diff options
Diffstat (limited to 'lib/ssl/test')
| -rw-r--r-- | lib/ssl/test/Makefile | 3 | ||||
| -rw-r--r-- | lib/ssl/test/erl_make_certs.erl | 2 | ||||
| -rw-r--r-- | lib/ssl/test/ssl_ECC_SUITE.erl | 312 | ||||
| -rw-r--r-- | lib/ssl/test/ssl_basic_SUITE.erl | 41 | ||||
| -rw-r--r-- | lib/ssl/test/ssl_certificate_verify_SUITE.erl | 561 | ||||
| -rw-r--r-- | lib/ssl/test/ssl_packet_SUITE.erl | 10 | ||||
| -rw-r--r-- | lib/ssl/test/ssl_test_lib.erl | 254 | ||||
| -rw-r--r-- | lib/ssl/test/ssl_to_openssl_SUITE.erl | 3 | ||||
| -rw-r--r-- | lib/ssl/test/x509_test.erl | 343 | 
9 files changed, 898 insertions, 631 deletions
| diff --git a/lib/ssl/test/Makefile b/lib/ssl/test/Makefile index a2eb4ce449..55d45c98f6 100644 --- a/lib/ssl/test/Makefile +++ b/lib/ssl/test/Makefile @@ -56,7 +56,8 @@ MODULES = \  	ssl_upgrade_SUITE\  	ssl_sni_SUITE \  	make_certs\ -	erl_make_certs +	erl_make_certs\ +        x509_test  ERL_FILES = $(MODULES:%=%.erl) diff --git a/lib/ssl/test/erl_make_certs.erl b/lib/ssl/test/erl_make_certs.erl index a6657be995..af217efc11 100644 --- a/lib/ssl/test/erl_make_certs.erl +++ b/lib/ssl/test/erl_make_certs.erl @@ -179,7 +179,7 @@ make_tbs(SubjectKey, Opts) ->  		      subject(proplists:get_value(subject, Opts),false)  	      end, -    {#'OTPTBSCertificate'{serialNumber = trunc(random:uniform()*100000000)*10000 + 1, +    {#'OTPTBSCertificate'{serialNumber = trunc(rand:uniform()*100000000)*10000 + 1,  			  signature    = SignAlgo,  			  issuer       = Issuer,  			  validity     = validity(Opts), diff --git a/lib/ssl/test/ssl_ECC_SUITE.erl b/lib/ssl/test/ssl_ECC_SUITE.erl index f779765b18..b05e2c74db 100644 --- a/lib/ssl/test/ssl_ECC_SUITE.erl +++ b/lib/ssl/test/ssl_ECC_SUITE.erl @@ -46,7 +46,8 @@ groups() ->       {'tlsv1', [], all_versions_groups()},       {'erlang_server', [], key_cert_combinations()},       {'erlang_client', [], key_cert_combinations()}, -     {'erlang', [], key_cert_combinations() ++ misc() ++ ecc_negotiation()} +     {'erlang', [], key_cert_combinations() ++ misc()  +      ++ ecc_negotiation()}      ].  all_versions_groups ()-> @@ -56,13 +57,13 @@ all_versions_groups ()->      ].  key_cert_combinations() -> -    [client_ecdh_server_ecdh, -     client_rsa_server_ecdh, -     client_ecdh_server_rsa, -     client_rsa_server_rsa, -     client_ecdsa_server_ecdsa, -     client_ecdsa_server_rsa, -     client_rsa_server_ecdsa +    [client_ecdh_rsa_server_ecdh_rsa, +     client_ecdhe_rsa_server_ecdh_rsa, +     client_ecdh_rsa_server_ecdhe_rsa, +     client_ecdhe_rsa_server_ecdhe_rsa, +     client_ecdhe_ecdsa_server_ecdhe_rsa, +     client_ecdhe_ecdsa_server_ecdhe_ecdsa, +     client_ecdh_rsa_server_ecdhe_ecdsa      ].  misc()-> @@ -74,15 +75,15 @@ ecc_negotiation() ->       ecc_client_order,       ecc_client_order_custom_curves,       ecc_unknown_curve, -     client_ecdh_server_ecdh_ecc_server_custom, -     client_rsa_server_ecdh_ecc_server_custom, -     client_ecdh_server_rsa_ecc_server_custom, -     client_rsa_server_rsa_ecc_server_custom, -     client_ecdsa_server_ecdsa_ecc_server_custom, -     client_ecdsa_server_rsa_ecc_server_custom, -     client_rsa_server_ecdsa_ecc_server_custom, -     client_ecdsa_server_ecdsa_ecc_client_custom, -     client_rsa_server_ecdsa_ecc_client_custom +     client_ecdh_rsa_server_ecdhe_ecdsa_server_custom, +     client_ecdh_rsa_server_ecdhe_rsa_server_custom, +     client_ecdhe_rsa_server_ecdhe_ecdsa_server_custom, +     client_ecdhe_rsa_server_ecdhe_rsa_server_custom, +     client_ecdhe_rsa_server_ecdh_rsa_server_custom, +     client_ecdhe_ecdsa_server_ecdhe_ecdsa_server_custom, +     client_ecdhe_ecdsa_server_ecdhe_rsa_server_custom, +     client_ecdhe_ecdsa_server_ecdhe_ecdsa_client_custom,     +     client_ecdhe_rsa_server_ecdhe_ecdsa_client_custom      ].  %%-------------------------------------------------------------------- @@ -90,12 +91,7 @@ init_per_suite(Config0) ->      end_per_suite(Config0),      try crypto:start() of  	ok -> -	    %% make rsa certs using oppenssl -	    {ok, _} = make_certs:all(proplists:get_value(data_dir, Config0), -				     proplists:get_value(priv_dir, Config0)), -	    Config1 = ssl_test_lib:make_ecdsa_cert(Config0), -	    Config2 = ssl_test_lib:make_ecdh_rsa_cert(Config1), -	    ssl_test_lib:cert_options(Config2) +           Config0      catch _:_ ->  	    {skip, "Crypto did not start"}      end. @@ -174,70 +170,58 @@ end_per_testcase(_TestCase, Config) ->  %% Test Cases --------------------------------------------------------  %%-------------------------------------------------------------------- -client_ecdh_server_ecdh(Config) when is_list(Config) -> -    COpts =  proplists:get_value(client_ecdh_rsa_opts, Config), -    SOpts = proplists:get_value(server_ecdh_rsa_opts, Config), -    basic_test(COpts, SOpts, Config). -     -client_ecdh_server_rsa(Config)  when is_list(Config) -> -    COpts =  proplists:get_value(client_ecdh_rsa_opts, Config), -    SOpts = proplists:get_value(server_opts, Config), +%% Test diffrent certificate chain types, note that it is the servers +%% chain that affect what cipher suit that will be choosen + +%% ECDH_RSA  +client_ecdh_rsa_server_ecdh_rsa(Config) when is_list(Config) -> +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains(ecdh_rsa, ecdh_rsa, Config),      basic_test(COpts, SOpts, Config). -   -client_rsa_server_ecdh(Config)  when is_list(Config) -> -    COpts =  proplists:get_value(client_opts, Config), -    SOpts = proplists:get_value(server_ecdh_rsa_opts, Config), + +client_ecdhe_rsa_server_ecdh_rsa(Config)  when is_list(Config) -> +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains(ecdhe_rsa, ecdh_rsa, Config),      basic_test(COpts, SOpts, Config). -client_rsa_server_rsa(Config)  when is_list(Config) -> -    COpts =  proplists:get_value(client_opts, Config), -    SOpts = proplists:get_value(server_opts, Config), +%% ECDHE_RSA     +client_ecdh_rsa_server_ecdhe_rsa(Config)  when is_list(Config) -> +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains(ecdh_rsa, ecdhe_rsa, Config),      basic_test(COpts, SOpts, Config). -    -client_ecdsa_server_ecdsa(Config)  when is_list(Config) -> -    COpts =  proplists:get_value(client_ecdsa_opts, Config), -    SOpts = proplists:get_value(server_ecdsa_opts, Config), + +client_ecdhe_rsa_server_ecdhe_rsa(Config)  when is_list(Config) -> +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains(ecdhe_rsa, ecdhe_rsa, Config),      basic_test(COpts, SOpts, Config). -client_ecdsa_server_rsa(Config)  when is_list(Config) -> -    COpts =  proplists:get_value(client_ecdsa_opts, Config), -    SOpts = proplists:get_value(server_opts, Config), +client_ecdhe_ecdsa_server_ecdhe_rsa(Config)  when is_list(Config) -> +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains(ecdh_ecdsa, ecdhe_rsa, Config), +    basic_test(COpts, SOpts, Config). +    +%% ECDHE_ECDSA +client_ecdhe_ecdsa_server_ecdhe_ecdsa(Config)  when is_list(Config) -> +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains(ecdhe_ecdsa, ecdhe_ecdsa, Config),      basic_test(COpts, SOpts, Config). -client_rsa_server_ecdsa(Config)  when is_list(Config) -> -    COpts =  proplists:get_value(client_opts, Config), -    SOpts = proplists:get_value(server_ecdsa_opts, Config), +client_ecdh_rsa_server_ecdhe_ecdsa(Config)  when is_list(Config) -> +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains(ecdh_rsa, ecdhe_ecdsa, Config),          basic_test(COpts, SOpts, Config).  client_ecdsa_server_ecdsa_with_raw_key(Config)  when is_list(Config) -> -    COpts =  proplists:get_value(client_ecdsa_opts, Config), -    SOpts = proplists:get_value(server_ecdsa_opts, Config), -    ServerCert = proplists:get_value(certfile, SOpts), +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains(ecdhe_ecdsa, ecdhe_ecdsa, Config),      ServerKeyFile = proplists:get_value(keyfile, SOpts),      {ok, PemBin} = file:read_file(ServerKeyFile),      PemEntries = public_key:pem_decode(PemBin),      {'ECPrivateKey', Key, not_encrypted} = proplists:lookup('ECPrivateKey', PemEntries),      ServerKey = {'ECPrivateKey', Key}, -    ServerCA = proplists:get_value(cacertfile, SOpts), -    ClientCert = proplists:get_value(certfile, COpts), -    ClientKey = proplists:get_value(keyfile, COpts), -    ClientCA = proplists:get_value(cacertfile, COpts),      SType = proplists:get_value(server_type, Config),      CType = proplists:get_value(client_type, Config),      {Server, Port} = start_server_with_raw_key(SType, -				  ClientCA, ServerCA, -				  ServerCert, -				  ServerKey, -				  Config), -    Client = start_client(CType, Port, ServerCA, ClientCA, -			  ClientCert, -			  ClientKey, Config), +                                               [{key, ServerKey} | proplists:delete(keyfile, SOpts)], +                                               Config), +    Client = start_client(CType, Port, COpts, Config),      check_result(Server, SType, Client, CType),      close(Server, Client).  ecc_default_order(Config) -> -    COpts =  proplists:get_value(client_ecdsa_opts, Config), -    SOpts = proplists:get_value(server_ecdsa_opts, Config), +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains(ecdhe_ecdsa, ecdhe_ecdsa, Config),         ECCOpts = [],      case supported_eccs([{eccs, [sect571r1]}]) of          true -> ecc_test(sect571r1, COpts, SOpts, [], ECCOpts, Config); @@ -245,8 +229,7 @@ ecc_default_order(Config) ->      end.  ecc_default_order_custom_curves(Config) -> -    COpts =  proplists:get_value(client_ecdsa_opts, Config), -    SOpts = proplists:get_value(server_ecdsa_opts, Config), +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains(ecdhe_ecdsa, ecdhe_ecdsa, Config),         ECCOpts = [{eccs, [secp256r1, sect571r1]}],      case supported_eccs(ECCOpts) of          true -> ecc_test(sect571r1, COpts, SOpts, [], ECCOpts, Config); @@ -254,8 +237,7 @@ ecc_default_order_custom_curves(Config) ->      end.  ecc_client_order(Config) -> -    COpts =  proplists:get_value(client_ecdsa_opts, Config), -    SOpts = proplists:get_value(server_ecdsa_opts, Config), +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains(ecdhe_ecdsa, ecdhe_ecdsa, Config),         ECCOpts = [{honor_ecc_order, false}],      case supported_eccs([{eccs, [sect571r1]}]) of          true -> ecc_test(sect571r1, COpts, SOpts, [], ECCOpts, Config); @@ -263,8 +245,7 @@ ecc_client_order(Config) ->      end.  ecc_client_order_custom_curves(Config) -> -    COpts =  proplists:get_value(client_ecdsa_opts, Config), -    SOpts = proplists:get_value(server_ecdsa_opts, Config), +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains(ecdhe_ecdsa, ecdhe_ecdsa, Config),         ECCOpts = [{honor_ecc_order, false}, {eccs, [secp256r1, sect571r1]}],      case supported_eccs(ECCOpts) of          true -> ecc_test(sect571r1, COpts, SOpts, [], ECCOpts, Config); @@ -272,89 +253,75 @@ ecc_client_order_custom_curves(Config) ->      end.  ecc_unknown_curve(Config) -> -    COpts =  proplists:get_value(client_ecdsa_opts, Config), -    SOpts = proplists:get_value(server_ecdsa_opts, Config), +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains(ecdhe_ecdsa, ecdhe_ecdsa, Config),         ECCOpts = [{eccs, ['123_fake_curve']}],      ecc_test_error(COpts, SOpts, [], ECCOpts, Config). -%% We can only expect to see a named curve on a conn with -%% a server supporting ecdsa. Otherwise the curve is selected -%% but not used and communicated to the client? -client_ecdh_server_ecdh_ecc_server_custom(Config) -> -    COpts =  proplists:get_value(client_ecdh_rsa_opts, Config), -    SOpts = proplists:get_value(server_ecdh_rsa_opts, Config), +client_ecdh_rsa_server_ecdhe_ecdsa_server_custom(Config) -> +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains(ecdh_rsa, ecdhe_ecdsa, Config),      ECCOpts = [{honor_ecc_order, true}, {eccs, [secp256r1, sect571r1]}],      case supported_eccs(ECCOpts) of -        true -> ecc_test(undefined, COpts, SOpts, [], ECCOpts, Config); +        true -> ecc_test(secp256r1, COpts, SOpts, [], ECCOpts, Config);          false -> {skip, "unsupported named curves"}      end. -client_ecdh_server_rsa_ecc_server_custom(Config) -> -    COpts =  proplists:get_value(client_ecdh_rsa_opts, Config), -    SOpts = proplists:get_value(server_opts, Config), +client_ecdh_rsa_server_ecdhe_rsa_server_custom(Config) -> +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains(ecdh_rsa, ecdhe_rsa, Config),      ECCOpts = [{honor_ecc_order, true}, {eccs, [secp256r1, sect571r1]}],      case supported_eccs(ECCOpts) of          true -> ecc_test(undefined, COpts, SOpts, [], ECCOpts, Config);          false -> {skip, "unsupported named curves"}      end. -client_rsa_server_ecdh_ecc_server_custom(Config) -> -    COpts =  proplists:get_value(client_opts, Config), -    SOpts = proplists:get_value(server_ecdh_rsa_opts, Config), +client_ecdhe_rsa_server_ecdhe_ecdsa_server_custom(Config) -> +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains(ecdhe_rsa, ecdhe_ecdsa, Config),      ECCOpts = [{honor_ecc_order, true}, {eccs, [secp256r1, sect571r1]}],      case supported_eccs(ECCOpts) of -        true -> ecc_test(undefined, COpts, SOpts, [], ECCOpts, Config); +        true -> ecc_test(secp256r1, COpts, SOpts, [], ECCOpts, Config);          false -> {skip, "unsupported named curves"}      end. -client_rsa_server_rsa_ecc_server_custom(Config) -> -    COpts =  proplists:get_value(client_opts, Config), -    SOpts = proplists:get_value(server_opts, Config), +client_ecdhe_rsa_server_ecdhe_rsa_server_custom(Config) -> +   {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains(ecdhe_rsa, ecdhe_rsa, Config),      ECCOpts = [{honor_ecc_order, true}, {eccs, [secp256r1, sect571r1]}],      case supported_eccs(ECCOpts) of          true -> ecc_test(undefined, COpts, SOpts, [], ECCOpts, Config);          false -> {skip, "unsupported named curves"}      end. - -client_ecdsa_server_ecdsa_ecc_server_custom(Config) -> -    COpts =  proplists:get_value(client_ecdsa_opts, Config), -    SOpts = proplists:get_value(server_ecdsa_opts, Config), +client_ecdhe_rsa_server_ecdh_rsa_server_custom(Config) -> +   {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains(ecdhe_rsa, ecdh_rsa, Config),      ECCOpts = [{honor_ecc_order, true}, {eccs, [secp256r1, sect571r1]}],      case supported_eccs(ECCOpts) of -        true -> ecc_test(secp256r1, COpts, SOpts, [], ECCOpts, Config); +        true -> ecc_test(undefined, COpts, SOpts, [], ECCOpts, Config);          false -> {skip, "unsupported named curves"}      end. -client_ecdsa_server_rsa_ecc_server_custom(Config) -> -    COpts =  proplists:get_value(client_ecdsa_opts, Config), -    SOpts = proplists:get_value(server_opts, Config), +client_ecdhe_ecdsa_server_ecdhe_ecdsa_server_custom(Config) -> +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains(ecdhe_ecdsa, ecdhe_ecdsa, Config),      ECCOpts = [{honor_ecc_order, true}, {eccs, [secp256r1, sect571r1]}],      case supported_eccs(ECCOpts) of -        true -> ecc_test(undefined, COpts, SOpts, [], ECCOpts, Config); +        true -> ecc_test(secp256r1, COpts, SOpts, [], ECCOpts, Config);          false -> {skip, "unsupported named curves"}      end. -client_rsa_server_ecdsa_ecc_server_custom(Config) -> -    COpts =  proplists:get_value(client_opts, Config), -    SOpts = proplists:get_value(server_ecdsa_opts, Config), +client_ecdhe_ecdsa_server_ecdhe_rsa_server_custom(Config) -> +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains(ecdhe_ecdsa, ecdhe_rsa, Config),      ECCOpts = [{honor_ecc_order, true}, {eccs, [secp256r1, sect571r1]}],      case supported_eccs(ECCOpts) of -        true -> ecc_test(secp256r1, COpts, SOpts, [], ECCOpts, Config); +        true -> ecc_test(undefined, COpts, SOpts, [], ECCOpts, Config);          false -> {skip, "unsupported named curves"}      end. -client_ecdsa_server_ecdsa_ecc_client_custom(Config) -> -    COpts =  proplists:get_value(client_ecdsa_opts, Config), -    SOpts = proplists:get_value(server_ecdsa_opts, Config), +client_ecdhe_ecdsa_server_ecdhe_ecdsa_client_custom(Config) -> +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains(ecdhe_ecdsa, ecdhe_ecdsa, Config),      ECCOpts = [{eccs, [secp256r1, sect571r1]}],      case supported_eccs(ECCOpts) of          true -> ecc_test(secp256r1, COpts, SOpts, ECCOpts, [], Config);          false -> {skip, "unsupported named curves"}      end. -client_rsa_server_ecdsa_ecc_client_custom(Config) -> -    COpts =  proplists:get_value(client_opts, Config), -    SOpts = proplists:get_value(server_ecdsa_opts, Config), +client_ecdhe_rsa_server_ecdhe_ecdsa_client_custom(Config) -> +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains(ecdhe_rsa, ecdhe_ecdsa, Config),      ECCOpts = [{eccs, [secp256r1, sect571r1]}],      case supported_eccs(ECCOpts) of          true -> ecc_test(secp256r1, COpts, SOpts, ECCOpts, [], Config); @@ -365,57 +332,31 @@ client_rsa_server_ecdsa_ecc_client_custom(Config) ->  %% Internal functions ------------------------------------------------  %%--------------------------------------------------------------------  basic_test(COpts, SOpts, Config) -> -    basic_test(proplists:get_value(certfile, COpts),  -	       proplists:get_value(keyfile, COpts),  -	       proplists:get_value(cacertfile, COpts),  -	       proplists:get_value(certfile, SOpts),  -	       proplists:get_value(keyfile, SOpts),  -	       proplists:get_value(cacertfile, SOpts),  -	       Config). -     -basic_test(ClientCert, ClientKey, ClientCA, ServerCert, ServerKey, ServerCA, Config) ->      SType = proplists:get_value(server_type, Config),      CType = proplists:get_value(client_type, Config), -    {Server, Port} = start_server(SType, -				  ClientCA, ServerCA, -				  ServerCert, -				  ServerKey, -				  Config), -    Client = start_client(CType, Port, ServerCA, ClientCA, -			  ClientCert, -			  ClientKey, Config), +    {Server, Port} = start_server(SType, SOpts, Config), +    Client = start_client(CType, Port, COpts, Config),      check_result(Server, SType, Client, CType),      close(Server, Client).      