Add RSA-PSS certificate type TLS tests
[openssl.git] / test / ssl-tests / 20-cert-select.conf.in
1 # -*- mode: perl; -*-
2
3 ## SSL test configurations
4
5
6 use strict;
7 use warnings;
8
9 package ssltests;
10 use OpenSSL::Test::Utils;
11
12 my $server = {
13     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
14     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
15     "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
16     "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
17     "MaxProtocol" => "TLSv1.2"
18 };
19
20 my $server_pss = {
21     "PSS.Certificate" => test_pem("server-pss-cert.pem"),
22     "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
23     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
24     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
25     "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
26     "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
27     "MaxProtocol" => "TLSv1.2"
28 };
29
30 my $server_pss_only = {
31     "Certificate" => test_pem("server-pss-cert.pem"),
32     "PrivateKey" => test_pem("server-pss-key.pem"),
33 };
34
35 our @tests = (
36     {
37         name => "ECDSA CipherString Selection",
38         server => $server,
39         client => {
40             "CipherString" => "aECDSA",
41             "MaxProtocol" => "TLSv1.2",
42             "RequestCAFile" => test_pem("root-cert.pem"),
43         },
44         test   => {
45             "ExpectedServerCertType" =>, "P-256",
46             "ExpectedServerSignType" =>, "EC",
47             # Note: certificate_authorities not sent for TLS < 1.3
48             "ExpectedServerCANames" =>, "empty",
49             "ExpectedResult" => "Success"
50         },
51     },
52     {
53         name => "Ed25519 CipherString and Signature Algorithm Selection",
54         server => $server,
55         client => {
56             "CipherString" => "aECDSA",
57             "MaxProtocol" => "TLSv1.2",
58             "SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
59             "RequestCAFile" => test_pem("root-cert.pem"),
60         },
61         test   => {
62             "ExpectedServerCertType" =>, "Ed25519",
63             "ExpectedServerSignType" =>, "Ed25519",
64             # Note: certificate_authorities not sent for TLS < 1.3
65             "ExpectedServerCANames" =>, "empty",
66             "ExpectedResult" => "Success"
67         },
68     },
69     {
70         name => "RSA CipherString Selection",
71         server => $server,
72         client => {
73             "CipherString" => "aRSA",
74             "MaxProtocol" => "TLSv1.2",
75         },
76         test   => {
77             "ExpectedServerCertType" =>, "RSA",
78             "ExpectedServerSignType" =>, "RSA-PSS",
79             "ExpectedResult" => "Success"
80         },
81     },
82     {
83         name => "RSA-PSS Certificate CipherString Selection",
84         server => $server_pss,
85         client => {
86             "CipherString" => "aRSA",
87             "MaxProtocol" => "TLSv1.2",
88         },
89         test   => {
90             "ExpectedServerCertType" =>, "RSA-PSS",
91             "ExpectedServerSignType" =>, "RSA-PSS",
92             "ExpectedResult" => "Success"
93         },
94     },
95     {
96         name => "P-256 CipherString and Signature Algorithm Selection",
97         server => $server,
98         client => {
99             "CipherString" => "aECDSA",
100             "MaxProtocol" => "TLSv1.2",
101             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
102         },
103         test   => {
104             "ExpectedServerCertType" => "P-256",
105             "ExpectedServerSignHash" => "SHA256",
106             "ExpectedServerSignType" => "EC",
107             "ExpectedResult" => "Success"
108         },
109     },
110     {
111         name => "Ed25519 CipherString and Curves Selection",
112         server => $server,
113         client => {
114             "CipherString" => "aECDSA",
115             "MaxProtocol" => "TLSv1.2",
116             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
117             # Excluding P-256 from the supported curves list means server
118             # certificate should be Ed25519 and not P-256
119             "Curves" => "X25519"
120         },
121         test   => {
122             "ExpectedServerCertType" =>, "Ed25519",
123             "ExpectedServerSignType" =>, "Ed25519",
124             "ExpectedResult" => "Success"
125         },
126     },
127     {
128         name => "ECDSA CipherString Selection, no ECDSA certificate",
129         server => {
130             "MaxProtocol" => "TLSv1.2"
131         },
132         client => {
133             "CipherString" => "aECDSA",
134             "MaxProtocol" => "TLSv1.2"
135         },
136         test   => {
137             "ExpectedResult" => "ServerFail"
138         },
139     },
140     {
141         name => "ECDSA Signature Algorithm Selection",
142         server => $server,
143         client => {
144             "SignatureAlgorithms" => "ECDSA+SHA256",
145         },
146         test   => {
147             "ExpectedServerCertType" => "P-256",
148             "ExpectedServerSignHash" => "SHA256",
149             "ExpectedServerSignType" => "EC",
150             "ExpectedResult" => "Success"
151         },
152     },
153     {
154         name => "ECDSA Signature Algorithm Selection SHA384",
155         server => $server,
156         client => {
157             "SignatureAlgorithms" => "ECDSA+SHA384",
158         },
159         test   => {
160             "ExpectedServerCertType" => "P-256",
