Add Client CA names tests
1 # -*- mode: perl; -*-
2
3 ## SSL test configurations
4
5 package ssltests;
6
7 use strict;
8 use warnings;
9
10 use OpenSSL::Test;
11 use OpenSSL::Test::Utils qw(anydisabled);
setup("no_test_here");

# Version-flexible negotiation (undef) plus each pinned protocol version.
my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");

# Parallel to @protocols: flexible negotiation is never disabled (0); the
# remaining flags come from the build's feature list, in the same order as
# the versions above.
my @is_disabled = (0, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2"));

# Filled in by generate_tests(); read by the test generator that evaluates
# this file.
our @tests = ();
21
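# Server/client config fragment pinning both ends of a connection to one
# protocol version; an undef $protocol leaves both bounds unset so that the
# peers negotiate freely ("flex").
sub _version_bounds {
    my ($protocol) = @_;
    return (
        "MinProtocol" => $protocol,
        "MaxProtocol" => $protocol,
    );
}

# Client config fragment presenting the test client certificate chain and
# its private key.
sub _client_credentials {
    return (
        "Certificate" => test_pem("ee-client-chain.pem"),
        "PrivateKey"  => test_pem("ee-key.pem"),
    );
}

# Populate the file-level @tests with the client-authentication matrix: for
# every enabled protocol in @protocols, one test per scenario (server-only
# auth, optional client cert, required-but-missing client cert, accepted
# client cert with empty and with explicit CA names, and a client cert the
# server cannot chain to a trusted root).
#
# Reads @protocols and the parallel @is_disabled array, calls test_pem() for
# fixture paths, and pushes onto @tests.  Has no return value of interest.
sub generate_tests {
    PROTOCOL:
    for my $i (0 .. $#protocols) {
        # A protocol compiled out of this build gets no tests at all.
        next PROTOCOL if $is_disabled[$i];

        my $protocol      = $protocols[$i];
        my $protocol_name = $protocol || "flex";

        # SSLv3 has no unknown_ca alert, so a client chain the server cannot
        # verify is reported there as bad_certificate; TLS/DTLS use unknown_ca.
        my $caalert = $protocol_name eq "SSLv3" ? "BadCertificate" : "UnknownCA";

        # Only DTLS is given an explicit Method; TLS leaves it undef.
        my $method = $protocol_name =~ m/^DTLS/ ? "DTLS" : undef;

        # Client signature details are only pinned for TLSv1.2, the one
        # version here that negotiates signature algorithms.
        # TODO(TLS1.3) add TLSv1.3 versions
        my ($clihash, $clisigtype, $clisigalgs);
        if ($protocol_name eq "TLSv1.2") {
            ($clihash, $clisigtype, $clisigalgs) = ("SHA256", "RSA", "SHA256+RSA");
        }

        # Sanity-check simple handshake: server authentication only.
        push @tests, {
            name   => "server-auth-${protocol_name}",
            server => { _version_bounds($protocol) },
            client => { _version_bounds($protocol) },
            test   => {
                "ExpectedResult" => "Success",
                "Method"         => $method,
            },
        };

        # Client cert requested but not required; the client sends none and
        # the handshake must still succeed.
        push @tests, {
            name   => "client-auth-${protocol_name}-request",
            server => {
                _version_bounds($protocol),
                "VerifyMode" => "Request",
            },
            client => { _version_bounds($protocol) },
            test   => {
                "ExpectedResult" => "Success",
                "Method"         => $method,
            },
        };

        # Client cert required but the client has none: the server must abort
        # with handshake_failure rather than continue unauthenticated.
        push @tests, {
            name   => "client-auth-${protocol_name}-require-fail",
            server => {
                _version_bounds($protocol),
                "VerifyCAFile" => test_pem("root-cert.pem"),
                "VerifyMode"   => "Require",
            },
            client => { _version_bounds($protocol) },
            test   => {
                "ExpectedResult"      => "ServerFail",
                "ExpectedServerAlert" => "HandshakeFailure",
                "Method"              => $method,
            },
        };

        # Successful client authentication with no ClientCAFile configured,
        # so the CA names sent with the certificate request are expected to
        # be empty.
        push @tests, {
            name   => "client-auth-${protocol_name}-require",
            server => {
                _version_bounds($protocol),
                "ClientSignatureAlgorithms" => $clisigalgs,
                "VerifyCAFile"              => test_pem("root-cert.pem"),
                "VerifyMode"                => "Request",
            },
            client => {
                _version_bounds($protocol),
                _client_credentials(),
            },
            test   => {
                "ExpectedResult"         => "Success",
                "ExpectedClientCertType" => "RSA",
                "ExpectedClientSignType" => $clisigtype,
                "ExpectedClientSignHash" => $clihash,
                "ExpectedClientCANames"  => "empty",
                "Method"                 => $method,
            },
        };

        # Same, but with ClientCAFile set: the CA names advertised to the
        # client must match those in root-cert.pem.
        push @tests, {
            name   => "client-auth-${protocol_name}-require-non-empty-names",
            server => {
                _version_bounds($protocol),
                "ClientSignatureAlgorithms" => $clisigalgs,
                "ClientCAFile"              => test_pem("root-cert.pem"),
                "VerifyCAFile"              => test_pem("root-cert.pem"),
                "VerifyMode"                => "Request",
            },
            client => {
                _version_bounds($protocol),
                _client_credentials(),
            },
            test   => {
                "ExpectedResult"         => "Success",
                "ExpectedClientCertType" => "RSA",
                "ExpectedClientSignType" => $clisigtype,
                "ExpectedClientSignHash" => $clihash,
                "ExpectedClientCANames"  => test_pem("root-cert.pem"),
                "Method"                 => $method,
            },
        };

        # Client presents a cert but the server has no VerifyCAFile, so the
        # chain cannot be built to a trusted root and must be rejected with
        # the version-appropriate CA alert.
        push @tests, {
            name   => "client-auth-${protocol_name}-noroot",
            server => {
                _version_bounds($protocol),
                "VerifyMode" => "Require",
            },
            client => {
                _version_bounds($protocol),
                _client_credentials(),
            },
            test   => {
                "ExpectedResult"      => "ServerFail",
                "ExpectedServerAlert" => $caalert,
                "Method"              => $method,
            },
        };
    }
    return;
}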
177
# Build the test list at load time so @ssltests::tests is ready for the
# generator that evaluates this file.
generate_tests();