123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986 |
- # -*- mode: perl; -*-
- ## SSL test configurations
- use strict;
- use warnings;
- package ssltests;
- use OpenSSL::Test::Utils;
- our $fips_mode;
- our $no_deflt_libctx;
- my $server;
- if ($fips_mode) {
- #TODO(3.0): No EdDSA support in FIPS mode at the moment
- $server = {
- "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
- "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
- "MaxProtocol" => "TLSv1.2"
- };
- } else {
- $server = {
- "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
- "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
- "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
- "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
- "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
- "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
- "MaxProtocol" => "TLSv1.2"
- };
- }
- my $server_pss = {
- "PSS.Certificate" => test_pem("server-pss-cert.pem"),
- "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
- "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
- "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
- "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
- "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
- "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
- "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
- "MaxProtocol" => "TLSv1.2"
- };
- my $server_pss_only = {
- "Certificate" => test_pem("server-pss-cert.pem"),
- "PrivateKey" => test_pem("server-pss-key.pem"),
- };
- my $server_pss_restrict_only = {
- "Certificate" => test_pem("server-pss-restrict-cert.pem"),
- "PrivateKey" => test_pem("server-pss-restrict-key.pem"),
- };
- my $server_rsa_all;
- if ($no_deflt_libctx) {
- $server_rsa_all = {
- "Certificate" => test_pem("servercert.pem"),
- "PrivateKey" => test_pem("serverkey.pem"),
- };
- } else {
- $server_rsa_all = {
- "PSS.Certificate" => test_pem("server-pss-cert.pem"),
- "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
- "Certificate" => test_pem("servercert.pem"),
- "PrivateKey" => test_pem("serverkey.pem"),
- };
- }
- our @tests = (
- {
- name => "ECDSA CipherString Selection",
- server => $server,
- client => {
- "CipherString" => "aECDSA",
- "MaxProtocol" => "TLSv1.2",
- "RequestCAFile" => test_pem("root-cert.pem"),
- },
- test => {
- "ExpectedServerCertType" =>, "P-256",
- "ExpectedServerSignType" =>, "EC",
- # Note: certificate_authorities not sent for TLS < 1.3
- "ExpectedServerCANames" =>, "empty",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "ECDSA CipherString Selection",
- server => {
- "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
- "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
- "MaxProtocol" => "TLSv1.2",
- #Deliberately set supported_groups to one not in the cert. This
- #should be tolerated
- "Groups" => "P-384"
- },
- client => {
- "CipherString" => "aECDSA",
- "MaxProtocol" => "TLSv1.2",
- "Groups" => "P-256:P-384",
- "RequestCAFile" => test_pem("root-cert.pem"),
- },
- test => {
- "ExpectedServerCertType" =>, "P-256",
- "ExpectedServerSignType" =>, "EC",
- # Note: certificate_authorities not sent for TLS < 1.3
- "ExpectedServerCANames" =>, "empty",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "ECDSA CipherString Selection",
- server => {
- "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
- "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
- "MaxProtocol" => "TLSv1.2",
- "Groups" => "P-256:P-384"
- },
- client => {
- "CipherString" => "aECDSA",
- "MaxProtocol" => "TLSv1.2",
- #Deliberately set groups to not include the certificate group. This
- #should fail
- "Groups" => "P-384",
- "RequestCAFile" => test_pem("root-cert.pem"),
- },
- test => {
- "ExpectedResult" => "ServerFail"
- },
- },
- {
- name => "RSA CipherString Selection",
- server => $server,
- client => {
- "CipherString" => "aRSA",
- "MaxProtocol" => "TLSv1.2",
- },
- test => {
- "ExpectedServerCertType" =>, "RSA",
- "ExpectedServerSignType" =>, "RSA-PSS",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "P-256 CipherString and Signature Algorithm Selection",
- server => $server,
- client => {
- "CipherString" => "aECDSA",
- "MaxProtocol" => "TLSv1.2",
