Skip to content

Commit

Permalink
tests: Create separate self-signed EC key for tlsfuzzer testing
Browse files Browse the repository at this point in the history
Follow up from #488

Signed-off-by: Jakub Jelen <[email protected]>
  • Loading branch information
Jakuje committed Dec 20, 2024
1 parent d7b1339 commit e34aea4
Show file tree
Hide file tree
Showing 4 changed files with 43 additions and 51 deletions.
16 changes: 1 addition & 15 deletions tests/cert.json.ecdsa.in
Original file line number Diff line number Diff line change
Expand Up @@ -22,23 +22,9 @@
{"name" : "test-signature-algorithms.py",
"arguments" : [
"-n", "0", "--ecdsa",
"-x", "duplicated 206 non-rsa schemes", "-X", "handshake_failure",
"-x", "duplicated 2346 non-rsa schemes", "-X", "handshake_failure",
"-x", "duplicated 8123 non-rsa schemes", "-X", "handshake_failure",
"-x", "duplicated 23745 non-rsa schemes", "-X", "handshake_failure",
"-x", "duplicated 32748 non-rsa schemes", "-X", "handshake_failure",
"-x", "explicit SHA-256+RSA or ECDSA", "-X", "handshake_failure",
"-x", "explicit SHA-1+RSA/ECDSA", "-X", "handshake_failure",
"-x", "explicit SHA-1+RSA/ECDSA", "-X", "handshake_failure",
"-x", "implicit SHA-1 check", "-X", "handshake_failure",
"-x", "tolerance 10+RSA or ECDSA method", "-X", "handshake_failure",
"-x", "tolerance 215 RSA or ECDSA methods", "-X", "handshake_failure",
"-x", "tolerance 2355 RSA or ECDSA methods", "-X", "handshake_failure",
"-x", "tolerance 8132 RSA or ECDSA methods", "-X", "handshake_failure",
"-x", "tolerance 32758 methods with sig_alg_cert", "-X", "handshake_failure",
"-x", "tolerance max 32748 number of methods with sig_alg_cert", "-X", "handshake_failure",
"-x", "tolerance none+RSA or ECDSA", "-X", "handshake_failure",
"-x", "unique and well-known sig_algs, ecdsa algorithm last", "-X", "handshake_failure"
"-x", "implicit SHA-1 check", "-X", "handshake_failure"
],
"comment": "Crypto-Policies disable SHA-1."
},
Expand Down
71 changes: 37 additions & 34 deletions tests/setup.sh
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@ fi
P11DEFARGS=("--module=${P11LIB}" "--login" "--pin=${PINVALUE}" "--token-label=${TOKENLABEL}")

# prepare certtool configuration
cat >> "${TMPPDIR}/cert.cfg" <<HEREDOC
cat >> "${TMPPDIR}/cacert.cfg" <<HEREDOC
ca
cn = "Issuer"
serial = 1
Expand All @@ -75,63 +75,73 @@ encryption_key
cert_signing_key
HEREDOC

# Serial = 1 is the CA
SERIAL=1

ca_selfsign() {
LABEL=$1
CN=$2
KEYID=$3
((SERIAL+=1))
sed -e "s|cn = .*|cn = $CN|g" \
-e "s|serial = .*|serial = $SERIAL|g" \
"${sed_inplace[@]}" "${TMPPDIR}/cacert.cfg"
"${certtool}" --generate-self-signed --outfile="${TMPPDIR}/${LABEL}.crt" \
--template="${TMPPDIR}/cacert.cfg" --provider="$P11LIB" \
--load-privkey "pkcs11:object=$LABEL;token=$TOKENLABELURI;type=private" \
--load-pubkey "pkcs11:object=$LABEL;token=$TOKENLABELURI;type=public" --outder 2>&1
pkcs11-tool "${P11DEFARGS[@]}" --write-object "${TMPPDIR}/${LABEL}.crt" --type=cert \
--id="$KEYID" --label="$LABEL" 2>&1
}

title LINE "Creating new Self Sign CA"
KEYID='0000'
URIKEYID="%00%00"
CACRT="${TMPPDIR}/CAcert.crt"
CACRT_PEM="${TMPPDIR}/CAcert.pem"
CACRTN="caCert"
pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="RSA:2048" \
--label="${CACRTN}" --id="${KEYID}" 2>&1
"${certtool}" --generate-self-signed --outfile="${CACRT}" \
--template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \
--load-privkey "pkcs11:object=$CACRTN;token=$TOKENLABELURI;type=private" \
--load-pubkey "pkcs11:object=$CACRTN;token=$TOKENLABELURI;type=public" --outder 2>&1
pkcs11-tool "${P11DEFARGS[@]}" --write-object "${CACRT}" --type=cert \
--id=$KEYID --label="$CACRTN" 2>&1

