fix(integrationv2): Skip RSA PSS client auth cert tests for unsupport…

…ed libcryptos
aws · Feb 6, 2025 · 6eabe5a · 6eabe5a
1 parent 806830d
commit 6eabe5a
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 18 deletions.
diff --git a/codebuild/spec/buildspec_ubuntu_integrationv2.yml b/codebuild/spec/buildspec_ubuntu_integrationv2.yml
@@ -36,7 +36,7 @@ batch:
             - openssl-1.1.1_gcc9
             - openssl-3.0
           INTEGV2_TEST:
-            - "test_dynamic_record_sizes test_sslyze test_sslv2_client_hello"
+            - "test_client_authentication test_dynamic_record_sizes test_sslyze test_sslv2_client_hello"
             - "test_happy_path"
             - "test_cross_compatibility"
             - "test_early_data test_well_known_endpoints test_hello_retry_requests test_sni_match test_pq_handshake test_fragmentation test_key_update"

diff --git a/tests/integrationv2/providers.py b/tests/integrationv2/providers.py
@@ -5,7 +5,7 @@
 import pytest
 import threading
 
-from common import ProviderOptions, Ciphers, Curves, Protocols, Signatures
+from common import ProviderOptions, Ciphers, Curves, Protocols, Signatures, Cert
 from global_flags import get_flag, S2N_PROVIDER_VERSION, S2N_FIPS_MODE
 from stat import S_IMODE
 
@@ -72,7 +72,7 @@ def get_send_marker(cls):
         return None
 
     @classmethod
-    def supports_protocol(cls, protocol, with_cert=None):
+    def supports_protocol(cls, protocol):
         raise NotImplementedError
 
     @classmethod
@@ -94,6 +94,10 @@ def set_provider_ready(self):
             self._provider_ready = True
             self._provider_ready_condition.notify()
 
+    @classmethod
+    def supports_certificate(cls, cert: Cert):
+        return True
+
 
 class Tcpdump(Provider):
     """
@@ -147,7 +151,7 @@ def get_send_marker(cls):
         return 's2n is ready'
 
     @classmethod
-    def supports_protocol(cls, protocol, with_cert=None):
+    def _pss_supported(cls):
         # RSA-PSS is unsupported for openssl-1.0
         # libressl and boringssl are disabled because of configuration issues
         # see https://github.com/aws/s2n-tls/issues/3250
@@ -156,16 +160,21 @@ def supports_protocol(cls, protocol, with_cert=None):
             "boringssl",
             "openssl-1.0"
         }
-        pss_is_unsupported = any([
-            # e.g. "openssl-1.0" in "openssl-1.0.2-fips"
-            libcrypto in get_flag(S2N_PROVIDER_VERSION)
-            for libcrypto in PSS_UNSUPPORTED_LIBCRYPTOS
-        ])
-        if pss_is_unsupported:
-            if protocol == Protocols.TLS13:
-                return False
-            if with_cert and with_cert.algorithm == 'RSAPSS':
+        for libcrypto in PSS_UNSUPPORTED_LIBCRYPTOS:
+            if libcrypto in get_flag(S2N_PROVIDER_VERSION):
                 return False
+        return True
+
+    @classmethod
+    def supports_certificate(cls, cert: Cert):
+        if not cls._pss_supported() and cert.algorithm == 'RSAPSS':
+            return False
+        return True
+
+    @classmethod
+    def supports_protocol(cls, protocol):
+        if not cls._pss_supported() and protocol == Protocols.TLS13:
+            return False
 
         # SSLv3 cannot be negotiated in FIPS mode with libcryptos other than AWS-LC.
         if all([
@@ -391,7 +400,7 @@ def get_version(cls):
         return get_flag(S2N_PROVIDER_VERSION)
 
     @classmethod
-    def supports_protocol(cls, protocol, with_cert=None):
+    def supports_protocol(cls, protocol):
         if protocol is Protocols.SSLv3:
             return False
 
@@ -552,7 +561,7 @@ def _override_libssl(self, options: ProviderOptions):
         options.env_overrides = override_env_vars
 
     @classmethod
-    def supports_protocol(cls, protocol, with_cert=None):
+    def supports_protocol(cls, protocol):
         if protocol is Protocols.SSLv3:
             return True
         return False
@@ -572,7 +581,7 @@ def get_send_marker(cls):
         return "Starting handshake"
 
     @classmethod
-    def supports_protocol(cls, protocol, with_cert=None):
+    def supports_protocol(cls, protocol):
         # https://aws.amazon.com/blogs/opensource/tls-1-0-1-1-changes-in-openjdk-and-amazon-corretto/
         if protocol is Protocols.SSLv3 or protocol is Protocols.TLS10 or protocol is Protocols.TLS11:
             return False
@@ -879,7 +888,7 @@ def setup_server(self):
         return cmd_line
 
     @classmethod
-    def supports_protocol(cls, protocol, with_cert=None):
+    def supports_protocol(cls, protocol):
         return GnuTLS.protocol_to_priority_str(protocol) is not None
 
     @classmethod

diff --git a/tests/integrationv2/utils.py b/tests/integrationv2/utils.py
@@ -72,6 +72,8 @@ def invalid_test_parameters(*args, **kwargs):
     # Always consider S2N
     providers.append(S2N)
 
+    certificates = [certificate_ for certificate_ in [certificate, client_certificate] if certificate_]
+
     # Older versions do not support RSA-PSS-PSS certificates
     if protocol and protocol < Protocols.TLS12:
         if client_certificate and client_certificate.algorithm == 'RSAPSS':
@@ -83,6 +85,10 @@ def invalid_test_parameters(*args, **kwargs):
         if not provider_.supports_protocol(protocol):
             return True
 
+        for certificate_ in certificates:
+            if not provider_.supports_certificate(certificate_):
+                return True
+
     if cipher is not None:
         # If the selected protocol doesn't allow the cipher, don't test
         if protocol is not None:
@@ -107,7 +113,7 @@ def invalid_test_parameters(*args, **kwargs):
     if certificate is not None:
         if protocol is not None:
             for provider_ in providers:
-                if provider_.supports_protocol(protocol, with_cert=certificate) is False:
+                if provider_.supports_protocol(protocol) is False:
                     return True
         if cipher is not None and certificate.compatible_with_cipher(cipher) is False:
             return True