test/ssl-tests/20-cert-select.conf.in

   1 # -*- mode: perl; -*-
   2
   3 ## SSL test configurations
   4
   5
   6 use strict;
   7 use warnings;
   8
   9 package ssltests;
  10 use OpenSSL::Test::Utils;
  11
  12 my $dir_sep = $^O ne "VMS" ? "/" : "";
  13
  14 my $cert_dir = "\${ENV::TEST_CERTS_DIR}${dir_sep}";
  15
  16 my $server = {
  17     "ECDSA.Certificate" => "${cert_dir}server-ecdsa-cert.pem",
  18     "ECDSA.PrivateKey" => "${cert_dir}server-ecdsa-key.pem",
  19     "MaxProtocol" => "TLSv1.2"
  20 };
  21
  22 our @tests = (
  23     {
  24         name => "ECDSA CipherString Selection",
  25         server => $server,
  26         client => {
  27             "CipherString" => "aECDSA",
  28         },
  29         test   => {
  30             "ExpectedServerCertType" =>, "P-256",
  31             "ExpectedServerSignType" =>, "EC",
  32             "ExpectedResult" => "Success"
  33         },
  34     },
  35     {
  36         name => "RSA CipherString Selection",
  37         server => $server,
  38         client => {
  39             "CipherString" => "aRSA",
  40         },
  41         test   => {
  42             "ExpectedServerCertType" =>, "RSA",
  43             "ExpectedServerSignType" =>, "RSA-PSS",
  44             "ExpectedResult" => "Success"
  45         },
  46     },
  47     {
  48         name => "ECDSA CipherString Selection, no ECDSA certificate",
  49         server => {
  50             "MaxProtocol" => "TLSv1.2"
  51         },
  52         client => {
  53             "CipherString" => "aECDSA"
  54         },
  55         test   => {
  56             "ExpectedResult" => "ServerFail"
  57         },
  58     },
  59     {
  60         name => "ECDSA Signature Algorithm Selection",
  61         server => $server,
  62         client => {
  63             "SignatureAlgorithms" => "ECDSA+SHA256",
  64         },
  65         test   => {
  66             "ExpectedServerCertType" => "P-256",
  67             "ExpectedServerSignHash" => "SHA256",
  68             "ExpectedServerSignType" => "EC",
  69             "ExpectedResult" => "Success"
  70         },
  71     },
  72     {
  73         name => "ECDSA Signature Algorithm Selection SHA384",
  74         server => $server,
  75         client => {
  76             "SignatureAlgorithms" => "ECDSA+SHA384",
  77         },
  78         test   => {
  79             "ExpectedServerCertType" => "P-256",
  80             "ExpectedServerSignHash" => "SHA384",
  81             "ExpectedServerSignType" => "EC",
  82             "ExpectedResult" => "Success"
  83         },
  84     },
  85     {
  86         name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
  87         server => {
  88              "MaxProtocol" => "TLSv1.2"
  89         },
  90         client => {
  91             "SignatureAlgorithms" => "ECDSA+SHA256",
  92         },
  93         test   => {
  94             "ExpectedResult" => "ServerFail"
  95         },
  96     },
  97     {
  98         name => "RSA Signature Algorithm Selection",
  99         server => $server,
 100         client => {
 101             "SignatureAlgorithms" => "RSA+SHA256",
 102         },
 103         test   => {
 104             "ExpectedServerCertType" => "RSA",
 105             "ExpectedServerSignHash" => "SHA256",
 106             "ExpectedServerSignType" => "RSA",
 107             "ExpectedResult" => "Success"
 108         },
 109     },
 110     {
 111         name => "RSA-PSS Signature Algorithm Selection",
 112         server => $server,
 113         client => {
 114             "SignatureAlgorithms" => "RSA-PSS+SHA256",
 115         },
 116         test   => {
 117             "ExpectedServerCertType" => "RSA",
 118             "ExpectedServerSignHash" => "SHA256",
 119             "ExpectedServerSignType" => "RSA-PSS",
 120             "ExpectedResult" => "Success"
 121         },
 122     }
 123 );
 124
 125
 126 my $server_tls_1_3 = {
 127     "ECDSA.Certificate" => "${cert_dir}server-ecdsa-cert.pem",
 128     "ECDSA.PrivateKey" => "${cert_dir}server-ecdsa-key.pem",
 129     "MinProtocol" => "TLSv1.3",
 130     "MaxProtocol" => "TLSv1.3"
 131 };
 132
 133 my $client_tls_1_3 = {
 134     "RSA.Certificate" => "${cert_dir}ee-client-chain.pem",
