Source file
src/crypto/tls/auth_test.go
1
2
3
4
5 package tls
6
7 import (
8 "crypto"
9 "testing"
10 )
11
12 func TestSignatureSelection(t *testing.T) {
13 rsaCert := &Certificate{
14 Certificate: [][]byte{testRSACertificate},
15 PrivateKey: testRSAPrivateKey,
16 }
17 pkcs1Cert := &Certificate{
18 Certificate: [][]byte{testRSACertificate},
19 PrivateKey: testRSAPrivateKey,
20 SupportedSignatureAlgorithms: []SignatureScheme{PKCS1WithSHA1, PKCS1WithSHA256},
21 }
22 ecdsaCert := &Certificate{
23 Certificate: [][]byte{testP256Certificate},
24 PrivateKey: testP256PrivateKey,
25 }
26 ed25519Cert := &Certificate{
27 Certificate: [][]byte{testEd25519Certificate},
28 PrivateKey: testEd25519PrivateKey,
29 }
30
31 tests := []struct {
32 cert *Certificate
33 peerSigAlgs []SignatureScheme
34 tlsVersion uint16
35
36 expectedSigAlg SignatureScheme
37 expectedSigType uint8
38 expectedHash crypto.Hash
39 }{
40 {rsaCert, []SignatureScheme{PKCS1WithSHA1, PKCS1WithSHA256}, VersionTLS12, PKCS1WithSHA1, signaturePKCS1v15, crypto.SHA1},
41 {rsaCert, []SignatureScheme{PKCS1WithSHA512, PKCS1WithSHA1}, VersionTLS12, PKCS1WithSHA512, signaturePKCS1v15, crypto.SHA512},
42 {rsaCert, []SignatureScheme{PSSWithSHA256, PKCS1WithSHA256}, VersionTLS12, PSSWithSHA256, signatureRSAPSS, crypto.SHA256},
43 {pkcs1Cert, []SignatureScheme{PSSWithSHA256, PKCS1WithSHA256}, VersionTLS12, PKCS1WithSHA256, signaturePKCS1v15, crypto.SHA256},
44 {rsaCert, []SignatureScheme{PSSWithSHA384, PKCS1WithSHA1}, VersionTLS13, PSSWithSHA384, signatureRSAPSS, crypto.SHA384},
45 {ecdsaCert, []SignatureScheme{ECDSAWithSHA1}, VersionTLS12, ECDSAWithSHA1, signatureECDSA, crypto.SHA1},
46 {ecdsaCert, []SignatureScheme{ECDSAWithP256AndSHA256}, VersionTLS12, ECDSAWithP256AndSHA256, signatureECDSA, crypto.SHA256},
47 {ecdsaCert, []SignatureScheme{ECDSAWithP256AndSHA256}, VersionTLS13, ECDSAWithP256AndSHA256, signatureECDSA, crypto.SHA256},
48 {ed25519Cert, []SignatureScheme{Ed25519}, VersionTLS12, Ed25519, signatureEd25519, directSigning},
49 {ed25519Cert, []SignatureScheme{Ed25519}, VersionTLS13, Ed25519, signatureEd25519, directSigning},
50
51
52 {rsaCert, nil, VersionTLS12, PKCS1WithSHA1, signaturePKCS1v15, crypto.SHA1},
53 {ecdsaCert, nil, VersionTLS12, ECDSAWithSHA1, signatureECDSA, crypto.SHA1},
54
55
56 {ecdsaCert, []SignatureScheme{ECDSAWithP384AndSHA384}, VersionTLS12, ECDSAWithP384AndSHA384, signatureECDSA, crypto.SHA384},
57 }
58
59 for testNo, test := range tests {
60 sigAlg, err := selectSignatureScheme(test.tlsVersion, test.cert, test.peerSigAlgs)
61 if err != nil {
62 t.Errorf("test[%d]: unexpected selectSignatureScheme error: %v", testNo, err)
63 }
64 if test.expectedSigAlg != sigAlg {
65 t.Errorf("test[%d]: expected signature scheme %v, got %v", testNo, test.expectedSigAlg, sigAlg)
66 }
67 sigType, hashFunc, err := typeAndHashFromSignatureScheme(sigAlg)
68 if err != nil {
69 t.Errorf("test[%d]: unexpected typeAndHashFromSignatureScheme error: %v", testNo, err)
70 }
71 if test.expectedSigType != sigType {
72 t.Errorf("test[%d]: expected signature algorithm %#x, got %#x", testNo, test.expectedSigType, sigType)
73 }
74 if test.expectedHash != hashFunc {
75 t.Errorf("test[%d]: expected hash function %#x, got %#x", testNo, test.expectedHash, hashFunc)
