diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-05-26 08:57:11 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-05-29 08:41:21 +0200 |
commit | 47b89ad5a3077ec79f78ccf5344053867c7c3d9c (patch) | |
tree | a0457e9565dc81e8cc8e69f32b43f64fae5a0cc4 /tests | |
parent | 7cd227fef65f2208889934c30dad64763a9e791b (diff) | |
download | gnutls-47b89ad5a3077ec79f78ccf5344053867c7c3d9c.tar.gz |
tests: x509sign-verify: include ECDSA and RSA-PSS key tests
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'tests')
-rw-r--r-- | tests/x509sign-verify.c | 252 |
1 files changed, 119 insertions, 133 deletions
diff --git a/tests/x509sign-verify.c b/tests/x509sign-verify.c index c1da00ca08..c945bdee35 100644 --- a/tests/x509sign-verify.c +++ b/tests/x509sign-verify.c @@ -39,7 +39,7 @@ #include <gnutls/gnutls.h> #include <gnutls/x509.h> #include <gnutls/abstract.h> - +#include "cert-common.h" #include "utils.h" static void tls_log_func(int level, const char *str) @@ -48,14 +48,28 @@ static void tls_log_func(int level, const char *str) } /* sha1 hash of "hello" string */ -const gnutls_datum_t hash_data = { +const gnutls_datum_t sha1_hash_data = { (void *) "\xaa\xf4\xc6\x1d\xdc\xc5\xe8\xa2\xda\xbe" "\xde\x0f\x3b\x48\x2c\xd9\xae\xa9\x43\x4d", 20 }; -const gnutls_datum_t invalid_hash_data = { +const gnutls_datum_t sha256_hash_data = { + (void *) + "\x2c\xf2\x4d\xba\x5f\xb0\xa3\x0e\x26\xe8\x3b\x2a\xc5\xb9\xe2\x9e" + "\x1b\x16\x1e\x5c\x1f\xa7\x42\x5e\x73\x04\x33\x62\x93\x8b\x98\x24", + 32 +}; + +const gnutls_datum_t sha256_invalid_hash_data = { + (void *) + "\x2c\xf2\x4d\xba\x5f\xb1\xa3\x0e\x26\xe8\x3b\x2a\xc5\xb9\xe2\x9e" + "\x1b\x16\x1e\x5c\x1f\xa3\x42\x5e\x73\x04\x33\x62\x93\x8b\x98\x24", + 32 +}; + +const gnutls_datum_t sha1_invalid_hash_data = { (void *) "\xaa\xf4\xc6\x1d\xdc\xca\xe8\xa2\xda\xbe" "\xde\x0f\x3b\x48\x2c\xb9\xae\xa9\x43\x4d", @@ -67,85 +81,55 @@ const gnutls_datum_t raw_data = { 5 }; -static char pem1_cert[] = - "-----BEGIN CERTIFICATE-----\n" - "MIICHjCCAYmgAwIBAgIERiYdNzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" - "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTI3WhcNMDgwNDE3MTMyOTI3WjAdMRsw\n" - "GQYDVQQDExJHbnVUTFMgdGVzdCBjbGllbnQwgZwwCwYJKoZIhvcNAQEBA4GMADCB\n" - "iAKBgLtmQ/Xyxde2jMzF3/WIO7HJS2oOoa0gUEAIgKFPXKPQ+GzP5jz37AR2ExeL\n" - "ZIkiW8DdU3w77XwEu4C5KL6Om8aOoKUSy/VXHqLnu7czSZ/ju0quak1o/8kR4jKN\n" - "zj2AC41179gAgY8oBAOgIo1hBAf6tjd9IQdJ0glhaZiQo1ipAgMBAAGjdjB0MAwG\n" - "A1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDwYDVR0PAQH/BAUDAweg\n" - "ADAdBgNVHQ4EFgQUTLkKm/odNON+3svSBxX+odrLaJEwHwYDVR0jBBgwFoAU6Twc\n" - "+62SbuYGpFYsouHAUyfI8pUwCwYJKoZIhvcNAQEFA4GBALujmBJVZnvaTXr9cFRJ\n" - "jpfc/3X7sLUsMvumcDE01ls/cG5mIatmiyEU9qI3jbgUf82z23ON/acwJf875D3/\n" - "U7jyOsBJ44SEQITbin2yUeJMIm1tievvdNXBDfW95AM507ShzP12sfiJkJfjjdhy\n" - "dc8Siq5JojruiMizAf0pA7in\n" "-----END