ssl: Test root cert is allowed to use any signature.

erlang · Jun 25, 2024 · d24edf3 · d24edf3
1 parent bc61d42
commit d24edf3
Showing 1 changed file with 45 additions and 1 deletion.
diff --git a/lib/ssl/test/ssl_api_SUITE.erl b/lib/ssl/test/ssl_api_SUITE.erl
@@ -58,6 +58,8 @@
          select_best_cert/1,
          select_sha1_cert/0,
          select_sha1_cert/1,
+         root_any_sign/0,
+         root_any_sign/1,
          connection_information/0,
          connection_information/1,
          secret_connection_info/0,
@@ -274,7 +276,8 @@ since_1_2() ->
      conf_signature_algs,
      no_common_signature_algs,
      versions_option_based_on_sni,
-     ciphers_option_based_on_sni
+     ciphers_option_based_on_sni,
+     root_any_sign
     ].
 
 pre_1_3() ->
@@ -597,6 +600,46 @@ select_sha1_cert(Config) when is_list(Config) ->
                                                    {key, {namedCurve, secp256r1}}]}}),
     test_sha1_cert_conf(Version, TestConfRSA, TestConfECDSA, Config).
 
+%%--------------------------------------------------------------------
+root_any_sign() ->
+    [{doc,"Use cert signed with unsported signature for the root will suceed, as it is not verified"}].
+
+root_any_sign(Config) when is_list(Config) ->
+    #{client_config := CSucess, server_config := SSucess} =
+        public_key:pkix_test_data(#{server_chain =>
+                                         #{root => [{digest, sha},
+                                                    {key, ssl_test_lib:hardcode_rsa_key(1)}],
+                                           intermediates => [[{digest, sha256},
+                                                              {key, ssl_test_lib:hardcode_rsa_key(2)}]],
+                                           peer =>  [{digest, sha256}, {key, ssl_test_lib:hardcode_rsa_key(3)}]
+                                          },
+                                     client_chain =>
+                                         #{root => [{digest, sha},
+                                                   {key, ssl_test_lib:hardcode_rsa_key(3)}],
+                                           intermediates => [[{digest, sha256},
+                                                              {key, ssl_test_lib:hardcode_rsa_key(2)}]],
+                                           peer => [{digest, sha256},
+                                                    {key, ssl_test_lib:hardcode_rsa_key(1)}]}}),
+
+    #{client_config := CFail, server_config := SFail} =
+        public_key:pkix_test_data(#{server_chain =>
+                                        #{root => [{digest, sha256},
+                                                   {key, ssl_test_lib:hardcode_rsa_key(1)}],
+                                          intermediates => [[{digest, sha},
+                                                             {key, ssl_test_lib:hardcode_rsa_key(2)}]],
+                                          peer =>  [{digest, sha256}, {key, ssl_test_lib:hardcode_rsa_key(3)}]
+                                         },
+                                    client_chain =>
+                                        #{root => [{digest, sha256},
+                                                   {key, ssl_test_lib:hardcode_rsa_key(3)}],
+                                          intermediates => [[{digest, sha},
+                                                             {key, ssl_test_lib:hardcode_rsa_key(2)}]],
+                                          peer => [{digest, sha256},
+                                                   {key, ssl_test_lib:hardcode_rsa_key(1)}]}}),
+
+    ssl_test_lib:basic_test(CSucess, [{verify, verify_peer} | SSucess], Config),
+    ssl_test_lib:basic_alert(CFail, [{verify, verify_peer} | SFail], Config, unsupported_certificate).
+
 %%--------------------------------------------------------------------
 connection_information() ->
     [{doc,"Test the API function ssl:connection_information/1"}].
@@ -4648,3 +4691,4 @@ suite_check(Socket, Version) ->
         Other ->
             ct:fail({expected, Suite, got, Other})
     end.
+