search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
libgo: Merge from revision 18783:00cce3a34d7e of master library.
[official-gcc.git] / libgo / go / crypto / tls / handshake_server_test.go
blob1eb420af4764c60f377ef7a9a45d76982f96526a
1 // Copyright 2009 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
4
5 package tls
6
7 import (
8 "bytes"
9 "crypto/ecdsa"
10 "crypto/elliptic"
11 "crypto/rsa"
12 "crypto/x509"
13 "encoding/hex"
14 "encoding/pem"
15 "errors"
16 "fmt"
17 "io"
18 "math/big"
19 "net"
20 "os"
21 "os/exec"
22 "path/filepath"
23 "testing"
24 "time"
25 )
26
27 // zeroSource is an io.Reader that returns an unlimited number of zero bytes.
28 type zeroSource struct{}
29
30 func (zeroSource) Read(b []byte) (n int, err error) {
31 for i := range b {
32 b[i] = 0
33 }
34
35 return len(b), nil
36 }
37
38 var testConfig *Config
39
40 func init() {
41 testConfig = &Config{
42 Time: func() time.Time { return time.Unix(0, 0) },
43 Rand: zeroSource{},
44 Certificates: make([]Certificate, 2),
45 InsecureSkipVerify: true,
46 MinVersion: VersionSSL30,
47 MaxVersion: VersionTLS12,
48 }
49 testConfig.Certificates[0].Certificate = [][]byte{testRSACertificate}
50 testConfig.Certificates[0].PrivateKey = testRSAPrivateKey
51 testConfig.Certificates[1].Certificate = [][]byte{testSNICertificate}
52 testConfig.Certificates[1].PrivateKey = testRSAPrivateKey
53 testConfig.BuildNameToCertificate()
54 }
55
56 func testClientHelloFailure(t *testing.T, m handshakeMessage, expected error) {
57 // Create in-memory network connection,
58 // send message to server. Should return
59 // expected error.
60 c, s := net.Pipe()
61 go func() {
62 cli := Client(c, testConfig)
63 if ch, ok := m.(*clientHelloMsg); ok {
64 cli.vers = ch.vers
65 }
66 cli.writeRecord(recordTypeHandshake, m.marshal())
67 c.Close()
68 }()
69 err := Server(s, testConfig).Handshake()
70 s.Close()
71 if e, ok := err.(*net.OpError); !ok || e.Err != expected {
72 t.Errorf("Got error: %s; expected: %s", err, expected)
73 }
74 }
75
76 func TestSimpleError(t *testing.T) {
77 testClientHelloFailure(t, &serverHelloDoneMsg{}, alertUnexpectedMessage)
78 }
79
80 var badProtocolVersions = []uint16{0x0000, 0x0005, 0x0100, 0x0105, 0x0200, 0x0205}
81
82 func TestRejectBadProtocolVersion(t *testing.T) {
83 for _, v := range badProtocolVersions {
84 testClientHelloFailure(t, &clientHelloMsg{vers: v}, alertProtocolVersion)
85 }
86 }
87
88 func TestNoSuiteOverlap(t *testing.T) {
89 clientHello := &clientHelloMsg{
90 vers: 0x0301,
91 cipherSuites: []uint16{0xff00},
92 compressionMethods: []uint8{0},
93 }
94 testClientHelloFailure(t, clientHello, alertHandshakeFailure)
95 }
96
97 func TestNoCompressionOverlap(t *testing.T) {
98 clientHello := &clientHelloMsg{
99 vers: 0x0301,
100 cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
101 compressionMethods: []uint8{0xff},
102 }
103 testClientHelloFailure(t, clientHello, alertHandshakeFailure)
104 }
105
106 func TestTLS12OnlyCipherSuites(t *testing.T) {
107 // Test that a Server doesn't select a TLS 1.2-only cipher suite when
108 // the client negotiates TLS 1.1.
109 var zeros [32]byte
110
111 clientHello := &clientHelloMsg{
112 vers: VersionTLS11,
113 random: zeros[:],
114 cipherSuites: []uint16{
115 // The Server, by default, will use the client's
116 // preference order. So the GCM cipher suite
117 // will be selected unless it's excluded because
118 // of the version in this ClientHello.