ecc_test(Expect, COpts, SOpts, CECCOpts, SECCOpts, Config) -> -    CCA = proplists:get_value(cacertfile, COpts), -    CCert = proplists:get_value(certfile, COpts), -    CKey = proplists:get_value(keyfile, COpts), -    SCA = proplists:get_value(cacertfile, SOpts), -    SCert = proplists:get_value(certfile, SOpts), -    SKey = proplists:get_value(keyfile, SOpts), -    {Server, Port} = start_server_ecc(erlang, CCA, SCA, SCert, SKey, Expect, SECCOpts, Config), -    Client = start_client_ecc(erlang, Port, SCA, CCA, CCert, CKey, Expect, CECCOpts, Config), +    {Server, Port} = start_server_ecc(erlang, SOpts, Expect, SECCOpts, Config), +    Client = start_client_ecc(erlang, Port, COpts, Expect, CECCOpts, Config),      ssl_test_lib:check_result(Server, ok, Client, ok),      close(Server, Client).  ecc_test_error(COpts, SOpts, CECCOpts, SECCOpts, Config) -> -    CCA = proplists:get_value(cacertfile, COpts), -    CCert = proplists:get_value(certfile, COpts), -    CKey = proplists:get_value(keyfile, COpts), -    SCA = proplists:get_value(cacertfile, SOpts), -    SCert = proplists:get_value(certfile, SOpts), -    SKey = proplists:get_value(keyfile, SOpts), -    {Server, Port} = start_server_ecc_error(erlang, CCA, SCA, SCert, SKey, SECCOpts, Config), -    Client = start_client_ecc_error(erlang, Port, SCA, CCA, CCert, CKey, CECCOpts, Config), +    {Server, Port} = start_server_ecc_error(erlang, SOpts, SECCOpts, Config), +    Client = start_client_ecc_error(erlang, Port, COpts, CECCOpts, Config),      Error = {error, {tls_alert, "insufficient security"}},      ssl_test_lib:check_result(Server, Error, Client, Error). -start_client(openssl, Port, PeerCA, OwnCa, Cert, Key, Config) -> -    PrivDir = proplists:get_value(priv_dir, Config), -    CA = new_openssl_ca(filename:join(PrivDir, "openssl_client_ca.pem"), PeerCA, OwnCa), +start_client(openssl, Port, ClientOpts, _Config) -> +    Cert = proplists:get_value(certfile, ClientOpts), +    Key = proplists:get_value(keyfile, ClientOpts), +    CA = proplists:get_value(cacertfile, ClientOpts),      Version = tls_record:protocol_version(tls_record:highest_protocol_version([])),      Exe = "openssl",      Args = ["s_client", "-verify", "2", "-port", integer_to_list(Port), @@ -426,21 +367,17 @@ start_client(openssl, Port, PeerCA, OwnCa, Cert, Key, Config) ->      OpenSslPort = ssl_test_lib:portable_open_port(Exe, Args),       true = port_command(OpenSslPort, "Hello world"),      OpenSslPort; -start_client(erlang, Port, PeerCA, OwnCa, Cert, Key, Config) -> -    PrivDir = proplists:get_value(priv_dir, Config), -    CA = new_ca(filename:join(PrivDir,"erlang_client_ca.pem"), PeerCA, OwnCa), + +start_client(erlang, Port, ClientOpts, Config) ->      {ClientNode, _, Hostname} = ssl_test_lib:run_where(Config),      ssl_test_lib:start_client([{node, ClientNode}, {port, Port},  			       {host, Hostname},  			       {from, self()},  			       {mfa, {ssl_test_lib, send_recv_result_active, []}}, -			       {options, [{verify, verify_peer},  -					  {cacertfile, CA}, -					  {certfile, Cert}, {keyfile, Key}]}]). +			       {options, [{verify, verify_peer} | ClientOpts]}]). -start_client_ecc(erlang, Port, PeerCA, OwnCa, Cert, Key, Expect, ECCOpts, Config) -> -    CA = new_ca("erlang_client_ca", PeerCA, OwnCa), +start_client_ecc(erlang, Port, ClientOpts, Expect, ECCOpts, Config) ->      {ClientNode, _, Hostname} = ssl_test_lib:run_where(Config),      ssl_test_lib:start_client([{node, ClientNode}, {port, Port},                                 {host, Hostname}, @@ -448,26 +385,22 @@ start_client_ecc(erlang, Port, PeerCA, OwnCa, Cert, Key, Expect, ECCOpts, Config                                 {mfa, {?MODULE, check_ecc, [client, Expect]}},                                 {options,                                  ECCOpts ++ -                                [{verify, verify_peer}, -                                 {cacertfile, CA}, -                                 {certfile, Cert}, {keyfile, Key}]}]). +                                [{verify, verify_peer} | ClientOpts]}]). -start_client_ecc_error(erlang, Port, PeerCA, OwnCa, Cert, Key, ECCOpts, Config) -> -    CA = new_ca("erlang_client_ca", PeerCA, OwnCa), +start_client_ecc_error(erlang, Port, ClientOpts, ECCOpts, Config) ->      {ClientNode, _, Hostname} = ssl_test_lib:run_where(Config),      ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},                                       {host, Hostname},                                       {from, self()},                                       {options,                                        ECCOpts ++ -                                      [{verify, verify_peer}, -                                       {cacertfile, CA}, -                                       {certfile, Cert}, {keyfile, Key}]}]). +                                      [{verify, verify_peer} | ClientOpts]}]). -start_server(openssl, PeerCA, OwnCa, Cert, Key, Config) -> -    PrivDir = proplists:get_value(priv_dir, Config), -    CA = new_openssl_ca(filename:join(PrivDir,"openssl_server_ca.pem"), PeerCA, OwnCa), +start_server(openssl, ServerOpts, _Config) -> +    Cert = proplists:get_value(certfile, ServerOpts), +    Key = proplists:get_value(keyfile, ServerOpts), +    CA = proplists:get_value(cacertfile, ServerOpts),      Port = ssl_test_lib:inet_port(node()),      Version = tls_record:protocol_version(tls_record:highest_protocol_version([])),      Exe = "openssl", @@ -477,23 +410,17 @@ start_server(openssl, PeerCA, OwnCa, Cert, Key, Config) ->      OpenSslPort = ssl_test_lib:portable_open_port(Exe, Args),      true = port_command(OpenSslPort, "Hello world"),      {OpenSslPort, Port}; -start_server(erlang, PeerCA, OwnCa, Cert, Key, Config) -> -     PrivDir = proplists:get_value(priv_dir, Config), -    CA = new_ca(filename:join(PrivDir,"erlang_server_ca.pem"), PeerCA, OwnCa),     +start_server(erlang, ServerOpts, Config) ->      {_, ServerNode, _} = ssl_test_lib:run_where(Config),      Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, -			       {from, self()}, -			       {mfa, {ssl_test_lib, -				      send_recv_result_active, -				      []}}, -			       {options, -				[{verify, verify_peer}, {cacertfile, CA}, -				 {certfile, Cert}, {keyfile, Key}]}]), +                                        {from, self()}, +                                        {mfa, {ssl_test_lib, +                                               send_recv_result_active, +                                               []}}, +                                        {options, [{verify, verify_peer} | ServerOpts]}]),      {Server, ssl_test_lib:inet_port(Server)}. -start_server_with_raw_key(erlang, PeerCA, OwnCa, Cert, Key, Config) -> -    PrivDir = proplists:get_value(priv_dir, Config), -    CA = new_ca(filename:join(PrivDir, "erlang_server_ca.pem"), PeerCA, OwnCa), +start_server_with_raw_key(erlang, ServerOpts, Config) ->      {_, ServerNode, _} = ssl_test_lib:run_where(Config),      Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},  					{from, self()}, @@ -501,31 +428,26 @@ start_server_with_raw_key(erlang, PeerCA, OwnCa, Cert, Key, Config) ->  					       send_recv_result_active,  					       []}},  					{options, -					 [{verify, verify_peer}, {cacertfile, CA}, -					  {certfile, Cert}, {key, Key}]}]), +					 [{verify, verify_peer} | ServerOpts]}]),      {Server, ssl_test_lib:inet_port(Server)}. -start_server_ecc(erlang, PeerCA, OwnCa, Cert, Key, Expect, ECCOpts, Config) -> -    CA = new_ca("erlang_server_ca", PeerCA, OwnCa), +start_server_ecc(erlang, ServerOpts, Expect, ECCOpts, Config) ->      {_, ServerNode, _} = ssl_test_lib:run_where(Config),      Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},                                          {from, self()},                                          {mfa, {?MODULE, check_ecc, [server, Expect]}},                                          {options,                                           ECCOpts ++ -                                         [{verify, verify_peer}, {cacertfile, CA}, -                                          {certfile, Cert}, {keyfile, Key}]}]), +                                         [{verify, verify_peer} | ServerOpts]}]),      {Server, ssl_test_lib:inet_port(Server)}. -start_server_ecc_error(erlang, PeerCA, OwnCa, Cert, Key, ECCOpts, Config) -> -    CA = new_ca("erlang_server_ca", PeerCA, OwnCa), +start_server_ecc_error(erlang, ServerOpts, ECCOpts, Config) ->      {_, ServerNode, _} = ssl_test_lib:run_where(Config),      Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},                                                {from, self()},                                                {options,                                                 ECCOpts ++ -                                               [{verify, verify_peer}, {cacertfile, CA}, -                                                {certfile, Cert}, {keyfile, Key}]}]), +                                               [{verify, verify_peer} | ServerOpts]}]),      {Server, ssl_test_lib:inet_port(Server)}.  check_result(Server, erlang, Client, erlang) -> @@ -561,24 +483,6 @@ close(Client, Server)  ->      ssl_test_lib:close(Server),      ssl_test_lib:close(Client). -new_ca(FileName, CA, OwnCa) -> -    {ok, P1} = file:read_file(CA), -    E1 = public_key:pem_decode(P1), -    {ok, P2} = file:read_file(OwnCa), -    E2 = public_key:pem_decode(P2), -    Pem = public_key:pem_encode(E1 ++E2), -    file:write_file(FileName,  Pem), -    FileName. - -new_openssl_ca(FileName, CA, OwnCa) -> -    {ok, P1} = file:read_file(CA), -    E1 = public_key:pem_decode(P1), -    {ok, P2} = file:read_file(OwnCa), -    E2 = public_key:pem_decode(P2), -    Pem = public_key:pem_encode(E2 ++E1), -    file:write_file(FileName,  Pem), -    FileName. -  supported_eccs(Opts) ->      ToCheck = proplists:get_value(eccs, Opts, []),      Supported = ssl:eccs(), diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl index 86426bdb60..4eabe544d7 100644 --- a/lib/ssl/test/ssl_basic_SUITE.erl +++ b/lib/ssl/test/ssl_basic_SUITE.erl @@ -148,6 +148,7 @@ options_tests_tls() ->  api_tests() ->      [connection_info, +     secret_connection_info,       connection_information,       peercert,       peercert_with_client_cert, @@ -611,7 +612,7 @@ prf(Config) when is_list(Config) ->  %%--------------------------------------------------------------------  connection_info() -> -    [{doc,"Test the API function ssl:connection_information/1"}]. +    [{doc,"Test the API function ssl:connection_information/2"}].  connection_info(Config) when is_list(Config) ->       ClientOpts = ssl_test_lib:ssl_options(client_verification_opts, Config),      ServerOpts = ssl_test_lib:ssl_options(server_verification_opts, Config), @@ -645,6 +646,38 @@ connection_info(Config) when is_list(Config) ->  %%-------------------------------------------------------------------- +secret_connection_info() -> +    [{doc,"Test the API function ssl:connection_information/2"}]. +secret_connection_info(Config) when is_list(Config) ->  +    ClientOpts = ssl_test_lib:ssl_options(client_verification_opts, Config), +    ServerOpts = ssl_test_lib:ssl_options(server_verification_opts, Config), +    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), + +    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},  +					{from, self()},  +					{mfa, {?MODULE, secret_connection_info_result, []}}, +					{options, ServerOpts}]), +     +    Port = ssl_test_lib:inet_port(Server), +    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, +					{host, Hostname}, +                                        {from, self()},  +                                        {mfa, {?MODULE, secret_connection_info_result, []}}, +                                        {options, ClientOpts}]), +     +    ct:log("Testcase ~p, Client ~p  Server ~p ~n", +		       [self(), Client, Server]), + +    Version = ssl_test_lib:protocol_version(Config),     +			    +    ssl_test_lib:check_result(Server, true, Client, true), +     +    ssl_test_lib:close(Server), +    ssl_test_lib:close(Client). + + +%%-------------------------------------------------------------------- +  connection_information() ->      [{doc,"Test the API function ssl:connection_information/1"}].  connection_information(Config) when is_list(Config) ->  @@ -3414,7 +3447,6 @@ listen_socket(Config) ->      {error, enotconn} = ssl:connection_information(ListenSocket),      {error, enotconn} = ssl:peername(ListenSocket),      {error, enotconn} = ssl:peercert(ListenSocket), -    {error, enotconn} = ssl:session_info(ListenSocket),      {error, enotconn} = ssl:renegotiate(ListenSocket),      {error, enotconn} = ssl:prf(ListenSocket, 'master_secret', <<"Label">>, client_random, 256),      {error, enotconn} = ssl:shutdown(ListenSocket, read_write), @@ -4638,6 +4670,11 @@ version_info_result(Socket) ->      {ok, [{version, Version}]} = ssl:connection_information(Socket, [version]),      {ok, Version}. +secret_connection_info_result(Socket) -> +    {ok, [{client_random, ClientRand}, {server_random, ServerRand}, {master_secret, MasterSecret}]}  +        = ssl:connection_information(Socket, [client_random, server_random, master_secret]), +    is_binary(ClientRand) andalso is_binary(ServerRand) andalso is_binary(MasterSecret).  +      connect_dist_s(S) ->      Msg = term_to_binary({erlang,term}),      ok = ssl:send(S, Msg). diff --git a/lib/ssl/test/ssl_certificate_verify_SUITE.erl b/lib/ssl/test/ssl_certificate_verify_SUITE.erl index 66b0c09b73..45bcdf1f78 100644 --- a/lib/ssl/test/ssl_certificate_verify_SUITE.erl +++ b/lib/ssl/test/ssl_certificate_verify_SUITE.erl @@ -74,7 +74,7 @@ tests() ->       cert_expired,       invalid_signature_client,       invalid_signature_server, -     extended_key_usage_verify_client, +     extended_key_usage_verify_both,       extended_key_usage_verify_server,       critical_extension_verify_client,       critical_extension_verify_server, @@ -88,18 +88,14 @@ error_handling_tests()->       unknown_server_ca_accept_verify_peer,       unknown_server_ca_accept_backwardscompatibility,       no_authority_key_identifier, -     no_authority_key_identifier_and_nonstandard_encoding]. +     no_authority_key_identifier_keyEncipherment]. -init_per_suite(Config0) -> +init_per_suite(Config) ->      catch crypto:stop(),      try crypto:start() of  	ok -> -            ssl_test_lib:clean_start(), -	    %% make rsa certs using oppenssl -	    {ok, _} = make_certs:all(proplists:get_value(data_dir, Config0), -				     proplists:get_value(priv_dir, Config0)), -	    Config = ssl_test_lib:make_dsa_cert(Config0), -	    ssl_test_lib:cert_options(Config) +            ssl_test_lib:clean_start(),  +            ssl_test_lib:make_rsa_cert(Config)                  catch _:_ ->  	    {skip, "Crypto did not start"}      end. @@ -108,49 +104,39 @@ end_per_suite(_Config) ->      ssl:stop(),      application:stop(crypto). -init_per_group(tls, Config) -> +init_per_group(tls, Config0) ->      Version = tls_record:protocol_version(tls_record:highest_protocol_version([])),      ssl:stop(),      application:load(ssl),      application:set_env(ssl, protocol_version, Version), -    application:set_env(ssl, bypass_pem_cache, Version),      ssl:start(), -    NewConfig = proplists:delete(protocol, Config), -    [{protocol, tls}, {version, tls_record:protocol_version(Version)} | NewConfig]; +    Config = proplists:delete(protocol, Config0), +    [{protocol, tls}, {version, tls_record:protocol_version(Version)} | Config]; -init_per_group(dtls, Config) -> +init_per_group(dtls, Config0) ->      Version = dtls_record:protocol_version(dtls_record:highest_protocol_version([])),      ssl:stop(),      application:load(ssl),      application:set_env(ssl, protocol_version, Version), -    application:set_env(ssl, bypass_pem_cache, Version),      ssl:start(), -    NewConfig = proplists:delete(protocol_opts, proplists:delete(protocol, Config)), -    [{protocol, dtls}, {protocol_opts, [{protocol, dtls}]}, {version, dtls_record:protocol_version(Version)} | NewConfig]; +    Config = proplists:delete(protocol_opts, proplists:delete(protocol, Config0)), +    [{protocol, dtls}, {protocol_opts, [{protocol, dtls}]}, {version, dtls_record:protocol_version(Version)} | Config];  init_per_group(active, Config) -> -    [{active, true}, {receive_function, send_recv_result_active}  | Config]; +    [{active, true}, {receive_function, send_recv_result_active} | Config];  init_per_group(active_once, Config) -> -    [{active, once}, {receive_function, send_recv_result_active_once}  | Config]; +    [{active, once}, {receive_function, send_recv_result_active_once} | Config];  init_per_group(passive, Config) -> -    [{active, false}, {receive_function, send_recv_result} |  Config]; +    [{active, false}, {receive_function, send_recv_result} | Config]; +init_per_group(error_handling, Config) -> +    [{active, false}, {receive_function, send_recv_result} | Config]; +  init_per_group(_, Config) ->      Config.  end_per_group(_GroupName, Config) ->      Config. -init_per_testcase(TestCase, Config) when TestCase == cert_expired; -					 TestCase == invalid_signature_client; -					 TestCase == invalid_signature_server; -					 TestCase == extended_key_usage_verify_none; -					 TestCase == extended_key_usage_verify_peer; -					 TestCase == critical_extension_verify_none; -					 TestCase == critical_extension_verify_peer; -					 TestCase == no_authority_key_identifier; -					 TestCase == no_authority_key_identifier_and_nonstandard_encoding-> -    ssl:clear_pem_cache(), -    init_per_testcase(common, Config);  init_per_testcase(_TestCase, Config) ->      ssl:stop(),      ssl:start(), @@ -168,23 +154,23 @@ end_per_testcase(_TestCase, Config) ->  verify_peer() ->      [{doc,"Test option verify_peer"}].  verify_peer(Config) when is_list(Config) -> -    ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), -    ServerOpts = ssl_test_lib:ssl_options(server_verification_opts, Config), +    ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config), +    ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config),      Active = proplists:get_value(active, Config),      ReceiveFunction =  proplists:get_value(receive_function, Config),      {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),      Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},  					{from, self()}, -			   {mfa, {ssl_test_lib, ReceiveFunction, []}}, -			   {options, [{active, Active}, {verify, verify_peer} -				      | ServerOpts]}]), +                                        {mfa, {ssl_test_lib, ReceiveFunction, []}}, +                                        {options, [{active, Active}, {verify, verify_peer} +                                                   | ServerOpts]}]),      Port  = ssl_test_lib:inet_port(Server),      Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},  					{host, Hostname}, -			   {from, self()}, -			   {mfa, {ssl_test_lib, ReceiveFunction, []}}, -			   {options, [{active, Active} | ClientOpts]}]), - +                                        {from, self()}, +                                        {mfa, {ssl_test_lib, ReceiveFunction, []}}, +                                        {options, [{active, Active}, {verify, verify_peer} | ClientOpts]}]), +          ssl_test_lib:check_result(Server, ok, Client, ok),      ssl_test_lib:close(Server),      ssl_test_lib:close(Client). @@ -194,23 +180,24 @@ verify_none() ->      [{doc,"Test option verify_none"}].  verify_none(Config) when is_list(Config) -> -    ClientOpts =  ssl_test_lib:ssl_options(client_verification_opts, Config), -    ServerOpts =  ssl_test_lib:ssl_options(server_verification_opts, Config), +    ClientOpts =  ssl_test_lib:ssl_options(client_rsa_opts, Config), +    ServerOpts =  ssl_test_lib:ssl_options(server_rsa_opts, Config),      Active = proplists:get_value(active, Config),      ReceiveFunction =  proplists:get_value(receive_function, Config),      {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),      Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},  					{from, self()}, -			   {mfa, {ssl_test_lib, ReceiveFunction, []}}, -			   {options, [{active, Active}, {verify, verify_none} -				      | ServerOpts]}]), +                                        {mfa, {ssl_test_lib, ReceiveFunction, []}}, +                                        {options, [{active, Active}, {verify, verify_none} +                                                   | ServerOpts]}]),      Port  = ssl_test_lib:inet_port(Server),      Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},  					{host, Hostname}, -			   {from, self()}, -			   {mfa, {ssl_test_lib, ReceiveFunction, []}}, -			   {options, [{active, Active} | ClientOpts]}]), +                                        {from, self()}, +                                        {mfa, {ssl_test_lib, ReceiveFunction, []}}, +                                        {options, [{active, Active},  +                                                   {verify, verify_none} | ClientOpts]}]),      ssl_test_lib:check_result(Server, ok, Client, ok),      ssl_test_lib:close(Server), @@ -222,8 +209,8 @@ server_verify_client_once() ->      [{doc,"Test server option verify_client_once"}].  server_verify_client_once(Config) when is_list(Config) -> -    ClientOpts = ssl_test_lib:ssl_options(client_opts, []), -    ServerOpts =  ssl_test_lib:ssl_options(server_verification_opts, Config), +    ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, []), +    ServerOpts =  ssl_test_lib:ssl_options(server_rsa_opts, Config),      Active = proplists:get_value(active, Config),      ReceiveFunction =  proplists:get_value(receive_function, Config), @@ -239,7 +226,7 @@ server_verify_client_once(Config) when is_list(Config) ->  					{host, Hostname},  					{from, self()},  					{mfa, {ssl_test_lib, ReceiveFunction, []}}, -					{options, [{active, Active} | ClientOpts]}]), +                                         {options, [{active, Active} | ClientOpts]}]),      ssl_test_lib:check_result(Server, ok, Client0, ok),      Server ! {listen, {mfa, {ssl_test_lib, no_result, []}}}, @@ -261,8 +248,8 @@ server_require_peer_cert_ok() ->  server_require_peer_cert_ok(Config) when is_list(Config) ->      ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true} -		  | ssl_test_lib:ssl_options(server_verification_opts, Config)], -    ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), +		  | ssl_test_lib:ssl_options(server_rsa_opts, Config)], +    ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config),      Active = proplists:get_value(active, Config),      ReceiveFunction =  proplists:get_value(receive_function, Config),      {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), @@ -290,20 +277,21 @@ server_require_peer_cert_fail() ->  server_require_peer_cert_fail(Config) when is_list(Config) ->      ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true} -		  | ssl_test_lib:ssl_options(server_verification_opts, Config)], +		  | ssl_test_lib:ssl_options(server_rsa_opts, Config)],      BadClientOpts = ssl_test_lib:ssl_options(empty_client_opts, Config), +    Active = proplists:get_value(active, Config),      {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),      Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},  					      {from, self()}, -			   {options, [{active, false} | ServerOpts]}]), +			   {options, [{active, Active} | ServerOpts]}]),      Port  = ssl_test_lib:inet_port(Server),      Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},  					      {host, Hostname},  					      {from, self()}, -					      {options, [{active, false} | BadClientOpts]}]), +					      {options, [{active, Active} | BadClientOpts]}]),      receive  	{Server, {error, {tls_alert, "handshake failure"}}} ->  	    receive @@ -321,24 +309,25 @@ server_require_peer_cert_partial_chain() ->  server_require_peer_cert_partial_chain(Config) when is_list(Config) ->      ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true} -		  | ssl_test_lib:ssl_options(server_verification_opts, Config)], -    ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), +		  | ssl_test_lib:ssl_options(server_rsa_opts, Config)], +    ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config), +    Active = proplists:get_value(active, Config),      {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),      {ok, ClientCAs} = file:read_file(proplists:get_value(cacertfile, ClientOpts)), -    [{_,RootCA,_}, {_, _, _}] = public_key:pem_decode(ClientCAs), +    [{_,RootCA,_} | _] = public_key:pem_decode(ClientCAs),      Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},  					      {from, self()},  					      {mfa, {ssl_test_lib, no_result, []}}, -					      {options, [{active, false} | ServerOpts]}]), +					      {options, [{active, Active} | ServerOpts]}]),      Port = ssl_test_lib:inet_port(Server),      Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},  					      {host, Hostname},  					      {from, self()},  					      {mfa, {ssl_test_lib, no_result, []}}, -					      {options, [{active, false}, +					      {options, [{active, Active},  							 {cacerts, [RootCA]} |  							 proplists:delete(cacertfile, ClientOpts)]}]),      receive @@ -356,14 +345,14 @@ server_require_peer_cert_allow_partial_chain() ->  server_require_peer_cert_allow_partial_chain(Config) when is_list(Config) ->      ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true} -		  | ssl_test_lib:ssl_options(server_verification_opts, Config)], -    ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), +		  | ssl_test_lib:ssl_options(server_rsa_opts, Config)], +    ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config),      {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),      Active = proplists:get_value(active, Config),      ReceiveFunction =  proplists:get_value(receive_function, Config),      {ok, ClientCAs} = file:read_file(proplists:get_value(cacertfile, ClientOpts)), -    [{_,_,_}, {_, IntermidiateCA, _}] = public_key:pem_decode(ClientCAs), +    [{_,_,_}, {_, IntermidiateCA, _} | _] = public_key:pem_decode(ClientCAs),      PartialChain =  fun(CertChain) ->  			    case lists:member(IntermidiateCA, CertChain) of @@ -398,12 +387,12 @@ server_require_peer_cert_do_not_allow_partial_chain() ->  server_require_peer_cert_do_not_allow_partial_chain(Config) when is_list(Config) ->      ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true} -		  | ssl_test_lib:ssl_options(server_verification_opts, Config)], -    ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), +		  | ssl_test_lib:ssl_options(server_rsa_opts, Config)], +    ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config),      {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),      {ok, ServerCAs} = file:read_file(proplists:get_value(cacertfile, ServerOpts)), -    [{_,_,_}, {_, IntermidiateCA, _}] = public_key:pem_decode(ServerCAs), +    [{_,_,_}, {_, IntermidiateCA, _} | _] = public_key:pem_decode(ServerCAs),      PartialChain =  fun(_CertChain) ->  			    unknown_ca @@ -439,12 +428,12 @@ server_require_peer_cert_partial_chain_fun_fail() ->  server_require_peer_cert_partial_chain_fun_fail(Config) when is_list(Config) ->      ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true} -		  | ssl_test_lib:ssl_options(server_verification_opts, Config)], -    ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), +		  | ssl_test_lib:ssl_options(server_rsa_opts, Config)], +    ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config),      {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),      {ok, ServerCAs} = file:read_file(proplists:get_value(cacertfile, ServerOpts)), -    [{_,_,_}, {_, IntermidiateCA, _}] = public_key:pem_decode(ServerCAs), +    [{_,_,_}, {_, IntermidiateCA, _} | _] = public_key:pem_decode(ServerCAs),      PartialChain =  fun(_CertChain) ->  			   ture = false %% crash on purpose @@ -479,8 +468,8 @@ verify_fun_always_run_client() ->      [{doc,"Verify that user verify_fun is always run (for valid and valid_peer not only unknown_extension)"}].  verify_fun_always_run_client(Config) when is_list(Config) -> -    ClientOpts =  ssl_test_lib:ssl_options(client_verification_opts, Config), -    ServerOpts =  ssl_test_lib:ssl_options(server_opts, Config), +    ClientOpts =  ssl_test_lib:ssl_options(client_rsa_opts, Config), +    ServerOpts =  ssl_test_lib:ssl_options(server_rsa_opts, Config),      {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),      Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},  					      {from, self()}, @@ -524,8 +513,8 @@ verify_fun_always_run_client(Config) when is_list(Config) ->  verify_fun_always_run_server() ->      [{doc,"Verify that user verify_fun is always run (for valid and valid_peer not only unknown_extension)"}].  verify_fun_always_run_server(Config) when is_list(Config) -> -    ClientOpts =  ssl_test_lib:ssl_options(client_opts, Config), -    ServerOpts =  ssl_test_lib:ssl_options(server_verification_opts, Config), +    ClientOpts =  ssl_test_lib:ssl_options(client_rsa_opts, Config), +    ServerOpts =  ssl_test_lib:ssl_options(server_rsa_verify_opts, Config),      {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),      %% If user verify fun is called correctly we fail the connection. @@ -573,63 +562,28 @@ cert_expired() ->      [{doc,"Test server with expired certificate"}].  cert_expired(Config) when is_list(Config) -> -    ClientOpts = ssl_test_lib:ssl_options(client_verification_opts, Config), -    ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), -    PrivDir = proplists:get_value(priv_dir, Config), - -    KeyFile = filename:join(PrivDir, "otpCA/private/key.pem"), -    [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile), -    Key = ssl_test_lib:public_key(public_key:pem_entry_decode(KeyEntry)), - -    ServerCertFile = proplists:get_value(certfile, ServerOpts), -    NewServerCertFile = filename:join(PrivDir, "server/expired_cert.pem"), -    [{'Certificate', DerCert, _}] = ssl_test_lib:pem_to_der(ServerCertFile), -    OTPCert = public_key:pkix_decode_cert(DerCert, otp), -    OTPTbsCert = OTPCert#'OTPCertificate'.tbsCertificate, -      {Year, Month, Day} = date(), -    {Hours, Min, Sec} = time(), -    NotBeforeStr = lists:flatten(io_lib:format("~p~s~s~s~s~sZ",[Year-2, -								two_digits_str(Month), -								two_digits_str(Day), -								two_digits_str(Hours), -								two_digits_str(Min), -								two_digits_str(Sec)])), -    NotAfterStr = lists:flatten(io_lib:format("~p~s~s~s~s~sZ",[Year-1, -							       two_digits_str(Month), -							       two_digits_str(Day), -							       two_digits_str(Hours), -							       two_digits_str(Min), -							       two_digits_str(Sec)])), -    NewValidity = {'Validity', {generalTime, NotBeforeStr}, {generalTime, NotAfterStr}}, - -    ct:log("Validity: ~p ~n NewValidity: ~p ~n", -		       [OTPTbsCert#'OTPTBSCertificate'.validity, NewValidity]), - -    NewOTPTbsCert =  OTPTbsCert#'OTPTBSCertificate'{validity = NewValidity}, -    NewServerDerCert = public_key:pkix_sign(NewOTPTbsCert, Key), -    ssl_test_lib:der_to_pem(NewServerCertFile, [{'Certificate', NewServerDerCert, not_encrypted}]), -    NewServerOpts = [{certfile, NewServerCertFile} | proplists:delete(certfile, ServerOpts)], - +    Active = proplists:get_value(active, Config), +    {ClientOpts0, ServerOpts0} = ssl_test_lib:make_rsa_cert_chains([{server_ca_0,  +                                                                     [{validity, {{Year-2, Month, Day},  +                                                                                  {Year-1, Month, Day}}}]}],  +                                                                   Config, "_expired"), +    ClientOpts = ssl_test_lib:ssl_options(ClientOpts0, Config), +    ServerOpts = ssl_test_lib:ssl_options(ServerOpts0, Config),                                                      +          {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),      Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},  					      {from, self()}, -					      {options, NewServerOpts}]), +					      {options, [{active, Active}| ServerOpts]}]),      Port = ssl_test_lib:inet_port(Server),      Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},  					      {host, Hostname},  					      {from, self()}, -					      {options, [{verify, verify_peer} | ClientOpts]}]),     -     receive -	{Client, {error, {tls_alert, "certificate expired"}}} -> -	    receive -		{Server, {error, {tls_alert, "certificate expired"}}} -> -		    ok; -		{Server, {error, closed}} -> -		    ok -	    end -    end. +					      {options, [{verify, verify_peer}, {active, Active}  | ClientOpts]}]),     +     +    tcp_delivery_workaround(Server, {error, {tls_alert, "certificate expired"}}, +			    Client, {error, {tls_alert, "certificate expired"}}).  