2 # Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 ## Test TLSv1.3 certificate authentication
11 ## Similar to 04-client_auth.cnf.in output, but specific for
12 ## TLSv1.3 and post-handshake authentication
18 use OpenSSL::Test::Utils;
# Baseline case: no VerifyMode appears in the visible lines, so only server
# authentication is exercised and the handshake is expected to succeed.
# NOTE(review): the two MinProtocol/MaxProtocol pairs presumably belong to the
# server and client sections; the section headers are not visible in this
# listing - confirm against the full file.
22 name => "server-auth-TLSv1.3",
# Min == Max pins the connection to TLSv1.3, so a fallback to an older
# protocol version cannot make this case pass.
24 "MinProtocol" => "TLSv1.3",
25 "MaxProtocol" => "TLSv1.3",
28 "MinProtocol" => "TLSv1.3",
29 "MaxProtocol" => "TLSv1.3",
32 "ExpectedResult" => "Success",
# Optional client authentication: VerifyMode "Request" asks for a client
# certificate without making it mandatory. No Certificate/PrivateKey is listed
# for the peer, and the handshake is still expected to succeed.
36 name => "client-auth-TLSv1.3-request",
38 "MinProtocol" => "TLSv1.3",
39 "MaxProtocol" => "TLSv1.3",
40 "VerifyMode" => "Request",
43 "MinProtocol" => "TLSv1.3",
44 "MaxProtocol" => "TLSv1.3",
47 "ExpectedResult" => "Success",
# Negative case for mandatory client authentication: VerifyMode "Require" is
# set and no Certificate/PrivateKey is listed for the peer, so the server side
# must fail the handshake.
51 name => "client-auth-TLSv1.3-require-fail",
53 "MinProtocol" => "TLSv1.3",
54 "MaxProtocol" => "TLSv1.3",
# Trust anchor used to verify a presented client chain.
55 "VerifyCAFile" => test_pem("root-cert.pem"),
56 "VerifyMode" => "Require",
59 "MinProtocol" => "TLSv1.3",
60 "MaxProtocol" => "TLSv1.3",
63 "ExpectedResult" => "ServerFail",
# Checks the specific alert as well as the failure, so a rejection for some
# unrelated reason does not satisfy the case.
64 "ExpectedServerAlert" => "CertificateRequired",
# Positive case: the peer presents ee-client-chain.pem, which is verified
# against root-cert.pem, and the handshake is expected to succeed.
# NOTE(review): the name says "require" but VerifyMode below is "Request", so
# the mode itself would not reject a missing certificate. Proof that a
# certificate was actually presented rests on the ExpectedClient* checks -
# confirm this is intended.
68 name => "client-auth-TLSv1.3-require",
70 "MinProtocol" => "TLSv1.3",
71 "MaxProtocol" => "TLSv1.3",
# Restricts the signature algorithms accepted for client authentication; the
# ExpectedClientSignType/ExpectedClientSignHash checks below mirror this value.
72 "ClientSignatureAlgorithms" => "PSS+SHA256",
73 "VerifyCAFile" => test_pem("root-cert.pem"),
74 "VerifyMode" => "Request",
77 "MinProtocol" => "TLSv1.3",
78 "MaxProtocol" => "TLSv1.3",
79 "Certificate" => test_pem("ee-client-chain.pem"),
80 "PrivateKey" => test_pem("ee-key.pem"),
83 "ExpectedResult" => "Success",
84 "ExpectedClientCertType" => "RSA",
85 "ExpectedClientSignType" => "RSA-PSS",
86 "ExpectedClientSignHash" => "SHA256",
# No ClientCAFile is configured in this case, and an empty CA-name list is
# what the case expects.
87 "ExpectedClientCANames" => "empty"
