1 # -*- mode: perl; -*-
2 # Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
3 #
4 # Licensed under the OpenSSL license (the "License").  You may not use
5 # this file except in compliance with the License.  You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
8
9
10 ## Test TLSv1.3 certificate authentication
11 ## Similar to the output of 04-client_auth.conf.in, but specific to
12 ## TLSv1.3 and post-handshake authentication
13
14 use strict;
15 use warnings;
16
17 package ssltests;
18 use OpenSSL::Test::Utils;
19
20 our @tests = (
       # Each entry is one handshake scenario: a `name`, the `server` and
       # `client` option sets, and the `test` expectations. Every scenario
       # sets MinProtocol and MaxProtocol to TLSv1.3 on both sides.
       #
       # Baseline: the server sets no VerifyMode and the client configures
       # no certificate; the handshake is expected to succeed.
21     {
22         name => "server-auth-TLSv1.3",
23         server => {
24             "MinProtocol" => "TLSv1.3",
25             "MaxProtocol" => "TLSv1.3",
26         },
27         client => {
28             "MinProtocol" => "TLSv1.3",
29             "MaxProtocol" => "TLSv1.3",
30         },
31         test => {
32             "ExpectedResult" => "Success",
33         },
34     },
       # VerifyMode "Request" with a client that configures no certificate:
       # the handshake is still expected to succeed, i.e. this mode does not
       # by itself enforce client authentication.
35     {
36         name => "client-auth-TLSv1.3-request",
37         server => {
38             "MinProtocol" => "TLSv1.3",
39             "MaxProtocol" => "TLSv1.3",
40             "VerifyMode" => "Request",
41         },
42         client => {
43             "MinProtocol" => "TLSv1.3",
44             "MaxProtocol" => "TLSv1.3",
45         },
46         test => {
47             "ExpectedResult" => "Success",
48         },
49     },
       # VerifyMode "Require" with a client that configures no certificate:
       # the server side is expected to fail with a HandshakeFailure alert.
50     {
51         name => "client-auth-TLSv1.3-require-fail",
52         server => {
53             "MinProtocol" => "TLSv1.3",
54             "MaxProtocol" => "TLSv1.3",
55             "VerifyCAFile" => test_pem("root-cert.pem"),
56             "VerifyMode" => "Require",
57         },
58         client => {
59             "MinProtocol" => "TLSv1.3",
60             "MaxProtocol" => "TLSv1.3",
61         },
62         test => {
63             "ExpectedResult" => "ServerFail",
64             "ExpectedServerAlert" => "HandshakeFailure",
65         },
66     },
       # The client presents ee-client-chain.pem, verified against
       # root-cert.pem. The test pins the certificate type (RSA) and the
       # signature (RSA-PSS with SHA256, matching ClientSignatureAlgorithms).
       # No ClientCAFile is set and ExpectedClientCANames is "empty".
       # NOTE(review): the name says "require" but VerifyMode is "Request",
       # so this case does not show that "Require" accepts a valid
       # certificate - confirm this is intended.
67     {
68         name => "client-auth-TLSv1.3-require",
69         server => {
70             "MinProtocol" => "TLSv1.3",
71             "MaxProtocol" => "TLSv1.3",
72             "ClientSignatureAlgorithms" => "PSS+SHA256",
73             "VerifyCAFile" => test_pem("root-cert.pem"),
74             "VerifyMode" => "Request",
75         },
76         client => {
77             "MinProtocol" => "TLSv1.3",
78             "MaxProtocol" => "TLSv1.3",
79             "Certificate" => test_pem("ee-client-chain.pem"),
80             "PrivateKey" => test_pem("ee-key.pem"),
81         },
82         test => {
83             "ExpectedResult" => "Success",
84             "ExpectedClientCertType" => "RSA",
85             "ExpectedClientSignType" => "RSA-PSS",
86             "ExpectedClientSignHash" => "SHA256",
87             "ExpectedClientCANames" => "empty"
