51a158dc49ebff6798b1d8569c709d077c0544d3
[openssl.git] / test / ssl-tests / 20-cert-select.conf.in
1 # -*- mode: perl; -*-
2
3 ## SSL test configurations
4
5
6 use strict;
7 use warnings;
8
9 package ssltests;
10 use OpenSSL::Test::Utils;
11
12 my $server = {
13     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
14     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
15     "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
16     "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
17     "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
18     "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
19     "MaxProtocol" => "TLSv1.2"
20 };
21
22 my $server_pss = {
23     "PSS.Certificate" => test_pem("server-pss-cert.pem"),
24     "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
25     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
26     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
27     "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
28     "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
29     "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
30     "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
31     "MaxProtocol" => "TLSv1.2"
32 };
33
34 my $server_pss_only = {
35     "Certificate" => test_pem("server-pss-cert.pem"),
36     "PrivateKey" => test_pem("server-pss-key.pem"),
37 };
38
39 our @tests = (
40     {
41         name => "ECDSA CipherString Selection",
42         server => $server,
43         client => {
44             "CipherString" => "aECDSA",
45             "MaxProtocol" => "TLSv1.2",
46             "RequestCAFile" => test_pem("root-cert.pem"),
47         },
48         test   => {
49             "ExpectedServerCertType" =>, "P-256",
50             "ExpectedServerSignType" =>, "EC",
51             # Note: certificate_authorities not sent for TLS < 1.3
52             "ExpectedServerCANames" =>, "empty",
53             "ExpectedResult" => "Success"
54         },
55     },
56     {
57         name => "ECDSA CipherString Selection",
58         server => {
59             "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
60             "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
61             "MaxProtocol" => "TLSv1.2",
62             #Deliberately set supported_groups to one not in the cert. This
63             #should be tolerated
64             "Groups" => "P-384"
65         },
66         client => {
67             "CipherString" => "aECDSA",
68             "MaxProtocol" => "TLSv1.2",
69             "Groups" => "P-256:P-384",
70             "RequestCAFile" => test_pem("root-cert.pem"),
71         },
72         test   => {
73             "ExpectedServerCertType" =>, "P-256",
74             "ExpectedServerSignType" =>, "EC",
75             # Note: certificate_authorities not sent for TLS < 1.3
76             "ExpectedServerCANames" =>, "empty",
77             "ExpectedResult" => "Success"
78         },
79     },
80     {
81         name => "ECDSA CipherString Selection",
82         server => {
83             "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
84             "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
85             "MaxProtocol" => "TLSv1.2",
86             "Groups" => "P-256:P-384"
87         },
88         client => {
89             "CipherString" => "aECDSA",
90             "MaxProtocol" => "TLSv1.2",
91             #Deliberately set groups to not include the certificate group. This
92             #should fail
93             "Groups" => "P-384",
94             "RequestCAFile" => test_pem("root-cert.pem"),
95         },
96         test   => {
97             "ExpectedResult" => "ServerFail"
98         },
99     },
100     {
101         name => "Ed25519 CipherString and Signature Algorithm Selection",
102         server => $server,
103         client => {
104             "CipherString" => "aECDSA",
105             "MaxProtocol" => "TLSv1.2",
106             "SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
107             "RequestCAFile" => test_pem("root-cert.pem"),
108         },
109         test   => {
110             "ExpectedServerCertType" =>, "Ed25519",
111             "ExpectedServerSignType" =>, "Ed25519",
112             # Note: certificate_authorities not sent for TLS < 1.3
113             "ExpectedServerCANames" =>, "empty",
114             "ExpectedResult" => "Success"
115         },
116     },
117     {
118         name => "Ed448 CipherString and Signature Algorithm Selection",
119         server => $server,
120         client => {
121             "CipherString" => "aECDSA",
122             "MaxProtocol" => "TLSv1.2",
123             "SignatureAlgorithms" => "ed448:ECDSA+SHA256",
124             "RequestCAFile" => test_pem("root-cert.pem"),
125         },
126         test   => {
127             "ExpectedServerCertType" =>, "Ed448",
128             "ExpectedServerSignType" =>, "Ed448",
