test/ssl-tests/20-cert-select.conf.in

   1 # -*- mode: perl; -*-
   2
   3 ## SSL test configurations
   4
   5
   6 use strict;
   7 use warnings;
   8
   9 package ssltests;
  10 use OpenSSL::Test::Utils;
  11
  12 my $server = {
  13     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
  14     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
  15     "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
  16     "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
  17     "MaxProtocol" => "TLSv1.2"
  18 };
  19
  20 my $server_pss = {
  21     "PSS.Certificate" => test_pem("server-pss-cert.pem"),
  22     "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
  23     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
  24     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
  25     "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
  26     "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
  27     "MaxProtocol" => "TLSv1.2"
  28 };
  29
  30 my $server_pss_only = {
  31     "Certificate" => test_pem("server-pss-cert.pem"),
  32     "PrivateKey" => test_pem("server-pss-key.pem"),
  33 };
  34
  35 our @tests = (
  36     {
  37         name => "ECDSA CipherString Selection",
  38         server => $server,
  39         client => {
  40             "CipherString" => "aECDSA",
  41             "MaxProtocol" => "TLSv1.2",
  42             "RequestCAFile" => test_pem("root-cert.pem"),
  43         },
  44         test   => {
  45             "ExpectedServerCertType" =>, "P-256",
  46             "ExpectedServerSignType" =>, "EC",
  47             # Note: certificate_authorities not sent for TLS < 1.3
  48             "ExpectedServerCANames" =>, "empty",
  49             "ExpectedResult" => "Success"
  50         },
  51     },
  52     {
  53         name => "Ed25519 CipherString and Signature Algorithm Selection",
  54         server => $server,
  55         client => {
  56             "CipherString" => "aECDSA",
  57             "MaxProtocol" => "TLSv1.2",
  58             "SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
  59             "RequestCAFile" => test_pem("root-cert.pem"),
  60         },
  61         test   => {
  62             "ExpectedServerCertType" =>, "Ed25519",
  63             "ExpectedServerSignType" =>, "Ed25519",
  64             # Note: certificate_authorities not sent for TLS < 1.3
  65             "ExpectedServerCANames" =>, "empty",
  66             "ExpectedResult" => "Success"
  67         },
  68     },
  69     {
  70         name => "RSA CipherString Selection",
  71         server => $server,
  72         client => {
  73             "CipherString" => "aRSA",
  74             "MaxProtocol" => "TLSv1.2",
  75         },
  76         test   => {
  77             "ExpectedServerCertType" =>, "RSA",
  78             "ExpectedServerSignType" =>, "RSA-PSS",
  79             "ExpectedResult" => "Success"
  80         },
  81     },
  82     {
  83         name => "RSA-PSS Certificate CipherString Selection",
  84         server => $server_pss,
  85         client => {
  86             "CipherString" => "aRSA",
  87             "MaxProtocol" => "TLSv1.2",
  88         },
  89         test   => {
  90             "ExpectedServerCertType" =>, "RSA-PSS",
  91             "ExpectedServerSignType" =>, "RSA-PSS",
  92             "ExpectedResult" => "Success"
  93         },
  94     },
  95     {
  96         name => "P-256 CipherString and Signature Algorithm Selection",
  97         server => $server,
  98         client => {
  99             "CipherString" => "aECDSA",
 100             "MaxProtocol" => "TLSv1.2",
 101             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
 102         },
 103         test   => {
 104             "ExpectedServerCertType" => "P-256",
 105             "ExpectedServerSignHash" => "SHA256",
 106             "ExpectedServerSignType" => "EC",
 107             "ExpectedResult" => "Success"
 108         },
 109     },
 110     {
 111         name => "Ed25519 CipherString and Curves Selection",
 112         server => $server,
 113         client => {
 114             "CipherString" => "aECDSA",
 115             "MaxProtocol" => "TLSv1.2",
 116             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
 117             # Excluding P-256 from the supported curves list means server
 118             # certificate should be Ed25519 and not P-256
 119             "Curves" => "X25519"
 120         },
 121         test   => {
 122             "ExpectedServerCertType" =>, "Ed25519",
 123             "ExpectedServerSignType" =>, "Ed25519",
 124             "ExpectedResult" => "Success"
