projects / openssl.git / blob
? search:


2038bdf23fdc5ee8b655764395cea97f5cd4665f
[openssl.git] / test / ssl-tests / 20-cert-select.conf.in
1 # -*- mode: perl; -*-
2
3 ## SSL test configurations
4
5
6 use strict;
7 use warnings;
8
9 package ssltests;
10 use OpenSSL::Test::Utils;
11
12 my $server = {
13     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
14     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
15     "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
16     "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
17     "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
18     "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
19     "MaxProtocol" => "TLSv1.2"
20 };
21
22 my $server_pss = {
23     "PSS.Certificate" => test_pem("server-pss-cert.pem"),
24     "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
25     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
26     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
27     "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
28     "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
29     "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
30     "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
31     "MaxProtocol" => "TLSv1.2"
32 };
33
34 my $server_pss_only = {
35     "Certificate" => test_pem("server-pss-cert.pem"),
36     "PrivateKey" => test_pem("server-pss-key.pem"),
37 };
38
39 my $server_rsa_all = {
40     "PSS.Certificate" => test_pem("server-pss-cert.pem"),
41     "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
42     "Certificate" => test_pem("servercert.pem"),
43     "PrivateKey" => test_pem("serverkey.pem"),
44 };
45
46 our @tests = (
47     {
48         name => "ECDSA CipherString Selection",
49         server => $server,
50         client => {
51             "CipherString" => "aECDSA",
52             "MaxProtocol" => "TLSv1.2",
53             "RequestCAFile" => test_pem("root-cert.pem"),
54         },
55         test   => {
56             "ExpectedServerCertType" =>, "P-256",
57             "ExpectedServerSignType" =>, "EC",
58             # Note: certificate_authorities not sent for TLS < 1.3
59             "ExpectedServerCANames" =>, "empty",
60             "ExpectedResult" => "Success"
61         },
62     },
63     {
64         name => "ECDSA CipherString Selection",
65         server => {
66             "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
67             "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
68             "MaxProtocol" => "TLSv1.2",
69             #Deliberately set supported_groups to one not in the cert. This
70             #should be tolerated
71             "Groups" => "P-384"
72         },
73         client => {
74             "CipherString" => "aECDSA",
75             "MaxProtocol" => "TLSv1.2",
76             "Groups" => "P-256:P-384",
77             "RequestCAFile" => test_pem("root-cert.pem"),
78         },
79         test   => {
80             "ExpectedServerCertType" =>, "P-256",
81             "ExpectedServerSignType" =>, "EC",
82             # Note: certificate_authorities not sent for TLS < 1.3
83             "ExpectedServerCANames" =>, "empty",
84             "ExpectedResult" => "Success"
85         },
86     },
87     {
88         name => "ECDSA CipherString Selection",
89         server => {
90             "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
91             "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
92             "MaxProtocol" => "TLSv1.2",
93             "Groups" => "P-256:P-384"
94         },
95         client => {
96             "CipherString" => "aECDSA",
97             "MaxProtocol" => "TLSv1.2",
98             #Deliberately set groups to not include the certificate group. This
99             #should fail
100             "Groups" => "P-384",
101             "RequestCAFile" => test_pem("root-cert.pem"),
102         },
103         test   => {
104             "ExpectedResult" => "ServerFail"
105         },
106     },
107     {
108         name => "Ed25519 CipherString and Signature Algorithm Selection",
109         server => $server,
110         client => {
111             "CipherString" => "aECDSA",
112             "MaxProtocol" => "TLSv1.2",
113             "SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
114             "RequestCAFile" => test_pem("root-cert.pem"),
115         },
116         test   => {
117             "ExpectedServerCertType" =>, "Ed25519",
118             "ExpectedServerSignType" =>, "Ed25519",
119             # Note: certificate_authorities not sent for TLS < 1.3
120             "ExpectedServerCANames" =>, "empty",
121             "ExpectedResult" => "Success"
122         },
123     },
124     {
125         name => "Ed448 CipherString and Signature Algorithm Selection",
126         server => $server,
127         client => {
128             "CipherString" => "aECDSA",
129             "MaxProtocol" => "TLSv1.2",
130             "SignatureAlgorithms" => "ed448:ECDSA+SHA256",
131             "RequestCAFile" => test_pem("root-cert.pem"),
