Add Ed25519 TLS 1.3 and 1.2 tests
[openssl.git] / test / ssl-tests / 20-cert-select.conf.in
1 # -*- mode: perl; -*-
2
3 ## SSL test configurations
4
5
6 use strict;
7 use warnings;
8
9 package ssltests;
10 use OpenSSL::Test::Utils;
11
12 my $server = {
13     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
14     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
15     "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
16     "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
17     "MaxProtocol" => "TLSv1.2"
18 };
19
20 our @tests = (
21     {
22         name => "ECDSA CipherString Selection",
23         server => $server,
24         client => {
25             "CipherString" => "aECDSA",
26             "MaxProtocol" => "TLSv1.2",
27             "RequestCAFile" => test_pem("root-cert.pem"),
28         },
29         test   => {
30             "ExpectedServerCertType" =>, "P-256",
31             "ExpectedServerSignType" =>, "EC",
32             # Note: certificate_authorities not sent for TLS < 1.3
33             "ExpectedServerCANames" =>, "empty",
34             "ExpectedResult" => "Success"
35         },
36     },
37     {
38         name => "Ed25519 CipherString and Signature Algorithm Selection",
39         server => $server,
40         client => {
41             "CipherString" => "aECDSA",
42             "MaxProtocol" => "TLSv1.2",
43             "SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
44             "RequestCAFile" => test_pem("root-cert.pem"),
45         },
46         test   => {
47             "ExpectedServerCertType" =>, "Ed25519",
48             "ExpectedServerSignType" =>, "Ed25519",
49             # Note: certificate_authorities not sent for TLS < 1.3
50             "ExpectedServerCANames" =>, "empty",
51             "ExpectedResult" => "Success"
52         },
53     },
54     {
55         name => "RSA CipherString Selection",
56         server => $server,
57         client => {
58             "CipherString" => "aRSA",
59             "MaxProtocol" => "TLSv1.2",
60         },
61         test   => {
62             "ExpectedServerCertType" =>, "RSA",
63             "ExpectedServerSignType" =>, "RSA-PSS",
64             "ExpectedResult" => "Success"
65         },
66     },
67     {
68         name => "ECDSA CipherString Selection, no ECDSA certificate",
69         server => {
70             "MaxProtocol" => "TLSv1.2"
71         },
72         client => {
73             "CipherString" => "aECDSA",
74             "MaxProtocol" => "TLSv1.2"
75         },
76         test   => {
77             "ExpectedResult" => "ServerFail"
78         },
79     },
80     {
81         name => "ECDSA Signature Algorithm Selection",
82         server => $server,
83         client => {
84             "SignatureAlgorithms" => "ECDSA+SHA256",
85         },
86         test   => {
87             "ExpectedServerCertType" => "P-256",
88             "ExpectedServerSignHash" => "SHA256",
89             "ExpectedServerSignType" => "EC",
90             "ExpectedResult" => "Success"
91         },
92     },
93     {
94         name => "ECDSA Signature Algorithm Selection SHA384",
95         server => $server,
96         client => {
97             "SignatureAlgorithms" => "ECDSA+SHA384",
98         },
99         test   => {
100             "ExpectedServerCertType" => "P-256",
101             "ExpectedServerSignHash" => "SHA384",
102             "ExpectedServerSignType" => "EC",
103             "ExpectedResult" => "Success"
104         },
105     },
106     {
107         name => "ECDSA Signature Algorithm Selection SHA1",
108         server => $server,
109         client => {
110             "SignatureAlgorithms" => "ECDSA+SHA1",
111         },
112         test   => {
113             "ExpectedServerCertType" => "P-256",
114             "ExpectedServerSignHash" => "SHA1",
115             "ExpectedServerSignType" => "EC",
116             "ExpectedResult" => "Success"
117         },
118     },
119     {
120         name => "ECDSA Signature Algorithm Selection compressed point",
121         server => {
122             "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
123             "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
124             "MaxProtocol" => "TLSv1.2"
125         },
126         client => {
127             "SignatureAlgorithms" => "ECDSA+SHA256",
128         },
129         test   => {
130             "ExpectedServerCertType" => "P-256",
131             "ExpectedServerSignHash" => "SHA256",
132             "ExpectedServerSignType" => "EC",
133             "ExpectedResult" => "Success"
134         },
135     },
136     {
137         name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
138         server => {
139              "MaxProtocol" => "TLSv1.2"
140         },
141         client => {
142             "SignatureAlgorithms" => "ECDSA+SHA256",
143         },
144         test   => {
145             "ExpectedResult" => "ServerFail"
146         },
147     },
148     {
149         name => "RSA Signature Algorithm Selection",
150         server => $server,
151         client => {
152             "SignatureAlgorithms" => "RSA+SHA256",
153         },
154         test   => {
155             "ExpectedServerCertType" => "RSA",
156             "ExpectedServerSignHash" => "SHA256",
157             "ExpectedServerSignType" => "RSA",
158             "ExpectedResult" => "Success"
159         },
160     },
161     {
162         name => "RSA-PSS Signature Algorithm Selection",
163         server => $server,
164         client => {
165             "SignatureAlgorithms" => "RSA-PSS+SHA256",
166         },
167         test   => {
168             "ExpectedServerCertType" => "RSA",
169             "ExpectedServerSignHash" => "SHA256",
170             "ExpectedServerSignType" => "RSA-PSS",
171             "ExpectedResult" => "Success"