129             # Note: certificate_authorities not sent for TLS < 1.3
130             "ExpectedServerCANames" =>, "empty",
131             "ExpectedResult" => "Success"
132         },
133     },
134     {
135         name => "RSA CipherString Selection",
136         server => $server,
137         client => {
138             "CipherString" => "aRSA",
139             "MaxProtocol" => "TLSv1.2",
140         },
141         test   => {
142             "ExpectedServerCertType" =>, "RSA",
143             "ExpectedServerSignType" =>, "RSA-PSS",
144             "ExpectedResult" => "Success"
145         },
146     },
147     {
148         name => "RSA-PSS Certificate CipherString Selection",
149         server => $server_pss,
150         client => {
151             "CipherString" => "aRSA",
152             "MaxProtocol" => "TLSv1.2",
153         },
154         test   => {
155             "ExpectedServerCertType" =>, "RSA-PSS",
156             "ExpectedServerSignType" =>, "RSA-PSS",
157             "ExpectedResult" => "Success"
158         },
159     },
160     {
161         name => "P-256 CipherString and Signature Algorithm Selection",
162         server => $server,
163         client => {
164             "CipherString" => "aECDSA",
165             "MaxProtocol" => "TLSv1.2",
166             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
167         },
168         test   => {
169             "ExpectedServerCertType" => "P-256",
170             "ExpectedServerSignHash" => "SHA256",
171             "ExpectedServerSignType" => "EC",
172             "ExpectedResult" => "Success"
173         },
174     },
175     {
176         name => "Ed25519 CipherString and Curves Selection",
177         server => $server,
178         client => {
179             "CipherString" => "aECDSA",
180             "MaxProtocol" => "TLSv1.2",
181             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
182             # Excluding P-256 from the supported curves list means server
183             # certificate should be Ed25519 and not P-256
184             "Curves" => "X25519"
185         },
186         test   => {
187             "ExpectedServerCertType" =>, "Ed25519",
188             "ExpectedServerSignType" =>, "Ed25519",
189             "ExpectedResult" => "Success"
190         },
191     },
192     {
193         name => "Ed448 CipherString and Curves Selection",
194         server => $server,
195         client => {
196             "CipherString" => "aECDSA",
197             "MaxProtocol" => "TLSv1.2",
198             "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
199             # Excluding P-256 from the supported curves list means server
200             # certificate should be Ed25519 and not P-256
201             "Curves" => "X448"
202         },
203         test   => {
204             "ExpectedServerCertType" =>, "Ed448",
205             "ExpectedServerSignType" =>, "Ed448",
206             "ExpectedResult" => "Success"
207         },
208     },
209     {
210         name => "ECDSA CipherString Selection, no ECDSA certificate",
211         server => {
212             "MaxProtocol" => "TLSv1.2"
213         },
214         client => {
215             "CipherString" => "aECDSA",
216             "MaxProtocol" => "TLSv1.2"
217         },
218         test   => {
219             "ExpectedResult" => "ServerFail"
220         },
221     },
222     {
223         name => "ECDSA Signature Algorithm Selection",
224         server => $server,
225         client => {
226             "SignatureAlgorithms" => "ECDSA+SHA256",
227         },
228         test   => {
229             "ExpectedServerCertType" => "P-256",
230             "ExpectedServerSignHash" => "SHA256",
231             "ExpectedServerSignType" => "EC",
232             "ExpectedResult" => "Success"
233         },
234     },
235     {
236         name => "ECDSA Signature Algorithm Selection SHA384",
237         server => $server,
238         client => {
239             "SignatureAlgorithms" => "ECDSA+SHA384",
240         },
241         test   => {
242             "ExpectedServerCertType" => "P-256",
243             "ExpectedServerSignHash" => "SHA384",
244             "ExpectedServerSignType" => "EC",
245             "ExpectedResult" => "Success"
246         },
247     },
248     {
249         name => "ECDSA Signature Algorithm Selection SHA1",
250         server => $server,
251         client => {
252             "SignatureAlgorithms" => "ECDSA+SHA1",
253         },
254         test   => {
255             "ExpectedServerCertType" => "P-256",
256             "ExpectedServerSignHash" => "SHA1",
257             "ExpectedServerSignType" => "EC",
258             "ExpectedResult" => "Success"
259         },
260     },
261     {
262         name => "ECDSA Signature Algorithm Selection compressed point",
263         server => {
