2 * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
9 #include <openssl/ssl.h>
11 #include "helpers/ssltestlib.h"
12 #include "internal/dane.h"
15 #undef OSSL_NO_USABLE_TLS1_3
16 #if defined(OPENSSL_NO_TLS1_3) \
17 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
19 * If we don't have ec or dh then there are no built-in groups that are usable
22 # define OSSL_NO_USABLE_TLS1_3
25 static char *certsdir
= NULL
;
26 static char *rootcert
= NULL
;
27 static char *cert
= NULL
;
28 static char *privkey
= NULL
;
29 static char *cert2
= NULL
;
30 static char *privkey2
= NULL
;
31 static char *cert448
= NULL
;
32 static char *privkey448
= NULL
;
33 static char *cert25519
= NULL
;
34 static char *privkey25519
= NULL
;
35 static OSSL_LIB_CTX
*libctx
= NULL
;
36 static OSSL_PROVIDER
*defctxnull
= NULL
;
38 static const unsigned char cert_type_rpk
[] = { TLSEXT_cert_type_rpk
, TLSEXT_cert_type_x509
};
39 static const unsigned char SID_CTX
[] = { 'r', 'p', 'k' };
41 static int rpk_verify_client_cb(int ok
, X509_STORE_CTX
*ctx
)
43 int err
= X509_STORE_CTX_get_error(ctx
);
45 if (X509_STORE_CTX_get0_rpk(ctx
) != NULL
) {
46 if (err
!= X509_V_OK
) {
47 TEST_info("rpk_verify_client_cb: ok=%d err=%d", ok
, err
);
53 static int rpk_verify_server_cb(int ok
, X509_STORE_CTX
*ctx
)
55 int err
= X509_STORE_CTX_get_error(ctx
);
57 if (X509_STORE_CTX_get0_rpk(ctx
) != NULL
) {
58 if (err
!= X509_V_OK
) {
59 TEST_info("rpk_verify_server_cb: ok=%d err=%d", ok
, err
);
68 * (2) server_cert_type RPK off/on for server
69 * (2) client_cert_type RPK off/on for server
70 * (2) server_cert_type RPK off/on for client
71 * (2) client_cert_type RPK off/on for client
72 * (4) RSA vs ECDSA vs Ed25519 vs Ed448 certificates
73 * (2) TLSv1.2 vs TLSv1.3
76 * idx = 0 - is the normal success case, certificate, single peer key
77 * idx = 1 - only a private key
78 * idx = 2 - add client authentication
79 * idx = 3 - add second peer key (rootcert.pem)
80 * idx = 4 - add second peer key (different, RSA or ECDSA)
81 * idx = 5 - reverse peer keys (rootcert.pem, different order)
82 * idx = 6 - reverse peer keys (RSA or ECDSA, different order)
83 * idx = 7 - expects failure due to mismatched key (RSA or ECDSA)
84 * idx = 8 - expects failure due to no configured key on client
85 * idx = 9 - add client authentication (PHA)
86 * idx = 10 - add client authentication (privake key only)
87 * idx = 11 - simple resumption
88 * idx = 12 - simple resumption, no ticket
89 * idx = 13 - resumption with client authentication
90 * idx = 14 - resumption with client authentication, no ticket
91 * idx = 15 - like 0, but use non-default libctx
93 * 16 * 2 * 4 * 2 * 2 * 2 * 2 = 2048 tests
95 static int test_rpk(int idx
)
98 # define RPK_DIMS (2 * 4 * 2 * 2 * 2 * 2)
99 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
100 SSL
*clientssl
= NULL
, *serverssl
= NULL
;
101 EVP_PKEY
*pkey
