Source file
src/crypto/tls/auth_test.go
1
2
3
4
5 package tls
6
7 import (
8 "crypto"
9 "crypto/tls/internal/fips140tls"
10 "testing"
11 )
12
13 func TestSignatureSelection(t *testing.T) {
14 rsaCert := &Certificate{
15 Certificate: [][]byte{testRSACertificate},
16 PrivateKey: testRSAPrivateKey,
17 }
18 pkcs1Cert := &Certificate{
19 Certificate: [][]byte{testRSACertificate},
20 PrivateKey: testRSAPrivateKey,
21 SupportedSignatureAlgorithms: []SignatureScheme{PKCS1WithSHA1, PKCS1WithSHA256},
22 }
23 ecdsaCert := &Certificate{
24 Certificate: [][]byte{testP256Certificate},
25 PrivateKey: testP256PrivateKey,
26 }
27 ed25519Cert := &Certificate{
28 Certificate: [][]byte{testEd25519Certificate},
29 PrivateKey: testEd25519PrivateKey,
30 }
31
32 tests := []struct {
33 cert *Certificate
34 peerSigAlgs []SignatureScheme
35 tlsVersion uint16
36
37 expectedSigAlg SignatureScheme
38 expectedSigType uint8
39 expectedHash crypto.Hash
40 }{
41 {rsaCert, []SignatureScheme{PKCS1WithSHA1, PKCS1WithSHA256}, VersionTLS12, PKCS1WithSHA1, signaturePKCS1v15, crypto.SHA1},
42 {rsaCert, []SignatureScheme{PKCS1WithSHA512, PKCS1WithSHA1}, VersionTLS12, PKCS1WithSHA512, signaturePKCS1v15, crypto.SHA512},
43 {rsaCert, []SignatureScheme{PSSWithSHA256, PKCS1WithSHA256}, VersionTLS12, PSSWithSHA256, signatureRSAPSS, crypto.SHA256},
44 {pkcs1Cert, []SignatureScheme{PSSWithSHA256, PKCS1WithSHA256}, VersionTLS12, PKCS1WithSHA256, signaturePKCS1v15, crypto.SHA256},
45 {rsaCert, []SignatureScheme{PSSWithSHA384, PKCS1WithSHA1}, VersionTLS13, PSSWithSHA384, signatureRSAPSS, crypto.SHA384},
46 {ecdsaCert, []SignatureScheme{ECDSAWithSHA1}, VersionTLS12, ECDSAWithSHA1, signatureECDSA, crypto.SHA1},
47 {ecdsaCert, []SignatureScheme{ECDSAWithP256AndSHA256}, VersionTLS12, ECDSAWithP256AndSHA256, signatureECDSA, crypto.SHA256},
48 {ecdsaCert, []SignatureScheme{ECDSAWithP256AndSHA256}, VersionTLS13, ECDSAWithP256AndSHA256, signatureECDSA, crypto.SHA256},
49 {ed25519Cert, []SignatureScheme{Ed25519}, VersionTLS12, Ed25519, signatureEd25519, directSigning},
50 {ed25519Cert, []SignatureScheme{Ed25519}, VersionTLS13, Ed25519, signatureEd25519, directSigning},
51
52
53 {rsaCert, nil, VersionTLS12, PKCS1WithSHA1, signaturePKCS1v15, crypto.SHA1},
54 {ecdsaCert, nil, VersionTLS12, ECDSAWithSHA1, signatureECDSA, crypto.SHA1},
55
56
57 {ecdsaCert, []SignatureScheme{ECDSAWithP384AndSHA384}, VersionTLS12, ECDSAWithP384AndSHA384, signatureECDSA, crypto.SHA384},
58 }
59
60 for testNo, test := range tests {
61 if fips140tls.Required() && (test.expectedHash == crypto.SHA1 || test.expectedSigAlg == Ed25519) {
62 t.Logf("skipping test[%d] - not compatible with TLS FIPS mode", testNo)
63 continue
64 }
65
66 sigAlg, err := selectSignatureScheme(test.tlsVersion, test.cert, test.peerSigAlgs)
67 if err != nil {
68 t.Errorf("test[%d]: unexpected selectSignatureScheme error: %v", testNo, err)
69 }
70 if test.expectedSigAlg != sigAlg {
71 t.Errorf("test[%d]: expected signature scheme %v, got %v", testNo, test.expectedSigAlg, sigAlg)
72 }
73 sigType, hashFunc, err := typeAndHashFromSignatureScheme(sigAlg)
74 if err != nil {
75 t.Errorf("test[%d]: unexpected typeAndHashFromSignatureScheme error: %v", testNo, err)
76 }
77 if test.expectedSigType != sigType {
78 t.Errorf("test[%d]: expected signature algorithm %#x, got %#x", testNo, test.expectedSigType, sigType)
79 }
