2 * Copyright (C) 2016 Tobias Brunner
3 * Hochschule fuer Technik Rapperswil
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 #include "test_suite.h"
18 #include <credentials/auth_cfg.h>
22 signature_scheme_t sig
[5];
23 signature_scheme_t ike
[5];
24 } sig_constraints_tests
[] = {
25 { "rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256
, 0 }, {0}},
26 { "rsa-sha256-sha512", { SIGN_RSA_EMSA_PKCS1_SHA2_256
, SIGN_RSA_EMSA_PKCS1_SHA2_512
, 0 }, {0}},
27 { "ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER
, SIGN_ECDSA_256
, 0 }, {0}},
28 { "rsa-sha256-ecdsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256
, SIGN_ECDSA_WITH_SHA256_DER
, SIGN_ECDSA_256
, 0 }, {0}},
29 { "pubkey-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256
, SIGN_ECDSA_WITH_SHA256_DER
, SIGN_ECDSA_256
, SIGN_BLISS_WITH_SHA2_256
, 0 }, {0}},
30 { "ike:rsa-sha256", {0}, { SIGN_RSA_EMSA_PKCS1_SHA2_256
, 0 }},
31 { "ike:rsa-sha256-rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256
, 0 }, { SIGN_RSA_EMSA_PKCS1_SHA2_256
, 0 }},
32 { "rsa-sha256-ike:rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256
, 0 }, { SIGN_RSA_EMSA_PKCS1_SHA2_256
, 0 }},
33 { "ike:pubkey-sha256", {0}, { SIGN_RSA_EMSA_PKCS1_SHA2_256
, SIGN_ECDSA_WITH_SHA256_DER
, SIGN_ECDSA_256
, SIGN_BLISS_WITH_SHA2_256
, 0 }},
34 { "rsa-ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER
, SIGN_ECDSA_256
, 0 }, {0}},
35 { "rsa-4096-ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER
, SIGN_ECDSA_256
, 0 }, {0}},
36 { "rsa-4096-ecdsa-256-sha256", { SIGN_ECDSA_WITH_SHA256_DER
, SIGN_ECDSA_256
, 0 }, {0}},
37 { "rsa-ecdsa256-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256
, 0 }, {0}},
38 { "rsa4096-sha256", {0}, {0}},
39 { "sha256", {0}, {0}},
40 { "ike:sha256", {0}, {0}},
43 static void check_sig_constraints(auth_cfg_t
*cfg
, auth_rule_t type
,
44 signature_scheme_t expected
[])
46 enumerator_t
*enumerator
;
48 signature_params_t
*value
;
51 enumerator
= cfg
->create_enumerator(cfg
);
52 while (enumerator
->enumerate(enumerator
, &t
, &value
))
56 ck_assert(expected
[i
]);
57 ck_assert_int_eq(expected
[i
], value
->scheme
);
61 enumerator
->destroy(enumerator
);
62 ck_assert(!expected
[i
]);
65 START_TEST(test_sig_contraints
)
68 signature_scheme_t none
[] = {0};
70 cfg
= auth_cfg_create();
71 cfg
->add_pubkey_constraints(cfg
, sig_constraints_tests
[_i
].constraints
, FALSE
);
72 check_sig_constraints(cfg
, AUTH_RULE_SIGNATURE_SCHEME
, sig_constraints_tests
[_i
].sig
);
73 check_sig_constraints(cfg
, AUTH_RULE_IKE_SIGNATURE_SCHEME
, none
);
76 lib
->settings
->set_bool(lib
->settings
, "%s.signature_authentication_constraints",
79 cfg
= auth_cfg_create();
80 cfg
->add_pubkey_constraints(cfg
, sig_constraints_tests
[_i
].constraints
, TRUE
);
81 check_sig_constraints(cfg
, AUTH_RULE_SIGNATURE_SCHEME
, sig_constraints_tests
[_i
].sig
);
82 check_sig_constraints(cfg
, AUTH_RULE_IKE_SIGNATURE_SCHEME
, sig_constraints_tests
[_i
].ike
);
87 START_TEST(test_ike_contraints_fallback
)
91 lib
->settings
->set_bool(lib
->settings
, "%s.signature_authentication_constraints",
94 cfg
= auth_cfg_create();
95 cfg
->add_pubkey_constraints(cfg
, sig_constraints_tests
[_i
].constraints
, TRUE
);
96 check_sig_constraints(cfg
, AUTH_RULE_SIGNATURE_SCHEME
, sig_constraints_tests
[_i
].sig
);
97 if (sig_constraints_tests
[_i
].ike
[0])
99 check_sig_constraints(cfg
, AUTH_RULE_IKE_SIGNATURE_SCHEME
, sig_constraints_tests
[_i
].ike
);
103 check_sig_constraints(cfg
, AUTH_RULE_IKE_SIGNATURE_SCHEME
, sig_constraints_tests
[_i
].sig
);
110 rsa_pss_params_t pss
;