= NULL
, *other_pkey
= NULL
, *root_pkey
= NULL
;
102 X509
*x509
= NULL
, *other_x509
= NULL
, *root_x509
= NULL
;
103 int testresult
= 0, ret
, expected
= 1;
104 int client_expected
= X509_V_OK
;
107 char *cert_file
= NULL
;
108 char *privkey_file
= NULL
;
109 char *other_cert_file
= NULL
;
110 SSL_SESSION
*client_sess
= NULL
;
111 SSL_SESSION
*server_sess
= NULL
;
112 int idx_server_server_rpk
, idx_server_client_rpk
;
113 int idx_client_server_rpk
, idx_client_client_rpk
;
114 int idx_cert
, idx_prot
;
117 long server_verify_result
= 0;
118 long client_verify_result
= 0;
119 OSSL_LIB_CTX
*test_libctx
= NULL
;
121 if (!TEST_int_le(idx
, RPK_TESTS
* RPK_DIMS
))
124 idx_server_server_rpk
= idx
/ (RPK_TESTS
* 2 * 4 * 2 * 2 * 2);
125 idx
%= RPK_TESTS
* 2 * 4 * 2 * 2 * 2;
126 idx_server_client_rpk
= idx
/ (RPK_TESTS
* 2 * 4 * 2 * 2);
127 idx
%= RPK_TESTS
* 2 * 4 * 2 * 2;
128 idx_client_server_rpk
= idx
/ (RPK_TESTS
* 2 * 4 * 2);
129 idx
%= RPK_TESTS
* 2 * 4 * 2;
130 idx_client_client_rpk
= idx
/ (RPK_TESTS
* 2 * 4);
131 idx
%= RPK_TESTS
* 2 * 4;
132 idx_cert
= idx
/ (RPK_TESTS
* 2);
133 idx
%= RPK_TESTS
* 2;
134 idx_prot
= idx
/ RPK_TESTS
;
137 /* Load "root" cert/pubkey */
138 root_x509
= load_cert_pem(rootcert
, NULL
);
139 if (!TEST_ptr(root_x509
))
141 root_pkey
= X509_get0_pubkey(root_x509
);
142 if (!TEST_ptr(root_pkey
))
149 privkey_file
= privkey
;
150 other_cert_file
= cert2
;
152 #ifndef OPENSSL_NO_ECDSA
156 privkey_file
= privkey2
;
157 other_cert_file
= cert
;
159 # ifndef OPENSSL_NO_ECX
163 privkey_file
= privkey448
;
164 other_cert_file
= cert
;
168 cert_file
= cert25519
;
169 privkey_file
= privkey25519
;
170 other_cert_file
= cert
;
175 testresult
= TEST_skip("EDCSA disabled");
178 /* Load primary cert */
179 x509
= load_cert_pem(cert_file
, NULL
);
182 pkey
= X509_get0_pubkey(x509
);
183 /* load other cert */
184 other_x509
= load_cert_pem(other_cert_file
, NULL
);
185 if (!TEST_ptr(other_x509
))
187 other_pkey
= X509_get0_pubkey(other_x509
);
188 #ifdef OPENSSL_NO_ECDSA
189 /* Can't get other_key if it's ECDSA */
190 if (other_pkey
== NULL
&& idx_cert
== 0
191 && (idx
== 4 || idx
== 6 || idx
== 7)) {
192 testresult
= TEST_skip("EDCSA disabled");
199 #ifdef OSSL_NO_USABLE_TLS1_3
200 testresult
= TEST_skip("TLSv1.3 disabled");
203 tls_version
= TLS1_3_VERSION
;
207 #ifdef OPENSSL_NO_TLS1_2
208 testresult
= TEST_skip("TLSv1.2 disabled");
211 tls_version
= TLS1_2_VERSION
;
219 test_libctx
= libctx
;
220 defctxnull
= OSSL_PROVIDER_load(NULL
, "null");
221 if (!TEST_ptr(defctxnull
))
224 if (!TEST_true(create_ssl_ctx_pair(test_libctx
,
225 TLS_server_method(), TLS_client_method(),
226 tls_version
, tls_version
,
227 &sctx
, &cctx
, NULL
, NULL
)))
230 if (idx_server_server_rpk
)
231 if (!TEST_true(SSL_CTX_set1_server_cert_type(sctx
, cert_type_rpk
, sizeof(cert_type_rpk
))))
233 if (idx_server_client_rpk
)