- "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
- },
- test => {
- "ExpectedServerCertType" => "P-256",
- "ExpectedServerSignHash" => "SHA256",
- "ExpectedServerSignType" => "EC",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "ECDSA CipherString Selection, no ECDSA certificate",
- server => {
- "MaxProtocol" => "TLSv1.2"
- },
- client => {
- "CipherString" => "aECDSA",
- "MaxProtocol" => "TLSv1.2"
- },
- test => {
- "ExpectedResult" => "ServerFail"
- },
- },
- {
- name => "ECDSA Signature Algorithm Selection",
- server => $server,
- client => {
- "SignatureAlgorithms" => "ECDSA+SHA256",
- },
- test => {
- "ExpectedServerCertType" => "P-256",
- "ExpectedServerSignHash" => "SHA256",
- "ExpectedServerSignType" => "EC",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "ECDSA Signature Algorithm Selection SHA384",
- server => $server,
- client => {
- "SignatureAlgorithms" => "ECDSA+SHA384",
- },
- test => {
- "ExpectedServerCertType" => "P-256",
- "ExpectedServerSignHash" => "SHA384",
- "ExpectedServerSignType" => "EC",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "ECDSA Signature Algorithm Selection compressed point",
- server => {
- "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
- "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
- "MaxProtocol" => "TLSv1.2"
- },
- client => {
- "SignatureAlgorithms" => "ECDSA+SHA256",
- },
- test => {
- "ExpectedServerCertType" => "P-256",
- "ExpectedServerSignHash" => "SHA256",
- "ExpectedServerSignType" => "EC",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
- server => {
- "MaxProtocol" => "TLSv1.2"
- },
- client => {
- "SignatureAlgorithms" => "ECDSA+SHA256",
- },
- test => {
- "ExpectedResult" => "ServerFail"
- },
- },
- {
- name => "RSA Signature Algorithm Selection",
- server => $server,
- client => {
- "SignatureAlgorithms" => "RSA+SHA256",
- },
- test => {
- "ExpectedServerCertType" => "RSA",
- "ExpectedServerSignHash" => "SHA256",
- "ExpectedServerSignType" => "RSA",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "RSA-PSS Signature Algorithm Selection",
- server => $server,
- client => {
- "SignatureAlgorithms" => "RSA-PSS+SHA256",
- },
- test => {
- "ExpectedServerCertType" => "RSA",
- "ExpectedServerSignHash" => "SHA256",
- "ExpectedServerSignType" => "RSA-PSS",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "RSA key exchange with all RSA certificate types",
- server => $server_rsa_all,
- client => {
- "CipherString" => "kRSA",
- "MaxProtocol" => "TLSv1.2",
- },
- test => {
- "ExpectedServerCertType" =>, "RSA",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "Suite B P-256 Hash Algorithm Selection",
- server => {
- "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
- "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
- "MaxProtocol" => "TLSv1.2",
- "CipherString" => "SUITEB128"
- },
- client => {
- "VerifyCAFile" => test_pem("p384-root.pem"),
- "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
- },
- test => {
- "ExpectedServerCertType" => "P-256",
- "ExpectedServerSignHash" => "SHA256",
- "ExpectedServerSignType" => "EC",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "Suite B P-384 Hash Algorithm Selection",
- server => {
- "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
- "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
- "MaxProtocol" => "TLSv1.2",
- "CipherString" => "SUITEB128"
- },
- client => {
- "VerifyCAFile" => test_pem("p384-root.pem"),
- "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
- },
- test => {
- "ExpectedServerCertType" => "P-384",
- "ExpectedServerSignHash" => "SHA384",
- "ExpectedServerSignType" => "EC",
- "ExpectedResult" => "Success"
- },
- },
- );
- my @tests_non_fips = (
- {
- name => "ECDSA Signature Algorithm Selection SHA1",
- server => {
- "CipherString" => "DEFAULT:\@SECLEVEL=0",
- "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
- "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
- "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
- "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
- "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
- "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
- "MaxProtocol" => "TLSv1.2"
- },
- client => {
- "CipherString" => "DEFAULT:\@SECLEVEL=0",
