ssl-opt.sh: Test trusted certificate callback in TLS 1.3
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 10cb3b8..5537662 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2155,7 +2155,7 @@
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "CA callback on client" \
"$P_SRV debug_level=3" \
- "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 " \
+ "$P_CLI ca_callback=1 debug_level=3 " \
0 \
-c "use CA callback for X.509 CRT verification" \
-S "error" \
@@ -2165,7 +2165,7 @@
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_hash_alg SHA_256
run_test "CA callback on server" \
- "$P_SRV force_version=tls12 auth_mode=required" \
+ "$P_SRV auth_mode=required" \
"$P_CLI ca_callback=1 debug_level=3 crt_file=$DATA_FILES_PATH/server5.crt \
key_file=$DATA_FILES_PATH/server5.key" \
0 \
@@ -6308,7 +6308,7 @@
run_test "Authentication, CA callback: server badcert, client required" \
"$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \
- "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required" \
+ "$P_CLI ca_callback=1 debug_level=3 auth_mode=required" \
1 \
-c "use CA callback for X.509 CRT verification" \
-c "x509_verify_cert() returned" \
@@ -6320,7 +6320,7 @@
run_test "Authentication, CA callback: server badcert, client optional" \
"$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \
- "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=optional" \
+ "$P_CLI ca_callback=1 debug_level=3 auth_mode=optional" \
0 \
-c "use CA callback for X.509 CRT verification" \
-c "x509_verify_cert() returned" \
@@ -6328,6 +6328,18 @@
-C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed"
+requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
+run_test "Authentication, CA callback: server badcert, client none" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
+ "$P_CLI ca_callback=1 debug_level=3 auth_mode=none" \
+ 0 \
+ -C "use CA callback for X.509 CRT verification" \
+ -C "x509_verify_cert() returned" \
+ -C "! The certificate is not correctly signed by the trusted CA" \
+ -C "! mbedtls_ssl_handshake returned" \
+ -C "X509 - Certificate verification failed"
+
# The purpose of the next two tests is to test the client's behaviour when receiving a server
# certificate with an unsupported elliptic curve. This should usually not happen because
# the client informs the server about the supported curves - it does, though, in the
@@ -6383,7 +6395,7 @@
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client badcert, server required" \
- "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required" \
+ "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \
1 \
@@ -6398,7 +6410,6 @@
-s "! The certificate is not correctly signed by the trusted CA" \
-s "! mbedtls_ssl_handshake returned" \
-s "send alert level=2 message=48" \
- -c "! mbedtls_ssl_handshake returned" \
-s "X509 - Certificate verification failed"
# We don't check that the client receives the alert because it might
# detect that its write end of the connection is closed and abort
@@ -6406,7 +6417,7 @@
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client cert not trusted, server required" \
- "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required" \
+ "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-selfsigned.crt \
key_file=$DATA_FILES_PATH/server5.key" \
1 \
@@ -6420,12 +6431,11 @@
-s "x509_verify_cert() returned" \
-s "! The certificate is not correctly signed by the trusted CA" \
-s "! mbedtls_ssl_handshake returned" \
- -c "! mbedtls_ssl_handshake returned" \
-s "X509 - Certificate verification failed"
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client badcert, server optional" \
- "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 auth_mode=optional" \
+ "$P_SRV ca_callback=1 debug_level=3 auth_mode=optional" \
"$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \
0 \
@@ -6448,7 +6458,7 @@
run_test "Authentication, CA callback: server max_int chain, client default" \
"$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c09.pem \
key_file=$DATA_FILES_PATH/dir-maxpath/09.key" \
- "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 server_name=CA09 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \
+ "$P_CLI ca_callback=1 debug_level=3 server_name=CA09 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \
0 \
-c "use CA callback for X.509 CRT verification" \
-C "X509 - A fatal error occurred"
@@ -6459,7 +6469,7 @@
run_test "Authentication, CA callback: server max_int+1 chain, client default" \
"$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
- "$P_CLI force_version=tls12 debug_level=3 ca_callback=1 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \
+ "$P_CLI debug_level=3 ca_callback=1 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \
1 \
-c "use CA callback for X.509 CRT verification" \
-c "X509 - A fatal error occurred"
@@ -6470,7 +6480,7 @@
run_test "Authentication, CA callback: server max_int+1 chain, client optional" \
"$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
- "$P_CLI force_version=tls12 ca_callback=1 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \
+ "$P_CLI ca_callback=1 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \
debug_level=3 auth_mode=optional" \
1 \
-c "use CA callback for X.509 CRT verification" \
@@ -6480,7 +6490,7 @@
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client max_int+1 chain, server optional" \
- "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=optional" \
+ "$P_SRV ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=optional" \
"$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
1 \
@@ -6491,7 +6501,7 @@
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client max_int+1 chain, server required" \
- "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \
+ "$P_SRV ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \
"$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
1 \
@@ -6502,7 +6512,7 @@
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client max_int chain, server required" \
- "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \
+ "$P_SRV ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \
"$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c09.pem \
key_file=$DATA_FILES_PATH/dir-maxpath/09.key" \
0 \