test/ssl-tests/20-cert-select.conf.in

   1 # -*- mode: perl; -*-
   2
   3 ## SSL test configurations
   4
   5
   6 use strict;
   7 use warnings;
   8
   9 package ssltests;
  10 use OpenSSL::Test::Utils;
  11
  12 my $server = {
  13     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
  14     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
  15     "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
  16     "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
  17     "MaxProtocol" => "TLSv1.2"
  18 };
  19
  20 my $server_pss = {
  21     "PSS.Certificate" => test_pem("server-pss-cert.pem"),
  22     "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
  23     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
  24     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
  25     "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
  26     "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
  27     "MaxProtocol" => "TLSv1.2"
  28 };
  29
  30 my $server_pss_only = {
  31     "Certificate" => test_pem("server-pss-cert.pem"),
  32     "PrivateKey" => test_pem("server-pss-key.pem"),
  33 };
  34
  35 our @tests = (
  36     {
  37         name => "ECDSA CipherString Selection",
  38         server => $server,
  39         client => {
  40             "CipherString" => "aECDSA",
  41             "MaxProtocol" => "TLSv1.2",
  42             "RequestCAFile" => test_pem("root-cert.pem"),
  43         },
  44         test   => {
  45             "ExpectedServerCertType" =>, "P-256",
  46             "ExpectedServerSignType" =>, "EC",
  47             # Note: certificate_authorities not sent for TLS < 1.3
  48             "ExpectedServerCANames" =>, "empty",
  49             "ExpectedResult" => "Success"
  50         },
  51     },
  52     {
  53         name => "Ed25519 CipherString and Signature Algorithm Selection",
  54         server => $server,
  55         client => {
  56             "CipherString" => "aECDSA",
  57             "MaxProtocol" => "TLSv1.2",
  58             "SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
  59             "RequestCAFile" => test_pem("root-cert.pem"),
  60         },
  61         test   => {
  62             "ExpectedServerCertType" =>, "Ed25519",
  63             "ExpectedServerSignType" =>, "Ed25519",
  64             # Note: certificate_authorities not sent for TLS < 1.3
  65             "ExpectedServerCANames" =>, "empty",
  66             "ExpectedResult" => "Success"
  67         },
  68     },
  69     {
  70         name => "RSA CipherString Selection",
  71         server => $server,
  72         client => {
  73             "CipherString" => "aRSA",
  74             "MaxProtocol" => "TLSv1.2",
  75         },
  76         test   => {
  77             "ExpectedServerCertType" =>, "RSA",
  78             "ExpectedServerSignType" =>, "RSA-PSS",
  79             "ExpectedResult" => "Success"
  80         },
  81     },
  82     {
  83         name => "RSA-PSS Certificate CipherString Selection",
  84         server => $server_pss,
  85         client => {
  86             "CipherString" => "aRSA",
  87             "MaxProtocol" => "TLSv1.2",
  88         },
  89         test   => {
  90             "ExpectedServerCertType" =>, "RSA-PSS",
  91             "ExpectedServerSignType" =>, "RSA-PSS",
  92             "ExpectedResult" => "Success"
  93         },
  94     },
  95     {
  96         name => "P-256 CipherString and Signature Algorithm Selection",
  97         server => $server,
  98         client => {
  99             "CipherString" => "aECDSA",
 100             "MaxProtocol" => "TLSv1.2",
 101             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
 102         },
 103         test   => {
 104             "ExpectedServerCertType" => "P-256",
 105             "ExpectedServerSignHash" => "SHA256",
 106             "ExpectedServerSignType" => "EC",
 107             "ExpectedResult" => "Success"
 108         },
 109     },
 110     {
 111         name => "Ed25519 CipherString and Curves Selection",
 112         server => $server,
 113         client => {
 114             "CipherString" => "aECDSA",
 115             "MaxProtocol" => "TLSv1.2",
 116             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
 117             # Excluding P-256 from the supported curves list means server
 118             # certificate should be Ed25519 and not P-256
 119             "Curves" => "X25519"
 120         },
 121         test   => {
 122             "ExpectedServerCertType" =>, "Ed25519",
 123             "ExpectedServerSignType" =>, "Ed25519",