- "SignatureAlgorithms" => "ECDSA+SHA1",
- },
- test => {
- "ExpectedServerCertType" => "P-256",
- "ExpectedServerSignHash" => "SHA1",
- "ExpectedServerSignType" => "EC",
- "ExpectedResult" => "Success"
- },
- },
- # TODO(3.0) No Ed25519/Ed448 in FIPS mode at the moment
- {
- name => "Ed25519 CipherString and Signature Algorithm Selection",
- server => $server,
- client => {
- "CipherString" => "aECDSA",
- "MaxProtocol" => "TLSv1.2",
- "SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
- "RequestCAFile" => test_pem("root-cert.pem"),
- },
- test => {
- "ExpectedServerCertType" =>, "Ed25519",
- "ExpectedServerSignType" =>, "Ed25519",
- # Note: certificate_authorities not sent for TLS < 1.3
- "ExpectedServerCANames" =>, "empty",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "Ed448 CipherString and Signature Algorithm Selection",
- server => $server,
- client => {
- "CipherString" => "aECDSA",
- "MaxProtocol" => "TLSv1.2",
- "SignatureAlgorithms" => "ed448:ECDSA+SHA256",
- "RequestCAFile" => test_pem("root-ed448-cert.pem"),
- "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
- },
- test => {
- "ExpectedServerCertType" =>, "Ed448",
- "ExpectedServerSignType" =>, "Ed448",
- # Note: certificate_authorities not sent for TLS < 1.3
- "ExpectedServerCANames" =>, "empty",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "ECDSA with brainpool",
- server => {
- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
- "Groups" => "brainpoolP256r1",
- },
- client => {
- #We don't restrict this to TLSv1.2, although use of brainpool
- #should force this anyway so that this should succeed
- "CipherString" => "aECDSA",
- "RequestCAFile" => test_pem("root-cert.pem"),
- "Groups" => "brainpoolP256r1",
- },
- test => {
- "ExpectedServerCertType" =>, "brainpoolP256r1",
- "ExpectedServerSignType" =>, "EC",
- # Note: certificate_authorities not sent for TLS < 1.3
- "ExpectedServerCANames" =>, "empty",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "Ed25519 CipherString and Curves Selection",
- server => $server,
- client => {
- "CipherString" => "aECDSA",
- "MaxProtocol" => "TLSv1.2",
- "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
- # Excluding P-256 from the supported curves list means server
- # certificate should be Ed25519 and not P-256
- "Curves" => "X25519"
- },
- test => {
- "ExpectedServerCertType" =>, "Ed25519",
- "ExpectedServerSignType" =>, "Ed25519",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "Ed448 CipherString and Curves Selection",
- server => $server,
- client => {
- "CipherString" => "aECDSA",
- "MaxProtocol" => "TLSv1.2",
- "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
- "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
- # Excluding P-256 from the supported curves list means server
- # certificate should be Ed25519 and not P-256
- "Curves" => "X448"
- },
- test => {
- "ExpectedServerCertType" =>, "Ed448",
- "ExpectedServerSignType" =>, "Ed448",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "TLS 1.2 Ed25519 Client Auth",
- server => {
- "VerifyCAFile" => test_pem("root-cert.pem"),
- "VerifyMode" => "Require"
- },
- client => {
- "Ed25519.Certificate" => test_pem("client-ed25519-cert.pem"),
- "Ed25519.PrivateKey" => test_pem("client-ed25519-key.pem"),
- "MinProtocol" => "TLSv1.2",
- "MaxProtocol" => "TLSv1.2"
- },
- test => {
- "ExpectedClientCertType" => "Ed25519",
- "ExpectedClientSignType" => "Ed25519",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "TLS 1.2 Ed448 Client Auth",
- server => {
- "VerifyCAFile" => test_pem("root-cert.pem"),
- "VerifyMode" => "Require"
- },
- client => {
- "Ed448.Certificate" => test_pem("client-ed448-cert.pem"),
- "Ed448.PrivateKey" => test_pem("client-ed448-key.pem"),
- "MinProtocol" => "TLSv1.2",
- "MaxProtocol" => "TLSv1.2"
- },
- test => {
- "ExpectedClientCertType" => "Ed448",
- "ExpectedClientSignType" => "Ed448",
- "ExpectedResult" => "Success"
- },
- },
- );
- my @tests_pss = (
- {
- name => "RSA-PSS Certificate CipherString Selection",
- server => $server_pss,
- client => {
- "CipherString" => "aRSA",
- "MaxProtocol" => "TLSv1.2",
- },
- test => {
- "ExpectedServerCertType" =>, "RSA-PSS",
- "ExpectedServerSignType" =>, "RSA-PSS",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "RSA-PSS Certificate Legacy Signature Algorithm Selection",
