20-cert-select.cnf.in@ 99507

最後變更在這個檔案從99507是 94320,由 vboxsync 提交於 3 年前
libs/openssl-3.0.1: Export to OSE and fix copyright headers in Makefiles, bugref:10128
檔案大小: 32.4 KB

行
1	# -- mode: perl; --
2
3	## SSL test configurations
4
5
6	use strict;
7	use warnings;
8
9	package ssltests;
10	use OpenSSL::Test::Utils;
11
12	our $fips_mode;
13	our $no_deflt_libctx;
14
15	my $server = {
16	"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
17	"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
18	"Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
19	"Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
20	"Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
21	"Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
22	"MaxProtocol" => "TLSv1.2"
23	};
24
25	my $server_pss = {
26	"PSS.Certificate" => test_pem("server-pss-cert.pem"),
27	"PSS.PrivateKey" => test_pem("server-pss-key.pem"),
28	"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
29	"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
30	"Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
31	"Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
32	"Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
33	"Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
34	"MaxProtocol" => "TLSv1.2"
35	};
36
37	my $server_pss_only = {
38	"Certificate" => test_pem("server-pss-cert.pem"),
39	"PrivateKey" => test_pem("server-pss-key.pem"),
40	};
41
42	my $server_pss_restrict_only = {
43	"Certificate" => test_pem("server-pss-restrict-cert.pem"),
44	"PrivateKey" => test_pem("server-pss-restrict-key.pem"),
45	};
46
47	my $server_rsa_all;
48
49	if ($no_deflt_libctx) {
50	$server_rsa_all = {
51	"Certificate" => test_pem("servercert.pem"),
52	"PrivateKey" => test_pem("serverkey.pem"),
53	};
54	} else {
55	$server_rsa_all = {
56	"PSS.Certificate" => test_pem("server-pss-cert.pem"),
57	"PSS.PrivateKey" => test_pem("server-pss-key.pem"),
58	"Certificate" => test_pem("servercert.pem"),
59	"PrivateKey" => test_pem("serverkey.pem"),
60	};
61	}
62
63	our @tests = (
64	{
65	name => "ECDSA CipherString Selection",
66	server => $server,
67	client => {
68	"CipherString" => "aECDSA",
69	"MaxProtocol" => "TLSv1.2",
70	"RequestCAFile" => test_pem("root-cert.pem"),
71	},
72	test => {
73	"ExpectedServerCertType" =>, "P-256",
74	"ExpectedServerSignType" =>, "EC",
75	# Note: certificate_authorities not sent for TLS < 1.3
76	"ExpectedServerCANames" =>, "empty",
77	"ExpectedResult" => "Success"
78	},
79	},
80	{
81	name => "ECDSA CipherString Selection",
82	server => {
83	"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
84	"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
85	"MaxProtocol" => "TLSv1.2",
86	#Deliberately set supported_groups to one not in the cert. This
87	#should be tolerated
88	"Groups" => "P-384"
89	},
90	client => {
91	"CipherString" => "aECDSA",
92	"MaxProtocol" => "TLSv1.2",
93	"Groups" => "P-256:P-384",
94	"RequestCAFile" => test_pem("root-cert.pem"),
95	},
96	test => {
97	"ExpectedServerCertType" =>, "P-256",
98	"ExpectedServerSignType" =>, "EC",
99	# Note: certificate_authorities not sent for TLS < 1.3
100	"ExpectedServerCANames" =>, "empty",
101	"ExpectedResult" => "Success"
102	},
103	},
104	{
105	name => "ECDSA CipherString Selection",
106	server => {
107	"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
108	"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
