20-cert-select.cnf.in@ 107935

Last change on this file since 107935 was 105949, checked in by vboxsync, 5 months ago
openssl-3.1.7: Applied and adjusted our OpenSSL changes to 3.1.7. bugref:10757
File size: 32.6 KB

Line
1	# -- mode: perl; --
2
3	## SSL test configurations
4
5
6	use strict;
7	use warnings;
8
9	package ssltests;
10	use OpenSSL::Test::Utils;
11
12	our $fips_mode;
13	our $no_deflt_libctx;
14
15	my $server = {
16	"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
17	"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
18	"Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
19	"Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
20	"Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
21	"Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
22	"MaxProtocol" => "TLSv1.2"
23	};
24
25	my $server_pss = {
26	"PSS.Certificate" => test_pem("server-pss-cert.pem"),
27	"PSS.PrivateKey" => test_pem("server-pss-key.pem"),
28	"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
29	"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
30	"Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
31	"Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
32	"Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
33	"Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
34	"MaxProtocol" => "TLSv1.2"
35	};
36
37	my $server_pss_only = {
38	"Certificate" => test_pem("server-pss-cert.pem"),
39	"PrivateKey" => test_pem("server-pss-key.pem"),
40	};
41
42	my $server_pss_restrict_only = {
43	"Certificate" => test_pem("server-pss-restrict-cert.pem"),
44	"PrivateKey" => test_pem("server-pss-restrict-key.pem"),
45	};
46
47	my $server_rsa_all;
48
49	if ($no_deflt_libctx) {
50	$server_rsa_all = {
51	"Certificate" => test_pem("servercert.pem"),
52	"PrivateKey" => test_pem("serverkey.pem"),
53	};
54	} else {
55	$server_rsa_all = {
56	"PSS.Certificate" => test_pem("server-pss-cert.pem"),
57	"PSS.PrivateKey" => test_pem("server-pss-key.pem"),
58	"Certificate" => test_pem("servercert.pem"),
59	"PrivateKey" => test_pem("serverkey.pem"),
60	};
61	}
62
63	our @tests = (
64	{
65	name => "ECDSA CipherString Selection",
66	server => $server,
67	client => {
68	"CipherString" => "aECDSA",
69	"MaxProtocol" => "TLSv1.2",
70	"RequestCAFile" => test_pem("root-cert.pem"),
71	},
72	test => {
73	"ExpectedServerCertType" =>, "P-256",
74	"ExpectedServerSignType" =>, "EC",
75	# Note: certificate_authorities not sent for TLS < 1.3
76	"ExpectedServerCANames" =>, "empty",
77	"ExpectedResult" => "Success"
78	},
79	},
80	{
81	name => "ECDSA CipherString Selection",
82	server => {
83	"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
84	"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
85	"MaxProtocol" => "TLSv1.2",
86	#Deliberately set supported_groups to one not in the cert. This
87	#should be tolerated
88	"Groups" => "P-384"
89	},
90	client => {
91	"CipherString" => "aECDSA",
92	"MaxProtocol" => "TLSv1.2",
93	"Groups" => "P-256:P-384",
94	"RequestCAFile" => test_pem("root-cert.pem"),
95	},
96	test => {
97	"ExpectedServerCertType" =>, "P-256",
98	"ExpectedServerSignType" =>, "EC",
99	# Note: certificate_authorities not sent for TLS < 1.3
100	"ExpectedServerCANames" =>, "empty",
101	"ExpectedResult" => "Success"
102	},
103	},
104	{
105	name => "ECDSA CipherString Selection",
106	server => {
107	"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
108	"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
109	"MaxProtocol" => "TLSv1.2",
110	"Groups" => "P-256:P-384"
111	},
112	client => {
113	"CipherString" => "aECDSA",
114	"MaxProtocol" => "TLSv1.2",