119 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
120 TLS_RSA_WITH_RC4_128_SHA,
121 },
122 compressionMethods: []uint8{compressionNone},
123 supportedCurves: []uint16{curveP256, curveP384, curveP521},
124 supportedPoints: []uint8{pointFormatUncompressed},
125 }
126
127 c, s := net.Pipe()
128 var reply interface{}
129 var clientErr error
130 go func() {
131 cli := Client(c, testConfig)
132 cli.vers = clientHello.vers
133 cli.writeRecord(recordTypeHandshake, clientHello.marshal())
134 reply, clientErr = cli.readHandshake()
135 c.Close()
136 }()
137 config := *testConfig
138 config.CipherSuites = clientHello.cipherSuites
139 Server(s, &config).Handshake()
140 s.Close()
141 if clientErr != nil {
142 t.Fatal(clientErr)
143 }
144 serverHello, ok := reply.(*serverHelloMsg)
145 if !ok {
146 t.Fatalf("didn't get ServerHello message in reply. Got %v\n", reply)
147 }
148 if s := serverHello.cipherSuite; s != TLS_RSA_WITH_RC4_128_SHA {
149 t.Fatalf("bad cipher suite from server: %x", s)
150 }
151 }
152
153 func TestAlertForwarding(t *testing.T) {
154 c, s := net.Pipe()
155 go func() {
156 Client(c, testConfig).sendAlert(alertUnknownCA)
157 c.Close()
158 }()
159
160 err := Server(s, testConfig).Handshake()
161 s.Close()
162 if e, ok := err.(*net.OpError); !ok || e.Err != error(alertUnknownCA) {
163 t.Errorf("Got error: %s; expected: %s", err, error(alertUnknownCA))
164 }
165 }
166
167 func TestClose(t *testing.T) {
168 c, s := net.Pipe()
169 go c.Close()
170
171 err := Server(s, testConfig).Handshake()
172 s.Close()
173 if err != io.EOF {
174 t.Errorf("Got error: %s; expected: %s", err, io.EOF)
175 }
176 }
177
178 func testHandshake(clientConfig, serverConfig *Config) (state ConnectionState, err error) {
179 c, s := net.Pipe()
180 go func() {
181 cli := Client(c, clientConfig)
182 cli.Handshake()
183 c.Close()
184 }()
185 server := Server(s, serverConfig)
186 err = server.Handshake()
187 if err == nil {
188 state = server.ConnectionState()
189 }
190 s.Close()
191 return
192 }
193
194 func TestCipherSuitePreference(t *testing.T) {
195 serverConfig := &Config{
196 CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA},
197 Certificates: testConfig.Certificates,
198 MaxVersion: VersionTLS11,
199 }
200 clientConfig := &Config{
201 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA},
202 InsecureSkipVerify: true,
203 }
204 state, err := testHandshake(clientConfig, serverConfig)
205 if err != nil {
206 t.Fatalf("handshake failed: %s", err)
207 }
208 if state.CipherSuite != TLS_RSA_WITH_AES_128_CBC_SHA {
209 // By default the server should use the client's preference.
210 t.Fatalf("Client's preference was not used, got %x", state.CipherSuite)
211 }
212
213 serverConfig.PreferServerCipherSuites = true
214 state, err = testHandshake(clientConfig, serverConfig)
215 if err != nil {
216 t.Fatalf("handshake failed: %s", err)
217 }
218 if state.CipherSuite != TLS_RSA_WITH_RC4_128_SHA {
219 t.Fatalf("Server's preference was not used, got %x", state.CipherSuite)
220 }
221 }
222
223 // Note: see comment in handshake_test.go for details of how the reference
224 // tests work.
225
226 // serverTest represents a test of the TLS server handshake against a reference
227 // implementation.
228 type serverTest struct {
229 // name is a freeform string identifying the test and the file in which
230 // the expected results will be stored.
231 name string
232 // command, if not empty, contains a series of arguments for the
233 // command to run for the reference server.
234 command []string
235 // expectedPeerCerts contains a list of PEM blocks of expected
236 // certificates from the client.
237 expectedPeerCerts []string
238 // config, if not nil, contains a custom Config to use for this test.
