From: Denis Kenzior <denkenz@gmail.com>
To: ell@lists.linux.dev
Cc: Denis Kenzior <denkenz@gmail.com>
Subject: [PATCH 2/9] unit: Add basic EC-DSA verification test
Date: Mon, 18 Jul 2022 11:02:15 -0500	[thread overview]
Message-ID: <20220718160222.10634-2-denkenz@gmail.com> (raw)
In-Reply-To: <20220718160222.10634-1-denkenz@gmail.com>

---
 .gitignore      |  2 ++
 Makefile.am     | 39 ++++++++++++++++++++++++++++++++++++++-
 unit/test-tls.c | 22 +++++++++++++++++++++-
 3 files changed, 61 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore
index 346243a8f9c7..76f10aecfdd3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -67,6 +67,8 @@ unit/cert-*.csr
 unit/cert-*.srl
 unit/cert-*.crt
 unit/cert-*.p12
+unit/ec-cert-*.pem
+unit/ec-cert-*.csr
 unit/key-*.dat
 unit/key-*.h
 unit/*.log
diff --git a/Makefile.am b/Makefile.am
index 2bf728bbde7a..e5d7143af236 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -219,6 +219,7 @@ cert_tests = unit/test-pem \
 cert_files = unit/cert-chain.pem \
 			unit/cert-entity-int.pem \
 			unit/cert-server.pem \
+			unit/ec-cert-server.pem \
 			unit/cert-server-key-pkcs8.pem \
 			unit/cert-client.pem \
 			unit/cert-client.crt \
@@ -246,6 +247,7 @@ cert_files = unit/cert-chain.pem \
 cert_checks = unit/cert-intca \
 			unit/cert-entity-int \
 			unit/cert-server \
+			unit/ec-cert-server \
 			unit/cert-client \
 			unit/cert-no-keyid
 
@@ -417,15 +419,30 @@ false_redirect_openssl = 2>/dev/null
 unit/cert-ca-key.pem:
 	$(AM_V_GEN)openssl genrsa -out $@ 2048 $($(AM_V_P)_redirect_openssl)
 
+unit/ec-cert-ca-key.pem:
+	$(AM_V_GEN)openssl ecparam -out $@ -name secp384r1 \
+				-genkey $($(AM_V_P)_redirect_openssl)
+
+
 unit/cert-ca.pem: unit/cert-ca-key.pem unit/gencerts.cnf
 	$(AM_V_GEN)openssl req -x509 -new -nodes -extensions ca_ext \
 			-config $(srcdir)/unit/gencerts.cnf \
 			-subj '/O=International Union of Example Organizations/CN=Certificate issuer guy/emailAddress=ca@mail.example' \
 			-key $< -sha256 -days 10000 -out $@
 
+unit/ec-cert-ca.pem: unit/ec-cert-ca-key.pem unit/gencerts.cnf
+	$(AM_V_GEN)openssl req -x509 -new -nodes -extensions ca_ext \
+			-config $(srcdir)/unit/gencerts.cnf \
+			-subj '/O=International Union of Example Organizations/CN=Certificate issuer guy/emailAddress=ca@mail.example' \
+			-key $< -sha256 -days 10000 -out $@
+
 unit/cert-server-key.pem:
 	$(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
 
+unit/ec-cert-server-key.pem:
+	$(AM_V_GEN)openssl ecparam -out $@ -name secp384r1 \
+				-genkey $($(AM_V_P)_redirect_openssl)
+
 unit/cert-server-key-pkcs8.pem: unit/cert-server-key.pem
 	$(AM_V_GEN)openssl pkcs8 -topk8 -nocrypt -in $< -out $@
 
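Review bot: The new `unit/ec-cert-ca-key.pem` and `unit/ec-cert-server-key.pem` rules run `openssl ecparam -genkey` without `-noout`, so each key file also carries an `EC PARAMETERS` PEM block ahead of the `EC PRIVATE KEY` block. Nothing in this patch loads these keys, but if a later test feeds them to the PEM key loader that extra leading block is a plausible reason for it to fail; `openssl ecparam -name secp384r1 -genkey -noout -out $@` yields a file holding only the key. The output is also SEC1 rather than PKCS#8, unlike the `-pkcs8` variant the RSA path additionally produces, so it is worth confirming which encodings the key loader accepts before these files are used. The doubled blank line after the first new rule departs from the single blank separating the surrounding rules.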
@@ -435,6 +452,12 @@ unit/cert-server.csr: unit/cert-server-key.pem unit/gencerts.cnf
 			-subj '/O=Foo Example Organization/CN=Foo Example Organization/emailAddress=foo@mail.example' \
 			-key $< -out $@
 
+unit/ec-cert-server.csr: unit/ec-cert-server-key.pem unit/gencerts.cnf
+	$(AM_V_GEN)openssl req -new -extensions cert_ext \
+			-config $(srcdir)/unit/gencerts.cnf \
+			-subj '/O=Foo Example Organization/CN=Foo Example Organization/emailAddress=foo@mail.example' \
+			-key $< -out $@
+
 unit/cert-server.pem: unit/cert-server.csr unit/cert-ca.pem unit/gencerts.cnf
 	$(AM_V_GEN)openssl x509 -req -extensions server_ext \
 			-extfile $(srcdir)/unit/gencerts.cnf \
@@ -443,9 +466,22 @@ unit/cert-server.pem: unit/cert-server.csr unit/cert-ca.pem unit/gencerts.cnf
 			-CAserial $(builddir)/unit/cert-ca.srl \
 			-CAcreateserial -sha256 -days 10000 -out $@ $($(AM_V_P)_redirect_openssl)
 
+unit/ec-cert-server.pem: unit/ec-cert-server.csr unit/ec-cert-ca.pem \
+				unit/gencerts.cnf
+	$(AM_V_GEN)openssl x509 -req -extensions server_ext \
+			-extfile $(srcdir)/unit/gencerts.cnf \
+			-in $< -CA $(builddir)/unit/ec-cert-ca.pem \
+			-CAkey $(builddir)/unit/ec-cert-ca-key.pem \
+			-CAserial $(builddir)/unit/cert-ca.srl \
+			-CAcreateserial -sha256 -days 10000 \
+			-out $@ $($(AM_V_P)_redirect_openssl)
+
 unit/cert-server: unit/cert-server.pem unit/cert-ca.pem
 	$(AM_V_GEN)openssl verify -CAfile $(builddir)/unit/cert-ca.pem $<
 
+unit/ec-cert-server: unit/ce-cert-server.pem unit/ce-cert-ca.pem
+	$(AM_V_GEN)openssl verify -CAfile $(builddir)/unit/ce-cert-ca.pem $<
+
 unit/cert-client-key-pkcs1.pem:
 	$(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
 
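Review bot: The `unit/ec-cert-server` check rule depends on `unit/ce-cert-server.pem` and `unit/ce-cert-ca.pem`, which no rule produces, so `make check` stops with a missing-target error for the new check and `openssl verify` is never run against the EC chain; the prerequisites and `-CAfile` should read `unit/ec-cert-server: unit/ec-cert-server.pem unit/ec-cert-ca.pem` and `-CAfile $(builddir)/unit/ec-cert-ca.pem`. The EC server certificate is also issued with `-CAserial $(builddir)/unit/cert-ca.srl`, the serial file of the RSA CA; sharing one counter between two issuers is harmless for validity but couples the two rules (including under a parallel make), and a dedicated `ec-cert-ca.srl` would then need adding to `.gitignore` and `clean-local`. The EC CA signs with `-sha256` despite being a P-384 key, which is valid but not the SHA-384 pairing usually chosen for that curve.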
@@ -623,7 +659,8 @@ check-local: $(cert_checks)
 endif
 
 clean-local:
-	-rm -f unit/cert-*.pem unit/cert-*.csr unit/cert-*.srl unit/key-*.dat
+	-rm -f unit/ec-cert*.pem unit/ec-cert-*.csr \
+		unit/cert-*.pem unit/cert-*.csr unit/cert-*.srl unit/key-*.dat
 
 maintainer-clean-local:
 	-rm -rf build-aux
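Review bot: The new glob `unit/ec-cert*.pem` lacks the hyphen that the companion `unit/ec-cert-*.csr` pattern and the `.gitignore` entries use; it still matches every file this patch generates, but for consistency it should be `unit/ec-cert-*.pem`. Note that the existing `unit/cert-*.pem` does not match the `ec-cert-` files, so this new pattern is the only thing cleaning them.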
diff --git a/unit/test-tls.c b/unit/test-tls.c
index 7937962cf8a0..aee5b2e36b78 100644
--- a/unit/test-tls.c
+++ b/unit/test-tls.c
@@ -325,6 +325,24 @@ static void test_certificates(const void *data)
 	l_queue_destroy(twocas, (l_queue_destroy_func_t) l_cert_free);
 }
 
+static void test_ec_certificates(const void *data)
+{
+	struct l_queue *cacert;
+	struct l_certchain *chain;
+
+	cacert = l_pem_load_certificate_list(CERTDIR "ec-cert-ca.pem");
+	assert(cacert && !l_queue_isempty(cacert));
+
+	chain = l_pem_load_certificate_chain(CERTDIR "ec-cert-server.pem");
+	assert(chain);
+
+	assert(l_certchain_verify(chain, cacert, NULL));
+	assert(l_certchain_verify(chain, NULL, NULL));
+
+	l_certchain_free(chain);
+	l_queue_destroy(cacert, (l_queue_destroy_func_t) l_cert_free);
+}
+
 struct tls_conn_test {
 	const char *server_cert_path;
 	const char *server_key_path;
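Review bot: `test_ec_certificates` only checks that the EC chain verifies against its own issuer and with no CA list; there is no negative case showing that the ECDSA signature check rejects a wrong issuer, so a verifier that accepted any EC-signed certificate would still pass. If the RSA `cert-ca.pem` used by the existing rules is available under `CERTDIR`, add `struct l_queue *rsaca = l_pem_load_certificate_list(CERTDIR "cert-ca.pem");`, `assert(rsaca && !l_certchain_verify(chain, rsaca, NULL));` and `l_queue_destroy(rsaca, (l_queue_destroy_func_t) l_cert_free);` after the positive checks. It is also worth passing the error out-parameter instead of `NULL` so a failing assert reports the verifier's reason rather than a bare line number — the third argument of `l_certchain_verify` appears to be that string pointer, though its type is not visible in this hunk. Whether `l_certchain_verify(chain, NULL, NULL)` means "internal signatures only" or "trust anything" is not visible here either; once confirmed, a one-line comment such as `/* no CA list: only the chain's internal signatures are checked */` would state the intent.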
@@ -948,8 +966,10 @@ int main(int argc, char *argv[])
 	l_test_add("TLS 1.2 PRF with SHA512", test_tls12_prf,
 			&tls12_prf_sha512_0);
 
-	if (l_key_is_supported(L_KEY_FEATURE_RESTRICT))
+	if (l_key_is_supported(L_KEY_FEATURE_RESTRICT)) {
 		l_test_add("Certificate chains", test_certificates, NULL);
+		l_test_add("ECDSA Certificates", test_ec_certificates, NULL);
+	}
 
 	if (!l_getrandom_is_supported()) {
 		printf("getrandom missing, skipping TLS connection tests...\n");
-- 
2.35.1


2022-07-18 16:02 [PATCH 1/9] cert/key: Add support for EC based certificates Denis Kenzior
2022-07-18 16:02 ` Denis Kenzior [this message]
2022-07-18 16:02 ` [PATCH 3/9] key: ECDSA data is given in x962 format Denis Kenzior
2022-07-18 16:02 ` [PATCH 4/9] tls: Support peer certificates that use ECDSA Denis Kenzior
2022-07-18 17:44   ` Mat Martineau
2022-07-18 17:59     ` Denis Kenzior
2022-07-18 16:02 ` [PATCH 5/9] tls: Add helper for DigitallySigned validation Denis Kenzior
2022-07-18 16:02 ` [PATCH 6/9] tls: Add helper to find hash function by id Denis Kenzior
2022-07-18 16:02 ` [PATCH 7/9] tls-suites: Add ECDSA suites from RFC 8422 Denis Kenzior
2022-07-18 17:53   ` Mat Martineau
2022-07-18 16:02 ` [PATCH 8/9] useful: Add maxsize() Denis Kenzior
2022-07-18 16:02 ` [PATCH 9/9] tls: Do not set verify_data_length unless needed Denis Kenzior
