aws · jmayclin · May 14, 2024 · Feb 21, 2024 · May 2, 2024 · May 3, 2024
diff --git a/tests/unit/s2n_security_policy_cert_preferences_test.c b/tests/unit/s2n_security_policy_cert_preferences_test.c
@@ -250,26 +250,6 @@ int main(int argc, char **argv)
         DEFER_CLEANUP(struct s2n_cert_chain_and_key *invalid_cert = NULL, s2n_cert_chain_and_key_ptr_free);
         EXPECT_SUCCESS(s2n_test_cert_permutation_load_server_chain(&invalid_cert, "rsae", "pss", "4096", "sha384"));
 
-        struct s2n_security_policy rfc9151_applied_locally = security_policy_rfc9151;
-        rfc9151_applied_locally.certificate_preferences_apply_locally = true;
-
-        /* s2n_connection_set_cipher_preferences looks up the security policy from the security_policy_selection table
-         * but none of our current security policies apply certificate preferences locally. So instead we rewrite the
-         * rfc9151 policy from the table to apply cert preference locally. */
-        struct s2n_security_policy_selection *rfc9151_selection = NULL;
-        const struct s2n_security_policy *original_rfc9151 = NULL;
-        for (int i = 0; security_policy_selection[i].version != NULL; i++) {
-            if (strcasecmp("rfc9151", security_policy_selection[i].version) == 0) {
-                rfc9151_selection = &security_policy_selection[i];
-                break;
-            }
-        }
-        if (rfc9151_selection == NULL) {
-            FAIL_MSG("unable to find expected security policy");
-        }
-        original_rfc9151 = rfc9151_selection->security_policy;
-        rfc9151_selection->security_policy = &rfc9151_applied_locally;
-
         /* when certificate preferences apply locally and the connection contains
          * an invalid config then s2n_connection_set_cipher_preferences fails
          */
@@ -283,9 +263,6 @@ int main(int argc, char **argv)
             EXPECT_FAILURE_WITH_ERRNO(s2n_connection_set_cipher_preferences(conn, "rfc9151"),
                     S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT);
         }
-
-        /* restore security_policy_selection */
-        rfc9151_selection->security_policy = original_rfc9151;
     };
 
     END_TEST();

diff --git a/tests/unit/s2n_x509_validator_test.c b/tests/unit/s2n_x509_validator_test.c
@@ -2201,20 +2201,8 @@ int main(int argc, char **argv)
         EXPECT_SUCCESS(s2n_read_test_pem_and_len(S2N_MIXED_CHAIN_CERTS, &chain_pem[0], &chain_pem_len,
                 S2N_MAX_TEST_PEM_SIZE));
 
-        const struct s2n_certificate_key *const s2n_certificate_key_preferences_list_rfc9151[] = {
-            &s2n_ec_p384,
-            &s2n_rsa_rsae_3072,
-            &s2n_rsa_rsae_4096,
-        };
-
-        const struct s2n_certificate_key_preferences s2n_certificate_key_preferences_rfc9151 = {
-            .count = s2n_array_len(s2n_certificate_key_preferences_list_rfc9151),
-            .certificate_keys = s2n_certificate_key_preferences_list_rfc9151,
-        };
-
         struct s2n_security_policy security_policy_not_local = security_policy_rfc9151;
         security_policy_not_local.certificate_preferences_apply_locally = false;
-        security_policy_not_local.certificate_key_preferences = &s2n_certificate_key_preferences_rfc9151;
 
         /* when the peer sends the full chain with a non-compliant CA, verification fails when reading in the certs */
         {

diff --git a/tls/s2n_certificate_keys.c b/tls/s2n_certificate_keys.c
@@ -17,6 +17,8 @@
 
 #include <openssl/objects.h>
 
+#include "utils/s2n_safety.h"
+
 const struct s2n_certificate_key s2n_rsa_rsae_1024 = {
     .public_key_libcrypto_nid = NID_rsaEncryption,
     .name = "rsa_1024",
@@ -82,3 +84,26 @@ const struct s2n_certificate_key s2n_ec_p521 = {
     .name = "ecdsa_p521",
     .bits = 521,
 };
+
+const struct s2n_certificate_key *s2n_certificate_keys_rfc9151[] = {
+    /**
+     *= https://www.rfc-editor.org/rfc/rfc9151#section-5.1
+     *# CNSA (D)TLS connections MUST use secp384r1
+     **/
+    &s2n_ec_p384,
+
+    /**
+     *= https://www.rfc-editor.org/rfc/rfc9151#section-5.2
+     *# CNSA specifies a minimum modulus size of 3072 bits; however, only two
+     *# modulus sizes (3072 bits and 4096 bits) are supported by this profile.
+     **/
+    &s2n_rsa_rsae_3072,
+    &s2n_rsa_rsae_4096,
+    &s2n_rsa_pss_3072,
+    &s2n_rsa_pss_4096,
+};
+
+struct s2n_certificate_key_preferences s2n_certificate_key_preferences_rfc9151 = {
+    .count = s2n_array_len(s2n_certificate_keys_rfc9151),
+    .certificate_keys = s2n_certificate_keys_rfc9151,
+};
diff --git a/tls/s2n_certificate_keys.h b/tls/s2n_certificate_keys.h
@@ -43,3 +43,5 @@ extern const struct s2n_certificate_key s2n_rsa_pss_4096;
 extern const struct s2n_certificate_key s2n_ec_p256;
 extern const struct s2n_certificate_key s2n_ec_p384;
 extern const struct s2n_certificate_key s2n_ec_p521;
+
+extern struct s2n_certificate_key_preferences s2n_certificate_key_preferences_rfc9151;
diff --git a/tls/s2n_security_policies.c b/tls/s2n_security_policies.c
@@ -994,7 +994,9 @@ const struct s2n_security_policy security_policy_rfc9151 = {
     .kem_preferences = &kem_preferences_null,
     .signature_preferences = &s2n_signature_preferences_rfc9151,
     .certificate_signature_preferences = &s2n_certificate_signature_preferences_rfc9151,
+    .certificate_key_preferences = &s2n_certificate_key_preferences_rfc9151,
     .ecc_preferences = &s2n_ecc_preferences_20210816,
+    .certificate_preferences_apply_locally = true,
 };
 
 const struct s2n_security_policy security_policy_test_all = {