The branch master has been updated
via 6a71e06d7aa02b857c8650aa94f6efd9d6531872 (commit)
via 2094ea070a1fb6aa06b8e939e6cb735edc2c178b (commit)
from f1e793cc974094da7da52c6958ad7b972b4a446d (commit)
- Log -----------------------------------------------------------------
commit 6a71e06d7aa02b857c8650aa94f6efd9d6531872
Author: Rob Percival <[email protected]>
Date: Tue Apr 4 23:24:28 2017 +0100
CT_POLICY_EVAL_CTX_set_time expects milliseconds, but given seconds
This resulted in the SCT timestamp check always failing, because the
timestamp appeared to be in the future.
Reviewed-by: Rich Salz <[email protected]>
Reviewed-by: Andy Polyakov <[email protected]>
Reviewed-by: Richard Levitte <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/3138)
commit 2094ea070a1fb6aa06b8e939e6cb735edc2c178b
Author: Rob Percival <[email protected]>
Date: Thu Apr 6 13:21:27 2017 +0100
Add SSL tests for certificates with embedded SCTs
The only SSL tests prior to this tested using certificates with no
embedded Signed Certificate Timestamps (SCTs), which meant they couldn't
confirm whether Certificate Transparency checks in "strict" mode were
working.
These tests reveal a bug in the validation of SCT timestamps, which is
fixed by the next commit.
Reviewed-by: Rich Salz <[email protected]>
Reviewed-by: Andy Polyakov <[email protected]>
Reviewed-by: Richard Levitte <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/3138)
-----------------------------------------------------------------------
Summary of changes:
ssl/ssl_lib.c | 3 +-
test/certs/embeddedSCTs1-key.pem | 15 ++++
test/ssl-tests/12-ct.conf | 176 ++++++++++++++++++++++++++-------------
test/ssl-tests/12-ct.conf.in | 55 ++++++++++--
4 files changed, 180 insertions(+), 69 deletions(-)
create mode 100644 test/certs/embeddedSCTs1-key.pem
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 4f4eba1..4de2b47 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -4361,7 +4361,8 @@ int ssl_validate_ct(SSL *s)
CT_POLICY_EVAL_CTX_set1_cert(ctx, cert);
CT_POLICY_EVAL_CTX_set1_issuer(ctx, issuer);
CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(ctx, s->ctx->ctlog_store);
- CT_POLICY_EVAL_CTX_set_time(ctx,
SSL_SESSION_get_time(SSL_get0_session(s)));
+ CT_POLICY_EVAL_CTX_set_time(
+ ctx, (uint64_t)SSL_SESSION_get_time(SSL_get0_session(s)) * 1000);
scts = SSL_get0_peer_scts(s);
diff --git a/test/certs/embeddedSCTs1-key.pem b/test/certs/embeddedSCTs1-key.pem
new file mode 100644
index 0000000..e3e66d5
--- /dev/null
+++ b/test/certs/embeddedSCTs1-key.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/BH634c4VyVui+A7k
+WL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWkEM2cW9tdSSdyba8X
+EPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWwFAn/Xdh+tQIDAQAB
+AoGAK/daG0vt6Fkqy/hdrtSJSKUVRoGRmS2nnba4Qzlwzh1+x2kdbMFuaOu2a37g
+PvmeQclheKZ3EG1+Jb4yShwLcBCV6pkRJhOKuhvqGnjngr6uBH4gMCjpZVj7GDMf
+flYHhdJCs3Cz/TY0wKN3o1Fldil2DHR/AEOc1nImeSp5/EUCQQDjKS3W957kYtTU
+X5BeRjvg03Ug8tJq6IFuhTFvUJ+XQ5bAc0DmxAbQVKqRS7Wje59zTknVvS+MFdeQ
+pz4dGuV7AkEA1y0X2yarIls+0A/S1uwkvwRTIkfS+QwFJ1zVya8sApRdKAcidIzA
+b70hkKLilU9+LrXg5iZdFp8l752qJiw9jwJAXjItN/7mfH4fExGto+or2kbVQxxt
+9LcFNPc2UJp2ExuL37HrL8YJrUnukOF8KJaSwBWuuFsC5GwKP4maUCdfEQJAUwBR
+83c3DEmmMRvpeH4erpA8gTyzZN3+HvDwhpvLnjMcvBQEdnDUykVqbSBnxrCjO+Fs
+n1qtDczWFVf8Cj2GgQJAQ14Awx32Cn9sF+3M+sEVtlAf6CqiEbkYeYdSCbsplMmZ
+1UoaxiwXY3z+B7epsRnnPR3KaceAlAxw2/zQJMFNOQ==
+-----END RSA PRIVATE KEY-----
diff --git a/test/ssl-tests/12-ct.conf b/test/ssl-tests/12-ct.conf
index 22fa18d..2e6e9de 100644
--- a/test/ssl-tests/12-ct.conf
+++ b/test/ssl-tests/12-ct.conf
@@ -1,135 +1,191 @@
# Generated with generate_ssl_tests.pl
-num_tests = 4
-
-test-0 = 0-ct-permissive
-test-1 = 1-ct-strict
-test-2 = 2-ct-permissive-resumption
-test-3 = 3-ct-strict-resumption
+num_tests = 6
+
+test-0 = 0-ct-permissive-without-scts
+test-1 = 1-ct-permissive-with-scts
+test-2 = 2-ct-strict-without-scts
+test-3 = 3-ct-strict-with-scts
+test-4 = 4-ct-permissive-resumption
+test-5 = 5-ct-strict-resumption
