From b6a4d65a631b1d990462d01e3728d8642f8e382f Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Fri, 20 Dec 2024 14:40:01 +0100 Subject: [PATCH] tests: Create separate self-signed EC key for tlsfuzzer testing Follow up from #488 Signed-off-by: Jakub Jelen --- tests/cert.json.ecdsa.in | 16 +-------- tests/setup.sh | 71 +++++++++++++++++++++------------------- tests/tcerts | 2 +- tests/ttlsfuzzer | 5 ++- 4 files changed, 43 insertions(+), 51 deletions(-) diff --git a/tests/cert.json.ecdsa.in b/tests/cert.json.ecdsa.in index 5633a85a..3d96bfde 100644 --- a/tests/cert.json.ecdsa.in +++ b/tests/cert.json.ecdsa.in @@ -22,23 +22,9 @@ {"name" : "test-signature-algorithms.py", "arguments" : [ "-n", "0", "--ecdsa", - "-x", "duplicated 206 non-rsa schemes", "-X", "handshake_failure", - "-x", "duplicated 2346 non-rsa schemes", "-X", "handshake_failure", - "-x", "duplicated 8123 non-rsa schemes", "-X", "handshake_failure", - "-x", "duplicated 23745 non-rsa schemes", "-X", "handshake_failure", - "-x", "duplicated 32748 non-rsa schemes", "-X", "handshake_failure", - "-x", "explicit SHA-256+RSA or ECDSA", "-X", "handshake_failure", "-x", "explicit SHA-1+RSA/ECDSA", "-X", "handshake_failure", "-x", "explicit SHA-1+RSA/ECDSA", "-X", "handshake_failure", - "-x", "implicit SHA-1 check", "-X", "handshake_failure", - "-x", "tolerance 10+RSA or ECDSA method", "-X", "handshake_failure", - "-x", "tolerance 215 RSA or ECDSA methods", "-X", "handshake_failure", - "-x", "tolerance 2355 RSA or ECDSA methods", "-X", "handshake_failure", - "-x", "tolerance 8132 RSA or ECDSA methods", "-X", "handshake_failure", - "-x", "tolerance 32758 methods with sig_alg_cert", "-X", "handshake_failure", - "-x", "tolerance max 32748 number of methods with sig_alg_cert", "-X", "handshake_failure", - "-x", "tolerance none+RSA or ECDSA", "-X", "handshake_failure", - "-x", "unique and well-known sig_algs, ecdsa algorithm last", "-X", "handshake_failure" + "-x", "implicit SHA-1 check", "-X", "handshake_failure" ], "comment": "Crypto-Policies disable SHA-1." }, diff --git a/tests/setup.sh b/tests/setup.sh index 9cbd9292..c11d6628 100755 --- a/tests/setup.sh +++ b/tests/setup.sh @@ -64,7 +64,7 @@ fi P11DEFARGS=("--module=${P11LIB}" "--login" "--pin=${PINVALUE}" "--token-label=${TOKENLABEL}") # prepare certtool configuration -cat >> "${TMPPDIR}/cert.cfg" <> "${TMPPDIR}/cacert.cfg" <&1 + pkcs11-tool "${P11DEFARGS[@]}" --write-object "${TMPPDIR}/${LABEL}.crt" --type=cert \ + --id="$KEYID" --label="$LABEL" 2>&1 +} + title LINE "Creating new Self Sign CA" KEYID='0000' URIKEYID="%00%00" -CACRT="${TMPPDIR}/CAcert.crt" -CACRT_PEM="${TMPPDIR}/CAcert.pem" CACRTN="caCert" pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="RSA:2048" \ --label="${CACRTN}" --id="${KEYID}" 2>&1 -"${certtool}" --generate-self-signed --outfile="${CACRT}" \ - --template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \ - --load-privkey "pkcs11:object=$CACRTN;token=$TOKENLABELURI;type=private" \ - --load-pubkey "pkcs11:object=$CACRTN;token=$TOKENLABELURI;type=public" --outder 2>&1 -pkcs11-tool "${P11DEFARGS[@]}" --write-object "${CACRT}" --type=cert \ - --id=$KEYID --label="$CACRTN" 2>&1 - -# Serial = 1 is the CA -SERIAL=2 +crt_selfsign $CACRTN "Issuer" $KEYID # convert the DER cert to PEM +CACRT_PEM="${TMPPDIR}/${CACRTN}.pem" +CACRT="${TMPPDIR}/${CACRTN}.crt" openssl x509 -inform DER -in "$CACRT" -outform PEM -out "$CACRT_PEM" +cat "${TMPPDIR}/cacert.cfg" > "${TMPPDIR}/cert.cfg" # the organization identification is not in the CA echo 'organization = "PKCS11 Provider"' >> "${TMPPDIR}/cert.cfg" # the cert_signing_key and "ca" should be only on the CA sed -e "/^cert_signing_key$/d" -e "/^ca$/d" "${sed_inplace[@]}" "${TMPPDIR}/cert.cfg" ca_sign() { - CRT=$1 - LABEL=$2 - CN=$3 - KEYID=$4 + LABEL=$1 + CN=$2 + KEYID=$3 ((SERIAL+=1)) sed -e "s|cn = .*|cn = $CN|g" \ -e "s|serial = .*|serial = $SERIAL|g" \ -e "/^ca$/d" \ "${sed_inplace[@]}" \ "${TMPPDIR}/cert.cfg" - "${certtool}" --generate-certificate --outfile="${CRT}.crt" \ + "${certtool}" --generate-certificate --outfile="${TMPPDIR}/${LABEL}.crt" \ --template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \ --load-privkey "pkcs11:object=$LABEL;token=$TOKENLABELURI;type=private" \ --load-pubkey "pkcs11:object=$LABEL;token=$TOKENLABELURI;type=public" --outder \ --load-ca-certificate "${CACRT}" --inder \ --load-ca-privkey="pkcs11:object=$CACRTN;token=$TOKENLABELURI;type=private" - pkcs11-tool "${P11DEFARGS[@]}" --write-object "${CRT}.crt" --type=cert \ + pkcs11-tool "${P11DEFARGS[@]}" --write-object "${TMPPDIR}/${LABEL}.crt" --type=cert \ --id="$KEYID" --label="$LABEL" 2>&1 } @@ -126,12 +137,11 @@ ca_sign() { # generate RSA key pair and self-signed certificate KEYID='0001' URIKEYID="%00%01" -TSTCRT="${TMPPDIR}/testcert" TSTCRTN="testCert" pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="RSA:2048" \ --label="${TSTCRTN}" --id="$KEYID" -ca_sign "$TSTCRT" $TSTCRTN "My Test Cert" $KEYID +ca_sign "${TSTCRTN}" "My Test Cert" $KEYID BASEURIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}" BASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=file:${PINFILE}" @@ -152,12 +162,11 @@ echo "" # generate ECC key pair KEYID='0002' URIKEYID="%00%02" -ECCRT="${TMPPDIR}/eccert" ECCRTN="ecCert" pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="EC:secp256r1" \ --label="${ECCRTN}" --id="$KEYID" -ca_sign "$ECCRT" $ECCRTN "My EC Cert" $KEYID +ca_sign $ECCRTN "My EC Cert" $KEYID ECBASEURIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}" ECBASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=file:${PINFILE}" @@ -168,12 +177,11 @@ ECCRTURI="pkcs11:type=cert;object=${ECCRTN}" KEYID='0003' URIKEYID="%00%03" -ECPEERCRT="${TMPPDIR}/ecpeercert" ECPEERCRTN="ecPeerCert" pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="EC:secp256r1" \ --label="$ECPEERCRTN" --id="$KEYID" -ca_sign "$ECPEERCRT" $ECPEERCRTN "My Peer EC Cert" $KEYID +crt_selfsign $ECPEERCRTN "My Peer EC Cert" $KEYID ECPEERBASEURIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}" ECPEERBASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=file:${PINFILE}" @@ -204,12 +212,11 @@ if [ "${TOKENTYPE}" != "softokn" ]; then # generate ED25519 KEYID='0004' URIKEYID="%00%04" - EDCRT="${TMPPDIR}/edcert" EDCRTN="edCert" pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="EC:edwards25519" \ --label="${EDCRTN}" --id="$KEYID" - ca_sign "$EDCRT" $EDCRTN "My ED25519 Cert" $KEYID + ca_sign $EDCRTN "My ED25519 Cert" $KEYID