1 # -*- mode: perl; -*-
2
3 ## SSL test configurations
4
5 package ssltests;
6
7 use strict;
8 use warnings;
9
10 use OpenSSL::Test;
11 use OpenSSL::Test::Utils qw(anydisabled disabled);
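setup("no_test_here");

# Only read in this file; expected to be set by whatever loads the config
# (it is declared with `our` so the loader can reach it).
our $fips_mode;

# @is_disabled is indexed in parallel with @protocols: element 0 is the
# version-flexible case (never disabled) and each later element is the
# anydisabled() flag for the protocol at the same index.  The two arrays are
# therefore filled together, per mode, so that an index into one is valid in
# the other.  Previously the full seven-entry disabled list was pushed
# unconditionally, which in FIPS mode lined TLSv1.2 up with ssl3's flag and
# DTLSv1.2 with tls1's.
my @protocols;
my @is_disabled = (0);

# We test version-flexible negotiation (undef) and each protocol version.
if ($fips_mode) {
    @protocols = (undef, "TLSv1.2", "DTLSv1.2");
    push @is_disabled, anydisabled("tls1_2", "dtls1_2");
} else {
    @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
    push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
}

# Filled by generate_tests() below; declared with `our` so the loader of this
# file can read the generated cases.
our @tests = ();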
28
# Append the server-auth and client-auth handshake cases to @tests for every
# entry of @protocols that @is_disabled does not mark as unavailable.  DTLS
# versions are emitted a second time over SCTP when the build has SCTP
# support.  Takes no arguments; called once at the end of this file.
sub generate_tests() {
    for my $idx (0 .. $#protocols) {
        next if $is_disabled[$idx];

        my $protocol = $protocols[$idx];
        my $protocol_name = $protocol || "flex";

        # SSLv3 lacks the UnknownCA alert that later versions send for a
        # client chain the server cannot verify; it reports BadCertificate.
        my $caalert = $protocol_name eq "SSLv3" ? "BadCertificate" : "UnknownCA";

        my $method;
        my $sctpenabled = 0;
        if ($protocol_name =~ m/^DTLS/) {
            $method = "DTLS";
            $sctpenabled = 1 unless disabled("sctp");
        }

        # Client signature expectations are only pinned for TLSv1.2; the
        # other versions leave these undef.
        # TODO(TLS1.3) add TLSv1.3 versions
        my ($clihash, $clisigtype, $clisigalgs);
        if ($protocol_name eq "TLSv1.2") {
            ($clihash, $clisigtype, $clisigalgs) = ("SHA256", "RSA", "SHA256+RSA");
        }

        for my $sctp (0 .. $sctpenabled) {
            my $suffix = $sctp ? "-sctp" : "";

            # Fragments shared by every case below: pin both peers to this
            # version, select the DTLS method where needed and flag SCTP runs.
            my %pin = ("MinProtocol" => $protocol, "MaxProtocol" => $protocol);
            my %test_common = (
                "Method" => $method,
                ($sctp ? ("UseSCTP" => "Yes") : ()),
            );
            my %client_cert = (
                "Certificate" => test_pem("ee-client-chain.pem"),
                "PrivateKey"  => test_pem("ee-key.pem"),
            );
            my $root_cert = test_pem("root-cert.pem");

            # Sanity-check simple handshake.
            push @tests, {
                name   => "server-auth-${protocol_name}" . $suffix,
                server => { %pin },
                client => { %pin },
                test   => {
                    "ExpectedResult" => "Success",
                    %test_common,
                },
            };

            # Handshake with client cert requested but not required or received.
            push @tests, {
                name   => "client-auth-${protocol_name}-request" . $suffix,
                server => { %pin, "VerifyMode" => "Request" },
                client => { %pin },
                test   => {
                    "ExpectedResult" => "Success",
                    %test_common,
                },
            };

            # Handshake with client cert required but not present.  A flexible
            # negotiation that can reach TLSv1.3 gets that version's dedicated
            # alert; everything else reports HandshakeFailure.
            my $require_fail_alert =
                ($protocol_name eq "flex" && !disabled("tls1_3"))
                ? "CertificateRequired" : "HandshakeFailure";
            push @tests, {
                name   => "client-auth-${protocol_name}-require-fail" . $suffix,
                server => {
                    %pin,
                    "VerifyCAFile" => $root_cert,
                    "VerifyMode"   => "Require",
                },
                client => { %pin },
                test   => {
                    "ExpectedResult"      => "ServerFail",
                    "ExpectedServerAlert" => $require_fail_alert,
                    %test_common,
                },
            };

            # Successful handshake with client authentication.
            push @tests, {
                name   => "client-auth-${protocol_name}-require" . $suffix,
                server => {
                    %pin,
                    "ClientSignatureAlgorithms" => $clisigalgs,
                    "VerifyCAFile"              => $root_cert,
                    "VerifyMode"                => "Request",
                },
                client => { %pin, %client_cert },
                test   => {
                    "ExpectedResult"         => "Success",
                    "ExpectedClientCertType" => "RSA",
                    "ExpectedClientSignType" => $clisigtype,
                    "ExpectedClientSignHash" => $clihash,
                    "ExpectedClientCANames"  => "empty",
                    %test_common,
                },
            };

            # Successful handshake with client authentication non-empty names
            push @tests, {
                name   => "client-auth-${protocol_name}-require-non-empty-names" . $suffix,
                server => {
                    %pin,
                    "ClientSignatureAlgorithms" => $clisigalgs,
                    "ClientCAFile"              => $root_cert,
                    "VerifyCAFile"              => $root_cert,
                    "VerifyMode"                => "Request",
                },
                client => { %pin, %client_cert },
                test   => {
                    "ExpectedResult"         => "Success",
                    "ExpectedClientCertType" => "RSA",
                    "ExpectedClientSignType" => $clisigtype,
                    "ExpectedClientSignHash" => $clihash,
                    "ExpectedClientCANames"  => $root_cert,
                    %test_common,
                },
            };

            # Handshake with client authentication but without the root certificate.
            push @tests, {
                name   => "client-auth-${protocol_name}-noroot" . $suffix,
                server => { %pin, "VerifyMode" => "Require" },
                client => { %pin, %client_cert },
                test   => {
                    "ExpectedResult"      => "ServerFail",
                    "ExpectedServerAlert" => $caalert,
                    %test_common,
                },
            };
        }
    }
}
202
203 generate_tests();