lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-29 11:41:15 +03:00
Code Activity

Add key_opaque option to ssl_server2.c + test

Browse Source 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
This commit is contained in:
Przemyslaw Stekiel
2021-10-04 11:13:22 +02:00
parent cd51e76583
commit 0483e3d652
2 changed files with 46 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
programs/ssl/ssl_server2.c
View File

@ -80,6 +80,7 @@ int main( void )
#define DFL_CA_PATH "" #define DFL_CA_PATH ""
#define DFL_CRT_FILE "" #define DFL_CRT_FILE ""
#define DFL_KEY_FILE "" #define DFL_KEY_FILE ""
#define DFL_KEY_OPAQUE 0
#define DFL_KEY_PWD "" #define DFL_KEY_PWD ""
#define DFL_CRT_FILE2 "" #define DFL_CRT_FILE2 ""
#define DFL_KEY_FILE2 "" #define DFL_KEY_FILE2 ""
@ -200,6 +201,13 @@ int main( void )
#else #else
#define USAGE_IO "" #define USAGE_IO ""
#endif /* MBEDTLS_X509_CRT_PARSE_C */ #endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_X509_CRT_PARSE_C)
#define USAGE_KEY_OPAQUE \
" key_opaque=%%d Handle your private key as if it were opaque\n" \
" default: 0 (disabled)\n"
#else
#define USAGE_KEY_OPAQUE ""
#endif
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
#define USAGE_SSL_ASYNC \ #define USAGE_SSL_ASYNC \
@ -483,6 +491,7 @@ int main( void )
" cert_req_ca_list=%%d default: 1 (send ca list)\n" \ " cert_req_ca_list=%%d default: 1 (send ca list)\n" \
" options: 1 (send ca list), 0 (don't send)\n" \ " options: 1 (send ca list), 0 (don't send)\n" \
USAGE_IO \ USAGE_IO \
USAGE_KEY_OPAQUE \
"\n" \ "\n" \
USAGE_PSK \ USAGE_PSK \
USAGE_CA_CALLBACK \ USAGE_CA_CALLBACK \
@ -567,6 +576,7 @@ struct options
const char *ca_path; /* the path with the CA certificate(s) reside */ const char *ca_path; /* the path with the CA certificate(s) reside */
const char *crt_file; /* the file with the server certificate */ const char *crt_file; /* the file with the server certificate */
const char *key_file; /* the file with the server key */ const char *key_file; /* the file with the server key */
int key_opaque; /* handle private key as if it were opaque */
const char *key_pwd; /* the password for the server key */ const char *key_pwd; /* the password for the server key */
const char *crt_file2; /* the file with the 2nd server certificate */ const char *crt_file2; /* the file with the 2nd server certificate */
const char *key_file2; /* the file with the 2nd server key */ const char *key_file2; /* the file with the 2nd server key */
@ -1315,6 +1325,9 @@ int main( int argc, char *argv[] )
mbedtls_pk_context pkey; mbedtls_pk_context pkey;
mbedtls_x509_crt srvcert2; mbedtls_x509_crt srvcert2;
mbedtls_pk_context pkey2; mbedtls_pk_context pkey2;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_id_t key_slot = 0; /* invalid key slot */
#endif
int key_cert_init = 0, key_cert_init2 = 0; int key_cert_init = 0, key_cert_init2 = 0;
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
ssl_async_key_context_t ssl_async_keys; ssl_async_key_context_t ssl_async_keys;
@ -1491,6 +1504,7 @@ int main( int argc, char *argv[] )
opt.ca_path = DFL_CA_PATH; opt.ca_path = DFL_CA_PATH;
opt.crt_file = DFL_CRT_FILE; opt.crt_file = DFL_CRT_FILE;
opt.key_file = DFL_KEY_FILE; opt.key_file = DFL_KEY_FILE;
opt.key_opaque = DFL_KEY_OPAQUE;
opt.key_pwd = DFL_KEY_PWD; opt.key_pwd = DFL_KEY_PWD;
opt.crt_file2 = DFL_CRT_FILE2; opt.crt_file2 = DFL_CRT_FILE2;
opt.key_file2 = DFL_KEY_FILE2; opt.key_file2 = DFL_KEY_FILE2;
@ -1622,6 +1636,10 @@ int main( int argc, char *argv[] )
opt.key_file = q; opt.key_file = q;
else if( strcmp( p, "key_pwd" ) == 0 ) else if( strcmp( p, "key_pwd" ) == 0 )
opt.key_pwd = q; opt.key_pwd = q;
#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_X509_CRT_PARSE_C)
else if( strcmp( p, "key_opaque" ) == 0 )
opt.key_opaque = atoi( q );
#endif
else if( strcmp( p, "crt_file2" ) == 0 ) else if( strcmp( p, "crt_file2" ) == 0 )
opt.crt_file2 = q; opt.crt_file2 = q;
else if( strcmp( p, "key_file2" ) == 0 ) else if( strcmp( p, "key_file2" ) == 0 )
@ -2473,11 +2491,23 @@ int main( int argc, char *argv[] )
(unsigned int) -ret ); (unsigned int) -ret );
goto exit; goto exit;
} }
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( opt.key_opaque != 0 )
{
if( ( ret = mbedtls_pk_wrap_as_opaque( &pkey2, &key_slot,
PSA_ALG_SHA_256 ) ) != 0 )
{
mbedtls_printf( " failed\n ! "
"mbedtls_pk_wrap_as_opaque returned -0x%x\n\n", (unsigned int) -ret );
goto exit;
}
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
key_cert_init2 = 2; key_cert_init2 = 2;
#endif /* MBEDTLS_ECDSA_C */ #endif /* MBEDTLS_ECDSA_C */
} }
mbedtls_printf( " ok\n" ); mbedtls_printf( " ok (key type: %s)\n", mbedtls_pk_get_name( &pkey2 ) );
#endif /* MBEDTLS_X509_CRT_PARSE_C */ #endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO) #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO)

15
tests/ssl-opt.sh
View File

@ -1444,6 +1444,21 @@ run_test "Opaque key for client authentication" \
-S "error" \ -S "error" \
-C "error" -C "error"
# Test using an opaque private key for server authentication
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SHA256_C
run_test "Opaque key for server authentication" \
"$P_SRV auth_mode=required key_opaque=1" \
"$P_CLI crt_file=data_files/server5.crt \
key_file=data_files/server5.key" \
0 \
-c "Verifying peer X.509 certificate... ok" \
-s "key type: Opaque" \
-S "error" \
-C "error"
# Test ciphersuites which we expect to be fully supported by PSA Crypto # Test ciphersuites which we expect to be fully supported by PSA Crypto
# and check that we don't fall back to Mbed TLS' internal crypto primitives. # and check that we don't fall back to Mbed TLS' internal crypto primitives.
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM