test/ssl-tests/04-client_auth.cnf.in

   1 # -*- mode: perl; -*-
   2
   3 ## SSL test configurations
   4
   5 package ssltests;
   6
   7 use strict;
   8 use warnings;
   9
  10 use OpenSSL::Test;
  11 use OpenSSL::Test::Utils qw(anydisabled disabled);
  12 setup("no_test_here");
  13
  14 our $fips_mode;
  15
  16 my @protocols;
  17 my @is_disabled = (0);
  18
  19 # We test version-flexible negotiation (undef) and each protocol version.
  20 if ($fips_mode) {
  21     @protocols = (undef, "TLSv1.2", "DTLSv1.2");
  22     push @is_disabled, anydisabled("tls1_2", "dtls1_2");
  23 } else {
  24     @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
  25     push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
  26 }
  27
  28 our @tests = ();
  29
  30 sub generate_tests() {
  31     foreach (0..$#protocols) {
  32         my $protocol = $protocols[$_];
  33         my $protocol_name = $protocol || "flex";
  34         my $caalert;
  35         my $method;
  36         my $sctpenabled = 0;
  37         if (!$is_disabled[$_]) {
  38             if ($protocol_name eq "SSLv3") {
  39                 $caalert = "BadCertificate";
  40             } else {
  41                 $caalert = "UnknownCA";
  42             }
  43             if ($protocol_name =~ m/^DTLS/) {
  44                 $method = "DTLS";
  45                 $sctpenabled = 1 if !disabled("sctp");
  46             }
  47             my $clihash;
  48             my $clisigtype;
  49             my $clisigalgs;
  50             # TODO(TLS1.3) add TLSv1.3 versions
  51             if ($protocol_name eq "TLSv1.2") {
  52                 $clihash = "SHA256";
  53                 $clisigtype = "RSA";
  54                 $clisigalgs = "SHA256+RSA";
  55             }
  56             for (my $sctp = 0; $sctp <= $sctpenabled; $sctp++) {
  57                 # Sanity-check simple handshake.
  58                 push @tests, {
  59                     name => "server-auth-${protocol_name}"
  60                             .($sctp ? "-sctp" : ""),
  61                     server => {
  62                         "CipherString" => "DEFAULT:\@SECLEVEL=0",
  63                         "MinProtocol" => $protocol,
  64                         "MaxProtocol" => $protocol
  65                     },
  66                     client => {
  67                         "CipherString" => "DEFAULT:\@SECLEVEL=0",
  68                         "MinProtocol" => $protocol,
  69                         "MaxProtocol" => $protocol
  70                     },
  71                     test   => {
  72                         "ExpectedResult" => "Success",
  73                         "Method" => $method,
  74                     },
  75                 };
  76                 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  77
  78                 # Handshake with client cert requested but not required or received.
  79                 push @tests, {
  80                     name => "client-auth-${protocol_name}-request"
  81                             .($sctp ? "-sctp" : ""),
  82                     server => {
  83                         "CipherString" => "DEFAULT:\@SECLEVEL=0",
  84                         "MinProtocol" => $protocol,
  85                         "MaxProtocol" => $protocol,
  86                         "VerifyMode" => "Request"
  87                     },
  88                     client => {
  89                         "CipherString" => "DEFAULT:\@SECLEVEL=0",
  90                         "MinProtocol" => $protocol,
  91                         "MaxProtocol" => $protocol
  92                     },
  93                     test   => {
  94                         "ExpectedResult" => "Success",
  95                         "Method" => $method,
  96                     },
  97                 };
  98                 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  99
 100                 # Handshake with client cert required but not present.
