author | Denis Kenzior <denkenz@gmail.com> | 2022-07-06 15:26:33 -0500 |
committer | Denis Kenzior <denkenz@gmail.com> | 2022-07-26 20:44:00 -0500 |
commit | abb7a9eabc6dba2056d8a856a57c9e19cd75a278 (patch) | |
tree | 531e6d2e28b8602574114b728e32e2eb27a95572 | |
parent | 16718a115de7655e8d16f56533a682f9a8927d7b (diff) |
unit: Add basic EC-DSA verification test
-rw-r--r-- | .gitignore | 2 | ||||
-rw-r--r-- | Makefile.am | 39 | ||||
-rw-r--r-- | unit/test-tls.c | 22 |
3 files changed, 61 insertions, 2 deletions
@@ -67,6 +67,8 @@ unit/cert-*.csr
 unit/cert-*.srl
 unit/cert-*.crt
 unit/cert-*.p12
+unit/ec-cert-*.pem
+unit/ec-cert-*.csr
 unit/key-*.dat
 unit/key-*.h
 unit/*.log
diff --git a/Makefile.am b/Makefile.am
index 2bf728bb..596771ad 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -219,6 +219,7 @@ cert_tests = unit/test-pem \
 cert_files = unit/cert-chain.pem \
 unit/cert-entity-int.pem \
 unit/cert-server.pem \
+ unit/ec-cert-server.pem \
 unit/cert-server-key-pkcs8.pem \
 unit/cert-client.pem \
 unit/cert-client.crt \
@@ -246,6 +247,7 @@ cert_files = unit/cert-chain.pem \
 cert_checks = unit/cert-intca \
 unit/cert-entity-int \
 unit/cert-server \
+ unit/ec-cert-server \
 unit/cert-client \
 unit/cert-no-keyid
@@ -417,15 +419,30 @@ false_redirect_openssl = 2>/dev/null
 unit/cert-ca-key.pem:
 $(AM_V_GEN)openssl genrsa -out $@ 2048 $($(AM_V_P)_redirect_openssl)
+unit/ec-cert-ca-key.pem:
+ $(AM_V_GEN)openssl ecparam -out $@ -name secp384r1 \
+ -genkey $($(AM_V_P)_redirect_openssl)
+
+
 unit/cert-ca.pem: unit/cert-ca-key.pem unit/gencerts.cnf
 $(AM_V_GEN)openssl req -x509 -new -nodes -extensions ca_ext \
 -config $(srcdir)/unit/gencerts.cnf \
 -subj '/O=International Union of Example Organizations/CN=Certificate issuer guy/emailAddress=ca@mail.example' \
 -key $< -sha256 -days 10000 -out $@
+unit/ec-cert-ca.pem: unit/ec-cert-ca-key.pem unit/gencerts.cnf
+ $(AM_V_GEN)openssl req -x509 -new -nodes -extensions ca_ext \
+ -config $(srcdir)/unit/gencerts.cnf \
+ -subj '/O=International Union of Example Organizations/CN=Certificate issuer guy/emailAddress=ca@mail.example' \
+ -key $< -sha256 -days 10000 -out $@
+
 unit/cert-server-key.pem:
 $(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
+unit/ec-cert-server-key.pem:
+ $(AM_V_GEN)openssl ecparam -out $@ -name secp384r1 \
+ -genkey $($(AM_V_P)_redirect_openssl)
+
 unit/cert-server-key-pkcs8.pem: unit/cert-server-key.pem
 $(AM_V_GEN)openssl pkcs8 -topk8 -nocrypt -in $< -out $@
@@ -435,6 +452,12 @@ unit/cert-server.csr: unit/cert-server-key.pem unit/gencerts.cnf
 -subj '/O=Foo Example Organization/CN=Foo Example Organization/emailAddress=foo@mail.example' \
 -key $< -out $@
+unit/ec-cert-server.csr: unit/ec-cert-server-key.pem unit/gencerts.cnf
+ $(AM_V_GEN)openssl req -new -extensions cert_ext \
+ -config $(srcdir)/unit/gencerts.cnf \
+ -subj '/O=Foo Example Organization/CN=Foo Example Organization/emailAddress=foo@mail.example' \
+ -key $< -out $@
+
 unit/cert-server.pem: unit/cert-server.csr unit/cert-ca.pem unit/gencerts.cnf
 $(AM_V_GEN)openssl x509 -req -extensions server_ext \
 -extfile $(srcdir)/unit/gencerts.cnf \
@@ -443,9 +466,22 @@ unit/cert-server.pem: unit/cert-server.csr unit/cert-ca.pem unit/gencerts.cnf
 -CAserial $(builddir)/unit/cert-ca.srl \
 -CAcreateserial -sha256 -days 10000 -out $@ $($(AM_V_P)_redirect_openssl)
+unit/ec-cert-server.pem: unit/ec-cert-server.csr unit/ec-cert-ca.pem \
+ unit/gencerts.cnf
+ $(AM_V_GEN)openssl x509 -req -extensions server_ext \
+ -extfile $(srcdir)/unit/gencerts.cnf \
+ -in $< -CA $(builddir)/unit/ec-cert-ca.pem \
+ -CAkey $(builddir)/unit/ec-cert-ca-key.pem \
+ -CAserial $(builddir)/unit/cert-ca.srl \
+ -CAcreateserial -sha256 -days 10000 \
+ -out $@ $($(AM_V_P)_redirect_openssl)
+
 unit/cert-server: unit/cert-server.pem unit/cert-ca.pem
 $(AM_V_GEN)openssl verify -CAfile $(builddir)/unit/cert-ca.pem $<
+unit/ec-cert-server: unit/ec-cert-server.pem unit/ec-cert-ca.pem
+ $(AM_V_GEN)openssl verify -CAfile $(builddir)/unit/ec-cert-ca.pem $<
+
 unit/cert-client-key-pkcs1.pem:
 $(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
@@ -623,7 +659,8 @@ check-local: $(cert_checks)
 endif
 clean-local:
- -rm -f unit/cert-*.pem unit/cert-*.csr unit/cert-*.srl unit/key-*.dat
+ -rm -f unit/ec-cert*.pem unit/ec-cert-*.csr \
+ unit/cert-*.pem unit/cert-*.csr unit/cert-*.srl unit/key-*.dat
 maintainer-clean-local:
 -rm -rf build-aux
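Review bot: The new `unit/ec-cert-server.pem` rule signs with the EC CA but passes `-CAserial $(builddir)/unit/cert-ca.srl`, the RSA CA's serial file, so the two issuers share one serial counter and the EC rule silently depends on a file named for a different CA. Giving the EC CA its own state keeps the fixtures independent: `-CAserial $(builddir)/unit/ec-cert-ca.srl \` in that rule, with `unit/ec-cert-*.srl` added to the `clean-local` list and to .gitignore next to the existing `unit/ec-cert-*.pem` entry. On the same topic, the `clean-local` glob `unit/ec-cert*.pem` (no hyphen) differs from the `unit/ec-cert-*.pem` pattern used in .gitignore; spelling them the same avoids a stale-fixture mismatch later. The first `+unit/ec-cert-ca-key.pem:` rule is also followed by two added blank lines where the neighbouring rules use one.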
diff --git a/unit/test-tls.c b/unit/test-tls.c
index 7937962c..aee5b2e3 100644
--- a/unit/test-tls.c
+++ b/unit/test-tls.c
@@ -325,6 +325,24 @@ static void test_certificates(const void *data)
 l_queue_destroy(twocas, (l_queue_destroy_func_t) l_cert_free);
 }
+static void test_ec_certificates(const void *data)
+{
+ struct l_queue *cacert;
+ struct l_certchain *chain;
+
+ cacert = l_pem_load_certificate_list(CERTDIR "ec-cert-ca.pem");
+ assert(cacert && !l_queue_isempty(cacert));
+
+ chain = l_pem_load_certificate_chain(CERTDIR "ec-cert-server.pem");
+ assert(chain);
+
+ assert(l_certchain_verify(chain, cacert, NULL));
+ assert(l_certchain_verify(chain, NULL, NULL));
+
+ l_certchain_free(chain);
+ l_queue_destroy(cacert, (l_queue_destroy_func_t) l_cert_free);
+}
+
 struct tls_conn_test {
 const char *server_cert_path;
 const char *server_key_path;
@@ -948,8 +966,10 @@ int main(int argc, char *argv[])
 l_test_add("TLS 1.2 PRF with SHA512", test_tls12_prf, &tls12_prf_sha512_0);
- if (l_key_is_supported(L_KEY_FEATURE_RESTRICT))
+ if (l_key_is_supported(L_KEY_FEATURE_RESTRICT)) {
 l_test_add("Certificate chains", test_certificates, NULL);
+ l_test_add("ECDSA Certificates", test_ec_certificates, NULL);
+ }
 if (!l_getrandom_is_supported()) {
 printf("getrandom missing, skipping TLS connection tests...\n"); |
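Review bot: `test_ec_certificates` asserts only that `l_certchain_verify` succeeds, so an ECDSA verifier that accepted every signature would still pass this test; a negative case is needed to show the EC chain is really checked against the supplied trust anchor. The RSA CA fixture `cert-ca.pem`, which the Makefile rules in this same commit build next to `ec-cert-ca.pem` (so presumably reachable through `CERTDIR`), is an unrelated issuer that must be rejected. The third argument to `l_certchain_verify` is passed as NULL here; if it is an error out-pointer, filling it in the negative case gives a readable assertion message, but the check below does not depend on it. The added lines go before the existing `l_certchain_free(chain)`:
```c
static void test_ec_certificates(const void *data)
{
	struct l_queue *cacert;
	struct l_queue *wrongca;
	struct l_certchain *chain;
	/* … unchanged: load ec-cert-ca.pem and ec-cert-server.pem, positive verify calls … */

	/* An unrelated (RSA) CA must not validate the EC chain. */
	wrongca = l_pem_load_certificate_list(CERTDIR "cert-ca.pem");
	assert(wrongca && !l_queue_isempty(wrongca));
	assert(!l_certchain_verify(chain, wrongca, NULL));
	l_queue_destroy(wrongca, (l_queue_destroy_func_t) l_cert_free);
	/* … unchanged: l_certchain_free(chain) and cacert cleanup … */
```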