88         },
89     },
       # Same as the previous case, but the server also sets ClientCAFile to
       # root-cert.pem and the expected CA names are taken from that file.
       # NOTE(review): VerifyMode is "Request" here too, despite "require"
       # in the name - confirm.
90     {
91         name => "client-auth-TLSv1.3-require-non-empty-names",
92         server => {
93             "MinProtocol" => "TLSv1.3",
94             "MaxProtocol" => "TLSv1.3",
95             "ClientSignatureAlgorithms" => "PSS+SHA256",
96             "ClientCAFile" => test_pem("root-cert.pem"),
97             "VerifyCAFile" => test_pem("root-cert.pem"),
98             "VerifyMode" => "Request",
99         },
100         client => {
101             "MinProtocol" => "TLSv1.3",
102             "MaxProtocol" => "TLSv1.3",
103             "Certificate" => test_pem("ee-client-chain.pem"),
104             "PrivateKey" => test_pem("ee-key.pem"),
105         },
106         test => {
107             "ExpectedResult" => "Success",
108             "ExpectedClientCertType" => "RSA",
109             "ExpectedClientSignType" => "RSA-PSS",
110             "ExpectedClientSignHash" => "SHA256",
111             "ExpectedClientCANames" => test_pem("root-cert.pem"),
112         },
113     },
        # Negative case for chain validation: the server requires a client
        # certificate but configures no VerifyCAFile. The client presents
        # its chain and the server is expected to fail with UnknownCA.
114     {
115         name => "client-auth-TLSv1.3-noroot",
116         server => {
117             "MinProtocol" => "TLSv1.3",
118             "MaxProtocol" => "TLSv1.3",
119             "VerifyMode" => "Require",
120         },
121         client => {
122             "MinProtocol" => "TLSv1.3",
123             "MaxProtocol" => "TLSv1.3",
124             "Certificate" => test_pem("ee-client-chain.pem"),
125             "PrivateKey" => test_pem("ee-key.pem"),
126         },
127         test => {
128             "ExpectedResult" => "ServerFail",
129             "ExpectedServerAlert" => "UnknownCA",
130         },
131     },
        # The cases below repeat the scenarios above with HandshakeMode
        # "PostHandshakeAuth" and the *PostHandshake verify modes.
        #
        # The client configures neither a certificate nor ForcePHA, and the
        # server side is expected to fail.
        # NOTE(review): presumably the failure is because the client never
        # offers post-handshake authentication (compare the force-client
        # case further down) - confirm against the test harness.
132     {
133         name => "client-auth-TLSv1.3-request-post-handshake",
134         server => {
135             "MinProtocol" => "TLSv1.3",
136             "MaxProtocol" => "TLSv1.3",
137             "VerifyMode" => "RequestPostHandshake",
138         },
139         client => {
140             "MinProtocol" => "TLSv1.3",
141             "MaxProtocol" => "TLSv1.3",
142         },
143         test => {
144             "ExpectedResult" => "ServerFail",
145             "HandshakeMode" => "PostHandshakeAuth",
146         },
147     },
        # "RequirePostHandshake" with a client that configures no
        # certificate: the server side is expected to fail. No specific
        # alert is pinned for this case.
148     {
149         name => "client-auth-TLSv1.3-require-fail-post-handshake",
150         server => {
151             "MinProtocol" => "TLSv1.3",
152             "MaxProtocol" => "TLSv1.3",
153             "VerifyCAFile" => test_pem("root-cert.pem"),
154             "VerifyMode" => "RequirePostHandshake",
155         },
156         client => {
157             "MinProtocol" => "TLSv1.3",
158             "MaxProtocol" => "TLSv1.3",
159         },
160         test => {
161             "ExpectedResult" => "ServerFail",
162             "HandshakeMode" => "PostHandshakeAuth",
163         },
164     },
        # Post-handshake variant of the valid-certificate case: the client
        # presents its chain and the test pins certificate type, signature
        # type and hash, with ExpectedClientCANames "empty".
        # NOTE(review): VerifyMode is "RequestPostHandshake" although the
        # name says "require" - confirm this is intended.
165     {
166         name => "client-auth-TLSv1.3-require-post-handshake",
167         server => {
168             "MinProtocol" => "TLSv1.3",
169             "MaxProtocol" => "TLSv1.3",
170             "ClientSignatureAlgorithms" => "PSS+SHA256",
171             "VerifyCAFile" => test_pem("root-cert.pem"),
172             "VerifyMode" => "RequestPostHandshake",
173         },
174         client => {
175             "MinProtocol" => "TLSv1.3",
176             "MaxProtocol" => "TLSv1.3",
177             "Certificate" => test_pem("ee-client-chain.pem"),
178             "PrivateKey" => test_pem("ee-key.pem"),
179         },
180         test => {
181             "ExpectedResult" => "Success",
182             "HandshakeMode" => "PostHandshakeAuth",
183             "ExpectedClientCertType" => "RSA",
184             "ExpectedClientSignType" => "RSA-PSS",
185             "ExpectedClientSignHash" => "SHA256",
186             "ExpectedClientCANames" => "empty"