115	#Deliberately set groups to not include the certificate group. This
116	#should fail
117	"Groups" => "P-384",
118	"RequestCAFile" => test_pem("root-cert.pem"),
119	},
120	test => {
121	"ExpectedResult" => "ServerFail"
122	},
123	},
124	{
125	name => "RSA CipherString Selection",
126	server => $server,
127	client => {
128	"CipherString" => "aRSA",
129	"MaxProtocol" => "TLSv1.2",
130	},
131	test => {
132	"ExpectedServerCertType" =>, "RSA",
133	"ExpectedServerSignType" =>, "RSA-PSS",
134	"ExpectedResult" => "Success"
135	},
136	},
137	{
138	name => "P-256 CipherString and Signature Algorithm Selection",
139	server => $server,
140	client => {
141	"CipherString" => "aECDSA",
142	"MaxProtocol" => "TLSv1.2",
143	"SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
144	},
145	test => {
146	"ExpectedServerCertType" => "P-256",
147	"ExpectedServerSignHash" => "SHA256",
148	"ExpectedServerSignType" => "EC",
149	"ExpectedResult" => "Success"
150	},
151	},
152	{
153	name => "ECDSA CipherString Selection, no ECDSA certificate",
154	server => {
155	"MaxProtocol" => "TLSv1.2"
156	},
157	client => {
158	"CipherString" => "aECDSA",
159	"MaxProtocol" => "TLSv1.2"
160	},
161	test => {
162	"ExpectedResult" => "ServerFail"
163	},
164	},
165	{
166	name => "ECDSA Signature Algorithm Selection",
167	server => $server,
168	client => {
169	"SignatureAlgorithms" => "ECDSA+SHA256",
170	},
171	test => {
172	"ExpectedServerCertType" => "P-256",
173	"ExpectedServerSignHash" => "SHA256",
174	"ExpectedServerSignType" => "EC",
175	"ExpectedResult" => "Success"
176	},
177	},
178	{
179	name => "ECDSA Signature Algorithm Selection SHA384",
180	server => $server,
181	client => {
182	"SignatureAlgorithms" => "ECDSA+SHA384",
183	},
184	test => {
185	"ExpectedServerCertType" => "P-256",
186	"ExpectedServerSignHash" => "SHA384",
187	"ExpectedServerSignType" => "EC",
188	"ExpectedResult" => "Success"
189	},
190	},
191	{
192	name => "ECDSA Signature Algorithm Selection compressed point",
193	server => {
194	"ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
195	"ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
196	"MaxProtocol" => "TLSv1.2"
197	},
198	client => {
199	"SignatureAlgorithms" => "ECDSA+SHA256",
200	},
201	test => {
202	"ExpectedServerCertType" => "P-256",
203	"ExpectedServerSignHash" => "SHA256",
204	"ExpectedServerSignType" => "EC",
205	"ExpectedResult" => "Success"
206	},
207	},
208	{
209	name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
210	server => {
211	"MaxProtocol" => "TLSv1.2"
212	},
213	client => {
214	"SignatureAlgorithms" => "ECDSA+SHA256",
215	},
216	test => {
217	"ExpectedResult" => "ServerFail"
218	},
219	},
220	{
221	name => "RSA Signature Algorithm Selection",
222	server => $server,
223	client => {
224	"SignatureAlgorithms" => "RSA+SHA256",
225	},
226	test => {
227	"ExpectedServerCertType" => "RSA",
228	"ExpectedServerSignHash" => "SHA256",
229	"ExpectedServerSignType" => "RSA",
230	"ExpectedResult" => "Success"
231	},
232	},
233	{
234	name => "RSA-PSS Signature Algorithm Selection",
235	server => $server,
236	client => {
237	"SignatureAlgorithms" => "RSA-PSS+SHA256",
238	},
239	test => {
240	"ExpectedServerCertType" => "RSA",
241	"ExpectedServerSignHash" => "SHA256",
242	"ExpectedServerSignType" => "RSA-PSS",
243	"ExpectedResult" => "Success"
244	},
245	},
246	{
247	name => "RSA key exchange with all RSA certificate types",
248	server => $server_rsa_all,
249	client => {
250	"CipherString" => "kRSA",
251	"MaxProtocol" => "TLSv1.2",
252	},
253	test => {
254	"ExpectedServerCertType" =>, "RSA",
255	"ExpectedResult" => "Success"
256	},
257	},
