def test_kex_sig_pair(kex_name, parametrized_sig_server, bssl_alg_to_id, client_type, test_artifacts_dir, worker_id): server_sig = parametrized_sig_server[0] server_port = parametrized_sig_server[1] if client_type == "ossl": client_output = common.run_subprocess([ common.OSSL, 's_client', '-groups', kex_name, '-connect', 'localhost:{}'.format(server_port) ], input='Q'.encode()) if kex_name.startswith('p256'): kex_full_name = "{} hybrid".format(kex_name) else: kex_full_name = kex_name if (not "Server Temp Key: {}".format(kex_full_name) in client_output ) or (not "Peer signature type:" in client_output) or ( not "Server certificate" in client_output): print(client_output) assert False elif client_type == "bssl": common.run_subprocess([ common.BSSL_SHIM, '-port', str(server_port), '-expect-version', 'TLSv1.3', '-curves', bssl_alg_to_id[kex_name], '-expect-curve-id', bssl_alg_to_id[kex_name], '-expect-peer-signature-algorithm', bssl_alg_to_id[server_sig], '-expect-peer-cert-file', os.path.join(test_artifacts_dir, '{}_{}_cert_chain'.format(worker_id, server_sig)), '-verify-fail', '-shim-shuts-down' ])
def test_kex_sig_pair(kex_name, parametrized_sig_server, client_prog, client_type, test_artifacts_dir, worker_id): server_sig = parametrized_sig_server[0] server_port = parametrized_sig_server[1] if kex_name not in bssl_algorithms.kex_to_nid: pytest.skip("{} is unsupported by OQS-BoringSSL.".format(kex_name)) if client_type == "ossl": client_output = common.run_subprocess([ client_prog, 's_client', '-groups', kex_name, '-connect', 'localhost:{}'.format(server_port) ], input='Q'.encode()) if kex_name.startswith('p256'): kex_full_name = "{} hybrid".format(kex_name) else: kex_full_name = kex_name if (not "Server Temp Key: {}".format(kex_full_name) in client_output ) or (not "issuer=C = US, O = BoringSSL" in client_output): print(client_output) assert False elif client_type == "bssl": common.run_subprocess([ client_prog, '-port', str(server_port), '-expect-version', 'TLSv1.3', '-curves', bssl_algorithms.kex_to_nid[kex_name], '-expect-curve-id', bssl_algorithms.kex_to_nid[kex_name], '-expect-peer-signature-algorithm', bssl_algorithms.sig_to_code_point[server_sig], '-expect-peer-cert-file', os.path.join(test_artifacts_dir, '{}_{}_cert_chain'.format(worker_id, server_sig)), '-verify-fail', '-shim-shuts-down' ])
def test_kex(kex_name, bssl_alg_to_id, test_artifacts_dir, sig_default_server_port, client_type, worker_id): if client_type == "ossl": client_output = common.run_subprocess([ common.OSSL, 's_client', '-groups', kex_name, '-connect', 'localhost:{}'.format(sig_default_server_port) ], input='Q'.encode()) if kex_name.startswith('p256'): kex_full_name = "{} hybrid".format(kex_name) else: kex_full_name = kex_name if (not "Server Temp Key: {}".format(kex_full_name) in client_output ) or (not "issuer=C = US, O = BoringSSL" in client_output): print(client_output) assert False elif client_type == "bssl": common.run_subprocess([ common.BSSL_SHIM, '-port', str(sig_default_server_port), '-expect-version', str(common.TLS1_3_VERSION), '-curves', bssl_alg_to_id[kex_name], '-expect-curve-id', bssl_alg_to_id[kex_name], '-expect-peer-signature-algorithm', bssl_alg_to_id['dilithium2'], '-expect-peer-cert-file', os.path.join(test_artifacts_dir, '{}_dilithium2_cert_chain'.format(worker_id)), '-verify-fail', '-shim-shuts-down' ])
