From edb8a5eb54ee54452a410a6072c584ee94ed3ebb Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Thu, 12 Jan 2017 14:52:31 +0000
Subject: [PATCH] Add certificate selection tests.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Add certifcate selection tests: the certificate type is selected by cipher string and signature algorithm.

Reviewed-by: Emilia Käsper
(Merged from https://github.com/openssl/openssl/pull/2224)
---
test/recipes/80-test_ssl_new.t | 3 +-
test/ssl-tests/20-cert-select.conf | 167 ++++++++++++++++++++++++++
test/ssl-tests/20-cert-select.conf.in | 87 ++++++++++++++
3 files changed, 256 insertions(+), 1 deletion(-)
create mode 100644 test/ssl-tests/20-cert-select.conf
create mode 100644 test/ssl-tests/20-cert-select.conf.in

diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 08ee494c89..fd58d5ebf4 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -29,7 +29,7 @@ map { s/\.in// } @conf_files;
 # We hard-code the number of tests to double-check that the globbing above
 # finds all files as expected.
-plan tests => 19; # = scalar @conf_srcs
+plan tests => 20; # = scalar @conf_srcs
 
 # Some test results depend on the configuration of enabled protocols. We only
 # verify generated sources in the default configuration.
@@ -80,6 +80,7 @@ my %skip = (
 "16-dtls-certstatus.conf" => $no_dtls || $no_ocsp,
 "18-dtls-renegotiate.conf" => $no_dtls,
 "19-mac-then-encrypt.conf" => $no_pre_tls1_3,
+ "20-cert-select.conf" => $no_ec,
 );
 
 foreach my $conf (@conf_files) {
diff --git a/test/ssl-tests/20-cert-select.conf b/test/ssl-tests/20-cert-select.conf
new file mode 100644
index 0000000000..dbb339d211
--- /dev/null
+++ b/test/ssl-tests/20-cert-select.conf
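Review bot: The new skip entry `"20-cert-select.conf" => $no_ec,` keys only on EC support, yet every server section the generated config carries pins `MaxProtocol = TLSv1.2` (see the 20-cert-select.conf hunk), so a build with TLS 1.2 disabled would presumably still run these cases and fail rather than skip. The recipe already tracks protocol availability for other entries (`$no_dtls`, `$no_pre_tls1_3`); if it has a TLS 1.2 disable flag, it belongs here as well, e.g. `"20-cert-select.conf" => $no_ec || <TLS1.2-disabled flag>,`. The cases also depend on server-ecdsa-cert.pem and server-ecdsa-key.pem being present under TEST_CERTS_DIR, which nothing in the skip list checks. The `%skip` hash starts and ends outside this hunk.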
@@ -0,0 +1,167 @@
+# Generated with generate_ssl_tests.pl
+
+num_tests = 6
+
+test-0 = 0-ECDSA CipherString Selection
+test-1 = 1-RSA CipherString Selection
+test-2 = 2-ECDSA CipherString Selection, no ECDSA certificate
+test-3 = 3-ECDSA Signature Algorithm Selection
+test-4 = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate
+test-5 = 5-RSA Signature Algorithm Selection
+# ===========================================================
+
+[0-ECDSA CipherString Selection]
+ssl_conf = 0-ECDSA CipherString Selection-ssl
+
+[0-ECDSA CipherString Selection-ssl]
+server = 0-ECDSA CipherString Selection-server
+client = 0-ECDSA CipherString Selection-client
+
+[0-ECDSA CipherString Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[0-ECDSA CipherString Selection-client]
+CipherString = aECDSA
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-0]
+ExpectedResult = Success
+ExpectedServerCertType = P-256
+
+
+# ===========================================================
+
+[1-RSA CipherString Selection]
+ssl_conf = 1-RSA CipherString Selection-ssl
+
+[1-RSA CipherString Selection-ssl]
+server = 1-RSA CipherString Selection-server
+client = 1-RSA CipherString Selection-client
+
+[1-RSA CipherString Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[1-RSA CipherString Selection-client]
+CipherString = aRSA
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-1]
+ExpectedResult = Success
+ExpectedServerCertType = RSA
+
+
+# ===========================================================
+
+[2-ECDSA CipherString Selection, no ECDSA certificate]
+ssl_conf = 2-ECDSA CipherString Selection, no ECDSA certificate-ssl
+
+[2-ECDSA CipherString Selection, no ECDSA certificate-ssl]
+server = 2-ECDSA CipherString Selection, no ECDSA certificate-server
+client = 2-ECDSA CipherString Selection, no ECDSA certificate-client
+
+[2-ECDSA CipherString Selection, no ECDSA certificate-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[2-ECDSA CipherString Selection, no ECDSA certificate-client]
+CipherString = aECDSA
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-2]
+ExpectedResult = ServerFail
+
+
+# ===========================================================
+
+[3-ECDSA Signature Algorithm Selection]
+ssl_conf = 3-ECDSA Signature Algorithm Selection-ssl
+
+[3-ECDSA Signature Algorithm Selection-ssl]
+server = 3-ECDSA Signature Algorithm Selection-server
+client = 3-ECDSA Signature Algorithm Selection-client
+
+[3-ECDSA Signature Algorithm Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[3-ECDSA Signature Algorithm Selection-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-3]
+ExpectedResult = Success
+ExpectedServerCertType = P-256
+
+
+# ===========================================================
+
+[4-ECDSA Signature Algorithm Selection, no ECDSA certificate]
+ssl_conf = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl
+
+[4-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl]
+server = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate-server
+client = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate-client
+
+[4-ECDSA Signature Algorithm Selection, no ECDSA certificate-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[4-ECDSA Signature Algorithm Selection, no ECDSA certificate-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-4]
+ExpectedResult = ServerFail
+
+
+# ===========================================================
+
+[5-RSA Signature Algorithm Selection]
+ssl_conf = 5-RSA Signature Algorithm Selection-ssl
+
+[5-RSA Signature Algorithm Selection-ssl]
+server = 5-RSA Signature Algorithm Selection-server
+client = 5-RSA Signature Algorithm Selection-client
+
+[5-RSA Signature Algorithm Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[5-RSA Signature Algorithm Selection-client]
+CipherString = DEFAULT
+SignatureAlgorithms = RSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-5]
+ExpectedResult = Success
+ExpectedServerCertType = RSA
+
+
diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in
new file mode 100644
index 0000000000..d34849108b
--- /dev/null
+++ b/test/ssl-tests/20-cert-select.conf.in
@@ -0,0 +1,87 @@
+# -*- mode: perl; -*-
+
+## SSL test configurations
+
+package ssltests;
+
+use strict;
+use warnings;
+
+use OpenSSL::Test;
+use OpenSSL::Test::Utils qw(anydisabled);
+
+my $dir_sep = $^O ne "VMS" ? "/" : "";
+
+my $server = {
+ "ECDSA.Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}server-ecdsa-cert.pem",
+ "ECDSA.PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}server-ecdsa-key.pem",
+ # TODO: add test cases for TLSv1.3
+ "MaxProtocol" => "TLSv1.2"
+};
+
+our @tests = (
+ {
+ name => "ECDSA CipherString Selection",
+ server => $server,
+ client => {
+ "CipherString" => "aECDSA",
+ },
+ test => {
+ "ExpectedServerCertType" =>, "P-256",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "RSA CipherString Selection",
+ server => $server,
+ client => {
+ "CipherString" => "aRSA",
+ },
+ test => {
+ "ExpectedServerCertType" =>, "RSA",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "ECDSA CipherString Selection, no ECDSA certificate",
+ server => { },
+ client => {
+ "CipherString" => "aECDSA"
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+ {
+ name => "ECDSA Signature Algorithm Selection",
+ server => $server,
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256",
+ },
+ test => {
+ "ExpectedServerCertType" =>, "P-256",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
+ server => { },
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+ {
+ name => "RSA Signature Algorithm Selection",
+ server => $server,
+ client => {
+ "SignatureAlgorithms" => "RSA+SHA256",
+ },
+ test => {
+ "ExpectedServerCertType" =>, "RSA",
+ "ExpectedResult" => "Success"
+ },
+ }
+);
-- 
2.34.1
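Review bot: Four of the `test` hashes in `@tests` carry a stray comma after the fat arrow, `"ExpectedServerCertType" =>, "P-256",` (the ECDSA CipherString, RSA CipherString, ECDSA Signature Algorithm and RSA Signature Algorithm entries). Perl tolerates the empty list element and the generated 20-cert-select.conf shows the key/value pairing survived, but it reads as a typo and will be copied into the next config; write `"ExpectedServerCertType" => "P-256",` and `"ExpectedServerCertType" => "RSA",` instead. `anydisabled` is imported from OpenSSL::Test::Utils but is not called anywhere in this file, so the `qw(anydisabled)` import list appears to be a leftover. The `# TODO: add test cases for TLSv1.3` note is the only record that `MaxProtocol => "TLSv1.2"` is a deliberate restriction; a one-line reason, such as that certificate selection under TLS 1.3 is not yet covered by this suite, would help the next person who extends it. The whole file sits inside this hunk.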