add rsa_pss support in wolfJSSE
parent
74101dd4b1
commit
bde37eec21
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -107,6 +107,12 @@ rm client-ecc.jks &> /dev/null
|
|||
add_cert_key "client-ecc.jks" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfSSL test"
|
||||
printf "done\n"
|
||||
|
||||
# Client cert: RSAPSS only
|
||||
printf "\tCreating client-rsapss.jks ..."
|
||||
rm client-rsapss.jks &> /dev/null
|
||||
add_cert_key "client-rsapss.jks" "/rsapss/client-rsapss.pem" "/rsapss/client-rsapss-priv.pem" "client-rsapss" "wolfSSL test"
|
||||
printf "done\n"
|
||||
|
||||
#################### SERVER KEYSTORES ####################
|
||||
|
||||
# Server cert: both RSA 2048-bit and ECC
|
||||
|
@ -134,6 +140,12 @@ rm server-ecc.jks &> /dev/null
|
|||
add_cert_key "server-ecc.jks" "/server-ecc.pem" "/ecc-key.pem" "server-ecc" "wolfSSL test"
|
||||
printf "done\n"
|
||||
|
||||
# Server cert: RSAPSS only
|
||||
printf "\tCreating server-rsapss.jks ..."
|
||||
rm server-rsapss.jks &> /dev/null
|
||||
add_cert_key "server-rsapss.jks" "/rsapss/server-rsapss.pem" "/rsapss/server-rsapss-priv.pem" "server-rsapss" "wolfSSL test"
|
||||
printf "done\n"
|
||||
|
||||
#################### CA CERT KEYSTORES ###################
|
||||
|
||||
# Contains all CA certs (RSA and ECC), verifies both client and server certs
|
||||
|
@ -150,18 +162,22 @@ printf "done\n"
|
|||
# Contains CA certs used to verify client certs:
|
||||
# client-cert.pem verifies itself (self signed)
|
||||
# client-ecc-cert.pem verifies itself (self signed)
|
||||
# client-rsapss.pem verifies itself (self signed)
|
||||
printf "\tCreating ca-client.jks ..."
|
||||
rm ca-client.jks &> /dev/null
|
||||
add_cert_key "ca-client.jks" "/client-cert.pem" "/client-key.pem" "client-rsa" "wolfSSL test"
|
||||
add_cert_key "ca-client.jks" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfSSL test"
|
||||
add_cert_key "ca-client.jks" "/rsapss/client-rsapss.pem" "/rsapss/client-rsapss-priv.pem" "client-rsapss" "wolfSSL test"
|
||||
printf "done\n"
|
||||
|
||||
# Contains CA certs used to verify server certs:
|
||||
# ca-cert.pem verifies server-cert.pem
|
||||
# ca-ecc-cert.pem verifies server-ecc.pem
|
||||
# ca-rsapss.pem verifies server-rsapss.pem
|
||||
printf "\tCreating ca-server.jks ..."
