]>
Commit | Line | Data |
---|---|---|
edb8a5eb DSH |
1 | # -*- mode: perl; -*- |
2 | ||
3 | ## SSL test configurations | |
4 | ||
edb8a5eb DSH |
5 | |
6 | use strict; | |
7 | use warnings; | |
8 | ||
53f08737 DSH |
9 | package ssltests; |
10 | use OpenSSL::Test::Utils; | |
edb8a5eb | 11 | |
edb8a5eb | 12 | my $server = { |
31b238ad DSH |
13 | "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), |
14 | "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), | |
fe93b010 MC |
15 | "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), |
16 | "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), | |
17 | "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), | |
18 | "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), | |
edb8a5eb DSH |
19 | "MaxProtocol" => "TLSv1.2" |
20 | }; | |
21 | ||
800c4883 DSH |
22 | my $server_pss = { |
23 | "PSS.Certificate" => test_pem("server-pss-cert.pem"), | |
24 | "PSS.PrivateKey" => test_pem("server-pss-key.pem"), | |
25 | "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), | |
26 | "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), | |
fe93b010 MC |
27 | "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), |
28 | "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), | |
29 | "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), | |
30 | "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), | |
800c4883 DSH |
31 | "MaxProtocol" => "TLSv1.2" |
32 | }; | |
33 | ||
34 | my $server_pss_only = { | |
35 | "Certificate" => test_pem("server-pss-cert.pem"), | |
36 | "PrivateKey" => test_pem("server-pss-key.pem"), | |
37 | }; | |
38 | ||
59d846ff MC |
39 | my $server_pss_restrict_only = { |
40 | "Certificate" => test_pem("server-pss-restrict-cert.pem"), | |
41 | "PrivateKey" => test_pem("server-pss-restrict-key.pem"), | |
42 | }; | |
43 | ||
44 | ||
b2c4909c MC |
45 | my $server_rsa_all = { |
46 | "PSS.Certificate" => test_pem("server-pss-cert.pem"), | |
47 | "PSS.PrivateKey" => test_pem("server-pss-key.pem"), | |
48 | "Certificate" => test_pem("servercert.pem"), | |
49 | "PrivateKey" => test_pem("serverkey.pem"), | |
50 | }; | |
51 | ||
edb8a5eb DSH |
52 | our @tests = ( |
53 | { | |
54 | name => "ECDSA CipherString Selection", | |
55 | server => $server, | |
56 | client => { | |
57 | "CipherString" => "aECDSA", | |
aafec89c | 58 | "MaxProtocol" => "TLSv1.2", |
25a9fabb | 59 | "RequestCAFile" => test_pem("root-cert.pem"), |
edb8a5eb DSH |
60 | }, |
61 | test => { | |
62 | "ExpectedServerCertType" =>, "P-256", | |
a92e710b | 63 | "ExpectedServerSignType" =>, "EC", |
25a9fabb DSH |
64 | # Note: certificate_authorities not sent for TLS < 1.3 |
65 | "ExpectedServerCANames" =>, "empty", | |
edb8a5eb DSH |
66 | "ExpectedResult" => "Success" |
67 | }, | |
68 | }, | |
dcf8b01f MC |
69 | { |
70 | name => "ECDSA CipherString Selection", | |
71 | server => { | |
72 | "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), | |
73 | "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), | |
74 | "MaxProtocol" => "TLSv1.2", | |
75 | #Deliberately set supported_groups to one not in the cert. This | |
76 | #should be tolerated | |
77 | "Groups" => "P-384" | |
78 | }, | |
79 | client => { | |
80 | "CipherString" => "aECDSA", | |
81 | "MaxProtocol" => "TLSv1.2", | |
82 | "Groups" => "P-256:P-384", | |
83 | "RequestCAFile" => test_pem("root-cert.pem"), | |
84 | }, | |
85 | test => { | |
86 | "ExpectedServerCertType" =>, "P-256", | |
87 | "ExpectedServerSignType" =>, "EC", | |
88 | # Note: certificate_authorities not sent for TLS < 1.3 | |
89 | "ExpectedServerCANames" =>, "empty", | |
90 | "ExpectedResult" => "Success" | |
91 | }, | |
92 | }, | |
93 | { | |
94 | name => "ECDSA CipherString Selection", | |
95 | server => { | |
96 | "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), | |
97 | "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), | |
98 | "MaxProtocol" => "TLSv1.2", | |
99 | "Groups" => "P-256:P-384" | |
100 | }, | |
101 | client => { | |
102 | "CipherString" => "aECDSA", | |
103 | "MaxProtocol" => "TLSv1.2", | |
104 | #Deliberately set groups to not include the certificate group. This | |
105 | #should fail | |
106 | "Groups" => "P-384", | |