 125         },
 126     },
 127     {
 128         name => "ECDSA CipherString Selection, no ECDSA certificate",
 129         server => {
 130             "MaxProtocol" => "TLSv1.2"
 131         },
 132         client => {
 133             "CipherString" => "aECDSA",
 134             "MaxProtocol" => "TLSv1.2"
 135         },
 136         test   => {
 137             "ExpectedResult" => "ServerFail"
 138         },
 139     },
 140     {
 141         name => "ECDSA Signature Algorithm Selection",
 142         server => $server,
 143         client => {
 144             "SignatureAlgorithms" => "ECDSA+SHA256",
 145         },
 146         test   => {
 147             "ExpectedServerCertType" => "P-256",
 148             "ExpectedServerSignHash" => "SHA256",
 149             "ExpectedServerSignType" => "EC",
 150             "ExpectedResult" => "Success"
 151         },
 152     },
 153     {
 154         name => "ECDSA Signature Algorithm Selection SHA384",
 155         server => $server,
 156         client => {
 157             "SignatureAlgorithms" => "ECDSA+SHA384",
 158         },
 159         test   => {
 160             "ExpectedServerCertType" => "P-256",
 161             "ExpectedServerSignHash" => "SHA384",
 162             "ExpectedServerSignType" => "EC",
 163             "ExpectedResult" => "Success"
 164         },
 165     },
 166     {
 167         name => "ECDSA Signature Algorithm Selection SHA1",
 168         server => $server,
 169         client => {
 170             "SignatureAlgorithms" => "ECDSA+SHA1",
 171         },
 172         test   => {
 173             "ExpectedServerCertType" => "P-256",
 174             "ExpectedServerSignHash" => "SHA1",
 175             "ExpectedServerSignType" => "EC",
 176             "ExpectedResult" => "Success"
 177         },
 178     },
 179     {
 180         name => "ECDSA Signature Algorithm Selection compressed point",
 181         server => {
 182             "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
 183             "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
 184             "MaxProtocol" => "TLSv1.2"
 185         },
 186         client => {
 187             "SignatureAlgorithms" => "ECDSA+SHA256",
 188         },
 189         test   => {
 190             "ExpectedServerCertType" => "P-256",
 191             "ExpectedServerSignHash" => "SHA256",
 192             "ExpectedServerSignType" => "EC",
 193             "ExpectedResult" => "Success"
 194         },
 195     },
 196     {
 197         name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
 198         server => {
 199              "MaxProtocol" => "TLSv1.2"
 200         },
 201         client => {
 202             "SignatureAlgorithms" => "ECDSA+SHA256",
 203         },
 204         test   => {
 205             "ExpectedResult" => "ServerFail"
 206         },
 207     },
 208     {
 209         name => "RSA Signature Algorithm Selection",
 210         server => $server,
 211         client => {
 212             "SignatureAlgorithms" => "RSA+SHA256",
 213         },
 214         test   => {
 215             "ExpectedServerCertType" => "RSA",
 216             "ExpectedServerSignHash" => "SHA256",
 217             "ExpectedServerSignType" => "RSA",
 218             "ExpectedResult" => "Success"
 219         },
 220     },
 221     {
 222         name => "RSA-PSS Signature Algorithm Selection",
 223         server => $server,
 224         client => {
 225             "SignatureAlgorithms" => "RSA-PSS+SHA256",
 226         },
 227         test   => {
 228             "ExpectedServerCertType" => "RSA",
 229             "ExpectedServerSignHash" => "SHA256",
 230             "ExpectedServerSignType" => "RSA-PSS",
 231             "ExpectedResult" => "Success"
 232         },
 233     },
 234     {
 235         name => "RSA-PSS Certificate Signature Algorithm Selection",
 236         server => $server_pss,
 237         client => {
 238             "SignatureAlgorithms" => "RSA-PSS+SHA256",
 239         },
 240         test   => {
 241             "ExpectedServerCertType" => "RSA-PSS",
 242             "ExpectedServerSignHash" => "SHA256",
 243             "ExpectedServerSignType" => "RSA-PSS",
 244             "ExpectedResult" => "Success"
 245         },
 246     },
 247     {
 248         name => "Only RSA-PSS Certificate",
 249         server => $server_pss_only,
 250         client => {},
 251         test   => {
 252             "ExpectedServerCertType" => "RSA-PSS",
 253             "ExpectedServerSignHash" => "SHA256",
 254             "ExpectedServerSignType" => "RSA-PSS",
 255             "ExpectedResult" => "Success"
