def test_kex_sig_pair(kex_name, parametrized_sig_server, bssl_alg_to_id,
client_type, test_artifacts_dir, worker_id):
server_sig = parametrized_sig_server[0]
server_port = parametrized_sig_server[1]
if client_type == "ossl":
client_output = common.run_subprocess([
common.OSSL, 's_client', '-groups', kex_name, '-connect',
'localhost:{}'.format(server_port)
],
input='Q'.encode())
if kex_name.startswith('p256'):
kex_full_name = "{} hybrid".format(kex_name)
else:
kex_full_name = kex_name
if (not "Server Temp Key: {}".format(kex_full_name) in client_output
) or (not "Peer signature type:" in client_output) or (
not "Server certificate" in client_output):
print(client_output)
assert False
elif client_type == "bssl":
common.run_subprocess([
common.BSSL_SHIM, '-port',
str(server_port), '-expect-version', 'TLSv1.3', '-curves',
bssl_alg_to_id[kex_name], '-expect-curve-id',
bssl_alg_to_id[kex_name], '-expect-peer-signature-algorithm',
bssl_alg_to_id[server_sig], '-expect-peer-cert-file',
os.path.join(test_artifacts_dir,
'{}_{}_cert_chain'.format(worker_id, server_sig)),
'-verify-fail', '-shim-shuts-down'
])
def test_kex_sig_pair(kex_name, parametrized_sig_server, client_prog,
client_type, test_artifacts_dir, worker_id):
server_sig = parametrized_sig_server[0]
server_port = parametrized_sig_server[1]
if kex_name not in bssl_algorithms.kex_to_nid:
pytest.skip("{} is unsupported by OQS-BoringSSL.".format(kex_name))
if client_type == "ossl":
client_output = common.run_subprocess([
client_prog, 's_client', '-groups', kex_name, '-connect',
'localhost:{}'.format(server_port)
],
input='Q'.encode())
if kex_name.startswith('p256'):
kex_full_name = "{} hybrid".format(kex_name)
else:
kex_full_name = kex_name
if (not "Server Temp Key: {}".format(kex_full_name) in client_output
) or (not "issuer=C = US, O = BoringSSL" in client_output):
print(client_output)
assert False
elif client_type == "bssl":
common.run_subprocess([
client_prog, '-port',
str(server_port), '-expect-version', 'TLSv1.3', '-curves',
bssl_algorithms.kex_to_nid[kex_name], '-expect-curve-id',
bssl_algorithms.kex_to_nid[kex_name],
'-expect-peer-signature-algorithm',
bssl_algorithms.sig_to_code_point[server_sig],
'-expect-peer-cert-file',
os.path.join(test_artifacts_dir,
'{}_{}_cert_chain'.format(worker_id, server_sig)),
'-verify-fail', '-shim-shuts-down'
])
def test_kex(kex_name, bssl_alg_to_id, test_artifacts_dir,
sig_default_server_port, client_type, worker_id):
if client_type == "ossl":
client_output = common.run_subprocess([
common.OSSL, 's_client', '-groups', kex_name, '-connect',
'localhost:{}'.format(sig_default_server_port)
],
input='Q'.encode())
if kex_name.startswith('p256'):
kex_full_name = "{} hybrid".format(kex_name)
else:
kex_full_name = kex_name
if (not "Server Temp Key: {}".format(kex_full_name) in client_output
) or (not "issuer=C = US, O = BoringSSL" in client_output):
print(client_output)
assert False
elif client_type == "bssl":
common.run_subprocess([
common.BSSL_SHIM, '-port',
str(sig_default_server_port), '-expect-version',
str(common.TLS1_3_VERSION), '-curves', bssl_alg_to_id[kex_name],
'-expect-curve-id', bssl_alg_to_id[kex_name],
'-expect-peer-signature-algorithm', bssl_alg_to_id['dilithium2'],
'-expect-peer-cert-file',
os.path.join(test_artifacts_dir,
'{}_dilithium2_cert_chain'.format(worker_id)),
'-verify-fail', '-shim-shuts-down'
])
def test_sig(parametrized_sig_server, bssl_alg_to_id, client_type,
test_artifacts_dir, worker_id):
server_sig = parametrized_sig_server[0]
server_port = parametrized_sig_server[1]
if client_type == "ossl":
client_output = common.run_subprocess([
common.OSSL, 's_client', '-groups', 'frodo640aes', '-connect',
'localhost:{}'.format(server_port)
],
input='Q'.encode())
if not (("Server Temp Key: frodo640aes" in client_output) or
("issuer=C = US, O = BoringSSL" in client_output)):