CERTIFICATE-----\n"; - -static char pem1_key[] = - "-----BEGIN RSA PRIVATE KEY-----\n" - "MIICXAIBAAKBgQC7ZkP18sXXtozMxd/1iDuxyUtqDqGtIFBACIChT1yj0Phsz+Y8\n" - "9+wEdhMXi2SJIlvA3VN8O+18BLuAuSi+jpvGjqClEsv1Vx6i57u3M0mf47tKrmpN\n" - "aP/JEeIyjc49gAuNde/YAIGPKAQDoCKNYQQH+rY3fSEHSdIJYWmYkKNYqQIDAQAB\n" - "AoGADpmARG5CQxS+AesNkGmpauepiCz1JBF/JwnyiX6vEzUh0Ypd39SZztwrDxvF\n" - "PJjQaKVljml1zkJpIDVsqvHdyVdse8M+Qn6hw4x2p5rogdvhhIL1mdWo7jWeVJTF\n" - "RKB7zLdMPs3ySdtcIQaF9nUAQ2KJEvldkO3m/bRJFEp54k0CQQDYy+RlTmwRD6hy\n" - "7UtMjR0H3CSZJeQ8svMCxHLmOluG9H1UKk55ZBYfRTsXniqUkJBZ5wuV1L+pR9EK\n" - "ca89a+1VAkEA3UmBelwEv2u9cAU1QjKjmwju1JgXbrjEohK+3B5y0ESEXPAwNQT9\n" - "TrDM1m9AyxYTWLxX93dI5QwNFJtmbtjeBQJARSCWXhsoaDRG8QZrCSjBxfzTCqZD\n" - "ZXtl807ymCipgJm60LiAt0JLr4LiucAsMZz6+j+quQbSakbFCACB8SLV1QJBAKZQ\n" - "YKf+EPNtnmta/rRKKvySsi3GQZZN+Dt3q0r094XgeTsAqrqujVNfPhTMeP4qEVBX\n" - "/iVX2cmMTSh3w3z8MaECQEp0XJWDVKOwcTW6Ajp9SowtmiZ3YDYo1LF9igb4iaLv\n" - "sWZGfbnU3ryjvkb6YuFjgtzbZDZHWQCo8/cOtOBmPdk=\n" - "-----END RSA PRIVATE KEY-----\n"; - -static char pem2_cert[] = - "-----BEGIN CERTIFICATE-----\n" - "MIIDbzCCAtqgAwIBAgIERiYdRTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" - "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTQxWhcNMDgwNDE3MTMyOTQxWjA3MRsw\n" - "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n" - "Lm9yZzCCAbQwggEpBgcqhkjOOAQBMIIBHAKBgLmE9VqBvhoNxYpzjwybL5u2DkvD\n" - "dBp/ZK2d8yjFoEe8m1dW8ZfVfjcD6fJM9OOLfzCjXS+7oaI3wuo1jx+xX6aiXwHx\n" - "IzYr5E8vLd2d1TqmOa96UXzSJY6XdM8exXtLdkOBBx8GFLhuWBLhkOI3b9Ib7GjF\n" - "WOLmMOBqXixjeOwHAhSfVoxIZC/+jap6bZbbBF0W7wilcQKBgGIGfuRcdgi3Rhpd\n" - "15fUKiH7HzHJ0vT6Odgn0Zv8J12nCqca/FPBL0PCN8iFfz1Mq12BMvsdXh5UERYg\n" - "xoBa2YybQ/Dda6D0w/KKnDnSHHsP7/ook4/SoSLr3OCKi60oDs/vCYXpNr2LelDV\n" - "e/clDWxgEcTvcJDP1hvru47GPjqXA4GEAAKBgA+Kh1fy0cLcrN9Liw+Luin34QPk\n" - "VfqymAfW/RKxgLz1urRQ1H+gDkPnn8l4EV/l5Awsa2qkNdy9VOVgNpox0YpZbmsc\n" - "ur0uuut8h+/ayN2h66SD5out+vqOW9c3yDI+lsI+9EPafZECD7e8+O+P90EAXpbf\n" - "DwiW3Oqy6QaCr9Ivo4GTMIGQMAwGA1UdEwEB/wQCMAAwGgYDVR0RBBMwEYIPdGVz\n" - "dC5nbnV0bHMub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdDwEB/wQFAwMH\n" - "gAAwHQYDVR0OBBYEFL/su87Y6HtwVuzz0SuS1tSZClvzMB8GA1UdIwQYMBaAFOk8\n" - "HPutkm7mBqRWLKLhwFMnyPKVMAsGCSqGSIb3DQEBBQOBgQBCsrnfD1xzh8/Eih1f\n" - "x+M0lPoX1Re5L2ElHI6DJpHYOBPwf9glwxnet2+avzgUQDUFwUSxOhodpyeaACXD\n" - "o0gGVpcH8sOBTQ+aTdM37hGkPxoXjtIkR/LgG5nP2H2JRd5TkW8l13JdM4MJFB4W\n" - "QcDzQ8REwidsfh9uKAluk1c/KQ==\n" "-----END CERTIFICATE-----\n"; - -static char pem2_key[] = - "-----BEGIN DSA PRIVATE