|
||||
rm ca-server.jks &> /dev/null
|
||||
add_cert_key "ca-server.jks" "/ca-cert.pem" "/ca-key.pem" "ca-rsa" "wolfSSL test"
|
||||
add_cert_key "ca-server.jks" "/ca-ecc-cert.pem" "/ca-ecc-key.pem" "ca-ecc" "wolfSSL test"
|
||||
add_cert_key "ca-server.jks" "/rsapss/ca-rsapss.pem" "/rsapss/ca-rsapss-priv.pem" "ca-rsapss" "wolfSSL test"
|
||||
printf "done\n"
|
||||
|
||||
|
|
|
@ -532,6 +532,19 @@ JNIEXPORT jboolean JNICALL Java_com_wolfssl_WolfSSL_RsaEnabled
|
|||
#endif
|
||||
}
|
||||
|
||||
JNIEXPORT jboolean JNICALL Java_com_wolfssl_WolfSSL_RsaPssEnabled
|
||||
(JNIEnv* jenv, jclass jcl)
|
||||
{
|
||||
(void)jenv;
|
||||
(void)jcl;
|
||||
|
||||
#if !defined(NO_RSA) && defined(WC_RSA_PSS)
|
||||
return JNI_TRUE;
|
||||
#else
|
||||
return JNI_FALSE;
|
||||
#endif
|
||||
}
|
||||
|
||||
JNIEXPORT jboolean JNICALL Java_com_wolfssl_WolfSSL_Curve25519Enabled
|
||||
(JNIEnv* jenv, jclass jcl)
|
||||
{
|
||||
|
|
|
@ -621,6 +621,14 @@ JNIEXPORT jboolean JNICALL Java_com_wolfssl_WolfSSL_EccEnabled
|
|||
JNIEXPORT jboolean JNICALL Java_com_wolfssl_WolfSSL_RsaEnabled
|
||||
(JNIEnv *, jclass);
|
||||
|
||||
/*
|
||||
* Class: com_wolfssl_WolfSSL
|
||||
* Method: RsaPssEnabled
|
||||
* Signature: ()Z
|
||||
*/
|
||||
JNIEXPORT jboolean JNICALL Java_com_wolfssl_WolfSSL_RsaPssEnabled
|
||||
(JNIEnv *, jclass);
|
||||
|
||||
/*
|
||||
* Class: com_wolfssl_WolfSSL
|
||||
* Method: Curve25519Enabled
|
||||
|
|
|
@ -1174,6 +1174,8 @@ JNIEXPORT jstring JNICALL Java_com_wolfssl_WolfSSLCertificate_X509_1get_1signatu
|
|||
return (*jenv)->NewStringUTF(jenv, "SHA512withECDSA");
|
||||
case CTC_ED25519:
|
||||
return (*jenv)->NewStringUTF(jenv, "ED25519");
|
||||
case CTC_RSASSAPSS:
|
||||
return (*jenv)->NewStringUTF(jenv, "RSASSA-PSS");
|
||||
|
||||
default:
|
||||
(*jenv)->ThrowNew(jenv, jcl, "Unknown signature type");
|
||||
|
|
|
@ -843,6 +843,14 @@ public class WolfSSL {
|
|||
*/
|
||||
public static native boolean RsaEnabled();
|
||||
|
||||
/**
|
||||
* Tests if RSA_PSS support has been compiled into the native wolfSSL
|
||||
* library.
|
||||
*
|
||||
* @return true if enabled, otherwise false if not compiled in.
|
||||
*/
|
||||
public static native boolean RsaPssEnabled();
|
||||
|
||||
/**
|
||||
* Tests if Curve25519/X25519 support has been compiled into the native
|
||||
* wolfSSL library.
|
||||
|
|
|
@ -222,6 +222,9 @@ public class WolfSSLEngineHelper {
|
|||
}
|
||||
if (WolfSSL.RsaEnabled()) {
|
||||
keyAlgos.add("RSA");
|
||||
if (WolfSSL.RsaPssEnabled()) {
|
||||
keyAlgos.add("RSASSA-PSS");
|
||||
}
|
||||
}
|
||||
|
||||
String[] keyTypes = new String[keyAlgos.size()];
|
||||
|
|
|
@ -293,7 +293,9 @@ public class WolfSSLKeyX509 extends X509ExtendedKeyManager
|
|||
try {
|
||||
key = (PrivateKey)store.getKey(alias, password);
|
||||
} catch (Exception e) {
|
||||
/* @TODO unable to get key */
|
||||
/* @TODO unable to get key */
|
||||
WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
|
||||
"failed to load private key: " + e);
|
||||
}
|
||||
return key;
|
||||
}
|
||||
|
|
|
@ -67,10 +67,12 @@ class WolfSSLTestFactory {
|
|||
protected String clientRSA1024JKS;
|
||||
protected String clientRSAJKS;
|
||||
protected String clientECCJKS;
|
||||
protected String clientRSAPSSJKS;
|
||||
protected static String serverJKS;