 124             "ExpectedResult" => "Success"
 125         },
 126     },
 127     {
 128         name => "ECDSA CipherString Selection, no ECDSA certificate",
 129         server => {
 130             "MaxProtocol" => "TLSv1.2"
 131         },
 132         client => {
 133             "CipherString" => "aECDSA",
 134             "MaxProtocol" => "TLSv1.2"
 135         },
 136         test   => {
 137             "ExpectedResult" => "ServerFail"
 138         },
 139     },
 140     {
 141         name => "ECDSA Signature Algorithm Selection",
 142         server => $server,
 143         client => {
 144             "SignatureAlgorithms" => "ECDSA+SHA256",
 145         },
 146         test   => {
 147             "ExpectedServerCertType" => "P-256",
 148             "ExpectedServerSignHash" => "SHA256",
 149             "ExpectedServerSignType" => "EC",
 150             "ExpectedResult" => "Success"
 151         },
 152     },
 153     {
 154         name => "ECDSA Signature Algorithm Selection SHA384",
 155         server => $server,
 156         client => {
 157             "SignatureAlgorithms" => "ECDSA+SHA384",
 158         },
 159         test   => {
 160             "ExpectedServerCertType" => "P-256",
 161             "ExpectedServerSignHash" => "SHA384",
 162             "ExpectedServerSignType" => "EC",
 163             "ExpectedResult" => "Success"
 164         },
 165     },
 166     {
 167         name => "ECDSA Signature Algorithm Selection SHA1",
 168         server => $server,
 169         client => {
 170             "SignatureAlgorithms" => "ECDSA+SHA1",
 171         },
 172         test   => {
 173             "ExpectedServerCertType" => "P-256",
 174             "ExpectedServerSignHash" => "SHA1",
 175             "ExpectedServerSignType" => "EC",
 176             "ExpectedResult" => "Success"
 177         },
 178     },
 179     {
 180         name => "ECDSA Signature Algorithm Selection compressed point",
 181         server => {
 182             "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
 183             "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
 184             "MaxProtocol" => "TLSv1.2"
 185         },
 186         client => {
 187             "SignatureAlgorithms" => "ECDSA+SHA256",
 188         },
 189         test   => {
 190             "ExpectedServerCertType" => "P-256",
 191             "ExpectedServerSignHash" => "SHA256",
 192             "ExpectedServerSignType" => "EC",
 193             "ExpectedResult" => "Success"
 194         },
 195     },
 196     {
 197         name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
 198         server => {
 199              "MaxProtocol" => "TLSv1.2"
 200         },
 201         client => {
 202             "SignatureAlgorithms" => "ECDSA+SHA256",
 203         },
 204         test   => {
 205             "ExpectedResult" => "ServerFail"
 206         },
 207     },
 208     {
 209         name => "RSA Signature Algorithm Selection",
 210         server => $server,
 211         client => {
 212             "SignatureAlgorithms" => "RSA+SHA256",
 213         },
 214         test   => {
 215             "ExpectedServerCertType" => "RSA",
 216             "ExpectedServerSignHash" => "SHA256",
 217             "ExpectedServerSignType" => "RSA",
 218             "ExpectedResult" => "Success"
 219         },
 220     },
 221     {
 222         name => "RSA-PSS Signature Algorithm Selection",
 223         server => $server,
 224         client => {
 225             "SignatureAlgorithms" => "RSA-PSS+SHA256",
 226         },
 227         test   => {
 228             "ExpectedServerCertType" => "RSA",
 229             "ExpectedServerSignHash" => "SHA256",
 230             "ExpectedServerSignType" => "RSA-PSS",
 231             "ExpectedResult" => "Success"
 232         },
 233     },
 234     {
 235         name => "RSA-PSS Certificate Signature Algorithm Selection",
 236         server => $server_pss,
 237         client => {
 238             "SignatureAlgorithms" => "RSA-PSS+SHA256",
 239         },
 240         test   => {
 241             "ExpectedServerCertType" => "RSA-PSS",
 242             "ExpectedServerSignHash" => "SHA256",
 243             "ExpectedServerSignType" => "RSA-PSS",
 244             "ExpectedResult" => "Success"
 245         },
 246     },
 247     {
 248         name => "Only RSA-PSS Certificate",
 249         server => $server_pss_only,
 250         client => {},
 251         test   => {
 252             "ExpectedServerCertType" => "RSA-PSS",
 253             "ExpectedServerSignHash" => "SHA256",
 254             "ExpectedServerSignType" => "RSA-PSS",
