summaryrefslogtreecommitdiff
path: root/deps/openssl/openssl/test/ssl-tests/20-cert-select.conf.in
diff options
context:
space:
mode:
Diffstat (limited to 'deps/openssl/openssl/test/ssl-tests/20-cert-select.conf.in')
-rw-r--r--deps/openssl/openssl/test/ssl-tests/20-cert-select.conf.in864
1 files changed, 864 insertions, 0 deletions
diff --git a/deps/openssl/openssl/test/ssl-tests/20-cert-select.conf.in b/deps/openssl/openssl/test/ssl-tests/20-cert-select.conf.in
new file mode 100644
index 0000000000..bdf53c6e1e
--- /dev/null
+++ b/deps/openssl/openssl/test/ssl-tests/20-cert-select.conf.in
@@ -0,0 +1,864 @@
+# -*- mode: perl; -*-
+
+## SSL test configurations
+
+
+use strict;
+use warnings;
+
+package ssltests;
+use OpenSSL::Test::Utils;
+
+my $server = {
+ "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+ "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
+ "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
+ "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
+ "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
+ "MaxProtocol" => "TLSv1.2"
+};
+
+my $server_pss = {
+ "PSS.Certificate" => test_pem("server-pss-cert.pem"),
+ "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
+ "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+ "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
+ "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
+ "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
+ "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
+ "MaxProtocol" => "TLSv1.2"
+};
+
+my $server_pss_only = {
+ "Certificate" => test_pem("server-pss-cert.pem"),
+ "PrivateKey" => test_pem("server-pss-key.pem"),
+};
+
+my $server_rsa_all = {
+ "PSS.Certificate" => test_pem("server-pss-cert.pem"),
+ "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
+ "Certificate" => test_pem("servercert.pem"),
+ "PrivateKey" => test_pem("serverkey.pem"),
+};
+
+our @tests = (
+ {
+ name => "ECDSA CipherString Selection",
+ server => $server,
+ client => {
+ "CipherString" => "aECDSA",
+ "MaxProtocol" => "TLSv1.2",
+ "RequestCAFile" => test_pem("root-cert.pem"),
+ },
+ test => {
+ "ExpectedServerCertType" =>, "P-256",
+ "ExpectedServerSignType" =>, "EC",
+ # Note: certificate_authorities not sent for TLS < 1.3
+ "ExpectedServerCANames" =>, "empty",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "ECDSA CipherString Selection",
+ server => {
+ "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+ "MaxProtocol" => "TLSv1.2",
+ #Deliberately set supported_groups to one not in the cert. This
+ #should be tolerated
+ "Groups" => "P-384"
+ },
+ client => {
+ "CipherString" => "aECDSA",
+ "MaxProtocol" => "TLSv1.2",
+ "Groups" => "P-256:P-384",
+ "RequestCAFile" => test_pem("root-cert.pem"),
+ },
+ test => {
+ "ExpectedServerCertType" =>, "P-256",
+ "ExpectedServerSignType" =>, "EC",
+ # Note: certificate_authorities not sent for TLS < 1.3
+ "ExpectedServerCANames" =>, "empty",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "ECDSA CipherString Selection",
+ server => {
+ "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+ "MaxProtocol" => "TLSv1.2",
+ "Groups" => "P-256:P-384"
+ },
+ client => {
+ "CipherString" => "aECDSA",
+ "MaxProtocol" => "TLSv1.2",
+ #Deliberately set groups to not include the certificate group. This
+ #should fail
+ "Groups" => "P-384",
+ "RequestCAFile" => test_pem("root-cert.pem"),
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+ {
+ name => "Ed25519 CipherString and Signature Algorithm Selection",
+ server => $server,
+ client => {
+ "CipherString" => "aECDSA",
+ "MaxProtocol" => "TLSv1.2",
+ "SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
+ "RequestCAFile" => test_pem("root-cert.pem"),
+ },
+ test => {
+ "ExpectedServerCertType" =>, "Ed25519",
+ "ExpectedServerSignType" =>, "Ed25519",
+ # Note: certificate_authorities not sent for TLS < 1.3
+ "ExpectedServerCANames" =>, "empty",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "Ed448 CipherString and Signature Algorithm Selection",
+ server => $server,
+ client => {
+ "CipherString" => "aECDSA",
+ "MaxProtocol" => "TLSv1.2",
+ "SignatureAlgorithms" => "ed448:ECDSA+SHA256",
+ "RequestCAFile" => test_pem("root-cert.pem"),
+ },
+ test => {
+ "ExpectedServerCertType" =>, "Ed448",
