test/ssl-tests/20-cert-select.conf.in

   1 # -*- mode: perl; -*-
   2
   3 ## SSL test configurations
   4
   5
   6 use strict;
   7 use warnings;
   8
   9 package ssltests;
  10 use OpenSSL::Test::Utils;
  11
  12 my $server = {
  13     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
  14     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
  15     "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
  16     "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
  17     "MaxProtocol" => "TLSv1.2"
  18 };
  19
  20 our @tests = (
  21     {
  22         name => "ECDSA CipherString Selection",
  23         server => $server,
  24         client => {
  25             "CipherString" => "aECDSA",
  26             "MaxProtocol" => "TLSv1.2",
  27             "RequestCAFile" => test_pem("root-cert.pem"),
  28         },
  29         test   => {
  30             "ExpectedServerCertType" =>, "P-256",
  31             "ExpectedServerSignType" =>, "EC",
  32             # Note: certificate_authorities not sent for TLS < 1.3
  33             "ExpectedServerCANames" =>, "empty",
  34             "ExpectedResult" => "Success"
  35         },
  36     },
  37     {
  38         name => "Ed25519 CipherString and Signature Algorithm Selection",
  39         server => $server,
  40         client => {
  41             "CipherString" => "aECDSA",
  42             "MaxProtocol" => "TLSv1.2",
  43             "SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
  44             "RequestCAFile" => test_pem("root-cert.pem"),
  45         },
  46         test   => {
  47             "ExpectedServerCertType" =>, "Ed25519",
  48             "ExpectedServerSignType" =>, "Ed25519",
  49             # Note: certificate_authorities not sent for TLS < 1.3
  50             "ExpectedServerCANames" =>, "empty",
  51             "ExpectedResult" => "Success"
  52         },
  53     },
  54     {
  55         name => "RSA CipherString Selection",
  56         server => $server,
  57         client => {
  58             "CipherString" => "aRSA",
  59             "MaxProtocol" => "TLSv1.2",
  60         },
  61         test   => {
  62             "ExpectedServerCertType" =>, "RSA",
  63             "ExpectedServerSignType" =>, "RSA-PSS",
  64             "ExpectedResult" => "Success"
  65         },
  66     },
  67     {
  68         name => "P-256 CipherString and Signature Algorithm Selection",
  69         server => $server,
  70         client => {
  71             "CipherString" => "aECDSA",
  72             "MaxProtocol" => "TLSv1.2",
  73             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
  74         },
  75         test   => {
  76             "ExpectedServerCertType" => "P-256",
  77             "ExpectedServerSignHash" => "SHA256",
  78             "ExpectedServerSignType" => "EC",
  79             "ExpectedResult" => "Success"
  80         },
  81     },
  82     {
  83         name => "Ed25519 CipherString and Curves Selection",
  84         server => $server,
  85         client => {
  86             "CipherString" => "aECDSA",
  87             "MaxProtocol" => "TLSv1.2",
  88             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
  89             # Excluding P-256 from the supported curves list means server
  90             # certificate should be Ed25519 and not P-256
  91             "Curves" => "X25519"
  92         },
  93         test   => {
  94             "ExpectedServerCertType" =>, "Ed25519",
  95             "ExpectedServerSignType" =>, "Ed25519",
  96             "ExpectedResult" => "Success"
  97         },
  98     },
  99     {
 100         name => "ECDSA CipherString Selection, no ECDSA certificate",
 101         server => {
 102             "MaxProtocol" => "TLSv1.2"
 103         },
 104         client => {
 105             "CipherString" => "aECDSA",
 106             "MaxProtocol" => "TLSv1.2"
 107         },
 108         test   => {
 109             "ExpectedResult" => "ServerFail"
 110         },
 111     },
 112     {
 113         name => "ECDSA Signature Algorithm Selection",
 114         server => $server,
 115         client => {
 116             "SignatureAlgorithms" => "ECDSA+SHA256",
 117         },
 118         test   => {
 119             "ExpectedServerCertType" => "P-256",
 120             "ExpectedServerSignHash" => "SHA256",
 121             "ExpectedServerSignType" => "EC",
 122             "ExpectedResult" => "Success"
 123         },
 124     },
 125     {
 126         name => "ECDSA Signature Algorithm Selection SHA384",
 127         server => $server,
 128         client => {
 129             "SignatureAlgorithms" => "ECDSA+SHA384",
 130         },
 131         test   => {
 132             "ExpectedServerCertType" => "P-256",
 133             "ExpectedServerSignHash" => "SHA384",
 134             "ExpectedServerSignType" => "EC",
 135             "ExpectedResult" => "Success"
 136         },
 137     },
 138     {
 139         name => "ECDSA Signature Algorithm Selection SHA1",
