diff options
author | Peter Dettman <peter.dettman@bouncycastle.org> | 2022-05-10 12:54:22 +0700 |
---|---|---|
committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2022-05-10 12:54:22 +0700 |
commit | 217c08cdb0359f95c40f1a09e4e545a4552509fe (patch) | |
tree | bb6418fed2a682e42ea77a82cd2da6f3e923d929 /crypto/test/src | |
parent | Avoid duplicate call (diff) | |
download | BouncyCastle.NET-ed25519-217c08cdb0359f95c40f1a09e4e545a4552509fe.tar.xz |
Improve TLS handshake hash tracking
Diffstat (limited to 'crypto/test/src')
-rw-r--r-- | crypto/test/src/tls/test/DtlsTestSuite.cs | 64 | ||||
-rw-r--r-- | crypto/test/src/tls/test/TlsTestClientImpl.cs | 13 | ||||
-rw-r--r-- | crypto/test/src/tls/test/TlsTestClientProtocol.cs | 10 | ||||
-rw-r--r-- | crypto/test/src/tls/test/TlsTestServerImpl.cs | 4 | ||||
-rw-r--r-- | crypto/test/src/tls/test/TlsTestSuite.cs | 49 |
5 files changed, 77 insertions, 63 deletions
diff --git a/crypto/test/src/tls/test/DtlsTestSuite.cs b/crypto/test/src/tls/test/DtlsTestSuite.cs index 0af2be32c..27c1ca648 100644 --- a/crypto/test/src/tls/test/DtlsTestSuite.cs +++ b/crypto/test/src/tls/test/DtlsTestSuite.cs @@ -68,63 +68,59 @@ namespace Org.BouncyCastle.Tls.Tests + "_"; /* - * NOTE: Temporarily disabled automatic test runs because of problems getting a clean exit - * of the DTLS server after a fatal alert. As of writing, manual runs show the correct - * alerts being raised - */ - -#if false - /* - * Server only declares support for SHA1/RSA, client selects MD5/RSA. Since the client is - * NOT actually tracking MD5 over the handshake, we expect fatal alert from the client. + * Server only declares support for SHA256/ECDSA, client selects SHA256/RSA, so we expect fatal alert + * from the client validation of the CertificateVerify algorithm. */ if (TlsUtilities.IsTlsV12(version)) { TlsTestConfig c = CreateDtlsTestConfig(version); c.clientAuth = C.CLIENT_AUTH_VALID; - c.clientAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.md5, SignatureAlgorithm.rsa); - c.serverCertReqSigAlgs = TlsUtilities.GetDefaultRsaSignatureAlgorithms(); + c.clientAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.sha256, SignatureAlgorithm.rsa); + c.serverCertReqSigAlgs = TlsUtilities.VectorOfOne( + new SignatureAndHashAlgorithm(HashAlgorithm.sha256, SignatureAlgorithm.ecdsa)); c.ExpectClientFatalAlert(AlertDescription.internal_error); - AddTestCase(testSuite, c, prefix + "BadCertificateVerifyHashAlg"); + AddTestCase(testSuite, c, prefix + "BadCertVerifySigAlgClient"); } /* - * Server only declares support for SHA1/ECDSA, client selects SHA1/RSA. Since the client is - * actually tracking SHA1 over the handshake, we expect fatal alert to come from the server - * when it verifies the selected algorithm against the CertificateRequest supported - * algorithms. + * Server only declares support for rsa_pss_rsae_sha256, client selects rsa_pss_rsae_sha256 but claims + * ecdsa_secp256r1_sha256, so we expect fatal alert from the server validation of the + * CertificateVerify algorithm. */ if (TlsUtilities.IsTlsV12(version)) { TlsTestConfig c = CreateDtlsTestConfig(version); c.clientAuth = C.CLIENT_AUTH_VALID; - c.clientAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.sha1, SignatureAlgorithm.rsa); - c.serverCertReqSigAlgs = TlsUtilities.GetDefaultECDsaSignatureAlgorithms(); + c.clientAuthSigAlg = SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.rsa_pss_rsae_sha256); + c.clientAuthSigAlgClaimed = SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.ecdsa_secp256r1_sha256); + c.serverCertReqSigAlgs = TlsUtilities.VectorOfOne( + SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.rsa_pss_rsae_sha256)); c.serverCheckSigAlgOfClientCerts = false; c.ExpectServerFatalAlert(AlertDescription.illegal_parameter); - AddTestCase(testSuite, c, prefix + "BadCertificateVerifySigAlg"); + AddTestCase(testSuite, c, prefix + "BadCertVerifySigAlgServer1"); } /* - * Server only declares support for SHA1/ECDSA, client signs with SHA1/RSA, but sends - * SHA1/ECDSA in the CertificateVerify. Since the client is actually tracking SHA1 over the - * handshake, and the claimed algorithm is in the CertificateRequest supported algorithms, - * we expect fatal alert to come from the server when it finds the claimed algorithm - * doesn't match the client certificate. + * Server declares support for rsa_pss_rsae_sha256 and ecdsa_secp256r1_sha256, client selects + * rsa_pss_rsae_sha256 but claims ecdsa_secp256r1_sha256, so we expect fatal alert from the server + * validation of the client certificate. */ if (TlsUtilities.IsTlsV12(version)) { TlsTestConfig c = CreateDtlsTestConfig(version); c.clientAuth = C.CLIENT_AUTH_VALID; - c.clientAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.sha1, SignatureAlgorithm.rsa); - c.clientAuthSigAlgClaimed = new SignatureAndHashAlgorithm(HashAlgorithm.sha1, - SignatureAlgorithm.ecdsa); - c.serverCertReqSigAlgs = TlsUtilities.GetDefaultECDsaSignatureAlgorithms(); - c.ExpectServerFatalAlert(AlertDescription.decrypt_error); + c.clientAuthSigAlg = SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.rsa_pss_rsae_sha256); + c.clientAuthSigAlgClaimed = SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.ecdsa_secp256r1_sha256); + c.serverCertReqSigAlgs = new ArrayList(2); + c.serverCertReqSigAlgs.Add( + SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.rsa_pss_rsae_sha256)); + c.serverCertReqSigAlgs.Add( + SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.ecdsa_secp256r1_sha256)); + c.ExpectServerFatalAlert(AlertDescription.bad_certificate); - AddTestCase(testSuite, c, prefix + "BadCertificateVerifySigAlgMismatch"); + AddTestCase(testSuite, c, prefix + "BadCertVerifySigAlgServer2"); } { @@ -132,7 +128,7 @@ namespace Org.BouncyCastle.Tls.Tests c.clientAuth = C.CLIENT_AUTH_INVALID_VERIFY; c.ExpectServerFatalAlert(AlertDescription.decrypt_error); - AddTestCase(testSuite, c, prefix + "BadCertificateVerifySignature"); + AddTestCase(testSuite, c, prefix + "BadCertVerifySignature"); } { @@ -161,8 +157,9 @@ namespace Org.BouncyCastle.Tls.Tests { TlsTestConfig c = CreateDtlsTestConfig(version); c.clientSendSignatureAlgorithms = false; + c.clientSendSignatureAlgorithmsCert = false; c.serverAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.sha256, SignatureAlgorithm.rsa); - c.ExpectClientFatalAlert(AlertDescription.certificate_unknown); + c.ExpectClientFatalAlert(AlertDescription.bad_certificate); AddTestCase(testSuite, c, prefix + "BadServerCertSigAlg"); } @@ -196,7 +193,6 @@ namespace Org.BouncyCastle.Tls.Tests AddTestCase(testSuite, c, prefix + "BadServerKeyExchangeSigAlg2"); } -#endif { TlsTestConfig c = CreateDtlsTestConfig(version); @@ -218,7 +214,6 @@ namespace Org.BouncyCastle.Tls.Tests AddTestCase(testSuite, c, prefix + "GoodOptionalCertReqDeclined"); } -#if false /* * Server generates downgraded (RFC 8446) ServerHello. We expect fatal alert * (illegal_parameter) from the client. @@ -232,7 +227,6 @@ namespace Org.BouncyCastle.Tls.Tests AddTestCase(testSuite, c, prefix + "BadDowngrade"); } -#endif } private static void AddTestCase(IList testSuite, TlsTestConfig config, string name) diff --git a/crypto/test/src/tls/test/TlsTestClientImpl.cs b/crypto/test/src/tls/test/TlsTestClientImpl.cs index 04c8ad0af..cb70dbc80 100644 --- a/crypto/test/src/tls/test/TlsTestClientImpl.cs +++ b/crypto/test/src/tls/test/TlsTestClientImpl.cs @@ -310,14 +310,23 @@ namespace