wip: tls test

rwf2 · Mar 28, 2024 · 7ba1f84 · 7ba1f84
1 parent 9c747ae
commit 7ba1f84
Show file tree

Hide file tree

Showing 7 changed files with 86 additions and 16 deletions.
diff --git a/examples/tls/Cargo.toml b/examples/tls/Cargo.toml
@@ -7,4 +7,5 @@ publish = false
 
 [dependencies]
 rocket = { path = "../../core/lib", features = ["tls", "mtls", "secrets", "http3-preview"] }
+rustls = { version = "0.23", features = ["aws_lc_rs"] }
 yansi = "1.0.1"
diff --git a/examples/tls/Rocket.toml b/examples/tls/Rocket.toml
@@ -25,6 +25,10 @@ key = "private/ecdsa_nistp256_sha256_key_pkcs8.pem"
 certs = "private/ecdsa_nistp384_sha384_cert.pem"
 key = "private/ecdsa_nistp384_sha384_key_pkcs8.pem"
 
+[ecdsa_nistp521_sha512_pkcs8.tls]
+certs = "private/ecdsa_nistp521_sha512_cert.pem"
+key = "private/ecdsa_nistp521_sha512_key_pkcs8.pem"
+
 [ecdsa_nistp256_sha256_sec1.tls]
 certs = "private/ecdsa_nistp256_sha256_cert.pem"
 key = "private/ecdsa_nistp256_sha256_key_sec1.pem"

diff --git a/examples/tls/private/ecdsa_nistp521_sha512.p12 b/examples/tls/private/ecdsa_nistp521_sha512.p12
diff --git a/examples/tls/private/ecdsa_nistp521_sha512_cert.pem b/examples/tls/private/ecdsa_nistp521_sha512_cert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID5DCCAcygAwIBAgIUZ2n0Lhg+9cVPCOtK7Ov1D5n58GIwDQYJKoZIhvcNAQEN
+BQAwRzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQKDAlSb2NrZXQg
+Q0ExFzAVBgNVBAMMDlJvY2tldCBSb290IENBMB4XDTI0MDMyNzExMDYzMFoXDTM0
+MDMyNTExMDYzMFowPzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ8wDQYDVQQK
+DAZSb2NrZXQxEjAQBgNVBAMMCWxvY2FsaG9zdDCBmzAQBgcqhkjOPQIBBgUrgQQA
+IwOBhgAEAYXtydjaJR3BsC6NVEPD8wxIobzKO004WjyKFupkQcuQPg4DDzLTimho
+SyH3ohaYX398MBSSgxo5A1zTb0TB/Yl1AYLiP6SWmZfejRdyZuRQSNrNIH07MIId
+e+l8VD0DVSb9+Zej5eet4sRgcVgxIzfSCi1mVzSCttbwagpvZW/HBEEgo1gwVjAU
+BgNVHREEDTALgglsb2NhbGhvc3QwHQYDVR0OBBYEFMvhtxA9Tm+8JRx1MfLdJk3Z
+XW5DMB8GA1UdIwQYMBaAFEQDJSPSVPCilnYHVWae8w99S0KTMA0GCSqGSIb3DQEB
+DQUAA4ICAQCscu1VBrqQRLON5s86UQv+sCATmW9kWWLCnHn78iGfxMa9N4L9rsf4
+aFTFpfklOHYBPLK0q2Jm681rzD09FN0DTxG5t9WIsQ2PEJc2akqbzx1Sm4sMZ/td
+79oS/BLgKEOL8RDtU4dQu5DsrOqOYtDbH4ETwGs3TL3eWH+3sC9S25Sq/DJ9TFHm
+pZIzEB9rEwgXMsZ0KVYzEAByKZvJZJbp5nRFJPO4riuY+RkyeqQh+oWxRAplqk2s
+yZEgxgnJIPzVYJkZ8VxaWLF9mU2kHtJlHwlTf6Yp3LTuyr9mwVsNTY+xXco6d5p8
+bMVUBvVCxNmFHsv2maNOHF2AkxwncIkSNK00ohX5rSnZ1Tdipq3ckjpkbTccYWO2
+aEPUphZUkGNReSnJ0LKDyCW4Y4Yna3SG152DfMaIjQjflyh8jUnsrGdISxuemE/z
+2RnTzoSJLGMZvw52BsPbq9aNiZy7kM495oANFSaHwDbkEAknYKyAj2uO2740qEOH
+xhmsa67lPeofZBoU86gydkszCOWN1GzGOmoF9OFfD5H9M6mtYJ6l1h6/80ofx2Fv
+SdaksbRdERx20hVPM6tsAbfeP2mmxelVmhxwziQe5ERybrBx23w+khsfsA8Ldv+7
+hbAqYufmcmsSxdEA+Fuo18vhHOT98UmKlXx1hyERm0hbJe9rW+rGKg==
+-----END CERTIFICATE-----
diff --git a/examples/tls/private/ecdsa_nistp521_sha512_key_pkcs8.pem b/examples/tls/private/ecdsa_nistp521_sha512_key_pkcs8.pem
@@ -0,0 +1,8 @@
+-----BEGIN PRIVATE KEY-----
+MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIA3a6vdhcCDC8p/8yG
+eDASmWqQdkmgU9kaqqgmBh2gcLhTxxtjwAy8BxBy4UmRFo8VJtFUDLXt8ZR2vzTc
+zKybjrmhgYkDgYYABAGF7cnY2iUdwbAujVRDw/MMSKG8yjtNOFo8ihbqZEHLkD4O
+Aw8y04poaEsh96IWmF9/fDAUkoMaOQNc029Ewf2JdQGC4j+klpmX3o0XcmbkUEja
+zSB9OzCCHXvpfFQ9A1Um/fmXo+XnreLEYHFYMSM30gotZlc0grbW8GoKb2VvxwRB
+IA==
+-----END PRIVATE KEY-----
diff --git a/examples/tls/private/gen_certs.sh b/examples/tls/private/gen_certs.sh
@@ -113,15 +113,39 @@ function gen_ecdsa_nistp384_sha384() {
   rm ca_cert.srl server.csr ecdsa_nistp384_sha384_key.pem
 }
 
