author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-02-02 07:10:10 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-02-06 05:42:53 +0100 |
commit | daf6650142f63c0f602b99c92ba941ff1d9f851c (patch) | |
tree | 753847078224af18f0b43f3e240021c368203d7c /tests/tls12-cert-key-exchange.c | |
parent | 71afdf09b820180f3125eeefaeb787155e7333fc (diff) | |
Enforce the certificate key usage restrictions on all cases
That is, we require a signing certificate when negotiating
TLS1.3, or when sending a client certificate (on all cases).
Previously we would not perform any checks under TLS1.3 or when client
certificates are sent, assuming that the certificates used will always
be signing ones. However, if the user incorrectly sets up a decryption
certificate, we would use it for signing. This fix makes sure that an
error is returned early when these scenarios are detected.
Resolves: #690
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'tests/tls12-cert-key-exchange.c')
-rw-r--r-- | tests/tls12-cert-key-exchange.c | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/tests/tls12-cert-key-exchange.c b/tests/tls12-cert-key-exchange.c
index 7811ae85bb..da26e87a3b 100644
--- a/tests/tls12-cert-key-exchange.c
+++ b/tests/tls12-cert-key-exchange.c
@@ -120,5 +120,25 @@ void doit(void)
 GNUTLS_E_AGAIN, GNUTLS_E_UNWANTED_ALGORITHM, &server_ca3_rsa_pss_cert, &server_ca3_rsa_pss_key, &cli_ca3_cert, &cli_ca3_key);
+ try_with_key_fail("TLS 1.2 with rsa encryption cert without RSA",
+ "NORMAL:-VERS-ALL:+VERS-TLS1.2:-RSA",
+ GNUTLS_E_NO_CIPHER_SUITES, GNUTLS_E_AGAIN,
+ &server_ca3_localhost_rsa_decrypt_cert, &server_ca3_key, NULL, NULL);
+
+ try_with_key_fail("TLS 1.2 with (forced) rsa encryption cert and no RSA - client should detect",
+ "NORMAL:-VERS-ALL:+VERS-TLS1.2:-RSA:%DEBUG_ALLOW_KEY_USAGE_VIOLATIONS",
+ GNUTLS_E_AGAIN, GNUTLS_E_KEY_USAGE_VIOLATION,
+ &server_ca3_localhost_rsa_decrypt_cert, &server_ca3_key, NULL, NULL);
+
+ try_with_key_fail("TLS 1.2 with client rsa encryption cert",
+ "NORMAL:-VERS-ALL:+VERS-TLS1.2",
+ GNUTLS_E_AGAIN, GNUTLS_E_KEY_USAGE_VIOLATION,
+ &server_ca3_rsa_pss_cert, &server_ca3_rsa_pss_key, &server_ca3_localhost_rsa_decrypt_cert, &server_ca3_key);
+
+ try_with_key_fail("TLS 1.2 with (forced) client rsa encryption cert - server should detect",
+ "NORMAL:-VERS-ALL:+VERS-TLS1.2:%DEBUG_ALLOW_KEY_USAGE_VIOLATIONS",
+ GNUTLS_E_KEY_USAGE_VIOLATION, GNUTLS_E_AGAIN,
+ &server_ca3_rsa_pss_cert, &server_ca3_rsa_pss_key, &server_ca3_localhost_rsa_decrypt_cert, &server_ca3_key);
+
 gnutls_global_deinit();
 } |
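Review bot: The two "(forced)" cases depend on `%DEBUG_ALLOW_KEY_USAGE_VIOLATIONS` and on the order of the two expected error codes, and neither is explained where the calls are added. Judging from the test names and from how the expected values swap between the unforced and forced client-certificate variants, the first code appears to be the server's result and the second the client's, with the flag skipping the local check so that the peer's check is the one exercised; a comment such as `/* expected errors are (server, client); the debug flag skips the local key-usage check so the peer must reject */` above the first forced call would make that auditable. All four additions are negative cases, so a positive control (the same decryption-only certificate with RSA key exchange left enabled, expected to succeed) would guard against over-enforcement, unless one already exists earlier in `doit()`, whose body starts outside the hunk.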