258	{
259	name => "Suite B P-256 Hash Algorithm Selection",
260	server => {
261	"ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
262	"ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
263	"MaxProtocol" => "TLSv1.2",
264	"CipherString" => "SUITEB128"
265	},
266	client => {
267	"VerifyCAFile" => test_pem("p384-root.pem"),
268	"SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
269	},
270	test => {
271	"ExpectedServerCertType" => "P-256",
272	"ExpectedServerSignHash" => "SHA256",
273	"ExpectedServerSignType" => "EC",
274	"ExpectedResult" => "Success"
275	},
276	},
277	{
278	name => "Suite B P-384 Hash Algorithm Selection",
279	server => {
280	"ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
281	"ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
282	"MaxProtocol" => "TLSv1.2",
283	"CipherString" => "SUITEB128"
284	},
285	client => {
286	"VerifyCAFile" => test_pem("p384-root.pem"),
287	"SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
288	},
289	test => {
290	"ExpectedServerCertType" => "P-384",
291	"ExpectedServerSignHash" => "SHA384",
292	"ExpectedServerSignType" => "EC",
293	"ExpectedResult" => "Success"
294	},
295	},
296	{
297	name => "Ed25519 CipherString and Signature Algorithm Selection",
298	server => $server,
299	client => {
300	"CipherString" => "aECDSA",
301	"MaxProtocol" => "TLSv1.2",
302	"SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
303	"RequestCAFile" => test_pem("root-cert.pem"),
304	},
305	test => {
306	"ExpectedServerCertType" =>, "Ed25519",
307	"ExpectedServerSignType" =>, "Ed25519",
308	# Note: certificate_authorities not sent for TLS < 1.3
309	"ExpectedServerCANames" =>, "empty",
310	"ExpectedResult" => "Success"
311	},
312	},
313	{
314	name => "Ed448 CipherString and Signature Algorithm Selection",
315	server => $server,
316	client => {
317	"CipherString" => "aECDSA",
318	"MaxProtocol" => "TLSv1.2",
319	"SignatureAlgorithms" => "ed448:ECDSA+SHA256",
320	"RequestCAFile" => test_pem("root-ed448-cert.pem"),
321	"VerifyCAFile" => test_pem("root-ed448-cert.pem"),
322	},
323	test => {
324	"ExpectedServerCertType" =>, "Ed448",
325	"ExpectedServerSignType" =>, "Ed448",
326	# Note: certificate_authorities not sent for TLS < 1.3
327	"ExpectedServerCANames" =>, "empty",
328	"ExpectedResult" => "Success"
329	},
330	},
331	{
332	name => "Ed25519 CipherString and Curves Selection",
333	server => $server,
334	client => {
335	"CipherString" => "aECDSA",
336	"MaxProtocol" => "TLSv1.2",
337	"SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
338	# Excluding P-256 from the supported curves list means server
339	# certificate should be Ed25519 and not P-256
340	"Curves" => "X25519"
341	},
342	test => {
343	"ExpectedServerCertType" =>, "Ed25519",
344	"ExpectedServerSignType" =>, "Ed25519",
345	"ExpectedResult" => "Success"
346	},
347	},
348	{
349	name => "Ed448 CipherString and Curves Selection",
350	server => $server,
351	client => {
352	"CipherString" => "aECDSA",
353	"MaxProtocol" => "TLSv1.2",
354	"SignatureAlgorithms" => "ECDSA+SHA256:ed448",
355	"VerifyCAFile" => test_pem("root-ed448-cert.pem"),
356	# Excluding P-256 from the supported curves list means server
357	# certificate should be Ed25519 and not P-256
358	"Curves" => "X448"
359	},
360	test => {
361	"ExpectedServerCertType" =>, "Ed448",
362	"ExpectedServerSignType" =>, "Ed448",
363	"ExpectedResult" => "Success"
364	},
365	},
366	{
367	name => "TLS 1.2 Ed25519 Client Auth",
368	server => {
369	"VerifyCAFile" => test_pem("root-cert.pem"),
370	"VerifyMode" => "Require"
371	},
372	client => {
373	"Ed25519.Certificate" => test_pem("client-ed25519-cert.pem"),
