mirror of
https://github.com/openssl/openssl.git
synced 2024-12-13 03:53:44 +08:00
Add TLS 1.3 certificate selection tests.
For TLS 1.3 we select certificates with signature algorithms extension only. For ECDSA+SHA384 there is the additional restriction that the curve must be P-384: since the test uses P-256 this should fail. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2339)
This commit is contained in:
Dr. Stephen Henson
parent
612ca8067a
commit
53f0873714
@ -58,6 +58,7 @@ my %conf_dependent_tests = (
|
||||
"10-resumption.conf" => !$is_default_tls,
|
||||
"11-dtls_resumption.conf" => !$is_default_dtls,
|
||||
"19-mac-then-encrypt.conf" => !$is_default_tls,
|
||||
"20-cert-select.conf" => !$is_default_tls,
|
||||
);
|
||||
|
||||
# Add your test here if it should be skipped for some compile-time
|
||||
|
||||
@ -1,14 +1,15 @@
|
||||
# Generated with generate_ssl_tests.pl
|
||||
|
||||
num_tests = 7
|
||||
num_tests = 8
|
||||
|
||||
test-0 = 0-ECDSA CipherString Selection
|
||||
test-1 = 1-RSA CipherString Selection
|
||||
test-2 = 2-ECDSA CipherString Selection, no ECDSA certificate
|
||||
test-3 = 3-ECDSA Signature Algorithm Selection
|
||||
test-4 = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate
|
||||
test-5 = 5-RSA Signature Algorithm Selection
|
||||
test-6 = 6-RSA-PSS Signature Algorithm Selection
|
||||
test-4 = 4-ECDSA Signature Algorithm Selection SHA384
|
||||
test-5 = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate
|
||||
test-6 = 6-RSA Signature Algorithm Selection
|
||||
test-7 = 7-RSA-PSS Signature Algorithm Selection
|
||||
# ===========================================================
|
||||
|
||||
[0-ECDSA CipherString Selection]
|
||||
@ -120,38 +121,14 @@ ExpectedServerSignType = EC
|
||||
|
||||
# ===========================================================
|
||||
|
||||
[4-ECDSA Signature Algorithm Selection, no ECDSA certificate]
|
||||
ssl_conf = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl
|
||||
[4-ECDSA Signature Algorithm Selection SHA384]
|
||||
ssl_conf = 4-ECDSA Signature Algorithm Selection SHA384-ssl
|
||||
|
||||
[4-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl]
|
||||
server = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate-server
|
||||
client = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate-client
|
||||
[4-ECDSA Signature Algorithm Selection SHA384-ssl]
|
||||
server = 4-ECDSA Signature Algorithm Selection SHA384-server
|
||||
client = 4-ECDSA Signature Algorithm Selection SHA384-client
|
||||
|
||||
[4-ECDSA Signature Algorithm Selection, no ECDSA certificate-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
CipherString = DEFAULT
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
|
||||
[4-ECDSA Signature Algorithm Selection, no ECDSA certificate-client]
|
||||
CipherString = DEFAULT
|
||||
SignatureAlgorithms = ECDSA+SHA256
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
[test-4]
|
||||
ExpectedResult = ServerFail
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
||||
[5-RSA Signature Algorithm Selection]
|
||||
ssl_conf = 5-RSA Signature Algorithm Selection-ssl
|
||||
|
||||
[5-RSA Signature Algorithm Selection-ssl]
|
||||
server = 5-RSA Signature Algorithm Selection-server
|
||||
client = 5-RSA Signature Algorithm Selection-client
|
||||
|
||||
[5-RSA Signature Algorithm Selection-server]
|
||||
[4-ECDSA Signature Algorithm Selection SHA384-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
CipherString = DEFAULT
|
||||
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
|
||||
@ -159,13 +136,67 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
|
||||
MaxProtocol = TLSv1.2
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
|
||||
[5-RSA Signature Algorithm Selection-client]
|
||||
[4-ECDSA Signature Algorithm Selection SHA384-client]
|
||||
CipherString = DEFAULT
|
||||
SignatureAlgorithms = ECDSA+SHA384
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
[test-4]
|
||||
ExpectedResult = Success
|
||||
ExpectedServerCertType = P-256
|
||||
ExpectedServerSignHash = SHA384
|
||||
ExpectedServerSignType = EC
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
||||
[5-ECDSA Signature Algorithm Selection, no ECDSA certificate]
|
||||
ssl_conf = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl
|
||||
|
||||
[5-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl]
|
||||
server = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate-server
|
||||
client = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate-client
|
||||
|
||||
[5-ECDSA Signature Algorithm Selection, no ECDSA certificate-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
CipherString = DEFAULT
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
|
||||
[5-ECDSA Signature Algorithm Selection, no ECDSA certificate-client]
|
||||
CipherString = DEFAULT
|
||||
SignatureAlgorithms = ECDSA+SHA256
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
[test-5]
|
||||
ExpectedResult = ServerFail
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
||||
[6-RSA Signature Algorithm Selection]
|
||||
ssl_conf = 6-RSA Signature Algorithm Selection-ssl
|
||||
|
||||
[6-RSA Signature Algorithm Selection-ssl]
|
||||
server = 6-RSA Signature Algorithm Selection-server
|
||||
client = 6-RSA Signature Algorithm Selection-client
|
||||
|
||||
[6-RSA Signature Algorithm Selection-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