# ===========================================================
-[0-ct-permissive]
-ssl_conf = 0-ct-permissive-ssl
+[0-ct-permissive-without-scts]
+ssl_conf = 0-ct-permissive-without-scts-ssl
-[0-ct-permissive-ssl]
-server = 0-ct-permissive-server
-client = 0-ct-permissive-client
+[0-ct-permissive-without-scts-ssl]
+server = 0-ct-permissive-without-scts-server
+client = 0-ct-permissive-without-scts-client
-[0-ct-permissive-server]
+[0-ct-permissive-without-scts-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[0-ct-permissive-client]
+[0-ct-permissive-without-scts-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-0]
ExpectedResult = Success
-client = 0-ct-permissive-client-extra
+client = 0-ct-permissive-without-scts-client-extra
+
+[0-ct-permissive-without-scts-client-extra]
+CTValidation = Permissive
+
+
+# ===========================================================
+
+[1-ct-permissive-with-scts]
+ssl_conf = 1-ct-permissive-with-scts-ssl
+
+[1-ct-permissive-with-scts-ssl]
+server = 1-ct-permissive-with-scts-server
+client = 1-ct-permissive-with-scts-client
+
+[1-ct-permissive-with-scts-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem
+
+[1-ct-permissive-with-scts-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem
+VerifyMode = Peer
+
+[test-1]
+ExpectedResult = Success
+client = 1-ct-permissive-with-scts-client-extra
-[0-ct-permissive-client-extra]
+[1-ct-permissive-with-scts-client-extra]
CTValidation = Permissive
# ===========================================================
-[1-ct-strict]
-ssl_conf = 1-ct-strict-ssl
+[2-ct-strict-without-scts]
+ssl_conf = 2-ct-strict-without-scts-ssl
-[1-ct-strict-ssl]
-server = 1-ct-strict-server
-client = 1-ct-strict-client
+[2-ct-strict-without-scts-ssl]
+server = 2-ct-strict-without-scts-server
+client = 2-ct-strict-without-scts-client
-[1-ct-strict-server]
+[2-ct-strict-without-scts-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[1-ct-strict-client]
+[2-ct-strict-without-scts-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-1]
+[test-2]
ExpectedClientAlert = HandshakeFailure
ExpectedResult = ClientFail
-client = 1-ct-strict-client-extra
+client = 2-ct-strict-without-scts-client-extra
-[1-ct-strict-client-extra]
+[2-ct-strict-without-scts-client-extra]
CTValidation = Strict
# ===========================================================
-[2-ct-permissive-resumption]
-ssl_conf = 2-ct-permissive-resumption-ssl
+[3-ct-strict-with-scts]
+ssl_conf = 3-ct-strict-with-scts-ssl
-[2-ct-permissive-resumption-ssl]
-server = 2-ct-permissive-resumption-server
-client = 2-ct-permissive-resumption-client
-resume-server = 2-ct-permissive-resumption-server
-resume-client = 2-ct-permissive-resumption-client
+[3-ct-strict-with-scts-ssl]
+server = 3-ct-strict-with-scts-server
+client = 3-ct-strict-with-scts-client
-[2-ct-permissive-resumption-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+[3-ct-strict-with-scts-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem
CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem
-[2-ct-permissive-resumption-client]
+[3-ct-strict-with-scts-client]
CipherString = DEFAULT
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem
VerifyMode = Peer
-[test-2]
+[test-3]
+ExpectedResult = Success
+client = 3-ct-strict-with-scts-client-extra
+
+[3-ct-strict-with-scts-client-extra]
+CTValidation = Strict
+
+
+# ===========================================================
+
+[4-ct-permissive-resumption]
+ssl_conf = 4-ct-permissive-resumption-ssl
+
+[4-ct-permissive-resumption-ssl]
+server = 4-ct-permissive-resumption-server
+client = 4-ct-permissive-resumption-client
+resume-server = 4-ct-permissive-resumption-server
+resume-client = 4-ct-permissive-resumption-client
+
+[4-ct-permissive-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem
+
+[4-ct-permissive-resumption-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem
+VerifyMode = Peer
+
+[test-4]
ExpectedResult = Success
HandshakeMode = Resume
ResumptionExpected = Yes
-client = 2-ct-permissive-resumption-client-extra
-resume-client = 2-ct-permissive-resumption-client-extra