76 }
77 }
78
79 brokenCert := &Certificate{
80 Certificate: [][]byte{testRSACertificate},
81 PrivateKey: testRSAPrivateKey,
82 SupportedSignatureAlgorithms: []SignatureScheme{Ed25519},
83 }
84
85 badTests := []struct {
86 cert *Certificate
87 peerSigAlgs []SignatureScheme
88 tlsVersion uint16
89 }{
90 {rsaCert, []SignatureScheme{ECDSAWithP256AndSHA256, ECDSAWithSHA1}, VersionTLS12},
91 {ecdsaCert, []SignatureScheme{PKCS1WithSHA256, PKCS1WithSHA1}, VersionTLS12},
92 {rsaCert, []SignatureScheme{0}, VersionTLS12},
93 {ed25519Cert, []SignatureScheme{ECDSAWithP256AndSHA256, ECDSAWithSHA1}, VersionTLS12},
94 {ecdsaCert, []SignatureScheme{Ed25519}, VersionTLS12},
95 {brokenCert, []SignatureScheme{Ed25519}, VersionTLS12},
96 {brokenCert, []SignatureScheme{PKCS1WithSHA256}, VersionTLS12},
97
98
99
100 {ed25519Cert, nil, VersionTLS12},
101
102 {rsaCert, nil, VersionTLS13},
103 {ecdsaCert, nil, VersionTLS13},
104 {ed25519Cert, nil, VersionTLS13},
105
106 {ecdsaCert, []SignatureScheme{ECDSAWithP384AndSHA384}, VersionTLS13},
107
108 {rsaCert, []SignatureScheme{PKCS1WithSHA256}, VersionTLS13},
109 {pkcs1Cert, []SignatureScheme{PSSWithSHA256, PKCS1WithSHA256}, VersionTLS13},
110 {ecdsaCert, []SignatureScheme{ECDSAWithSHA1}, VersionTLS13},
111
112 {rsaCert, []SignatureScheme{PSSWithSHA512}, VersionTLS12},
113 }
114
115 for testNo, test := range badTests {
116 sigAlg, err := selectSignatureScheme(test.tlsVersion, test.cert, test.peerSigAlgs)
117 if err == nil {
118 t.Errorf("test[%d]: unexpected success, got %v", testNo, sigAlg)
119 }
120 }
121 }
122
123 func TestLegacyTypeAndHash(t *testing.T) {
124 sigType, hashFunc, err := legacyTypeAndHashFromPublicKey(testRSAPrivateKey.Public())
125 if err != nil {
126 t.Errorf("RSA: unexpected error: %v", err)
127 }
128 if expectedSigType := signaturePKCS1v15; expectedSigType != sigType {
129 t.Errorf("RSA: expected signature type %#x, got %#x", expectedSigType, sigType)
130 }
131 if expectedHashFunc := crypto.MD5SHA1; expectedHashFunc != hashFunc {
132 t.Errorf("RSA: expected hash %#x, got %#x", expectedHashFunc, hashFunc)
133 }
134
135 sigType, hashFunc, err = legacyTypeAndHashFromPublicKey(testECDSAPrivateKey.Public())
136 if err != nil {
137 t.Errorf("ECDSA: unexpected error: %v", err)
138 }
139 if expectedSigType := signatureECDSA; expectedSigType != sigType {
140 t.Errorf("ECDSA: expected signature type %#x, got %#x", expectedSigType, sigType)
141 }
142 if expectedHashFunc := crypto.SHA1; expectedHashFunc != hashFunc {
143 t.Errorf("ECDSA: expected hash %#x, got %#x", expectedHashFunc, hashFunc)
144 }
145
146
147 _, _, err = legacyTypeAndHashFromPublicKey(testEd25519PrivateKey.Public())
148 if err == nil {
149 t.Errorf("Ed25519: unexpected success")
150 }
151 }
152
153
154
155 func TestSupportedSignatureAlgorithms(t *testing.T) {
156 for _, sigAlg := range supportedSignatureAlgorithms {
157 sigType, hash, err := typeAndHashFromSignatureScheme(sigAlg)
158 if err != nil {
159 t.Errorf("%v: unexpected error: %v", sigAlg, err)
160 }
161 if sigType == 0 {
162 t.Errorf("%v: missing signature type", sigAlg)
163 }
164 if hash == 0 && sigAlg != Ed25519 {
165 t.Errorf("%v: missing hash", sigAlg)
166 }
167 }
168 }
169
View as plain text