def test_sig(parametrized_sig_server, bssl_alg_to_id, client_type, test_artifacts_dir, worker_id): server_sig = parametrized_sig_server[0] server_port = parametrized_sig_server[1] if client_type == "ossl": client_output = common.run_subprocess([ common.OSSL, 's_client', '-groups', 'frodo640aes', '-connect', 'localhost:{}'.format(server_port) ], input='Q'.encode()) if not (("Server Temp Key: frodo640aes" in client_output) or ("issuer=C = US, O = BoringSSL" in client_output)): print(client_output) assert False elif client_type == "bssl": common.run_subprocess([ common.BSSL_SHIM, '-port', str(server_port), '-expect-version', str(common.TLS1_3_VERSION), '-curves', bssl_alg_to_id['frodo640aes'], '-expect-curve-id', bssl_alg_to_id['frodo640aes'], '-expect-peer-signature-algorithm', bssl_alg_to_id[server_sig], '-expect-peer-cert-file', os.path.join(test_artifacts_dir, '{}_{}_cert_chain'.format(worker_id, server_sig)), '-verify-fail', '-shim-shuts-down' ])
def test_sig(parametrized_sig_server, client_prog, client_type, test_artifacts_dir, worker_id): server_sig = parametrized_sig_server[0] server_port = parametrized_sig_server[1] if client_type == "ossl": client_output = common.run_subprocess([ client_prog, 's_client', '-groups', 'oqs_kem_default', '-connect', 'localhost:{}'.format(server_port) ], input='Q'.encode()) if not (("Server Temp Key: oqs_kem_default" in client_output) or ("issuer=C = US, O = BoringSSL" in client_output)): print(client_output) assert False elif client_type == "bssl": common.run_subprocess([ client_prog, '-port', str(server_port), '-expect-version', 'TLSv1.3', '-curves', bssl_algorithms.kex_to_nid['oqs_kem_default'], '-expect-curve-id', bssl_algorithms.kex_to_nid['oqs_kem_default'], '-expect-peer-signature-algorithm', bssl_algorithms.sig_to_code_point[server_sig], '-expect-peer-cert-file', os.path.join(test_artifacts_dir, '{}_{}_cert_chain'.format(worker_id, server_sig)), '-verify-fail', '-shim-shuts-down' ])
def test_sigverify(ossl, ossl_config, test_artifacts_dir, sig_name, worker_id): common.gen_keys(ossl, ossl_config, sig_name, test_artifacts_dir, worker_id) # determine available digest algorithms dgsts_out = common.run_subprocess([ossl, 'dgst', '-list']) dgst_list = dgst_algs(dgsts_out) # now pick a random digest algorithm; for EC and RSA only accept a SHA[1|2]* test_dgst = dgst_list[random.randint(0, len(dgst_list) - 1)] while (sig_name.startswith("ec") or sig_name.startswith("rsa")) and not ( test_dgst.startswith("-sha1") or test_dgst.startswith("-sha2")): test_dgst = dgst_list[random.randint(0, len(dgst_list) - 1)] # do sign/verify with the picked digest sign_out = common.run_subprocess([ ossl, 'dgst', test_dgst, '-sign', os.path.join(test_artifacts_dir, '{}_{}_srv.key'.format( worker_id, sig_name)), '-out', os.path.join(test_artifacts_dir, '{}_{}_srv.signature'.format( worker_id, sig_name)) ], input=input_msg.encode()) verify_out = common.run_subprocess([ ossl, 'dgst', test_dgst, '-verify', os.path.join(test_artifacts_dir, '{}_{}_srv.pubk'.format( worker_id, sig_name)), '-signature', os.path.join(test_artifacts_dir, '{}_{}_srv.signature'.format( worker_id, sig_name)) ], input=input_msg.encode()) assert "Verified OK" in verify_out
def test_sig(ossl, ossl_config, test_artifacts_dir, sig_name, worker_id): if (sys.platform.startswith("win") and ("rainbowVclassic" in sig_name)): pytest.skip('rainbowVclassic not supported in windows') common.gen_keys(ossl, ossl_config, sig_name, test_artifacts_dir, worker_id) sign_out = common.run_subprocess([ ossl, 'cms', '-sign', '-signer', os.path.join(test_artifacts_dir, '{}_{}_srv.crt'.format( worker_id, sig_name)), '-inkey', os.path.join(test_artifacts_dir, '{}_{}_srv.key'.format( worker_id, sig_name)), '-nodetach', '-outform', 'pem', '-binary' ], input=input_msg.encode()) common.run_subprocess([ ossl, 'cms', '-verify', '-CAfile', os.path.join(test_artifacts_dir, '{}_{}_CA.crt'.format( worker_id, sig_name)), '-inform', 'pem', '-crlfeol', '-out', os.path.join(test_artifacts_dir, '{}_{}_verify_out'.format( worker_id, sig_name)) ], input=sign_out.encode()) with open( os.path.join(test_artifacts_dir, '{}_{}_verify_out'.format(worker_id, sig_name)), 'r') as verify_out: assert input_msg == verify_out.read(), "Signature verification failed."