two_digits_str(N) when N < 10 ->      lists:flatten(io_lib:format("0~p", [N])); @@ -638,60 +592,32 @@ two_digits_str(N) ->  %%--------------------------------------------------------------------  extended_key_usage_verify_server() -> -    [{doc,"Test cert that has a critical extended_key_usage extension in verify_peer mode for server"}]. - -extended_key_usage_verify_server(Config) when is_list(Config) -> -    ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), -    ServerOpts = ssl_test_lib:ssl_options(server_verification_opts, Config), -    PrivDir = proplists:get_value(priv_dir, Config), +    [{doc,"Test cert that has a critical extended_key_usage extension in server cert"}]. + +extended_key_usage_verify_server(Config) when is_list(Config) ->  +    {ClientOpts0, ServerOpts0} = ssl_test_lib:make_rsa_cert_chains([{server_peer_opts,  +                                                                     [{extensions,  +                                                                       [{?'id-ce-extKeyUsage', +                                                                         [?'id-kp-serverAuth'], true}] +                                                                      }]}], Config, "_keyusage_server"), +    ClientOpts = ssl_test_lib:ssl_options(ClientOpts0, Config), +    ServerOpts = ssl_test_lib:ssl_options(ServerOpts0, Config),                                                           Active = proplists:get_value(active, Config),      ReceiveFunction =  proplists:get_value(receive_function, Config), -    KeyFile = filename:join(PrivDir, "otpCA/private/key.pem"), -    [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile), -    Key = ssl_test_lib:public_key(public_key:pem_entry_decode(KeyEntry)), - -    ServerCertFile = proplists:get_value(certfile, ServerOpts), -    NewServerCertFile = filename:join(PrivDir, "server/new_cert.pem"), -    [{'Certificate', ServerDerCert, _}] = ssl_test_lib:pem_to_der(ServerCertFile), -    ServerOTPCert = public_key:pkix_decode_cert(ServerDerCert, otp), -    ServerExtKeyUsageExt = {'Extension', ?'id-ce-extKeyUsage', true, [?'id-kp-serverAuth']}, -    ServerOTPTbsCert = ServerOTPCert#'OTPCertificate'.tbsCertificate, -    ServerExtensions =  ServerOTPTbsCert#'OTPTBSCertificate'.extensions, -    NewServerOTPTbsCert = ServerOTPTbsCert#'OTPTBSCertificate'{extensions = -							       [ServerExtKeyUsageExt | -								ServerExtensions]}, -    NewServerDerCert = public_key:pkix_sign(NewServerOTPTbsCert, Key), -    ssl_test_lib:der_to_pem(NewServerCertFile, [{'Certificate', NewServerDerCert, not_encrypted}]), -    NewServerOpts = [{certfile, NewServerCertFile} | proplists:delete(certfile, ServerOpts)], - -    ClientCertFile = proplists:get_value(certfile, ClientOpts), -    NewClientCertFile = filename:join(PrivDir, "client/new_cert.pem"), -    [{'Certificate', ClientDerCert, _}] = ssl_test_lib:pem_to_der(ClientCertFile), -    ClientOTPCert = public_key:pkix_decode_cert(ClientDerCert, otp), -    ClientExtKeyUsageExt = {'Extension', ?'id-ce-extKeyUsage', true, [?'id-kp-clientAuth']}, -    ClientOTPTbsCert = ClientOTPCert#'OTPCertificate'.tbsCertificate, -    ClientExtensions =  ClientOTPTbsCert#'OTPTBSCertificate'.extensions, -    NewClientOTPTbsCert = ClientOTPTbsCert#'OTPTBSCertificate'{extensions = -							       [ClientExtKeyUsageExt | -								ClientExtensions]}, -    NewClientDerCert = public_key:pkix_sign(NewClientOTPTbsCert, Key), -    ssl_test_lib:der_to_pem(NewClientCertFile, [{'Certificate', NewClientDerCert, not_encrypted}]), -    NewClientOpts = [{certfile, NewClientCertFile} | proplists:delete(certfile, ClientOpts)], -      {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),      Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},  					{from, self()},  			   {mfa, {ssl_test_lib,  ReceiveFunction, []}}, -			   {options, [{verify, verify_peer}, {active, Active} | NewServerOpts]}]), +			   {options, [{verify, verify_none}, {active, Active} | ServerOpts]}]),      Port = ssl_test_lib:inet_port(Server),      Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},  					{host, Hostname},  			   {from, self()},  			   {mfa, {ssl_test_lib, ReceiveFunction, []}}, -					{options, [{verify, verify_none}, {active, Active} | -						   NewClientOpts]}]), +					{options, [{verify, verify_peer}, {active, Active} | +						   ClientOpts]}]),      ssl_test_lib:check_result(Server, ok, Client, ok), @@ -699,60 +625,35 @@ extended_key_usage_verify_server(Config) when is_list(Config) ->      ssl_test_lib:close(Client).  %%-------------------------------------------------------------------- -extended_key_usage_verify_client() -> +extended_key_usage_verify_both() ->      [{doc,"Test cert that has a critical extended_key_usage extension in client verify_peer mode"}]. -extended_key_usage_verify_client(Config) when is_list(Config) -> -    ClientOpts = ssl_test_lib:ssl_options(client_verification_opts, Config), -    ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), -    PrivDir = proplists:get_value(priv_dir, Config), +extended_key_usage_verify_both(Config) when is_list(Config) -> +     {ClientOpts0, ServerOpts0} = ssl_test_lib:make_rsa_cert_chains([{server_peer_opts,  +                                                                      [{extensions, [{?'id-ce-extKeyUsage', +                                                                                      [?'id-kp-serverAuth'], true}] +                                                                      }]}, +                                                                     {client_peer_opts,  +                                                                      [{extensions, [{?'id-ce-extKeyUsage', +                                                                                      [?'id-kp-clientAuth'], true}] +                                                                      }]}], Config, "_keyusage_both"), +    ClientOpts = ssl_test_lib:ssl_options(ClientOpts0, Config), +    ServerOpts = ssl_test_lib:ssl_options(ServerOpts0, Config),              Active = proplists:get_value(active, Config),      ReceiveFunction =  proplists:get_value(receive_function, Config), -    KeyFile = filename:join(PrivDir, "otpCA/private/key.pem"), -    [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile), -    Key = ssl_test_lib:public_key(public_key:pem_entry_decode(KeyEntry)), - -    ServerCertFile = proplists:get_value(certfile, ServerOpts), -    NewServerCertFile = filename:join(PrivDir, "server/new_cert.pem"), -    [{'Certificate', ServerDerCert, _}] = ssl_test_lib:pem_to_der(ServerCertFile), -    ServerOTPCert = public_key:pkix_decode_cert(ServerDerCert, otp), -    ServerExtKeyUsageExt = {'Extension', ?'id-ce-extKeyUsage', true, [?'id-kp-serverAuth']}, -    ServerOTPTbsCert = ServerOTPCert#'OTPCertificate'.tbsCertificate, -    ServerExtensions =  ServerOTPTbsCert#'OTPTBSCertificate'.extensions, -    NewServerOTPTbsCert = ServerOTPTbsCert#'OTPTBSCertificate'{extensions = -							       [ServerExtKeyUsageExt | -								ServerExtensions]}, -    NewServerDerCert = public_key:pkix_sign(NewServerOTPTbsCert, Key), -    ssl_test_lib:der_to_pem(NewServerCertFile, [{'Certificate', NewServerDerCert, not_encrypted}]), -    NewServerOpts = [{certfile, NewServerCertFile} | proplists:delete(certfile, ServerOpts)], - -    ClientCertFile = proplists:get_value(certfile, ClientOpts), -    NewClientCertFile = filename:join(PrivDir, "client/new_cert.pem"), -    [{'Certificate', ClientDerCert, _}] = ssl_test_lib:pem_to_der(ClientCertFile), -    ClientOTPCert = public_key:pkix_decode_cert(ClientDerCert, otp), -    ClientExtKeyUsageExt = {'Extension', ?'id-ce-extKeyUsage', true, [?'id-kp-clientAuth']}, -    ClientOTPTbsCert = ClientOTPCert#'OTPCertificate'.tbsCertificate, -    ClientExtensions =  ClientOTPTbsCert#'OTPTBSCertificate'.extensions, -    NewClientOTPTbsCert = ClientOTPTbsCert#'OTPTBSCertificate'{extensions = -								   [ClientExtKeyUsageExt | -								    ClientExtensions]}, -    NewClientDerCert = public_key:pkix_sign(NewClientOTPTbsCert, Key), -    ssl_test_lib:der_to_pem(NewClientCertFile, [{'Certificate', NewClientDerCert, not_encrypted}]), -    NewClientOpts = [{certfile, NewClientCertFile} | proplists:delete(certfile, ClientOpts)], -      {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),      Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},  					{from, self()},  			   {mfa, {ssl_test_lib, ReceiveFunction, []}}, -			   {options, [{verify, verify_none}, {active, Active} | NewServerOpts]}]), +			   {options, [{verify, verify_peer}, {active, Active} | ServerOpts]}]),      Port = ssl_test_lib:inet_port(Server),      Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},  					{host, Hostname},  			   {from, self()},  			   {mfa, {ssl_test_lib, ReceiveFunction, []}}, -					{options, [{verify, verify_none}, {active, Active} | NewClientOpts]}]), +					{options, [{verify, verify_peer}, {active, Active} | ClientOpts]}]),      ssl_test_lib:check_result(Server, ok, Client, ok), @@ -764,132 +665,103 @@ critical_extension_verify_server() ->      [{doc,"Test cert that has a critical unknown extension in verify_peer mode"}].  critical_extension_verify_server(Config) when is_list(Config) -> -    ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), -    ServerOpts = ssl_test_lib:ssl_options(server_verification_opts, Config), -    PrivDir = proplists:get_value(priv_dir, Config), +    {ClientOpts0, ServerOpts0} = ssl_test_lib:make_rsa_cert_chains([{client_peer_opts,  +                                                                     [{extensions, [{{2,16,840,1,113730,1,1}, +                                                                                      <<3,2,6,192>>, true}] +                                                                      }]}], Config, "_client_unknown_extension"), +    ClientOpts = ssl_test_lib:ssl_options(ClientOpts0, Config), +    ServerOpts = ssl_test_lib:ssl_options(ServerOpts0, Config),                    Active = proplists:get_value(active, Config),      ReceiveFunction =  proplists:get_value(receive_function, Config), -    KeyFile = filename:join(PrivDir, "otpCA/private/key.pem"), -    NewCertName = integer_to_list(erlang:unique_integer()) ++ ".pem", - -    ServerCertFile = proplists:get_value(certfile, ServerOpts), -    NewServerCertFile = filename:join([PrivDir, "server", NewCertName]), -    add_critical_netscape_cert_type(ServerCertFile, NewServerCertFile, KeyFile), -    NewServerOpts = [{certfile, NewServerCertFile} | proplists:delete(certfile, ServerOpts)], - -    ClientCertFile = proplists:get_value(certfile, ClientOpts), -    NewClientCertFile = filename:join([PrivDir, "client", NewCertName]), -    add_critical_netscape_cert_type(ClientCertFile, NewClientCertFile, KeyFile), -    NewClientOpts = [{certfile, NewClientCertFile} | proplists:delete(certfile, ClientOpts)], -      {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),      Server = ssl_test_lib:start_server_error(                 [{node, ServerNode}, {port, 0},                  {from, self()},                  {mfa, {ssl_test_lib,  ReceiveFunction, []}}, -                {options, [{verify, verify_peer}, {active, Active} | NewServerOpts]}]), +                {options, [{verify, verify_peer}, {active, Active} | ServerOpts]}]),      Port = ssl_test_lib:inet_port(Server),      Client = ssl_test_lib:start_client_error(                 [{node, ClientNode}, {port, Port},                  {host, Hostname},                  {from, self()},                  {mfa, {ssl_test_lib, ReceiveFunction, []}}, -                {options, [{verify, verify_none}, {active, Active} | NewClientOpts]}]), +                {options, [{verify, verify_none}, {active, Active} | ClientOpts]}]),      %% This certificate has a critical extension that we don't -    %% understand.  Therefore, verification should fail. -    tcp_delivery_workaround(Server, {error, {tls_alert, "unsupported certificate"}}, -                            Client, {error, {tls_alert, "unsupported certificate"}}), +    %% understand.  Therefore, verification should fail.       -    ssl_test_lib:close(Server), -    ok. +    tcp_delivery_workaround(Server, {error, {tls_alert, "unsupported certificate"}}, +			    Client, {error, {tls_alert, "unsupported certificate"}}), +     +    ssl_test_lib:close(Server).  %%--------------------------------------------------------------------  critical_extension_verify_client() ->      [{doc,"Test cert that has a critical unknown extension in verify_peer mode"}].  critical_extension_verify_client(Config) when is_list(Config) -> -    ClientOpts = ssl_test_lib:ssl_options(client_verification_opts, Config), -    ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), -    PrivDir = proplists:get_value(priv_dir, Config), +    {ClientOpts0, ServerOpts0} = ssl_test_lib:make_rsa_cert_chains([{server_peer_opts,  +                                                                     [{extensions, [{{2,16,840,1,113730,1,1}, +                                                                                     <<3,2,6,192>>, true}] +                                                                      }]}], Config, "_server_unknown_extensions"), +    ClientOpts = ssl_test_lib:ssl_options(ClientOpts0, Config), +    ServerOpts = ssl_test_lib:ssl_options(ServerOpts0, Config),                    Active = proplists:get_value(active, Config),      ReceiveFunction =  proplists:get_value(receive_function, Config), -    KeyFile = filename:join(PrivDir, "otpCA/private/key.pem"), -    NewCertName = integer_to_list(erlang:unique_integer()) ++ ".pem", - -    ServerCertFile = proplists:get_value(certfile, ServerOpts), -    NewServerCertFile = filename:join([PrivDir, "server", NewCertName]), -    add_critical_netscape_cert_type(ServerCertFile, NewServerCertFile, KeyFile), -    NewServerOpts = [{certfile, NewServerCertFile} | proplists:delete(certfile, ServerOpts)], - -    ClientCertFile = proplists:get_value(certfile, ClientOpts), -    NewClientCertFile = filename:join([PrivDir, "client", NewCertName]), -    add_critical_netscape_cert_type(ClientCertFile, NewClientCertFile, KeyFile), -    NewClientOpts = [{certfile, NewClientCertFile} | proplists:delete(certfile, ClientOpts)], -      {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),      Server = ssl_test_lib:start_server_error(                 [{node, ServerNode}, {port, 0},                  {from, self()},                  {mfa, {ssl_test_lib,  ReceiveFunction, []}}, -                {options, [{verify, verify_none}, {active, Active} | NewServerOpts]}]), +                {options, [{verify, verify_none}, {active, Active} | ServerOpts]}]),      Port = ssl_test_lib:inet_port(Server),      Client = ssl_test_lib:start_client_error(                 [{node, ClientNode}, {port, Port},                  {host, Hostname},                  {from, self()},                  {mfa, {ssl_test_lib, ReceiveFunction, []}}, -                {options, [{verify, verify_peer}, {active, Active} | NewClientOpts]}]), +                {options, [{verify, verify_peer}, {active, Active} | ClientOpts]}]),      %% This certificate has a critical extension that we don't      %% understand.  