 256         },
 257     },
 258     {
 259         name => "RSA-PSS Certificate, no PSS signature algorithms",
 260         server => $server_pss_only,
 261         client => {
 262             "SignatureAlgorithms" => "RSA+SHA256",
 263         },
 264         test   => {
 265             "ExpectedResult" => "ServerFail"
 266         },
 267     },
 268     {
 269         name => "Suite B P-256 Hash Algorithm Selection",
 270         server =>  {
 271             "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
 272             "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
 273             "MaxProtocol" => "TLSv1.2",
 274             "CipherString" => "SUITEB128"
 275         },
 276         client => {
 277             "VerifyCAFile" => test_pem("p384-root.pem"),
 278             "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
 279         },
 280         test   => {
 281             "ExpectedServerCertType" => "P-256",
 282             "ExpectedServerSignHash" => "SHA256",
 283             "ExpectedServerSignType" => "EC",
 284             "ExpectedResult" => "Success"
 285         },
 286     },
 287     {
 288         name => "Suite B P-384 Hash Algorithm Selection",
 289         server =>  {
 290             "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
 291             "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
 292             "MaxProtocol" => "TLSv1.2",
 293             "CipherString" => "SUITEB128"
 294         },
 295         client => {
 296             "VerifyCAFile" => test_pem("p384-root.pem"),
 297             "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
 298         },
 299         test   => {
 300             "ExpectedServerCertType" => "P-384",
 301             "ExpectedServerSignHash" => "SHA384",
 302             "ExpectedServerSignType" => "EC",
 303             "ExpectedResult" => "Success"
 304         },
 305     },
 306     {
 307         name => "TLS 1.2 Ed25519 Client Auth",
 308         server => {
 309             "VerifyCAFile" => test_pem("root-cert.pem"),
 310             "VerifyMode" => "Require"
 311         },
 312         client => {
 313             "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
 314             "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
 315             "MinProtocol" => "TLSv1.2",
 316             "MaxProtocol" => "TLSv1.2"
 317         },
 318         test   => {
 319             "ExpectedClientCertType" => "Ed25519",
 320             "ExpectedClientSignType" => "Ed25519",
 321             "ExpectedResult" => "Success"
 322         },
 323     },
 324 );
 325
 326 my @tests_tls_1_1 = (
 327     {
 328         name => "Only RSA-PSS Certificate, TLS v1.1",
 329         server => $server_pss_only,
 330         client => {
 331             "MaxProtocol" => "TLSv1.1",
 332         },
 333         test   => {
 334             "ExpectedResult" => "ServerFail"
 335         },
 336     },
 337 );
 338
 339 push @tests, @tests_tls_1_1 unless disabled("tls1_1");
 340
 341 my $server_tls_1_3 = {
 342     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
 343     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
 344     "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
 345     "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
 346     "MinProtocol" => "TLSv1.3",
 347     "MaxProtocol" => "TLSv1.3"
 348 };
 349
 350 my $server_tls_1_3_pss = {
 351     "PSS.Certificate" => test_pem("server-pss-cert.pem"),
 352     "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
 353     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
 354     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
 355     "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
 356     "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
 357     "MinProtocol" => "TLSv1.3",
 358     "MaxProtocol" => "TLSv1.3"
 359 };
 360
 361 my $client_tls_1_3 = {
 362     "RSA.Certificate" => test_pem("ee-client-chain.pem"),
 363     "RSA.PrivateKey" => test_pem("ee-key.pem"),
 364     "ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
 365     "ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"),
 366     "MinProtocol" => "TLSv1.3",
 367     "MaxProtocol" => "TLSv1.3"
 368 };
 369
 370 my @tests_tls_1_3 = (
 371     {
 372         name => "TLS 1.3 ECDSA Signature Algorithm Selection",
 373         server => $server_tls_1_3,
 374         client => {
 375             "SignatureAlgorithms" => "ECDSA+SHA256",
 376         },
 377         test   => {
 378             "ExpectedServerCertType" => "P-256",
 379             "ExpectedServerSignHash" => "SHA256",