187         },
188     },
        # As above, with ClientCAFile set so that the expected CA names come
        # from root-cert.pem.
        # NOTE(review): VerifyMode is "RequestPostHandshake" here as well,
        # despite "require" in the name - confirm.
189     {
190         name => "client-auth-TLSv1.3-require-non-empty-names-post-handshake",
191         server => {
192             "MinProtocol" => "TLSv1.3",
193             "MaxProtocol" => "TLSv1.3",
194             "ClientSignatureAlgorithms" => "PSS+SHA256",
195             "ClientCAFile" => test_pem("root-cert.pem"),
196             "VerifyCAFile" => test_pem("root-cert.pem"),
197             "VerifyMode" => "RequestPostHandshake",
198         },
199         client => {
200             "MinProtocol" => "TLSv1.3",
201             "MaxProtocol" => "TLSv1.3",
202             "Certificate" => test_pem("ee-client-chain.pem"),
203             "PrivateKey" => test_pem("ee-key.pem"),
204         },
205         test => {
206             "ExpectedResult" => "Success",
207             "HandshakeMode" => "PostHandshakeAuth",
208             "ExpectedClientCertType" => "RSA",
209             "ExpectedClientSignType" => "RSA-PSS",
210             "ExpectedClientSignHash" => "SHA256",
211             "ExpectedClientCANames" => test_pem("root-cert.pem"),
212         },
213     },
        # Post-handshake variant of the noroot case: no VerifyCAFile on the
        # server, the client presents its chain, and the server is expected
        # to fail with UnknownCA.
214     {
215         name => "client-auth-TLSv1.3-noroot-post-handshake",
216         server => {
217             "MinProtocol" => "TLSv1.3",
218             "MaxProtocol" => "TLSv1.3",
219             "VerifyMode" => "RequirePostHandshake",
220         },
221         client => {
222             "MinProtocol" => "TLSv1.3",
223             "MaxProtocol" => "TLSv1.3",
224             "Certificate" => test_pem("ee-client-chain.pem"),
225             "PrivateKey" => test_pem("ee-key.pem"),
226         },
227         test => {
228             "ExpectedResult" => "ServerFail",
229             "HandshakeMode" => "PostHandshakeAuth",
230             "ExpectedServerAlert" => "UnknownCA",
231         },
232     },
        # The last three cases vary which side sets the `extra` option
        # ForcePHA; none of them configures a client certificate. ForcePHA
        # is interpreted by the test harness, which is not shown here.
        #
        # ForcePHA on the client only: expected to succeed.
233     {
234         name => "client-auth-TLSv1.3-request-force-client-post-handshake",
235         server => {
236             "MinProtocol" => "TLSv1.3",
237             "MaxProtocol" => "TLSv1.3",
238             "VerifyMode" => "RequestPostHandshake",
239         },
240         client => {
241             "MinProtocol" => "TLSv1.3",
242             "MaxProtocol" => "TLSv1.3",
243             extra => {
244                 "ForcePHA" => "Yes",
245             },
246         },
247         test => {
248             "ExpectedResult" => "Success",
249             "HandshakeMode" => "PostHandshakeAuth",
250         },
251     },
        # ForcePHA on the server only: the client side is expected to fail.
        # NOTE(review): presumably the client rejects a post-handshake
        # request it did not offer to accept - confirm against the harness.
252     {
253         name => "client-auth-TLSv1.3-request-force-server-post-handshake",
254         server => {
255             "MinProtocol" => "TLSv1.3",
256             "MaxProtocol" => "TLSv1.3",
257             "VerifyMode" => "RequestPostHandshake",
258             extra => {
259                 "ForcePHA" => "Yes",
260             },
261         },
262         client => {
263             "MinProtocol" => "TLSv1.3",
264             "MaxProtocol" => "TLSv1.3",
265         },
266         test => {
267             "ExpectedResult" => "ClientFail",
268             "HandshakeMode" => "PostHandshakeAuth",
269         },
270     },
        # ForcePHA on both sides: expected to succeed.
271     {
272         name => "client-auth-TLSv1.3-request-force-both-post-handshake",
273         server => {
274             "MinProtocol" => "TLSv1.3",
275             "MaxProtocol" => "TLSv1.3",
276             "VerifyMode" => "RequestPostHandshake",
277             extra => {
278                 "ForcePHA" => "Yes",
279             },
280         },
281         client => {
282             "MinProtocol" => "TLSv1.3",
283             "MaxProtocol" => "TLSv1.3",
284             extra => {
285                 "ForcePHA" => "Yes",
286             },
287         },
288         test => {
289             "ExpectedResult" => "Success",
290             "HandshakeMode" => "PostHandshakeAuth",
291         },
292     },
293 );