# Serial = 1 is the CA
SERIAL=2
ca_selfsign $CACRTN "Issuer" $KEYID

# convert the DER cert to PEM
CACRT_PEM="${TMPPDIR}/${CACRTN}.pem"
CACRT="${TMPPDIR}/${CACRTN}.crt"
openssl x509 -inform DER -in "$CACRT" -outform PEM -out "$CACRT_PEM"

cat "${TMPPDIR}/cacert.cfg" > "${TMPPDIR}/cert.cfg"
# the organization identification is not in the CA
echo 'organization = "PKCS11 Provider"' >> "${TMPPDIR}/cert.cfg"
# the cert_signing_key and "ca" should be only on the CA
sed -e "/^cert_signing_key$/d" -e "/^ca$/d" "${sed_inplace[@]}" "${TMPPDIR}/cert.cfg"

ca_sign() {
CRT=$1
LABEL=$2
CN=$3
KEYID=$4
LABEL=$1
CN=$2
KEYID=$3
((SERIAL+=1))
sed -e "s|cn = .*|cn = $CN|g" \
-e "s|serial = .*|serial = $SERIAL|g" \
-e "/^ca$/d" \
"${sed_inplace[@]}" \
"${TMPPDIR}/cert.cfg"
"${certtool}" --generate-certificate --outfile="${CRT}.crt" \
"${certtool}" --generate-certificate --outfile="${TMPPDIR}/${LABEL}.crt" \
--template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \
--load-privkey "pkcs11:object=$LABEL;token=$TOKENLABELURI;type=private" \
--load-pubkey "pkcs11:object=$LABEL;token=$TOKENLABELURI;type=public" --outder \
--load-ca-certificate "${CACRT}" --inder \
--load-ca-privkey="pkcs11:object=$CACRTN;token=$TOKENLABELURI;type=private"
pkcs11-tool "${P11DEFARGS[@]}" --write-object "${CRT}.crt" --type=cert \
pkcs11-tool "${P11DEFARGS[@]}" --write-object "${TMPPDIR}/${LABEL}.crt" --type=cert \
--id="$KEYID" --label="$LABEL" 2>&1
}


# generate RSA key pair and self-signed certificate
KEYID='0001'
URIKEYID="%00%01"
TSTCRT="${TMPPDIR}/testcert"
TSTCRTN="testCert"

pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="RSA:2048" \
--label="${TSTCRTN}" --id="$KEYID"
ca_sign "$TSTCRT" $TSTCRTN "My Test Cert" $KEYID
ca_sign "${TSTCRTN}" "My Test Cert" $KEYID

BASEURIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}"
BASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=file:${PINFILE}"
Expand All @@ -152,12 +162,11 @@ echo ""
# generate ECC key pair
KEYID='0002'
URIKEYID="%00%02"
ECCRT="${TMPPDIR}/eccert"
ECCRTN="ecCert"

pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="EC:secp256r1" \
--label="${ECCRTN}" --id="$KEYID"
ca_sign "$ECCRT" $ECCRTN "My EC Cert" $KEYID
ca_sign $ECCRTN "My EC Cert" $KEYID

ECBASEURIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}"
ECBASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=file:${PINFILE}"
Expand All @@ -168,12 +177,11 @@ ECCRTURI="pkcs11:type=cert;object=${ECCRTN}"

KEYID='0003'
URIKEYID="%00%03"
ECPEERCRT="${TMPPDIR}/ecpeercert"
ECPEERCRTN="ecPeerCert"

pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="EC:secp256r1" \
--label="$ECPEERCRTN" --id="$KEYID"
ca_sign "$ECPEERCRT" $ECPEERCRTN "My Peer EC Cert" $KEYID
ca_selfsign $ECPEERCRTN "My Peer EC Cert" $KEYID

ECPEERBASEURIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}"
ECPEERBASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=file:${PINFILE}"
Expand Down Expand Up @@ -204,12 +212,11 @@ if [ "${TOKENTYPE}" != "softokn" ]; then
# generate ED25519
KEYID='0004'
URIKEYID="%00%04"
EDCRT="${TMPPDIR}/edcert"
EDCRTN="edCert"

pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="EC:edwards25519" \
--label="${EDCRTN}" --id="$KEYID"
ca_sign "$EDCRT" $EDCRTN "My ED25519 Cert" $KEYID
ca_sign $EDCRTN "My ED25519 Cert" $KEYID