239 config *Config
240 }
241
242 var defaultClientCommand = []string{"openssl", "s_client", "-no_ticket"}
243
244 // connFromCommand starts opens a listening socket and starts the reference
245 // client to connect to it. It returns a recordingConn that wraps the resulting
246 // connection.
247 func (test *serverTest) connFromCommand() (conn *recordingConn, child *exec.Cmd, err error) {
248 l, err := net.ListenTCP("tcp", &net.TCPAddr{
249 IP: net.IPv4(127, 0, 0, 1),
250 Port: 0,
251 })
252 if err != nil {
253 return nil, nil, err
254 }
255 defer l.Close()
256
257 port := l.Addr().(*net.TCPAddr).Port
258
259 var command []string
260 command = append(command, test.command...)
261 if len(command) == 0 {
262 command = defaultClientCommand
263 }
264 command = append(command, "-connect")
265 command = append(command, fmt.Sprintf("127.0.0.1:%d", port))
266 cmd := exec.Command(command[0], command[1:]...)
267 cmd.Stdin = nil
268 var output bytes.Buffer
269 cmd.Stdout = &output
270 cmd.Stderr = &output
271 if err := cmd.Start(); err != nil {
272 return nil, nil, err
273 }
274
275 connChan := make(chan interface{})
276 go func() {
277 tcpConn, err := l.Accept()
278 if err != nil {
279 connChan <- err
280 }
281 connChan <- tcpConn
282 }()
283
284 var tcpConn net.Conn
285 select {
286 case connOrError := <-connChan:
287 if err, ok := connOrError.(error); ok {
288 return nil, nil, err
289 }
290 tcpConn = connOrError.(net.Conn)
291 case <-time.After(2 * time.Second):
292 output.WriteTo(os.Stdout)
293 return nil, nil, errors.New("timed out waiting for connection from child process")
294 }
295
296 record := &recordingConn{
297 Conn: tcpConn,
298 }
299
300 return record, cmd, nil
301 }
302
303 func (test *serverTest) dataPath() string {
304 return filepath.Join("testdata", "Server-"+test.name)
305 }
306
307 func (test *serverTest) loadData() (flows [][]byte, err error) {
308 in, err := os.Open(test.dataPath())
309 if err != nil {
310 return nil, err
311 }
312 defer in.Close()
313 return parseTestData(in)
314 }
315
316 func (test *serverTest) run(t *testing.T, write bool) {
317 var clientConn, serverConn net.Conn
318 var recordingConn *recordingConn
319 var childProcess *exec.Cmd
320
321 if write {
322 var err error
323 recordingConn, childProcess, err = test.connFromCommand()
324 if err != nil {
325 t.Fatalf("Failed to start subcommand: %s", err)
326 }
327 serverConn = recordingConn
328 } else {
329 clientConn, serverConn = net.Pipe()
330 }
331 config := test.config
332 if config == nil {
333 config = testConfig
334 }
335 server := Server(serverConn, config)
336 peerCertsChan := make(chan []*x509.Certificate, 1)
337 go func() {
338 if _, err := server.Write([]byte("hello, world\n")); err != nil {
339 t.Logf("Error from Server.Write: %s", err)
340 }
341 server.Close()
342 serverConn.Close()
343 peerCertsChan <- server.ConnectionState().PeerCertificates
344 }()
345
346 if !write {
347 flows, err := test.loadData()
348 if err != nil {
349 t.Fatalf("%s: failed to load data from %s", test.name, test.dataPath())
350 }
351 for i, b := range flows {
352 if i%2 == 0 {
353 clientConn.Write(b)
354 continue
355 }
356 bb := make([]byte, len(b))
357 n, err := io.ReadFull(clientConn, bb)
358 if err != nil {
359 t.Fatalf("%s #%d: %s\nRead %d, wanted %d, got %x, wanted %x\n", test.name, i+1, err, n, len(bb), bb[:n], b)
360 }
361 if !bytes.Equal(b, bb) {
362 t.Fatalf("%s #%d: mismatch on read: got:%x want:%x", test.name, i+1, bb, b)
363 }
364 }
365 clientConn.Close()
366 }
367
368 peerCerts := <-peerCertsChan
369 if len(peerCerts) == len(test.expectedPeerCerts) {