Therefore, verification should fail. -    tcp_delivery_workaround(Server, {error, {tls_alert, "unsupported certificate"}}, -                            Client, {error, {tls_alert, "unsupported certificate"}}), +    ssl_test_lib:check_result(Server, {error, {tls_alert, "unsupported certificate"}}, +                              Client, {error, {tls_alert, "unsupported certificate"}}), + +    ssl_test_lib:close(Server). -    ssl_test_lib:close(Server), -    ok.  %%--------------------------------------------------------------------  critical_extension_verify_none() ->      [{doc,"Test cert that has a critical unknown extension in verify_none mode"}].  critical_extension_verify_none(Config) when is_list(Config) -> -    ClientOpts = ssl_test_lib:ssl_options(client_verification_opts, Config), -    ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), -    PrivDir = proplists:get_value(priv_dir, Config), +    {ClientOpts0, ServerOpts0} = ssl_test_lib:make_rsa_cert_chains([{client_peer_opts,  +                                                                     [{extensions,  +                                                                       [{{2,16,840,1,113730,1,1}, +                                                                          <<3,2,6,192>>, true}] +                                                                      }]}], Config, "_unknown_extensions"), +    ClientOpts = ssl_test_lib:ssl_options(ClientOpts0, Config), +    ServerOpts = ssl_test_lib:ssl_options(ServerOpts0, Config),                   Active = proplists:get_value(active, Config),      ReceiveFunction =  proplists:get_value(receive_function, Config), -    KeyFile = filename:join(PrivDir, "otpCA/private/key.pem"), -    NewCertName = integer_to_list(erlang:unique_integer()) ++ ".pem", - -    ServerCertFile = proplists:get_value(certfile, ServerOpts), -    NewServerCertFile = filename:join([PrivDir, "server", NewCertName]), -    add_critical_netscape_cert_type(ServerCertFile, NewServerCertFile, KeyFile), -    NewServerOpts = [{certfile, NewServerCertFile} | proplists:delete(certfile, ServerOpts)], - -    ClientCertFile = proplists:get_value(certfile, ClientOpts), -    NewClientCertFile = filename:join([PrivDir, "client", NewCertName]), -    add_critical_netscape_cert_type(ClientCertFile, NewClientCertFile, KeyFile), -    NewClientOpts = [{certfile, NewClientCertFile} | proplists:delete(certfile, ClientOpts)], -      {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),      Server = ssl_test_lib:start_server(                 [{node, ServerNode}, {port, 0},                  {from, self()},                  {mfa, {ssl_test_lib, ReceiveFunction, []}}, -                {options, [{verify, verify_none}, {active, Active} | NewServerOpts]}]), +                {options, [{verify, verify_none}, {active, Active} | ServerOpts]}]),      Port = ssl_test_lib:inet_port(Server),      Client = ssl_test_lib:start_client(                 [{node, ClientNode}, {port, Port},                  {host, Hostname},                  {from, self()},                  {mfa, {ssl_test_lib, ReceiveFunction, []}}, -                {options, [{verify, verify_none}, {active, Active} | NewClientOpts]}]), +                {options, [{verify, verify_none}, {active, Active} | ClientOpts]}]),      %% This certificate has a critical extension that we don't      %% understand.  But we're using `verify_none', so verification @@ -897,28 +769,7 @@ critical_extension_verify_none(Config) when is_list(Config) ->      ssl_test_lib:check_result(Server, ok, Client, ok),      ssl_test_lib:close(Server), -    ssl_test_lib:close(Client), -    ok. - -add_critical_netscape_cert_type(CertFile, NewCertFile, KeyFile) -> -    [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile), -    Key = ssl_test_lib:public_key(public_key:pem_entry_decode(KeyEntry)), - -    [{'Certificate', DerCert, _}] = ssl_test_lib:pem_to_der(CertFile), -    OTPCert = public_key:pkix_decode_cert(DerCert, otp), -    %% This is the "Netscape Cert Type" extension, telling us that the -    %% certificate can be used for SSL clients and SSL servers. -    NetscapeCertTypeExt = #'Extension'{ -                             extnID = {2,16,840,1,113730,1,1}, -                             critical = true, -                             extnValue = <<3,2,6,192>>}, -    OTPTbsCert = OTPCert#'OTPCertificate'.tbsCertificate, -    Extensions =  OTPTbsCert#'OTPTBSCertificate'.extensions, -    NewOTPTbsCert = OTPTbsCert#'OTPTBSCertificate'{ -                      extensions = [NetscapeCertTypeExt] ++ Extensions}, -    NewDerCert = public_key:pkix_sign(NewOTPTbsCert, Key), -    ssl_test_lib:der_to_pem(NewCertFile, [{'Certificate', NewDerCert, not_encrypted}]), -    ok. +    ssl_test_lib:close(Client).  %%--------------------------------------------------------------------  no_authority_key_identifier() -> @@ -926,35 +777,21 @@ no_authority_key_identifier() ->        " but are present in trusted certs db."}].  no_authority_key_identifier(Config) when is_list(Config) -> -    ClientOpts = ssl_test_lib:ssl_options(client_verification_opts, Config), -    ServerOpts = ssl_test_lib:ssl_options(server_verification_opts, Config), -    PrivDir = proplists:get_value(priv_dir, Config), - -    KeyFile = filename:join(PrivDir, "otpCA/private/key.pem"), -    [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile), -    Key = ssl_test_lib:public_key(public_key:pem_entry_decode(KeyEntry)), - -    CertFile = proplists:get_value(certfile, ServerOpts), -    NewCertFile = filename:join(PrivDir, "server/new_cert.pem"), -    [{'Certificate', DerCert, _}] = ssl_test_lib:pem_to_der(CertFile), -    OTPCert = public_key:pkix_decode_cert(DerCert, otp), -    OTPTbsCert = OTPCert#'OTPCertificate'.tbsCertificate, -    Extensions =  OTPTbsCert#'OTPTBSCertificate'.extensions, -    NewExtensions =  delete_authority_key_extension(Extensions, []), -    NewOTPTbsCert =  OTPTbsCert#'OTPTBSCertificate'{extensions = NewExtensions}, - -    ct:log("Extensions ~p~n, NewExtensions: ~p~n", [Extensions, NewExtensions]), - -    NewDerCert = public_key:pkix_sign(NewOTPTbsCert, Key), -    ssl_test_lib:der_to_pem(NewCertFile, [{'Certificate', NewDerCert, not_encrypted}]), -    NewServerOpts = [{certfile, NewCertFile} | proplists:delete(certfile, ServerOpts)], +   {ClientOpts0, ServerOpts0} = ssl_test_lib:make_rsa_cert_chains([{server_peer_opts,  +                                                                      [{extensions, [{auth_key_id, undefined}] +                                                                      }]}, +                                                                     {client_peer_opts,  +                                                                      [{extensions, [{auth_key_id, undefined}] +                                                                       }]}], Config, "_peer_no_auth_key_id"), +    ClientOpts = ssl_test_lib:ssl_options(ClientOpts0, Config), +    ServerOpts = ssl_test_lib:ssl_options(ServerOpts0, Config),              {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),      Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},  					{from, self()},  			   {mfa, {ssl_test_lib, send_recv_result_active, []}}, -			   {options, NewServerOpts}]), +			   {options, ServerOpts}]),      Port = ssl_test_lib:inet_port(Server),      Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},  					{host, Hostname}, @@ -970,53 +807,35 @@ no_authority_key_identifier(Config) when is_list(Config) ->  delete_authority_key_extension([], Acc) ->      lists:reverse(Acc);  delete_authority_key_extension([#'Extension'{extnID = ?'id-ce-authorityKeyIdentifier'} | Rest], -			       Acc) -> + 			       Acc) ->      delete_authority_key_extension(Rest, Acc);  delete_authority_key_extension([Head | Rest], Acc) ->      delete_authority_key_extension(Rest, [Head | Acc]).  %%-------------------------------------------------------------------- -no_authority_key_identifier_and_nonstandard_encoding() -> -    [{doc, "Test cert with nonstandard encoding that does not have" -      " authorityKeyIdentifier extension but are present in trusted certs db."}]. - -no_authority_key_identifier_and_nonstandard_encoding(Config) when is_list(Config) -> -    ClientOpts = ssl_test_lib:ssl_options(client_verification_opts, Config), -    ServerOpts = ssl_test_lib:ssl_options(server_verification_opts, Config), -    PrivDir = proplists:get_value(priv_dir, Config), - -    KeyFile = filename:join(PrivDir, "otpCA/private/key.pem"), -    [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile), -    Key = ssl_test_lib:public_key(public_key:pem_entry_decode(KeyEntry)), - -    CertFile = proplists:get_value(certfile, ServerOpts), -    NewCertFile = filename:join(PrivDir, "server/new_cert.pem"), -    [{'Certificate', DerCert, _}] = ssl_test_lib:pem_to_der(CertFile), -    ServerCert = public_key:pkix_decode_cert(DerCert, plain), -    ServerTbsCert = ServerCert#'Certificate'.tbsCertificate, -    Extensions0 =  ServerTbsCert#'TBSCertificate'.extensions, -    %% need to remove authorityKeyIdentifier extension to cause DB lookup by signature -    Extensions = delete_authority_key_extension(Extensions0, []), -    NewExtensions = replace_key_usage_extension(Extensions, []), -    NewServerTbsCert = ServerTbsCert#'TBSCertificate'{extensions = NewExtensions}, - -    ct:log("Extensions ~p~n, NewExtensions: ~p~n", [Extensions, NewExtensions]), - -    TbsDer = public_key:pkix_encode('TBSCertificate', NewServerTbsCert, plain), -    Sig = public_key:sign(TbsDer, md5, Key), -    NewServerCert = ServerCert#'Certificate'{tbsCertificate = NewServerTbsCert, signature = Sig}, -    NewDerCert = public_key:pkix_encode('Certificate', NewServerCert, plain), -    ssl_test_lib:der_to_pem(NewCertFile, [{'Certificate', NewDerCert, not_encrypted}]), -    NewServerOpts = [{certfile, NewCertFile} | proplists:delete(certfile, ServerOpts)], - +no_authority_key_identifier_keyEncipherment() -> +    [{doc, "Test cert with keyEncipherment key_usage an no" +      " authorityKeyIdentifier extension, but are present in trusted certs db."}]. + +no_authority_key_identifier_keyEncipherment(Config) when is_list(Config) -> +    {ClientOpts0, ServerOpts0} = ssl_test_lib:make_rsa_cert_chains([{server_peer_opts,  +                                                                      [{extensions, [{auth_key_id, undefined}, +                                                                                     {key_usage, [digitalSignature, +                                                                                                  keyEncipherment]}] +                                                                      }]}, +                                                                     {client_peer_opts,  +                                                                      [{extensions, [{auth_key_id, undefined}] +                                                                       }]}], Config, "_peer_keyEncipherment"), +    ClientOpts = ssl_test_lib:ssl_options(ClientOpts0, Config), +    ServerOpts = ssl_test_lib:ssl_options(ServerOpts0, Config),              {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),      Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},  					{from, self()},  					{mfa, {ssl_test_lib,  					       send_recv_result_active, []}}, -					{options, [{active, true} | NewServerOpts]}]), +					{options, [{active, true} | ServerOpts]}]),      Port = ssl_test_lib:inet_port(Server),      Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},  					{host, Hostname}, @@ -1028,14 +847,6 @@ no_authority_key_identifier_and_nonstandard_encoding(Config) when is_list(Config      ssl_test_lib:close(Server),      ssl_test_lib:close(Client). -replace_key_usage_extension([], Acc) -> -    lists:reverse(Acc); -replace_key_usage_extension([#'Extension'{extnID = ?'id-ce-keyUsage'} = E | Rest], Acc) -> -    %% A nonstandard DER encoding of [digitalSignature, keyEncipherment] -    Val = <<3, 2, 0, 16#A0>>, -    replace_key_usage_extension(Rest, [E#'Extension'{extnValue = Val} | Acc]); -replace_key_usage_extension([Head | Rest], Acc) -> -    replace_key_usage_extension(Rest, [Head | Acc]).  %%-------------------------------------------------------------------- @@ -1043,16 +854,16 @@ invalid_signature_server() ->      [{doc,"Test client with invalid signature"}].  invalid_signature_server(Config) when is_list(Config) -> -    ClientOpts = ssl_test_lib:ssl_options(client_verification_opts, Config), -    ServerOpts = ssl_test_lib:ssl_options(server_verification_opts, Config), +    ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config), +    ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config),      PrivDir = proplists:get_value(priv_dir, Config), -    KeyFile = filename:join(PrivDir, "server/key.pem"), +    KeyFile =  proplists:get_value(keyfile, ServerOpts),      [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile),      Key = ssl_test_lib:public_key(public_key:pem_entry_decode(KeyEntry)),      ServerCertFile = proplists:get_value(certfile, ServerOpts), -    NewServerCertFile = filename:join(PrivDir, "server/invalid_cert.pem"), +    NewServerCertFile = filename:join(PrivDir, "server_invalid_cert.pem"),      [{'Certificate', ServerDerCert, _}] = ssl_test_lib:pem_to_der(ServerCertFile),      ServerOTPCert = public_key:pkix_decode_cert(ServerDerCert, otp),      ServerOTPTbsCert = ServerOTPCert#'OTPCertificate'.tbsCertificate, @@ -1071,8 +882,8 @@ invalid_signature_server(Config) when is_list(Config) ->  					      {from, self()},  					      {options, [{verify, verify_peer} | ClientOpts]}]), -    tcp_delivery_workaround(Server, {error, {tls_alert, "bad certificate"}}, -			    Client, {error, {tls_alert, "bad certificate"}}). +    tcp_delivery_workaround(Server, {error, {tls_alert, "unknown ca"}}, +			    Client, {error, {tls_alert, "unknown ca"}}).  %%-------------------------------------------------------------------- @@ -1080,16 +891,16 @@ invalid_signature_client() ->      [{doc,"Test server with invalid signature"}].  invalid_signature_client(Config) when is_list(Config) -> -    ClientOpts = ssl_test_lib:ssl_options(client_verification_opts, Config), -    ServerOpts = ssl_test_lib:ssl_options(server_verification_opts, Config), +    ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config), +    ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config),      PrivDir = proplists:get_value(priv_dir, Config), -    KeyFile = filename:join(PrivDir, "client/key.pem"), +    KeyFile =  proplists:get_value(keyfile, ClientOpts),      [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile),      Key = ssl_test_lib:public_key(public_key:pem_entry_decode(KeyEntry)),      ClientCertFile = proplists:get_value(certfile, ClientOpts), -    NewClientCertFile = filename:join(PrivDir, "client/invalid_cert.pem"), +    NewClientCertFile = filename:join(PrivDir, "client_invalid_cert.pem"),      [{'Certificate', ClientDerCert, _}] = ssl_test_lib:pem_to_der(ClientCertFile),      ClientOTPCert = public_key:pkix_decode_cert(ClientDerCert, otp),      ClientOTPTbsCert = ClientOTPCert#'OTPCertificate'.tbsCertificate, @@ -1108,8 +919,8 @@ invalid_signature_client(Config) when is_list(Config) ->  					      {from, self()},  					      {options, NewClientOpts}]), -    tcp_delivery_workaround(Server, {error, {tls_alert, "bad certificate"}}, -			    Client, {error, {tls_alert, "bad certificate"}}). +    tcp_delivery_workaround(Server, {error, {tls_alert, "unknown ca"}}, +			    Client, {error, {tls_alert, "unknown ca"}}).  %%-------------------------------------------------------------------- @@ -1118,8 +929,14 @@ client_with_cert_cipher_suites_handshake() ->      [{doc, "Test that client with a certificate without keyEncipherment usage "      " extension can connect to a server with restricted cipher suites "}].  client_with_cert_cipher_suites_handshake(Config) when is_list(Config) -> -    ClientOpts =  ssl_test_lib:ssl_options(client_verification_opts_digital_signature_only, Config), -    ServerOpts =  ssl_test_lib:ssl_options(server_verification_opts, Config), +  {ClientOpts0, ServerOpts0} = ssl_test_lib:make_rsa_cert_chains([{client_peer_opts,  +                                                                     [{extensions,  +                                                                       [{key_usage, [digitalSignature]}] +                                                                      }]}], Config, "_sign_only_extensions"), +     + +    ClientOpts =  ssl_test_lib:ssl_options(ClientOpts0, Config), +    ServerOpts =  ssl_test_lib:ssl_options(ServerOpts0, Config),      {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),      Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, @@ -1148,7 +965,7 @@ client_with_cert_cipher_suites_handshake(Config) when is_list(Config) ->  server_verify_no_cacerts() ->      [{doc,"Test server must have cacerts if it wants to verify client"}].  