264             "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
265             "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
266             "MaxProtocol" => "TLSv1.2"
267         },
268         client => {
269             "SignatureAlgorithms" => "ECDSA+SHA256",
270         },
271         test   => {
272             "ExpectedServerCertType" => "P-256",
273             "ExpectedServerSignHash" => "SHA256",
274             "ExpectedServerSignType" => "EC",
275             "ExpectedResult" => "Success"
276         },
277     },
278     {
279         name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
280         server => {
281              "MaxProtocol" => "TLSv1.2"
282         },
283         client => {
284             "SignatureAlgorithms" => "ECDSA+SHA256",
285         },
286         test   => {
287             "ExpectedResult" => "ServerFail"
288         },
289     },
290     {
291         name => "RSA Signature Algorithm Selection",
292         server => $server,
293         client => {
294             "SignatureAlgorithms" => "RSA+SHA256",
295         },
296         test   => {
297             "ExpectedServerCertType" => "RSA",
298             "ExpectedServerSignHash" => "SHA256",
299             "ExpectedServerSignType" => "RSA",
300             "ExpectedResult" => "Success"
301         },
302     },
303     {
304         name => "RSA-PSS Signature Algorithm Selection",
305         server => $server,
306         client => {
307             "SignatureAlgorithms" => "RSA-PSS+SHA256",
308         },
309         test   => {
310             "ExpectedServerCertType" => "RSA",
311             "ExpectedServerSignHash" => "SHA256",
312             "ExpectedServerSignType" => "RSA-PSS",
313             "ExpectedResult" => "Success"
314         },
315     },
316     {
317         name => "RSA-PSS Certificate Legacy Signature Algorithm Selection",
318         server => $server_pss,
319         client => {
320             "SignatureAlgorithms" => "RSA-PSS+SHA256",
321         },
322         test   => {
323             "ExpectedServerCertType" => "RSA",
324             "ExpectedServerSignHash" => "SHA256",
325             "ExpectedServerSignType" => "RSA-PSS",
326             "ExpectedResult" => "Success"
327         },
328     },
329     {
330         name => "RSA-PSS Certificate Unified Signature Algorithm Selection",
331         server => $server_pss,
332         client => {
333             "SignatureAlgorithms" => "rsa_pss_pss_sha256",
334         },
335         test   => {
336             "ExpectedServerCertType" => "RSA-PSS",
337             "ExpectedServerSignHash" => "SHA256",
338             "ExpectedServerSignType" => "RSA-PSS",
339             "ExpectedResult" => "Success"
340         },
341     },
342     {
343         name => "Only RSA-PSS Certificate",
344         server => $server_pss_only,
345         client => {},
346         test   => {
347             "ExpectedServerCertType" => "RSA-PSS",
348             "ExpectedServerSignHash" => "SHA256",
349             "ExpectedServerSignType" => "RSA-PSS",
350             "ExpectedResult" => "Success"
351         },
352     },
353     {
354         name => "RSA-PSS Certificate, no PSS signature algorithms",
355         server => $server_pss_only,
356         client => {
357             "SignatureAlgorithms" => "RSA+SHA256",
358         },
359         test   => {
360             "ExpectedResult" => "ServerFail"
361         },
362     },
363     {
364         name => "Suite B P-256 Hash Algorithm Selection",
365         server =>  {
366             "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
367             "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
368             "MaxProtocol" => "TLSv1.2",
369             "CipherString" => "SUITEB128"
370         },
371         client => {
372             "VerifyCAFile" => test_pem("p384-root.pem"),
373             "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
374         },
375         test   => {
376             "ExpectedServerCertType" => "P-256",
377             "ExpectedServerSignHash" => "SHA256",
378             "ExpectedServerSignType" => "EC",
379             "ExpectedResult" => "Success"
380         },
381     },
382     {
383         name => "Suite B P-384 Hash Algorithm Selection",
384         server =>  {
385             "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
386             "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
387             "MaxProtocol" => "TLSv1.2",
388             "CipherString" => "SUITEB128"
389         },
390         client => {
391             "VerifyCAFile" => test_pem("p384-root.pem"),
392             "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
393         },
394         test   => {
395             "ExpectedServerCertType" => "P-384",
396             "ExpectedServerSignHash" => "SHA384",
397             "ExpectedServerSignType" => "EC",