374	"Ed25519.PrivateKey" => test_pem("client-ed25519-key.pem"),
375	"MinProtocol" => "TLSv1.2",
376	"MaxProtocol" => "TLSv1.2"
377	},
378	test => {
379	"ExpectedClientCertType" => "Ed25519",
380	"ExpectedClientSignType" => "Ed25519",
381	"ExpectedResult" => "Success"
382	},
383	},
384	{
385	name => "TLS 1.2 Ed448 Client Auth",
386	server => {
387	"VerifyCAFile" => test_pem("root-cert.pem"),
388	"VerifyMode" => "Require"
389	},
390	client => {
391	"Ed448.Certificate" => test_pem("client-ed448-cert.pem"),
392	"Ed448.PrivateKey" => test_pem("client-ed448-key.pem"),
393	"MinProtocol" => "TLSv1.2",
394	"MaxProtocol" => "TLSv1.2"
395	},
396	test => {
397	"ExpectedClientCertType" => "Ed448",
398	"ExpectedClientSignType" => "Ed448",
399	"ExpectedResult" => "Success"
400	},
401	},
402	);
403
404	my @tests_non_fips = (
405	{
406	name => "ECDSA Signature Algorithm Selection SHA1",
407	server => {
408	"CipherString" => "DEFAULT:\@SECLEVEL=0",
409	"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
410	"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
411	"Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
412	"Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
413	"Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
414	"Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
415	"MaxProtocol" => "TLSv1.2"
416	},
417	client => {
418	"CipherString" => "DEFAULT:\@SECLEVEL=0",
419	"SignatureAlgorithms" => "ECDSA+SHA1",
420	},
421	test => {
422	"ExpectedServerCertType" => "P-256",
423	"ExpectedServerSignHash" => "SHA1",
424	"ExpectedServerSignType" => "EC",
425	"ExpectedResult" => "Success"
426	},
427	},
428	{
429	name => "ECDSA with brainpool",
430	server => {
431	"Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
432	"PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
433	"Groups" => "brainpoolP256r1",
434	},
435	client => {
436	"MaxProtocol" => "TLSv1.2",
437	"CipherString" => "aECDSA",
438	"RequestCAFile" => test_pem("root-cert.pem"),
439	"Groups" => "brainpoolP256r1",
440	},
441	test => {
442	"ExpectedServerCertType" =>, "brainpoolP256r1",
443	"ExpectedServerSignType" =>, "EC",
444	# Note: certificate_authorities not sent for TLS < 1.3
445	"ExpectedServerCANames" =>, "empty",
446	"ExpectedResult" => "Success"
447	},
448	},
449	);
450
451	my @tests_pss = (
452	{
453	name => "RSA-PSS Certificate CipherString Selection",
454	server => $server_pss,
455	client => {
456	"CipherString" => "aRSA",
457	"MaxProtocol" => "TLSv1.2",
458	},
459	test => {
460	"ExpectedServerCertType" =>, "RSA-PSS",
461	"ExpectedServerSignType" =>, "RSA-PSS",
462	"ExpectedResult" => "Success"
463	},
464	},
465	{
466	name => "RSA-PSS Certificate Legacy Signature Algorithm Selection",
467	server => $server_pss,
468	client => {
469	"SignatureAlgorithms" => "RSA-PSS+SHA256",
470	},
471	test => {
472	"ExpectedServerCertType" => "RSA",
473	"ExpectedServerSignHash" => "SHA256",
474	"ExpectedServerSignType" => "RSA-PSS",
475	"ExpectedResult" => "Success"
476	},
477	},
478	{
479	name => "RSA-PSS Certificate Unified Signature Algorithm Selection",
480	server => $server_pss,
481	client => {
482	"SignatureAlgorithms" => "rsa_pss_pss_sha256",
483	},
484	test => {
485	"ExpectedServerCertType" => "RSA-PSS",
486	"ExpectedServerSignHash" => "SHA256",
487	"ExpectedServerSignType" => "RSA-PSS",
488	"ExpectedResult" => "Success"
489	},
490	},
491	{
492	name => "Only RSA-PSS Certificate",
493	server => $server_pss_only,
494	client => {},
495	test => {
496	"ExpectedServerCertType" => "RSA-PSS",
497	"ExpectedServerSignHash" => "SHA256",
