Gitiles
Code Review Sign In
192.168.1.100 / T106_DC / f646f5c5756a779e17361145cfb2f3fc7d3b7a06 / . / ap / lib / libssl / openssl-1.1.1o / test / ssl-tests / 20-cert-select.conf.in
blob: 24093548cd682791974f7d1dac68af2074c6ad08 [file] [log] [blame]
lh9ed821d2023-04-07 01:36:19 -0700[diff] [blame]1# -*- mode: perl; -*-
2
3## SSL test configurations
4
5
6use strict;
7use warnings;
8
9package ssltests;
10use OpenSSL::Test::Utils;
11
12my $server = {
13 "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
14 "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
15 "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
16 "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
17 "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
18 "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
19 "MaxProtocol" => "TLSv1.2"
20};
21
22my $server_pss = {
23 "PSS.Certificate" => test_pem("server-pss-cert.pem"),
24 "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
25 "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
26 "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
27 "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
28 "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
29 "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
30 "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
31 "MaxProtocol" => "TLSv1.2"
32};
33
34my $server_pss_only = {
35 "Certificate" => test_pem("server-pss-cert.pem"),
36 "PrivateKey" => test_pem("server-pss-key.pem"),
37};
38
39my $server_pss_restrict_only = {
40 "Certificate" => test_pem("server-pss-restrict-cert.pem"),
41 "PrivateKey" => test_pem("server-pss-restrict-key.pem"),
42};
43
44
45my $server_rsa_all = {
46 "PSS.Certificate" => test_pem("server-pss-cert.pem"),
47 "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
48 "Certificate" => test_pem("servercert.pem"),
49 "PrivateKey" => test_pem("serverkey.pem"),
50};
51
52our @tests = (
53 {
54 name => "ECDSA CipherString Selection",
55 server => $server,
56 client => {
57 "CipherString" => "aECDSA",
58 "MaxProtocol" => "TLSv1.2",
59 "RequestCAFile" => test_pem("root-cert.pem"),
60 },
61 test => {
62 "ExpectedServerCertType" =>, "P-256",
63 "ExpectedServerSignType" =>, "EC",
64 # Note: certificate_authorities not sent for TLS < 1.3
65 "ExpectedServerCANames" =>, "empty",
66 "ExpectedResult" => "Success"
67 },
68 },
69 {
70 name => "ECDSA CipherString Selection",
71 server => {
72 "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
73 "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
74 "MaxProtocol" => "TLSv1.2",
75 #Deliberately set supported_groups to one not in the cert. This
76 #should be tolerated
77 "Groups" => "P-384"
78 },
79 client => {
80 "CipherString" => "aECDSA",
81 "MaxProtocol" => "TLSv1.2",
82 "Groups" => "P-256:P-384",
83 "RequestCAFile" => test_pem("root-cert.pem"),
84 },
85 test => {
86 "ExpectedServerCertType" =>, "P-256",
87 "ExpectedServerSignType" =>, "EC",
88 # Note: certificate_authorities not sent for TLS < 1.3
89 "ExpectedServerCANames" =>, "empty",
90 "ExpectedResult" => "Success"
91 },
92 },
93 {
94 name => "ECDSA CipherString Selection",
95 server => {
96 "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
97 "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
98 "MaxProtocol" => "TLSv1.2",
99 "Groups" => "P-256:P-384"
100 },
101 client => {
102 "CipherString" => "aECDSA",
103 "MaxProtocol" => "TLSv1.2",
104 #Deliberately set groups to not include the certificate group. This
105 #should fail
106 "Groups" => "P-384",
107 "RequestCAFile" => test_pem("root-cert.pem"),
108 },
109 test => {
110 "ExpectedResult" => "ServerFail"
111 },
112 },
113 {
114 name => "Ed25519 CipherString and Signature Algorithm Selection",
115 server => $server,
116 client => {
117 "CipherString" => "aECDSA",
118 "MaxProtocol" => "TLSv1.2",
