Skip to content

Commit

Permalink
Fix s2n_ecdsa_secp521r1_sha512 + improve integ ECDSA coverage (aws#4148)
Browse files Browse the repository at this point in the history
  • Loading branch information
@lrstewart
lrstewart authored Aug 18, 2023
1 parent 074ff8b commit 1a5e406
Show file tree
Hide file tree
Showing 9 changed files with 155 additions and 17 deletions.
30 changes: 23 additions & 7 deletions tests/integrationv2/common.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -93,9 +93,11 @@ def __init__(self, name, prefix, location=TEST_CERT_DIRECTORY):
self.cert = location + prefix + "_cert.pem"
self.key = location + prefix + "_key.pem"
self.algorithm = 'ANY'
self.curve = None

if 'ECDSA' in name:
self.algorithm = 'EC'
self.curve = name[-3:]
elif 'RSA' in name:
self.algorithm = 'RSA'
if 'PSS' in name:
Expand All @@ -107,15 +109,15 @@ def compatible_with_cipher(self, cipher):
def compatible_with_curve(self, curve):
if self.algorithm != 'EC':
return True

return curve.name[-3:] == self.name[-3:]
return curve.name[-3:] == self.curve

def compatible_with_sigalg(self, sigalg):
if self.algorithm == 'EC':
if '384' in self.name and 'p256' in sigalg.name:
return False

return (self.algorithm == sigalg.algorithm)
if self.algorithm != sigalg.algorithm:
return False
sig_alg_has_curve = sigalg.algorithm == 'EC' and sigalg.min_protocol == Protocols.TLS13
if sig_alg_has_curve and self.curve not in sigalg.name:
return False
return True

def __str__(self):
return self.name
Expand All @@ -140,6 +142,7 @@ class Certificates(object):

ECDSA_256 = Cert("ECDSA_256", "localhost_ecdsa_p256")
ECDSA_384 = Cert("ECDSA_384", "ecdsa_p384_pkcs1")
ECDSA_521 = Cert("ECDSA_521", "ecdsa_p521")

RSA_2048_SHA256_WILDCARD = Cert(
"RSA_2048_SHA256_WILDCARD", "rsa_2048_sha256_wildcard")
Expand Down Expand Up @@ -400,6 +403,9 @@ class Signatures(object):
RSA_SHA512 = Signature('RSA+SHA512', max_protocol=Protocols.TLS12)
RSA_MD5_SHA1 = Signature('RSA+MD5_SHA1', max_protocol=Protocols.TLS11)
ECDSA_SHA224 = Signature('ECDSA+SHA224', max_protocol=Protocols.TLS12)
ECDSA_SHA256 = Signature('ECDSA+SHA256', max_protocol=Protocols.TLS12)
ECDSA_SHA384 = Signature('ECDSA+SHA384', max_protocol=Protocols.TLS12)
ECDSA_SHA512 = Signature('ECDSA+SHA512', max_protocol=Protocols.TLS12)
ECDSA_SHA1 = Signature('ECDSA+SHA1', max_protocol=Protocols.TLS12)

RSA_PSS_RSAE_SHA256 = Signature(
Expand All @@ -418,6 +424,16 @@ class Signatures(object):
min_protocol=Protocols.TLS13,
sig_type='ECDSA',
sig_digest='SHA256')
ECDSA_SECP384r1_SHA384 = Signature(
'ecdsa_secp384r1_sha384',
min_protocol=Protocols.TLS13,
sig_type='ECDSA',
sig_digest='SHA384')
ECDSA_SECP521r1_SHA512 = Signature(
'ecdsa_secp521r1_sha512',
min_protocol=Protocols.TLS13,
sig_type='ECDSA',
sig_digest='SHA512')


class Results(object):
Expand Down
3 changes: 2 additions & 1 deletion tests/integrationv2/configuration.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,8 @@
Certificates.RSA_4096_SHA512,
Certificates.ECDSA_256,
Certificates.ECDSA_384,
Certificates.RSA_PSS_2048_SHA256
Certificates.ECDSA_521,
Certificates.RSA_PSS_2048_SHA256,
]


Expand Down
15 changes: 6 additions & 9 deletions tests/integrationv2/test_signature_algorithms.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,25 +7,22 @@
from providers import Provider, S2N, OpenSSL, GnuTLS
from utils import invalid_test_parameters, get_parameter_name, get_expected_s2n_version, to_bytes

certs = [
Certificates.RSA_2048_SHA256,
Certificates.RSA_2048_SHA384,
Certificates.RSA_PSS_2048_SHA256,
Certificates.ECDSA_256,
Certificates.ECDSA_384,
]

all_sigs = [
Signatures.RSA_SHA1,
Signatures.RSA_SHA224,
Signatures.RSA_SHA256,
Signatures.RSA_SHA384,
Signatures.RSA_SHA512,
Signatures.ECDSA_SECP256r1_SHA256,
Signatures.ECDSA_SECP384r1_SHA384,
Signatures.ECDSA_SECP521r1_SHA512,
Signatures.RSA_PSS_RSAE_SHA256,
Signatures.RSA_PSS_PSS_SHA256,
Signatures.ECDSA_SHA224,
Signatures.ECDSA_SHA1,
Signatures.ECDSA_SHA224,
Signatures.ECDSA_SHA256,
Signatures.ECDSA_SHA384,
Signatures.ECDSA_SHA512,
]