 101                 push @tests, {
 102                     name => "client-auth-${protocol_name}-require-fail"
 103                             .($sctp ? "-sctp" : ""),
 104                     server => {
 105                         "CipherString" => "DEFAULT:\@SECLEVEL=0",
 106                         "MinProtocol" => $protocol,
 107                         "MaxProtocol" => $protocol,
 108                         "VerifyCAFile" => test_pem("root-cert.pem"),
 109                         "VerifyMode" => "Require",
 110                     },
 111                     client => {
 112                         "CipherString" => "DEFAULT:\@SECLEVEL=0",
 113                         "MinProtocol" => $protocol,
 114                         "MaxProtocol" => $protocol
 115                     },
 116                     test   => {
 117                         "ExpectedResult" => "ServerFail",
 118                         "ExpectedServerAlert" =>
 119                         ($protocol_name eq "flex"
 120                             && !disabled("tls1_3")
 121                             && (!disabled("ec") || !disabled("dh")))
 122                         ? "CertificateRequired" : "HandshakeFailure",
 123                         "Method" => $method,
 124                     },
 125                 };
 126                 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
 127
 128                 # Successful handshake with client authentication.
 129                 push @tests, {
 130                     name => "client-auth-${protocol_name}-require"
 131                              .($sctp ? "-sctp" : ""),
 132                     server => {
 133                         "CipherString" => "DEFAULT:\@SECLEVEL=0",
 134                         "MinProtocol" => $protocol,
 135                         "MaxProtocol" => $protocol,
 136                         "ClientSignatureAlgorithms" => $clisigalgs,
 137                         "VerifyCAFile" => test_pem("root-cert.pem"),
 138                         "VerifyMode" => "Request",
 139                     },
 140                     client => {
 141                         "CipherString" => "DEFAULT:\@SECLEVEL=0",
 142                         "MinProtocol" => $protocol,
 143                         "MaxProtocol" => $protocol,
 144                         "Certificate" => test_pem("ee-client-chain.pem"),
 145                         "PrivateKey"  => test_pem("ee-key.pem"),
 146                     },
 147                     test   => {
 148                         "ExpectedResult" => "Success",
 149                         "ExpectedClientCertType" => "RSA",
 150                         "ExpectedClientSignType" => $clisigtype,
 151                         "ExpectedClientSignHash" => $clihash,
 152                         "ExpectedClientCANames" => "empty",
 153                         "Method" => $method,
 154                     },
 155                 };
 156                 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
 157
 158                 # Successful handshake with client RSA-PSS cert, StrictCertCheck
 159                 push @tests, {
 160                     name => "client-auth-${protocol_name}-rsa-pss"
 161                              .($sctp ? "-sctp" : ""),
 162                     server => {
 163                         "CipherString" => "DEFAULT:\@SECLEVEL=0",
 164                         "MinProtocol" => $protocol,
 165                         "MaxProtocol" => $protocol,
 166                         "ClientCAFile" => test_pem("rootcert.pem"),
 167                         "VerifyCAFile" => test_pem("rootcert.pem"),
 168                         "VerifyMode" => "Require",
 169                     },
 170                     client => {
 171                         "CipherString" => "DEFAULT:\@SECLEVEL=0",
 172                         "MinProtocol" => $protocol,
 173                         "MaxProtocol" => $protocol,
 174                         "Certificate" => test_pem("client-pss-restrict-cert.pem"),
 175                         "PrivateKey"  => test_pem("client-pss-restrict-key.pem"),
 176                         "Options" => "StrictCertCheck",
 177                     },
 178                     test   => {
 179                         "ExpectedResult" => "Success",
 180                         "ExpectedClientCertType" => "RSA-PSS",
 181                         "ExpectedClientCANames" => test_pem("rootcert.pem"),
 182                         "Method" => $method,
 183                     },
 184                 } if $protocol_name eq "TLSv1.2" || $protocol_name eq "flex";
 185
 186                 # Failed handshake with client RSA-PSS cert, StrictCertCheck, bad CA
 187                 push @tests, {