107 | "RequestCAFile" => test_pem("root-cert.pem"), | |
108 | }, | |
109 | test => { | |
110 | "ExpectedResult" => "ServerFail" | |
111 | }, | |
112 | }, | |
fbe1af9d DSH |
113 | { |
114 | name => "Ed25519 CipherString and Signature Algorithm Selection", | |
115 | server => $server, | |
116 | client => { | |
117 | "CipherString" => "aECDSA", | |
118 | "MaxProtocol" => "TLSv1.2", | |
119 | "SignatureAlgorithms" => "ed25519:ECDSA+SHA256", | |
120 | "RequestCAFile" => test_pem("root-cert.pem"), | |
121 | }, | |
122 | test => { | |
123 | "ExpectedServerCertType" =>, "Ed25519", | |
124 | "ExpectedServerSignType" =>, "Ed25519", | |
125 | # Note: certificate_authorities not sent for TLS < 1.3 | |
126 | "ExpectedServerCANames" =>, "empty", | |
127 | "ExpectedResult" => "Success" | |
128 | }, | |
129 | }, | |
fe93b010 MC |
130 | { |
131 | name => "Ed448 CipherString and Signature Algorithm Selection", | |
132 | server => $server, | |
133 | client => { | |
134 | "CipherString" => "aECDSA", | |
135 | "MaxProtocol" => "TLSv1.2", | |
136 | "SignatureAlgorithms" => "ed448:ECDSA+SHA256", | |
137 | "RequestCAFile" => test_pem("root-cert.pem"), | |
138 | }, | |
139 | test => { | |
140 | "ExpectedServerCertType" =>, "Ed448", | |
141 | "ExpectedServerSignType" =>, "Ed448", | |
142 | # Note: certificate_authorities not sent for TLS < 1.3 | |
143 | "ExpectedServerCANames" =>, "empty", | |
144 | "ExpectedResult" => "Success" | |
145 | }, | |
146 | }, | |
7bd5405a MC |
147 | { |
148 | name => "ECDSA with brainpool", | |
149 | server => { | |
150 | "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), | |
151 | "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), | |
152 | "Groups" => "brainpoolP256r1", | |
153 | }, | |
154 | client => { | |
155 | #We don't restrict this to TLSv1.2, although use of brainpool | |
156 | #should force this anyway so that this should succeed | |
157 | "CipherString" => "aECDSA", | |
158 | "RequestCAFile" => test_pem("root-cert.pem"), | |
159 | "Groups" => "brainpoolP256r1", | |
160 | }, | |
161 | test => { | |
162 | "ExpectedServerCertType" =>, "brainpoolP256r1", | |
163 | "ExpectedServerSignType" =>, "EC", | |
164 | # Note: certificate_authorities not sent for TLS < 1.3 | |
165 | "ExpectedServerCANames" =>, "empty", | |
166 | "ExpectedResult" => "Success" | |
167 | }, | |
168 | }, | |
edb8a5eb DSH |
169 | { |
170 | name => "RSA CipherString Selection", | |
171 | server => $server, | |
172 | client => { | |
173 | "CipherString" => "aRSA", | |
aafec89c | 174 | "MaxProtocol" => "TLSv1.2", |
edb8a5eb DSH |
175 | }, |
176 | test => { | |
177 | "ExpectedServerCertType" =>, "RSA", | |
a92e710b | 178 | "ExpectedServerSignType" =>, "RSA-PSS", |
edb8a5eb DSH |
179 | "ExpectedResult" => "Success" |
180 | }, | |
181 | }, | |
800c4883 DSH |
182 | { |
183 | name => "RSA-PSS Certificate CipherString Selection", | |
184 | server => $server_pss, | |
185 | client => { | |
186 | "CipherString" => "aRSA", | |
187 | "MaxProtocol" => "TLSv1.2", | |
188 | }, | |
189 | test => { | |
190 | "ExpectedServerCertType" =>, "RSA-PSS", | |
191 | "ExpectedServerSignType" =>, "RSA-PSS", | |
192 | "ExpectedResult" => "Success" | |
193 | }, | |
194 | }, | |
50a3a1f0 DSH |
195 | { |
196 | name => "P-256 CipherString and Signature Algorithm Selection", | |
197 | server => $server, | |
198 | client => { | |
199 | "CipherString" => "aECDSA", | |
200 | "MaxProtocol" => "TLSv1.2", | |
201 | "SignatureAlgorithms" => "ECDSA+SHA256:ed25519", | |
202 | }, | |
203 | test => { | |
204 | "ExpectedServerCertType" => "P-256", | |
205 | "ExpectedServerSignHash" => "SHA256", | |
206 | "ExpectedServerSignType" => "EC", | |
207 | "ExpectedResult" => "Success" | |
208 | }, | |
209 | }, | |
210 | { | |
211 | name => "Ed25519 CipherString and Curves Selection", | |
212 | server => $server, | |
213 | client => { | |
214 | "CipherString" => "aECDSA", | |
215 | "MaxProtocol" => "TLSv1.2", | |
216 | "SignatureAlgorithms" => "ECDSA+SHA256:ed25519", | |
217 | # Excluding P-256 from the supported curves list means server | |
218 | # certificate should be Ed25519 and not P-256 | |
219 | "Curves" => "X25519" | |
220 | }, | |
221 | test => { | |
222 | "ExpectedServerCertType" =>, "Ed25519", | |
223 | "ExpectedServerSignType" =>, "Ed25519", | |
224 | "ExpectedResult" => "Success" | |
225 | }, | |
226 | }, | |
fe93b010 MC |
227 | { |
228 | name => "Ed448 CipherString and Curves Selection", | |
229 | server => $server, | |
230 | client => { | |
231 | "CipherString" => "aECDSA", | |
232 | "MaxProtocol" => "TLSv1.2", | |
233 | "SignatureAlgorithms" => "ECDSA+SHA256:ed448", | |
234 | # Excluding P-256 from the supported curves list means server | |
235 | # certificate should be Ed25519 and not P-256 | |
236 | "Curves" => "X448" | |
237 | }, | |
238 | test => { | |
239 | "ExpectedServerCertType" =>, "Ed448", | |
240 | "ExpectedServerSignType" =>, "Ed448", | |
241 | "ExpectedResult" => "Success" | |
242 | }, | |
243 | }, | |
edb8a5eb DSH |
244 | { |
245 | name => "ECDSA CipherString Selection, no ECDSA certificate", | |
0e2c7b3e DSH |
246 | server => { |
247 | "MaxProtocol" => "TLSv1.2" | |
248 | }, | |
edb8a5eb | 249 | client => { |
aafec89c MC |
250 | "CipherString" => "aECDSA", |
251 | "MaxProtocol" => "TLSv1.2" | |
edb8a5eb DSH |
252 | }, |
253 | test => { | |
254 | "ExpectedResult" => "ServerFail" | |
255 | }, | |
256 | }, | |
257 | { | |
258 | name => "ECDSA Signature Algorithm Selection", | |
259 | server => $server, | |
260 | client => { | |
261 | "SignatureAlgorithms" => "ECDSA+SHA256", | |
262 | }, | |
263 | test => { | |
062540cb DSH |
264 | "ExpectedServerCertType" => "P-256", |
265 | "ExpectedServerSignHash" => "SHA256", | |
a92e710b | 266 | "ExpectedServerSignType" => "EC", |
edb8a5eb DSH |
267 | "ExpectedResult" => "Success" |
268 | }, | |
269 | }, | |
53f08737 DSH |
270 | { |
271 | name => "ECDSA Signature Algorithm Selection SHA384", | |
272 | server => $server, | |
273 | client => { | |
274 | "SignatureAlgorithms" => "ECDSA+SHA384", | |
275 | }, | |
276 | test => { | |
277 | "ExpectedServerCertType" => "P-256", | |
278 | "ExpectedServerSignHash" => "SHA384", | |
279 | "ExpectedServerSignType" => "EC", | |
280 | "ExpectedResult" => "Success" | |
281 | }, | |
282 | }, | |
c749308f DSH |
283 | { |
284 | name => "ECDSA Signature Algorithm Selection SHA1", | |
285 | server => $server, | |
286 | client => { | |
287 | "SignatureAlgorithms" => "ECDSA+SHA1", | |
288 | }, | |
289 | test => { | |
290 | "ExpectedServerCertType" => "P-256", | |
291 | "ExpectedServerSignHash" => "SHA1", | |
292 | "ExpectedServerSignType" => "EC", | |
293 | "ExpectedResult" => "Success" | |
294 | }, | |
295 | }, | |
296 | { | |
297 | name => "ECDSA Signature Algorithm Selection compressed point", | |
298 | server => { | |
299 | "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"), | |
300 | "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"), | |
301 | "MaxProtocol" => "TLSv1.2" | |
302 | }, | |
303 | client => { | |
304 | "SignatureAlgorithms" => "ECDSA+SHA256", | |
305 | }, | |
306 | test => { | |
307 | "ExpectedServerCertType" => "P-256", | |
308 | "ExpectedServerSignHash" => "SHA256", | |
309 | "ExpectedServerSignType" => "EC", | |
310 | "ExpectedResult" => "Success" | |
311 | }, | |
312 | }, | |
edb8a5eb DSH |
313 | { |
314 | name => "ECDSA Signature Algorithm Selection, no ECDSA certificate", | |
0e2c7b3e DSH |
315 | server => { |
316 | "MaxProtocol" => "TLSv1.2" | |
317 | }, | |
edb8a5eb DSH |
318 | client => { |
319 | "SignatureAlgorithms" => "ECDSA+SHA256", | |
320 | }, | |
321 | test => { | |
322 | "ExpectedResult" => "ServerFail" | |
323 | }, | |
324 | }, | |
325 | { | |
326 | name => "RSA Signature Algorithm Selection", | |
327 | server => $server, | |
328 | client => { | |
329 | "SignatureAlgorithms" => "RSA+SHA256", | |
330 | }, | |
331 | test => { | |
062540cb DSH |
332 | "ExpectedServerCertType" => "RSA", |
333 | "ExpectedServerSignHash" => "SHA256", | |
a92e710b DSH |
334 | "ExpectedServerSignType" => "RSA", |
335 | "ExpectedResult" => "Success" | |
336 | }, | |
337 | }, | |
338 | { | |
339 | name => "RSA-PSS Signature Algorithm Selection", | |
340 | server => $server, | |
341 | client => { | |
342 | "SignatureAlgorithms" => "RSA-PSS+SHA256", | |
343 | }, | |
344 | test => { | |
345 | "ExpectedServerCertType" => "RSA", | |
346 | "ExpectedServerSignHash" => "SHA256", | |
347 | "ExpectedServerSignType" => "RSA-PSS", | |
edb8a5eb DSH |
348 | "ExpectedResult" => "Success" |
349 | }, | |
9f577cdd | 350 | }, |
800c4883 | 351 | { |
f55e99f7 | 352 | name => "RSA-PSS Certificate Legacy Signature Algorithm Selection", |
800c4883 DSH |
353 | server => $server_pss, |
354 | client => { | |
355 | "SignatureAlgorithms" => "RSA-PSS+SHA256", | |
356 | }, | |
f55e99f7 BK |
357 | test => { |
358 | "ExpectedServerCertType" => "RSA", | |
359 | "ExpectedServerSignHash" => "SHA256", | |
360 | "ExpectedServerSignType" => "RSA-PSS", | |
361 | "ExpectedResult" => "Success" | |
362 | }, | |
363 | }, | |
364 | { | |
365 | name => "RSA-PSS Certificate Unified Signature Algorithm Selection", | |
366 | server => $server_pss, | |
367 | client => { | |
368 | "SignatureAlgorithms" => "rsa_pss_pss_sha256", | |
369 | }, | |
800c4883 DSH |
370 | test => { |
371 | "ExpectedServerCertType" => "RSA-PSS", | |
372 | "ExpectedServerSignHash" => "SHA256", | |
373 | "ExpectedServerSignType" => "RSA-PSS", | |
374 | "ExpectedResult" => "Success" | |
375 | }, | |
376 | }, | |
377 | { | |
378 | name => "Only RSA-PSS Certificate", | |
379 | server => $server_pss_only, | |
380 | client => {}, | |
381 | test => { | |
382 | "ExpectedServerCertType" => "RSA-PSS", | |
383 | "ExpectedServerSignHash" => "SHA256", | |
384 | "ExpectedServerSignType" => "RSA-PSS", | |
385 | "ExpectedResult" => "Success" | |
386 | }, | |
387 | }, | |
59d846ff MC |
388 | { |
389 | name => "Only RSA-PSS Certificate Valid Signature Algorithms", | |
390 | server => $server_pss_only, | |
391 | client => { | |
392 | "SignatureAlgorithms" => "rsa_pss_pss_sha512", | |
393 | }, | |
394 | test => { | |
395 | "ExpectedServerCertType" => "RSA-PSS", | |
396 | "ExpectedServerSignHash" => "SHA512", | |
397 | "ExpectedServerSignType" => "RSA-PSS", | |
398 | "ExpectedResult" => "Success" | |
399 | }, | |
400 | }, | |
800c4883 DSH |
401 | { |
402 | name => "RSA-PSS Certificate, no PSS signature algorithms", | |
403 | server => $server_pss_only, | |
404 | client => { | |
405 | "SignatureAlgorithms" => "RSA+SHA256", | |
406 | }, | |
407 | test => { | |
408 | "ExpectedResult" => "ServerFail" | |
409 | }, | |
410 | }, | |
59d846ff MC |
411 | { |
412 | name => "Only RSA-PSS Restricted Certificate", | |
413 | server => $server_pss_restrict_only, | |
414 | client => {}, | |
415 | test => { | |
416 | "ExpectedServerCertType" => "RSA-PSS", | |
417 | "ExpectedServerSignHash" => "SHA256", | |
418 | "ExpectedServerSignType" => "RSA-PSS", | |
419 | "ExpectedResult" => "Success" | |
420 | }, | |
421 | }, | |
422 | { | |
423 | name => "RSA-PSS Restricted Certificate Valid Signature Algorithms", | |
424 | server => $server_pss_restrict_only, | |
425 | client => { | |
426 | "SignatureAlgorithms" => "rsa_pss_pss_sha256:rsa_pss_pss_sha512", | |
427 | }, | |
428 | test => { | |
429 | "ExpectedServerCertType" => "RSA-PSS", | |
430 | "ExpectedServerSignHash" => "SHA256", | |
431 | "ExpectedServerSignType" => "RSA-PSS", | |
432 | "ExpectedResult" => "Success" | |
433 | }, | |
434 | }, | |
435 | { | |
436 | name => "RSA-PSS Restricted Cert client prefers invalid Signature Algorithm", | |
437 | server => $server_pss_restrict_only, | |
438 | client => { | |
439 | "SignatureAlgorithms" => "rsa_pss_pss_sha512:rsa_pss_pss_sha256", | |
440 | }, | |
441 | test => { | |
442 | "ExpectedServerCertType" => "RSA-PSS", | |
443 | "ExpectedServerSignHash" => "SHA256", | |
444 | "ExpectedServerSignType" => "RSA-PSS", | |
445 | "ExpectedResult" => "Success" | |
446 | }, | |
447 | }, | |
448 | { | |
449 | name => "RSA-PSS Restricted Certificate Invalid Signature Algorithms", | |
450 | server => $server_pss_restrict_only, | |
451 | client => { | |
452 | "SignatureAlgorithms" => "rsa_pss_pss_sha512", | |
453 | }, | |
454 | test => { | |
455 | "ExpectedResult" => "ServerFail" | |
456 | }, | |
457 | }, | |
b2c4909c MC |
458 | { |
459 | name => "RSA key exchange with all RSA certificate types", | |
460 | server => $server_rsa_all, | |
461 | client => { | |
462 | "CipherString" => "kRSA", | |
463 | "MaxProtocol" => "TLSv1.2", | |
464 | }, | |
465 | test => { | |
466 | "ExpectedServerCertType" =>, "RSA", | |
467 | "ExpectedResult" => "Success" | |
