From 20946b94658416d2fed0b9d9c7adfbe4b7d70515 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 8 Aug 2019 11:41:18 +0100 Subject: [PATCH] Add TLS tests for RSA-PSS Restricted certificates Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9553) --- test/ssl-tests/20-cert-select.conf | 660 ++++++++++++++++---------- test/ssl-tests/20-cert-select.conf.in | 66 +++ 2 files changed, 464 insertions(+), 262 deletions(-) diff --git a/test/ssl-tests/20-cert-select.conf b/test/ssl-tests/20-cert-select.conf index 0bcd23d7f0..93f3a1ff68 100644 --- a/test/ssl-tests/20-cert-select.conf +++ b/test/ssl-tests/20-cert-select.conf @@ -1,6 +1,6 @@ # Generated with generate_ssl_tests.pl -num_tests = 51 +num_tests = 56 test-0 = 0-ECDSA CipherString Selection test-1 = 1-ECDSA CipherString Selection @@ -24,35 +24,40 @@ test-18 = 18-RSA-PSS Signature Algorithm Selection test-19 = 19-RSA-PSS Certificate Legacy Signature Algorithm Selection test-20 = 20-RSA-PSS Certificate Unified Signature Algorithm Selection test-21 = 21-Only RSA-PSS Certificate -test-22 = 22-RSA-PSS Certificate, no PSS signature algorithms -test-23 = 23-RSA key exchange with all RSA certificate types -test-24 = 24-RSA key exchange with only RSA-PSS certificate -test-25 = 25-Suite B P-256 Hash Algorithm Selection -test-26 = 26-Suite B P-384 Hash Algorithm Selection -test-27 = 27-TLS 1.2 Ed25519 Client Auth -test-28 = 28-TLS 1.2 Ed448 Client Auth -test-29 = 29-Only RSA-PSS Certificate, TLS v1.1 -test-30 = 30-TLS 1.3 ECDSA Signature Algorithm Selection -test-31 = 31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point -test-32 = 32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1 -test-33 = 33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS -test-34 = 34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS -test-35 = 35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate -test-36 = 36-TLS 1.3 RSA Signature Algorithm Selection, no PSS -test-37 = 37-TLS 1.3 RSA-PSS Signature Algorithm Selection -test-38 = 38-TLS 1.3 Ed25519 Signature Algorithm Selection -test-39 = 39-TLS 1.3 Ed448 Signature Algorithm Selection -test-40 = 40-TLS 1.3 Ed25519 CipherString and Groups Selection -test-41 = 41-TLS 1.3 Ed448 CipherString and Groups Selection -test-42 = 42-TLS 1.3 RSA Client Auth Signature Algorithm Selection -test-43 = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names -test-44 = 44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection -test-45 = 45-TLS 1.3 Ed25519 Client Auth -test-46 = 46-TLS 1.3 Ed448 Client Auth -test-47 = 47-TLS 1.3 ECDSA with brainpool -test-48 = 48-TLS 1.2 DSA Certificate Test -test-49 = 49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms -test-50 = 50-TLS 1.3 DSA Certificate Test +test-22 = 22-Only RSA-PSS Certificate Valid Signature Algorithms +test-23 = 23-RSA-PSS Certificate, no PSS signature algorithms +test-24 = 24-Only RSA-PSS Restricted Certificate +test-25 = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms +test-26 = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm +test-27 = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms +test-28 = 28-RSA key exchange with all RSA certificate types +test-29 = 29-RSA key exchange with only RSA-PSS certificate +test-30 = 30-Suite B P-256 Hash Algorithm Selection +test-31 = 31-Suite B P-384 Hash Algorithm Selection +test-32 = 32-TLS 1.2 Ed25519 Client Auth +test-33 = 33-TLS 1.2 Ed448 Client Auth +test-34 = 34-Only RSA-PSS Certificate, TLS v1.1 +test-35 = 35-TLS 1.3 ECDSA Signature Algorithm Selection +test-36 = 36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point +test-37 = 37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1 +test-38 = 38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS +test-39 = 39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS +test-40 = 40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate +test-41 = 41-TLS 1.3 RSA Signature Algorithm Selection, no PSS +test-42 = 42-TLS 1.3 RSA-PSS Signature Algorithm Selection +test-43 = 43-TLS 1.3 Ed25519 Signature Algorithm Selection +test-44 = 44-TLS 1.3 Ed448 Signature Algorithm Selection +test-45 = 45-TLS 1.3 Ed25519 CipherString and Groups Selection +test-46 = 46-TLS 1.3 Ed448 CipherString and Groups Selection +test-47 = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection +test-48 = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names +test-49 = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection +test-50 = 50-TLS 1.3 Ed25519 Client Auth +test-51 = 51-TLS 1.3 Ed448 Client Auth +test-52 = 52-TLS 1.3 ECDSA with brainpool +test-53 = 53-TLS 1.2 DSA Certificate Test +test-54 = 54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms +test-55 = 55-TLS 1.3 DSA Certificate Test # =========================================================== [0-ECDSA CipherString Selection] @@ -775,89 +780,220 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[22-RSA-PSS Certificate, no PSS signature algorithms] -ssl_conf = 22-RSA-PSS Certificate, no PSS signature algorithms-ssl +[22-Only RSA-PSS Certificate Valid Signature Algorithms] +ssl_conf = 22-Only RSA-PSS Certificate Valid Signature Algorithms-ssl -[22-RSA-PSS Certificate, no PSS signature algorithms-ssl] -server = 22-RSA-PSS Certificate, no PSS signature algorithms-server -client = 22-RSA-PSS Certificate, no PSS signature algorithms-client +[22-Only RSA-PSS Certificate Valid Signature Algorithms-ssl] +server = 22-Only RSA-PSS Certificate Valid Signature Algorithms-server +client = 22-Only RSA-PSS Certificate Valid Signature Algorithms-client -[22-RSA-PSS Certificate, no PSS signature algorithms-server] +[22-Only RSA-PSS Certificate Valid Signature Algorithms-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem -[22-RSA-PSS Certificate, no PSS signature algorithms-client] +[22-Only RSA-PSS Certificate Valid Signature Algorithms-client] CipherString = DEFAULT -SignatureAlgorithms = RSA+SHA256 +SignatureAlgorithms = rsa_pss_pss_sha512 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-22] +ExpectedResult = Success +ExpectedServerCertType = RSA-PSS +ExpectedServerSignHash = SHA512 +ExpectedServerSignType = RSA-PSS + + +# =========================================================== + +[23-RSA-PSS Certificate, no PSS signature algorithms] +ssl_conf = 23-RSA-PSS Certificate, no PSS signature algorithms-ssl + +[23-RSA-PSS Certificate, no PSS signature algorithms-ssl] +server = 23-RSA-PSS Certificate, no PSS signature algorithms-server +client = 23-RSA-PSS Certificate, no PSS signature algorithms-client + +[23-RSA-PSS Certificate, no PSS signature algorithms-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem + +[23-RSA-PSS Certificate, no PSS signature algorithms-client] +CipherString = DEFAULT +SignatureAlgorithms = RSA+SHA256 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-23] +ExpectedResult = ServerFail + + +# =========================================================== + +[24-Only RSA-PSS Restricted Certificate] +ssl_conf = 24-Only RSA-PSS Restricted Certificate-ssl + +[24-Only RSA-PSS Restricted Certificate-ssl] +server = 24-Only RSA-PSS Restricted Certificate-server +client = 24-Only RSA-PSS Restricted Certificate-client + +[24-Only RSA-PSS Restricted Certificate-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem + +[24-Only RSA-PSS Restricted Certificate-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-24] +ExpectedResult = Success +ExpectedServerCertType = RSA-PSS +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = RSA-PSS + + +# =========================================================== + +[25-RSA-PSS Restricted Certificate Valid Signature Algorithms] +ssl_conf = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms-ssl + +[25-RSA-PSS Restricted Certificate Valid Signature Algorithms-ssl] +server = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms-server +client = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms-client + +[25-RSA-PSS Restricted Certificate Valid Signature Algorithms-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem + +[25-RSA-PSS Restricted Certificate Valid Signature Algorithms-client] +CipherString = DEFAULT +SignatureAlgorithms = rsa_pss_pss_sha256:rsa_pss_pss_sha512 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-25] +ExpectedResult = Success +ExpectedServerCertType = RSA-PSS +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = RSA-PSS + + +# =========================================================== + +[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm] +ssl_conf = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-ssl + +[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-ssl] +server = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-server +client = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-client + +[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem + +[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-client] +CipherString = DEFAULT +SignatureAlgorithms = rsa_pss_pss_sha512:rsa_pss_pss_sha256 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-26] +ExpectedResult = Success +ExpectedServerCertType = RSA-PSS +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = RSA-PSS + + +# =========================================================== + +[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms] +ssl_conf = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-ssl + +[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-ssl] +server = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-server +client = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-client + +[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem + +[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-client] +CipherString = DEFAULT +SignatureAlgorithms = rsa_pss_pss_sha512 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-27] ExpectedResult = ServerFail # =========================================================== -[23-RSA key exchange with all RSA certificate types] -ssl_conf = 23-RSA key exchange with all RSA certificate types-ssl +[28-RSA key exchange with all RSA certificate types] +ssl_conf = 28-RSA key exchange with all RSA certificate types-ssl -[23-RSA key exchange with all RSA certificate types-ssl] -server = 23-RSA key exchange with all RSA certificate types-server -client = 23-RSA key exchange with all RSA certificate types-client +[28-RSA key exchange with all RSA certificate types-ssl] +server = 28-RSA key exchange with all RSA certificate types-server +client = 28-RSA key exchange with all RSA certificate types-client -[23-RSA key exchange with all RSA certificate types-server] +[28-RSA key exchange with all RSA certificate types-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[23-RSA key exchange with all RSA certificate types-client] +[28-RSA key exchange with all RSA certificate types-client] CipherString = kRSA MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-23] +[test-28] ExpectedResult = Success ExpectedServerCertType = RSA # =========================================================== -[24-RSA key exchange with only RSA-PSS certificate] -ssl_conf = 24-RSA