 188                     name => "client-auth-${protocol_name}-rsa-pss-bad"
 189                              .($sctp ? "-sctp" : ""),
 190                     server => {
 191                         "CipherString" => "DEFAULT:\@SECLEVEL=0",
 192                         "MinProtocol" => $protocol,
 193                         "MaxProtocol" => $protocol,
 194                         "ClientCAFile" => test_pem("rootCA.pem"),
 195                         "VerifyCAFile" => test_pem("rootCA.pem"),
 196                         "VerifyMode" => "Require",
 197                     },
 198                     client => {
 199                         "CipherString" => "DEFAULT:\@SECLEVEL=0",
 200                         "MinProtocol" => $protocol,
 201                         "MaxProtocol" => $protocol,
 202                         "Certificate" => test_pem("client-pss-restrict-cert.pem"),
 203                         "PrivateKey"  => test_pem("client-pss-restrict-key.pem"),
 204                         "Options" => "StrictCertCheck",
 205                     },
 206                     test   => {
 207                         "ExpectedResult" => "ServerFail",
 208                         "ExpectedServerAlert" =>
 209                         ($protocol_name eq "flex"
 210                             && !disabled("tls1_3")
 211                             && (!disabled("ec") || !disabled("dh")))
 212                         ? "CertificateRequired" : "HandshakeFailure",
 213                         "Method" => $method,
 214                     },
 215                 } if $protocol_name eq "TLSv1.2" || $protocol_name eq "flex";
 216
 217                 # Successful handshake with client authentication non-empty names
 218                 push @tests, {
 219                     name => "client-auth-${protocol_name}-require-non-empty-names"
 220                             .($sctp ? "-sctp" : ""),
 221                     server => {
 222                         "CipherString" => "DEFAULT:\@SECLEVEL=0",
 223                         "MinProtocol" => $protocol,
 224                         "MaxProtocol" => $protocol,
 225                         "ClientSignatureAlgorithms" => $clisigalgs,
 226                         "ClientCAFile" => test_pem("root-cert.pem"),
 227                         "VerifyCAFile" => test_pem("root-cert.pem"),
 228                         "VerifyMode" => "Request",
 229                     },
 230                     client => {
 231                         "CipherString" => "DEFAULT:\@SECLEVEL=0",
 232                         "MinProtocol" => $protocol,
 233                         "MaxProtocol" => $protocol,
 234                         "Certificate" => test_pem("ee-client-chain.pem"),
 235                         "PrivateKey"  => test_pem("ee-key.pem"),
 236                     },
 237                     test   => {
 238                         "ExpectedResult" => "Success",
 239                         "ExpectedClientCertType" => "RSA",
 240                         "ExpectedClientSignType" => $clisigtype,
 241                         "ExpectedClientSignHash" => $clihash,
 242                         "ExpectedClientCANames" => test_pem("root-cert.pem"),
 243                         "Method" => $method,
 244                     },
 245                 };
 246                 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
 247
 248                 # Handshake with client authentication but without the root certificate.
 249                 push @tests, {
 250                     name => "client-auth-${protocol_name}-noroot"
 251                             .($sctp ? "-sctp" : ""),
 252                     server => {
 253                         "CipherString" => "DEFAULT:\@SECLEVEL=0",
 254                         "MinProtocol" => $protocol,
 255                         "MaxProtocol" => $protocol,
 256                         "VerifyMode" => "Require",
 257                     },
 258                     client => {
 259                         "CipherString" => "DEFAULT:\@SECLEVEL=0",
 260                         "MinProtocol" => $protocol,
 261                         "MaxProtocol" => $protocol,
 262                         "Certificate" => test_pem("ee-client-chain.pem"),
 263                         "PrivateKey"  => test_pem("ee-key.pem"),
 264                     },
 265                     test   => {
 266                         "ExpectedResult" => "ServerFail",
 267                         "ExpectedServerAlert" => $caalert,
 268                         "Method" => $method,
 269                     },
 270                 };
 271                 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
 272             }
 273         }
 274     }
 275 }
 276
 277 generate_tests();