Add additional ECDSA/Ed25519 selection tests.

[openssl.git] / test / ssl-tests / 20-cert-select.conf.in

diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in
index 90bc5a23c8e3219803380ea31f6fd13a7a7457d7..1d8e059c31ad0cebac6f71a7a8081c2e87220757 100644 (file)
--- a/test/ssl-tests/20-cert-select.conf.in
+++ b/test/ssl-tests/20-cert-select.conf.in
@@ -64,6 +64,38 @@ our @tests = (
             "ExpectedResult" => "Success"
         },
     },
+    {
+        name => "P-256 CipherString and Signature Algorithm Selection",
+        server => $server,
+        client => {
+            "CipherString" => "aECDSA",
+            "MaxProtocol" => "TLSv1.2",
+            "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
+        },
+        test   => {
+            "ExpectedServerCertType" => "P-256",
+            "ExpectedServerSignHash" => "SHA256",
+            "ExpectedServerSignType" => "EC",
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
+        name => "Ed25519 CipherString and Curves Selection",
+        server => $server,
+        client => {
+            "CipherString" => "aECDSA",
+            "MaxProtocol" => "TLSv1.2",
+            "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
+            # Excluding P-256 from the supported curves list means server
+            # certificate should be Ed25519 and not P-256
+            "Curves" => "X25519"
+        },
+        test   => {
+            "ExpectedServerCertType" =>, "Ed25519",
+            "ExpectedServerSignType" =>, "Ed25519",
+            "ExpectedResult" => "Success"
+        },
+    },
     {
         name => "ECDSA CipherString Selection, no ECDSA certificate",
         server => {
@@ -364,6 +396,22 @@ my @tests_tls_1_3 = (
             "ExpectedResult" => "Success"
         },
     },
+    {
+        name => "TLS 1.3 Ed25519 CipherString and Groups Selection",
+        server => $server_tls_1_3,
+        client => {
+            "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
+            # Excluding P-256 from the supported groups list should
+            # mean server still uses a P-256 certificate because supported
+            # groups is not used in signature selection for TLS 1.3
+            "Groups" => "X25519"
+        },
+        test   => {
+            "ExpectedServerCertType" =>, "P-256",
+            "ExpectedServerSignType" =>, "EC",
+            "ExpectedResult" => "Success"
+        },
+    },
     {
         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
         server => {
@@ -430,18 +478,6 @@ my @tests_tls_1_3 = (
             "ExpectedResult" => "Success"
         },
     },
-    {
-        name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
-        server => {
-            "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
-            "VerifyCAFile" => test_pem("root-cert.pem"),
-            "VerifyMode" => "Request"
-        },
-        client => {},
-        test   => {
-            "ExpectedResult" => "ServerFail"
-        },
-    },
 );
 
 push @tests, @tests_tls_1_3 unless disabled("tls1_3");
@@ -468,6 +504,18 @@ my @tests_dsa_tls_1_2 = (
 );
 
 my @tests_dsa_tls_1_3 = (
+    {
+        name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
+        server => {
+            "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
+            "VerifyCAFile" => test_pem("root-cert.pem"),
+            "VerifyMode" => "Request"
+        },
+        client => {},
+        test   => {
+            "ExpectedResult" => "ServerFail"
+        },
+    },
     {
         name => "TLS 1.3 DSA Certificate Test",
         server => {