Add Client CA names tests
1 # -*- mode: perl; -*-
2
3 ## SSL test configurations
4
5
6 use strict;
7 use warnings;
8
9 package ssltests;
10 use OpenSSL::Test::Utils;
11
# Shared TLS 1.2 server configuration.  Only the ECDSA certificate/key pair
# is set here, yet the RSA selection tests below succeed against it, so an
# RSA pair is presumably supplied by the harness defaults -- confirm in the
# generator.  Every test entry that names $server shares this one hashref.
my $server = {
    'MaxProtocol'       => 'TLSv1.2',
    'ECDSA.Certificate' => test_pem('server-ecdsa-cert.pem'),
    'ECDSA.PrivateKey'  => test_pem('server-ecdsa-key.pem'),
};
17
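# TLS 1.2 certificate-selection tests.  Each entry restricts the client's
# CipherString or SignatureAlgorithms so that only one of the server's
# certificates (ECDSA or RSA) is usable, then pins the chosen certificate
# type, signature type and hash through the Expected* keys.  Two entries
# previously had a stray comma after "=>" (harmless to Perl's list parser,
# but misleading); they are written as plain key/value pairs here.
our @tests = (
    {
        # "aECDSA" admits only ECDSA-authenticated suites, so the server has
        # to pick its EC certificate.
        name   => 'ECDSA CipherString Selection',
        server => $server,
        client => {
            'CipherString' => 'aECDSA',
        },
        test   => {
            'ExpectedServerCertType' => 'P-256',
            'ExpectedServerSignType' => 'EC',
            'ExpectedResult'         => 'Success',
        },
    },
    {
        # "aRSA" forces the RSA certificate.  RSA-PSS (rather than PKCS#1
        # v1.5) is expected because the client sends its default
        # signature_algorithms list, which presumably ranks PSS first --
        # confirm against the default sigalg order.
        name   => 'RSA CipherString Selection',
        server => $server,
        client => {
            'CipherString' => 'aRSA',
        },
        test   => {
            'ExpectedServerCertType' => 'RSA',
            'ExpectedServerSignType' => 'RSA-PSS',
            'ExpectedResult'         => 'Success',
        },
    },
    {
        # No ECDSA certificate configured and the client accepts nothing
        # else: the server must fail rather than serve a mismatched cert.
        name   => 'ECDSA CipherString Selection, no ECDSA certificate',
        server => {
            'MaxProtocol' => 'TLSv1.2',
        },
        client => {
            'CipherString' => 'aECDSA',
        },
        test   => {
            'ExpectedResult' => 'ServerFail',
        },
    },
    {
        # Selection driven by signature_algorithms alone.
        name   => 'ECDSA Signature Algorithm Selection',
        server => $server,
        client => {
            'SignatureAlgorithms' => 'ECDSA+SHA256',
        },
        test   => {
            'ExpectedServerCertType' => 'P-256',
            'ExpectedServerSignHash' => 'SHA256',
            'ExpectedServerSignType' => 'EC',
            'ExpectedResult'         => 'Success',
        },
    },
    {
        # TLS 1.2 does not tie the hash to the curve, so SHA-384 over a
        # P-256 key is accepted here (the TLS 1.3 tests behave differently).
        name   => 'ECDSA Signature Algorithm Selection SHA384',
        server => $server,
        client => {
            'SignatureAlgorithms' => 'ECDSA+SHA384',
        },
        test   => {
            'ExpectedServerCertType' => 'P-256',
            'ExpectedServerSignHash' => 'SHA384',
            'ExpectedServerSignType' => 'EC',
            'ExpectedResult'         => 'Success',
        },
    },
    {
        # A SHA-1 handshake signature is still accepted under TLS 1.2 at the
        # security level the harness runs with; the TLS 1.3 counterpart of
        # this test expects ServerFail.
        name   => 'ECDSA Signature Algorithm Selection SHA1',
        server => $server,
        client => {
            'SignatureAlgorithms' => 'ECDSA+SHA1',
        },
        test   => {
            'ExpectedServerCertType' => 'P-256',
            'ExpectedServerSignHash' => 'SHA1',
            'ExpectedServerSignType' => 'EC',
            'ExpectedResult'         => 'Success',
        },
    },
    {
        # Server certificate whose EC public key uses a compressed point;
        # usable in TLS 1.2.
        name   => 'ECDSA Signature Algorithm Selection compressed point',
        server => {
            'ECDSA.Certificate' => test_pem('server-cecdsa-cert.pem'),
            'ECDSA.PrivateKey'  => test_pem('server-cecdsa-key.pem'),
            'MaxProtocol'       => 'TLSv1.2',
        },
        client => {
            'SignatureAlgorithms' => 'ECDSA+SHA256',
        },
        test   => {
            'ExpectedServerCertType' => 'P-256',
            'ExpectedServerSignHash' => 'SHA256',
            'ExpectedServerSignType' => 'EC',
            'ExpectedResult'         => 'Success',
        },
    },
    {
        name   => 'ECDSA Signature Algorithm Selection, no ECDSA certificate',
        server => {
            'MaxProtocol' => 'TLSv1.2',
        },
        client => {
            'SignatureAlgorithms' => 'ECDSA+SHA256',
        },
        test   => {
            'ExpectedResult' => 'ServerFail',
        },
    },
    {
        # Plain "RSA+SHA256" selects a PKCS#1 v1.5 signature ("RSA").
        name   => 'RSA Signature Algorithm Selection',
        server => $server,
        client => {
            'SignatureAlgorithms' => 'RSA+SHA256',
        },
        test   => {
            'ExpectedServerCertType' => 'RSA',
            'ExpectedServerSignHash' => 'SHA256',
            'ExpectedServerSignType' => 'RSA',
            'ExpectedResult'         => 'Success',
        },
    },
    {
        name   => 'RSA-PSS Signature Algorithm Selection',
        server => $server,
        client => {
            'SignatureAlgorithms' => 'RSA-PSS+SHA256',
        },
        test   => {
            'ExpectedServerCertType' => 'RSA',
            'ExpectedServerSignHash' => 'SHA256',
            'ExpectedServerSignType' => 'RSA-PSS',
            'ExpectedResult'         => 'Success',
        },
    },
    {
        # Suite B binds the hash to the curve (P-256 -> SHA-256).  The
        # client lists SHA384 first, yet SHA256 is expected: the client's
        # preference order does not override the Suite B pairing.
        name   => 'Suite B P-256 Hash Algorithm Selection',
        server => {
            'ECDSA.Certificate' => test_pem('p256-server-cert.pem'),
            'ECDSA.PrivateKey'  => test_pem('p256-server-key.pem'),
            'MaxProtocol'       => 'TLSv1.2',
            'CipherString'      => 'SUITEB128',
        },
        client => {
            'VerifyCAFile'        => test_pem('p384-root.pem'),
            'SignatureAlgorithms' => 'ECDSA+SHA384:ECDSA+SHA256',
        },
        test   => {
            'ExpectedServerCertType' => 'P-256',
            'ExpectedServerSignHash' => 'SHA256',
            'ExpectedServerSignType' => 'EC',
            'ExpectedResult'         => 'Success',
        },
    },
    {
        # Mirror image of the previous entry: P-384 -> SHA-384 even though
        # the client prefers SHA256.
        name   => 'Suite B P-384 Hash Algorithm Selection',
        server => {
            'ECDSA.Certificate' => test_pem('p384-server-cert.pem'),
            'ECDSA.PrivateKey'  => test_pem('p384-server-key.pem'),
            'MaxProtocol'       => 'TLSv1.2',
            'CipherString'      => 'SUITEB128',
        },
        client => {
            'VerifyCAFile'        => test_pem('p384-root.pem'),
            'SignatureAlgorithms' => 'ECDSA+SHA256:ECDSA+SHA384',
        },
        test   => {
            'ExpectedServerCertType' => 'P-384',
            'ExpectedServerSignHash' => 'SHA384',
            'ExpectedServerSignType' => 'EC',
            'ExpectedResult'         => 'Success',
        },
    },
);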
188
189
# TLS 1.3-only server: the same ECDSA pair as $server, pinned to TLSv1.3 at
# both ends so no test in this group can negotiate down to TLS 1.2.
my $server_tls_1_3 = {
    'MinProtocol'       => 'TLSv1.3',
    'MaxProtocol'       => 'TLSv1.3',
    'ECDSA.Certificate' => test_pem('server-ecdsa-cert.pem'),
    'ECDSA.PrivateKey'  => test_pem('server-ecdsa-key.pem'),
};
196
# TLS 1.3-only client for the client-authentication tests.  It carries both
# an RSA and an ECDSA chain so the server's ClientSignatureAlgorithms decides
# which one is presented.
my $client_tls_1_3 = {
    'MinProtocol'       => 'TLSv1.3',
    'MaxProtocol'       => 'TLSv1.3',
    'RSA.Certificate'   => test_pem('ee-client-chain.pem'),
    'RSA.PrivateKey'    => test_pem('ee-key.pem'),
    'ECDSA.Certificate' => test_pem('ee-ecdsa-client-chain.pem'),
    'ECDSA.PrivateKey'  => test_pem('ee-ecdsa-key.pem'),
};
205
# TLS 1.3 certificate-selection and client-authentication tests.  Appended
# to @tests only when the build has TLS 1.3 enabled (see below).
my @tests_tls_1_3 = (
    {
        name   => 'TLS 1.3 ECDSA Signature Algorithm Selection',
        server => $server_tls_1_3,
        client => {
            'SignatureAlgorithms' => 'ECDSA+SHA256',
        },
        test   => {
            'ExpectedServerCertType' => 'P-256',
            'ExpectedServerSignHash' => 'SHA256',
            'ExpectedServerSignType' => 'EC',
            'ExpectedResult'         => 'Success',
        },
    },
    {
        # Same compressed-point certificate that succeeds under TLS 1.2 is
        # expected to be rejected here; TLS 1.3 only carries uncompressed
        # points (confirm against the certificate-usability check).
        name   => 'TLS 1.3 ECDSA Signature Algorithm Selection compressed point',
        server => {
            'ECDSA.Certificate' => test_pem('server-cecdsa-cert.pem'),
            'ECDSA.PrivateKey'  => test_pem('server-cecdsa-key.pem'),
            'MinProtocol'       => 'TLSv1.3',
            'MaxProtocol'       => 'TLSv1.3',
        },
        client => {
            'SignatureAlgorithms' => 'ECDSA+SHA256',
        },
        test   => {
            'ExpectedResult' => 'ServerFail',
        },
    },
    {
        # TLS 1.3 has no SHA-1 signature scheme for handshake signatures, so
        # a client offering only ECDSA+SHA1 must be refused, not downgraded.
        name   => 'TLS 1.3 ECDSA Signature Algorithm Selection SHA1',
        server => $server_tls_1_3,
        client => {
            'SignatureAlgorithms' => 'ECDSA+SHA1',
        },
        test   => {
            'ExpectedResult' => 'ServerFail',
        },
    },
    {
        # ECDSA listed first and usable with the P-256 key, so it wins over
        # the RSA-PSS alternative.
        name   => 'TLS 1.3 ECDSA Signature Algorithm Selection with PSS',
        server => $server_tls_1_3,
        client => {
            'SignatureAlgorithms' => 'ECDSA+SHA256:RSA-PSS+SHA256',
        },
        test   => {
            'ExpectedServerCertType' => 'P-256',
            'ExpectedServerSignHash' => 'SHA256',
            'ExpectedServerSignType' => 'EC',
            'ExpectedResult'         => 'Success',
        },
    },
    {
        # ECDSA+SHA384 in TLS 1.3 implies a P-384 key, which this server
        # does not have, so selection falls through to RSA-PSS with SHA-384.
        name   => 'TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS',
        server => $server_tls_1_3,
        client => {
            'SignatureAlgorithms' => 'ECDSA+SHA384:RSA-PSS+SHA384',
        },
        test   => {
            'ExpectedServerCertType' => 'RSA',
            'ExpectedServerSignHash' => 'SHA384',
            'ExpectedServerSignType' => 'RSA-PSS',
            'ExpectedResult'         => 'Success',
        },
    },
    {
        name   => 'TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate',
        server => {
            'MinProtocol' => 'TLSv1.3',
            'MaxProtocol' => 'TLSv1.3',
        },
        client => {
            'SignatureAlgorithms' => 'ECDSA+SHA256',
        },
        test   => {
            'ExpectedResult' => 'ServerFail',
        },
    },
    {
        # RSA handshake signatures in TLS 1.3 must be RSA-PSS; a client that
        # offers only PKCS#1 v1.5 ("RSA+SHA256") gets no usable scheme.
        name   => 'TLS 1.3 RSA Signature Algorithm Selection, no PSS',
        server => $server_tls_1_3,
        client => {
            'SignatureAlgorithms' => 'RSA+SHA256',
        },
        test   => {
            'ExpectedResult' => 'ServerFail',
        },
    },
    {
        name   => 'TLS 1.3 RSA-PSS Signature Algorithm Selection',
        server => $server_tls_1_3,
        client => {
            'SignatureAlgorithms' => 'RSA-PSS+SHA256',
        },
        test   => {
            'ExpectedServerCertType' => 'RSA',
            'ExpectedServerSignHash' => 'SHA256',
            'ExpectedServerSignType' => 'RSA-PSS',
            'ExpectedResult'         => 'Success',
        },
    },
    {
        # Client auth, server advertising PSS only.  No ClientCAFile is set,
        # so the CertificateRequest is expected to carry no CA names.
        name   => 'TLS 1.3 RSA Client Auth Signature Algorithm Selection',
        server => {
            'ClientSignatureAlgorithms' => 'PSS+SHA256',
            'VerifyCAFile'              => test_pem('root-cert.pem'),
            'VerifyMode'                => 'Require',
        },
        client => $client_tls_1_3,
        test   => {
            'ExpectedClientCertType' => 'RSA',
            'ExpectedClientSignHash' => 'SHA256',
            'ExpectedClientSignType' => 'RSA-PSS',
            'ExpectedClientCANames'  => 'empty',
            'ExpectedResult'         => 'Success',
        },
    },
    {
        # As above, but with ClientCAFile set the advertised CA names are
        # expected to match the subject(s) in root-cert.pem.
        name   => 'TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names',
        server => {
            'ClientSignatureAlgorithms' => 'PSS+SHA256',
            'VerifyCAFile'              => test_pem('root-cert.pem'),
            'ClientCAFile'              => test_pem('root-cert.pem'),
            'VerifyMode'                => 'Require',
        },
        client => $client_tls_1_3,
        test   => {
            'ExpectedClientCertType' => 'RSA',
            'ExpectedClientSignHash' => 'SHA256',
            'ExpectedClientSignType' => 'RSA-PSS',
            'ExpectedClientCANames'  => test_pem('root-cert.pem'),
            'ExpectedResult'         => 'Success',
        },
    },
    {
        # Server accepts only ECDSA client signatures, so the client must
        # present its ECDSA chain rather than the RSA one.
        name   => 'TLS 1.3 ECDSA Client Auth Signature Algorithm Selection',
        server => {
            'ClientSignatureAlgorithms' => 'ECDSA+SHA256',
            'VerifyCAFile'              => test_pem('root-cert.pem'),
            'VerifyMode'                => 'Require',
        },
        client => $client_tls_1_3,
        test   => {
            'ExpectedClientCertType' => 'P-256',
            'ExpectedClientSignHash' => 'SHA256',
            'ExpectedClientSignType' => 'EC',
            'ExpectedResult'         => 'Success',
        },
    },
    {
        # None of SHA-1, DSA or PKCS#1 v1.5 RSA is a TLS 1.3 signature
        # scheme, so the server cannot build a valid CertificateRequest and
        # must fail even though VerifyMode is only "Request".
        name   => 'TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms',
        server => {
            'ClientSignatureAlgorithms' => 'ECDSA+SHA1:DSA+SHA256:RSA+SHA256',
            'VerifyCAFile'              => test_pem('root-cert.pem'),
            'VerifyMode'                => 'Request',
        },
        client => {},
        test   => {
            'ExpectedResult' => 'ServerFail',
        },
    },
);
368
# The TLS 1.3 group only applies to builds with the protocol enabled.
if (!disabled('tls1_3')) {
    push @tests, @tests_tls_1_3;
}
370
# DSA server certificate under TLS 1.2.  DHParameters are supplied because
# the DSA-authenticated suites need a DH key exchange; CipherString "ALL" on
# both sides keeps those suites available.
my @tests_dsa_tls_1_2 = (
    {
        name   => 'TLS 1.2 DSA Certificate Test',
        server => {
            'DSA.Certificate' => test_pem('server-dsa-cert.pem'),
            'DSA.PrivateKey'  => test_pem('server-dsa-key.pem'),
            'DHParameters'    => test_pem('dhp2048.pem'),
            'MinProtocol'     => 'TLSv1.2',
            'MaxProtocol'     => 'TLSv1.2',
            'CipherString'    => 'ALL',
        },
        client => {
            'SignatureAlgorithms' => 'DSA+SHA256:DSA+SHA1',
            'CipherString'        => 'ALL',
        },
        test   => {
            'ExpectedResult' => 'Success',
        },
    },
);
391
# DSA server certificate under TLS 1.3: DSA is not a TLS 1.3 signature
# scheme, so even with ECDSA+SHA256 offered alongside the DSA entries the
# DSA-only server is expected to fail the handshake.
my @tests_dsa_tls_1_3 = (
    {
        name   => 'TLS 1.3 DSA Certificate Test',
        server => {
            'DSA.Certificate' => test_pem('server-dsa-cert.pem'),
            'DSA.PrivateKey'  => test_pem('server-dsa-key.pem'),
            'MinProtocol'     => 'TLSv1.3',
            'MaxProtocol'     => 'TLSv1.3',
            'CipherString'    => 'ALL',
        },
        client => {
            'SignatureAlgorithms' => 'DSA+SHA1:DSA+SHA256:ECDSA+SHA256',
            'CipherString'        => 'ALL',
        },
        test   => {
            'ExpectedResult' => 'ServerFail',
        },
    },
);
411
# DSA groups need DSA support; the TLS 1.2 case additionally needs DH (it
# configures DHParameters) and the TLS 1.3 case needs TLS 1.3.
unless (disabled('dsa')) {
    push @tests, @tests_dsa_tls_1_2 if !disabled('dh');
    push @tests, @tests_dsa_tls_1_3 if !disabled('tls1_3');
}