Add client auth tests.

Change-Id: If3ecae4c97f67085b9880ffa49dd616f1436ce97 Reviewed-on: https://boringssl-review.googlesource.com/1112 Reviewed-by: Adam Langley <agl@google.com>
author: David Benjamin <davidben@chromium.org> 2014-07-09 01:59:18 +0400
committer: Adam Langley <agl@google.com> 2014-07-10 01:04:06 +0400
commit: 636293bf25a4ef2c0e47b23cbfd1f8180d2c2d9f (patch)
tree: c6ca6d07a087bcc51219008c95145254b54c32d8
parent: 7b030511036c384ddae481345bdb52b27609bf2a (diff)
1 files changed, 56 insertions, 0 deletions
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 7b1462a3..27876fa4 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -181,6 +181,14 @@ var testCases = []testCase{
 			CertTypeECDSASign,
 		})},
 	},
+	{
+		name: "NoClientCertificate",
+		config: Config{
+			ClientAuth: RequireAnyClientCert,
+		},
+		shouldFail:         true,
+		expectedLocalError: "client didn't provide a certificate",
+	},
 }
 
 func doExchange(tlsConn *Conn, messageLen int) error {
@@ -488,6 +496,53 @@ func addCBCPaddingTests() {
 	})
 }
 
+func addClientAuthTests() {
+	for _, ver := range tlsVersions {
+		if ver.version == VersionSSL30 {
+			// TODO(davidben): The Go implementation does not
+			// correctly compute CertificateVerify hashes for SSLv3.
+			continue
+		}
+
+		var cipherSuites []uint16
+		if ver.version >= VersionTLS12 {
+			// Pick a SHA-256 cipher suite. The Go implementation
+			// does not correctly handle client auth with a SHA-384
+			// cipher suite.
+			cipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
+		}
+
+		testCases = append(testCases, testCase{
+			testType: clientTest,
+			name:     ver.name + "-ClientAuth-RSA",
+			config: Config{
+				MinVersion:   ver.version,
+				MaxVersion:   ver.version,
+				CipherSuites: cipherSuites,
+				ClientAuth:   RequireAnyClientCert,
+			},
+			flags: []string{
+				"-cert-file", rsaCertificateFile,
+				"-key-file", rsaKeyFile,
+			},
+		})
+		testCases = append(testCases, testCase{
+			testType: clientTest,
+			name:     ver.name + "-ClientAuth-ECDSA",
+			config: Config{
+				MinVersion:   ver.version,
+				MaxVersion:   ver.version,
+				CipherSuites: cipherSuites,
+				ClientAuth:   RequireAnyClientCert,
+			},
+			flags: []string{
+				"-cert-file", ecdsaCertificateFile,
+				"-key-file", ecdsaKeyFile,
+			},
+		})
+	}
+}
+
 func worker(statusChan chan statusMsg, c chan *testCase, wg *sync.WaitGroup) {
 	defer wg.Done()
 
@@ -535,6 +590,7 @@ func main() {
 	addCipherSuiteTests()
 	addBadECDSASignatureTests()
 	addCBCPaddingTests()
+	addClientAuthTests()
 
 	var wg sync.WaitGroup
author	David Benjamin <davidben@chromium.org>	2014-07-09 01:59:18 +0400
committer	Adam Langley <agl@google.com>	2014-07-10 01:04:06 +0400
commit	636293bf25a4ef2c0e47b23cbfd1f8180d2c2d9f (patch)
tree	c6ca6d07a087bcc51219008c95145254b54c32d8
parent	7b030511036c384ddae481345bdb52b27609bf2a (diff)