1 # -*- mode: perl; -*-
2
3 ## SSL test configurations
4
5
6 use strict;
7 use warnings;
8
9 package ssltests;
10 use OpenSSL::Test::Utils;
11
# Shared server configuration for the TLS 1.2 cases: ECDSA, Ed25519 and Ed448
# key pairs, with the protocol capped at TLSv1.2.
# NOTE(review): no RSA key pair is listed, yet tests using this hash expect an
# RSA certificate; presumably the harness supplies a default one -- confirm.
my $server = {
    "ECDSA.Certificate"   => test_pem("server-ecdsa-cert.pem"),
    "ECDSA.PrivateKey"    => test_pem("server-ecdsa-key.pem"),
    "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
    "Ed25519.PrivateKey"  => test_pem("server-ed25519-key.pem"),
    "Ed448.Certificate"   => test_pem("server-ed448-cert.pem"),
    "Ed448.PrivateKey"    => test_pem("server-ed448-key.pem"),
    "MaxProtocol"         => "TLSv1.2",
};
21
# TLS 1.2 server that additionally holds an RSA-PSS key pair next to the
# ECDSA, Ed25519 and Ed448 ones; the protocol is capped at TLSv1.2.
my $server_pss = {
    "PSS.Certificate"     => test_pem("server-pss-cert.pem"),
    "PSS.PrivateKey"      => test_pem("server-pss-key.pem"),
    "ECDSA.Certificate"   => test_pem("server-ecdsa-cert.pem"),
    "ECDSA.PrivateKey"    => test_pem("server-ecdsa-key.pem"),
    "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
    "Ed25519.PrivateKey"  => test_pem("server-ed25519-key.pem"),
    "Ed448.Certificate"   => test_pem("server-ed448-cert.pem"),
    "Ed448.PrivateKey"    => test_pem("server-ed448-key.pem"),
    "MaxProtocol"         => "TLSv1.2",
};
33
# Server whose only configured key pair is RSA-PSS. The unprefixed
# "Certificate"/"PrivateKey" keys are used and no protocol bound is set.
# NOTE(review): presumably these replace the harness default certificate, so
# no plain RSA certificate remains available -- confirm.
my $server_pss_only = {
    "Certificate" => test_pem("server-pss-cert.pem"),
    "PrivateKey"  => test_pem("server-pss-key.pem"),
};
38
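# Certificate and signature-algorithm selection cases, mostly pinned to
# TLS 1.2. Each entry pairs a server and a client configuration with the
# certificate type, signature type/hash and handshake result expected.
# NOTE(review): the first three entries share the name
# "ECDSA CipherString Selection". The names are left unchanged because
# renaming may alter generated output, but distinct names would make a
# failing case easier to identify.
our @tests = (
    {
        name => "ECDSA CipherString Selection",
        server => $server,
        client => {
            "CipherString" => "aECDSA",
            "MaxProtocol" => "TLSv1.2",
            "RequestCAFile" => test_pem("root-cert.pem"),
        },
        test   => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignType" => "EC",
            # Note: certificate_authorities not sent for TLS < 1.3
            "ExpectedServerCANames" => "empty",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "ECDSA CipherString Selection",
        server => {
            "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
            "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
            "MaxProtocol" => "TLSv1.2",
            # Deliberately set supported_groups to one not in the cert. This
            # should be tolerated
            "Groups" => "P-384"
        },
        client => {
            "CipherString" => "aECDSA",
            "MaxProtocol" => "TLSv1.2",
            "Groups" => "P-256:P-384",
            "RequestCAFile" => test_pem("root-cert.pem"),
        },
        test   => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignType" => "EC",
            # Note: certificate_authorities not sent for TLS < 1.3
            "ExpectedServerCANames" => "empty",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "ECDSA CipherString Selection",
        server => {
            "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
            "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
            "MaxProtocol" => "TLSv1.2",
            "Groups" => "P-256:P-384"
        },
        client => {
            "CipherString" => "aECDSA",
            "MaxProtocol" => "TLSv1.2",
            # Deliberately set groups to not include the certificate group.
            # This should fail
            "Groups" => "P-384",
            "RequestCAFile" => test_pem("root-cert.pem"),
        },
        test   => {
            "ExpectedResult" => "ServerFail"
        },
    },
    {
        # Client lists ed25519 first; the Ed25519 certificate is expected.
        name => "Ed25519 CipherString and Signature Algorithm Selection",
        server => $server,
        client => {
            "CipherString" => "aECDSA",
            "MaxProtocol" => "TLSv1.2",
            "SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
            "RequestCAFile" => test_pem("root-cert.pem"),
        },
        test   => {
            "ExpectedServerCertType" => "Ed25519",
            "ExpectedServerSignType" => "Ed25519",
            # Note: certificate_authorities not sent for TLS < 1.3
            "ExpectedServerCANames" => "empty",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "Ed448 CipherString and Signature Algorithm Selection",
        server => $server,
        client => {
            "CipherString" => "aECDSA",
            "MaxProtocol" => "TLSv1.2",
            "SignatureAlgorithms" => "ed448:ECDSA+SHA256",
            "RequestCAFile" => test_pem("root-cert.pem"),
        },
        test   => {
            "ExpectedServerCertType" => "Ed448",
            "ExpectedServerSignType" => "Ed448",
            # Note: certificate_authorities not sent for TLS < 1.3
            "ExpectedServerCANames" => "empty",
            "ExpectedResult" => "Success"
        },
    },
    {
        # NOTE(review): $server lists no RSA key pair, so the RSA certificate
        # expected here presumably comes from a harness default -- confirm.
        name => "RSA CipherString Selection",
        server => $server,
        client => {
            "CipherString" => "aRSA",
            "MaxProtocol" => "TLSv1.2",
        },
        test   => {
            "ExpectedServerCertType" => "RSA",
            "ExpectedServerSignType" => "RSA-PSS",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "RSA-PSS Certificate CipherString Selection",
        server => $server_pss,
        client => {
            "CipherString" => "aRSA",
            "MaxProtocol" => "TLSv1.2",
        },
        test   => {
            "ExpectedServerCertType" => "RSA-PSS",
            "ExpectedServerSignType" => "RSA-PSS",
            "ExpectedResult" => "Success"
        },
    },
    {
        # Same algorithms as the Ed25519 case above but with ECDSA+SHA256
        # listed first; the P-256 certificate is expected instead.
        name => "P-256 CipherString and Signature Algorithm Selection",
        server => $server,
        client => {
            "CipherString" => "aECDSA",
            "MaxProtocol" => "TLSv1.2",
            "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
        },
        test   => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "Ed25519 CipherString and Curves Selection",
        server => $server,
        client => {
            "CipherString" => "aECDSA",
            "MaxProtocol" => "TLSv1.2",
            "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
            # Excluding P-256 from the supported curves list means server
            # certificate should be Ed25519 and not P-256
            "Curves" => "X25519"
        },
        test   => {
            "ExpectedServerCertType" => "Ed25519",
            "ExpectedServerSignType" => "Ed25519",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "Ed448 CipherString and Curves Selection",
        server => $server,
        client => {
            "CipherString" => "aECDSA",
            "MaxProtocol" => "TLSv1.2",
            "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
            # Excluding P-256 from the supported curves list means server
            # certificate should be Ed448 and not P-256
            "Curves" => "X448"
        },
        test   => {
            "ExpectedServerCertType" => "Ed448",
            "ExpectedServerSignType" => "Ed448",
            "ExpectedResult" => "Success"
        },
    },
    {
        # Negative case: the server has no ECDSA key pair configured here.
        name => "ECDSA CipherString Selection, no ECDSA certificate",
        server => {
            "MaxProtocol" => "TLSv1.2"
        },
        client => {
            "CipherString" => "aECDSA",
            "MaxProtocol" => "TLSv1.2"
        },
        test   => {
            "ExpectedResult" => "ServerFail"
        },
    },
    {
        name => "ECDSA Signature Algorithm Selection",
        server => $server,
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA256",
        },
        test   => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "ECDSA Signature Algorithm Selection SHA384",
        server => $server,
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA384",
        },
        test   => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignHash" => "SHA384",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        # Pins that a SHA-1 signature is still negotiated when it is the only
        # algorithm the client offers and the server is capped at TLS 1.2;
        # the TLS 1.3 counterpart of this case expects ServerFail.
        name => "ECDSA Signature Algorithm Selection SHA1",
        server => $server,
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA1",
        },
        test   => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignHash" => "SHA1",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        # A compressed-point ECDSA certificate is accepted at TLS 1.2; the
        # TLS 1.3 counterpart of this case expects ServerFail.
        name => "ECDSA Signature Algorithm Selection compressed point",
        server => {
            "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
            "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
            "MaxProtocol" => "TLSv1.2"
        },
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA256",
        },
        test   => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
        server => {
            "MaxProtocol" => "TLSv1.2"
        },
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA256",
        },
        test   => {
            "ExpectedResult" => "ServerFail"
        },
    },
    {
        name => "RSA Signature Algorithm Selection",
        server => $server,
        client => {
            "SignatureAlgorithms" => "RSA+SHA256",
        },
        test   => {
            "ExpectedServerCertType" => "RSA",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "RSA",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "RSA-PSS Signature Algorithm Selection",
        server => $server,
        client => {
            "SignatureAlgorithms" => "RSA-PSS+SHA256",
        },
        test   => {
            "ExpectedServerCertType" => "RSA",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "RSA-PSS",
            "ExpectedResult" => "Success"
        },
    },
    {
        # With the legacy "RSA-PSS+SHA256" name the plain RSA certificate is
        # expected even though the server also holds an RSA-PSS one.
        name => "RSA-PSS Certificate Legacy Signature Algorithm Selection",
        server => $server_pss,
        client => {
            "SignatureAlgorithms" => "RSA-PSS+SHA256",
        },
        test   => {
            "ExpectedServerCertType" => "RSA",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "RSA-PSS",
            "ExpectedResult" => "Success"
        },
    },
    {
        # "rsa_pss_pss_sha256" is expected to select the RSA-PSS certificate.
        name => "RSA-PSS Certificate Unified Signature Algorithm Selection",
        server => $server_pss,
        client => {
            "SignatureAlgorithms" => "rsa_pss_pss_sha256",
        },
        test   => {
            "ExpectedServerCertType" => "RSA-PSS",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "RSA-PSS",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "Only RSA-PSS Certificate",
        server => $server_pss_only,
        client => {},
        test   => {
            "ExpectedServerCertType" => "RSA-PSS",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "RSA-PSS",
            "ExpectedResult" => "Success"
        },
    },
    {
        # Negative case: the server must not sign with an RSA-PSS key when
        # the client offers only a non-PSS RSA algorithm.
        name => "RSA-PSS Certificate, no PSS signature algorithms",
        server => $server_pss_only,
        client => {
            "SignatureAlgorithms" => "RSA+SHA256",
        },
        test   => {
            "ExpectedResult" => "ServerFail"
        },
    },
    {
        # The two Suite B cases list the client's hashes in opposite orders;
        # the expected hash follows the certificate curve in both.
        name => "Suite B P-256 Hash Algorithm Selection",
        server =>  {
            "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
            "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
            "MaxProtocol" => "TLSv1.2",
            "CipherString" => "SUITEB128"
        },
        client => {
            "VerifyCAFile" => test_pem("p384-root.pem"),
            "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
        },
        test   => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "Suite B P-384 Hash Algorithm Selection",
        server =>  {
            "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
            "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
            "MaxProtocol" => "TLSv1.2",
            "CipherString" => "SUITEB128"
        },
        client => {
            "VerifyCAFile" => test_pem("p384-root.pem"),
            "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
        },
        test   => {
            "ExpectedServerCertType" => "P-384",
            "ExpectedServerSignHash" => "SHA384",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        # Client authentication: the server requires a client certificate.
        name => "TLS 1.2 Ed25519 Client Auth",
        server => {
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Require"
        },
        client => {
            "Ed25519.Certificate" => test_pem("client-ed25519-cert.pem"),
            "Ed25519.PrivateKey" => test_pem("client-ed25519-key.pem"),
            "MinProtocol" => "TLSv1.2",
            "MaxProtocol" => "TLSv1.2"
        },
        test   => {
            "ExpectedClientCertType" => "Ed25519",
            "ExpectedClientSignType" => "Ed25519",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "TLS 1.2 Ed448 Client Auth",
        server => {
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Require"
        },
        client => {
            "Ed448.Certificate" => test_pem("client-ed448-cert.pem"),
            "Ed448.PrivateKey" => test_pem("client-ed448-key.pem"),
            "MinProtocol" => "TLSv1.2",
            "MaxProtocol" => "TLSv1.2"
        },
        test   => {
            "ExpectedClientCertType" => "Ed448",
            "ExpectedClientSignType" => "Ed448",
            "ExpectedResult" => "Success"
        },
    },
);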
438
# TLS 1.1 case: a server whose only certificate is RSA-PSS is expected to
# fail the handshake with a client capped at TLSv1.1.
my @tests_tls_1_1 = (
    {
        name   => "Only RSA-PSS Certificate, TLS v1.1",
        server => $server_pss_only,
        client => {
            "MaxProtocol" => "TLSv1.1",
        },
        test   => {
            "ExpectedResult" => "ServerFail",
        },
    },
);

# Only add the TLS 1.1 case when that protocol version is built in.
if (!disabled("tls1_1")) {
    push @tests, @tests_tls_1_1;
}
453
# Shared server configuration for the TLS 1.3 cases: ECDSA, Ed25519 and Ed448
# key pairs, with both protocol bounds pinned to TLSv1.3.
my $server_tls_1_3 = {
    "ECDSA.Certificate"   => test_pem("server-ecdsa-cert.pem"),
    "ECDSA.PrivateKey"    => test_pem("server-ecdsa-key.pem"),
    "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
    "Ed25519.PrivateKey"  => test_pem("server-ed25519-key.pem"),
    "Ed448.Certificate"   => test_pem("server-ed448-cert.pem"),
    "Ed448.PrivateKey"    => test_pem("server-ed448-key.pem"),
    "MinProtocol"         => "TLSv1.3",
    "MaxProtocol"         => "TLSv1.3",
};
464
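# TLS 1.3 server that additionally holds an RSA-PSS key pair next to the
# ECDSA, Ed25519 and Ed448 ones; both protocol bounds are pinned to TLSv1.3.
# The Ed448 private key path previously read "server-ed449-key.pem", which
# does not pair with the Ed448 certificate; it now names the same key file
# that the other server configurations in this file use.
# NOTE(review): no test in this listing references this hash, which would
# explain why the misspelled path went unnoticed -- confirm whether the hash
# is still needed.
my $server_tls_1_3_pss = {
    "PSS.Certificate"     => test_pem("server-pss-cert.pem"),
    "PSS.PrivateKey"      => test_pem("server-pss-key.pem"),
    "ECDSA.Certificate"   => test_pem("server-ecdsa-cert.pem"),
    "ECDSA.PrivateKey"    => test_pem("server-ecdsa-key.pem"),
    "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
    "Ed25519.PrivateKey"  => test_pem("server-ed25519-key.pem"),
    "Ed448.Certificate"   => test_pem("server-ed448-cert.pem"),
    "Ed448.PrivateKey"    => test_pem("server-ed448-key.pem"),
    "MinProtocol"         => "TLSv1.3",
    "MaxProtocol"         => "TLSv1.3",
};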
477
# Shared client configuration for the TLS 1.3 client-authentication cases:
# an RSA and an ECDSA key pair, with both protocol bounds pinned to TLSv1.3.
my $client_tls_1_3 = {
    "RSA.Certificate"   => test_pem("ee-client-chain.pem"),
    "RSA.PrivateKey"    => test_pem("ee-key.pem"),
    "ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
    "ECDSA.PrivateKey"  => test_pem("ee-ecdsa-key.pem"),
    "MinProtocol"       => "TLSv1.3",
    "MaxProtocol"       => "TLSv1.3",
};
486
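# TLS 1.3 certificate and signature-algorithm selection cases. Several of
# them repeat a TLS 1.2 case with the opposite expected result (SHA-1,
# compressed points, non-PSS RSA), pinning what TLS 1.3 must refuse.
my @tests_tls_1_3 = (
    {
        name => "TLS 1.3 ECDSA Signature Algorithm Selection",
        server => $server_tls_1_3,
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA256",
        },
        test   => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "EC",
            "ExpectedServerCANames" => "empty",
            "ExpectedResult" => "Success"
        },
    },
    {
        # Negative case: a compressed-point ECDSA certificate is expected to
        # be unusable at TLS 1.3.
        name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point",
        server => {
            "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
            "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3"
        },
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA256",
        },
        test   => {
            "ExpectedResult" => "ServerFail"
        },
    },
    {
        # Negative case: a client offering only ECDSA+SHA1 must not get a
        # TLS 1.3 handshake.
        name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1",
        server => $server_tls_1_3,
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA1",
        },
        test   => {
            "ExpectedResult" => "ServerFail"
        },
    },
    {
        name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
        server => $server_tls_1_3,
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
            "RequestCAFile" => test_pem("root-cert.pem"),
        },
        test   => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "EC",
            "ExpectedServerCANames" => test_pem("root-cert.pem"),
            "ExpectedResult" => "Success"
        },
    },
    {
        # ECDSA+SHA384 is listed first, yet RSA-PSS with SHA384 is expected.
        # NOTE(review): presumably because the P-256 key cannot be used with
        # the SHA384 scheme at TLS 1.3 -- confirm.
        name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
        server => $server_tls_1_3,
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
        },
        test   => {
            "ExpectedServerCertType" => "RSA",
            "ExpectedServerSignHash" => "SHA384",
            "ExpectedServerSignType" => "RSA-PSS",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
        server => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3"
        },
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA256",
        },
        test   => {
            "ExpectedResult" => "ServerFail"
        },
    },
    {
        # Negative case: a client offering only the non-PSS RSA algorithm
        # must not get a TLS 1.3 handshake.
        name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
        server => $server_tls_1_3,
        client => {
            "SignatureAlgorithms" => "RSA+SHA256",
        },
        test   => {
            "ExpectedResult" => "ServerFail"
        },
    },
    {
        name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
        server => $server_tls_1_3,
        client => {
            "SignatureAlgorithms" => "RSA-PSS+SHA256",
        },
        test   => {
            "ExpectedServerCertType" => "RSA",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "RSA-PSS",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
        server => $server_tls_1_3,
        client => {
            "SignatureAlgorithms" => "ed25519",
        },
        test   => {
            "ExpectedServerCertType" => "Ed25519",
            "ExpectedServerSignType" => "Ed25519",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "TLS 1.3 Ed448 Signature Algorithm Selection",
        server => $server_tls_1_3,
        client => {
            "SignatureAlgorithms" => "ed448",
        },
        test   => {
            "ExpectedServerCertType" => "Ed448",
            "ExpectedServerSignType" => "Ed448",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "TLS 1.3 Ed25519 CipherString and Groups Selection",
        server => $server_tls_1_3,
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
            # Excluding P-256 from the supported groups list should
            # mean server still uses a P-256 certificate because supported
            # groups is not used in signature selection for TLS 1.3
            "Groups" => "X25519"
        },
        test   => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "TLS 1.3 Ed448 CipherString and Groups Selection",
        server => $server_tls_1_3,
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
            # Excluding P-256 from the supported groups list should
            # mean server still uses a P-256 certificate because supported
            # groups is not used in signature selection for TLS 1.3
            "Groups" => "X448"
        },
        test   => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        # Client authentication: the server requires a client certificate
        # and restricts the client signature algorithms it accepts.
        name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
        server => {
            "ClientSignatureAlgorithms" => "PSS+SHA256",
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Require"
        },
        client => $client_tls_1_3,
        test   => {
            "ExpectedClientCertType" => "RSA",
            "ExpectedClientSignHash" => "SHA256",
            "ExpectedClientSignType" => "RSA-PSS",
            "ExpectedClientCANames" => "empty",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
        server => {
            "ClientSignatureAlgorithms" => "PSS+SHA256",
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "RequestCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Require"
        },
        client => $client_tls_1_3,
        test   => {
            "ExpectedClientCertType" => "RSA",
            "ExpectedClientSignHash" => "SHA256",
            "ExpectedClientSignType" => "RSA-PSS",
            "ExpectedClientCANames" => test_pem("root-cert.pem"),
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
        server => {
            "ClientSignatureAlgorithms" => "ECDSA+SHA256",
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Require"
        },
        client => $client_tls_1_3,
        test   => {
            "ExpectedClientCertType" => "P-256",
            "ExpectedClientSignHash" => "SHA256",
            "ExpectedClientSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        # NOTE(review): the "EdDSA." label here and in the Ed448 case below
        # differs from the "Ed25519."/"Ed448." labels used by the TLS 1.2
        # client-auth cases. Presumably only the part after the dot is
        # significant; confirm before renaming, since the label may appear
        # in generated output.
        name => "TLS 1.3 Ed25519 Client Auth",
        server => {
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Require"
        },
        client => {
            "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
            "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3"
        },
        test   => {
            "ExpectedClientCertType" => "Ed25519",
            "ExpectedClientSignType" => "Ed25519",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "TLS 1.3 Ed448 Client Auth",
        server => {
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Require"
        },
        client => {
            "EdDSA.Certificate" => test_pem("client-ed448-cert.pem"),
            "EdDSA.PrivateKey" => test_pem("client-ed448-key.pem"),
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3"
        },
        test   => {
            "ExpectedClientCertType" => "Ed448",
            "ExpectedClientSignType" => "Ed448",
            "ExpectedResult" => "Success"
        },
    },
);

# Only add the TLS 1.3 cases when that protocol version is built in.
push @tests, @tests_tls_1_3 unless disabled("tls1_3");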
734
# DSA at TLS 1.2: a server holding a DSA key pair and DH parameters, with
# both sides using CipherString "ALL", is expected to complete the handshake.
my @tests_dsa_tls_1_2 = (
    {
        name   => "TLS 1.2 DSA Certificate Test",
        server => {
            "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
            "DSA.PrivateKey"  => test_pem("server-dsa-key.pem"),
            "DHParameters"    => test_pem("dhp2048.pem"),
            "MinProtocol"     => "TLSv1.2",
            "MaxProtocol"     => "TLSv1.2",
            "CipherString"    => "ALL",
        },
        client => {
            "SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
            "CipherString"        => "ALL",
        },
        test   => {
            "ExpectedResult" => "Success",
        },
    },
);
755
# Negative cases that involve DSA algorithm names; both expect ServerFail.
my @tests_dsa_tls_1_3 = (
    {
        # The server requests a client certificate but lists only
        # ECDSA+SHA1, DSA+SHA256 and RSA+SHA256 as client signature
        # algorithms.
        name   => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
        server => {
            "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
            "VerifyCAFile"              => test_pem("root-cert.pem"),
            "VerifyMode"                => "Request",
        },
        client => {},
        test   => {
            "ExpectedResult" => "ServerFail",
        },
    },
    {
        # A server pinned to TLS 1.3 whose configured key pair is DSA.
        name   => "TLS 1.3 DSA Certificate Test",
        server => {
            "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
            "DSA.PrivateKey"  => test_pem("server-dsa-key.pem"),
            "MinProtocol"     => "TLSv1.3",
            "MaxProtocol"     => "TLSv1.3",
            "CipherString"    => "ALL",
        },
        client => {
            "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256:ECDSA+SHA256",
            "CipherString"        => "ALL",
        },
        test   => {
            "ExpectedResult" => "ServerFail",
        },
    },
);
787
# The DSA cases are added only when DSA is built in; the TLS 1.2 case also
# needs DH and the TLS 1.3 cases also need TLS 1.3.
unless (disabled("dsa")) {
    if (!disabled("dh")) {
        push @tests, @tests_dsa_tls_1_2;
    }
    if (!disabled("tls1_3")) {
        push @tests, @tests_dsa_tls_1_3;
    }
}