diff --git a/tests/serverBrainpoolP256r1ECCert.pem b/tests/serverBrainpoolP256r1ECCert.pem new file mode 100644 index 00000000..9a382a10 --- /dev/null +++ b/tests/serverBrainpoolP256r1ECCert.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBfTCCASSgAwIBAgIUdcPtlDRLVcVmWcQ3V31oeAXDS1UwCgYIKoZIzj0EAwIw +FDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIwMTAyMjE5NTQzNloXDTMwMTAyMDE5 +NTQzNlowFDESMBAGA1UEAwwJbG9jYWxob3N0MFowFAYHKoZIzj0CAQYJKyQDAwII +AQEHA0IABAJ7rqWzCX/dPvyygGHSay+KSoyatGdA4/mciwqar+GdmwSWTzB9l0R3 +I4/rpCZ+Ri7CemspDWiZSYmZSMn3HESjUzBRMB0GA1UdDgQWBBT7XD/anl1lj1RP +LVFQlaeWiC2nvjAfBgNVHSMEGDAWgBT7XD/anl1lj1RPLVFQlaeWiC2nvjAPBgNV +HRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIAj6K/bwKOM26tKSNcLHPIr+ +XWZmSjaBCcaHeLuZcX8RAiBb6QIWftn0txlVwcNEay8d69XFJD1obZmKO4gxGe4K +gQ== +-----END CERTIFICATE----- diff --git a/tests/serverBrainpoolP256r1ECKey.pem b/tests/serverBrainpoolP256r1ECKey.pem new file mode 100644 index 00000000..b19cbf50 --- /dev/null +++ b/tests/serverBrainpoolP256r1ECKey.pem @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BgkrJAMDAggBAQc= +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHgCAQEEIH0gSdkrNpsObfPorvjAmllMjBXy9x9pnJ8vwmY7s9n/oAsGCSskAwMC +CAEBB6FEA0IABAJ7rqWzCX/dPvyygGHSay+KSoyatGdA4/mciwqar+GdmwSWTzB9 +l0R3I4/rpCZ+Ri7CemspDWiZSYmZSMn3HEQ= +-----END EC PRIVATE KEY----- diff --git a/tests/serverBrainpoolP384r1ECCert.pem b/tests/serverBrainpoolP384r1ECCert.pem new file mode 100644 index 00000000..8b4702d5 --- /dev/null +++ b/tests/serverBrainpoolP384r1ECCert.pem @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBvTCCAUSgAwIBAgIUPG1vSTSQmFemI8UU7EhB6tLSDmUwCgYIKoZIzj0EAwIw +FDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIwMTAyMjIxMTAyOFoXDTMwMTAyMDIx +MTAyOFowFDESMBAGA1UEAwwJbG9jYWxob3N0MHowFAYHKoZIzj0CAQYJKyQDAwII +AQELA2IABECMinC3tQTHVKMyUu5CPqDeq3VS9EuGuiP+5U6rzDto/eW/av1PGa0i +hThpbl3YUIQB/670LMBj9LIZE45py5nbGdSTl593j8f8BvMzK0h9gPlqjp+rx297 +u8+C+qZoH6NTMFEwHQYDVR0OBBYEFGrfLfFHE9VToCpWErYcETRg7D8kMB8GA1Ud +IwQYMBaAFGrfLfFHE9VToCpWErYcETRg7D8kMA8GA1UdEwEB/wQFMAMBAf8wCgYI +KoZIzj0EAwIDZwAwZAIwNmu55BssK8gA093oUmKl9md2mc90RpEr5jWdxNj7gQJU +QVumzJ9wVcJKmMah6hTRAjAC3mRQ7/gIdetJDMHRWECKhRhv9x42KdkCZFYR/o03 +q7CXY9Zb0VRk5fn2Prfb2MU= +-----END CERTIFICATE----- diff --git a/tests/serverBrainpoolP384r1ECKey.pem b/tests/serverBrainpoolP384r1ECKey.pem new file mode 100644 index 00000000..ebc011d5 --- /dev/null +++ b/tests/serverBrainpoolP384r1ECKey.pem @@ -0,0 +1,9 @@ +-----BEGIN EC PARAMETERS----- +BgkrJAMDAggBAQs= +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MIGoAgEBBDAYnSS9f9KTYKoFQoxWmVdmAwUOTlK6hcj73SrBeLHq/AtaAMAklNGv +M/Lf0iTbm8+gCwYJKyQDAwIIAQELoWQDYgAEQIyKcLe1BMdUozJS7kI+oN6rdVL0 +S4a6I/7lTqvMO2j95b9q/U8ZrSKFOGluXdhQhAH/rvQswGP0shkTjmnLmdsZ1JOX +n3ePx/wG8zMrSH2A+WqOn6vHb3u7z4L6pmgf +-----END EC PRIVATE KEY----- diff --git a/tests/serverBrainpoolP512r1ECCert.pem b/tests/serverBrainpoolP512r1ECCert.pem new file mode 100644 index 00000000..38c371f7 --- /dev/null +++ b/tests/serverBrainpoolP512r1ECCert.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIICAjCCAWagAwIBAgIUFgWkgS+N65P1N20PV1aABz2g62cwCgYIKoZIzj0EAwIw +FDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIwMTAyMjIxMTA1OFoXDTMwMTAyMDIx +MTA1OFowFDESMBAGA1UEAwwJbG9jYWxob3N0MIGbMBQGByqGSM49AgEGCSskAwMC +CAEBDQOBggAEeB8B7ZJPBeo2Dn1J5u3IZ6r4SX7256TZRGCdbakwqq/CM8bCRxL2 +aR1lg1CKnV/MzpVkwdRyOw7ArLyDv38PaiU2vLxmpLqftcUPfhQqnDabfB+TLaoJ +Mzaphp4Ry9sPl6Rne0d+TKYAAIJm2VovcpL8THgeJX4SkXVxUTuU+FGjUzBRMB0G +A1UdDgQWBBSY5cFYRVDd4uI47QW9EGcztkFgjzAfBgNVHSMEGDAWgBSY5cFYRVDd +4uI47QW9EGcztkFgjzAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA4GJADCB +hQJAN7IS6Gff8Sc+tBz5U3EmKmM/epQX8SHiah2qkza+Qli5MblOY9JP7qaDBEiR +FCxzOXgW+PyyN6nXBNpcCGTNtwJBAKrF0UXRpb7ayHkWZ0DNRYEhGxYtbc/nhwHv +ODc6CjTi4qDrSoZZNWGU/JADelB48b9E6gW54vcpUFT1WgLbgyo= +-----END CERTIFICATE----- diff --git a/tests/serverBrainpoolP512r1ECKey.pem b/tests/serverBrainpoolP512r1ECKey.pem new file mode 100644 index 00000000..6b14e494 --- /dev/null +++ b/tests/serverBrainpoolP512r1ECKey.pem @@ -0,0 +1,10 @@ +-----BEGIN EC PARAMETERS----- +BgkrJAMDAggBAQ0= +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MIHaAgEBBEAcA+aaUOXU1dX/R0BnzGkLs88hB507uszFBmWussX7HylhsbNTToxW +F8H5HC5dZEnIKFLQStSpI3z7pcVyaGb4oAsGCSskAwMCCAEBDaGBhQOBggAEeB8B +7ZJPBeo2Dn1J5u3IZ6r4SX7256TZRGCdbakwqq/CM8bCRxL2aR1lg1CKnV/MzpVk +wdRyOw7ArLyDv38PaiU2vLxmpLqftcUPfhQqnDabfB+TLaoJMzaphp4Ry9sPl6Rn +e0d+TKYAAIJm2VovcpL8THgeJX4SkXVxUTuU+FE= +-----END EC PRIVATE KEY----- diff --git a/tests/tlstest.py b/tests/tlstest.py index 9dd8a6f3..d12f8f29 100755 --- a/tests/tlstest.py +++ b/tests/tlstest.py @@ -303,6 +303,26 @@ def connect(): test_no += 1 + for curve, keySize in (("brainpoolP256r1", 256), + ("brainpoolP384r1", 384), + ("brainpoolP512r1", 512)): + print("Test {0} - Two good ECDSA certs - {1}, TLSv1.2".format(test_no, curve)) + synchro.recv(1) + connection = connect() + settings = HandshakeSettings() + settings.minVersion = (3, 3) + settings.maxVersion = (3, 3) + settings.eccCurves = [curve] + settings.keyShares = [curve] + connection.handshakeClientCert(settings=settings) + testConnClient(connection) + assert isinstance(connection.session.serverCertChain, X509CertChain) + assert