 255             "ExpectedResult" => "Success"
 256         },
 257     },
 258     {
 259         name => "RSA-PSS Certificate, no PSS signature algorithms",
 260         server => $server_pss_only,
 261         client => {
 262             "SignatureAlgorithms" => "RSA+SHA256",
 263         },
 264         test   => {
 265             "ExpectedResult" => "ServerFail"
 266         },
 267     },
 268     {
 269         name => "Only RSA-PSS Certificate, TLS v1.1",
 270         server => $server_pss_only,
 271         client => {
 272             "MaxProtocol" => "TLSv1.1",
 273         },
 274         test   => {
 275             "ExpectedResult" => "ServerFail"
 276         },
 277     },
 278     {
 279         name => "Suite B P-256 Hash Algorithm Selection",
 280         server =>  {
 281             "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
 282             "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
 283             "MaxProtocol" => "TLSv1.2",
 284             "CipherString" => "SUITEB128"
 285         },
 286         client => {
 287             "VerifyCAFile" => test_pem("p384-root.pem"),
 288             "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
 289         },
 290         test   => {
 291             "ExpectedServerCertType" => "P-256",
 292             "ExpectedServerSignHash" => "SHA256",
 293             "ExpectedServerSignType" => "EC",
 294             "ExpectedResult" => "Success"
 295         },
 296     },
 297     {
 298         name => "Suite B P-384 Hash Algorithm Selection",
 299         server =>  {
 300             "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
 301             "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
 302             "MaxProtocol" => "TLSv1.2",
 303             "CipherString" => "SUITEB128"
 304         },
 305         client => {
 306             "VerifyCAFile" => test_pem("p384-root.pem"),
 307             "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
 308         },
 309         test   => {
 310             "ExpectedServerCertType" => "P-384",
 311             "ExpectedServerSignHash" => "SHA384",
 312             "ExpectedServerSignType" => "EC",
 313             "ExpectedResult" => "Success"
 314         },
 315     },
 316     {
 317         name => "TLS 1.2 Ed25519 Client Auth",
 318         server => {
 319             "VerifyCAFile" => test_pem("root-cert.pem"),
 320             "VerifyMode" => "Require"
 321         },
 322         client => {
 323             "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
 324             "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
 325             "MinProtocol" => "TLSv1.2",
 326             "MaxProtocol" => "TLSv1.2"
 327         },
 328         test   => {
 329             "ExpectedClientCertType" => "Ed25519",
 330             "ExpectedClientSignType" => "Ed25519",
 331             "ExpectedResult" => "Success"
 332         },
 333     },
 334 );
 335
 336 my $server_tls_1_3 = {
 337     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
 338     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
 339     "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
 340     "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
 341     "MinProtocol" => "TLSv1.3",
 342     "MaxProtocol" => "TLSv1.3"
 343 };
 344
 345 my $server_tls_1_3_pss = {
 346     "PSS.Certificate" => test_pem("server-pss-cert.pem"),
 347     "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
 348     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
 349     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
 350     "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
 351     "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
 352     "MinProtocol" => "TLSv1.3",
 353     "MaxProtocol" => "TLSv1.3"
 354 };
 355
 356 my $client_tls_1_3 = {
 357     "RSA.Certificate" => test_pem("ee-client-chain.pem"),
 358     "RSA.PrivateKey" => test_pem("ee-key.pem"),
 359     "ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
 360     "ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"),
 361     "MinProtocol" => "TLSv1.3",
 362     "MaxProtocol" => "TLSv1.3"
 363 };
 364
 365 my @tests_tls_1_3 = (
 366     {
 367         name => "TLS 1.3 ECDSA Signature Algorithm Selection",
 368         server => $server_tls_1_3,
 369         client => {
 370             "SignatureAlgorithms" => "ECDSA+SHA256",
 371         },
 372         test   => {
 373             "ExpectedServerCertType" => "P-256",
 374             "ExpectedServerSignHash" => "SHA256",
 375             "ExpectedServerSignType" => "EC",