Org.BouncyCastle.Tls.Tests IList supportedSigAlgs = certificateRequest.SupportedSignatureAlgorithms; if (supportedSigAlgs != null && config.clientAuthSigAlg != null) { - supportedSigAlgs = new ArrayList(1); - supportedSigAlgs.Add(config.clientAuthSigAlg); + supportedSigAlgs = TlsUtilities.VectorOfOne(config.clientAuthSigAlg); } // TODO[tls13] Check also supportedSigAlgsCert against the chain signature(s) TlsCredentialedSigner signerCredentials = TlsTestUtilities.LoadSignerCredentials(m_context, supportedSigAlgs, SignatureAlgorithm.rsa, "x509-client-rsa.pem", "x509-client-key-rsa.pem"); + if (signerCredentials == null && supportedSigAlgs != null) + { + SignatureAndHashAlgorithm pss = SignatureScheme.GetSignatureAndHashAlgorithm( + SignatureScheme.rsa_pss_rsae_sha256); + if (TlsUtilities.ContainsSignatureAlgorithm(supportedSigAlgs, pss)) + { + signerCredentials = TlsTestUtilities.LoadSignerCredentials(m_context, + new string[]{ "x509-client-rsa.pem" }, "x509-client-key-rsa.pem", pss); + } + } if (config.clientAuth == TlsTestConfig.CLIENT_AUTH_VALID) return signerCredentials; diff --git a/crypto/test/src/tls/test/TlsTestClientProtocol.cs b/crypto/test/src/tls/test/TlsTestClientProtocol.cs index f7e94680a..879996040 100644 --- a/crypto/test/src/tls/test/TlsTestClientProtocol.cs +++ b/crypto/test/src/tls/test/TlsTestClientProtocol.cs @@ -19,6 +19,16 @@ namespace Org.BouncyCastle.Tls.Tests this.m_config = config; } + protected override void Send13CertificateVerifyMessage(DigitallySigned certificateVerify) + { + if (m_config.clientAuthSigAlgClaimed != null) + { + certificateVerify = new DigitallySigned(m_config.clientAuthSigAlgClaimed, certificateVerify.Signature); + } + + base.Send13CertificateVerifyMessage(certificateVerify); + } + protected override void SendCertificateVerifyMessage(DigitallySigned certificateVerify) { if (certificateVerify.Algorithm != null && m_config.clientAuthSigAlgClaimed != null) diff --git a/crypto/test/src/tls/test/TlsTestServerImpl.cs b/crypto/test/src/tls/test/TlsTestServerImpl.cs index 77df632fe..273de3d31 100644 --- a/crypto/test/src/tls/test/TlsTestServerImpl.cs +++ b/crypto/test/src/tls/test/TlsTestServerImpl.cs @@ -258,9 +258,7 @@ namespace Org.BouncyCastle.Tls.Tests { if (TlsUtilities.IsTlsV12(m_context) && m_config.serverAuthSigAlg != null) { - IList signatureAlgorithms = new ArrayList(1); - signatureAlgorithms.Add(m_config.serverAuthSigAlg); - return signatureAlgorithms; + return TlsUtilities.VectorOfOne(m_config.serverAuthSigAlg); } return m_context.SecurityParameters.ClientSigAlgs; diff --git a/crypto/test/src/tls/test/TlsTestSuite.cs b/crypto/test/src/tls/test/TlsTestSuite.cs index adedd8249..86a543ef0 100644 --- a/crypto/test/src/tls/test/TlsTestSuite.cs +++ b/crypto/test/src/tls/test/TlsTestSuite.cs @@ -104,56 +104,59 @@ namespace Org.BouncyCastle.Tls.Tests } /* - * Server only declares support for SHA1/RSA, client selects MD5/RSA. Since the client is - * NOT actually tracking MD5 over the handshake, we expect fatal alert from the client. + * Server only declares support for SHA256/ECDSA, client selects SHA256/RSA, so we expect fatal alert + * from the client validation of the CertificateVerify algorithm. */ if (isTlsV12Exactly) { TlsTestConfig c = CreateTlsTestConfig(version, clientCrypto, serverCrypto); c.clientAuth = C.CLIENT_AUTH_VALID; - c.clientAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.md5, SignatureAlgorithm.rsa); - c.serverCertReqSigAlgs = TlsUtilities.GetDefaultRsaSignatureAlgorithms(); - c.serverCheckSigAlgOfClientCerts = false; + c.clientAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.sha256, SignatureAlgorithm.rsa); + c.serverCertReqSigAlgs = TlsUtilities.VectorOfOne( + new