test/ssl-tests/04-client_auth.conf.in

   1 # -*- mode: perl; -*-
   2
   3 ## SSL test configurations
   4
   5 package ssltests;
   6
   7 use strict;
   8 use warnings;
   9
  10 use OpenSSL::Test;
  11 use OpenSSL::Test::Utils qw(anydisabled);
  12 setup("no_test_here");
  13
  14 # We test version-flexible negotiation (undef) and each protocol version.
  15 my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
  16
  17 my @is_disabled = (0);
  18 push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
  19
  20 our @tests = ();
  21
  22 sub generate_tests() {
  23     foreach (0..$#protocols) {
  24         my $protocol = $protocols[$_];
  25         my $protocol_name = $protocol || "flex";
  26         my $caalert;
  27         my $method;
  28         if (!$is_disabled[$_]) {
  29             if ($protocol_name eq "SSLv3") {
  30                 $caalert = "BadCertificate";
  31             } else {
  32                 $caalert = "UnknownCA";
  33             }
  34             if ($protocol_name =~ m/^DTLS/) {
  35                 $method = "DTLS";
  36             }
  37             my $clihash;
  38             my $clisigtype;
  39             my $clisigalgs;
  40             # TODO(TLS1.3) add TLSv1.3 versions
  41             if ($protocol_name eq "TLSv1.2") {
  42                 $clihash = "SHA256";
  43                 $clisigtype = "RSA";
  44                 $clisigalgs = "SHA256+RSA";
  45             }
  46             # Sanity-check simple handshake.
  47             push @tests, {
  48                 name => "server-auth-${protocol_name}",
  49                 server => {
  50                     "MinProtocol" => $protocol,
  51                     "MaxProtocol" => $protocol
  52                 },
  53                 client => {
  54                     "MinProtocol" => $protocol,
  55                     "MaxProtocol" => $protocol
  56                 },
  57                 test   => {
  58                     "ExpectedResult" => "Success",
  59                     "Method" => $method,
  60                 },
  61             };
  62
  63             # Handshake with client cert requested but not required or received.
  64             push @tests, {
  65                 name => "client-auth-${protocol_name}-request",
  66                 server => {
  67                     "MinProtocol" => $protocol,
  68                     "MaxProtocol" => $protocol,
  69                     "VerifyMode" => "Request"
  70                 },
  71                 client => {
  72                     "MinProtocol" => $protocol,
  73                     "MaxProtocol" => $protocol
  74                 },
  75                 test   => {
  76                     "ExpectedResult" => "Success",
  77                     "Method" => $method,
  78                 },
  79             };
  80
  81             # Handshake with client cert required but not present.
  82             push @tests, {
  83                 name => "client-auth-${protocol_name}-require-fail",
  84                 server => {
  85                     "MinProtocol" => $protocol,
  86                     "MaxProtocol" => $protocol,
  87                     "VerifyCAFile" => test_pem("root-cert.pem"),
  88                     "VerifyMode" => "Require",
  89                 },
  90                 client => {
  91                     "MinProtocol" => $protocol,
  92                     "MaxProtocol" => $protocol
  93                 },
  94                 test   => {
  95                     "ExpectedResult" => "ServerFail",
  96                     "ExpectedServerAlert" => "HandshakeFailure",
  97                     "Method" => $method,
  98                 },
  99             };
 100
 101             # Successful handshake with client authentication.
 102             push @tests, {
 103                 name => "client-auth-${protocol_name}-require",
 104                 server => {
 105                     "MinProtocol" => $protocol,
 106                     "MaxProtocol" => $protocol,
 107                     "ClientSignatureAlgorithms" => $clisigalgs,
 108                     "VerifyCAFile" => test_pem("root-cert.pem"),
 109                     "VerifyMode" => "Request",
 110                 },
 111                 client => {
 112                     "MinProtocol" => $protocol,
 113                     "MaxProtocol" => $protocol,
 114                     "Certificate" => test_pem("ee-client-chain.pem"),
 115                     "PrivateKey"  => test_pem("ee-key.pem"),
 116                 },
 117                 test   => {
 118                     "ExpectedResult" => "Success",
 119                     "ExpectedClientCertType" => "RSA",
 120                     "ExpectedClientSignType" => $clisigtype,
 121                     "ExpectedClientSignHash" => $clihash,
 122                     "ExpectedClientCANames" => "empty",
 123                     "Method" => $method,
 124                 },
 125             };
 126
 127             # Successful handshake with client authentication non-empty names
 128             push @tests, {
 129                 name => "client-auth-${protocol_name}-require-non-empty-names",
 130                 server => {
 131                     "MinProtocol" => $protocol,
 132                     "MaxProtocol" => $protocol,
 133                     "ClientSignatureAlgorithms" => $clisigalgs,
 134                     "ClientCAFile" => test_pem("root-cert.pem"),
 135                     "VerifyCAFile" => test_pem("root-cert.pem"),
 136                     "VerifyMode" => "Request",
 137                 },
 138                 client => {
 139                     "MinProtocol" => $protocol,
 140                     "MaxProtocol" => $protocol,
 141                     "Certificate" => test_pem("ee-client-chain.pem"),
 142                     "PrivateKey"  => test_pem("ee-key.pem"),
 143                 },
 144                 test   => {
 145                     "ExpectedResult" => "Success",
 146                     "ExpectedClientCertType" => "RSA",
 147                     "ExpectedClientSignType" => $clisigtype,
 148                     "ExpectedClientSignHash" => $clihash,
 149                     "ExpectedClientCANames" => test_pem("root-cert.pem"),
 150                     "Method" => $method,
 151                 },
 152             };
 153
 154             # Handshake with client authentication but without the root certificate.
 155             push @tests, {
 156                 name => "client-auth-${protocol_name}-noroot",
 157                 server => {
 158                     "MinProtocol" => $protocol,
 159                     "MaxProtocol" => $protocol,
 160                     "VerifyMode" => "Require",
 161                 },
 162                 client => {
 163                     "MinProtocol" => $protocol,
 164                     "MaxProtocol" => $protocol,
 165                     "Certificate" => test_pem("ee-client-chain.pem"),
 166                     "PrivateKey"  => test_pem("ee-key.pem"),
 167                 },
 168                 test   => {
 169                     "ExpectedResult" => "ServerFail",
 170                     "ExpectedServerAlert" => $caalert,
 171                     "Method" => $method,
 172                 },
 173             };
 174         }
 175     }
 176 }
 177
 178 generate_tests();