print(client_output)
assert False
elif client_type == "bssl":
common.run_subprocess([
common.BSSL_SHIM, '-port',
str(server_port), '-expect-version',
str(common.TLS1_3_VERSION), '-curves',
bssl_alg_to_id['frodo640aes'], '-expect-curve-id',
bssl_alg_to_id['frodo640aes'], '-expect-peer-signature-algorithm',
bssl_alg_to_id[server_sig], '-expect-peer-cert-file',
os.path.join(test_artifacts_dir,
'{}_{}_cert_chain'.format(worker_id, server_sig)),
'-verify-fail', '-shim-shuts-down'
])
def test_sig(parametrized_sig_server, client_prog, client_type,
test_artifacts_dir, worker_id):
server_sig = parametrized_sig_server[0]
server_port = parametrized_sig_server[1]
if client_type == "ossl":
client_output = common.run_subprocess([
client_prog, 's_client', '-groups', 'oqs_kem_default', '-connect',
'localhost:{}'.format(server_port)
],
input='Q'.encode())
if not (("Server Temp Key: oqs_kem_default" in client_output) or
("issuer=C = US, O = BoringSSL" in client_output)):
print(client_output)
assert False
elif client_type == "bssl":
common.run_subprocess([
client_prog, '-port',
str(server_port), '-expect-version', 'TLSv1.3', '-curves',
bssl_algorithms.kex_to_nid['oqs_kem_default'], '-expect-curve-id',
bssl_algorithms.kex_to_nid['oqs_kem_default'],
'-expect-peer-signature-algorithm',
bssl_algorithms.sig_to_code_point[server_sig],
'-expect-peer-cert-file',
os.path.join(test_artifacts_dir,
'{}_{}_cert_chain'.format(worker_id, server_sig)),
'-verify-fail', '-shim-shuts-down'
])
def test_sigverify(ossl, ossl_config, test_artifacts_dir, sig_name, worker_id):
common.gen_keys(ossl, ossl_config, sig_name, test_artifacts_dir, worker_id)
# determine available digest algorithms
dgsts_out = common.run_subprocess([ossl, 'dgst', '-list'])
dgst_list = dgst_algs(dgsts_out)
# now pick a random digest algorithm; for EC and RSA only accept a SHA[1|2]*
test_dgst = dgst_list[random.randint(0, len(dgst_list) - 1)]
while (sig_name.startswith("ec") or sig_name.startswith("rsa")) and not (
test_dgst.startswith("-sha1") or test_dgst.startswith("-sha2")):
test_dgst = dgst_list[random.randint(0, len(dgst_list) - 1)]
# do sign/verify with the picked digest
sign_out = common.run_subprocess([
ossl, 'dgst', test_dgst, '-sign',
os.path.join(test_artifacts_dir, '{}_{}_srv.key'.format(
worker_id, sig_name)), '-out',
os.path.join(test_artifacts_dir, '{}_{}_srv.signature'.format(
worker_id, sig_name))
],
input=input_msg.encode())
verify_out = common.run_subprocess([
ossl, 'dgst', test_dgst, '-verify',
os.path.join(test_artifacts_dir, '{}_{}_srv.pubk'.format(
worker_id, sig_name)), '-signature',
os.path.join(test_artifacts_dir, '{}_{}_srv.signature'.format(
worker_id, sig_name))
],
input=input_msg.encode())
assert "Verified OK" in verify_out
def test_sig(ossl, ossl_config, test_artifacts_dir, sig_name, worker_id):
if (sys.platform.startswith("win") and ("rainbowVclassic" in sig_name)):
pytest.skip('rainbowVclassic not supported in windows')
common.gen_keys(ossl, ossl_config, sig_name, test_artifacts_dir, worker_id)
sign_out = common.run_subprocess([
ossl, 'cms', '-sign', '-signer',
os.path.join(test_artifacts_dir, '{}_{}_srv.crt'.format(
worker_id, sig_name)), '-inkey',
os.path.join(test_artifacts_dir, '{}_{}_srv.key'.format(
worker_id, sig_name)), '-nodetach', '-outform', 'pem', '-binary'
],
input=input_msg.encode())
common.run_subprocess([
ossl, 'cms', '-verify', '-CAfile',
os.path.join(test_artifacts_dir, '{}_{}_CA.crt'.format(
worker_id, sig_name)), '-inform', 'pem', '-crlfeol', '-out',
os.path.join(test_artifacts_dir, '{}_{}_verify_out'.format(
worker_id, sig_name))
],
input=sign_out.encode())
with open(
os.path.join(test_artifacts_dir,
'{}_{}_verify_out'.format(worker_id, sig_name)),
'r') as verify_out:
assert input_msg == verify_out.read(), "Signature verification failed."