161             "ExpectedServerSignHash" => "SHA384",
162             "ExpectedServerSignType" => "EC",
163             "ExpectedResult" => "Success"
164         },
165     },
166     {
167         name => "ECDSA Signature Algorithm Selection SHA1",
168         server => $server,
169         client => {
170             "SignatureAlgorithms" => "ECDSA+SHA1",
171         },
172         test   => {
173             "ExpectedServerCertType" => "P-256",
174             "ExpectedServerSignHash" => "SHA1",
175             "ExpectedServerSignType" => "EC",
176             "ExpectedResult" => "Success"
177         },
178     },
179     {
180         name => "ECDSA Signature Algorithm Selection compressed point",
181         server => {
182             "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
183             "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
184             "MaxProtocol" => "TLSv1.2"
185         },
186         client => {
187             "SignatureAlgorithms" => "ECDSA+SHA256",
188         },
189         test   => {
190             "ExpectedServerCertType" => "P-256",
191             "ExpectedServerSignHash" => "SHA256",
192             "ExpectedServerSignType" => "EC",
193             "ExpectedResult" => "Success"
194         },
195     },
196     {
197         name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
198         server => {
199              "MaxProtocol" => "TLSv1.2"
200         },
201         client => {
202             "SignatureAlgorithms" => "ECDSA+SHA256",
203         },
204         test   => {
205             "ExpectedResult" => "ServerFail"
206         },
207     },
208     {
209         name => "RSA Signature Algorithm Selection",
210         server => $server,
211         client => {
212             "SignatureAlgorithms" => "RSA+SHA256",
213         },
214         test   => {
215             "ExpectedServerCertType" => "RSA",
216             "ExpectedServerSignHash" => "SHA256",
217             "ExpectedServerSignType" => "RSA",
218             "ExpectedResult" => "Success"
219         },
220     },
221     {
222         name => "RSA-PSS Signature Algorithm Selection",
223         server => $server,
224         client => {
225             "SignatureAlgorithms" => "RSA-PSS+SHA256",
226         },
227         test   => {
228             "ExpectedServerCertType" => "RSA",
229             "ExpectedServerSignHash" => "SHA256",
230             "ExpectedServerSignType" => "RSA-PSS",
231             "ExpectedResult" => "Success"
232         },
233     },
234     {
235         name => "RSA-PSS Certificate Signature Algorithm Selection",
236         server => $server_pss,
237         client => {
238             "SignatureAlgorithms" => "RSA-PSS+SHA256",
239         },
240         test   => {
241             "ExpectedServerCertType" => "RSA-PSS",
242             "ExpectedServerSignHash" => "SHA256",
243             "ExpectedServerSignType" => "RSA-PSS",
244             "ExpectedResult" => "Success"
245         },
246     },
247     {
248         name => "Only RSA-PSS Certificate",
249         server => $server_pss_only,
250         client => {},
251         test   => {
252             "ExpectedServerCertType" => "RSA-PSS",
253             "ExpectedServerSignHash" => "SHA256",
254             "ExpectedServerSignType" => "RSA-PSS",
255             "ExpectedResult" => "Success"
256         },
257     },
258     {
259         name => "RSA-PSS Certificate, no PSS signature algorithms",
260         server => $server_pss_only,
261         client => {
262             "SignatureAlgorithms" => "RSA+SHA256",
263         },
264         test   => {
265             "ExpectedResult" => "ServerFail"
266         },
267     },
268     {
269         name => "Only RSA-PSS Certificate, TLS v1.1",
270         server => $server_pss_only,
271         client => {
272             "MaxProtocol" => "TLSv1.1",
273         },
274         test   => {
275             "ExpectedResult" => "ServerFail"
276         },
277     },
278     {
279         name => "Suite B P-256 Hash Algorithm Selection",
280         server =>  {
281             "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
282             "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
283             "MaxProtocol" => "TLSv1.2",
284             "CipherString" => "SUITEB128"
285         },
286         client => {
287             "VerifyCAFile" => test_pem("p384-root.pem"),
288             "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
289         },
290         test   => {
291             "ExpectedServerCertType" => "P-256",
292             "ExpectedServerSignHash" => "SHA256",
293             "ExpectedServerSignType" => "EC",
294             "ExpectedResult" => "Success"
295         },
296     },
297     {
298         name => "Suite B P-384 Hash Algorithm Selection",
299         server =>  {
300             "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
301             "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
302             "MaxProtocol" => "TLSv1.2",
303             "CipherString" => "SUITEB128"
304         },
305         client => {
306             "VerifyCAFile" => test_pem("p384-root.pem"),
307             "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
308         },
309         test   => {
310             "ExpectedServerCertType" => "P-384",
311             "ExpectedServerSignHash" => "SHA384",
312             "ExpectedServerSignType" => "EC",
313             "ExpectedResult" => "Success"
314         },
315     },
316     {
317         name => "TLS 1.2 Ed25519 Client Auth",
318         server => {
