From: Denis Kenzior <denkenz@gmail.com>
To: ell@lists.linux.dev
Cc: Denis Kenzior <denkenz@gmail.com>
Subject: [PATCH 2/9] unit: Add basic EC-DSA verification test
Date: Mon, 18 Jul 2022 11:02:15 -0500 [thread overview]
Message-ID: <20220718160222.10634-2-denkenz@gmail.com> (raw)
In-Reply-To: <20220718160222.10634-1-denkenz@gmail.com>
---
.gitignore | 2 ++
Makefile.am | 39 ++++++++++++++++++++++++++++++++++++++-
unit/test-tls.c | 22 +++++++++++++++++++++-
3 files changed, 61 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index 346243a8f9c7..76f10aecfdd3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -67,6 +67,8 @@ unit/cert-*.csr
unit/cert-*.srl
unit/cert-*.crt
unit/cert-*.p12
+unit/ec-cert-*.pem
+unit/ec-cert-*.csr
unit/key-*.dat
unit/key-*.h
unit/*.log
diff --git a/Makefile.am b/Makefile.am
index 2bf728bbde7a..e5d7143af236 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -219,6 +219,7 @@ cert_tests = unit/test-pem \
cert_files = unit/cert-chain.pem \
unit/cert-entity-int.pem \
unit/cert-server.pem \
+ unit/ec-cert-server.pem \
unit/cert-server-key-pkcs8.pem \
unit/cert-client.pem \
unit/cert-client.crt \
@@ -246,6 +247,7 @@ cert_files = unit/cert-chain.pem \
cert_checks = unit/cert-intca \
unit/cert-entity-int \
unit/cert-server \
+ unit/ec-cert-server \
unit/cert-client \
unit/cert-no-keyid
@@ -417,15 +419,30 @@ false_redirect_openssl = 2>/dev/null
unit/cert-ca-key.pem:
$(AM_V_GEN)openssl genrsa -out $@ 2048 $($(AM_V_P)_redirect_openssl)
+unit/ec-cert-ca-key.pem:
+ $(AM_V_GEN)openssl ecparam -out $@ -name secp384r1 \
+ -genkey $($(AM_V_P)_redirect_openssl)
+
+
unit/cert-ca.pem: unit/cert-ca-key.pem unit/gencerts.cnf
$(AM_V_GEN)openssl req -x509 -new -nodes -extensions ca_ext \
-config $(srcdir)/unit/gencerts.cnf \
-subj '/O=International Union of Example Organizations/CN=Certificate issuer guy/emailAddress=ca@mail.example' \
-key $< -sha256 -days 10000 -out $@
+unit/ec-cert-ca.pem: unit/ec-cert-ca-key.pem unit/gencerts.cnf
+ $(AM_V_GEN)openssl req -x509 -new -nodes -extensions ca_ext \
+ -config $(srcdir)/unit/gencerts.cnf \
+ -subj '/O=International Union of Example Organizations/CN=Certificate issuer guy/emailAddress=ca@mail.example' \
+ -key $< -sha256 -days 10000 -out $@
+
unit/cert-server-key.pem:
$(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
+unit/ec-cert-server-key.pem:
+ $(AM_V_GEN)openssl ecparam -out $@ -name secp384r1 \
+ -genkey $($(AM_V_P)_redirect_openssl)
+
unit/cert-server-key-pkcs8.pem: unit/cert-server-key.pem
$(AM_V_GEN)openssl pkcs8 -topk8 -nocrypt -in $< -out $@
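Review bot: The two new `openssl ecparam ... -genkey` rules (unit/ec-cert-ca-key.pem and unit/ec-cert-server-key.pem) omit `-noout`, so as far as I recall openssl writes an `EC PARAMETERS` PEM block ahead of the `EC PRIVATE KEY` block in the output file. That is harmless for the `openssl req -key` consumers in this patch, but if a later test loads these key files through the library's own PEM reader it will have to skip the leading parameters block; adding `-noout` to both rules keeps the files to a single key block and sidesteps that. Separately, the ec-cert-ca-key rule is followed by two blank lines where the surrounding rules use one; dropping one keeps the file consistent.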
@@ -435,6 +452,12 @@ unit/cert-server.csr: unit/cert-server-key.pem unit/gencerts.cnf
-subj '/O=Foo Example Organization/CN=Foo Example Organization/emailAddress=foo@mail.example' \
-key $< -out $@
+unit/ec-cert-server.csr: unit/ec-cert-server-key.pem unit/gencerts.cnf
+ $(AM_V_GEN)openssl req -new -extensions cert_ext \
+ -config $(srcdir)/unit/gencerts.cnf \
+ -subj '/O=Foo Example Organization/CN=Foo Example Organization/emailAddress=foo@mail.example' \
+ -key $< -out $@
+
unit/cert-server.pem: unit/cert-server.csr unit/cert-ca.pem unit/gencerts.cnf
$(AM_V_GEN)openssl x509 -req -extensions server_ext \
-extfile $(srcdir)/unit/gencerts.cnf \
@@ -443,9 +466,22 @@ unit/cert-server.pem: unit/cert-server.csr unit/cert-ca.pem unit/gencerts.cnf
-CAserial $(builddir)/unit/cert-ca.srl \
-CAcreateserial -sha256 -days 10000 -out $@ $($(AM_V_P)_redirect_openssl)
+unit/ec-cert-server.pem: unit/ec-cert-server.csr unit/ec-cert-ca.pem \
+ unit/gencerts.cnf
+ $(AM_V_GEN)openssl x509 -req -extensions server_ext \
+ -extfile $(srcdir)/unit/gencerts.cnf \
+ -in $< -CA $(builddir)/unit/ec-cert-ca.pem \
+ -CAkey $(builddir)/unit/ec-cert-ca-key.pem \
+ -CAserial $(builddir)/unit/cert-ca.srl \
+ -CAcreateserial -sha256 -days 10000 \
+ -out $@ $($(AM_V_P)_redirect_openssl)
+
unit/cert-server: unit/cert-server.pem unit/cert-ca.pem
$(AM_V_GEN)openssl verify -CAfile $(builddir)/unit/cert-ca.pem $<
+unit/ec-cert-server: unit/ce-cert-server.pem unit/ce-cert-ca.pem
+ $(AM_V_GEN)openssl verify -CAfile $(builddir)/unit/ce-cert-ca.pem $<
+
unit/cert-client-key-pkcs1.pem:
$(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
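Review bot: The new `unit/ec-cert-server` check rule names its prerequisites `unit/ce-cert-server.pem` and `unit/ce-cert-ca.pem` and passes `-CAfile $(builddir)/unit/ce-cert-ca.pem`, but the targets defined earlier in this patch are `unit/ec-cert-server.pem` and `unit/ec-cert-ca.pem` ("ce" vs "ec"). Since `unit/ec-cert-server` was added to `cert_checks`, `make check` will fail with no rule to make the misspelled prerequisites rather than actually verifying the EC chain. The rule should read `unit/ec-cert-server: unit/ec-cert-server.pem unit/ec-cert-ca.pem` with `$(AM_V_GEN)openssl verify -CAfile $(builddir)/unit/ec-cert-ca.pem $<`. Also, the `unit/ec-cert-server.pem` rule reuses `-CAserial $(builddir)/unit/cert-ca.srl`, the RSA CA's serial file; it works for test fixtures, but if the two issuers are ever meant to be independent a separate `ec-cert-ca.srl` (with matching .gitignore and clean-local entries) would be cleaner.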
@@ -623,7 +659,8 @@ check-local: $(cert_checks)
endif
clean-local:
- -rm -f unit/cert-*.pem unit/cert-*.csr unit/cert-*.srl unit/key-*.dat
+ -rm -f unit/ec-cert*.pem unit/ec-cert-*.csr \
+ unit/cert-*.pem unit/cert-*.csr unit/cert-*.srl unit/key-*.dat
maintainer-clean-local:
-rm -rf build-aux
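Review bot: The added clean-local pattern `unit/ec-cert*.pem` is inconsistent with the `unit/ec-cert-*.csr` pattern beside it and with the `unit/ec-cert-*.pem` entry this patch adds to .gitignore. Both globs match the generated files, so this is style only, but `unit/ec-cert-*.pem` would keep the three places in agreement and avoid accidentally matching any future `unit/ec-cert*.pem` file that is not generated.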
diff --git a/unit/test-tls.c b/unit/test-tls.c
index 7937962cf8a0..aee5b2e36b78 100644
--- a/unit/test-tls.c
+++ b/unit/test-tls.c
@@ -325,6 +325,24 @@ static void test_certificates(const void *data)
l_queue_destroy(twocas, (l_queue_destroy_func_t) l_cert_free);
}
+static void test_ec_certificates(const void *data)
+{
+ struct l_queue *cacert;
+ struct l_certchain *chain;
+
+ cacert = l_pem_load_certificate_list(CERTDIR "ec-cert-ca.pem");
+ assert(cacert && !l_queue_isempty(cacert));
+
+ chain = l_pem_load_certificate_chain(CERTDIR "ec-cert-server.pem");
+ assert(chain);
+
+ assert(l_certchain_verify(chain, cacert, NULL));
+ assert(l_certchain_verify(chain, NULL, NULL));
+
+ l_certchain_free(chain);
+ l_queue_destroy(cacert, (l_queue_destroy_func_t) l_cert_free);
+}
+
struct tls_conn_test {
const char *server_cert_path;
const char *server_key_path;
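Review bot: test_ec_certificates only asserts that verification succeeds, so a verifier that accepted any ECDSA signature unconditionally would pass this test; a negative case against the wrong issuer would pin the behaviour. After the two positive asserts, something like `struct l_queue *rsa_cacert = l_pem_load_certificate_list(CERTDIR "cert-ca.pem");` then `assert(rsa_cacert && !l_certchain_verify(chain, rsa_cacert, NULL));` and `l_queue_destroy(rsa_cacert, (l_queue_destroy_func_t) l_cert_free);` would confirm the EC chain is rejected by the RSA CA that the Makefile already generates. It would also help to document what `l_certchain_verify(chain, NULL, NULL)` is expected to check when no trust anchors are given, e.g. `/* No CA list: only the chain's internal signatures are checked */` — I am inferring that meaning from the existing test_certificates, so please confirm against the implementation.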
@@ -948,8 +966,10 @@ int main(int argc, char *argv[])
l_test_add("TLS 1.2 PRF with SHA512", test_tls12_prf,
&tls12_prf_sha512_0);
- if (l_key_is_supported(L_KEY_FEATURE_RESTRICT))
+ if (l_key_is_supported(L_KEY_FEATURE_RESTRICT)) {
l_test_add("Certificate chains", test_certificates, NULL);
+ l_test_add("ECDSA Certificates", test_ec_certificates, NULL);
+ }
if (!l_getrandom_is_supported()) {
printf("getrandom missing, skipping TLS connection tests...\n");
--
2.35.1