Add alternate chain test case where peer presents chain (INT -> INT2 -> PEER) and only INT2 is loaded as trusted. Update existing alternate chain partial test cases to use INT2. Fix for test suite to allow extra newlines in .test files.

This commit is contained in:
David Garske
2020-06-16 14:10:05 -07:00
parent 5a5bc34aa5
commit 9be61c61f5
3 changed files with 115 additions and 19 deletions


@ -509,6 +509,8 @@ static void test_harness(void* vargs)
int cliArgsSz; int cliArgsSz;
char* cursor; char* cursor;
char* comment; char* comment;
char lastChar = '\0';
int do_it = 0;
const char* fname = "tests/test.conf"; const char* fname = "tests/test.conf";
const char* addArgs = NULL; const char* addArgs = NULL;
@ -571,20 +573,27 @@ static void test_harness(void* vargs)
cliArgs[0] = args->argv[0]; cliArgs[0] = args->argv[0];
while (*cursor != 0) { while (*cursor != 0) {
int do_it = 0;
switch (*cursor) { switch (*cursor) {
case '\n': case '\n':
/* A blank line triggers test case execution or switches /* A blank line triggers test case execution or switches
to client mode if we don't have the client command yet */ to client mode if we don't have the client command yet */
if (cliMode == 0) if (lastChar != '\n' && (cliArgsSz > 1 || svrArgsSz > 1)) {
cliMode = 1; /* switch to client mode processing */ if (cliMode == 0)
/* skip extra newlines */ cliMode = 1; /* switch to client mode processing */
else else
do_it = 1; /* Do It, we have server and client */ do_it = 1; /* Do It, we have server and client */
}
#ifdef DEBUG_SUITE_TESTS
else {
/* skip extra new-lines */
printf("skipping extra new line\n");
}
#endif
lastChar = *cursor;
cursor++; cursor++;
break; break;
case '#': case '#':
lastChar = *cursor;
/* Ignore lines that start with a # */ /* Ignore lines that start with a # */
comment = XSTRSEP(&cursor, "\n"); comment = XSTRSEP(&cursor, "\n");
#ifdef DEBUG_SUITE_TESTS #ifdef DEBUG_SUITE_TESTS
@ -597,6 +606,7 @@ static void test_harness(void* vargs)
default: default:
/* Parameters start with a -. They end in either a newline /* Parameters start with a -. They end in either a newline
* or a space. Capture until either, save in Args list. */ * or a space. Capture until either, save in Args list. */
lastChar = *cursor;
if (cliMode) if (cliMode)
cliArgs[cliArgsSz++] = XSTRSEP(&cursor, " \n"); cliArgs[cliArgsSz++] = XSTRSEP(&cursor, " \n");
else else
@ -659,6 +669,7 @@ static void test_harness(void* vargs)
svrArgsSz = 1; svrArgsSz = 1;
cliArgsSz = 1; cliArgsSz = 1;
cliMode = 0; cliMode = 0;
do_it = 0;
} }
} }
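Review bot: The blank-line test in the new `case '\n'` condition only works because `lastChar` is assigned the token's first character (`'#'` or `'-'`) before `XSTRSEP` consumes that line through its terminating newline, so the consumed newline is never recorded and the next `'\n'` the loop sees is a genuine blank line; that invariant is what the fix rests on and is not stated anywhere, so a comment at the two `lastChar = *cursor;` sites such as `/* record the token start, not the '\n' XSTRSEP consumes, so the next '\n' seen is a real blank line */` would save the next reader from re-deriving it. The `#ifdef DEBUG_SUITE_TESTS` block that wraps an entire `else { ... }` makes the branch structure depend on a preprocessor flag; keeping an unconditional `else` and putting only the `printf` under `#ifdef` gives identical control flow in both builds and reads more plainly. Blank-line handling now also keys on `cliArgsSz > 1 || svrArgsSz > 1`, yet the `cliArgs[cliArgsSz++]` store in the `default` case (and presumably its server-side twin) still appears to have no bound check against the array length, so a malformed .conf with too many parameters on one side would overrun it; a guard there is worth adding while this parser is being touched. test_harness begins and ends outside this hunk.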


@ -1,6 +1,7 @@
# Tests will use complete chain with intermediate CA for testing # Tests using a longer certificate chain (with intermediate CA's)
# The tests with chains have the CRL checking disabled # The tests with chains have the CRL checking disabled
# CRL's only load for trusted CA's, for a chain you must load the root and intermediate as trusted # CRL's only load for trusted CA's, for a chain you must load the root and intermediate as trusted
# For these tests we are loading root and sending intermediate and peer certs # For these tests we are loading root and sending intermediate and peer certs
# server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Chain # server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Chain
-v 3 -v 3
@ -82,11 +83,12 @@
-c ./certs/intermediate/client-chain-ecc.pem -c ./certs/intermediate/client-chain-ecc.pem
-C -C
# Test will load intermediate CA as trusted and only present the peer cert (partial chain) # Test will load intermediate CA as trusted and only present the peer cert (partial chain)
# server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Chain # server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
-v 3 -v 3
-l DHE-RSA-AES128-GCM-SHA256 -l DHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-cert.pem -A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/server-key.pem -k ./certs/server-key.pem
-c ./certs/intermediate/server-int-cert.pem -c ./certs/intermediate/server-int-cert.pem
-V -V
@ -94,7 +96,7 @@
# client TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Chain # client TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
-v 3 -v 3
-l DHE-RSA-AES128-GCM-SHA256 -l DHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-cert.pem -A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/client-key.pem -k ./certs/client-key.pem
-c ./certs/intermediate/client-int-cert.pem -c ./certs/intermediate/client-int-cert.pem
-C -C
@ -102,7 +104,7 @@
# server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Chain # server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
-v 3 -v 3
-l ECDHE-RSA-AES128-GCM-SHA256 -l ECDHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-cert.pem -A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/server-key.pem -k ./certs/server-key.pem
-c ./certs/intermediate/server-int-cert.pem -c ./certs/intermediate/server-int-cert.pem
-V -V
@ -110,7 +112,7 @@
# client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Chain # client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
-v 3 -v 3
-l ECDHE-RSA-AES128-GCM-SHA256 -l ECDHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-cert.pem -A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/client-key.pem -k ./certs/client-key.pem
-c ./certs/intermediate/client-int-cert.pem -c ./certs/intermediate/client-int-cert.pem
-C -C
@ -118,7 +120,7 @@
# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Chain # server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Chain
-v 3 -v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256 -l ECDHE-ECDSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-ecc-cert.pem -A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-key.pem -k ./certs/ecc-key.pem
-c ./certs/intermediate/server-int-ecc-cert.pem -c ./certs/intermediate/server-int-ecc-cert.pem
-V -V
@ -126,7 +128,7 @@
# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Chain # client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Chain
-v 3 -v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256 -l ECDHE-ECDSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-ecc-cert.pem -A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-client-key.pem -k ./certs/ecc-client-key.pem
-c ./certs/intermediate/client-int-ecc-cert.pem -c ./certs/intermediate/client-int-ecc-cert.pem
-C -C
@ -134,7 +136,7 @@
# server TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Chain # server TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Chain
-v 4 -v 4
-l TLS13-AES128-GCM-SHA256 -l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-cert.pem -A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/server-key.pem -k ./certs/server-key.pem
-c ./certs/intermediate/server-int-cert.pem -c ./certs/intermediate/server-int-cert.pem
-V -V
@ -142,7 +144,7 @@
# client TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Chain # client TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Chain
-v 4 -v 4
-l TLS13-AES128-GCM-SHA256 -l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-cert.pem -A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/client-key.pem -k ./certs/client-key.pem
-c ./certs/intermediate/client-int-cert.pem -c ./certs/intermediate/client-int-cert.pem
-C -C
@ -150,7 +152,7 @@
# server TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Chain # server TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Chain
-v 4 -v 4
-l TLS13-AES128-GCM-SHA256 -l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-ecc-cert.pem -A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-key.pem -k ./certs/ecc-key.pem
-c ./certs/intermediate/server-int-ecc-cert.pem -c ./certs/intermediate/server-int-ecc-cert.pem
-V -V
@ -158,11 +160,94 @@
# client TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Chain # client TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Chain
-v 4 -v 4
-l TLS13-AES128-GCM-SHA256 -l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-ecc-cert.pem -A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-client-key.pem -k ./certs/ecc-client-key.pem
-c ./certs/intermediate/client-int-ecc-cert.pem -c ./certs/intermediate/client-int-ecc-cert.pem
-C -C
# Test will load intermediate2 CA as trusted and present full chain (where intermediate CA is not trusted)
# server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Trusted Chain
-v 3
-l DHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/server-key.pem
-c ./certs/intermediate/server-chain.pem
-V
# client TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Trusted Chain
-v 3
-l DHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/client-key.pem
-c ./certs/intermediate/client-chain.pem
-C
# server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Trusted Chain
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/server-key.pem
-c ./certs/intermediate/server-chain.pem
-V
# client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Trusted Chain
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/client-key.pem
-c ./certs/intermediate/client-chain.pem
-C
# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Trusted Chain
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-key.pem
-c ./certs/intermediate/server-chain-ecc.pem
-V
# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Trusted Chain
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-client-key.pem
-c ./certs/intermediate/client-chain-ecc.pem
-C
# server TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Trusted Chain
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/server-key.pem
-c ./certs/intermediate/server-chain.pem
-V
# client TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Trusted Chain
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/client-key.pem
-c ./certs/intermediate/client-chain.pem
-C
# server TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Trusted Chain
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-key.pem
-c ./certs/intermediate/server-chain-ecc.pem
-V
# client TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Trusted Chain
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-client-key.pem
-c ./certs/intermediate/client-chain-ecc.pem
-C
# Test will use alternate chain where chain contains extra cert # Test will use alternate chain where chain contains extra cert
# server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Alt Chain # server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Alt Chain
-v 3 -v 3
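Review bot: The new "Partial Trusted Chain" cases appended before the "Alt Chain" group only exercise the accepting path: with ca-int2 loaded as trusted and the peer sending the full chain, success shows that verification can terminate at a trusted intermediate, but nothing checks that the untrusted first intermediate sent in that chain is not itself being accepted as an anchor, so a regression that treats any presented intermediate as trusted would still pass. If the suite supports an expected-failure case, a companion negative test (load only ca-int2 as trusted and present a chain whose leaf is issued by the other, untrusted intermediate) would pin that down; I cannot see such a mechanism in this hunk. The file header context lines still say "you must load the root and intermediate as trusted" and "we are loading root and sending intermediate and peer certs", which no longer describes the "Partial Chain" and "Partial Trusted Chain" groups that load only ca-int2; suggest appending a line such as `# The 'Partial Chain' and 'Partial Trusted Chain' groups instead load only the second intermediate (ca-int2) as trusted`. The new group's own header would also be clearer if it named the chain it relies on, e.g. `# (chain is ROOT -> INT -> INT2 -> PEER; only INT2 is trusted, INT is sent but not trusted)`, since that is the commit's actual claim.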


@ -1729,7 +1729,7 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL); XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL);
XFREE(issuer, 0, DYNAMIC_TYPE_OPENSSL); XFREE(issuer, 0, DYNAMIC_TYPE_OPENSSL);
#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM) #if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM)
/* avoid printing duplicate certs */ /* avoid printing duplicate certs */
if (store->depth == 1) { if (store->depth == 1) {
/* retrieve x509 certs and display them on stdout */ /* retrieve x509 certs and display them on stdout */
sk = wolfSSL_X509_STORE_GetCerts(store); sk = wolfSSL_X509_STORE_GetCerts(store);