1d8e059c31ad0cebac6f71a7a8081c2e87220757
[openssl.git] / test / ssl-tests / 20-cert-select.conf.in
1 # -*- mode: perl; -*-
2
3 ## SSL test configurations
4
5
6 use strict;
7 use warnings;
8
9 package ssltests;
10 use OpenSSL::Test::Utils;
11
12 my $server = {
13     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
14     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
15     "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
16     "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
17     "MaxProtocol" => "TLSv1.2"
18 };
19
20 our @tests = (
21     {
22         name => "ECDSA CipherString Selection",
23         server => $server,
24         client => {
25             "CipherString" => "aECDSA",
26             "MaxProtocol" => "TLSv1.2",
27             "RequestCAFile" => test_pem("root-cert.pem"),
28         },
29         test   => {
30             "ExpectedServerCertType" =>, "P-256",
31             "ExpectedServerSignType" =>, "EC",
32             # Note: certificate_authorities not sent for TLS < 1.3
33             "ExpectedServerCANames" =>, "empty",
34             "ExpectedResult" => "Success"
35         },
36     },
37     {
38         name => "Ed25519 CipherString and Signature Algorithm Selection",
39         server => $server,
40         client => {
41             "CipherString" => "aECDSA",
42             "MaxProtocol" => "TLSv1.2",
43             "SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
44             "RequestCAFile" => test_pem("root-cert.pem"),
45         },
46         test   => {
47             "ExpectedServerCertType" =>, "Ed25519",
48             "ExpectedServerSignType" =>, "Ed25519",
49             # Note: certificate_authorities not sent for TLS < 1.3
50             "ExpectedServerCANames" =>, "empty",
51             "ExpectedResult" => "Success"
52         },
53     },
54     {
55         name => "RSA CipherString Selection",
56         server => $server,
57         client => {
58             "CipherString" => "aRSA",
59             "MaxProtocol" => "TLSv1.2",
60         },
61         test   => {
62             "ExpectedServerCertType" =>, "RSA",
63             "ExpectedServerSignType" =>, "RSA-PSS",
64             "ExpectedResult" => "Success"
65         },
66     },
67     {
68         name => "P-256 CipherString and Signature Algorithm Selection",
69         server => $server,
70         client => {
71             "CipherString" => "aECDSA",
72             "MaxProtocol" => "TLSv1.2",
73             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
74         },
75         test   => {
76             "ExpectedServerCertType" => "P-256",
77             "ExpectedServerSignHash" => "SHA256",
78             "ExpectedServerSignType" => "EC",
79             "ExpectedResult" => "Success"
80         },
81     },
82     {
83         name => "Ed25519 CipherString and Curves Selection",
84         server => $server,
85         client => {
86             "CipherString" => "aECDSA",
87             "MaxProtocol" => "TLSv1.2",
88             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
89             # Excluding P-256 from the supported curves list means server
90             # certificate should be Ed25519 and not P-256
91             "Curves" => "X25519"
92         },
93         test   => {
94             "ExpectedServerCertType" =>, "Ed25519",
95             "ExpectedServerSignType" =>, "Ed25519",
96             "ExpectedResult" => "Success"
97         },
98     },
99     {
100         name => "ECDSA CipherString Selection, no ECDSA certificate",
101         server => {
102             "MaxProtocol" => "TLSv1.2"
103         },
104         client => {
105             "CipherString" => "aECDSA",
106             "MaxProtocol" => "TLSv1.2"
107         },
108         test   => {
109             "ExpectedResult" => "ServerFail"
110         },
111     },
112     {
113         name => "ECDSA Signature Algorithm Selection",
114         server => $server,
115         client => {
116             "SignatureAlgorithms" => "ECDSA+SHA256",
117         },
118         test   => {
119             "ExpectedServerCertType" => "P-256",
120             "ExpectedServerSignHash" => "SHA256",
121             "ExpectedServerSignType" => "EC",
122             "ExpectedResult" => "Success"
123         },
124     },
125     {
126         name => "ECDSA Signature Algorithm Selection SHA384",
127         server => $server,
128         client => {
129             "SignatureAlgorithms" => "ECDSA+SHA384",
130         },
131         test   => {
132             "ExpectedServerCertType" => "P-256",
133             "ExpectedServerSignHash" => "SHA384",
134             "ExpectedServerSignType" => "EC",
135             "ExpectedResult" => "Success"
136         },
137     },
138     {
139         name => "ECDSA Signature Algorithm Selection SHA1",
140         server => $server,
