
  1. # -*- mode: perl; -*-
  2. # Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. #
  4. # Licensed under the Apache License 2.0 (the "License"). You may not use
  5. # this file except in compliance with the License. You can obtain a copy
  6. # in the file LICENSE in the source distribution or at
  7. # https://www.openssl.org/source/license.html
  8. ## Test TLSv1.3 certificate authentication
## Similar to 04-client_auth.cnf.in, but specific to TLSv1.3 and to
## TLSv1.3 post-handshake authentication (PHA), which has no TLSv1.2 analogue.
  11. use strict;
  12. use warnings;
  13. package ssltests;
  14. use OpenSSL::Test::Utils;
  15. our @tests = (
  16. {
  17. name => "server-auth-TLSv1.3",
  18. server => {
  19. "MinProtocol" => "TLSv1.3",
  20. "MaxProtocol" => "TLSv1.3",
  21. },
  22. client => {
  23. "MinProtocol" => "TLSv1.3",
  24. "MaxProtocol" => "TLSv1.3",
  25. },
  26. test => {
  27. "ExpectedResult" => "Success",
  28. },
  29. },
  30. {
  31. name => "client-auth-TLSv1.3-request",
  32. server => {
  33. "MinProtocol" => "TLSv1.3",
  34. "MaxProtocol" => "TLSv1.3",
  35. "VerifyMode" => "Request",
  36. },
  37. client => {
  38. "MinProtocol" => "TLSv1.3",
  39. "MaxProtocol" => "TLSv1.3",
  40. },
  41. test => {
  42. "ExpectedResult" => "Success",
  43. },
  44. },
  45. {
  46. name => "client-auth-TLSv1.3-require-fail",
  47. server => {
  48. "MinProtocol" => "TLSv1.3",
  49. "MaxProtocol" => "TLSv1.3",
  50. "VerifyCAFile" => test_pem("root-cert.pem"),
  51. "VerifyMode" => "Require",
  52. },
  53. client => {
  54. "MinProtocol" => "TLSv1.3",
  55. "MaxProtocol" => "TLSv1.3",
  56. },
  57. test => {
  58. "ExpectedResult" => "ServerFail",
  59. "ExpectedServerAlert" => "CertificateRequired",
  60. },
  61. },
  62. {
  63. name => "client-auth-TLSv1.3-require",
  64. server => {
  65. "MinProtocol" => "TLSv1.3",
  66. "MaxProtocol" => "TLSv1.3",
  67. "ClientSignatureAlgorithms" => "PSS+SHA256",
  68. "VerifyCAFile" => test_pem("root-cert.pem"),
  69. "VerifyMode" => "Request",
  70. },
  71. client => {
  72. "MinProtocol" => "TLSv1.3",
  73. "MaxProtocol" => "TLSv1.3",
  74. "Certificate" => test_pem("ee-client-chain.pem"),
  75. "PrivateKey" => test_pem("ee-key.pem"),
  76. },
  77. test => {
  78. "ExpectedResult" => "Success",
  79. "ExpectedClientCertType" => "RSA",
  80. "ExpectedClientSignType" => "RSA-PSS",
  81. "ExpectedClientSignHash" => "SHA256",
  82. "ExpectedClientCANames" => "empty"
  83. },
  84. },
  85. {
  86. name => "client-auth-TLSv1.3-require-non-empty-names",
  87. server => {
  88. "MinProtocol" => "TLSv1.3",
  89. "MaxProtocol" => "TLSv1.3",
  90. "ClientSignatureAlgorithms" => "PSS+SHA256",
  91. "ClientCAFile" => test_pem("root-cert.pem"),
  92. "VerifyCAFile" => test_pem("root-cert.pem"),
  93. "VerifyMode" => "Request",
  94. },
  95. client => {
  96. "MinProtocol" => "TLSv1.3",
  97. "MaxProtocol" => "TLSv1.3",
