my $server = {
"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+ "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
+ "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
"MaxProtocol" => "TLSv1.2"
};
server => $server,
client => {
"CipherString" => "aECDSA",
+ "MaxProtocol" => "TLSv1.2",
+ "RequestCAFile" => test_pem("root-cert.pem"),
},
test => {
"ExpectedServerCertType" =>, "P-256",
"ExpectedServerSignType" =>, "EC",
+ # Note: certificate_authorities not sent for TLS < 1.3
+ "ExpectedServerCANames" =>, "empty",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "Ed25519 CipherString and Signature Algorithm Selection",
+ server => $server,
+ client => {
+ "CipherString" => "aECDSA",
+ "MaxProtocol" => "TLSv1.2",
+ "SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
+ "RequestCAFile" => test_pem("root-cert.pem"),
+ },
+ test => {
+ "ExpectedServerCertType" =>, "Ed25519",
+ "ExpectedServerSignType" =>, "Ed25519",
+ # Note: certificate_authorities not sent for TLS < 1.3
+ "ExpectedServerCANames" =>, "empty",
"ExpectedResult" => "Success"
},
},
server => $server,
client => {
"CipherString" => "aRSA",
+ "MaxProtocol" => "TLSv1.2",
},
test => {
"ExpectedServerCertType" =>, "RSA",
"ExpectedResult" => "Success"
},
},
+ {
+ name => "P-256 CipherString and Signature Algorithm Selection",
+ server => $server,
+ client => {
+ "CipherString" => "aECDSA",
+ "MaxProtocol" => "TLSv1.2",
+ "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
+ },
+ test => {
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "Ed25519 CipherString and Curves Selection",
+ server => $server,
+ client => {
+ "CipherString" => "aECDSA",
+ "MaxProtocol" => "TLSv1.2",
+ "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
+ # Excluding P-256 from the supported curves list means server
+ # certificate should be Ed25519 and not P-256
+ "Curves" => "X25519"
+ },
+ test => {
+ "ExpectedServerCertType" =>, "Ed25519",
+ "ExpectedServerSignType" =>, "Ed25519",
+ "ExpectedResult" => "Success"
+ },
+ },
{
name => "ECDSA CipherString Selection, no ECDSA certificate",
server => {
"MaxProtocol" => "TLSv1.2"
},
client => {
- "CipherString" => "aECDSA"
+ "CipherString" => "aECDSA",
+ "MaxProtocol" => "TLSv1.2"
},
test => {
"ExpectedResult" => "ServerFail"
"ExpectedServerSignType" => "EC",
"ExpectedResult" => "Success"
},
- }
+ },
+ {
+ name => "TLS 1.2 Ed25519 Client Auth",
+ server => {
+ "VerifyCAFile" => test_pem("root-cert.pem"),
+ "VerifyMode" => "Require"
+ },
+ client => {
+ "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
+ "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
+ "MinProtocol" => "TLSv1.2",
+ "MaxProtocol" => "TLSv1.2"
+ },
+ test => {
+ "ExpectedClientCertType" => "Ed25519",
+ "ExpectedClientSignType" => "Ed25519",
+ "ExpectedResult" => "Success"
+ },
+ },
);
my $server_tls_1_3 = {
"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+ "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
+ "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
"MinProtocol" => "TLSv1.3",
"MaxProtocol" => "TLSv1.3"
};
"ExpectedServerCertType" => "P-256",
"ExpectedServerSignHash" => "SHA256",
"ExpectedServerSignType" => "EC",
+ "ExpectedServerCANames" => "empty",
"ExpectedResult" => "Success"
},
},
server => $server_tls_1_3,
client => {
"SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
+ "RequestCAFile" => test_pem("root-cert.pem"),
},
test => {
"ExpectedServerCertType" => "P-256",
"ExpectedServerSignHash" => "SHA256",
"ExpectedServerSignType" => "EC",
+ "ExpectedServerCANames" => test_pem("root-cert.pem"),
"ExpectedResult" => "Success"
},
},
"ExpectedResult" => "Success"
},
},
+ {
+ name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
+ server => $server_tls_1_3,
+ client => {
+ "SignatureAlgorithms" => "ed25519",
+ },
+ test => {
+ "ExpectedServerCertType" => "Ed25519",
+ "ExpectedServerSignType" => "Ed25519",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 Ed25519 CipherString and Groups Selection",
+ server => $server_tls_1_3,
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
+ # Excluding P-256 from the supported groups list should
+ # mean server still uses a P-256 certificate because supported
+ # groups is not used in signature selection for TLS 1.3
+ "Groups" => "X25519"
+ },
+ test => {
+ "ExpectedServerCertType" =>, "P-256",
+ "ExpectedServerSignType" =>, "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
{
name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
server => {
server => {
"ClientSignatureAlgorithms" => "PSS+SHA256",
"VerifyCAFile" => test_pem("root-cert.pem"),
- "ClientCAFile" => test_pem("root-cert.pem"),
+ "RequestCAFile" => test_pem("root-cert.pem"),
"VerifyMode" => "Require"
},
client => $client_tls_1_3,
},
},
{
- name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
+ name => "TLS 1.3 Ed25519 Client Auth",
server => {
- "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
"VerifyCAFile" => test_pem("root-cert.pem"),
- "VerifyMode" => "Request"
+ "VerifyMode" => "Require"
+ },
+ client => {
+ "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
+ "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
+ "MinProtocol" => "TLSv1.3",
+ "MaxProtocol" => "TLSv1.3"
},
- client => {},
test => {
- "ExpectedResult" => "ServerFail"
+ "ExpectedClientCertType" => "Ed25519",
+ "ExpectedClientSignType" => "Ed25519",
+ "ExpectedResult" => "Success"
},
},
);
);
my @tests_dsa_tls_1_3 = (
+ {
+ name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
+ server => {
+ "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
+ "VerifyCAFile" => test_pem("root-cert.pem"),
+ "VerifyMode" => "Request"
+ },
+ client => {},
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
{
name => "TLS 1.3 DSA Certificate Test",
server => {
projects / openssl.git / blobdiff