
  # -*- mode: perl; -*-
  # Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
  #
  # Licensed under the OpenSSL license (the "License"). You may not use
  # this file except in compliance with the License. You can obtain a copy
  # in the file LICENSE in the source distribution or at
  # https://www.openssl.org/source/license.html
  ## Test TLSv1.3 certificate authentication
  ## Similar to 04-client_auth.conf.in output, but specific to
  ## TLSv1.3 and post-handshake authentication
  use strict;
  use warnings;

  package ssltests;
  use OpenSSL::Test::Utils;

  # Every case pins both peers to TLSv1.3, so the certificate exchange under
  # test is the TLSv1.3 one (and, in the second half of the list, the
  # post-handshake variant) rather than the result of a negotiated-down run.
  my %tls13_only = (
      MinProtocol => "TLSv1.3",
      MaxProtocol => "TLSv1.3",
  );

  # Each entry describes one handshake: the server and client configuration
  # that is exercised and the outcome the harness must observe. Failure cases
  # also pin the alert the rejecting side is expected to send, so that a
  # "fails for the wrong reason" regression is caught as well.
  our @tests = (
      # Baseline: server authentication only, client never asked for a cert.
      {
          name   => "server-auth-TLSv1.3",
          server => { %tls13_only },
          client => { %tls13_only },
          test   => { ExpectedResult => "Success" },
      },

      # Server requests a client certificate; client has none configured.
      # "Request" tolerates an empty reply, so this must still succeed.
      {
          name   => "client-auth-TLSv1.3-request",
          server => {
              %tls13_only,
              VerifyMode => "Request",
          },
          client => { %tls13_only },
          test   => { ExpectedResult => "Success" },
      },

      # Server requires a client certificate; client offers none. The server
      # must abort and the harness pins the alert it sends.
      {
          name   => "client-auth-TLSv1.3-require-fail",
          server => {
              %tls13_only,
              VerifyCAFile => test_pem("root-cert.pem"),
              VerifyMode   => "Require",
          },
          client => { %tls13_only },
          test   => {
              ExpectedResult      => "ServerFail",
              ExpectedServerAlert => "HandshakeFailure",
          },
      },

      # Successful client authentication against root-cert.pem. The server
      # restricts client signatures to PSS+SHA256 and the test pins the
      # resulting cert type, signature scheme and hash. No ClientCAFile is
      # configured, so the expected certificate_authorities list is empty.
      {
          name   => "client-auth-TLSv1.3-require",
          server => {
              %tls13_only,
              ClientSignatureAlgorithms => "PSS+SHA256",
              VerifyCAFile              => test_pem("root-cert.pem"),
              VerifyMode                => "Request",
          },
          client => {
              %tls13_only,
              Certificate => test_pem("ee-client-chain.pem"),
              PrivateKey  => test_pem("ee-key.pem"),
          },
          test => {
              ExpectedResult         => "Success",
              ExpectedClientCertType => "RSA",
              ExpectedClientSignType => "RSA-PSS",
              ExpectedClientSignHash => "SHA256",
              ExpectedClientCANames  => "empty",
          },
      },

      # Same as above but with ClientCAFile set, so the server is expected
      # to advertise root-cert.pem as an acceptable CA name.
      {
          name   => "client-auth-TLSv1.3-require-non-empty-names",
          server => {
              %tls13_only,
              ClientSignatureAlgorithms => "PSS+SHA256",
              ClientCAFile              => test_pem("root-cert.pem"),
              VerifyCAFile              => test_pem("root-cert.pem"),
              VerifyMode                => "Request",
          },
          client => {
              %tls13_only,
              Certificate => test_pem("ee-client-chain.pem"),
              PrivateKey  => test_pem("ee-key.pem"),
          },
          test => {
              ExpectedResult         => "Success",
              ExpectedClientCertType => "RSA",
              ExpectedClientSignType => "RSA-PSS",
              ExpectedClientSignHash => "SHA256",
              ExpectedClientCANames  => test_pem("root-cert.pem"),
          },
      },

      # Client presents a chain but the server has no VerifyCAFile to anchor
      # it; the server must reject with UnknownCA rather than accept an
      # unverifiable client.
      {
          name   => "client-auth-TLSv1.3-noroot",
          server => {
              %tls13_only,
              VerifyMode => "Require",
          },
          client => {
              %tls13_only,
              Certificate => test_pem("ee-client-chain.pem"),
              PrivateKey  => test_pem("ee-key.pem"),
          },
          test => {
              ExpectedResult      => "ServerFail",
              ExpectedServerAlert => "UnknownCA",
          },
      },

      # ---- Post-handshake authentication (PHA) variants ----
      # HandshakeMode => "PostHandshakeAuth" makes the harness drive the
      # certificate request after the initial handshake has completed.