132         },
133         test   => {
134             "ExpectedServerCertType" =>, "Ed448",
135             "ExpectedServerSignType" =>, "Ed448",
136             # Note: certificate_authorities not sent for TLS < 1.3
137             "ExpectedServerCANames" =>, "empty",
138             "ExpectedResult" => "Success"
139         },
140     },
141     {
142         name => "RSA CipherString Selection",
143         server => $server,
144         client => {
145             "CipherString" => "aRSA",
146             "MaxProtocol" => "TLSv1.2",
147         },
148         test   => {
149             "ExpectedServerCertType" =>, "RSA",
150             "ExpectedServerSignType" =>, "RSA-PSS",
151             "ExpectedResult" => "Success"
152         },
153     },
154     {
155         name => "RSA-PSS Certificate CipherString Selection",
156         server => $server_pss,
157         client => {
158             "CipherString" => "aRSA",
159             "MaxProtocol" => "TLSv1.2",
160         },
161         test   => {
162             "ExpectedServerCertType" =>, "RSA-PSS",
163             "ExpectedServerSignType" =>, "RSA-PSS",
164             "ExpectedResult" => "Success"
165         },
166     },
167     {
168         name => "P-256 CipherString and Signature Algorithm Selection",
169         server => $server,
170         client => {
171             "CipherString" => "aECDSA",
172             "MaxProtocol" => "TLSv1.2",
173             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
174         },
175         test   => {
176             "ExpectedServerCertType" => "P-256",
177             "ExpectedServerSignHash" => "SHA256",
178             "ExpectedServerSignType" => "EC",
179             "ExpectedResult" => "Success"
180         },
181     },
182     {
183         name => "Ed25519 CipherString and Curves Selection",
184         server => $server,
185         client => {
186             "CipherString" => "aECDSA",
187             "MaxProtocol" => "TLSv1.2",
188             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
189             # Excluding P-256 from the supported curves list means server
190             # certificate should be Ed25519 and not P-256
191             "Curves" => "X25519"
192         },
193         test   => {
194             "ExpectedServerCertType" =>, "Ed25519",
195             "ExpectedServerSignType" =>, "Ed25519",
196             "ExpectedResult" => "Success"
197         },
198     },
199     {
200         name => "Ed448 CipherString and Curves Selection",
201         server => $server,
202         client => {
203             "CipherString" => "aECDSA",
204             "MaxProtocol" => "TLSv1.2",
205             "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
206             # Excluding P-256 from the supported curves list means server
207             # certificate should be Ed25519 and not P-256
208             "Curves" => "X448"
209         },
210         test   => {
211             "ExpectedServerCertType" =>, "Ed448",
212             "ExpectedServerSignType" =>, "Ed448",
213             "ExpectedResult" => "Success"
214         },
215     },
216     {
217         name => "ECDSA CipherString Selection, no ECDSA certificate",
218         server => {
219             "MaxProtocol" => "TLSv1.2"
220         },
221         client => {
222             "CipherString" => "aECDSA",
223             "MaxProtocol" => "TLSv1.2"
224         },
225         test   => {
226             "ExpectedResult" => "ServerFail"
227         },
228     },
229     {
230         name => "ECDSA Signature Algorithm Selection",
231         server => $server,
232         client => {
233             "SignatureAlgorithms" => "ECDSA+SHA256",
234         },
235         test   => {
236             "ExpectedServerCertType" => "P-256",
237             "ExpectedServerSignHash" => "SHA256",
238             "ExpectedServerSignType" => "EC",
239             "ExpectedResult" => "Success"
240         },
241     },
242     {
243         name => "ECDSA Signature Algorithm Selection SHA384",
244         server => $server,
245         client => {
246             "SignatureAlgorithms" => "ECDSA+SHA384",
247         },
248         test   => {
249             "ExpectedServerCertType" => "P-256",
250             "ExpectedServerSignHash" => "SHA384",
251             "ExpectedServerSignType" => "EC",
252             "ExpectedResult" => "Success"
253         },
254     },
255     {
256         name => "ECDSA Signature Algorithm Selection SHA1",
257         server => $server,
258         client => {
259             "SignatureAlgorithms" => "ECDSA+SHA1",
260         },
261         test   => {
262             "ExpectedServerCertType" => "P-256",
263             "ExpectedServerSignHash" => "SHA1",
264             "ExpectedServerSignType" => "EC",
265             "ExpectedResult" => "Success"
266         },
267     },
268     {
269         name => "ECDSA Signature Algorithm Selection compressed point",
270         server => {
271             "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
