test/ssl-tests/04-client_auth.conf.in

   1 # -*- mode: perl; -*-
   2
   3 ## SSL test configurations
   4
   5 package ssltests;
   6
   7 use strict;
   8 use warnings;
   9
  10 use OpenSSL::Test;
  11 use OpenSSL::Test::Utils qw(anydisabled);
  12 setup("no_test_here");
  13
  14 # We test version-flexible negotiation (undef) and each protocol version.
  15 my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
  16
  17 my @is_disabled = (0);
  18 push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2");
  19
  20 our @tests = ();
  21
  22 sub generate_tests() {
  23
  24     foreach (0..$#protocols) {
  25         my $protocol = $protocols[$_];
  26         my $protocol_name = $protocol || "flex";
  27         my $caalert;
  28         if (!$is_disabled[$_]) {
  29             if ($protocol_name eq "SSLv3") {
  30                 $caalert = "BadCertificate";
  31             } else {
  32                 $caalert = "UnknownCA";
  33             }
  34             my $clihash;
  35             my $clisigtype;
  36             my $clisigalgs;
  37             # TODO(TLS1.3) add TLSv1.3 versions
  38             if ($protocol_name eq "TLSv1.2") {
  39                 $clihash = "SHA256";
  40                 $clisigtype = "RSA";
  41                 $clisigalgs = "SHA256+RSA";
  42             }
  43             # Sanity-check simple handshake.
  44             push @tests, {
  45                 name => "server-auth-${protocol_name}",
  46                 server => {
  47                     "MinProtocol" => $protocol,
  48                     "MaxProtocol" => $protocol
  49                 },
  50                 client => {
  51                     "MinProtocol" => $protocol,
  52                     "MaxProtocol" => $protocol
  53                 },
  54                 test   => { "ExpectedResult" => "Success" },
  55             };
  56
  57             # Handshake with client cert requested but not required or received.
  58             push @tests, {
  59                 name => "client-auth-${protocol_name}-request",
  60                 server => {
  61                     "MinProtocol" => $protocol,
  62                     "MaxProtocol" => $protocol,
  63                     "VerifyMode" => "Request"
  64                 },
  65                 client => {
  66                     "MinProtocol" => $protocol,
  67                     "MaxProtocol" => $protocol
  68                 },
  69                 test   => { "ExpectedResult" => "Success" },
  70             };
  71
  72             # Handshake with client cert required but not present.
  73             push @tests, {
  74                 name => "client-auth-${protocol_name}-require-fail",
  75                 server => {
  76                     "MinProtocol" => $protocol,
  77                     "MaxProtocol" => $protocol,
  78                     "VerifyCAFile" => test_pem("root-cert.pem"),
  79                     "VerifyMode" => "Require",
  80                 },
  81                 client => {
  82                     "MinProtocol" => $protocol,
  83                     "MaxProtocol" => $protocol
  84                 },
  85                 test   => {
  86                     "ExpectedResult" => "ServerFail",
  87                     "ExpectedServerAlert" => "HandshakeFailure",
  88                 },
  89             };
  90
  91             # Successful handshake with client authentication.
  92             push @tests, {
  93                 name => "client-auth-${protocol_name}-require",
  94                 server => {
  95                     "MinProtocol" => $protocol,
  96                     "MaxProtocol" => $protocol,
  97                     "ClientSignatureAlgorithms" => $clisigalgs,
  98                     "VerifyCAFile" => test_pem("root-cert.pem"),
  99                     "VerifyMode" => "Request",
 100                 },
 101                 client => {
 102                     "MinProtocol" => $protocol,
 103                     "MaxProtocol" => $protocol,
 104                     "Certificate" => test_pem("ee-client-chain.pem"),
 105                     "PrivateKey"  => test_pem("ee-key.pem"),
 106                 },
 107                 test   => { "ExpectedResult" => "Success",
 108                             "ExpectedClientCertType" => "RSA",
 109                             "ExpectedClientSignType" => $clisigtype,
 110                             "ExpectedClientSignHash" => $clihash,
 111                 },
 112             };
 113
 114             # Handshake with client authentication but without the root certificate.
 115             push @tests, {
 116                 name => "client-auth-${protocol_name}-noroot",
 117                 server => {
 118                     "MinProtocol" => $protocol,
 119                     "MaxProtocol" => $protocol,
 120                     "VerifyMode" => "Require",
 121                 },
 122                 client => {
 123                     "MinProtocol" => $protocol,
 124                     "MaxProtocol" => $protocol,
 125                     "Certificate" => test_pem("ee-client-chain.pem"),
 126                     "PrivateKey"  => test_pem("ee-key.pem"),
 127                 },
 128                 test   => {
 129                     "ExpectedResult" => "ServerFail",
 130                     "ExpectedServerAlert" => $caalert,
 131                 },
 132             };
 133         }
 134     }
 135 }
 136
 137 generate_tests();