Merge 837f89c into 401712c

tests/serverECCert.pem

@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbTCCARSgAwIBAgIJAPM58cskyK+yMAkGByqGSM49BAEwFDESMBAGA1UEAwwJ
+bG9jYWxob3N0MB4XDTE3MTAyMzExNDI0MVoXDTE3MTEyMjExNDI0MVowFDESMBAG
+A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyDRjEAJe
+3F5T62MyZbhjoJnPLGL2nrTthLFymBupZ2IbnWYnqVWDkT/L6i8sQhf2zCLrlSjj
+1kn7ERqPx/KZyqNQME4wHQYDVR0OBBYEFPfFTUg9o3t6ehLsschSnC8Te8oaMB8G
+A1UdIwQYMBaAFPfFTUg9o3t6ehLsschSnC8Te8oaMAwGA1UdEwQFMAMBAf8wCQYH
+KoZIzj0EAQNIADBFAiA6p0YM5ZzfW+klHPRU2r13/IfKgeRfDR3dtBngmPvxUgIh
+APTeSDeJvYWVBLzyrKTeSerNDKKHU2Rt7sufipv76+7s
+-----END CERTIFICATE-----

tests/serverECKey.pem

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgCOZr0Ovs0eCmh+XM
+QWDYVpsQ+sJdjiq/itp/kYnWNSahRANCAATINGMQAl7cXlPrYzJluGOgmc8sYvae
+tO2EsXKYG6lnYhudZiepVYORP8vqLyxCF/bMIuuVKOPWSfsRGo/H8pnK
+-----END PRIVATE KEY-----

tests/tlstest.py

@@ -215,6 +215,83 @@ def connect():
 
     test_no += 1
 
+    print("Test {0} - good X.509 ECDSA, SSLv3".format(test_no))
+    synchro.recv(1)
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 0)
+    settings.maxVersion = (3, 0)
+    connection.handshakeClientCert(settings=settings)
+    testConnClient(connection)
+    assert connection.session.cipherSuite in\
+            constants.CipherSuite.ecdheEcdsaSuites
+    assert isinstance(connection.session.serverCertChain, X509CertChain)
+    connection.close()
+
+    test_no += 1
+
+    print("Test {0} - good X.509 ECDSA, TLSv1.0".format(test_no))
+    synchro.recv(1)
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 1)
+    settings.maxVersion = (3, 1)
+    connection.handshakeClientCert(settings=settings)
+    testConnClient(connection)
+    assert connection.session.cipherSuite in\
+            constants.CipherSuite.ecdheEcdsaSuites
+    assert isinstance(connection.session.serverCertChain, X509CertChain)
+    connection.close()
+
+    test_no += 1
+
+    print("Test {0} - good X.509 ECDSA, TLSv1.2".format(test_no))
+    synchro.recv(1)
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 3)
+    settings.maxVersion = (3, 3)
+    connection.handshakeClientCert(settings=settings)
+    testConnClient(connection)
+    assert connection.session.cipherSuite in\
+            constants.CipherSuite.ecdheEcdsaSuites
+    assert isinstance(connection.session.serverCertChain, X509CertChain)
+    connection.close()
+
+    test_no += 1
+
+    print("Test {0} - mismatched ECDSA curve, TLSv1.2".format(test_no))
+    synchro.recv(1)
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 3)
+    settings.maxVersion = (3, 3)
+    settings.eccCurves = ["secp384r1"]
+    settings.keyShares = []
+    try:
+        connection.handshakeClientCert(settings=settings)
+        assert False
+    except TLSLocalAlert as e:
+        assert "certificate with curve" in str(e)
+    connection.close()
+
+    test_no += 1
+
+    print("Test {0} - good X.509 ECDSA, TLSv1.3".format(test_no))
+    synchro.recv(1)
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 4)
+    settings.maxVersion = (3, 4)
+    connection.handshakeClientCert(settings=settings)
+    testConnClient(connection)
+    assert connection.session.cipherSuite in\
+            constants.CipherSuite.tls13Suites
+    assert isinstance(connection.session.serverCertChain, X509CertChain)
+    connection.close()
+
+    test_no += 1
+
     print("Test {0} - good X.509, mismatched key_share".format(test_no))
     synchro.recv(1)
     connection = connect()
@@ -1069,10 +1146,11 @@ def connect():
         s.settimeout(15)
         return TLSConnection(s)
 