|
||||
protected String serverRSA1024JKS;
|
||||
protected String serverRSAJKS;
|
||||
protected String serverECCJKS;
|
||||
protected String serverRSAPSSJKS;
|
||||
protected String caJKS;
|
||||
protected static String caClientJKS;
|
||||
protected String caServerJKS;
|
||||
|
@ -91,10 +93,12 @@ class WolfSSLTestFactory {
|
|||
* client-rsa-1024.jks RSA 1024-bit only client cert
|
||||
* client-rsa.jks RSA 2048-bit only client cert
|
||||
* client-ecc.jks ECC only client cert
|
||||
* client-rsapss.jks RSA_PSS only client cert
|
||||
* server.jks RSA 2048-bit and ECC server certs
|
||||
* server-rsa-1024.jks RSA 1024-bit only server cert
|
||||
* server-rsa.jks RSA 2048-bit only server cert
|
||||
* server-ecc.jks ECC only server cert
|
||||
* server-rsapss.jks RSA_PSS only server cert
|
||||
* cacerts.jks All CA certs (RSA, ECC, 1024, 2048, etc)
|
||||
* ca-client.jks CA certs used to verify client certs
|
||||
* ca-server.jks CA certs used to verify server certs */
|
||||
|
@ -104,10 +108,12 @@ class WolfSSLTestFactory {
|
|||
clientRSA1024JKS = "examples/provider/client-rsa-1024.jks";
|
||||
clientRSAJKS = "examples/provider/client-rsa.jks";
|
||||
clientECCJKS = "examples/provider/client-ecc.jks";
|
||||
clientRSAPSSJKS = "examples/provider/client-rsapss.jks";
|
||||
serverJKS = "examples/provider/server.jks";
|
||||
serverRSA1024JKS = "examples/provider/server-rsa-1024.jks";
|
||||
serverRSAJKS = "examples/provider/server-rsa.jks";
|
||||
serverECCJKS = "examples/provider/server-ecc.jks";
|
||||
serverRSAPSSJKS = "examples/provider/server-rsapss.jks";
|
||||
caJKS = "examples/provider/cacerts.jks";
|
||||
caClientJKS = "examples/provider/ca-client.jks";
|
||||
caServerJKS = "examples/provider/ca-server.jks";
|
||||
|
@ -141,10 +147,12 @@ class WolfSSLTestFactory {
|
|||
clientRSA1024JKS = in.concat(clientRSA1024JKS);
|
||||
clientRSAJKS = in.concat(clientRSAJKS);
|
||||
clientECCJKS = in.concat(clientECCJKS);
|
||||
clientRSAPSSJKS = in.concat(clientRSAPSSJKS);
|
||||
serverJKS = in.concat(serverJKS);
|
||||
serverRSA1024JKS = in.concat(serverRSA1024JKS);
|
||||
serverRSAJKS = in.concat(serverRSAJKS);
|
||||
serverECCJKS = in.concat(serverECCJKS);
|
||||
serverRSAPSSJKS = in.concat(serverRSAPSSJKS);
|
||||
caJKS = in.concat(caJKS);
|
||||
caClientJKS = in.concat(caClientJKS);
|
||||
caServerJKS = in.concat(caServerJKS);
|
||||
|
|
|
@ -480,6 +480,57 @@ public class WolfSSLTrustX509Test {
|
|||
pass("\t\t\t... passed");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testVerifyRsaPss()
|
||||
throws NoSuchProviderException, NoSuchAlgorithmException,
|
||||
KeyStoreException, FileNotFoundException, IOException,
|
||||
CertificateException {
|
||||
|
||||
/* skip if RSA_PSS is not compiled in at native level */
|
||||
if (WolfSSL.RsaPssEnabled() == false) {
|
||||
return;
|
||||
}
|
||||
|
||||
TrustManager[] tm;
|
||||
X509TrustManager x509tm;
|
||||
X509Certificate cas[];
|
||||
InputStream stream;
|
||||
KeyStore ks;
|
||||
|
||||
System.out.print("\tTesting verify rsa_pss");
|
||||
|
||||
tm = tf.createTrustManager("SunX509", tf.caServerJKS, provider);
|
||||
if (tm == null) {
|
||||
error("\t\t\t... failed");
|
||||
fail("failed to create trustmanager");
|
||||
return;
|
||||
}
|
||||
|
