mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-03-14 01:26:49 +00:00
ssl-opt.sh: Test trusted certificate callback in TLS 1.3
Signed-off-by: Ronald Cron <ronald.cron@arm.com> Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
parent
cb7f63266f
commit
8d5da8f4a3
@ -2155,7 +2155,7 @@ run_test "TLS: password protected server key, two certificates" \
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "CA callback on client" \
|
||||
"$P_SRV debug_level=3" \
|
||||
"$P_CLI force_version=tls12 ca_callback=1 debug_level=3 " \
|
||||
"$P_CLI ca_callback=1 debug_level=3 " \
|
||||
0 \
|
||||
-c "use CA callback for X.509 CRT verification" \
|
||||
-S "error" \
|
||||
@ -2165,7 +2165,7 @@ requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
|
||||
requires_hash_alg SHA_256
|
||||
run_test "CA callback on server" \
|
||||
"$P_SRV force_version=tls12 auth_mode=required" \
|
||||
"$P_SRV auth_mode=required" \
|
||||
"$P_CLI ca_callback=1 debug_level=3 crt_file=$DATA_FILES_PATH/server5.crt \
|
||||
key_file=$DATA_FILES_PATH/server5.key" \
|
||||
0 \
|
||||
@ -6308,7 +6308,7 @@ requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: server badcert, client required" \
|
||||
"$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
|
||||
key_file=$DATA_FILES_PATH/server5.key" \
|
||||
"$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required" \
|
||||
"$P_CLI ca_callback=1 debug_level=3 auth_mode=required" \
|
||||
1 \
|
||||
-c "use CA callback for X.509 CRT verification" \
|
||||
-c "x509_verify_cert() returned" \
|
||||
@ -6320,7 +6320,7 @@ requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: server badcert, client optional" \
|
||||
"$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
|
||||
key_file=$DATA_FILES_PATH/server5.key" \
|
||||
"$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=optional" \
|
||||
"$P_CLI ca_callback=1 debug_level=3 auth_mode=optional" \
|
||||
0 \
|
||||
-c "use CA callback for X.509 CRT verification" \
|
||||
-c "x509_verify_cert() returned" \
|
||||
@ -6328,6 +6328,18 @@ run_test "Authentication, CA callback: server badcert, client optional" \
|
||||
-C "! mbedtls_ssl_handshake returned" \
|
||||
-C "X509 - Certificate verification failed"
|
||||
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: server badcert, client none" \
|
||||
"$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
|
||||
key_file=$DATA_FILES_PATH/server5.key" \
|
||||
"$P_CLI ca_callback=1 debug_level=3 auth_mode=none" \
|
||||
0 \
|
||||
-C "use CA callback for X.509 CRT verification" \
|
||||
-C "x509_verify_cert() returned" \
|
||||
-C "! The certificate is not correctly signed by the trusted CA" \
|
||||
-C "! mbedtls_ssl_handshake returned" \
|
||||
-C "X509 - Certificate verification failed"
|
||||
|
||||
# The purpose of the next two tests is to test the client's behaviour when receiving a server
|
||||
# certificate with an unsupported elliptic curve. This should usually not happen because
|
||||
# the client informs the server about the supported curves - it does, though, in the
|
||||
@ -6383,7 +6395,7 @@ run_test "Authentication, CA callback: client SHA256, server required" \
|
||||
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: client badcert, server required" \
|
||||
"$P_SRV force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required" \
|
||||
"$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
|
||||
"$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
|
||||
key_file=$DATA_FILES_PATH/server5.key" \
|
||||
1 \
|
||||
@ -6398,7 +6410,6 @@ run_test "Authentication, CA callback: client badcert, server required" \
|
||||
-s "! The certificate is not correctly signed by the trusted CA" \
|
||||
-s "! mbedtls_ssl_handshake returned" \
|
||||
-s "send alert level=2 message=48" \
|
||||
-c "! mbedtls_ssl_handshake returned" \
|
||||
-s "X509 - Certificate verification failed"
|
||||
# We don't check that the client receives the alert because it might
|
||||
# detect that its write end of the connection is closed and abort
|
||||
@ -6406,7 +6417,7 @@ run_test "Authentication, CA callback: client badcert, server required" \
|
||||
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: client cert not trusted, server required" \
|
||||
"$P_SRV force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required" \
|
||||
