From: Dr. Stephen Henson Date: Thu, 14 Sep 2017 14:23:25 +0000 (+0100) Subject: Add RSA-PSS certificate type TLS tests X-Git-Tag: OpenSSL_1_1_1-pre1~643 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=800c4883d0a0e98fa511ee166bd0c6fbfb4baf22 Add RSA-PSS certificate type TLS tests Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/4368) --- diff --git a/test/ssl-tests/20-cert-select.conf b/test/ssl-tests/20-cert-select.conf index 47d2131513..b2aab95383 100644 --- a/test/ssl-tests/20-cert-select.conf +++ b/test/ssl-tests/20-cert-select.conf @@ -1,24 +1,29 @@ # Generated with generate_ssl_tests.pl -num_tests = 17 +num_tests = 22 test-0 = 0-ECDSA CipherString Selection test-1 = 1-Ed25519 CipherString and Signature Algorithm Selection test-2 = 2-RSA CipherString Selection -test-3 = 3-P-256 CipherString and Signature Algorithm Selection -test-4 = 4-Ed25519 CipherString and Curves Selection -test-5 = 5-ECDSA CipherString Selection, no ECDSA certificate -test-6 = 6-ECDSA Signature Algorithm Selection -test-7 = 7-ECDSA Signature Algorithm Selection SHA384 -test-8 = 8-ECDSA Signature Algorithm Selection SHA1 -test-9 = 9-ECDSA Signature Algorithm Selection compressed point -test-10 = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate -test-11 = 11-RSA Signature Algorithm Selection -test-12 = 12-RSA-PSS Signature Algorithm Selection -test-13 = 13-Suite B P-256 Hash Algorithm Selection -test-14 = 14-Suite B P-384 Hash Algorithm Selection -test-15 = 15-TLS 1.2 Ed25519 Client Auth -test-16 = 16-TLS 1.2 DSA Certificate Test +test-3 = 3-RSA-PSS Certificate CipherString Selection +test-4 = 4-P-256 CipherString and Signature Algorithm Selection +test-5 = 5-Ed25519 CipherString and Curves Selection +test-6 = 6-ECDSA CipherString Selection, no ECDSA certificate +test-7 = 7-ECDSA Signature Algorithm Selection +test-8 = 8-ECDSA Signature Algorithm Selection SHA384 +test-9 = 9-ECDSA Signature Algorithm Selection SHA1 +test-10 = 10-ECDSA Signature Algorithm Selection compressed point +test-11 = 11-ECDSA Signature Algorithm Selection, no ECDSA certificate +test-12 = 12-RSA Signature Algorithm Selection +test-13 = 13-RSA-PSS Signature Algorithm Selection +test-14 = 14-RSA-PSS Certificate Signature Algorithm Selection +test-15 = 15-Only RSA-PSS Certificate +test-16 = 16-RSA-PSS Certificate, no PSS signature algorithms +test-17 = 17-Only RSA-PSS Certificate, TLS v1.1 +test-18 = 18-Suite B P-256 Hash Algorithm Selection +test-19 = 19-Suite B P-384 Hash Algorithm Selection +test-20 = 20-TLS 1.2 Ed25519 Client Auth +test-21 = 21-TLS 1.2 DSA Certificate Test # =========================================================== [0-ECDSA CipherString Selection] @@ -119,14 +124,14 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[3-P-256 CipherString and Signature Algorithm Selection] -ssl_conf = 3-P-256 CipherString and Signature Algorithm Selection-ssl +[3-RSA-PSS Certificate CipherString Selection] +ssl_conf = 3-RSA-PSS Certificate CipherString Selection-ssl -[3-P-256 CipherString and Signature Algorithm Selection-ssl] -server = 3-P-256 CipherString and Signature Algorithm Selection-server -client = 3-P-256 CipherString and Signature Algorithm Selection-client +[3-RSA-PSS Certificate CipherString Selection-ssl] +server = 3-RSA-PSS Certificate CipherString Selection-server +client = 3-RSA-PSS Certificate CipherString Selection-client -[3-P-256 CipherString and Signature Algorithm Selection-server] +[3-RSA-PSS Certificate CipherString Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -134,16 +139,49 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem MaxProtocol = TLSv1.2 +PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem +PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[3-P-256 CipherString and Signature Algorithm Selection-client] +[3-RSA-PSS Certificate CipherString Selection-client] +CipherString = aRSA +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-3] +ExpectedResult = Success +ExpectedServerCertType = RSA-PSS +ExpectedServerSignType = RSA-PSS + + +# =========================================================== + +[4-P-256 CipherString and Signature Algorithm Selection] +ssl_conf = 4-P-256 CipherString and Signature Algorithm Selection-ssl + +[4-P-256 CipherString and