234 if (!TEST_true(SSL_CTX_set1_client_cert_type(sctx
, cert_type_rpk
, sizeof(cert_type_rpk
))))
236 if (idx_client_server_rpk
)
237 if (!TEST_true(SSL_CTX_set1_server_cert_type(cctx
, cert_type_rpk
, sizeof(cert_type_rpk
))))
239 if (idx_client_client_rpk
)
240 if (!TEST_true(SSL_CTX_set1_client_cert_type(cctx
, cert_type_rpk
, sizeof(cert_type_rpk
))))
242 if (!TEST_true(SSL_CTX_set_session_id_context(sctx
, SID_CTX
, sizeof(SID_CTX
))))
244 if (!TEST_true(SSL_CTX_set_session_id_context(cctx
, SID_CTX
, sizeof(SID_CTX
))))
247 if (!TEST_int_gt(SSL_CTX_dane_enable(sctx
), 0))
249 if (!TEST_int_gt(SSL_CTX_dane_enable(cctx
), 0))
253 SSL_CTX_set_verify(cctx
, SSL_VERIFY_PEER
, rpk_verify_client_cb
);
255 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
259 if (!TEST_int_gt(SSL_dane_enable(serverssl
, NULL
), 0))
261 if (!TEST_int_gt(SSL_dane_enable(clientssl
, "example.com"), 0))
264 /* Set private key and certificate */
265 if (!TEST_int_eq(SSL_use_PrivateKey_file(serverssl
, privkey_file
, SSL_FILETYPE_PEM
), 1))
267 /* Only a private key */
269 if (idx_server_server_rpk
== 0 || idx_client_server_rpk
== 0)
272 /* Add certificate */
273 if (!TEST_int_eq(SSL_use_certificate_file(serverssl
, cert_file
, SSL_FILETYPE_PEM
), 1))
275 if (!TEST_int_eq(SSL_check_private_key(serverssl
), 1))
281 if (!TEST_true(idx
< RPK_TESTS
))
285 if (!TEST_true(SSL_add_expected_rpk(clientssl
, pkey
)))
289 if (!TEST_true(SSL_add_expected_rpk(clientssl
, pkey
)))
293 if (!TEST_true(SSL_add_expected_rpk(clientssl
, pkey
)))
295 if (!TEST_true(SSL_add_expected_rpk(serverssl
, pkey
)))
297 /* Use the same key for client auth */
298 if (!TEST_int_eq(SSL_use_PrivateKey_file(clientssl
, privkey_file
, SSL_FILETYPE_PEM
), 1))
300 if (!TEST_int_eq(SSL_use_certificate_file(clientssl
, cert_file
, SSL_FILETYPE_PEM
), 1))
302 if (!TEST_int_eq(SSL_check_private_key(clientssl
), 1))
304 SSL_set_verify(serverssl
, SSL_VERIFY_PEER
| SSL_VERIFY_FAIL_IF_NO_PEER_CERT
, rpk_verify_server_cb
);
308 if (!TEST_true(SSL_add_expected_rpk(clientssl
, pkey
)))
310 if (!TEST_true(SSL_add_expected_rpk(clientssl
, root_pkey
)))
314 if (!TEST_true(SSL_add_expected_rpk(clientssl
, pkey
)))
316 if (!TEST_true(SSL_add_expected_rpk(clientssl
, other_pkey
)))
320 if (!TEST_true(SSL_add_expected_rpk(clientssl
, root_pkey
)))
322 if (!TEST_true(SSL_add_expected_rpk(clientssl
, pkey
)))
326 if (!TEST_true(SSL_add_expected_rpk(clientssl
, other_pkey
)))
328 if (!TEST_true(SSL_add_expected_rpk(clientssl
, pkey
)))
332 if (idx_server_server_rpk
== 1 && idx_client_server_rpk
== 1)
333 client_expected
= -1;
334 if (!TEST_true(SSL_add_expected_rpk(clientssl
, other_pkey
)))
336 client_verify_result
= X509_V_ERR_DANE_NO_MATCH
;
339 if (idx_server_server_rpk
== 1 && idx_client_server_rpk
== 1)
340 client_expected
= -1;
342 client_verify_result
= X509_V_ERR_RPK_UNTRUSTED
;
345 if (tls_version
!= TLS1_3_VERSION