109	"MaxProtocol" => "TLSv1.2",
110	"Groups" => "P-256:P-384"
111	},
112	client => {
113	"CipherString" => "aECDSA",
114	"MaxProtocol" => "TLSv1.2",
115	#Deliberately set groups to not include the certificate group. This
116	#should fail
117	"Groups" => "P-384",
118	"RequestCAFile" => test_pem("root-cert.pem"),
119	},
120	test => {
121	"ExpectedResult" => "ServerFail"
122	},
123	},
124	{
125	name => "RSA CipherString Selection",
126	server => $server,
127	client => {
128	"CipherString" => "aRSA",
129	"MaxProtocol" => "TLSv1.2",
130	},
131	test => {
132	"ExpectedServerCertType" =>, "RSA",
133	"ExpectedServerSignType" =>, "RSA-PSS",
134	"ExpectedResult" => "Success"
135	},
136	},
137	{
138	name => "P-256 CipherString and Signature Algorithm Selection",
139	server => $server,
140	client => {
141	"CipherString" => "aECDSA",
142	"MaxProtocol" => "TLSv1.2",
143	"SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
144	},
145	test => {
146	"ExpectedServerCertType" => "P-256",
147	"ExpectedServerSignHash" => "SHA256",
148	"ExpectedServerSignType" => "EC",
149	"ExpectedResult" => "Success"
150	},
151	},
152	{
153	name => "ECDSA CipherString Selection, no ECDSA certificate",
154	server => {
155	"MaxProtocol" => "TLSv1.2"
156	},
157	client => {
158	"CipherString" => "aECDSA",
159	"MaxProtocol" => "TLSv1.2"
160	},
161	test => {
162	"ExpectedResult" => "ServerFail"
163	},
164	},
165	{
166	name => "ECDSA Signature Algorithm Selection",
167	server => $server,
168	client => {
169	"SignatureAlgorithms" => "ECDSA+SHA256",
170	},
171	test => {
172	"ExpectedServerCertType" => "P-256",
173	"ExpectedServerSignHash" => "SHA256",
174	"ExpectedServerSignType" => "EC",
175	"ExpectedResult" => "Success"
176	},
177	},
178	{
179	name => "ECDSA Signature Algorithm Selection SHA384",
180	server => $server,
181	client => {
182	"SignatureAlgorithms" => "ECDSA+SHA384",
183	},
184	test => {
185	"ExpectedServerCertType" => "P-256",
186	"ExpectedServerSignHash" => "SHA384",
187	"ExpectedServerSignType" => "EC",
188	"ExpectedResult" => "Success"
189	},
190	},
191	{
192	name => "ECDSA Signature Algorithm Selection compressed point",
193	server => {
194	"ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
195	"ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
196	"MaxProtocol" => "TLSv1.2"
197	},
198	client => {
199	"SignatureAlgorithms" => "ECDSA+SHA256",
200	},
201	test => {
202	"ExpectedServerCertType" => "P-256",
203	"ExpectedServerSignHash" => "SHA256",
204	"ExpectedServerSignType" => "EC",
205	"ExpectedResult" => "Success"
206	},
207	},
208	{
209	name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
210	server => {
211	"MaxProtocol" => "TLSv1.2"
212	},
213	client => {
214	"SignatureAlgorithms" => "ECDSA+SHA256",
215	},
216	test => {
217	"ExpectedResult" => "ServerFail"
218	},
219	},
220	{
221	name => "RSA Signature Algorithm Selection",
222	server => $server,
223	client => {
224	"SignatureAlgorithms" => "RSA+SHA256",
225	},
226	test => {
227	"ExpectedServerCertType" => "RSA",
228	"ExpectedServerSignHash" => "SHA256",
229	"ExpectedServerSignType" => "RSA",
230	"ExpectedResult" => "Success"
231	},
232	},
233	{
234	name => "RSA-PSS Signature Algorithm Selection",
235	server => $server,
236	client => {
237	"SignatureAlgorithms" => "RSA-PSS+SHA256",
238	},
239	test => {
240	"ExpectedServerCertType" => "RSA",
241	"ExpectedServerSignHash" => "SHA256",
242	"ExpectedServerSignType" => "RSA-PSS",