def test_env_groups(ossl, sig_default_server_port, test_artifacts_dir, worker_id):
env = os.environ
env["TLS_DEFAULT_GROUPS"]="frodo640aes"
client_output = common.run_subprocess([ossl, 's_client',
'-CAfile', os.path.join(test_artifacts_dir, '{}_dilithium2_CA.crt'.format(worker_id)),
'-verify_return_error',
'-connect', 'localhost:{}'.format(sig_default_server_port)],
input='Q'.encode(), env=env)
if not "Server Temp Key: {}".format("frodo640aes") in client_output:
print(client_output)
assert False, "Server temp key missing. Failure acceptable if default groups fixed via OQS_DEFAULT_GROUPS."
def test_sig(parametrized_sig_server, ossl, test_artifacts_dir, worker_id):
server_sig = parametrized_sig_server[0]
server_port = parametrized_sig_server[1]
client_output = common.run_subprocess([ossl, 's_client',
'-groups', 'oqs_kem_default',
'-CAfile', os.path.join(test_artifacts_dir, '{}_{}_CA.crt'.format(worker_id, server_sig)),
'-verify_return_error',
'-connect', 'localhost:{}'.format(server_port)],
input='Q'.encode())
if not "Server Temp Key: oqs_kem_default" in client_output:
print(client_output)
assert False, "Server temp key missing."
def test_sig_kem_pair(ossl, server, test_artifacts_dir, kex_name, worker_id):
client_output = common.run_subprocess([
ossl, 's_client', '-groups', kex_name, '-CAfile',
os.path.join(test_artifacts_dir, '{}_{}_CA.crt'.format(
worker_id, server[0])), '-verify_return_error', '-connect',
'localhost:{}'.format(server[1])
],
input='Q'.encode())
if kex_name.startswith('p256'):
kex_full_name = "{} hybrid".format(kex_name)
else:
kex_full_name = kex_name
if not "Server Temp Key: {}".format(kex_full_name) in client_output:
assert False, "Server temp key missing."
def test_sig(ossl, ossl_config, test_artifacts_dir, sig_name, worker_id):
common.gen_keys(ossl, ossl_config, sig_name, test_artifacts_dir, worker_id)
sign_out = common.run_subprocess([
ossl, 'cms', '-sign', '-signer',
os.path.join(test_artifacts_dir, '{}_{}_srv.crt'.format(
worker_id, sig_name)), '-inkey',
os.path.join(test_artifacts_dir, '{}_{}_srv.key'.format(
worker_id, sig_name)), '-nodetach', '-outform', 'pem', '-binary'
],
input=input_msg.encode())
common.run_subprocess([
ossl, 'cms', '-verify', '-CAfile',
os.path.join(test_artifacts_dir, '{}_{}_CA.crt'.format(
worker_id, sig_name)), '-inform', 'pem', '-crlfeol', '-out',
os.path.join(test_artifacts_dir, '{}_{}_verify_out'.format(
worker_id, sig_name))
],
input=sign_out.encode())
with open(
os.path.join(test_artifacts_dir,
'{}_{}_verify_out'.format(worker_id, sig_name)),
'r') as verify_out:
assert input_msg == verify_out.read(), "Signature verification failed."