119 "SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
120 "RequestCAFile" => test_pem("root-cert.pem"),
121 },
122 test => {
123 "ExpectedServerCertType" =>, "Ed25519",
124 "ExpectedServerSignType" =>, "Ed25519",
125 # Note: certificate_authorities not sent for TLS < 1.3
126 "ExpectedServerCANames" =>, "empty",
127 "ExpectedResult" => "Success"
128 },
129 },
130 {
131 name => "Ed448 CipherString and Signature Algorithm Selection",
132 server => $server,
133 client => {
134 "CipherString" => "aECDSA",
135 "MaxProtocol" => "TLSv1.2",
136 "SignatureAlgorithms" => "ed448:ECDSA+SHA256",
137 "RequestCAFile" => test_pem("root-ed448-cert.pem"),
138 "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
139 },
140 test => {
141 "ExpectedServerCertType" =>, "Ed448",
142 "ExpectedServerSignType" =>, "Ed448",
143 # Note: certificate_authorities not sent for TLS < 1.3
144 "ExpectedServerCANames" =>, "empty",
145 "ExpectedResult" => "Success"
146 },
147 },
148 {
149 name => "ECDSA with brainpool",
150 server => {
151 "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
152 "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
153 "Groups" => "brainpoolP256r1",
154 },
155 client => {
156 #We don't restrict this to TLSv1.2, although use of brainpool
157 #should force this anyway so that this should succeed
158 "CipherString" => "aECDSA",
159 "RequestCAFile" => test_pem("root-cert.pem"),
160 "Groups" => "brainpoolP256r1",
161 },
162 test => {
163 "ExpectedServerCertType" =>, "brainpoolP256r1",
164 "ExpectedServerSignType" =>, "EC",
165 # Note: certificate_authorities not sent for TLS < 1.3
166 "ExpectedServerCANames" =>, "empty",
167 "ExpectedResult" => "Success"
168 },
169 },
170 {
171 name => "RSA CipherString Selection",
172 server => $server,
173 client => {
174 "CipherString" => "aRSA",
175 "MaxProtocol" => "TLSv1.2",
176 },
177 test => {
178 "ExpectedServerCertType" =>, "RSA",
179 "ExpectedServerSignType" =>, "RSA-PSS",
180 "ExpectedResult" => "Success"
181 },
182 },
183 {
184 name => "RSA-PSS Certificate CipherString Selection",
185 server => $server_pss,
186 client => {
187 "CipherString" => "aRSA",
188 "MaxProtocol" => "TLSv1.2",
189 },
190 test => {
191 "ExpectedServerCertType" =>, "RSA-PSS",
192 "ExpectedServerSignType" =>, "RSA-PSS",
193 "ExpectedResult" => "Success"
194 },
195 },
196 {
197 name => "P-256 CipherString and Signature Algorithm Selection",
198 server => $server,
199 client => {
200 "CipherString" => "aECDSA",
201 "MaxProtocol" => "TLSv1.2",
202 "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
203 },
204 test => {
205 "ExpectedServerCertType" => "P-256",
206 "ExpectedServerSignHash" => "SHA256",
207 "ExpectedServerSignType" => "EC",
208 "ExpectedResult" => "Success"
209 },
210 },
211 {
212 name => "Ed25519 CipherString and Curves Selection",
213 server => $server,
214 client => {
215 "CipherString" => "aECDSA",
216 "MaxProtocol" => "TLSv1.2",
217 "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
218 # Excluding P-256 from the supported curves list means server
219 # certificate should be Ed25519 and not P-256
220 "Curves" => "X25519"
221 },
222 test => {
223 "ExpectedServerCertType" =>, "Ed25519",
224 "ExpectedServerSignType" =>, "Ed25519",
225 "ExpectedResult" => "Success"
226 },
227 },
228 {
229 name => "Ed448 CipherString and Curves Selection",
230 server => $server,
231 client => {
232 "CipherString" => "aECDSA",
233 "MaxProtocol" => "TLSv1.2",
234 "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
235 "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
236 # Excluding P-256 from the supported curves list means server
237 # certificate should be Ed25519 and not P-256
238 "Curves" => "X448"
239 },
240 test => {
241 "ExpectedServerCertType" =>, "Ed448",
242 "ExpectedServerSignType" =>, "Ed448",
243 "ExpectedResult" => "Success"
244 },
245 },
246 {
