More ECH certificates
In the rejection tests, make sure the certificate served matches the
public name in the ECH config, so shims which verify the returned
certificate can make sure they are using the right name.
Previously there was a mismatch where the name to be verified was
public.example, but the certificate returned was valid for "test".
Change-Id: I511415431e01c9a83766c633cf11c34f0fa93058
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/68727
Auto-Submit: Roland Shoemaker <bracewell@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 37a36fb..8a31afa 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -17785,6 +17785,7 @@
AlwaysSendECHHelloRetryRequest: true,
ExpectMissingKeyShare: true, // Check we triggered HRR.
},
+ Credential: &echPublicCertificate,
},
flags: []string{
"-ech-config-list", base64FlagValue(CreateECHConfigList(echConfig.ECHConfig.Raw)),
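Review bot: The added `Credential: &echPublicCertificate` line, repeated identically in every following hunk of this file, carries no comment tying it to the rejection path, so a future test author has nothing telling them the served certificate must stay valid for the ECH config's public name; a comment on this first occurrence, `// Serve a certificate for the ECHConfig public name so a shim that verifies the rejection certificate checks the right name.`, would make that invariant explicit. The definition of echPublicCertificate is outside this diff, so whether its subject or SAN actually covers "public.example" cannot be confirmed from these hunks; it is worth checking that it agrees with the `ExpectServerName: "public.example"` expectations in the later hunks. Only the hunks whose flags include `-verify-peer` visibly exercise certificate verification, so in the others the new field is presumably inert unless the shim verifies by default. The enclosing test-case literal begins and ends outside the hunk.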
@@ -18342,6 +18343,7 @@
Bugs: ProtocolBugs{
ExpectServerName: "public.example",
},
+ Credential: &echPublicCertificate,
},
flags: []string{
"-ech-config-list", base64FlagValue(CreateECHConfigList(echConfig.ECHConfig.Raw)),
@@ -18362,6 +18364,7 @@
ExpectServerName: "public.example",
ExpectMissingKeyShare: true, // Check we triggered HRR.
},
+ Credential: &echPublicCertificate,
},
flags: []string{
"-ech-config-list", base64FlagValue(CreateECHConfigList(echConfig.ECHConfig.Raw)),
@@ -18380,6 +18383,7 @@
Bugs: ProtocolBugs{
ExpectServerName: "public.example",
},
+ Credential: &echPublicCertificate,
},
flags: []string{
"-ech-config-list", base64FlagValue(CreateECHConfigList(echConfig.ECHConfig.Raw)),
@@ -18399,6 +18403,7 @@
Bugs: ProtocolBugs{
ExpectServerName: "public.example",
},
+ Credential: &echPublicCertificate,
},
flags: []string{
"-ech-config-list", base64FlagValue(CreateECHConfigList(echConfig.ECHConfig.Raw)),
@@ -18424,6 +18429,7 @@
ExpectFalseStart: true,
AlertBeforeFalseStartTest: alertAccessDenied,
},
+ Credential: &echPublicCertificate,
},
flags: []string{
"-ech-config-list", base64FlagValue(CreateECHConfigList(echConfig.ECHConfig.Raw)),
@@ -18460,6 +18466,7 @@
SendECHRetryConfigs: retryConfigs,
ExpectServerName: "public.example",
},
+ Credential: &echPublicCertificate,
},
flags: []string{
"-ech-config-list", base64FlagValue(CreateECHConfigList(echConfig.ECHConfig.Raw)),
@@ -18708,6 +18715,7 @@
MinVersion: VersionTLS13,
MaxVersion: VersionTLS13,
ClientAuth: RequireAnyClientCert,
+ Credential: &echPublicCertificate,
},
shimCertificate: &rsaCertificate,
flags: append([]string{
@@ -18725,6 +18733,7 @@
MinVersion: VersionTLS12,
MaxVersion: VersionTLS12,
ClientAuth: RequireAnyClientCert,
+ Credential: &echPublicCertificate,
},
shimCertificate: &rsaCertificate,
flags: append([]string{
@@ -18768,6 +18777,7 @@
Bugs: ProtocolBugs{
AlwaysNegotiateChannelID: true,
},
+ Credential: &echPublicCertificate,
},
flags: []string{
"-send-channel-id", channelIDKeyPath,
@@ -18788,6 +18798,7 @@
Bugs: ProtocolBugs{
AlwaysNegotiateChannelID: true,
},
+ Credential: &echPublicCertificate,
},
flags: []string{
"-send-channel-id", channelIDKeyPath,
@@ -18859,6 +18870,7 @@
config: Config{
MinVersion: VersionTLS13,
MaxVersion: VersionTLS13,
+ Credential: &echPublicCertificate,
},
flags: []string{
"-verify-peer",
@@ -18898,8 +18910,11 @@
name: prefix + "ECH-Client-Reject-EarlyDataRejected-OverrideNameOnRetry",
config: Config{
ServerECHConfigs: []ServerECHConfig{echConfig},
+ Credential: &echPublicCertificate,
},
- resumeConfig: &Config{},
+ resumeConfig: &Config{
+ Credential: &echPublicCertificate,
+ },
flags: []string{
"-verify-peer",
"-use-custom-verify-callback",