Use .cnf for config files, not .conf
1 # -*- mode: perl; -*-
2 # Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
3 #
4 # Licensed under the Apache License 2.0 (the "License").  You may not use
5 # this file except in compliance with the License.  You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
8
9
10 ## Test TLSv1.3 certificate authentication
11 ## Similar to 04-client_auth.cnf.in output, but specific for
12 ## TLSv1.3 and post-handshake authentication
13
14 use strict;
15 use warnings;
16
17 package ssltests;
18 use OpenSSL::Test::Utils;
19
# Both endpoints of every scenario are pinned to TLSv1.3, so no entry can
# reach its expected result by negotiating an older protocol version.
my %tls13_only = (
    "MinProtocol" => "TLSv1.3",
    "MaxProtocol" => "TLSv1.3",
);

# Scenario table for TLSv1.3 certificate authentication.  Each entry gives a
# name, the server and client settings, and the outcome the test expects.
# The first six entries authenticate during the handshake; the remaining
# eight set HandshakeMode to PostHandshakeAuth.
#
# NOTE(review): no entry here pairs VerifyMode "Require" or
# "RequirePostHandshake" with a client certificate that chains to the
# configured VerifyCAFile.  The mandatory modes are only exercised on their
# failure paths in this table; confirm the accepting path is covered
# elsewhere.
our @tests = (
    # Server authentication only: the server sets no VerifyMode.
    {
        name   => "server-auth-TLSv1.3",
        server => { %tls13_only },
        client => { %tls13_only },
        test   => { "ExpectedResult" => "Success" },
    },

    # Server uses VerifyMode "Request"; the client configures no certificate
    # and the handshake is still expected to succeed.
    {
        name   => "client-auth-TLSv1.3-request",
        server => { %tls13_only, "VerifyMode" => "Request" },
        client => { %tls13_only },
        test   => { "ExpectedResult" => "Success" },
    },

    # Server uses VerifyMode "Require"; the client configures no certificate.
    # Expected: the server fails and sends the CertificateRequired alert.
    {
        name   => "client-auth-TLSv1.3-require-fail",
        server => {
            %tls13_only,
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Require",
        },
        client => { %tls13_only },
        test   => {
            "ExpectedResult" => "ServerFail",
            "ExpectedServerAlert" => "CertificateRequired",
        },
    },

    # Client presents a certificate; the test checks the certificate type,
    # the signature type and hash, and that the CA names list is "empty".
    # NOTE(review): the name says "require" but VerifyMode is "Request" --
    # confirm this is intended.
    {
        name   => "client-auth-TLSv1.3-require",
        server => {
            %tls13_only,
            "ClientSignatureAlgorithms" => "PSS+SHA256",
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Request",
        },
        client => {
            %tls13_only,
            "Certificate" => test_pem("ee-client-chain.pem"),
            "PrivateKey" => test_pem("ee-key.pem"),
        },
        test   => {
            "ExpectedResult" => "Success",
            "ExpectedClientCertType" => "RSA",
            "ExpectedClientSignType" => "RSA-PSS",
            "ExpectedClientSignHash" => "SHA256",
            "ExpectedClientCANames" => "empty"
        },
    },

    # Same as the previous entry, but the server also sets ClientCAFile and
    # the expected CA names are those of root-cert.pem.
    {
        name   => "client-auth-TLSv1.3-require-non-empty-names",
        server => {
            %tls13_only,
            "ClientSignatureAlgorithms" => "PSS+SHA256",
            "ClientCAFile" => test_pem("root-cert.pem"),
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Request",
        },
        client => {
            %tls13_only,
            "Certificate" => test_pem("ee-client-chain.pem"),
            "PrivateKey" => test_pem("ee-key.pem"),
        },
        test   => {
            "ExpectedResult" => "Success",
            "ExpectedClientCertType" => "RSA",
            "ExpectedClientSignType" => "RSA-PSS",
            "ExpectedClientSignHash" => "SHA256",
            "ExpectedClientCANames" => test_pem("root-cert.pem"),
        },
    },

    # Server uses "Require" but sets no VerifyCAFile; the client presents a
    # certificate.  Expected: the server fails with the UnknownCA alert.
    {
        name   => "client-auth-TLSv1.3-noroot",
        server => { %tls13_only, "VerifyMode" => "Require" },
        client => {
            %tls13_only,
            "Certificate" => test_pem("ee-client-chain.pem"),
            "PrivateKey" => test_pem("ee-key.pem"),
        },
        test   => {
            "ExpectedResult" => "ServerFail",
            "ExpectedServerAlert" => "UnknownCA",
        },
    },

    # Post-handshake request against a client that does not set EnablePHA.
    # Expected: ServerFail (presumably because the client never offered
    # post-handshake authentication -- TODO confirm).
    {
        name   => "client-auth-TLSv1.3-request-post-handshake",
        server => { %tls13_only, "VerifyMode" => "RequestPostHandshake" },
        client => { %tls13_only },
        test   => {
            "ExpectedResult" => "ServerFail",
            "HandshakeMode" => "PostHandshakeAuth",
        },
    },