370 for i, peerCert := range peerCerts {
371 block, _ := pem.Decode([]byte(test.expectedPeerCerts[i]))
372 if !bytes.Equal(block.Bytes, peerCert.Raw) {
373 t.Fatalf("%s: mismatch on peer cert %d", test.name, i+1)
374 }
375 }
376 } else {
377 t.Fatalf("%s: mismatch on peer list length: %d (wanted) != %d (got)", test.name, len(test.expectedPeerCerts), len(peerCerts))
378 }
379
380 if write {
381 path := test.dataPath()
382 out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
383 if err != nil {
384 t.Fatalf("Failed to create output file: %s", err)
385 }
386 defer out.Close()
387 recordingConn.Close()
388 if len(recordingConn.flows) < 3 {
389 childProcess.Stdout.(*bytes.Buffer).WriteTo(os.Stdout)
390 t.Fatalf("Handshake failed")
391 }
392 recordingConn.WriteTo(out)
393 fmt.Printf("Wrote %s\n", path)
394 childProcess.Wait()
395 }
396 }
397
398 func runServerTestForVersion(t *testing.T, template *serverTest, prefix, option string) {
399 test := *template
400 test.name = prefix + test.name
401 if len(test.command) == 0 {
402 test.command = defaultClientCommand
403 }
404 test.command = append([]string(nil), test.command...)
405 test.command = append(test.command, option)
406 test.run(t, *update)
407 }
408
409 func runServerTestSSLv3(t *testing.T, template *serverTest) {
410 runServerTestForVersion(t, template, "SSLv3-", "-ssl3")
411 }
412
413 func runServerTestTLS10(t *testing.T, template *serverTest) {
414 runServerTestForVersion(t, template, "TLSv10-", "-tls1")
415 }
416
417 func runServerTestTLS11(t *testing.T, template *serverTest) {
418 runServerTestForVersion(t, template, "TLSv11-", "-tls1_1")
419 }
420
421 func runServerTestTLS12(t *testing.T, template *serverTest) {
422 runServerTestForVersion(t, template, "TLSv12-", "-tls1_2")
423 }
424
425 func TestHandshakeServerRSARC4(t *testing.T) {
426 test := &serverTest{
427 name: "RSA-RC4",
428 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "RC4-SHA"},
429 }
430 runServerTestSSLv3(t, test)
431 runServerTestTLS10(t, test)
432 runServerTestTLS11(t, test)
433 runServerTestTLS12(t, test)
434 }
435
436 func TestHandshakeServerRSA3DES(t *testing.T) {
437 test := &serverTest{
438 name: "RSA-3DES",
439 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "DES-CBC3-SHA"},
440 }
441 runServerTestSSLv3(t, test)
442 runServerTestTLS10(t, test)
443 runServerTestTLS12(t, test)
444 }
445
446 func TestHandshakeServerRSAAES(t *testing.T) {
447 test := &serverTest{
448 name: "RSA-AES",
449 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA"},
450 }
451 runServerTestSSLv3(t, test)
452 runServerTestTLS10(t, test)
453 runServerTestTLS12(t, test)
454 }
455
456 func TestHandshakeServerAESGCM(t *testing.T) {
457 test := &serverTest{
458 name: "RSA-AES-GCM",
459 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-AES128-GCM-SHA256"},
460 }
461 runServerTestTLS12(t, test)
462 }
463
464 func TestHandshakeServerECDHEECDSAAES(t *testing.T) {
465 config := *testConfig
466 config.Certificates = make([]Certificate, 1)
467 config.Certificates[0].Certificate = [][]byte{testECDSACertificate}
468 config.Certificates[0].PrivateKey = testECDSAPrivateKey
469 config.BuildNameToCertificate()
470
471 test := &serverTest{
472 name: "ECDHE-ECDSA-AES",
473 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-ECDSA-AES256-SHA"},
474 config: &config,
475 }
476 runServerTestTLS10(t, test)
477 runServerTestTLS12(t, test)
478 }
479
480 // TestHandshakeServerSNI involves a client sending an SNI extension of
481 // "snitest.com", which happens to match the CN of testSNICertificate. The test
482 // verifies that the server correctly selects that certificate.
