123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302 |
- # -*- mode: perl; -*-
- # Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
- #
- # Licensed under the Apache License 2.0 (the "License"). You may not use
- # this file except in compliance with the License. You can obtain a copy
- # in the file LICENSE in the source distribution or at
- # https://www.openssl.org/source/license.html
- ## Test TLSv1.3 certificate authentication
- ## Similar to 04-client_auth.cnf.in output, but specific for
- ## TLSv1.3 and post-handshake authentication
- use strict;
- use warnings;
- package ssltests;
- use OpenSSL::Test::Utils;
- our @tests = (
- {
- name => "server-auth-TLSv1.3",
- server => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- },
- client => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- },
- test => {
- "ExpectedResult" => "Success",
- },
- },
- {
- name => "client-auth-TLSv1.3-request",
- server => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- "VerifyMode" => "Request",
- },
- client => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- },
- test => {
- "ExpectedResult" => "Success",
- },
- },
- {
- name => "client-auth-TLSv1.3-require-fail",
- server => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- "VerifyCAFile" => test_pem("root-cert.pem"),
- "VerifyMode" => "Require",
- },
- client => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- },
- test => {
- "ExpectedResult" => "ServerFail",
- "ExpectedServerAlert" => "CertificateRequired",
- },
- },
- {
- name => "client-auth-TLSv1.3-require",
- server => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- "ClientSignatureAlgorithms" => "PSS+SHA256",
- "VerifyCAFile" => test_pem("root-cert.pem"),
- "VerifyMode" => "Request",
- },
- client => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- "Certificate" => test_pem("ee-client-chain.pem"),
- "PrivateKey" => test_pem("ee-key.pem"),
- },
- test => {
- "ExpectedResult" => "Success",
- "ExpectedClientCertType" => "RSA",
- "ExpectedClientSignType" => "RSA-PSS",
- "ExpectedClientSignHash" => "SHA256",
- "ExpectedClientCANames" => "empty"
- },
- },
- {
- name => "client-auth-TLSv1.3-require-non-empty-names",
- server => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- "ClientSignatureAlgorithms" => "PSS+SHA256",
- "ClientCAFile" => test_pem("root-cert.pem"),
- "VerifyCAFile" => test_pem("root-cert.pem"),
- "VerifyMode" => "Request",
- },
- client => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- "Certificate" => test_pem("ee-client-chain.pem"),
- "PrivateKey" => test_pem("ee-key.pem"),
- },
- test => {
- "ExpectedResult" => "Success",
- "ExpectedClientCertType" => "RSA",
- "ExpectedClientSignType" => "RSA-PSS",
- "ExpectedClientSignHash" => "SHA256",
- "ExpectedClientCANames" => test_pem("root-cert.pem"),
- },
- },
- {
- name => "client-auth-TLSv1.3-noroot",
- server => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- "VerifyMode" => "Require",
- },
- client => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- "Certificate" => test_pem("ee-client-chain.pem"),
- "PrivateKey" => test_pem("ee-key.pem"),
- },
- test => {
- "ExpectedResult" => "ServerFail",
- "ExpectedServerAlert" => "UnknownCA",
- },
- },
- {
- name => "client-auth-TLSv1.3-request-post-handshake",
- server => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- "VerifyMode" => "RequestPostHandshake",
- },
- client => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- },
- test => {
- "ExpectedResult" => "ServerFail",
- "HandshakeMode" => "PostHandshakeAuth",
- },
- },
- {
- name => "client-auth-TLSv1.3-require-fail-post-handshake",
- server => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- "VerifyCAFile" => test_pem("root-cert.pem"),
- "VerifyMode" => "RequirePostHandshake",
- },
- client => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- },
- test => {
- "ExpectedResult" => "ServerFail",
- "HandshakeMode" => "PostHandshakeAuth",
- },
- },
- {
- name => "client-auth-TLSv1.3-require-post-handshake",
- server => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- "ClientSignatureAlgorithms" => "PSS+SHA256",
- "VerifyCAFile" => test_pem("root-cert.pem"),
- "VerifyMode" => "RequestPostHandshake",
- },
- client => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- "Certificate" => test_pem("ee-client-chain.pem"),
- "PrivateKey" => test_pem("ee-key.pem"),
- extra => {
- "EnablePHA" => "Yes",
- },
- },
- test => {
- "ExpectedResult" => "Success",
- "HandshakeMode" => "PostHandshakeAuth",
- "ExpectedClientCertType" => "RSA",
- "ExpectedClientSignType" => "RSA-PSS",
- "ExpectedClientSignHash" => "SHA256",
- "ExpectedClientCANames" => "empty"
- },
- },
- {
- name => "client-auth-TLSv1.3-require-non-empty-names-post-handshake",
- server => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- "ClientSignatureAlgorithms" => "PSS+SHA256",
- "ClientCAFile" => test_pem("root-cert.pem"),
- "VerifyCAFile" => test_pem("root-cert.pem"),
- "VerifyMode" => "RequestPostHandshake",
- },
- client => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- "Certificate" => test_pem("ee-client-chain.pem"),
- "PrivateKey" => test_pem("ee-key.pem"),
- extra => {
- "EnablePHA" => "Yes",
- },
- },
- test => {
- "ExpectedResult" => "Success",
- "HandshakeMode" => "PostHandshakeAuth",
- "ExpectedClientCertType" => "RSA",
- "ExpectedClientSignType" => "RSA-PSS",
- "ExpectedClientSignHash" => "SHA256",
- "ExpectedClientCANames" => test_pem("root-cert.pem"),
- },
- },
- {
- name => "client-auth-TLSv1.3-noroot-post-handshake",
- server => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- "VerifyMode" => "RequirePostHandshake",
- },
- client => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- "Certificate" => test_pem("ee-client-chain.pem"),
- "PrivateKey" => test_pem("ee-key.pem"),
- extra => {
- "EnablePHA" => "Yes",
- },
- },
- test => {
- "ExpectedResult" => "ServerFail",
- "HandshakeMode" => "PostHandshakeAuth",
- "ExpectedServerAlert" => "UnknownCA",
- },
- },
- {
- name => "client-auth-TLSv1.3-request-force-client-post-handshake",
- server => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- "VerifyMode" => "RequestPostHandshake",
- },
- client => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- extra => {
- "EnablePHA" => "Yes",
- },
- },
- test => {
- "ExpectedResult" => "Success",
- "HandshakeMode" => "PostHandshakeAuth",
- },
- },
- {
- name => "client-auth-TLSv1.3-request-force-server-post-handshake",
- server => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- "VerifyMode" => "RequestPostHandshake",
- extra => {
- "ForcePHA" => "Yes",
- },
- },
- client => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- },
- test => {
- "ExpectedResult" => "ClientFail",
- "HandshakeMode" => "PostHandshakeAuth",
- },
- },
- {
- name => "client-auth-TLSv1.3-request-force-both-post-handshake",
- server => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- "VerifyMode" => "RequestPostHandshake",
- extra => {
- "ForcePHA" => "Yes",
- },
- },
- client => {
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3",
- extra => {
- "EnablePHA" => "Yes",
- },
- },
- test => {
- "ExpectedResult" => "Success",
- "HandshakeMode" => "PostHandshakeAuth",
- },
- },
- );
|