247 name => "ECDSA CipherString Selection, no ECDSA certificate",
248 server => {
249 "MaxProtocol" => "TLSv1.2"
250 },
251 client => {
252 "CipherString" => "aECDSA",
253 "MaxProtocol" => "TLSv1.2"
254 },
255 test => {
256 "ExpectedResult" => "ServerFail"
257 },
258 },
259 {
260 name => "ECDSA Signature Algorithm Selection",
261 server => $server,
262 client => {
263 "SignatureAlgorithms" => "ECDSA+SHA256",
264 },
265 test => {
266 "ExpectedServerCertType" => "P-256",
267 "ExpectedServerSignHash" => "SHA256",
268 "ExpectedServerSignType" => "EC",
269 "ExpectedResult" => "Success"
270 },
271 },
272 {
273 name => "ECDSA Signature Algorithm Selection SHA384",
274 server => $server,
275 client => {
276 "SignatureAlgorithms" => "ECDSA+SHA384",
277 },
278 test => {
279 "ExpectedServerCertType" => "P-256",
280 "ExpectedServerSignHash" => "SHA384",
281 "ExpectedServerSignType" => "EC",
282 "ExpectedResult" => "Success"
283 },
284 },
285 {
286 name => "ECDSA Signature Algorithm Selection SHA1",
287 server => $server,
288 client => {
289 "SignatureAlgorithms" => "ECDSA+SHA1",
290 },
291 test => {
292 "ExpectedServerCertType" => "P-256",
293 "ExpectedServerSignHash" => "SHA1",
294 "ExpectedServerSignType" => "EC",
295 "ExpectedResult" => "Success"
296 },
297 },
298 {
299 name => "ECDSA Signature Algorithm Selection compressed point",
300 server => {
301 "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
302 "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
303 "MaxProtocol" => "TLSv1.2"
304 },
305 client => {
306 "SignatureAlgorithms" => "ECDSA+SHA256",
307 },
308 test => {
309 "ExpectedServerCertType" => "P-256",
310 "ExpectedServerSignHash" => "SHA256",
311 "ExpectedServerSignType" => "EC",
312 "ExpectedResult" => "Success"
313 },
314 },
315 {
316 name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
317 server => {
318 "MaxProtocol" => "TLSv1.2"
319 },
320 client => {
321 "SignatureAlgorithms" => "ECDSA+SHA256",
322 },
323 test => {
324 "ExpectedResult" => "ServerFail"
325 },
326 },
327 {
328 name => "RSA Signature Algorithm Selection",
329 server => $server,
330 client => {
331 "SignatureAlgorithms" => "RSA+SHA256",
332 },
333 test => {
334 "ExpectedServerCertType" => "RSA",
335 "ExpectedServerSignHash" => "SHA256",
336 "ExpectedServerSignType" => "RSA",
337 "ExpectedResult" => "Success"
338 },
339 },
340 {
341 name => "RSA-PSS Signature Algorithm Selection",
342 server => $server,
343 client => {
344 "SignatureAlgorithms" => "RSA-PSS+SHA256",
345 },
346 test => {
347 "ExpectedServerCertType" => "RSA",
348 "ExpectedServerSignHash" => "SHA256",
349 "ExpectedServerSignType" => "RSA-PSS",
350 "ExpectedResult" => "Success"
351 },
352 },
353 {
354 name => "RSA-PSS Certificate Legacy Signature Algorithm Selection",
355 server => $server_pss,
356 client => {
357 "SignatureAlgorithms" => "RSA-PSS+SHA256",
358 },
359 test => {
360 "ExpectedServerCertType" => "RSA",
361 "ExpectedServerSignHash" => "SHA256",
362 "ExpectedServerSignType" => "RSA-PSS",
363 "ExpectedResult" => "Success"
364 },
365 },
366 {
367 name => "RSA-PSS Certificate Unified Signature Algorithm Selection",
368 server => $server_pss,
369 client => {
370 "SignatureAlgorithms" => "rsa_pss_pss_sha256",
371 },
372 test => {
373 "ExpectedServerCertType" => "RSA-PSS",
374 "ExpectedServerSignHash" => "SHA256",
375 "ExpectedServerSignType" => "RSA-PSS",
376 "ExpectedResult" => "Success"
377 },
378 },
379 {
380 name => "Only RSA-PSS Certificate",
381 server => $server_pss_only,
382 client => {},
383 test => {
384 "ExpectedServerCertType" => "RSA-PSS",
385 "ExpectedServerSignHash" => "SHA256",
386 "ExpectedServerSignType" => "RSA-PSS",
387 "ExpectedResult" => "Success"
388 },
389 },
390 {
391 name => "Only RSA-PSS Certificate Valid Signature Algorithms",
392 server => $server_pss_only,
393 client => {
394 "SignatureAlgorithms" => "rsa_pss_pss_sha512",