  98. "Certificate" => test_pem("ee-client-chain.pem"),
  99. "PrivateKey" => test_pem("ee-key.pem"),
  100. },
  101. test => {
  102. "ExpectedResult" => "Success",
  103. "ExpectedClientCertType" => "RSA",
  104. "ExpectedClientSignType" => "RSA-PSS",
  105. "ExpectedClientSignHash" => "SHA256",
  106. "ExpectedClientCANames" => test_pem("root-cert.pem"),
  107. },
  108. },
  109. {
  110. name => "client-auth-TLSv1.3-noroot",
  111. server => {
  112. "MinProtocol" => "TLSv1.3",
  113. "MaxProtocol" => "TLSv1.3",
  114. "VerifyMode" => "Require",
  115. },
  116. client => {
  117. "MinProtocol" => "TLSv1.3",
  118. "MaxProtocol" => "TLSv1.3",
  119. "Certificate" => test_pem("ee-client-chain.pem"),
  120. "PrivateKey" => test_pem("ee-key.pem"),
  121. },
  122. test => {
  123. "ExpectedResult" => "ServerFail",
  124. "ExpectedServerAlert" => "UnknownCA",
  125. },
  126. },
  127. {
  128. name => "client-auth-TLSv1.3-request-post-handshake",
  129. server => {
  130. "MinProtocol" => "TLSv1.3",
  131. "MaxProtocol" => "TLSv1.3",
  132. "VerifyMode" => "RequestPostHandshake",
  133. },
  134. client => {
  135. "MinProtocol" => "TLSv1.3",
  136. "MaxProtocol" => "TLSv1.3",
  137. },
  138. test => {
  139. "ExpectedResult" => "ServerFail",
  140. "HandshakeMode" => "PostHandshakeAuth",
  141. },
  142. },
  143. {
  144. name => "client-auth-TLSv1.3-require-fail-post-handshake",
  145. server => {
  146. "MinProtocol" => "TLSv1.3",
  147. "MaxProtocol" => "TLSv1.3",
  148. "VerifyCAFile" => test_pem("root-cert.pem"),
  149. "VerifyMode" => "RequirePostHandshake",
  150. },
  151. client => {
  152. "MinProtocol" => "TLSv1.3",
  153. "MaxProtocol" => "TLSv1.3",
  154. },
  155. test => {
  156. "ExpectedResult" => "ServerFail",
  157. "HandshakeMode" => "PostHandshakeAuth",
  158. },
  159. },
  160. {
  161. name => "client-auth-TLSv1.3-require-post-handshake",
  162. server => {
  163. "MinProtocol" => "TLSv1.3",
  164. "MaxProtocol" => "TLSv1.3",
  165. "ClientSignatureAlgorithms" => "PSS+SHA256",
  166. "VerifyCAFile" => test_pem("root-cert.pem"),
  167. "VerifyMode" => "RequestPostHandshake",
  168. },
  169. client => {
  170. "MinProtocol" => "TLSv1.3",
  171. "MaxProtocol" => "TLSv1.3",
  172. "Certificate" => test_pem("ee-client-chain.pem"),
  173. "PrivateKey" => test_pem("ee-key.pem"),
  174. extra => {
  175. "EnablePHA" => "Yes",
  176. },
  177. },
  178. test => {
  179. "ExpectedResult" => "Success",
  180. "HandshakeMode" => "PostHandshakeAuth",
  181. "ExpectedClientCertType" => "RSA",
  182. "ExpectedClientSignType" => "RSA-PSS",
  183. "ExpectedClientSignHash" => "SHA256",
  184. "ExpectedClientCANames" => "empty"
  185. },
  186. },
  187. {
  188. name => "client-auth-TLSv1.3-require-non-empty-names-post-handshake",
  189. server => {
  190. "MinProtocol" => "TLSv1.3",
  191. "MaxProtocol" => "TLSv1.3",
  192. "ClientSignatureAlgorithms" => "PSS+SHA256",