468 | }, | |
469 | }, | |
470 | { | |
471 | name => "RSA key exchange with only RSA-PSS certificate", | |
472 | server => $server_pss_only, | |
473 | client => { | |
474 | "CipherString" => "kRSA", | |
475 | "MaxProtocol" => "TLSv1.2", | |
476 | }, | |
477 | test => { | |
478 | "ExpectedResult" => "ServerFail" | |
479 | }, | |
480 | }, | |
9f577cdd DSH |
481 | { |
482 | name => "Suite B P-256 Hash Algorithm Selection", | |
483 | server => { | |
484 | "ECDSA.Certificate" => test_pem("p256-server-cert.pem"), | |
485 | "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"), | |
486 | "MaxProtocol" => "TLSv1.2", | |
487 | "CipherString" => "SUITEB128" | |
488 | }, | |
489 | client => { | |
490 | "VerifyCAFile" => test_pem("p384-root.pem"), | |
491 | "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256" | |
492 | }, | |
493 | test => { | |
494 | "ExpectedServerCertType" => "P-256", | |
495 | "ExpectedServerSignHash" => "SHA256", | |
496 | "ExpectedServerSignType" => "EC", | |
497 | "ExpectedResult" => "Success" | |
498 | }, | |
499 | }, | |
500 | { | |
501 | name => "Suite B P-384 Hash Algorithm Selection", | |
502 | server => { | |
503 | "ECDSA.Certificate" => test_pem("p384-server-cert.pem"), | |
504 | "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"), | |
505 | "MaxProtocol" => "TLSv1.2", | |
506 | "CipherString" => "SUITEB128" | |
507 | }, | |
508 | client => { | |
509 | "VerifyCAFile" => test_pem("p384-root.pem"), | |
510 | "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384" | |
511 | }, | |
512 | test => { | |
513 | "ExpectedServerCertType" => "P-384", | |
514 | "ExpectedServerSignHash" => "SHA384", | |
515 | "ExpectedServerSignType" => "EC", | |
516 | "ExpectedResult" => "Success" | |
517 | }, | |
fbe1af9d DSH |
518 | }, |
519 | { | |
520 | name => "TLS 1.2 Ed25519 Client Auth", | |
521 | server => { | |
522 | "VerifyCAFile" => test_pem("root-cert.pem"), | |
523 | "VerifyMode" => "Require" | |
524 | }, | |
525 | client => { | |
fe93b010 MC |
526 | "Ed25519.Certificate" => test_pem("client-ed25519-cert.pem"), |
527 | "Ed25519.PrivateKey" => test_pem("client-ed25519-key.pem"), | |
fbe1af9d DSH |
528 | "MinProtocol" => "TLSv1.2", |
529 | "MaxProtocol" => "TLSv1.2" | |
530 | }, | |
531 | test => { | |
532 | "ExpectedClientCertType" => "Ed25519", | |
533 | "ExpectedClientSignType" => "Ed25519", | |
534 | "ExpectedResult" => "Success" | |
535 | }, | |
536 | }, | |
fe93b010 MC |
537 | { |
538 | name => "TLS 1.2 Ed448 Client Auth", | |
539 | server => { | |
540 | "VerifyCAFile" => test_pem("root-cert.pem"), | |
541 | "VerifyMode" => "Require" | |
542 | }, | |
543 | client => { | |
544 | "Ed448.Certificate" => test_pem("client-ed448-cert.pem"), | |
545 | "Ed448.PrivateKey" => test_pem("client-ed448-key.pem"), | |
546 | "MinProtocol" => "TLSv1.2", | |
547 | "MaxProtocol" => "TLSv1.2" | |
548 | }, | |
549 | test => { | |
550 | "ExpectedClientCertType" => "Ed448", | |
551 | "ExpectedClientSignType" => "Ed448", | |
552 | "ExpectedResult" => "Success" | |
553 | }, | |
554 | }, | |
edb8a5eb | 555 | ); |
53f08737 | 556 | |
b7ab4eee MC |
557 | my @tests_tls_1_1 = ( |
558 | { | |
559 | name => "Only RSA-PSS Certificate, TLS v1.1", | |
560 | server => $server_pss_only, | |
561 | client => { | |
562 | "MaxProtocol" => "TLSv1.1", | |
563 | }, | |
564 | test => { | |
565 | "ExpectedResult" => "ServerFail" | |
566 | }, | |
567 | }, | |
568 | ); | |
569 | ||
570 | push @tests, @tests_tls_1_1 unless disabled("tls1_1"); | |
571 | ||
53f08737 | 572 | my $server_tls_1_3 = { |
31b238ad DSH |
573 | "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), |
574 | "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), | |
fe93b010 MC |
575 | "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), |
576 | "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), | |
577 | "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), | |
578 | "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), | |
86de658a DSH |
579 | "MinProtocol" => "TLSv1.3", |
580 | "MaxProtocol" => "TLSv1.3" | |
581 | }; | |
582 | ||
800c4883 DSH |
583 | my $server_tls_1_3_pss = { |
584 | "PSS.Certificate" => test_pem("server-pss-cert.pem"), | |
585 | "PSS.PrivateKey" => test_pem("server-pss-key.pem"), | |
586 | "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), | |
587 | "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), | |
fe93b010 MC |
588 | "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), |
589 | "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), | |
590 | "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), | |
591 | "Ed448.PrivateKey" => test_pem("server-ed449-key.pem"), | |
800c4883 DSH |
592 | "MinProtocol" => "TLSv1.3", |
593 | "MaxProtocol" => "TLSv1.3" | |
594 | }; | |
595 | ||
86de658a | 596 | my $client_tls_1_3 = { |
31b238ad DSH |
597 | "RSA.Certificate" => test_pem("ee-client-chain.pem"), |
598 | "RSA.PrivateKey" => test_pem("ee-key.pem"), | |
599 | "ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"), | |
600 | "ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"), | |
53f08737 DSH |
601 | "MinProtocol" => "TLSv1.3", |
602 | "MaxProtocol" => "TLSv1.3" | |
603 | }; | |
604 | ||
605 | my @tests_tls_1_3 = ( | |
606 | { | |
607 | name => "TLS 1.3 ECDSA Signature Algorithm Selection", | |
608 | server => $server_tls_1_3, | |
609 | client => { | |
610 | "SignatureAlgorithms" => "ECDSA+SHA256", | |
611 | }, | |
612 | test => { | |
613 | "ExpectedServerCertType" => "P-256", | |
614 | "ExpectedServerSignHash" => "SHA256", | |
615 | "ExpectedServerSignType" => "EC", | |
25a9fabb | 616 | "ExpectedServerCANames" => "empty", |
53f08737 DSH |
617 | "ExpectedResult" => "Success" |
618 | }, | |
619 | }, | |
c749308f DSH |
620 | { |
621 | name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point", | |
622 | server => { | |
623 | "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"), | |
624 | "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"), | |
625 | "MinProtocol" => "TLSv1.3", | |
626 | "MaxProtocol" => "TLSv1.3" | |
627 | }, | |
628 | client => { | |
629 | "SignatureAlgorithms" => "ECDSA+SHA256", | |
630 | }, | |
631 | test => { | |
7500bc33 MC |
632 | "ExpectedServerCertType" => "P-256", |
633 | "ExpectedServerSignHash" => "SHA256", | |
634 | "ExpectedServerSignType" => "EC", | |
635 | "ExpectedServerCANames" => "empty", | |
636 | "ExpectedResult" => "Success" | |
c749308f DSH |
637 | }, |
638 | }, | |
639 | { | |
640 | name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1", | |
641 | server => $server_tls_1_3, | |
642 | client => { | |
643 | "SignatureAlgorithms" => "ECDSA+SHA1", | |
644 | }, | |
645 | test => { | |
646 | "ExpectedResult" => "ServerFail" | |
647 | }, | |
648 | }, | |
53f08737 DSH |
649 | { |
650 | name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS", | |
651 | server => $server_tls_1_3, | |
652 | client => { | |
653 | "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256", | |
25a9fabb | 654 | "RequestCAFile" => test_pem("root-cert.pem"), |
53f08737 DSH |
655 | }, |
656 | test => { | |
657 | "ExpectedServerCertType" => "P-256", | |
658 | "ExpectedServerSignHash" => "SHA256", | |
659 | "ExpectedServerSignType" => "EC", | |
25a9fabb | 660 | "ExpectedServerCANames" => test_pem("root-cert.pem"), |
53f08737 DSH |
661 | "ExpectedResult" => "Success" |
662 | }, | |
663 | }, | |
664 | { | |
665 | name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS", | |
666 | server => $server_tls_1_3, | |
667 | client => { | |
668 | "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384", | |
669 | }, | |
670 | test => { | |
671 | "ExpectedServerCertType" => "RSA", | |
672 | "ExpectedServerSignHash" => "SHA384", | |
673 | "ExpectedServerSignType" => "RSA-PSS", | |
674 | "ExpectedResult" => "Success" | |
675 | }, | |
676 | }, | |
677 | { | |
678 | name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate", | |
0e2c7b3e DSH |
679 | server => { |
680 | "MinProtocol" => "TLSv1.3", | |
681 | "MaxProtocol" => "TLSv1.3" | |
682 | }, | |
53f08737 DSH |
683 | client => { |
684 | "SignatureAlgorithms" => "ECDSA+SHA256", | |
685 | }, | |
686 | test => { | |
687 | "ExpectedResult" => "ServerFail" | |
688 | }, | |
689 | }, | |
690 | { | |
691 | name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS", | |
692 | server => $server_tls_1_3, | |
693 | client => { | |