- server => $server_pss,
- client => {
- "SignatureAlgorithms" => "RSA-PSS+SHA256",
- },
- test => {
- "ExpectedServerCertType" => "RSA",
- "ExpectedServerSignHash" => "SHA256",
- "ExpectedServerSignType" => "RSA-PSS",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "RSA-PSS Certificate Unified Signature Algorithm Selection",
- server => $server_pss,
- client => {
- "SignatureAlgorithms" => "rsa_pss_pss_sha256",
- },
- test => {
- "ExpectedServerCertType" => "RSA-PSS",
- "ExpectedServerSignHash" => "SHA256",
- "ExpectedServerSignType" => "RSA-PSS",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "Only RSA-PSS Certificate",
- server => $server_pss_only,
- client => {},
- test => {
- "ExpectedServerCertType" => "RSA-PSS",
- "ExpectedServerSignHash" => "SHA256",
- "ExpectedServerSignType" => "RSA-PSS",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "Only RSA-PSS Certificate Valid Signature Algorithms",
- server => $server_pss_only,
- client => {
- "SignatureAlgorithms" => "rsa_pss_pss_sha512",
- },
- test => {
- "ExpectedServerCertType" => "RSA-PSS",
- "ExpectedServerSignHash" => "SHA512",
- "ExpectedServerSignType" => "RSA-PSS",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "RSA-PSS Certificate, no PSS signature algorithms",
- server => $server_pss_only,
- client => {
- "SignatureAlgorithms" => "RSA+SHA256",
- },
- test => {
- "ExpectedResult" => "ServerFail"
- },
- },
- {
- name => "Only RSA-PSS Restricted Certificate",
- server => $server_pss_restrict_only,
- client => {},
- test => {
- "ExpectedServerCertType" => "RSA-PSS",
- "ExpectedServerSignHash" => "SHA256",
- "ExpectedServerSignType" => "RSA-PSS",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "RSA-PSS Restricted Certificate Valid Signature Algorithms",
- server => $server_pss_restrict_only,
- client => {
- "SignatureAlgorithms" => "rsa_pss_pss_sha256:rsa_pss_pss_sha512",
- },
- test => {
- "ExpectedServerCertType" => "RSA-PSS",
- "ExpectedServerSignHash" => "SHA256",
- "ExpectedServerSignType" => "RSA-PSS",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "RSA-PSS Restricted Cert client prefers invalid Signature Algorithm",
- server => $server_pss_restrict_only,
- client => {
- "SignatureAlgorithms" => "rsa_pss_pss_sha512:rsa_pss_pss_sha256",
- },
- test => {
- "ExpectedServerCertType" => "RSA-PSS",
- "ExpectedServerSignHash" => "SHA256",
- "ExpectedServerSignType" => "RSA-PSS",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "RSA-PSS Restricted Certificate Invalid Signature Algorithms",
- server => $server_pss_restrict_only,
- client => {
- "SignatureAlgorithms" => "rsa_pss_pss_sha512",
- },
- test => {
- "ExpectedResult" => "ServerFail"
- },
- },
- {
- name => "RSA key exchange with only RSA-PSS certificate",
- server => $server_pss_only,
- client => {
- "CipherString" => "kRSA",
- "MaxProtocol" => "TLSv1.2",
- },
- test => {
- "ExpectedResult" => "ServerFail"
- },
- },
- );
- my @tests_tls_1_1 = (
- {
- name => "Only RSA-PSS Certificate, TLS v1.1",
- server => $server_pss_only,
- client => {
- "MaxProtocol" => "TLSv1.1",
- },
- test => {
- "ExpectedResult" => "ServerFail"
- },
- },
- );
- push @tests, @tests_non_fips unless $fips_mode;
- push @tests, @tests_pss;
- push @tests, @tests_tls_1_1 unless disabled("tls1_1") || $no_deflt_libctx;
- my $server_tls_1_3;
- if ($fips_mode) {
- $server_tls_1_3 = {
- "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
- "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3"
- };
- } else {
- $server_tls_1_3 = {
- "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
- "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
- "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
- "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
- "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
- "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3"
- };
- }
- my $client_tls_1_3 = {
- "RSA.Certificate" => test_pem("ee-client-chain.pem"),
- "RSA.PrivateKey" => test_pem("ee-key.pem"),
- "ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
- "ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"),
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3"