def test_env_groups(ossl, sig_default_server_port, test_artifacts_dir, worker_id): env = os.environ env["TLS_DEFAULT_GROUPS"]="frodo640aes" client_output = common.run_subprocess([ossl, 's_client', '-CAfile', os.path.join(test_artifacts_dir, '{}_dilithium2_CA.crt'.format(worker_id)), '-verify_return_error', '-connect', 'localhost:{}'.format(sig_default_server_port)], input='Q'.encode(), env=env) if not "Server Temp Key: {}".format("frodo640aes") in client_output: print(client_output) assert False, "Server temp key missing. Failure acceptable if default groups fixed via OQS_DEFAULT_GROUPS."
def test_sig(parametrized_sig_server, ossl, test_artifacts_dir, worker_id): server_sig = parametrized_sig_server[0] server_port = parametrized_sig_server[1] client_output = common.run_subprocess([ossl, 's_client', '-groups', 'oqs_kem_default', '-CAfile', os.path.join(test_artifacts_dir, '{}_{}_CA.crt'.format(worker_id, server_sig)), '-verify_return_error', '-connect', 'localhost:{}'.format(server_port)], input='Q'.encode()) if not "Server Temp Key: oqs_kem_default" in client_output: print(client_output) assert False, "Server temp key missing."
def test_sig_kem_pair(ossl, server, test_artifacts_dir, kex_name, worker_id): client_output = common.run_subprocess([ ossl, 's_client', '-groups', kex_name, '-CAfile', os.path.join(test_artifacts_dir, '{}_{}_CA.crt'.format( worker_id, server[0])), '-verify_return_error', '-connect', 'localhost:{}'.format(server[1]) ], input='Q'.encode()) if kex_name.startswith('p256'): kex_full_name = "{} hybrid".format(kex_name) else: kex_full_name = kex_name if not "Server Temp Key: {}".format(kex_full_name) in client_output: assert False, "Server temp key missing."
def test_sig(ossl, ossl_config, test_artifacts_dir, sig_name, worker_id): common.gen_keys(ossl, ossl_config, sig_name, test_artifacts_dir, worker_id) sign_out = common.run_subprocess([ ossl, 'cms', '-sign', '-signer', os.path.join(test_artifacts_dir, '{}_{}_srv.crt'.format( worker_id, sig_name)), '-inkey', os.path.join(test_artifacts_dir, '{}_{}_srv.key'.format( worker_id, sig_name)), '-nodetach', '-outform', 'pem', '-binary' ], input=input_msg.encode()) common.run_subprocess([ ossl, 'cms', '-verify', '-CAfile', os.path.join(test_artifacts_dir, '{}_{}_CA.crt'.format( worker_id, sig_name)), '-inform', 'pem', '-crlfeol', '-out', os.path.join(test_artifacts_dir, '{}_{}_verify_out'.format( worker_id, sig_name)) ], input=sign_out.encode()) with open( os.path.join(test_artifacts_dir, '{}_{}_verify_out'.format(worker_id, sig_name)), 'r') as verify_out: assert input_msg == verify_out.read(), "Signature verification failed."
