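# -*- mode: perl; -*-

## SSL test configurations
##
## Certificate and signature algorithm selection cases. Each entry of @tests
## is a hash with four keys:
##   name   - label of the case (several cases share a label)
##   server - server-side settings (certificates, keys, protocol limits, ...)
##   client - client-side settings
##   test   - what the handshake is expected to produce
##
## This file only builds data. test_pem() is not defined here and is
## presumably supplied by whatever loads this package; disabled() comes from
## OpenSSL::Test::Utils. The loader that turns these entries into handshakes
## is not part of this file.
##
## Cases expecting "ServerFail" are as important as the "Success" ones: they
## pin down that a server refuses to sign with an algorithm or certificate
## the peer did not offer, or that the protocol version does not permit.

use strict;
use warnings;

package ssltests;
use OpenSSL::Test::Utils;

# Default TLS 1.2 server: ECDSA, Ed25519 and Ed448 certificates. No RSA
# certificate is listed here, yet the RSA cases below expect one, so it
# presumably comes from the harness defaults -- confirm.
my $server = {
    "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
    "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
    "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
    "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
    "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
    "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
    "MaxProtocol" => "TLSv1.2"
};

# Same as $server plus an RSA-PSS certificate.
my $server_pss = {
    "PSS.Certificate" => test_pem("server-pss-cert.pem"),
    "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
    "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
    "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
    "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
    "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
    "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
    "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
    "MaxProtocol" => "TLSv1.2"
};

# Server whose only configured certificate is RSA-PSS.
my $server_pss_only = {
    "Certificate" => test_pem("server-pss-cert.pem"),
    "PrivateKey" => test_pem("server-pss-key.pem"),
};

# Server whose only configured certificate is the "restricted" RSA-PSS one.
# Judging by the cases below, that certificate is usable with SHA256 but not
# with SHA512.
my $server_pss_restrict_only = {
    "Certificate" => test_pem("server-pss-restrict-cert.pem"),
    "PrivateKey" => test_pem("server-pss-restrict-key.pem"),
};

# Server holding both an RSA-PSS and a plain RSA certificate.
my $server_rsa_all = {
    "PSS.Certificate" => test_pem("server-pss-cert.pem"),
    "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
    "Certificate" => test_pem("servercert.pem"),
    "PrivateKey" => test_pem("serverkey.pem"),
};

our @tests = (
    {
        name => "ECDSA CipherString Selection",
        server => $server,
        client => {
            "CipherString" => "aECDSA",
            "MaxProtocol" => "TLSv1.2",
            "RequestCAFile" => test_pem("root-cert.pem"),
        },
        test => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignType" => "EC",
            # Note: certificate_authorities not sent for TLS < 1.3
            "ExpectedServerCANames" => "empty",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "ECDSA CipherString Selection",
        server => {
            "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
            "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
            "MaxProtocol" => "TLSv1.2",
            # Deliberately set supported_groups to one not in the cert. This
            # should be tolerated
            "Groups" => "P-384"
        },
        client => {
            "CipherString" => "aECDSA",
            "MaxProtocol" => "TLSv1.2",
            "Groups" => "P-256:P-384",
            "RequestCAFile" => test_pem("root-cert.pem"),
        },
        test => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignType" => "EC",
            # Note: certificate_authorities not sent for TLS < 1.3
            "ExpectedServerCANames" => "empty",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "ECDSA CipherString Selection",
        server => {
            "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
            "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
            "MaxProtocol" => "TLSv1.2",
            "Groups" => "P-256:P-384"
        },
        client => {
            "CipherString" => "aECDSA",
            "MaxProtocol" => "TLSv1.2",
            # Deliberately set groups to not include the certificate group.
            # This should fail
            "Groups" => "P-384",
            "RequestCAFile" => test_pem("root-cert.pem"),
        },
        test => {
            "ExpectedResult" => "ServerFail"
        },
    },
    {
        name => "Ed25519 CipherString and Signature Algorithm Selection",
        server => $server,
        client => {
            "CipherString" => "aECDSA",
            "MaxProtocol" => "TLSv1.2",
            "SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
            "RequestCAFile" => test_pem("root-cert.pem"),
        },
        test => {
            "ExpectedServerCertType" => "Ed25519",
            "ExpectedServerSignType" => "Ed25519",
            # Note: certificate_authorities not sent for TLS < 1.3
            "ExpectedServerCANames" => "empty",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "Ed448 CipherString and Signature Algorithm Selection",
        server => $server,
        client => {
            "CipherString" => "aECDSA",
            "MaxProtocol" => "TLSv1.2",
            "SignatureAlgorithms" => "ed448:ECDSA+SHA256",
            "RequestCAFile" => test_pem("root-ed448-cert.pem"),
            "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
        },
        test => {
            "ExpectedServerCertType" => "Ed448",
            "ExpectedServerSignType" => "Ed448",
            # Note: certificate_authorities not sent for TLS < 1.3
            "ExpectedServerCANames" => "empty",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "ECDSA with brainpool",
        server => {
            "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
            "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
            "Groups" => "brainpoolP256r1",
        },
        client => {
            # We don't restrict this to TLSv1.2, although use of brainpool
            # should force this anyway so that this should succeed
            "CipherString" => "aECDSA",
            "RequestCAFile" => test_pem("root-cert.pem"),
            "Groups" => "brainpoolP256r1",
        },
        test => {
            "ExpectedServerCertType" => "brainpoolP256r1",
            "ExpectedServerSignType" => "EC",
            # Note: certificate_authorities not sent for TLS < 1.3
            "ExpectedServerCANames" => "empty",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "RSA CipherString Selection",
        server => $server,
        client => {
            "CipherString" => "aRSA",
            "MaxProtocol" => "TLSv1.2",
        },
        test => {
            "ExpectedServerCertType" => "RSA",
            "ExpectedServerSignType" => "RSA-PSS",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "RSA-PSS Certificate CipherString Selection",
        server => $server_pss,
        client => {
            "CipherString" => "aRSA",
            "MaxProtocol" => "TLSv1.2",
        },
        test => {
            "ExpectedServerCertType" => "RSA-PSS",
            "ExpectedServerSignType" => "RSA-PSS",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "P-256 CipherString and Signature Algorithm Selection",
        server => $server,
        client => {
            "CipherString" => "aECDSA",
            "MaxProtocol" => "TLSv1.2",
            "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
        },
        test => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "Ed25519 CipherString and Curves Selection",
        server => $server,
        client => {
            "CipherString" => "aECDSA",
            "MaxProtocol" => "TLSv1.2",
            "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
            # Excluding P-256 from the supported curves list means server
            # certificate should be Ed25519 and not P-256
            "Curves" => "X25519"
        },
        test => {
            "ExpectedServerCertType" => "Ed25519",
            "ExpectedServerSignType" => "Ed25519",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "Ed448 CipherString and Curves Selection",
        server => $server,
        client => {
            "CipherString" => "aECDSA",
            "MaxProtocol" => "TLSv1.2",
            "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
            "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
            # Excluding P-256 from the supported curves list means server
            # certificate should be Ed448 and not P-256
            "Curves" => "X448"
        },
        test => {
            "ExpectedServerCertType" => "Ed448",
            "ExpectedServerSignType" => "Ed448",
            "ExpectedResult" => "Success"
        },
    },
    {
        # The server lists no ECDSA certificate, so a client that accepts
        # only ECDSA authentication must not get a handshake.
        name => "ECDSA CipherString Selection, no ECDSA certificate",
        server => {
            "MaxProtocol" => "TLSv1.2"
        },
        client => {
            "CipherString" => "aECDSA",
            "MaxProtocol" => "TLSv1.2"
        },
        test => {
            "ExpectedResult" => "ServerFail"
        },
    },
    {
        name => "ECDSA Signature Algorithm Selection",
        server => $server,
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA256",
        },
        test => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "ECDSA Signature Algorithm Selection SHA384",
        server => $server,
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA384",
        },
        test => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignHash" => "SHA384",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        # SHA1 is the only hash the client offers and this server is capped
        # at TLS 1.2, where the case expects it to be accepted. The TLS 1.3
        # counterpart further down expects ServerFail.
        name => "ECDSA Signature Algorithm Selection SHA1",
        server => $server,
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA1",
        },
        test => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignHash" => "SHA1",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "ECDSA Signature Algorithm Selection compressed point",
        server => {
            "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
            "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
            "MaxProtocol" => "TLSv1.2"
        },
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA256",
        },
        test => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
        server => {
            "MaxProtocol" => "TLSv1.2"
        },
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA256",
        },
        test => {
            "ExpectedResult" => "ServerFail"
        },
    },
    {
        name => "RSA Signature Algorithm Selection",
        server => $server,
        client => {
            "SignatureAlgorithms" => "RSA+SHA256",
        },
        test => {
            "ExpectedServerCertType" => "RSA",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "RSA",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "RSA-PSS Signature Algorithm Selection",
        server => $server,
        client => {
            "SignatureAlgorithms" => "RSA-PSS+SHA256",
        },
        test => {
            "ExpectedServerCertType" => "RSA",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "RSA-PSS",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "RSA-PSS Certificate Legacy Signature Algorithm Selection",
        server => $server_pss,
        client => {
            "SignatureAlgorithms" => "RSA-PSS+SHA256",
        },
        test => {
            "ExpectedServerCertType" => "RSA",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "RSA-PSS",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "RSA-PSS Certificate Unified Signature Algorithm Selection",
        server => $server_pss,
        client => {
            "SignatureAlgorithms" => "rsa_pss_pss_sha256",
        },
        test => {
            "ExpectedServerCertType" => "RSA-PSS",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "RSA-PSS",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "Only RSA-PSS Certificate",
        server => $server_pss_only,
        client => {},
        test => {
            "ExpectedServerCertType" => "RSA-PSS",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "RSA-PSS",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "Only RSA-PSS Certificate Valid Signature Algorithms",
        server => $server_pss_only,
        client => {
            "SignatureAlgorithms" => "rsa_pss_pss_sha512",
        },
        test => {
            "ExpectedServerCertType" => "RSA-PSS",
            "ExpectedServerSignHash" => "SHA512",
            "ExpectedServerSignType" => "RSA-PSS",
            "ExpectedResult" => "Success"
        },
    },
    {
        # An RSA-PSS key must not be used to produce a non-PSS signature:
        # the client offers only RSA+SHA256, so the handshake has to fail.
        name => "RSA-PSS Certificate, no PSS signature algorithms",
        server => $server_pss_only,
        client => {
            "SignatureAlgorithms" => "RSA+SHA256",
        },
        test => {
            "ExpectedResult" => "ServerFail"
        },
    },
    {
        name => "Only RSA-PSS Restricted Certificate",
        server => $server_pss_restrict_only,
        client => {},
        test => {
            "ExpectedServerCertType" => "RSA-PSS",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "RSA-PSS",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "RSA-PSS Restricted Certificate Valid Signature Algorithms",
        server => $server_pss_restrict_only,
        client => {
            "SignatureAlgorithms" => "rsa_pss_pss_sha256:rsa_pss_pss_sha512",
        },
        test => {
            "ExpectedServerCertType" => "RSA-PSS",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "RSA-PSS",
            "ExpectedResult" => "Success"
        },
    },
    {
        # The client lists SHA512 first, but the server is expected to skip
        # it and sign with SHA256 rather than follow the peer's preference.
        name => "RSA-PSS Restricted Cert client prefers invalid Signature Algorithm",
        server => $server_pss_restrict_only,
        client => {
            "SignatureAlgorithms" => "rsa_pss_pss_sha512:rsa_pss_pss_sha256",
        },
        test => {
            "ExpectedServerCertType" => "RSA-PSS",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "RSA-PSS",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "RSA-PSS Restricted Certificate Invalid Signature Algorithms",
        server => $server_pss_restrict_only,
        client => {
            "SignatureAlgorithms" => "rsa_pss_pss_sha512",
        },
        test => {
            "ExpectedResult" => "ServerFail"
        },
    },
    {
        name => "RSA key exchange with all RSA certificate types",
        server => $server_rsa_all,
        client => {
            "CipherString" => "kRSA",
            "MaxProtocol" => "TLSv1.2",
        },
        test => {
            "ExpectedServerCertType" => "RSA",
            "ExpectedResult" => "Success"
        },
    },
    {
        # With only an RSA-PSS certificate available, RSA key exchange
        # (kRSA) is expected to be refused.
        name => "RSA key exchange with only RSA-PSS certificate",
        server => $server_pss_only,
        client => {
            "CipherString" => "kRSA",
            "MaxProtocol" => "TLSv1.2",
        },
        test => {
            "ExpectedResult" => "ServerFail"
        },
    },
    {
        # The client prefers SHA384, yet the P-256 certificate is expected
        # to be used with SHA256 under SUITEB128.
        name => "Suite B P-256 Hash Algorithm Selection",
        server => {
            "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
            "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
            "MaxProtocol" => "TLSv1.2",
            "CipherString" => "SUITEB128"
        },
        client => {
            "VerifyCAFile" => test_pem("p384-root.pem"),
            "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
        },
        test => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        # Mirror image of the previous case: the client prefers SHA256, yet
        # the P-384 certificate is expected to be used with SHA384.
        name => "Suite B P-384 Hash Algorithm Selection",
        server => {
            "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
            "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
            "MaxProtocol" => "TLSv1.2",
            "CipherString" => "SUITEB128"
        },
        client => {
            "VerifyCAFile" => test_pem("p384-root.pem"),
            "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
        },
        test => {
            "ExpectedServerCertType" => "P-384",
            "ExpectedServerSignHash" => "SHA384",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "TLS 1.2 Ed25519 Client Auth",
        server => {
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Require"
        },
        client => {
            "Ed25519.Certificate" => test_pem("client-ed25519-cert.pem"),
            "Ed25519.PrivateKey" => test_pem("client-ed25519-key.pem"),
            "MinProtocol" => "TLSv1.2",
            "MaxProtocol" => "TLSv1.2"
        },
        test => {
            "ExpectedClientCertType" => "Ed25519",
            "ExpectedClientSignType" => "Ed25519",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "TLS 1.2 Ed448 Client Auth",
        server => {
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Require"
        },
        client => {
            "Ed448.Certificate" => test_pem("client-ed448-cert.pem"),
            "Ed448.PrivateKey" => test_pem("client-ed448-key.pem"),
            "MinProtocol" => "TLSv1.2",
            "MaxProtocol" => "TLSv1.2"
        },
        test => {
            "ExpectedClientCertType" => "Ed448",
            "ExpectedClientSignType" => "Ed448",
            "ExpectedResult" => "Success"
        },
    },
);

# A client capped at TLS 1.1 cannot be served by an RSA-PSS-only server.
my @tests_tls_1_1 = (
    {
        name => "Only RSA-PSS Certificate, TLS v1.1",
        server => $server_pss_only,
        client => {
            "MaxProtocol" => "TLSv1.1",
        },
        test => {
            "ExpectedResult" => "ServerFail"
        },
    },
);

push @tests, @tests_tls_1_1 unless disabled("tls1_1");

# TLS 1.3-only counterpart of $server.
my $server_tls_1_3 = {
    "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
    "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
    "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
    "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
    "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
    "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
    "MinProtocol" => "TLSv1.3",
    "MaxProtocol" => "TLSv1.3"
};

# TLS 1.3-only counterpart of $server_pss. No case in this file refers to
# it. The Ed448 key must be the one belonging to server-ed448-cert.pem; a
# mismatched file name here would only surface once a case starts using
# this configuration.
my $server_tls_1_3_pss = {
    "PSS.Certificate" => test_pem("server-pss-cert.pem"),
    "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
    "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
    "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
    "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
    "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
    "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
    "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
    "MinProtocol" => "TLSv1.3",
    "MaxProtocol" => "TLSv1.3"
};

# TLS 1.3-only client holding RSA and ECDSA client certificates.
my $client_tls_1_3 = {
    "RSA.Certificate" => test_pem("ee-client-chain.pem"),
    "RSA.PrivateKey" => test_pem("ee-key.pem"),
    "ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
    "ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"),
    "MinProtocol" => "TLSv1.3",
    "MaxProtocol" => "TLSv1.3"
};

# In every case of this group at least one side pins Min/MaxProtocol to
# TLSv1.3.
my @tests_tls_1_3 = (
    {
        name => "TLS 1.3 ECDSA Signature Algorithm Selection",
        server => $server_tls_1_3,
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA256",
        },
        test => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "EC",
            "ExpectedServerCANames" => "empty",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point",
        server => {
            "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
            "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3"
        },
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA256",
        },
        test => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "EC",
            "ExpectedServerCANames" => "empty",
            "ExpectedResult" => "Success"
        },
    },
    {
        # A SHA1-only offer must not yield a TLS 1.3 handshake; compare the
        # TLS 1.2 SHA1 case above, which expects Success.
        name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1",
        server => $server_tls_1_3,
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA1",
        },
        test => {
            "ExpectedResult" => "ServerFail"
        },
    },
    {
        name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
        server => $server_tls_1_3,
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
            "RequestCAFile" => test_pem("root-cert.pem"),
        },
        test => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "EC",
            # Unlike the TLS 1.2 cases, the CA names requested by the
            # client are expected to be seen here.
            "ExpectedServerCANames" => test_pem("root-cert.pem"),
            "ExpectedResult" => "Success"
        },
    },
    {
        # ECDSA+SHA384 is listed first, but the expected outcome is an RSA
        # certificate: in TLS 1.3 that scheme is tied to P-384 and the
        # server's EC certificate is P-256. The RSA certificate itself is
        # not configured in this file -- presumably a harness default.
        name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
        server => $server_tls_1_3,
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
        },
        test => {
            "ExpectedServerCertType" => "RSA",
            "ExpectedServerSignHash" => "SHA384",
            "ExpectedServerSignType" => "RSA-PSS",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
        server => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3"
        },
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA256",
        },
        test => {
            "ExpectedResult" => "ServerFail"
        },
    },
    {
        # RSA+SHA256 (PKCS#1 v1.5) alone is not an acceptable handshake
        # signature in TLS 1.3, so the server has nothing it may sign with.
        name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
        server => $server_tls_1_3,
        client => {
            "SignatureAlgorithms" => "RSA+SHA256",
        },
        test => {
            "ExpectedResult" => "ServerFail"
        },
    },
    {
        name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
        server => $server_tls_1_3,
        client => {
            "SignatureAlgorithms" => "RSA-PSS+SHA256",
        },
        test => {
            "ExpectedServerCertType" => "RSA",
            "ExpectedServerSignHash" => "SHA256",
            "ExpectedServerSignType" => "RSA-PSS",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
        server => $server_tls_1_3,
        client => {
            "SignatureAlgorithms" => "ed25519",
        },
        test => {
            "ExpectedServerCertType" => "Ed25519",
            "ExpectedServerSignType" => "Ed25519",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "TLS 1.3 Ed448 Signature Algorithm Selection",
        server => $server_tls_1_3,
        client => {
            "SignatureAlgorithms" => "ed448",
            "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
        },
        test => {
            "ExpectedServerCertType" => "Ed448",
            "ExpectedServerSignType" => "Ed448",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "TLS 1.3 Ed25519 CipherString and Groups Selection",
        server => $server_tls_1_3,
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
            # Excluding P-256 from the supported groups list should
            # mean server still uses a P-256 certificate because supported
            # groups is not used in signature selection for TLS 1.3
            "Groups" => "X25519"
        },
        test => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "TLS 1.3 Ed448 CipherString and Groups Selection",
        server => $server_tls_1_3,
        client => {
            "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
            # Excluding P-256 from the supported groups list should
            # mean server still uses a P-256 certificate because supported
            # groups is not used in signature selection for TLS 1.3
            "Groups" => "X448"
        },
        test => {
            "ExpectedServerCertType" => "P-256",
            "ExpectedServerSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
        server => {
            "ClientSignatureAlgorithms" => "PSS+SHA256",
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Require"
        },
        client => $client_tls_1_3,
        test => {
            "ExpectedClientCertType" => "RSA",
            "ExpectedClientSignHash" => "SHA256",
            "ExpectedClientSignType" => "RSA-PSS",
            "ExpectedClientCANames" => "empty",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
        server => {
            "ClientSignatureAlgorithms" => "PSS+SHA256",
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "RequestCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Require"
        },
        client => $client_tls_1_3,
        test => {
            "ExpectedClientCertType" => "RSA",
            "ExpectedClientSignHash" => "SHA256",
            "ExpectedClientSignType" => "RSA-PSS",
            "ExpectedClientCANames" => test_pem("root-cert.pem"),
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
        server => {
            "ClientSignatureAlgorithms" => "ECDSA+SHA256",
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Require"
        },
        client => $client_tls_1_3,
        test => {
            "ExpectedClientCertType" => "P-256",
            "ExpectedClientSignHash" => "SHA256",
            "ExpectedClientSignType" => "EC",
            "ExpectedResult" => "Success"
        },
    },
    {
        # NOTE(review): the TLS 1.2 client-auth cases use "Ed25519." /
        # "Ed448." key prefixes while these two use "EdDSA." -- confirm the
        # harness accepts both spellings.
        name => "TLS 1.3 Ed25519 Client Auth",
        server => {
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Require"
        },
        client => {
            "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
            "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3"
        },
        test => {
            "ExpectedClientCertType" => "Ed25519",
            "ExpectedClientSignType" => "Ed25519",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "TLS 1.3 Ed448 Client Auth",
        server => {
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Require"
        },
        client => {
            "EdDSA.Certificate" => test_pem("client-ed448-cert.pem"),
            "EdDSA.PrivateKey" => test_pem("client-ed448-key.pem"),
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3"
        },
        test => {
            "ExpectedClientCertType" => "Ed448",
            "ExpectedClientSignType" => "Ed448",
            "ExpectedResult" => "Success"
        },
    },
    {
        # brainpoolP256r1 is the only group either side offers and the
        # client insists on TLS 1.3; unlike the unrestricted brainpool case
        # above, this handshake is expected to fail.
        name => "TLS 1.3 ECDSA with brainpool",
        server => {
            "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
            "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
            "Groups" => "brainpoolP256r1",
        },
        client => {
            "RequestCAFile" => test_pem("root-cert.pem"),
            "Groups" => "brainpoolP256r1",
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3"
        },
        test => {
            "ExpectedResult" => "ServerFail"
        },
    },
);

push @tests, @tests_tls_1_3 unless disabled("tls1_3");

# NOTE(review): both DSA server configurations set CipherString to "ALL",
# presumably so that DSS cipher suites are on offer at all -- confirm.
my @tests_dsa_tls_1_2 = (
    {
        name => "TLS 1.2 DSA Certificate Test",
        server => {
            "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
            "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
            "DHParameters" => test_pem("dhp2048.pem"),
            "MinProtocol" => "TLSv1.2",
            "MaxProtocol" => "TLSv1.2",
            "CipherString" => "ALL",
        },
        client => {
            "SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
            "CipherString" => "ALL",
        },
        test => {
            "ExpectedResult" => "Success"
        },
    },
);

my @tests_dsa_tls_1_3 = (
    {
        # The server asks for client signature algorithms of which, going
        # by the case name, none is usable in TLS 1.3; the handshake is
        # expected to fail rather than proceed.
        name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
        server => {
            "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Request"
        },
        client => {},
        test => {
            "ExpectedResult" => "ServerFail"
        },
    },
    {
        # A DSA-only server pinned to TLS 1.3 is expected to fail even
        # though the client still lists DSA signature algorithms.
        name => "TLS 1.3 DSA Certificate Test",
        server => {
            "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
            "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
            "CipherString" => "ALL",
        },
        client => {
            "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256:ECDSA+SHA256",
            "CipherString" => "ALL",
        },
        test => {
            "ExpectedResult" => "ServerFail"
        },
    },
);

# The DSA cases are skipped entirely when DSA is disabled; the TLS 1.2 case
# additionally needs DH (it loads DHParameters), the TLS 1.3 cases need
# TLS 1.3.
if (!disabled("dsa")) {
    push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
    push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
}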