
[v2,02/10] unit: Add basic EC-DSA verification test

Message ID 20220718180045.5845-2-denkenz@gmail.com (mailing list archive)
State New
Series: [v2,01/10] cert/key: Add support for EC based certificates


Commit Message

Denis Kenzior July 18, 2022, 6 p.m. UTC
---
 .gitignore      |  2 ++
 Makefile.am     | 39 ++++++++++++++++++++++++++++++++++++++-
 unit/test-tls.c | 22 +++++++++++++++++++++-
 3 files changed, 61 insertions(+), 2 deletions(-)

Comments

Mat Martineau July 18, 2022, 7:07 p.m. UTC | #1
On Mon, 18 Jul 2022, Denis Kenzior wrote:

> ---
> .gitignore      |  2 ++
> Makefile.am     | 39 ++++++++++++++++++++++++++++++++++++++-
> unit/test-tls.c | 22 +++++++++++++++++++++-
> 3 files changed, 61 insertions(+), 2 deletions(-)
>
> diff --git a/.gitignore b/.gitignore
> index 346243a8f9c7..76f10aecfdd3 100644
> --- a/.gitignore
> +++ b/.gitignore
> @@ -67,6 +67,8 @@ unit/cert-*.csr
> unit/cert-*.srl
> unit/cert-*.crt
> unit/cert-*.p12
> +unit/ec-cert-*.pem
> +unit/ec-cert-*.csr
> unit/key-*.dat
> unit/key-*.h
> unit/*.log
> diff --git a/Makefile.am b/Makefile.am
> index 2bf728bbde7a..e5d7143af236 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -219,6 +219,7 @@ cert_tests = unit/test-pem \
> cert_files = unit/cert-chain.pem \
> 			unit/cert-entity-int.pem \
> 			unit/cert-server.pem \
> +			unit/ec-cert-server.pem \
> 			unit/cert-server-key-pkcs8.pem \
> 			unit/cert-client.pem \
> 			unit/cert-client.crt \
> @@ -246,6 +247,7 @@ cert_files = unit/cert-chain.pem \
> cert_checks = unit/cert-intca \
> 			unit/cert-entity-int \
> 			unit/cert-server \
> +			unit/ec-cert-server \
> 			unit/cert-client \
> 			unit/cert-no-keyid
>
> @@ -417,15 +419,30 @@ false_redirect_openssl = 2>/dev/null
> unit/cert-ca-key.pem:
> 	$(AM_V_GEN)openssl genrsa -out $@ 2048 $($(AM_V_P)_redirect_openssl)
>
> +unit/ec-cert-ca-key.pem:
> +	$(AM_V_GEN)openssl ecparam -out $@ -name secp384r1 \
> +				-genkey $($(AM_V_P)_redirect_openssl)
> +
> +
> unit/cert-ca.pem: unit/cert-ca-key.pem unit/gencerts.cnf
> 	$(AM_V_GEN)openssl req -x509 -new -nodes -extensions ca_ext \
> 			-config $(srcdir)/unit/gencerts.cnf \
> 			-subj '/O=International Union of Example Organizations/CN=Certificate issuer guy/emailAddress=ca@mail.example' \
> 			-key $< -sha256 -days 10000 -out $@
>
> +unit/ec-cert-ca.pem: unit/ec-cert-ca-key.pem unit/gencerts.cnf
> +	$(AM_V_GEN)openssl req -x509 -new -nodes -extensions ca_ext \
> +			-config $(srcdir)/unit/gencerts.cnf \
> +			-subj '/O=International Union of Example Organizations/CN=Certificate issuer guy/emailAddress=ca@mail.example' \
> +			-key $< -sha256 -days 10000 -out $@
> +
> unit/cert-server-key.pem:
> 	$(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
>
> +unit/ec-cert-server-key.pem:
> +	$(AM_V_GEN)openssl ecparam -out $@ -name secp384r1 \
> +				-genkey $($(AM_V_P)_redirect_openssl)
> +
> unit/cert-server-key-pkcs8.pem: unit/cert-server-key.pem
> 	$(AM_V_GEN)openssl pkcs8 -topk8 -nocrypt -in $< -out $@
>
> @@ -435,6 +452,12 @@ unit/cert-server.csr: unit/cert-server-key.pem unit/gencerts.cnf
> 			-subj '/O=Foo Example Organization/CN=Foo Example Organization/emailAddress=foo@mail.example' \
> 			-key $< -out $@
>
> +unit/ec-cert-server.csr: unit/ec-cert-server-key.pem unit/gencerts.cnf
> +	$(AM_V_GEN)openssl req -new -extensions cert_ext \
> +			-config $(srcdir)/unit/gencerts.cnf \
> +			-subj '/O=Foo Example Organization/CN=Foo Example Organization/emailAddress=foo@mail.example' \
> +			-key $< -out $@
> +
> unit/cert-server.pem: unit/cert-server.csr unit/cert-ca.pem unit/gencerts.cnf
> 	$(AM_V_GEN)openssl x509 -req -extensions server_ext \
> 			-extfile $(srcdir)/unit/gencerts.cnf \
> @@ -443,9 +466,22 @@ unit/cert-server.pem: unit/cert-server.csr unit/cert-ca.pem unit/gencerts.cnf
> 			-CAserial $(builddir)/unit/cert-ca.srl \
> 			-CAcreateserial -sha256 -days 10000 -out $@ $($(AM_V_P)_redirect_openssl)
>
> +unit/ec-cert-server.pem: unit/ec-cert-server.csr unit/ec-cert-ca.pem \
> +				unit/gencerts.cnf
> +	$(AM_V_GEN)openssl x509 -req -extensions server_ext \
> +			-extfile $(srcdir)/unit/gencerts.cnf \
> +			-in $< -CA $(builddir)/unit/ec-cert-ca.pem \
> +			-CAkey $(builddir)/unit/ec-cert-ca-key.pem \
> +			-CAserial $(builddir)/unit/cert-ca.srl \
> +			-CAcreateserial -sha256 -days 10000 \
> +			-out $@ $($(AM_V_P)_redirect_openssl)
> +
> unit/cert-server: unit/cert-server.pem unit/cert-ca.pem
> 	$(AM_V_GEN)openssl verify -CAfile $(builddir)/unit/cert-ca.pem $<
>
> +unit/ec-cert-server: unit/ce-cert-server.pem unit/ce-cert-ca.pem
> +	$(AM_V_GEN)openssl verify -CAfile $(builddir)/unit/ce-cert-ca.pem $<

Denis -

A few typos here: "ce-cert" instead of "ec-cert". This showed up as:

make[2]: *** No rule to make target 'unit/ce-cert-server.pem', needed by 'unit/ec-cert-server'.  Stop.

after the testsuite summary when running "make check".


Other than that, v2 looks good on my system. I didn't try out the kernel 
patch you mention in patch 1, I assume that's why I had the test failures 
with "tls-suites: Add ECDSA suites from RFC 8422".


- Mat

> +
> unit/cert-client-key-pkcs1.pem:
> 	$(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
>
> @@ -623,7 +659,8 @@ check-local: $(cert_checks)
> endif
>
> clean-local:
> -	-rm -f unit/cert-*.pem unit/cert-*.csr unit/cert-*.srl unit/key-*.dat
> +	-rm -f unit/ec-cert*.pem unit/ec-cert-*.csr \
> +		unit/cert-*.pem unit/cert-*.csr unit/cert-*.srl unit/key-*.dat
>
> maintainer-clean-local:
> 	-rm -rf build-aux
> diff --git a/unit/test-tls.c b/unit/test-tls.c
> index 7937962cf8a0..aee5b2e36b78 100644
> --- a/unit/test-tls.c
> +++ b/unit/test-tls.c
> @@ -325,6 +325,24 @@ static void test_certificates(const void *data)
> 	l_queue_destroy(twocas, (l_queue_destroy_func_t) l_cert_free);
> }
>
> +static void test_ec_certificates(const void *data)
> +{
> +	struct l_queue *cacert;
> +	struct l_certchain *chain;
> +
> +	cacert = l_pem_load_certificate_list(CERTDIR "ec-cert-ca.pem");
> +	assert(cacert && !l_queue_isempty(cacert));
> +
> +	chain = l_pem_load_certificate_chain(CERTDIR "ec-cert-server.pem");
> +	assert(chain);
> +
> +	assert(l_certchain_verify(chain, cacert, NULL));
> +	assert(l_certchain_verify(chain, NULL, NULL));
> +
> +	l_certchain_free(chain);
> +	l_queue_destroy(cacert, (l_queue_destroy_func_t) l_cert_free);
> +}
> +
> struct tls_conn_test {
> 	const char *server_cert_path;
> 	const char *server_key_path;
> @@ -948,8 +966,10 @@ int main(int argc, char *argv[])
> 	l_test_add("TLS 1.2 PRF with SHA512", test_tls12_prf,
> 			&tls12_prf_sha512_0);
>
> -	if (l_key_is_supported(L_KEY_FEATURE_RESTRICT))
> +	if (l_key_is_supported(L_KEY_FEATURE_RESTRICT)) {
> 		l_test_add("Certificate chains", test_certificates, NULL);
> +		l_test_add("ECDSA Certificates", test_ec_certificates, NULL);
> +	}
>
> 	if (!l_getrandom_is_supported()) {
> 		printf("getrandom missing, skipping TLS connection tests...\n");
> -- 
> 2.35.1
>
>
>

--
Mat Martineau
Intel
Denis Kenzior July 18, 2022, 8:21 p.m. UTC | #2
Hi Mat,

> A few typos here: "ce-cert" instead of "ec-cert". This showed up as:
> 

Ok, I fixed this in my local copy now.

> 
> Other than that, v2 looks good on my system. I didn't try out the kernel patch 

Excellent, thanks for testing.

> you mention in patch 1, I assume that's why I had the test failures with 
> "tls-suites: Add ECDSA suites from RFC 8422".

The reason is that kernel upstream only supports signature verification and not 
the sign operation itself.  Not sure why.  I'll try to fix that eventually, but 
for now we're limited to ECDSA use in anonymous client mode only.  The test 
assumes that both client + server side is implemented.  Hence the need for patch 
8/10.

Regards,
-Denis

Patch

diff --git a/.gitignore b/.gitignore
index 346243a8f9c7..76f10aecfdd3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -67,6 +67,8 @@  unit/cert-*.csr
 unit/cert-*.srl
 unit/cert-*.crt
 unit/cert-*.p12
+unit/ec-cert-*.pem
+unit/ec-cert-*.csr
 unit/key-*.dat
 unit/key-*.h
 unit/*.log
diff --git a/Makefile.am b/Makefile.am
index 2bf728bbde7a..e5d7143af236 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -219,6 +219,7 @@  cert_tests = unit/test-pem \
 cert_files = unit/cert-chain.pem \
 			unit/cert-entity-int.pem \
 			unit/cert-server.pem \
+			unit/ec-cert-server.pem \
 			unit/cert-server-key-pkcs8.pem \
 			unit/cert-client.pem \
 			unit/cert-client.crt \
@@ -246,6 +247,7 @@  cert_files = unit/cert-chain.pem \
 cert_checks = unit/cert-intca \
 			unit/cert-entity-int \
 			unit/cert-server \
+			unit/ec-cert-server \
 			unit/cert-client \
 			unit/cert-no-keyid
 
@@ -417,15 +419,30 @@  false_redirect_openssl = 2>/dev/null
 unit/cert-ca-key.pem:
 	$(AM_V_GEN)openssl genrsa -out $@ 2048 $($(AM_V_P)_redirect_openssl)
 
+unit/ec-cert-ca-key.pem:
+	$(AM_V_GEN)openssl ecparam -out $@ -name secp384r1 \
+				-genkey $($(AM_V_P)_redirect_openssl)
+
+
 unit/cert-ca.pem: unit/cert-ca-key.pem unit/gencerts.cnf
 	$(AM_V_GEN)openssl req -x509 -new -nodes -extensions ca_ext \
 			-config $(srcdir)/unit/gencerts.cnf \
 			-subj '/O=International Union of Example Organizations/CN=Certificate issuer guy/emailAddress=ca@mail.example' \
 			-key $< -sha256 -days 10000 -out $@
 
+unit/ec-cert-ca.pem: unit/ec-cert-ca-key.pem unit/gencerts.cnf
+	$(AM_V_GEN)openssl req -x509 -new -nodes -extensions ca_ext \
+			-config $(srcdir)/unit/gencerts.cnf \
+			-subj '/O=International Union of Example Organizations/CN=Certificate issuer guy/emailAddress=ca@mail.example' \
+			-key $< -sha256 -days 10000 -out $@
+
 unit/cert-server-key.pem:
 	$(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
 
+unit/ec-cert-server-key.pem:
+	$(AM_V_GEN)openssl ecparam -out $@ -name secp384r1 \
+				-genkey $($(AM_V_P)_redirect_openssl)
+
 unit/cert-server-key-pkcs8.pem: unit/cert-server-key.pem
 	$(AM_V_GEN)openssl pkcs8 -topk8 -nocrypt -in $< -out $@
 
@@ -435,6 +452,12 @@  unit/cert-server.csr: unit/cert-server-key.pem unit/gencerts.cnf
 			-subj '/O=Foo Example Organization/CN=Foo Example Organization/emailAddress=foo@mail.example' \
 			-key $< -out $@
 
+unit/ec-cert-server.csr: unit/ec-cert-server-key.pem unit/gencerts.cnf
+	$(AM_V_GEN)openssl req -new -extensions cert_ext \
+			-config $(srcdir)/unit/gencerts.cnf \
+			-subj '/O=Foo Example Organization/CN=Foo Example Organization/emailAddress=foo@mail.example' \
+			-key $< -out $@
+
 unit/cert-server.pem: unit/cert-server.csr unit/cert-ca.pem unit/gencerts.cnf
 	$(AM_V_GEN)openssl x509 -req -extensions server_ext \
 			-extfile $(srcdir)/unit/gencerts.cnf \
@@ -443,9 +466,22 @@  unit/cert-server.pem: unit/cert-server.csr unit/cert-ca.pem unit/gencerts.cnf
 			-CAserial $(builddir)/unit/cert-ca.srl \
 			-CAcreateserial -sha256 -days 10000 -out $@ $($(AM_V_P)_redirect_openssl)
 
+unit/ec-cert-server.pem: unit/ec-cert-server.csr unit/ec-cert-ca.pem \
+				unit/gencerts.cnf
+	$(AM_V_GEN)openssl x509 -req -extensions server_ext \
+			-extfile $(srcdir)/unit/gencerts.cnf \
+			-in $< -CA $(builddir)/unit/ec-cert-ca.pem \
+			-CAkey $(builddir)/unit/ec-cert-ca-key.pem \
+			-CAserial $(builddir)/unit/cert-ca.srl \
+			-CAcreateserial -sha256 -days 10000 \
+			-out $@ $($(AM_V_P)_redirect_openssl)
+
 unit/cert-server: unit/cert-server.pem unit/cert-ca.pem
 	$(AM_V_GEN)openssl verify -CAfile $(builddir)/unit/cert-ca.pem $<
 
+unit/ec-cert-server: unit/ce-cert-server.pem unit/ce-cert-ca.pem
+	$(AM_V_GEN)openssl verify -CAfile $(builddir)/unit/ce-cert-ca.pem $<
+
 unit/cert-client-key-pkcs1.pem:
 	$(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
 
@@ -623,7 +659,8 @@  check-local: $(cert_checks)
 endif
 
 clean-local:
-	-rm -f unit/cert-*.pem unit/cert-*.csr unit/cert-*.srl unit/key-*.dat
+	-rm -f unit/ec-cert*.pem unit/ec-cert-*.csr \
+		unit/cert-*.pem unit/cert-*.csr unit/cert-*.srl unit/key-*.dat
 
 maintainer-clean-local:
 	-rm -rf build-aux
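Review bot: The new `clean-local` glob `unit/ec-cert*.pem` drops the hyphen that `unit/ec-cert-*.csr` on the same line and the `.gitignore` patterns use, so the clean rule is broader than the ignore rule. `unit/ec-cert-*.pem` keeps the two in step; every file the rules above produce matches either form, so this is a consistency point only.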
diff --git a/unit/test-tls.c b/unit/test-tls.c
index 7937962cf8a0..aee5b2e36b78 100644
--- a/unit/test-tls.c
+++ b/unit/test-tls.c
@@ -325,6 +325,24 @@  static void test_certificates(const void *data)
 	l_queue_destroy(twocas, (l_queue_destroy_func_t) l_cert_free);
 }
 
+static void test_ec_certificates(const void *data)
+{
+	struct l_queue *cacert;
+	struct l_certchain *chain;
+
+	cacert = l_pem_load_certificate_list(CERTDIR "ec-cert-ca.pem");
+	assert(cacert && !l_queue_isempty(cacert));
+
+	chain = l_pem_load_certificate_chain(CERTDIR "ec-cert-server.pem");
+	assert(chain);
+
+	assert(l_certchain_verify(chain, cacert, NULL));
+	assert(l_certchain_verify(chain, NULL, NULL));
+
+	l_certchain_free(chain);
+	l_queue_destroy(cacert, (l_queue_destroy_func_t) l_cert_free);
+}
+
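Review bot: test_ec_certificates only asserts that verification succeeds (`l_certchain_verify(chain, cacert, NULL)` and the NULL-CA variant), so a verifier that accepted any ECDSA signature, or skipped the signature check entirely, would still pass it. A negative check against the RSA CA that did not issue this chain closes that gap: `wrongca = l_pem_load_certificate_list(CERTDIR "cert-ca.pem");`, `assert(!l_certchain_verify(chain, wrongca, NULL));`, followed by `l_queue_destroy(wrongca, (l_queue_destroy_func_t) l_cert_free);`. A one-line comment at the top of the function stating that the fixture is a single P-384 leaf signed by the EC CA (which is what the Makefile rules produce) would also tell a reader what is actually being verified.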
 struct tls_conn_test {
 	const char *server_cert_path;
 	const char *server_key_path;
@@ -948,8 +966,10 @@  int main(int argc, char *argv[])
 	l_test_add("TLS 1.2 PRF with SHA512", test_tls12_prf,
 			&tls12_prf_sha512_0);
 
-	if (l_key_is_supported(L_KEY_FEATURE_RESTRICT))
+	if (l_key_is_supported(L_KEY_FEATURE_RESTRICT)) {
 		l_test_add("Certificate chains", test_certificates, NULL);
+		l_test_add("ECDSA Certificates", test_ec_certificates, NULL);
+	}
 
 	if (!l_getrandom_is_supported()) {
 		printf("getrandom missing, skipping TLS connection tests...\n");
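Review bot: The new registration gates `test_ec_certificates` on `L_KEY_FEATURE_RESTRICT` only, which says nothing about whether the kernel's asymmetric-key code can verify ECDSA signatures; on a kernel without that support the test fails instead of being skipped the way the TLS connection tests below are when getrandom is missing. If ell exposes (or this series adds) a probe for ECDSA support, the registration should be gated on it as well, e.g. `if (l_key_is_supported(L_KEY_FEATURE_RESTRICT) && ecdsa_supported)` with a printed skip message; if no such probe exists, a comment next to the `l_test_add` noting the kernel requirement would at least explain a failure to whoever hits it. `main` begins and ends outside this hunk.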