server_verify_no_cacerts(Config) when is_list(Config) -> -    ServerOpts =  proplists:delete(cacertfile, ssl_test_lib:ssl_options(server_opts, Config)), +    ServerOpts =  proplists:delete(cacertfile, ssl_test_lib:ssl_options(server_rsa_opts, Config)),      {_, ServerNode, _} = ssl_test_lib:run_where(Config),      Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},  					      {from, self()}, @@ -1163,7 +980,7 @@ unknown_server_ca_fail() ->      [{doc,"Test that the client fails if the ca is unknown in verify_peer mode"}].  unknown_server_ca_fail(Config) when is_list(Config) ->      ClientOpts = ssl_test_lib:ssl_options(empty_client_opts, Config), -    ServerOpts =  ssl_test_lib:ssl_options(server_verification_opts, Config), +    ServerOpts =  ssl_test_lib:ssl_options(server_rsa_verify_opts, Config),      {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),      Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},  					      {from, self()}, @@ -1207,7 +1024,7 @@ unknown_server_ca_accept_verify_none() ->      [{doc,"Test that the client succeds if the ca is unknown in verify_none mode"}].  unknown_server_ca_accept_verify_none(Config) when is_list(Config) ->      ClientOpts = ssl_test_lib:ssl_options(empty_client_opts, Config), -    ServerOpts =  ssl_test_lib:ssl_options(server_verification_opts, Config), +    ServerOpts =  ssl_test_lib:ssl_options(server_rsa_verify_opts, Config),      {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),      Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},  					{from, self()}, @@ -1232,7 +1049,7 @@ unknown_server_ca_accept_verify_peer() ->       " with a verify_fun that accepts the unknown ca error"}].  unknown_server_ca_accept_verify_peer(Config) when is_list(Config) ->      ClientOpts = ssl_test_lib:ssl_options(empty_client_opts, Config), -    ServerOpts = ssl_test_lib:ssl_options(server_verification_opts, Config), +    ServerOpts = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config),      {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),      Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},  					{from, self()}, @@ -1271,7 +1088,7 @@ unknown_server_ca_accept_backwardscompatibility() ->      [{doc,"Test that old style verify_funs will work"}].  unknown_server_ca_accept_backwardscompatibility(Config) when is_list(Config) ->      ClientOpts = ssl_test_lib:ssl_options(empty_client_opts, Config), -    ServerOpts =  ssl_test_lib:ssl_options(server_verification_opts, Config), +    ServerOpts =  ssl_test_lib:ssl_options(server_rsa_verify_opts, Config),      {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),      Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},  					{from, self()}, diff --git a/lib/ssl/test/ssl_packet_SUITE.erl b/lib/ssl/test/ssl_packet_SUITE.erl index 3446a566c4..c8caa9c11a 100644 --- a/lib/ssl/test/ssl_packet_SUITE.erl +++ b/lib/ssl/test/ssl_packet_SUITE.erl @@ -1973,14 +1973,14 @@ passive_recv_packet(Socket, _, 0) ->  	    {error, timeout} = ssl:recv(Socket, 0, 500),  	    ok;  	Other -> -	    {other, Other, ssl:session_info(Socket), 0} +	    {other, Other, ssl:connection_information(Socket, [session_id, cipher_suite]), 0}      end;  passive_recv_packet(Socket, Data, N) ->      case ssl:recv(Socket, 0) of  	{ok, Data} ->   	    passive_recv_packet(Socket, Data, N-1);  	Other -> -	    {other, Other, ssl:session_info(Socket), N} +	    {other, Other, ssl:connection_information(Socket, [session_id, cipher_suite]), N}      end.  send(Socket,_, 0) -> @@ -2032,7 +2032,7 @@ active_once_packet(Socket,_, 0) ->  	{ssl, Socket, []} ->  	    ok;  	{ssl, Socket, Other} -> -	    {other, Other, ssl:session_info(Socket), 0} +	    {other, Other, ssl:connection_information(Socket,  [session_id, cipher_suite]), 0}      end;  active_once_packet(Socket, Data, N) ->      receive 	 @@ -2077,7 +2077,7 @@ active_packet(Socket, _, 0) ->  	{ssl, Socket, []} ->  	    ok;  	Other -> -	    {other, Other, ssl:session_info(Socket), 0} +	    {other, Other, ssl:connection_information(Socket,  [session_id, cipher_suite]), 0}      end;  active_packet(Socket, Data, N) ->      receive  @@ -2089,7 +2089,7 @@ active_packet(Socket, Data, N) ->  	{ssl, Socket, Data} ->  	    active_packet(Socket, Data, N -1);  	Other -> -	    {other, Other, ssl:session_info(Socket),N} +	    {other, Other, ssl:connection_information(Socket,  [session_id, cipher_suite]),N}      end.  assert_packet_opt(Socket, Type) -> diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl index 4b740c79db..b8fd5dc975 100644 --- a/lib/ssl/test/ssl_test_lib.erl +++ b/lib/ssl/test/ssl_test_lib.erl @@ -485,29 +485,115 @@ make_dsa_cert(Config) ->  		       {certfile, ClientCertFile}, {keyfile, ClientKeyFile}]}       | Config]. +make_rsa_cert_chains(ChainConf, Config, Suffix) -> +   CryptoSupport = crypto:supports(), +    KeyGenSpec = key_gen_info(rsa, rsa), +    ClientFileBase = filename:join([proplists:get_value(priv_dir, Config), "rsa" ++ Suffix]), +    ServerFileBase = filename:join([proplists:get_value(priv_dir, Config), "rsa" ++ Suffix]), +    GenCertData = x509_test:gen_test_certs([{digest, appropriate_sha(CryptoSupport)} | KeyGenSpec] ++ ChainConf), +    [{server_config, ServerConf},  +     {client_config, ClientConf}] =  +        x509_test:gen_pem_config_files(GenCertData, ClientFileBase, ServerFileBase),                +    {[{verify, verify_peer} | ClientConf], +     [{reuseaddr, true}, {verify, verify_peer} | ServerConf] +    }. + +make_ec_cert_chains(ClientChainType, ServerChainType, Config) -> +    CryptoSupport = crypto:supports(), +    KeyGenSpec = key_gen_info(ClientChainType, ServerChainType), +    ClientFileBase = filename:join([proplists:get_value(priv_dir, Config), atom_to_list(ClientChainType)]), +    ServerFileBase = filename:join([proplists:get_value(priv_dir, Config), atom_to_list(ServerChainType)]), +    GenCertData = x509_test:gen_test_certs([{digest, appropriate_sha(CryptoSupport)} | KeyGenSpec]), +    [{server_config, ServerConf},  +     {client_config, ClientConf}] =  +        x509_test:gen_pem_config_files(GenCertData, ClientFileBase, ServerFileBase),                +    {[{verify, verify_peer} | ClientConf], +     [{reuseaddr, true}, {verify, verify_peer} | ServerConf] +    }. + +key_gen_info(ClientChainType, ServerChainType) -> +    key_gen_spec("client", ClientChainType) ++ key_gen_spec("server", ServerChainType). + +key_gen_spec(Role, ecdh_rsa) -> +    CurveOid = hd(tls_v1:ecc_curves(0)), +    [{list_to_atom(Role ++ "_key_gen"),  {namedCurve, CurveOid}}, +     {list_to_atom(Role ++ "_key_gen_chain"),  [hardcode_rsa_key(1), +                                                {namedCurve, CurveOid}]} +    ]; +key_gen_spec(Role, ecdhe_ecdsa) -> +    CurveOid = hd(tls_v1:ecc_curves(0)), +     [{list_to_atom(Role ++ "_key_gen"),  {namedCurve, CurveOid}}, +      {list_to_atom(Role ++ "_key_gen_chain"),  [{namedCurve, CurveOid}, +                                                 {namedCurve, CurveOid}]} +    ]; +key_gen_spec(Role, ecdh_ecdsa) -> +    CurveOid = hd(tls_v1:ecc_curves(0)), +    [{list_to_atom(Role ++ "_key_gen"),  {namedCurve, CurveOid}}, +     {list_to_atom(Role ++ "_key_gen_chain"),  [{namedCurve, CurveOid}, +                                                {namedCurve, CurveOid}]} +    ]; +key_gen_spec(Role, ecdhe_rsa) -> +    [{list_to_atom(Role ++ "_key_gen"),  hardcode_rsa_key(1)}, +     {list_to_atom(Role ++ "_key_gen_chain"),  [hardcode_rsa_key(2), +                                                hardcode_rsa_key(3)]} +    ]; +key_gen_spec(Role, rsa) -> +    [{list_to_atom(Role ++ "_key_gen"),  hardcode_rsa_key(1)}, +     {list_to_atom(Role ++ "_key_gen_chain"),  [hardcode_rsa_key(2), +                                                hardcode_rsa_key(3)]} +    ].  make_ecdsa_cert(Config) ->      CryptoSupport = crypto:supports(),      case proplists:get_bool(ecdsa, proplists:get_value(public_keys, CryptoSupport)) of -	    true -> -	    {ServerCaCertFile, ServerCertFile, ServerKeyFile} =  -		make_cert_files("server", Config, ec, ec, "", [{digest, appropriate_sha(CryptoSupport)}]), -	    {ClientCaCertFile, ClientCertFile, ClientKeyFile} =  -		make_cert_files("client", Config, ec, ec, "", [{digest, appropriate_sha(CryptoSupport)}]), -	    [{server_ecdsa_opts, [{ssl_imp, new},{reuseaddr, true}, -				  {cacertfile, ServerCaCertFile}, -				  {certfile, ServerCertFile}, {keyfile, ServerKeyFile}]}, -	     {server_ecdsa_verify_opts, [{ssl_imp, new},{reuseaddr, true}, -					 {cacertfile, ClientCaCertFile}, -					 {certfile, ServerCertFile}, {keyfile, ServerKeyFile}, -					 {verify, verify_peer}]}, -	     {client_ecdsa_opts, [{ssl_imp, new}, -				  {cacertfile, ClientCaCertFile}, -				  {certfile, ClientCertFile}, {keyfile, ClientKeyFile}]} +        true -> +            ClientFileBase = filename:join([proplists:get_value(priv_dir, Config), "ecdsa"]), +            ServerFileBase = filename:join([proplists:get_value(priv_dir, Config), "ecdsa"]), +            CurveOid = hd(tls_v1:ecc_curves(0)), +            GenCertData = x509_test:gen_test_certs([{server_key_gen, {namedCurve, CurveOid}},  +                                                    {client_key_gen, {namedCurve, CurveOid}}, +                                                    {server_key_gen_chain, [{namedCurve, CurveOid}, +                                                                            {namedCurve, CurveOid}]}, +                                                    {client_key_gen_chain, [{namedCurve, CurveOid}, +                                                                            {namedCurve, CurveOid}]}, +                                                    {digest, appropriate_sha(CryptoSupport)}]), +            [{server_config, ServerConf},  +             {client_config, ClientConf}] =  +                x509_test:gen_pem_config_files(GenCertData, ClientFileBase, ServerFileBase),                +	    [{server_ecdsa_opts, [{ssl_imp, new},{reuseaddr, true} | ServerConf]}, +              +	     {server_ecdsa_verify_opts, [{ssl_imp, new}, {reuseaddr, true}, +					 {verify, verify_peer} | ServerConf]}, +	     {client_ecdsa_opts, ClientConf}  	     | Config]; -	_ -> +	false -> +	    Config +    end. +make_rsa_cert(Config) -> +    CryptoSupport = crypto:supports(), +    case proplists:get_bool(rsa, proplists:get_value(public_keys, CryptoSupport)) of +        true -> +            ClientFileBase = filename:join([proplists:get_value(priv_dir, Config), "rsa"]), +            ServerFileBase = filename:join([proplists:get_value(priv_dir, Config), "rsa"]), +            GenCertData = x509_test:gen_test_certs([{server_key_gen, hardcode_rsa_key(1)},  +                                                    {client_key_gen, hardcode_rsa_key(2)}, +                                                    {server_key_gen_chain, [hardcode_rsa_key(3), +                                                                            hardcode_rsa_key(4)]}, +                                                    {client_key_gen_chain, [hardcode_rsa_key(5), +                                                                            hardcode_rsa_key(6)]}, +                                                    {digest, appropriate_sha(CryptoSupport)}]), +            [{server_config, ServerConf},  +             {client_config, ClientConf}] =  +                x509_test:gen_pem_config_files(GenCertData, ClientFileBase, ServerFileBase),                +	    [{server_rsa_opts, [{ssl_imp, new},{reuseaddr, true} | ServerConf]}, +              +	     {server_rsa_verify_opts, [{ssl_imp, new}, {reuseaddr, true}, +					 {verify, verify_peer} | ServerConf]}, +	     {client_rsa_opts, ClientConf}, +             {client_rsa_verify_opts,  [{verify, verify_peer} |ClientConf]} +	     | Config]; +	false ->  	    Config      end. -  appropriate_sha(CryptoSupport) ->      case proplists:get_bool(sha256, CryptoSupport) of  	true -> @@ -524,21 +610,30 @@ make_ecdh_rsa_cert(Config) ->      CryptoSupport = crypto:supports(),      case proplists:get_bool(ecdh, proplists:get_value(public_keys, CryptoSupport)) of  	true -> -	    {ServerCaCertFile, ServerCertFile, ServerKeyFile} =  -		make_cert_files("server", Config, rsa, ec, "rsa_", []), -	    {ClientCaCertFile, ClientCertFile, ClientKeyFile} =  -		make_cert_files("client", Config, rsa, ec, "rsa_",[]), -	    [{server_ecdh_rsa_opts, [{ssl_imp, new},{reuseaddr, true}, -				     {cacertfile, ServerCaCertFile}, -				     {certfile, ServerCertFile}, {keyfile, ServerKeyFile}]}, -	     {server_ecdh_rsa_verify_opts, [{ssl_imp, new},{reuseaddr, true}, -					    {cacertfile, ClientCaCertFile}, -					    {certfile, ServerCertFile}, {keyfile, ServerKeyFile}, -					    {verify, verify_peer}]}, -	     {client_ecdh_rsa_opts, [{ssl_imp, new}, -				     {cacertfile, ClientCaCertFile}, -				     {certfile, ClientCertFile}, {keyfile, ClientKeyFile}]} -	     | Config]; +            ClientFileBase = filename:join([proplists:get_value(priv_dir, Config), "ecdh_rsa"]), +            ServerFileBase = filename:join([proplists:get_value(priv_dir, Config), "ecdh_rsa"]), +            CurveOid = hd(tls_v1:ecc_curves(0)), +            GenCertData = x509_test:gen_test_certs([{server_key_gen, {namedCurve, CurveOid}},  +                                                    {client_key_gen, {namedCurve, CurveOid}}, +                                                    {server_key_gen_chain, [hardcode_rsa_key(1), +                                                                            {namedCurve, CurveOid} +                                                                           ]}, +                                                    {client_key_gen_chain, [hardcode_rsa_key(2), +                                                                            {namedCurve, CurveOid} +                                                                           ]}, +                                                    {digest, appropriate_sha(CryptoSupport)}]), +            [{server_config, ServerConf},  +             {client_config, ClientConf}] =  +                x509_test:gen_pem_config_files(GenCertData, ClientFileBase, ServerFileBase), + +	    [{server_ecdh_rsa_opts, [{ssl_imp, new},{reuseaddr, true} | ServerConf]}, +				     +	     {server_ecdh_rsa_verify_opts, [{ssl_imp, new},{reuseaddr, true}, 	  +                                            {verify, verify_peer} | ServerConf]}, +					 +	     {client_ecdh_rsa_opts, ClientConf} +				    +             | Config];  	_ ->  	    Config      end. @@ -782,18 +877,18 @@ no_result(_) ->      no_result_msg.  trigger_renegotiate(Socket, [ErlData, N]) -> -    [{session_id, Id} | _ ] = ssl:session_info(Socket), +     {ok, [{session_id, Id}]} = ssl:connection_information(Socket,  [session_id]),      trigger_renegotiate(Socket, ErlData, N, Id).  trigger_renegotiate(Socket, _, 0, Id) ->      ct:sleep(1000), -    case ssl:session_info(Socket) of -	[{session_id, Id} | _ ] -> +    case ssl:connection_information(Socket,  [session_id]) of +        {ok, [{session_id, Id}]} ->  	    fail_session_not_renegotiated;  	%% Tests that uses this function will not reuse  	%% sessions so if we get a new session id the  	%% renegotiation has succeeded. -       	[{session_id, _} | _ ] ->  +        {ok, [{session_id, _}]} ->   	    ok;  	{error, closed} ->  	    fail_session_fatal_alert_during_renegotiation; @@ -858,9 +953,9 @@ available_suites(Version) ->  rsa_non_signed_suites(Version) ->      lists:filter(fun({rsa, _, _}) -> -			 true; +			 false;  		    (_) -> -			 false +			 true  		 end,  		 available_suites(Version)). @@ -998,8 +1093,8 @@ cipher_result(Socket, Result) ->      end.  session_info_result(Socket) -> -    ssl:session_info(Socket). - +    {ok, Info} = ssl:connection_information(Socket,  [session_id, cipher_suite]), +    Info.  public_key(#'PrivateKeyInfo'{privateKeyAlgorithm =  				 #'PrivateKeyInfo_privateKeyAlgorithm'{algorithm = ?rsaEncryption}, @@ -1317,14 +1412,17 @@ do_supports_ssl_tls_version(Port) ->  		false ->  		    do_supports_ssl_tls_version(Port)  	    end -    after 500 -> +    after 1000 ->  	    true      end. -ssl_options(Option, Config) -> +ssl_options(Option, Config) when is_atom(Option) ->      ProtocolOpts = proplists:get_value(protocol_opts, Config, []),      Opts = proplists:get_value(Option, Config, []), -    Opts ++ ProtocolOpts. +    Opts ++ ProtocolOpts; +ssl_options(Options, Config) -> +    ProtocolOpts = proplists:get_value(protocol_opts, Config, []), +    Options ++ ProtocolOpts.  