tlsfuzzer
diff --git a/‎scripts/tls.py‎
Lines changed: 277 additions & 18 deletions b/‎scripts/tls.py‎
Lines changed: 277 additions & 18 deletions
diff --git a/‎tests/serverX509DCKey.pem‎
Lines changed: 28 additions & 0 deletions b/‎tests/serverX509DCKey.pem‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎tests/serverX509DCPub.pem‎
Lines changed: 9 additions & 0 deletions b/‎tests/serverX509DCPub.pem‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎tests/tlstest.py‎
Lines changed: 198 additions & 5 deletions b/‎tests/tlstest.py‎
Lines changed: 198 additions & 5 deletions
diff --git a/‎tlslite/constants.py‎
Lines changed: 1 addition & 0 deletions b/‎tlslite/constants.py‎
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCT/Pf92sZZd5nP
+5WUs+ilhN2GxgSx1ylXyARar2MGWfYA/b0eMPsfVf+bLpQX/Da2drrq7L1HxTaId
+NUYsh/nvPLxROkA4AmECahFZSCkJZ6VdVgO2cMu7SNE9L7vZXIo22aL+COBqZ1xn
+vjMUyVXnrs02fMfcn6c/FIO0bd2YkRUiOP2iBAhCn6GmHZeJ0/OMHB7VJ0Ozpy63
+xsONxtIBgPEimQFlTCgmMmBjDzyquTIqVZ0ajQnHNKM4BaBcsu788sttPCh3i7EQ
+4sAI8Pw8tmPxs/nb2fMNgQEd+wjvIHTss82hzu9XUTDt9CAOWHyRCUi5D9a6dMS4
+oscRpQiPAgMBAAECggEAEy4gPiiSuJnFt6o1mMS7hDwXT1g8mO+mf/0gIRmwzX5q
+ls4nacfhQoyXLyGuS0ZMkDlLPmN9rVawgjSbab4d6KHojmaMWDYGuLdilD3EA9IJ
+HrW9OXIZFab0Z4e+Qwe5ai5+74na/C91TITcPf9yQNrpAfzeMnwGwyg3gbUTmWhR
+2AriFcTdWINmZKNKbOS0Fkw/Kn7zPAidjSanvthNdQPNi1k1fob0rj05Q57kEe4d
+lOC5j79mYV3XUWlyf6g8knmoBsQ1Y0gfFyro1R3VtAJSlU8KPJ41bhlE5kpiUZYb
+cWRCJYF3anRxTxo8getRLffE19en0i+z99tZIzgwoQKBgQDOgU5/2DK6ussAm9kv
+6IPOuwr9gEaYQAMmgG08ck2CCW7J/MGAGXURtZOMf5zSsMBvHXT/xvAWBuElilbF
+9/DNHz51Ts2GvyqPSzSFHxQUo3ljV6n/qIXP+7Xb3xwzjGVzXl2CfPeI0hxVZmz+
+W6jcvczqyOXxjH+WZFmgLnzJSQKBgQC3dTFQYSWJpXb9gVNSWLRbN6ZVgoEjMbOJ
+N8Pzj+3hcKYeQJUdH1dxbGdjFUrCrkHVWEaXZ7eH5B/fWd+uTBUgwnO0FExjpkAm
+EsakhP96vdN/jtax0S7S1Jcn6Ty6YdBAzXT9JsguxAUvVE4uSpdrdxpJF/4F6key
+WdoXE9JbFwKBgG52qvgmPVS3sPm9ZFuFRGSkl0dtg9XTgBvrXQOVnTJvO01fIF8W
+vxHfEHN6m/f0RqvplPlxgGI4Ad3j93DkpXIEQZPcuIJY5jpKn2iKbGJx4/ApJ62z
+hwjve6OG4H4OnwIsu1ae5IbS5gckyC7z9wtFmEULfD1Oy702Jt9RnrzJAoGAbtug
+SwQJHN4hwxpM8SutAJnmJzHPOycjaD2MaTeF9X6OwyUfdhOkUWPCLbuGC5IlMfg/
+3+nKm5EcOWkjoz1SXxNhu2Wwq16g0ODzrCK6Br+CeEgmMBlJhBj2piVoju/gWehN
+U1QGD0xgHbOB8rMcQNIdziFzXLuvS3TENsHBkU0CgYBg4mTavRdbMwDUN07aRpt8
++EaJJnmxWRl0wD9yIvFVZa0wPRYd54/HOMj5dqHHklgn1eb+HwxdyEYw/kUMn+oC
+roPHTA4hYXDMqAHkXMC6sDmG5MVgP6ozWEYVbiK/5y6QsTozLciNpwA0STGHmtcC
+kQpskxTgLWPCkzB6RvWqzw==
+-----END PRIVATE KEY-----
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAk/z3/drGWXeZz+VlLPop
+YTdhsYEsdcpV8gEWq9jBln2AP29HjD7H1X/my6UF/w2tna66uy9R8U2iHTVGLIf5
+7zy8UTpAOAJhAmoRWUgpCWelXVYDtnDLu0jRPS+72VyKNtmi/gjgamdcZ74zFMlV
+567NNnzH3J+nPxSDtG3dmJEVIjj9ogQIQp+hph2XidPzjBwe1SdDs6cut8bDjcbS
+AYDxIpkBZUwoJjJgYw88qrkyKlWdGo0JxzSjOAWgXLLu/PLLbTwod4uxEOLACPD8
+PLZj8bP529nzDYEBHfsI7yB07LPNoc7vV1Ew7fQgDlh8kQlIuQ/WunTEuKLHEaUI
+jwIDAQAB
+-----END PUBLIC KEY-----
@@ -19,32 +19,39 @@
 import socket
 import time
 import timeit
-import getopt
+import hashlib
 from tempfile import mkstemp
+
+from tlslite.x509 import DelegatedCredential, Credential
 try:
     from BaseHTTPServer import HTTPServer
     from SimpleHTTPServer import SimpleHTTPRequestHandler
 except ImportError:
     from http.server import HTTPServer, SimpleHTTPRequestHandler
 