Signature Algorithm Selection-ssl] +server = 4-P-256 CipherString and Signature Algorithm Selection-server +client = 4-P-256 CipherString and Signature Algorithm Selection-client + +[4-P-256 CipherString and Signature Algorithm Selection-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[4-P-256 CipherString and Signature Algorithm Selection-client] CipherString = aECDSA MaxProtocol = TLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ed25519 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-3] +[test-4] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA256 @@ -152,14 +190,14 @@ ExpectedServerSignType = EC # =========================================================== -[4-Ed25519 CipherString and Curves Selection] -ssl_conf = 4-Ed25519 CipherString and Curves Selection-ssl +[5-Ed25519 CipherString and Curves Selection] +ssl_conf = 5-Ed25519 CipherString and Curves Selection-ssl -[4-Ed25519 CipherString and Curves Selection-ssl] -server = 4-Ed25519 CipherString and Curves Selection-server -client = 4-Ed25519 CipherString and Curves Selection-client +[5-Ed25519 CipherString and Curves Selection-ssl] +server = 5-Ed25519 CipherString and Curves Selection-server +client = 5-Ed25519 CipherString and Curves Selection-client -[4-Ed25519 CipherString and Curves Selection-server] +[5-Ed25519 CipherString and Curves Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -169,7 +207,7 @@ EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[4-Ed25519 CipherString and Curves Selection-client] +[5-Ed25519 CipherString and Curves Selection-client] CipherString = aECDSA Curves = X25519 MaxProtocol = TLSv1.2 @@ -177,7 +215,7 @@ SignatureAlgorithms = ECDSA+SHA256:ed25519 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-4] +[test-5] ExpectedResult = Success ExpectedServerCertType = Ed25519 ExpectedServerSignType = Ed25519 @@ -185,39 +223,39 @@ ExpectedServerSignType = Ed25519 # =========================================================== -[5-ECDSA CipherString Selection, no ECDSA certificate] -ssl_conf = 5-ECDSA CipherString Selection, no ECDSA certificate-ssl +[6-ECDSA CipherString Selection, no ECDSA certificate] +ssl_conf = 6-ECDSA CipherString Selection, no ECDSA certificate-ssl -[5-ECDSA CipherString Selection, no ECDSA certificate-ssl] -server = 5-ECDSA CipherString Selection, no ECDSA certificate-server -client = 5-ECDSA CipherString Selection, no ECDSA certificate-client +[6-ECDSA CipherString Selection, no ECDSA certificate-ssl] +server = 6-ECDSA CipherString Selection, no ECDSA certificate-server +client = 6-ECDSA CipherString Selection, no ECDSA certificate-client -[5-ECDSA CipherString Selection, no ECDSA certificate-server] +[6-ECDSA CipherString Selection, no ECDSA certificate-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[5-ECDSA CipherString Selection, no ECDSA certificate-client] +[6-ECDSA CipherString Selection, no ECDSA certificate-client] CipherString = aECDSA MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-5] +[test-6] ExpectedResult = ServerFail # =========================================================== -[6-ECDSA Signature Algorithm Selection] -ssl_conf = 6-ECDSA Signature Algorithm Selection-ssl +[7-ECDSA Signature Algorithm Selection] +ssl_conf = 7-ECDSA Signature Algorithm Selection-ssl -[6-ECDSA Signature Algorithm Selection-ssl] -server = 6-ECDSA Signature Algorithm Selection-server -client = 6-ECDSA Signature Algorithm Selection-client +[7-ECDSA Signature Algorithm Selection-ssl] +server = 7-ECDSA Signature Algorithm Selection-server +client = 7-ECDSA Signature Algorithm Selection-client -[6-ECDSA Signature Algorithm Selection-server] +[7-ECDSA Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -227,13 +265,13 @@ EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[6-ECDSA Signature Algorithm Selection-client] +[7-ECDSA Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-6] +[test-7] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA256 @@ -242,14 +280,14 @@ ExpectedServerSignType = EC # =========================================================== -[7-ECDSA Signature Algorithm Selection SHA384] -ssl_conf = 7-ECDSA Signature Algorithm Selection SHA384-ssl +[8-ECDSA Signature Algorithm Selection SHA384] +ssl_conf = 8-ECDSA Signature