CipherString = DEFAULT
|
||||
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
|
||||
ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
|
||||
MaxProtocol = TLSv1.2
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
|
||||
[6-RSA Signature Algorithm Selection-client]
|
||||
CipherString = DEFAULT
|
||||
SignatureAlgorithms = RSA+SHA256
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
[test-5]
|
||||
[test-6]
|
||||
ExpectedResult = Success
|
||||
ExpectedServerCertType = RSA
|
||||
ExpectedServerSignHash = SHA256
|
||||
@ -174,14 +205,14 @@ ExpectedServerSignType = RSA
|
||||
|
||||
# ===========================================================
|
||||
|
||||
[6-RSA-PSS Signature Algorithm Selection]
|
||||
ssl_conf = 6-RSA-PSS Signature Algorithm Selection-ssl
|
||||
[7-RSA-PSS Signature Algorithm Selection]
|
||||
ssl_conf = 7-RSA-PSS Signature Algorithm Selection-ssl
|
||||
|
||||
[6-RSA-PSS Signature Algorithm Selection-ssl]
|
||||
server = 6-RSA-PSS Signature Algorithm Selection-server
|
||||
client = 6-RSA-PSS Signature Algorithm Selection-client
|
||||
[7-RSA-PSS Signature Algorithm Selection-ssl]
|
||||
server = 7-RSA-PSS Signature Algorithm Selection-server
|
||||
client = 7-RSA-PSS Signature Algorithm Selection-client
|
||||
|
||||
[6-RSA-PSS Signature Algorithm Selection-server]
|
||||
[7-RSA-PSS Signature Algorithm Selection-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
CipherString = DEFAULT
|
||||
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
|
||||
@ -189,13 +220,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
|
||||
MaxProtocol = TLSv1.2
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
|
||||
[6-RSA-PSS Signature Algorithm Selection-client]
|
||||
[7-RSA-PSS Signature Algorithm Selection-client]
|
||||
CipherString = DEFAULT
|
||||
SignatureAlgorithms = RSA-PSS+SHA256
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
[test-6]
|
||||
[test-7]
|
||||
ExpectedResult = Success
|
||||
ExpectedServerCertType = RSA
|
||||
ExpectedServerSignHash = SHA256
|
||||
|
||||
@ -2,20 +2,18 @@
|
||||
|
||||
## SSL test configurations
|
||||
|
||||
package ssltests;
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
|
||||
use OpenSSL::Test;
|
||||
use OpenSSL::Test::Utils qw(anydisabled);
|
||||
package ssltests;
|
||||
use OpenSSL::Test::Utils;
|
||||
|
||||
my $dir_sep = $^O ne "VMS" ? "/" : "";
|
||||
|
||||
my $server = {
|
||||
"ECDSA.Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}server-ecdsa-cert.pem",
|
||||
"ECDSA.PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}server-ecdsa-key.pem",
|
||||
# TODO(TLS1.3): add test cases for TLSv1.3
|
||||
"MaxProtocol" => "TLSv1.2"
|
||||
};
|
||||
|
||||
@ -67,6 +65,19 @@ our @tests = (
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "ECDSA Signature Algorithm Selection SHA384",
|
||||
server => $server,
|
||||
client => {
|
||||
"SignatureAlgorithms" => "ECDSA+SHA384",
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" => "P-256",
|
||||
"ExpectedServerSignHash" => "SHA384",
|
||||
"ExpectedServerSignType" => "EC",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
|
||||
server => { },
|
||||
@ -104,3 +115,88 @@ our @tests = (
|
||||
},
|
||||
}
|
||||
);
|
||||
|
||||
|
||||
my $server_tls_1_3 = {
|
||||
"ECDSA.Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}server-ecdsa-cert.pem",
|
||||
"ECDSA.PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}server-ecdsa-key.pem",
|
||||
"MinProtocol" => "TLSv1.3",
|
||||
"MaxProtocol" => "TLSv1.3"
|
||||
};
|
||||
|
||||
my @tests_tls_1_3 = (
|
||||
{
|
||||
name => "TLS 1.3 ECDSA Signature Algorithm Selection",
|
||||
server => $server_tls_1_3,
|
||||
client => {
|
||||
"SignatureAlgorithms" => "ECDSA+SHA256",
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" => "P-256",
|
||||
"ExpectedServerSignHash" => "SHA256",
|
||||
"ExpectedServerSignType" => "EC",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
|
||||
server => $server_tls_1_3,
|
||||
client => {
|
||||
"SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" => "P-256",
|
||||
"ExpectedServerSignHash" => "SHA256",
|
||||
"ExpectedServerSignType" => "EC",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
|
||||
server => $server_tls_1_3,
|
||||
client => {
|
||||
"SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" => "RSA",
|
||||
"ExpectedServerSignHash" => "SHA384",
|
||||
"ExpectedServerSignType" => "RSA-PSS",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
|
||||
server => { },
|
||||
client => {
|
||||
"SignatureAlgorithms" => "ECDSA+SHA256",
|
||||
},
|
||||
test => {
|
||||
"ExpectedResult" => "ServerFail"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
|
||||
server => $server_tls_1_3,
|
||||
client => {
|
||||
"SignatureAlgorithms" => "RSA+SHA256",
|
||||
},
|
||||
test => {
|
||||
"ExpectedResult" => "ServerFail"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
|
||||
server => $server_tls_1_3,
|
||||
client => {
|
||||
"SignatureAlgorithms" => "RSA-PSS+SHA256",
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" => "RSA",
|
||||
"ExpectedServerSignHash" => "SHA256",
|
||||
"ExpectedServerSignType" => "RSA-PSS",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
}
|
||||
);
|
||||
|
||||
push @tests, @tests_tls_1_3 unless disabled("tls1_3");
|
||||
|
||||
Loading…
Reference in New Issue
Block a user