395 },
396 test => {
397 "ExpectedServerCertType" => "RSA-PSS",
398 "ExpectedServerSignHash" => "SHA512",
399 "ExpectedServerSignType" => "RSA-PSS",
400 "ExpectedResult" => "Success"
401 },
402 },
403 {
404 name => "RSA-PSS Certificate, no PSS signature algorithms",
405 server => $server_pss_only,
406 client => {
407 "SignatureAlgorithms" => "RSA+SHA256",
408 },
409 test => {
410 "ExpectedResult" => "ServerFail"
411 },
412 },
413 {
414 name => "Only RSA-PSS Restricted Certificate",
415 server => $server_pss_restrict_only,
416 client => {},
417 test => {
418 "ExpectedServerCertType" => "RSA-PSS",
419 "ExpectedServerSignHash" => "SHA256",
420 "ExpectedServerSignType" => "RSA-PSS",
421 "ExpectedResult" => "Success"
422 },
423 },
424 {
425 name => "RSA-PSS Restricted Certificate Valid Signature Algorithms",
426 server => $server_pss_restrict_only,
427 client => {
428 "SignatureAlgorithms" => "rsa_pss_pss_sha256:rsa_pss_pss_sha512",
429 },
430 test => {
431 "ExpectedServerCertType" => "RSA-PSS",
432 "ExpectedServerSignHash" => "SHA256",
433 "ExpectedServerSignType" => "RSA-PSS",
434 "ExpectedResult" => "Success"
435 },
436 },
437 {
438 name => "RSA-PSS Restricted Cert client prefers invalid Signature Algorithm",
439 server => $server_pss_restrict_only,
440 client => {
441 "SignatureAlgorithms" => "rsa_pss_pss_sha512:rsa_pss_pss_sha256",
442 },
443 test => {
444 "ExpectedServerCertType" => "RSA-PSS",
445 "ExpectedServerSignHash" => "SHA256",
446 "ExpectedServerSignType" => "RSA-PSS",
447 "ExpectedResult" => "Success"
448 },
449 },
450 {
451 name => "RSA-PSS Restricted Certificate Invalid Signature Algorithms",
452 server => $server_pss_restrict_only,
453 client => {
454 "SignatureAlgorithms" => "rsa_pss_pss_sha512",
455 },
456 test => {
457 "ExpectedResult" => "ServerFail"
458 },
459 },
460 {
461 name => "RSA key exchange with all RSA certificate types",
462 server => $server_rsa_all,
463 client => {
464 "CipherString" => "kRSA",
465 "MaxProtocol" => "TLSv1.2",
466 },
467 test => {
468 "ExpectedServerCertType" =>, "RSA",
469 "ExpectedResult" => "Success"
470 },
471 },
472 {
473 name => "RSA key exchange with only RSA-PSS certificate",
474 server => $server_pss_only,
475 client => {
476 "CipherString" => "kRSA",
477 "MaxProtocol" => "TLSv1.2",
478 },
479 test => {
480 "ExpectedResult" => "ServerFail"
481 },
482 },
483 {
484 name => "Suite B P-256 Hash Algorithm Selection",
485 server => {
486 "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
487 "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
488 "MaxProtocol" => "TLSv1.2",
489 "CipherString" => "SUITEB128"
490 },
491 client => {
492 "VerifyCAFile" => test_pem("p384-root.pem"),
493 "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
494 },
495 test => {
496 "ExpectedServerCertType" => "P-256",
497 "ExpectedServerSignHash" => "SHA256",
498 "ExpectedServerSignType" => "EC",
499 "ExpectedResult" => "Success"
500 },
501 },
502 {
503 name => "Suite B P-384 Hash Algorithm Selection",
504 server => {
505 "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
506 "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
507 "MaxProtocol" => "TLSv1.2",
508 "CipherString" => "SUITEB128"
509 },
510 client => {
511 "VerifyCAFile" => test_pem("p384-root.pem"),
512 "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
513 },
514 test => {
515 "ExpectedServerCertType" => "P-384",
516 "ExpectedServerSignHash" => "SHA384",
517 "ExpectedServerSignType" => "EC",
518 "ExpectedResult" => "Success"
519 },
520 },
521 {
522 name => "TLS 1.2 Ed25519 Client Auth",
523 server => {
524 "VerifyCAFile" => test_pem("root-cert.pem"),
525 "VerifyMode" => "Require"
526 },
527 client => {
528 "Ed25519.Certificate" => test_pem("client-ed25519-cert.pem"),
529 "Ed25519.PrivateKey" => test_pem("client-ed25519-key.pem"),
530 "MinProtocol" => "TLSv1.2",
531 "MaxProtocol" => "TLSv1.2"
532 },
533 test => {
534 "ExpectedClientCertType" => "Ed25519",
535 "ExpectedClientSignType" => "Ed25519",
536 "ExpectedResult" => "Success"
537 },
538 },
539 {
540 name => "TLS 1.2 Ed448 Client Auth",
541 server => {
542 "VerifyCAFile" => test_pem("root-cert.pem"),
543 "VerifyMode" => "Require"
544 },
545 client => {
546 "Ed448.Certificate" => test_pem("client-ed448-cert.pem"),
547 "Ed448.PrivateKey" => test_pem("client-ed448-key.pem"),
548 "MinProtocol" => "TLSv1.2",
549 "MaxProtocol" => "TLSv1.2"
550 },
551 test => {
552 "ExpectedClientCertType" => "Ed448",
553 "ExpectedClientSignType" => "Ed448",
554 "ExpectedResult" => "Success"
555 },
556 },
557);
558
559my @tests_tls_1_1 = (
560 {
561 name => "Only RSA-PSS Certificate, TLS v1.1",
562 server => $server_pss_only,
563 client => {
564 "MaxProtocol" => "TLSv1.1",
565 },
566 test => {
567 "ExpectedResult" => "ServerFail"
568 },
569 },
570);
571
572push @tests, @tests_tls_1_1 unless disabled("tls1_1");
573
574my $server_tls_1_3 = {
575 "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
576 "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
577 "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
578 "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
579 "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
580 "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
581 "MinProtocol" => "TLSv1.3",
582 "MaxProtocol" => "TLSv1.3"
583};
584
585my $server_tls_1_3_pss = {
586 "PSS.Certificate" => test_pem("server-pss-cert.pem"),
587 "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
588 "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
589 "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
590 "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
591 "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
592 "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
593 "Ed448.PrivateKey" => test_pem("server-ed449-key.pem"),
594 "MinProtocol" => "TLSv1.3",
595 "MaxProtocol" => "TLSv1.3"
596};
597
598my $client_tls_1_3 = {
599 "RSA.Certificate" => test_pem("ee-client-chain.pem"),
600 "RSA.PrivateKey" => test_pem("ee-key.pem"),
601 "ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
602 "ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"),
603 "MinProtocol" => "TLSv1.3",
604 "MaxProtocol" => "TLSv1.3"
605};
606
607my @tests_tls_1_3 = (
608 {
609 name => "TLS 1.3 ECDSA Signature Algorithm Selection",
610 server => $server_tls_1_3,
611 client => {
612 "SignatureAlgorithms" => "ECDSA+SHA256",
613 },
614 test => {
615 "ExpectedServerCertType" => "P-256",
616 "ExpectedServerSignHash" => "SHA256",
617 "ExpectedServerSignType" => "EC",
618 "ExpectedServerCANames" => "empty",
619 "ExpectedResult" => "Success"
620 },
621 },
622 {
623 name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point",
624 server => {
625 "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
626 "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
627 "MinProtocol" => "TLSv1.3",
628 "MaxProtocol" => "TLSv1.3"
629 },
630 client => {
631 "SignatureAlgorithms" => "ECDSA+SHA256",
632 },
633 test => {
634 "ExpectedServerCertType" => "P-256",
635 "ExpectedServerSignHash" => "SHA256",
636 "ExpectedServerSignType" => "EC",
637 "ExpectedServerCANames" => "empty",
638 "ExpectedResult" => "Success"
639 },
640 },
641 {
642 name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1",
643 server => $server_tls_1_3,
644 client => {
645 "SignatureAlgorithms" => "ECDSA+SHA1",
646 },
647 test => {
648 "ExpectedResult" => "ServerFail"
649 },
650 },
651 {
652 name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
653 server => $server_tls_1_3,
654 client => {
655 "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
656 "RequestCAFile" => test_pem("root-cert.pem"),
657 },
658 test => {
659 "ExpectedServerCertType" => "P-256",
