Add SSL tests for certificates with embedded SCTs
authorRob Percival <robpercival@google.com>
Thu, 6 Apr 2017 12:21:27 +0000 (13:21 +0100)
committerRichard Levitte <levitte@openssl.org>
Wed, 12 Apr 2017 17:08:57 +0000 (19:08 +0200)
The only SSL tests prior to this tested using certificates with no
embedded Signed Certificate Timestamps (SCTs), which meant they couldn't
confirm whether Certificate Transparency checks in "strict" mode were
working.

These tests reveal a bug in the validation of SCT timestamps, which is
fixed by the next commit.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3138)

test/certs/embeddedSCTs1-key.pem [new file with mode: 0644]
test/ssl-tests/12-ct.conf
test/ssl-tests/12-ct.conf.in

diff --git a/test/certs/embeddedSCTs1-key.pem b/test/certs/embeddedSCTs1-key.pem
new file mode 100644 (file)
index 0000000..e3e66d5
--- /dev/null
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/BH634c4VyVui+A7k
+WL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWkEM2cW9tdSSdyba8X
+EPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWwFAn/Xdh+tQIDAQAB
+AoGAK/daG0vt6Fkqy/hdrtSJSKUVRoGRmS2nnba4Qzlwzh1+x2kdbMFuaOu2a37g
+PvmeQclheKZ3EG1+Jb4yShwLcBCV6pkRJhOKuhvqGnjngr6uBH4gMCjpZVj7GDMf
+flYHhdJCs3Cz/TY0wKN3o1Fldil2DHR/AEOc1nImeSp5/EUCQQDjKS3W957kYtTU
+X5BeRjvg03Ug8tJq6IFuhTFvUJ+XQ5bAc0DmxAbQVKqRS7Wje59zTknVvS+MFdeQ
+pz4dGuV7AkEA1y0X2yarIls+0A/S1uwkvwRTIkfS+QwFJ1zVya8sApRdKAcidIzA
+b70hkKLilU9+LrXg5iZdFp8l752qJiw9jwJAXjItN/7mfH4fExGto+or2kbVQxxt
+9LcFNPc2UJp2ExuL37HrL8YJrUnukOF8KJaSwBWuuFsC5GwKP4maUCdfEQJAUwBR
+83c3DEmmMRvpeH4erpA8gTyzZN3+HvDwhpvLnjMcvBQEdnDUykVqbSBnxrCjO+Fs
+n1qtDczWFVf8Cj2GgQJAQ14Awx32Cn9sF+3M+sEVtlAf6CqiEbkYeYdSCbsplMmZ
+1UoaxiwXY3z+B7epsRnnPR3KaceAlAxw2/zQJMFNOQ==
+-----END RSA PRIVATE KEY-----
index 22fa18dd45536396fc02e4df053f7d3bcd18f7f8..2e6e9dea6757359a2282b2c44cf4c3179c9b8a41 100644 (file)
 # Generated with generate_ssl_tests.pl
 
-num_tests = 4
-
-test-0 = 0-ct-permissive
-test-1 = 1-ct-strict
-test-2 = 2-ct-permissive-resumption
-test-3 = 3-ct-strict-resumption
+num_tests = 6
+
+test-0 = 0-ct-permissive-without-scts
+test-1 = 1-ct-permissive-with-scts
+test-2 = 2-ct-strict-without-scts
+test-3 = 3-ct-strict-with-scts
+test-4 = 4-ct-permissive-resumption
+test-5 = 5-ct-strict-resumption
 # ===========================================================
 
-[0-ct-permissive]
-ssl_conf = 0-ct-permissive-ssl
+[0-ct-permissive-without-scts]
+ssl_conf = 0-ct-permissive-without-scts-ssl
 
-[0-ct-permissive-ssl]
-server = 0-ct-permissive-server
-client = 0-ct-permissive-client
+[0-ct-permissive-without-scts-ssl]
+server = 0-ct-permissive-without-scts-server
+client = 0-ct-permissive-without-scts-client
 