 135     "RSA.PrivateKey" => "${cert_dir}ee-key.pem",
 136     "ECDSA.Certificate" => "${cert_dir}ee-ecdsa-client-chain.pem",
 137     "ECDSA.PrivateKey" => "${cert_dir}ee-ecdsa-key.pem",
 138     "MinProtocol" => "TLSv1.3",
 139     "MaxProtocol" => "TLSv1.3"
 140 };
 141
 142 my @tests_tls_1_3 = (
 143     {
 144         name => "TLS 1.3 ECDSA Signature Algorithm Selection",
 145         server => $server_tls_1_3,
 146         client => {
 147             "SignatureAlgorithms" => "ECDSA+SHA256",
 148         },
 149         test   => {
 150             "ExpectedServerCertType" => "P-256",
 151             "ExpectedServerSignHash" => "SHA256",
 152             "ExpectedServerSignType" => "EC",
 153             "ExpectedResult" => "Success"
 154         },
 155     },
 156     {
 157         name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
 158         server => $server_tls_1_3,
 159         client => {
 160             "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
 161         },
 162         test   => {
 163             "ExpectedServerCertType" => "P-256",
 164             "ExpectedServerSignHash" => "SHA256",
 165             "ExpectedServerSignType" => "EC",
 166             "ExpectedResult" => "Success"
 167         },
 168     },
 169     {
 170         name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
 171         server => $server_tls_1_3,
 172         client => {
 173             "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
 174         },
 175         test   => {
 176             "ExpectedServerCertType" => "RSA",
 177             "ExpectedServerSignHash" => "SHA384",
 178             "ExpectedServerSignType" => "RSA-PSS",
 179             "ExpectedResult" => "Success"
 180         },
 181     },
 182     {
 183         name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
 184         server => {
 185             "MinProtocol" => "TLSv1.3",
 186             "MaxProtocol" => "TLSv1.3"
 187         },
 188         client => {
 189             "SignatureAlgorithms" => "ECDSA+SHA256",
 190         },
 191         test   => {
 192             "ExpectedResult" => "ServerFail"
 193         },
 194     },
 195     {
 196         name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
 197         server => $server_tls_1_3,
 198         client => {
 199             "SignatureAlgorithms" => "RSA+SHA256",
 200         },
 201         test   => {
 202             "ExpectedResult" => "ServerFail"
 203         },
 204     },
 205     {
 206         name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
 207         server => $server_tls_1_3,
 208         client => {
 209             "SignatureAlgorithms" => "RSA-PSS+SHA256",
 210         },
 211         test   => {
 212             "ExpectedServerCertType" => "RSA",
 213             "ExpectedServerSignHash" => "SHA256",
 214             "ExpectedServerSignType" => "RSA-PSS",
 215             "ExpectedResult" => "Success"
 216         },
 217     },
 218     {
 219         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
 220         server => {
 221             "ClientSignatureAlgorithms" => "PSS+SHA256",
 222             "VerifyCAFile" => "${cert_dir}root-cert.pem",
 223             "VerifyMode" => "Require"
 224         },
 225         client => $client_tls_1_3,
 226         test   => {
 227             "ExpectedClientCertType" => "RSA",
 228             "ExpectedClientSignHash" => "SHA256",
 229             "ExpectedClientSignType" => "RSA-PSS",
 230             "ExpectedResult" => "Success"
 231         },
 232     },
 233     {
 234         name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
 235         server => {
 236             "ClientSignatureAlgorithms" => "ECDSA+SHA256",
 237             "VerifyCAFile" => "${cert_dir}root-cert.pem",
 238             "VerifyMode" => "Require"
 239         },
 240         client => $client_tls_1_3,
 241         test   => {
 242             "ExpectedClientCertType" => "P-256",
 243             "ExpectedClientSignHash" => "SHA256",
 244             "ExpectedClientSignType" => "EC",
 245             "ExpectedResult" => "Success"
 246         },
 247     },
 248 );
 249
 250 push @tests, @tests_tls_1_3 unless disabled("tls1_3");