243	"ExpectedResult" => "Success"
244	},
245	},
246	{
247	name => "RSA key exchange with all RSA certificate types",
248	server => $server_rsa_all,
249	client => {
250	"CipherString" => "kRSA",
251	"MaxProtocol" => "TLSv1.2",
252	},
253	test => {
254	"ExpectedServerCertType" =>, "RSA",
255	"ExpectedResult" => "Success"
256	},
257	},
258	{
259	name => "Suite B P-256 Hash Algorithm Selection",
260	server => {
261	"ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
262	"ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
263	"MaxProtocol" => "TLSv1.2",
264	"CipherString" => "SUITEB128"
265	},
266	client => {
267	"VerifyCAFile" => test_pem("p384-root.pem"),
268	"SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
269	},
270	test => {
271	"ExpectedServerCertType" => "P-256",
272	"ExpectedServerSignHash" => "SHA256",
273	"ExpectedServerSignType" => "EC",
274	"ExpectedResult" => "Success"
275	},
276	},
277	{
278	name => "Suite B P-384 Hash Algorithm Selection",
279	server => {
280	"ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
281	"ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
282	"MaxProtocol" => "TLSv1.2",
283	"CipherString" => "SUITEB128"
284	},
285	client => {
286	"VerifyCAFile" => test_pem("p384-root.pem"),
287	"SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
288	},
289	test => {
290	"ExpectedServerCertType" => "P-384",
291	"ExpectedServerSignHash" => "SHA384",
292	"ExpectedServerSignType" => "EC",
293	"ExpectedResult" => "Success"
294	},
295	},
296	{
297	name => "Ed25519 CipherString and Signature Algorithm Selection",
298	server => $server,
299	client => {
300	"CipherString" => "aECDSA",
301	"MaxProtocol" => "TLSv1.2",
302	"SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
303	"RequestCAFile" => test_pem("root-cert.pem"),
304	},
305	test => {
306	"ExpectedServerCertType" =>, "Ed25519",
307	"ExpectedServerSignType" =>, "Ed25519",
308	# Note: certificate_authorities not sent for TLS < 1.3
309	"ExpectedServerCANames" =>, "empty",
310	"ExpectedResult" => "Success"
311	},
312	},
313	{
314	name => "Ed448 CipherString and Signature Algorithm Selection",
315	server => $server,
316	client => {
317	"CipherString" => "aECDSA",
318	"MaxProtocol" => "TLSv1.2",
319	"SignatureAlgorithms" => "ed448:ECDSA+SHA256",
320	"RequestCAFile" => test_pem("root-ed448-cert.pem"),
321	"VerifyCAFile" => test_pem("root-ed448-cert.pem"),
322	},
323	test => {
324	"ExpectedServerCertType" =>, "Ed448",
325	"ExpectedServerSignType" =>, "Ed448",
326	# Note: certificate_authorities not sent for TLS < 1.3
327	"ExpectedServerCANames" =>, "empty",
328	"ExpectedResult" => "Success"
329	},
330	},
331	{
332	name => "Ed25519 CipherString and Curves Selection",
333	server => $server,
334	client => {
335	"CipherString" => "aECDSA",
336	"MaxProtocol" => "TLSv1.2",
337	"SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
338	# Excluding P-256 from the supported curves list means server
339	# certificate should be Ed25519 and not P-256
340	"Curves" => "X25519"
341	},
342	test => {
343	"ExpectedServerCertType" =>, "Ed25519",
344	"ExpectedServerSignType" =>, "Ed25519",
345	"ExpectedResult" => "Success"
346	},
347	},
348	{
349	name => "Ed448 CipherString and Curves Selection",
350	server => $server,
351	client => {
352	"CipherString" => "aECDSA",
353	"MaxProtocol" => "TLSv1.2",
354	"SignatureAlgorithms" => "ECDSA+SHA256:ed448",