Expand Down
16 changes: 16 additions & 0 deletions tests/pems/ecdsa_p521_cert.pem
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
-----BEGIN CERTIFICATE-----
MIICkDCCAfOgAwIBAgIUT81FWh80/yJIYrJQki2U0l8qX/8wCgYIKoZIzj0EAwIw
YTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0dGxlMQ8w
DQYDVQQKDAZBbWF6b24xDDAKBgNVBAsMA3MybjEUMBIGA1UEAwwLczJuVGVzdENl
cnQwIBcNMjMwODE1MDQyNTAxWhgPMjEyMzA3MjIwNDI1MDFaMGExCzAJBgNVBAYT
AlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwGQW1h
em9uMQwwCgYDVQQLDANzMm4xFDASBgNVBAMMC3MyblRlc3RDZXJ0MIGbMBAGByqG
SM49AgEGBSuBBAAjA4GGAAQAZue+N75XLVRR85xDMdoZPvAEOpTMkUySOZjOiVhy
4HrcgoCelJ19sx6x/9ub4J9RYNO1D4jam5ElhHG7YbZlZPgAemJPt83MB3ZVUBv7
+5y3w6y8YNALQ64itu5N3hiHm/c6ZmcZUiENuYL8Tn9cOy9ZyaVVvkd+n07gRrVC
Cj75J92jRDBCMAsGA1UdDwQEAwIEsDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwFAYDVR0RBA0wC4IJbG9jYWxob3N0MAoGCCqGSM49BAMCA4GKADCBhgJB
IJh6U2UupBjtzKtTrkvGpmrKixZXqlMwKzlgMUKdViyIfpOnHleN6WY/KSKMpQv0
WuTgKIM7xGTLTRNUdW9SKBoCQWpdgspCtqZ40YCAHXaaeUNjnCB4mCmdrJWIzlpg
2OYM7tWCFNtdp1AIVs5LOWXoW+IcIAaetH+HVClILkeiLfX8
-----END CERTIFICATE-----
10 changes: 10 additions & 0 deletions tests/pems/ecdsa_p521_key.pem
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
-----BEGIN EC PARAMETERS-----
BgUrgQQAIw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MIHcAgEBBEIAHIpljjg1sQ5+8DZjWX4hv7Ro4uor2LEP/8j3H4djz9BWSsWTOzqL
iVDYQXWjmSUKNU9SnRLqRAyaWO3BNU1OHqygBwYFK4EEACOhgYkDgYYABABm5743
vlctVFHznEMx2hk+8AQ6lMyRTJI5mM6JWHLgetyCgJ6UnX2zHrH/25vgn1Fg07UP
iNqbkSWEcbthtmVk+AB6Yk+3zcwHdlVQG/v7nLfDrLxg0AtDriK27k3eGIeb9zpm
ZxlSIQ25gvxOf1w7L1nJpVW+R36fTuBGtUIKPvkn3Q==
-----END EC PRIVATE KEY-----
2 changes: 2 additions & 0 deletions tests/testlib/s2n_testlib.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -104,10 +104,12 @@ S2N_RESULT s2n_connection_set_test_master_secret(struct s2n_connection *conn, co
#define S2N_RSA_2048_PKCS1_LEAF_CERT "../pems/rsa_2048_pkcs1_leaf.pem"
#define S2N_ECDSA_P256_PKCS1_CERT_CHAIN "../pems/ecdsa_p256_pkcs1_cert.pem"
#define S2N_ECDSA_P384_PKCS1_CERT_CHAIN "../pems/ecdsa_p384_pkcs1_cert.pem"
#define S2N_ECDSA_P512_CERT_CHAIN "../pems/ecdsa_p521_cert.pem"
#define S2N_RSA_CERT_CHAIN_CRLF "../pems/rsa_2048_pkcs1_cert_crlf.pem"
#define S2N_RSA_KEY_CRLF "../pems/rsa_2048_pkcs1_key_crlf.pem"
#define S2N_ECDSA_P256_PKCS1_KEY "../pems/ecdsa_p256_pkcs1_key.pem"
#define S2N_ECDSA_P384_PKCS1_KEY "../pems/ecdsa_p384_pkcs1_key.pem"
#define S2N_ECDSA_P512_KEY "../pems/ecdsa_p521_key.pem"
#define S2N_RSA_2048_PKCS1_KEY "../pems/rsa_2048_pkcs1_key.pem"
#define S2N_RSA_2048_PKCS8_KEY "../pems/rsa_2048_pkcs8_key.pem"