483 func TestHandshakeServerSNI(t *testing.T) {
484 test := &serverTest{
485 name: "SNI",
486 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"},
487 }
488 runServerTestTLS12(t, test)
489 }
490
491 // TestCipherSuiteCertPreferance ensures that we select an RSA ciphersuite with
492 // an RSA certificate and an ECDSA ciphersuite with an ECDSA certificate.
493 func TestCipherSuiteCertPreferance(t *testing.T) {
494 config := *testConfig
495 config.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}
496 config.PreferServerCipherSuites = true
497
498 test := &serverTest{
499 name: "CipherSuiteCertPreferenceRSA",
500 config: &config,
501 }
502 runServerTestTLS12(t, test)
503
504 config = *testConfig
505 config.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA}
506 config.Certificates = []Certificate{
507 Certificate{
508 Certificate: [][]byte{testECDSACertificate},
509 PrivateKey: testECDSAPrivateKey,
510 },
511 }
512 config.BuildNameToCertificate()
513 config.PreferServerCipherSuites = true
514
515 test = &serverTest{
516 name: "CipherSuiteCertPreferenceECDSA",
517 config: &config,
518 }
519 runServerTestTLS12(t, test)
520 }
521
522 func TestResumption(t *testing.T) {
523 sessionFilePath := tempFile("")
524 defer os.Remove(sessionFilePath)
525
526 test := &serverTest{
527 name: "IssueTicket",
528 command: []string{"openssl", "s_client", "-cipher", "RC4-SHA", "-sess_out", sessionFilePath},
529 }
530 runServerTestTLS12(t, test)
531
532 test = &serverTest{
533 name: "Resume",
534 command: []string{"openssl", "s_client", "-cipher", "RC4-SHA", "-sess_in", sessionFilePath},
535 }
536 runServerTestTLS12(t, test)
537 }
538
539 // cert.pem and key.pem were generated with generate_cert.go
540 // Thus, they have no ExtKeyUsage fields and trigger an error
541 // when verification is turned on.
542
543 const clientCertificatePEM = `
544 -----BEGIN CERTIFICATE-----
545 MIIB7TCCAVigAwIBAgIBADALBgkqhkiG9w0BAQUwJjEQMA4GA1UEChMHQWNtZSBD
546 bzESMBAGA1UEAxMJMTI3LjAuMC4xMB4XDTExMTIwODA3NTUxMloXDTEyMTIwNzA4
547 MDAxMlowJjEQMA4GA1UEChMHQWNtZSBDbzESMBAGA1UEAxMJMTI3LjAuMC4xMIGc
548 MAsGCSqGSIb3DQEBAQOBjAAwgYgCgYBO0Hsx44Jk2VnAwoekXh6LczPHY1PfZpIG
549 hPZk1Y/kNqcdK+izIDZFI7Xjla7t4PUgnI2V339aEu+H5Fto5OkOdOwEin/ekyfE
550 ARl6vfLcPRSr0FTKIQzQTW6HLlzF0rtNS0/Otiz3fojsfNcCkXSmHgwa2uNKWi7e
551 E5xMQIhZkwIDAQABozIwMDAOBgNVHQ8BAf8EBAMCAKAwDQYDVR0OBAYEBAECAwQw
552 DwYDVR0jBAgwBoAEAQIDBDALBgkqhkiG9w0BAQUDgYEANh+zegx1yW43RmEr1b3A
553 p0vMRpqBWHyFeSnIyMZn3TJWRSt1tukkqVCavh9a+hoV2cxVlXIWg7nCto/9iIw4
554 hB2rXZIxE0/9gzvGnfERYraL7KtnvshksBFQRlgXa5kc0x38BvEO5ZaoDPl4ILdE
555 GFGNEH5PlGffo05wc46QkYU=
556 -----END CERTIFICATE-----`
557
558 const clientKeyPEM = `
559 -----BEGIN RSA PRIVATE KEY-----
560 MIICWgIBAAKBgE7QezHjgmTZWcDCh6ReHotzM8djU99mkgaE9mTVj+Q2px0r6LMg
561 NkUjteOVru3g9SCcjZXff1oS74fkW2jk6Q507ASKf96TJ8QBGXq98tw9FKvQVMoh
562 DNBNbocuXMXSu01LT862LPd+iOx81wKRdKYeDBra40paLt4TnExAiFmTAgMBAAEC
563 gYBxvXd8yNteFTns8A/2yomEMC4yeosJJSpp1CsN3BJ7g8/qTnrVPxBy+RU+qr63
564 t2WquaOu/cr5P8iEsa6lk20tf8pjKLNXeX0b1RTzK8rJLbS7nGzP3tvOhL096VtQ
565 dAo4ROEaro0TzYpHmpciSvxVIeEIAAdFDObDJPKqcJAxyQJBAJizfYgK8Gzx9fsx
566 hxp+VteCbVPg2euASH5Yv3K5LukRdKoSzHE2grUVQgN/LafC0eZibRanxHegYSr7
567 7qaswKUCQQCEIWor/X4XTMdVj3Oj+vpiw75y/S9gh682+myZL+d/02IEkwnB098P
568 RkKVpenBHyrGg0oeN5La7URILWKj7CPXAkBKo6F+d+phNjwIFoN1Xb/RA32w/D1I
569 saG9sF+UEhRt9AxUfW/U/tIQ9V0ZHHcSg1XaCM5Nvp934brdKdvTOKnJAkBD5h/3
570 Rybatlvg/fzBEaJFyq09zhngkxlZOUtBVTqzl17RVvY2orgH02U4HbCHy4phxOn7
571 qTdQRYlHRftgnWK1AkANibn9PRYJ7mJyJ9Dyj2QeNcSkSTzrt0tPvUMf4+meJymN
572 1Ntu5+S1DLLzfxlaljWG6ylW6DNxujCyuXIV2rvA
573 -----END RSA PRIVATE KEY-----`
574
575 const clientECDSACertificatePEM = `
576 -----BEGIN CERTIFICATE-----
577 MIIB/DCCAV4CCQCaMIRsJjXZFzAJBgcqhkjOPQQBMEUxCzAJBgNVBAYTAkFVMRMw
578 EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0
579 eSBMdGQwHhcNMTIxMTE0MTMyNTUzWhcNMjIxMTEyMTMyNTUzWjBBMQswCQYDVQQG
580 EwJBVTEMMAoGA1UECBMDTlNXMRAwDgYDVQQHEwdQeXJtb250MRIwEAYDVQQDEwlK
581 b2VsIFNpbmcwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABACVjJF1FMBexFe01MNv
582 ja5oHt1vzobhfm6ySD6B5U7ixohLZNz1MLvT/2XMW/TdtWo+PtAd3kfDdq0Z9kUs
583 jLzYHQFMH3CQRnZIi4+DzEpcj0B22uCJ7B0rxE4wdihBsmKo+1vx+U56jb0JuK7q
584 ixgnTy5w/hOWusPTQBbNZU6sER7m8TAJBgcqhkjOPQQBA4GMADCBiAJCAOAUxGBg
585 C3JosDJdYUoCdFzCgbkWqD8pyDbHgf9stlvZcPE4O1BIKJTLCRpS8V3ujfK58PDa
586 2RU6+b0DeoeiIzXsAkIBo9SKeDUcSpoj0gq+KxAxnZxfvuiRs9oa9V2jI/Umi0Vw
587 jWVim34BmT0Y9hCaOGGbLlfk+syxis7iI6CH8OFnUes=
588 -----END CERTIFICATE-----`
589
590 const clientECDSAKeyPEM = `
591 -----BEGIN EC PARAMETERS-----
592 BgUrgQQAIw==
593 -----END EC PARAMETERS-----
594 -----BEGIN EC PRIVATE KEY-----
595 MIHcAgEBBEIBkJN9X4IqZIguiEVKMqeBUP5xtRsEv4HJEtOpOGLELwO53SD78Ew8
596 k+wLWoqizS3NpQyMtrU8JFdWfj+C57UNkOugBwYFK4EEACOhgYkDgYYABACVjJF1
597 FMBexFe01MNvja5oHt1vzobhfm6ySD6B5U7ixohLZNz1MLvT/2XMW/TdtWo+PtAd
598 3kfDdq0Z9kUsjLzYHQFMH3CQRnZIi4+DzEpcj0B22uCJ7B0rxE4wdihBsmKo+1vx
599 +U56jb0JuK7qixgnTy5w/hOWusPTQBbNZU6sER7m8Q==
600 -----END EC PRIVATE KEY-----`
601
602 func TestClientAuth(t *testing.T) {
603 var certPath, keyPath, ecdsaCertPath, ecdsaKeyPath string
604
605 if *update {
606 certPath = tempFile(clientCertificatePEM)
607 defer os.Remove(certPath)
608 keyPath = tempFile(clientKeyPEM)
609 defer os.Remove(keyPath)
610 ecdsaCertPath = tempFile(clientECDSACertificatePEM)
611 defer os.Remove(ecdsaCertPath)
612 ecdsaKeyPath = tempFile(clientECDSAKeyPEM)
613 defer os.Remove(ecdsaKeyPath)
614 }
615
616 config := *testConfig
617 config.ClientAuth = RequestClientCert
618
619 test := &serverTest{
620 name: "ClientAuthRequestedNotGiven",
621 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "RC4-SHA"},
622 config: &config,
623 }
624 runServerTestTLS12(t, test)
625
626 test = &serverTest{
627 name: "ClientAuthRequestedAndGiven",