      # Server wants PHA but the client has not enabled it (no ForcePHA);
      # the server side is expected to fail.
      {
          name   => "client-auth-TLSv1.3-request-post-handshake",
          server => {
              %tls13_only,
              VerifyMode => "RequestPostHandshake",
          },
          client => { %tls13_only },
          test   => {
              ExpectedResult => "ServerFail",
              HandshakeMode  => "PostHandshakeAuth",
          },
      },

      # PHA counterpart of require-fail: server requires a cert post
      # handshake, client has none.
      {
          name   => "client-auth-TLSv1.3-require-fail-post-handshake",
          server => {
              %tls13_only,
              VerifyCAFile => test_pem("root-cert.pem"),
              VerifyMode   => "RequirePostHandshake",
          },
          client => { %tls13_only },
          test   => {
              ExpectedResult => "ServerFail",
              HandshakeMode  => "PostHandshakeAuth",
          },
      },

      # PHA counterpart of the successful require case (empty CA names).
      {
          name   => "client-auth-TLSv1.3-require-post-handshake",
          server => {
              %tls13_only,
              ClientSignatureAlgorithms => "PSS+SHA256",
              VerifyCAFile              => test_pem("root-cert.pem"),
              VerifyMode                => "RequestPostHandshake",
          },
          client => {
              %tls13_only,
              Certificate => test_pem("ee-client-chain.pem"),
              PrivateKey  => test_pem("ee-key.pem"),
          },
          test => {
              ExpectedResult         => "Success",
              HandshakeMode          => "PostHandshakeAuth",
              ExpectedClientCertType => "RSA",
              ExpectedClientSignType => "RSA-PSS",
              ExpectedClientSignHash => "SHA256",
              ExpectedClientCANames  => "empty",
          },
      },

      # PHA counterpart of the non-empty CA names case.
      {
          name   => "client-auth-TLSv1.3-require-non-empty-names-post-handshake",
          server => {
              %tls13_only,
              ClientSignatureAlgorithms => "PSS+SHA256",
              ClientCAFile              => test_pem("root-cert.pem"),
              VerifyCAFile              => test_pem("root-cert.pem"),
              VerifyMode                => "RequestPostHandshake",
          },
          client => {
              %tls13_only,
              Certificate => test_pem("ee-client-chain.pem"),
              PrivateKey  => test_pem("ee-key.pem"),
          },
          test => {
              ExpectedResult         => "Success",
              HandshakeMode          => "PostHandshakeAuth",
              ExpectedClientCertType => "RSA",
              ExpectedClientSignType => "RSA-PSS",
              ExpectedClientSignHash => "SHA256",
              ExpectedClientCANames  => test_pem("root-cert.pem"),
          },
      },

      # PHA counterpart of noroot: unanchored client chain must be rejected
      # with UnknownCA after the handshake too.
      {
          name   => "client-auth-TLSv1.3-noroot-post-handshake",
          server => {
              %tls13_only,
              VerifyMode => "RequirePostHandshake",
          },
          client => {
              %tls13_only,
              Certificate => test_pem("ee-client-chain.pem"),
              PrivateKey  => test_pem("ee-key.pem"),
          },
          test => {
              ExpectedResult      => "ServerFail",
              HandshakeMode       => "PostHandshakeAuth",
              ExpectedServerAlert => "UnknownCA",
          },
      },

      # ForcePHA on the client only: client opts in to PHA, server asks.
      {
          name   => "client-auth-TLSv1.3-request-force-client-post-handshake",
          server => {
              %tls13_only,
              VerifyMode => "RequestPostHandshake",
          },
          client => {
              %tls13_only,
              extra => { ForcePHA => "Yes" },
          },
          test => {
              ExpectedResult => "Success",
              HandshakeMode  => "PostHandshakeAuth",
          },
      },

      # ForcePHA on the server only: the client never opted in, so the
      # client side is expected to fail the forced request.
      {
          name   => "client-auth-TLSv1.3-request-force-server-post-handshake",
          server => {
              %tls13_only,
              VerifyMode => "RequestPostHandshake",
              extra      => { ForcePHA => "Yes" },
          },
          client => { %tls13_only },
          test   => {
              ExpectedResult => "ClientFail",
              HandshakeMode  => "PostHandshakeAuth",
          },
      },

      # ForcePHA on both sides: both agree, handshake must succeed.
      {
          name   => "client-auth-TLSv1.3-request-force-both-post-handshake",
          server => {
              %tls13_only,
              VerifyMode => "RequestPostHandshake",
              extra      => { ForcePHA => "Yes" },
          },
          client => {
              %tls13_only,
              extra => { ForcePHA => "Yes" },
          },
          test => {
              ExpectedResult => "Success",
              HandshakeMode  => "PostHandshakeAuth",
          },
      },
  );