"$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
|
||||
"$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-selfsigned.crt \
|
||||
key_file=$DATA_FILES_PATH/server5.key" \
|
||||
1 \
|
||||
@ -6420,12 +6431,11 @@ run_test "Authentication, CA callback: client cert not trusted, server requir
|
||||
-s "x509_verify_cert() returned" \
|
||||
-s "! The certificate is not correctly signed by the trusted CA" \
|
||||
-s "! mbedtls_ssl_handshake returned" \
|
||||
-c "! mbedtls_ssl_handshake returned" \
|
||||
-s "X509 - Certificate verification failed"
|
||||
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: client badcert, server optional" \
|
||||
"$P_SRV force_version=tls12 ca_callback=1 debug_level=3 auth_mode=optional" \
|
||||
"$P_SRV ca_callback=1 debug_level=3 auth_mode=optional" \
|
||||
"$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
|
||||
key_file=$DATA_FILES_PATH/server5.key" \
|
||||
0 \
|
||||
@ -6448,7 +6458,7 @@ requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: server max_int chain, client default" \
|
||||
"$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c09.pem \
|
||||
key_file=$DATA_FILES_PATH/dir-maxpath/09.key" \
|
||||
"$P_CLI force_version=tls12 ca_callback=1 debug_level=3 server_name=CA09 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \
|
||||
"$P_CLI ca_callback=1 debug_level=3 server_name=CA09 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \
|
||||
0 \
|
||||
-c "use CA callback for X.509 CRT verification" \
|
||||
-C "X509 - A fatal error occurred"
|
||||
@ -6459,7 +6469,7 @@ requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: server max_int+1 chain, client default" \
|
||||
"$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
|
||||
key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
|
||||
"$P_CLI force_version=tls12 debug_level=3 ca_callback=1 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \
|
||||
"$P_CLI debug_level=3 ca_callback=1 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \
|
||||
1 \
|
||||
-c "use CA callback for X.509 CRT verification" \
|
||||
-c "X509 - A fatal error occurred"
|
||||
@ -6470,7 +6480,7 @@ requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: server max_int+1 chain, client optional" \
|
||||
"$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
|
||||
key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
|
||||
"$P_CLI force_version=tls12 ca_callback=1 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \
|
||||
"$P_CLI ca_callback=1 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \
|
||||
debug_level=3 auth_mode=optional" \
|
||||
1 \
|
||||
-c "use CA callback for X.509 CRT verification" \
|
||||
@ -6480,7 +6490,7 @@ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
|
||||
requires_full_size_output_buffer
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: client max_int+1 chain, server optional" \
|
||||
"$P_SRV force_version=tls12 ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=optional" \
|
||||
"$P_SRV ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=optional" \
|
||||
"$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
|
||||
key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
|
||||
1 \
|
||||
@ -6491,7 +6501,7 @@ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
|
||||
requires_full_size_output_buffer
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: client max_int+1 chain, server required" \
|
||||
"$P_SRV force_version=tls12 ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \
|
||||
"$P_SRV ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \
|
||||
"$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
|
||||
key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
|
||||
1 \
|
||||
@ -6502,7 +6512,7 @@ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
|
||||
requires_full_size_output_buffer
|
||||
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
run_test "Authentication, CA callback: client max_int chain, server required" \
|
||||
"$P_SRV force_version=tls12 ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \
|
||||
"$P_SRV ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \
|
||||
"$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c09.pem \
|
||||
key_file=$DATA_FILES_PATH/dir-maxpath/09.key" \
|
||||
0 \
|
||||
|
Loading…
x
Reference in New Issue
Block a user