test/ssl-tests/04-client_auth.conf.in

   1 # -*- mode: perl; -*-
   2
   3 ## SSL test configurations
   4
   5 package ssltests;
   6
   7 use strict;
   8 use warnings;
   9
  10 use OpenSSL::Test;
  11 use OpenSSL::Test::Utils qw(anydisabled disabled);
  12 setup("no_test_here");
  13
  14 # We test version-flexible negotiation (undef) and each protocol version.
  15 my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
  16
  17 my @is_disabled = (0);
  18 push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
  19
  20 our @tests = ();
  21
  22 sub generate_tests() {
  23     foreach (0..$#protocols) {
  24         my $protocol = $protocols[$_];
  25         my $protocol_name = $protocol || "flex";
  26         my $caalert;
  27         my $method;
  28         my $sctpenabled = 0;
  29         if (!$is_disabled[$_]) {
  30             if ($protocol_name eq "SSLv3") {
  31                 $caalert = "BadCertificate";
  32             } else {
  33                 $caalert = "UnknownCA";
  34             }
  35             if ($protocol_name =~ m/^DTLS/) {
  36                 $method = "DTLS";
  37                 $sctpenabled = 1 if !disabled("sctp");
  38             }
  39             my $clihash;
  40             my $clisigtype;
  41             my $clisigalgs;
  42             # TODO(TLS1.3) add TLSv1.3 versions
  43             if ($protocol_name eq "TLSv1.2") {
  44                 $clihash = "SHA256";
  45                 $clisigtype = "RSA";
  46                 $clisigalgs = "SHA256+RSA";
  47             }
  48             for (my $sctp = 0; $sctp <= $sctpenabled; $sctp++) {
  49                 # Sanity-check simple handshake.
  50                 push @tests, {
  51                     name => "server-auth-${protocol_name}"
  52                             .($sctp ? "-sctp" : ""),
  53                     server => {
  54                         "MinProtocol" => $protocol,
  55                         "MaxProtocol" => $protocol
  56                     },
  57                     client => {
  58                         "MinProtocol" => $protocol,
  59                         "MaxProtocol" => $protocol
  60                     },
  61                     test   => {
  62                         "ExpectedResult" => "Success",
  63                         "Method" => $method,
  64                     },
  65                 };
  66                 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  67
  68                 # Handshake with client cert requested but not required or received.
  69                 push @tests, {
  70                     name => "client-auth-${protocol_name}-request"
  71                             .($sctp ? "-sctp" : ""),
  72                     server => {
  73                         "MinProtocol" => $protocol,
  74                         "MaxProtocol" => $protocol,
  75                         "VerifyMode" => "Request"
  76                     },
  77                     client => {
  78                         "MinProtocol" => $protocol,
  79                         "MaxProtocol" => $protocol
  80                     },
  81                     test   => {
  82                         "ExpectedResult" => "Success",
  83                         "Method" => $method,
  84                     },
  85                 };
  86                 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  87
  88                 # Handshake with client cert required but not present.
  89                 push @tests, {
  90                     name => "client-auth-${protocol_name}-require-fail"
  91                             .($sctp ? "-sctp" : ""),
  92                     server => {
  93                         "MinProtocol" => $protocol,
  94                         "MaxProtocol" => $protocol,
  95                         "VerifyCAFile" => test_pem("root-cert.pem"),
  96                         "VerifyMode" => "Require",
  97                     },
  98                     client => {
  99                         "MinProtocol" => $protocol,
 100                         "MaxProtocol" => $protocol
 101                     },
 102                     test   => {
 103                         "ExpectedResult" => "ServerFail",
 104                         "ExpectedServerAlert" => "HandshakeFailure",
 105                         "Method" => $method,
 106                     },
 107                 };
 108                 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
 109
 110                 # Successful handshake with client authentication.
 111                 push @tests, {
 112                     name => "client-auth-${protocol_name}-require"
 113                              .($sctp ? "-sctp" : ""),
 114                     server => {
 115                         "MinProtocol" => $protocol,
 116                         "MaxProtocol" => $protocol,
 117                         "ClientSignatureAlgorithms" => $clisigalgs,
 118                         "VerifyCAFile" => test_pem("root-cert.pem"),
 119                         "VerifyMode" => "Request",
 120                     },
 121                     client => {
 122                         "MinProtocol" => $protocol,
 123                         "MaxProtocol" => $protocol,
 124                         "Certificate" => test_pem("ee-client-chain.pem"),
 125                         "PrivateKey"  => test_pem("ee-key.pem"),
 126                     },
 127                     test   => {
 128                         "ExpectedResult" => "Success",
 129                         "ExpectedClientCertType" => "RSA",
 130                         "ExpectedClientSignType" => $clisigtype,
 131                         "ExpectedClientSignHash" => $clihash,
 132                         "ExpectedClientCANames" => "empty",
 133                         "Method" => $method,
 134                     },
 135                 };
 136                 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
 137
 138                 # Successful handshake with client authentication non-empty names
 139                 push @tests, {
 140                     name => "client-auth-${protocol_name}-require-non-empty-names"
 141                             .($sctp ? "-sctp" : ""),
 142                     server => {
 143                         "MinProtocol" => $protocol,
 144                         "MaxProtocol" => $protocol,
 145                         "ClientSignatureAlgorithms" => $clisigalgs,
 146                         "ClientCAFile" => test_pem("root-cert.pem"),
 147                         "VerifyCAFile" => test_pem("root-cert.pem"),
 148                         "VerifyMode" => "Request",
 149                     },
 150                     client => {
 151                         "MinProtocol" => $protocol,
 152                         "MaxProtocol" => $protocol,
 153                         "Certificate" => test_pem("ee-client-chain.pem"),
 154                         "PrivateKey"  => test_pem("ee-key.pem"),
 155                     },
 156                     test   => {
 157                         "ExpectedResult" => "Success",
 158                         "ExpectedClientCertType" => "RSA",
 159                         "ExpectedClientSignType" => $clisigtype,
 160                         "ExpectedClientSignHash" => $clihash,
 161                         "ExpectedClientCANames" => test_pem("root-cert.pem"),
 162                         "Method" => $method,
 163                     },
 164                 };
 165                 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
 166
 167                 # Handshake with client authentication but without the root certificate.
 168                 push @tests, {
 169                     name => "client-auth-${protocol_name}-noroot"
 170                             .($sctp ? "-sctp" : ""),
 171                     server => {
 172                         "MinProtocol" => $protocol,
 173                         "MaxProtocol" => $protocol,
 174                         "VerifyMode" => "Require",
 175                     },
 176                     client => {
 177                         "MinProtocol" => $protocol,
 178                         "MaxProtocol" => $protocol,
 179                         "Certificate" => test_pem("ee-client-chain.pem"),
 180                         "PrivateKey"  => test_pem("ee-key.pem"),
 181                     },
 182                     test   => {
 183                         "ExpectedResult" => "ServerFail",
 184                         "ExpectedServerAlert" => $caalert,
 185                         "Method" => $method,
 186                     },
 187                 };
 188                 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
 189             }
 190         }
 191     }
 192 }
 193
 194 generate_tests();