Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tests: allow TLS1.2 with RSA-PSS certs in integ tests #4949

Merged
merged 4 commits into from
Dec 10, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 15 additions & 2 deletions tests/integrationv2/common.py
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,20 @@ def __init__(self, name, prefix, location=TEST_CERT_DIRECTORY):
self.algorithm = 'RSAPSS'

def compatible_with_cipher(self, cipher):
return (self.algorithm == cipher.algorithm) or (cipher.algorithm == 'ANY')
if self.algorithm == cipher.algorithm:
return True
# TLS1.3 cipher suites do not specify auth method, so allow any auth method
if cipher.algorithm == 'ANY':
return True
if self.algorithm == 'RSAPSS':
# RSA-PSS certs can only be used by ciphers with RSA auth
if cipher.algorithm != 'RSA':
lrstewart marked this conversation as resolved.
Show resolved Hide resolved
return False
# RSA-PSS certs do not support RSA key exchange, only RSA auth
# "DHE" here is intended to capture both "DHE" and "ECDHE"
if 'DHE' in cipher.name:
return True
return False

def compatible_with_curve(self, curve):
if self.algorithm != 'EC':
Expand Down Expand Up @@ -442,7 +455,7 @@ class Signatures(object):

RSA_PSS_PSS_SHA256 = Signature(
'rsa_pss_pss_sha256',
min_protocol=Protocols.TLS13,
min_protocol=Protocols.TLS12,
sig_type='RSA-PSS-PSS',
sig_digest='SHA256')

Expand Down
22 changes: 12 additions & 10 deletions tests/integrationv2/providers.py
Original file line number Diff line number Diff line change
Expand Up @@ -148,22 +148,24 @@ def get_send_marker(cls):

@classmethod
def supports_protocol(cls, protocol, with_cert=None):
# TLS 1.3 is unsupported for openssl-1.0
# RSA-PSS is unsupported for openssl-1.0
# libressl and boringssl are disabled because of configuration issues
# see https://github.com/aws/s2n-tls/issues/3250
TLS_13_UNSUPPORTED_LIBCRYPTOS = {
PSS_UNSUPPORTED_LIBCRYPTOS = {
"libressl",
"boringssl",
"openssl-1.0"
}

# Disable TLS 1.3 tests for all libcryptos that don't support 1.3
if protocol == Protocols.TLS13:
current_libcrypto = get_flag(S2N_PROVIDER_VERSION)
for unsupported_lc in TLS_13_UNSUPPORTED_LIBCRYPTOS:
# e.g. "openssl-1.0" in "openssl-1.0.2-fips"
if unsupported_lc in current_libcrypto:
return False
pss_is_unsupported = any([
# e.g. "openssl-1.0" in "openssl-1.0.2-fips"
libcrypto in get_flag(S2N_PROVIDER_VERSION)
for libcrypto in PSS_UNSUPPORTED_LIBCRYPTOS
])
if pss_is_unsupported:
if protocol == Protocols.TLS13:
return False
if with_cert and with_cert.algorithm == 'RSAPSS':
return False

# SSLv3 cannot be negotiated in FIPS mode with libcryptos other than AWS-LC.
if all([
Expand Down
5 changes: 2 additions & 3 deletions tests/integrationv2/utils.py
Original file line number Diff line number Diff line change
Expand Up @@ -72,9 +72,8 @@ def invalid_test_parameters(*args, **kwargs):
# Always consider S2N
providers.append(S2N)

# Only TLS1.3 supports RSA-PSS-PSS certificates
# (Earlier versions support RSA-PSS signatures, just via RSA-PSS-RSAE)
if protocol and protocol is not Protocols.TLS13:
# Older versions do not support RSA-PSS-PSS certificates
if protocol and protocol < Protocols.TLS12:
if client_certificate and client_certificate.algorithm == 'RSAPSS':
return True
if certificate and certificate.algorithm == 'RSAPSS':
Expand Down
Loading