319             "VerifyCAFile" => test_pem("root-cert.pem"),
320             "VerifyMode" => "Require"
321         },
322         client => {
323             "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
324             "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
325             "MinProtocol" => "TLSv1.2",
326             "MaxProtocol" => "TLSv1.2"
327         },
328         test   => {
329             "ExpectedClientCertType" => "Ed25519",
330             "ExpectedClientSignType" => "Ed25519",
331             "ExpectedResult" => "Success"
332         },
333     },
334 );
335
336 my $server_tls_1_3 = {
337     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
338     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
339     "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
340     "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
341     "MinProtocol" => "TLSv1.3",
342     "MaxProtocol" => "TLSv1.3"
343 };
344
345 my $server_tls_1_3_pss = {
346     "PSS.Certificate" => test_pem("server-pss-cert.pem"),
347     "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
348     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
349     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
350     "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
351     "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
352     "MinProtocol" => "TLSv1.3",
353     "MaxProtocol" => "TLSv1.3"
354 };
355
356 my $client_tls_1_3 = {
357     "RSA.Certificate" => test_pem("ee-client-chain.pem"),
358     "RSA.PrivateKey" => test_pem("ee-key.pem"),
359     "ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
360     "ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"),
361     "MinProtocol" => "TLSv1.3",
362     "MaxProtocol" => "TLSv1.3"
363 };
364
365 my @tests_tls_1_3 = (
366     {
367         name => "TLS 1.3 ECDSA Signature Algorithm Selection",
368         server => $server_tls_1_3,
369         client => {
370             "SignatureAlgorithms" => "ECDSA+SHA256",
371         },
372         test   => {
373             "ExpectedServerCertType" => "P-256",
374             "ExpectedServerSignHash" => "SHA256",
375             "ExpectedServerSignType" => "EC",
376             "ExpectedServerCANames" => "empty",
377             "ExpectedResult" => "Success"
378         },
379     },
380     {
381         name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point",
382         server => {
383             "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
384             "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
385             "MinProtocol" => "TLSv1.3",
386             "MaxProtocol" => "TLSv1.3"
387         },
388         client => {
389             "SignatureAlgorithms" => "ECDSA+SHA256",
390         },
391         test   => {
392             "ExpectedResult" => "ServerFail"
393         },
394     },
395     {
396         name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1",
397         server => $server_tls_1_3,
398         client => {
399             "SignatureAlgorithms" => "ECDSA+SHA1",
400         },
401         test   => {
402             "ExpectedResult" => "ServerFail"
403         },
404     },
405     {
406         name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
407         server => $server_tls_1_3,
408         client => {
409             "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
410             "RequestCAFile" => test_pem("root-cert.pem"),
411         },
412         test   => {
413             "ExpectedServerCertType" => "P-256",
414             "ExpectedServerSignHash" => "SHA256",
415             "ExpectedServerSignType" => "EC",
416             "ExpectedServerCANames" => test_pem("root-cert.pem"),
417             "ExpectedResult" => "Success"
418         },
419     },
420     {
421         name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
422         server => $server_tls_1_3,
423         client => {
424             "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
425         },
426         test   => {
427             "ExpectedServerCertType" => "RSA",
428             "ExpectedServerSignHash" => "SHA384",
429             "ExpectedServerSignType" => "RSA-PSS",
430             "ExpectedResult" => "Success"
431         },
432     },
433     {
434         name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
435         server => {
436             "MinProtocol" => "TLSv1.3",
437             "MaxProtocol" => "TLSv1.3"
438         },
439         client => {
440             "SignatureAlgorithms" => "ECDSA+SHA256",
441         },
442         test   => {
443             "ExpectedResult" => "ServerFail"
444         },
445     },
446     {
447         name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
448         server => $server_tls_1_3,
449         client => {
450             "SignatureAlgorithms" => "RSA+SHA256",
451         },
452         test   => {
453             "ExpectedResult" => "ServerFail"
454         },
455     },
456     {
457         name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
458         server => $server_tls_1_3,
459         client => {
460             "SignatureAlgorithms" => "RSA-PSS+SHA256",
461         },
462         test   => {
463             "ExpectedServerCertType" => "RSA",
464             "ExpectedServerSignHash" => "SHA256",
465             "ExpectedServerSignType" => "RSA-PSS",
466             "ExpectedResult" => "Success"
467         },
468     },
469     {
470         name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
471         server => $server_tls_1_3,
