bogo support for SCT tests
parent
b55071947c
commit
b25072598e
@ -236,6 +236,7 @@
|
|||
"SendUnsolicitedSCTOnCertificate-TLS13": ":PEER_MISBEHAVIOUR:",
|
||||
"SendUnknownExtensionOnCertificate-TLS13": ":PEER_MISBEHAVIOUR:",
|
||||
"LargePlaintext": ":PEER_MISBEHAVIOUR:",
|
||||
"SendDuplicateExtensionsOnCerts-TLS13": ":PEER_MISBEHAVIOUR:",
|
||||
"EMS-Forbidden-TLS13": ":PEER_MISBEHAVIOUR:",
|
||||
"SendExtensionOnClientCertificate-TLS13": ":PEER_MISBEHAVIOUR:",
|
||||
"ExtendedMasterSecret-NoToYes-Client": ":PEER_MISBEHAVIOUR:",
|
||||
@ -46,6 +46,7 @@ struct Options {
|
|||
min_version: Option<ProtocolVersion>,
|
||||
max_version: Option<ProtocolVersion>,
|
||||
server_ocsp_response: Vec<u8>,
|
||||
server_sct_list: Vec<u8>,
|
||||
expect_curve: u16,
|
||||
}
|
||||
|
||||
@ -69,6 +70,7 @@ impl Options {
|
|||
min_version: None,
|
||||
max_version: None,
|
||||
server_ocsp_response: vec![],
|
||||
server_sct_list: vec![],
|
||||
expect_curve: 0,
|
||||
}
|
||||
}
|
||||
@ -148,7 +150,9 @@ fn make_server_cfg(opts: &Options) -> Arc<rustls::ServerConfig> {
|
|||
|
||||
let cert = load_cert(&opts.cert_file);
|
||||
let key = load_key(&opts.key_file);
|
||||
cfg.set_single_cert_with_ocsp(cert.clone(), key, opts.server_ocsp_response.clone());
|
||||
cfg.set_single_cert_with_ocsp_and_sct(cert.clone(), key,
|
||||
opts.server_ocsp_response.clone(),
|
||||
opts.server_sct_list.clone());
|
||||
|
||||
if opts.verify_peer || opts.offer_no_client_cas || opts.require_any_client_cert {
|
||||
cfg.client_auth_offer = true;
|
||||
@ -369,6 +373,10 @@ fn main() {
|
|||
opts.server_ocsp_response = base64::decode(args.remove(0).as_bytes())
|
||||
.expect("invalid base64");
|
||||
}
|
||||
"-signed-cert-timestamps" => {
|
||||
opts.server_sct_list = base64::decode(args.remove(0).as_bytes())
|
||||
.expect("invalid base64");
|
||||
}
|
||||
"-select-alpn" => {
|
||||
opts.protocols.push(args.remove(0));
|
||||
}
|
||||
@ -502,7 +502,7 @@ fn make_config(args: &Args) -> Arc<rustls::ServerConfig> {
|
|||
let certs = load_certs(args.flag_certs.as_ref().expect("--certs option missing"));
|
||||
let privkey = load_private_key(args.flag_key.as_ref().expect("--key option missing"));
|
||||
let ocsp = load_ocsp(&args.flag_ocsp);
|
||||
config.set_single_cert_with_ocsp(certs, privkey, ocsp);
|
||||
config.set_single_cert_with_ocsp_and_sct(certs, privkey, ocsp, vec![]);
|
||||
|
||||
if args.flag_auth.is_some() {
|
||||
let client_auth_roots = load_certs(args.flag_auth.as_ref().unwrap());
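Review bot: The example now hard-codes `vec![]` for the SCT list, so `tlsserver` never exercises the `server_sct_list` path this commit adds, even though the OCSP response next to it is loaded from a command-line flag via `load_ocsp`. A parallel `--sct FILE` option fed through an equivalent loader would keep the two stapled-data inputs symmetrical and give the new feature a runnable example: `let scts = load_sct_list(&args.flag_sct);` followed by `config.set_single_cert_with_ocsp_and_sct(certs, privkey, ocsp, scts);`. `Args` and `load_ocsp` are outside this hunk, so the exact flag plumbing is inferred. `make_config` continues past the end of the hunk.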
|
||||
@ -255,13 +255,17 @@ impl AlwaysResolvesChain {
|
|||
AlwaysResolvesChain(sign::CertifiedKey::new(chain, key))
|
||||
}
|
||||
|
||||
fn new_rsa_with_ocsp(chain: Vec<key::Certificate>,
|
||||
priv_key: &key::PrivateKey,
|
||||
ocsp: Vec<u8>) -> AlwaysResolvesChain {
|
||||
fn new_rsa_with_extras(chain: Vec<key::Certificate>,
|
||||
priv_key: &key::PrivateKey,
|
||||
ocsp: Vec<u8>,
|
||||
scts: Vec<u8>) -> AlwaysResolvesChain {
|
||||
let mut r = AlwaysResolvesChain::new_rsa(chain, priv_key);
|
||||
if !ocsp.is_empty() {
|
||||
r.0.ocsp = Some(ocsp);
|
||||
}
|
||||
if !scts.is_empty() {
|
||||
r.0.sct_list = Some(scts);
|
||||
}
|
||||
r
|
||||
}
|
||||
}
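Review bot: `new_rsa_with_extras` stores `scts` verbatim into `r.0.sct_list` with no check that the bytes form a `SignedCertificateTimestampList`, and the private function carries no comment saying the caller is responsible for that encoding. The only test is `!scts.is_empty()`, which also means "no list" and "empty list" collapse into `None`, the same convention already used for `ocsp`. Suggest a header comment: `/// As new_rsa, but also attaches a DER OCSP response and an RFC 6962 SignedCertificateTimestampList; each is stored only if non-empty and is sent to clients as given, without validation.` The extension body that carries this list is bounded at 65535 bytes by the TLS encoding; if the codec layer does not reject a longer list (not visible from this hunk), a `debug_assert!(scts.len() <= 0xffff);` here would surface a misconfiguration before it reaches the wire. The enclosing `impl AlwaysResolvesChain` closes at the last line of the hunk but begins above it.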
|
||||
@ -323,14 +327,18 @@ impl ServerConfig {
|
|||
///
|
||||
/// `cert_chain` is a vector of DER-encoded certificates.
|
||||
/// `key_der` is a DER-encoded RSA private key.
|
||||
/// `ocsp` is a DER-encoded OCSP response.
|
||||
pub fn set_single_cert_with_ocsp(&mut self,
|
||||
cert_chain: Vec<key::Certificate>,
|
||||
key_der: key::PrivateKey,
|
||||
ocsp: Vec<u8>) {
|
||||
self.cert_resolver = Arc::new(AlwaysResolvesChain::new_rsa_with_ocsp(cert_chain,
|
||||
&key_der,
|
||||
ocsp));
|
||||
/// `ocsp` is a DER-encoded OCSP response. Ignored if zero length.
|
||||
/// `scts` is an `SignedCertificateTimestampList` encoding (see RFC6962)
|
||||
/// and is ignored if empty.
|
||||
pub fn set_single_cert_with_ocsp_and_sct(&mut self,
|
||||
cert_chain: Vec<key::Certificate>,
|
||||
key_der: key::PrivateKey,
|
||||
ocsp: Vec<u8>,
|
||||
scts: Vec<u8>) {
|
||||
self.cert_resolver = Arc::new(AlwaysResolvesChain::new_rsa_with_extras(cert_chain,
|
||||
&key_der,
|
||||
ocsp,
|
||||
scts));
|
||||
}
|
||||
|
||||
/// Set the ALPN protocol list to the given protocol names.
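Review bot: The public `set_single_cert_with_ocsp` is deleted rather than kept, so every existing caller of the pre-SCT API breaks on upgrade (the `tlsserver` example in this same commit had to change for that reason). The old name can stay as a one-line wrapper with no cost: `pub fn set_single_cert_with_ocsp(&mut self, cert_chain: Vec<key::Certificate>, key_der: key::PrivateKey, ocsp: Vec<u8>) { self.set_single_cert_with_ocsp_and_sct(cert_chain, key_der, ocsp, vec![]) }`. The new doc comment should also state that neither blob is parsed or validated and both are sent to clients exactly as supplied, and it should name the encoding precisely: the body of the `signed_certificate_timestamp` extension from RFC 6962 §3.3, a two-byte length-prefixed list of serialized SCTs, rather than "an `SignedCertificateTimestampList` encoding" (also "a", not "an"). The function's summary line and the rest of `impl ServerConfig` are outside the hunk.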
|
||||