498	"ExpectedServerSignType" => "RSA-PSS",
499	"ExpectedResult" => "Success"
500	},
501	},
502	{
503	name => "Only RSA-PSS Certificate Valid Signature Algorithms",
504	server => $server_pss_only,
505	client => {
506	"SignatureAlgorithms" => "rsa_pss_pss_sha512",
507	},
508	test => {
509	"ExpectedServerCertType" => "RSA-PSS",
510	"ExpectedServerSignHash" => "SHA512",
511	"ExpectedServerSignType" => "RSA-PSS",
512	"ExpectedResult" => "Success"
513	},
514	},
515	{
516	name => "RSA-PSS Certificate, no PSS signature algorithms",
517	server => $server_pss_only,
518	client => {
519	"SignatureAlgorithms" => "RSA+SHA256",
520	},
521	test => {
522	"ExpectedResult" => "ServerFail"
523	},
524	},
525	{
526	name => "Only RSA-PSS Restricted Certificate",
527	server => $server_pss_restrict_only,
528	client => {},
529	test => {
530	"ExpectedServerCertType" => "RSA-PSS",
531	"ExpectedServerSignHash" => "SHA256",
532	"ExpectedServerSignType" => "RSA-PSS",
533	"ExpectedResult" => "Success"
534	},
535	},
536	{
537	name => "RSA-PSS Restricted Certificate Valid Signature Algorithms",
538	server => $server_pss_restrict_only,
539	client => {
540	"SignatureAlgorithms" => "rsa_pss_pss_sha256:rsa_pss_pss_sha512",
541	},
542	test => {
543	"ExpectedServerCertType" => "RSA-PSS",
544	"ExpectedServerSignHash" => "SHA256",
545	"ExpectedServerSignType" => "RSA-PSS",
546	"ExpectedResult" => "Success"
547	},
548	},
549	{
550	name => "RSA-PSS Restricted Cert client prefers invalid Signature Algorithm",
551	server => $server_pss_restrict_only,
552	client => {
553	"SignatureAlgorithms" => "rsa_pss_pss_sha512:rsa_pss_pss_sha256",
554	},
555	test => {
556	"ExpectedServerCertType" => "RSA-PSS",
557	"ExpectedServerSignHash" => "SHA256",
558	"ExpectedServerSignType" => "RSA-PSS",
559	"ExpectedResult" => "Success"
560	},
561	},
562	{
563	name => "RSA-PSS Restricted Certificate Invalid Signature Algorithms",
564	server => $server_pss_restrict_only,
565	client => {
566	"SignatureAlgorithms" => "rsa_pss_pss_sha512",
567	},
568	test => {
569	"ExpectedResult" => "ServerFail"
570	},
571	},
572	{
573	name => "RSA key exchange with only RSA-PSS certificate",
574	server => $server_pss_only,
575	client => {
576	"CipherString" => "kRSA",
577	"MaxProtocol" => "TLSv1.2",
578	},
579	test => {
580	"ExpectedResult" => "ServerFail"
581	},
582	},
583	);
584
585	my @tests_tls_1_1 = (
586	{
587	name => "Only RSA-PSS Certificate, TLS v1.1",
588	server => {
589	"CipherString" => "DEFAULT:\@SECLEVEL=0",
590	"Certificate" => test_pem("server-pss-cert.pem"),
591	"PrivateKey" => test_pem("server-pss-key.pem"),
592	},
593	client => {
594	"MaxProtocol" => "TLSv1.1",
595	"CipherString" => "DEFAULT:\@SECLEVEL=0",
596	},
597	test => {
598	"ExpectedResult" => "ServerFail"
599	},
600	},
601	);
602
603	push @tests, @tests_non_fips unless $fips_mode;
604	push @tests, @tests_pss;
605	push @tests, @tests_tls_1_1 unless disabled("tls1_1") \|\| $no_deflt_libctx;
606
607	my $server_tls_1_3;
608
609	if ($fips_mode) {
610	$server_tls_1_3 = {
611	"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
612	"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
613	"MinProtocol" => "TLSv1.3",
614	"MaxProtocol" => "TLSv1.3"
615	};
616	} else {
617	$server_tls_1_3 = {
618	"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
619	"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
620	"Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
621	"Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
622	"Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
623	"Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
624	"MinProtocol" => "TLSv1.3",