) {
346 testresult
= TEST_skip("PHA requires TLSv1.3");
349 if (!TEST_true(SSL_add_expected_rpk(clientssl
, pkey
)))
351 if (!TEST_true(SSL_add_expected_rpk(serverssl
, pkey
)))
353 /* Use the same key for client auth */
354 if (!TEST_int_eq(SSL_use_PrivateKey_file(clientssl
, privkey_file
, SSL_FILETYPE_PEM
), 1))
356 if (!TEST_int_eq(SSL_use_certificate_file(clientssl
, cert_file
, SSL_FILETYPE_PEM
), 1))
358 if (!TEST_int_eq(SSL_check_private_key(clientssl
), 1))
360 SSL_set_verify(serverssl
, SSL_VERIFY_PEER
| SSL_VERIFY_FAIL_IF_NO_PEER_CERT
| SSL_VERIFY_POST_HANDSHAKE
, rpk_verify_server_cb
);
361 SSL_set_post_handshake_auth(clientssl
, 1);
365 if (!TEST_true(SSL_add_expected_rpk(clientssl
, pkey
)))
367 if (!TEST_true(SSL_add_expected_rpk(serverssl
, pkey
)))
369 /* Use the same key for client auth */
370 if (!TEST_int_eq(SSL_use_PrivateKey_file(clientssl
, privkey_file
, SSL_FILETYPE_PEM
), 1))
372 /* Since there's no cert, this is expected to fail without RPK support */
373 if (!idx_server_client_rpk
|| !idx_client_client_rpk
)
375 SSL_set_verify(serverssl
, SSL_VERIFY_PEER
| SSL_VERIFY_FAIL_IF_NO_PEER_CERT
, rpk_verify_server_cb
);
379 if (!idx_server_server_rpk
|| !idx_client_server_rpk
) {
380 testresult
= TEST_skip("Only testing resumption with server RPK");
383 if (!TEST_true(SSL_add_expected_rpk(clientssl
, pkey
)))
388 if (!idx_server_server_rpk
|| !idx_client_server_rpk
) {
389 testresult
= TEST_skip("Only testing resumption with server RPK");
392 if (!TEST_true(SSL_add_expected_rpk(clientssl
, pkey
)))
394 SSL_set_options(serverssl
, SSL_OP_NO_TICKET
);
395 SSL_set_options(clientssl
, SSL_OP_NO_TICKET
);
399 if (!idx_server_server_rpk
|| !idx_client_server_rpk
) {
400 testresult
= TEST_skip("Only testing resumption with server RPK");
403 if (!idx_server_client_rpk
|| !idx_client_client_rpk
) {
404 testresult
= TEST_skip("Only testing client authentication resumption with client RPK");
407 if (!TEST_true(SSL_add_expected_rpk(clientssl
, pkey
)))
409 if (!TEST_true(SSL_add_expected_rpk(serverssl
, pkey
)))
411 /* Use the same key for client auth */
412 if (!TEST_int_eq(SSL_use_PrivateKey_file(clientssl
, privkey_file
, SSL_FILETYPE_PEM
), 1))
414 if (!TEST_int_eq(SSL_use_certificate_file(clientssl
, cert_file
, SSL_FILETYPE_PEM
), 1))
416 if (!TEST_int_eq(SSL_check_private_key(clientssl
), 1))
418 SSL_set_verify(serverssl
, SSL_VERIFY_PEER
| SSL_VERIFY_FAIL_IF_NO_PEER_CERT
, rpk_verify_server_cb
);
423 if (!idx_server_server_rpk
|| !idx_client_server_rpk
) {
424 testresult
= TEST_skip("Only testing resumption with server RPK");
427 if (!idx_server_client_rpk
|| !idx_client_client_rpk
) {
428 testresult
= TEST_skip("Only testing client authentication resumption with client RPK");
431 if (!TEST_true(SSL_add_expected_rpk(clientssl
, pkey
)))
433 if (!TEST_true(SSL_add_expected_rpk(serverssl
, pkey
)))