- };
- my @tests_tls_1_3 = (
- {
- name => "TLS 1.3 ECDSA Signature Algorithm Selection",
- server => $server_tls_1_3,
- client => {
- "SignatureAlgorithms" => "ECDSA+SHA256",
- },
- test => {
- "ExpectedServerCertType" => "P-256",
- "ExpectedServerSignHash" => "SHA256",
- "ExpectedServerSignType" => "EC",
- "ExpectedServerCANames" => "empty",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point",
- server => {
- "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
- "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3"
- },
- client => {
- "SignatureAlgorithms" => "ECDSA+SHA256",
- },
- test => {
- "ExpectedServerCertType" => "P-256",
- "ExpectedServerSignHash" => "SHA256",
- "ExpectedServerSignType" => "EC",
- "ExpectedServerCANames" => "empty",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1",
- server => {
- "CipherString" => "DEFAULT:\@SECLEVEL=0",
- "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
- "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
- "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
- "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
- "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
- "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3"
- },
- client => {
- "CipherString" => "DEFAULT:\@SECLEVEL=0",
- "SignatureAlgorithms" => "ECDSA+SHA1",
- },
- test => {
- "ExpectedResult" => "ServerFail"
- },
- },
- {
- name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
- server => $server_tls_1_3,
- client => {
- "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
- "RequestCAFile" => test_pem("root-cert.pem"),
- },
- test => {
- "ExpectedServerCertType" => "P-256",
- "ExpectedServerSignHash" => "SHA256",
- "ExpectedServerSignType" => "EC",
- "ExpectedServerCANames" => test_pem("root-cert.pem"),
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
- server => $server_tls_1_3,
- client => {
- "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
- },
- test => {
- "ExpectedServerCertType" => "RSA",
- "ExpectedServerSignHash" => "SHA384",
- "ExpectedServerSignType" => "RSA-PSS",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
- server => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3"
- },
- client => {
- "SignatureAlgorithms" => "ECDSA+SHA256",
- },
- test => {
- "ExpectedResult" => "ServerFail"
- },
- },
- {
- name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
- server => $server_tls_1_3,
- client => {
- "SignatureAlgorithms" => "RSA+SHA256",
- },
- test => {
- "ExpectedResult" => "ServerFail"
- },
- },
- {
- name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
- server => $server_tls_1_3,
- client => {
- "SignatureAlgorithms" => "RSA-PSS+SHA256",
- },
- test => {
- "ExpectedServerCertType" => "RSA",
- "ExpectedServerSignHash" => "SHA256",
- "ExpectedServerSignType" => "RSA-PSS",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
- server => {
- "ClientSignatureAlgorithms" => "PSS+SHA256",
- "VerifyCAFile" => test_pem("root-cert.pem"),
- "VerifyMode" => "Require"
- },
- client => $client_tls_1_3,
- test => {
- "ExpectedClientCertType" => "RSA",
- "ExpectedClientSignHash" => "SHA256",
- "ExpectedClientSignType" => "RSA-PSS",
- "ExpectedClientCANames" => "empty",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
- server => {
- "ClientSignatureAlgorithms" => "PSS+SHA256",
- "VerifyCAFile" => test_pem("root-cert.pem"),
- "RequestCAFile" => test_pem("root-cert.pem"),
- "VerifyMode" => "Require"
- },
- client => $client_tls_1_3,
- test => {
- "ExpectedClientCertType" => "RSA",
- "ExpectedClientSignHash" => "SHA256",
- "ExpectedClientSignType" => "RSA-PSS",
- "ExpectedClientCANames" => test_pem("root-cert.pem"),
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
- server => {
- "ClientSignatureAlgorithms" => "ECDSA+SHA256",
- "VerifyCAFile" => test_pem("root-cert.pem"),
- "VerifyMode" => "Require"
- },
- client => $client_tls_1_3,
- test => {
- "ExpectedClientCertType" => "P-256",
- "ExpectedClientSignHash" => "SHA256",
- "ExpectedClientSignType" => "EC",
- "ExpectedResult" => "Success"
- },
- },
- );
- my @tests_tls_1_3_non_fips = (
- {
- name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
- server => $server_tls_1_3,
- client => {
- "SignatureAlgorithms" => "ed25519",