protocol_version(Config) ->     protocol_version(Config, atom). @@ -1401,6 +1499,76 @@ tls_version('dtlsv1.2' = Atom) ->  tls_version(Atom) ->      tls_record:protocol_version(Atom). +hardcode_rsa_key(1) -> +    {'RSAPrivateKey',0, +                 23995666614853919027835084074500048897452890537492185072956789802729257783422306095699263934587064480357348855732149402060270996295002843755712064937715826848741191927820899197493902093529581182351132392364214171173881547273475904587683433713767834856230531387991145055273426806331200574039205571401702219159773947658558490957010003143162250693492642996408861265758000254664396313741422909188635443907373976005987612936763564996605457102336549804831742940035613780926178523017685712710473543251580072875247250504243621640157403744718833162626193206685233710319205099867303242759099560438381385658382486042995679707669, +                 17, +                 11292078406990079542510627799764728892919007311761028269626724613049062486316379339152594792746853873109340637991599718616598115903530750002688030558925094987642913848386305504703012749896273497577003478759630198199473669305165131570674557041773098755873191241407597673069847908861741446606684974777271632545629600685952292605647052193819136445675100211504432575554351515262198132231537860917084269870590492135731720141577986787033006338680118008484613510063003323516659048210893001173583018220214626635609151105287049126443102976056146630518124476470236027123782297108342869049542023328584384300970694412006494684657, +                 169371138592582642967021557955633494538845517070305333860805485424261447791289944610138334410987654265476540480228705481960508520379619587635662291973699651583489223555422528867090299996446070521801757353675026048850480903160224210802452555900007597342687137394192939372218903554801584969667104937092080815197, +                 141675062317286527042995673340952251894209529891636708844197799307963834958115010129693036021381525952081167155681637592199810112261679449166276939178032066869788822014115556349519329537177920752776047051833616197615329017439297361972726138285974555338480581117881706656603857310337984049152655480389797687577, +                 119556097830058336212015217380447172615655659108450823901745048534772786676204666783627059584226579481512852103690850928442711896738555003036938088452023283470698275450886490965004917644550167427154181661417665446247398284583687678213495921811770068712485038160606780733330990744565824684470897602653233516609, +                 41669135975672507953822256864985956439473391144599032012999352737636422046504414744027363535700448809435637398729893409470532385959317485048904982111185902020526124121798693043976273393287623750816484427009887116945685005129205106462566511260580751570141347387612266663707016855981760014456663376585234613993, +                 76837684977089699359024365285678488693966186052769523357232308621548155587515525857011429902602352279058920284048929101483304120686557782043616693940283344235057989514310975192908256494992960578961614059245280827077951132083993754797053182279229469590276271658395444955906108899267024101096069475145863928441, +                 asn1_NOVALUE}; + +hardcode_rsa_key(2) -> +{'RSAPrivateKey',0, +                 21343679768589700771839799834197557895311746244621307033143551583788179817796325695589283169969489517156931770973490560582341832744966317712674900833543896521418422508485833901274928542544381247956820115082240721897193055368570146764204557110415281995205343662628196075590438954399631753508888358737971039058298703003743872818150364935790613286541190842600031570570099801682794056444451081563070538409720109449780410837763602317050353477918147758267825417201591905091231778937606362076129350476690460157227101296599527319242747999737801698427160817755293383890373574621116766934110792127739174475029121017282777887777, +                 17, +                 18832658619343853622211588088997845201745658451136447382185486691577805721584993260814073385267196632785528033211903435807948675951440868570007265441362261636545666919252206383477878125774454042314841278013741813438699754736973658909592256273895837054592950290554290654932740253882028017801960316533503857992358685308186680144968293076156011747178275038098868263178095174694099811498968993700538293188879611375604635940554394589807673542938082281934965292051746326331046224291377703201248790910007232374006151098976879987912446997911775904329728563222485791845480864283470332826504617837402078265424772379987120023773, +                 146807662748886761089048448970170315054939768171908279335181627815919052012991509112344782731265837727551849787333310044397991034789843793140419387740928103541736452627413492093463231242466386868459637115999163097726153692593711599245170083315894262154838974616739452594203727376460632750934355508361223110419, +                 145385325050081892763917667176962991350872697916072592966410309213561884732628046256782356731057378829876640317801978404203665761131810712267778698468684631707642938779964806354584156202882543264893826268426566901882487709510744074274965029453915224310656287149777603803201831202222853023280023478269485417083, +                 51814469205489445090252393754177758254684624060673510353593515699736136004585238510239335081623236845018299924941168250963996835808180162284853901555621683602965806809675350150634081614988136541809283687999704622726877773856604093851236499993845033701707873394143336209718962603456693912094478414715725803677, +                 51312467664734785681382706062457526359131540440966797517556579722433606376221663384746714140373192528191755406283051201483646739222992016094510128871300458249756331334105225772206172777487956446433115153562317730076172132768497908567634716277852432109643395464627389577600646306666889302334125933506877206029, +                 30504662229874176232343608562807118278893368758027179776313787938167236952567905398252901545019583024374163153775359371298239336609182249464886717948407152570850677549297935773605431024166978281486607154204888016179709037883348099374995148481968169438302456074511782717758301581202874062062542434218011141540, + asn1_NOVALUE}; + +hardcode_rsa_key(3) ->  +{'RSAPrivateKey',0, +                 25089040456112869869472694987833070928503703615633809313972554887193090845137746668197820419383804666271752525807484521370419854590682661809972833718476098189250708650325307850184923546875260207894844301992963978994451844985784504212035958130279304082438876764367292331581532569155681984449177635856426023931875082020262146075451989132180409962870105455517050416234175675478291534563995772675388370042873175344937421148321291640477650173765084699931690748536036544188863178325887393475703801759010864779559318631816411493486934507417755306337476945299570726975433250753415110141783026008347194577506976486290259135429, +                 17, +                 8854955455098659953931539407470495621824836570223697404931489960185796768872145882893348383311931058684147950284994536954265831032005645344696294253579799360912014817761873358888796545955974191021709753644575521998041827642041589721895044045980930852625485916835514940558187965584358347452650930302268008446431977397918214293502821599497633970075862760001650736520566952260001423171553461362588848929781360590057040212831994258783694027013289053834376791974167294527043946669963760259975273650548116897900664646809242902841107022557239712438496384819445301703021164043324282687280801738470244471443835900160721870265, +                 171641816401041100605063917111691927706183918906535463031548413586331728772311589438043965564336865070070922328258143588739626712299625805650832695450270566547004154065267940032684307994238248203186986569945677705100224518137694769557564475390859269797990555863306972197736879644001860925483629009305104925823, +                 146170909759497809922264016492088453282310383272504533061020897155289106805616042710009332510822455269704884883705830985184223718261139908416790475825625309815234508695722132706422885088219618698987115562577878897003573425367881351537506046253616435685549396767356003663417208105346307649599145759863108910523, +                 60579464612132153154728441333538327425711971378777222246428851853999433684345266860486105493295364142377972586444050678378691780811632637288529186629507258781295583787741625893888579292084087601124818789392592131211843947578009918667375697196773859928702549128225990187436545756706539150170692591519448797349, +                 137572620950115585809189662580789132500998007785886619351549079675566218169991569609420548245479957900898715184664311515467504676010484619686391036071176762179044243478326713135456833024206699951987873470661533079532774988581535389682358631768109586527575902839864474036157372334443583670210960715165278974609, +                 15068630434698373319269196003209754243798959461311186548759287649485250508074064775263867418602372588394608558985183294561315208336731894947137343239541687540387209051236354318837334154993136528453613256169847839789803932725339395739618592522865156272771578671216082079933457043120923342632744996962853951612, + asn1_NOVALUE}; +hardcode_rsa_key(4) ->  +{'RSAPrivateKey',0, +                 28617237755030755643854803617273584643843067580642149032833640135949799721163782522787597288521902619948688786051081993247908700824196122780349730169173433743054172191054872553484065655968335396052034378669869864779940355219732200954630251223541048434478476115391643898092650304645086338265930608997389611376417609043761464100338332976874588396803891301015812818307951159858145399281035705713082131199940309445719678087542976246147777388465712394062188801177717719764254900022006288880246925156931391594131839991579403409541227225173269459173129377291869028712271737734702830877034334838181789916127814298794576266389, +                 17, +                 26933870828264240605980991639786903194205240075898493207372837775011576208154148256741268036255908348187001210401018346586267012540419880263858569570986761169933338532757527109161473558558433313931326474042230460969355628442100895016122589386862163232450330461545076609969553227901257730132640573174013751883368376011370428995523268034111482031427024082719896108094847702954695363285832195666458915142143884210891427766607838346722974883433132513540317964796373298134261669479023445911856492129270184781873446960437310543998533283339488055776892320162032014809906169940882070478200435536171854883284366514852906334641, +                 177342190816702392178883147766999616783253285436834252111702533617098994535049411784501174309695427674025956656849179054202187436663487378682303508229883753383891163725167367039879190685255046547908384208614573353917213168937832054054779266431207529839577747601879940934691505396807977946728204814969824442867, +                 161367340863680900415977542864139121629424927689088951345472941851682581254789586032968359551717004797621579428672968948552429138154521719743297455351687337112710712475376510559020211584326773715482918387500187602625572442687231345855402020688502483137168684570635690059254866684191216155909970061793538842967, +                 62591361464718491357252875682470452982324688977706206627659717747211409835899792394529826226951327414362102349476180842659595565881230839534930649963488383547255704844176717778780890830090016428673547367746320007264898765507470136725216211681602657590439205035957626212244060728285168687080542875871702744541, +                 28476589564178982426348978152495139111074987239250991413906989738532220221433456358759122273832412611344984605059935696803369847909621479954699550944415412431654831613301737157474154985469430655673456186029444871051571607533040825739188591886206320553618003159523945304574388238386685203984112363845918619347, +                 34340318160575773065401929915821192439103777558577109939078671096408836197675640654693301707202885840826672396546056002756167635035389371579540325327619480512374920136684787633921441576901246290213545161954865184290700344352088099063404416346968182170720521708773285279884132629954461545103181082503707725012, + asn1_NOVALUE}; +hardcode_rsa_key(5) ->  +{'RSAPrivateKey',0, +                 26363170152814518327068346871197765236382539835597898797762992537312221863402655353436079974302838986536256364057947538018476963115004626096654613827403121905035011992899481598437933532388248462251770039307078647864188314916665766359828262009578648593031111569685489178543405615478739906285223620987558499488359880003693226535420421293716164794046859453204135383236667988765227190694994861629971618548127529849059769249520775574008363789050621665120207265361610436965088511042779948238320901918522125988916609088415989475825860046571847719492980547438560049874493788767083330042728150253120940100665370844282489982633, +                 17, +                 10855423004100095781734025182257903332628104638187370093196526338893267826106975733767797636477639582691399679317978398007608161282648963686857782164224814902073240232370374775827384395689278778574258251479385325591136364965685903795223402003944149420659869469870495544106108194608892902588033255700759382142132115013969680562678811046675523365751498355532768935784747314021422035957153013494814430893022253205880275287307995039363642554998244274484818208792520243113824379110193356010059999642946040953102866271737127640405568982049887176990990501963784502429481034227543991366980671390566584211881030995602076468001, +                 163564135568104310461344551909369650951960301778977149705601170951529791054750122905880591964737953456660497440730575925978769763154927541340839715938951226089095007207042122512586007411328664679011914120351043948122025612160733403945093961374276707993674792189646478659304624413958625254578122842556295400709, +                 161179405627326572739107057023381254841260287988433675196680483761672455172873134522398837271764104320975746111042211695289319249471386600030523328069395763313848583139553961129874895374324504709512019736703349829576024049432816885712623938437949550266365056310544300920756181033500610331519029869549723159637, +                 115457036871603042678596154288966812436677860079277988027483179495197499568058910286503947269226790675289762899339230065396778656344654735064122152427494983121714122734382674714766593466820233891067233496718383963380253373289929461608301619793607087995535147427985749641862087821617853120878674947686796753441, +                 142217122612346975946270932667689342506994371754500301644129838613240401623123353990351915239791856753802128921507833848784693455415929352968108818884760967629866396887841730408713142977345151214275311532385308673155315337734838428569962298621720191411498579097539089047726042088382891468987379296661520434973, +                 40624877259097915043489529504071755460170951428490878553842519165800720914888257733191322215286203357356050737713125202129282154441426952501134581314792133018830748896123382106683994268028624341502298766844710276939303555637478596035491641473828661569958212421472263269629366559343208764012473880251174832392, + asn1_NOVALUE}; +hardcode_rsa_key(6) ->  +{'RSAPrivateKey',0, +                 22748888494866396715768692484866595111939200209856056370972713870125588774286266397044592487895293134537316190976192161177144143633669641697309689280475257429554879273045671863645233402796222694405634510241820106743648116753479926387434021380537483429927516962909367257212902212159798399531316965145618774905828756510318897899298783143203190245236381440043169622358239226123652592179006905016804587837199618842875361941208299410035232803124113612082221121192550063791073372276763648926636149384299189072950588522522800393261949880796214514243704858378436010975184294077063518776479282353562934591448646412389762167039, +                 17, +                 