355	"VerifyCAFile" => test_pem("root-ed448-cert.pem"),
356	# Excluding P-256 from the supported curves list means server
357	# certificate should be Ed25519 and not P-256
358	"Curves" => "X448"
359	},
360	test => {
361	"ExpectedServerCertType" =>, "Ed448",
362	"ExpectedServerSignType" =>, "Ed448",
363	"ExpectedResult" => "Success"
364	},
365	},
366	{
367	name => "TLS 1.2 Ed25519 Client Auth",
368	server => {
369	"VerifyCAFile" => test_pem("root-cert.pem"),
370	"VerifyMode" => "Require"
371	},
372	client => {
373	"Ed25519.Certificate" => test_pem("client-ed25519-cert.pem"),
374	"Ed25519.PrivateKey" => test_pem("client-ed25519-key.pem"),
375	"MinProtocol" => "TLSv1.2",
376	"MaxProtocol" => "TLSv1.2"
377	},
378	test => {
379	"ExpectedClientCertType" => "Ed25519",
380	"ExpectedClientSignType" => "Ed25519",
381	"ExpectedResult" => "Success"
382	},
383	},
384	{
385	name => "TLS 1.2 Ed448 Client Auth",
386	server => {
387	"VerifyCAFile" => test_pem("root-cert.pem"),
388	"VerifyMode" => "Require"
389	},
390	client => {
391	"Ed448.Certificate" => test_pem("client-ed448-cert.pem"),
392	"Ed448.PrivateKey" => test_pem("client-ed448-key.pem"),
393	"MinProtocol" => "TLSv1.2",
394	"MaxProtocol" => "TLSv1.2"
395	},
396	test => {
397	"ExpectedClientCertType" => "Ed448",
398	"ExpectedClientSignType" => "Ed448",
399	"ExpectedResult" => "Success"
400	},
401	},
402	);
403
404	my @tests_non_fips = (
405	{
406	name => "ECDSA Signature Algorithm Selection SHA1",
407	server => {
408	"CipherString" => "DEFAULT:\@SECLEVEL=0",
409	"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
410	"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
411	"Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
412	"Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
413	"Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
414	"Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
415	"MaxProtocol" => "TLSv1.2"
416	},
417	client => {
418	"CipherString" => "DEFAULT:\@SECLEVEL=0",
419	"SignatureAlgorithms" => "ECDSA+SHA1",
420	},
421	test => {
422	"ExpectedServerCertType" => "P-256",
423	"ExpectedServerSignHash" => "SHA1",
424	"ExpectedServerSignType" => "EC",
425	"ExpectedResult" => "Success"
426	},
427	},
428	{
429	name => "ECDSA with brainpool",
430	server => {
431	"Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
432	"PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
433	"Groups" => "brainpoolP256r1",
434	},
435	client => {
436	"MaxProtocol" => "TLSv1.2",
437	"CipherString" => "aECDSA",
438	"RequestCAFile" => test_pem("root-cert.pem"),
439	"Groups" => "brainpoolP256r1",
440	},
441	test => {
442	"ExpectedServerCertType" =>, "brainpoolP256r1",
443	"ExpectedServerSignType" =>, "EC",
444	# Note: certificate_authorities not sent for TLS < 1.3
445	"ExpectedServerCANames" =>, "empty",
446	"ExpectedResult" => "Success"
447	},
448	},
449	);
450
451	my @tests_pss = (
452	{
453	name => "RSA-PSS Certificate CipherString Selection",
454	server => $server_pss,
455	client => {
456	"CipherString" => "aRSA",
457	"MaxProtocol" => "TLSv1.2",
458	},
459	test => {
460	"ExpectedServerCertType" =>, "RSA-PSS",
461	"ExpectedServerSignType" =>, "RSA-PSS",
462	"ExpectedResult" => "Success"
463	},
464	},
465	{
466	name => "RSA-PSS Certificate Legacy Signature Algorithm Selection",
467	server => $server_pss,
468	client => {
469	"SignatureAlgorithms" => "RSA-PSS+SHA256",
470	},
471	test => {
