test/ssl-tests/04-client_auth.conf.in

   1 # -*- mode: perl; -*-
   2
   3 ## SSL test configurations
   4
   5 package ssltests;
   6
   7 use strict;
   8 use warnings;
   9
  10 use OpenSSL::Test;
  11 use OpenSSL::Test::Utils qw(anydisabled);
  12 setup("no_test_here");
  13
  14 # We test version-flexible negotiation (undef) and each protocol version.
  15 my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
  16
  17 my @is_disabled = (0);
  18 push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2");
  19
  20 our @tests = ();
  21
  22 my $dir_sep = $^O ne "VMS" ? "/" : "";
  23
  24 sub generate_tests() {
  25
  26     foreach (0..$#protocols) {
  27         my $protocol = $protocols[$_];
  28         my $protocol_name = $protocol || "flex";
  29         my $caalert;
  30         if (!$is_disabled[$_]) {
  31             if ($protocol_name eq "SSLv3") {
  32                 $caalert = "BadCertificate";
  33             } else {
  34                 $caalert = "UnknownCA";
  35             }
  36             my $clihash;
  37             my $clisigalgs;
  38             # TODO add TLSv1.3 versions
  39             if ($protocol_name eq "TLSv1.2") {
  40                 $clihash = "SHA256";
  41                 $clisigalgs = "SHA256+RSA";
  42             }
  43             # Sanity-check simple handshake.
  44             push @tests, {
  45                 name => "server-auth-${protocol_name}",
  46                 server => {
  47                     "MinProtocol" => $protocol,
  48                     "MaxProtocol" => $protocol
  49                 },
  50                 client => {
  51                     "MinProtocol" => $protocol,
  52                     "MaxProtocol" => $protocol
  53                 },
  54                 test   => { "ExpectedResult" => "Success" },
  55             };
  56
  57             # Handshake with client cert requested but not required or received.
  58             push @tests, {
  59                 name => "client-auth-${protocol_name}-request",
  60                 server => {
  61                     "MinProtocol" => $protocol,
  62                     "MaxProtocol" => $protocol,
  63                     "VerifyMode" => "Request"
  64                 },
  65                 client => {
  66                     "MinProtocol" => $protocol,
  67                     "MaxProtocol" => $protocol
  68                 },
  69                 test   => { "ExpectedResult" => "Success" },
  70             };
  71
  72             # Handshake with client cert required but not present.
  73             push @tests, {
  74                 name => "client-auth-${protocol_name}-require-fail",
  75                 server => {
  76                     "MinProtocol" => $protocol,
  77                     "MaxProtocol" => $protocol,
  78                     "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
  79                     "VerifyMode" => "Require",
  80                 },
  81                 client => {
  82                     "MinProtocol" => $protocol,
  83                     "MaxProtocol" => $protocol
  84                 },
  85                 test   => {
  86                     "ExpectedResult" => "ServerFail",
  87                     "ExpectedServerAlert" => "HandshakeFailure",
  88                 },
  89             };
  90
  91             # Successful handshake with client authentication.
  92             push @tests, {
  93                 name => "client-auth-${protocol_name}-require",
  94                 server => {
  95                     "MinProtocol" => $protocol,
  96                     "MaxProtocol" => $protocol,
  97                     "ClientSignatureAlgorithms" => $clisigalgs,
  98                     "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
  99                     "VerifyMode" => "Request",
 100                 },
 101                 client => {
 102                     "MinProtocol" => $protocol,
 103                     "MaxProtocol" => $protocol,
 104                     "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
 105                     "PrivateKey"  => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
 106                 },
 107                 test   => { "ExpectedResult" => "Success",
 108                             "ExpectedClientCertType" => "RSA",
 109                             "ExpectedClientSignHash" => $clihash,
 110                 },
 111             };
 112
 113             # Handshake with client authentication but without the root certificate.
 114             push @tests, {
 115                 name => "client-auth-${protocol_name}-noroot",
 116                 server => {
 117                     "MinProtocol" => $protocol,
 118                     "MaxProtocol" => $protocol,
 119                     "VerifyMode" => "Require",
 120                 },
 121                 client => {
 122                     "MinProtocol" => $protocol,
 123                     "MaxProtocol" => $protocol,
 124                     "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
 125                     "PrivateKey"  => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
 126                 },
 127                 test   => {
 128                     "ExpectedResult" => "ServerFail",
 129                     "ExpectedServerAlert" => $caalert,
 130                 },
 131             };
 132         }
 133     }
 134 }
 135
 136 generate_tests();