111 } signature_param_types_t
;
115 signature_scheme_t sig
[5];
116 signature_param_types_t p
[5];
117 } sig_constraints_params_tests
[] = {
118 { "rsa/pss-sha256", { SIGN_RSA_EMSA_PSS
, 0 }, {
119 { .pss
= { .hash
= HASH_SHA256
, .mgf1_hash
= HASH_SHA256
, .salt_len
= HASH_SIZE_SHA256
, }}}},
120 { "rsa/pss-sha256-sha384", { SIGN_RSA_EMSA_PSS
, SIGN_RSA_EMSA_PSS
, 0 }, {
121 { .pss
= { .hash
= HASH_SHA256
, .mgf1_hash
= HASH_SHA256
, .salt_len
= HASH_SIZE_SHA256
, }},
122 { .pss
= { .hash
= HASH_SHA384
, .mgf1_hash
= HASH_SHA384
, .salt_len
= HASH_SIZE_SHA384
, }}}},
123 { "rsa/pss-sha256-rsa-sha256", { SIGN_RSA_EMSA_PSS
, SIGN_RSA_EMSA_PKCS1_SHA2_256
, 0 }, {
124 { .pss
= { .hash
= HASH_SHA256
, .mgf1_hash
= HASH_SHA256
, .salt_len
= HASH_SIZE_SHA256
, }}}},
125 { "rsa-sha256-rsa/pss-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256
, SIGN_RSA_EMSA_PSS
, 0 }, {
127 { .pss
= { .hash
= HASH_SHA256
, .mgf1_hash
= HASH_SHA256
, .salt_len
= HASH_SIZE_SHA256
, }}}},
128 { "rsa/pss", { 0 }, {}},
131 static void check_sig_constraints_params(auth_cfg_t
*cfg
, auth_rule_t type
,
132 signature_scheme_t scheme
[],
133 signature_param_types_t p
[])
135 enumerator_t
*enumerator
;
137 signature_params_t
*value
;
140 enumerator
= cfg
->create_enumerator(cfg
);
141 while (enumerator
->enumerate(enumerator
, &t
, &value
))
145 if (scheme
[i
] == SIGN_RSA_EMSA_PSS
)
147 signature_params_t expected
= {
151 ck_assert(signature_params_equal(value
, &expected
));
155 ck_assert(scheme
[i
]);
156 ck_assert(!value
->params
);
157 ck_assert_int_eq(scheme
[i
], value
->scheme
);
162 enumerator
->destroy(enumerator
);
163 ck_assert(!scheme
[i
]);
166 START_TEST(test_sig_contraints_params
)
170 cfg
= auth_cfg_create();
171 cfg
->add_pubkey_constraints(cfg
, sig_constraints_params_tests
[_i
].constraints
, TRUE
);
172 check_sig_constraints_params(cfg
, AUTH_RULE_IKE_SIGNATURE_SCHEME
,
173 sig_constraints_params_tests
[_i
].sig
,
174 sig_constraints_params_tests
[_i
].p
);
181 signature_scheme_t sig
[6];
182 signature_param_types_t p
[6];
183 } sig_constraints_rsa_pss_tests
[] = {
184 { "pubkey-sha256", { SIGN_RSA_EMSA_PSS
, SIGN_RSA_EMSA_PKCS1_SHA2_256
, SIGN_ECDSA_WITH_SHA256_DER
, SIGN_ECDSA_256
, SIGN_BLISS_WITH_SHA2_256
, 0 }, {
185 { .pss
= { .hash
= HASH_SHA256
, .mgf1_hash
= HASH_SHA256
, .salt_len
= HASH_SIZE_SHA256
, }}, {}, {}, {}, {}}},
186 { "rsa-sha256", { SIGN_RSA_EMSA_PSS
, SIGN_RSA_EMSA_PKCS1_SHA2_256
, 0 }, {
187 { .pss
= { .hash
= HASH_SHA256
, .mgf1_hash
= HASH_SHA256
, .salt_len
= HASH_SIZE_SHA256
, }}, {}}},
190 START_TEST(test_sig_contraints_rsa_pss
)
194 lib
->settings
->set_bool(lib
->settings
, "%s.rsa_pss", TRUE
, lib
->ns
);
196 cfg
= auth_cfg_create();
197 cfg
->add_pubkey_constraints(cfg
, sig_constraints_rsa_pss_tests
[_i
].constraints
, TRUE
);
198 check_sig_constraints_params(cfg
, AUTH_RULE_IKE_SIGNATURE_SCHEME
,
199 sig_constraints_rsa_pss_tests
[_i
].sig
,
200 sig_constraints_rsa_pss_tests
[_i
].p
);
205 Suite
*auth_cfg_suite_create()
210 s
= suite_create("auth_cfg");
212 tc
= tcase_create("add_pubkey_constraints");
213 tcase_add_loop_test(tc
, test_sig_contraints
, 0, countof(sig_constraints_tests
));
214 tcase_add_loop_test(tc
, test_ike_contraints_fallback
, 0, countof(sig_constraints_tests
));
215 suite_add_tcase(s
, tc
);
217 tc
= tcase_create("add_pubkey_constraints parameters");
218 tcase_add_loop_test(tc
, test_sig_contraints_params
, 0, countof(sig_constraints_params_tests
));
219 tcase_add_loop_test(tc
, test_sig_contraints_rsa_pss
, 0, countof(sig_constraints_rsa_pss_tests
));
220 suite_add_tcase(s
, tc
);