From 24169c1c5419c7cdaf7cc7b976abfe2cd4b2a335 Mon Sep 17 00:00:00 2001 From: James Mayclin Date: Tue, 18 Jun 2024 01:26:16 +0000 Subject: [PATCH 1/7] fix: avoid cert validation on connection_set_config --- tests/unit/s2n_config_test.c | 17 ---------- ...2n_security_policy_cert_preferences_test.c | 32 +++++++++++++++++++ tls/s2n_config.c | 11 +++++++ tls/s2n_connection.c | 11 ++++--- tls/s2n_security_policies.c | 2 ++ 5 files changed, 52 insertions(+), 21 deletions(-) diff --git a/tests/unit/s2n_config_test.c b/tests/unit/s2n_config_test.c index aa4687f8138..ffcd3e0c6a6 100644 --- a/tests/unit/s2n_config_test.c +++ b/tests/unit/s2n_config_test.c @@ -255,23 +255,6 @@ int main(int argc, char **argv) EXPECT_SUCCESS(s2n_connection_free(conn)); EXPECT_SUCCESS(s2n_config_free(config)); }; - - /* Test that security policy validation is enforced on the config */ - { - DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free); - EXPECT_NOT_NULL(config); - DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER), s2n_connection_ptr_free); - EXPECT_NOT_NULL(conn); - - DEFER_CLEANUP(struct s2n_cert_chain_and_key *invalid_cert = NULL, s2n_cert_chain_and_key_ptr_free); - EXPECT_SUCCESS(s2n_test_cert_permutation_load_server_chain(&invalid_cert, "rsae", "pss", "4096", "sha384")); - EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, invalid_cert)); - struct s2n_security_policy rfc9151_applied_locally = security_policy_rfc9151; - rfc9151_applied_locally.certificate_preferences_apply_locally = true; - config->security_policy = &rfc9151_applied_locally; - - EXPECT_FAILURE_WITH_ERRNO(s2n_connection_set_config(conn, config), S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT); - }; }; /* s2n_config_set_session_tickets_onoff */ diff --git a/tests/unit/s2n_security_policy_cert_preferences_test.c b/tests/unit/s2n_security_policy_cert_preferences_test.c index 1c7e44dd231..448728cd03f 100644 
--- a/tests/unit/s2n_security_policy_cert_preferences_test.c +++ b/tests/unit/s2n_security_policy_cert_preferences_test.c @@ -265,6 +265,38 @@ int main(int argc, char **argv) } }; + /* s2n_config invariant: always respects config->security_policy cert preferences */ + { + DEFER_CLEANUP(struct s2n_cert_chain_and_key *cert = NULL, s2n_cert_chain_and_key_ptr_free); + EXPECT_SUCCESS( + s2n_test_cert_permutation_load_server_chain(&cert, "ec", "ecdsa", "p384", "sha256")); + /* configure security policy then load an invalid cert */ + { + DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free); + EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "rfc9151")); + + EXPECT_FAILURE(s2n_config_add_cert_chain_and_key_to_store(config, cert)); + + /* assert that no certs were loaded */ + uint32_t domain_certs = 0; + EXPECT_EQUAL(s2n_config_get_num_default_certs(config), 0); + EXPECT_SUCCESS(s2n_map_size(config->domain_name_to_cert_map, &domain_certs)); + EXPECT_EQUAL(domain_certs, 0); + EXPECT_EQUAL(s2n_config_get_num_default_certs(config), 0); + }; + + /* load a cert then configure an invalid security policy */ + { + DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free); + EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, cert)); + const struct s2n_security_policy *default_sp = config->security_policy; + EXPECT_FAILURE(s2n_config_set_cipher_preferences(config, "rfc9151")); + + /* assert that the security policy was not changed */ + EXPECT_EQUAL(config->security_policy, default_sp); + }; + }; + END_TEST(); return S2N_SUCCESS; } diff --git a/tls/s2n_config.c b/tls/s2n_config.c index 5683b764ef0..07c663246e3 100644 --- a/tls/s2n_config.c +++ b/tls/s2n_config.c 
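Review bot: Both new sub-blocks dereference `config` right after `s2n_config_new()` without the `EXPECT_NOT_NULL(config);` that the test removed from tests/unit/s2n_config_test.c had, so an allocation failure would show up as a crash rather than a reported test failure. In the first sub-block `EXPECT_EQUAL(s2n_config_get_num_default_certs(config), 0);` appears twice, before and after the map-size check, and one copy can go. The second sub-block could also assert that the previously loaded cert is still present after the rejected `s2n_config_set_cipher_preferences` call, e.g. `EXPECT_EQUAL(s2n_config_get_num_default_certs(config), 1);`, so the rejection is shown to leave the whole config untouched and not only the policy pointer.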
@@ -532,6 +532,8 @@ static int s2n_config_add_cert_chain_and_key_impl(struct s2n_config *config, str POSIX_ENSURE_REF(config->domain_name_to_cert_map); POSIX_ENSURE_REF(cert_key_pair); + POSIX_GUARD_RESULT(s2n_security_policy_validate_certificate_chain(config->security_policy, cert_key_pair)); + s2n_pkey_type cert_type = s2n_cert_chain_and_key_get_pkey_type(cert_key_pair); config->is_rsa_cert_configured |= (cert_type == S2N_PKEY_TYPE_RSA); @@ -567,6 +569,11 @@ S2N_RESULT s2n_config_validate_loaded_certificates(const struct s2n_config *conf RESULT_ENSURE_REF(config); RESULT_ENSURE_REF(security_policy); + if (security_policy->certificate_key_preferences == NULL + && security_policy->certificate_signature_preferences == NULL) { + return S2N_RESULT_OK; + } + /* validate the default certs */ for (int i = 0; i < S2N_CERT_TYPE_COUNT; i++) { struct s2n_cert_chain_and_key *cert = config->default_certs_by_type.certs[i]; @@ -577,6 +584,10 @@ S2N_RESULT s2n_config_validate_loaded_certificates(const struct s2n_config *conf } /* validate the certs in the domain map */ + if (config->domain_name_to_cert_map == NULL) { + return S2N_RESULT_OK; + } + struct s2n_map_iterator iter = { 0 }; RESULT_GUARD(s2n_map_iterator_init(&iter, config->domain_name_to_cert_map)); diff --git a/tls/s2n_connection.c b/tls/s2n_connection.c index 74f1597aabb..86323d681dd 100644 --- a/tls/s2n_connection.c +++ b/tls/s2n_connection.c 
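Review bot: The guard added to `s2n_config_add_cert_chain_and_key_impl` introduces a caller-visible failure that depends on call order, and nothing in the hunk documents it: a cert that loaded before now fails if a policy with certificate preferences was set first. A short comment above the guard would help, for example `/* Reject certs that violate config->security_policy before any config state is modified; s2n_connection_set_config relies on this */`. The same applies to the check added to `s2n_config_set_cipher_preferences` in tls/s2n_security_policies.c, and the public API documentation for both entry points (not part of this diff) should mention `S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT`. `config->security_policy` is passed without a visible `POSIX_ENSURE_REF`; presumably the callee checks it, but that and the rest of the function body are outside the hunk.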
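Review bot: The early return added to `s2n_config_validate_loaded_certificates` would fail open if the policy ever gains another certificate-related preference list, because the condition hard-codes the two fields that `s2n_security_policy_validate_certificate_chain` is assumed to consult. A comment would make that coupling explicit, e.g. `/* Fast path: no certificate preferences to enforce. Keep in sync with s2n_security_policy_validate_certificate_chain */`. The function starts before and continues after this hunk.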
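Review bot: Returning `S2N_RESULT_OK` when `config->domain_name_to_cert_map` is NULL treats a missing map as "nothing to validate", while `s2n_config_add_cert_chain_and_key_impl` in the first hunk of this file treats the same condition as an error via `POSIX_ENSURE_REF(config->domain_name_to_cert_map)`. If a config without a map is legitimate at this point, a comment naming that case would keep the two from looking contradictory; if it is not, `RESULT_ENSURE_REF(config->domain_name_to_cert_map);` keeps the validator fail-closed. The rest of the function is outside the hunk.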
@@ -287,11 +287,14 @@ int s2n_connection_set_config(struct s2n_connection *conn, struct s2n_config *co return 0; } - const struct s2n_security_policy *security_policy = conn->security_policy_override; - if (!security_policy) { - security_policy = config->security_policy; + /* s2n_config invariant: any s2n_config is always in a state that respects the + * config->security_policy certificate preferences. Therefore we only need to + * validate certificates here if the connection is using a security policy override. + */ + const struct s2n_security_policy *security_policy_override = conn->security_policy_override; + if (security_policy_override) { + POSIX_GUARD_RESULT(s2n_config_validate_loaded_certificates(config, security_policy_override)); } - POSIX_GUARD_RESULT(s2n_config_validate_loaded_certificates(config, security_policy)); /* We only support one client certificate */ if (s2n_config_get_num_default_certs(config) > 1 && conn->mode == S2N_CLIENT) { diff --git a/tls/s2n_security_policies.c b/tls/s2n_security_policies.c index aa6c461d49f..c36515bd3c1 100644 --- a/tls/s2n_security_policies.c +++ b/tls/s2n_security_policies.c @@ -1278,6 +1278,8 @@ int s2n_config_set_cipher_preferences(struct s2n_config *config, const char *ver /* If the security policy's minimum version is higher than what libcrypto supports, return an error. */ POSIX_ENSURE((security_policy->minimum_protocol_version <= s2n_get_highest_fully_supported_tls_version()), S2N_ERR_PROTOCOL_VERSION_UNSUPPORTED); + /* If the config contains certificates violating the security policy cert preferences, return an error. */ + POSIX_GUARD_RESULT(s2n_config_validate_loaded_certificates(config, security_policy)); config->security_policy = security_policy; return 0; } From 80635e5db6cd63effe6e135006a3124fdcb73ad3 Mon Sep 17 00:00:00 2001 
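Review bot: Dropping the config-policy validation from `s2n_connection_set_config` is only safe if every writer of the config's certificates and of `config->security_policy` validates, and this series shows just two such writers: `s2n_config_add_cert_chain_and_key_impl` and `s2n_config_set_cipher_preferences`. Other paths, such as `s2n_config_set_cert_chain_and_key_defaults` or any code that assigns `config->security_policy` directly (the test added later in tests/unit/s2n_connection_test.c does exactly that), are not visible here and should be confirmed to validate or be documented as bypassing the check. I would extend the new comment to name the enforcement points, e.g. `* The invariant is enforced when certs are added to the config and in s2n_config_set_cipher_preferences.`. The function starts before and continues after the hunk.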
From: James Mayclin Date: Tue, 18 Jun 2024 18:09:21 +0000 Subject: [PATCH 2/7] address ci failure - forgot to include s2n_map header --- tests/unit/s2n_security_policy_cert_preferences_test.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/unit/s2n_security_policy_cert_preferences_test.c b/tests/unit/s2n_security_policy_cert_preferences_test.c index 448728cd03f..9f9f2562a5c 100644 --- a/tests/unit/s2n_security_policy_cert_preferences_test.c +++ b/tests/unit/s2n_security_policy_cert_preferences_test.c @@ -18,6 +18,7 @@ #include "tls/s2n_certificate_keys.h" #include "tls/s2n_security_policies.h" #include "tls/s2n_signature_scheme.h" +#include "utils/s2n_map.h" #define CHAIN_LENGTH 3 @@ -280,7 +281,7 @@ int main(int argc, char **argv) /* assert that no certs were loaded */ uint32_t domain_certs = 0; EXPECT_EQUAL(s2n_config_get_num_default_certs(config), 0); - EXPECT_SUCCESS(s2n_map_size(config->domain_name_to_cert_map, &domain_certs)); + EXPECT_OK(s2n_map_size(config->domain_name_to_cert_map, &domain_certs)); EXPECT_EQUAL(domain_certs, 0); EXPECT_EQUAL(s2n_config_get_num_default_certs(config), 0); }; From 1c644826bcf6a49ea3dbac72f35b9345ed660af7 Mon Sep 17 00:00:00 2001 
From: James Mayclin Date: Sat, 29 Jun 2024 00:33:45 +0000 Subject: [PATCH 3/7] address pr feedback - add unit test to guard against cert preferences in default sp --- tests/pems/permutations/generate-certs.sh | 1 + .../rsae_pkcs_512_sha1/ca-cert.pem | 11 +++++++ .../rsae_pkcs_512_sha1/client-cert.pem | 11 +++++++ .../rsae_pkcs_512_sha1/client-key.pem | 10 ++++++ .../rsae_pkcs_512_sha1/server-chain.pem | 33 +++++++++++++++++++ .../rsae_pkcs_512_sha1/server-key.pem | 10 ++++++ ...2n_security_policy_cert_preferences_test.c | 20 +++++++++++ 7 files changed, 96 insertions(+) create mode 100644 tests/pems/permutations/rsae_pkcs_512_sha1/ca-cert.pem create mode 100644 tests/pems/permutations/rsae_pkcs_512_sha1/client-cert.pem create mode 100644 tests/pems/permutations/rsae_pkcs_512_sha1/client-key.pem create mode 100644 tests/pems/permutations/rsae_pkcs_512_sha1/server-chain.pem create mode 100644 tests/pems/permutations/rsae_pkcs_512_sha1/server-key.pem diff --git a/tests/pems/permutations/generate-certs.sh b/tests/pems/permutations/generate-certs.sh index bf283fb182b..df399b8f9e1 100755 --- a/tests/pems/permutations/generate-certs.sh +++ b/tests/pems/permutations/generate-certs.sh @@ -170,6 +170,7 @@ then cert-gen ec ecdsa 384 SHA384 ec_ecdsa_p384_sha384 cert-gen ec ecdsa 521 SHA384 ec_ecdsa_p521_sha384 cert-gen ec ecdsa 521 SHA512 ec_ecdsa_p521_sha512 + cert-gen rsa pkcsv1.5 512 SHA1 rsae_pkcs_512_sha1 cert-gen rsa pkcsv1.5 2048 SHA1 rsae_pkcs_2048_sha1 cert-gen rsa pkcsv1.5 2048 SHA224 rsae_pkcs_2048_sha224 cert-gen rsa pkcsv1.5 2048 SHA256 rsae_pkcs_2048_sha256 diff --git a/tests/pems/permutations/rsae_pkcs_512_sha1/ca-cert.pem b/tests/pems/permutations/rsae_pkcs_512_sha1/ca-cert.pem new file mode 100644 index 00000000000..902337052b0 --- /dev/null +++ b/tests/pems/permutations/rsae_pkcs_512_sha1/ca-cert.pem 
@@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBoTCCAUugAwIBAgIUOL0vNhopjHe1lGdOxUrjtr58fKwwDQYJKoZIhvcNAQEF +BQAwHDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBHJvb3QwIBcNMjQwNjI4MjIyNjMx +WhgPMjIwMzEyMDQyMjI2MzFaMBwxCzAJBgNVBAYTAlVTMQ0wCwYDVQQDDARyb290 +MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAM+TK0jfOm9OxYqWEJ+NWTBzdVQQAcrr +RySqkex15wgKOMvQfbcIOvuRPOHA09Y9lRWxQzgoNXwrO/WrWJ0KcnECAwEAAaNj +MGEwHQYDVR0OBBYEFGuQv3m+EZ+g83LuhPOGIq07GvcQMB8GA1UdIwQYMBaAFGuQ +v3m+EZ+g83LuhPOGIq07GvcQMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD +AgIEMA0GCSqGSIb3DQEBBQUAA0EAe26pHHL4uRBNEqEfU8IXTMSoBMmGoHLDz7P7 +87i/Optxm7Hdb+SjtWUp+0NYIlJ4w52e/us8w3qT/S7mSaKrdQ== +-----END CERTIFICATE----- diff --git a/tests/pems/permutations/rsae_pkcs_512_sha1/client-cert.pem b/tests/pems/permutations/rsae_pkcs_512_sha1/client-cert.pem new file mode 100644 index 00000000000..060245d9538 --- /dev/null +++ b/tests/pems/permutations/rsae_pkcs_512_sha1/client-cert.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBmDCCAUKgAwIBAgIULuW63lQamjlSAZ2F4CR5WdUahtAwDQYJKoZIhvcNAQEF +BQAwHDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBHJvb3QwIBcNMjQwNjI4MjIyNjMx +WhgPMjIwMzEyMDQyMjI2MzFaMB4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQDDAZjbGll +bnQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxpJOkCTsbF2qqp7r6hxJIkDsA4DX +8BewqA6lClZYFIHuYdc3SmkNT0B94jpS5ernK+1SBILf2Xt8JFCliWhbJQIDAQAB +o1gwVjAUBgNVHREEDTALgglsb2NhbGhvc3QwHQYDVR0OBBYEFHZf7DM9xxxobjgJ +JnqanzwDBJivMB8GA1UdIwQYMBaAFGuQv3m+EZ+g83LuhPOGIq07GvcQMA0GCSqG +SIb3DQEBBQUAA0EAN13P1ieJk92ck/PStGP9rki4ZPcSU+c9KyTzpnHVYt6zXbDi +JAYsrus9no+yej9TYMWakvFeIoItgrvNgHVZ7g== +-----END CERTIFICATE----- diff --git a/tests/pems/permutations/rsae_pkcs_512_sha1/client-key.pem b/tests/pems/permutations/rsae_pkcs_512_sha1/client-key.pem new file mode 100644 index 00000000000..df7e4d7a91d --- /dev/null +++ b/tests/pems/permutations/rsae_pkcs_512_sha1/client-key.pem 
@@ -0,0 +1,10 @@ +-----BEGIN PRIVATE KEY----- +MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAxpJOkCTsbF2qqp7r +6hxJIkDsA4DX8BewqA6lClZYFIHuYdc3SmkNT0B94jpS5ernK+1SBILf2Xt8JFCl +iWhbJQIDAQABAkAKfhqmpTzU8RIel+0xXrNCmxmdicZfSnEsQDHaXPukga1Cbt3N +QFgjmKqvQffi41K8/Zs8asmDMY9OIhTpfhqVAiEA7RNbOw4krT2TxcJbUu5ea2Sm +bhF5TaYX8WjL9OXkCXsCIQDWbB5hNRXsAyA+Ac8+S7usxF5OxK9je2LEC+teGMJ7 +3wIhAJE32hpCf5TeszXf57DU8mE2NfwWGAfIRcJKPySz7QshAiEAxqYsDwrLYHgU +6t1qTuCC4rCaXodBpfytp8sTJ33w0CkCIGJSf2hq2PgCESFXAD0NsESzQ+q5xSRU +UtqYNy6B510+ +-----END PRIVATE KEY----- diff --git a/tests/pems/permutations/rsae_pkcs_512_sha1/server-chain.pem b/tests/pems/permutations/rsae_pkcs_512_sha1/server-chain.pem new file mode 100644 index 00000000000..33629ae9953 --- /dev/null +++ b/tests/pems/permutations/rsae_pkcs_512_sha1/server-chain.pem 
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIBmDCCAUKgAwIBAgIUdVOeN8EEdVAEaCYb3SsqasYAclAwDQYJKoZIhvcNAQEF +BQAwHjELMAkGA1UEBhMCVVMxDzANBgNVBAMMBmJyYW5jaDAgFw0yNDA2MjgyMjI2 +MzFaGA8yMjAzMTIwNDIyMjYzMVowHDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBGxl +YWYwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAzw9mmvGMx4KTf0g5pbKAEwTY3g1P +N4wIY3egdN6Jn0fOEp7C+m1bPMe7vfVOJXwf/sDtAIk1cu83641TZipLcQIDAQAB +o1gwVjAUBgNVHREEDTALgglsb2NhbGhvc3QwHQYDVR0OBBYEFM+ZjHL6FWpQf/rz +BTp47pxvzKBKMB8GA1UdIwQYMBaAFBsz11YK9dErkBvLRLnK4LnnTKbuMA0GCSqG +SIb3DQEBBQUAA0EAnltE4ACfhG1t0IqiKNh8hvpxqOOkUvvVViMV3tUP/V1Kn7nE +vdjl4sADQSBEKDMczOFJew+z/4gumtKt2vQObA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBozCCAU2gAwIBAgIULuW63lQamjlSAZ2F4CR5WdUahs8wDQYJKoZIhvcNAQEF +BQAwHDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBHJvb3QwIBcNMjQwNjI4MjIyNjMx +WhgPMjIwMzEyMDQyMjI2MzFaMB4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQDDAZicmFu +Y2gwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxGirjO1UgCfKgbGq9LqmBbKL8FIg +GLcRHOAXdkovX633ZAt9JtI8TYOM/fAzdAE++bGIdj3z2TyHo/BRppLLbwIDAQAB +o2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICBDAdBgNVHQ4EFgQU +GzPXVgr10SuQG8tEucrguedMpu4wHwYDVR0jBBgwFoAUa5C/eb4Rn6Dzcu6E84Yi +rTsa9xAwDQYJKoZIhvcNAQEFBQADQQCNLdvQISyt0SmwqfQlSxLyFaCHNs2+sA6/ +PGtZERzUpzqXmAYVrFzWlTeA4NnBC9DEbmWAHDaSMXBNslnVKhAF +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBoTCCAUugAwIBAgIUOL0vNhopjHe1lGdOxUrjtr58fKwwDQYJKoZIhvcNAQEF +BQAwHDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBHJvb3QwIBcNMjQwNjI4MjIyNjMx +WhgPMjIwMzEyMDQyMjI2MzFaMBwxCzAJBgNVBAYTAlVTMQ0wCwYDVQQDDARyb290 +MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAM+TK0jfOm9OxYqWEJ+NWTBzdVQQAcrr +RySqkex15wgKOMvQfbcIOvuRPOHA09Y9lRWxQzgoNXwrO/WrWJ0KcnECAwEAAaNj +MGEwHQYDVR0OBBYEFGuQv3m+EZ+g83LuhPOGIq07GvcQMB8GA1UdIwQYMBaAFGuQ +v3m+EZ+g83LuhPOGIq07GvcQMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD +AgIEMA0GCSqGSIb3DQEBBQUAA0EAe26pHHL4uRBNEqEfU8IXTMSoBMmGoHLDz7P7 +87i/Optxm7Hdb+SjtWUp+0NYIlJ4w52e/us8w3qT/S7mSaKrdQ== +-----END CERTIFICATE----- 
diff --git a/tests/pems/permutations/rsae_pkcs_512_sha1/server-key.pem b/tests/pems/permutations/rsae_pkcs_512_sha1/server-key.pem new file mode 100644 index 00000000000..ce0885c9081 --- /dev/null +++ b/tests/pems/permutations/rsae_pkcs_512_sha1/server-key.pem @@ -0,0 +1,10 @@ +-----BEGIN PRIVATE KEY----- +MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEAzw9mmvGMx4KTf0g5 +pbKAEwTY3g1PN4wIY3egdN6Jn0fOEp7C+m1bPMe7vfVOJXwf/sDtAIk1cu83641T +ZipLcQIDAQABAkBEjoHXfXCyQh6Z/wzvOtnC8lDnvJpk9t10KZCcAW6pqKBw+M8D +63YyvzM4vsyBsDAbCvtMyVvospVvjdNeU1VdAiEA/kP42+tIh+2Sd795+UHsccNV +8FwS7SMA6lgLk19xcwsCIQDQeP5EoWs7sZXFlN4omylxh6Fq9FNCKjgn0lm7or1I +8wIgM7GGCtAO8vOt74KSPcbVV1urQS62+lc/fGViFRg2bHkCID6gmoIzm+tK5ht9 +JWA9fK3GeQ+QZpKx7DzKTHq54PNRAiA2RnWEH3f1z4IRmpXU0dRZPtsGTDSmFova +GZRjCeq5UA== +-----END PRIVATE KEY----- diff --git a/tests/unit/s2n_security_policy_cert_preferences_test.c b/tests/unit/s2n_security_policy_cert_preferences_test.c index 9f9f2562a5c..6339573a443 100644 --- a/tests/unit/s2n_security_policy_cert_preferences_test.c +++ b/tests/unit/s2n_security_policy_cert_preferences_test.c 
@@ -298,6 +298,26 @@ int main(int argc, char **argv) }; }; + /* default policy check: ensure that the default security policy doesn't + * enforce certificate preferences. + * + * Adding certificate preferences to the default security policy would be a + * breaking change, because it would prevent customers from adding + * non-compliant certs unless they first set the security policy. + * + * This test ensures that such a breaking change would be visible and + * deliberate. + */ + { + DEFER_CLEANUP(struct s2n_cert_chain_and_key *cert = NULL, s2n_cert_chain_and_key_ptr_free); + /* use a very insecure cert that would not be included in any reasonable cert preferences */ + EXPECT_SUCCESS(s2n_test_cert_permutation_load_server_chain(&cert, "rsae", "pkcs", "512", "sha1")); + + DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free); + EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, cert)); + EXPECT_EQUAL(s2n_config_get_num_default_certs(config), 1); + }; + END_TEST(); return S2N_SUCCESS; } From 8abea265c99ae448a36cb00ad0239dc6c438b939 Mon Sep 17 00:00:00 2001 From: James Mayclin Date: Tue, 9 Jul 2024 03:59:33 +0000 Subject: [PATCH 4/7] address pr feedback - add new unit test to ensure certs aren't checked in set_config - use FAILURE_WITH_ERRNO --- tests/unit/s2n_connection_test.c | 25 +++++++++++++++++++ ...2n_security_policy_cert_preferences_test.c | 12 +++++---- 2 files changed, 32 insertions(+), 5 deletions(-) diff --git a/tests/unit/s2n_connection_test.c b/tests/unit/s2n_connection_test.c index e8252940797..7a1c4e63bdb 100644 --- a/tests/unit/s2n_connection_test.c +++ b/tests/unit/s2n_connection_test.c 
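Review bot: The new block checks the default policy only indirectly, by loading a weak certificate, so the result also depends on the linked libcrypto accepting that key; the later switch to a 1024-bit cert in this series suggests that dependency already caused a CI failure. Asserting the property itself would be more robust, for example `EXPECT_EQUAL(config->security_policy->certificate_key_preferences, NULL);` and the same for `certificate_signature_preferences`, alongside the existing load. `config` is also used without an `EXPECT_NOT_NULL(config);` after `s2n_config_new()`.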
@@ -648,6 +648,31 @@ int main(int argc, char **argv) conn->security_policy_override = &rfc9151_applied_locally; EXPECT_FAILURE_WITH_ERRNO(s2n_connection_set_config(conn, config), S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT); }; + + /* s2n_connection_set_config doesn't enforce cert preferences + * + * Customers may configure large numbers of certs on each config. This test + * asserts that we don't do any validation on certificates as part of set_config, + * because that would incur a potentially large performance penalty. + */ + { + DEFER_CLEANUP(struct s2n_cert_chain_and_key *invalid_cert = NULL, s2n_cert_chain_and_key_ptr_free); + EXPECT_SUCCESS( + s2n_test_cert_permutation_load_server_chain(&invalid_cert, "ec", "ecdsa", "p384", "sha256")); + + DEFER_CLEANUP(struct s2n_config *invalid_config = s2n_config_new(), s2n_config_ptr_free); + EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(invalid_config, invalid_cert)); + + /* directly set the security policy to avoid the validation in "set_cipher_preferences" */ + const struct s2n_security_policy *security_policy = NULL; + POSIX_GUARD(s2n_find_security_policy_from_version("rfc9151", &security_policy)); + invalid_config->security_policy = security_policy; + + DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER), s2n_connection_ptr_free); + POSIX_ENSURE_REF(conn); + /* Success implies that certificates are not validated as during "set_config" */ + EXPECT_SUCCESS(s2n_connection_set_config(conn, invalid_config)); + }; }; /* Test s2n_connection_get_wire_bytes_out */ diff --git a/tests/unit/s2n_security_policy_cert_preferences_test.c b/tests/unit/s2n_security_policy_cert_preferences_test.c index 6339573a443..ebc510efb3c 100644 --- a/tests/unit/s2n_security_policy_cert_preferences_test.c +++ b/tests/unit/s2n_security_policy_cert_preferences_test.c 
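Review bot: The new block calls `POSIX_GUARD(s2n_find_security_policy_from_version(...))` and `POSIX_ENSURE_REF(conn)` inside the test's `main`, which on failure would return from `main` directly instead of going through the `EXPECT_*` reporting used by the rest of the hunk. `EXPECT_SUCCESS(s2n_find_security_policy_from_version("rfc9151", &security_policy));` and `EXPECT_NOT_NULL(conn);` would be consistent, and `invalid_config` deserves an `EXPECT_NOT_NULL` as well since it is dereferenced a few lines later. The last comment reads "are not validated as during"; `/* Success implies that certificates are not validated during "set_config" */` is probably what was meant.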
@@ -268,15 +268,16 @@ int main(int argc, char **argv) /* s2n_config invariant: always respects config->security_policy cert preferences */ { - DEFER_CLEANUP(struct s2n_cert_chain_and_key *cert = NULL, s2n_cert_chain_and_key_ptr_free); + DEFER_CLEANUP(struct s2n_cert_chain_and_key *invalid_cert = NULL, s2n_cert_chain_and_key_ptr_free); EXPECT_SUCCESS( - s2n_test_cert_permutation_load_server_chain(&cert, "ec", "ecdsa", "p384", "sha256")); + s2n_test_cert_permutation_load_server_chain(&invalid_cert, "ec", "ecdsa", "p384", "sha256")); /* configure security policy then load an invalid cert */ { DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free); EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "rfc9151")); - EXPECT_FAILURE(s2n_config_add_cert_chain_and_key_to_store(config, cert)); + EXPECT_FAILURE_WITH_ERRNO(s2n_config_add_cert_chain_and_key_to_store(config, invalid_cert), + S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT); /* assert that no certs were loaded */ uint32_t domain_certs = 0; @@ -289,9 +290,10 @@ int main(int argc, char **argv) /* load a cert then configure an invalid security policy */ { DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free); - EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, cert)); + EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, invalid_cert)); const struct s2n_security_policy *default_sp = config->security_policy; - EXPECT_FAILURE(s2n_config_set_cipher_preferences(config, "rfc9151")); + EXPECT_FAILURE_WITH_ERRNO(s2n_config_set_cipher_preferences(config, "rfc9151"), + S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT); /* assert that the security policy was not changed */ EXPECT_EQUAL(config->security_policy, default_sp); From 66ca9f592dc93c1a5a92db1c339c2d682c4e4db6 Mon Sep 17 00:00:00 2001 
From: James Mayclin Date: Wed, 10 Jul 2024 17:29:57 +0000 Subject: [PATCH 5/7] address pr feedback - whitespace fix on the ec certs --- tests/unit/s2n_security_policy_cert_preferences_test.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/unit/s2n_security_policy_cert_preferences_test.c b/tests/unit/s2n_security_policy_cert_preferences_test.c index ebc510efb3c..b245123d534 100644 --- a/tests/unit/s2n_security_policy_cert_preferences_test.c +++ b/tests/unit/s2n_security_policy_cert_preferences_test.c @@ -269,8 +269,8 @@ int main(int argc, char **argv) /* s2n_config invariant: always respects config->security_policy cert preferences */ { DEFER_CLEANUP(struct s2n_cert_chain_and_key *invalid_cert = NULL, s2n_cert_chain_and_key_ptr_free); - EXPECT_SUCCESS( - s2n_test_cert_permutation_load_server_chain(&invalid_cert, "ec", "ecdsa", "p384", "sha256")); + EXPECT_SUCCESS(s2n_test_cert_permutation_load_server_chain(&invalid_cert, + "ec", "ecdsa", "p384", "sha256")); /* configure security policy then load an invalid cert */ { DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free); From 8f3e8b1558216bf957398dc7d643508a555fcd34 Mon Sep 17 00:00:00 2001 From: James Mayclin Date: Wed, 10 Jul 2024 17:32:41 +0000 Subject: [PATCH 6/7] address pr feedback - add missing newline --- tests/unit/s2n_security_policy_cert_preferences_test.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/unit/s2n_security_policy_cert_preferences_test.c b/tests/unit/s2n_security_policy_cert_preferences_test.c index b245123d534..04583fad98a 100644 --- a/tests/unit/s2n_security_policy_cert_preferences_test.c +++ b/tests/unit/s2n_security_policy_cert_preferences_test.c 
@@ -271,6 +271,7 @@ int main(int argc, char **argv) DEFER_CLEANUP(struct s2n_cert_chain_and_key *invalid_cert = NULL, s2n_cert_chain_and_key_ptr_free); EXPECT_SUCCESS(s2n_test_cert_permutation_load_server_chain(&invalid_cert, "ec", "ecdsa", "p384", "sha256")); + /* configure security policy then load an invalid cert */ { DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free); From 26c6330c88f74c9474f215afaeed1273e1e131f7 Mon Sep 17 00:00:00 2001 
From: James Mayclin Date: Tue, 16 Jul 2024 17:00:34 +0000 Subject: [PATCH 7/7] address ci failure - switch to 1024 bit cert --- tests/pems/permutations/generate-certs.sh | 2 +- .../rsae_pkcs_1024_sha1/ca-cert.pem | 14 +++++++ .../rsae_pkcs_1024_sha1/client-cert.pem | 14 +++++++ .../rsae_pkcs_1024_sha1/client-key.pem | 16 +++++++ .../rsae_pkcs_1024_sha1/server-chain.pem | 42 +++++++++++++++++++ .../rsae_pkcs_1024_sha1/server-key.pem | 16 +++++++ .../rsae_pkcs_512_sha1/ca-cert.pem | 11 ----- .../rsae_pkcs_512_sha1/client-cert.pem | 11 ----- .../rsae_pkcs_512_sha1/client-key.pem | 10 ----- .../rsae_pkcs_512_sha1/server-chain.pem | 33 --------------- .../rsae_pkcs_512_sha1/server-key.pem | 10 ----- ...2n_security_policy_cert_preferences_test.c | 2 +- 12 files changed, 104 insertions(+), 77 deletions(-) create mode 100644 tests/pems/permutations/rsae_pkcs_1024_sha1/ca-cert.pem create mode 100644 tests/pems/permutations/rsae_pkcs_1024_sha1/client-cert.pem create mode 100644 tests/pems/permutations/rsae_pkcs_1024_sha1/client-key.pem create mode 100644 tests/pems/permutations/rsae_pkcs_1024_sha1/server-chain.pem create mode 100644 tests/pems/permutations/rsae_pkcs_1024_sha1/server-key.pem delete mode 100644 tests/pems/permutations/rsae_pkcs_512_sha1/ca-cert.pem delete mode 100644 tests/pems/permutations/rsae_pkcs_512_sha1/client-cert.pem delete mode 100644 tests/pems/permutations/rsae_pkcs_512_sha1/client-key.pem delete mode 100644 tests/pems/permutations/rsae_pkcs_512_sha1/server-chain.pem delete mode 100644 tests/pems/permutations/rsae_pkcs_512_sha1/server-key.pem diff --git a/tests/pems/permutations/generate-certs.sh b/tests/pems/permutations/generate-certs.sh index df399b8f9e1..8491ba8f8a1 100755 --- a/tests/pems/permutations/generate-certs.sh +++ b/tests/pems/permutations/generate-certs.sh 
@@ -170,7 +170,7 @@ then cert-gen ec ecdsa 384 SHA384 ec_ecdsa_p384_sha384 cert-gen ec ecdsa 521 SHA384 ec_ecdsa_p521_sha384 cert-gen ec ecdsa 521 SHA512 ec_ecdsa_p521_sha512 - cert-gen rsa pkcsv1.5 512 SHA1 rsae_pkcs_512_sha1 + cert-gen rsa pkcsv1.5 1024 SHA1 rsae_pkcs_1024_sha1 cert-gen rsa pkcsv1.5 2048 SHA1 rsae_pkcs_2048_sha1 cert-gen rsa pkcsv1.5 2048 SHA224 rsae_pkcs_2048_sha224 cert-gen rsa pkcsv1.5 2048 SHA256 rsae_pkcs_2048_sha256 diff --git a/tests/pems/permutations/rsae_pkcs_1024_sha1/ca-cert.pem b/tests/pems/permutations/rsae_pkcs_1024_sha1/ca-cert.pem new file mode 100644 index 00000000000..3a21510a09a --- /dev/null +++ b/tests/pems/permutations/rsae_pkcs_1024_sha1/ca-cert.pem @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICJjCCAY+gAwIBAgIUQDCl/x6VIdw2yTd5txSGLknYLO4wDQYJKoZIhvcNAQEF +BQAwHDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBHJvb3QwIBcNMjQwNzE2MTY1NzU3 +WhgPMjIwMzEyMjIxNjU3NTdaMBwxCzAJBgNVBAYTAlVTMQ0wCwYDVQQDDARyb290 +MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDH6oo3EzDAAN+1zmpMkxEw2EP6 +E8Zh2wjVvC4VGjCgjysjwswxQmteLO+ZXgIDqXfRw9nC6VXZkSRqVMY07t5OFre+ +6eDDPW6jugtDveqJfFWgCNuOnFlVTC5GflS+8pC3mcnyRdTmlxK0wDAGQQmZMsNN +cKDAoTNq0StR0E/1ZwIDAQABo2MwYTAdBgNVHQ4EFgQUAh7fvcT9sUislNuEPeSQ +X9xO5HcwHwYDVR0jBBgwFoAUAh7fvcT9sUislNuEPeSQX9xO5HcwDwYDVR0TAQH/ +BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwDQYJKoZIhvcNAQEFBQADgYEAj5ht0bxM +ebIpeYJSpvA7L+J9Vttn3iGuw+j52y4wAWIQ6OZEJQAu5WDn6Tox0nJ33/v/yPu2 ++LN5dtQm8P1rBRo9zJ3QKv/HhvhcZ+eWaWpwX8ccDT/9jXRTS2tGGg8Mr5x97W4A +EyqOVM1cZOUjuDlibMNJoPU/n1uuyclkjqw= +-----END CERTIFICATE----- diff --git a/tests/pems/permutations/rsae_pkcs_1024_sha1/client-cert.pem b/tests/pems/permutations/rsae_pkcs_1024_sha1/client-cert.pem new file mode 100644 index 00000000000..99a98f4d519 --- /dev/null +++ b/tests/pems/permutations/rsae_pkcs_1024_sha1/client-cert.pem 
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICHTCCAYagAwIBAgIUPinmIrgv3ehEP79tmkXGXv2WXdUwDQYJKoZIhvcNAQEF +BQAwHDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBHJvb3QwIBcNMjQwNzE2MTY1NzU3 +WhgPMjIwMzEyMjIxNjU3NTdaMB4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQDDAZjbGll +bnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMLoQlvRxBoqr+/5dTcSFHZd +1obX8MLtFK42bbwxdoehTe9k0UtBi0DAaVGOmntntn4QMoAiyyXkIqIWnv3rnKKl +rZNotl8lZR8JfNhR869uVtmUHO4bupknHFigW16R/RMsYyGaBPTfpJlRQtTC0uQf +M+amPpxxPSQpzWlpnd/bAgMBAAGjWDBWMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAd +BgNVHQ4EFgQUPqmkeXae2pEeEmTnayyPDjkey2AwHwYDVR0jBBgwFoAUAh7fvcT9 +sUislNuEPeSQX9xO5HcwDQYJKoZIhvcNAQEFBQADgYEAGUDGe/OyqzSuIT7dZSec +ypIK8llt4X7ceZrTKVFWxl3oyTFJVzzmHTiIrUmqcrDi3i664Wjd/ni2k3/piKVt +e23E4pFmXOQ0i95C/nqyKNmio4saxUUEX6bf6u7kxYC8OVmD4/fnulQtfJijnQA2 +gJRedJcj+ppZ7+H9TxCzXdM= +-----END CERTIFICATE----- diff --git a/tests/pems/permutations/rsae_pkcs_1024_sha1/client-key.pem b/tests/pems/permutations/rsae_pkcs_1024_sha1/client-key.pem new file mode 100644 index 00000000000..af729c66c2b --- /dev/null +++ b/tests/pems/permutations/rsae_pkcs_1024_sha1/client-key.pem 
@@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAMLoQlvRxBoqr+/5 +dTcSFHZd1obX8MLtFK42bbwxdoehTe9k0UtBi0DAaVGOmntntn4QMoAiyyXkIqIW +nv3rnKKlrZNotl8lZR8JfNhR869uVtmUHO4bupknHFigW16R/RMsYyGaBPTfpJlR +QtTC0uQfM+amPpxxPSQpzWlpnd/bAgMBAAECgYB6XAMkz5iz8K6JEeuDSidsc9a0 +yqYMSXgdMnBLoCXQWfSqYHmALEK2wNSdbdAPvvlzRMnfZXhxbjpL1bW0pRCsdkml +4llm3S+VlZVjSu6kYM7Dwvfm2VqbJq8MnMXVNxeU77PF2fddhOTtV0uHIJLVY6X2 +Nqr5vtA3xDXqNzLewQJBAOtzeR+S1wS9BxU1dS6fJc0pvFOEDFLpFoHNjiLvlTDI +nkeNpAmknJz90wtutqbZFwU6RD8jsWtGyUzT1EOs9CECQQDT6vFZkEnLztJtIgFK +usdlA0wrXOhFydkAeWYVWIKlbSczo9JJfd9PxXRn6Ix3MYid7vIMmiDdhKv17yU0 +MhR7AkEAilhzVyYEyXf4bXHXxOkmYQKg8cGpLB5hZyvM1KJJ2zxGJG0JcdETZPuP +wivvjuIIML4n06G5YftZ1JazJoC9gQJBAIjBxHDtGYKJ/OfqmvTT5lt8rkoJked/ +pCeXMFa0INOKxlKf9NPyhAshvMZVn1hIQgbRraiOSolJ1gNHCjZN30MCQQCnIwaq +5R6/tN/UxDZIMPo2K6mqQUXfYVOec0ARoB0J845qZd6rG0E8g5w45ipcu6LVBhd9 +CnEVAXHfnuMzNzjN +-----END PRIVATE KEY----- diff --git a/tests/pems/permutations/rsae_pkcs_1024_sha1/server-chain.pem b/tests/pems/permutations/rsae_pkcs_1024_sha1/server-chain.pem new file mode 100644 index 00000000000..d3abfc6686c --- /dev/null +++ b/tests/pems/permutations/rsae_pkcs_1024_sha1/server-chain.pem 
@@ -0,0 +1,42 @@ +-----BEGIN CERTIFICATE----- +MIICHTCCAYagAwIBAgIUVSkc16/rtMXmETH/wnscN+VGY+EwDQYJKoZIhvcNAQEF +BQAwHjELMAkGA1UEBhMCVVMxDzANBgNVBAMMBmJyYW5jaDAgFw0yNDA3MTYxNjU3 +NTdaGA8yMjAzMTIyMjE2NTc1N1owHDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBGxl +YWYwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMqhP+hZTU2XpYsT/+IfDeq9 +gqRmMC2RXsymsrgSwU8GmIKuHbb0Dd7hHDUQ4yYOwhQs67C2zCfFudaQ7xT7h87j +Jwxr2QuJZWWCic2N1r7FdtHFiYU7l+UQuzfhtaExZhJx0kpSQQNR6RQpjliHgsuw +ZLSHA5raSyW/jkzwOdp7AgMBAAGjWDBWMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAd +BgNVHQ4EFgQU0bnFIDqssv+4WHdQHtAjIrTBLV0wHwYDVR0jBBgwFoAUr4RQk79w +CfTtpMZ8oBogqWzdWcswDQYJKoZIhvcNAQEFBQADgYEADu69a05cs0qgDa17FjtT +nvzk9djKbg4R2fyUn1jpW9IGgrTQStqv8KXtV+czRPeaiPst7+nZOCXNH/LVhm/P +oCrZd7z5WP5RMXPvEjrNzoXZZRaz2jwD56HpIzM5afzsdYABIQ2pwAhD1KkVhw2g +Npt/QuOuyfy8AnHigRKsTVs= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICKDCCAZGgAwIBAgIUPinmIrgv3ehEP79tmkXGXv2WXdQwDQYJKoZIhvcNAQEF +BQAwHDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBHJvb3QwIBcNMjQwNzE2MTY1NzU3 +WhgPMjIwMzEyMjIxNjU3NTdaMB4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQDDAZicmFu +Y2gwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALz0PVnrhX4YVPLkzgcf7arr +aoA2md5rDVoIQKIJtxihwodByUMLYJFtttEiul6QSLZhPWNnFDh9e50bKXucgcFH +Tlf1XM6W69VED+ZCd9Q4+jewRK7iXxH1C/L0LreF68Gkq+c6VdwSQLyQkUp/AaPf +iH45dUv33ftd4EE0lQbrAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P +AQH/BAQDAgIEMB0GA1UdDgQWBBSvhFCTv3AJ9O2kxnygGiCpbN1ZyzAfBgNVHSME +GDAWgBQCHt+9xP2xSKyU24Q95JBf3E7kdzANBgkqhkiG9w0BAQUFAAOBgQBj3USi +VsO2XKx+5R+V6673/T16yAub61pb126ZGzHzgT7ol7m0Oe4X/pKwcN6ya2iUQkrh +eCbXJ/gK5VE+X95mng+n1v2o8UB7pTMRVA/U+vQfohzQaSsC4HordJLjTKI19bAB +qVfrFvFGMgTeaypoFSmDZTxwCVr974kU9YWrvw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICJjCCAY+gAwIBAgIUQDCl/x6VIdw2yTd5txSGLknYLO4wDQYJKoZIhvcNAQEF +BQAwHDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBHJvb3QwIBcNMjQwNzE2MTY1NzU3 +WhgPMjIwMzEyMjIxNjU3NTdaMBwxCzAJBgNVBAYTAlVTMQ0wCwYDVQQDDARyb290 +MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDH6oo3EzDAAN+1zmpMkxEw2EP6 
+E8Zh2wjVvC4VGjCgjysjwswxQmteLO+ZXgIDqXfRw9nC6VXZkSRqVMY07t5OFre+ +6eDDPW6jugtDveqJfFWgCNuOnFlVTC5GflS+8pC3mcnyRdTmlxK0wDAGQQmZMsNN +cKDAoTNq0StR0E/1ZwIDAQABo2MwYTAdBgNVHQ4EFgQUAh7fvcT9sUislNuEPeSQ +X9xO5HcwHwYDVR0jBBgwFoAUAh7fvcT9sUislNuEPeSQX9xO5HcwDwYDVR0TAQH/ +BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwDQYJKoZIhvcNAQEFBQADgYEAj5ht0bxM +ebIpeYJSpvA7L+J9Vttn3iGuw+j52y4wAWIQ6OZEJQAu5WDn6Tox0nJ33/v/yPu2 ++LN5dtQm8P1rBRo9zJ3QKv/HhvhcZ+eWaWpwX8ccDT/9jXRTS2tGGg8Mr5x97W4A +EyqOVM1cZOUjuDlibMNJoPU/n1uuyclkjqw= +-----END CERTIFICATE----- diff --git a/tests/pems/permutations/rsae_pkcs_1024_sha1/server-key.pem b/tests/pems/permutations/rsae_pkcs_1024_sha1/server-key.pem new file mode 100644 index 00000000000..d9853e99c28 --- /dev/null +++ b/tests/pems/permutations/rsae_pkcs_1024_sha1/server-key.pem @@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMqhP+hZTU2XpYsT +/+IfDeq9gqRmMC2RXsymsrgSwU8GmIKuHbb0Dd7hHDUQ4yYOwhQs67C2zCfFudaQ +7xT7h87jJwxr2QuJZWWCic2N1r7FdtHFiYU7l+UQuzfhtaExZhJx0kpSQQNR6RQp +jliHgsuwZLSHA5raSyW/jkzwOdp7AgMBAAECgYEAnRWAq6l/SiXDyhvJBQ06Br6/ +pp8pvkmyCkk4x4aSoablWHmOw6RTlHNDIMhkr75FKsrgNHChuDuKpBJbphKQ5qrE +yiBpWq1nIw3VZtikR5lfg5NMNJwQ7koqAom+f4E/OuOtvZYlNyURZZIoj4/2WhIS +GIgzN7vhaIDDK24j3uECQQDseFFBZbqlSBi6aKYVCOqGXHsH/eZZFGoJD8D++y5L +jy7DxFffa/zUcBYZeGfT7HXlravBlBoAsU5vi8KzvG2pAkEA211zf5FsFikWnr+w +1riaxBIPdTMj5aPT5fqhTaVZp6MXD401xvnC+BfxQaqlXoNUJadpONMj8IWIah9c +XeP1gwJAIGMaPerA9YI6YM2Uca0W8fAYqa+MrQauvy75L/MXFCI4NXfe0SrpJe90 +F2j2T4BDZYGz1H+EUDP4mi56LEPSgQJBANU8gDtvRxw7kKt8NxBinr8dtzz8G1bs +69xQx1/M7dvQ42fQoofq3aWA0Jo+oUXAb5mypMwCIpt5kmNmXMlAALUCQHG5eN03 +COl3DU1wTHOuFqejLcp+exARlCYN/BcGL6Qnrjk9sXOo9Ojfsj24zSuIMp3KJuUl +fYSKMUAftnb+KH4= +-----END PRIVATE KEY----- diff --git a/tests/pems/permutations/rsae_pkcs_512_sha1/ca-cert.pem b/tests/pems/permutations/rsae_pkcs_512_sha1/ca-cert.pem deleted file mode 100644 index 902337052b0..00000000000 --- a/tests/pems/permutations/rsae_pkcs_512_sha1/ca-cert.pem +++ /dev/null 
@@ -1,11 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBoTCCAUugAwIBAgIUOL0vNhopjHe1lGdOxUrjtr58fKwwDQYJKoZIhvcNAQEF -BQAwHDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBHJvb3QwIBcNMjQwNjI4MjIyNjMx -WhgPMjIwMzEyMDQyMjI2MzFaMBwxCzAJBgNVBAYTAlVTMQ0wCwYDVQQDDARyb290 -MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAM+TK0jfOm9OxYqWEJ+NWTBzdVQQAcrr -RySqkex15wgKOMvQfbcIOvuRPOHA09Y9lRWxQzgoNXwrO/WrWJ0KcnECAwEAAaNj -MGEwHQYDVR0OBBYEFGuQv3m+EZ+g83LuhPOGIq07GvcQMB8GA1UdIwQYMBaAFGuQ -v3m+EZ+g83LuhPOGIq07GvcQMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD -AgIEMA0GCSqGSIb3DQEBBQUAA0EAe26pHHL4uRBNEqEfU8IXTMSoBMmGoHLDz7P7 -87i/Optxm7Hdb+SjtWUp+0NYIlJ4w52e/us8w3qT/S7mSaKrdQ== ------END CERTIFICATE----- diff --git a/tests/pems/permutations/rsae_pkcs_512_sha1/client-cert.pem b/tests/pems/permutations/rsae_pkcs_512_sha1/client-cert.pem deleted file mode 100644 index 060245d9538..00000000000 --- a/tests/pems/permutations/rsae_pkcs_512_sha1/client-cert.pem +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBmDCCAUKgAwIBAgIULuW63lQamjlSAZ2F4CR5WdUahtAwDQYJKoZIhvcNAQEF -BQAwHDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBHJvb3QwIBcNMjQwNjI4MjIyNjMx -WhgPMjIwMzEyMDQyMjI2MzFaMB4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQDDAZjbGll -bnQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxpJOkCTsbF2qqp7r6hxJIkDsA4DX -8BewqA6lClZYFIHuYdc3SmkNT0B94jpS5ernK+1SBILf2Xt8JFCliWhbJQIDAQAB -o1gwVjAUBgNVHREEDTALgglsb2NhbGhvc3QwHQYDVR0OBBYEFHZf7DM9xxxobjgJ -JnqanzwDBJivMB8GA1UdIwQYMBaAFGuQv3m+EZ+g83LuhPOGIq07GvcQMA0GCSqG -SIb3DQEBBQUAA0EAN13P1ieJk92ck/PStGP9rki4ZPcSU+c9KyTzpnHVYt6zXbDi -JAYsrus9no+yej9TYMWakvFeIoItgrvNgHVZ7g== ------END CERTIFICATE----- diff --git a/tests/pems/permutations/rsae_pkcs_512_sha1/client-key.pem b/tests/pems/permutations/rsae_pkcs_512_sha1/client-key.pem deleted file mode 100644 index df7e4d7a91d..00000000000 --- a/tests/pems/permutations/rsae_pkcs_512_sha1/client-key.pem +++ /dev/null 
@@ -1,10 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAxpJOkCTsbF2qqp7r -6hxJIkDsA4DX8BewqA6lClZYFIHuYdc3SmkNT0B94jpS5ernK+1SBILf2Xt8JFCl -iWhbJQIDAQABAkAKfhqmpTzU8RIel+0xXrNCmxmdicZfSnEsQDHaXPukga1Cbt3N -QFgjmKqvQffi41K8/Zs8asmDMY9OIhTpfhqVAiEA7RNbOw4krT2TxcJbUu5ea2Sm -bhF5TaYX8WjL9OXkCXsCIQDWbB5hNRXsAyA+Ac8+S7usxF5OxK9je2LEC+teGMJ7 -3wIhAJE32hpCf5TeszXf57DU8mE2NfwWGAfIRcJKPySz7QshAiEAxqYsDwrLYHgU -6t1qTuCC4rCaXodBpfytp8sTJ33w0CkCIGJSf2hq2PgCESFXAD0NsESzQ+q5xSRU -UtqYNy6B510+ ------END PRIVATE KEY----- diff --git a/tests/pems/permutations/rsae_pkcs_512_sha1/server-chain.pem b/tests/pems/permutations/rsae_pkcs_512_sha1/server-chain.pem deleted file mode 100644 index 33629ae9953..00000000000 --- a/tests/pems/permutations/rsae_pkcs_512_sha1/server-chain.pem +++ /dev/null 
@@ -1,33 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBmDCCAUKgAwIBAgIUdVOeN8EEdVAEaCYb3SsqasYAclAwDQYJKoZIhvcNAQEF -BQAwHjELMAkGA1UEBhMCVVMxDzANBgNVBAMMBmJyYW5jaDAgFw0yNDA2MjgyMjI2 -MzFaGA8yMjAzMTIwNDIyMjYzMVowHDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBGxl -YWYwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAzw9mmvGMx4KTf0g5pbKAEwTY3g1P -N4wIY3egdN6Jn0fOEp7C+m1bPMe7vfVOJXwf/sDtAIk1cu83641TZipLcQIDAQAB -o1gwVjAUBgNVHREEDTALgglsb2NhbGhvc3QwHQYDVR0OBBYEFM+ZjHL6FWpQf/rz -BTp47pxvzKBKMB8GA1UdIwQYMBaAFBsz11YK9dErkBvLRLnK4LnnTKbuMA0GCSqG -SIb3DQEBBQUAA0EAnltE4ACfhG1t0IqiKNh8hvpxqOOkUvvVViMV3tUP/V1Kn7nE -vdjl4sADQSBEKDMczOFJew+z/4gumtKt2vQObA== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIBozCCAU2gAwIBAgIULuW63lQamjlSAZ2F4CR5WdUahs8wDQYJKoZIhvcNAQEF -BQAwHDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBHJvb3QwIBcNMjQwNjI4MjIyNjMx -WhgPMjIwMzEyMDQyMjI2MzFaMB4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQDDAZicmFu -Y2gwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxGirjO1UgCfKgbGq9LqmBbKL8FIg -GLcRHOAXdkovX633ZAt9JtI8TYOM/fAzdAE++bGIdj3z2TyHo/BRppLLbwIDAQAB -o2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICBDAdBgNVHQ4EFgQU -GzPXVgr10SuQG8tEucrguedMpu4wHwYDVR0jBBgwFoAUa5C/eb4Rn6Dzcu6E84Yi -rTsa9xAwDQYJKoZIhvcNAQEFBQADQQCNLdvQISyt0SmwqfQlSxLyFaCHNs2+sA6/ -PGtZERzUpzqXmAYVrFzWlTeA4NnBC9DEbmWAHDaSMXBNslnVKhAF ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIBoTCCAUugAwIBAgIUOL0vNhopjHe1lGdOxUrjtr58fKwwDQYJKoZIhvcNAQEF -BQAwHDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBHJvb3QwIBcNMjQwNjI4MjIyNjMx -WhgPMjIwMzEyMDQyMjI2MzFaMBwxCzAJBgNVBAYTAlVTMQ0wCwYDVQQDDARyb290 -MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAM+TK0jfOm9OxYqWEJ+NWTBzdVQQAcrr -RySqkex15wgKOMvQfbcIOvuRPOHA09Y9lRWxQzgoNXwrO/WrWJ0KcnECAwEAAaNj -MGEwHQYDVR0OBBYEFGuQv3m+EZ+g83LuhPOGIq07GvcQMB8GA1UdIwQYMBaAFGuQ -v3m+EZ+g83LuhPOGIq07GvcQMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD -AgIEMA0GCSqGSIb3DQEBBQUAA0EAe26pHHL4uRBNEqEfU8IXTMSoBMmGoHLDz7P7 -87i/Optxm7Hdb+SjtWUp+0NYIlJ4w52e/us8w3qT/S7mSaKrdQ== ------END CERTIFICATE----- 
diff --git a/tests/pems/permutations/rsae_pkcs_512_sha1/server-key.pem b/tests/pems/permutations/rsae_pkcs_512_sha1/server-key.pem deleted file mode 100644 index ce0885c9081..00000000000 --- a/tests/pems/permutations/rsae_pkcs_512_sha1/server-key.pem +++ /dev/null @@ -1,10 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEAzw9mmvGMx4KTf0g5 -pbKAEwTY3g1PN4wIY3egdN6Jn0fOEp7C+m1bPMe7vfVOJXwf/sDtAIk1cu83641T -ZipLcQIDAQABAkBEjoHXfXCyQh6Z/wzvOtnC8lDnvJpk9t10KZCcAW6pqKBw+M8D -63YyvzM4vsyBsDAbCvtMyVvospVvjdNeU1VdAiEA/kP42+tIh+2Sd795+UHsccNV -8FwS7SMA6lgLk19xcwsCIQDQeP5EoWs7sZXFlN4omylxh6Fq9FNCKjgn0lm7or1I -8wIgM7GGCtAO8vOt74KSPcbVV1urQS62+lc/fGViFRg2bHkCID6gmoIzm+tK5ht9 -JWA9fK3GeQ+QZpKx7DzKTHq54PNRAiA2RnWEH3f1z4IRmpXU0dRZPtsGTDSmFova -GZRjCeq5UA== ------END PRIVATE KEY----- diff --git a/tests/unit/s2n_security_policy_cert_preferences_test.c b/tests/unit/s2n_security_policy_cert_preferences_test.c index 04583fad98a..14b06121de9 100644 --- a/tests/unit/s2n_security_policy_cert_preferences_test.c +++ b/tests/unit/s2n_security_policy_cert_preferences_test.c @@ -314,7 +314,7 @@ int main(int argc, char **argv) { DEFER_CLEANUP(struct s2n_cert_chain_and_key *cert = NULL, s2n_cert_chain_and_key_ptr_free); /* use a very insecure cert that would not be included in any reasonable cert preferences */ - EXPECT_SUCCESS(s2n_test_cert_permutation_load_server_chain(&cert, "rsae", "pkcs", "512", "sha1")); + EXPECT_SUCCESS(s2n_test_cert_permutation_load_server_chain(&cert, "rsae", "pkcs", "1024", "sha1")); DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free); EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, cert));
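Review bot: The comment above the changed `s2n_test_cert_permutation_load_server_chain(&cert, "rsae", "pkcs", "1024", "sha1")` call describes the fixture only as "a very insecure cert" and does not say why the key size moved from 512 to 1024 bits. Other hunks on this page delete the `rsae_pkcs_512_sha1` PEMs and add `rsae_pkcs_1024_sha1` ones, so the 512-bit permutation presumably could not be kept, but the reason is not visible here. I would extend the comment, e.g. `/* RSA-1024 with SHA-1: still outside any reasonable cert preferences; the 512-bit fixtures were removed from tests/pems/permutations */`, so a later reader does not swap in a stronger cert and quietly stop exercising the weak-cert case. The enclosing test block starts and ends outside the hunk.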