KEY-----\n" - "MIIBugIBAAKBgQC5hPVagb4aDcWKc48Mmy+btg5Lw3Qaf2StnfMoxaBHvJtXVvGX\n" - "1X43A+nyTPTji38wo10vu6GiN8LqNY8fsV+mol8B8SM2K+RPLy3dndU6pjmvelF8\n" - "0iWOl3TPHsV7S3ZDgQcfBhS4blgS4ZDiN2/SG+xoxVji5jDgal4sY3jsBwIVAJ9W\n" - "jEhkL/6NqnptltsEXRbvCKVxAoGAYgZ+5Fx2CLdGGl3Xl9QqIfsfMcnS9Po52CfR\n" - "m/wnXacKpxr8U8EvQ8I3yIV/PUyrXYEy+x1eHlQRFiDGgFrZjJtD8N1roPTD8oqc\n" - "OdIcew/v+iiTj9KhIuvc4IqLrSgOz+8Jhek2vYt6UNV79yUNbGARxO9wkM/WG+u7\n" - "jsY+OpcCgYAPiodX8tHC3KzfS4sPi7op9+ED5FX6spgH1v0SsYC89bq0UNR/oA5D\n" - "55/JeBFf5eQMLGtqpDXcvVTlYDaaMdGKWW5rHLq9LrrrfIfv2sjdoeukg+aLrfr6\n" - "jlvXN8gyPpbCPvRD2n2RAg+3vPjvj/dBAF6W3w8IltzqsukGgq/SLwIUS5/r/2ya\n" - "AoNBXjeBjgCGMei2m8E=\n" "-----END DSA PRIVATE KEY-----\n"; - -const gnutls_datum_t cert_dat[] = { - {(void *) pem1_cert, sizeof(pem1_cert)} - , - {(void *) pem2_cert, sizeof(pem2_cert)} +struct tests_st { + const char *name; + gnutls_datum_t key; + gnutls_datum_t cert; + gnutls_pk_algorithm_t pk; + unsigned digest; + unsigned sigalgo; + unsigned sign_flags; }; -const gnutls_datum_t key_dat[] = { - {(void *) pem1_key, sizeof(pem1_key)} - , - {(void *) pem2_key, sizeof(pem2_key)} +struct tests_st tests[] = { + { + .name = "rsa key", + .cert = {(void *) cli_ca3_cert_pem, sizeof(cli_ca3_cert_pem)-1}, + .key = {(void *) cli_ca3_key_pem, sizeof(cli_ca3_key_pem)-1}, + .pk = GNUTLS_PK_RSA, + .digest = GNUTLS_DIG_SHA256, + .sigalgo = GNUTLS_SIGN_RSA_SHA256 + }, + { + .name = "dsa key", + .key = {(void *) clidsa_ca3_key_pem, sizeof(clidsa_ca3_key_pem)-1}, + .cert = {(void *) clidsa_ca3_cert_pem, sizeof(clidsa_ca3_cert_pem)-1}, + .pk = GNUTLS_PK_DSA, + .digest = GNUTLS_DIG_SHA1, + .sigalgo = GNUTLS_SIGN_DSA_SHA1 + }, + { + .name = "ecdsa key", + .key = {(void *) server_ca3_ecc_key_pem, sizeof(server_ca3_ecc_key_pem)-1}, + .cert = {(void *) server_localhost_ca3_ecc_cert_pem, sizeof(server_localhost_ca3_ecc_cert_pem)-1}, + .pk = GNUTLS_PK_ECDSA, + .digest = GNUTLS_DIG_SHA256, + .sigalgo = GNUTLS_SIGN_ECDSA_SHA256 + }, + { + .name = "rsa pss key", + .key = {(void *) server_ca3_rsa_pss_key_pem, sizeof(server_ca3_rsa_pss_key_pem)-1}, + .cert = {(void *) server_ca3_rsa_pss_cert_pem, sizeof(server_ca3_rsa_pss_cert_pem)-1}, + .pk = GNUTLS_PK_RSA_PSS, + .digest = GNUTLS_DIG_SHA256, + .sign_flags = GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS, + .sigalgo = GNUTLS_SIGN_RSA_PSS_SHA256 + } }; +#define testfail(fmt, ...) \ + fail("%s: "fmt, tests[i].name, ##__VA_ARGS__) + void doit(void) { gnutls_x509_privkey_t key; @@ -157,6 +141,8 @@ void doit(void) gnutls_datum_t signature2; int ret; size_t i; + const gnutls_datum_t *hash_data; + const gnutls_datum_t *invalid_hash_data; global_init(); @@ -164,101 +150,101 @@ void doit(void) if (debug) gnutls_global_set_log_level(6); - for (i = 0; i < sizeof(key_dat) / sizeof(key_dat[0]); i++) { + for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) { if (debug) success("loop %d\n", (int) i); + if (tests[i].digest == GNUTLS_DIG_SHA1) { + hash_data = &sha1_hash_data; + invalid_hash_data = &sha1_invalid_hash_data; + } else { + hash_data = &sha256_hash_data; + invalid_hash_data = &sha256_invalid_hash_data; + } + ret = gnutls_x509_privkey_init(&key); if (ret < 0) - fail("gnutls_x509_privkey_init\n"); + testfail("gnutls_x509_privkey_init\n"); ret = - gnutls_x509_privkey_import(key, &key_dat[i], + gnutls_x509_privkey_import(key, &tests[i].key, GNUTLS_X509_FMT_PEM); if (ret < 0) - fail("gnutls_x509_privkey_import\n"); + testfail("gnutls_x509_privkey_import\n"); ret = gnutls_pubkey_init(&pubkey); if (ret < 0) - fail("gnutls_privkey_init\n"); + testfail("gnutls_privkey_init\n"); ret = gnutls_privkey_init(&privkey); if (ret < 0) - fail("gnutls_pubkey_init\n"); + testfail("gnutls_pubkey_init\n"); ret = gnutls_privkey_import_x509(privkey, key, 0); if (ret < 0) - fail("gnutls_privkey_import_x509\n"); + testfail("gnutls_privkey_import_x509\n"); - ret = gnutls_privkey_sign_hash(privkey, GNUTLS_DIG_SHA1, 0, - &hash_data, &signature2); + ret = gnutls_privkey_sign_hash(privkey, tests[i].digest, tests[i].sign_flags, + hash_data, &signature2); if (ret < 0) - fail("gnutls_privkey_sign_hash\n"); + testfail("gnutls_privkey_sign_hash\n"); - ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA1, 0, + ret = gnutls_privkey_sign_data(privkey, tests[i].digest, tests[i].sign_flags, &raw_data, &signature); if (ret < 0) - fail("gnutls_x509_privkey_sign_hash\n"); + testfail("gnutls_x509_privkey_sign_hash\n"); ret = gnutls_x509_crt_init(&crt); if (ret < 0) - fail("gnutls_x509_crt_init\n"); + testfail("gnutls_x509_crt_init\n"); ret = - gnutls_x509_crt_import(crt, &cert_dat[i], + gnutls_x509_crt_import(crt, &tests[i].cert, GNUTLS_X509_FMT_PEM); if (ret < 0) - fail("gnutls_x509_crt_import\n"); + testfail("gnutls_x509_crt_import\n"); ret = gnutls_pubkey_import_x509(pubkey, crt, 0); if (ret < 0) - fail("gnutls_x509_pubkey_import\n"); + testfail("gnutls_x509_pubkey_import\n"); ret = - gnutls_x509_crt_get_signature_algorithm(crt); - if (ret != GNUTLS_SIGN_RSA_SHA1) - fail("gnutls_crt_get_signature_algorithm\n"); - - if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL) == - GNUTLS_PK_RSA) { - ret = - gnutls_pubkey_verify_hash2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0, &hash_data, - &signature); - if (ret < 0) - fail("gnutls_x509_pubkey_verify_hash2\n"); + gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, 0, hash_data, + &signature); + if (ret < 0) + testfail("gnutls_x509_pubkey_verify_hash2\n"); - ret = - gnutls_pubkey_verify_hash2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0, &hash_data, - &signature2); - if (ret < 0) - fail("gnutls_x509_pubkey_verify_hash-1 (hashed data)\n"); + ret = + gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, 