272             "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
273             "MaxProtocol" => "TLSv1.2"
274         },
275         client => {
276             "SignatureAlgorithms" => "ECDSA+SHA256",
277         },
278         test   => {
279             "ExpectedServerCertType" => "P-256",
280             "ExpectedServerSignHash" => "SHA256",
281             "ExpectedServerSignType" => "EC",
282             "ExpectedResult" => "Success"
283         },
284     },
285     {
286         name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
287         server => {
288              "MaxProtocol" => "TLSv1.2"
289         },
290         client => {
291             "SignatureAlgorithms" => "ECDSA+SHA256",
292         },
293         test   => {
294             "ExpectedResult" => "ServerFail"
295         },
296     },
297     {
298         name => "RSA Signature Algorithm Selection",
299         server => $server,
300         client => {
301             "SignatureAlgorithms" => "RSA+SHA256",
302         },
303         test   => {
304             "ExpectedServerCertType" => "RSA",
305             "ExpectedServerSignHash" => "SHA256",
306             "ExpectedServerSignType" => "RSA",
307             "ExpectedResult" => "Success"
308         },
309     },
310     {
311         name => "RSA-PSS Signature Algorithm Selection",
312         server => $server,
313         client => {
314             "SignatureAlgorithms" => "RSA-PSS+SHA256",
315         },
316         test   => {
317             "ExpectedServerCertType" => "RSA",
318             "ExpectedServerSignHash" => "SHA256",
319             "ExpectedServerSignType" => "RSA-PSS",
320             "ExpectedResult" => "Success"
321         },
322     },
323     {
324         name => "RSA-PSS Certificate Legacy Signature Algorithm Selection",
325         server => $server_pss,
326         client => {
327             "SignatureAlgorithms" => "RSA-PSS+SHA256",
328         },
329         test   => {
330             "ExpectedServerCertType" => "RSA",
331             "ExpectedServerSignHash" => "SHA256",
332             "ExpectedServerSignType" => "RSA-PSS",
333             "ExpectedResult" => "Success"
334         },
335     },
336     {
337         name => "RSA-PSS Certificate Unified Signature Algorithm Selection",
338         server => $server_pss,
339         client => {
340             "SignatureAlgorithms" => "rsa_pss_pss_sha256",
341         },
342         test   => {
343             "ExpectedServerCertType" => "RSA-PSS",
344             "ExpectedServerSignHash" => "SHA256",
345             "ExpectedServerSignType" => "RSA-PSS",
346             "ExpectedResult" => "Success"
347         },
348     },
349     {
350         name => "Only RSA-PSS Certificate",
351         server => $server_pss_only,
352         client => {},
353         test   => {
354             "ExpectedServerCertType" => "RSA-PSS",
355             "ExpectedServerSignHash" => "SHA256",
356             "ExpectedServerSignType" => "RSA-PSS",
357             "ExpectedResult" => "Success"
358         },
359     },
360     {
361         name => "RSA-PSS Certificate, no PSS signature algorithms",
362         server => $server_pss_only,
363         client => {
364             "SignatureAlgorithms" => "RSA+SHA256",
365         },
366         test   => {
367             "ExpectedResult" => "ServerFail"
368         },
369     },
370     {
371         name => "RSA key exchange with all RSA certificate types",
372         server => $server_rsa_all,
373         client => {
374             "CipherString" => "kRSA",
375             "MaxProtocol" => "TLSv1.2",
376         },
377         test   => {
378             "ExpectedServerCertType" =>, "RSA",
379             "ExpectedResult" => "Success"
380         },
381     },
382     {
383         name => "RSA key exchange with only RSA-PSS certificate",
384         server => $server_pss_only,
385         client => {
386             "CipherString" => "kRSA",
387             "MaxProtocol" => "TLSv1.2",
388         },
389         test   => {
390             "ExpectedResult" => "ServerFail"
391         },
392     },
393     {
394         name => "Suite B P-256 Hash Algorithm Selection",
395         server =>  {
396             "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
397             "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
398             "MaxProtocol" => "TLSv1.2",
399             "CipherString" => "SUITEB128"
400         },
401         client => {
402             "VerifyCAFile" => test_pem("p384-root.pem"),
403             "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
404         },
405         test   => {
406             "ExpectedServerCertType" => "P-256",
407             "ExpectedServerSignHash" => "SHA256",
408             "ExpectedServerSignType" => "EC",
409             "ExpectedResult" => "Success"
410         },
411     },
412     {
413         name => "Suite B P-384 Hash Algorithm Selection",
414         server =>  {
415             "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
416             "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