len(connection.session.serverCertChain.getEndEntityPublicKey()) \ + == keySize + connection.close() + + test_no += 1 + print("Test {0} - Two good ECDSA certs - secp256r1, TLSv1.2".format(test_no)) synchro.recv(1) connection = connect() @@ -1646,6 +1666,28 @@ def connect(): x509ecdsaP521Key = parsePEMKey(f.read(), private=True, implementations=["python"]) + with open(os.path.join(dir, "serverBrainpoolP256r1ECCert.pem")) as f: + x509CertBrainpoolP256r1ECDSA = X509().parse(f.read()) + x509ecdsaBrainpoolP256r1Chain = X509CertChain([x509CertBrainpoolP256r1ECDSA]) + assert x509CertBrainpoolP256r1ECDSA.certAlg == "ecdsa" + with open(os.path.join(dir, "serverBrainpoolP256r1ECKey.pem")) as f: + x509ecdsaBrainpoolP256r1Key = parsePEMKey(f.read(), private=True, + implementations=["python"]) + with open(os.path.join(dir, "serverBrainpoolP384r1ECCert.pem")) as f: + x509CertBrainpoolP384r1ECDSA = X509().parse(f.read()) + x509ecdsaBrainpoolP384r1Chain = X509CertChain([x509CertBrainpoolP384r1ECDSA]) + assert x509CertBrainpoolP384r1ECDSA.certAlg == "ecdsa" + with open(os.path.join(dir, "serverBrainpoolP384r1ECKey.pem")) as f: + x509ecdsaBrainpoolP384r1Key = parsePEMKey(f.read(), private=True, + implementations=["python"]) + with open(os.path.join(dir, "serverBrainpoolP512r1ECCert.pem")) as f: + x509CertBrainpoolP512r1ECDSA = X509().parse(f.read()) + x509ecdsaBrainpoolP512r1Chain = X509CertChain([x509CertBrainpoolP512r1ECDSA]) + assert x509CertBrainpoolP512r1ECDSA.certAlg == "ecdsa" + with open(os.path.join(dir, "serverBrainpoolP512r1ECKey.pem")) as f: + x509ecdsaBrainpoolP512r1Key = parsePEMKey(f.read(), private=True, + implementations=["python"]) + with open(os.path.join(dir, "serverRSANonCACert.pem")) as f: x509CertRSANonCA = X509().parse(f.read()) x509ChainRSANonCA = X509CertChain([x509CertRSANonCA]) @@ -1835,6 +1877,29 @@ def connect(): test_no += 1 + for curve, certChain, key in (("brainpoolP256r1", x509ecdsaBrainpoolP256r1Chain, x509ecdsaBrainpoolP256r1Key), + ("brainpoolP384r1", x509ecdsaBrainpoolP384r1Chain, x509ecdsaBrainpoolP384r1Key), + ("brainpoolP512r1", x509ecdsaBrainpoolP512r1Chain, x509ecdsaBrainpoolP512r1Key)): + print("Test {0} - Two good ECDSA certs - {1}, TLSv1.2".format(test_no, curve)) + synchro.send(b'R') + connection = connect() + settings = HandshakeSettings() + settings.minVersion = (3, 3) + settings.maxVersion = (3, 3) + settings.eccCurves = [curve, "secp256r1"] + settings.keyShares = [curve, "secp256r1"] + v_host = VirtualHost() + v_host.keys = [Keypair(x509ecdsaKey, x509ecdsaChain.x509List)] + settings.virtual_hosts = [v_host] + connection.handshakeServer(certChain=certChain, + privateKey=key, settings=settings) + assert connection.extendedMasterSecret + assert connection.session.serverCertChain == certChain + testConnServer(connection) + connection.close() + + test_no += 1 + for curve, exp_chain in (("secp256r1", x509ecdsaChain), ("secp384r1", x509ecdsaP384Chain)): print("Test {0} - Two good ECDSA certs - {1}, TLSv1.2" diff --git a/tlslite/handshakesettings.py b/tlslite/handshakesettings.py index 345b767c..685d74ab 100644 --- a/tlslite/handshakesettings.py +++ b/tlslite/handshakesettings.py @@ -35,9 +35,8 @@ # so place it as the last one CURVE_NAMES = ["x25519", "x448", "secp384r1", "secp256r1", "secp521r1"] -ALL_CURVE_NAMES = CURVE_NAMES + ["secp256k1", "brainpoolP512r1", "brainpoolP320r1", - "brainpoolP384r1", "brainpoolP320r1", "brainpoolP256r1", - "brainpoolP224r1", "brainpoolP192r1"] +ALL_CURVE_NAMES = CURVE_NAMES + ["secp256k1", "brainpoolP512r1", + "brainpoolP384r1", "brainpoolP256r1"] if ecdsaAllCurves: ALL_CURVE_NAMES += ["secp224r1", "secp192r1"] ALL_DH_GROUP_NAMES = ["ffdhe2048", "ffdhe3072", "ffdhe4096", "ffdhe6144", @@ -48,11 +47,7 @@ "secp256k1": ('SECP256k1',), "secp192r1": ('NIST192p', 'P-192'), "secp224r1": ('NIST224p', 'P-224'), - "brainpoolP160r1": ('BRAINPOOLP160r1',), - "brainpoolP192r1": ('BRAINPOOLP192r1',), - "brainpoolP224r1": ('BRAINPOOLP224r1',), "brainpoolP256r1": ('BRAINPOOLP256r1',), - "brainpoolP320r1": ('BRAINPOOLP320r1',), "brainpoolP384r1": ('BRAINPOOLP384r1',), "brainpoolP512r1": ('BRAINPOOLP512r1',)} KNOWN_VERSIONS = ((3, 0), (3, 1), (3, 2), (3, 3), (3, 4)) diff --git a/tlslite/utils/ecc.py b/tlslite/utils/ecc.py index 00e1c900..484362ea 100644 --- a/tlslite/utils/ecc.py +++ b/tlslite/utils/ecc.py @@ -38,11 +38,7 @@ def getCurveByName(curveName): 'secp384r1':ecdsa.NIST384p, 'secp521r1':ecdsa.NIST521p, 'secp256k1':ecdsa.SECP256k1, - 'brainpoolP160r1': ecdsa.BRAINPOOLP160r1, - 'brainpoolP192r1': ecdsa.BRAINPOOLP192r1, - 'brainpoolP224r1': ecdsa.BRAINPOOLP224r1, 'brainpoolP256r1': ecdsa.BRAINPOOLP256r1, - 'brainpoolP320r1': ecdsa.BRAINPOOLP320r1, 'brainpoolP384r1': ecdsa.BRAINPOOLP384r1, 'brainpoolP512r1': ecdsa.BRAINPOOLP512r1} if ecdsaAllCurves: @@ -60,11 +56,7 @@ def getPointByteSize(point): ecdsa.NIST384p.curve: 384//8, ecdsa.NIST521p.curve: (521+7)//8, ecdsa.SECP256k1.curve: 256//8, - ecdsa.BRAINPOOLP160r1.curve: 160//8, - ecdsa.BRAINPOOLP192r1.curve: 192//8, - ecdsa.BRAINPOOLP224r1.curve: 224//8, ecdsa.BRAINPOOLP256r1.curve: 256//8, - ecdsa.BRAINPOOLP320r1.curve: 320//8, ecdsa.BRAINPOOLP384r1.curve: 384//8, ecdsa.BRAINPOOLP512r1.curve: 512//8} if ecdsaAllCurves: