1 # -*- mode: perl; -*-
2
3 ## SSL test configurations
4
5 package ssltests;
6
7 use strict;
8 use warnings;
9
10 use OpenSSL::Test;
11 use OpenSSL::Test::Utils qw(anydisabled disabled);
setup("no_test_here");

# Protocol versions under test. undef selects version-flexible
# negotiation, which the generated test names call "flex".
my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");

# Indexed in parallel with @protocols: flexible negotiation is never
# disabled, each fixed version is skipped when the build lacks it.
my @is_disabled = (0, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2"));

# Test cases accumulated by generate_tests(); package-visible (our) so
# they can be read once this file has been loaded.
our @tests = ();
21
# Build the client-authentication test matrix for every enabled protocol
# version (plus an SCTP variant for DTLS where the build supports it)
# and append each case to @tests.
sub generate_tests() {
    for my $idx (0 .. $#protocols) {
        # @is_disabled is indexed in parallel with @protocols; a version
        # that is compiled out of this build produces no test cases.
        next if $is_disabled[$idx];

        my $protocol      = $protocols[$idx];
        my $protocol_name = $protocol || "flex";

        # Alert the server is expected to send when it cannot verify the
        # client chain for lack of a trusted root.  SSLv3 has no UnknownCA
        # alert, so BadCertificate is expected there instead.
        my $caalert = $protocol_name eq "SSLv3" ? "BadCertificate" : "UnknownCA";

        # DTLS needs an explicit method; SCTP variants are only generated
        # for DTLS, and only when the build has SCTP support.
        my $method;
        my $sctpenabled = 0;
        if ($protocol_name =~ m/^DTLS/) {
            $method = "DTLS";
            $sctpenabled = 1 unless disabled("sctp");
        }

        # Client signature details the server is expected to observe.
        # Only pinned for TLSv1.2, where ClientSignatureAlgorithms is
        # restricted; elsewhere they stay undef and are not checked.
        # TODO(TLS1.3) add TLSv1.3 versions
        my ($clihash, $clisigtype, $clisigalgs);
        if ($protocol_name eq "TLSv1.2") {
            ($clihash, $clisigtype, $clisigalgs) = ("SHA256", "RSA", "SHA256+RSA");
        }

        my $root_cert    = test_pem("root-cert.pem");
        my $client_chain = test_pem("ee-client-chain.pem");
        my $client_key   = test_pem("ee-key.pem");

        for my $sctp (0 .. $sctpenabled) {
            my $suffix = $sctp ? "-sctp" : "";

            # Both peers are pinned to exactly this protocol version.
            my %pin_version = (
                "MinProtocol" => $protocol,
                "MaxProtocol" => $protocol,
            );
            my %client_cert = (
                "Certificate" => $client_chain,
                "PrivateKey"  => $client_key,
            );
            my %test_common = (
                "Method" => $method,
                ($sctp ? ("UseSCTP" => "Yes") : ()),
            );

            # Append one test case.  $server, $client and $test carry only
            # the settings that differ from the shared ones above.
            my $add_test = sub {
                my ($name, $server, $client, $test) = @_;
                push @tests, {
                    name   => "$name$suffix",
                    server => { %pin_version, %{$server} },
                    client => { %pin_version, %{$client} },
                    test   => { %{$test}, %test_common },
                };
                return;
            };

            # Sanity-check simple handshake.
            $add_test->(
                "server-auth-${protocol_name}",
                {},
                {},
                { "ExpectedResult" => "Success" },
            );

            # Client cert requested but not required or received: the
            # handshake must still complete.
            $add_test->(
                "client-auth-${protocol_name}-request",
                { "VerifyMode" => "Request" },
                {},
                { "ExpectedResult" => "Success" },
            );

            # Client cert required but none presented: the server must
            # refuse.  A TLSv1.3-capable flexible handshake reports the
            # dedicated CertificateRequired alert, older versions
            # HandshakeFailure.
            $add_test->(
                "client-auth-${protocol_name}-require-fail",
                {
                    "VerifyCAFile" => $root_cert,
                    "VerifyMode"   => "Require",
                },
                {},
                {
                    "ExpectedResult"      => "ServerFail",
                    "ExpectedServerAlert" =>
                        ($protocol_name eq "flex" && !disabled("tls1_3"))
                            ? "CertificateRequired" : "HandshakeFailure",
                },
            );

            # Successful handshake with client authentication.  No
            # ClientCAFile is configured, so the client is expected to
            # receive an empty CA name list.
            $add_test->(
                "client-auth-${protocol_name}-require",
                {
                    "ClientSignatureAlgorithms" => $clisigalgs,
                    "VerifyCAFile"              => $root_cert,
                    "VerifyMode"                => "Request",
                },
                { %client_cert },
                {
                    "ExpectedResult"         => "Success",
                    "ExpectedClientCertType" => "RSA",
                    "ExpectedClientSignType" => $clisigtype,
                    "ExpectedClientSignHash" => $clihash,
                    "ExpectedClientCANames"  => "empty",
                },
            );

            # As above, but the server advertises the root as an
            # acceptable CA, which must show up in the CA names the
            # client receives.
            $add_test->(
                "client-auth-${protocol_name}-require-non-empty-names",
                {
                    "ClientSignatureAlgorithms" => $clisigalgs,
                    "ClientCAFile"              => $root_cert,
                    "VerifyCAFile"              => $root_cert,
                    "VerifyMode"                => "Request",
                },
                { %client_cert },
                {
                    "ExpectedResult"         => "Success",
                    "ExpectedClientCertType" => "RSA",
                    "ExpectedClientSignType" => $clisigtype,
                    "ExpectedClientSignHash" => $clihash,
                    "ExpectedClientCANames"  => $root_cert,
                },
            );

            # Client authenticates but the server has no trusted root to
            # verify the chain against.  With VerifyMode Require the
            # handshake must be refused rather than accepted unverified.
            $add_test->(
                "client-auth-${protocol_name}-noroot",
                { "VerifyMode" => "Require" },
                { %client_cert },
                {
                    "ExpectedResult"      => "ServerFail",
                    "ExpectedServerAlert" => $caalert,
                },
            );
        }
    }
    return;
}

# Populate @tests when this file is loaded.
generate_tests();