80 if test.expectedHash != hashFunc {
81 t.Errorf("test[%d]: expected hash function %#x, got %#x", testNo, test.expectedHash, hashFunc)
82 }
83 }
84
85 brokenCert := &Certificate{
86 Certificate: [][]byte{testRSACertificate},
87 PrivateKey: testRSAPrivateKey,
88 SupportedSignatureAlgorithms: []SignatureScheme{Ed25519},
89 }
90
91 badTests := []struct {
92 cert *Certificate
93 peerSigAlgs []SignatureScheme
94 tlsVersion uint16
95 }{
96 {rsaCert, []SignatureScheme{ECDSAWithP256AndSHA256, ECDSAWithSHA1}, VersionTLS12},
97 {ecdsaCert, []SignatureScheme{PKCS1WithSHA256, PKCS1WithSHA1}, VersionTLS12},
98 {rsaCert, []SignatureScheme{0}, VersionTLS12},
99 {ed25519Cert, []SignatureScheme{ECDSAWithP256AndSHA256, ECDSAWithSHA1}, VersionTLS12},
100 {ecdsaCert, []SignatureScheme{Ed25519}, VersionTLS12},
101 {brokenCert, []SignatureScheme{Ed25519}, VersionTLS12},
102 {brokenCert, []SignatureScheme{PKCS1WithSHA256}, VersionTLS12},
103
104
105
106 {ed25519Cert, nil, VersionTLS12},
107
108 {rsaCert, nil, VersionTLS13},
109 {ecdsaCert, nil, VersionTLS13},
110 {ed25519Cert, nil, VersionTLS13},
111
112 {ecdsaCert, []SignatureScheme{ECDSAWithP384AndSHA384}, VersionTLS13},
113
114 {rsaCert, []SignatureScheme{PKCS1WithSHA256}, VersionTLS13},
115 {pkcs1Cert, []SignatureScheme{PSSWithSHA256, PKCS1WithSHA256}, VersionTLS13},
116 {ecdsaCert, []SignatureScheme{ECDSAWithSHA1}, VersionTLS13},
117
118 {rsaCert, []SignatureScheme{PSSWithSHA512}, VersionTLS12},
119 }
120
121 for testNo, test := range badTests {
122 sigAlg, err := selectSignatureScheme(test.tlsVersion, test.cert, test.peerSigAlgs)
123 if err == nil {
124 t.Errorf("test[%d]: unexpected success, got %v", testNo, sigAlg)
125 }
126 }
127 }
128
129 func TestLegacyTypeAndHash(t *testing.T) {
130 sigType, hashFunc, err := legacyTypeAndHashFromPublicKey(testRSAPrivateKey.Public())
131 if err != nil {
132 t.Errorf("RSA: unexpected error: %v", err)
133 }
134 if expectedSigType := signaturePKCS1v15; expectedSigType != sigType {
135 t.Errorf("RSA: expected signature type %#x, got %#x", expectedSigType, sigType)
136 }
137 if expectedHashFunc := crypto.MD5SHA1; expectedHashFunc != hashFunc {
138 t.Errorf("RSA: expected hash %#x, got %#x", expectedHashFunc, hashFunc)
139 }
140
141 sigType, hashFunc, err = legacyTypeAndHashFromPublicKey(testECDSAPrivateKey.Public())
142 if err != nil {
143 t.Errorf("ECDSA: unexpected error: %v", err)
144 }
145 if expectedSigType := signatureECDSA; expectedSigType != sigType {
146 t.Errorf("ECDSA: expected signature type %#x, got %#x", expectedSigType, sigType)
147 }
148 if expectedHashFunc := crypto.SHA1; expectedHashFunc != hashFunc {
149 t.Errorf("ECDSA: expected hash %#x, got %#x", expectedHashFunc, hashFunc)
150 }
151
152
153 _, _, err = legacyTypeAndHashFromPublicKey(testEd25519PrivateKey.Public())
154 if err == nil {
155 t.Errorf("Ed25519: unexpected success")
156 }
157 }
158
159
160
161 func TestSupportedSignatureAlgorithms(t *testing.T) {
162 for _, sigAlg := range supportedSignatureAlgorithms() {
163 sigType, hash, err := typeAndHashFromSignatureScheme(sigAlg)
164 if err != nil {
165 t.Errorf("%v: unexpected error: %v", sigAlg, err)
166 }
167 if sigType == 0 {
168 t.Errorf("%v: missing signature type", sigAlg)
169 }
170 if hash == 0 && sigAlg != Ed25519 {
171 t.Errorf("%v: missing hash", sigAlg)
172 }
173 }
174 }
175
View as plain text