694 | "SignatureAlgorithms" => "RSA+SHA256", | |
695 | }, | |
696 | test => { | |
697 | "ExpectedResult" => "ServerFail" | |
698 | }, | |
699 | }, | |
700 | { | |
701 | name => "TLS 1.3 RSA-PSS Signature Algorithm Selection", | |
702 | server => $server_tls_1_3, | |
703 | client => { | |
704 | "SignatureAlgorithms" => "RSA-PSS+SHA256", | |
705 | }, | |
706 | test => { | |
707 | "ExpectedServerCertType" => "RSA", | |
708 | "ExpectedServerSignHash" => "SHA256", | |
709 | "ExpectedServerSignType" => "RSA-PSS", | |
710 | "ExpectedResult" => "Success" | |
711 | }, | |
86de658a | 712 | }, |
fbe1af9d DSH |
713 | { |
714 | name => "TLS 1.3 Ed25519 Signature Algorithm Selection", | |
715 | server => $server_tls_1_3, | |
716 | client => { | |
717 | "SignatureAlgorithms" => "ed25519", | |
718 | }, | |
719 | test => { | |
720 | "ExpectedServerCertType" => "Ed25519", | |
721 | "ExpectedServerSignType" => "Ed25519", | |
722 | "ExpectedResult" => "Success" | |
723 | }, | |
724 | }, | |
fe93b010 MC |
725 | { |
726 | name => "TLS 1.3 Ed448 Signature Algorithm Selection", | |
727 | server => $server_tls_1_3, | |
728 | client => { | |
729 | "SignatureAlgorithms" => "ed448", | |
730 | }, | |
731 | test => { | |
732 | "ExpectedServerCertType" => "Ed448", | |
733 | "ExpectedServerSignType" => "Ed448", | |
734 | "ExpectedResult" => "Success" | |
735 | }, | |
736 | }, | |
50a3a1f0 DSH |
737 | { |
738 | name => "TLS 1.3 Ed25519 CipherString and Groups Selection", | |
739 | server => $server_tls_1_3, | |
740 | client => { | |
741 | "SignatureAlgorithms" => "ECDSA+SHA256:ed25519", | |
742 | # Excluding P-256 from the supported groups list should | |
743 | # mean server still uses a P-256 certificate because supported | |
744 | # groups is not used in signature selection for TLS 1.3 | |
745 | "Groups" => "X25519" | |
746 | }, | |
747 | test => { | |
748 | "ExpectedServerCertType" =>, "P-256", | |
749 | "ExpectedServerSignType" =>, "EC", | |
750 | "ExpectedResult" => "Success" | |
751 | }, | |
752 | }, | |
fe93b010 MC |
753 | { |
754 | name => "TLS 1.3 Ed448 CipherString and Groups Selection", | |
755 | server => $server_tls_1_3, | |
756 | client => { | |
757 | "SignatureAlgorithms" => "ECDSA+SHA256:ed448", | |
758 | # Excluding P-256 from the supported groups list should | |
759 | # mean server still uses a P-256 certificate because supported | |
760 | # groups is not used in signature selection for TLS 1.3 | |
761 | "Groups" => "X448" | |
762 | }, | |
763 | test => { | |
764 | "ExpectedServerCertType" =>, "P-256", | |
765 | "ExpectedServerSignType" =>, "EC", | |
766 | "ExpectedResult" => "Success" | |
767 | }, | |
768 | }, | |
86de658a DSH |
769 | { |
770 | name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection", | |
771 | server => { | |
772 | "ClientSignatureAlgorithms" => "PSS+SHA256", | |
31b238ad | 773 | "VerifyCAFile" => test_pem("root-cert.pem"), |
86de658a DSH |
774 | "VerifyMode" => "Require" |
775 | }, | |
776 | client => $client_tls_1_3, | |
777 | test => { | |
778 | "ExpectedClientCertType" => "RSA", | |
779 | "ExpectedClientSignHash" => "SHA256", | |
780 | "ExpectedClientSignType" => "RSA-PSS", | |
2c1b0f1e DSH |
781 | "ExpectedClientCANames" => "empty", |
782 | "ExpectedResult" => "Success" | |
783 | }, | |
784 | }, | |
785 | { | |
786 | name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names", | |
787 | server => { | |
788 | "ClientSignatureAlgorithms" => "PSS+SHA256", | |
789 | "VerifyCAFile" => test_pem("root-cert.pem"), | |
25a9fabb | 790 | "RequestCAFile" => test_pem("root-cert.pem"), |
2c1b0f1e DSH |
791 | "VerifyMode" => "Require" |
792 | }, | |
793 | client => $client_tls_1_3, | |
794 | test => { | |
795 | "ExpectedClientCertType" => "RSA", | |
796 | "ExpectedClientSignHash" => "SHA256", | |
797 | "ExpectedClientSignType" => "RSA-PSS", | |
798 | "ExpectedClientCANames" => test_pem("root-cert.pem"), | |
86de658a DSH |
799 | "ExpectedResult" => "Success" |
800 | }, | |
801 | }, | |
802 | { | |
803 | name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection", | |
804 | server => { | |
805 | "ClientSignatureAlgorithms" => "ECDSA+SHA256", | |
31b238ad | 806 | "VerifyCAFile" => test_pem("root-cert.pem"), |
86de658a DSH |