+function gen_ecdsa_nistp521_sha512() {
+  gen_ca_if_non_existent
+
+  openssl ecparam -out ecdsa_nistp521_sha512_key.pem -name secp521r1 -genkey
+
+  # Convert to pkcs8 format supported by rustls
+  openssl pkcs8 -topk8 -nocrypt -in ecdsa_nistp521_sha512_key.pem \
+    -out ecdsa_nistp521_sha512_key_pkcs8.pem
+
+  openssl req -new -nodes -sha512 -key ecdsa_nistp521_sha512_key_pkcs8.pem \
+    -subj "${SUBJECT}" -out server.csr
+
+  openssl x509 -req -sha512 -extfile <(printf "subjectAltName=${ALT}") -days 3650 \
+    -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
+    -in server.csr -out ecdsa_nistp521_sha512_cert.pem
+
+  openssl pkcs12 -export -password pass:rocket -in ecdsa_nistp521_sha512_cert.pem \
+    -inkey ecdsa_nistp521_sha512_key_pkcs8.pem -out ecdsa_nistp521_sha512.p12
+
+  rm ca_cert.srl server.csr ecdsa_nistp521_sha512_key.pem
+}
+
 case $1 in
   ed25519) gen_ed25519 ;;
   rsa_sha256) gen_rsa_sha256 ;;
   ecdsa_nistp256_sha256) gen_ecdsa_nistp256_sha256 ;;
   ecdsa_nistp384_sha384) gen_ecdsa_nistp384_sha384 ;;
+  ecdsa_nistp521_sha512) gen_ecdsa_nistp521_sha512 ;;
   *)
     gen_ed25519
     gen_rsa_sha256
     gen_ecdsa_nistp256_sha256
     gen_ecdsa_nistp384_sha384
+    gen_ecdsa_nistp521_sha512
     ;;
 esac
diff --git a/examples/tls/src/tests.rs b/examples/tls/src/tests.rs
@@ -69,8 +69,9 @@ fn insecure_cookies() {
 fn hello_world() {
     use rocket::listener::DefaultListener;
     use rocket::config::{Config, SecretKey};
+    use rustls::crypto::aws_lc_rs;
 
-    let profiles = [
+    let mut profiles = vec![
         "rsa_sha256",
         "ecdsa_nistp256_sha256_pkcs8",
         "ecdsa_nistp384_sha384_pkcs8",
@@ -79,20 +80,29 @@ fn hello_world() {
         "ed25519",
     ];
 
-    for profile in profiles {
-        let config = Config {
-            secret_key: SecretKey::generate().unwrap(),
-            ..Config::debug_default()
-        };
-
-        let figment = Config::figment().merge(config).select(profile);
-        let client = Client::tracked_secure(super::rocket().configure(figment)).unwrap();
-        let response = client.get("/").dispatch();
-        assert_eq!(response.into_string().unwrap(), "Hello, world!");
-
-        let figment = client.rocket().figment();
-        let listener: DefaultListener = figment.extract().unwrap();
-        assert_eq!(figment.profile(), profile);
-        listener.tls.as_ref().unwrap().validate().expect("valid TLS config");
+    for use_aws_lc in [false, true] {
+        if use_aws_lc {
+            let crypto_provider = aws_lc_rs::default_provider();
+            crypto_provider.install_default().unwrap();
+
+            profiles.push("ecdsa_nistp521_sha512_pkcs8");
+        }
+
+        for profile in &profiles {
+            let config = Config {
+                secret_key: SecretKey::generate().unwrap(),
+                ..Config::debug_default()
+            };
+
+            let figment = Config::figment().merge(config).select(profile);
+            let client = Client::tracked_secure(super::rocket().configure(figment)).unwrap();
+            let response = client.get("/").dispatch();
+            assert_eq!(response.into_string().unwrap(), "Hello, world!");
+
+            let figment = client.rocket().figment();
+            let listener: DefaultListener = figment.extract().unwrap();
+            assert_eq!(figment.profile(), profile);
+            listener.tls.as_ref().unwrap().validate().expect("valid TLS config");
+        }
     }
 }