472         client => {
473             "SignatureAlgorithms" => "ed25519",
474         },
475         test   => {
476             "ExpectedServerCertType" => "Ed25519",
477             "ExpectedServerSignType" => "Ed25519",
478             "ExpectedResult" => "Success"
479         },
480     },
481     {
482         name => "TLS 1.3 Ed25519 CipherString and Groups Selection",
483         server => $server_tls_1_3,
484         client => {
485             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
486             # Excluding P-256 from the supported groups list should
487             # mean server still uses a P-256 certificate because supported
488             # groups is not used in signature selection for TLS 1.3
489             "Groups" => "X25519"
490         },
491         test   => {
492             "ExpectedServerCertType" =>, "P-256",
493             "ExpectedServerSignType" =>, "EC",
494             "ExpectedResult" => "Success"
495         },
496     },
497     {
498         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
499         server => {
500             "ClientSignatureAlgorithms" => "PSS+SHA256",
501             "VerifyCAFile" => test_pem("root-cert.pem"),
502             "VerifyMode" => "Require"
503         },
504         client => $client_tls_1_3,
505         test   => {
506             "ExpectedClientCertType" => "RSA",
507             "ExpectedClientSignHash" => "SHA256",
508             "ExpectedClientSignType" => "RSA-PSS",
509             "ExpectedClientCANames" => "empty",
510             "ExpectedResult" => "Success"
511         },
512     },
513     {
514         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
515         server => {
516             "ClientSignatureAlgorithms" => "PSS+SHA256",
517             "VerifyCAFile" => test_pem("root-cert.pem"),
518             "RequestCAFile" => test_pem("root-cert.pem"),
519             "VerifyMode" => "Require"
520         },
521         client => $client_tls_1_3,
522         test   => {
523             "ExpectedClientCertType" => "RSA",
524             "ExpectedClientSignHash" => "SHA256",
525             "ExpectedClientSignType" => "RSA-PSS",
526             "ExpectedClientCANames" => test_pem("root-cert.pem"),
527             "ExpectedResult" => "Success"
528         },
529     },
530     {
531         name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
532         server => {
533             "ClientSignatureAlgorithms" => "ECDSA+SHA256",
534             "VerifyCAFile" => test_pem("root-cert.pem"),
535             "VerifyMode" => "Require"
536         },
537         client => $client_tls_1_3,
538         test   => {
539             "ExpectedClientCertType" => "P-256",
540             "ExpectedClientSignHash" => "SHA256",
541             "ExpectedClientSignType" => "EC",
542             "ExpectedResult" => "Success"
543         },
544     },
545     {
546         name => "TLS 1.3 Ed25519 Client Auth",
547         server => {
548             "VerifyCAFile" => test_pem("root-cert.pem"),
549             "VerifyMode" => "Require"
550         },
551         client => {
552             "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
553             "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
554             "MinProtocol" => "TLSv1.3",
555             "MaxProtocol" => "TLSv1.3"
556         },
557         test   => {
558             "ExpectedClientCertType" => "Ed25519",
559             "ExpectedClientSignType" => "Ed25519",
560             "ExpectedResult" => "Success"
561         },
562     },
563 );
564
565 push @tests, @tests_tls_1_3 unless disabled("tls1_3");
566
567 my @tests_dsa_tls_1_2 = (
568     {
569         name => "TLS 1.2 DSA Certificate Test",
570         server => {
571             "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
572             "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
573             "DHParameters" => test_pem("dhp2048.pem"),
574             "MinProtocol" => "TLSv1.2",
575             "MaxProtocol" => "TLSv1.2",
576             "CipherString" => "ALL",
577         },
578         client => {
579             "SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
580             "CipherString" => "ALL",
581         },
582         test   => {
583             "ExpectedResult" => "Success"
584         },
585     },
586 );
587
588 my @tests_dsa_tls_1_3 = (
589     {
590         name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
591         server => {
592             "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
593             "VerifyCAFile" => test_pem("root-cert.pem"),
594             "VerifyMode" => "Request"
595         },
596         client => {},
597         test   => {
598             "ExpectedResult" => "ServerFail"
599         },
600     },
601     {
602         name => "TLS 1.3 DSA Certificate Test",
603         server => {
604             "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
605             "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
606             "MinProtocol" => "TLSv1.3",
607             "MaxProtocol" => "TLSv1.3",
608             "CipherString" => "ALL",
609         },
610         client => {
611             "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256:ECDSA+SHA256",
612             "CipherString" => "ALL",
613         },
614         test   => {
615             "ExpectedResult" => "ServerFail"
616         },
617     },
618 );
619
620 if (!disabled("dsa")) {
621     push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
622     push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
623 }