Skip to content

Commit

Permalink
tests: allow TLS1.2 with RSA-PSS certs in integ tests
Browse files Browse the repository at this point in the history
  • Loading branch information
lrstewart committed Dec 6, 2024
1 parent c426395 commit 1b6544a
Show file tree
Hide file tree
Showing 3 changed files with 25 additions and 15 deletions.
13 changes: 11 additions & 2 deletions tests/integrationv2/common.py
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,16 @@ def __init__(self, name, prefix, location=TEST_CERT_DIRECTORY):
self.algorithm = 'RSAPSS'

def compatible_with_cipher(self, cipher):
return (self.algorithm == cipher.algorithm) or (cipher.algorithm == 'ANY')
if self.algorithm == cipher.algorithm:
return True
if cipher.algorithm == 'ANY':
return True
if self.algorithm == 'RSAPSS':
if cipher.algorithm != 'RSA':
return False
if 'ECDHE' in cipher.name:
return True
return False

def compatible_with_curve(self, curve):
if self.algorithm != 'EC':
Expand Down Expand Up @@ -442,7 +451,7 @@ class Signatures(object):

RSA_PSS_PSS_SHA256 = Signature(
'rsa_pss_pss_sha256',
min_protocol=Protocols.TLS13,
min_protocol=Protocols.TLS12,
sig_type='RSA-PSS-PSS',
sig_digest='SHA256')

Expand Down
22 changes: 12 additions & 10 deletions tests/integrationv2/providers.py
Original file line number Diff line number Diff line change
Expand Up @@ -148,22 +148,24 @@ def get_send_marker(cls):

@classmethod
def supports_protocol(cls, protocol, with_cert=None):
# TLS 1.3 is unsupported for openssl-1.0
# RSA-PSS is unsupported for openssl-1.0
# libressl and boringssl are disabled because of configuration issues
# see https://github.com/aws/s2n-tls/issues/3250
TLS_13_UNSUPPORTED_LIBCRYPTOS = {
PSS_UNSUPPORTED_LIBCRYPTOS = {
"libressl",
"boringssl",
"openssl-1.0"
}

# Disable TLS 1.3 tests for all libcryptos that don't support 1.3
if protocol == Protocols.TLS13:
current_libcrypto = get_flag(S2N_PROVIDER_VERSION)
for unsupported_lc in TLS_13_UNSUPPORTED_LIBCRYPTOS:
# e.g. "openssl-1.0" in "openssl-1.0.2-fips"
if unsupported_lc in current_libcrypto:
return False
pss_is_unsupported = any([
# e.g. "openssl-1.0" in "openssl-1.0.2-fips"
libcrypto in get_flag(S2N_PROVIDER_VERSION)
for libcrypto in PSS_UNSUPPORTED_LIBCRYPTOS
])
if pss_is_unsupported:
if protocol == Protocols.TLS13:
return False
if with_cert and with_cert.algorithm == 'RSAPSS':
return False

# SSLv3 cannot be negotiated in FIPS mode with libcryptos other than AWS-LC.
if all([
Expand Down
5 changes: 2 additions & 3 deletions tests/integrationv2/utils.py
Original file line number Diff line number Diff line change
Expand Up @@ -72,9 +72,8 @@ def invalid_test_parameters(*args, **kwargs):
# Always consider S2N
providers.append(S2N)

# Only TLS1.3 supports RSA-PSS-PSS certificates
# (Earlier versions support RSA-PSS signatures, just via RSA-PSS-RSAE)
if protocol and protocol is not Protocols.TLS13:
# Older versions do not support RSA-PSS-PSS certificates
if protocol and protocol < Protocols.TLS12:
if client_certificate and client_certificate.algorithm == 'RSAPSS':
return True
if certificate and certificate.algorithm == 'RSAPSS':
Expand Down

0 comments on commit 1b6544a

Please sign in to comment.