435 /* Use the same key for client auth */
436 if (!TEST_int_eq(SSL_use_PrivateKey_file(clientssl
, privkey_file
, SSL_FILETYPE_PEM
), 1))
438 if (!TEST_int_eq(SSL_use_certificate_file(clientssl
, cert_file
, SSL_FILETYPE_PEM
), 1))
440 if (!TEST_int_eq(SSL_check_private_key(clientssl
), 1))
442 SSL_set_verify(serverssl
, SSL_VERIFY_PEER
| SSL_VERIFY_FAIL_IF_NO_PEER_CERT
, rpk_verify_server_cb
);
443 SSL_set_options(serverssl
, SSL_OP_NO_TICKET
);
444 SSL_set_options(clientssl
, SSL_OP_NO_TICKET
);
449 if (!TEST_true(SSL_add_expected_rpk(clientssl
, pkey
)))
454 ret
= create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
);
455 if (!TEST_int_eq(expected
, ret
))
458 /* Make sure client gets RPK or certificate as configured */
460 if (idx_server_server_rpk
&& idx_client_server_rpk
) {
461 if (!TEST_long_eq(SSL_get_verify_result(clientssl
), client_verify_result
))
463 if (!TEST_ptr(SSL_get0_peer_rpk(clientssl
)))
465 if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl
), TLSEXT_cert_type_rpk
))
467 if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl
), TLSEXT_cert_type_rpk
))
470 if (!TEST_ptr(SSL_get0_peer_certificate(clientssl
)))
472 if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl
), TLSEXT_cert_type_x509
))
474 if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl
), TLSEXT_cert_type_x509
))
480 /* Make PHA happen... */
481 if (!TEST_true(SSL_verify_client_post_handshake(serverssl
)))
483 if (!TEST_true(SSL_do_handshake(serverssl
)))
485 if (!TEST_int_le(SSL_read(clientssl
, NULL
, 0), 0))
487 if (!TEST_int_le(SSL_read(serverssl
, NULL
, 0), 0))
491 /* Make sure server gets an RPK or certificate as configured */
493 if (idx_server_client_rpk
&& idx_client_client_rpk
) {
494 if (!TEST_long_eq(SSL_get_verify_result(serverssl
), server_verify_result
))
496 if (!TEST_ptr(SSL_get0_peer_rpk(serverssl
)))
498 if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(serverssl
), TLSEXT_cert_type_rpk
))
500 if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(clientssl
), TLSEXT_cert_type_rpk
))
503 /* only if connection is expected to succeed */
504 if (expected
== 1 && !TEST_ptr(SSL_get0_peer_certificate(serverssl
)))
506 if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(serverssl
), TLSEXT_cert_type_x509
))
508 if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(clientssl
), TLSEXT_cert_type_x509
))
514 EVP_PKEY
*client_pkey
= NULL
;
515 EVP_PKEY
*server_pkey
= NULL
;
517 if (!TEST_ptr((client_sess
= SSL_get1_session(clientssl
)))
518 || !TEST_ptr((client_pkey
= SSL_SESSION_get0_peer_rpk(client_sess
))))
521 if (!TEST_ptr((server_sess
= SSL_get1_session(serverssl
)))
522 || !TEST_ptr((server_pkey
= SSL_SESSION_get0_peer_rpk(server_sess
))))
525 SSL_shutdown(clientssl
);
526 SSL_shutdown(serverssl
);
529 serverssl
= clientssl
= NULL
;
531 if (!TEST_true(create_ssl_objects(sctx
, cctx
, &serverssl