key exchange with only RSA-PSS certificate-ssl +[29-RSA key exchange with only RSA-PSS certificate] +ssl_conf = 29-RSA key exchange with only RSA-PSS certificate-ssl -[24-RSA key exchange with only RSA-PSS certificate-ssl] -server = 24-RSA key exchange with only RSA-PSS certificate-server -client = 24-RSA key exchange with only RSA-PSS certificate-client +[29-RSA key exchange with only RSA-PSS certificate-ssl] +server = 29-RSA key exchange with only RSA-PSS certificate-server +client = 29-RSA key exchange with only RSA-PSS certificate-client -[24-RSA key exchange with only RSA-PSS certificate-server] +[29-RSA key exchange with only RSA-PSS certificate-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem -[24-RSA key exchange with only RSA-PSS certificate-client] +[29-RSA key exchange with only RSA-PSS certificate-client] CipherString = kRSA MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-24] +[test-29] ExpectedResult = ServerFail # =========================================================== -[25-Suite B P-256 Hash Algorithm Selection] -ssl_conf = 25-Suite B P-256 Hash Algorithm Selection-ssl +[30-Suite B P-256 Hash Algorithm Selection] +ssl_conf = 30-Suite B P-256 Hash Algorithm Selection-ssl -[25-Suite B P-256 Hash Algorithm Selection-ssl] -server = 25-Suite B P-256 Hash Algorithm Selection-server -client = 25-Suite B P-256 Hash Algorithm Selection-client +[30-Suite B P-256 Hash Algorithm Selection-ssl] +server = 30-Suite B P-256 Hash Algorithm Selection-server +client = 30-Suite B P-256 Hash Algorithm Selection-client -[25-Suite B P-256 Hash Algorithm Selection-server] +[30-Suite B P-256 Hash Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = SUITEB128 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p256-server-cert.pem @@ -865,13 +1001,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p256-server-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[25-Suite B P-256 Hash Algorithm Selection-client] +[30-Suite B P-256 Hash Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem VerifyMode = Peer -[test-25] +[test-30] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA256 @@ -880,14 +1016,14 @@ ExpectedServerSignType = EC # =========================================================== -[26-Suite B P-384 Hash Algorithm Selection] -ssl_conf = 26-Suite B P-384 Hash Algorithm Selection-ssl +[31-Suite B P-384 Hash Algorithm Selection] +ssl_conf = 31-Suite B P-384 Hash Algorithm Selection-ssl -[26-Suite B P-384 Hash Algorithm Selection-ssl] -server = 26-Suite B P-384 Hash Algorithm Selection-server -client = 26-Suite B P-384 Hash Algorithm Selection-client +[31-Suite B P-384 Hash Algorithm Selection-ssl] +server = 31-Suite B P-384 Hash Algorithm Selection-server +client = 31-Suite B P-384 Hash Algorithm Selection-client -[26-Suite B P-384 Hash Algorithm Selection-server] +[31-Suite B P-384 Hash Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = SUITEB128 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem @@ -895,13 +1031,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[26-Suite B P-384 Hash Algorithm Selection-client] +[31-Suite B P-384 Hash Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem VerifyMode = Peer -[test-26] +[test-31] ExpectedResult = Success ExpectedServerCertType = P-384 ExpectedServerSignHash = SHA384 @@ -910,21 +1046,21 @@ ExpectedServerSignType = EC # =========================================================== -[27-TLS 1.2 Ed25519 Client Auth] -ssl_conf = 27-TLS 1.2 Ed25519 Client Auth-ssl +[32-TLS 1.2 Ed25519 Client Auth] +ssl_conf = 32-TLS 1.2 Ed25519 Client Auth-ssl -[27-TLS 1.2 Ed25519 Client Auth-ssl] -server = 27-TLS 1.2 Ed25519 Client Auth-server -client = 27-TLS 1.2 Ed25519 Client Auth-client +[32-TLS 1.2 Ed25519 Client Auth-ssl] +server = 32-TLS 1.2 Ed25519 Client Auth-server +client = 32-TLS 1.2 Ed25519 Client Auth-client -[27-TLS 1.2 Ed25519 Client Auth-server] +[32-TLS 1.2 Ed25519 Client Auth-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[27-TLS 1.2 Ed25519 Client Auth-client] +[32-TLS 1.2 Ed25519 Client Auth-client] CipherString = DEFAULT Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem @@ -933,7 +1069,7 @@ MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-27] +[test-32] ExpectedClientCertType = Ed25519 ExpectedClientSignType = Ed25519 ExpectedResult = Success @@ -941,21 +1077,21 @@ ExpectedResult = Success # =========================================================== -[28-TLS 1.2 Ed448 Client Auth] -ssl_conf = 28-TLS 1.2 Ed448 Client Auth-ssl +[33-TLS 1.2 Ed448 Client Auth] +ssl_conf = 33-TLS 1.2 Ed448 Client Auth-ssl -[28-TLS 1.2 Ed448 Client Auth-ssl] -server = 28-TLS 1.2 Ed448 Client Auth-server -client = 28-TLS 1.2 Ed448 Client Auth-client +[33-TLS 1.2 Ed448 Client Auth-ssl] +server = 33-TLS 1.2 Ed448 Client Auth-server +client = 33-TLS 1.2 Ed448 Client Auth-client -[28-TLS 1.2 Ed448 Client Auth-server] +[33-TLS 1.2 Ed448 Client Auth-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[28-TLS 1.2 Ed448 Client Auth-client] +[33-TLS 1.2 Ed448 Client Auth-client] CipherString = DEFAULT Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed448-cert.pem Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed448-key.pem @@ -964,7 +1100,7 @@ MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-28] +[test-33] ExpectedClientCertType = Ed448 ExpectedClientSignType = Ed448 ExpectedResult = Success @@ -972,38 +1108,38 @@ ExpectedResult = Success # =========================================================== -[29-Only RSA-PSS Certificate, TLS v1.1] -ssl_conf = 29-Only RSA-PSS