417             "MaxProtocol" => "TLSv1.2",
418             "CipherString" => "SUITEB128"
419         },
420         client => {
421             "VerifyCAFile" => test_pem("p384-root.pem"),
422             "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
423         },
424         test   => {
425             "ExpectedServerCertType" => "P-384",
426             "ExpectedServerSignHash" => "SHA384",
427             "ExpectedServerSignType" => "EC",
428             "ExpectedResult" => "Success"
429         },
430     },
431     {
432         name => "TLS 1.2 Ed25519 Client Auth",
433         server => {
434             "VerifyCAFile" => test_pem("root-cert.pem"),
435             "VerifyMode" => "Require"
436         },
437         client => {
438             "Ed25519.Certificate" => test_pem("client-ed25519-cert.pem"),
439             "Ed25519.PrivateKey" => test_pem("client-ed25519-key.pem"),
440             "MinProtocol" => "TLSv1.2",
441             "MaxProtocol" => "TLSv1.2"
442         },
443         test   => {
444             "ExpectedClientCertType" => "Ed25519",
445             "ExpectedClientSignType" => "Ed25519",
446             "ExpectedResult" => "Success"
447         },
448     },
449     {
450         name => "TLS 1.2 Ed448 Client Auth",
451         server => {
452             "VerifyCAFile" => test_pem("root-cert.pem"),
453             "VerifyMode" => "Require"
454         },
455         client => {
456             "Ed448.Certificate" => test_pem("client-ed448-cert.pem"),
457             "Ed448.PrivateKey" => test_pem("client-ed448-key.pem"),
458             "MinProtocol" => "TLSv1.2",
459             "MaxProtocol" => "TLSv1.2"
460         },
461         test   => {
462             "ExpectedClientCertType" => "Ed448",
463             "ExpectedClientSignType" => "Ed448",
464             "ExpectedResult" => "Success"
465         },
466     },
467 );
468
469 my @tests_tls_1_1 = (
470     {
471         name => "Only RSA-PSS Certificate, TLS v1.1",
472         server => $server_pss_only,
473         client => {
474             "MaxProtocol" => "TLSv1.1",
475         },
476         test   => {
477             "ExpectedResult" => "ServerFail"
478         },
479     },
480 );
481
482 push @tests, @tests_tls_1_1 unless disabled("tls1_1");
483
484 my $server_tls_1_3 = {
485     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
486     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
487     "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
488     "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
489     "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
490     "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
491     "MinProtocol" => "TLSv1.3",
492     "MaxProtocol" => "TLSv1.3"
493 };
494
495 my $server_tls_1_3_pss = {
496     "PSS.Certificate" => test_pem("server-pss-cert.pem"),
497     "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
498     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
499     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
500     "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
501     "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
502     "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
503     "Ed448.PrivateKey" => test_pem("server-ed449-key.pem"),
504     "MinProtocol" => "TLSv1.3",
505     "MaxProtocol" => "TLSv1.3"
506 };
507
508 my $client_tls_1_3 = {
509     "RSA.Certificate" => test_pem("ee-client-chain.pem"),
510     "RSA.PrivateKey" => test_pem("ee-key.pem"),
511     "ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
512     "ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"),
513     "MinProtocol" => "TLSv1.3",
514     "MaxProtocol" => "TLSv1.3"
515 };
516
517 my @tests_tls_1_3 = (
518     {
519         name => "TLS 1.3 ECDSA Signature Algorithm Selection",
520         server => $server_tls_1_3,
521         client => {
522             "SignatureAlgorithms" => "ECDSA+SHA256",
523         },
524         test   => {
525             "ExpectedServerCertType" => "P-256",
526             "ExpectedServerSignHash" => "SHA256",
527             "ExpectedServerSignType" => "EC",
528             "ExpectedServerCANames" => "empty",
529             "ExpectedResult" => "Success"
530         },
531     },
532     {
533         name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point",
534         server => {
535             "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
536             "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
537             "MinProtocol" => "TLSv1.3",
538             "MaxProtocol" => "TLSv1.3"
539         },
540         client => {
541             "SignatureAlgorithms" => "ECDSA+SHA256",
542         },
543         test   => {
544             "ExpectedServerCertType" => "P-256",
545             "ExpectedServerSignHash" => "SHA256",
546             "ExpectedServerSignType" => "EC",
547             "ExpectedServerCANames" => "empty",
548             "ExpectedResult" => "Success"
549         },
550     },
551     {
