auth-cfg: Parse rsa/pss auth tokens
[strongswan.git] / src / libstrongswan / tests / suites / test_auth_cfg.c
1 /*
2 * Copyright (C) 2016 Tobias Brunner
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "test_suite.h"
17
18 #include <credentials/auth_cfg.h>
19
20 struct {
21 char *constraints;
22 signature_scheme_t sig[5];
23 signature_scheme_t ike[5];
24 } sig_constraints_tests[] = {
25 { "rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, {0}},
26 { "rsa-sha256-sha512", { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_RSA_EMSA_PKCS1_SHA2_512, 0 }, {0}},
27 { "ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
28 { "rsa-sha256-ecdsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
29 { "pubkey-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 }, {0}},
30 { "ike:rsa-sha256", {0}, { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }},
31 { "ike:rsa-sha256-rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }},
32 { "rsa-sha256-ike:rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }},
33 { "ike:pubkey-sha256", {0}, { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 }},
34 { "rsa-ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
35 { "rsa-4096-ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
36 { "rsa-4096-ecdsa-256-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
37 { "rsa-ecdsa256-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, {0}},
38 { "rsa4096-sha256", {0}, {0}},
39 { "sha256", {0}, {0}},
40 { "ike:sha256", {0}, {0}},
41 };
42
43 static void check_sig_constraints(auth_cfg_t *cfg, auth_rule_t type,
44 signature_scheme_t expected[])
45 {
46 enumerator_t *enumerator;
47 auth_rule_t t;
48 signature_params_t *value;
49 int i = 0;
50
51 enumerator = cfg->create_enumerator(cfg);
52 while (enumerator->enumerate(enumerator, &t, &value))
53 {
54 if (t == type)
55 {
56 ck_assert(expected[i]);
57 ck_assert_int_eq(expected[i], value->scheme);
58 i++;
59 }
60 }
61 enumerator->destroy(enumerator);
62 ck_assert(!expected[i]);
63 }
64
65 START_TEST(test_sig_contraints)
66 {
67 auth_cfg_t *cfg;
68 signature_scheme_t none[] = {0};
69
70 cfg = auth_cfg_create();
71 cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, FALSE);
72 check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig);
73 check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, none);
74 cfg->destroy(cfg);
75
76 lib->settings->set_bool(lib->settings, "%s.signature_authentication_constraints",
77 FALSE, lib->ns);
78
79 cfg = auth_cfg_create();
80 cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, TRUE);
81 check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig);
82 check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, sig_constraints_tests[_i].ike);
83 cfg->destroy(cfg);
84 }
85 END_TEST
86
87 START_TEST(test_ike_contraints_fallback)
88 {
89 auth_cfg_t *cfg;
90
91 lib->settings->set_bool(lib->settings, "%s.signature_authentication_constraints",
92 TRUE, lib->ns);
93
94 cfg = auth_cfg_create();
95 cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, TRUE);
96 check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig);
97 if (sig_constraints_tests[_i].ike[0])
98 {
99 check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, sig_constraints_tests[_i].ike);
100 }
101 else
102 {
103 check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig);
104 }
105 cfg->destroy(cfg);
106 }
107 END_TEST
108
109 typedef union {
110 rsa_pss_params_t pss;
111 } signature_param_types_t;
112
113 struct {
114 char *constraints;
115 signature_scheme_t sig[5];
116 signature_param_types_t p[5];
117 } sig_constraints_params_tests[] = {
118 { "rsa/pss-sha256", { SIGN_RSA_EMSA_PSS, 0 }, {
119 { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}}},
120 { "rsa/pss-sha256-sha384", { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PSS, 0 }, {
121 { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }},
122 { .pss = { .hash = HASH_SHA384, .mgf1_hash = HASH_SHA384, .salt_len = HASH_SIZE_SHA384, }}}},
123 { "rsa/pss-sha256-rsa-sha256", { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, {
124 { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}}},
125 { "rsa-sha256-rsa/pss-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_RSA_EMSA_PSS, 0 }, {
126 {},
127 { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}}},
128 { "rsa/pss", { 0 }, {}},
129 };
130
131 static void check_sig_constraints_params(auth_cfg_t *cfg, auth_rule_t type,
132 signature_scheme_t scheme[],
133 signature_param_types_t p[])
134 {
135 enumerator_t *enumerator;
136 auth_rule_t t;
137 signature_params_t *value;
138 int i = 0;
139
140 enumerator = cfg->create_enumerator(cfg);
141 while (enumerator->enumerate(enumerator, &t, &value))
142 {
143 if (t == type)
144 {
145 if (scheme[i] == SIGN_RSA_EMSA_PSS)
146 {
147 signature_params_t expected = {
148 .scheme = scheme[i],
149 .params = &p[i].pss,
150 };
151 ck_assert(signature_params_equal(value, &expected));
152 }
153 else
154 {
155 ck_assert(scheme[i]);
156 ck_assert(!value->params);
157 ck_assert_int_eq(scheme[i], value->scheme);
158 }
159 i++;
160 }
161 }
162 enumerator->destroy(enumerator);
163 ck_assert(!scheme[i]);
164 }
165
166 START_TEST(test_sig_contraints_params)
167 {
168 auth_cfg_t *cfg;
169
170 cfg = auth_cfg_create();
171 cfg->add_pubkey_constraints(cfg, sig_constraints_params_tests[_i].constraints, TRUE);
172 check_sig_constraints_params(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME,
173 sig_constraints_params_tests[_i].sig,
174 sig_constraints_params_tests[_i].p);
175 cfg->destroy(cfg);
176 }
177 END_TEST
178
179 Suite *auth_cfg_suite_create()
180 {
181 Suite *s;
182 TCase *tc;
183
184 s = suite_create("auth_cfg");
185
186 tc = tcase_create("add_pubkey_constraints");
187 tcase_add_loop_test(tc, test_sig_contraints, 0, countof(sig_constraints_tests));
188 tcase_add_loop_test(tc, test_ike_contraints_fallback, 0, countof(sig_constraints_tests));
189 suite_add_tcase(s, tc);
190
191 tc = tcase_create("add_pubkey_constraints parameters");
192 tcase_add_loop_test(tc, test_sig_contraints_params, 0, countof(sig_constraints_params_tests));
193 suite_add_tcase(s, tc);
194
195 return s;
196 }