172         },
173     },
174     {
175         name => "Suite B P-256 Hash Algorithm Selection",
176         server =>  {
177             "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
178             "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
179             "MaxProtocol" => "TLSv1.2",
180             "CipherString" => "SUITEB128"
181         },
182         client => {
183             "VerifyCAFile" => test_pem("p384-root.pem"),
184             "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
185         },
186         test   => {
187             "ExpectedServerCertType" => "P-256",
188             "ExpectedServerSignHash" => "SHA256",
189             "ExpectedServerSignType" => "EC",
190             "ExpectedResult" => "Success"
191         },
192     },
193     {
194         name => "Suite B P-384 Hash Algorithm Selection",
195         server =>  {
196             "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
197             "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
198             "MaxProtocol" => "TLSv1.2",
199             "CipherString" => "SUITEB128"
200         },
201         client => {
202             "VerifyCAFile" => test_pem("p384-root.pem"),
203             "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
204         },
205         test   => {
206             "ExpectedServerCertType" => "P-384",
207             "ExpectedServerSignHash" => "SHA384",
208             "ExpectedServerSignType" => "EC",
209             "ExpectedResult" => "Success"
210         },
211     },
212     {
213         name => "TLS 1.2 Ed25519 Client Auth",
214         server => {
215             "VerifyCAFile" => test_pem("root-cert.pem"),
216             "VerifyMode" => "Require"
217         },
218         client => {
219             "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
220             "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
221             "MinProtocol" => "TLSv1.2",
222             "MaxProtocol" => "TLSv1.2"
223         },
224         test   => {
225             "ExpectedClientCertType" => "Ed25519",
226             "ExpectedClientSignType" => "Ed25519",
227             "ExpectedResult" => "Success"
228         },
229     },
230 );
231
232
233 my $server_tls_1_3 = {
234     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
235     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
236     "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
237     "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
238     "MinProtocol" => "TLSv1.3",
239     "MaxProtocol" => "TLSv1.3"
240 };
241
242 my $client_tls_1_3 = {
243     "RSA.Certificate" => test_pem("ee-client-chain.pem"),
244     "RSA.PrivateKey" => test_pem("ee-key.pem"),
245     "ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
246     "ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"),
247     "MinProtocol" => "TLSv1.3",
248     "MaxProtocol" => "TLSv1.3"
249 };
250
251 my @tests_tls_1_3 = (
252     {
253         name => "TLS 1.3 ECDSA Signature Algorithm Selection",
254         server => $server_tls_1_3,
255         client => {
256             "SignatureAlgorithms" => "ECDSA+SHA256",
257         },
258         test   => {
259             "ExpectedServerCertType" => "P-256",
260             "ExpectedServerSignHash" => "SHA256",
261             "ExpectedServerSignType" => "EC",
262             "ExpectedServerCANames" => "empty",
263             "ExpectedResult" => "Success"
264         },
265     },
266     {
267         name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point",
268         server => {
269             "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
270             "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
271             "MinProtocol" => "TLSv1.3",
272             "MaxProtocol" => "TLSv1.3"
273         },
274         client => {
275             "SignatureAlgorithms" => "ECDSA+SHA256",
276         },
277         test   => {
278             "ExpectedResult" => "ServerFail"
279         },
280     },
281     {
282         name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1",
283         server => $server_tls_1_3,
284         client => {
285             "SignatureAlgorithms" => "ECDSA+SHA1",
286         },
287         test   => {
288             "ExpectedResult" => "ServerFail"
289         },
290     },
291     {
292         name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
293         server => $server_tls_1_3,
294         client => {
295             "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
296             "RequestCAFile" => test_pem("root-cert.pem"),
297         },
298         test   => {
299             "ExpectedServerCertType" => "P-256",
300             "ExpectedServerSignHash" => "SHA256",
301             "ExpectedServerSignType" => "EC",
302             "ExpectedServerCANames" => test_pem("root-cert.pem"),
303             "ExpectedResult" => "Success"
304         },
305     },
306     {
307         name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
308         server => $server_tls_1_3,
309         client => {
310             "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
311         },
312         test   => {
313             "ExpectedServerCertType" => "RSA",
314             "ExpectedServerSignHash" => "SHA384",
315             "ExpectedServerSignType" => "RSA-PSS",
316             "ExpectedResult" => "Success"
317         },
318     },
319     {
320         name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
321         server => {
322             "MinProtocol" => "TLSv1.3",
323             "MaxProtocol" => "TLSv1.3"
324         },
325         client => {
326             "SignatureAlgorithms" => "ECDSA+SHA256",
327         },
328         test   => {
329             "ExpectedResult" => "ServerFail"
330         },
