Add Suite B tests
[openssl.git] / test / ssl-tests / 20-cert-select.conf.in
1 # -*- mode: perl; -*-
2
3 ## SSL test configurations
4
5
6 use strict;
7 use warnings;
8
9 package ssltests;
10 use OpenSSL::Test::Utils;
11
12 my $server = {
13     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
14     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
15     "MaxProtocol" => "TLSv1.2"
16 };
17
18 our @tests = (
19     {
20         name => "ECDSA CipherString Selection",
21         server => $server,
22         client => {
23             "CipherString" => "aECDSA",
24         },
25         test   => {
26             "ExpectedServerCertType" =>, "P-256",
27             "ExpectedServerSignType" =>, "EC",
28             "ExpectedResult" => "Success"
29         },
30     },
31     {
32         name => "RSA CipherString Selection",
33         server => $server,
34         client => {
35             "CipherString" => "aRSA",
36         },
37         test   => {
38             "ExpectedServerCertType" =>, "RSA",
39             "ExpectedServerSignType" =>, "RSA-PSS",
40             "ExpectedResult" => "Success"
41         },
42     },
43     {
44         name => "ECDSA CipherString Selection, no ECDSA certificate",
45         server => {
46             "MaxProtocol" => "TLSv1.2"
47         },
48         client => {
49             "CipherString" => "aECDSA"
50         },
51         test   => {
52             "ExpectedResult" => "ServerFail"
53         },
54     },
55     {
56         name => "ECDSA Signature Algorithm Selection",
57         server => $server,
58         client => {
59             "SignatureAlgorithms" => "ECDSA+SHA256",
60         },
61         test   => {
62             "ExpectedServerCertType" => "P-256",
63             "ExpectedServerSignHash" => "SHA256",
64             "ExpectedServerSignType" => "EC",
65             "ExpectedResult" => "Success"
66         },
67     },
68     {
69         name => "ECDSA Signature Algorithm Selection SHA384",
70         server => $server,
71         client => {
72             "SignatureAlgorithms" => "ECDSA+SHA384",
73         },
74         test   => {
75             "ExpectedServerCertType" => "P-256",
76             "ExpectedServerSignHash" => "SHA384",
77             "ExpectedServerSignType" => "EC",
78             "ExpectedResult" => "Success"
79         },
80     },
81     {
82         name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
83         server => {
84              "MaxProtocol" => "TLSv1.2"
85         },
86         client => {
87             "SignatureAlgorithms" => "ECDSA+SHA256",
88         },
89         test   => {
90             "ExpectedResult" => "ServerFail"
91         },
92     },
93     {
94         name => "RSA Signature Algorithm Selection",
95         server => $server,
96         client => {
97             "SignatureAlgorithms" => "RSA+SHA256",
98         },
99         test   => {
100             "ExpectedServerCertType" => "RSA",
101             "ExpectedServerSignHash" => "SHA256",
102             "ExpectedServerSignType" => "RSA",
103             "ExpectedResult" => "Success"
104         },
105     },
106     {
107         name => "RSA-PSS Signature Algorithm Selection",
108         server => $server,
109         client => {
110             "SignatureAlgorithms" => "RSA-PSS+SHA256",
111         },
112         test   => {
113             "ExpectedServerCertType" => "RSA",
114             "ExpectedServerSignHash" => "SHA256",
115             "ExpectedServerSignType" => "RSA-PSS",
116             "ExpectedResult" => "Success"
117         },
118     },
119     {
120         name => "Suite B P-256 Hash Algorithm Selection",
121         server =>  {
122             "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
123             "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
124             "MaxProtocol" => "TLSv1.2",
125             "CipherString" => "SUITEB128"
126         },
127         client => {
128             "VerifyCAFile" => test_pem("p384-root.pem"),
129             "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
130         },
131         test   => {
132             "ExpectedServerCertType" => "P-256",
133             "ExpectedServerSignHash" => "SHA256",
134             "ExpectedServerSignType" => "EC",
135             "ExpectedResult" => "Success"
136         },
137     },
138     {
139         name => "Suite B P-384 Hash Algorithm Selection",
140         server =>  {
141             "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
142             "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
143             "MaxProtocol" => "TLSv1.2",
144             "CipherString" => "SUITEB128"
145         },
146         client => {
147             "VerifyCAFile" => test_pem("p384-root.pem"),
148             "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
149         },
150         test   => {
151             "ExpectedServerCertType" => "P-384",
152             "ExpectedServerSignHash" => "SHA384",
153             "ExpectedServerSignType" => "EC",
154             "ExpectedResult" => "Success"
155         },
156     }
157 );
158
159
160 my $server_tls_1_3 = {
161     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
162     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
163     "MinProtocol" => "TLSv1.3",
164     "MaxProtocol" => "TLSv1.3"
165 };
166
167 my $client_tls_1_3 = {
168     "RSA.Certificate" => test_pem("ee-client-chain.pem"),
169     "RSA.PrivateKey" => test_pem("ee-key.pem"),
170     "ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
