diff --git a/tests/integrationv2/common.py b/tests/integrationv2/common.py index b550d463659..35ba091cd79 100644 --- a/tests/integrationv2/common.py +++ b/tests/integrationv2/common.py @@ -111,7 +111,20 @@ def __init__(self, name, prefix, location=TEST_CERT_DIRECTORY): self.algorithm = 'RSAPSS' def compatible_with_cipher(self, cipher): - return (self.algorithm == cipher.algorithm) or (cipher.algorithm == 'ANY') + if self.algorithm == cipher.algorithm: + return True + # TLS1.3 cipher suites do not specify auth method, so allow any auth method + if cipher.algorithm == 'ANY': + return True + if self.algorithm == 'RSAPSS': + # RSA-PSS certs can only be used by ciphers with RSA auth + if cipher.algorithm != 'RSA': + return False + # RSA-PSS certs do not support RSA key exchange, only RSA auth + # "DHE" here is intended to capture both "DHE" and "ECDHE" + if 'DHE' in cipher.name: + return True + return False def compatible_with_curve(self, curve): if self.algorithm != 'EC': @@ -442,7 +455,7 @@ class Signatures(object): RSA_PSS_PSS_SHA256 = Signature( 'rsa_pss_pss_sha256', - min_protocol=Protocols.TLS13, + min_protocol=Protocols.TLS12, sig_type='RSA-PSS-PSS', sig_digest='SHA256') diff --git a/tests/integrationv2/providers.py b/tests/integrationv2/providers.py index ae203af6e6c..185d4f08be1 100644 --- a/tests/integrationv2/providers.py +++ b/tests/integrationv2/providers.py @@ -148,22 +148,24 @@ def get_send_marker(cls): @classmethod def supports_protocol(cls, protocol, with_cert=None): - # TLS 1.3 is unsupported for openssl-1.0 + # RSA-PSS is unsupported for openssl-1.0 # libressl and boringssl are disabled because of configuration issues # see https://github.com/aws/s2n-tls/issues/3250 - TLS_13_UNSUPPORTED_LIBCRYPTOS = { + PSS_UNSUPPORTED_LIBCRYPTOS = { "libressl", "boringssl", "openssl-1.0" } - - # Disable TLS 1.3 tests for all libcryptos that don't support 1.3 - if protocol == Protocols.TLS13: - current_libcrypto = get_flag(S2N_PROVIDER_VERSION) - for unsupported_lc in TLS_13_UNSUPPORTED_LIBCRYPTOS: - # e.g. "openssl-1.0" in "openssl-1.0.2-fips" - if unsupported_lc in current_libcrypto: - return False + pss_is_unsupported = any([ + # e.g. "openssl-1.0" in "openssl-1.0.2-fips" + libcrypto in get_flag(S2N_PROVIDER_VERSION) + for libcrypto in PSS_UNSUPPORTED_LIBCRYPTOS + ]) + if pss_is_unsupported: + if protocol == Protocols.TLS13: + return False + if with_cert and with_cert.algorithm == 'RSAPSS': + return False # SSLv3 cannot be negotiated in FIPS mode with libcryptos other than AWS-LC. if all([ diff --git a/tests/integrationv2/utils.py b/tests/integrationv2/utils.py index 3d7c2022120..47842fd3bdb 100644 --- a/tests/integrationv2/utils.py +++ b/tests/integrationv2/utils.py @@ -72,9 +72,8 @@ def invalid_test_parameters(*args, **kwargs): # Always consider S2N providers.append(S2N) - # Only TLS1.3 supports RSA-PSS-PSS certificates - # (Earlier versions support RSA-PSS signatures, just via RSA-PSS-RSAE) - if protocol and protocol is not Protocols.TLS13: + # Older versions do not support RSA-PSS-PSS certificates + if protocol and protocol < Protocols.TLS12: if client_certificate and client_certificate.algorithm == 'RSAPSS': return True if certificate and certificate.algorithm == 'RSAPSS':