660 "ExpectedServerSignHash" => "SHA256",
661 "ExpectedServerSignType" => "EC",
662 "ExpectedServerCANames" => test_pem("root-cert.pem"),
663 "ExpectedResult" => "Success"
664 },
665 },
666 {
667 name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
668 server => $server_tls_1_3,
669 client => {
670 "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
671 },
672 test => {
673 "ExpectedServerCertType" => "RSA",
674 "ExpectedServerSignHash" => "SHA384",
675 "ExpectedServerSignType" => "RSA-PSS",
676 "ExpectedResult" => "Success"
677 },
678 },
679 {
680 name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
681 server => {
682 "MinProtocol" => "TLSv1.3",
683 "MaxProtocol" => "TLSv1.3"
684 },
685 client => {
686 "SignatureAlgorithms" => "ECDSA+SHA256",
687 },
688 test => {
689 "ExpectedResult" => "ServerFail"
690 },
691 },
692 {
693 name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
694 server => $server_tls_1_3,
695 client => {
696 "SignatureAlgorithms" => "RSA+SHA256",
697 },
698 test => {
699 "ExpectedResult" => "ServerFail"
700 },
701 },
702 {
703 name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
704 server => $server_tls_1_3,
705 client => {
706 "SignatureAlgorithms" => "RSA-PSS+SHA256",
707 },
708 test => {
709 "ExpectedServerCertType" => "RSA",
710 "ExpectedServerSignHash" => "SHA256",
711 "ExpectedServerSignType" => "RSA-PSS",
712 "ExpectedResult" => "Success"
713 },
714 },
715 {
716 name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
717 server => $server_tls_1_3,
718 client => {
719 "SignatureAlgorithms" => "ed25519",
720 },
721 test => {
722 "ExpectedServerCertType" => "Ed25519",
723 "ExpectedServerSignType" => "Ed25519",
724 "ExpectedResult" => "Success"
725 },
726 },
727 {
728 name => "TLS 1.3 Ed448 Signature Algorithm Selection",
729 server => $server_tls_1_3,
730 client => {
731 "SignatureAlgorithms" => "ed448",
732 "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
733 },
734 test => {
735 "ExpectedServerCertType" => "Ed448",
736 "ExpectedServerSignType" => "Ed448",
737 "ExpectedResult" => "Success"
738 },
739 },
740 {
741 name => "TLS 1.3 Ed25519 CipherString and Groups Selection",
742 server => $server_tls_1_3,
743 client => {
744 "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
745 # Excluding P-256 from the supported groups list should
746 # mean server still uses a P-256 certificate because supported
747 # groups is not used in signature selection for TLS 1.3
748 "Groups" => "X25519"
749 },
750 test => {
751 "ExpectedServerCertType" =>, "P-256",
752 "ExpectedServerSignType" =>, "EC",
753 "ExpectedResult" => "Success"
754 },
755 },
756 {
757 name => "TLS 1.3 Ed448 CipherString and Groups Selection",
758 server => $server_tls_1_3,
759 client => {
760 "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
761 # Excluding P-256 from the supported groups list should
762 # mean server still uses a P-256 certificate because supported
763 # groups is not used in signature selection for TLS 1.3
764 "Groups" => "X448"
765 },
766 test => {
767 "ExpectedServerCertType" =>, "P-256",
768 "ExpectedServerSignType" =>, "EC",
769 "ExpectedResult" => "Success"
770 },
771 },
772 {
773 name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
774 server => {
775 "ClientSignatureAlgorithms" => "PSS+SHA256",
776 "VerifyCAFile" => test_pem("root-cert.pem"),
777 "VerifyMode" => "Require"
778 },
779 client => $client_tls_1_3,
780 test => {
781 "ExpectedClientCertType" => "RSA",
782 "ExpectedClientSignHash" => "SHA256",
783 "ExpectedClientSignType" => "RSA-PSS",
784 "ExpectedClientCANames" => "empty",
785 "ExpectedResult" => "Success"
786 },
787 },
788 {
789 name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
790 server => {
791 "ClientSignatureAlgorithms" => "PSS+SHA256",
792 "VerifyCAFile" => test_pem("root-cert.pem"),