EDBASEURIWITHPINVALUE="pkcs11:id=${URIKEYID};pin-value=${PINVALUE}" EDBASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID};pin-source=file:${PINFILE}" @@ -233,12 +240,11 @@ fi # generate ED448 #KEYID='0009' #URIKEYID="%00%09" -#ED2CRT="${TMPPDIR}/ed2cert" #ED2CRTN="ed2Cert" # # pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="EC:edwards448" \ # --label="${ED2CRTN}" --id="$KEYID" -# ca_sign "$EDCRT" $ED2CRTN "My ED448 Cert" $KEYID +# ca_sign $ED2CRTN "My ED448 Cert" $KEYID # # ED2BASEURIWITHPINVALUE="pkcs11:id=${URIKEYID};pin-value=${PINVALUE}" # ED2BASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID};pin-source=file:${PINFILE}" @@ -258,12 +264,11 @@ fi title PARA "generate RSA key pair, self-signed certificate, remove public key" KEYID='0005' URIKEYID="%00%05" -TSTCRT="${TMPPDIR}/testcert2" TSTCRTN="testCert2" pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="RSA:2048" \ --label="${TSTCRTN}" --id="$KEYID" -ca_sign "$TSTCRT" $TSTCRTN "My Test Cert 2" $KEYID +ca_sign $TSTCRTN "My Test Cert 2" $KEYID pkcs11-tool "${P11DEFARGS[@]}" --delete-object --type pubkey --id 0005 BASE2URIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}" @@ -283,12 +288,11 @@ echo "" title PARA "generate EC key pair, self-signed certificate, remove public key" KEYID='0006' URIKEYID="%00%06" -TSTCRT="${TMPPDIR}/eccert2" TSTCRTN="ecCert2" pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="EC:secp384r1" \ --label="${TSTCRTN}" --id="$KEYID" -ca_sign "$TSTCRT" $TSTCRTN "My EC Cert 2" $KEYID +ca_sign $TSTCRTN "My EC Cert 2" $KEYID pkcs11-tool "${P11DEFARGS[@]}" --delete-object --type pubkey --id 0006 ECBASE2URIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}" @@ -336,12 +340,11 @@ fi title PARA "generate EC key pair with ALWAYS AUTHENTICATE flag, self-signed certificate" KEYID='0008' URIKEYID="%00%08" -TSTCRT="${TMPPDIR}/eccert3" TSTCRTN="ecCert3" pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="EC:secp521r1" \ --label="${TSTCRTN}" --id="$KEYID" --always-auth -ca_sign "$TSTCRT" $TSTCRTN "My EC Cert 3" $KEYID +ca_sign $TSTCRTN "My EC Cert 3" $KEYID ECBASE3URIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}" ECBASE3URIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=file:${PINFILE}" diff --git a/tests/tcerts b/tests/tcerts index f4bca9ae..d7ffb2b7 100755 --- a/tests/tcerts +++ b/tests/tcerts @@ -28,7 +28,7 @@ title PARA "Use storeutl command to match specific certs via params" SUBJECTS=("/O=PKCS11 Provider/CN=My Test Cert" "/O=PKCS11 Provider/CN=My EC Cert" - "/O=PKCS11 Provider/CN=My Peer EC Cert" + "/CN=My Peer EC Cert" "/CN=Issuer") for subj in "${SUBJECTS[@]}"; do diff --git a/tests/ttlsfuzzer b/tests/ttlsfuzzer index 11c36e5c..14dc7048 100755 --- a/tests/ttlsfuzzer +++ b/tests/ttlsfuzzer @@ -58,7 +58,10 @@ run_tests() { prepare_test cert.json.rsa.in "$PRIURI" "$CRTURI" title PARA "Prepare test for ECDSA" - prepare_test cert.json.ecdsa.in "$ECPRIURI" "$ECCRTURI" + # Note, that tlsfuzzer expects the homogeneous CA and server keys + # so we are using here the self-signed peer EC Key, instead of + # the default ECC key + prepare_test cert.json.ecdsa.in "$ECPEERPRIURI" "$ECPEERCRTURI" if [[ -n "$EDBASEURI" ]]; then title PARA "Prepare test for EdDSA"