, &clientssl
,
533 || !TEST_true(SSL_set_session(clientssl
, client_sess
)))
536 /* Set private key (and maybe certificate) */
537 if (!TEST_int_eq(SSL_use_PrivateKey_file(serverssl
, privkey_file
, SSL_FILETYPE_PEM
), 1))
539 if (!TEST_int_eq(SSL_use_certificate_file(serverssl
, cert_file
, SSL_FILETYPE_PEM
), 1))
541 if (!TEST_int_eq(SSL_check_private_key(serverssl
), 1))
543 if (!TEST_int_gt(SSL_dane_enable(serverssl
, "example.com"), 0))
545 if (!TEST_int_gt(SSL_dane_enable(clientssl
, "example.com"), 0))
552 if (!TEST_true(SSL_add_expected_rpk(clientssl
, client_pkey
)))
556 if (!TEST_true(SSL_add_expected_rpk(clientssl
, client_pkey
)))
558 SSL_set_options(clientssl
, SSL_OP_NO_TICKET
);
559 SSL_set_options(serverssl
, SSL_OP_NO_TICKET
);
562 if (!TEST_true(SSL_add_expected_rpk(clientssl
, client_pkey
)))
564 if (!TEST_true(SSL_add_expected_rpk(serverssl
, server_pkey
)))
566 /* Use the same key for client auth */
567 if (!TEST_int_eq(SSL_use_PrivateKey_file(clientssl
, privkey_file
, SSL_FILETYPE_PEM
), 1))
569 if (!TEST_int_eq(SSL_use_certificate_file(clientssl
, cert_file
, SSL_FILETYPE_PEM
), 1))
571 if (!TEST_int_eq(SSL_check_private_key(clientssl
), 1))
573 SSL_set_verify(serverssl
, SSL_VERIFY_PEER
| SSL_VERIFY_FAIL_IF_NO_PEER_CERT
, rpk_verify_server_cb
);
576 if (!TEST_true(SSL_add_expected_rpk(clientssl
, client_pkey
)))
578 if (!TEST_true(SSL_add_expected_rpk(serverssl
, server_pkey
)))
580 /* Use the same key for client auth */
581 if (!TEST_int_eq(SSL_use_PrivateKey_file(clientssl
, privkey_file
, SSL_FILETYPE_PEM
), 1))
583 if (!TEST_int_eq(SSL_use_certificate_file(clientssl
, cert_file
, SSL_FILETYPE_PEM
), 1))
585 if (!TEST_int_eq(SSL_check_private_key(clientssl
), 1))
587 SSL_set_verify(serverssl
, SSL_VERIFY_PEER
| SSL_VERIFY_FAIL_IF_NO_PEER_CERT
, rpk_verify_server_cb
);
588 SSL_set_options(serverssl
, SSL_OP_NO_TICKET
);
589 SSL_set_options(clientssl
, SSL_OP_NO_TICKET
);
593 ret
= create_ssl_connection(serverssl
, clientssl
, SSL_ERROR_NONE
);
594 if (!TEST_int_eq(expected
, ret
))
596 verify
= SSL_get_verify_result(clientssl
);
597 if (!TEST_int_eq(client_expected
, verify
))
599 if (!TEST_true(SSL_session_reused(clientssl
)))
602 if (!TEST_ptr(SSL_get0_peer_rpk(clientssl
)))
604 if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl
), TLSEXT_cert_type_rpk
))
606 if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl
), TLSEXT_cert_type_rpk
))
610 if (!TEST_ptr(SSL_get0_peer_rpk(serverssl
)))
612 if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(serverssl
), TLSEXT_cert_type_rpk
))
614 if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(clientssl
), TLSEXT_cert_type_rpk
))
622 OSSL_PROVIDER_unload(defctxnull
);
624 SSL_SESSION_free(client_sess
);
625 SSL_SESSION_free(server_sess
);
631 X509_free(other_x509
);
632 X509_free(root_x509
);
634 if (testresult
== 0) {