+client = 4-ct-permissive-resumption-client-extra
+resume-client = 4-ct-permissive-resumption-client-extra
-[2-ct-permissive-resumption-client-extra]
+[4-ct-permissive-resumption-client-extra]
CTValidation = Permissive
# ===========================================================
-[3-ct-strict-resumption]
-ssl_conf = 3-ct-strict-resumption-ssl
+[5-ct-strict-resumption]
+ssl_conf = 5-ct-strict-resumption-ssl
-[3-ct-strict-resumption-ssl]
-server = 3-ct-strict-resumption-server
-client = 3-ct-strict-resumption-client
-resume-server = 3-ct-strict-resumption-server
-resume-client = 3-ct-strict-resumption-resume-client
+[5-ct-strict-resumption-ssl]
+server = 5-ct-strict-resumption-server
+client = 5-ct-strict-resumption-client
+resume-server = 5-ct-strict-resumption-server
+resume-client = 5-ct-strict-resumption-resume-client
-[3-ct-strict-resumption-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+[5-ct-strict-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem
CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem
-[3-ct-strict-resumption-client]
+[5-ct-strict-resumption-client]
CipherString = DEFAULT
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem
VerifyMode = Peer
-[3-ct-strict-resumption-resume-client]
+[5-ct-strict-resumption-resume-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-3]
+[test-5]
ExpectedResult = Success
HandshakeMode = Resume
ResumptionExpected = Yes
-client = 3-ct-strict-resumption-client-extra
-resume-client = 3-ct-strict-resumption-resume-client-extra
+client = 5-ct-strict-resumption-client-extra
+resume-client = 5-ct-strict-resumption-resume-client-extra
-[3-ct-strict-resumption-client-extra]
-CTValidation = Permissive
+[5-ct-strict-resumption-client-extra]
+CTValidation = Strict
-[3-ct-strict-resumption-resume-client-extra]
+[5-ct-strict-resumption-resume-client-extra]
CTValidation = Strict
diff --git a/test/ssl-tests/12-ct.conf.in b/test/ssl-tests/12-ct.conf.in
index c27e091..7c03049 100644
--- a/test/ssl-tests/12-ct.conf.in
+++ b/test/ssl-tests/12-ct.conf.in
@@ -16,9 +16,8 @@ package ssltests;
our @tests = (
- # Currently only have tests for certs without SCTs.
{
- name => "ct-permissive",
+ name => "ct-permissive-without-scts",
server => { },
client => {
extra => {
@@ -28,9 +27,25 @@ our @tests = (
test => {
"ExpectedResult" => "Success",
},
- },
+ },
{
- name => "ct-strict",
+ name => "ct-permissive-with-scts",
+ server => {
+ "Certificate" => test_pem("embeddedSCTs1.pem"),
+ "PrivateKey" => test_pem("embeddedSCTs1-key.pem"),
+ },
+ client => {
+ "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"),
+ extra => {
+ "CTValidation" => "Permissive",
+ },
+ },
+ test => {
+ "ExpectedResult" => "Success",
+ },
+ },
+ {
+ name => "ct-strict-without-scts",
server => { },
client => {
extra => {
@@ -43,9 +58,29 @@ our @tests = (
},
},
{
+ name => "ct-strict-with-scts",
+ server => {
+ "Certificate" => test_pem("embeddedSCTs1.pem"),
+ "PrivateKey" => test_pem("embeddedSCTs1-key.pem"),
+ },
+ client => {
+ "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"),
+ extra => {
+ "CTValidation" => "Strict",
+ },
+ },
+ test => {
+ "ExpectedResult" => "Success",
+ },
+ },
+ {
name => "ct-permissive-resumption",
- server => { },
+ server => {
+ "Certificate" => test_pem("embeddedSCTs1.pem"),
+ "PrivateKey" => test_pem("embeddedSCTs1-key.pem"),
+ },
client => {
+ "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"),
extra => {
"CTValidation" => "Permissive",
},
@@ -55,13 +90,17 @@ our @tests = (
"ResumptionExpected" => "Yes",
"ExpectedResult" => "Success",
},
- },
+ },
{
name => "ct-strict-resumption",
- server => { },
+ server => {
+ "Certificate" => test_pem("embeddedSCTs1.pem"),
+ "PrivateKey" => test_pem("embeddedSCTs1-key.pem"),
+ },
client => {
+ "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"),
extra => {
- "CTValidation" => "Permissive",
+ "CTValidation" => "Strict",
},
},
# SCTs are not present during resumption, so the resumption
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