398             "ExpectedResult" => "Success"
399         },
400     },
401     {
402         name => "TLS 1.2 Ed25519 Client Auth",
403         server => {
404             "VerifyCAFile" => test_pem("root-cert.pem"),
405             "VerifyMode" => "Require"
406         },
407         client => {
408             "Ed25519.Certificate" => test_pem("client-ed25519-cert.pem"),
409             "Ed25519.PrivateKey" => test_pem("client-ed25519-key.pem"),
410             "MinProtocol" => "TLSv1.2",
411             "MaxProtocol" => "TLSv1.2"
412         },
413         test   => {
414             "ExpectedClientCertType" => "Ed25519",
415             "ExpectedClientSignType" => "Ed25519",
416             "ExpectedResult" => "Success"
417         },
418     },
419     {
420         name => "TLS 1.2 Ed448 Client Auth",
421         server => {
422             "VerifyCAFile" => test_pem("root-cert.pem"),
423             "VerifyMode" => "Require"
424         },
425         client => {
426             "Ed448.Certificate" => test_pem("client-ed448-cert.pem"),
427             "Ed448.PrivateKey" => test_pem("client-ed448-key.pem"),
428             "MinProtocol" => "TLSv1.2",
429             "MaxProtocol" => "TLSv1.2"
430         },
431         test   => {
432             "ExpectedClientCertType" => "Ed448",
433             "ExpectedClientSignType" => "Ed448",
434             "ExpectedResult" => "Success"
435         },
436     },
437 );
438
439 my @tests_tls_1_1 = (
440     {
441         name => "Only RSA-PSS Certificate, TLS v1.1",
442         server => $server_pss_only,
443         client => {
444             "MaxProtocol" => "TLSv1.1",
445         },
446         test   => {
447             "ExpectedResult" => "ServerFail"
448         },
449     },
450 );
451
452 push @tests, @tests_tls_1_1 unless disabled("tls1_1");
453
454 my $server_tls_1_3 = {
455     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
456     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
457     "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
458     "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
459     "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
460     "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
461     "MinProtocol" => "TLSv1.3",
462     "MaxProtocol" => "TLSv1.3"
463 };
464
465 my $server_tls_1_3_pss = {
466     "PSS.Certificate" => test_pem("server-pss-cert.pem"),
467     "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
468     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
469     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
470     "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
471     "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
472     "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
473     "Ed448.PrivateKey" => test_pem("server-ed449-key.pem"),
474     "MinProtocol" => "TLSv1.3",
475     "MaxProtocol" => "TLSv1.3"
476 };
477
478 my $client_tls_1_3 = {
479     "RSA.Certificate" => test_pem("ee-client-chain.pem"),
480     "RSA.PrivateKey" => test_pem("ee-key.pem"),
481     "ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
482     "ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"),
483     "MinProtocol" => "TLSv1.3",
484     "MaxProtocol" => "TLSv1.3"
485 };
486
487 my @tests_tls_1_3 = (
488     {
489         name => "TLS 1.3 ECDSA Signature Algorithm Selection",
490         server => $server_tls_1_3,
491         client => {
492             "SignatureAlgorithms" => "ECDSA+SHA256",
493         },
494         test   => {
495             "ExpectedServerCertType" => "P-256",
496             "ExpectedServerSignHash" => "SHA256",
497             "ExpectedServerSignType" => "EC",
498             "ExpectedServerCANames" => "empty",
499             "ExpectedResult" => "Success"
500         },
501     },
502     {
503         name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point",
504         server => {
505             "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
506             "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
507             "MinProtocol" => "TLSv1.3",
508             "MaxProtocol" => "TLSv1.3"
509         },
510         client => {
511             "SignatureAlgorithms" => "ECDSA+SHA256",
512         },
513         test   => {
514             "ExpectedServerCertType" => "P-256",
515             "ExpectedServerSignHash" => "SHA256",
516             "ExpectedServerSignType" => "EC",
517             "ExpectedServerCANames" => "empty",
518             "ExpectedResult" => "Success"
519         },
520     },
521     {
522         name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1",
523         server => $server_tls_1_3,
524         client => {
525             "SignatureAlgorithms" => "ECDSA+SHA1",
526         },
527         test   => {
528             "ExpectedResult" => "ServerFail"
529         },
530     },