+ "ExpectedServerSignType" =>, "Ed448",
+ # Note: certificate_authorities not sent for TLS < 1.3
+ "ExpectedServerCANames" =>, "empty",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "ECDSA with brainpool",
+ server => {
+ "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
+ "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
+ "Groups" => "brainpoolP256r1",
+ },
+ client => {
+ #We don't restrict this to TLSv1.2, although use of brainpool
+ #should force this anyway so that this should succeed
+ "CipherString" => "aECDSA",
+ "RequestCAFile" => test_pem("root-cert.pem"),
+ "Groups" => "brainpoolP256r1",
+ },
+ test => {
+ "ExpectedServerCertType" =>, "brainpoolP256r1",
+ "ExpectedServerSignType" =>, "EC",
+ # Note: certificate_authorities not sent for TLS < 1.3
+ "ExpectedServerCANames" =>, "empty",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "RSA CipherString Selection",
+ server => $server,
+ client => {
+ "CipherString" => "aRSA",
+ "MaxProtocol" => "TLSv1.2",
+ },
+ test => {
+ "ExpectedServerCertType" =>, "RSA",
+ "ExpectedServerSignType" =>, "RSA-PSS",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "RSA-PSS Certificate CipherString Selection",
+ server => $server_pss,
+ client => {
+ "CipherString" => "aRSA",
+ "MaxProtocol" => "TLSv1.2",
+ },
+ test => {
+ "ExpectedServerCertType" =>, "RSA-PSS",
+ "ExpectedServerSignType" =>, "RSA-PSS",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "P-256 CipherString and Signature Algorithm Selection",
+ server => $server,
+ client => {
+ "CipherString" => "aECDSA",
+ "MaxProtocol" => "TLSv1.2",
+ "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
+ },
+ test => {
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "Ed25519 CipherString and Curves Selection",
+ server => $server,
+ client => {
+ "CipherString" => "aECDSA",
+ "MaxProtocol" => "TLSv1.2",
+ "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
+ # Excluding P-256 from the supported curves list means server
+ # certificate should be Ed25519 and not P-256
+ "Curves" => "X25519"
+ },
+ test => {
+ "ExpectedServerCertType" =>, "Ed25519",
+ "ExpectedServerSignType" =>, "Ed25519",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "Ed448 CipherString and Curves Selection",
+ server => $server,
+ client => {
+ "CipherString" => "aECDSA",
+ "MaxProtocol" => "TLSv1.2",
+ "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
+ # Excluding P-256 from the supported curves list means server
+ # certificate should be Ed25519 and not P-256
+ "Curves" => "X448"
+ },
+ test => {
+ "ExpectedServerCertType" =>, "Ed448",
+ "ExpectedServerSignType" =>, "Ed448",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "ECDSA CipherString Selection, no ECDSA certificate",
+ server => {
+ "MaxProtocol" => "TLSv1.2"
+ },
+ client => {
+ "CipherString" => "aECDSA",
+ "MaxProtocol" => "TLSv1.2"
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+ {
+ name => "ECDSA Signature Algorithm Selection",
+ server => $server,
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256",
+ },
+ test => {
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "ECDSA Signature Algorithm Selection SHA384",
+ server => $server,
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA384",
+ },
+ test => {
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA384",
+ "ExpectedServerSignType" => "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "ECDSA Signature Algorithm Selection SHA1",
+ server => $server,
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA1",
+ },
+ test => {
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA1",
+ "ExpectedServerSignType" => "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "ECDSA Signature Algorithm Selection compressed point",
+ server => {
+ "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
+ "MaxProtocol" => "TLSv1.2"
+ },
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256",
+ },
+ test => {
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
+ server => {
+ "MaxProtocol" => "TLSv1.2"
+ },
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+ {
+ name => "RSA Signature Algorithm Selection",
+ server => $server,
+ client => {
+ "SignatureAlgorithms" => "RSA+SHA256",
+ },
+ test => {