472	"ExpectedServerCertType" => "RSA",
473	"ExpectedServerSignHash" => "SHA256",
474	"ExpectedServerSignType" => "RSA-PSS",
475	"ExpectedResult" => "Success"
476	},
477	},
478	{
479	name => "RSA-PSS Certificate Unified Signature Algorithm Selection",
480	server => $server_pss,
481	client => {
482	"SignatureAlgorithms" => "rsa_pss_pss_sha256",
483	},
484	test => {
485	"ExpectedServerCertType" => "RSA-PSS",
486	"ExpectedServerSignHash" => "SHA256",
487	"ExpectedServerSignType" => "RSA-PSS",
488	"ExpectedResult" => "Success"
489	},
490	},
491	{
492	name => "Only RSA-PSS Certificate",
493	server => $server_pss_only,
494	client => {},
495	test => {
496	"ExpectedServerCertType" => "RSA-PSS",
497	"ExpectedServerSignHash" => "SHA256",
498	"ExpectedServerSignType" => "RSA-PSS",
499	"ExpectedResult" => "Success"
500	},
501	},
502	{
503	name => "Only RSA-PSS Certificate Valid Signature Algorithms",
504	server => $server_pss_only,
505	client => {
506	"SignatureAlgorithms" => "rsa_pss_pss_sha512",
507	},
508	test => {
509	"ExpectedServerCertType" => "RSA-PSS",
510	"ExpectedServerSignHash" => "SHA512",
511	"ExpectedServerSignType" => "RSA-PSS",
512	"ExpectedResult" => "Success"
513	},
514	},
515	{
516	name => "RSA-PSS Certificate, no PSS signature algorithms",
517	server => $server_pss_only,
518	client => {
519	"SignatureAlgorithms" => "RSA+SHA256",
520	},
521	test => {
522	"ExpectedResult" => "ServerFail"
523	},
524	},
525	{
526	name => "Only RSA-PSS Restricted Certificate",
527	server => $server_pss_restrict_only,
528	client => {},
529	test => {
530	"ExpectedServerCertType" => "RSA-PSS",
531	"ExpectedServerSignHash" => "SHA256",
532	"ExpectedServerSignType" => "RSA-PSS",
533	"ExpectedResult" => "Success"
534	},
535	},
536	{
537	name => "RSA-PSS Restricted Certificate Valid Signature Algorithms",
538	server => $server_pss_restrict_only,
539	client => {
540	"SignatureAlgorithms" => "rsa_pss_pss_sha256:rsa_pss_pss_sha512",
541	},
542	test => {
543	"ExpectedServerCertType" => "RSA-PSS",
544	"ExpectedServerSignHash" => "SHA256",
545	"ExpectedServerSignType" => "RSA-PSS",
546	"ExpectedResult" => "Success"
547	},
548	},
549	{
550	name => "RSA-PSS Restricted Cert client prefers invalid Signature Algorithm",
551	server => $server_pss_restrict_only,
552	client => {
553	"SignatureAlgorithms" => "rsa_pss_pss_sha512:rsa_pss_pss_sha256",
554	},
555	test => {
556	"ExpectedServerCertType" => "RSA-PSS",
557	"ExpectedServerSignHash" => "SHA256",
558	"ExpectedServerSignType" => "RSA-PSS",
559	"ExpectedResult" => "Success"
560	},
561	},
562	{
563	name => "RSA-PSS Restricted Certificate Invalid Signature Algorithms",
564	server => $server_pss_restrict_only,
565	client => {
566	"SignatureAlgorithms" => "rsa_pss_pss_sha512",
567	},
568	test => {
569	"ExpectedResult" => "ServerFail"
570	},
571	},
572	{
573	name => "RSA key exchange with only RSA-PSS certificate",
574	server => $server_pss_only,
575	client => {
576	"CipherString" => "kRSA",
577	"MaxProtocol" => "TLSv1.2",
578	},
579	test => {
580	"ExpectedResult" => "ServerFail"
581	},
582	},
583	);
584
585	my @tests_tls_1_1 = (
586	{
587	name => "Only RSA-PSS Certificate, TLS v1.1",
588	server => $server_pss_only,
589	client => {
590	"MaxProtocol" => "TLSv1.1",
591	},
592	test => {
593	"ExpectedResult" => "ServerFail"
594	},
595	},
596	);
597
598	push @tests, @tests_non_fips unless $fips_mode;
599	push @tests, @tests_pss;
