feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Add alternate chain test case where peer presents chain (INT -> INT2 -> PEER) and only INT2 is loaded as trusted. Update existing alternate chain partial test cases to use INT2. Fix for test suite to allow extra newlines in .test files.

Browse Source
This commit is contained in:
David Garske
2020-06-16 14:10:05 -07:00
parent 5a5bc34aa5
commit 9be61c61f5
3 changed files with 115 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
tests/suites.c
View File

@ -509,6 +509,8 @@ static void test_harness(void* vargs)
int cliArgsSz;
char* cursor;
char* comment;
char lastChar = '\0';
int do_it = 0;
const char* fname = "tests/test.conf";
const char* addArgs = NULL;
@ -571,20 +573,27 @@ static void test_harness(void* vargs)
cliArgs[0] = args->argv[0];
while (*cursor != 0) {
int do_it = 0;
switch (*cursor) {
case '\n':
/* A blank line triggers test case execution or switches
to client mode if we don't have the client command yet */
if (lastChar != '\n' && (cliArgsSz > 1 || svrArgsSz > 1)) {
if (cliMode == 0)
cliMode = 1; /* switch to client mode processing */
/* skip extra newlines */
else
do_it = 1; /* Do It, we have server and client */
}
#ifdef DEBUG_SUITE_TESTS
else {
/* skip extra new-lines */
printf("skipping extra new line\n");
}
#endif
lastChar = *cursor;
cursor++;
break;
case '#':
lastChar = *cursor;
/* Ignore lines that start with a # */
comment = XSTRSEP(&cursor, "\n");
#ifdef DEBUG_SUITE_TESTS
@ -597,6 +606,7 @@ static void test_harness(void* vargs)
default:
/* Parameters start with a -. They end in either a newline
* or a space. Capture until either, save in Args list. */
lastChar = *cursor;
if (cliMode)
cliArgs[cliArgsSz++] = XSTRSEP(&cursor, " \n");
else
@ -659,6 +669,7 @@ static void test_harness(void* vargs)
svrArgsSz = 1;
cliArgsSz = 1;
cliMode = 0;
do_it = 0;
}
}

107
tests/test-altchains.conf
View File

@ -1,6 +1,7 @@
# Tests will use complete chain with intermediate CA for testing
# Tests using a longer certificate chain (with intermediate CA's)
# The tests with chains have the CRL checking disabled
# CRL's only load for trusted CA's, for a chain you must load the root and intermediate as trusted
# For these tests we are loading root and sending intermediate and peer certs
# server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Chain
-v 3
@ -82,11 +83,12 @@
-c ./certs/intermediate/client-chain-ecc.pem
-C
# Test will load intermediate CA as trusted and only present the peer cert (partial chain)
# server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
-v 3
-l DHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-cert.pem
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/server-key.pem
-c ./certs/intermediate/server-int-cert.pem
-V
@ -94,7 +96,7 @@
# client TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
-v 3
-l DHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-cert.pem
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/client-key.pem
-c ./certs/intermediate/client-int-cert.pem
-C
@ -102,7 +104,7 @@
# server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-cert.pem
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/server-key.pem
-c ./certs/intermediate/server-int-cert.pem
-V
@ -110,7 +112,7 @@
# client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-cert.pem
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/client-key.pem
-c ./certs/intermediate/client-int-cert.pem
-C
@ -118,7 +120,7 @@
# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Chain
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-ecc-cert.pem
-A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-key.pem
-c ./certs/intermediate/server-int-ecc-cert.pem
-V
@ -126,7 +128,7 @@
# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Chain
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-ecc-cert.pem
-A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-client-key.pem
-c ./certs/intermediate/client-int-ecc-cert.pem
-C
@ -134,7 +136,7 @@
# server TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Chain
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-cert.pem
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/server-key.pem
-c ./certs/intermediate/server-int-cert.pem
-V
@ -142,7 +144,7 @@
# client TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Chain
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-cert.pem
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/client-key.pem
-c ./certs/intermediate/client-int-cert.pem
-C
@ -150,7 +152,7 @@
# server TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Chain
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-ecc-cert.pem
-A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-key.pem
-c ./certs/intermediate/server-int-ecc-cert.pem
-V
@ -158,11 +160,94 @@
# client TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Chain
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-ecc-cert.pem
-A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-client-key.pem
-c ./certs/intermediate/client-int-ecc-cert.pem
-C
# Test will load intermediate2 CA as trusted and present full chain (where intermediate CA is not trusted)
# server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Trusted Chain
-v 3
-l DHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/server-key.pem
-c ./certs/intermediate/server-chain.pem
-V
# client TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Trusted Chain
-v 3
-l DHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/client-key.pem
-c ./certs/intermediate/client-chain.pem
-C
# server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Trusted Chain
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/server-key.pem
-c ./certs/intermediate/server-chain.pem
-V
# client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Trusted Chain
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/client-key.pem
-c ./certs/intermediate/client-chain.pem
-C
# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Trusted Chain
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-key.pem
-c ./certs/intermediate/server-chain-ecc.pem
-V
# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Trusted Chain
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-client-key.pem
-c ./certs/intermediate/client-chain-ecc.pem
-C
# server TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Trusted Chain
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/server-key.pem
-c ./certs/intermediate/server-chain.pem
-V
# client TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Trusted Chain
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/client-key.pem
-c ./certs/intermediate/client-chain.pem
-C
# server TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Trusted Chain
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-key.pem
-c ./certs/intermediate/server-chain-ecc.pem
-V
# client TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Trusted Chain
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-client-key.pem
-c ./certs/intermediate/client-chain-ecc.pem
-C
# Test will use alternate chain where chain contains extra cert
# server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Alt Chain
-v 3

2
wolfssl/test.h
View File

@ -1729,7 +1729,7 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL);
XFREE(issuer, 0, DYNAMIC_TYPE_OPENSSL);
#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM)
/* avoid printing duplicate certs */
/* avoid printing duplicate certs */
if (store->depth == 1) {
/* retrieve x509 certs and display them on stdout */
sk = wolfSSL_X509_STORE_GetCerts(store);