- },
- test => {
- "ExpectedServerCertType" => "Ed25519",
- "ExpectedServerSignType" => "Ed25519",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "TLS 1.3 Ed448 Signature Algorithm Selection",
- server => $server_tls_1_3,
- client => {
- "SignatureAlgorithms" => "ed448",
- "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
- },
- test => {
- "ExpectedServerCertType" => "Ed448",
- "ExpectedServerSignType" => "Ed448",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "TLS 1.3 Ed25519 CipherString and Groups Selection",
- server => $server_tls_1_3,
- client => {
- "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
- # Excluding P-256 from the supported groups list should
- # mean server still uses a P-256 certificate because supported
- # groups is not used in signature selection for TLS 1.3
- "Groups" => "X25519"
- },
- test => {
- "ExpectedServerCertType" =>, "P-256",
- "ExpectedServerSignType" =>, "EC",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "TLS 1.3 Ed448 CipherString and Groups Selection",
- server => $server_tls_1_3,
- client => {
- "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
- # Excluding P-256 from the supported groups list should
- # mean server still uses a P-256 certificate because supported
- # groups is not used in signature selection for TLS 1.3
- "Groups" => "X448"
- },
- test => {
- "ExpectedServerCertType" =>, "P-256",
- "ExpectedServerSignType" =>, "EC",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "TLS 1.3 Ed25519 Client Auth",
- server => {
- "VerifyCAFile" => test_pem("root-cert.pem"),
- "VerifyMode" => "Require"
- },
- client => {
- "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
- "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3"
- },
- test => {
- "ExpectedClientCertType" => "Ed25519",
- "ExpectedClientSignType" => "Ed25519",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "TLS 1.3 Ed448 Client Auth",
- server => {
- "VerifyCAFile" => test_pem("root-cert.pem"),
- "VerifyMode" => "Require"
- },
- client => {
- "EdDSA.Certificate" => test_pem("client-ed448-cert.pem"),
- "EdDSA.PrivateKey" => test_pem("client-ed448-key.pem"),
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3"
- },
- test => {
- "ExpectedClientCertType" => "Ed448",
- "ExpectedClientSignType" => "Ed448",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "TLS 1.3 ECDSA with brainpool",
- server => {
- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
- },
- client => {
- "RequestCAFile" => test_pem("root-cert.pem"),
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3"
- },
- test => {
- "ExpectedResult" => "ServerFail"
- },
- },
- );
- push @tests, @tests_tls_1_3 unless disabled("tls1_3");
- push @tests, @tests_tls_1_3_non_fips unless disabled("tls1_3") || $fips_mode;
- my @tests_dsa_tls_1_2 = (
- {
- name => "TLS 1.2 DSA Certificate Test",
- server => {
- "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
- "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
- "DHParameters" => test_pem("dhp2048.pem"),
- "MinProtocol" => "TLSv1.2",
- "MaxProtocol" => "TLSv1.2",
- "CipherString" => "ALL",
- },
- client => {
- "SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
- "CipherString" => "ALL",
- },
- test => {
- "ExpectedResult" => "Success"
- },
- },
- );
- my @tests_dsa_tls_1_3 = (
- {
- name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
- server => {
- "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
- "VerifyCAFile" => test_pem("root-cert.pem"),
- "VerifyMode" => "Request"
- },
- client => {},
- test => {
- "ExpectedResult" => "ServerFail"
- },
- },
- {
- name => "TLS 1.3 DSA Certificate Test",
- server => {
- "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
- "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- "CipherString" => "ALL",
- },
- client => {
- "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256:ECDSA+SHA256",
- "CipherString" => "ALL",
- },
- test => {
- "ExpectedResult" => "ServerFail"
- },
- },
- );
- if (!disabled("dsa")) {
- #TODO(3.0): Temporary workaround for DH issues in FIPS. Needs investigation
- push @tests, @tests_dsa_tls_1_2 unless disabled("dh") || $fips_mode;
- push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
- }
|