 376             "ExpectedServerCANames" => "empty",
 377             "ExpectedResult" => "Success"
 378         },
 379     },
 380     {
 381         name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point",
 382         server => {
 383             "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
 384             "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
 385             "MinProtocol" => "TLSv1.3",
 386             "MaxProtocol" => "TLSv1.3"
 387         },
 388         client => {
 389             "SignatureAlgorithms" => "ECDSA+SHA256",
 390         },
 391         test   => {
 392             "ExpectedResult" => "ServerFail"
 393         },
 394     },
 395     {
 396         name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1",
 397         server => $server_tls_1_3,
 398         client => {
 399             "SignatureAlgorithms" => "ECDSA+SHA1",
 400         },
 401         test   => {
 402             "ExpectedResult" => "ServerFail"
 403         },
 404     },
 405     {
 406         name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
 407         server => $server_tls_1_3,
 408         client => {
 409             "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
 410             "RequestCAFile" => test_pem("root-cert.pem"),
 411         },
 412         test   => {
 413             "ExpectedServerCertType" => "P-256",
 414             "ExpectedServerSignHash" => "SHA256",
 415             "ExpectedServerSignType" => "EC",
 416             "ExpectedServerCANames" => test_pem("root-cert.pem"),
 417             "ExpectedResult" => "Success"
 418         },
 419     },
 420     {
 421         name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
 422         server => $server_tls_1_3,
 423         client => {
 424             "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
 425         },
 426         test   => {
 427             "ExpectedServerCertType" => "RSA",
 428             "ExpectedServerSignHash" => "SHA384",
 429             "ExpectedServerSignType" => "RSA-PSS",
 430             "ExpectedResult" => "Success"
 431         },
 432     },
 433     {
 434         name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
 435         server => {
 436             "MinProtocol" => "TLSv1.3",
 437             "MaxProtocol" => "TLSv1.3"
 438         },
 439         client => {
 440             "SignatureAlgorithms" => "ECDSA+SHA256",
 441         },
 442         test   => {
 443             "ExpectedResult" => "ServerFail"
 444         },
 445     },
 446     {
 447         name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
 448         server => $server_tls_1_3,
 449         client => {
 450             "SignatureAlgorithms" => "RSA+SHA256",
 451         },
 452         test   => {
 453             "ExpectedResult" => "ServerFail"
 454         },
 455     },
 456     {
 457         name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
 458         server => $server_tls_1_3,
 459         client => {
 460             "SignatureAlgorithms" => "RSA-PSS+SHA256",
 461         },
 462         test   => {
 463             "ExpectedServerCertType" => "RSA",
 464             "ExpectedServerSignHash" => "SHA256",
 465             "ExpectedServerSignType" => "RSA-PSS",
 466             "ExpectedResult" => "Success"
 467         },
 468     },
 469     {
 470         name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
 471         server => $server_tls_1_3,
 472         client => {
 473             "SignatureAlgorithms" => "ed25519",
 474         },
 475         test   => {
 476             "ExpectedServerCertType" => "Ed25519",
 477             "ExpectedServerSignType" => "Ed25519",
 478             "ExpectedResult" => "Success"
 479         },
 480     },
 481     {
 482         name => "TLS 1.3 Ed25519 CipherString and Groups Selection",
 483         server => $server_tls_1_3,
 484         client => {
 485             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
 486             # Excluding P-256 from the supported groups list should
 487             # mean server still uses a P-256 certificate because supported
 488             # groups is not used in signature selection for TLS 1.3
 489             "Groups" => "X25519"
 490         },
 491         test   => {
 492             "ExpectedServerCertType" =>, "P-256",
 493             "ExpectedServerSignType" =>, "EC",
 494             "ExpectedResult" => "Success"
 495         },
 496     },
 497     {
 498         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
 499         server => {
