tests: allow TLS1.2 with RSA-PSS certs in integ tests (aws#4949)

goatgoose · Dec 10, 2024 · 3c4ea72 · 3c4ea72
1 parent a004f2b
commit 3c4ea72
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 15 deletions.
diff --git a/tests/integrationv2/common.py b/tests/integrationv2/common.py
@@ -111,7 +111,20 @@ def __init__(self, name, prefix, location=TEST_CERT_DIRECTORY):
             self.algorithm = 'RSAPSS'
 
     def compatible_with_cipher(self, cipher):
-        return (self.algorithm == cipher.algorithm) or (cipher.algorithm == 'ANY')
+        if self.algorithm == cipher.algorithm:
+            return True
+        # TLS1.3 cipher suites do not specify auth method, so allow any auth method
+        if cipher.algorithm == 'ANY':
+            return True
+        if self.algorithm == 'RSAPSS':
+            # RSA-PSS certs can only be used by ciphers with RSA auth
+            if cipher.algorithm != 'RSA':
+                return False
+            # RSA-PSS certs do not support RSA key exchange, only RSA auth
+            # "DHE" here is intended to capture both "DHE" and "ECDHE"
+            if 'DHE' in cipher.name:
+                return True
+        return False
 
     def compatible_with_curve(self, curve):
         if self.algorithm != 'EC':
@@ -442,7 +455,7 @@ class Signatures(object):
 
     RSA_PSS_PSS_SHA256 = Signature(
         'rsa_pss_pss_sha256',
-        min_protocol=Protocols.TLS13,
+        min_protocol=Protocols.TLS12,
         sig_type='RSA-PSS-PSS',
         sig_digest='SHA256')
 

diff --git a/tests/integrationv2/providers.py b/tests/integrationv2/providers.py
@@ -148,22 +148,24 @@ def get_send_marker(cls):
 
     @classmethod
     def supports_protocol(cls, protocol, with_cert=None):
-        # TLS 1.3 is unsupported for openssl-1.0
+        # RSA-PSS is unsupported for openssl-1.0
         # libressl and boringssl are disabled because of configuration issues
         # see https://github.com/aws/s2n-tls/issues/3250
-        TLS_13_UNSUPPORTED_LIBCRYPTOS = {
+        PSS_UNSUPPORTED_LIBCRYPTOS = {
             "libressl",
             "boringssl",
             "openssl-1.0"
         }
-
-        # Disable TLS 1.3 tests for all libcryptos that don't support 1.3
-        if protocol == Protocols.TLS13:
-            current_libcrypto = get_flag(S2N_PROVIDER_VERSION)
-            for unsupported_lc in TLS_13_UNSUPPORTED_LIBCRYPTOS:
-                # e.g. "openssl-1.0" in "openssl-1.0.2-fips"
-                if unsupported_lc in current_libcrypto:
-                    return False
+        pss_is_unsupported = any([
+            # e.g. "openssl-1.0" in "openssl-1.0.2-fips"
+            libcrypto in get_flag(S2N_PROVIDER_VERSION)
+            for libcrypto in PSS_UNSUPPORTED_LIBCRYPTOS
+        ])
+        if pss_is_unsupported:
+            if protocol == Protocols.TLS13:
+                return False
+            if with_cert and with_cert.algorithm == 'RSAPSS':
+                return False
 
         # SSLv3 cannot be negotiated in FIPS mode with libcryptos other than AWS-LC.
         if all([

diff --git a/tests/integrationv2/utils.py b/tests/integrationv2/utils.py
@@ -72,9 +72,8 @@ def invalid_test_parameters(*args, **kwargs):
     # Always consider S2N
     providers.append(S2N)
 
-    # Only TLS1.3 supports RSA-PSS-PSS certificates
-    # (Earlier versions support RSA-PSS signatures, just via RSA-PSS-RSAE)
-    if protocol and protocol is not Protocols.TLS13:
+    # Older versions do not support RSA-PSS-PSS certificates
+    if protocol and protocol < Protocols.TLS12:
         if client_certificate and client_certificate.algorithm == 'RSAPSS':
             return True
         if certificate and certificate.algorithm == 'RSAPSS':