141         client => {
142             "SignatureAlgorithms" => "ECDSA+SHA1",
143         },
144         test   => {
145             "ExpectedServerCertType" => "P-256",
146             "ExpectedServerSignHash" => "SHA1",
147             "ExpectedServerSignType" => "EC",
148             "ExpectedResult" => "Success"
149         },
150     },
151     {
152         name => "ECDSA Signature Algorithm Selection compressed point",
153         server => {
154             "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
155             "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
156             "MaxProtocol" => "TLSv1.2"
157         },
158         client => {
159             "SignatureAlgorithms" => "ECDSA+SHA256",
160         },
161         test   => {
162             "ExpectedServerCertType" => "P-256",
163             "ExpectedServerSignHash" => "SHA256",
164             "ExpectedServerSignType" => "EC",
165             "ExpectedResult" => "Success"
166         },
167     },
168     {
169         name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
170         server => {
171              "MaxProtocol" => "TLSv1.2"
172         },
173         client => {
174             "SignatureAlgorithms" => "ECDSA+SHA256",
175         },
176         test   => {
177             "ExpectedResult" => "ServerFail"
178         },
179     },
180     {
181         name => "RSA Signature Algorithm Selection",
182         server => $server,
183         client => {
184             "SignatureAlgorithms" => "RSA+SHA256",
185         },
186         test   => {
187             "ExpectedServerCertType" => "RSA",
188             "ExpectedServerSignHash" => "SHA256",
189             "ExpectedServerSignType" => "RSA",
190             "ExpectedResult" => "Success"
191         },
192     },
193     {
194         name => "RSA-PSS Signature Algorithm Selection",
195         server => $server,
196         client => {
197             "SignatureAlgorithms" => "RSA-PSS+SHA256",
198         },
199         test   => {
200             "ExpectedServerCertType" => "RSA",
201             "ExpectedServerSignHash" => "SHA256",
202             "ExpectedServerSignType" => "RSA-PSS",
203             "ExpectedResult" => "Success"
204         },
205     },
206     {
207         name => "Suite B P-256 Hash Algorithm Selection",
208         server =>  {
209             "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
210             "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
211             "MaxProtocol" => "TLSv1.2",
212             "CipherString" => "SUITEB128"
213         },
214         client => {
215             "VerifyCAFile" => test_pem("p384-root.pem"),
216             "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
217         },
218         test   => {
219             "ExpectedServerCertType" => "P-256",
220             "ExpectedServerSignHash" => "SHA256",
221             "ExpectedServerSignType" => "EC",
222             "ExpectedResult" => "Success"
223         },
224     },
225     {
226         name => "Suite B P-384 Hash Algorithm Selection",
227         server =>  {
228             "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
229             "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
230             "MaxProtocol" => "TLSv1.2",
231             "CipherString" => "SUITEB128"
232         },
233         client => {
234             "VerifyCAFile" => test_pem("p384-root.pem"),
235             "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
236         },
237         test   => {
238             "ExpectedServerCertType" => "P-384",
239             "ExpectedServerSignHash" => "SHA384",
240             "ExpectedServerSignType" => "EC",
241             "ExpectedResult" => "Success"
242         },
243     },
244     {
245         name => "TLS 1.2 Ed25519 Client Auth",
246         server => {
247             "VerifyCAFile" => test_pem("root-cert.pem"),
248             "VerifyMode" => "Require"
249         },
250         client => {
251             "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
252             "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
253             "MinProtocol" => "TLSv1.2",
254             "MaxProtocol" => "TLSv1.2"
255         },
256         test   => {
257             "ExpectedClientCertType" => "Ed25519",
258             "ExpectedClientSignType" => "Ed25519",
259             "ExpectedResult" => "Success"
260         },
261     },
262 );
263
264
265 my $server_tls_1_3 = {
266     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
267     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
268     "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
269     "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
270     "MinProtocol" => "TLSv1.3",
271     "MaxProtocol" => "TLSv1.3"
272 };
273
274 my $client_tls_1_3 = {