-[0-ct-permissive-server]
+[0-ct-permissive-without-scts-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[0-ct-permissive-client]
+[0-ct-permissive-without-scts-client]
 CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-0]
 ExpectedResult = Success
-client = 0-ct-permissive-client-extra
+client = 0-ct-permissive-without-scts-client-extra
+
+[0-ct-permissive-without-scts-client-extra]
+CTValidation = Permissive
+
+
+# ===========================================================
+
+[1-ct-permissive-with-scts]
+ssl_conf = 1-ct-permissive-with-scts-ssl
+
+[1-ct-permissive-with-scts-ssl]
+server = 1-ct-permissive-with-scts-server
+client = 1-ct-permissive-with-scts-client
+
+[1-ct-permissive-with-scts-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem
+
+[1-ct-permissive-with-scts-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem
+VerifyMode = Peer
+
+[test-1]
+ExpectedResult = Success
+client = 1-ct-permissive-with-scts-client-extra
 
-[0-ct-permissive-client-extra]
+[1-ct-permissive-with-scts-client-extra]
 CTValidation = Permissive
 
 
 # ===========================================================
 
-[1-ct-strict]
-ssl_conf = 1-ct-strict-ssl
+[2-ct-strict-without-scts]
+ssl_conf = 2-ct-strict-without-scts-ssl
 
-[1-ct-strict-ssl]
-server = 1-ct-strict-server
-client = 1-ct-strict-client
+[2-ct-strict-without-scts-ssl]
+server = 2-ct-strict-without-scts-server
+client = 2-ct-strict-without-scts-client
 
-[1-ct-strict-server]
+[2-ct-strict-without-scts-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[1-ct-strict-client]
+[2-ct-strict-without-scts-client]
 CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-1]
+[test-2]
 ExpectedClientAlert = HandshakeFailure
 ExpectedResult = ClientFail
-client = 1-ct-strict-client-extra
+client = 2-ct-strict-without-scts-client-extra
 
-[1-ct-strict-client-extra]
+[2-ct-strict-without-scts-client-extra]
 CTValidation = Strict
 
 
 # ===========================================================
 
-[2-ct-permissive-resumption]
-ssl_conf = 2-ct-permissive-resumption-ssl
+[3-ct-strict-with-scts]
+ssl_conf = 3-ct-strict-with-scts-ssl
 
-[2-ct-permissive-resumption-ssl]
-server = 2-ct-permissive-resumption-server
-client = 2-ct-permissive-resumption-client
-resume-server = 2-ct-permissive-resumption-server
-resume-client = 2-ct-permissive-resumption-client
+[3-ct-strict-with-scts-ssl]
+server = 3-ct-strict-with-scts-server
+client = 3-ct-strict-with-scts-client
 
-[2-ct-permissive-resumption-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+[3-ct-strict-with-scts-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem
 CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem
 
-[2-ct-permissive-resumption-client]
+[3-ct-strict-with-scts-client]
 CipherString = DEFAULT
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem
 VerifyMode = Peer
 
-[test-2]
+[test-3]
+ExpectedResult = Success
+client = 3-ct-strict-with-scts-client-extra
+
+[3-ct-strict-with-scts-client-extra]
+CTValidation = Strict
+
+
+# ===========================================================
+
+[4-ct-permissive-resumption]
+ssl_conf = 4-ct-permissive-resumption-ssl
+
+[4-ct-permissive-resumption-ssl]
+server = 4-ct-permissive-resumption-server
+client = 4-ct-permissive-resumption-client
+resume-server = 4-ct-permissive-resumption-server
+resume-client = 4-ct-permissive-resumption-client
+
+[4-ct-permissive-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem
+
+[4-ct-permissive-resumption-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem
+VerifyMode = Peer
+
+[test-4]
 ExpectedResult = Success
 HandshakeMode = Resume
 ResumptionExpected = Yes
-client = 2-ct-permissive-resumption-client-extra
-resume-client = 2-ct-permissive-resumption-client-extra
+client = 4-ct-permissive-resumption-client-extra
+resume-client = 4-ct-permissive-resumption-client-extra
 
-[2-ct-permissive-resumption-client-extra]
+[4-ct-permissive-resumption-client-extra]
 CTValidation = Permissive
 
 
 # ===========================================================
 
-[3-ct-strict-resumption]
-ssl_conf = 3-ct-strict-resumption-ssl
+[5-ct-strict-resumption]
+ssl_conf = 5-ct-strict-resumption-ssl
 