625	"MaxProtocol" => "TLSv1.3"
626	};
627	}
628
629	my $client_tls_1_3 = {
630	"RSA.Certificate" => test_pem("ee-client-chain.pem"),
631	"RSA.PrivateKey" => test_pem("ee-key.pem"),
632	"ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
633	"ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"),
634	"MinProtocol" => "TLSv1.3",
635	"MaxProtocol" => "TLSv1.3"
636	};
637
638	my @tests_tls_1_3 = (
639	{
640	name => "TLS 1.3 ECDSA Signature Algorithm Selection",
641	server => $server_tls_1_3,
642	client => {
643	"SignatureAlgorithms" => "ECDSA+SHA256",
644	},
645	test => {
646	"ExpectedServerCertType" => "P-256",
647	"ExpectedServerSignHash" => "SHA256",
648	"ExpectedServerSignType" => "EC",
649	"ExpectedServerCANames" => "empty",
650	"ExpectedResult" => "Success"
651	},
652	},
653	{
654	name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point",
655	server => {
656	"ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
657	"ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
658	"MinProtocol" => "TLSv1.3",
659	"MaxProtocol" => "TLSv1.3"
660	},
661	client => {
662	"SignatureAlgorithms" => "ECDSA+SHA256",
663	},
664	test => {
665	"ExpectedServerCertType" => "P-256",
666	"ExpectedServerSignHash" => "SHA256",
667	"ExpectedServerSignType" => "EC",
668	"ExpectedServerCANames" => "empty",
669	"ExpectedResult" => "Success"
670	},
671	},
672	{
673	name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1",
674	server => {
675	"CipherString" => "DEFAULT:\@SECLEVEL=0",
676	"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
677	"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
678	"Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
679	"Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
680	"Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
681	"Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
682	"MinProtocol" => "TLSv1.3",
683	"MaxProtocol" => "TLSv1.3"
684	},
685	client => {
686	"CipherString" => "DEFAULT:\@SECLEVEL=0",
687	"SignatureAlgorithms" => "ECDSA+SHA1",
688	},
689	test => {
690	"ExpectedResult" => "ServerFail"
691	},
692	},
693	{
694	name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
695	server => $server_tls_1_3,
696	client => {
697	"SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
698	"RequestCAFile" => test_pem("root-cert.pem"),
699	},
700	test => {
701	"ExpectedServerCertType" => "P-256",
702	"ExpectedServerSignHash" => "SHA256",
703	"ExpectedServerSignType" => "EC",
704	"ExpectedServerCANames" => test_pem("root-cert.pem"),
705	"ExpectedResult" => "Success"
706	},
707	},
708	{
709	name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
710	server => $server_tls_1_3,
711	client => {
712	"SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
713	},
714	test => {
715	"ExpectedServerCertType" => "RSA",
716	"ExpectedServerSignHash" => "SHA384",
717	"ExpectedServerSignType" => "RSA-PSS",
718	"ExpectedResult" => "Success"
719	},
720	},
721	{
722	name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
723	server => {
724	"MinProtocol" => "TLSv1.3",
725	"MaxProtocol" => "TLSv1.3"
726	},
727	client => {
728	"SignatureAlgorithms" => "ECDSA+SHA256",
729	},
730	test => {
731	"ExpectedResult" => "ServerFail"
732	},
733	},
734	{
735	name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
736	server => $server_tls_1_3,
737	client => {
738	"SignatureAlgorithms" => "RSA+SHA256",
739	},
740	test => {
741	"ExpectedResult" => "ServerFail"
742	},
743	},
744	{
745	name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
746	server => $server_tls_1_3,
747	client => {
748	"SignatureAlgorithms" => "RSA-PSS+SHA256",