Algorithm Selection SHA384-ssl -[7-ECDSA Signature Algorithm Selection SHA384-ssl] -server = 7-ECDSA Signature Algorithm Selection SHA384-server -client = 7-ECDSA Signature Algorithm Selection SHA384-client +[8-ECDSA Signature Algorithm Selection SHA384-ssl] +server = 8-ECDSA Signature Algorithm Selection SHA384-server +client = 8-ECDSA Signature Algorithm Selection SHA384-client -[7-ECDSA Signature Algorithm Selection SHA384-server] +[8-ECDSA Signature Algorithm Selection SHA384-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -259,13 +297,13 @@ EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[7-ECDSA Signature Algorithm Selection SHA384-client] +[8-ECDSA Signature Algorithm Selection SHA384-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA384 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-7] +[test-8] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA384 @@ -274,14 +312,14 @@ ExpectedServerSignType = EC # =========================================================== -[8-ECDSA Signature Algorithm Selection SHA1] -ssl_conf = 8-ECDSA Signature Algorithm Selection SHA1-ssl +[9-ECDSA Signature Algorithm Selection SHA1] +ssl_conf = 9-ECDSA Signature Algorithm Selection SHA1-ssl -[8-ECDSA Signature Algorithm Selection SHA1-ssl] -server = 8-ECDSA Signature Algorithm Selection SHA1-server -client = 8-ECDSA Signature Algorithm Selection SHA1-client +[9-ECDSA Signature Algorithm Selection SHA1-ssl] +server = 9-ECDSA Signature Algorithm Selection SHA1-server +client = 9-ECDSA Signature Algorithm Selection SHA1-client -[8-ECDSA Signature Algorithm Selection SHA1-server] +[9-ECDSA Signature Algorithm Selection SHA1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -291,13 +329,13 @@ EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[8-ECDSA Signature Algorithm Selection SHA1-client] +[9-ECDSA Signature Algorithm Selection SHA1-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-8] +[test-9] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA1 @@ -306,14 +344,14 @@ ExpectedServerSignType = EC # =========================================================== -[9-ECDSA Signature Algorithm Selection compressed point] -ssl_conf = 9-ECDSA Signature Algorithm Selection compressed point-ssl +[10-ECDSA Signature Algorithm Selection compressed point] +ssl_conf = 10-ECDSA Signature Algorithm Selection compressed point-ssl -[9-ECDSA Signature Algorithm Selection compressed point-ssl] -server = 9-ECDSA Signature Algorithm Selection compressed point-server -client = 9-ECDSA Signature Algorithm Selection compressed point-client +[10-ECDSA Signature Algorithm Selection compressed point-ssl] +server = 10-ECDSA Signature Algorithm Selection compressed point-server +client = 10-ECDSA Signature Algorithm Selection compressed point-client -[9-ECDSA Signature Algorithm Selection compressed point-server] +[10-ECDSA Signature Algorithm Selection compressed point-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-cecdsa-cert.pem @@ -321,13 +359,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-cecdsa-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[9-ECDSA Signature Algorithm Selection compressed point-client] +[10-ECDSA Signature Algorithm Selection compressed point-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-9] +[test-10] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA256 @@ -336,39 +374,39 @@ ExpectedServerSignType = EC # =========================================================== -[10-ECDSA Signature Algorithm Selection, no ECDSA certificate] -ssl_conf = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl +[11-ECDSA Signature Algorithm Selection, no ECDSA certificate] +ssl_conf = 11-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl -[10-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] -server = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate-server -client = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate-client +[11-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] +server = 11-ECDSA Signature Algorithm Selection, no ECDSA certificate-server +client = 11-ECDSA Signature Algorithm Selection, no ECDSA certificate-client -[10-ECDSA Signature Algorithm Selection, no ECDSA certificate-server] +[11-ECDSA Signature Algorithm