	Add tests for mbedtls_set_hs_ca_chain()
This commit is contained in:
		
							parent
							
								
									c948a798bd
								
							
						
					
					
						commit
						6ea831dcf4
					
				@ -1941,6 +1941,19 @@ reset:
 | 
				
			|||||||
    else if( ret != 0 )
 | 
					    else if( ret != 0 )
 | 
				
			||||||
    {
 | 
					    {
 | 
				
			||||||
        mbedtls_printf( " failed\n  ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret );
 | 
					        mbedtls_printf( " failed\n  ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret );
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					#if defined(MBEDTLS_X509_CRT_PARSE_C)
 | 
				
			||||||
 | 
					        if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
 | 
				
			||||||
 | 
					        {
 | 
				
			||||||
 | 
					            char vrfy_buf[512];
 | 
				
			||||||
 | 
					            uint32_t flags = mbedtls_ssl_get_verify_result( &ssl );
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					            mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					            mbedtls_printf( "%s\n", vrfy_buf );
 | 
				
			||||||
 | 
					        }
 | 
				
			||||||
 | 
					#endif
 | 
				
			||||||
 | 
					
 | 
				
			||||||
        goto reset;
 | 
					        goto reset;
 | 
				
			||||||
    }
 | 
					    }
 | 
				
			||||||
    else /* ret == 0 */
 | 
					    else /* ret == 0 */
 | 
				
			||||||
 | 
				
			|||||||
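Review bot: The result of `mbedtls_x509_crt_verify_info()` is discarded before `vrfy_buf` is printed, and `char vrfy_buf[512];` is declared without an initializer, so a negative return (presumably the buffer-too-small case when many verify flags are set) leaves the program printing an indeterminate or partially written buffer. Gating the print on a non-negative result keeps the diagnostic trustworthy: `if( mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags ) >= 0 )` in front of the existing `mbedtls_printf( "%s\n", vrfy_buf );`, optionally with `= { 0 }` on the declaration as a belt-and-braces measure. Only example-program output is affected, so the cost of getting it wrong is a misleading log line rather than a memory-safety issue. The enclosing function and the `reset:` loop named in the hunk header begin outside the hunk.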
@ -72,7 +72,7 @@ Certificate revocation lists
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
Signing CA in parentheses (same meaning as certificates).
 | 
					Signing CA in parentheses (same meaning as certificates).
 | 
				
			||||||
 | 
					
 | 
				
			||||||
- crl-ec-sha*: (2) server6.crt
 | 
					- crl-ec-sha*.pem: (2) server6.crt
 | 
				
			||||||
- crl-future.pem: (2) server6.crt + unknown
 | 
					- crl-future.pem: (2) server6.crt + unknown
 | 
				
			||||||
- crl-rsa-pss-*.pem: (1) server9{,badsign,with-ca}.crt + cert_sha384.crt + unknown
 | 
					- crl-rsa-pss-*.pem: (1) server9{,badsign,with-ca}.crt + cert_sha384.crt + unknown
 | 
				
			||||||
- crl.pem, crl_expired.pem: (1) server1{,.cert_type,.key_usage,.v1}.crt + unknown
 | 
					- crl.pem, crl_expired.pem: (1) server1{,.cert_type,.key_usage,.v1}.crt + unknown
 | 
				
			||||||
 | 
				
			|||||||
@ -1597,7 +1597,7 @@ run_test    "Authentication: client badcert, server required" \
 | 
				
			|||||||
            -C "skip write certificate verify" \
 | 
					            -C "skip write certificate verify" \
 | 
				
			||||||
            -S "skip parse certificate verify" \
 | 
					            -S "skip parse certificate verify" \
 | 
				
			||||||
            -s "x509_verify_cert() returned" \
 | 
					            -s "x509_verify_cert() returned" \
 | 
				
			||||||
            -S "! The certificate is not correctly signed by the trusted CA" \
 | 
					            -s "! The certificate is not correctly signed by the trusted CA" \
 | 
				
			||||||
            -s "! mbedtls_ssl_handshake returned" \
 | 
					            -s "! mbedtls_ssl_handshake returned" \
 | 
				
			||||||
            -c "! mbedtls_ssl_handshake returned" \
 | 
					            -c "! mbedtls_ssl_handshake returned" \
 | 
				
			||||||
            -s "X509 - Certificate verification failed"
 | 
					            -s "X509 - Certificate verification failed"
 | 
				
			||||||
@ -1750,49 +1750,49 @@ run_test    "SNI: no SNI callback" \
 | 
				
			|||||||
            "$P_SRV debug_level=3 \
 | 
					            "$P_SRV debug_level=3 \
 | 
				
			||||||
             crt_file=data_files/server5.crt key_file=data_files/server5.key" \
 | 
					             crt_file=data_files/server5.crt key_file=data_files/server5.key" \
 | 
				
			||||||
            "$P_CLI server_name=localhost" \
 | 
					            "$P_CLI server_name=localhost" \
 | 
				
			||||||
             0 \
 | 
					            0 \
 | 
				
			||||||
             -S "parse ServerName extension" \
 | 
					            -S "parse ServerName extension" \
 | 
				
			||||||
             -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
 | 
					            -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
 | 
				
			||||||
             -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
 | 
					            -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
run_test    "SNI: matching cert 1" \
 | 
					run_test    "SNI: matching cert 1" \
 | 
				
			||||||
            "$P_SRV debug_level=3 \
 | 
					            "$P_SRV debug_level=3 \
 | 
				
			||||||
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
 | 
					             crt_file=data_files/server5.crt key_file=data_files/server5.key \
 | 
				
			||||||
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
 | 
					             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
 | 
				
			||||||
            "$P_CLI server_name=localhost" \
 | 
					            "$P_CLI server_name=localhost" \
 | 
				
			||||||
             0 \
 | 
					            0 \
 | 
				
			||||||
             -s "parse ServerName extension" \
 | 
					            -s "parse ServerName extension" \
 | 
				
			||||||
             -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
 | 
					            -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
 | 
				
			||||||
             -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
 | 
					            -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
run_test    "SNI: matching cert 2" \
 | 
					run_test    "SNI: matching cert 2" \
 | 
				
			||||||
            "$P_SRV debug_level=3 \
 | 
					            "$P_SRV debug_level=3 \
 | 
				
			||||||
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
 | 
					             crt_file=data_files/server5.crt key_file=data_files/server5.key \
 | 
				
			||||||
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
 | 
					             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
 | 
				
			||||||
            "$P_CLI server_name=polarssl.example" \
 | 
					            "$P_CLI server_name=polarssl.example" \
 | 
				
			||||||
             0 \
 | 
					            0 \
 | 
				
			||||||
             -s "parse ServerName extension" \
 | 
					            -s "parse ServerName extension" \
 | 
				
			||||||
             -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
 | 
					            -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
 | 
				
			||||||
             -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
 | 
					            -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
run_test    "SNI: no matching cert" \
 | 
					run_test    "SNI: no matching cert" \
 | 
				
			||||||
            "$P_SRV debug_level=3 \
 | 
					            "$P_SRV debug_level=3 \
 | 
				
			||||||
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
 | 
					             crt_file=data_files/server5.crt key_file=data_files/server5.key \
 | 
				
			||||||
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
 | 
					             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
 | 
				
			||||||
            "$P_CLI server_name=nonesuch.example" \
 | 
					            "$P_CLI server_name=nonesuch.example" \
 | 
				
			||||||
             1 \
 | 
					            1 \
 | 
				
			||||||
             -s "parse ServerName extension" \
 | 
					            -s "parse ServerName extension" \
 | 
				
			||||||
             -s "ssl_sni_wrapper() returned" \
 | 
					            -s "ssl_sni_wrapper() returned" \
 | 
				
			||||||
             -s "mbedtls_ssl_handshake returned" \
 | 
					            -s "mbedtls_ssl_handshake returned" \
 | 
				
			||||||
             -c "mbedtls_ssl_handshake returned" \
 | 
					            -c "mbedtls_ssl_handshake returned" \
 | 
				
			||||||
             -c "SSL - A fatal alert message was received from our peer"
 | 
					            -c "SSL - A fatal alert message was received from our peer"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
run_test    "SNI: client auth no override: optional" \
 | 
					run_test    "SNI: client auth no override: optional" \
 | 
				
			||||||
            "$P_SRV debug_level=3 auth_mode=optional \
 | 
					            "$P_SRV debug_level=3 auth_mode=optional \
 | 
				
			||||||
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
 | 
					             crt_file=data_files/server5.crt key_file=data_files/server5.key \
 | 
				
			||||||
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
 | 
					             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
 | 
				
			||||||
            "$P_CLI debug_level=3 server_name=localhost" \
 | 
					            "$P_CLI debug_level=3 server_name=localhost" \
 | 
				
			||||||
             0 \
 | 
					            0 \
 | 
				
			||||||
            -S "skip write certificate request" \
 | 
					            -S "skip write certificate request" \
 | 
				
			||||||
            -C "skip parse certificate request" \
 | 
					            -C "skip parse certificate request" \
 | 
				
			||||||
            -c "got a certificate request" \
 | 
					            -c "got a certificate request" \
 | 
				
			||||||
@ -1805,7 +1805,7 @@ run_test    "SNI: client auth override: none -> optional" \
 | 
				
			|||||||
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
 | 
					             crt_file=data_files/server5.crt key_file=data_files/server5.key \
 | 
				
			||||||
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
 | 
					             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
 | 
				
			||||||
            "$P_CLI debug_level=3 server_name=localhost" \
 | 
					            "$P_CLI debug_level=3 server_name=localhost" \
 | 
				
			||||||
             0 \
 | 
					            0 \
 | 
				
			||||||
            -S "skip write certificate request" \
 | 
					            -S "skip write certificate request" \
 | 
				
			||||||
            -C "skip parse certificate request" \
 | 
					            -C "skip parse certificate request" \
 | 
				
			||||||
            -c "got a certificate request" \
 | 
					            -c "got a certificate request" \
 | 
				
			||||||
@ -1818,7 +1818,7 @@ run_test    "SNI: client auth override: optional -> none" \
 | 
				
			|||||||
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
 | 
					             crt_file=data_files/server5.crt key_file=data_files/server5.key \
 | 
				
			||||||
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
 | 
					             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
 | 
				
			||||||
            "$P_CLI debug_level=3 server_name=localhost" \
 | 
					            "$P_CLI debug_level=3 server_name=localhost" \
 | 
				
			||||||
             0 \
 | 
					            0 \
 | 
				
			||||||
            -s "skip write certificate request" \
 | 
					            -s "skip write certificate request" \
 | 
				
			||||||
            -C "skip parse certificate request" \
 | 
					            -C "skip parse certificate request" \
 | 
				
			||||||
            -c "got no certificate request" \
 | 
					            -c "got no certificate request" \
 | 
				
			||||||
@ -1826,6 +1826,60 @@ run_test    "SNI: client auth override: optional -> none" \
 | 
				
			|||||||
            -c "skip write certificate verify" \
 | 
					            -c "skip write certificate verify" \
 | 
				
			||||||
            -s "skip parse certificate verify"
 | 
					            -s "skip parse certificate verify"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					run_test    "SNI: CA no override" \
 | 
				
			||||||
 | 
					            "$P_SRV debug_level=3 auth_mode=optional \
 | 
				
			||||||
 | 
					             crt_file=data_files/server5.crt key_file=data_files/server5.key \
 | 
				
			||||||
 | 
					             ca_file=data_files/test-ca.crt \
 | 
				
			||||||
 | 
					             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
 | 
				
			||||||
 | 
					            "$P_CLI debug_level=3 server_name=localhost \
 | 
				
			||||||
 | 
					             crt_file=data_files/server6.crt key_file=data_files/server6.key" \
 | 
				
			||||||
 | 
					            1 \
 | 
				
			||||||
 | 
					            -S "skip write certificate request" \
 | 
				
			||||||
 | 
					            -C "skip parse certificate request" \
 | 
				
			||||||
 | 
					            -c "got a certificate request" \
 | 
				
			||||||
 | 
					            -C "skip write certificate" \
 | 
				
			||||||
 | 
					            -C "skip write certificate verify" \
 | 
				
			||||||
 | 
					            -S "skip parse certificate verify" \
 | 
				
			||||||
 | 
					            -s "x509_verify_cert() returned" \
 | 
				
			||||||
 | 
					            -s "! The certificate is not correctly signed by the trusted CA" \
 | 
				
			||||||
 | 
					            -S "The certificate has been revoked (is on a CRL)"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					run_test    "SNI: CA override" \
 | 
				
			||||||
 | 
					            "$P_SRV debug_level=3 auth_mode=optional \
 | 
				
			||||||
 | 
					             crt_file=data_files/server5.crt key_file=data_files/server5.key \
 | 
				
			||||||
 | 
					             ca_file=data_files/test-ca.crt \
 | 
				
			||||||
 | 
					             sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
 | 
				
			||||||
 | 
					            "$P_CLI debug_level=3 server_name=localhost \
 | 
				
			||||||
 | 
					             crt_file=data_files/server6.crt key_file=data_files/server6.key" \
 | 
				
			||||||
 | 
					            0 \
 | 
				
			||||||
 | 
					            -S "skip write certificate request" \
 | 
				
			||||||
 | 
					            -C "skip parse certificate request" \
 | 
				
			||||||
 | 
					            -c "got a certificate request" \
 | 
				
			||||||
 | 
					            -C "skip write certificate" \
 | 
				
			||||||
 | 
					            -C "skip write certificate verify" \
 | 
				
			||||||
 | 
					            -S "skip parse certificate verify" \
 | 
				
			||||||
 | 
					            -S "x509_verify_cert() returned" \
 | 
				
			||||||
 | 
					            -S "! The certificate is not correctly signed by the trusted CA" \
 | 
				
			||||||
 | 
					            -S "The certificate has been revoked (is on a CRL)"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					run_test    "SNI: CA override with CRL" \
 | 
				
			||||||
 | 
					            "$P_SRV debug_level=3 auth_mode=optional \
 | 
				
			||||||
 | 
					             crt_file=data_files/server5.crt key_file=data_files/server5.key \
 | 
				
			||||||
 | 
					             ca_file=data_files/test-ca.crt \
 | 
				
			||||||
 | 
					             sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
 | 
				
			||||||
 | 
					            "$P_CLI debug_level=3 server_name=localhost \
 | 
				
			||||||
 | 
					             crt_file=data_files/server6.crt key_file=data_files/server6.key" \
 | 
				
			||||||
 | 
					            1 \
 | 
				
			||||||
 | 
					            -S "skip write certificate request" \
 | 
				
			||||||
 | 
					            -C "skip parse certificate request" \
 | 
				
			||||||
 | 
					            -c "got a certificate request" \
 | 
				
			||||||
 | 
					            -C "skip write certificate" \
 | 
				
			||||||
 | 
					            -C "skip write certificate verify" \
 | 
				
			||||||
 | 
					            -S "skip parse certificate verify" \
 | 
				
			||||||
 | 
					            -s "x509_verify_cert() returned" \
 | 
				
			||||||
 | 
					            -S "! The certificate is not correctly signed by the trusted CA" \
 | 
				
			||||||
 | 
					            -s "The certificate has been revoked (is on a CRL)"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
# Tests for non-blocking I/O: exercise a variety of handshake flows
 | 
					# Tests for non-blocking I/O: exercise a variety of handshake flows
 | 
				
			||||||
 | 
					
 | 
				
			||||||
run_test    "Non-blocking I/O: basic handshake" \
 | 
					run_test    "Non-blocking I/O: basic handshake" \
 | 
				
			||||||
 | 
				
			|||||||
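Review bot: None of the three new "SNI: CA …" tests in the last hunk checks that the per-SNI CA replaces the default trust store rather than extending it: a server that simply appended `data_files/test-ca2.crt` to the CAs loaded via `ca_file=data_files/test-ca.crt` would pass "SNI: CA no override", "SNI: CA override" and "SNI: CA override with CRL" unchanged, which is exactly the trust-scoping mistake a per-virtual-host CA override exists to prevent. A fourth test that presents a client certificate issued by the default CA (the Readme hunk lists `server1.crt` under signing CA 1) to the same `test-ca2.crt` override and expects the "not correctly signed" message would pin that down; the proposed test below reuses the expectations of "SNI: CA no override" with the client credentials swapped, and the `data_files/server1.crt` name should be confirmed against the test data directory before merging. The `-S` to `-s` change in the "client badcert, server required" hunk and the whitespace-only hunks need nothing further.

```shell
run_test    "SNI: CA override: default CA not trusted for SNI host" \
            "$P_SRV debug_level=3 auth_mode=optional \
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             ca_file=data_files/test-ca.crt \
             sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
            "$P_CLI debug_level=3 server_name=localhost \
             crt_file=data_files/server1.crt key_file=data_files/server1.key" \
            1 \
            -c "got a certificate request" \
            -C "skip write certificate" \
            -S "skip parse certificate verify" \
            -s "x509_verify_cert() returned" \
            -s "! The certificate is not correctly signed by the trusted CA"
```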