749	},
750	test => {
751	"ExpectedServerCertType" => "RSA",
752	"ExpectedServerSignHash" => "SHA256",
753	"ExpectedServerSignType" => "RSA-PSS",
754	"ExpectedResult" => "Success"
755	},
756	},
757	{
758	name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
759	server => {
760	"ClientSignatureAlgorithms" => "PSS+SHA256",
761	"VerifyCAFile" => test_pem("root-cert.pem"),
762	"VerifyMode" => "Require"
763	},
764	client => $client_tls_1_3,
765	test => {
766	"ExpectedClientCertType" => "RSA",
767	"ExpectedClientSignHash" => "SHA256",
768	"ExpectedClientSignType" => "RSA-PSS",
769	"ExpectedClientCANames" => "empty",
770	"ExpectedResult" => "Success"
771	},
772	},
773	{
774	name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
775	server => {
776	"ClientSignatureAlgorithms" => "PSS+SHA256",
777	"VerifyCAFile" => test_pem("root-cert.pem"),
778	"RequestCAFile" => test_pem("root-cert.pem"),
779	"VerifyMode" => "Require"
780	},
781	client => $client_tls_1_3,
782	test => {
783	"ExpectedClientCertType" => "RSA",
784	"ExpectedClientSignHash" => "SHA256",
785	"ExpectedClientSignType" => "RSA-PSS",
786	"ExpectedClientCANames" => test_pem("root-cert.pem"),
787	"ExpectedResult" => "Success"
788	},
789	},
790	{
791	name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
792	server => {
793	"ClientSignatureAlgorithms" => "ECDSA+SHA256",
794	"VerifyCAFile" => test_pem("root-cert.pem"),
795	"VerifyMode" => "Require"
796	},
797	client => $client_tls_1_3,
798	test => {
799	"ExpectedClientCertType" => "P-256",
800	"ExpectedClientSignHash" => "SHA256",
801	"ExpectedClientSignType" => "EC",
802	"ExpectedResult" => "Success"
803	},
804	},
805	);
806
807	my @tests_tls_1_3_non_fips = (
808	{
809	name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
810	server => $server_tls_1_3,
811	client => {
812	"SignatureAlgorithms" => "ed25519",
813	},
814	test => {
815	"ExpectedServerCertType" => "Ed25519",
816	"ExpectedServerSignType" => "Ed25519",
817	"ExpectedResult" => "Success"
818	},
819	},
820	{
821	name => "TLS 1.3 Ed448 Signature Algorithm Selection",
822	server => $server_tls_1_3,
823	client => {
824	"SignatureAlgorithms" => "ed448",
825	"VerifyCAFile" => test_pem("root-ed448-cert.pem"),
826	},
827	test => {
828	"ExpectedServerCertType" => "Ed448",
829	"ExpectedServerSignType" => "Ed448",
830	"ExpectedResult" => "Success"
831	},
832	},
833	{
834	name => "TLS 1.3 Ed25519 CipherString and Groups Selection",
835	server => $server_tls_1_3,
836	client => {
837	"SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
838	# Excluding P-256 from the supported groups list should
839	# mean server still uses a P-256 certificate because supported
840	# groups is not used in signature selection for TLS 1.3
841	"Groups" => "X25519"
842	},
843	test => {
844	"ExpectedServerCertType" =>, "P-256",
845	"ExpectedServerSignType" =>, "EC",
846	"ExpectedResult" => "Success"
847	},
848	},
849	{
850	name => "TLS 1.3 Ed448 CipherString and Groups Selection",
851	server => $server_tls_1_3,
852	client => {
853	"SignatureAlgorithms" => "ECDSA+SHA256:ed448",
854	# Excluding P-256 from the supported groups list should
855	# mean server still uses a P-256 certificate because supported
856	# groups is not used in signature selection for TLS 1.3
857	"Groups" => "X448"
858	},
859	test => {
860	"ExpectedServerCertType" =>, "P-256",
861	"ExpectedServerSignType" =>, "EC",
862	"ExpectedResult" => "Success"
863	},
864	},
865	{
866	name => "TLS 1.3 Ed25519 Client Auth",
867	server => {
868	"VerifyCAFile" => test_pem("root-cert.pem"),
869	"VerifyMode" => "Require"
870	},
871	client => {
