ssl: Test client authentication (empty cert)

Test client authentication when client responds with empty Certificate. Change-Id: I725ae60c6d097ca13c5f4354e35377ecacf98dea
author: Péter Dimitrov <[email protected]> 2019-02-27 16:15:50 +0100
committer: Péter Dimitrov <[email protected]> 2019-03-04 16:24:53 +0100
commit: 1e06a50821bff93643f342019840e8932e151686 (patch)
tree: d4ea613aa87fb76c6ce69948afccc613e90dd9f1 /lib
parent: 85f04feeb89d12443d12c7e233712bf8c299e187 (diff)
download: otp-1e06a50821bff93643f342019840e8932e151686.tar.gz
otp-1e06a50821bff93643f342019840e8932e151686.tar.bz2
otp-1e06a50821bff93643f342019840e8932e151686.zip
2 files changed, 74 insertions, 4 deletions
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 292916692d..5d5c23ca2c 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -281,7 +281,9 @@ tls13_test_group() ->
      tls13_1_RTT_handshake,
      tls13_basic_ssl_server_openssl_client,
      tls13_custom_groups_ssl_server_openssl_client,
-     tls13_hello_retry_request_ssl_server_openssl_client].
+     tls13_hello_retry_request_ssl_server_openssl_client,
+     tls13_client_auth_empty_cert_alert_ssl_server_openssl_client,
+     tls13_client_auth_empty_cert_ssl_server_openssl_client].
 
 %%--------------------------------------------------------------------
 init_per_suite(Config0) ->
@@ -5588,6 +5590,66 @@ tls13_hello_retry_request_ssl_server_openssl_client(Config) ->
     ssl_test_lib:close(Server),
     ssl_test_lib:close_port(Client).
 
+tls13_client_auth_empty_cert_alert_ssl_server_openssl_client() ->
+     [{doc,"TLS 1.3: Test client authentication when client sends an empty certificate and fail_if_no_peer_cert is set to true."}].
+
+tls13_client_auth_empty_cert_alert_ssl_server_openssl_client(Config) ->
+    ClientOpts0 = ssl_test_lib:ssl_options(client_rsa_opts, Config),
+    %% Delete Client Cert and Key
+    ClientOpts1 = proplists:delete(certfile, ClientOpts0),
+    ClientOpts = proplists:delete(keyfile, ClientOpts1),
+
+    ServerOpts0 = ssl_test_lib:ssl_options(server_rsa_opts, Config),
+    %% Set versions
+    ServerOpts = [{versions, ['tlsv1.2','tlsv1.3']},
+                  {verify, verify_peer},
+                  {fail_if_no_peer_cert, true}|ServerOpts0],
+    {_ClientNode, ServerNode, _Hostname} = ssl_test_lib:run_where(Config),
+
+    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+					{from, self()},
+					{mfa, {ssl_test_lib, send_recv_result_active, []}},
+					{options, ServerOpts}]),
+    Port = ssl_test_lib:inet_port(Server),
+
+    Client = ssl_test_lib:start_basic_client(openssl, 'tlsv1.3', Port, ClientOpts),
+
+    ssl_test_lib:check_result(Server,
+                              {error,
+                               {tls_alert,
+                                {certificate_required,
+                                 "received SERVER ALERT: Fatal - Certificate required - certificate_required"}}}),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close_port(Client).
+
+tls13_client_auth_empty_cert_ssl_server_openssl_client() ->
+     [{doc,"TLS 1.3: Test client authentication when client sends an empty certificate and fail_if_no_peer_cert is set to false."}].
+
+tls13_client_auth_empty_cert_ssl_server_openssl_client(Config) ->
+    ClientOpts0 = ssl_test_lib:ssl_options(client_rsa_opts, Config),
+    %% Delete Client Cert and Key
+    ClientOpts1 = proplists:delete(certfile, ClientOpts0),
+    ClientOpts = proplists:delete(keyfile, ClientOpts1),
+
+    ServerOpts0 = ssl_test_lib:ssl_options(server_rsa_opts, Config),
+    %% Set versions
+    ServerOpts = [{versions, ['tlsv1.2','tlsv1.3']},
+                  {verify, verify_peer},
+                  {fail_if_no_peer_cert, false}|ServerOpts0],
+    {_ClientNode, ServerNode, _Hostname} = ssl_test_lib:run_where(Config),
+
+    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+					{from, self()},
+					{mfa, {ssl_test_lib, send_recv_result_active, []}},
+					{options, ServerOpts}]),
+    Port = ssl_test_lib:inet_port(Server),
+
+    Client = ssl_test_lib:start_basic_client(openssl, 'tlsv1.3', Port, ClientOpts),
+
+    ssl_test_lib:check_result(Server, ok),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close_port(Client).
+
 
 %%--------------------------------------------------------------------
 %% Internal functions ------------------------------------------------
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index f628b4e6d4..7d83dbd382 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -1114,15 +1114,23 @@ start_basic_client(openssl, Version, Port, ClientOpts) ->
     Exe = "openssl",
     Args0 = ["s_client", "-verify", "2", "-port", integer_to_list(Port),
 	    ssl_test_lib:version_flag(Version),
-	    "-cert", Cert, "-CAfile", CA,
-	    "-key", Key, "-host","localhost", "-msg", "-debug"],
-    Args =
+	    "-CAfile", CA, "-host", "localhost", "-msg", "-debug"],
+    Args1 =
        case Groups0 of
            undefined ->
                Args0;
            G ->
                Args0 ++ ["-groups", G]
        end,
+    Args =
+       case {Cert, Key} of
+           {C, K} when C =:= undefined orelse
+                       K =:= undefined ->
+               Args0;
+           {C, K} ->
+               Args1 ++ ["-cert", C, "-key", K]
+       end,
+
     OpenSslPort = ssl_test_lib:portable_open_port(Exe, Args),
     true = port_command(OpenSslPort, "Hello world"),
     OpenSslPort.
author	Péter Dimitrov <[email protected]>	2019-02-27 16:15:50 +0100
committer	Péter Dimitrov <[email protected]>	2019-03-04 16:24:53 +0100
commit	1e06a50821bff93643f342019840e8932e151686 (patch)
tree	d4ea613aa87fb76c6ce69948afccc613e90dd9f1 /lib
parent	85f04feeb89d12443d12c7e233712bf8c299e187 (diff)
download	otp-1e06a50821bff93643f342019840e8932e151686.tar.gz otp-1e06a50821bff93643f342019840e8932e151686.tar.bz2 otp-1e06a50821bff93643f342019840e8932e151686.zip