531     {
532         name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
533         server => $server_tls_1_3,
534         client => {
535             "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
536             "RequestCAFile" => test_pem("root-cert.pem"),
537         },
538         test   => {
539             "ExpectedServerCertType" => "P-256",
540             "ExpectedServerSignHash" => "SHA256",
541             "ExpectedServerSignType" => "EC",
542             "ExpectedServerCANames" => test_pem("root-cert.pem"),
543             "ExpectedResult" => "Success"
544         },
545     },
546     {
547         name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
548         server => $server_tls_1_3,
549         client => {
550             "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
551         },
552         test   => {
553             "ExpectedServerCertType" => "RSA",
554             "ExpectedServerSignHash" => "SHA384",
555             "ExpectedServerSignType" => "RSA-PSS",
556             "ExpectedResult" => "Success"
557         },
558     },
559     {
560         name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
561         server => {
562             "MinProtocol" => "TLSv1.3",
563             "MaxProtocol" => "TLSv1.3"
564         },
565         client => {
566             "SignatureAlgorithms" => "ECDSA+SHA256",
567         },
568         test   => {
569             "ExpectedResult" => "ServerFail"
570         },
571     },
572     {
573         name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
574         server => $server_tls_1_3,
575         client => {
576             "SignatureAlgorithms" => "RSA+SHA256",
577         },
578         test   => {
579             "ExpectedResult" => "ServerFail"
580         },
581     },
582     {
583         name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
584         server => $server_tls_1_3,
585         client => {
586             "SignatureAlgorithms" => "RSA-PSS+SHA256",
587         },
588         test   => {
589             "ExpectedServerCertType" => "RSA",
590             "ExpectedServerSignHash" => "SHA256",
591             "ExpectedServerSignType" => "RSA-PSS",
592             "ExpectedResult" => "Success"
593         },
594     },
595     {
596         name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
597         server => $server_tls_1_3,
598         client => {
599             "SignatureAlgorithms" => "ed25519",
600         },
601         test   => {
602             "ExpectedServerCertType" => "Ed25519",
603             "ExpectedServerSignType" => "Ed25519",
604             "ExpectedResult" => "Success"
605         },
606     },
607     {
608         name => "TLS 1.3 Ed448 Signature Algorithm Selection",
609         server => $server_tls_1_3,
610         client => {
611             "SignatureAlgorithms" => "ed448",
612         },
613         test   => {
614             "ExpectedServerCertType" => "Ed448",
615             "ExpectedServerSignType" => "Ed448",
616             "ExpectedResult" => "Success"
617         },
618     },
619     {
620         name => "TLS 1.3 Ed25519 CipherString and Groups Selection",
621         server => $server_tls_1_3,
622         client => {
623             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
624             # Excluding P-256 from the supported groups list should
625             # mean server still uses a P-256 certificate because supported
626             # groups is not used in signature selection for TLS 1.3
627             "Groups" => "X25519"
628         },
629         test   => {
630             "ExpectedServerCertType" =>, "P-256",
631             "ExpectedServerSignType" =>, "EC",
632             "ExpectedResult" => "Success"
633         },
634     },
635     {
636         name => "TLS 1.3 Ed448 CipherString and Groups Selection",
637         server => $server_tls_1_3,
638         client => {
639             "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
640             # Excluding P-256 from the supported groups list should
641             # mean server still uses a P-256 certificate because supported
642             # groups is not used in signature selection for TLS 1.3
643             "Groups" => "X448"
644         },
645         test   => {
646             "ExpectedServerCertType" =>, "P-256",
647             "ExpectedServerSignType" =>, "EC",
648             "ExpectedResult" => "Success"
649         },
650     },
651     {
652         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
653         server => {
654             "ClientSignatureAlgorithms" => "PSS+SHA256",
655             "VerifyCAFile" => test_pem("root-cert.pem"),
656             "VerifyMode" => "Require"
657         },
658         client => $client_tls_1_3,
659         test   => {
660             "ExpectedClientCertType" => "RSA",