552         name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1",
553         server => $server_tls_1_3,
554         client => {
555             "SignatureAlgorithms" => "ECDSA+SHA1",
556         },
557         test   => {
558             "ExpectedResult" => "ServerFail"
559         },
560     },
561     {
562         name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
563         server => $server_tls_1_3,
564         client => {
565             "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
566             "RequestCAFile" => test_pem("root-cert.pem"),
567         },
568         test   => {
569             "ExpectedServerCertType" => "P-256",
570             "ExpectedServerSignHash" => "SHA256",
571             "ExpectedServerSignType" => "EC",
572             "ExpectedServerCANames" => test_pem("root-cert.pem"),
573             "ExpectedResult" => "Success"
574         },
575     },
576     {
577         name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
578         server => $server_tls_1_3,
579         client => {
580             "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
581         },
582         test   => {
583             "ExpectedServerCertType" => "RSA",
584             "ExpectedServerSignHash" => "SHA384",
585             "ExpectedServerSignType" => "RSA-PSS",
586             "ExpectedResult" => "Success"
587         },
588     },
589     {
590         name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
591         server => {
592             "MinProtocol" => "TLSv1.3",
593             "MaxProtocol" => "TLSv1.3"
594         },
595         client => {
596             "SignatureAlgorithms" => "ECDSA+SHA256",
597         },
598         test   => {
599             "ExpectedResult" => "ServerFail"
600         },
601     },
602     {
603         name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
604         server => $server_tls_1_3,
605         client => {
606             "SignatureAlgorithms" => "RSA+SHA256",
607         },
608         test   => {
609             "ExpectedResult" => "ServerFail"
610         },
611     },
612     {
613         name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
614         server => $server_tls_1_3,
615         client => {
616             "SignatureAlgorithms" => "RSA-PSS+SHA256",
617         },
618         test   => {
619             "ExpectedServerCertType" => "RSA",
620             "ExpectedServerSignHash" => "SHA256",
621             "ExpectedServerSignType" => "RSA-PSS",
622             "ExpectedResult" => "Success"
623         },
624     },
625     {
626         name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
627         server => $server_tls_1_3,
628         client => {
629             "SignatureAlgorithms" => "ed25519",
630         },
631         test   => {
632             "ExpectedServerCertType" => "Ed25519",
633             "ExpectedServerSignType" => "Ed25519",
634             "ExpectedResult" => "Success"
635         },
636     },
637     {
638         name => "TLS 1.3 Ed448 Signature Algorithm Selection",
639         server => $server_tls_1_3,
640         client => {
641             "SignatureAlgorithms" => "ed448",
642         },
643         test   => {
644             "ExpectedServerCertType" => "Ed448",
645             "ExpectedServerSignType" => "Ed448",
646             "ExpectedResult" => "Success"
647         },
648     },
649     {
650         name => "TLS 1.3 Ed25519 CipherString and Groups Selection",
651         server => $server_tls_1_3,
652         client => {
653             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
654             # Excluding P-256 from the supported groups list should
655             # mean server still uses a P-256 certificate because supported
656             # groups is not used in signature selection for TLS 1.3
657             "Groups" => "X25519"
658         },
659         test   => {
660             "ExpectedServerCertType" =>, "P-256",
661             "ExpectedServerSignType" =>, "EC",
662             "ExpectedResult" => "Success"
663         },
664     },
665     {
666         name => "TLS 1.3 Ed448 CipherString and Groups Selection",
667         server => $server_tls_1_3,
668         client => {
669             "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
670             # Excluding P-256 from the supported groups list should
671             # mean server still uses a P-256 certificate because supported
672             # groups is not used in signature selection for TLS 1.3
673             "Groups" => "X448"
674         },
675         test   => {
676             "ExpectedServerCertType" =>, "P-256",
677             "ExpectedServerSignType" =>, "EC",
678             "ExpectedResult" => "Success"
679         },
680     },
681     {
682         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
683         server => {
684             "ClientSignatureAlgorithms" => "PSS+SHA256",
685             "VerifyCAFile" => test_pem("root-cert.pem"),
686             "VerifyMode" => "Require"
687         },
688         client => $client_tls_1_3,