-[3-ct-strict-resumption-ssl]
-server = 3-ct-strict-resumption-server
-client = 3-ct-strict-resumption-client
-resume-server = 3-ct-strict-resumption-server
-resume-client = 3-ct-strict-resumption-resume-client
+[5-ct-strict-resumption-ssl]
+server = 5-ct-strict-resumption-server
+client = 5-ct-strict-resumption-client
+resume-server = 5-ct-strict-resumption-server
+resume-client = 5-ct-strict-resumption-resume-client
 
-[3-ct-strict-resumption-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+[5-ct-strict-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem
 CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem
 
-[3-ct-strict-resumption-client]
+[5-ct-strict-resumption-client]
 CipherString = DEFAULT
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem
 VerifyMode = Peer
 
-[3-ct-strict-resumption-resume-client]
+[5-ct-strict-resumption-resume-client]
 CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-3]
+[test-5]
 ExpectedResult = Success
 HandshakeMode = Resume
 ResumptionExpected = Yes
-client = 3-ct-strict-resumption-client-extra
-resume-client = 3-ct-strict-resumption-resume-client-extra
+client = 5-ct-strict-resumption-client-extra
+resume-client = 5-ct-strict-resumption-resume-client-extra
 
-[3-ct-strict-resumption-client-extra]
-CTValidation = Permissive
+[5-ct-strict-resumption-client-extra]
+CTValidation = Strict
 
-[3-ct-strict-resumption-resume-client-extra]
+[5-ct-strict-resumption-resume-client-extra]
 CTValidation = Strict
 
 
index c27e0911ffc1148b8f705c33877f51817d003613..7c0304995ff9b580db568c301ada9cdd93243d73 100644 (file)
@@ -16,9 +16,8 @@ package ssltests;
 
 
 our @tests = (
-    # Currently only have tests for certs without SCTs.
     {
-        name => "ct-permissive",
+        name => "ct-permissive-without-scts",
         server => { },
         client => {
             extra => {
@@ -28,9 +27,25 @@ our @tests = (
         test => {
             "ExpectedResult" => "Success",
         },
-    }, 
+    },
     {
-        name => "ct-strict",
+        name => "ct-permissive-with-scts",
+        server => {
+            "Certificate" => test_pem("embeddedSCTs1.pem"),
+            "PrivateKey"  => test_pem("embeddedSCTs1-key.pem"),
+        },
+        client => {
+            "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"),
+            extra => {
+                "CTValidation" => "Permissive",
+            },
+        },
+        test => {
+            "ExpectedResult" => "Success",
+        },
+    },
+    {
+        name => "ct-strict-without-scts",
         server => { },
         client => {
             extra => {
@@ -42,10 +57,30 @@ our @tests = (
             "ExpectedClientAlert" => "HandshakeFailure",
         },
     },
+    {
+        name => "ct-strict-with-scts",
+        server => {
+            "Certificate" => test_pem("embeddedSCTs1.pem"),
+            "PrivateKey"  => test_pem("embeddedSCTs1-key.pem"),
+        },
+        client => {
+            "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"),
+            extra => {
+                "CTValidation" => "Strict",
+            },
+        },
+        test => {
+            "ExpectedResult" => "Success",
+        },
+    },
     {
         name => "ct-permissive-resumption",
-        server => { },
+        server => {
+            "Certificate" => test_pem("embeddedSCTs1.pem"),
+            "PrivateKey"  => test_pem("embeddedSCTs1-key.pem"),
+        },
         client => {
+            "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"),
             extra => {
                 "CTValidation" => "Permissive",
             },
@@ -55,13 +90,17 @@ our @tests = (
             "ResumptionExpected" => "Yes",
             "ExpectedResult" => "Success",
         },
-    }, 
+    },
     {
         name => "ct-strict-resumption",
-        server => { },
+        server => {
+            "Certificate" => test_pem("embeddedSCTs1.pem"),
+            "PrivateKey"  => test_pem("embeddedSCTs1-key.pem"),
+        },
         client => {
+            "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"),
             extra => {
-                "CTValidation" => "Permissive",
+                "CTValidation" => "Strict",
             },
         },
         # SCTs are not present during resumption, so the resumption