authentication" \ -S "error" \ -C "error" +# Test using a RSA opaque private key for client/server authentication +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_X509_CRT_PARSE_C +requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled MBEDTLS_SHA256_C +run_test "TLS-ECDHE-RSA Opaque key for client/server authentication" \ + "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \ + key_file=data_files/server2.key" \ + "$P_CLI key_opaque=1 crt_file=data_files/server2-sha256.crt \ + key_file=data_files/server2.key" \ + 0 \ + -c "key type: Opaque" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "Ciphersuite is TLS-ECDHE-RSA" \ + -s "key types: Opaque, none" \ + -s "Verifying peer X.509 certificate... ok" \ + -s "Ciphersuite is TLS-ECDHE-RSA" \ + -S "error" \ + -C "error" + # Test ciphersuites which we expect to be fully supported by PSA Crypto # and check that we don't fall back to Mbed TLS' internal crypto primitives. run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM From a4dbfddba2c4df871dd000ebd0295380990da7ff Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Mon, 21 Mar 2022 10:11:07 +0100 Subject: [PATCH 3/3] Add DHE-RSA Opaque PK key tests variants in ssl-opt.sh Signed-off-by: Neil Armstrong --- tests/ssl-opt.sh | 58 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index a9f34d9cc3..47d31a4ba6 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1585,6 +1585,24 @@ run_test "TLS-ECDHE-RSA Opaque key for client authentication" \ -S "error" \ -C "error" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_X509_CRT_PARSE_C +requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled MBEDTLS_SHA256_C +run_test "TLS-DHE-RSA Opaque key for client authentication" \ + "$P_SRV auth_mode=required crt_file=data_files/server2-sha256.crt \ + key_file=data_files/server2.key" \ + "$P_CLI key_opaque=1 crt_file=data_files/server2-sha256.crt \ + key_file=data_files/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \ + 0 \ + -c "key type: Opaque" \ + -c "Ciphersuite is TLS-DHE-RSA" \ + -s "Verifying peer X.509 certificate... ok" \ + -s "Ciphersuite is TLS-DHE-RSA" \ + -S "error" \ + -C "error" + # Test using an EC opaque private key for server authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO @@ -1642,6 +1660,25 @@ run_test "TLS-ECDHE-RSA Opaque key for server authentication" \ -S "error" \ -C "error" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_X509_CRT_PARSE_C +requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled MBEDTLS_SHA256_C +run_test "TLS-DHE-RSA Opaque key for server authentication" \ + "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \ + key_file=data_files/server2.key" \ + "$P_CLI crt_file=data_files/server2-sha256.crt \ + key_file=data_files/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \ + 0 \ + -c "Verifying peer X.509 certificate... ok" \ + -c "Ciphersuite is TLS-DHE-RSA" \ + -s "key types: Opaque, none" \ + -s "Ciphersuite is TLS-DHE-RSA" \ + -S "error" \ + -C "error" + # Test using an EC opaque private key for client/server authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO @@ -1685,6 +1722,27 @@ run_test "TLS-ECDHE-RSA Opaque key for client/server authentication" \ -S "error" \ -C "error" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_X509_CRT_PARSE_C +requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled MBEDTLS_SHA256_C +run_test "TLS-DHE-RSA Opaque key for client/server authentication" \ + "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \ + key_file=data_files/server2.key" \ + "$P_CLI key_opaque=1 crt_file=data_files/server2-sha256.crt \ + key_file=data_files/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \ + 0 \ + -c "key type: Opaque" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "Ciphersuite is TLS-DHE-RSA" \ + -s "key types: Opaque, none" \ + -s "Verifying peer X.509 certificate... ok" \ + -s "Ciphersuite is TLS-DHE-RSA" \ + -S "error" \ + -C "error" + # Test ciphersuites which we expect to be fully supported by PSA Crypto # and check that we don't fall back to Mbed TLS' internal crypto primitives. run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM