Add tests for keyUsage with client auth
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 4c8d8f9..588cbc4 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2724,7 +2724,7 @@
if( pk_can_do( pk, POLARSSL_PK_ECKEY ) &&
! ssl_curve_is_acceptable( ssl, pk_ec( *pk )->grp.id ) )
{
- SSL_DEBUG_MSG( 1, ( "bad server certificate (EC key curve)" ) );
+ SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
if( ret == 0 )
ret = POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE;
}
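Review bot: The reworded message on the added line is now also a test oracle — tests/ssl-opt.sh in this same commit greps for the exact string "bad certificate (usage extensions)" with -c/-C and -s/-S — so a comment marking the log strings as matched by the test script would stop a future wording tweak from silently turning those checks into no-ops; the same applies to the hunk at 2735. Suggested: `/* string is matched verbatim by tests/ssl-opt.sh (keyUsage tests) */` above the SSL_DEBUG_MSG line. The `if( ret == 0 )` guard keeps the first error code when several checks fail, which is reasonable, but the enclosing function starts before and ends after this hunk so the ordering of the checks is not visible here.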
@@ -2735,7 +2735,7 @@
ciphersuite_info,
! ssl->endpoint ) != 0 )
{
- SSL_DEBUG_MSG( 1, ( "bad server certificate (usage ext.)" ) );
+ SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
if( ret == 0 )
ret = POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE;
}
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index ec9e549..16748b0 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1031,16 +1031,7 @@
-C "Ciphersuite is "
# Tests for keyUsage in leaf certificates, part 2:
-# client-side checks
-
-run_test "keyUsage cli #0 (reference, no extension)" \
- "$O_SRV -key data_files/server2.key \
- -cert data_files/server2.crt" \
- "$P_CLI debug_level=2" \
- 0 \
- -C "bad server certificate (usage ext.)" \
- -C "Processing of the Certificate handshake message failed" \
- -c "Ciphersuite is TLS-"
+# client-side checking of server cert
run_test "keyUsage cli #1 (DigitalSignature+KeyEncipherment, RSA: OK)" \
"$O_SRV -key data_files/server2.key \
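Review bot: The removed lines drop "keyUsage cli #0 (reference, no extension)", the one client-side case that confirmed a server certificate without a keyUsage extension is still accepted, and nothing in this hunk replaces it; unless it was moved elsewhere in the script, the remaining cli #1–#6 tests only cover certificates that carry the extension. Keeping a no-extension reference matters because the check is "reject when the extension forbids the usage", and a regression that starts rejecting certificates with no extension would not be caught by the remaining tests. If the removal was intentional, a one-line comment under `# client-side checking of server cert` stating why (for example `# no-extension case is covered by the default server2.crt tests above`) would make that explicit.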
@@ -1048,7 +1039,7 @@
"$P_CLI debug_level=2 \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
0 \
- -C "bad server certificate (usage ext.)" \
+ -C "bad certificate (usage extensions)" \
-C "Processing of the Certificate handshake message failed" \
-c "Ciphersuite is TLS-"
@@ -1058,7 +1049,7 @@
"$P_CLI debug_level=2 \
force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
0 \
- -C "bad server certificate (usage ext.)" \
+ -C "bad certificate (usage extensions)" \
-C "Processing of the Certificate handshake message failed" \
-c "Ciphersuite is TLS-"
@@ -1068,7 +1059,7 @@
"$P_CLI debug_level=2 \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
0 \
- -C "bad server certificate (usage ext.)" \
+ -C "bad certificate (usage extensions)" \
-C "Processing of the Certificate handshake message failed" \
-c "Ciphersuite is TLS-"
@@ -1078,7 +1069,7 @@
"$P_CLI debug_level=2 \
force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
1 \
- -c "bad server certificate (usage ext.)" \
+ -c "bad certificate (usage extensions)" \
-c "Processing of the Certificate handshake message failed" \
-C "Ciphersuite is TLS-"
@@ -1088,7 +1079,7 @@
"$P_CLI debug_level=2 \
force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
0 \
- -C "bad server certificate (usage ext.)" \
+ -C "bad certificate (usage extensions)" \
-C "Processing of the Certificate handshake message failed" \
-c "Ciphersuite is TLS-"
@@ -1098,10 +1089,53 @@
"$P_CLI debug_level=2 \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
1 \
- -c "bad server certificate (usage ext.)" \
+ -c "bad certificate (usage extensions)" \
-c "Processing of the Certificate handshake message failed" \
-C "Ciphersuite is TLS-"
+# Tests for keyUsage in leaf certificates, part 3:
+# server-side checking of client cert
+
+run_test "keyUsage cli-auth #1 (RSA, DigitalSignature: OK)" \
+ "$P_SRV debug_level=2 auth_mode=optional" \
+ "$O_CLI -key data_files/server2.key \
+ -cert data_files/server2.ku-ds.crt" \
+ 0 \
+ -S "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+run_test "keyUsage cli-auth #2 (RSA, KeyEncipherment: fail (soft))" \
+ "$P_SRV debug_level=2 auth_mode=optional" \
+ "$O_CLI -key data_files/server2.key \
+ -cert data_files/server2.ku-ke.crt" \
+ 0 \
+ -s "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+run_test "keyUsage cli-auth #3 (RSA, KeyEncipherment: fail (hard))" \
+ "$P_SRV debug_level=2 auth_mode=required" \
+ "$O_CLI -key data_files/server2.key \
+ -cert data_files/server2.ku-ke.crt" \
+ 1 \
+ -s "bad certificate (usage extensions)" \
+ -s "Processing of the Certificate handshake message failed"
+
+run_test "keyUsage cli-auth #4 (ECDSA, DigitalSignature: OK)" \
+ "$P_SRV debug_level=2 auth_mode=optional" \
+ "$O_CLI -key data_files/server5.key \
+ -cert data_files/server5.ku-ds.crt" \
+ 0 \
+ -S "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+run_test "keyUsage cli-auth #5 (ECDSA, KeyAgreement: fail (soft))" \
+ "$P_SRV debug_level=2 auth_mode=optional" \
+ "$O_CLI -key data_files/server5.key \
+ -cert data_files/server5.ku-ka.crt" \
+ 0 \
+ -s "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
# Final report
echo "------------------------------------------------------------------------"
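Review bot: The new part 3 block (cli-auth #1–#5) has no reference case with a client certificate that carries no keyUsage extension, so it cannot detect the server wrongly rejecting such certificates, and the ECDSA side has only soft-fail coverage (#5) with no `auth_mode=required` counterpart to #3. A reference test using the existing data_files/server2.crt (already used by the server-side tests above) would close the first gap; a constructed example is below, mirroring #1. The soft-fail cases (#2, #5) also only assert on the debug line; whether the usage failure is surfaced to the application when auth_mode=optional is not exercised here, though that may be out of scope for this script.
```shell
# … unchanged: part 3 header comment …
run_test "keyUsage cli-auth #0 (reference, no extension)" \
    "$P_SRV debug_level=2 auth_mode=optional" \
    "$O_CLI -key data_files/server2.key \
     -cert data_files/server2.crt" \
    0 \
    -S "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"
# … unchanged: cli-auth #1 … #5 …
```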