689         test   => {
690             "ExpectedClientCertType" => "RSA",
691             "ExpectedClientSignHash" => "SHA256",
692             "ExpectedClientSignType" => "RSA-PSS",
693             "ExpectedClientCANames" => "empty",
694             "ExpectedResult" => "Success"
695         },
696     },
697     {
698         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
699         server => {
700             "ClientSignatureAlgorithms" => "PSS+SHA256",
701             "VerifyCAFile" => test_pem("root-cert.pem"),
702             "RequestCAFile" => test_pem("root-cert.pem"),
703             "VerifyMode" => "Require"
704         },
705         client => $client_tls_1_3,
706         test   => {
707             "ExpectedClientCertType" => "RSA",
708             "ExpectedClientSignHash" => "SHA256",
709             "ExpectedClientSignType" => "RSA-PSS",
710             "ExpectedClientCANames" => test_pem("root-cert.pem"),
711             "ExpectedResult" => "Success"
712         },
713     },
714     {
715         name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
716         server => {
717             "ClientSignatureAlgorithms" => "ECDSA+SHA256",
718             "VerifyCAFile" => test_pem("root-cert.pem"),
719             "VerifyMode" => "Require"
720         },
721         client => $client_tls_1_3,
722         test   => {
723             "ExpectedClientCertType" => "P-256",
724             "ExpectedClientSignHash" => "SHA256",
725             "ExpectedClientSignType" => "EC",
726             "ExpectedResult" => "Success"
727         },
728     },
729     {
730         name => "TLS 1.3 Ed25519 Client Auth",
731         server => {
732             "VerifyCAFile" => test_pem("root-cert.pem"),
733             "VerifyMode" => "Require"
734         },
735         client => {
736             "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
737             "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
738             "MinProtocol" => "TLSv1.3",
739             "MaxProtocol" => "TLSv1.3"
740         },
741         test   => {
742             "ExpectedClientCertType" => "Ed25519",
743             "ExpectedClientSignType" => "Ed25519",
744             "ExpectedResult" => "Success"
745         },
746     },
747     {
748         name => "TLS 1.3 Ed448 Client Auth",
749         server => {
750             "VerifyCAFile" => test_pem("root-cert.pem"),
751             "VerifyMode" => "Require"
752         },
753         client => {
754             "EdDSA.Certificate" => test_pem("client-ed448-cert.pem"),
755             "EdDSA.PrivateKey" => test_pem("client-ed448-key.pem"),
756             "MinProtocol" => "TLSv1.3",
757             "MaxProtocol" => "TLSv1.3"
758         },
759         test   => {
760             "ExpectedClientCertType" => "Ed448",
761             "ExpectedClientSignType" => "Ed448",
762             "ExpectedResult" => "Success"
763         },
764     },
765 );
766
767 push @tests, @tests_tls_1_3 unless disabled("tls1_3");
768
769 my @tests_dsa_tls_1_2 = (
770     {
771         name => "TLS 1.2 DSA Certificate Test",
772         server => {
773             "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
774             "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
775             "DHParameters" => test_pem("dhp2048.pem"),
776             "MinProtocol" => "TLSv1.2",
777             "MaxProtocol" => "TLSv1.2",
778             "CipherString" => "ALL",
779         },
780         client => {
781             "SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
782             "CipherString" => "ALL",
783         },
784         test   => {
785             "ExpectedResult" => "Success"
786         },
787     },
788 );
789
790 my @tests_dsa_tls_1_3 = (
791     {
792         name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
793         server => {
794             "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
795             "VerifyCAFile" => test_pem("root-cert.pem"),
796             "VerifyMode" => "Request"
797         },
798         client => {},
799         test   => {
800             "ExpectedResult" => "ServerFail"
801         },
802     },
803     {
804         name => "TLS 1.3 DSA Certificate Test",
805         server => {
806             "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
807             "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
808             "MinProtocol" => "TLSv1.3",
809             "MaxProtocol" => "TLSv1.3",
810             "CipherString" => "ALL",
811         },
812         client => {
813             "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256:ECDSA+SHA256",
814             "CipherString" => "ALL",
815         },
816         test   => {
817             "ExpectedResult" => "ServerFail"
818         },
819     },
820 );
821
822 if (!disabled("dsa")) {
823     push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
824     push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
825 }
Unnamed repository; edit this file 'description' to name the repository.