331     },
332     {
333         name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
334         server => $server_tls_1_3,
335         client => {
336             "SignatureAlgorithms" => "RSA+SHA256",
337         },
338         test   => {
339             "ExpectedResult" => "ServerFail"
340         },
341     },
342     {
343         name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
344         server => $server_tls_1_3,
345         client => {
346             "SignatureAlgorithms" => "RSA-PSS+SHA256",
347         },
348         test   => {
349             "ExpectedServerCertType" => "RSA",
350             "ExpectedServerSignHash" => "SHA256",
351             "ExpectedServerSignType" => "RSA-PSS",
352             "ExpectedResult" => "Success"
353         },
354     },
355     {
356         name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
357         server => $server_tls_1_3,
358         client => {
359             "SignatureAlgorithms" => "ed25519",
360         },
361         test   => {
362             "ExpectedServerCertType" => "Ed25519",
363             "ExpectedServerSignType" => "Ed25519",
364             "ExpectedResult" => "Success"
365         },
366     },
367     {
368         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
369         server => {
370             "ClientSignatureAlgorithms" => "PSS+SHA256",
371             "VerifyCAFile" => test_pem("root-cert.pem"),
372             "VerifyMode" => "Require"
373         },
374         client => $client_tls_1_3,
375         test   => {
376             "ExpectedClientCertType" => "RSA",
377             "ExpectedClientSignHash" => "SHA256",
378             "ExpectedClientSignType" => "RSA-PSS",
379             "ExpectedClientCANames" => "empty",
380             "ExpectedResult" => "Success"
381         },
382     },
383     {
384         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
385         server => {
386             "ClientSignatureAlgorithms" => "PSS+SHA256",
387             "VerifyCAFile" => test_pem("root-cert.pem"),
388             "RequestCAFile" => test_pem("root-cert.pem"),
389             "VerifyMode" => "Require"
390         },
391         client => $client_tls_1_3,
392         test   => {
393             "ExpectedClientCertType" => "RSA",
394             "ExpectedClientSignHash" => "SHA256",
395             "ExpectedClientSignType" => "RSA-PSS",
396             "ExpectedClientCANames" => test_pem("root-cert.pem"),
397             "ExpectedResult" => "Success"
398         },
399     },
400     {
401         name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
402         server => {
403             "ClientSignatureAlgorithms" => "ECDSA+SHA256",
404             "VerifyCAFile" => test_pem("root-cert.pem"),
405             "VerifyMode" => "Require"
406         },
407         client => $client_tls_1_3,
408         test   => {
409             "ExpectedClientCertType" => "P-256",
410             "ExpectedClientSignHash" => "SHA256",
411             "ExpectedClientSignType" => "EC",
412             "ExpectedResult" => "Success"
413         },
414     },
415     {
416         name => "TLS 1.3 Ed25519 Client Auth",
417         server => {
418             "VerifyCAFile" => test_pem("root-cert.pem"),
419             "VerifyMode" => "Require"
420         },
421         client => {
422             "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
423             "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
424             "MinProtocol" => "TLSv1.3",
425             "MaxProtocol" => "TLSv1.3"
426         },
427         test   => {
428             "ExpectedClientCertType" => "Ed25519",
429             "ExpectedClientSignType" => "Ed25519",
430             "ExpectedResult" => "Success"
431         },
432     },
433     {
434         name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
435         server => {
436             "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
437             "VerifyCAFile" => test_pem("root-cert.pem"),
438             "VerifyMode" => "Request"
439         },
440         client => {},
441         test   => {
442             "ExpectedResult" => "ServerFail"
443         },
444     },
445 );
446
447 push @tests, @tests_tls_1_3 unless disabled("tls1_3");
448
449 my @tests_dsa_tls_1_2 = (
450     {
451         name => "TLS 1.2 DSA Certificate Test",
452         server => {
453             "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
454             "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
455             "DHParameters" => test_pem("dhp2048.pem"),
456             "MinProtocol" => "TLSv1.2",
457             "MaxProtocol" => "TLSv1.2",
458             "CipherString" => "ALL",
459         },
460         client => {
461             "SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
462             "CipherString" => "ALL",
463         },
464         test   => {
465             "ExpectedResult" => "Success"
466         },
467     },
468 );
469
470 my @tests_dsa_tls_1_3 = (
471     {
472         name => "TLS 1.3 DSA Certificate Test",
473         server => {
474             "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
475             "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
476             "MinProtocol" => "TLSv1.3",
477             "MaxProtocol" => "TLSv1.3",
478             "CipherString" => "ALL",
479         },
480         client => {
481             "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256:ECDSA+SHA256",
482             "CipherString" => "ALL",
483         },
484         test   => {
485             "ExpectedResult" => "ServerFail"
486         },
487     },
488 );
489
490 if (!disabled("dsa")) {
491     push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
492     push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
493 }