600	push @tests, @tests_tls_1_1 unless disabled("tls1_1") \|\| $no_deflt_libctx;
601
602	my $server_tls_1_3;
603
604	if ($fips_mode) {
605	$server_tls_1_3 = {
606	"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
607	"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
608	"MinProtocol" => "TLSv1.3",
609	"MaxProtocol" => "TLSv1.3"
610	};
611	} else {
612	$server_tls_1_3 = {
613	"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
614	"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
615	"Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
616	"Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
617	"Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
618	"Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
619	"MinProtocol" => "TLSv1.3",
620	"MaxProtocol" => "TLSv1.3"
621	};
622	}
623
624	my $client_tls_1_3 = {
625	"RSA.Certificate" => test_pem("ee-client-chain.pem"),
626	"RSA.PrivateKey" => test_pem("ee-key.pem"),
627	"ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
628	"ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"),
629	"MinProtocol" => "TLSv1.3",
630	"MaxProtocol" => "TLSv1.3"
631	};
632
633	my @tests_tls_1_3 = (
634	{
635	name => "TLS 1.3 ECDSA Signature Algorithm Selection",
636	server => $server_tls_1_3,
637	client => {
638	"SignatureAlgorithms" => "ECDSA+SHA256",
639	},
640	test => {
641	"ExpectedServerCertType" => "P-256",
642	"ExpectedServerSignHash" => "SHA256",
643	"ExpectedServerSignType" => "EC",
644	"ExpectedServerCANames" => "empty",
645	"ExpectedResult" => "Success"
646	},
647	},
648	{
649	name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point",
650	server => {
651	"ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
652	"ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
653	"MinProtocol" => "TLSv1.3",
654	"MaxProtocol" => "TLSv1.3"
655	},
656	client => {
657	"SignatureAlgorithms" => "ECDSA+SHA256",
658	},
659	test => {
660	"ExpectedServerCertType" => "P-256",
661	"ExpectedServerSignHash" => "SHA256",
662	"ExpectedServerSignType" => "EC",
663	"ExpectedServerCANames" => "empty",
664	"ExpectedResult" => "Success"
665	},
666	},
667	{
668	name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1",
669	server => {
670	"CipherString" => "DEFAULT:\@SECLEVEL=0",
671	"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
672	"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
673	"Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
674	"Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
675	"Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
676	"Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
677	"MinProtocol" => "TLSv1.3",
678	"MaxProtocol" => "TLSv1.3"
679	},
680	client => {
681	"CipherString" => "DEFAULT:\@SECLEVEL=0",
682	"SignatureAlgorithms" => "ECDSA+SHA1",
683	},
684	test => {
685	"ExpectedResult" => "ServerFail"
686	},
687	},
688	{
689	name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
690	server => $server_tls_1_3,
691	client => {
692	"SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
693	"RequestCAFile" => test_pem("root-cert.pem"),
694	},
695	test => {
696	"ExpectedServerCertType" => "P-256",
697	"ExpectedServerSignHash" => "SHA256",
698	"ExpectedServerSignType" => "EC",
699	"ExpectedServerCANames" => test_pem("root-cert.pem"),
700	"ExpectedResult" => "Success"
701	},
702	},
703	{
704	name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