 140         server => $server,
 141         client => {
 142             "SignatureAlgorithms" => "ECDSA+SHA1",
 143         },
 144         test   => {
 145             "ExpectedServerCertType" => "P-256",
 146             "ExpectedServerSignHash" => "SHA1",
 147             "ExpectedServerSignType" => "EC",
 148             "ExpectedResult" => "Success"
 149         },
 150     },
 151     {
 152         name => "ECDSA Signature Algorithm Selection compressed point",
 153         server => {
 154             "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
 155             "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
 156             "MaxProtocol" => "TLSv1.2"
 157         },
 158         client => {
 159             "SignatureAlgorithms" => "ECDSA+SHA256",
 160         },
 161         test   => {
 162             "ExpectedServerCertType" => "P-256",
 163             "ExpectedServerSignHash" => "SHA256",
 164             "ExpectedServerSignType" => "EC",
 165             "ExpectedResult" => "Success"
 166         },
 167     },
 168     {
 169         name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
 170         server => {
 171              "MaxProtocol" => "TLSv1.2"
 172         },
 173         client => {
 174             "SignatureAlgorithms" => "ECDSA+SHA256",
 175         },
 176         test   => {
 177             "ExpectedResult" => "ServerFail"
 178         },
 179     },
 180     {
 181         name => "RSA Signature Algorithm Selection",
 182         server => $server,
 183         client => {
 184             "SignatureAlgorithms" => "RSA+SHA256",
 185         },
 186         test   => {
 187             "ExpectedServerCertType" => "RSA",
 188             "ExpectedServerSignHash" => "SHA256",
 189             "ExpectedServerSignType" => "RSA",
 190             "ExpectedResult" => "Success"
 191         },
 192     },
 193     {
 194         name => "RSA-PSS Signature Algorithm Selection",
 195         server => $server,
 196         client => {
 197             "SignatureAlgorithms" => "RSA-PSS+SHA256",
 198         },
 199         test   => {
 200             "ExpectedServerCertType" => "RSA",
 201             "ExpectedServerSignHash" => "SHA256",
 202             "ExpectedServerSignType" => "RSA-PSS",
 203             "ExpectedResult" => "Success"
 204         },
 205     },
 206     {
 207         name => "Suite B P-256 Hash Algorithm Selection",
 208         server =>  {
 209             "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
 210             "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
 211             "MaxProtocol" => "TLSv1.2",
 212             "CipherString" => "SUITEB128"
 213         },
 214         client => {
 215             "VerifyCAFile" => test_pem("p384-root.pem"),
 216             "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
 217         },
 218         test   => {
 219             "ExpectedServerCertType" => "P-256",
 220             "ExpectedServerSignHash" => "SHA256",
 221             "ExpectedServerSignType" => "EC",
 222             "ExpectedResult" => "Success"
 223         },
 224     },
 225     {
 226         name => "Suite B P-384 Hash Algorithm Selection",
 227         server =>  {
 228             "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
 229             "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
 230             "MaxProtocol" => "TLSv1.2",
 231             "CipherString" => "SUITEB128"
 232         },
 233         client => {
 234             "VerifyCAFile" => test_pem("p384-root.pem"),
 235             "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
 236         },
 237         test   => {
 238             "ExpectedServerCertType" => "P-384",
 239             "ExpectedServerSignHash" => "SHA384",
 240             "ExpectedServerSignType" => "EC",
 241             "ExpectedResult" => "Success"
 242         },
 243     },
 244     {
 245         name => "TLS 1.2 Ed25519 Client Auth",
 246         server => {
 247             "VerifyCAFile" => test_pem("root-cert.pem"),
 248             "VerifyMode" => "Require"
 249         },
 250         client => {
 251             "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
 252             "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
 253             "MinProtocol" => "TLSv1.2",
 254             "MaxProtocol" => "TLSv1.2"
 255         },
 256         test   => {
 257             "ExpectedClientCertType" => "Ed25519",
 258             "ExpectedClientSignType" => "Ed25519",
 259             "ExpectedResult" => "Success"
 260         },
 261     },
 262 );
 263
 264
 265 my $server_tls_1_3 = {
 266     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
 267     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
 268     "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
 269     "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
 270     "MinProtocol" => "TLSv1.3",
 271     "MaxProtocol" => "TLSv1.3"
 272 };
 273
