test/ssl-tests/20-cert-select.conf.in

   1 # -*- mode: perl; -*-
   2
   3 ## SSL test configurations
   4
   5
   6 use strict;
   7 use warnings;
   8
   9 package ssltests;
  10 use OpenSSL::Test::Utils;
  11
  12 my $server = {
  13     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
  14     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
  15     "MaxProtocol" => "TLSv1.2"
  16 };
  17
  18 our @tests = (
  19     {
  20         name => "ECDSA CipherString Selection",
  21         server => $server,
  22         client => {
  23             "CipherString" => "aECDSA",
  24         },
  25         test   => {
  26             "ExpectedServerCertType" =>, "P-256",
  27             "ExpectedServerSignType" =>, "EC",
  28             "ExpectedResult" => "Success"
  29         },
  30     },
  31     {
  32         name => "RSA CipherString Selection",
  33         server => $server,
  34         client => {
  35             "CipherString" => "aRSA",
  36         },
  37         test   => {
  38             "ExpectedServerCertType" =>, "RSA",
  39             "ExpectedServerSignType" =>, "RSA-PSS",
  40             "ExpectedResult" => "Success"
  41         },
  42     },
  43     {
  44         name => "ECDSA CipherString Selection, no ECDSA certificate",
  45         server => {
  46             "MaxProtocol" => "TLSv1.2"
  47         },
  48         client => {
  49             "CipherString" => "aECDSA"
  50         },
  51         test   => {
  52             "ExpectedResult" => "ServerFail"
  53         },
  54     },
  55     {
  56         name => "ECDSA Signature Algorithm Selection",
  57         server => $server,
  58         client => {
  59             "SignatureAlgorithms" => "ECDSA+SHA256",
  60         },
  61         test   => {
  62             "ExpectedServerCertType" => "P-256",
  63             "ExpectedServerSignHash" => "SHA256",
  64             "ExpectedServerSignType" => "EC",
  65             "ExpectedResult" => "Success"
  66         },
  67     },
  68     {
  69         name => "ECDSA Signature Algorithm Selection SHA384",
  70         server => $server,
  71         client => {
  72             "SignatureAlgorithms" => "ECDSA+SHA384",
  73         },
  74         test   => {
  75             "ExpectedServerCertType" => "P-256",
  76             "ExpectedServerSignHash" => "SHA384",
  77             "ExpectedServerSignType" => "EC",
  78             "ExpectedResult" => "Success"
  79         },
  80     },
  81     {
  82         name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
  83         server => {
  84              "MaxProtocol" => "TLSv1.2"
  85         },
  86         client => {
  87             "SignatureAlgorithms" => "ECDSA+SHA256",
  88         },
  89         test   => {
  90             "ExpectedResult" => "ServerFail"
  91         },
  92     },
  93     {
  94         name => "RSA Signature Algorithm Selection",
  95         server => $server,
  96         client => {
  97             "SignatureAlgorithms" => "RSA+SHA256",
  98         },
  99         test   => {
 100             "ExpectedServerCertType" => "RSA",
 101             "ExpectedServerSignHash" => "SHA256",
 102             "ExpectedServerSignType" => "RSA",
 103             "ExpectedResult" => "Success"
 104         },
 105     },
 106     {
 107         name => "RSA-PSS Signature Algorithm Selection",
 108         server => $server,
 109         client => {
 110             "SignatureAlgorithms" => "RSA-PSS+SHA256",
 111         },
 112         test   => {
 113             "ExpectedServerCertType" => "RSA",
 114             "ExpectedServerSignHash" => "SHA256",
 115             "ExpectedServerSignType" => "RSA-PSS",
 116             "ExpectedResult" => "Success"
 117         },
 118     },
 119     {
 120         name => "Suite B P-256 Hash Algorithm Selection",
 121         server =>  {
 122             "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
 123             "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
 124             "MaxProtocol" => "TLSv1.2",
 125             "CipherString" => "SUITEB128"
 126         },
 127         client => {
 128             "VerifyCAFile" => test_pem("p384-root.pem"),
 129             "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
 130         },
 131         test   => {
 132             "ExpectedServerCertType" => "P-256",
 133             "ExpectedServerSignHash" => "SHA256",
 134             "ExpectedServerSignType" => "EC",
 135             "ExpectedResult" => "Success"
 136         },
 137     },
 138     {
 139         name => "Suite B P-384 Hash Algorithm Selection",
 140         server =>  {
 141             "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
 142             "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
 143             "MaxProtocol" => "TLSv1.2",
 144             "CipherString" => "SUITEB128"
 145         },
 146         client => {
 147             "VerifyCAFile" => test_pem("p384-root.pem"),
 148             "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
 149         },
 150         test   => {
 151             "ExpectedServerCertType" => "P-384",
 152             "ExpectedServerSignHash" => "SHA384",
 153             "ExpectedServerSignType" => "EC",
 154             "ExpectedResult" => "Success"
 155         },
 156     }
 157 );
 158
 159
 160 my $server_tls_1_3 = {
 161     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
 162     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
 163     "MinProtocol" => "TLSv1.3",
 164     "MaxProtocol" => "TLSv1.3"
 165 };
 166
 167 my $client_tls_1_3 = {
 168     "RSA.Certificate" => test_pem("ee-client-chain.pem"),
 169     "RSA.PrivateKey" => test_pem("ee-key.pem"),
 170     "ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
 171     "ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"),
 172     "MinProtocol" => "TLSv1.3",
 173     "MaxProtocol" => "TLSv1.3"
 174 };
 175
 176 my @tests_tls_1_3 = (
 177     {
 178         name => "TLS 1.3 ECDSA Signature Algorithm Selection",
 179         server => $server_tls_1_3,
 180         client => {
 181             "SignatureAlgorithms" => "ECDSA+SHA256",
 182         },
 183         test   => {
 184             "ExpectedServerCertType" => "P-256",
 185             "ExpectedServerSignHash" => "SHA256",
 186             "ExpectedServerSignType" => "EC",
 187             "ExpectedResult" => "Success"
 188         },
 189     },
 190     {
 191         name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
 192         server => $server_tls_1_3,
 193         client => {
 194             "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
 195         },
 196         test   => {
 197             "ExpectedServerCertType" => "P-256",
 198             "ExpectedServerSignHash" => "SHA256",
 199             "ExpectedServerSignType" => "EC",
 200             "ExpectedResult" => "Success"
 201         },
 202     },
 203     {
 204         name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
 205         server => $server_tls_1_3,
 206         client => {
 207             "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
 208         },
 209         test   => {
 210             "ExpectedServerCertType" => "RSA",
 211             "ExpectedServerSignHash" => "SHA384",
 212             "ExpectedServerSignType" => "RSA-PSS",
 213             "ExpectedResult" => "Success"
 214         },
 215     },
 216     {
 217         name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
 218         server => {
 219             "MinProtocol" => "TLSv1.3",
 220             "MaxProtocol" => "TLSv1.3"
 221         },
 222         client => {
 223             "SignatureAlgorithms" => "ECDSA+SHA256",
 224         },
 225         test   => {
 226             "ExpectedResult" => "ServerFail"
 227         },
 228     },
 229     {
 230         name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
 231         server => $server_tls_1_3,
 232         client => {
 233             "SignatureAlgorithms" => "RSA+SHA256",
 234         },
 235         test   => {
 236             "ExpectedResult" => "ServerFail"
 237         },
 238     },
 239     {
 240         name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
 241         server => $server_tls_1_3,
 242         client => {
 243             "SignatureAlgorithms" => "RSA-PSS+SHA256",
 244         },
 245         test   => {
 246             "ExpectedServerCertType" => "RSA",
 247             "ExpectedServerSignHash" => "SHA256",
 248             "ExpectedServerSignType" => "RSA-PSS",
 249             "ExpectedResult" => "Success"
 250         },
 251     },
 252     {
 253         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
 254         server => {
 255             "ClientSignatureAlgorithms" => "PSS+SHA256",
 256             "VerifyCAFile" => test_pem("root-cert.pem"),
 257             "VerifyMode" => "Require"
 258         },
 259         client => $client_tls_1_3,
 260         test   => {
 261             "ExpectedClientCertType" => "RSA",
 262             "ExpectedClientSignHash" => "SHA256",
 263             "ExpectedClientSignType" => "RSA-PSS",
 264             "ExpectedResult" => "Success"
 265         },
 266     },
 267     {
 268         name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
 269         server => {
 270             "ClientSignatureAlgorithms" => "ECDSA+SHA256",
 271             "VerifyCAFile" => test_pem("root-cert.pem"),
 272             "VerifyMode" => "Require"
 273         },
 274         client => $client_tls_1_3,
 275         test   => {
 276             "ExpectedClientCertType" => "P-256",
 277             "ExpectedClientSignHash" => "SHA256",
 278             "ExpectedClientSignType" => "EC",
 279             "ExpectedResult" => "Success"
 280         },
 281     },
 282 );
 283
 284 push @tests, @tests_tls_1_3 unless disabled("tls1_3");
 285
 286 my @tests_dsa_tls_1_2 = (
 287     {
 288         name => "TLS 1.2 DSA Certificate Test",
 289         server => {
 290             "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
 291             "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
 292             "DHParameters" => test_pem("dhp2048.pem"),
 293             "MinProtocol" => "TLSv1.2",
 294             "MaxProtocol" => "TLSv1.2",
 295             "CipherString" => "ALL",
 296         },
 297         client => {
 298             "SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
 299             "CipherString" => "ALL",
 300         },
 301         test   => {
 302             "ExpectedResult" => "Success"
 303         },
 304     },
 305 );
 306
 307 my @tests_dsa_tls_1_3 = (
 308     {
 309         name => "TLS 1.3 DSA Certificate Test",
 310         server => {
 311             "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
 312             "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
 313             "MinProtocol" => "TLSv1.3",
 314             "MaxProtocol" => "TLSv1.3",
 315             "CipherString" => "ALL",
 316         },
 317         client => {
 318             "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256",
 319             "CipherString" => "ALL",
 320         },
 321         test   => {
 322             "ExpectedResult" => "ServerFail"
 323         },
 324     },
 325 );
 326
 327 if (!disabled("dsa")) {
 328     push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
 329     push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
 330 }