def test_sig(parametrized_sig_server, ossl, test_artifacts_dir, worker_id):
server_sig = parametrized_sig_server[0]
if (sys.platform.startswith("win") and ("rainbowVclassic" in server_sig)):
pytest.skip('rainbowVclassic not supported in windows')
server_port = parametrized_sig_server[1]
client_output = common.run_subprocess([ossl, 's_client',
'-groups', 'frodo640aes',
'-CAfile', os.path.join(test_artifacts_dir, '{}_{}_CA.crt'.format(worker_id, server_sig)),
'-verify_return_error',
'-connect', 'localhost:{}'.format(server_port)],
input='Q'.encode())
if not "Server Temp Key: frodo640aes" in client_output:
print(client_output)
assert False, "Server temp key missing."
def test_kem(ossl, sig_default_server_port, test_artifacts_dir, kex_name, worker_id):
if (sys.platform.startswith("win") and ("bike" in kex_name)):
pytest.skip('BIKE not supported in windows')
client_output = common.run_subprocess([ossl, 's_client',
'-groups', kex_name,
'-CAfile', os.path.join(test_artifacts_dir, '{}_dilithium2_CA.crt'.format(worker_id)),
'-verify_return_error',
'-connect', 'localhost:{}'.format(sig_default_server_port)],
input='Q'.encode())
if kex_name.startswith('p256'):
kex_full_name = "{} hybrid".format(kex_name)
else:
kex_full_name = kex_name
if not "Server Temp Key: {}".format(kex_full_name) in client_output:
print(client_output)
assert False, "Server temp key missing."
def gen_cert(sig_alg):
# first check whether we already have a root CA; if not create it
if not os.path.exists(CAROOTDIR):
os.mkdir(CAROOTDIR)
common.run_subprocess([
OPENSSL, 'req', '-x509', '-new', '-newkey', "rsa:4096", '-keyout',
os.path.join(CAROOTDIR, "CA.key"), '-out',
os.path.join(CAROOTDIR, "CA.crt"), '-nodes', '-subj',
'/CN=oqstest_CA', '-days', '500', '-config', OPENSSL_CNF
])
print("New root cert residing in %s." %
(os.path.join(CAROOTDIR, "CA.crt")))
# now generate suitable server keys signed by that root; adapt algorithm names to std ossl
if sig_alg == 'rsa3072':
ossl_sig_alg_arg = 'rsa:3072'
elif sig_alg == 'ecdsap256':
common.run_subprocess([
OPENSSL, "ecparam", "-name", "prime256v1", "-out",
os.path.join(PKIPATH, "prime256v1.pem")
])
ossl_sig_alg_arg = 'ec:{}'.format(
os.path.join(PKIPATH, "prime256v1.pem"))
else:
ossl_sig_alg_arg = sig_alg
# generate server key and CSR
common.run_subprocess([
OPENSSL, 'req', '-new', '-newkey', ossl_sig_alg_arg, '-keyout',
os.path.join(PKIPATH, '{}_srv.key'.format(sig_alg)), '-out',
os.path.join(PKIPATH, '{}_srv.csr'.format(sig_alg)), '-nodes', '-subj',
'/CN=' + TESTFQDN, '-config', OPENSSL_CNF
])
# generate server cert off common root
common.run_subprocess([
OPENSSL, 'x509', '-req', '-in',
os.path.join(PKIPATH, '{}_srv.csr'.format(sig_alg)), '-out',
os.path.join(PKIPATH, '{}_srv.crt'.format(sig_alg)), '-CA',
os.path.join(CAROOTDIR, 'CA.crt'), '-CAkey',
os.path.join(CAROOTDIR, 'CA.key'), '-CAcreateserial', '-extfile',
'ext-csr.conf', '-extensions', 'v3_req', '-days', '365'
])
def test_sig_speed(ossl, ossl_config, test_artifacts_dir, sig_name):
common.run_subprocess([ossl, 'speed', '-seconds', '1', sig_name])