Expand Down
47 changes: 47 additions & 0 deletions tests/unit/s2n_ecdsa_test.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,11 @@
#include "tls/s2n_connection.h"
#include "utils/s2n_safety.h"

static uint8_t s2n_test_noop_verify_host_fn(const char *host_name, size_t host_name_len, void *data)
{
return true;
}

static uint8_t unmatched_private_key[] =
"-----BEGIN EC PRIVATE KEY-----\n"
"MIIB+gIBAQQwuenHFMJsDm5tCQgthH8kGXQ1dHkKACmHH3ZqIGteoghhGow6vGmr\n"
Expand Down Expand Up @@ -203,5 +208,47 @@ int main(int argc, char **argv)
free(cert_chain_pem);
free(private_key_pem);

EXPECT_SUCCESS(s2n_reset_tls13_in_test());

/* Self-Talk test */
{
const char *ecdsa_certs[][2] = {
{ S2N_ECDSA_P256_PKCS1_CERT_CHAIN, S2N_ECDSA_P256_PKCS1_KEY },
{ S2N_ECDSA_P384_PKCS1_CERT_CHAIN, S2N_ECDSA_P384_PKCS1_KEY },
{ S2N_ECDSA_P512_CERT_CHAIN, S2N_ECDSA_P512_KEY },
};

for (size_t i = 0; i < s2n_array_len(ecdsa_certs); i++) {
DEFER_CLEANUP(struct s2n_cert_chain_and_key *chain_and_key = NULL,
s2n_cert_chain_and_key_ptr_free);
EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&chain_and_key,
ecdsa_certs[i][0], ecdsa_certs[i][1]));

DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(),
s2n_config_ptr_free);
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "test_all"));
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(config,
ecdsa_certs[i][0], NULL));
EXPECT_SUCCESS(s2n_config_set_verify_host_callback(config,
s2n_test_noop_verify_host_fn, NULL));

DEFER_CLEANUP(struct s2n_connection *client = s2n_connection_new(S2N_CLIENT),
s2n_connection_ptr_free);
EXPECT_SUCCESS(s2n_connection_set_config(client, config));

DEFER_CLEANUP(struct s2n_connection *server = s2n_connection_new(S2N_SERVER),
s2n_connection_ptr_free);
EXPECT_SUCCESS(s2n_connection_set_config(server, config));

DEFER_CLEANUP(struct s2n_test_io_pair io_pair = { 0 },
s2n_io_pair_close);
EXPECT_SUCCESS(s2n_io_pair_init_non_blocking(&io_pair));
EXPECT_SUCCESS(s2n_connections_set_io_pair(client, server, &io_pair));

EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server, client));
}
};

END_TEST();
}
48 changes: 48 additions & 0 deletions tests/unit/s2n_signature_scheme_test.c
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/

#include "tls/s2n_signature_scheme.c"

#include "s2n_test.h"

int main(int argc, char **argv)
{
BEGIN_TEST();

/* Test all signature schemes */
size_t policy_i = 0;
while (security_policy_selection[policy_i].version != NULL) {
const struct s2n_signature_preferences *sig_prefs =
security_policy_selection[policy_i].security_policy->signature_preferences;
for (size_t sig_i = 0; sig_i < sig_prefs->count; sig_i++) {
const struct s2n_signature_scheme *const sig_scheme = sig_prefs->signature_schemes[sig_i];

EXPECT_NOT_EQUAL(sig_scheme->iana_value, 0);
EXPECT_NOT_EQUAL(sig_scheme->hash_alg, S2N_HASH_NONE);
EXPECT_NOT_EQUAL(sig_scheme->sig_alg, S2N_SIGNATURE_ANONYMOUS);
EXPECT_NOT_EQUAL(sig_scheme->libcrypto_nid, 0);

if (sig_scheme->sig_alg == S2N_SIGNATURE_ECDSA
&& sig_scheme->minimum_protocol_version == S2N_TLS13) {
EXPECT_NOT_NULL(sig_scheme->signature_curve);
} else {
EXPECT_NULL(sig_scheme->signature_curve);
}
}
policy_i++;
}

END_TEST();
}
1 change: 1 addition & 0 deletions tls/s2n_signature_scheme.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -148,6 +148,7 @@ const struct s2n_signature_scheme s2n_ecdsa_secp521r1_sha512 = {
.iana_value = TLS_SIGNATURE_SCHEME_ECDSA_SECP521R1_SHA512,
.hash_alg = S2N_HASH_SHA512,
.sig_alg = S2N_SIGNATURE_ECDSA,
.libcrypto_nid = NID_ecdsa_with_SHA512,
.signature_curve = &s2n_ecc_curve_secp521r1, /* Hardcoded as of TLS 1.3 */
.minimum_protocol_version = S2N_TLS13,
};
Expand Down

0 comments on commit 1a5e406

Please sign in to comment.