 380             "ExpectedServerSignType" => "EC",
 381             "ExpectedServerCANames" => "empty",
 382             "ExpectedResult" => "Success"
 383         },
 384     },
 385     {
 386         name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point",
 387         server => {
 388             "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
 389             "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
 390             "MinProtocol" => "TLSv1.3",
 391             "MaxProtocol" => "TLSv1.3"
 392         },
 393         client => {
 394             "SignatureAlgorithms" => "ECDSA+SHA256",
 395         },
 396         test   => {
 397             "ExpectedResult" => "ServerFail"
 398         },
 399     },
 400     {
 401         name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1",
 402         server => $server_tls_1_3,
 403         client => {
 404             "SignatureAlgorithms" => "ECDSA+SHA1",
 405         },
 406         test   => {
 407             "ExpectedResult" => "ServerFail"
 408         },
 409     },
 410     {
 411         name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
 412         server => $server_tls_1_3,
 413         client => {
 414             "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
 415             "RequestCAFile" => test_pem("root-cert.pem"),
 416         },
 417         test   => {
 418             "ExpectedServerCertType" => "P-256",
 419             "ExpectedServerSignHash" => "SHA256",
 420             "ExpectedServerSignType" => "EC",
 421             "ExpectedServerCANames" => test_pem("root-cert.pem"),
 422             "ExpectedResult" => "Success"
 423         },
 424     },
 425     {
 426         name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
 427         server => $server_tls_1_3,
 428         client => {
 429             "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
 430         },
 431         test   => {
 432             "ExpectedServerCertType" => "RSA",
 433             "ExpectedServerSignHash" => "SHA384",
 434             "ExpectedServerSignType" => "RSA-PSS",
 435             "ExpectedResult" => "Success"
 436         },
 437     },
 438     {
 439         name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
 440         server => {
 441             "MinProtocol" => "TLSv1.3",
 442             "MaxProtocol" => "TLSv1.3"
 443         },
 444         client => {
 445             "SignatureAlgorithms" => "ECDSA+SHA256",
 446         },
 447         test   => {
 448             "ExpectedResult" => "ServerFail"
 449         },
 450     },
 451     {
 452         name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
 453         server => $server_tls_1_3,
 454         client => {
 455             "SignatureAlgorithms" => "RSA+SHA256",
 456         },
 457         test   => {
 458             "ExpectedResult" => "ServerFail"
 459         },
 460     },
 461     {
 462         name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
 463         server => $server_tls_1_3,
 464         client => {
 465             "SignatureAlgorithms" => "RSA-PSS+SHA256",
 466         },
 467         test   => {
 468             "ExpectedServerCertType" => "RSA",
 469             "ExpectedServerSignHash" => "SHA256",
 470             "ExpectedServerSignType" => "RSA-PSS",
 471             "ExpectedResult" => "Success"
 472         },
 473     },
 474     {
 475         name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
 476         server => $server_tls_1_3,
 477         client => {
 478             "SignatureAlgorithms" => "ed25519",
 479         },
 480         test   => {
 481             "ExpectedServerCertType" => "Ed25519",
 482             "ExpectedServerSignType" => "Ed25519",
 483             "ExpectedResult" => "Success"
 484         },
 485     },
 486     {
 487         name => "TLS 1.3 Ed25519 CipherString and Groups Selection",
 488         server => $server_tls_1_3,
 489         client => {
 490             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
 491             # Excluding P-256 from the supported groups list should
 492             # mean server still uses a P-256 certificate because supported
 493             # groups is not used in signature selection for TLS 1.3
 494             "Groups" => "X25519"
 495         },
 496         test   => {
 497             "ExpectedServerCertType" =>, "P-256",
 498             "ExpectedServerSignType" =>, "EC",
 499             "ExpectedResult" => "Success"
 500         },
 501     },
 502     {
 503         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
 504         server => {