  193. "ClientCAFile" => test_pem("root-cert.pem"),
  194. "VerifyCAFile" => test_pem("root-cert.pem"),
  195. "VerifyMode" => "RequestPostHandshake",
  196. },
  197. client => {
  198. "MinProtocol" => "TLSv1.3",
  199. "MaxProtocol" => "TLSv1.3",
  200. "Certificate" => test_pem("ee-client-chain.pem"),
  201. "PrivateKey" => test_pem("ee-key.pem"),
  202. extra => {
  203. "EnablePHA" => "Yes",
  204. },
  205. },
  206. test => {
  207. "ExpectedResult" => "Success",
  208. "HandshakeMode" => "PostHandshakeAuth",
  209. "ExpectedClientCertType" => "RSA",
  210. "ExpectedClientSignType" => "RSA-PSS",
  211. "ExpectedClientSignHash" => "SHA256",
  212. "ExpectedClientCANames" => test_pem("root-cert.pem"),
  213. },
  214. },
  215. {
  216. name => "client-auth-TLSv1.3-noroot-post-handshake",
  217. server => {
  218. "MinProtocol" => "TLSv1.3",
  219. "MaxProtocol" => "TLSv1.3",
  220. "VerifyMode" => "RequirePostHandshake",
  221. },
  222. client => {
  223. "MinProtocol" => "TLSv1.3",
  224. "MaxProtocol" => "TLSv1.3",
  225. "Certificate" => test_pem("ee-client-chain.pem"),
  226. "PrivateKey" => test_pem("ee-key.pem"),
  227. extra => {
  228. "EnablePHA" => "Yes",
  229. },
  230. },
  231. test => {
  232. "ExpectedResult" => "ServerFail",
  233. "HandshakeMode" => "PostHandshakeAuth",
  234. "ExpectedServerAlert" => "UnknownCA",
  235. },
  236. },
  237. {
  238. name => "client-auth-TLSv1.3-request-force-client-post-handshake",
  239. server => {
  240. "MinProtocol" => "TLSv1.3",
  241. "MaxProtocol" => "TLSv1.3",
  242. "VerifyMode" => "RequestPostHandshake",
  243. },
  244. client => {
  245. "MinProtocol" => "TLSv1.3",
  246. "MaxProtocol" => "TLSv1.3",
  247. extra => {
  248. "EnablePHA" => "Yes",
  249. },
  250. },
  251. test => {
  252. "ExpectedResult" => "Success",
  253. "HandshakeMode" => "PostHandshakeAuth",
  254. },
  255. },
  256. {
  257. name => "client-auth-TLSv1.3-request-force-server-post-handshake",
  258. server => {
  259. "MinProtocol" => "TLSv1.3",
  260. "MaxProtocol" => "TLSv1.3",
  261. "VerifyMode" => "RequestPostHandshake",
  262. extra => {
  263. "ForcePHA" => "Yes",
  264. },
  265. },
  266. client => {
  267. "MinProtocol" => "TLSv1.3",
  268. "MaxProtocol" => "TLSv1.3",
  269. },
  270. test => {
  271. "ExpectedResult" => "ClientFail",
  272. "HandshakeMode" => "PostHandshakeAuth",
  273. },
  274. },
  275. {
  276. name => "client-auth-TLSv1.3-request-force-both-post-handshake",
  277. server => {
  278. "MinProtocol" => "TLSv1.3",
  279. "MaxProtocol" => "TLSv1.3",
  280. "VerifyMode" => "RequestPostHandshake",
  281. extra => {
  282. "ForcePHA" => "Yes",
  283. },
  284. },
  285. client => {
  286. "MinProtocol" => "TLSv1.3",
  287. "MaxProtocol" => "TLSv1.3",
  288. extra => {
  289. "EnablePHA" => "Yes",
  290. },
  291. },
  292. test => {
  293. "ExpectedResult" => "Success",
  294. "HandshakeMode" => "PostHandshakeAuth",
  295. },
  296. },
  297. );