test/ssl-tests/04-client_auth.conf.in

   1 # -*- mode: perl; -*-
   2
   3 ## SSL test configurations
   4
   5 package ssltests;
   6
   7 use strict;
   8 use warnings;
   9
  10 use OpenSSL::Test;
  11 use OpenSSL::Test::Utils qw(anydisabled);
  12 setup("no_test_here");
  13
  14 # We test version-flexible negotiation (undef) and each protocol version.
  15 my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
  16
  17 my @is_disabled = (0);
  18 push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2");
  19
  20 our @tests = ();
  21
  22 my $dir_sep = $^O ne "VMS" ? "/" : "";
  23
  24 sub generate_tests() {
  25
  26     foreach (0..$#protocols) {
  27         my $protocol = $protocols[$_];
  28         my $protocol_name = $protocol || "flex";
  29         my $caalert;
  30         if (!$is_disabled[$_]) {
  31             if ($protocol_name eq "SSLv3") {
  32                 $caalert = "BadCertificate";
  33             } else {
  34                 $caalert = "UnknownCA";
  35             }
  36             my $clihash;
  37             my $clisigtype;
  38             my $clisigalgs;
  39             # TODO(TLS1.3) add TLSv1.3 versions
  40             if ($protocol_name eq "TLSv1.2") {
  41                 $clihash = "SHA256";
  42                 $clisigtype = "RSA";
  43                 $clisigalgs = "SHA256+RSA";
  44             }
  45             # Sanity-check simple handshake.
  46             push @tests, {
  47                 name => "server-auth-${protocol_name}",
  48                 server => {
  49                     "MinProtocol" => $protocol,
  50                     "MaxProtocol" => $protocol
  51                 },
  52                 client => {
  53                     "MinProtocol" => $protocol,
  54                     "MaxProtocol" => $protocol
  55                 },
  56                 test   => { "ExpectedResult" => "Success" },
  57             };
  58
  59             # Handshake with client cert requested but not required or received.
  60             push @tests, {
  61                 name => "client-auth-${protocol_name}-request",
  62                 server => {
  63                     "MinProtocol" => $protocol,
  64                     "MaxProtocol" => $protocol,
  65                     "VerifyMode" => "Request"
  66                 },
  67                 client => {
  68                     "MinProtocol" => $protocol,
  69                     "MaxProtocol" => $protocol
  70                 },
  71                 test   => { "ExpectedResult" => "Success" },
  72             };
  73
  74             # Handshake with client cert required but not present.
  75             push @tests, {
  76                 name => "client-auth-${protocol_name}-require-fail",
  77                 server => {
  78                     "MinProtocol" => $protocol,
  79                     "MaxProtocol" => $protocol,
  80                     "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
  81                     "VerifyMode" => "Require",
  82                 },
  83                 client => {
  84                     "MinProtocol" => $protocol,
  85                     "MaxProtocol" => $protocol
  86                 },
  87                 test   => {
  88                     "ExpectedResult" => "ServerFail",
  89                     "ExpectedServerAlert" => "HandshakeFailure",
  90                 },
  91             };
  92
  93             # Successful handshake with client authentication.
  94             push @tests, {
  95                 name => "client-auth-${protocol_name}-require",
  96                 server => {
  97                     "MinProtocol" => $protocol,
  98                     "MaxProtocol" => $protocol,
  99                     "ClientSignatureAlgorithms" => $clisigalgs,
 100                     "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
 101                     "VerifyMode" => "Request",
 102                 },
 103                 client => {
 104                     "MinProtocol" => $protocol,
 105                     "MaxProtocol" => $protocol,
 106                     "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
 107                     "PrivateKey"  => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
 108                 },
 109                 test   => { "ExpectedResult" => "Success",
 110                             "ExpectedClientCertType" => "RSA",
 111                             "ExpectedClientSignType" => $clisigtype,
 112                             "ExpectedClientSignHash" => $clihash,
 113                 },
 114             };
 115
 116             # Handshake with client authentication but without the root certificate.
 117             push @tests, {
 118                 name => "client-auth-${protocol_name}-noroot",
 119                 server => {
 120                     "MinProtocol" => $protocol,
 121                     "MaxProtocol" => $protocol,
 122                     "VerifyMode" => "Require",
 123                 },
 124                 client => {
 125                     "MinProtocol" => $protocol,
 126                     "MaxProtocol" => $protocol,
 127                     "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
 128                     "PrivateKey"  => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
 129                 },
 130                 test   => {
 131                     "ExpectedResult" => "ServerFail",
 132                     "ExpectedServerAlert" => $caalert,
 133                 },
 134             };
 135         }
 136     }
 137 }
 138
 139 generate_tests();