1 # -*- mode: perl; -*-
2
3 ## SSL test configurations
4
5
6 use strict;
7 use warnings;
8
9 package ssltests;
10 use OpenSSL::Test::Utils;
11
# Server profile shared by the TLS 1.2 cases below. Only the ECDSA
# credential is configured explicitly; the RSA selection cases use this
# same profile and expect an RSA certificate, so the harness presumably
# supplies a default RSA certificate/key as well (confirm against the
# generator template). MaxProtocol keeps every case that uses this
# profile on TLS 1.2 or lower.
my $server = {
    'MaxProtocol'       => 'TLSv1.2',
    'ECDSA.Certificate' => test_pem('server-ecdsa-cert.pem'),
    'ECDSA.PrivateKey'  => test_pem('server-ecdsa-key.pem'),
};
17
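# TLS 1.2 (and lower) certificate and signature-algorithm selection cases.
# Each entry pins which certificate type, signature type and hash the
# server is expected to pick for a given client CipherString or
# SignatureAlgorithms, or expects ServerFail when no credential can
# satisfy the client's constraints. Declared with 'our' so the generator
# can read it; the TLS 1.3 and DSA cases are appended further down only
# when the build enables those features.
#
# Cleanup relative to the earlier version of this list: a few entries had
# a stray comma after the fat arrow ("key" =>, "value"). Perl silently
# ignores the empty list element, so behaviour is unchanged, but it is
# misleading to read and inconsistent with the rest of the file.
our @tests = (
    {
        # aECDSA restricts the client to ECDSA-authenticated suites, so the
        # server has to pick its ECDSA credential.
        name => "ECDSA CipherString Selection",
        server => $server,
        client => {
            "CipherString" => "aECDSA",
            "RequestCAFile" => test_pem("root-cert.pem"),
        },
        test   => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignType" => "EC",
            # Note: certificate_authorities not sent for TLS < 1.3, so the
            # RequestCAFile configured on the client must not show up here.
            "ExpectedServerCANames" => "empty",
            "ExpectedResult" => "Success"
        },
    },
    {
        # With the client's default sigalgs the server signs with RSA-PSS
        # even on TLS 1.2; the explicit RSA+SHA256 case further down pins
        # PKCS#1 v1.5 instead.
        name => "RSA CipherString Selection",
        server => $server,
        client => {
            "CipherString" => "aRSA",
        },
        test   => {
            "ExpectedServerCertType" => "RSA",
            "ExpectedServerSignType" => "RSA-PSS",
            "ExpectedResult" => "Success"
        },
    },
    {
        # Same client constraint, but the server has no ECDSA certificate
        # (only whatever the harness supplies by default): the handshake
        # must fail rather than fall back to a credential the client did
        # not ask for.
        name => "ECDSA CipherString Selection, no ECDSA certificate",
        server => {
            "MaxProtocol" => "TLSv1.2"
        },
        client => {
            "CipherString" => "aECDSA"
        },
        test   => {
            "ExpectedResult" => "ServerFail"
        },
    },
    {
        name => "ECDSA Signature Algorithm Selection",
        server => $server,
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA256",
        },
        test   => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        # Under TLS 1.2 the hash follows the client's sigalgs, not the
        # curve: a P-256 key signs with SHA384 here (contrast with the
        # Suite B cases at the end of this list).
        name => "ECDSA Signature Algorithm Selection SHA384",
        server => $server,
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA384",
        },
        test   => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignHash" => "SHA384",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        # SHA1 signatures are still negotiable under TLS 1.2 with this
        # configuration; the TLS 1.3 counterpart in @tests_tls_1_3 expects
        # ServerFail. A change in this expectation means the legacy
        # signature path changed, which is worth a deliberate decision.
        name => "ECDSA Signature Algorithm Selection SHA1",
        server => $server,
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA1",
        },
        test   => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignHash" => "SHA1",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        # Certificate whose EC public key uses the compressed point
        # encoding ("cecdsa"); accepted under TLS 1.2, whereas the TLS 1.3
        # case with the same files expects failure.
        name => "ECDSA Signature Algorithm Selection compressed point",
        server => {
            "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
            "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
            "MaxProtocol" => "TLSv1.2"
        },
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA256",
        },
        test   => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        # Sigalgs variant of the "no ECDSA certificate" case above.
        name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
        server => {
            "MaxProtocol" => "TLSv1.2"
        },
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA256",
        },
        test   => {
            "ExpectedResult" => "ServerFail"
        },
    },
    {
        # RSA+SHA256 is PKCS#1 v1.5, so the expected sign type is plain RSA.
        name => "RSA Signature Algorithm Selection",
        server => $server,
        client => {
            "SignatureAlgorithms" => "RSA+SHA256",
        },
        test   => {
            "ExpectedServerCertType" => "RSA",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "RSA",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "RSA-PSS Signature Algorithm Selection",
        server => $server,
        client => {
            "SignatureAlgorithms" => "RSA-PSS+SHA256",
        },
        test   => {
            "ExpectedServerCertType" => "RSA",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "RSA-PSS",
            "ExpectedResult" => "Success"
        },
    },
    {
        # Suite B ties the hash to the curve: the P-256 server certificate
        # signs with SHA-256 even though the client lists SHA384 first.
        # The server chain is verified against the P-384 root.
        name => "Suite B P-256 Hash Algorithm Selection",
        server =>  {
            "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
            "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
            "MaxProtocol" => "TLSv1.2",
            "CipherString" => "SUITEB128"
        },
        client => {
            "VerifyCAFile" => test_pem("p384-root.pem"),
            "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
        },
        test   => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        # Mirror case: the P-384 certificate signs with SHA-384 although the
        # client lists SHA256 first.
        name => "Suite B P-384 Hash Algorithm Selection",
        server =>  {
            "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
            "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
            "MaxProtocol" => "TLSv1.2",
            "CipherString" => "SUITEB128"
        },
        client => {
            "VerifyCAFile" => test_pem("p384-root.pem"),
            "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
        },
        test   => {
            "ExpectedServerCertType" => "P-384",
            "ExpectedServerSignHash" => "SHA384",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    }
);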
191
192
# Server profile for the TLS 1.3 cases: the ECDSA credential plus whatever
# the harness supplies by default (the RSA cases below rely on a default
# RSA certificate being present), pinned to exactly TLS 1.3 on both ends.
my $server_tls_1_3 = {
    'MinProtocol'       => 'TLSv1.3',
    'MaxProtocol'       => 'TLSv1.3',
    'ECDSA.Certificate' => test_pem('server-ecdsa-cert.pem'),
    'ECDSA.PrivateKey'  => test_pem('server-ecdsa-key.pem'),
};
199
# Client profile for the client-authentication cases: one RSA and one
# ECDSA credential (each a chain file plus its key), pinned to exactly
# TLS 1.3, so that the server's ClientSignatureAlgorithms alone decides
# which of the two the client ends up signing with.
my $client_tls_1_3 = {
    'MinProtocol'       => 'TLSv1.3',
    'MaxProtocol'       => 'TLSv1.3',
    'RSA.Certificate'   => test_pem('ee-client-chain.pem'),
    'RSA.PrivateKey'    => test_pem('ee-key.pem'),
    'ECDSA.Certificate' => test_pem('ee-ecdsa-client-chain.pem'),
    'ECDSA.PrivateKey'  => test_pem('ee-ecdsa-key.pem'),
};
208
# TLS 1.3 selection cases. Beyond what the TLS 1.2 list checks, these pin
# the TLS 1.3-specific rules exercised by this file: SHA1 and PKCS#1 v1.5
# schemes are not selectable, ECDSA schemes are bound to a curve,
# certificate_authorities actually travels in the handshake, and the
# client-authentication side of signature-scheme selection.
my @tests_tls_1_3 = (
    {
        name   => 'TLS 1.3 ECDSA Signature Algorithm Selection',
        server => $server_tls_1_3,
        client => {
            'SignatureAlgorithms' => 'ECDSA+SHA256',
        },
        test   => {
            'ExpectedResult'         => 'Success',
            'ExpectedServerCertType' => 'P-256',
            'ExpectedServerSignType' => 'EC',
            'ExpectedServerSignHash' => 'SHA256',
            # No RequestCAFile on the client, so no CA names are sent.
            'ExpectedServerCANames'  => 'empty',
        },
    },
    {
        # Same compressed-point certificate the TLS 1.2 list accepts; under
        # TLS 1.3 the server is expected to refuse to use it.
        name   => 'TLS 1.3 ECDSA Signature Algorithm Selection compressed point',
        server => {
            'MinProtocol'       => 'TLSv1.3',
            'MaxProtocol'       => 'TLSv1.3',
            'ECDSA.Certificate' => test_pem('server-cecdsa-cert.pem'),
            'ECDSA.PrivateKey'  => test_pem('server-cecdsa-key.pem'),
        },
        client => {
            'SignatureAlgorithms' => 'ECDSA+SHA256',
        },
        test   => {
            'ExpectedResult' => 'ServerFail',
        },
    },
    {
        # SHA1-based schemes are not usable for CertificateVerify in
        # TLS 1.3, so a client offering only ECDSA+SHA1 leaves the server
        # nothing to select.
        name   => 'TLS 1.3 ECDSA Signature Algorithm Selection SHA1',
        server => $server_tls_1_3,
        client => {
            'SignatureAlgorithms' => 'ECDSA+SHA1',
        },
        test   => {
            'ExpectedResult' => 'ServerFail',
        },
    },
    {
        # Both ECDSA and RSA-PSS offered (ECDSA listed first): the ECDSA
        # credential is selected. With a RequestCAFile on the client the
        # CA names do travel in TLS 1.3, unlike the TLS 1.2 case.
        name   => 'TLS 1.3 ECDSA Signature Algorithm Selection with PSS',
        server => $server_tls_1_3,
        client => {
            'SignatureAlgorithms' => 'ECDSA+SHA256:RSA-PSS+SHA256',
            'RequestCAFile'       => test_pem('root-cert.pem'),
        },
        test   => {
            'ExpectedResult'         => 'Success',
            'ExpectedServerCertType' => 'P-256',
            'ExpectedServerSignType' => 'EC',
            'ExpectedServerSignHash' => 'SHA256',
            'ExpectedServerCANames'  => test_pem('root-cert.pem'),
        },
    },
    {
        # The server's ECDSA key is P-256, but in TLS 1.3 ECDSA+SHA384 maps
        # to the P-384 scheme, so that credential is unusable and the RSA
        # one is taken with PSS/SHA384 even though it is listed second.
        name   => 'TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS',
        server => $server_tls_1_3,
        client => {
            'SignatureAlgorithms' => 'ECDSA+SHA384:RSA-PSS+SHA384',
        },
        test   => {
            'ExpectedResult'         => 'Success',
            'ExpectedServerCertType' => 'RSA',
            'ExpectedServerSignType' => 'RSA-PSS',
            'ExpectedServerSignHash' => 'SHA384',
        },
    },
    {
        # No ECDSA credential at all: must fail, not fall back.
        name   => 'TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate',
        server => {
            'MinProtocol' => 'TLSv1.3',
            'MaxProtocol' => 'TLSv1.3',
        },
        client => {
            'SignatureAlgorithms' => 'ECDSA+SHA256',
        },
        test   => {
            'ExpectedResult' => 'ServerFail',
        },
    },
    {
        # RSA+SHA256 (PKCS#1 v1.5) is not a TLS 1.3 CertificateVerify
        # scheme; an RSA-only client has to offer PSS or the handshake
        # fails.
        name   => 'TLS 1.3 RSA Signature Algorithm Selection, no PSS',
        server => $server_tls_1_3,
        client => {
            'SignatureAlgorithms' => 'RSA+SHA256',
        },
        test   => {
            'ExpectedResult' => 'ServerFail',
        },
    },
    {
        name   => 'TLS 1.3 RSA-PSS Signature Algorithm Selection',
        server => $server_tls_1_3,
        client => {
            'SignatureAlgorithms' => 'RSA-PSS+SHA256',
        },
        test   => {
            'ExpectedResult'         => 'Success',
            'ExpectedServerCertType' => 'RSA',
            'ExpectedServerSignType' => 'RSA-PSS',
            'ExpectedServerSignHash' => 'SHA256',
        },
    },
    {
        # Client auth: the server's ClientSignatureAlgorithms decides which
        # of the client's two credentials gets used. Note the protocol is
        # pinned to 1.3 by the client profile only.
        name   => 'TLS 1.3 RSA Client Auth Signature Algorithm Selection',
        server => {
            'VerifyMode'                => 'Require',
            'VerifyCAFile'              => test_pem('root-cert.pem'),
            'ClientSignatureAlgorithms' => 'PSS+SHA256',
        },
        client => $client_tls_1_3,
        test   => {
            'ExpectedResult'         => 'Success',
            'ExpectedClientCertType' => 'RSA',
            'ExpectedClientSignType' => 'RSA-PSS',
            'ExpectedClientSignHash' => 'SHA256',
            # No RequestCAFile on the server: the client must see no CA
            # names in the CertificateRequest.
            'ExpectedClientCANames'  => 'empty',
        },
    },
    {
        # As above, but the server's RequestCAFile must be reflected in the
        # CA names the client sees.
        name   => 'TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names',
        server => {
            'VerifyMode'                => 'Require',
            'VerifyCAFile'              => test_pem('root-cert.pem'),
            'RequestCAFile'             => test_pem('root-cert.pem'),
            'ClientSignatureAlgorithms' => 'PSS+SHA256',
        },
        client => $client_tls_1_3,
        test   => {
            'ExpectedResult'         => 'Success',
            'ExpectedClientCertType' => 'RSA',
            'ExpectedClientSignType' => 'RSA-PSS',
            'ExpectedClientSignHash' => 'SHA256',
            'ExpectedClientCANames'  => test_pem('root-cert.pem'),
        },
    },
    {
        # Same client profile; restricting the server to ECDSA+SHA256 must
        # flip the client over to its ECDSA credential.
        name   => 'TLS 1.3 ECDSA Client Auth Signature Algorithm Selection',
        server => {
            'VerifyMode'                => 'Require',
            'VerifyCAFile'              => test_pem('root-cert.pem'),
            'ClientSignatureAlgorithms' => 'ECDSA+SHA256',
        },
        client => $client_tls_1_3,
        test   => {
            'ExpectedResult'         => 'Success',
            'ExpectedClientCertType' => 'P-256',
            'ExpectedClientSignType' => 'EC',
            'ExpectedClientSignHash' => 'SHA256',
        },
    },
    {
        # Every scheme the server would allow for client signatures is
        # unusable in TLS 1.3 (SHA1, DSA, PKCS#1 v1.5), so the handshake
        # is expected to fail on the server side. VerifyMode is only
        # Request and the client carries no credential, so the failure
        # should be attributable to the sigalgs configuration rather than
        # to a missing client certificate.
        name   => 'TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms',
        server => {
            'VerifyMode'                => 'Request',
            'VerifyCAFile'              => test_pem('root-cert.pem'),
            'ClientSignatureAlgorithms' => 'ECDSA+SHA1:DSA+SHA256:RSA+SHA256',
        },
        client => {},
        test   => {
            'ExpectedResult' => 'ServerFail',
        },
    },
);
374
375 push @tests, @tests_tls_1_3 unless disabled("tls1_3");
376
# DSA authentication in TLS 1.2 rides on DHE key exchange, hence the DH
# parameters on the server and the 'dh' guard where this list is added.
# Both sides widen CipherString to ALL; the DSS suites are presumably not
# part of the default list (confirm against the default CipherString).
my @tests_dsa_tls_1_2 = (
    {
        name   => 'TLS 1.2 DSA Certificate Test',
        server => {
            'MinProtocol'     => 'TLSv1.2',
            'MaxProtocol'     => 'TLSv1.2',
            'CipherString'    => 'ALL',
            'DSA.Certificate' => test_pem('server-dsa-cert.pem'),
            'DSA.PrivateKey'  => test_pem('server-dsa-key.pem'),
            'DHParameters'    => test_pem('dhp2048.pem'),
        },
        client => {
            'CipherString'        => 'ALL',
            'SignatureAlgorithms' => 'DSA+SHA256:DSA+SHA1',
        },
        test   => {
            'ExpectedResult' => 'Success',
        },
    },
);
397
# TLS 1.3 defines no DSA signature scheme, so a server holding only a DSA
# credential cannot complete the handshake even though the client offers
# DSA sigalgs. The client also lists ECDSA+SHA256, so its offer is itself
# a valid TLS 1.3 offer and the failure should be down to the server's
# credential, not to an empty usable-sigalgs set.
my @tests_dsa_tls_1_3 = (
    {
        name   => 'TLS 1.3 DSA Certificate Test',
        server => {
            'MinProtocol'     => 'TLSv1.3',
            'MaxProtocol'     => 'TLSv1.3',
            'CipherString'    => 'ALL',
            'DSA.Certificate' => test_pem('server-dsa-cert.pem'),
            'DSA.PrivateKey'  => test_pem('server-dsa-key.pem'),
        },
        client => {
            'CipherString'        => 'ALL',
            'SignatureAlgorithms' => 'DSA+SHA1:DSA+SHA256:ECDSA+SHA256',
        },
        test   => {
            'ExpectedResult' => 'ServerFail',
        },
    },
);
417
# DSA cases need a DSA-capable build; the TLS 1.2 one additionally needs
# DH (DHE key exchange), the TLS 1.3 one needs TLS 1.3 itself.
unless (disabled("dsa")) {
    push @tests, @tests_dsa_tls_1_2 if !disabled("dh");
    push @tests, @tests_dsa_tls_1_3 if !disabled("tls1_3");
}