275     "RSA.Certificate" => test_pem("ee-client-chain.pem"),
276     "RSA.PrivateKey" => test_pem("ee-key.pem"),
277     "ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
278     "ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"),
279     "MinProtocol" => "TLSv1.3",
280     "MaxProtocol" => "TLSv1.3"
281 };
282
283 my @tests_tls_1_3 = (
284     {
285         name => "TLS 1.3 ECDSA Signature Algorithm Selection",
286         server => $server_tls_1_3,
287         client => {
288             "SignatureAlgorithms" => "ECDSA+SHA256",
289         },
290         test   => {
291             "ExpectedServerCertType" => "P-256",
292             "ExpectedServerSignHash" => "SHA256",
293             "ExpectedServerSignType" => "EC",
294             "ExpectedServerCANames" => "empty",
295             "ExpectedResult" => "Success"
296         },
297     },
298     {
299         name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point",
300         server => {
301             "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
302             "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
303             "MinProtocol" => "TLSv1.3",
304             "MaxProtocol" => "TLSv1.3"
305         },
306         client => {
307             "SignatureAlgorithms" => "ECDSA+SHA256",
308         },
309         test   => {
310             "ExpectedResult" => "ServerFail"
311         },
312     },
313     {
314         name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1",
315         server => $server_tls_1_3,
316         client => {
317             "SignatureAlgorithms" => "ECDSA+SHA1",
318         },
319         test   => {
320             "ExpectedResult" => "ServerFail"
321         },
322     },
323     {
324         name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
325         server => $server_tls_1_3,
326         client => {
327             "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
328             "RequestCAFile" => test_pem("root-cert.pem"),
329         },
330         test   => {
331             "ExpectedServerCertType" => "P-256",
332             "ExpectedServerSignHash" => "SHA256",
333             "ExpectedServerSignType" => "EC",
334             "ExpectedServerCANames" => test_pem("root-cert.pem"),
335             "ExpectedResult" => "Success"
336         },
337     },
338     {
339         name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
340         server => $server_tls_1_3,
341         client => {
342             "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
343         },
344         test   => {
345             "ExpectedServerCertType" => "RSA",
346             "ExpectedServerSignHash" => "SHA384",
347             "ExpectedServerSignType" => "RSA-PSS",
348             "ExpectedResult" => "Success"
349         },
350     },
351     {
352         name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
353         server => {
354             "MinProtocol" => "TLSv1.3",
355             "MaxProtocol" => "TLSv1.3"
356         },
357         client => {
358             "SignatureAlgorithms" => "ECDSA+SHA256",
359         },
360         test   => {
361             "ExpectedResult" => "ServerFail"
362         },
363     },
364     {
365         name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
366         server => $server_tls_1_3,
367         client => {
368             "SignatureAlgorithms" => "RSA+SHA256",
369         },
370         test   => {
371             "ExpectedResult" => "ServerFail"
372         },
373     },
374     {
375         name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
376         server => $server_tls_1_3,
377         client => {
378             "SignatureAlgorithms" => "RSA-PSS+SHA256",
379         },
380         test   => {
381             "ExpectedServerCertType" => "RSA",
382             "ExpectedServerSignHash" => "SHA256",
383             "ExpectedServerSignType" => "RSA-PSS",
384             "ExpectedResult" => "Success"
385         },
386     },
387     {
388         name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
389         server => $server_tls_1_3,
390         client => {
391             "SignatureAlgorithms" => "ed25519",
392         },
393         test   => {
394             "ExpectedServerCertType" => "Ed25519",
395             "ExpectedServerSignType" => "Ed25519",
396             "ExpectedResult" => "Success"
397         },
398     },
399     {
400         name => "TLS 1.3 Ed25519 CipherString and Groups Selection",
401         server => $server_tls_1_3,
402         client => {
403             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
404             # Excluding P-256 from the supported groups list should
405             # mean server still uses a P-256 certificate because supported
406             # groups is not used in signature selection for TLS 1.3
