test/ssl-tests/04-client_auth.conf.in

   1 # -*- mode: perl; -*-
   2
   3 ## SSL test configurations
   4
   5 package ssltests;
   6
   7 use strict;
   8 use warnings;
   9
  10 use OpenSSL::Test;
  11 use OpenSSL::Test::Utils qw(anydisabled disabled);
  12 setup("no_test_here");
  13
  14 # We test version-flexible negotiation (undef) and each protocol version.
  15 my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
  16
  17 my @is_disabled = (0);
  18 push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
  19
  20 our @tests = ();
  21
  22 sub generate_tests() {
  23     foreach (0..$#protocols) {
  24         my $protocol = $protocols[$_];
  25         my $protocol_name = $protocol || "flex";
  26         my $caalert;
  27         my $method;
  28         my $sctpenabled = 0;
  29         if (!$is_disabled[$_]) {
  30             if ($protocol_name eq "SSLv3") {
  31                 $caalert = "BadCertificate";
  32             } else {
  33                 $caalert = "UnknownCA";
  34             }
  35             if ($protocol_name =~ m/^DTLS/) {
  36                 $method = "DTLS";
  37                 $sctpenabled = 1 if !disabled("sctp");
  38             }
  39             my $clihash;
  40             my $clisigtype;
  41             my $clisigalgs;
  42             # TODO(TLS1.3) add TLSv1.3 versions
  43             if ($protocol_name eq "TLSv1.2") {
  44                 $clihash = "SHA256";
  45                 $clisigtype = "RSA";
  46                 $clisigalgs = "SHA256+RSA";
  47             }
  48             for (my $sctp = 0; $sctp <= $sctpenabled; $sctp++) {
  49                 # Sanity-check simple handshake.
  50                 push @tests, {
  51                     name => "server-auth-${protocol_name}"
  52                             .($sctp ? "-sctp" : ""),
  53                     server => {
  54                         "MinProtocol" => $protocol,
  55                         "MaxProtocol" => $protocol
  56                     },
  57                     client => {
  58                         "MinProtocol" => $protocol,
  59                         "MaxProtocol" => $protocol
  60                     },
  61                     test   => {
  62                         "ExpectedResult" => "Success",
  63                         "Method" => $method,
  64                     },
  65                 };
  66                 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  67
  68                 # Handshake with client cert requested but not required or received.
  69                 push @tests, {
  70                     name => "client-auth-${protocol_name}-request"
  71                             .($sctp ? "-sctp" : ""),
  72                     server => {
  73                         "MinProtocol" => $protocol,
  74                         "MaxProtocol" => $protocol,
  75                         "VerifyMode" => "Request"
  76                     },
  77                     client => {
  78                         "MinProtocol" => $protocol,
  79                         "MaxProtocol" => $protocol
  80                     },
  81                     test   => {
  82                         "ExpectedResult" => "Success",
  83                         "Method" => $method,
  84                     },
  85                 };
  86                 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  87
  88                 # Handshake with client cert required but not present.
  89                 push @tests, {
  90                     name => "client-auth-${protocol_name}-require-fail"
  91                             .($sctp ? "-sctp" : ""),
  92                     server => {
  93                         "MinProtocol" => $protocol,
  94                         "MaxProtocol" => $protocol,
  95                         "VerifyCAFile" => test_pem("root-cert.pem"),
  96                         "VerifyMode" => "Require",
  97                     },
  98                     client => {
  99                         "MinProtocol" => $protocol,
 100                         "MaxProtocol" => $protocol
 101                     },
 102                     test   => {
 103                         "ExpectedResult" => "ServerFail",
 104                         "ExpectedServerAlert" =>
 105                         ($protocol_name eq "flex" && !disabled("tls1_3"))
 106                         ? "CertificateRequired" : "HandshakeFailure",
 107                         "Method" => $method,
 108                     },
 109                 };
 110                 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
 111
 112                 # Successful handshake with client authentication.
 113                 push @tests, {
 114                     name => "client-auth-${protocol_name}-require"
 115                              .($sctp ? "-sctp" : ""),
 116                     server => {
 117                         "MinProtocol" => $protocol,
 118                         "MaxProtocol" => $protocol,
 119                         "ClientSignatureAlgorithms" => $clisigalgs,
 120                         "VerifyCAFile" => test_pem("root-cert.pem"),
 121                         "VerifyMode" => "Request",
 122                     },
 123                     client => {
 124                         "MinProtocol" => $protocol,
 125                         "MaxProtocol" => $protocol,
 126                         "Certificate" => test_pem("ee-client-chain.pem"),
 127                         "PrivateKey"  => test_pem("ee-key.pem"),
 128                     },
 129                     test   => {
 130                         "ExpectedResult" => "Success",
 131                         "ExpectedClientCertType" => "RSA",
 132                         "ExpectedClientSignType" => $clisigtype,
 133                         "ExpectedClientSignHash" => $clihash,
 134                         "ExpectedClientCANames" => "empty",
 135                         "Method" => $method,
 136                     },
 137                 };
 138                 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
 139
 140                 # Successful handshake with client authentication non-empty names
 141                 push @tests, {
 142                     name => "client-auth-${protocol_name}-require-non-empty-names"
 143                             .($sctp ? "-sctp" : ""),
 144                     server => {
 145                         "MinProtocol" => $protocol,
 146                         "MaxProtocol" => $protocol,
 147                         "ClientSignatureAlgorithms" => $clisigalgs,
 148                         "ClientCAFile" => test_pem("root-cert.pem"),
 149                         "VerifyCAFile" => test_pem("root-cert.pem"),
 150                         "VerifyMode" => "Request",
 151                     },
 152                     client => {
 153                         "MinProtocol" => $protocol,
 154                         "MaxProtocol" => $protocol,
 155                         "Certificate" => test_pem("ee-client-chain.pem"),
 156                         "PrivateKey"  => test_pem("ee-key.pem"),
 157                     },
 158                     test   => {
 159                         "ExpectedResult" => "Success",
 160                         "ExpectedClientCertType" => "RSA",
 161                         "ExpectedClientSignType" => $clisigtype,
 162                         "ExpectedClientSignHash" => $clihash,
 163                         "ExpectedClientCANames" => test_pem("root-cert.pem"),
 164                         "Method" => $method,
 165                     },
 166                 };
 167                 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
 168
 169                 # Handshake with client authentication but without the root certificate.
 170                 push @tests, {
 171                     name => "client-auth-${protocol_name}-noroot"
 172                             .($sctp ? "-sctp" : ""),
 173                     server => {
 174                         "MinProtocol" => $protocol,
 175                         "MaxProtocol" => $protocol,
 176                         "VerifyMode" => "Require",
 177                     },
 178                     client => {
 179                         "MinProtocol" => $protocol,
 180                         "MaxProtocol" => $protocol,
 181                         "Certificate" => test_pem("ee-client-chain.pem"),
 182                         "PrivateKey"  => test_pem("ee-key.pem"),
 183                     },
 184                     test   => {
 185                         "ExpectedResult" => "ServerFail",
 186                         "ExpectedServerAlert" => $caalert,
 187                         "Method" => $method,
 188                     },
 189                 };
 190                 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
 191             }
 192         }
 193     }
 194 }
 195
 196 generate_tests();