628 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "RC4-SHA", "-cert", certPath, "-key", keyPath},
629 config: &config,
630 expectedPeerCerts: []string{clientCertificatePEM},
631 }
632 runServerTestTLS12(t, test)
633
634 test = &serverTest{
635 name: "ClientAuthRequestedAndECDSAGiven",
636 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "RC4-SHA", "-cert", ecdsaCertPath, "-key", ecdsaKeyPath},
637 config: &config,
638 expectedPeerCerts: []string{clientECDSACertificatePEM},
639 }
640 runServerTestTLS12(t, test)
641 }
642
643 func bigFromString(s string) *big.Int {
644 ret := new(big.Int)
645 ret.SetString(s, 10)
646 return ret
647 }
648
649 func fromHex(s string) []byte {
650 b, _ := hex.DecodeString(s)
651 return b
652 }
653
654 var testRSACertificate = fromHex("308202b030820219a00302010202090085b0bba48a7fb8ca300d06092a864886f70d01010505003045310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c7464301e170d3130303432343039303933385a170d3131303432343039303933385a3045310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c746430819f300d06092a864886f70d010101050003818d0030818902818100bb79d6f517b5e5bf4610d0dc69bee62b07435ad0032d8a7a4385b71452e7a5654c2c78b8238cb5b482e5de1f953b7e62a52ca533d6fe125c7a56fcf506bffa587b263fb5cd04d3d0c921964ac7f4549f5abfef427100fe1899077f7e887d7df10439c4a22edb51c97ce3c04c3b326601cfafb11db8719a1ddbdb896baeda2d790203010001a381a73081a4301d0603551d0e04160414b1ade2855acfcb28db69ce2369ded3268e18883930750603551d23046e306c8014b1ade2855acfcb28db69ce2369ded3268e188839a149a4473045310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c746482090085b0bba48a7fb8ca300c0603551d13040530030101ff300d06092a864886f70d010105050003818100086c4524c76bb159ab0c52ccf2b014d7879d7a6475b55a9566e4c52b8eae12661feb4f38b36e60d392fdf74108b52513b1187a24fb301dbaed98b917ece7d73159db95d31d78ea50565cd5825a2d5a5f33c4b6d8c97590968c0f5298b5cd981f89205ff2a01ca31b9694dda9fd57e970e8266d71999b266e3850296c90a7bdd9")
655
656 var testECDSACertificate = fromHex("3082020030820162020900b8bf2d47a0d2ebf4300906072a8648ce3d04013045310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c7464301e170d3132313132323135303633325a170d3232313132303135303633325a3045310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c746430819b301006072a8648ce3d020106052b81040023038186000400c4a1edbe98f90b4873367ec316561122f23d53c33b4d213dcd6b75e6f6b0dc9adf26c1bcb287f072327cb3642f1c90bcea6823107efee325c0483a69e0286dd33700ef0462dd0da09c706283d881d36431aa9e9731bd96b068c09b23de76643f1a5c7fe9120e5858b65f70dd9bd8ead5d7f5d5ccb9b69f30665b669a20e227e5bffe3b300906072a8648ce3d040103818c0030818802420188a24febe245c5487d1bacf5ed989dae4770c05e1bb62fbdf1b64db76140d311a2ceee0b7e927eff769dc33b7ea53fcefa10e259ec472d7cacda4e970e15a06fd00242014dfcbe67139c2d050ebd3fa38c25c13313830d9406bbd4377af6ec7ac9862eddd711697f857c56defb31782be4c7780daecbbe9e4e3624317b6a0f399512078f2a")
657