EDBASEURIWITHPINVALUE="pkcs11:id=${URIKEYID};pin-value=${PINVALUE}"
EDBASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID};pin-source=file:${PINFILE}"
Expand All @@ -233,12 +240,11 @@ fi
# generate ED448
#KEYID='0009'
#URIKEYID="%00%09"
#ED2CRT="${TMPPDIR}/ed2cert"
#ED2CRTN="ed2Cert"
#
# pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="EC:edwards448" \
# --label="${ED2CRTN}" --id="$KEYID"
# ca_sign "$EDCRT" $ED2CRTN "My ED448 Cert" $KEYID
# ca_sign $ED2CRTN "My ED448 Cert" $KEYID
#
# ED2BASEURIWITHPINVALUE="pkcs11:id=${URIKEYID};pin-value=${PINVALUE}"
# ED2BASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID};pin-source=file:${PINFILE}"
Expand All @@ -258,12 +264,11 @@ fi
title PARA "generate RSA key pair, self-signed certificate, remove public key"
KEYID='0005'
URIKEYID="%00%05"
TSTCRT="${TMPPDIR}/testcert2"
TSTCRTN="testCert2"

pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="RSA:2048" \
--label="${TSTCRTN}" --id="$KEYID"
ca_sign "$TSTCRT" $TSTCRTN "My Test Cert 2" $KEYID
ca_sign $TSTCRTN "My Test Cert 2" $KEYID
pkcs11-tool "${P11DEFARGS[@]}" --delete-object --type pubkey --id 0005

BASE2URIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}"
Expand All @@ -283,12 +288,11 @@ echo ""
title PARA "generate EC key pair, self-signed certificate, remove public key"
KEYID='0006'
URIKEYID="%00%06"
TSTCRT="${TMPPDIR}/eccert2"
TSTCRTN="ecCert2"

pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="EC:secp384r1" \
--label="${TSTCRTN}" --id="$KEYID"
ca_sign "$TSTCRT" $TSTCRTN "My EC Cert 2" $KEYID
ca_sign $TSTCRTN "My EC Cert 2" $KEYID
pkcs11-tool "${P11DEFARGS[@]}" --delete-object --type pubkey --id 0006

ECBASE2URIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}"
Expand Down Expand Up @@ -336,12 +340,11 @@ fi
title PARA "generate EC key pair with ALWAYS AUTHENTICATE flag, self-signed certificate"
KEYID='0008'
URIKEYID="%00%08"
TSTCRT="${TMPPDIR}/eccert3"
TSTCRTN="ecCert3"

pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="EC:secp521r1" \
--label="${TSTCRTN}" --id="$KEYID" --always-auth
ca_sign "$TSTCRT" $TSTCRTN "My EC Cert 3" $KEYID
ca_sign $TSTCRTN "My EC Cert 3" $KEYID

ECBASE3URIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}"
ECBASE3URIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=file:${PINFILE}"
Expand Down
2 changes: 1 addition & 1 deletion tests/tcerts
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ title PARA "Use storeutl command to match specific certs via params"

SUBJECTS=("/O=PKCS11 Provider/CN=My Test Cert"
"/O=PKCS11 Provider/CN=My EC Cert"
"/O=PKCS11 Provider/CN=My Peer EC Cert"
"/CN=My Peer EC Cert"
"/CN=Issuer")

for subj in "${SUBJECTS[@]}"; do
Expand Down
5 changes: 4 additions & 1 deletion tests/ttlsfuzzer
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,10 @@ run_tests() {
prepare_test cert.json.rsa.in "$PRIURI" "$CRTURI"

title PARA "Prepare test for ECDSA"
prepare_test cert.json.ecdsa.in "$ECPRIURI" "$ECCRTURI"
# Note, that tlsfuzzer expects the homogenous CA and server keys
# so we are using here the self-signed peer EC Key, instead of
# the default ECC key
prepare_test cert.json.ecdsa.in "$ECPEERPRIURI" "$ECPEERCRTURI"

if [[ -n "$EDBASEURI" ]]; then
title PARA "Prepare test for EdDSA"
Expand Down

0 comments on commit e34aea4

Please sign in to comment.