tls: test multiple certificates with client preference selection

Add tests to verify that when multiple certificates (RSA and ECDSA) are
configured, the server correctly selects the certificate based on the
client's signature algorithm preferences.

Assisted-by: Claude <noreply@anthropic.com>

Author: allisonkarlitskaya

src/tls/test-server.c

@@ -31,6 +31,8 @@
 /* this has a corresponding mock-server.key */
 #define CERTFILE SRCDIR "/test/data/mock-server.crt"
 #define KEYFILE SRCDIR "/test/data/mock-server.key"
+#define ECC_CERTFILE SRCDIR "/test/data/mock-ecc.crt"
+#define ECC_KEYFILE SRCDIR "/test/data/mock-ecc.key"
 
 #define CLIENT_CERTFILE SRCDIR "/src/tls/ca/alice.pem"
 #define CLIENT_KEYFILE SRCDIR "/src/tls/ca/alice.key"
@@ -50,11 +52,15 @@ typedef struct {
 typedef struct {
   const char *certfile;
   const char *keyfile;
+  const char *certfile2;
+  const char *keyfile2;
   int cert_request_mode;
   int idle_timeout;
   const char *client_crt;
   const char *client_key;
   const char *client_fingerprint;
+  const char *priority;
+  int expected_pk_algo;
 } TestFixture;
 
 static const TestFixture fixture_separate_crt_key = {
@@ -93,6 +99,24 @@ static const TestFixture fixture_run_idle = {
   .idle_timeout = 1,
 };
 
+static const TestFixture fixture_multiple_certs_ecdsa = {
+  .certfile = CERTFILE,
+  .keyfile = KEYFILE,
+  .certfile2 = ECC_CERTFILE,
+  .keyfile2 = ECC_KEYFILE,
+  .priority = "NORMAL:-SIGN-ALL:+SIGN-ECDSA-SECP256R1-SHA256",
+  .expected_pk_algo = GNUTLS_PK_ECDSA,
+};
+
+static const TestFixture fixture_multiple_certs_rsa = {
+  .certfile = CERTFILE,
+  .keyfile = KEYFILE,
+  .certfile2 = ECC_CERTFILE,
+  .keyfile2 = ECC_KEYFILE,
+  .priority = "NORMAL:-SIGN-ALL:+SIGN-RSA-SHA256:+SIGN-RSA-PSS-RSAE-SHA256",
+  .expected_pk_algo = GNUTLS_PK_RSA,
+};
+
 /* for forking test cases, where server's SIGCHLD handling gets in the way */
 static void
 block_sigchld (void)
@@ -296,7 +320,10 @@ assert_https_outcome (TestCase *tc,
 
       g_assert_cmpint (gnutls_init (&session, GNUTLS_CLIENT), ==, GNUTLS_E_SUCCESS);
       gnutls_transport_set_int (session, fd);
-      g_assert_cmpint (gnutls_set_default_priority (session), ==, GNUTLS_E_SUCCESS);
+      if (fixture && fixture->priority)
+        g_assert_cmpint (gnutls_priority_set_direct (session, fixture->priority, NULL), ==, GNUTLS_E_SUCCESS);
+      else
+        g_assert_cmpint (gnutls_set_default_priority (session), ==, GNUTLS_E_SUCCESS);
       gnutls_handshake_set_timeout(session, 5000);
       g_assert_cmpint (gnutls_certificate_allocate_credentials (&xcred), ==, GNUTLS_E_SUCCESS);
       g_assert_cmpint (gnutls_certificate_set_x509_system_trust (xcred), >=, 0);
@@ -325,6 +352,17 @@ assert_https_outcome (TestCase *tc,
       g_assert (server_certs);
       g_assert_cmpuint (server_certs_len, ==, expected_server_certs);
 
+      /* check server certificate algorithm if requested */
+      if (fixture && fixture->expected_pk_algo)
+        {
+          gnutls_x509_crt_t cert;
+          g_assert_cmpint (gnutls_x509_crt_init (&cert), ==, GNUTLS_E_SUCCESS);
+          g_assert_cmpint (gnutls_x509_crt_import (cert, &server_certs[0], GNUTLS_X509_FMT_DER),
+                           ==, GNUTLS_E_SUCCESS);
+          g_assert_cmpint (gnutls_x509_crt_get_pk_algorithm (cert, NULL), ==, fixture->expected_pk_algo);
+          gnutls_x509_crt_deinit (cert);
+        }
+
       /* send request, read response */
       len = gnutls_record_send (session, request, sizeof (request));
       if (len < 0 && expect_tls_failure)
@@ -435,14 +473,23 @@ setup (TestCase *tc, gconstpointer data)
 
   if (fixture && fixture->certfile)
     {
-      /* Set up certs.d directory with 0.cert and 0.key */
+      /* Set up certs.d directory with 0.crt and 0.key */
       g_autofree gchar *certs_dir = g_build_filename (tc->runtime_dir, "certs.d", NULL);
       g_assert_cmpint (g_mkdir (certs_dir, 0700), ==, 0);
       g_autofree gchar *cert_link = g_build_filename (certs_dir, "0.crt", NULL);
       g_autofree gchar *key_link = g_build_filename (certs_dir, "0.key", NULL);
       g_assert_cmpint (symlink (fixture->certfile, cert_link), ==, 0);
       g_assert_cmpint (symlink (fixture->keyfile, key_link), ==, 0);
 
+      /* Set up secondary certificate if present */
+      if (fixture->certfile2)
+        {
+          g_autofree gchar *cert_link2 = g_build_filename (certs_dir, "1.crt", NULL);
+          g_autofree gchar *key_link2 = g_build_filename (certs_dir, "1.key", NULL);
+          g_assert_cmpint (symlink (fixture->certfile2, cert_link2), ==, 0);
+          g_assert_cmpint (symlink (fixture->keyfile2, key_link2), ==, 0);
+        }
+
       int cert_dirfd = open (certs_dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
       g_assert_cmpint (cert_dirfd, >=, 0);
       connection_crypto_init (cert_dirfd, false, fixture->cert_request_mode);
@@ -500,8 +547,12 @@ teardown (TestCase *tc, gconstpointer data)
     {
       g_autofree gchar *cert_file = g_build_filename (certs_dir, "0.crt", NULL);
       g_autofree gchar *key_file = g_build_filename (certs_dir, "0.key", NULL);
+      g_autofree gchar *cert_file2 = g_build_filename (certs_dir, "1.crt", NULL);
+      g_autofree gchar *key_file2 = g_build_filename (certs_dir, "1.key", NULL);
       g_unlink (cert_file);
       g_unlink (key_file);
+      g_unlink (cert_file2);
+      g_unlink (key_file2);
       g_assert_cmpint (g_rmdir (certs_dir), ==, 0);
     }
 
@@ -911,6 +962,10 @@ main (int argc, char *argv[])
               setup, test_tls_blocked_handshake, teardown);
   g_test_add ("/server/mixed-protocols", TestCase, &fixture_separate_crt_key,
               setup, test_mixed_protocols, teardown);
+  g_test_add ("/server/tls/multiple-certs/ecdsa", TestCase, &fixture_multiple_certs_ecdsa,
+              setup, test_tls_no_client_cert, teardown);
+  g_test_add ("/server/tls/multiple-certs/rsa", TestCase, &fixture_multiple_certs_rsa,
+              setup, test_tls_no_client_cert, teardown);
   g_test_add ("/server/run-idle", TestCase, &fixture_run_idle,
               setup, test_run_idle, teardown);
   g_test_add ("/server/ipv4/connection", TestCase, NULL,