6690849557313646092873144848490175032923294179369428344403739373566349639495960705013115437616262686628622409110644753287395336362844012263914614494257428655751435080307550548130951000822418439531068973600535325512837681398082331290421770994275730420566916753796872722709677121223470117509210872101652580854566448661533030419787125312956120661097410038933324613372774190658239039998357548275441758790939430824924502690997433186652165055694361752689819209062683281242276039100201318203707142383491769671330743466041394101421674581185260900666085723130684175548215193875544802254923825103844262661010117443222587769713, +                 164748737139489923768181260808494855987398781964531448608652166632780898215212977127034263859971474195908846263894581556691971503119888726148555271179103885786024920582830105413607436718060544856016793981261118694063993837665813285582095833772675610567592660039821387740255651489996976698808018635344299728063, +                 138082323967104548254375818343885141517788525705334488282154811252858957969378263753268344088034079842223206527922445018725900110643394926788280539200323021781309918753249061620424428562366627334409266756720941754364262467100514166396917565961434203543659974860389803369482625510495464845206228470088664021953, +                 19382204369351755737433089506881747763223386113474288071606137250915399790025056132592266336467232258342217207517009594904937823896457497193947678962247515974826461245038835931012639613889475865413740468383661022831058098548919210068481862796785365949128548239978986792971253116470232552800943368864035262125, +                 48734937870742781736838524121371226418043009072470995864289933383361985165662916618800592031070851709019955245149098241903258862580021738866451955011878713569874088971734962924855680669070574353320917678842685325069739694270769705787147376221682660074232932303666989424523279591939575827719845342384234360689, +                 81173034184183681160439870161505779100040258708276674532866007896310418779840630960490793104541748007902477778658270784073595697910785917474138815202903114440800310078464142273778315781957021015333260021813037604142367434117205299831740956310682461174553260184078272196958146289378701001596552915990080834227, +                 asn1_NOVALUE}. + +  dtls_hello() ->      [1,       <<0,1,4>>, diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl index 48fd2b7eab..60faad3fe1 100644 --- a/lib/ssl/test/ssl_to_openssl_SUITE.erl +++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl @@ -984,8 +984,6 @@ ssl2_erlang_server_openssl_client(Config) when is_list(Config) ->      {_, ServerNode, _} = ssl_test_lib:run_where(Config), -    Data = "From openssl to erlang", -      Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},   					      {from, self()},   					      {options, ServerOpts}]), @@ -996,7 +994,6 @@ ssl2_erlang_server_openssl_client(Config) when is_list(Config) ->  	"-ssl2", "-msg"],      OpenSslPort = ssl_test_lib:portable_open_port(Exe, Args),   -    true = port_command(OpenSslPort, Data),      ct:log("Ports ~p~n", [[erlang:port_info(P) || P <- erlang:ports()]]),       consume_port_exit(OpenSslPort), diff --git a/lib/ssl/test/x509_test.erl b/lib/ssl/test/x509_test.erl new file mode 100644 index 0000000000..c36e96013b --- /dev/null +++ b/lib/ssl/test/x509_test.erl @@ -0,0 +1,343 @@ +%% +%% %CopyrightBegin% +%% +%% Copyright Ericsson AB 2017-2017. All Rights Reserved. +%% +%% Licensed under the Apache License, Version 2.0 (the "License"); +%% you may not use this file except in compliance with the License. +%% You may obtain a copy of the License at +%% +%%     http://www.apache.org/licenses/LICENSE-2.0 +%% +%% Unless required by applicable law or agreed to in writing, software +%% distributed under the License is distributed on an "AS IS" BASIS, +%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +%% See the License for the specific language governing permissions and +%% limitations under the License. +%% +%% %CopyrightEnd% +%% + +%% + + -module(x509_test). + + -include_lib("public_key/include/public_key.hrl"). + + -export([gen_test_certs/1, gen_pem_config_files/3]). + + gen_test_certs(Opts) -> +     SRootKey = gen_key(proplists:get_value(server_key_gen, Opts)), +     CRootKey = gen_key(proplists:get_value(client_key_gen, Opts)), +     ServerRoot = root_cert("server", SRootKey, Opts), +     ClientRoot = root_cert("client", CRootKey, Opts), +     [{ServerCert, ServerKey} | ServerCAsKeys] = config(server, ServerRoot, SRootKey, Opts), +     [{ClientCert, ClientKey} | ClientCAsKeys] = config(client, ClientRoot, CRootKey, Opts), +     ServerCAs = ca_config(ClientRoot, ServerCAsKeys), +     ClientCAs = ca_config(ServerRoot, ClientCAsKeys), +     [{server_config, [{cert, ServerCert}, {key, ServerKey}, {cacerts, ServerCAs}]},  +      {client_config, [{cert, ClientCert}, {key, ClientKey}, {cacerts, ClientCAs}]}]. + +gen_pem_config_files(GenCertData, ClientBase, ServerBase) -> +    ServerConf = proplists:get_value(server_config, GenCertData), +    ClientConf = proplists:get_value(client_config, GenCertData), +     +    ServerCaCertFile = ServerBase ++ "_server_cacerts.pem", +    ServerCertFile = ServerBase ++ "_server_cert.pem", +    ServerKeyFile = ServerBase ++ "_server_key.pem", +     +    ClientCaCertFile = ClientBase ++ "_client_cacerts.pem", +    ClientCertFile =  ClientBase ++ "_client_cert.pem", +    ClientKeyFile = ClientBase ++ "_client_key.pem", + +    do_gen_pem_config_files(ServerConf, +                            ServerCertFile, +                            ServerKeyFile, +                            ServerCaCertFile),         +    do_gen_pem_config_files(ClientConf, +                            ClientCertFile, +                            ClientKeyFile, +                            ClientCaCertFile), +    [{server_config, [{certfile, ServerCertFile},  +                      {keyfile, ServerKeyFile}, {cacertfile, ServerCaCertFile}]},  +     {client_config, [{certfile, ClientCertFile},  +                      {keyfile, ClientKeyFile}, {cacertfile, ClientCaCertFile}]}]. + + + do_gen_pem_config_files(Config, CertFile, KeyFile, CAFile) -> +     CAs = proplists:get_value(cacerts, Config), +     Cert = proplists:get_value(cert, Config), +     Key = proplists:get_value(key, Config), +     der_to_pem(CertFile, [cert_entry(Cert)]), +     der_to_pem(KeyFile, [key_entry(Key)]), +     der_to_pem(CAFile, ca_entries(CAs)). + + cert_entry(Cert) -> +     {'Certificate', Cert, not_encrypted}. + + key_entry(Key = #'RSAPrivateKey'{}) -> +     Der = public_key:der_encode('RSAPrivateKey', Key), +     {'RSAPrivateKey', Der, not_encrypted}; + key_entry(Key = #'DSAPrivateKey'{}) -> +     Der =  public_key:der_encode('DSAPrivateKey', Key), +     {'DSAPrivateKey', Der, not_encrypted}; + key_entry(Key = #'ECPrivateKey'{}) -> +     Der =  public_key:der_encode('ECPrivateKey', Key), +     {'ECPrivateKey', Der, not_encrypted}. + + ca_entries(CAs) -> +     [{'Certificate', CACert, not_encrypted} || CACert <- CAs]. + + gen_key(KeyGen) -> +     case is_key(KeyGen) of +         true -> +             KeyGen; +         false -> +             public_key:generate_key(KeyGen) +     end. + +root_cert(Role, PrivKey, Opts) -> +     TBS = cert_template(), +     Issuer = issuer("root", Role, " ROOT CA"), +     OTPTBS = TBS#'OTPTBSCertificate'{ +                signature = sign_algorithm(PrivKey, Opts), +                issuer = Issuer, +                validity = validity(Opts),   +                subject = Issuer, +                subjectPublicKeyInfo = public_key(PrivKey), +                extensions = extensions(ca, Opts) +               }, +     public_key:pkix_sign(OTPTBS, PrivKey). + +config(Role, Root, Key, Opts) -> +    KeyGenOpt = list_to_atom(atom_to_list(Role) ++ "_key_gen_chain"), +    KeyGens = proplists:get_value(KeyGenOpt, Opts, default_key_gen()), +    Keys = lists:map(fun gen_key/1, KeyGens), +    cert_chain(Role, Root, Key, Opts, Keys). + +cert_template() -> +    #'OTPTBSCertificate'{ +       version = v3,               +       serialNumber = trunc(rand:uniform()*100000000)*10000 + 1, +       issuerUniqueID = asn1_NOVALUE,        +       subjectUniqueID = asn1_NOVALUE +      }. + +issuer(Contact, Role, Name) -> +  subject(Contact, Role ++ Name). + +subject(Contact, Name) -> +    Opts = [{email, Contact ++ "@erlang.org"}, +	    {name,  Name}, +	    {city, "Stockholm"}, +	    {country, "SE"}, +	    {org, "erlang"}, +	    {org_unit, "automated testing"}], +    subject(Opts). + +subject(SubjectOpts) when is_list(SubjectOpts) -> +    Encode = fun(Opt) -> +		     {Type,Value} = subject_enc(Opt), +		     [#'AttributeTypeAndValue'{type=Type, value=Value}] +	     end, +    {rdnSequence, [Encode(Opt) || Opt <- SubjectOpts]}. + +subject_enc({name,  Name}) ->        +    {?'id-at-commonName', {printableString, Name}}; +subject_enc({email, Email}) ->       +    {?'id-emailAddress', Email}; +subject_enc({city,  City}) ->        +    {?'id-at-localityName', {printableString, City}}; +subject_enc({state, State}) ->       +    {?'id-at-stateOrProvinceName', {printableString, State}}; +subject_enc({org, Org}) ->           +    {?'id-at-organizationName', {printableString, Org}}; +subject_enc({org_unit, OrgUnit}) ->  +    {?'id-at-organizationalUnitName', {printableString, OrgUnit}}; +subject_enc({country, Country}) ->   +    {?'id-at-countryName', Country}; +subject_enc({serial, Serial}) ->     +    {?'id-at-serialNumber', Serial}; +subject_enc({title, Title}) ->       +    {?'id-at-title', {printableString, Title}}; +subject_enc({dnQualifer, DnQ}) ->    +    {?'id-at-dnQualifier', DnQ}; +subject_enc(Other) ->  +    Other. + +validity(Opts) -> +    DefFrom0 = calendar:gregorian_days_to_date(calendar:date_to_gregorian_days(date())-1), +    DefTo0   = calendar:gregorian_days_to_date(calendar:date_to_gregorian_days(date())+7), +    {DefFrom, DefTo} = proplists:get_value(validity, Opts, {DefFrom0, DefTo0}), +    Format = fun({Y,M,D}) ->  +                     lists:flatten(io_lib:format("~w~2..0w~2..0w000000Z",[Y,M,D]))  +             end, +    #'Validity'{notBefore={generalTime, Format(DefFrom)}, +		notAfter ={generalTime, Format(DefTo)}}. + +extensions(Type, Opts) -> +    Exts  = proplists:get_value(extensions, Opts, []), +    lists:flatten([extension(Ext) || Ext <- default_extensions(Type, Exts)]). + +%% Common extension: name_constraints, policy_constraints, ext_key_usage, inhibit_any,  +%% auth_key_id, subject_key_id, policy_mapping, + +default_extensions(ca, Exts) -> +    Def = [{key_usage,  [keyCertSign, cRLSign]},  +	   {basic_constraints, default}], +    add_default_extensions(Def, Exts); + +default_extensions(peer, Exts) -> +    Def = [{key_usage, [digitalSignature, keyAgreement]}], +    add_default_extensions(Def, Exts). +     +add_default_extensions(Def, Exts) -> +    Filter = fun({Key, _}, D) ->  +                     lists:keydelete(Key, 1, D);  +                ({Key, _, _}, D) ->  +                     lists:keydelete(Key, 1, D) +             end, +    Exts ++ lists:foldl(Filter, Def, Exts). + +extension({_, undefined}) -> +    []; +extension({basic_constraints, Data}) -> +    case Data of +	default -> +	    #'Extension'{extnID = ?'id-ce-basicConstraints', +			 extnValue = #'BasicConstraints'{cA=true}, +			 critical=true}; +	false ->  +	    []; +	Len when is_integer(Len) -> +	    #'Extension'{extnID = ?'id-ce-basicConstraints', +			 extnValue = #'BasicConstraints'{cA=true, pathLenConstraint = Len}, +			 critical = true}; +	_ -> +	    #'Extension'{extnID = ?'id-ce-basicConstraints', +			 extnValue = Data} +    end; +extension({auth_key_id, {Oid, Issuer, SNr}}) -> +    #'Extension'{extnID = ?'id-ce-authorityKeyIdentifier', +                 extnValue = #'AuthorityKeyIdentifier'{ +                                keyIdentifier = Oid,	     +                                authorityCertIssuer = Issuer,      +                                authorityCertSerialNumber = SNr}, +                 critical = false}; +extension({key_usage, Value}) -> +    #'Extension'{extnID = ?'id-ce-keyUsage', +                 extnValue = Value, +                 critical = false}; +extension({Id, Data, Critical}) -> +    #'Extension'{extnID = Id, extnValue = Data, critical = Critical}. + +public_key(#'RSAPrivateKey'{modulus=N, publicExponent=E}) -> +    Public = #'RSAPublicKey'{modulus=N, publicExponent=E}, +    Algo = #'PublicKeyAlgorithm'{algorithm= ?rsaEncryption, parameters='NULL'}, +    #'OTPSubjectPublicKeyInfo'{algorithm = Algo, +			       subjectPublicKey = Public}; +public_key(#'DSAPrivateKey'{p=P, q=Q, g=G, y=Y}) -> +    Algo = #'PublicKeyAlgorithm'{algorithm= ?'id-dsa',  +				 parameters={params, #'Dss-Parms'{p=P, q=Q, g=G}}}, +    #'OTPSubjectPublicKeyInfo'{algorithm = Algo, subjectPublicKey = Y}; +public_key(#'ECPrivateKey'{version = _Version, +			  privateKey = _PrivKey, +			  parameters = Params, +			  publicKey = PubKey}) -> +    Algo = #'PublicKeyAlgorithm'{algorithm= ?'id-ecPublicKey', parameters=Params}, +    #'OTPSubjectPublicKeyInfo'{algorithm = Algo, +			       subjectPublicKey = #'ECPoint'{point = PubKey}}. + +sign_algorithm(#'RSAPrivateKey'{}, Opts) -> +    Type = rsa_digest_oid(proplists:get_value(digest, Opts, sha1)), +    #'SignatureAlgorithm'{algorithm  = Type, +                          parameters = 'NULL'}; +sign_algorithm(#'DSAPrivateKey'{p=P, q=Q, g=G}, _Opts) -> +    #'SignatureAlgorithm'{algorithm  = ?'id-dsa-with-sha1', +                          parameters = {params,#'Dss-Parms'{p=P, q=Q, g=G}}}; +sign_algorithm(#'ECPrivateKey'{parameters = Parms}, Opts) -> +    Type = ecdsa_digest_oid(proplists:get_value(digest, Opts, sha1)), +    #'SignatureAlgorithm'{algorithm  = Type, +                          parameters = Parms}. + +rsa_digest_oid(sha1) -> +    ?'sha1WithRSAEncryption'; +rsa_digest_oid(sha512) -> +    ?'sha512WithRSAEncryption'; +rsa_digest_oid(sha384) -> +    ?'sha384WithRSAEncryption'; +rsa_digest_oid(sha256) -> +    ?'sha256WithRSAEncryption'; +rsa_digest_oid(md5) -> +   ?'md5WithRSAEncryption'. + +ecdsa_digest_oid(sha1) -> +    ?'ecdsa-with-SHA1'; +ecdsa_digest_oid(sha512) -> +    ?'ecdsa-with-SHA512'; +ecdsa_digest_oid(sha384) -> +    ?'ecdsa-with-SHA384'; +ecdsa_digest_oid(sha256) -> +    ?'ecdsa-with-SHA256'. + +ca_config(Root, CAsKeys) -> +    [Root | [CA || {CA, _}  <- CAsKeys]]. + +cert_chain(Role, Root, RootKey, Opts, Keys) -> +    cert_chain(Role, Root, RootKey, Opts, Keys, 0, []). + +cert_chain(Role, IssuerCert, IssuerKey, Opts, [Key], _, Acc) -> +    PeerOpts = list_to_atom(atom_to_list(Role) ++ "_peer_opts"), +    Cert = cert(Role, public_key:pkix_decode_cert(IssuerCert, otp),  +                IssuerKey, Key, "admin", " Peer cert", Opts, PeerOpts, peer), +    [{Cert, Key}, {IssuerCert, IssuerKey} | Acc]; +cert_chain(Role, IssuerCert, IssuerKey, Opts, [Key | Keys], N, Acc) -> +    CAOpts = list_to_atom(atom_to_list(Role) ++ "_ca_" ++ integer_to_list(N)), +    Cert = cert(Role, public_key:pkix_decode_cert(IssuerCert, otp), IssuerKey, Key, "webadmin",  +                " Intermidiate CA " ++ integer_to_list(N), Opts, CAOpts, ca), +    cert_chain(Role, Cert, Key, Opts, Keys, N+1, [{IssuerCert, IssuerKey} | Acc]). +         +cert(Role, #'OTPCertificate'{tbsCertificate = #'OTPTBSCertificate'{subject = Issuer, +                                                                   serialNumber = SNr +                                                                  }},  +     PrivKey, Key, Contact, Name, Opts, CertOptsName, Type) -> +    CertOpts = proplists:get_value(CertOptsName, Opts, []), +    TBS = cert_template(),          +    OTPTBS = TBS#'OTPTBSCertificate'{ +               signature = sign_algorithm(PrivKey, Opts), +               issuer =  Issuer, +               validity = validity(CertOpts),   +               subject = subject(Contact, atom_to_list(Role) ++ Name), +               subjectPublicKeyInfo = public_key(Key), +               extensions = extensions(Type,  +                                       add_default_extensions([{auth_key_id, {auth_key_oid(Role), Issuer, SNr}}], +                                                              CertOpts)) +              }, +    public_key:pkix_sign(OTPTBS, PrivKey). + +is_key(#'DSAPrivateKey'{}) -> +    true; +is_key(#'RSAPrivateKey'{}) -> +    true; +is_key(#'ECPrivateKey'{}) -> +    true; +is_key(_) -> +    false. + +der_to_pem(File, Entries) -> +    PemBin = public_key:pem_encode(Entries), +    file:write_file(File, PemBin). + +default_key_gen() -> +    case tls_v1:ecc_curves(0) of +        [] -> +            [{rsa, 2048, 17}, {rsa, 2048, 17}]; +        [_|_] -> +            [{namedCurve, hd(tls_v1:ecc_curves(0))}, +             {namedCurve, hd(tls_v1:ecc_curves(0))}] +    end. + +auth_key_oid(server) -> +    ?'id-kp-serverAuth'; +auth_key_oid(client) -> +    ?'id-kp-clientAuth'. | 