Certificate, TLS v1.1-ssl +[34-Only RSA-PSS Certificate, TLS v1.1] +ssl_conf = 34-Only RSA-PSS Certificate, TLS v1.1-ssl -[29-Only RSA-PSS Certificate, TLS v1.1-ssl] -server = 29-Only RSA-PSS Certificate, TLS v1.1-server -client = 29-Only RSA-PSS Certificate, TLS v1.1-client +[34-Only RSA-PSS Certificate, TLS v1.1-ssl] +server = 34-Only RSA-PSS Certificate, TLS v1.1-server +client = 34-Only RSA-PSS Certificate, TLS v1.1-client -[29-Only RSA-PSS Certificate, TLS v1.1-server] +[34-Only RSA-PSS Certificate, TLS v1.1-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem -[29-Only RSA-PSS Certificate, TLS v1.1-client] +[34-Only RSA-PSS Certificate, TLS v1.1-client] CipherString = DEFAULT MaxProtocol = TLSv1.1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-29] +[test-34] ExpectedResult = ServerFail # =========================================================== -[30-TLS 1.3 ECDSA Signature Algorithm Selection] -ssl_conf = 30-TLS 1.3 ECDSA Signature Algorithm Selection-ssl +[35-TLS 1.3 ECDSA Signature Algorithm Selection] +ssl_conf = 35-TLS 1.3 ECDSA Signature Algorithm Selection-ssl -[30-TLS 1.3 ECDSA Signature Algorithm Selection-ssl] -server = 30-TLS 1.3 ECDSA Signature Algorithm Selection-server -client = 30-TLS 1.3 ECDSA Signature Algorithm Selection-client +[35-TLS 1.3 ECDSA Signature Algorithm Selection-ssl] +server = 35-TLS 1.3 ECDSA Signature Algorithm Selection-server +client = 35-TLS 1.3 ECDSA Signature Algorithm Selection-client -[30-TLS 1.3 ECDSA Signature Algorithm Selection-server] +[35-TLS 1.3 ECDSA Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1016,13 +1152,13 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[30-TLS 1.3 ECDSA Signature Algorithm Selection-client] +[35-TLS 1.3 ECDSA Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-30] +[test-35] ExpectedResult = Success ExpectedServerCANames = empty ExpectedServerCertType = P-256 @@ -1032,14 +1168,14 @@ ExpectedServerSignType = EC # =========================================================== -[31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point] -ssl_conf = 31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-ssl +[36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point] +ssl_conf = 36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-ssl -[31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-ssl] -server = 31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-server -client = 31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-client +[36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-ssl] +server = 36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-server +client = 36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-client -[31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-server] +[36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-cecdsa-cert.pem @@ -1048,13 +1184,13 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-client] +[36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-31] +[test-36] ExpectedResult = Success ExpectedServerCANames = empty ExpectedServerCertType = P-256 @@ -1064,14 +1200,14 @@ ExpectedServerSignType = EC # =========================================================== -[32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1] -ssl_conf = 32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-ssl +[37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1] +ssl_conf = 37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-ssl -[32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-ssl] -server = 32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-server -client = 32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-client +[37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-ssl] +server = 37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-server +client = 37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-client -[32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-server] +[37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1084,26 +1220,26 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-client] +[37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-32] +[test-37] ExpectedResult = ServerFail # =========================================================== -[33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS] -ssl_conf = 33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-ssl +[38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS] +ssl_conf = 38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-ssl -[33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-ssl] -server = 33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-server -client = 33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-client +[38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-ssl] +server = 38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-server +client = 38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-client -[33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-server] +[38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1116,14 +1252,14 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-client] +[38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-client] CipherString = DEFAULT RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem SignatureAlgorithms = ECDSA+SHA256:RSA-PSS+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-33] +[test-38] ExpectedResult = Success ExpectedServerCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem ExpectedServerCertType = P-256 @@ -1133,14 +1269,14 @@ ExpectedServerSignType = EC # =========================================================== -[34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS] -ssl_conf = 34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-ssl +[39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS] +ssl_conf = 39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-ssl -[34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-ssl] -server = 34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-server -client = 34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-client +[39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-ssl] +server = 39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-server +client = 39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-client -[34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-server] +[39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1153,13 +1289,13 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-client] +[39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA384:RSA-PSS+SHA384 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-34] +[test-39] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA384 @@ -1168,40 +1304,40 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate] -ssl_conf = 35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl +[40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate] +ssl_conf = 40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl -[35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] -server = 35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-server -client = 35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-client +[40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] +server = 40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-server +client = 40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-client -[35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-server] +[40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-client] +[40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-35] +[test-40] ExpectedResult = ServerFail # =========================================================== -[36-TLS 1.3 RSA Signature Algorithm Selection, no PSS] -ssl_conf = 36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-ssl +[41-TLS 1.3 RSA Signature Algorithm Selection, no PSS] +ssl_conf = 41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-ssl -[36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-ssl] -server = 36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-server -client = 36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-client +[41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-ssl] +server = 41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-server +client = 41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-client -[36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-server] +[41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1214,26 +1350,26 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-client] +[41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-client] CipherString = DEFAULT SignatureAlgorithms = RSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-36] +[test-41] ExpectedResult = ServerFail # =========================================================== -[37-TLS 1.3 RSA-PSS Signature Algorithm Selection] -ssl_conf = 37-TLS 1.3 RSA-PSS Signature Algorithm Selection-ssl +[42-TLS 1.3 RSA-PSS Signature Algorithm Selection] +ssl_conf = 42-TLS 1.3 RSA-PSS Signature Algorithm Selection-ssl -[37-TLS 1.3 RSA-PSS Signature Algorithm Selection-ssl] -server = 37-TLS 1.3 RSA-PSS Signature Algorithm Selection-server -client = 37-TLS 1.3 RSA-PSS Signature Algorithm Selection-client +[42-TLS 1.3 RSA-PSS Signature Algorithm Selection-ssl] +server = 42-TLS 1.3 RSA-PSS Signature Algorithm Selection-server +client = 42-TLS 1.3 RSA-PSS Signature Algorithm Selection-client -[37-TLS 1.3 RSA-PSS Signature Algorithm Selection-server] +[42-TLS 1.3 RSA-PSS Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1246,13 +1382,13 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[37-TLS 1.3 RSA-PSS Signature Algorithm Selection-client] +[42-TLS 1.3 RSA-PSS Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = RSA-PSS+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-37] +[test-42] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA256 @@ -1261,14 +1397,14 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[38-TLS 1.3 Ed25519 Signature Algorithm Selection] -ssl_conf = 38-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl +[43-TLS 1.3 Ed25519 Signature Algorithm Selection] +ssl_conf = 43-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl -[38-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl] -server = 38-TLS 1.3 Ed25519 Signature Algorithm Selection-server -client = 38-TLS 1.3 Ed25519 Signature Algorithm Selection-client +[43-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl] +server = 43-TLS 1.3 Ed25519 Signature Algorithm Selection-server +client = 43-TLS 1.3 Ed25519 Signature Algorithm Selection-client -[38-TLS 1.3 Ed25519 Signature Algorithm Selection-server] +[43-TLS 1.3 Ed25519 Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1281,13 +1417,13 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[38-TLS 1.3 Ed25519 Signature Algorithm Selection-client] +[43-TLS 1.3 Ed25519 Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ed25519 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-38] +[test-43] ExpectedResult = Success ExpectedServerCertType = Ed25519 