bogo support for SCT tests

2017-07-16 12:16:39 +01:00 · 2017-07-16 12:16:39 +01:00 · b25072598e
parent b55071947c
commit b25072598e
4 changed files with 30 additions and 13 deletions
--- a/bogo/config.json
+++ b/bogo/config.json
@ -236,6 +236,7 @@
    "SendUnsolicitedSCTOnCertificate-TLS13": ":PEER_MISBEHAVIOUR:",
    "SendUnknownExtensionOnCertificate-TLS13": ":PEER_MISBEHAVIOUR:",
    "LargePlaintext": ":PEER_MISBEHAVIOUR:",
+    "SendDuplicateExtensionsOnCerts-TLS13": ":PEER_MISBEHAVIOUR:",
    "EMS-Forbidden-TLS13": ":PEER_MISBEHAVIOUR:",
    "SendExtensionOnClientCertificate-TLS13": ":PEER_MISBEHAVIOUR:",
    "ExtendedMasterSecret-NoToYes-Client": ":PEER_MISBEHAVIOUR:",
--- a/examples/internal/bogo_shim.rs
+++ b/examples/internal/bogo_shim.rs
@ -46,6 +46,7 @@ struct Options {
    min_version: Option<ProtocolVersion>,
    max_version: Option<ProtocolVersion>,
    server_ocsp_response: Vec<u8>,
+    server_sct_list: Vec<u8>,
    expect_curve: u16,
 }

@ -69,6 +70,7 @@ impl Options {
            min_version: None,
            max_version: None,
            server_ocsp_response: vec![],
+            server_sct_list: vec![],
            expect_curve: 0,
        }
    }
@ -148,7 +150,9 @@ fn make_server_cfg(opts: &Options) -> Arc<rustls::ServerConfig> {

    let cert = load_cert(&opts.cert_file);
    let key = load_key(&opts.key_file);
-    cfg.set_single_cert_with_ocsp(cert.clone(), key, opts.server_ocsp_response.clone());
+    cfg.set_single_cert_with_ocsp_and_sct(cert.clone(), key,
+                                          opts.server_ocsp_response.clone(),
+                                          opts.server_sct_list.clone());

    if opts.verify_peer || opts.offer_no_client_cas || opts.require_any_client_cert {
        cfg.client_auth_offer = true;
@ -369,6 +373,10 @@ fn main() {
                opts.server_ocsp_response = base64::decode(args.remove(0).as_bytes())
                    .expect("invalid base64");
            }
+            "-signed-cert-timestamps" => {
+                opts.server_sct_list = base64::decode(args.remove(0).as_bytes())
+                    .expect("invalid base64");
+            }
            "-select-alpn" => {
                opts.protocols.push(args.remove(0));
            }
--- a/examples/tlsserver.rs
+++ b/examples/tlsserver.rs
@ -502,7 +502,7 @@ fn make_config(args: &Args) -> Arc<rustls::ServerConfig> {
    let certs = load_certs(args.flag_certs.as_ref().expect("--certs option missing"));
    let privkey = load_private_key(args.flag_key.as_ref().expect("--key option missing"));
    let ocsp = load_ocsp(&args.flag_ocsp);
-    config.set_single_cert_with_ocsp(certs, privkey, ocsp);
+    config.set_single_cert_with_ocsp_and_sct(certs, privkey, ocsp, vec![]);

    if args.flag_auth.is_some() {
        let client_auth_roots = load_certs(args.flag_auth.as_ref().unwrap());
--- a/src/server.rs
+++ b/src/server.rs
@ -255,13 +255,17 @@ impl AlwaysResolvesChain {
        AlwaysResolvesChain(sign::CertifiedKey::new(chain, key))
    }

-    fn new_rsa_with_ocsp(chain: Vec<key::Certificate>,
-                         priv_key: &key::PrivateKey,
-                         ocsp: Vec<u8>) -> AlwaysResolvesChain {
+    fn new_rsa_with_extras(chain: Vec<key::Certificate>,
+                           priv_key: &key::PrivateKey,
+                           ocsp: Vec<u8>,
+                           scts: Vec<u8>) -> AlwaysResolvesChain {
        let mut r = AlwaysResolvesChain::new_rsa(chain, priv_key);
        if !ocsp.is_empty() {
            r.0.ocsp = Some(ocsp);
        }
+        if !scts.is_empty() {
+            r.0.sct_list = Some(scts);
+        }
        r
    }
 }
@ -323,14 +327,18 @@ impl ServerConfig {
    ///
    /// `cert_chain` is a vector of DER-encoded certificates.
    /// `key_der` is a DER-encoded RSA private key.
-    /// `ocsp` is a DER-encoded OCSP response.
-    pub fn set_single_cert_with_ocsp(&mut self,
-                                     cert_chain: Vec<key::Certificate>,
-                                     key_der: key::PrivateKey,
-                                     ocsp: Vec<u8>) {
-        self.cert_resolver = Arc::new(AlwaysResolvesChain::new_rsa_with_ocsp(cert_chain,
-                                                                             &key_der,
-                                                                             ocsp));
+    /// `ocsp` is a DER-encoded OCSP response.  Ignored if zero length.
+    /// `scts` is an `SignedCertificateTimestampList` encoding (see RFC6962)
+    /// and is ignored if empty.
+    pub fn set_single_cert_with_ocsp_and_sct(&mut self,
+                                             cert_chain: Vec<key::Certificate>,
+                                             key_der: key::PrivateKey,
+                                             ocsp: Vec<u8>,
+                                             scts: Vec<u8>) {
+        self.cert_resolver = Arc::new(AlwaysResolvesChain::new_rsa_with_extras(cert_chain,
+                                                                               &key_der,
+                                                                               ocsp,
+                                                                               scts));
    }

    /// Set the ALPN protocol list to the given protocol names.