 from tlslite import TLSConnection, Fault, HandshakeSettings, \
-    X509, X509CertChain, IMAP4_TLS, VerifierDB, Session, SessionCache, \
+    X509, X509CertChain, IMAP4_TLS, VerifierDB, SessionCache, \
     parsePEMKey, constants, \
     AlertDescription, HTTPTLSConnection, TLSSocketServerMixIn, \
     POP3_TLS, m2cryptoLoaded, pycryptoLoaded, gmpyLoaded, tackpyLoaded, \
     Checker, __version__
-from tlslite.handshakesettings import VirtualHost, Keypair
+from tlslite.handshakesettings import VirtualHost, Keypair, DC_VALID_TIME
 
 from tlslite.errors import *
-from tlslite.utils.cryptomath import prngName, getRandomBytes
+from tlslite.utils.cryptomath import prngName, getRandomBytes, \
+    numberToByteArray
 try:
     import xmlrpclib
 except ImportError:
     # Python 3
     from xmlrpc import client as xmlrpclib
 import ssl
 from tlslite import *
-from tlslite.constants import KeyUpdateMessageType, ECPointFormat, SignatureScheme
+from tlslite.constants import TLS_1_3_BRAINPOOL_SIG_SCHEMES, \
+    HashAlgorithm, KeyUpdateMessageType, ECPointFormat, \
+    SignatureAlgorithm, SignatureScheme
+from tlslite.utils.pem import dePem
+from tlslite.utils.codec import Parser
 
 try:
     from tack.structures.Tack import Tack
@@ -1910,6 +1917,84 @@ def heartbeat_response_check(message):
 