Selection, no ECDSA certificate-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[10-ECDSA Signature Algorithm Selection, no ECDSA certificate-client] +[11-ECDSA Signature Algorithm Selection, no ECDSA certificate-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-10] +[test-11] ExpectedResult = ServerFail # =========================================================== -[11-RSA Signature Algorithm Selection] -ssl_conf = 11-RSA Signature Algorithm Selection-ssl +[12-RSA Signature Algorithm Selection] +ssl_conf = 12-RSA Signature Algorithm Selection-ssl -[11-RSA Signature Algorithm Selection-ssl] -server = 11-RSA Signature Algorithm Selection-server -client = 11-RSA Signature Algorithm Selection-client +[12-RSA Signature Algorithm Selection-ssl] +server = 12-RSA Signature Algorithm Selection-server +client = 12-RSA Signature Algorithm Selection-client -[11-RSA Signature Algorithm Selection-server] +[12-RSA Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -378,13 +416,13 @@ EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[11-RSA Signature Algorithm Selection-client] +[12-RSA Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = RSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-11] +[test-12] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA256 @@ -393,14 +431,14 @@ ExpectedServerSignType = RSA # =========================================================== -[12-RSA-PSS Signature Algorithm Selection] -ssl_conf = 12-RSA-PSS Signature Algorithm Selection-ssl +[13-RSA-PSS Signature Algorithm Selection] +ssl_conf = 13-RSA-PSS Signature Algorithm Selection-ssl -[12-RSA-PSS Signature Algorithm Selection-ssl] -server = 12-RSA-PSS Signature Algorithm Selection-server -client = 12-RSA-PSS Signature Algorithm Selection-client +[13-RSA-PSS Signature Algorithm Selection-ssl] +server = 13-RSA-PSS Signature Algorithm Selection-server +client = 13-RSA-PSS Signature Algorithm Selection-client -[12-RSA-PSS Signature Algorithm Selection-server] +[13-RSA-PSS Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -410,13 +448,13 @@ EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[12-RSA-PSS Signature Algorithm Selection-client] +[13-RSA-PSS Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = RSA-PSS+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-12] +[test-13] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA256 @@ -425,14 +463,122 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[13-Suite B P-256 Hash Algorithm Selection] -ssl_conf = 13-Suite B P-256 Hash Algorithm Selection-ssl +[14-RSA-PSS Certificate Signature Algorithm Selection] +ssl_conf = 14-RSA-PSS Certificate Signature Algorithm Selection-ssl -[13-Suite B P-256 Hash Algorithm Selection-ssl] -server = 13-Suite B P-256 Hash Algorithm Selection-server -client = 13-Suite B P-256 Hash Algorithm Selection-client +[14-RSA-PSS Certificate Signature Algorithm Selection-ssl] +server = 14-RSA-PSS Certificate Signature Algorithm Selection-server +client = 14-RSA-PSS Certificate Signature Algorithm Selection-client -[13-Suite B P-256 Hash Algorithm Selection-server] +[14-RSA-PSS Certificate Signature Algorithm Selection-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +MaxProtocol = TLSv1.2 +PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem +PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[14-RSA-PSS Certificate Signature Algorithm Selection-client] +CipherString = DEFAULT +SignatureAlgorithms = RSA-PSS+SHA256 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-14] +ExpectedResult = Success +ExpectedServerCertType = RSA-PSS +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = RSA-PSS + + +# =========================================================== + +[15-Only RSA-PSS Certificate] +ssl_conf = 15-Only RSA-PSS Certificate-ssl + +[15-Only RSA-PSS Certificate-ssl] +server = 15-Only RSA-PSS Certificate-server +client = 15-Only RSA-PSS Certificate-client + +[15-Only RSA-PSS Certificate-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem + +[15-Only RSA-PSS Certificate-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-15] +ExpectedResult = Success +ExpectedServerCertType = RSA-PSS +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = RSA-PSS + + +# =========================================================== + +[16-RSA-PSS Certificate, no PSS signature algorithms] +ssl_conf = 16-RSA-PSS Certificate, no PSS signature algorithms-ssl + +[16-RSA-PSS Certificate, no PSS signature algorithms-ssl] +server = 16-RSA-PSS Certificate, no PSS signature algorithms-server +client = 16-RSA-PSS Certificate, no PSS signature algorithms-client + +[16-RSA-PSS Certificate, no PSS signature algorithms-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem + +[16-RSA-PSS Certificate, no PSS signature algorithms-client] +CipherString = DEFAULT +SignatureAlgorithms = RSA+SHA256 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-16] +ExpectedResult = ServerFail + + +# =========================================================== + +[17-Only RSA-PSS Certificate, TLS v1.1] +ssl_conf = 17-Only RSA-PSS Certificate, TLS v1.1-ssl + +[17-Only RSA-PSS Certificate, TLS v1.1-ssl] +server = 17-Only RSA-PSS Certificate, TLS v1.1-server +client = 17-Only RSA-PSS Certificate, TLS v1.1-client + +[17-Only RSA-PSS Certificate, TLS v1.1-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem + +[17-Only RSA-PSS Certificate, TLS v1.1-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-17] +ExpectedResult = ServerFail + + +# =========================================================== + +[18-Suite B P-256 Hash Algorithm Selection] +ssl_conf = 18-Suite B P-256 Hash Algorithm Selection-ssl + +[18-Suite B P-256 Hash Algorithm Selection-ssl] +server = 18-Suite B P-256 Hash Algorithm Selection-server +client = 18-Suite B P-256 Hash Algorithm Selection-client + +[18-Suite B P-256 Hash Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = SUITEB128 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p256-server-cert.pem @@ -440,13 +586,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p256-server-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[13-Suite B P-256 Hash Algorithm Selection-client] +[18-Suite B P-256 Hash Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem VerifyMode = Peer -[test-13] +[test-18] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA256 @@ -455,14 +601,14 @@ ExpectedServerSignType = EC # =========================================================== -[14-Suite B P-384 Hash Algorithm Selection] -ssl_conf = 14-Suite B P-384 Hash Algorithm Selection-ssl +[19-Suite B P-384 Hash Algorithm Selection] +ssl_conf = 19-Suite B P-384 Hash Algorithm Selection-ssl -[14-Suite B P-384 Hash Algorithm Selection-ssl] -server = 14-Suite B P-384 Hash Algorithm Selection-server -client = 14-Suite B P-384 Hash Algorithm Selection-client +[19-Suite B P-384 Hash Algorithm Selection-ssl] +server = 19-Suite B P-384 Hash Algorithm Selection-server +client = 19-Suite B P-384 Hash Algorithm Selection-client -[14-Suite B P-384 Hash Algorithm Selection-server] +[19-Suite B P-384 Hash Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = SUITEB128 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem @@ -470,13 +616,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[14-Suite B P-384 Hash Algorithm Selection-client] +[19-Suite B P-384 Hash Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem VerifyMode = Peer -[test-14] +[test-19] ExpectedResult = Success ExpectedServerCertType = P-384 ExpectedServerSignHash = SHA384 @@ -485,21 +631,21 @@ ExpectedServerSignType = EC # =========================================================== -[15-TLS 1.2 Ed25519 Client Auth] -ssl_conf = 15-TLS 1.2 Ed25519 Client Auth-ssl +[20-TLS 1.2 Ed25519 Client Auth] +ssl_conf = 20-TLS 1.2 Ed25519 Client Auth-ssl -[15-TLS 1.2 Ed25519 Client Auth-ssl] -server = 15-TLS 1.2 Ed25519 Client Auth-server -client = 15-TLS 1.2 Ed25519 Client Auth-client +[20-TLS 1.2 Ed25519 Client Auth-ssl] +server = 20-TLS 1.2 Ed25519 Client Auth-server +client = 20-TLS 1.2 Ed25519 Client Auth-client -[15-TLS 1.2 Ed25519 Client Auth-server] +[20-TLS 1.2 Ed25519 Client Auth-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[15-TLS 1.2 Ed25519 Client Auth-client] +[20-TLS 1.2 Ed25519 Client Auth-client] CipherString = DEFAULT EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem @@ -508,7 +654,7 @@ MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-15] +[test-20] ExpectedClientCertType = Ed25519 ExpectedClientSignType = Ed25519 