 274 my $client_tls_1_3 = {
 275     "RSA.Certificate" => test_pem("ee-client-chain.pem"),
 276     "RSA.PrivateKey" => test_pem("ee-key.pem"),
 277     "ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
 278     "ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"),
 279     "MinProtocol" => "TLSv1.3",
 280     "MaxProtocol" => "TLSv1.3"
 281 };
 282
 283 my @tests_tls_1_3 = (
 284     {
 285         name => "TLS 1.3 ECDSA Signature Algorithm Selection",
 286         server => $server_tls_1_3,
 287         client => {
 288             "SignatureAlgorithms" => "ECDSA+SHA256",
 289         },
 290         test   => {
 291             "ExpectedServerCertType" => "P-256",
 292             "ExpectedServerSignHash" => "SHA256",
 293             "ExpectedServerSignType" => "EC",
 294             "ExpectedServerCANames" => "empty",
 295             "ExpectedResult" => "Success"
 296         },
 297     },
 298     {
 299         name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point",
 300         server => {
 301             "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
 302             "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
 303             "MinProtocol" => "TLSv1.3",
 304             "MaxProtocol" => "TLSv1.3"
 305         },
 306         client => {
 307             "SignatureAlgorithms" => "ECDSA+SHA256",
 308         },
 309         test   => {
 310             "ExpectedResult" => "ServerFail"
 311         },
 312     },
 313     {
 314         name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1",
 315         server => $server_tls_1_3,
 316         client => {
 317             "SignatureAlgorithms" => "ECDSA+SHA1",
 318         },
 319         test   => {
 320             "ExpectedResult" => "ServerFail"
 321         },
 322     },
 323     {
 324         name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
 325         server => $server_tls_1_3,
 326         client => {
 327             "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
 328             "RequestCAFile" => test_pem("root-cert.pem"),
 329         },
 330         test   => {
 331             "ExpectedServerCertType" => "P-256",
 332             "ExpectedServerSignHash" => "SHA256",
 333             "ExpectedServerSignType" => "EC",
 334             "ExpectedServerCANames" => test_pem("root-cert.pem"),
 335             "ExpectedResult" => "Success"
 336         },
 337     },
 338     {
 339         name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
 340         server => $server_tls_1_3,
 341         client => {
 342             "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
 343         },
 344         test   => {
 345             "ExpectedServerCertType" => "RSA",
 346             "ExpectedServerSignHash" => "SHA384",
 347             "ExpectedServerSignType" => "RSA-PSS",
 348             "ExpectedResult" => "Success"
 349         },
 350     },
 351     {
 352         name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
 353         server => {
 354             "MinProtocol" => "TLSv1.3",
 355             "MaxProtocol" => "TLSv1.3"
 356         },
 357         client => {
 358             "SignatureAlgorithms" => "ECDSA+SHA256",
 359         },
 360         test   => {
 361             "ExpectedResult" => "ServerFail"
 362         },
 363     },
 364     {
 365         name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
 366         server => $server_tls_1_3,
 367         client => {
 368             "SignatureAlgorithms" => "RSA+SHA256",
 369         },
 370         test   => {
 371             "ExpectedResult" => "ServerFail"
 372         },
 373     },
 374     {
 375         name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
 376         server => $server_tls_1_3,
 377         client => {
 378             "SignatureAlgorithms" => "RSA-PSS+SHA256",
 379         },
 380         test   => {
 381             "ExpectedServerCertType" => "RSA",
 382             "ExpectedServerSignHash" => "SHA256",
 383             "ExpectedServerSignType" => "RSA-PSS",
 384             "ExpectedResult" => "Success"
 385         },
 386     },
 387     {
 388         name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
 389         server => $server_tls_1_3,
 390         client => {
 391             "SignatureAlgorithms" => "ed25519",
 392         },
 393         test   => {
 394             "ExpectedServerCertType" => "Ed25519",
 395             "ExpectedServerSignType" => "Ed25519",
 396             "ExpectedResult" => "Success"
 397         },
 398     },
 399     {
 400         name => "TLS 1.3 Ed25519 CipherString and Groups Selection",
 401         server => $server_tls_1_3,
 402         client => {
 403             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
 404             # Excluding P-256 from the supported groups list should
 405             # mean server still uses a P-256 certificate because supported
 406             # groups is not used in signature selection for TLS 1.3