# Like the plain "require" case, but ClientCAFile is also configured, and the
# case expects the CA names seen by the client to match root-cert.pem.
# NOTE(review): VerifyMode is "Request" although the name says "require";
# enforcement is implied only by the ExpectedClient* checks - confirm.
91 name => "client-auth-TLSv1.3-require-non-empty-names",
93 "MinProtocol" => "TLSv1.3",
94 "MaxProtocol" => "TLSv1.3",
95 "ClientSignatureAlgorithms" => "PSS+SHA256",
# ClientCAFile supplies the CA names advertised to the client; VerifyCAFile is
# the trust anchor used to verify the presented chain. Both point at the same
# root here.
96 "ClientCAFile" => test_pem("root-cert.pem"),
97 "VerifyCAFile" => test_pem("root-cert.pem"),
98 "VerifyMode" => "Request",
101 "MinProtocol" => "TLSv1.3",
102 "MaxProtocol" => "TLSv1.3",
103 "Certificate" => test_pem("ee-client-chain.pem"),
104 "PrivateKey" => test_pem("ee-key.pem"),
107 "ExpectedResult" => "Success",
108 "ExpectedClientCertType" => "RSA",
109 "ExpectedClientSignType" => "RSA-PSS",
110 "ExpectedClientSignHash" => "SHA256",
111 "ExpectedClientCANames" => test_pem("root-cert.pem"),
# Negative trust case: the peer presents a certificate chain, but no
# VerifyCAFile is configured alongside VerifyMode "Require", so the chain has
# no trusted root. This guards against a verifier that accepts any certificate
# the client offers.
115 name => "client-auth-TLSv1.3-noroot",
117 "MinProtocol" => "TLSv1.3",
118 "MaxProtocol" => "TLSv1.3",
119 "VerifyMode" => "Require",
122 "MinProtocol" => "TLSv1.3",
123 "MaxProtocol" => "TLSv1.3",
124 "Certificate" => test_pem("ee-client-chain.pem"),
125 "PrivateKey" => test_pem("ee-key.pem"),
128 "ExpectedResult" => "ServerFail",
# The alert is pinned so the failure must come from chain verification.
129 "ExpectedServerAlert" => "UnknownCA",
# Post-handshake authentication (PHA) requested by the server, with no
# EnablePHA visible for the peer. Expected outcome is a server-side failure.
# NOTE(review): presumably the failure occurs because the client never offered
# PHA - confirm against the test harness.
133 name => "client-auth-TLSv1.3-request-post-handshake",
135 "MinProtocol" => "TLSv1.3",
136 "MaxProtocol" => "TLSv1.3",
137 "VerifyMode" => "RequestPostHandshake",
140 "MinProtocol" => "TLSv1.3",
141 "MaxProtocol" => "TLSv1.3",
144 "ExpectedResult" => "ServerFail",
145 "HandshakeMode" => "PostHandshakeAuth",
# Mandatory post-handshake authentication against a peer that lists neither
# EnablePHA nor a Certificate/PrivateKey. Expected outcome is a server-side
# failure. Unlike the in-handshake "require-fail" case, no ExpectedServerAlert
# is pinned here.
149 name => "client-auth-TLSv1.3-require-fail-post-handshake",
151 "MinProtocol" => "TLSv1.3",
152 "MaxProtocol" => "TLSv1.3",
153 "VerifyCAFile" => test_pem("root-cert.pem"),
154 "VerifyMode" => "RequirePostHandshake",
157 "MinProtocol" => "TLSv1.3",
158 "MaxProtocol" => "TLSv1.3",
161 "ExpectedResult" => "ServerFail",
162 "HandshakeMode" => "PostHandshakeAuth",
# Positive post-handshake authentication case: the peer enables PHA and
# presents ee-client-chain.pem, which is verified against root-cert.pem.
# NOTE(review): the name says "require" but VerifyMode below is
# "RequestPostHandshake"; proof that a certificate was actually presented
# rests on the ExpectedClient* checks - confirm this is intended.
166 name => "client-auth-TLSv1.3-require-post-handshake",
168 "MinProtocol" => "TLSv1.3",
169 "MaxProtocol" => "TLSv1.3",
170 "ClientSignatureAlgorithms" => "PSS+SHA256",
171 "VerifyCAFile" => test_pem("root-cert.pem"),
172 "VerifyMode" => "RequestPostHandshake",
175 "MinProtocol" => "TLSv1.3",
176 "MaxProtocol" => "TLSv1.3",
177 "Certificate" => test_pem("ee-client-chain.pem"),
178 "PrivateKey" => test_pem("ee-key.pem"),
# Opt-in to post-handshake authentication on the presenting side.
180 "EnablePHA" => "Yes",
184 "ExpectedResult" => "Success",
185 "HandshakeMode" => "PostHandshakeAuth",
186 "ExpectedClientCertType" => "RSA",
187 "ExpectedClientSignType" => "RSA-PSS",
188 "ExpectedClientSignHash" => "SHA256",
# No ClientCAFile is configured in this case, and an empty CA-name list is
# what the case expects.
189 "ExpectedClientCANames" => "empty"