+ "ExpectedServerCertType" => "RSA",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "RSA",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "RSA-PSS Signature Algorithm Selection",
+ server => $server,
+ client => {
+ "SignatureAlgorithms" => "RSA-PSS+SHA256",
+ },
+ test => {
+ "ExpectedServerCertType" => "RSA",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "RSA-PSS",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "RSA-PSS Certificate Legacy Signature Algorithm Selection",
+ server => $server_pss,
+ client => {
+ "SignatureAlgorithms" => "RSA-PSS+SHA256",
+ },
+ test => {
+ "ExpectedServerCertType" => "RSA",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "RSA-PSS",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "RSA-PSS Certificate Unified Signature Algorithm Selection",
+ server => $server_pss,
+ client => {
+ "SignatureAlgorithms" => "rsa_pss_pss_sha256",
+ },
+ test => {
+ "ExpectedServerCertType" => "RSA-PSS",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "RSA-PSS",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "Only RSA-PSS Certificate",
+ server => $server_pss_only,
+ client => {},
+ test => {
+ "ExpectedServerCertType" => "RSA-PSS",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "RSA-PSS",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "RSA-PSS Certificate, no PSS signature algorithms",
+ server => $server_pss_only,
+ client => {
+ "SignatureAlgorithms" => "RSA+SHA256",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+ {
+ name => "RSA key exchange with all RSA certificate types",
+ server => $server_rsa_all,
+ client => {
+ "CipherString" => "kRSA",
+ "MaxProtocol" => "TLSv1.2",
+ },
+ test => {
+ "ExpectedServerCertType" =>, "RSA",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "RSA key exchange with only RSA-PSS certificate",
+ server => $server_pss_only,
+ client => {
+ "CipherString" => "kRSA",
+ "MaxProtocol" => "TLSv1.2",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+ {
+ name => "Suite B P-256 Hash Algorithm Selection",
+ server => {
+ "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
+ "MaxProtocol" => "TLSv1.2",
+ "CipherString" => "SUITEB128"
+ },
+ client => {
+ "VerifyCAFile" => test_pem("p384-root.pem"),
+ "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
+ },
+ test => {
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "Suite B P-384 Hash Algorithm Selection",
+ server => {
+ "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
+ "MaxProtocol" => "TLSv1.2",
+ "CipherString" => "SUITEB128"
+ },
+ client => {
+ "VerifyCAFile" => test_pem("p384-root.pem"),
+ "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
+ },
+ test => {
+ "ExpectedServerCertType" => "P-384",
+ "ExpectedServerSignHash" => "SHA384",
+ "ExpectedServerSignType" => "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.2 Ed25519 Client Auth",
+ server => {
+ "VerifyCAFile" => test_pem("root-cert.pem"),
+ "VerifyMode" => "Require"
+ },
+ client => {
+ "Ed25519.Certificate" => test_pem("client-ed25519-cert.pem"),
+ "Ed25519.PrivateKey" => test_pem("client-ed25519-key.pem"),
+ "MinProtocol" => "TLSv1.2",
+ "MaxProtocol" => "TLSv1.2"
+ },
+ test => {
+ "ExpectedClientCertType" => "Ed25519",
+ "ExpectedClientSignType" => "Ed25519",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.2 Ed448 Client Auth",
+ server => {
+ "VerifyCAFile" => test_pem("root-cert.pem"),
+ "VerifyMode" => "Require"
+ },
+ client => {
+ "Ed448.Certificate" => test_pem("client-ed448-cert.pem"),
+ "Ed448.PrivateKey" => test_pem("client-ed448-key.pem"),
+ "MinProtocol" => "TLSv1.2",
+ "MaxProtocol" => "TLSv1.2"
+ },
+ test => {
+ "ExpectedClientCertType" => "Ed448",
+ "ExpectedClientSignType" => "Ed448",
+ "ExpectedResult" => "Success"
+ },
+ },
+);
+
+my @tests_tls_1_1 = (
+ {
+ name => "Only RSA-PSS Certificate, TLS v1.1",
+ server => $server_pss_only,
+ client => {
+ "MaxProtocol" => "TLSv1.1",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+);
+
+push @tests, @tests_tls_1_1 unless disabled("tls1_1");
+
+my $server_tls_1_3 = {
+ "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+ "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
+ "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
+ "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