    # NOTE(review): the client here has neither a certificate nor EnablePHA,
    # and no ExpectedServerAlert is asserted (the in-handshake require-fail
    # entry asserts CertificateRequired).  As written, this entry cannot
    # tell a rejection for the missing certificate from a failure because
    # PHA was not enabled -- confirm which one is meant.
    {
        name   => "client-auth-TLSv1.3-require-fail-post-handshake",
        server => {
            %tls13_only,
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "RequirePostHandshake",
        },
        client => { %tls13_only },
        test   => {
            "ExpectedResult" => "ServerFail",
            "HandshakeMode" => "PostHandshakeAuth",
        },
    },

    # Client sets EnablePHA and presents a certificate; the same certificate
    # and signature checks as the in-handshake entry, with an "empty" CA
    # names list.
    # NOTE(review): the name says "require" but VerifyMode is
    # "RequestPostHandshake" -- confirm this is intended.
    {
        name   => "client-auth-TLSv1.3-require-post-handshake",
        server => {
            %tls13_only,
            "ClientSignatureAlgorithms" => "PSS+SHA256",
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "RequestPostHandshake",
        },
        client => {
            %tls13_only,
            "Certificate" => test_pem("ee-client-chain.pem"),
            "PrivateKey" => test_pem("ee-key.pem"),
            extra => {
                "EnablePHA" => "Yes",
            },
        },
        test   => {
            "ExpectedResult" => "Success",
            "HandshakeMode" => "PostHandshakeAuth",
            "ExpectedClientCertType" => "RSA",
            "ExpectedClientSignType" => "RSA-PSS",
            "ExpectedClientSignHash" => "SHA256",
            "ExpectedClientCANames" => "empty"
        },
    },

    # Post-handshake variant with ClientCAFile set on the server; the
    # expected CA names are those of root-cert.pem.
    {
        name   => "client-auth-TLSv1.3-require-non-empty-names-post-handshake",
        server => {
            %tls13_only,
            "ClientSignatureAlgorithms" => "PSS+SHA256",
            "ClientCAFile" => test_pem("root-cert.pem"),
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "RequestPostHandshake",
        },
        client => {
            %tls13_only,
            "Certificate" => test_pem("ee-client-chain.pem"),
            "PrivateKey" => test_pem("ee-key.pem"),
            extra => {
                "EnablePHA" => "Yes",
            },
        },
        test   => {
            "ExpectedResult" => "Success",
            "HandshakeMode" => "PostHandshakeAuth",
            "ExpectedClientCertType" => "RSA",
            "ExpectedClientSignType" => "RSA-PSS",
            "ExpectedClientSignHash" => "SHA256",
            "ExpectedClientCANames" => test_pem("root-cert.pem"),
        },
    },

    # Server uses "RequirePostHandshake" with no VerifyCAFile; the client
    # sets EnablePHA and presents a certificate.  Expected: the server fails
    # with the UnknownCA alert.
    {
        name   => "client-auth-TLSv1.3-noroot-post-handshake",
        server => { %tls13_only, "VerifyMode" => "RequirePostHandshake" },
        client => {
            %tls13_only,
            "Certificate" => test_pem("ee-client-chain.pem"),
            "PrivateKey" => test_pem("ee-key.pem"),
            extra => {
                "EnablePHA" => "Yes",
            },
        },
        test   => {
            "ExpectedResult" => "ServerFail",
            "HandshakeMode" => "PostHandshakeAuth",
            "ExpectedServerAlert" => "UnknownCA",
        },
    },

    # Only the client opts in (EnablePHA) and it configures no certificate;
    # the server merely requests one.  Expected: Success.
    {
        name   => "client-auth-TLSv1.3-request-force-client-post-handshake",
        server => { %tls13_only, "VerifyMode" => "RequestPostHandshake" },
        client => {
            %tls13_only,
            extra => {
                "EnablePHA" => "Yes",
            },
        },
        test   => {
            "ExpectedResult" => "Success",
            "HandshakeMode" => "PostHandshakeAuth",
        },
    },

    # Only the server sets ForcePHA; the client does not set EnablePHA.
    # Expected: ClientFail (presumably the client rejects a request it never
    # offered to answer -- TODO confirm).
    {
        name   => "client-auth-TLSv1.3-request-force-server-post-handshake",
        server => {
            %tls13_only,
            "VerifyMode" => "RequestPostHandshake",
            extra => {
                "ForcePHA" => "Yes",
            },
        },
        client => { %tls13_only },
        test   => {
            "ExpectedResult" => "ClientFail",
            "HandshakeMode" => "PostHandshakeAuth",
        },
    },

    # Server sets ForcePHA and the client sets EnablePHA.  Expected: Success.
    {
        name   => "client-auth-TLSv1.3-request-force-both-post-handshake",
        server => {
            %tls13_only,
            "VerifyMode" => "RequestPostHandshake",
            extra => {
                "ForcePHA" => "Yes",
            },
        },
        client => {
            %tls13_only,
            extra => {
                "EnablePHA" => "Yes",
            },
        },
        test   => {
            "ExpectedResult" => "Success",
            "HandshakeMode" => "PostHandshakeAuth",
        },
    },
);