171     "ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"),
172     "MinProtocol" => "TLSv1.3",
173     "MaxProtocol" => "TLSv1.3"
174 };
175
176 my @tests_tls_1_3 = (
177     {
178         name => "TLS 1.3 ECDSA Signature Algorithm Selection",
179         server => $server_tls_1_3,
180         client => {
181             "SignatureAlgorithms" => "ECDSA+SHA256",
182         },
183         test   => {
184             "ExpectedServerCertType" => "P-256",
185             "ExpectedServerSignHash" => "SHA256",
186             "ExpectedServerSignType" => "EC",
187             "ExpectedResult" => "Success"
188         },
189     },
190     {
191         name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
192         server => $server_tls_1_3,
193         client => {
194             "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
195         },
196         test   => {
197             "ExpectedServerCertType" => "P-256",
198             "ExpectedServerSignHash" => "SHA256",
199             "ExpectedServerSignType" => "EC",
200             "ExpectedResult" => "Success"
201         },
202     },
203     {
204         name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
205         server => $server_tls_1_3,
206         client => {
207             "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
208         },
209         test   => {
210             "ExpectedServerCertType" => "RSA",
211             "ExpectedServerSignHash" => "SHA384",
212             "ExpectedServerSignType" => "RSA-PSS",
213             "ExpectedResult" => "Success"
214         },
215     },
216     {
217         name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
218         server => {
219             "MinProtocol" => "TLSv1.3",
220             "MaxProtocol" => "TLSv1.3"
221         },
222         client => {
223             "SignatureAlgorithms" => "ECDSA+SHA256",
224         },
225         test   => {
226             "ExpectedResult" => "ServerFail"
227         },
228     },
229     {
230         name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
231         server => $server_tls_1_3,
232         client => {
233             "SignatureAlgorithms" => "RSA+SHA256",
234         },
235         test   => {
236             "ExpectedResult" => "ServerFail"
237         },
238     },
239     {
240         name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
241         server => $server_tls_1_3,
242         client => {
243             "SignatureAlgorithms" => "RSA-PSS+SHA256",
244         },
245         test   => {
246             "ExpectedServerCertType" => "RSA",
247             "ExpectedServerSignHash" => "SHA256",
248             "ExpectedServerSignType" => "RSA-PSS",
249             "ExpectedResult" => "Success"
250         },
251     },
252     {
253         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
254         server => {
255             "ClientSignatureAlgorithms" => "PSS+SHA256",
256             "VerifyCAFile" => test_pem("root-cert.pem"),
257             "VerifyMode" => "Require"
258         },
259         client => $client_tls_1_3,
260         test   => {
261             "ExpectedClientCertType" => "RSA",
262             "ExpectedClientSignHash" => "SHA256",
263             "ExpectedClientSignType" => "RSA-PSS",
264             "ExpectedResult" => "Success"
265         },
266     },
267     {
268         name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
269         server => {
270             "ClientSignatureAlgorithms" => "ECDSA+SHA256",
271             "VerifyCAFile" => test_pem("root-cert.pem"),
272             "VerifyMode" => "Require"
273         },
274         client => $client_tls_1_3,
275         test   => {
276             "ExpectedClientCertType" => "P-256",
277             "ExpectedClientSignHash" => "SHA256",
278             "ExpectedClientSignType" => "EC",
279             "ExpectedResult" => "Success"
280         },
281     },
282 );
283
284 push @tests, @tests_tls_1_3 unless disabled("tls1_3");
285
286 my @tests_dsa_tls_1_2 = (
287     {
288         name => "TLS 1.2 DSA Certificate Test",
289         server => {
290             "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
291             "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
292             "DHParameters" => test_pem("dhp2048.pem"),
293             "MinProtocol" => "TLSv1.2",
294             "MaxProtocol" => "TLSv1.2",
295             "CipherString" => "ALL",
296         },
297         client => {
298             "SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
299             "CipherString" => "ALL",
300         },
301         test   => {
302             "ExpectedResult" => "Success"
303         },
304     },
305 );
306
307 my @tests_dsa_tls_1_3 = (
308     {
309         name => "TLS 1.3 DSA Certificate Test",
310         server => {
311             "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
312             "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
313             "MinProtocol" => "TLSv1.3",
314             "MaxProtocol" => "TLSv1.3",
315             "CipherString" => "ALL",
316         },
317         client => {
318             "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256",
319             "CipherString" => "ALL",
320         },
321         test   => {
322             "ExpectedResult" => "ServerFail"
323         },
324     },
325 );
326
327 if (!disabled("dsa")) {
328     push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
329     push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
330 }