def test_sig(parametrized_sig_server, ossl, test_artifacts_dir, worker_id): server_sig = parametrized_sig_server[0] if (sys.platform.startswith("win") and ("rainbowVclassic" in server_sig)): pytest.skip('rainbowVclassic not supported in windows') server_port = parametrized_sig_server[1] client_output = common.run_subprocess([ossl, 's_client', '-groups', 'frodo640aes', '-CAfile', os.path.join(test_artifacts_dir, '{}_{}_CA.crt'.format(worker_id, server_sig)), '-verify_return_error', '-connect', 'localhost:{}'.format(server_port)], input='Q'.encode()) if not "Server Temp Key: frodo640aes" in client_output: print(client_output) assert False, "Server temp key missing."
def test_kem(ossl, sig_default_server_port, test_artifacts_dir, kex_name, worker_id): if (sys.platform.startswith("win") and ("bike" in kex_name)): pytest.skip('BIKE not supported in windows') client_output = common.run_subprocess([ossl, 's_client', '-groups', kex_name, '-CAfile', os.path.join(test_artifacts_dir, '{}_dilithium2_CA.crt'.format(worker_id)), '-verify_return_error', '-connect', 'localhost:{}'.format(sig_default_server_port)], input='Q'.encode()) if kex_name.startswith('p256'): kex_full_name = "{} hybrid".format(kex_name) else: kex_full_name = kex_name if not "Server Temp Key: {}".format(kex_full_name) in client_output: print(client_output) assert False, "Server temp key missing."
def gen_cert(sig_alg): # first check whether we already have a root CA; if not create it if not os.path.exists(CAROOTDIR): os.mkdir(CAROOTDIR) common.run_subprocess([ OPENSSL, 'req', '-x509', '-new', '-newkey', "rsa:4096", '-keyout', os.path.join(CAROOTDIR, "CA.key"), '-out', os.path.join(CAROOTDIR, "CA.crt"), '-nodes', '-subj', '/CN=oqstest_CA', '-days', '500', '-config', OPENSSL_CNF ]) print("New root cert residing in %s." % (os.path.join(CAROOTDIR, "CA.crt"))) # now generate suitable server keys signed by that root; adapt algorithm names to std ossl if sig_alg == 'rsa3072': ossl_sig_alg_arg = 'rsa:3072' elif sig_alg == 'ecdsap256': common.run_subprocess([ OPENSSL, "ecparam", "-name", "prime256v1", "-out", os.path.join(PKIPATH, "prime256v1.pem") ]) ossl_sig_alg_arg = 'ec:{}'.format( os.path.join(PKIPATH, "prime256v1.pem")) else: ossl_sig_alg_arg = sig_alg # generate server key and CSR common.run_subprocess([ OPENSSL, 'req', '-new', '-newkey', ossl_sig_alg_arg, '-keyout', os.path.join(PKIPATH, '{}_srv.key'.format(sig_alg)), '-out', os.path.join(PKIPATH, '{}_srv.csr'.format(sig_alg)), '-nodes', '-subj', '/CN=' + TESTFQDN, '-config', OPENSSL_CNF ]) # generate server cert off common root common.run_subprocess([ OPENSSL, 'x509', '-req', '-in', os.path.join(PKIPATH, '{}_srv.csr'.format(sig_alg)), '-out', os.path.join(PKIPATH, '{}_srv.crt'.format(sig_alg)), '-CA', os.path.join(CAROOTDIR, 'CA.crt'), '-CAkey', os.path.join(CAROOTDIR, 'CA.key'), '-CAcreateserial', '-extfile', 'ext-csr.conf', '-extensions', 'v3_req', '-days', '365' ])
def test_sig_speed(ossl, ossl_config, test_artifacts_dir, sig_name): common.run_subprocess([ossl, 'speed', '-seconds', '1', sig_name])