# Post-handshake authentication with ClientCAFile configured: the case expects
# the CA names seen by the client to match root-cert.pem, and the presented
# chain to verify against the same root.
# NOTE(review): VerifyMode is "RequestPostHandshake" although the name says
# "require"; enforcement is implied only by the ExpectedClient* checks -
# confirm.
193 name => "client-auth-TLSv1.3-require-non-empty-names-post-handshake",
195 "MinProtocol" => "TLSv1.3",
196 "MaxProtocol" => "TLSv1.3",
197 "ClientSignatureAlgorithms" => "PSS+SHA256",
198 "ClientCAFile" => test_pem("root-cert.pem"),
199 "VerifyCAFile" => test_pem("root-cert.pem"),
200 "VerifyMode" => "RequestPostHandshake",
203 "MinProtocol" => "TLSv1.3",
204 "MaxProtocol" => "TLSv1.3",
205 "Certificate" => test_pem("ee-client-chain.pem"),
206 "PrivateKey" => test_pem("ee-key.pem"),
208 "EnablePHA" => "Yes",
212 "ExpectedResult" => "Success",
213 "HandshakeMode" => "PostHandshakeAuth",
214 "ExpectedClientCertType" => "RSA",
215 "ExpectedClientSignType" => "RSA-PSS",
216 "ExpectedClientSignHash" => "SHA256",
217 "ExpectedClientCANames" => test_pem("root-cert.pem"),
# Negative trust case for post-handshake authentication: the peer enables PHA
# and presents a chain, but no VerifyCAFile is configured alongside
# "RequirePostHandshake". The untrusted chain must be rejected with UnknownCA,
# even though the rejection happens after the initial handshake.
221 name => "client-auth-TLSv1.3-noroot-post-handshake",
223 "MinProtocol" => "TLSv1.3",
224 "MaxProtocol" => "TLSv1.3",
225 "VerifyMode" => "RequirePostHandshake",
228 "MinProtocol" => "TLSv1.3",
229 "MaxProtocol" => "TLSv1.3",
230 "Certificate" => test_pem("ee-client-chain.pem"),
231 "PrivateKey" => test_pem("ee-key.pem"),
233 "EnablePHA" => "Yes",
237 "ExpectedResult" => "ServerFail",
238 "HandshakeMode" => "PostHandshakeAuth",
239 "ExpectedServerAlert" => "UnknownCA",
# Optional post-handshake authentication where the peer enables PHA but lists
# no Certificate/PrivateKey. With "RequestPostHandshake" the exchange is
# expected to succeed without a client certificate.
243 name => "client-auth-TLSv1.3-request-force-client-post-handshake",
245 "MinProtocol" => "TLSv1.3",
246 "MaxProtocol" => "TLSv1.3",
247 "VerifyMode" => "RequestPostHandshake",
250 "MinProtocol" => "TLSv1.3",
251 "MaxProtocol" => "TLSv1.3",
253 "EnablePHA" => "Yes",
257 "ExpectedResult" => "Success",
258 "HandshakeMode" => "PostHandshakeAuth",
# Post-handshake authentication driven from the server side against a peer
# with no EnablePHA visible. Expected outcome is a client-side failure.
# NOTE(review): the embedded line numbers jump from 266 to 272, so the setting
# that gives this case its "force-server" name is not visible in this listing
# - confirm against the full file.
262 name => "client-auth-TLSv1.3-request-force-server-post-handshake",
264 "MinProtocol" => "TLSv1.3",
265 "MaxProtocol" => "TLSv1.3",
266 "VerifyMode" => "RequestPostHandshake",
272 "MinProtocol" => "TLSv1.3",
273 "MaxProtocol" => "TLSv1.3",
276 "ExpectedResult" => "ClientFail",
277 "HandshakeMode" => "PostHandshakeAuth",
# Post-handshake authentication with the peer enabling PHA. No
# Certificate/PrivateKey is listed, and with "RequestPostHandshake" the
# exchange is expected to succeed.
# NOTE(review): the embedded line numbers jump from 285 to 291, so the
# server-side setting implied by "force-both" is not visible in this listing -
# confirm against the full file.
281 name => "client-auth-TLSv1.3-request-force-both-post-handshake",
283 "MinProtocol" => "TLSv1.3",
284 "MaxProtocol" => "TLSv1.3",
285 "VerifyMode" => "RequestPostHandshake",
291 "MinProtocol" => "TLSv1.3",
292 "MaxProtocol" => "TLSv1.3",
294 "EnablePHA" => "Yes",
298 "ExpectedResult" => "Success",
299 "HandshakeMode" => "PostHandshakeAuth",