+ "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
+ "MinProtocol" => "TLSv1.3",
+ "MaxProtocol" => "TLSv1.3"
+};
+
+my $server_tls_1_3_pss = {
+ "PSS.Certificate" => test_pem("server-pss-cert.pem"),
+ "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
+ "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+ "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
+ "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
+ "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
+ "Ed448.PrivateKey" => test_pem("server-ed449-key.pem"),
+ "MinProtocol" => "TLSv1.3",
+ "MaxProtocol" => "TLSv1.3"
+};
+
+my $client_tls_1_3 = {
+ "RSA.Certificate" => test_pem("ee-client-chain.pem"),
+ "RSA.PrivateKey" => test_pem("ee-key.pem"),
+ "ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
+ "ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"),
+ "MinProtocol" => "TLSv1.3",
+ "MaxProtocol" => "TLSv1.3"
+};
+
+my @tests_tls_1_3 = (
+ {
+ name => "TLS 1.3 ECDSA Signature Algorithm Selection",
+ server => $server_tls_1_3,
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256",
+ },
+ test => {
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "EC",
+ "ExpectedServerCANames" => "empty",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point",
+ server => {
+ "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
+ "MinProtocol" => "TLSv1.3",
+ "MaxProtocol" => "TLSv1.3"
+ },
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256",
+ },
+ test => {
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "EC",
+ "ExpectedServerCANames" => "empty",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1",
+ server => $server_tls_1_3,
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA1",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+ {
+ name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
+ server => $server_tls_1_3,
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
+ "RequestCAFile" => test_pem("root-cert.pem"),
+ },
+ test => {
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "EC",
+ "ExpectedServerCANames" => test_pem("root-cert.pem"),
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
+ server => $server_tls_1_3,
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
+ },
+ test => {
+ "ExpectedServerCertType" => "RSA",
+ "ExpectedServerSignHash" => "SHA384",
+ "ExpectedServerSignType" => "RSA-PSS",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
+ server => {
+ "MinProtocol" => "TLSv1.3",
+ "MaxProtocol" => "TLSv1.3"
+ },
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+ {
+ name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
+ server => $server_tls_1_3,
+ client => {
+ "SignatureAlgorithms" => "RSA+SHA256",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+ {
+ name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
+ server => $server_tls_1_3,
+ client => {
+ "SignatureAlgorithms" => "RSA-PSS+SHA256",
+ },
+ test => {
+ "ExpectedServerCertType" => "RSA",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "RSA-PSS",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
+ server => $server_tls_1_3,
+ client => {
+ "SignatureAlgorithms" => "ed25519",
+ },
+ test => {
+ "ExpectedServerCertType" => "Ed25519",
+ "ExpectedServerSignType" => "Ed25519",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 Ed448 Signature Algorithm Selection",
+ server => $server_tls_1_3,
+ client => {
+ "SignatureAlgorithms" => "ed448",
+ },
+ test => {
+ "ExpectedServerCertType" => "Ed448",
+ "ExpectedServerSignType" => "Ed448",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 Ed25519 CipherString and Groups Selection",
+ server => $server_tls_1_3,
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
+ # Excluding P-256 from the supported groups list should
+ # mean server still uses a P-256 certificate because supported
+ # groups is not used in signature selection for TLS 1.3
+ "Groups" => "X25519"
+ },
+ test => {
+ "ExpectedServerCertType" =>, "P-256",
+ "ExpectedServerSignType" =>, "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 Ed448 CipherString and Groups Selection",
+ server => $server_tls_1_3,
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
+ # Excluding P-256 from the supported groups list should
