Commit | Line | Data |
---|---|---|
9d75dce3 | 1 | # -*- mode: perl; -*- |
33388b44 | 2 | # Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. |
9d75dce3 | 3 | # |
909f1a2e | 4 | # Licensed under the Apache License 2.0 (the "License"). You may not use |
9d75dce3 TS |
5 | # this file except in compliance with the License. You can obtain a copy |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
9 | ||
10 | ## Test TLSv1.3 certificate authentication | |
433deaff | 11 | ## Similar to 04-client_auth.cnf.in output, but specific for |
9d75dce3 TS |
12 | ## TLSv1.3 and post-handshake authentication |
13 | ||
14 | use strict; | |
15 | use warnings; | |
16 | ||
17 | package ssltests; | |
18 | use OpenSSL::Test::Utils; | |
19 | ||
# Every case below pins both peers to TLSv1.3 only, so the shared
# Min/Max settings are kept in one place and copied into each hash.
my %tls13_only = (
    MinProtocol => "TLSv1.3",
    MaxProtocol => "TLSv1.3",
);

# Test matrix for TLSv1.3 client certificate authentication: first during
# the handshake, then as post-handshake authentication (PHA).  Each entry
# carries the server settings, the client settings and the outcome the
# test expects.
#
# NOTE(review): the cases named "...-require", "...-require-non-empty-names"
# and their post-handshake twins configure VerifyMode "Request" /
# "RequestPostHandshake".  "Require" / "RequirePostHandshake" appear only in
# cases that expect ServerFail, so no case here shows a certificate being
# accepted under a Require mode -- confirm that this is intentional.
our @tests = (
    # Baseline: neither side configures client authentication.
    {
        name   => "server-auth-TLSv1.3",
        server => { %tls13_only },
        client => { %tls13_only },
        test   => {
            ExpectedResult => "Success",
        },
    },

    # Server asks for a certificate, client has none: still succeeds.
    {
        name   => "client-auth-TLSv1.3-request",
        server => {
            %tls13_only,
            VerifyMode => "Request",
        },
        client => { %tls13_only },
        test   => {
            ExpectedResult => "Success",
        },
    },

    # Server requires a certificate, client has none: the server must fail
    # and the alert is pinned so that an unrelated failure does not pass.
    {
        name   => "client-auth-TLSv1.3-require-fail",
        server => {
            %tls13_only,
            VerifyCAFile => test_pem("root-cert.pem"),
            VerifyMode   => "Require",
        },
        client => { %tls13_only },
        test   => {
            ExpectedResult      => "ServerFail",
            ExpectedServerAlert => "CertificateRequired",
        },
    },

    # Client presents a chain the server can verify; the certificate type,
    # signature type and hash are checked, and no CA names are expected.
    {
        name   => "client-auth-TLSv1.3-require",
        server => {
            %tls13_only,
            ClientSignatureAlgorithms => "PSS+SHA256",
            VerifyCAFile              => test_pem("root-cert.pem"),
            VerifyMode                => "Request",
        },
        client => {
            %tls13_only,
            Certificate => test_pem("ee-client-chain.pem"),
            PrivateKey  => test_pem("ee-key.pem"),
        },
        test => {
            ExpectedResult         => "Success",
            ExpectedClientCertType => "RSA",
            ExpectedClientSignType => "RSA-PSS",
            ExpectedClientSignHash => "SHA256",
            ExpectedClientCANames  => "empty",
        },
    },

    # As above, plus ClientCAFile on the server; the expected CA names are
    # taken from that same root certificate file.
    {
        name   => "client-auth-TLSv1.3-require-non-empty-names",
        server => {
            %tls13_only,
            ClientSignatureAlgorithms => "PSS+SHA256",
            ClientCAFile              => test_pem("root-cert.pem"),
            VerifyCAFile              => test_pem("root-cert.pem"),
            VerifyMode                => "Request",
        },
        client => {
            %tls13_only,
            Certificate => test_pem("ee-client-chain.pem"),
            PrivateKey  => test_pem("ee-key.pem"),
        },
        test => {
            ExpectedResult         => "Success",
            ExpectedClientCertType => "RSA",
            ExpectedClientSignType => "RSA-PSS",
            ExpectedClientSignHash => "SHA256",
            ExpectedClientCANames  => test_pem("root-cert.pem"),
        },
    },

    # Server requires a certificate but has no VerifyCAFile: the client's
    # chain must be rejected with UnknownCA.
    {
        name   => "client-auth-TLSv1.3-noroot",
        server => {
            %tls13_only,
            VerifyMode => "Require",
        },
        client => {
            %tls13_only,
            Certificate => test_pem("ee-client-chain.pem"),
            PrivateKey  => test_pem("ee-key.pem"),
        },
        test => {
            ExpectedResult      => "ServerFail",
            ExpectedServerAlert => "UnknownCA",
        },
    },

    # Post-handshake request while the client has not set EnablePHA.
    # NOTE(review): no expected alert is pinned, so presumably any
    # server-side failure satisfies this case -- confirm against the harness.
    {
        name   => "client-auth-TLSv1.3-request-post-handshake",
        server => {
            %tls13_only,
            VerifyMode => "RequestPostHandshake",
        },
        client => { %tls13_only },
        test   => {
            ExpectedResult => "ServerFail",
            HandshakeMode  => "PostHandshakeAuth",
        },
    },