807 | "VerifyMode" => "Require" |
808 | }, | |
809 | client => $client_tls_1_3, | |
810 | test => { | |
811 | "ExpectedClientCertType" => "P-256", | |
812 | "ExpectedClientSignHash" => "SHA256", | |
813 | "ExpectedClientSignType" => "EC", | |
814 | "ExpectedResult" => "Success" | |
815 | }, | |
816 | }, | |
fbe1af9d DSH |
817 | { |
818 | name => "TLS 1.3 Ed25519 Client Auth", | |
819 | server => { | |
820 | "VerifyCAFile" => test_pem("root-cert.pem"), | |
821 | "VerifyMode" => "Require" | |
822 | }, | |
823 | client => { | |
824 | "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"), | |
825 | "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"), | |
826 | "MinProtocol" => "TLSv1.3", | |
827 | "MaxProtocol" => "TLSv1.3" | |
828 | }, | |
829 | test => { | |
830 | "ExpectedClientCertType" => "Ed25519", | |
831 | "ExpectedClientSignType" => "Ed25519", | |
832 | "ExpectedResult" => "Success" | |
833 | }, | |
834 | }, | |
fe93b010 MC |
835 | { |
836 | name => "TLS 1.3 Ed448 Client Auth", | |
837 | server => { | |
838 | "VerifyCAFile" => test_pem("root-cert.pem"), | |
839 | "VerifyMode" => "Require" | |
840 | }, | |
841 | client => { | |
842 | "EdDSA.Certificate" => test_pem("client-ed448-cert.pem"), | |
843 | "EdDSA.PrivateKey" => test_pem("client-ed448-key.pem"), | |
844 | "MinProtocol" => "TLSv1.3", | |
845 | "MaxProtocol" => "TLSv1.3" | |
846 | }, | |
847 | test => { | |
848 | "ExpectedClientCertType" => "Ed448", | |
849 | "ExpectedClientSignType" => "Ed448", | |
850 | "ExpectedResult" => "Success" | |
851 | }, | |
852 | }, | |
7bd5405a MC |
853 | { |
854 | name => "TLS 1.3 ECDSA with brainpool", | |
855 | server => { | |
856 | "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), | |
857 | "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), | |
858 | "Groups" => "brainpoolP256r1", | |
859 | }, | |
860 | client => { | |
861 | "RequestCAFile" => test_pem("root-cert.pem"), | |
862 | "Groups" => "brainpoolP256r1", | |
863 | "MinProtocol" => "TLSv1.3", | |
864 | "MaxProtocol" => "TLSv1.3" | |
865 | }, | |
866 | test => { | |
867 | "ExpectedResult" => "ServerFail" | |
868 | }, | |
869 | }, | |
53f08737 DSH |
870 | ); |
871 | ||
872 | push @tests, @tests_tls_1_3 unless disabled("tls1_3"); | |
7a08b764 DSH |
873 | |
874 | my @tests_dsa_tls_1_2 = ( | |
875 | { | |
876 | name => "TLS 1.2 DSA Certificate Test", | |
877 | server => { | |
878 | "DSA.Certificate" => test_pem("server-dsa-cert.pem"), | |
879 | "DSA.PrivateKey" => test_pem("server-dsa-key.pem"), | |
880 | "DHParameters" => test_pem("dhp2048.pem"), | |
881 | "MinProtocol" => "TLSv1.2", | |
882 | "MaxProtocol" => "TLSv1.2", | |
883 | "CipherString" => "ALL", | |
884 | }, | |
885 | client => { | |
886 | "SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1", | |
887 | "CipherString" => "ALL", | |
888 | }, | |
889 | test => { | |
890 | "ExpectedResult" => "Success" | |
891 | }, | |
892 | }, | |
893 | ); | |
894 | ||
895 | my @tests_dsa_tls_1_3 = ( | |
81813776 BK |
896 | { |
897 | name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms", | |
898 | server => { | |
899 | "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256", | |
900 | "VerifyCAFile" => test_pem("root-cert.pem"), | |
901 | "VerifyMode" => "Request" | |
902 | }, | |
903 | client => {}, | |
904 | test => { | |
905 | "ExpectedResult" => "ServerFail" | |
906 | }, | |
907 | }, | |
7a08b764 DSH |
908 | { |
909 | name => "TLS 1.3 DSA Certificate Test", | |
910 | server => { | |
911 | "DSA.Certificate" => test_pem("server-dsa-cert.pem"), | |
912 | "DSA.PrivateKey" => test_pem("server-dsa-key.pem"), | |
913 | "MinProtocol" => "TLSv1.3", | |
914 | "MaxProtocol" => "TLSv1.3", | |
915 | "CipherString" => "ALL", | |
916 | }, | |
917 | client => { | |
8336ca13 | 918 | "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256:ECDSA+SHA256", |
7a08b764 DSH |
919 | "CipherString" => "ALL", |
920 | }, | |
921 | test => { | |
922 | "ExpectedResult" => "ServerFail" | |
923 | }, | |
924 | }, | |
925 | ); | |
926 | ||
927 | if (!disabled("dsa")) { | |
928 | push @tests, @tests_dsa_tls_1_2 unless disabled("dh"); | |
929 | push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3"); | |
930 | } |