658 var testSNICertificate = fromHex("308201f23082015da003020102020100300b06092a864886f70d01010530283110300e060355040a130741636d6520436f311430120603550403130b736e69746573742e636f6d301e170d3132303431313137343033355a170d3133303431313137343533355a30283110300e060355040a130741636d6520436f311430120603550403130b736e69746573742e636f6d30819d300b06092a864886f70d01010103818d0030818902818100bb79d6f517b5e5bf4610d0dc69bee62b07435ad0032d8a7a4385b71452e7a5654c2c78b8238cb5b482e5de1f953b7e62a52ca533d6fe125c7a56fcf506bffa587b263fb5cd04d3d0c921964ac7f4549f5abfef427100fe1899077f7e887d7df10439c4a22edb51c97ce3c04c3b326601cfafb11db8719a1ddbdb896baeda2d790203010001a3323030300e0603551d0f0101ff0404030200a0300d0603551d0e0406040401020304300f0603551d2304083006800401020304300b06092a864886f70d0101050381810089c6455f1c1f5ef8eb1ab174ee2439059f5c4259bb1a8d86cdb1d056f56a717da40e95ab90f59e8deaf627c157995094db0802266eb34fc6842dea8a4b68d9c1389103ab84fb9e1f85d9b5d23ff2312c8670fbb540148245a4ebafe264d90c8a4cf4f85b0fac12ac2fc4a3154bad52462868af96c62c6525d652b6e31845bdcc")
659
660 var testRSAPrivateKey = &rsa.PrivateKey{
661 PublicKey: rsa.PublicKey{
662 N: bigFromString("131650079503776001033793877885499001334664249354723305978524647182322416328664556247316495448366990052837680518067798333412266673813370895702118944398081598789828837447552603077848001020611640547221687072142537202428102790818451901395596882588063427854225330436740647715202971973145151161964464812406232198521"),
663 E: 65537,
664 },
665 D: bigFromString("29354450337804273969007277378287027274721892607543397931919078829901848876371746653677097639302788129485893852488285045793268732234230875671682624082413996177431586734171663258657462237320300610850244186316880055243099640544518318093544057213190320837094958164973959123058337475052510833916491060913053867729"),
666 Primes: []*big.Int{
667 bigFromString("11969277782311800166562047708379380720136961987713178380670422671426759650127150688426177829077494755200794297055316163155755835813760102405344560929062149"),
668 bigFromString("10998999429884441391899182616418192492905073053684657075974935218461686523870125521822756579792315215543092255516093840728890783887287417039645833477273829"),
669 },
670 }
671
672 var testECDSAPrivateKey = &ecdsa.PrivateKey{
673 PublicKey: ecdsa.PublicKey{
674 Curve: elliptic.P521(),
675 X: bigFromString("2636411247892461147287360222306590634450676461695221912739908880441342231985950069527906976759812296359387337367668045707086543273113073382714101597903639351"),
676 Y: bigFromString("3204695818431246682253994090650952614555094516658732116404513121125038617915183037601737180082382202488628239201196033284060130040574800684774115478859677243"),
677 },
678 D: bigFromString("5477294338614160138026852784385529180817726002953041720191098180813046231640184669647735805135001309477695746518160084669446643325196003346204701381388769751"),
679 }
Mirror of the offical gcc git repository hosted at gcc.gnu.org