407             "Groups" => "X25519"
408         },
409         test   => {
410             "ExpectedServerCertType" =>, "P-256",
411             "ExpectedServerSignType" =>, "EC",
412             "ExpectedResult" => "Success"
413         },
414     },
415     {
416         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
417         server => {
418             "ClientSignatureAlgorithms" => "PSS+SHA256",
419             "VerifyCAFile" => test_pem("root-cert.pem"),
420             "VerifyMode" => "Require"
421         },
422         client => $client_tls_1_3,
423         test   => {
424             "ExpectedClientCertType" => "RSA",
425             "ExpectedClientSignHash" => "SHA256",
426             "ExpectedClientSignType" => "RSA-PSS",
427             "ExpectedClientCANames" => "empty",
428             "ExpectedResult" => "Success"
429         },
430     },
431     {
432         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
433         server => {
434             "ClientSignatureAlgorithms" => "PSS+SHA256",
435             "VerifyCAFile" => test_pem("root-cert.pem"),
436             "RequestCAFile" => test_pem("root-cert.pem"),
437             "VerifyMode" => "Require"
438         },
439         client => $client_tls_1_3,
440         test   => {
441             "ExpectedClientCertType" => "RSA",
442             "ExpectedClientSignHash" => "SHA256",
443             "ExpectedClientSignType" => "RSA-PSS",
444             "ExpectedClientCANames" => test_pem("root-cert.pem"),
445             "ExpectedResult" => "Success"
446         },
447     },
448     {
449         name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
450         server => {
451             "ClientSignatureAlgorithms" => "ECDSA+SHA256",
452             "VerifyCAFile" => test_pem("root-cert.pem"),
453             "VerifyMode" => "Require"
454         },
455         client => $client_tls_1_3,
456         test   => {
457             "ExpectedClientCertType" => "P-256",
458             "ExpectedClientSignHash" => "SHA256",
459             "ExpectedClientSignType" => "EC",
460             "ExpectedResult" => "Success"
461         },
462     },
463     {
464         name => "TLS 1.3 Ed25519 Client Auth",
465         server => {
466             "VerifyCAFile" => test_pem("root-cert.pem"),
467             "VerifyMode" => "Require"
468         },
469         client => {
470             "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
471             "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
472             "MinProtocol" => "TLSv1.3",
473             "MaxProtocol" => "TLSv1.3"
474         },
475         test   => {
476             "ExpectedClientCertType" => "Ed25519",
477             "ExpectedClientSignType" => "Ed25519",
478             "ExpectedResult" => "Success"
479         },
480     },
481 );
482
483 push @tests, @tests_tls_1_3 unless disabled("tls1_3");
484
485 my @tests_dsa_tls_1_2 = (
486     {
487         name => "TLS 1.2 DSA Certificate Test",
488         server => {
489             "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
490             "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
491             "DHParameters" => test_pem("dhp2048.pem"),
492             "MinProtocol" => "TLSv1.2",
493             "MaxProtocol" => "TLSv1.2",
494             "CipherString" => "ALL",
495         },
496         client => {
497             "SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
498             "CipherString" => "ALL",
499         },
500         test   => {
501             "ExpectedResult" => "Success"
502         },
503     },
504 );
505
506 my @tests_dsa_tls_1_3 = (
507     {
508         name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
509         server => {
510             "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
511             "VerifyCAFile" => test_pem("root-cert.pem"),
512             "VerifyMode" => "Request"
513         },
514         client => {},
515         test   => {
516             "ExpectedResult" => "ServerFail"
517         },
518     },
519     {
520         name => "TLS 1.3 DSA Certificate Test",
521         server => {
522             "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
523             "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
524             "MinProtocol" => "TLSv1.3",
525             "MaxProtocol" => "TLSv1.3",
526             "CipherString" => "ALL",
527         },
528         client => {
529             "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256:ECDSA+SHA256",
530             "CipherString" => "ALL",
531         },
532         test   => {
533             "ExpectedResult" => "ServerFail"
534         },
535     },
536 );
537
538 if (!disabled("dsa")) {
539     push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
540     push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
541 }