+ # mean server still uses a P-256 certificate because supported
+ # groups is not used in signature selection for TLS 1.3
+ "Groups" => "X448"
+ },
+ test => {
+ "ExpectedServerCertType" =>, "P-256",
+ "ExpectedServerSignType" =>, "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
+ server => {
+ "ClientSignatureAlgorithms" => "PSS+SHA256",
+ "VerifyCAFile" => test_pem("root-cert.pem"),
+ "VerifyMode" => "Require"
+ },
+ client => $client_tls_1_3,
+ test => {
+ "ExpectedClientCertType" => "RSA",
+ "ExpectedClientSignHash" => "SHA256",
+ "ExpectedClientSignType" => "RSA-PSS",
+ "ExpectedClientCANames" => "empty",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
+ server => {
+ "ClientSignatureAlgorithms" => "PSS+SHA256",
+ "VerifyCAFile" => test_pem("root-cert.pem"),
+ "RequestCAFile" => test_pem("root-cert.pem"),
+ "VerifyMode" => "Require"
+ },
+ client => $client_tls_1_3,
+ test => {
+ "ExpectedClientCertType" => "RSA",
+ "ExpectedClientSignHash" => "SHA256",
+ "ExpectedClientSignType" => "RSA-PSS",
+ "ExpectedClientCANames" => test_pem("root-cert.pem"),
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
+ server => {
+ "ClientSignatureAlgorithms" => "ECDSA+SHA256",
+ "VerifyCAFile" => test_pem("root-cert.pem"),
+ "VerifyMode" => "Require"
+ },
+ client => $client_tls_1_3,
+ test => {
+ "ExpectedClientCertType" => "P-256",
+ "ExpectedClientSignHash" => "SHA256",
+ "ExpectedClientSignType" => "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 Ed25519 Client Auth",
+ server => {
+ "VerifyCAFile" => test_pem("root-cert.pem"),
+ "VerifyMode" => "Require"
+ },
+ client => {
+ "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
+ "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
+ "MinProtocol" => "TLSv1.3",
+ "MaxProtocol" => "TLSv1.3"
+ },
+ test => {
+ "ExpectedClientCertType" => "Ed25519",
+ "ExpectedClientSignType" => "Ed25519",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 Ed448 Client Auth",
+ server => {
+ "VerifyCAFile" => test_pem("root-cert.pem"),
+ "VerifyMode" => "Require"
+ },
+ client => {
+ "EdDSA.Certificate" => test_pem("client-ed448-cert.pem"),
+ "EdDSA.PrivateKey" => test_pem("client-ed448-key.pem"),
+ "MinProtocol" => "TLSv1.3",
+ "MaxProtocol" => "TLSv1.3"
+ },
+ test => {
+ "ExpectedClientCertType" => "Ed448",
+ "ExpectedClientSignType" => "Ed448",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 ECDSA with brainpool",
+ server => {
+ "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
+ "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
+ "Groups" => "brainpoolP256r1",
+ },
+ client => {
+ "RequestCAFile" => test_pem("root-cert.pem"),
+ "Groups" => "brainpoolP256r1",
+ "MinProtocol" => "TLSv1.3",
+ "MaxProtocol" => "TLSv1.3"
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+);
+
+push @tests, @tests_tls_1_3 unless disabled("tls1_3");
+
+my @tests_dsa_tls_1_2 = (
+ {
+ name => "TLS 1.2 DSA Certificate Test",
+ server => {
+ "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
+ "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
+ "DHParameters" => test_pem("dhp2048.pem"),
+ "MinProtocol" => "TLSv1.2",
+ "MaxProtocol" => "TLSv1.2",
+ "CipherString" => "ALL",
+ },
+ client => {
+ "SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
+ "CipherString" => "ALL",
+ },
+ test => {
+ "ExpectedResult" => "Success"
+ },
+ },
+);
+
+my @tests_dsa_tls_1_3 = (
+ {
+ name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
+ server => {
+ "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
+ "VerifyCAFile" => test_pem("root-cert.pem"),
+ "VerifyMode" => "Request"
+ },
+ client => {},
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+ {
+ name => "TLS 1.3 DSA Certificate Test",
+ server => {
+ "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
+ "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
+ "MinProtocol" => "TLSv1.3",
+ "MaxProtocol" => "TLSv1.3",
+ "CipherString" => "ALL",
+ },
+ client => {
+ "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256:ECDSA+SHA256",
+ "CipherString" => "ALL",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+);
+
+if (!disabled("dsa")) {
+ push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
+ push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
+}