635 TEST_info("idx_ss_rpk=%d, idx_sc_rpk=%d, idx_cs_rpk=%d, idx_cc_rpk=%d, idx_cert=%d, idx_prot=%d, idx=%d",
636 idx_server_server_rpk
, idx_server_client_rpk
,
637 idx_client_server_rpk
, idx_client_client_rpk
,
638 idx_cert
, idx_prot
, idx
);
643 static int test_rpk_api(void)
646 SSL_CTX
*cctx
= NULL
, *sctx
= NULL
;
647 unsigned char cert_type_dups
[] = { TLSEXT_cert_type_rpk
,
648 TLSEXT_cert_type_x509
,
649 TLSEXT_cert_type_x509
};
650 unsigned char cert_type_bad
[] = { 0xFF };
651 unsigned char cert_type_extra
[] = { TLSEXT_cert_type_rpk
,
652 TLSEXT_cert_type_x509
,
654 unsigned char cert_type_unsup
[] = { TLSEXT_cert_type_pgp
,
655 TLSEXT_cert_type_1609dot2
};
656 unsigned char cert_type_just_x509
[] = { TLSEXT_cert_type_x509
};
657 unsigned char cert_type_just_rpk
[] = { TLSEXT_cert_type_rpk
};
659 if (!TEST_true(create_ssl_ctx_pair(NULL
,
660 TLS_server_method(), TLS_client_method(),
661 TLS1_2_VERSION
, TLS1_2_VERSION
,
662 &sctx
, &cctx
, NULL
, NULL
)))
665 if (!TEST_false(SSL_CTX_set1_server_cert_type(sctx
, cert_type_dups
, sizeof(cert_type_dups
))))
668 if (!TEST_false(SSL_CTX_set1_server_cert_type(sctx
, cert_type_bad
, sizeof(cert_type_bad
))))
671 if (!TEST_false(SSL_CTX_set1_server_cert_type(sctx
, cert_type_extra
, sizeof(cert_type_extra
))))
674 if (!TEST_false(SSL_CTX_set1_server_cert_type(sctx
, cert_type_unsup
, sizeof(cert_type_unsup
))))
677 if (!TEST_true(SSL_CTX_set1_server_cert_type(sctx
, cert_type_just_x509
, sizeof(cert_type_just_x509
))))
680 if (!TEST_true(SSL_CTX_set1_server_cert_type(sctx
, cert_type_just_rpk
, sizeof(cert_type_just_rpk
))))
689 OPT_TEST_DECLARE_USAGE("certdir\n")
691 int setup_tests(void)
693 if (!test_skip_common_options()) {
694 TEST_error("Error parsing test options\n");
698 if (!TEST_ptr(certsdir
= test_get_argument(0)))
701 rootcert
= test_mk_file_path(certsdir
, "rootcert.pem");
702 if (rootcert
== NULL
)
705 cert
= test_mk_file_path(certsdir
, "servercert.pem");
709 privkey
= test_mk_file_path(certsdir
, "serverkey.pem");
713 cert2
= test_mk_file_path(certsdir
, "server-ecdsa-cert.pem");
717 privkey2
= test_mk_file_path(certsdir
, "server-ecdsa-key.pem");
718 if (privkey2
== NULL
)
721 cert448
= test_mk_file_path(certsdir
, "server-ed448-cert.pem");
725 privkey448
= test_mk_file_path(certsdir
, "server-ed448-key.pem");
726 if (privkey2
== NULL
)
729 cert25519
= test_mk_file_path(certsdir
, "server-ed25519-cert.pem");
733 privkey25519
= test_mk_file_path(certsdir
, "server-ed25519-key.pem");
734 if (privkey2
== NULL
)
737 libctx
= OSSL_LIB_CTX_new();
741 ADD_TEST(test_rpk_api
);
742 ADD_ALL_TESTS(test_rpk
, RPK_TESTS
* RPK_DIMS
);
749 void cleanup_tests(void)
751 OPENSSL_free(rootcert
);
753 OPENSSL_free(privkey
);
755 OPENSSL_free(privkey2
);
756 OPENSSL_free(cert448
);
757 OPENSSL_free(privkey448
);
758 OPENSSL_free(cert25519
);
759 OPENSSL_free(privkey25519
);
760 OSSL_LIB_CTX_free(libctx
);