793 "RequestCAFile" => test_pem("root-cert.pem"),
794 "VerifyMode" => "Require"
795 },
796 client => $client_tls_1_3,
797 test => {
798 "ExpectedClientCertType" => "RSA",
799 "ExpectedClientSignHash" => "SHA256",
800 "ExpectedClientSignType" => "RSA-PSS",
801 "ExpectedClientCANames" => test_pem("root-cert.pem"),
802 "ExpectedResult" => "Success"
803 },
804 },
805 {
806 name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
807 server => {
808 "ClientSignatureAlgorithms" => "ECDSA+SHA256",
809 "VerifyCAFile" => test_pem("root-cert.pem"),
810 "VerifyMode" => "Require"
811 },
812 client => $client_tls_1_3,
813 test => {
814 "ExpectedClientCertType" => "P-256",
815 "ExpectedClientSignHash" => "SHA256",
816 "ExpectedClientSignType" => "EC",
817 "ExpectedResult" => "Success"
818 },
819 },
820 {
821 name => "TLS 1.3 Ed25519 Client Auth",
822 server => {
823 "VerifyCAFile" => test_pem("root-cert.pem"),
824 "VerifyMode" => "Require"
825 },
826 client => {
827 "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
828 "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
829 "MinProtocol" => "TLSv1.3",
830 "MaxProtocol" => "TLSv1.3"
831 },
832 test => {
833 "ExpectedClientCertType" => "Ed25519",
834 "ExpectedClientSignType" => "Ed25519",
835 "ExpectedResult" => "Success"
836 },
837 },
838 {
839 name => "TLS 1.3 Ed448 Client Auth",
840 server => {
841 "VerifyCAFile" => test_pem("root-cert.pem"),
842 "VerifyMode" => "Require"
843 },
844 client => {
845 "EdDSA.Certificate" => test_pem("client-ed448-cert.pem"),
846 "EdDSA.PrivateKey" => test_pem("client-ed448-key.pem"),
847 "MinProtocol" => "TLSv1.3",
848 "MaxProtocol" => "TLSv1.3"
849 },
850 test => {
851 "ExpectedClientCertType" => "Ed448",
852 "ExpectedClientSignType" => "Ed448",
853 "ExpectedResult" => "Success"
854 },
855 },
856 {
857 name => "TLS 1.3 ECDSA with brainpool",
858 server => {
859 "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
860 "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
861 "Groups" => "brainpoolP256r1",
862 },
863 client => {
864 "RequestCAFile" => test_pem("root-cert.pem"),
865 "Groups" => "brainpoolP256r1",
866 "MinProtocol" => "TLSv1.3",
867 "MaxProtocol" => "TLSv1.3"
868 },
869 test => {
870 "ExpectedResult" => "ServerFail"
871 },
872 },
873);
874
875push @tests, @tests_tls_1_3 unless disabled("tls1_3");
876
877my @tests_dsa_tls_1_2 = (
878 {
879 name => "TLS 1.2 DSA Certificate Test",
880 server => {
881 "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
882 "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
883 "DHParameters" => test_pem("dhp2048.pem"),
884 "MinProtocol" => "TLSv1.2",
885 "MaxProtocol" => "TLSv1.2",
886 "CipherString" => "ALL",
887 },
888 client => {
889 "SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
890 "CipherString" => "ALL",
891 },
892 test => {
893 "ExpectedResult" => "Success"
894 },
895 },
896);
897
898my @tests_dsa_tls_1_3 = (
899 {
900 name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
901 server => {
902 "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
903 "VerifyCAFile" => test_pem("root-cert.pem"),
904 "VerifyMode" => "Request"
905 },
906 client => {},
907 test => {
908 "ExpectedResult" => "ServerFail"
909 },
910 },
911 {
912 name => "TLS 1.3 DSA Certificate Test",
913 server => {
914 "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
915 "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
916 "MinProtocol" => "TLSv1.3",
917 "MaxProtocol" => "TLSv1.3",
918 "CipherString" => "ALL",
919 },
920 client => {
921 "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256:ECDSA+SHA256",
922 "CipherString" => "ALL",
923 },
924 test => {
925 "ExpectedResult" => "ServerFail"
926 },
927 },
928);
929
930if (!disabled("dsa")) {
931 push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
932 push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
933}