diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-03-06 15:09:50 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-03-09 17:01:10 +0100 |
commit | 51d21634c9329463a8d7def24550ef268bc9b88c (patch) | |
tree | 49a8e2370b632040c8fbdbd03b9f8b51cef34677 /tests/tls-neg-ext-key.c | |
parent | 02354f173e66df3dad4ac9447e4965aecfad65e8 (diff) | |
download | gnutls-51d21634c9329463a8d7def24550ef268bc9b88c.tar.gz |
signatures: distinguish RSA-PSS signatures with RSA PKCS#1 1.5 certificates from "pure"
This change enhances signature algorithms to have a private key algorithm
parameter. That is, to allow signature algorithms operating with a private
key of type X while the public key is of type Y. That is useful for the
RSA-PSS signatures which are of two types; one which is seen from servers
having PKCS#1 1.5 certificates, the other with RSA-PSS certificates, while
both utilize RSA-PSS private keys.
This is a draft-ietf-tls-tls13-23 change.
Resolves #400
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'tests/tls-neg-ext-key.c')
-rw-r--r-- | tests/tls-neg-ext-key.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/tests/tls-neg-ext-key.c b/tests/tls-neg-ext-key.c index a02c6b0034..f8b4877a58 100644 --- a/tests/tls-neg-ext-key.c +++ b/tests/tls-neg-ext-key.c @@ -295,7 +295,7 @@ static const test_st tests[] = { }, {.name = "rsa-sign key with rsa-pss sigs prioritized", .pk = GNUTLS_PK_RSA, - .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512", + .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-SIGN-ALL:+SIGN-RSA-PSS-RSAE-SHA256:+SIGN-RSA-PSS-RSAE-SHA384:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512", .cert = &server_ca3_localhost_cert, .key = &server_ca3_key, .exp_kx = GNUTLS_KX_ECDHE_RSA @@ -308,9 +308,9 @@ static const test_st tests[] = { .exp_kx = GNUTLS_KX_ECDHE_RSA, .exp_key_err = GNUTLS_E_INVALID_REQUEST }, - {.name = "rsa-pss cert, rsa-sign key", /* we expect the server to refuse negotiating */ + {.name = "rsa-pss cert, rsa-sign key, no rsa-pss-rsae sigs", /* we expect the server to refuse negotiating */ .pk = GNUTLS_PK_RSA, - .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA", + .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512", .cert = &server_ca3_rsa_pss_cert, .key = &server_ca3_rsa_pss_key, .exp_kx = GNUTLS_KX_ECDHE_RSA, |