     test_no += 1
 
+    print("Test {0} - Delegated Credential test: RSA cert".format(test_no))
+    synchro.recv(1)
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.maxVersion = (3, 4)
+    settings.dc_sig_algs = [SignatureScheme.rsa_pss_pss_sha256]
+    connection.handshakeClientCert(settings=settings)
+    assert connection.session.delegated_credential is not None
+    assert isinstance(connection.session.delegated_credential,
+                      DelegatedCredential)
+    assert connection.session.delegated_credential.algorithm == SignatureScheme.rsa_pss_pss_sha256
+    testConnClient(connection)
+    connection.close()
+
+    test_no += 1
+
+    print("Test {0} - Delegated Credential test: ECDSA cert".format(test_no))
+    synchro.recv(1)
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.maxVersion = (3, 4)
+    settings.dc_sig_algs = [SignatureScheme.rsa_pss_pss_sha256]
+    connection.handshakeClientCert(settings=settings)
+    assert connection.session.delegated_credential is not None
+    assert isinstance(connection.session.delegated_credential,
+                      DelegatedCredential)
+    assert connection.session.delegated_credential.algorithm == SignatureScheme.ecdsa_secp256r1_sha256
+    testConnClient(connection)
+    connection.close()
+
+    test_no += 1
+
+    print("Test {0} - Delegated Credential test: Ed2551 cert".format(test_no))
+    synchro.recv(1)
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.maxVersion = (3, 4)
+    settings.dc_sig_algs = [SignatureScheme.rsa_pss_pss_sha256]
+    connection.handshakeClientCert(settings=settings)
+    assert connection.session.delegated_credential is not None
+    assert isinstance(connection.session.delegated_credential,
+                      DelegatedCredential)
+    assert connection.session.delegated_credential.algorithm == SignatureScheme.ed25519
+    testConnClient(connection)
+    connection.close()
+
+    test_no += 1
+
+    print("Test {0} - Delegated Credential test: brainpoolP256r1tls13 cert".format(test_no))
+    synchro.recv(1)
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.maxVersion = (3, 4)
+    settings.dc_sig_algs = [SignatureScheme.rsa_pss_pss_sha256]
+    connection.handshakeClientCert(settings=settings)
+    assert connection.session.delegated_credential is not None
+    assert isinstance(connection.session.delegated_credential,
+                      DelegatedCredential)
+    assert connection.session.delegated_credential.algorithm == SignatureScheme.ecdsa_brainpoolP256r1tls13_sha256
+    testConnClient(connection)
+    connection.close()
+
+    test_no += 1
+
+    print("Test {0} - good X.509 TLSv1.3, no DC on client side)".format(test_no))
+    synchro.recv(1)
+    settings = HandshakeSettings()
+    settings.certificate_compression_receive = []
+    settings.certificate_compression_send = []
+    settings.dc_sig_algs = [SignatureScheme.rsa_pss_pss_sha256]
+    connection = connect()
+    connection.handshakeClientCert(serverName=address[0],
+                                   settings=settings)
+    testConnClient(connection)
+    assert connection.server_cert_compression_algo is None
+    assert connection.client_cert_compression_algo is None
+    connection.close()
+
     print('Test {0} - good standard XMLRPC https client'.format(test_no))
     address = address[0], address[1]+1
     synchro.recv(1)
@@ -1967,6 +2052,8 @@ def heartbeat_response_check(message):
         print("Non-critical error: socket error trying to reach internet "
               "server: ", e)
 
+
+
     synchro.close()
 
     if not badFault:
@@ -2119,6 +2206,12 @@ def connect():
     with open(os.path.join(dir, "serverEd448Key.pem")) as f:
         x509Ed448Key = parsePEMKey(f.read(), private=True,
                                    implementations=["python"])
+    with open(os.path.join(dir, "serverX509DCKey.pem")) as f:
+        x509DCKey = parsePEMKey(f.read(), private=True,
+                                implementations=["python"])
+
+    with open(os.path.join(dir, "serverX509DCPub.pem")) as f:
+        X509DCPub = dePem(f.read(), "PUBLIC KEY")
 
     test_no = 0
 
@@ -3655,6 +3748,106 @@ def heartbeat_response_check(message):
 