661             "ExpectedClientSignHash" => "SHA256",
662             "ExpectedClientSignType" => "RSA-PSS",
663             "ExpectedClientCANames" => "empty",
664             "ExpectedResult" => "Success"
665         },
666     },
667     {
668         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
669         server => {
670             "ClientSignatureAlgorithms" => "PSS+SHA256",
671             "VerifyCAFile" => test_pem("root-cert.pem"),
672             "RequestCAFile" => test_pem("root-cert.pem"),
673             "VerifyMode" => "Require"
674         },
675         client => $client_tls_1_3,
676         test   => {
677             "ExpectedClientCertType" => "RSA",
678             "ExpectedClientSignHash" => "SHA256",
679             "ExpectedClientSignType" => "RSA-PSS",
680             "ExpectedClientCANames" => test_pem("root-cert.pem"),
681             "ExpectedResult" => "Success"
682         },
683     },
684     {
685         name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
686         server => {
687             "ClientSignatureAlgorithms" => "ECDSA+SHA256",
688             "VerifyCAFile" => test_pem("root-cert.pem"),
689             "VerifyMode" => "Require"
690         },
691         client => $client_tls_1_3,
692         test   => {
693             "ExpectedClientCertType" => "P-256",
694             "ExpectedClientSignHash" => "SHA256",
695             "ExpectedClientSignType" => "EC",
696             "ExpectedResult" => "Success"
697         },
698     },
699     {
700         name => "TLS 1.3 Ed25519 Client Auth",
701         server => {
702             "VerifyCAFile" => test_pem("root-cert.pem"),
703             "VerifyMode" => "Require"
704         },
705         client => {
706             "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
707             "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
708             "MinProtocol" => "TLSv1.3",
709             "MaxProtocol" => "TLSv1.3"
710         },
711         test   => {
712             "ExpectedClientCertType" => "Ed25519",
713             "ExpectedClientSignType" => "Ed25519",
714             "ExpectedResult" => "Success"
715         },
716     },
717     {
718         name => "TLS 1.3 Ed448 Client Auth",
719         server => {
720             "VerifyCAFile" => test_pem("root-cert.pem"),
721             "VerifyMode" => "Require"
722         },
723         client => {
724             "EdDSA.Certificate" => test_pem("client-ed448-cert.pem"),
725             "EdDSA.PrivateKey" => test_pem("client-ed448-key.pem"),
726             "MinProtocol" => "TLSv1.3",
727             "MaxProtocol" => "TLSv1.3"
728         },
729         test   => {
730             "ExpectedClientCertType" => "Ed448",
731             "ExpectedClientSignType" => "Ed448",
732             "ExpectedResult" => "Success"
733         },
734     },
735 );
736
737 push @tests, @tests_tls_1_3 unless disabled("tls1_3");
738
739 my @tests_dsa_tls_1_2 = (
740     {
741         name => "TLS 1.2 DSA Certificate Test",
742         server => {
743             "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
744             "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
745             "DHParameters" => test_pem("dhp2048.pem"),
746             "MinProtocol" => "TLSv1.2",
747             "MaxProtocol" => "TLSv1.2",
748             "CipherString" => "ALL",
749         },
750         client => {
751             "SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
752             "CipherString" => "ALL",
753         },
754         test   => {
755             "ExpectedResult" => "Success"
756         },
757     },
758 );
759
760 my @tests_dsa_tls_1_3 = (
761     {
762         name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
763         server => {
764             "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
765             "VerifyCAFile" => test_pem("root-cert.pem"),
766             "VerifyMode" => "Request"
767         },
768         client => {},
769         test   => {
770             "ExpectedResult" => "ServerFail"
771         },
772     },
773     {
774         name => "TLS 1.3 DSA Certificate Test",
775         server => {
776             "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
777             "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
778             "MinProtocol" => "TLSv1.3",
779             "MaxProtocol" => "TLSv1.3",
780             "CipherString" => "ALL",
781         },
782         client => {
783             "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256:ECDSA+SHA256",
784             "CipherString" => "ALL",
785         },
786         test   => {
787             "ExpectedResult" => "ServerFail"
788         },
789     },
790 );
791
792 if (!disabled("dsa")) {
793     push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
794     push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
795 }