Test: sigalgs passed to cert resolution are cs-compatible

Otherwise we'll induce `ResolvesServerCert` implementors to select server certs that are in fact incompatible with the already-selected ciphersuite. These tests fail.
2019-09-04 21:52:14 +01:00 · 2019-09-04 21:52:14 +01:00 · 2029e08939
parent f022189734
commit 2029e08939
1 changed files with 63 additions and 6 deletions
--- a/rustls/tests/api.rs
+++ b/rustls/tests/api.rs
@ -311,13 +311,15 @@ fn client_close_notify() {
 }

 struct ServerCheckCertResolve {
-    expected: String
+    expected_sni: String,
+    expected_sigalgs: Option<Vec<SignatureScheme>>,
 }

 impl ServerCheckCertResolve {
-    fn new(expect: &str) -> ServerCheckCertResolve {
+    fn new(expected_sni: &str) -> ServerCheckCertResolve {
        ServerCheckCertResolve {
-            expected: expect.to_string()
+            expected_sni: expected_sni.to_string(),
+            expected_sigalgs: None,
        }
    }
 }
@ -329,17 +331,25 @@ impl ResolvesServerCert for ServerCheckCertResolve {
        -> Option<sign::CertifiedKey> {
        if let Some(got_dns_name) = server_name {
            let got: &str = got_dns_name.into();
-            if got != self.expected {
-                panic!("unexpected dns name (wanted '{}' got '{:?}')", &self.expected, got_dns_name);
+            if got != self.expected_sni {
+                panic!("unexpected dns name (wanted '{}' got '{:?}')",
+                       &self.expected_sni, got_dns_name);
            }
        } else {
-            panic!("dns name not provided (wanted '{}')", &self.expected);
+            panic!("dns name not provided (wanted '{}')", &self.expected_sni);
        }

        if sigschemes.len() == 0 {
            panic!("no signature schemes shared by client");
        }

+        if let Some(expected_sigalgs) = &self.expected_sigalgs {
+            if expected_sigalgs != &sigschemes {
+                panic!("unexpected signature schemes (wanted {:?} got {:?})",
+                       self.expected_sigalgs, sigschemes);
+            }
+        }
+
        None
    }
 }
@ -360,6 +370,53 @@ fn server_cert_resolve_with_sni() {
    }
 }

+fn check_sigalgs_reduced_by_ciphersuite(kt: KeyType, suite: CipherSuite,
+                                        expected_sigalgs: Vec<SignatureScheme>) {
+    let mut client_config = make_client_config(kt);
+    client_config.ciphersuites = vec![ find_suite(suite) ];
+
+    let mut server_config = make_server_config(kt);
+
+    server_config.cert_resolver = Arc::new(ServerCheckCertResolve {
+        expected_sni: "sni-value".into(),
+        expected_sigalgs: Some(expected_sigalgs),
+    });
+
+    let mut client = ClientSession::new(&Arc::new(client_config), dns_name("sni-value"));
+    let mut server = ServerSession::new(&Arc::new(server_config));
+
+    let err = do_handshake_until_error(&mut client, &mut server);
+    assert_eq!(err.is_err(), true);
+}
+
+#[test]
+fn server_cert_resolve_reduces_sigalgs_for_rsa_ciphersuite() {
+    check_sigalgs_reduced_by_ciphersuite(
+        KeyType::RSA,
+        CipherSuite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+        vec![
+            SignatureScheme::RSA_PSS_SHA512,
+            SignatureScheme::RSA_PSS_SHA384,
+            SignatureScheme::RSA_PSS_SHA256,
+            SignatureScheme::RSA_PKCS1_SHA512,
+            SignatureScheme::RSA_PKCS1_SHA384,
+            SignatureScheme::RSA_PKCS1_SHA256,
+        ]
+    );
+}
+
+#[test]
+fn server_cert_resolve_reduces_sigalgs_for_ecdsa_ciphersuite() {
+    check_sigalgs_reduced_by_ciphersuite(
+        KeyType::ECDSA,
+        CipherSuite::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+        vec![
+            SignatureScheme::ECDSA_NISTP384_SHA384,
+            SignatureScheme::ECDSA_NISTP256_SHA256,
+        ]
+    );
+}
+
 struct ServerCheckNoSNI {}

 impl ResolvesServerCert for ServerCheckNoSNI {