diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc index a6ca0ab96..4d56d3728 100644 --- a/ssl/ssl_lib.cc +++ b/ssl/ssl_lib.cc @@ -687,7 +687,7 @@ SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg) signed_cert_timestamps_enabled(false), ocsp_stapling_enabled(false), channel_id_enabled(false), - enforce_rsa_key_usage(true), + enforce_rsa_key_usage(false), retain_only_sha256_of_client_certs(false), handoff(false), shed_handshake_config(false), diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go index 655226ca7..5c6ef4f1d 100644 --- a/ssl/test/runner/runner.go +++ b/ssl/test/runner/runner.go @@ -15613,6 +15613,9 @@ func addRSAKeyUsageTests() { }, shouldFail: true, expectedError: ":KEY_USAGE_BIT_INCORRECT:", + flags: []string{ + "-enforce-rsa-key-usage", + }, }) testCases = append(testCases, testCase{ @@ -15624,6 +15627,9 @@ func addRSAKeyUsageTests() { Certificates: []Certificate{dsCert}, CipherSuites: dsSuites, }, + flags: []string{ + "-enforce-rsa-key-usage", + }, }) // TLS 1.3 removes the encipherment suites. @@ -15637,6 +15643,9 @@ func addRSAKeyUsageTests() { Certificates: []Certificate{encCert}, CipherSuites: encSuites, }, + flags: []string{ + "-enforce-rsa-key-usage", + }, }) testCases = append(testCases, testCase{ @@ -15650,6 +15659,9 @@ func addRSAKeyUsageTests() { }, shouldFail: true, expectedError: ":KEY_USAGE_BIT_INCORRECT:", + flags: []string{ + "-enforce-rsa-key-usage", + }, }) // In 1.2 and below, we should not enforce without the enforce-rsa-key-usage flag. @@ -15662,7 +15674,6 @@ func addRSAKeyUsageTests() { Certificates: []Certificate{dsCert}, CipherSuites: encSuites, }, - flags: []string{"-no-enforce-rsa-key-usage"}, }) testCases = append(testCases, testCase{ @@ -15674,22 +15685,20 @@ func addRSAKeyUsageTests() { Certificates: []Certificate{encCert}, CipherSuites: dsSuites, }, - flags: []string{"-no-enforce-rsa-key-usage"}, }) } if ver.version >= VersionTLS13 { - // In 1.3 and above, we enforce keyUsage even when disabled. + // In 1.3 and above, we enforce keyUsage even without the flag. testCases = append(testCases, testCase{ testType: clientTest, - name: "RSAKeyUsage-Client-WantSignature-GotEncipherment-AlwaysEnforced" + ver.name, + name: "RSAKeyUsage-Client-WantSignature-GotEncipherment-Enforced" + ver.name, config: Config{ MinVersion: ver.version, MaxVersion: ver.version, Certificates: []Certificate{encCert}, CipherSuites: dsSuites, }, - flags: []string{"-no-enforce-rsa-key-usage"}, shouldFail: true, expectedError: ":KEY_USAGE_BIT_INCORRECT:", }) diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc index cb79dea10..2671370bb 100644 --- a/ssl/test/test_config.cc +++ b/ssl/test/test_config.cc @@ -364,8 +364,7 @@ std::vector SortedFlags() { IntFlag("-install-one-cert-compression-alg", &TestConfig::install_one_cert_compression_alg), BoolFlag("-reverify-on-resume", &TestConfig::reverify_on_resume), - BoolFlag("-no-enforce-rsa-key-usage", - &TestConfig::no_enforce_rsa_key_usage), + BoolFlag("-enforce-rsa-key-usage", &TestConfig::enforce_rsa_key_usage), BoolFlag("-is-handshaker-supported", &TestConfig::is_handshaker_supported), BoolFlag("-handshaker-resume", &TestConfig::handshaker_resume), @@ -1743,8 +1742,8 @@ bssl::UniquePtr TestConfig::NewSSL( if (reverify_on_resume) { SSL_CTX_set_reverify_on_resume(ssl_ctx, 1); } - if (no_enforce_rsa_key_usage) { - SSL_set_enforce_rsa_key_usage(ssl.get(), 0); + if (enforce_rsa_key_usage) { + SSL_set_enforce_rsa_key_usage(ssl.get(), 1); } if (no_tls13) { SSL_set_options(ssl.get(), SSL_OP_NO_TLSv1_3); diff --git a/ssl/test/test_config.h b/ssl/test/test_config.h index 6b158911c..1a21ac147 100644 --- a/ssl/test/test_config.h +++ b/ssl/test/test_config.h @@ -177,7 +177,7 @@ struct TestConfig { bool install_cert_compression_algs = false; int install_one_cert_compression_alg = 0; bool reverify_on_resume = false; - bool no_enforce_rsa_key_usage = false; + bool enforce_rsa_key_usage = false; bool is_handshaker_supported = false; bool handshaker_resume = false; std::string handshaker_path;