 407             "Groups" => "X25519"
 408         },
 409         test   => {
 410             "ExpectedServerCertType" =>, "P-256",
 411             "ExpectedServerSignType" =>, "EC",
 412             "ExpectedResult" => "Success"
 413         },
 414     },
 415     {
 416         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
 417         server => {
 418             "ClientSignatureAlgorithms" => "PSS+SHA256",
 419             "VerifyCAFile" => test_pem("root-cert.pem"),
 420             "VerifyMode" => "Require"
 421         },
 422         client => $client_tls_1_3,
 423         test   => {
 424             "ExpectedClientCertType" => "RSA",
 425             "ExpectedClientSignHash" => "SHA256",
 426             "ExpectedClientSignType" => "RSA-PSS",
 427             "ExpectedClientCANames" => "empty",
 428             "ExpectedResult" => "Success"
 429         },
 430     },
 431     {
 432         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
 433         server => {
 434             "ClientSignatureAlgorithms" => "PSS+SHA256",
 435             "VerifyCAFile" => test_pem("root-cert.pem"),
 436             "RequestCAFile" => test_pem("root-cert.pem"),
 437             "VerifyMode" => "Require"
 438         },
 439         client => $client_tls_1_3,
 440         test   => {
 441             "ExpectedClientCertType" => "RSA",
 442             "ExpectedClientSignHash" => "SHA256",
 443             "ExpectedClientSignType" => "RSA-PSS",
 444             "ExpectedClientCANames" => test_pem("root-cert.pem"),
 445             "ExpectedResult" => "Success"
 446         },
 447     },
 448     {
 449         name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
 450         server => {
 451             "ClientSignatureAlgorithms" => "ECDSA+SHA256",
 452             "VerifyCAFile" => test_pem("root-cert.pem"),
 453             "VerifyMode" => "Require"
 454         },
 455         client => $client_tls_1_3,
 456         test   => {
 457             "ExpectedClientCertType" => "P-256",
 458             "ExpectedClientSignHash" => "SHA256",
 459             "ExpectedClientSignType" => "EC",
 460             "ExpectedResult" => "Success"
 461         },
 462     },
 463     {
 464         name => "TLS 1.3 Ed25519 Client Auth",
 465         server => {
 466             "VerifyCAFile" => test_pem("root-cert.pem"),
 467             "VerifyMode" => "Require"
 468         },
 469         client => {
 470             "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
 471             "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
 472             "MinProtocol" => "TLSv1.3",
 473             "MaxProtocol" => "TLSv1.3"
 474         },
 475         test   => {
 476             "ExpectedClientCertType" => "Ed25519",
 477             "ExpectedClientSignType" => "Ed25519",
 478             "ExpectedResult" => "Success"
 479         },
 480     },
 481 );
 482
 483 push @tests, @tests_tls_1_3 unless disabled("tls1_3");
 484
 485 my @tests_dsa_tls_1_2 = (
 486     {
 487         name => "TLS 1.2 DSA Certificate Test",
 488         server => {
 489             "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
 490             "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
 491             "DHParameters" => test_pem("dhp2048.pem"),
 492             "MinProtocol" => "TLSv1.2",
 493             "MaxProtocol" => "TLSv1.2",
 494             "CipherString" => "ALL",
 495         },
 496         client => {
 497             "SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
 498             "CipherString" => "ALL",
 499         },
 500         test   => {
 501             "ExpectedResult" => "Success"
 502         },
 503     },
 504 );
 505
 506 my @tests_dsa_tls_1_3 = (
 507     {
 508         name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
 509         server => {
 510             "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
 511             "VerifyCAFile" => test_pem("root-cert.pem"),
 512             "VerifyMode" => "Request"
 513         },
 514         client => {},
 515         test   => {
 516             "ExpectedResult" => "ServerFail"
 517         },
 518     },
 519     {
 520         name => "TLS 1.3 DSA Certificate Test",
 521         server => {
 522             "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
 523             "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
 524             "MinProtocol" => "TLSv1.3",
 525             "MaxProtocol" => "TLSv1.3",
 526             "CipherString" => "ALL",
 527         },
 528         client => {
 529             "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256:ECDSA+SHA256",
 530             "CipherString" => "ALL",
 531         },
 532         test   => {
 533             "ExpectedResult" => "ServerFail"
 534         },
 535     },
 536 );
 537
 538 if (!disabled("dsa")) {
 539     push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
 540     push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
 541 }