Add certificates to a couple of tests Add certificates to a couple of tests which expect a specific host name, but were using the default certificate which had a different host name. Change-Id: I03e3be21e1e47313e5dbd5b8bba937b6968533c6 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/67947 Commit-Queue: Roland Shoemaker <bracewell@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: Roland Shoemaker <bracewell@google.com>
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 45693d1..e18bfd3 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -6732,6 +6732,18 @@ } func addExtensionTests() { + exampleCertificate := generateSingleCertChain(&x509.Certificate{ + SerialNumber: big.NewInt(57005), + Subject: pkix.Name{ + CommonName: "test cert", + }, + NotBefore: time.Now().Add(-time.Hour), + NotAfter: time.Now().Add(time.Hour), + DNSNames: []string{"example.com"}, + IsCA: true, + BasicConstraintsValid: true, + }, &ecdsaP256Key) + // Repeat extensions tests at all versions. for _, protocol := range []protocol{tls, dtls, quic} { for _, ver := range allVersions(protocol) { @@ -6775,6 +6787,7 @@ Bugs: ProtocolBugs{ ExpectServerName: "example.com", }, + Credential: &exampleCertificate, }, flags: []string{"-host-name", "example.com"}, }) @@ -6814,6 +6827,7 @@ Bugs: ProtocolBugs{ SendServerNameAck: true, }, + Credential: &exampleCertificate, }, flags: []string{"-host-name", "example.com"}, resumeSession: true, 
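Review bot: The certificate template added at the top of addExtensionTests is repeated three more times in the later hunk that adds echSecretCertificate, echPublicCertificate and echLongNameCertificate, with only the `DNSNames` entry differing. A small helper that takes the host name would keep the four in step and make the differing value obvious at each call site, e.g. `exampleCertificate := certForHostName("example.com")`. The helper can also call `time.Now()` once, and it gives a single place to widen the one-hour `NotAfter` margin, which is fixed when the test table is built and could lapse on a slow run if the shim checks validity (not visible here). The sketch assumes generateSingleCertChain returns a `Credential`, matching the `Credential:` config field; addExtensionTests continues past the hunk.

```go
// certForHostName returns a short-lived self-signed test credential whose
// only SAN is name, for cases where the shim is given a matching -host-name.
func certForHostName(name string) Credential {
	now := time.Now()
	return generateSingleCertChain(&x509.Certificate{
		SerialNumber:          big.NewInt(57005),
		Subject:               pkix.Name{CommonName: "test cert"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(time.Hour),
		DNSNames:              []string{name},
		IsCA:                  true,
		BasicConstraintsValid: true,
	}, &ecdsaP256Key)
}

func addExtensionTests() {
	exampleCertificate := certForHostName("example.com")
	// … unchanged: protocol/version loops and test cases …
```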
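Review bot: The two server-name cases that now set `Credential: &exampleCertificate` (this hunk and the `SendServerNameAck` one after it) passed before this change with a certificate for a different name, so as far as the diff shows nothing would fail if the certificate and the `-host-name` flag drifted apart again. If the shim is meant to check the name in these tests, a companion case that keeps the mismatched default certificate and sets `shouldFail: true` would pin that behaviour. Either way, a short comment above the new line, such as `// The certificate's SAN must match the -host-name flag below.`, would record why the credential is set. Both test cases begin above their hunks.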
@@ -16756,6 +16770,40 @@ echConfig3 := generateServerECHConfig(&ECHConfig{ConfigID: 45}) echConfigRepeatID := generateServerECHConfig(&ECHConfig{ConfigID: 42}) + echSecretCertificate := generateSingleCertChain(&x509.Certificate{ + SerialNumber: big.NewInt(57005), + Subject: pkix.Name{ + CommonName: "test cert", + }, + NotBefore: time.Now().Add(-time.Hour), + NotAfter: time.Now().Add(time.Hour), + DNSNames: []string{"secret.example"}, + IsCA: true, + BasicConstraintsValid: true, + }, &ecdsaP256Key) + echPublicCertificate := generateSingleCertChain(&x509.Certificate{ + SerialNumber: big.NewInt(57005), + Subject: pkix.Name{ + CommonName: "test cert", + }, + NotBefore: time.Now().Add(-time.Hour), + NotAfter: time.Now().Add(time.Hour), + DNSNames: []string{"public.example"}, + IsCA: true, + BasicConstraintsValid: true, + }, &ecdsaP256Key) + echLongNameCertificate := generateSingleCertChain(&x509.Certificate{ + SerialNumber: big.NewInt(57005), + Subject: pkix.Name{ + CommonName: "test cert", + }, + NotBefore: time.Now().Add(-time.Hour), + NotAfter: time.Now().Add(time.Hour), + DNSNames: []string{"test0123456789.example"}, + IsCA: true, + BasicConstraintsValid: true, + }, &ecdsaP256Key) + for _, protocol := range []protocol{tls, quic} { prefix := protocol.String() + "-" @@ -17260,6 +17308,7 @@ name: prefix + "ECH-Client-Cipher-" + cipher.name, config: Config{ ServerECHConfigs: []ServerECHConfig{cipherConfig}, + Credential: &echSecretCertificate, }, flags: []string{ "-ech-config-list", base64FlagValue(CreateECHConfigList(cipherConfig.ECHConfig.Raw)), @@ -17853,6 +17902,7 @@ ExpectServerName: "secret.example", ExpectOuterServerName: "public.example", }, + Credential: &echSecretCertificate, }, flags: []string{ "-ech-config-list", base64FlagValue(CreateECHConfigList(echConfig.ECHConfig.Raw)), 
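Review bot: The three ECH certificates added in the first hunk here, and exampleCertificate in addExtensionTests, are all self-issued with the same subject (`test cert`), the same key and the same `SerialNumber: big.NewInt(57005)`, so they share an issuer/serial pair while differing in content. RFC 5280 expects that pair to be unique per issuer, and some verifiers and caches treat a reuse as an error or as the same certificate; whether anything in the runner or shim keys on it is not visible in this diff. Giving each template its own serial, e.g. `SerialNumber: big.NewInt(57006)` for echPublicCertificate, removes the question. The enclosing function starts and ends outside the hunk.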
@@ -17876,6 +17926,7 @@ ExpectOuterServerName: "public.example", ExpectMissingKeyShare: true, // Check we triggered HRR. }, + Credential: &echSecretCertificate, }, resumeSession: true, flags: []string{ @@ -17899,6 +17950,7 @@ Bugs: ProtocolBugs{ ExpectServerName: "secret.example", }, + Credential: &echSecretCertificate, }, flags: []string{ "-ech-config-list", base64FlagValue(CreateECHConfigList(echConfig.ECHConfig.Raw)), @@ -18223,6 +18275,7 @@ ExpectServerName: "public.example", ExpectOuterServerName: "public.example", }, + Credential: &echPublicCertificate, }, flags: []string{ "-ech-config-list", base64FlagValue(CreateECHConfigList(echConfig.ECHConfig.Raw)), @@ -18267,6 +18320,7 @@ Bugs: ProtocolBugs{ ExpectServerName: "test0123456789.example", }, + Credential: &echLongNameCertificate, }, flags: []string{ "-ech-config-list", base64FlagValue(CreateECHConfigList(maxNameLen10.ECHConfig.Raw)), @@ -18579,6 +18633,7 @@ ExpectNoClientECH: true, ExpectServerName: "secret.example", }, + Credential: &echSecretCertificate, }, flags: []string{ "-ech-config-list", base64FlagValue(CreateECHConfigList(invalidPublicName.ECHConfig.Raw)), @@ -18596,6 +18651,7 @@ ExpectOuterServerName: "public.example", ExpectServerName: "secret.example", }, + Credential: &echSecretCertificate, }, flags: []string{ "-ech-config-list", base64FlagValue(CreateECHConfigList(invalidPublicName.ECHConfig.Raw, echConfig.ECHConfig.Raw)),
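Review bot: The case expecting `ExpectServerName: "public.example"` is the only ECH case touched here that uses `&echPublicCertificate` rather than `&echSecretCertificate`, and nothing at that line says why. A one-line comment above it, such as `// The server is authenticated against the public name in this case, so present a certificate for public.example.`, would keep a later edit from switching it to the secret-name certificate for consistency. The reason is inferred from the expected server name only, so the wording should be adjusted to the test's actual intent. The test case begins above the hunk.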