     test_no +=1
 
+    print("Test {0}-{1} - Delegated Credential test".format(test_no, test_no + 3))
+    cert_alg = [(x509Chain, x509Key, SignatureScheme.rsa_pss_pss_sha256),
+                (x509ecdsaChain, x509ecdsaKey, SignatureScheme.ecdsa_secp256r1_sha256),
+                (x509Ed25519Chain, x509Ed25519Key, SignatureScheme.ed25519),
+                (x509ecdsaBrainpoolP256r1Chain,
+                 x509ecdsaBrainpoolP256r1Key,
+                 SignatureScheme.ecdsa_brainpoolP256r1tls13_sha256)
+    ]
+    for value in cert_alg:
+        synchro.send(b'R')
+        connection = connect()
+
+        cert_chain, private_key, sig_alg = value
+        scheme = SignatureScheme.toRepr(sig_alg)
+        dc_sig_alg = SignatureScheme.rsa_pss_pss_sha256
+
+        cert_bytes = cert_chain.x509List[0].bytes
+        valid_time = int(time.time()) + DC_VALID_TIME
+        cred_bytes = bytearray(numberToByteArray(valid_time) +
+                            numberToByteArray(dc_sig_alg[0]) +
+                            numberToByteArray(dc_sig_alg[1]) +
+                            X509DCPub)
+        cred = Credential(valid_time=valid_time,
+                        dc_cert_verify_algorithm=dc_sig_alg,
+                        subject_public_key_info=X509DCPub,
+                        bytes=cred_bytes)
+
+        bytes_to_sign = DelegatedCredential.compute_certificate_dc_sig_context(
+            cert_bytes,
+            cred_bytes,
+            sig_alg)
+
+        if sig_alg in (SignatureScheme.ed25519,
+                SignatureScheme.ed448):
+            hashName = "intrinsic"
+            padType = None
+            saltLen = None
+            sig_func = private_key.hashAndSign
+            ver_func = private_key.hashAndVerify
+        elif sig_alg[1] == SignatureAlgorithm.ecdsa:
+            hashName = HashAlgorithm.toRepr(sig_alg[0])
+            padType = None
+            saltLen = None
+            sig_func = private_key.hashAndSign
+            ver_func = private_key.hashAndVerify
+        elif sig_alg in TLS_1_3_BRAINPOOL_SIG_SCHEMES:
+            hashName = SignatureScheme.getHash(scheme)
+            padType = None
+            saltLen = None
+            sig_func = private_key.hashAndSign
+            ver_func = private_key.hashAndVerify
+        else:
+            padType = SignatureScheme.getPadding(scheme)
+            hashName = SignatureScheme.getHash(scheme)
+            saltLen = getattr(hashlib, hashName)().digest_size
+            sig_func = private_key.hashAndSign
+            ver_func = private_key.hashAndVerify
+
+        signature = sig_func(bytes_to_sign,
+                            padType,
+                            hashName,
+                            saltLen)
+        if not ver_func(signature, bytes_to_sign,
+                        padType,
+                        hashName,
+                        saltLen):
+            raise ValueError("Delegated Credential signature failed")
+
+
+        delegated_credential = DelegatedCredential(cred=cred,
+                                                    algorithm=sig_alg,
+                                                    signature=signature)
+
+        settings = HandshakeSettings()
+        settings.maxVersion = (3, 4)
+        settings.dc_sig_algs = [SignatureScheme.rsa_pss_pss_sha256]
+        connection.handshakeServer(certChain=cert_chain,
+                                privateKey=None,
+                                dc_key=x509DCKey,
+                                del_cred=delegated_credential,
+                                settings=settings)
+        assert connection.session.delegated_credential is not None
+        assert isinstance(connection.session.delegated_credential,
+                        DelegatedCredential)
+        testConnServer(connection)
+        connection.close()
+
+    test_no += 4
+
+    print("Test {0} - good X.509 TLSv1.3 (no DC on client side)".format(test_no))
+    synchro.send(b'R')
+    connection = connect()
+    connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
+    assert connection.server_cert_compression_algo is None
+    assert connection.client_cert_compression_algo is None
+    testConnServer(connection)
+    connection.close()
+
+    test_no += 1
+
     print("Tests {0}-{1} - XMLRPXC server".format(test_no, test_no + 2))
 
     address = address[0], address[1]+1
 
@@ -181,6 +181,7 @@ class ExtensionType(TLSEnum):
     post_handshake_auth = 49  # TLS 1.3
     signature_algorithms_cert = 50  # TLS 1.3
     key_share = 51  # TLS 1.3
+    delegated_credential = 34 # TLS 1.3, RFC 9345
     supports_npn = 13172
     tack = 0xF300
     renegotiation_info = 0xff01  # RFC 5746