SignatureAndHashAlgorithm(HashAlgorithm.sha256, SignatureAlgorithm.ecdsa)); c.ExpectClientFatalAlert(AlertDescription.internal_error); - AddTestCase(testSuite, c, prefix + "BadCertificateVerifyHashAlg"); + AddTestCase(testSuite, c, prefix + "BadCertVerifySigAlgClient"); } /* - * Server only declares support for SHA1/ECDSA, client selects SHA1/RSA. Since the client is - * actually tracking SHA1 over the handshake, we expect fatal alert to come from the server - * when it verifies the selected algorithm against the CertificateRequest supported - * algorithms. + * Server only declares support for rsa_pss_rsae_sha256, client selects rsa_pss_rsae_sha256 but claims + * ecdsa_secp256r1_sha256, so we expect fatal alert from the server validation of the + * CertificateVerify algorithm. */ if (isTlsV12) { TlsTestConfig c = CreateTlsTestConfig(version, clientCrypto, serverCrypto); c.clientAuth = C.CLIENT_AUTH_VALID; - c.clientAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.sha1, SignatureAlgorithm.rsa); - c.serverCertReqSigAlgs = TlsUtilities.GetDefaultECDsaSignatureAlgorithms(); + c.clientAuthSigAlg = SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.rsa_pss_rsae_sha256); + c.clientAuthSigAlgClaimed = SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.ecdsa_secp256r1_sha256); + c.serverCertReqSigAlgs = TlsUtilities.VectorOfOne( + SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.rsa_pss_rsae_sha256)); c.serverCheckSigAlgOfClientCerts = false; c.ExpectServerFatalAlert(AlertDescription.illegal_parameter); - AddTestCase(testSuite, c, prefix + "BadCertificateVerifySigAlg"); + AddTestCase(testSuite, c, prefix + "BadCertVerifySigAlgServer1"); } /* - * Server only declares support for SHA1/ECDSA, client signs with SHA1/RSA, but sends - * SHA1/ECDSA in the CertificateVerify. Since the client is actually tracking SHA1 over the - * handshake, and the claimed algorithm is in the CertificateRequest supported algorithms, - * we expect fatal alert to come from the server when it finds the claimed algorithm - * doesn't match the client certificate. + * Server declares support for rsa_pss_rsae_sha256 and ecdsa_secp256r1_sha256, client selects + * rsa_pss_rsae_sha256 but claims ecdsa_secp256r1_sha256, so we expect fatal alert from the server + * validation of the client certificate. */ if (isTlsV12) { TlsTestConfig c = CreateTlsTestConfig(version, clientCrypto, serverCrypto); c.clientAuth = C.CLIENT_AUTH_VALID; - c.clientAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.sha1, SignatureAlgorithm.rsa); - c.clientAuthSigAlgClaimed = new SignatureAndHashAlgorithm(HashAlgorithm.sha1, SignatureAlgorithm.ecdsa); - c.serverCertReqSigAlgs = TlsUtilities.GetDefaultECDsaSignatureAlgorithms(); + c.clientAuthSigAlg = SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.rsa_pss_rsae_sha256); + c.clientAuthSigAlgClaimed = SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.ecdsa_secp256r1_sha256); + c.serverCertReqSigAlgs = new ArrayList(2); + c.serverCertReqSigAlgs.Add( + SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.rsa_pss_rsae_sha256)); + c.serverCertReqSigAlgs.Add( + SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.ecdsa_secp256r1_sha256)); c.ExpectServerFatalAlert(AlertDescription.bad_certificate); - AddTestCase(testSuite, c, prefix + "BadCertificateVerifySigAlgMismatch"); + AddTestCase(testSuite, c, prefix + "BadCertVerifySigAlgServer2"); } { @@ -161,7 +164,7 @@ namespace Org.BouncyCastle.Tls.Tests c.clientAuth = C.CLIENT_AUTH_INVALID_VERIFY; c.ExpectServerFatalAlert(AlertDescription.decrypt_error); - AddTestCase(testSuite, c, prefix + "BadCertificateVerifySignature"); + AddTestCase(testSuite, c, prefix + "BadCertVerifySignature"); } { |