-    x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read())
+    with open(os.path.join(dir, "serverX509Cert.pem")) as f:
+        x509Cert = X509().parse(f.read())
     x509Chain = X509CertChain([x509Cert])
-    s = open(os.path.join(dir, "serverX509Key.pem")).read()
-    x509Key = parsePEMKey(s, private=True)
+    with open(os.path.join(dir, "serverX509Key.pem")) as f:
+        x509Key = parsePEMKey(f.read(), private=True)
 
     with open(os.path.join(dir, "serverRSAPSSSigCert.pem")) as f:
         x509CertRSAPSSSig = X509().parse(f.read())
@@ -1088,6 +1166,14 @@ def connect():
         x509KeyRSAPSS = parsePEMKey(f.read(), private=True,
                                     implementations=["python"])
 
+    with open(os.path.join(dir, "serverECCert.pem")) as f:
+        x509CertECDSA = X509().parse(f.read())
+    x509ecdsaChain = X509CertChain([x509CertECDSA])
+    assert x509CertECDSA.certAlg == "ecdsa"
+    with open(os.path.join(dir, "serverECKey.pem")) as f:
+        x509ecdsaKey = parsePEMKey(f.read(), private=True,
+                                   implementations=["python"])
+
     test_no = 0
 
     print("Test {0} - Anonymous server handshake".format(test_no))
@@ -1187,6 +1273,77 @@ def connect():
 
     test_no += 1
 
+    print("Test {0} - good X.509 ECDSA, SSLv3".format(test_no))
+    synchro.send(b'R')
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 0)
+    settings.maxVersion = (3, 0)
+    connection.handshakeServer(certChain=x509ecdsaChain,
+                               privateKey=x509ecdsaKey, settings=settings)
+    assert not connection.extendedMasterSecret
+    testConnServer(connection)
+    connection.close()
+
+    test_no += 1
+
+    print("Test {0} - good X.509 ECDSA, TLSv1.0".format(test_no))
+    synchro.send(b'R')
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 1)
+    settings.maxVersion = (3, 1)
+    connection.handshakeServer(certChain=x509ecdsaChain,
+                               privateKey=x509ecdsaKey, settings=settings)
+    assert connection.extendedMasterSecret
+    testConnServer(connection)
+    connection.close()
+
+    test_no += 1
+
+    print("Test {0} - good X.509 ECDSA, TLSv1.2".format(test_no))
+    synchro.send(b'R')
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 3)
+    settings.maxVersion = (3, 3)
+    connection.handshakeServer(certChain=x509ecdsaChain,
+                               privateKey=x509ecdsaKey, settings=settings)
+    assert connection.extendedMasterSecret
+    testConnServer(connection)
+    connection.close()
+
+    test_no += 1
+
+    print("Test {0} - mismatched ECDSA curve, TLSv1.2".format(test_no))
+    synchro.send(b'R')
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 3)
+    settings.maxVersion = (3, 3)
+    try:
+        connection.handshakeServer(certChain=x509ecdsaChain,
+                                   privateKey=x509ecdsaKey, settings=settings)
+    except TLSRemoteAlert as e:
+        assert "handshake_failure" in str(e)
+    connection.close()
+
+    test_no += 1
+
+    print("Test {0} - good X.509 ECDSA, TLSv1.3".format(test_no))
+    synchro.send(b'R')
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 4)
+    settings.maxVersion = (3, 4)
+    connection.handshakeServer(certChain=x509ecdsaChain,
+                               privateKey=x509ecdsaKey, settings=settings)
+    assert connection.extendedMasterSecret
+    testConnServer(connection)
+    connection.close()
+
+    test_no += 1
+
     print("Test {0} - good X.509, mismatched key_share".format(test_no))
     synchro.send(b'R')
     connection = connect()