 505             "ClientSignatureAlgorithms" => "PSS+SHA256",
 506             "VerifyCAFile" => test_pem("root-cert.pem"),
 507             "VerifyMode" => "Require"
 508         },
 509         client => $client_tls_1_3,
 510         test   => {
 511             "ExpectedClientCertType" => "RSA",
 512             "ExpectedClientSignHash" => "SHA256",
 513             "ExpectedClientSignType" => "RSA-PSS",
 514             "ExpectedClientCANames" => "empty",
 515             "ExpectedResult" => "Success"
 516         },
 517     },
 518     {
 519         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
 520         server => {
 521             "ClientSignatureAlgorithms" => "PSS+SHA256",
 522             "VerifyCAFile" => test_pem("root-cert.pem"),
 523             "RequestCAFile" => test_pem("root-cert.pem"),
 524             "VerifyMode" => "Require"
 525         },
 526         client => $client_tls_1_3,
 527         test   => {
 528             "ExpectedClientCertType" => "RSA",
 529             "ExpectedClientSignHash" => "SHA256",
 530             "ExpectedClientSignType" => "RSA-PSS",
 531             "ExpectedClientCANames" => test_pem("root-cert.pem"),
 532             "ExpectedResult" => "Success"
 533         },
 534     },
 535     {
 536         name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
 537         server => {
 538             "ClientSignatureAlgorithms" => "ECDSA+SHA256",
 539             "VerifyCAFile" => test_pem("root-cert.pem"),
 540             "VerifyMode" => "Require"
 541         },
 542         client => $client_tls_1_3,
 543         test   => {
 544             "ExpectedClientCertType" => "P-256",
 545             "ExpectedClientSignHash" => "SHA256",
 546             "ExpectedClientSignType" => "EC",
 547             "ExpectedResult" => "Success"
 548         },
 549     },
 550     {
 551         name => "TLS 1.3 Ed25519 Client Auth",
 552         server => {
 553             "VerifyCAFile" => test_pem("root-cert.pem"),
 554             "VerifyMode" => "Require"
 555         },
 556         client => {
 557             "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
 558             "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
 559             "MinProtocol" => "TLSv1.3",
 560             "MaxProtocol" => "TLSv1.3"
 561         },
 562         test   => {
 563             "ExpectedClientCertType" => "Ed25519",
 564             "ExpectedClientSignType" => "Ed25519",
 565             "ExpectedResult" => "Success"
 566         },
 567     },
 568 );
 569
 570 push @tests, @tests_tls_1_3 unless disabled("tls1_3");
 571
 572 my @tests_dsa_tls_1_2 = (
 573     {
 574         name => "TLS 1.2 DSA Certificate Test",
 575         server => {
 576             "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
 577             "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
 578             "DHParameters" => test_pem("dhp2048.pem"),
 579             "MinProtocol" => "TLSv1.2",
 580             "MaxProtocol" => "TLSv1.2",
 581             "CipherString" => "ALL",
 582         },
 583         client => {
 584             "SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
 585             "CipherString" => "ALL",
 586         },
 587         test   => {
 588             "ExpectedResult" => "Success"
 589         },
 590     },
 591 );
 592
 593 my @tests_dsa_tls_1_3 = (
 594     {
 595         name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
 596         server => {
 597             "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
 598             "VerifyCAFile" => test_pem("root-cert.pem"),
 599             "VerifyMode" => "Request"
 600         },
 601         client => {},
 602         test   => {
 603             "ExpectedResult" => "ServerFail"
 604         },
 605     },
 606     {
 607         name => "TLS 1.3 DSA Certificate Test",
 608         server => {
 609             "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
 610             "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
 611             "MinProtocol" => "TLSv1.3",
 612             "MaxProtocol" => "TLSv1.3",
 613             "CipherString" => "ALL",
 614         },
 615         client => {
 616             "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256:ECDSA+SHA256",
 617             "CipherString" => "ALL",
 618         },
 619         test   => {
 620             "ExpectedResult" => "ServerFail"
 621         },
 622     },
 623 );
 624
 625 if (!disabled("dsa")) {
 626     push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
 627     push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
 628 }