 500             "ClientSignatureAlgorithms" => "PSS+SHA256",
 501             "VerifyCAFile" => test_pem("root-cert.pem"),
 502             "VerifyMode" => "Require"
 503         },
 504         client => $client_tls_1_3,
 505         test   => {
 506             "ExpectedClientCertType" => "RSA",
 507             "ExpectedClientSignHash" => "SHA256",
 508             "ExpectedClientSignType" => "RSA-PSS",
 509             "ExpectedClientCANames" => "empty",
 510             "ExpectedResult" => "Success"
 511         },
 512     },
 513     {
 514         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
 515         server => {
 516             "ClientSignatureAlgorithms" => "PSS+SHA256",
 517             "VerifyCAFile" => test_pem("root-cert.pem"),
 518             "RequestCAFile" => test_pem("root-cert.pem"),
 519             "VerifyMode" => "Require"
 520         },
 521         client => $client_tls_1_3,
 522         test   => {
 523             "ExpectedClientCertType" => "RSA",
 524             "ExpectedClientSignHash" => "SHA256",
 525             "ExpectedClientSignType" => "RSA-PSS",
 526             "ExpectedClientCANames" => test_pem("root-cert.pem"),
 527             "ExpectedResult" => "Success"
 528         },
 529     },
 530     {
 531         name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
 532         server => {
 533             "ClientSignatureAlgorithms" => "ECDSA+SHA256",
 534             "VerifyCAFile" => test_pem("root-cert.pem"),
 535             "VerifyMode" => "Require"
 536         },
 537         client => $client_tls_1_3,
 538         test   => {
 539             "ExpectedClientCertType" => "P-256",
 540             "ExpectedClientSignHash" => "SHA256",
 541             "ExpectedClientSignType" => "EC",
 542             "ExpectedResult" => "Success"
 543         },
 544     },
 545     {
 546         name => "TLS 1.3 Ed25519 Client Auth",
 547         server => {
 548             "VerifyCAFile" => test_pem("root-cert.pem"),
 549             "VerifyMode" => "Require"
 550         },
 551         client => {
 552             "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
 553             "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
 554             "MinProtocol" => "TLSv1.3",
 555             "MaxProtocol" => "TLSv1.3"
 556         },
 557         test   => {
 558             "ExpectedClientCertType" => "Ed25519",
 559             "ExpectedClientSignType" => "Ed25519",
 560             "ExpectedResult" => "Success"
 561         },
 562     },
 563 );
 564
 565 push @tests, @tests_tls_1_3 unless disabled("tls1_3");
 566
 567 my @tests_dsa_tls_1_2 = (
 568     {
 569         name => "TLS 1.2 DSA Certificate Test",
 570         server => {
 571             "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
 572             "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
 573             "DHParameters" => test_pem("dhp2048.pem"),
 574             "MinProtocol" => "TLSv1.2",
 575             "MaxProtocol" => "TLSv1.2",
 576             "CipherString" => "ALL",
 577         },
 578         client => {
 579             "SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
 580             "CipherString" => "ALL",
 581         },
 582         test   => {
 583             "ExpectedResult" => "Success"
 584         },
 585     },
 586 );
 587
 588 my @tests_dsa_tls_1_3 = (
 589     {
 590         name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
 591         server => {
 592             "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
 593             "VerifyCAFile" => test_pem("root-cert.pem"),
 594             "VerifyMode" => "Request"
 595         },
 596         client => {},
 597         test   => {
 598             "ExpectedResult" => "ServerFail"
 599         },
 600     },
 601     {
 602         name => "TLS 1.3 DSA Certificate Test",
 603         server => {
 604             "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
 605             "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
 606             "MinProtocol" => "TLSv1.3",
 607             "MaxProtocol" => "TLSv1.3",
 608             "CipherString" => "ALL",
 609         },
 610         client => {
 611             "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256:ECDSA+SHA256",
 612             "CipherString" => "ALL",
 613         },
 614         test   => {
 615             "ExpectedResult" => "ServerFail"
 616         },
 617     },
 618 );
 619
 620 if (!disabled("dsa")) {
 621     push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
 622     push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
 623 }