def test_well_known_endpoints(managed_process, protocol, endpoint, provider,
cipher):
port = "443"
client_options = ProviderOptions(mode=Provider.ClientMode,
host=endpoint,
port=port,
insecure=False,
trust_store=TRUST_STORE_BUNDLE,
protocol=protocol,
cipher=cipher)
if get_flag(S2N_FIPS_MODE) is True:
client_options.trust_store = "../integration/trust-store/ca-bundle.trust.crt"
else:
client_options.trust_store = "../integration/trust-store/ca-bundle.crt"
client = managed_process(provider, client_options, timeout=5)
expected_result = EXPECTED_RESULTS.get((endpoint, cipher), None)
for results in client.get_results():
assert results.exception is None
assert results.exit_code == 0
if expected_result is not None:
assert bytes(
expected_result['cipher'].encode('utf-8')) in results.stdout
assert bytes(
expected_result['kem'].encode('utf-8')) in results.stdout
def test_well_known_endpoints(managed_process, protocol, endpoint, provider,
cipher):
port = "443"
client_options = ProviderOptions(mode=Provider.ClientMode,
host=endpoint,
port=port,
insecure=False,
trust_store=TRUST_STORE_BUNDLE,
protocol=protocol,
cipher=cipher)
if get_flag(S2N_FIPS_MODE) is True:
client_options.trust_store = "../integration/trust-store/ca-bundle.trust.crt"
else:
client_options.trust_store = "../integration/trust-store/ca-bundle.crt"
# expect_stderr=True because S2N sometimes receives OCSP responses:
# https://github.com/aws/s2n-tls/blob/14ed186a13c1ffae7fbb036ed5d2849ce7c17403/bin/echo.c#L180-L184
client = managed_process(provider,
client_options,
timeout=5,
expect_stderr=True)
expected_result = EXPECTED_RESULTS.get((endpoint, cipher), None)
for results in client.get_results():
results.assert_success()
if expected_result is not None:
assert to_bytes(expected_result['cipher']) in results.stdout
assert to_bytes(expected_result['kem']) in results.stdout
def test_s2n_client_signature_algorithms(managed_process, cipher, provider,
protocol, certificate, signature,
client_auth):
port = next(available_ports)
random_bytes = data_bytes(64)
client_options = ProviderOptions(mode=Provider.ClientMode,
host="localhost",
port=port,
cipher=cipher,
data_to_send=random_bytes,
insecure=True,
use_client_auth=client_auth,
key=certificate.key,
cert=certificate.cert,
protocol=protocol)
server_options = copy.copy(client_options)
server_options.data_to_send = None
server_options.mode = Provider.ServerMode
server_options.key = certificate.key
server_options.cert = certificate.cert
server_options.trust_store = certificate.cert
server_options.extra_flags = ['-sigalgs', signature.name]
if client_auth is True:
client_options.trust_store = Certificates.RSA_2048_SHA256_WILDCARD.cert
server_options.key = Certificates.RSA_2048_SHA256_WILDCARD.key
server_options.cert = Certificates.RSA_2048_SHA256_WILDCARD.cert
if signature.sig_type == 'RSA-PSS':
client_options.trust_store = Certificates.RSA_PSS_2048_SHA256.cert
server_options.key = Certificates.RSA_PSS_2048_SHA256.key
server_options.cert = Certificates.RSA_PSS_2048_SHA256.cert
elif signature.sig_type == 'ECDSA':
client_options.trust_store = Certificates.ECDSA_256.cert
server_options.key = Certificates.ECDSA_256.key
server_options.cert = Certificates.ECDSA_256.cert
server = managed_process(provider, server_options, timeout=5)
client = managed_process(S2N, client_options, timeout=5)
for results in server.get_results():
assert results.exception is None
assert results.exit_code == 0
assert bytes('Shared Signature Algorithms: {}+{}'.format(
signature.sig_type,
signature.sig_digest).encode('utf-8')) in results.stdout
assert random_bytes in results.stdout
expected_version = get_expected_s2n_version(protocol, provider)
for results in client.get_results():
assert results.exception is None
assert results.exit_code == 0
assert bytes("Actual protocol version: {}".format(
expected_version).encode('utf-8')) in results.stdout
def setup_provider_options(mode, port, cipher, curve, certificate,
data_to_send, client_psk_params):
options = ProviderOptions(host="localhost",
port=port,
cipher=cipher,
curve=curve,
insecure=True,
protocol=Protocols.TLS13,
data_to_send=data_to_send,
mode=mode,
extra_flags=client_psk_params)
if certificate:
options.key = certificate.key
options.cert = certificate.cert
options.trust_store = certificate.cert
return options
