Add client auth TLS 1.3 certificate selection tests
[openssl.git] / test / ssl-tests / 20-cert-select.conf.in
1 # -*- mode: perl; -*-
2
3 ## SSL test configurations
4
5
6 use strict;
7 use warnings;
8
9 package ssltests;
10 use OpenSSL::Test::Utils;
11
12 my $dir_sep = $^O ne "VMS" ? "/" : "";
13
14 my $cert_dir = "\${ENV::TEST_CERTS_DIR}${dir_sep}";
15
16 my $server = {
17     "ECDSA.Certificate" => "${cert_dir}server-ecdsa-cert.pem",
18     "ECDSA.PrivateKey" => "${cert_dir}server-ecdsa-key.pem",
19     "MaxProtocol" => "TLSv1.2"
20 };
21
22 our @tests = (
23     {
24         name => "ECDSA CipherString Selection",
25         server => $server,
26         client => {
27             "CipherString" => "aECDSA",
28         },
29         test   => {
30             "ExpectedServerCertType" =>, "P-256",
31             "ExpectedServerSignType" =>, "EC",
32             "ExpectedResult" => "Success"
33         },
34     },
35     {
36         name => "RSA CipherString Selection",
37         server => $server,
38         client => {
39             "CipherString" => "aRSA",
40         },
41         test   => {
42             "ExpectedServerCertType" =>, "RSA",
43             "ExpectedServerSignType" =>, "RSA-PSS",
44             "ExpectedResult" => "Success"
45         },
46     },
47     {
48         name => "ECDSA CipherString Selection, no ECDSA certificate",
49         server => {
50             "MaxProtocol" => "TLSv1.2"
51         },
52         client => {
53             "CipherString" => "aECDSA"
54         },
55         test   => {
56             "ExpectedResult" => "ServerFail"
57         },
58     },
59     {
60         name => "ECDSA Signature Algorithm Selection",
61         server => $server,
62         client => {
63             "SignatureAlgorithms" => "ECDSA+SHA256",
64         },
65         test   => {
66             "ExpectedServerCertType" => "P-256",
67             "ExpectedServerSignHash" => "SHA256",
68             "ExpectedServerSignType" => "EC",
69             "ExpectedResult" => "Success"
70         },
71     },
72     {
73         name => "ECDSA Signature Algorithm Selection SHA384",
74         server => $server,
75         client => {
76             "SignatureAlgorithms" => "ECDSA+SHA384",
77         },
78         test   => {
79             "ExpectedServerCertType" => "P-256",
80             "ExpectedServerSignHash" => "SHA384",
81             "ExpectedServerSignType" => "EC",
82             "ExpectedResult" => "Success"
83         },
84     },
85     {
86         name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
87         server => {
88              "MaxProtocol" => "TLSv1.2"
89         },
90         client => {
91             "SignatureAlgorithms" => "ECDSA+SHA256",
92         },
93         test   => {
94             "ExpectedResult" => "ServerFail"
95         },
96     },
97     {
98         name => "RSA Signature Algorithm Selection",
99         server => $server,
100         client => {
101             "SignatureAlgorithms" => "RSA+SHA256",
102         },
103         test   => {
104             "ExpectedServerCertType" => "RSA",
105             "ExpectedServerSignHash" => "SHA256",
106             "ExpectedServerSignType" => "RSA",
107             "ExpectedResult" => "Success"
108         },
109     },
110     {
111         name => "RSA-PSS Signature Algorithm Selection",
112         server => $server,
113         client => {
114             "SignatureAlgorithms" => "RSA-PSS+SHA256",
115         },
116         test   => {
117             "ExpectedServerCertType" => "RSA",
118             "ExpectedServerSignHash" => "SHA256",
119             "ExpectedServerSignType" => "RSA-PSS",
120             "ExpectedResult" => "Success"
121         },
122     }
123 );
124
125
126 my $server_tls_1_3 = {
127     "ECDSA.Certificate" => "${cert_dir}server-ecdsa-cert.pem",
128     "ECDSA.PrivateKey" => "${cert_dir}server-ecdsa-key.pem",
129     "MinProtocol" => "TLSv1.3",
130     "MaxProtocol" => "TLSv1.3"
131 };
132
133 my $client_tls_1_3 = {
134     "RSA.Certificate" => "${cert_dir}ee-client-chain.pem",
135     "RSA.PrivateKey" => "${cert_dir}ee-key.pem",
136     "ECDSA.Certificate" => "${cert_dir}ee-ecdsa-client-chain.pem",
137     "ECDSA.PrivateKey" => "${cert_dir}ee-ecdsa-key.pem",
138     "MinProtocol" => "TLSv1.3",
139     "MaxProtocol" => "TLSv1.3"
140 };
141
142 my @tests_tls_1_3 = (
143     {
144         name => "TLS 1.3 ECDSA Signature Algorithm Selection",
145         server => $server_tls_1_3,
146         client => {
147             "SignatureAlgorithms" => "ECDSA+SHA256",
148         },
149         test   => {
150             "ExpectedServerCertType" => "P-256",
151             "ExpectedServerSignHash" => "SHA256",
152             "ExpectedServerSignType" => "EC",
153             "ExpectedResult" => "Success"
154         },
155     },
156     {
157         name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
158         server => $server_tls_1_3,
159         client => {
160             "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
161         },
162         test   => {
163             "ExpectedServerCertType" => "P-256",
164             "ExpectedServerSignHash" => "SHA256",
165             "ExpectedServerSignType" => "EC",
166             "ExpectedResult" => "Success"
167         },
168     },
169     {
170         name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
171         server => $server_tls_1_3,
172         client => {
173             "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
174         },
175         test   => {
176             "ExpectedServerCertType" => "RSA",
177             "ExpectedServerSignHash" => "SHA384",
178             "ExpectedServerSignType" => "RSA-PSS",
179             "ExpectedResult" => "Success"
180         },
181     },
182     {
183         name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
184         server => {
185             "MinProtocol" => "TLSv1.3",
186             "MaxProtocol" => "TLSv1.3"
187         },
188         client => {
189             "SignatureAlgorithms" => "ECDSA+SHA256",
190         },
191         test   => {
192             "ExpectedResult" => "ServerFail"
193         },
194     },
195     {
196         name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
197         server => $server_tls_1_3,
198         client => {
199             "SignatureAlgorithms" => "RSA+SHA256",
200         },
201         test   => {
202             "ExpectedResult" => "ServerFail"
203         },
204     },
205     {
206         name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
207         server => $server_tls_1_3,
208         client => {
209             "SignatureAlgorithms" => "RSA-PSS+SHA256",
210         },
211         test   => {
212             "ExpectedServerCertType" => "RSA",
213             "ExpectedServerSignHash" => "SHA256",
214             "ExpectedServerSignType" => "RSA-PSS",
215             "ExpectedResult" => "Success"
216         },
217     },
218     {
219         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
220         server => {
221             "ClientSignatureAlgorithms" => "PSS+SHA256",
222             "VerifyCAFile" => "${cert_dir}root-cert.pem",
223             "VerifyMode" => "Require"
224         },
225         client => $client_tls_1_3,
226         test   => {
227             "ExpectedClientCertType" => "RSA",
228             "ExpectedClientSignHash" => "SHA256",
229             "ExpectedClientSignType" => "RSA-PSS",
230             "ExpectedResult" => "Success"
231         },
232     },
233     {
234         name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
235         server => {
236             "ClientSignatureAlgorithms" => "ECDSA+SHA256",
237             "VerifyCAFile" => "${cert_dir}root-cert.pem",
238             "VerifyMode" => "Require"
239         },
240         client => $client_tls_1_3,
241         test   => {
242             "ExpectedClientCertType" => "P-256",
243             "ExpectedClientSignHash" => "SHA256",
244             "ExpectedClientSignType" => "EC",
245             "ExpectedResult" => "Success"
246         },
247     },
248 );
249
250 push @tests, @tests_tls_1_3 unless disabled("tls1_3");
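Review bot: The two client-auth entries (gutter 219–247) pin TLS 1.3 only on the client side through `$client_tls_1_3`; their server hashes carry no `MinProtocol`/`MaxProtocol`, unlike `$server_tls_1_3` used by the sibling entries, so the "TLS 1.3" in the test name is enforced by the peer rather than where the server is configured — adding `"MinProtocol" => "TLSv1.3", "MaxProtocol" => "TLSv1.3"` to both server hashes would make the intent explicit and keep the file's convention. The RSA client-auth entry spells the algorithm as `"PSS+SHA256"` (gutter 221) while every other entry in the file uses `"RSA-PSS+SHA256"`; both presumably resolve to the same signature scheme, but the shorter alias stands out, and `"ClientSignatureAlgorithms" => "RSA-PSS+SHA256",` would match. There is also no negative client-auth case analogous to the server-side "no ECDSA certificate" entries — a server with `VerifyMode => Require` that advertises only a signature algorithm the client holds no certificate for — which is what would demonstrate that a required client certificate is actually rejected rather than the handshake quietly succeeding; the expected result for such a case should be confirmed against the harness before adding it. Separately, the `=>,` at gutter 30–31 and 42–43 is a stray comma that Perl tolerates (consecutive list commas collapse) but reads as a typo; `"ExpectedServerCertType" => "P-256",` is what is meant.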