Make DelegatedCredentials-KeyMismatch test less confusing This is passing in a different TLS version, but the TLS version is both nonsense and doesn't figure into the delegated credential anyway. All this test is doing is generating a different keypair and mixing them up. Probably we should move it to ssl_test, as it's not really testing anything about the protocol, but I've just left it alone and fixed the test. Also fix another issue in the test: the getSigner / signMessage chord should just be a plain signMessage call. There were a few other issues of that shape, but they'll be fixed in a follow-up change because they reveal a deeper problem with https://boringssl-review.googlesource.com/c/34884 Change-Id: I090b41a081f694b4ff8d97f3895645d6a620904d Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/66549 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go index c5554dc..5e34dbd 100644 --- a/ssl/test/runner/runner.go +++ b/ssl/test/runner/runner.go
@@ -294,9 +294,6 @@ // dcAlgo is the signature scheme that should be used with this delegated // credential. If zero, ECDSA with P-256 is assumed. dcAlgo signatureAlgorithm - // tlsVersion is the version of TLS that should be used with this delegated - // credential. If zero, TLS 1.3 is assumed. - tlsVersion uint16 // algo is the signature algorithm that the delegated credential itself is // signed with. Cannot be zero. algo signatureAlgorithm @@ -372,14 +369,6 @@ if lifetimeSecs > 1<<32 { return nil, nil, fmt.Errorf("lifetime %s is too long to be expressed", lifetime) } - tlsVersion := config.tlsVersion - if tlsVersion == 0 { - tlsVersion = VersionTLS13 - } - - if tlsVersion < VersionTLS13 { - return nil, nil, fmt.Errorf("delegated credentials require TLS 1.3") - } // https://www.rfc-editor.org/rfc/rfc9345.html#section-4 dc = append(dc, byte(lifetimeSecs>>24), byte(lifetimeSecs>>16), byte(lifetimeSecs>>8), byte(lifetimeSecs)) @@ -394,12 +383,7 @@ dc = append(dc, pubBytes...) var dummyConfig Config - parentSigner, err := getSigner(tlsVersion, parentPriv, &dummyConfig, config.algo, false /* not for verification */) - if err != nil { - return nil, nil, err - } - - parentSignature, err := parentSigner.signMessage(parentPriv, &dummyConfig, delegatedCredentialSignedMessage(dc, config.algo, parentDER)) + parentSignature, err := signMessage(VersionTLS13, parentPriv, &dummyConfig, config.algo, delegatedCredentialSignedMessage(dc, config.algo, parentDER)) if err != nil { return nil, nil, err } @@ -16520,26 +16504,17 @@ }, }) - // This flag value has mismatched public and private keys which should cause a - // configuration error in the shim. - _, badTLSVersionPKCS8, err := createDelegatedCredential(delegatedCredentialConfig{ - algo: signatureRSAPSSWithSHA256, - tlsVersion: 0x1234, + // Generate another delegated credential, so we can get the keys out of sync. + _, ecdsaPKCS8Wrong, err := createDelegatedCredential(delegatedCredentialConfig{ + algo: signatureRSAPSSWithSHA256, }, rsaCertificate.Leaf.Raw, rsaCertificate.PrivateKey) if err != nil { panic(err) } - mismatchFlagValue := fmt.Sprintf("%x,%x", ecdsaDC, badTLSVersionPKCS8) + mismatchFlagValue := fmt.Sprintf("%x,%x", ecdsaDC, ecdsaPKCS8Wrong) testCases = append(testCases, testCase{ testType: serverTest, name: "DelegatedCredentials-KeyMismatch", - config: Config{ - MinVersion: VersionTLS13, - MaxVersion: VersionTLS13, - Bugs: ProtocolBugs{ - FailIfDelegatedCredentials: true, - }, - }, flags: []string{ "-delegated-credential", mismatchFlagValue, },