1 # -*- mode: perl; -*-
2
3 ## SSL test configurations
4
5 package ssltests;
6
7 use strict;
8 use warnings;
9
10 use OpenSSL::Test;
11 use OpenSSL::Test::Utils qw(anydisabled disabled);
setup("no_test_here");

# Protocol versions the client-auth matrix is generated for.  undef stands
# for version-flexible negotiation (named "flex" in the tests); every other
# entry pins MinProtocol and MaxProtocol to that single version.
my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");

# One flag per @protocols entry, true where the version is compiled out.
# Version-flexible negotiation is always available, hence the leading 0;
# the rest relies on anydisabled() returning one flag per argument, in order.
my @is_disabled = (0, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2"));

# Test cases, filled in by generate_tests() below.
our @tests = ();
21
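# Fill @tests with the client-authentication matrix.
#
# For every entry of @protocols that is compiled in, six handshakes are
# generated, in this order:
#   1. server-auth-<proto>                          plain handshake, succeeds
#   2. client-auth-<proto>-request                  cert requested, none sent, succeeds
#   3. client-auth-<proto>-require-fail             cert required, none sent, server fails
#   4. client-auth-<proto>-require                  cert sent, no CA names advertised
#   5. client-auth-<proto>-require-non-empty-names  cert sent, root-cert.pem advertised
#   6. client-auth-<proto>-noroot                   cert sent, no trust anchor, server fails
# For DTLS with SCTP compiled in, the six are emitted a second time with a
# "-sctp" name suffix and UseSCTP => "Yes".
#
# Takes no arguments and returns nothing; its only effect is appending
# hashrefs to the package variable @tests.
sub generate_tests {
    for my $idx (0 .. $#protocols) {
        # Compiled-out protocols contribute no tests.
        next if $is_disabled[$idx];

        my $protocol = $protocols[$idx];
        my $protocol_name = $protocol || "flex";

        # Alert the server is expected to send when it requires a client
        # cert it cannot chain to a trust anchor (test 6): SSLv3 reports
        # BadCertificate, every later version UnknownCA.
        my $caalert = $protocol_name eq "SSLv3" ? "BadCertificate" : "UnknownCA";

        # DTLS versions select the DTLS method and, when SCTP is compiled
        # in, an extra SCTP run of each test.
        my $method;
        my $sctpenabled = 0;
        if ($protocol_name =~ m/^DTLS/) {
            $method = "DTLS";
            $sctpenabled = 1 if !disabled("sctp");
        }

        # Client signature expectations are only pinned for TLSv1.2; they
        # stay undef (and so unconstrained) for every other version.
        my ($clihash, $clisigtype, $clisigalgs);
        # TODO(TLS1.3) add TLSv1.3 versions
        if ($protocol_name eq "TLSv1.2") {
            $clihash = "SHA256";
            $clisigtype = "RSA";
            $clisigalgs = "SHA256+RSA";
        }

        # Fragments shared by several of the tests below.
        my %versions = (
            "MinProtocol" => $protocol,
            "MaxProtocol" => $protocol,
        );
        my %client_cert = (
            "Certificate" => test_pem("ee-client-chain.pem"),
            "PrivateKey"  => test_pem("ee-key.pem"),
        );
        my %expect_client_auth = (
            "ExpectedResult" => "Success",
            "ExpectedClientCertType" => "RSA",
            "ExpectedClientSignType" => $clisigtype,
            "ExpectedClientSignHash" => $clihash,
            "Method" => $method,
        );

        for my $sctp (0 .. $sctpenabled) {
            # Sanity-check simple handshake.
            _push_test($sctp, "server-auth-${protocol_name}",
                server => { %versions },
                client => { %versions },
                test   => {
                    "ExpectedResult" => "Success",
                    "Method" => $method,
                },
            );

            # Handshake with client cert requested but not required or received.
            _push_test($sctp, "client-auth-${protocol_name}-request",
                server => {
                    %versions,
                    "VerifyMode" => "Request",
                },
                client => { %versions },
                test   => {
                    "ExpectedResult" => "Success",
                    "Method" => $method,
                },
            );

            # Handshake with client cert required but not present.  A
            # version-flexible handshake with TLSv1.3 available fails with
            # CertificateRequired; every other case with HandshakeFailure.
            _push_test($sctp, "client-auth-${protocol_name}-require-fail",
                server => {
                    %versions,
                    "VerifyCAFile" => test_pem("root-cert.pem"),
                    "VerifyMode" => "Require",
                },
                client => { %versions },
                test   => {
                    "ExpectedResult" => "ServerFail",
                    "ExpectedServerAlert" =>
                        ($protocol_name eq "flex" && !disabled("tls1_3"))
                        ? "CertificateRequired" : "HandshakeFailure",
                    "Method" => $method,
                },
            );

            # Successful handshake with client authentication; the server
            # advertises no CA names.
            _push_test($sctp, "client-auth-${protocol_name}-require",
                server => {
                    %versions,
                    "ClientSignatureAlgorithms" => $clisigalgs,
                    "VerifyCAFile" => test_pem("root-cert.pem"),
                    "VerifyMode" => "Request",
                },
                client => { %versions, %client_cert },
                test   => {
                    %expect_client_auth,
                    "ExpectedClientCANames" => "empty",
                },
            );

            # Successful handshake with client authentication and a
            # non-empty CA name list taken from root-cert.pem.
            _push_test($sctp, "client-auth-${protocol_name}-require-non-empty-names",
                server => {
                    %versions,
                    "ClientSignatureAlgorithms" => $clisigalgs,
                    "ClientCAFile" => test_pem("root-cert.pem"),
                    "VerifyCAFile" => test_pem("root-cert.pem"),
                    "VerifyMode" => "Request",
                },
                client => { %versions, %client_cert },
                test   => {
                    %expect_client_auth,
                    "ExpectedClientCANames" => test_pem("root-cert.pem"),
                },
            );

            # Client authentication with no trust anchor configured on the
            # server: the client cert cannot be verified, so the server
            # must refuse the handshake with $caalert rather than accept it.
            _push_test($sctp, "client-auth-${protocol_name}-noroot",
                server => {
                    %versions,
                    "VerifyMode" => "Require",
                },
                client => { %versions, %client_cert },
                test   => {
                    "ExpectedResult" => "ServerFail",
                    "ExpectedServerAlert" => $caalert,
                    "Method" => $method,
                },
            );
        }
    }
    return;
}

# Append one test case to @tests.
#
# $sctp - true for the SCTP variant: "-sctp" is appended to $name and
#         UseSCTP => "Yes" is added to the test section.
# $name - base test name.
# %spec - the server, client and test sections of the case.
sub _push_test {
    my ($sctp, $name, %spec) = @_;
    if ($sctp) {
        $name .= "-sctp";
        $spec{test}{"UseSCTP"} = "Yes";
    }
    push @tests, { name => $name, %spec };
    return;
}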
195
# Populate @tests at load time, so whatever evaluates this file finds the
# full client-auth matrix ready in the package variable.
generate_tests();