872	"EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
873	"EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
874	"MinProtocol" => "TLSv1.3",
875	"MaxProtocol" => "TLSv1.3"
876	},
877	test => {
878	"ExpectedClientCertType" => "Ed25519",
879	"ExpectedClientSignType" => "Ed25519",
880	"ExpectedResult" => "Success"
881	},
882	},
883	{
884	name => "TLS 1.3 Ed448 Client Auth",
885	server => {
886	"VerifyCAFile" => test_pem("root-cert.pem"),
887	"VerifyMode" => "Require"
888	},
889	client => {
890	"EdDSA.Certificate" => test_pem("client-ed448-cert.pem"),
891	"EdDSA.PrivateKey" => test_pem("client-ed448-key.pem"),
892	"MinProtocol" => "TLSv1.3",
893	"MaxProtocol" => "TLSv1.3"
894	},
895	test => {
896	"ExpectedClientCertType" => "Ed448",
897	"ExpectedClientSignType" => "Ed448",
898	"ExpectedResult" => "Success"
899	},
900	},
901	{
902	name => "TLS 1.3 ECDSA with brainpool but no suitable groups",
903	server => {
904	"Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
905	"PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
906	"Groups" => "brainpoolP256r1",
907	},
908	client => {
909	"CipherString" => "aECDSA",
910	"RequestCAFile" => test_pem("root-cert.pem"),
911	"Groups" => "brainpoolP256r1",
912	},
913	test => {
914	#We only configured brainpoolP256r1 on the client side, but TLSv1.3
915	#is enabled and this group is not allowed in TLSv1.3. Therefore this
916	#should fail
917	"ExpectedResult" => "ClientFail"
918	},
919	},
920	{
921	name => "TLS 1.3 ECDSA with brainpool",
922	server => {
923	"Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
924	"PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
925	},
926	client => {
927	"RequestCAFile" => test_pem("root-cert.pem"),
928	"MinProtocol" => "TLSv1.3",
929	"MaxProtocol" => "TLSv1.3"
930	},
931	test => {
932	"ExpectedResult" => "ServerFail"
933	},
934	},
935	);
936
937	push @tests, @tests_tls_1_3 unless disabled("tls1_3");
938	push @tests, @tests_tls_1_3_non_fips unless disabled("tls1_3") \|\| $fips_mode;
939
940	my @tests_dsa_tls_1_2 = (
941	{
942	name => "TLS 1.2 DSA Certificate Test",
943	server => {
944	"DSA.Certificate" => test_pem("server-dsa-cert.pem"),
945	"DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
946	"DHParameters" => test_pem("dhp2048.pem"),
947	"MinProtocol" => "TLSv1.2",
948	"MaxProtocol" => "TLSv1.2",
949	"CipherString" => "ALL",
950	},
951	client => {
952	"SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
953	"CipherString" => "ALL",
954	},
955	test => {
956	"ExpectedResult" => "Success"
957	},
958	},
959	);
960
961	my @tests_dsa_tls_1_3 = (
962	{
963	name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
964	server => {
965	"ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
966	"VerifyCAFile" => test_pem("root-cert.pem"),
967	"VerifyMode" => "Request"
968	},
969	client => {},
970	test => {
971	"ExpectedResult" => "ServerFail"
972	},
973	},
974	{
975	name => "TLS 1.3 DSA Certificate Test",
976	server => {
977	"DSA.Certificate" => test_pem("server-dsa-cert.pem"),
978	"DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
979	"MinProtocol" => "TLSv1.3",
980	"MaxProtocol" => "TLSv1.3",
981	"CipherString" => "ALL",
982	},
983	client => {
984	"SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256:ECDSA+SHA256",
985	"CipherString" => "ALL",
986	},
987	test => {
988	"ExpectedResult" => "ServerFail"
989	},
990	},
991	);
992
993	if (!disabled("dsa")) {
994	push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
995	push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
996	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format