||||
x509tm = (X509TrustManager) tm[0];
|
||||
cas = x509tm.getAcceptedIssuers();
|
||||
if (cas == null) {
|
||||
error("\t\t\t... failed");
|
||||
fail("no CAs where found");
|
||||
return;
|
||||
}
|
||||
|
||||
ks = KeyStore.getInstance(tf.keyStoreType);
|
||||
stream = new FileInputStream(tf.serverRSAPSSJKS);
|
||||
ks.load(stream, "wolfSSL test".toCharArray());
|
||||
stream.close();
|
||||
try {
|
||||
x509tm.checkServerTrusted(new X509Certificate[] {
|
||||
(X509Certificate)ks.getCertificate("server-rsapss") }, "RSASSA-PSS");
|
||||
}
|
||||
catch (Exception e) {
|
||||
e.printStackTrace();
|
||||
error("\t\t... failed");
|
||||
fail("failed to verify");
|
||||
}
|
||||
|
||||
pass("\t\t... passed");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCheckServerTrustedWithChain()
|
||||
throws NoSuchProviderException, NoSuchAlgorithmException,
|
||||
|
@ -1447,6 +1498,65 @@ public class WolfSSLTrustX509Test {
|
|||
pass("\t... passed");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testUsingRsaPssCert()
|
||||
throws Exception {
|
||||
/* skip if RSA_PSS is not compiled in at native level */
|
||||
if (WolfSSL.RsaPssEnabled() == false) {
|
||||
return;
|
||||
}
|
||||
|
||||
System.out.print("\tTest using rsa_pss certs");
|
||||
|
||||
SSLContext srvCtx = tf.createSSLContext("TLSv1.3", provider,
|
||||
tf.createTrustManager("SunX509", tf.caClientJKS, provider),
|
||||
tf.createKeyManager("SunX509", tf.serverRSAPSSJKS, provider));
|
||||
|
||||
SSLContext cliCtx = tf.createSSLContext("TLSv1.3", provider,
|
||||
tf.createTrustManager("SunX509", tf.caServerJKS, provider),
|
||||
tf.createKeyManager("SunX509", tf.clientRSAPSSJKS, provider));
|
||||
|
||||
SSLServerSocket ss = (SSLServerSocket)srvCtx.getServerSocketFactory()
|
||||
.createServerSocket(0);
|
||||
|
||||
TestArgs serverArgs = new TestArgs(null, null, true, true, true, null);
|
||||
TestSSLSocketServer server = new TestSSLSocketServer(
|
||||
srvCtx, ss, serverArgs, 1);
|
||||
server.start();
|
||||
|
||||
TestArgs clientArgs = new TestArgs(
|
||||
"HTTPS", "www.wolfssl.com", false, false, true, null);
|
||||
TestSSLSocketClient client = new TestSSLSocketClient(
|
||||
cliCtx, ss.getLocalPort(), clientArgs);
|
||||
client.start();
|
||||
|
||||
try {
|
||||
client.join(1000);
|
||||
server.join(1000);
|
||||
} catch (InterruptedException e) {
|
||||
System.out.println("interrupt happened");
|
||||
fail("RSA_PSS cert test failed");
|
||||
}
|
||||
|
||||
/* Fail if client or server encountered exception */
|
||||
Exception srvException = server.getException();
|
||||
Exception cliException = client.getException();
|
||||
if (srvException != null || cliException != null) {
|
||||
StringWriter sw = new StringWriter();
|
||||
PrintWriter pw = new PrintWriter(sw);
|
||||
if (srvException != null) {
|
||||
srvException.printStackTrace(pw);
|
||||
}
|
||||
if (cliException != null) {
|
||||
cliException.printStackTrace(pw);
|
||||
}
|
||||
String traceString = sw.toString();
|
||||
throw new Exception(traceString);
|
||||
}
|
||||
|
||||
pass("\t... passed");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testX509ExtendedTrustManagerInternal()
|
||||
throws CertificateException, IOException, Exception {
|
||||
|
|
Loading…
Reference in New Issue