ExpectedServerSignType = Ed25519 @@ -1295,14 +1431,14 @@ ExpectedServerSignType = Ed25519 # =========================================================== -[39-TLS 1.3 Ed448 Signature Algorithm Selection] -ssl_conf = 39-TLS 1.3 Ed448 Signature Algorithm Selection-ssl +[44-TLS 1.3 Ed448 Signature Algorithm Selection] +ssl_conf = 44-TLS 1.3 Ed448 Signature Algorithm Selection-ssl -[39-TLS 1.3 Ed448 Signature Algorithm Selection-ssl] -server = 39-TLS 1.3 Ed448 Signature Algorithm Selection-server -client = 39-TLS 1.3 Ed448 Signature Algorithm Selection-client +[44-TLS 1.3 Ed448 Signature Algorithm Selection-ssl] +server = 44-TLS 1.3 Ed448 Signature Algorithm Selection-server +client = 44-TLS 1.3 Ed448 Signature Algorithm Selection-client -[39-TLS 1.3 Ed448 Signature Algorithm Selection-server] +[44-TLS 1.3 Ed448 Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1315,13 +1451,13 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[39-TLS 1.3 Ed448 Signature Algorithm Selection-client] +[44-TLS 1.3 Ed448 Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ed448 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-39] +[test-44] ExpectedResult = Success ExpectedServerCertType = Ed448 ExpectedServerSignType = Ed448 @@ -1329,14 +1465,14 @@ ExpectedServerSignType = Ed448 # =========================================================== -[40-TLS 1.3 Ed25519 CipherString and Groups Selection] -ssl_conf = 40-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl +[45-TLS 1.3 Ed25519 CipherString and Groups Selection] +ssl_conf = 45-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl -[40-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl] -server = 40-TLS 1.3 Ed25519 CipherString and Groups Selection-server -client = 40-TLS 1.3 Ed25519 CipherString and Groups Selection-client +[45-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl] +server = 45-TLS 1.3 Ed25519 CipherString and Groups Selection-server +client = 45-TLS 1.3 Ed25519 CipherString and Groups Selection-client -[40-TLS 1.3 Ed25519 CipherString and Groups Selection-server] +[45-TLS 1.3 Ed25519 CipherString and Groups Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1349,14 +1485,14 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[40-TLS 1.3 Ed25519 CipherString and Groups Selection-client] +[45-TLS 1.3 Ed25519 CipherString and Groups Selection-client] CipherString = DEFAULT Groups = X25519 SignatureAlgorithms = ECDSA+SHA256:ed25519 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-40] +[test-45] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignType = EC @@ -1364,14 +1500,14 @@ ExpectedServerSignType = EC # =========================================================== -[41-TLS 1.3 Ed448 CipherString and Groups Selection] -ssl_conf = 41-TLS 1.3 Ed448 CipherString and Groups Selection-ssl +[46-TLS 1.3 Ed448 CipherString and Groups Selection] +ssl_conf = 46-TLS 1.3 Ed448 CipherString and Groups Selection-ssl -[41-TLS 1.3 Ed448 CipherString and Groups Selection-ssl] -server = 41-TLS 1.3 Ed448 CipherString and Groups Selection-server -client = 41-TLS 1.3 Ed448 CipherString and Groups Selection-client +[46-TLS 1.3 Ed448 CipherString and Groups Selection-ssl] +server = 46-TLS 1.3 Ed448 CipherString and Groups Selection-server +client = 46-TLS 1.3 Ed448 CipherString and Groups Selection-client -[41-TLS 1.3 Ed448 CipherString and Groups Selection-server] +[46-TLS 1.3 Ed448 CipherString and Groups Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1384,14 +1520,14 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[41-TLS 1.3 Ed448 CipherString and Groups Selection-client] +[46-TLS 1.3 Ed448 CipherString and Groups Selection-client] CipherString = DEFAULT Groups = X448 SignatureAlgorithms = ECDSA+SHA256:ed448 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-41] +[test-46] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignType = EC @@ -1399,14 +1535,14 @@ ExpectedServerSignType = EC # =========================================================== -[42-TLS 1.3 RSA Client Auth Signature Algorithm Selection] -ssl_conf = 42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl +[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection] +ssl_conf = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl -[42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl] -server = 42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server -client = 42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client +[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl] +server = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server +client = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client -[42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server] +[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ClientSignatureAlgorithms = PSS+SHA256 @@ -1414,7 +1550,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client] +[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client] CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem @@ -1425,7 +1561,7 @@ RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-42] +[test-47] ExpectedClientCANames = empty ExpectedClientCertType = RSA ExpectedClientSignHash = SHA256 @@ -1435,14 +1571,14 @@ ExpectedResult = Success # =========================================================== -[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names] -ssl_conf = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl +[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names] +ssl_conf = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl -[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl] -server = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server -client = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client +[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl] +server = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server +client = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client -[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server] +[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ClientSignatureAlgorithms = PSS+SHA256 @@ -1451,7 +1587,7 @@ RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client] +[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client] CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem @@ -1462,7 +1598,7 @@ RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-43] +[test-48] ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem ExpectedClientCertType = RSA ExpectedClientSignHash = SHA256 @@ -1472,14 +1608,14 @@ ExpectedResult = Success # =========================================================== -[44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection] -ssl_conf = 44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl +[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection] +ssl_conf = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl -[44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl] -server = 44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server -client = 44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client +[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl] +server = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server +client = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client -[44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server] +[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ClientSignatureAlgorithms = ECDSA+SHA256 @@ -1487,7 +1623,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client] +[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client] CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem @@ -1498,7 +1634,7 @@ RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-44] +[test-49] ExpectedClientCertType = P-256 ExpectedClientSignHash = SHA256 ExpectedClientSignType = EC @@ -1507,21 +1643,21 @@ ExpectedResult = Success # =========================================================== -[45-TLS 1.3 Ed25519 Client Auth] -ssl_conf = 45-TLS 1.3 Ed25519 Client Auth-ssl +[50-TLS 1.3 Ed25519 Client Auth] +ssl_conf = 50-TLS 1.3 Ed25519 Client Auth-ssl -[45-TLS 1.3 Ed25519 Client Auth-ssl] -server = 45-TLS 1.3 Ed25519 Client Auth-server -client = 45-TLS 1.3 Ed25519 Client Auth-client +[50-TLS 1.3 Ed25519 Client Auth-ssl] +server = 50-TLS 1.3 Ed25519 Client Auth-server +client = 50-TLS 1.3 Ed25519 Client Auth-client -[45-TLS 1.3 Ed25519 Client Auth-server] +[50-TLS 1.3 Ed25519 Client Auth-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[45-TLS 1.3 Ed25519 Client Auth-client] +[50-TLS 1.3 Ed25519 Client Auth-client] CipherString = DEFAULT EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem @@ -1530,7 +1666,7 @@ MinProtocol = TLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-45] +[test-50] ExpectedClientCertType = Ed25519 ExpectedClientSignType = Ed25519 ExpectedResult = Success @@ -1538,21 +1674,21 @@ ExpectedResult = Success # =========================================================== -[46-TLS 1.3 Ed448 Client Auth] -ssl_conf = 46-TLS 1.3 Ed448 Client Auth-ssl +[51-TLS 1.3 Ed448 Client Auth] +ssl_conf = 51-TLS 1.3 Ed448 Client Auth-ssl -[46-TLS 1.3 Ed448 Client Auth-ssl] -server = 46-TLS 1.3 Ed448 Client Auth-server -client = 46-TLS 1.3 Ed448 Client Auth-client +[51-TLS 1.3 Ed448 Client Auth-ssl] +server = 51-TLS 1.3 Ed448 Client Auth-server +client = 51-TLS 1.3 Ed448 Client Auth-client -[46-TLS 1.3 Ed448 Client Auth-server] +[51-TLS 1.3 Ed448 Client Auth-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[46-TLS 1.3 Ed448 Client Auth-client] +[51-TLS 1.3 Ed448 Client Auth-client] CipherString = DEFAULT EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed448-cert.pem EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed448-key.pem @@ -1561,7 +1697,7 @@ MinProtocol = TLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-46] +[test-51] ExpectedClientCertType = Ed448 ExpectedClientSignType = Ed448 ExpectedResult = Success @@ -1569,20 +1705,20 @@ ExpectedResult = Success # =========================================================== -[47-TLS 1.3 ECDSA with brainpool] -ssl_conf = 47-TLS 1.3 ECDSA with brainpool-ssl +[52-TLS 1.3 ECDSA with brainpool] +ssl_conf = 52-TLS 1.3 ECDSA with brainpool-ssl -[47-TLS 1.3 ECDSA with brainpool-ssl] -server = 47-TLS 1.3 ECDSA with brainpool-server -client = 47-TLS 1.3 ECDSA with brainpool-client +[52-TLS 1.3 ECDSA with brainpool-ssl] +server = 52-TLS 1.3 ECDSA with brainpool-server +client = 52-TLS 1.3 ECDSA with brainpool-client -[47-TLS 1.3 ECDSA with brainpool-server] +[52-TLS 1.3 ECDSA with brainpool-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem CipherString = DEFAULT Groups = brainpoolP256r1 PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -[47-TLS 1.3 ECDSA with brainpool-client] +[52-TLS 1.3 ECDSA with brainpool-client] CipherString = DEFAULT Groups = brainpoolP256r1 MaxProtocol = TLSv1.3 @@ -1591,20 +1727,20 @@ RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-47] +[test-52] ExpectedResult = ServerFail # =========================================================== -[48-TLS 1.2 DSA Certificate Test] -ssl_conf = 48-TLS 1.2 DSA Certificate Test-ssl +[53-TLS 1.2 DSA Certificate Test] +ssl_conf = 53-TLS 1.2 DSA Certificate Test-ssl -[48-TLS 1.2 DSA Certificate Test-ssl] -server = 48-TLS 1.2 DSA Certificate Test-server -client = 48-TLS 1.2 DSA Certificate Test-client +[53-TLS 1.2 DSA Certificate Test-ssl] +server = 53-TLS 1.2 DSA Certificate Test-server +client = 53-TLS 1.2 DSA Certificate Test-client -[48-TLS 1.2 DSA Certificate Test-server] +[53-TLS 1.2 DSA Certificate Test-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = ALL DHParameters = ${ENV::TEST_CERTS_DIR}/dhp2048.pem @@ -1614,26 +1750,26 @@ MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[48-TLS 1.2 DSA Certificate Test-client] +[53-TLS 1.2 DSA Certificate Test-client] CipherString = ALL SignatureAlgorithms = DSA+SHA256:DSA+SHA1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-48] +[test-53] ExpectedResult = Success # =========================================================== -[49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms] -ssl_conf = 49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-ssl +[54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms] +ssl_conf = 54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-ssl -[49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-ssl] -server = 49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-server -client = 49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-client +[54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-ssl] +server = 54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-server +client = 54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-client -[49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-server] +[54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ClientSignatureAlgorithms = ECDSA+SHA1:DSA+SHA256:RSA+SHA256 @@ -1641,25 +1777,25 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-client] +[54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-49] +[test-54] ExpectedResult = ServerFail # =========================================================== -[50-TLS 1.3 DSA Certificate Test] -ssl_conf = 50-TLS 1.3 DSA Certificate Test-ssl +[55-TLS 1.3 DSA Certificate Test] +ssl_conf = 55-TLS 1.3 DSA Certificate Test-ssl -[50-TLS 1.3 DSA Certificate Test-ssl] -server = 50-TLS 1.3 DSA Certificate Test-server -client = 50-TLS 1.3 DSA Certificate Test-client +[55-TLS 1.3 DSA Certificate Test-ssl] +server = 55-TLS 1.3 DSA Certificate Test-server +client = 55-TLS 1.3 DSA Certificate Test-client -[50-TLS 1.3 DSA Certificate Test-server] +[55-TLS 1.3 DSA Certificate Test-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = ALL DSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-dsa-cert.pem @@ -1668,13 +1804,13 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[50-TLS 1.3 DSA Certificate Test-client] +[55-TLS 1.3 DSA Certificate Test-client] CipherString = ALL SignatureAlgorithms = DSA+SHA1:DSA+SHA256:ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-50] +[test-55] ExpectedResult = ServerFail diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in index bdf53c6e1e..5e9bfede5d 100644 --- a/test/ssl-tests/20-cert-select.conf.in +++ b/test/ssl-tests/20-cert-select.conf.in @@ -36,6 +36,12 @@ my $server_pss_only = { "PrivateKey" => test_pem("server-pss-key.pem"), }; +my $server_pss_restrict_only = { + "Certificate" => test_pem("server-pss-restrict-cert.pem"), + "PrivateKey" => test_pem("server-pss-restrict-key.pem"), +}; + + my $server_rsa_all = { "PSS.Certificate" => test_pem("server-pss-cert.pem"), "PSS.PrivateKey" => test_pem("server-pss-key.pem"), @@ -379,6 +385,19 @@ our @tests = ( "ExpectedResult" => "Success" }, }, + { + name => "Only RSA-PSS Certificate Valid Signature Algorithms", + server => $server_pss_only, + client => { + "SignatureAlgorithms" => "rsa_pss_pss_sha512", + }, + test => { + "ExpectedServerCertType" => "RSA-PSS", + "ExpectedServerSignHash" => "SHA512", + "ExpectedServerSignType" => "RSA-PSS", + "ExpectedResult" => "Success" + }, + }, { name => "RSA-PSS Certificate, no PSS signature algorithms", server => $server_pss_only, @@ -389,6 +408,53 @@ our @tests = ( "ExpectedResult" => "ServerFail" }, }, + { + name => "Only RSA-PSS Restricted Certificate", + server => $server_pss_restrict_only, + client => {}, + test => { + "ExpectedServerCertType" => "RSA-PSS", + "ExpectedServerSignHash" => "SHA256", + "ExpectedServerSignType" => "RSA-PSS", + "ExpectedResult" => "Success" + }, + }, + { + name => "RSA-PSS Restricted Certificate Valid Signature Algorithms", + server => $server_pss_restrict_only, + client => { + "SignatureAlgorithms" => "rsa_pss_pss_sha256:rsa_pss_pss_sha512", + }, + test => { + "ExpectedServerCertType" => "RSA-PSS", + "ExpectedServerSignHash" => "SHA256", + "ExpectedServerSignType" => "RSA-PSS", + "ExpectedResult" => "Success" + }, + }, + { + name => "RSA-PSS Restricted Cert client prefers invalid Signature Algorithm", + server => $server_pss_restrict_only, + client => { + "SignatureAlgorithms" => "rsa_pss_pss_sha512:rsa_pss_pss_sha256", + }, + test => { + "ExpectedServerCertType" => "RSA-PSS", + "ExpectedServerSignHash" => "SHA256", + "ExpectedServerSignType" => "RSA-PSS", + "ExpectedResult" => "Success" + }, + }, + { + name => "RSA-PSS Restricted Certificate Invalid Signature Algorithms", + server => $server_pss_restrict_only, + client => { + "SignatureAlgorithms" => "rsa_pss_pss_sha512", + }, + test => { + "ExpectedResult" => "ServerFail" + }, + }, { name => "RSA key exchange with all RSA certificate types", server => $server_rsa_all, -- 2.34.1