ExpectedResult = Success @@ -516,14 +662,14 @@ ExpectedResult = Success # =========================================================== -[16-TLS 1.2 DSA Certificate Test] -ssl_conf = 16-TLS 1.2 DSA Certificate Test-ssl +[21-TLS 1.2 DSA Certificate Test] +ssl_conf = 21-TLS 1.2 DSA Certificate Test-ssl -[16-TLS 1.2 DSA Certificate Test-ssl] -server = 16-TLS 1.2 DSA Certificate Test-server -client = 16-TLS 1.2 DSA Certificate Test-client +[21-TLS 1.2 DSA Certificate Test-ssl] +server = 21-TLS 1.2 DSA Certificate Test-server +client = 21-TLS 1.2 DSA Certificate Test-client -[16-TLS 1.2 DSA Certificate Test-server] +[21-TLS 1.2 DSA Certificate Test-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = ALL DHParameters = ${ENV::TEST_CERTS_DIR}/dhp2048.pem @@ -533,13 +679,13 @@ MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[16-TLS 1.2 DSA Certificate Test-client] +[21-TLS 1.2 DSA Certificate Test-client] CipherString = ALL SignatureAlgorithms = DSA+SHA256:DSA+SHA1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-16] +[test-21] ExpectedResult = Success diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in index 1d8e059c31..659586f659 100644 --- a/test/ssl-tests/20-cert-select.conf.in +++ b/test/ssl-tests/20-cert-select.conf.in @@ -17,6 +17,21 @@ my $server = { "MaxProtocol" => "TLSv1.2" }; +my $server_pss = { + "PSS.Certificate" => test_pem("server-pss-cert.pem"), + "PSS.PrivateKey" => test_pem("server-pss-key.pem"), + "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), + "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), + "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"), + "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"), + "MaxProtocol" => "TLSv1.2" +}; + +my $server_pss_only = { + "Certificate" => test_pem("server-pss-cert.pem"), + "PrivateKey" => test_pem("server-pss-key.pem"), +}; + our @tests = ( { name => "ECDSA CipherString Selection", @@ -64,6 +79,19 @@ our @tests = ( "ExpectedResult" => "Success" }, }, + { + name => "RSA-PSS Certificate CipherString Selection", + server => $server_pss, + client => { + "CipherString" => "aRSA", + "MaxProtocol" => "TLSv1.2", + }, + test => { + "ExpectedServerCertType" =>, "RSA-PSS", + "ExpectedServerSignType" =>, "RSA-PSS", + "ExpectedResult" => "Success" + }, + }, { name => "P-256 CipherString and Signature Algorithm Selection", server => $server, @@ -203,6 +231,50 @@ our @tests = ( "ExpectedResult" => "Success" }, }, + { + name => "RSA-PSS Certificate Signature Algorithm Selection", + server => $server_pss, + client => { + "SignatureAlgorithms" => "RSA-PSS+SHA256", + }, + test => { + "ExpectedServerCertType" => "RSA-PSS", + "ExpectedServerSignHash" => "SHA256", + "ExpectedServerSignType" => "RSA-PSS", + "ExpectedResult" => "Success" + }, + }, + { + name => "Only RSA-PSS Certificate", + server => $server_pss_only, + client => {}, + test => { + "ExpectedServerCertType" => "RSA-PSS", + "ExpectedServerSignHash" => "SHA256", + "ExpectedServerSignType" => "RSA-PSS", + "ExpectedResult" => "Success" + }, + }, + { + name => "RSA-PSS Certificate, no PSS signature algorithms", + server => $server_pss_only, + client => { + "SignatureAlgorithms" => "RSA+SHA256", + }, + test => { + "ExpectedResult" => "ServerFail" + }, + }, + { + name => "Only RSA-PSS Certificate, TLS v1.1", + server => $server_pss_only, + client => { + "MaxProtocol" => "TLSv1.1", + }, + test => { + "ExpectedResult" => "ServerFail" + }, + }, { name => "Suite B P-256 Hash Algorithm Selection", server => { @@ -261,7 +333,6 @@ our @tests = ( }, ); - my $server_tls_1_3 = { "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), @@ -271,6 +342,17 @@ my $server_tls_1_3 = { "MaxProtocol" => "TLSv1.3" }; +my $server_tls_1_3_pss = { + "PSS.Certificate" => test_pem("server-pss-cert.pem"), + "PSS.PrivateKey" => test_pem("server-pss-key.pem"), + "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), + "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), + "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"), + "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"), + "MinProtocol" => "TLSv1.3", + "MaxProtocol" => "TLSv1.3" +}; + my $client_tls_1_3 = { "RSA.Certificate" => test_pem("ee-client-chain.pem"), "RSA.PrivateKey" => test_pem("ee-key.pem"),