    # Post-handshake require; the client has neither a certificate nor
    # EnablePHA.  NOTE(review): no expected alert is pinned here either.
    {
        name   => "client-auth-TLSv1.3-require-fail-post-handshake",
        server => {
            %tls13_only,
            VerifyCAFile => test_pem("root-cert.pem"),
            VerifyMode   => "RequirePostHandshake",
        },
        client => { %tls13_only },
        test   => {
            ExpectedResult => "ServerFail",
            HandshakeMode  => "PostHandshakeAuth",
        },
    },

    # Post-handshake variant of "client-auth-TLSv1.3-require": the client
    # sets EnablePHA and presents a verifiable chain.
    {
        name   => "client-auth-TLSv1.3-require-post-handshake",
        server => {
            %tls13_only,
            ClientSignatureAlgorithms => "PSS+SHA256",
            VerifyCAFile              => test_pem("root-cert.pem"),
            VerifyMode                => "RequestPostHandshake",
        },
        client => {
            %tls13_only,
            Certificate => test_pem("ee-client-chain.pem"),
            PrivateKey  => test_pem("ee-key.pem"),
            extra       => {
                EnablePHA => "Yes",
            },
        },
        test => {
            ExpectedResult         => "Success",
            HandshakeMode          => "PostHandshakeAuth",
            ExpectedClientCertType => "RSA",
            ExpectedClientSignType => "RSA-PSS",
            ExpectedClientSignHash => "SHA256",
            ExpectedClientCANames  => "empty",
        },
    },

    # Post-handshake variant of the non-empty CA names case.
    {
        name   => "client-auth-TLSv1.3-require-non-empty-names-post-handshake",
        server => {
            %tls13_only,
            ClientSignatureAlgorithms => "PSS+SHA256",
            ClientCAFile              => test_pem("root-cert.pem"),
            VerifyCAFile              => test_pem("root-cert.pem"),
            VerifyMode                => "RequestPostHandshake",
        },
        client => {
            %tls13_only,
            Certificate => test_pem("ee-client-chain.pem"),
            PrivateKey  => test_pem("ee-key.pem"),
            extra       => {
                EnablePHA => "Yes",
            },
        },
        test => {
            ExpectedResult         => "Success",
            HandshakeMode          => "PostHandshakeAuth",
            ExpectedClientCertType => "RSA",
            ExpectedClientSignType => "RSA-PSS",
            ExpectedClientSignHash => "SHA256",
            ExpectedClientCANames  => test_pem("root-cert.pem"),
        },
    },

    # Post-handshake variant of "noroot": the server has no VerifyCAFile,
    # so the client's chain must be rejected with UnknownCA.
    {
        name   => "client-auth-TLSv1.3-noroot-post-handshake",
        server => {
            %tls13_only,
            VerifyMode => "RequirePostHandshake",
        },
        client => {
            %tls13_only,
            Certificate => test_pem("ee-client-chain.pem"),
            PrivateKey  => test_pem("ee-key.pem"),
            extra       => {
                EnablePHA => "Yes",
            },
        },
        test => {
            ExpectedResult      => "ServerFail",
            HandshakeMode       => "PostHandshakeAuth",
            ExpectedServerAlert => "UnknownCA",
        },
    },

    # Differs from "request-post-handshake" only by the client setting
    # EnablePHA; the expected result changes from ServerFail to Success.
    {
        name   => "client-auth-TLSv1.3-request-force-client-post-handshake",
        server => {
            %tls13_only,
            VerifyMode => "RequestPostHandshake",
        },
        client => {
            %tls13_only,
            extra => {
                EnablePHA => "Yes",
            },
        },
        test => {
            ExpectedResult => "Success",
            HandshakeMode  => "PostHandshakeAuth",
        },
    },

    # Server sets ForcePHA while the client has not set EnablePHA: the
    # failure is expected on the client side.
    # NOTE(review): no expected client alert is pinned -- confirm whether
    # the harness can check one here.
    {
        name   => "client-auth-TLSv1.3-request-force-server-post-handshake",
        server => {
            %tls13_only,
            VerifyMode => "RequestPostHandshake",
            extra      => {
                ForcePHA => "Yes",
            },
        },
        client => { %tls13_only },
        test   => {
            ExpectedResult => "ClientFail",
            HandshakeMode  => "PostHandshakeAuth",
        },
    },

    # ForcePHA on the server and EnablePHA on the client: succeeds.
    {
        name   => "client-auth-TLSv1.3-request-force-both-post-handshake",
        server => {
            %tls13_only,
            VerifyMode => "RequestPostHandshake",
            extra      => {
                ForcePHA => "Yes",
            },
        },
        client => {
            %tls13_only,
            extra => {
                EnablePHA => "Yes",
            },
        },
        test => {
            ExpectedResult => "Success",
            HandshakeMode  => "PostHandshakeAuth",
        },
    },
);