1 # -*- mode: perl; -*-
2
3 ## SSL test configurations
4
5 package ssltests;
6
7 use strict;
8 use warnings;
9
10 use OpenSSL::Test;
11 use OpenSSL::Test::Utils qw(anydisabled);
# setup() is imported from OpenSSL::Test; it is called here with a
# placeholder name (presumably because this file only produces test
# configurations and is not a test recipe itself -- confirm).
setup("no_test_here");

# Protocol versions to generate cases for.  The leading undef leaves
# MinProtocol/MaxProtocol unset, which means version-flexible negotiation.
my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");

# "Disabled" flags, read by index alongside @protocols.  Slot 0 belongs to
# the version-flexible entry and is always 0; the remaining slots come from
# anydisabled() (assumed to return one flag per name, in order -- confirm).
my @is_disabled = (0, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2"));

# Package variable (@ssltests::tests) that generate_tests() appends to.
our @tests = ();

# Separator placed between ${ENV::TEST_CERTS_DIR} and a certificate file
# name: empty on VMS, "/" on every other platform.
my $dir_sep = $^O eq "VMS" ? "" : "/";
23
# Append the client-authentication handshake scenarios to @tests, once for
# every entry of @protocols whose matching @is_disabled flag is false.
#
# Takes no arguments.  Five scenarios are generated per protocol:
#   server-auth-*               plain handshake, no client certificate asked
#   client-auth-*-request       certificate requested, none sent, still OK
#   client-auth-*-require-fail  certificate required, none sent, must fail
#   client-auth-*-require       certificate sent and verified, must succeed
#   client-auth-*-noroot        certificate sent, server has no CA file
sub generate_tests() {

    for my $idx (0 .. $#protocols) {
        # Nothing is generated for a protocol that is marked as disabled.
        next if $is_disabled[$idx];

        my $protocol = $protocols[$idx];
        # The undef entry (version-flexible negotiation) is named "flex".
        my $protocol_name = $protocol || "flex";

        # Min and Max carry the same value, so both peers are held to one
        # protocol version (both stay undef for the flexible entry).
        my %version = (
            "MinProtocol" => $protocol,
            "MaxProtocol" => $protocol,
        );

        # Alert expected from the server when the client chain cannot be
        # tied to a trusted root.  SSLv3 defines no unknown_ca alert, so
        # BadCertificate is expected for that version.
        my $caalert = $protocol_name eq "SSLv3" ? "BadCertificate"
                                                : "UnknownCA";

        # Signature expectations are set for TLSv1.2 only; for every other
        # entry the three values stay undef.
        # TODO(TLS1.3) add TLSv1.3 versions
        my ($clihash, $clisigtype, $clisigalgs) =
            $protocol_name eq "TLSv1.2" ? ("SHA256", "RSA", "SHA256+RSA")
                                        : ();

        # Paths handed to the peers; ${ENV::TEST_CERTS_DIR} is left
        # unexpanded here and written out literally.
        my $root_ca = "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem";
        my $client_chain =
            "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem";
        my $client_key = "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem";

        # Sanity-check simple handshake.
        push @tests, {
            name   => "server-auth-${protocol_name}",
            server => { %version },
            client => { %version },
            test   => { "ExpectedResult" => "Success" },
        };

        # Handshake with client cert requested but not required or received.
        push @tests, {
            name   => "client-auth-${protocol_name}-request",
            server => { %version, "VerifyMode" => "Request" },
            client => { %version },
            test   => { "ExpectedResult" => "Success" },
        };

        # Handshake with client cert required but not present: the server
        # must abort and send a HandshakeFailure alert.
        push @tests, {
            name   => "client-auth-${protocol_name}-require-fail",
            server => {
                %version,
                "VerifyCAFile" => $root_ca,
                "VerifyMode"   => "Require",
            },
            client => { %version },
            test   => {
                "ExpectedResult"      => "ServerFail",
                "ExpectedServerAlert" => "HandshakeFailure",
            },
        };

        # Successful handshake with client authentication.
        # NOTE(review): the case is named "-require" but the server runs
        # with VerifyMode "Request"; that the client really presented its
        # certificate is pinned only by ExpectedClientCertType below.
        # Confirm this is intended before changing it.
        push @tests, {
            name   => "client-auth-${protocol_name}-require",
            server => {
                %version,
                "ClientSignatureAlgorithms" => $clisigalgs,
                "VerifyCAFile"              => $root_ca,
                "VerifyMode"                => "Request",
            },
            client => {
                %version,
                "Certificate" => $client_chain,
                "PrivateKey"  => $client_key,
            },
            test   => {
                "ExpectedResult"         => "Success",
                "ExpectedClientCertType" => "RSA",
                "ExpectedClientSignType" => $clisigtype,
                "ExpectedClientSignHash" => $clihash,
            },
        };

        # Handshake with client authentication but without the root
        # certificate: the server is given no VerifyCAFile, requires a
        # certificate, and is expected to reject the chain with $caalert.
        push @tests, {
            name   => "client-auth-${protocol_name}-noroot",
            server => { %version, "VerifyMode" => "Require" },
            client => {
                %version,
                "Certificate" => $client_chain,
                "PrivateKey"  => $client_key,
            },
            test   => {
                "ExpectedResult"      => "ServerFail",
                "ExpectedServerAlert" => $caalert,
            },
        };
    }
}

# Fill @tests as soon as this file is evaluated.
generate_tests();