0, hash_data, + &signature2); + if (ret < 0) + testfail("gnutls_x509_pubkey_verify_hash-1 (hashed data)\n"); - /* should fail */ - ret = - gnutls_pubkey_verify_hash2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0, - &invalid_hash_data, - &signature2); - if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) - fail("gnutls_x509_pubkey_verify_hash-2 (hashed data)\n"); - } + /* should fail */ + ret = + gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, 0, + invalid_hash_data, + &signature2); + if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) + testfail("gnutls_x509_pubkey_verify_hash-2 (hashed data)\n"); sign_algo = gnutls_pk_to_sign(gnutls_pubkey_get_pk_algorithm - (pubkey, NULL), GNUTLS_DIG_SHA1); + (pubkey, NULL), tests[i].digest); ret = gnutls_pubkey_verify_hash2(pubkey, sign_algo, 0, - &hash_data, &signature2); + hash_data, &signature2); if (ret < 0) - fail("gnutls_x509_pubkey_verify_hash2-1 (hashed data)\n"); + testfail("gnutls_x509_pubkey_verify_hash2-1 (hashed data)\n"); /* should fail */ ret = gnutls_pubkey_verify_hash2(pubkey, sign_algo, 0, - &invalid_hash_data, + invalid_hash_data, &signature2); if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) - fail("gnutls_x509_pubkey_verify_hash2-2 (hashed data)\n"); + testfail("gnutls_x509_pubkey_verify_hash2-2 (hashed data)\n"); /* test the raw interface */ gnutls_free(signature.data); @@ -269,44 +255,44 @@ void doit(void) ret = gnutls_privkey_sign_hash(privkey, - GNUTLS_DIG_SHA1, + tests[i].digest, GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA, - &hash_data, + hash_data, &signature); if (ret < 0) - fail("gnutls_privkey_sign_hash: %s\n", + testfail("gnutls_privkey_sign_hash: %s\n", gnutls_strerror(ret)); sign_algo = gnutls_pk_to_sign (gnutls_pubkey_get_pk_algorithm(pubkey, NULL), - GNUTLS_DIG_SHA1); + tests[i].digest); ret = gnutls_pubkey_verify_hash2(pubkey, sign_algo, GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA, - &hash_data, + hash_data, &signature); if (ret < 0) - fail("gnutls_pubkey_verify_hash-3 (raw hashed data)\n"); + testfail("gnutls_pubkey_verify_hash-3 (raw hashed data)\n"); gnutls_free(signature.data); /* test the legacy API */ ret = gnutls_privkey_sign_raw_data(privkey, 0, - &hash_data, + hash_data, &signature); if (ret < 0) - fail("gnutls_privkey_sign_raw_data: %s\n", + testfail("gnutls_privkey_sign_raw_data: %s\n", gnutls_strerror(ret)); ret = gnutls_pubkey_verify_hash2(pubkey, sign_algo, GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA, - &hash_data, + hash_data, &signature); if (ret < 0) - fail("gnutls_pubkey_verify_hash-4 (legacy raw hashed data)\n"); + testfail("gnutls_pubkey_verify_hash-4 (legacy raw hashed data)\n"); } gnutls_free(signature.data); gnutls_free(signature2.data); |