diff --git a/rustls-libssl/src/evp_pkey.rs b/rustls-libssl/src/evp_pkey.rs
index c32e45c..1e5d417 100644
--- a/rustls-libssl/src/evp_pkey.rs
+++ b/rustls-libssl/src/evp_pkey.rs
@@ -170,6 +170,55 @@ impl EvpScheme for RsaPss {
 unsafe impl Sync for RsaPss {}
 unsafe impl Send for RsaPss {}
+pub fn ed25519() -> Box {
+ Box::new(Ed25519)
+}
+
+#[derive(Debug)]
+struct Ed25519;
+
+impl EvpScheme for Ed25519 {
+ fn digest(&self) -> *mut EVP_MD {
+ // "When calling EVP_DigestSignInit() or EVP_DigestVerifyInit(), the
+ // digest type parameter MUST be set to NULL."
+ //
+ ptr::null_mut()
+ }
+
+ fn configure_ctx(&self, _: &mut SignCtx) -> Option<()> {
+ // "No additional parameters can be set during one-shot signing or verification."
+ Some(())
+ }
+}
+
+pub fn ecdsa_sha256() -> Box {
+ Box::new(Ecdsa(unsafe { EVP_sha256() }))
+}
+
+pub fn ecdsa_sha384() -> Box {
+ Box::new(Ecdsa(unsafe { EVP_sha384() }))
+}
+
+pub fn ecdsa_sha512() -> Box {
+ Box::new(Ecdsa(unsafe { EVP_sha512() }))
+}
+
+#[derive(Debug)]
+struct Ecdsa(*const EVP_MD);
+
+impl EvpScheme for Ecdsa {
+ fn digest(&self) -> *mut EVP_MD {
+ self.0 as *mut EVP_MD
+ }
+
+ fn configure_ctx(&self, _: &mut SignCtx) -> Option<()> {
+ Some(())
+ }
+}
+
+unsafe impl Sync for Ecdsa {}
+unsafe impl Send for Ecdsa {}
+
 /// Owning wrapper for a signing `EVP_MD_CTX`
 pub(crate) struct SignCtx {
 md_ctx: *mut EVP_MD_CTX,
diff --git a/rustls-libssl/src/sign.rs b/rustls-libssl/src/sign.rs
index c852587..89f6414 100644
--- a/rustls-libssl/src/sign.rs
+++ b/rustls-libssl/src/sign.rs
@@ -10,8 +10,8 @@ use rustls::{SignatureAlgorithm, SignatureScheme};
 use crate::error;
 use crate::evp_pkey::{
- rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, rsa_pss_sha256, rsa_pss_sha384,
- rsa_pss_sha512, EvpPkey, EvpScheme,
+ ecdsa_sha256, ecdsa_sha384, ecdsa_sha512, ed25519, rsa_pkcs1_sha256, rsa_pkcs1_sha384,
+ rsa_pkcs1_sha512, rsa_pss_sha256, rsa_pss_sha384, rsa_pss_sha512, EvpPkey, EvpScheme,
 };
 use crate::x509::OwnedX509Stack;
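Review bot: `unsafe impl Sync for Ecdsa {}` and `unsafe impl Send for Ecdsa {}` carry no SAFETY comment, yet the struct wraps a raw `*const EVP_MD` taken from `EVP_sha256()`/`EVP_sha384()`/`EVP_sha512()`. The justification is presumably that those functions hand back pointers to immutable, process-lifetime digest objects, and that is worth writing down: `// SAFETY: the EVP_MD comes from EVP_sha*(), which return pointers to static, immutable OpenSSL objects that are never freed.` `Ecdsa::digest` also casts that `*const` to `*mut` to satisfy the trait's return type; a one-line comment stating that the callee only reads through it would stop a reader from assuming the digest is mutated. The new `pub fn ed25519()` and `ecdsa_sha*()` constructors have no `///` doc line saying which TLS signature schemes they implement; the RSA constructors above this hunk may set the precedent, but they are not visible here.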
@@ -205,6 +205,42 @@ impl sign::SigningKey for OpenSslKey {
 None
 }
+ SignatureAlgorithm::ED25519 => {
+ if offered.contains(&SignatureScheme::ED25519) {
+ return Some(Box::new(OpenSslSigner {
+ pkey: self.0.clone(),
+ pscheme: ed25519(),
+ scheme: SignatureScheme::ED25519,
+ }));
+ }
+
+ None
+ }
+ SignatureAlgorithm::ECDSA => {
+ if offered.contains(&SignatureScheme::ECDSA_NISTP256_SHA256) {
+ return Some(Box::new(OpenSslSigner {
+ pkey: self.0.clone(),
+ pscheme: ecdsa_sha256(),
+ scheme: SignatureScheme::ECDSA_NISTP256_SHA256,
+ }));
+ }
+ if offered.contains(&SignatureScheme::ECDSA_NISTP384_SHA384) {
+ return Some(Box::new(OpenSslSigner {
+ pkey: self.0.clone(),
+ pscheme: ecdsa_sha384(),
+ scheme: SignatureScheme::ECDSA_NISTP384_SHA384,
+ }));
+ }
+ if offered.contains(&SignatureScheme::ECDSA_NISTP521_SHA512) {
+ return Some(Box::new(OpenSslSigner {
+ pkey: self.0.clone(),
+ pscheme: ecdsa_sha512(),
+ scheme: SignatureScheme::ECDSA_NISTP521_SHA512,
+ }));
+ }
+
+ None
+ }
 _ => None,
 }
 }
diff --git a/rustls-libssl/test-ca/ecdsa-p256/ca.cert b/rustls-libssl/test-ca/ecdsa-p256/ca.cert
new file mode 100644
index 0000000..0666d8f
--- /dev/null
+++ b/rustls-libssl/test-ca/ecdsa-p256/ca.cert
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBtzCCAV2gAwIBAgIBBDAKBggqhkjOPQQDAjAhMR8wHQYDVQQDDBZwb255dG93
+biBFQ0RTQSBwMjU2IENBMCAXDTc1MDEwMTAwMDAwMFoYDzQwOTYwMTAxMDAwMDAw
+WjAhMR8wHQYDVQQDDBZwb255dG93biBFQ0RTQSBwMjU2IENBMFkwEwYHKoZIzj0C
+AQYIKoZIzj0DAQcDQgAEt7wL3biRoR6fSefjp0t08cudi2zQUounGCxjHQY1brlh
+IVUp2VfP/FhPKBX7VgHRHTJoukAAtg12Aks7cqalEKOBgzCBgDAfBgNVHSMEGDAW
+gBRfW6pxJGPHn4+tADqUNDV6Uo8xyDAOBgNVHQ8BAf8EBAMCAf4wHQYDVR0lBBYw
+FAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRfW6pxJGPHn4+tADqUNDV6
+Uo8xyDAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIFZel8Z3muq9
+cA5ZQfnoPyXbPv5yf0aT+VsXDk0mirdoAiEAjzViKYx3OOYAnlRSvlDabDbqXy2f
+Vezw14zRbrDN9D4=
+-----END CERTIFICATE-----
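Review bot: The `SignatureAlgorithm::ECDSA` arm picks a scheme from `offered` alone and never checks which curve `self.0` actually holds, so a P-384 or P-521 key is handed out as soon as a client lists `ECDSA_NISTP256_SHA256`, and the signer will then emit a signature on the wrong curve under the `ecdsa_secp256r1_sha256` label, which a TLS 1.3 peer must reject (TLS 1.2 treats the code point as curve-agnostic, so the problem would only surface with 1.3 clients). Each scheme should be returned only when the key's curve matches it, e.g. by mapping the wrapped key's size (`EVP_PKEY_get_bits()` → 256/384/521) to the single scheme that key can satisfy and returning `None` for anything else; the `ED25519` arm is fine because that algorithm has exactly one scheme. The enclosing `choose_scheme` begins before this hunk, so whether `OpenSslKey` already restricts by curve elsewhere is not visible here. The new `server_key_algorithms` test pairs each key only with its own scheme and would not catch this.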
diff --git a/rustls-libssl/test-ca/ecdsa-p256/server.cert b/rustls-libssl/test-ca/ecdsa-p256/server.cert new file mode 100644 index 0000000..953f3c9 --- /dev/null +++ b/rustls-libssl/test-ca/ecdsa-p256/server.cert 
@@ -0,0 +1,36 @@ +-----BEGIN CERTIFICATE----- +MIIBxjCCAW2gAwIBAgIBEjAKBggqhkjOPQQDAjAzMTEwLwYDVQQDDChwb255dG93 +biBFQ0RTQSBwMjU2IGxldmVsIDIgaW50ZXJtZWRpYXRlMCAXDTc1MDEwMTAwMDAw +MFoYDzQwOTYwMTAxMDAwMDAwWjAZMRcwFQYDVQQDDA50ZXN0c2VydmVyLmNvbTBZ +MBMGByqGSM49AgEGCCqGSM49AwEHA0IABNjZ6JNt+53aq8bcp33lKeJGPSZZRzHg +fuFuCBQyC1Yx0s8ff4MUQcnzrwqde++6eKiQkwy8oC4v60tsICflmY+jgYkwgYYw +HwYDVR0jBBgwFoAU0jOcpG97skCpDmP1BEpFfjcVnHIwUwYDVR0RBEwwSoIOdGVz +dHNlcnZlci5jb22CFXNlY29uZC50ZXN0c2VydmVyLmNvbYIJbG9jYWxob3N0hwTG +M2QBhxAgAQ24AAAAAAAAAAAAAAABMA4GA1UdDwEB/wQEAwIGwDAKBggqhkjOPQQD +AgNHADBEAiAoZIrzdGAMX4UJ6Nq9pfKk8s95OmY6sPv2cMQX68JmRQIgCkMJNt5R +4tHOCXLj/2duxXss95/Q+r3sXrOJDn/96dk= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIByDCCAW+gAwIBAgIBCzAKBggqhkjOPQQDAjAhMR8wHQYDVQQDDBZwb255dG93 +biBFQ0RTQSBwMjU2IENBMCAXDTc1MDEwMTAwMDAwMFoYDzQwOTYwMTAxMDAwMDAw +WjAzMTEwLwYDVQQDDChwb255dG93biBFQ0RTQSBwMjU2IGxldmVsIDIgaW50ZXJt +ZWRpYXRlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtj1/NrV2DF8pdu0nbz8e +GWJC9loBDlmVy0SCKcBezKOErTzNV6PvE3qPy2vNJgzkEKZYpgjEMYKvDImZlOE2 +OqOBgzCBgDAfBgNVHSMEGDAWgBRfW6pxJGPHn4+tADqUNDV6Uo8xyDAOBgNVHQ8B +Af8EBAMCAf4wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQW +BBTSM5ykb3uyQKkOY/UESkV+NxWccjAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49 +BAMCA0cAMEQCIBKOv7CRDiJ/zXyxL6hJwlxrBSoSSrZBeTyVND5jqAvSAiBu3OSo +KaMUQcDSi8/dXkxIC/Wpp8D0IUV2AyEC+7kBZA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBtzCCAV2gAwIBAgIBBDAKBggqhkjOPQQDAjAhMR8wHQYDVQQDDBZwb255dG93 +biBFQ0RTQSBwMjU2IENBMCAXDTc1MDEwMTAwMDAwMFoYDzQwOTYwMTAxMDAwMDAw +WjAhMR8wHQYDVQQDDBZwb255dG93biBFQ0RTQSBwMjU2IENBMFkwEwYHKoZIzj0C +AQYIKoZIzj0DAQcDQgAEt7wL3biRoR6fSefjp0t08cudi2zQUounGCxjHQY1brlh +IVUp2VfP/FhPKBX7VgHRHTJoukAAtg12Aks7cqalEKOBgzCBgDAfBgNVHSMEGDAW +gBRfW6pxJGPHn4+tADqUNDV6Uo8xyDAOBgNVHQ8BAf8EBAMCAf4wHQYDVR0lBBYw +FAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRfW6pxJGPHn4+tADqUNDV6 +Uo8xyDAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIFZel8Z3muq9 
+cA5ZQfnoPyXbPv5yf0aT+VsXDk0mirdoAiEAjzViKYx3OOYAnlRSvlDabDbqXy2f +Vezw14zRbrDN9D4= +-----END CERTIFICATE----- diff --git a/rustls-libssl/test-ca/ecdsa-p256/server.key b/rustls-libssl/test-ca/ecdsa-p256/server.key new file mode 100644 index 0000000..af85610 --- /dev/null +++ b/rustls-libssl/test-ca/ecdsa-p256/server.key @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgMyvFQ1aDiQcxbZAT +EtOOXL91NxQ9mwzZojvaJF276kihRANCAATY2eiTbfud2qvG3Kd95SniRj0mWUcx +4H7hbggUMgtWMdLPH3+DFEHJ868KnXvvuniokJMMvKAuL+tLbCAn5ZmP +-----END PRIVATE KEY----- diff --git a/rustls-libssl/test-ca/ecdsa-p384/ca.cert b/rustls-libssl/test-ca/ecdsa-p384/ca.cert new file mode 100644 index 0000000..87c137d --- /dev/null +++ b/rustls-libssl/test-ca/ecdsa-p384/ca.cert @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB9DCCAXqgAwIBAgIBBTAKBggqhkjOPQQDAzAhMR8wHQYDVQQDDBZwb255dG93 +biBFQ0RTQSBwMzg0IENBMCAXDTc1MDEwMTAwMDAwMFoYDzQwOTYwMTAxMDAwMDAw +WjAhMR8wHQYDVQQDDBZwb255dG93biBFQ0RTQSBwMzg0IENBMHYwEAYHKoZIzj0C +AQYFK4EEACIDYgAEDEC6KiN/ndgCEKUK+opKyRctlbb6R62CMqPF2y/oGfZlIqNT +yfmY6tQ0eqR6fo0KAxinwU6mbfydyu0+pIGW0lqf3NhQENMErSRrdCUDNxh47Xef +StgVMDD+dMI1PwFjo4GDMIGAMB8GA1UdIwQYMBaAFEwlemtPJLok55o6Szy1gNQz +72dpMA4GA1UdDwEB/wQEAwIB/jAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH +AwIwHQYDVR0OBBYEFEwlemtPJLok55o6Szy1gNQz72dpMA8GA1UdEwEB/wQFMAMB +Af8wCgYIKoZIzj0EAwMDaAAwZQIxALb7BmuYs0vF5QUupqaNhTIUgxNNa39N+1GR +E1QCnUUd6tXj/UawVBBrei3CbUxC2wIwRW5RrYosKIIZtnxkQsPrapY3mxIitRqC +lpd7Vf2wBvi1Kf3LtWLSG6NMIB8TO7Rs +-----END CERTIFICATE----- diff --git a/rustls-libssl/test-ca/ecdsa-p384/server.cert b/rustls-libssl/test-ca/ecdsa-p384/server.cert new file mode 100644 index 0000000..da3c589 --- /dev/null +++ b/rustls-libssl/test-ca/ecdsa-p384/server.cert 
@@ -0,0 +1,39 @@ +-----BEGIN CERTIFICATE----- +MIICBTCCAYqgAwIBAgIBEzAKBggqhkjOPQQDAzAzMTEwLwYDVQQDDChwb255dG93 +biBFQ0RTQSBwMzg0IGxldmVsIDIgaW50ZXJtZWRpYXRlMCAXDTc1MDEwMTAwMDAw +MFoYDzQwOTYwMTAxMDAwMDAwWjAZMRcwFQYDVQQDDA50ZXN0c2VydmVyLmNvbTB2 +MBAGByqGSM49AgEGBSuBBAAiA2IABO+9bzwsp+UMJE9q1hZHotYJ6HYIT0wz3nML +54iNzsZlA9f1yIqf2aL+BMfSD2pCHfVgWTEZFp7WEvIhrDu+WcUXHoRQ31p9lw6X +MzJWXihbN0OU5nBOPPcyImL5TIhIWKOBiTCBhjAfBgNVHSMEGDAWgBR7EQhJDBu8 ++OtZdw2OB7lPdAz7NDBTBgNVHREETDBKgg50ZXN0c2VydmVyLmNvbYIVc2Vjb25k +LnRlc3RzZXJ2ZXIuY29tgglsb2NhbGhvc3SHBMYzZAGHECABDbgAAAAAAAAAAAAA +AAEwDgYDVR0PAQH/BAQDAgbAMAoGCCqGSM49BAMDA2kAMGYCMQDkM+CEeHnsf4Ww +YNDUjNlodcpJDxEk4PTsIECvu2EdQjLXHt0vrogZeAVvHhUMixcCMQDB/pZCcjsW +ly7qVSS2f9PJE/LY7dLv9Gg2gLQyhAj3hG1zVC8psFK/KRKME6ypVZ0= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICBjCCAYygAwIBAgIBDDAKBggqhkjOPQQDAzAhMR8wHQYDVQQDDBZwb255dG93 +biBFQ0RTQSBwMzg0IENBMCAXDTc1MDEwMTAwMDAwMFoYDzQwOTYwMTAxMDAwMDAw +WjAzMTEwLwYDVQQDDChwb255dG93biBFQ0RTQSBwMzg0IGxldmVsIDIgaW50ZXJt +ZWRpYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEkFxZ96EGr/pFtojEWPXSTqfE +tD4VAwDKrmvL2H9zLt5ze2E0fohwpJWQ29EtgFbKwndwIHXh6Rh9H5yhKGTfgEQp +p6wlVb7BNaE7C1mCNwlY2Qbolmvz3AF8U2mVokuEo4GDMIGAMB8GA1UdIwQYMBaA +FEwlemtPJLok55o6Szy1gNQz72dpMA4GA1UdDwEB/wQEAwIB/jAdBgNVHSUEFjAU +BggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFHsRCEkMG7z461l3DY4HuU90 +DPs0MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwMDaAAwZQIxAJX7SRwwOwlD +yQdga5IK5GbPuQQLAeQiWuQROtjikqpDfrsqbO8+cMCYXSUYRPmYjQIwIqzzADyz ++51kgssYK3Sq1hJ4glZ3vTjyxv1ihafzMCkgjmSqxAwnlfQolPRKVdHl +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIB9DCCAXqgAwIBAgIBBTAKBggqhkjOPQQDAzAhMR8wHQYDVQQDDBZwb255dG93 +biBFQ0RTQSBwMzg0IENBMCAXDTc1MDEwMTAwMDAwMFoYDzQwOTYwMTAxMDAwMDAw +WjAhMR8wHQYDVQQDDBZwb255dG93biBFQ0RTQSBwMzg0IENBMHYwEAYHKoZIzj0C +AQYFK4EEACIDYgAEDEC6KiN/ndgCEKUK+opKyRctlbb6R62CMqPF2y/oGfZlIqNT +yfmY6tQ0eqR6fo0KAxinwU6mbfydyu0+pIGW0lqf3NhQENMErSRrdCUDNxh47Xef +StgVMDD+dMI1PwFjo4GDMIGAMB8GA1UdIwQYMBaAFEwlemtPJLok55o6Szy1gNQz 
+72dpMA4GA1UdDwEB/wQEAwIB/jAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH +AwIwHQYDVR0OBBYEFEwlemtPJLok55o6Szy1gNQz72dpMA8GA1UdEwEB/wQFMAMB +Af8wCgYIKoZIzj0EAwMDaAAwZQIxALb7BmuYs0vF5QUupqaNhTIUgxNNa39N+1GR +E1QCnUUd6tXj/UawVBBrei3CbUxC2wIwRW5RrYosKIIZtnxkQsPrapY3mxIitRqC +lpd7Vf2wBvi1Kf3LtWLSG6NMIB8TO7Rs +-----END CERTIFICATE----- diff --git a/rustls-libssl/test-ca/ecdsa-p384/server.key b/rustls-libssl/test-ca/ecdsa-p384/server.key new file mode 100644 index 0000000..7c183fa --- /dev/null +++ b/rustls-libssl/test-ca/ecdsa-p384/server.key @@ -0,0 +1,6 @@ +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDA9ijAQuSTgVl10LcJO +f9UA7L8jb9N0bxvCjAvGWzzojcYD6sWFkq9Fyc7YNa0K9YihZANiAATvvW88LKfl +DCRPatYWR6LWCeh2CE9MM95zC+eIjc7GZQPX9ciKn9mi/gTH0g9qQh31YFkxGRae +1hLyIaw7vlnFFx6EUN9afZcOlzMyVl4oWzdDlOZwTjz3MiJi+UyISFg= +-----END PRIVATE KEY----- diff --git a/rustls-libssl/test-ca/ecdsa-p521/ca.cert b/rustls-libssl/test-ca/ecdsa-p521/ca.cert new file mode 100644 index 0000000..3082bfe --- /dev/null +++ b/rustls-libssl/test-ca/ecdsa-p521/ca.cert @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICPjCCAaCgAwIBAgIBBjAKBggqhkjOPQQDBDAhMR8wHQYDVQQDDBZwb255dG93 +biBFQ0RTQSBwNTIxIENBMCAXDTc1MDEwMTAwMDAwMFoYDzQwOTYwMTAxMDAwMDAw +WjAhMR8wHQYDVQQDDBZwb255dG93biBFQ0RTQSBwNTIxIENBMIGbMBAGByqGSM49 +AgEGBSuBBAAjA4GGAAQBNE6id6TKt03nKiz09bDEM1h1f2JJ0QjWgiCovHNbjEWw +FI5PQ0MqAMjhbeoRBvvOXEQLd41J0XcbCXg0GwZqmdgArcmTlO8IAdoVQCg3jp3w +3s9SHxk/ebZqyd6iNsyYGCwIVr7FtBGUm39ONNS8nxrcIUpP00hpUF9jdhaSbssF +K82jgYMwgYAwHwYDVR0jBBgwFoAUOjnapNNhlEVqJx92t5jbBm9XsMwwDgYDVR0P +AQH/BAQDAgH+MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4E +FgQUOjnapNNhlEVqJx92t5jbBm9XsMwwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjO +PQQDBAOBiwAwgYcCQRlgAuUKnW527uUTyEjsaZcsssAu37olCWXuduP9tNyhLYPr +lYlu+ltLmR250DdikBXAl3unkpYEAdQam9lc1nMxAkIBVBah69psNw9vjrR9jNtp +Ql22JD6hpeJsWFe0gdDhNZjIS+sKPXrDj3YfmRHLm9JsgVKinMaVMfI8DstuIaET +IzE= +-----END CERTIFICATE----- 
diff --git a/rustls-libssl/test-ca/ecdsa-p521/server.cert b/rustls-libssl/test-ca/ecdsa-p521/server.cert new file mode 100644 index 0000000..ea8d7b0 --- /dev/null +++ b/rustls-libssl/test-ca/ecdsa-p521/server.cert 
@@ -0,0 +1,45 @@ +-----BEGIN CERTIFICATE----- +MIICTzCCAbCgAwIBAgIBFDAKBggqhkjOPQQDBDAzMTEwLwYDVQQDDChwb255dG93 +biBFQ0RTQSBwNTIxIGxldmVsIDIgaW50ZXJtZWRpYXRlMCAXDTc1MDEwMTAwMDAw +MFoYDzQwOTYwMTAxMDAwMDAwWjAZMRcwFQYDVQQDDA50ZXN0c2VydmVyLmNvbTCB +mzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAIeQ9nmRpEKiaPHndWHt+MHk0HhYKJ68 +mRNXyqIV2h2PdBRnX2LOMFUG6soS0C+DwY6PJnxggheUAUFfPuj7FO5eABouUuKS +wO7BsOQgWk0tJBPMWpE1M+nqab3Sq79B2bdtZaoMciP1fMO7Y92RMWJHTEWuo+cV +V2TOPN6QsMPA17sno4GJMIGGMB8GA1UdIwQYMBaAFKzEA+eqUyatDn0QF2/CitNP +hRQ0MFMGA1UdEQRMMEqCDnRlc3RzZXJ2ZXIuY29tghVzZWNvbmQudGVzdHNlcnZl +ci5jb22CCWxvY2FsaG9zdIcExjNkAYcQIAENuAAAAAAAAAAAAAAAATAOBgNVHQ8B +Af8EBAMCBsAwCgYIKoZIzj0EAwQDgYwAMIGIAkIAyxKBhR9HWpLZ5WFPB72MZB2s +pBWkSl60DkryT+YkB26LjJdEYHFifDjqc0f0Aq4hDvHGtcACGSMh3cbm7PsxUqUC +QgHEGiQxY/i1EYYGCLDI44Ov67Cx7wH0Hg3XN8N2szuNdzfyIIM6m0rD63MBFXEM +kTsk0uE5jRRt2e+0yE3X0em3YA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICUDCCAbKgAwIBAgIBDTAKBggqhkjOPQQDBDAhMR8wHQYDVQQDDBZwb255dG93 +biBFQ0RTQSBwNTIxIENBMCAXDTc1MDEwMTAwMDAwMFoYDzQwOTYwMTAxMDAwMDAw +WjAzMTEwLwYDVQQDDChwb255dG93biBFQ0RTQSBwNTIxIGxldmVsIDIgaW50ZXJt +ZWRpYXRlMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBecdhU3/ueIjmAf2NPGZH +dT44+uxq+rc7aZXy+6ucFRRHq5OdFSh3Z/qSFlk9n682wLQJRG+8hi230pnPwM7E +j5ABAAcyK6nDHPKBZK4+YXuiUYsKBbD82Gn4zXff2dyahjlKtuBjjqlLaMCwgADO +QdGfF5/peH4i46dN7xm6HHWULVujgYMwgYAwHwYDVR0jBBgwFoAUOjnapNNhlEVq +Jx92t5jbBm9XsMwwDgYDVR0PAQH/BAQDAgH+MB0GA1UdJQQWMBQGCCsGAQUFBwMB +BggrBgEFBQcDAjAdBgNVHQ4EFgQUrMQD56pTJq0OfRAXb8KK00+FFDQwDwYDVR0T +AQH/BAUwAwEB/zAKBggqhkjOPQQDBAOBiwAwgYcCQXhkIhVuUfxQqafd3jG75ugN +vg4nZdHZx715Du1cKErBfN5x1Ib1fQMKe+Y4qZ8R1S3uLfoHlOzirLwCzeRaExne +AkIBVkovuBx1n/y5HK+uRIQTpGRjH4srgvW4Q2PxsXjVEe2jP1R2smUwz8+VamPo +j1CGz5rAaj99YdMqNKXG8/avL9Q= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICPjCCAaCgAwIBAgIBBjAKBggqhkjOPQQDBDAhMR8wHQYDVQQDDBZwb255dG93 +biBFQ0RTQSBwNTIxIENBMCAXDTc1MDEwMTAwMDAwMFoYDzQwOTYwMTAxMDAwMDAw +WjAhMR8wHQYDVQQDDBZwb255dG93biBFQ0RTQSBwNTIxIENBMIGbMBAGByqGSM49 
+AgEGBSuBBAAjA4GGAAQBNE6id6TKt03nKiz09bDEM1h1f2JJ0QjWgiCovHNbjEWw +FI5PQ0MqAMjhbeoRBvvOXEQLd41J0XcbCXg0GwZqmdgArcmTlO8IAdoVQCg3jp3w +3s9SHxk/ebZqyd6iNsyYGCwIVr7FtBGUm39ONNS8nxrcIUpP00hpUF9jdhaSbssF +K82jgYMwgYAwHwYDVR0jBBgwFoAUOjnapNNhlEVqJx92t5jbBm9XsMwwDgYDVR0P +AQH/BAQDAgH+MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4E +FgQUOjnapNNhlEVqJx92t5jbBm9XsMwwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjO +PQQDBAOBiwAwgYcCQRlgAuUKnW527uUTyEjsaZcsssAu37olCWXuduP9tNyhLYPr +lYlu+ltLmR250DdikBXAl3unkpYEAdQam9lc1nMxAkIBVBah69psNw9vjrR9jNtp +Ql22JD6hpeJsWFe0gdDhNZjIS+sKPXrDj3YfmRHLm9JsgVKinMaVMfI8DstuIaET +IzE= +-----END CERTIFICATE----- diff --git a/rustls-libssl/test-ca/ecdsa-p521/server.key b/rustls-libssl/test-ca/ecdsa-p521/server.key new file mode 100644 index 0000000..e907642 --- /dev/null +++ b/rustls-libssl/test-ca/ecdsa-p521/server.key @@ -0,0 +1,8 @@ +-----BEGIN PRIVATE KEY----- +MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIA2udCT3jmo9pjJThF +nw5rUTOWEUsJqvOSGi9huhY6K4q3vMk7oOdRke3UiR6CebOdv0drE8aYVEJM6+yD +eu8752ihgYkDgYYABACHkPZ5kaRComjx53Vh7fjB5NB4WCievJkTV8qiFdodj3QU +Z19izjBVBurKEtAvg8GOjyZ8YIIXlAFBXz7o+xTuXgAaLlLiksDuwbDkIFpNLSQT +zFqRNTPp6mm90qu/Qdm3bWWqDHIj9XzDu2PdkTFiR0xFrqPnFVdkzjzekLDDwNe7 +Jw== +-----END PRIVATE KEY----- diff --git a/rustls-libssl/test-ca/ed25519/ca.cert b/rustls-libssl/test-ca/ed25519/ca.cert new file mode 100644 index 0000000..c8a6223 --- /dev/null +++ b/rustls-libssl/test-ca/ed25519/ca.cert @@ -0,0 +1,9 @@ +-----BEGIN CERTIFICATE----- +MIIBTDCB/6ADAgECAhR5rwmHkOFPLTkaLT9cqTrVZXkY9DAFBgMrZXAwHDEaMBgG +A1UEAwwRcG9ueXRvd24gRWREU0EgQ0EwHhcNMjMxMjIxMTcyMzE1WhcNMzMxMjE4 +MTcyMzE1WjAcMRowGAYDVQQDDBFwb255dG93biBFZERTQSBDQTAqMAUGAytlcAMh +AJgNZ3ibDQ9rV85DZPPAnnwyuWh8rm3jX9ZCsU/WgG7Io1MwUTAdBgNVHQ4EFgQU +OFqGAvTdFHBY3OVdI0UB5kzHKpwwHwYDVR0jBBgwFoAUOFqGAvTdFHBY3OVdI0UB +5kzHKpwwDwYDVR0TAQH/BAUwAwEB/zAFBgMrZXADQQAsRwN+gYyaM5yN45Uo+R1y +tbiv8+TrEH0W8/oE/RCeRiPGV5qXpr2DqicljjNmNGixJ6ELuymaQ/1oMGuUDkEF +-----END CERTIFICATE----- 
diff --git a/rustls-libssl/test-ca/ed25519/server.cert b/rustls-libssl/test-ca/ed25519/server.cert new file mode 100644 index 0000000..f1d9cbe --- /dev/null +++ b/rustls-libssl/test-ca/ed25519/server.cert 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIB0DCCAYKgAwIBAgICAcgwBQYDK2VwMC4xLDAqBgNVBAMMI3Bvbnl0b3duIEVk +RFNBIGxldmVsIDIgaW50ZXJtZWRpYXRlMB4XDTIzMTIyMTE3MjMxNVoXDTI5MDYx +MjE3MjMxNVowGTEXMBUGA1UEAwwOdGVzdHNlcnZlci5jb20wKjAFBgMrZXADIQBG +aQQnDqqVjKAWWubCZJrG6S2ZZcI9/ZO65doj0GcDBqOB2DCB1TAMBgNVHRMBAf8E +AjAAMAsGA1UdDwQEAwIGwDAdBgNVHQ4EFgQUmyF3DidQEKhYUCk+ITezcqPhqAsw +RAYDVR0jBD0wO4AUxwg1gMsAfyEa6sLP1y4o71kifi6hIKQeMBwxGjAYBgNVBAMM +EXBvbnl0b3duIEVkRFNBIENBggF7MFMGA1UdEQRMMEqCDnRlc3RzZXJ2ZXIuY29t +hwTGM2QBghVzZWNvbmQudGVzdHNlcnZlci5jb22HECABDbgAAAAAAAAAAAAAAAGC +CWxvY2FsaG9zdDAFBgMrZXADQQA5X4Gdwo2e2TmhjgMcFB5SVbo/IPh3i8FaqKYc +k+O941Y4S0aBC/7zGZDZx2m0VAThR0eHsyGGnsKUB/uH1MoG +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBeDCCASqgAwIBAgIBezAFBgMrZXAwHDEaMBgGA1UEAwwRcG9ueXRvd24gRWRE +U0EgQ0EwHhcNMjMxMjIxMTcyMzE1WhcNMzMxMjE4MTcyMzE1WjAuMSwwKgYDVQQD +DCNwb255dG93biBFZERTQSBsZXZlbCAyIGludGVybWVkaWF0ZTAqMAUGAytlcAMh +AEZ0Q6H7K8Blul4086JDZCRWtzRM1Qh/Ppu4d5j+9duJo38wfTAdBgNVHQ4EFgQU +xwg1gMsAfyEa6sLP1y4o71kifi4wIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsG +AQUFBwMCMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgH+MB8GA1UdIwQYMBaAFDha +hgL03RRwWNzlXSNFAeZMxyqcMAUGAytlcANBAFPdVYhESKRDGyoWLR3aqDaLN0nn +jxWzGRPtiLBxZLBmxKS4j5J6dCtKKX85E90oSmV/ElorbpGznBk2l+ky6wY= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBTDCB/6ADAgECAhR5rwmHkOFPLTkaLT9cqTrVZXkY9DAFBgMrZXAwHDEaMBgG +A1UEAwwRcG9ueXRvd24gRWREU0EgQ0EwHhcNMjMxMjIxMTcyMzE1WhcNMzMxMjE4 +MTcyMzE1WjAcMRowGAYDVQQDDBFwb255dG93biBFZERTQSBDQTAqMAUGAytlcAMh +AJgNZ3ibDQ9rV85DZPPAnnwyuWh8rm3jX9ZCsU/WgG7Io1MwUTAdBgNVHQ4EFgQU +OFqGAvTdFHBY3OVdI0UB5kzHKpwwHwYDVR0jBBgwFoAUOFqGAvTdFHBY3OVdI0UB +5kzHKpwwDwYDVR0TAQH/BAUwAwEB/zAFBgMrZXADQQAsRwN+gYyaM5yN45Uo+R1y +tbiv8+TrEH0W8/oE/RCeRiPGV5qXpr2DqicljjNmNGixJ6ELuymaQ/1oMGuUDkEF +-----END CERTIFICATE----- diff --git a/rustls-libssl/test-ca/ed25519/server.key b/rustls-libssl/test-ca/ed25519/server.key new file mode 100644 index 0000000..58a361d --- /dev/null 
+++ b/rustls-libssl/test-ca/ed25519/server.key
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIFAeJeUKTXguiUHfGJmqh5nG8AdqjNDKQy9nctnekBE3
+-----END PRIVATE KEY-----
diff --git a/rustls-libssl/tests/runner.rs b/rustls-libssl/tests/runner.rs
index b3bd610..4dc107d 100644
--- a/rustls-libssl/tests/runner.rs
+++ b/rustls-libssl/tests/runner.rs
@@ -297,6 +297,7 @@ fn server() {
 "test-ca/rsa/server.key",
 "test-ca/rsa/server.cert",
 "unauth",
+ "internal+external",
 ])
 .stdout(Stdio::piped())
 .spawn()
@@ -315,6 +316,7 @@ fn server() {
 "test-ca/rsa/server.key",
 "test-ca/rsa/server.cert",
 "unauth",
+ "internal+external",
 ])
 .stdout(Stdio::piped())
 .spawn()
@@ -327,6 +329,84 @@ fn server() {
 assert_eq!(openssl_output, rustls_output);
 }
+fn server_with_key_algorithm(key_type: &str, sig_algs: &str, version_flag: &str) {
+ fn connect(key_type: &str, sig_algs: &str, version_flag: &str) {
+ Command::new("openssl")
+ .env("LD_LIBRARY_PATH", "")
+ .args([
+ "s_client",
+ "-connect",
+ "localhost:5556",
+ "-sigalgs",
+ sig_algs,
+ "-CAfile",
+ &format!("test-ca/{key_type}/ca.cert"),
+ "-verify",
+ "1",
+ version_flag,
+ ])
+ .stdout(Stdio::piped())
+ .output()
+ .map(print_output)
+ .unwrap();
+ }
+
+ let mut openssl_server = KillOnDrop(Some(
+ Command::new("tests/maybe-valgrind.sh")
+ .env("LD_LIBRARY_PATH", "")
+ .args([
+ "target/server",
+ "5556",
+ &format!("test-ca/{key_type}/server.key"),
+ &format!("test-ca/{key_type}/server.cert"),
+ "unauth",
+ "none",
+ ])
+ .stdout(Stdio::piped())
+ .spawn()
+ .unwrap(),
+ ));
+ wait_for_stdout(openssl_server.0.as_mut().unwrap(), b"listening\n");
+ connect(key_type, sig_algs, version_flag);
+
+ let openssl_output = print_output(openssl_server.take_inner().wait_with_output().unwrap());
+
+ let mut rustls_server = KillOnDrop(Some(
+ Command::new("tests/maybe-valgrind.sh")
+ .args([
+ "target/server",
+ "5556",
+ &format!("test-ca/{key_type}/server.key"),
+ &format!("test-ca/{key_type}/server.cert"),
+ "unauth",
+ "none",
+ ])
+ .stdout(Stdio::piped())
+ .spawn()
+ .unwrap(),
+ ));
+ wait_for_stdout(rustls_server.0.as_mut().unwrap(), b"listening\n");
+ connect(key_type, sig_algs, version_flag);
+
+ let rustls_output = print_output(rustls_server.take_inner().wait_with_output().unwrap());
+ assert_eq!(openssl_output, rustls_output);
+}
+
+#[test]
+#[ignore]
+fn server_key_algorithms() {
+ server_with_key_algorithm("rsa", "rsa_pss_rsae_sha256", "-tls1_3");
+ server_with_key_algorithm("rsa", "rsa_pss_rsae_sha384", "-tls1_3");
+ server_with_key_algorithm("rsa", "rsa_pss_rsae_sha512", "-tls1_3");
+ server_with_key_algorithm("rsa", "rsa_pkcs1_sha256", "-tls1_2");
+ server_with_key_algorithm("rsa", "rsa_pkcs1_sha384", "-tls1_2");
+ server_with_key_algorithm("rsa", "rsa_pkcs1_sha512", "-tls1_2");
+ server_with_key_algorithm("ed25519", "ed25519", "-tls1_3");
+ server_with_key_algorithm("ecdsa-p256", "ecdsa_secp256r1_sha256", "-tls1_3");
+ server_with_key_algorithm("ecdsa-p384", "ecdsa_secp384r1_sha384", "-tls1_3");
+ server_with_key_algorithm("ecdsa-p521", "ecdsa_secp521r1_sha512", "-tls1_3");
+}
+
 const NGINX_LOG_LEVEL: &str = "info";
 #[test]
diff --git a/rustls-libssl/tests/server.c b/rustls-libssl/tests/server.c
index 9e80647..9356a55 100644
--- a/rustls-libssl/tests/server.c
+++ b/rustls-libssl/tests/server.c
@@ -98,14 +98,15 @@ static void sess_remove_callback(SSL_CTX *ctx, SSL_SESSION *sess) {
 }
 int main(int argc, char **argv) {
- if (argc != 5) {
- printf("%s |unauth\n\n",
+ if (argc != 6) {
+ printf("%s |unauth "
+ "none|internal|external|internal+external\n\n",
 argv[0]);
 return 1;
 }
 const char *port = argv[1], *keyfile = argv[2], *certfile = argv[3],
- *cacert = argv[4];
+ *cacert = argv[4], *cache = argv[5];
 int listener = TRACE(socket(AF_INET, SOCK_STREAM, 0));
 struct sockaddr_in us, them;
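Review bot: `connect` passes `-verify 1` to `openssl s_client`, which only sets the verification depth; without `-verify_return_error` the client still completes the handshake when chain validation against `-CAfile` fails, and because the client's output is only printed, never compared, a broken chain in the new `test-ca/*` fixtures would go unnoticed as long as both servers misbehave the same way. Adding `"-verify_return_error",` to the `args` list makes the handshake abort on a verification failure, so the server-side transcript being compared actually reflects a validated connection. `server_key_algorithms` also only pairs each key with its own scheme; one case that offers a different ECDSA scheme to, say, the `ecdsa-p384` server would exercise the server's curve handling rather than just the happy path. Both `server_with_key_algorithm` and `server_key_algorithms` are new and fully within this hunk.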
@@ -151,12 +152,21 @@ int main(int argc, char **argv) {
 SSL_CTX_set_tlsext_servername_arg(ctx, &sni_cookie);
 dump_openssl_error_stack();
- SSL_CTX_sess_set_new_cb(ctx, sess_new_callback);
- SSL_CTX_sess_set_get_cb(ctx, sess_get_callback);
- SSL_CTX_sess_set_remove_cb(ctx, sess_remove_callback);
- TRACE(SSL_CTX_sess_set_cache_size(ctx, 10));
- TRACE(SSL_CTX_sess_get_cache_size(ctx));
- TRACE(SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER));
+ if (strstr(cache, "external")) {
+ SSL_CTX_sess_set_new_cb(ctx, sess_new_callback);
+ SSL_CTX_sess_set_get_cb(ctx, sess_get_callback);
+ SSL_CTX_sess_set_remove_cb(ctx, sess_remove_callback);
+ }
+
+ if (strstr(cache, "internal")) {
+ TRACE(SSL_CTX_sess_set_cache_size(ctx, 10));
+ TRACE(SSL_CTX_sess_get_cache_size(ctx));
+ TRACE(SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER));
+ }
+
+ if (strcmp(cache, "none") == 0) {
+ TRACE(SSL_CTX_set_session_cache_mode(ctx, 0));
+ }
 X509 *server_cert = NULL;
 EVP_PKEY *server_key = NULL;
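Review bot: An unrecognised `cache` value is silently accepted here: if `strstr(cache, "external")`, `strstr(cache, "internal")` and `strcmp(cache, "none")` all miss (a typo in the test runner, for instance), no branch runs and the context keeps whatever session-cache mode OpenSSL defaults to, so the test exercises a configuration nobody asked for. Reject it once next to the `argc != 6` check in the previous hunk, e.g. `if (!strstr(cache, "external") && !strstr(cache, "internal") && strcmp(cache, "none") != 0) { printf("unknown cache mode: %s\n", cache); return 1; }`. In the `none` branch, `SSL_SESS_CACHE_OFF` instead of the bare `0` would make the intent readable. `strstr`/`strcmp` require `<string.h>`; the includes are outside this hunk, so I cannot tell whether it is already pulled in, and `main` continues past the hunk.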