705	server => $server_tls_1_3,
706	client => {
707	"SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
708	},
709	test => {
710	"ExpectedServerCertType" => "RSA",
711	"ExpectedServerSignHash" => "SHA384",
712	"ExpectedServerSignType" => "RSA-PSS",
713	"ExpectedResult" => "Success"
714	},
715	},
716	{
717	name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
718	server => {
719	"MinProtocol" => "TLSv1.3",
720	"MaxProtocol" => "TLSv1.3"
721	},
722	client => {
723	"SignatureAlgorithms" => "ECDSA+SHA256",
724	},
725	test => {
726	"ExpectedResult" => "ServerFail"
727	},
728	},
729	{
730	name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
731	server => $server_tls_1_3,
732	client => {
733	"SignatureAlgorithms" => "RSA+SHA256",
734	},
735	test => {
736	"ExpectedResult" => "ServerFail"
737	},
738	},
739	{
740	name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
741	server => $server_tls_1_3,
742	client => {
743	"SignatureAlgorithms" => "RSA-PSS+SHA256",
744	},
745	test => {
746	"ExpectedServerCertType" => "RSA",
747	"ExpectedServerSignHash" => "SHA256",
748	"ExpectedServerSignType" => "RSA-PSS",
749	"ExpectedResult" => "Success"
750	},
751	},
752	{
753	name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
754	server => {
755	"ClientSignatureAlgorithms" => "PSS+SHA256",
756	"VerifyCAFile" => test_pem("root-cert.pem"),
757	"VerifyMode" => "Require"
758	},
759	client => $client_tls_1_3,
760	test => {
761	"ExpectedClientCertType" => "RSA",
762	"ExpectedClientSignHash" => "SHA256",
763	"ExpectedClientSignType" => "RSA-PSS",
764	"ExpectedClientCANames" => "empty",
765	"ExpectedResult" => "Success"
766	},
767	},
768	{
769	name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
770	server => {
771	"ClientSignatureAlgorithms" => "PSS+SHA256",
772	"VerifyCAFile" => test_pem("root-cert.pem"),
773	"RequestCAFile" => test_pem("root-cert.pem"),
774	"VerifyMode" => "Require"
775	},
776	client => $client_tls_1_3,
777	test => {
778	"ExpectedClientCertType" => "RSA",
779	"ExpectedClientSignHash" => "SHA256",
780	"ExpectedClientSignType" => "RSA-PSS",
781	"ExpectedClientCANames" => test_pem("root-cert.pem"),
782	"ExpectedResult" => "Success"
783	},
784	},
785	{
786	name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
787	server => {
788	"ClientSignatureAlgorithms" => "ECDSA+SHA256",
789	"VerifyCAFile" => test_pem("root-cert.pem"),
790	"VerifyMode" => "Require"
791	},
792	client => $client_tls_1_3,
793	test => {
794	"ExpectedClientCertType" => "P-256",
795	"ExpectedClientSignHash" => "SHA256",
796	"ExpectedClientSignType" => "EC",
797	"ExpectedResult" => "Success"
798	},
799	},
800	);
801
802	my @tests_tls_1_3_non_fips = (
803	{
804	name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
805	server => $server_tls_1_3,
806	client => {
807	"SignatureAlgorithms" => "ed25519",
808	},
809	test => {
810	"ExpectedServerCertType" => "Ed25519",
811	"ExpectedServerSignType" => "Ed25519",
812	"ExpectedResult" => "Success"
813	},
814	},
815	{
816	name => "TLS 1.3 Ed448 Signature Algorithm Selection",
817	server => $server_tls_1_3,
818	client => {
819	"SignatureAlgorithms" => "ed448",
820	"VerifyCAFile" => test_pem("root-ed448-cert.pem"),
821	},
822	test => {
823	"ExpectedServerCertType" => "Ed448",
824	"ExpectedServerSignType" => "Ed448",
825	"ExpectedResult" => "Success"
826	},
827	},
828	{
829	name => "TLS 1.3 Ed25519 CipherString and Groups Selection",
830	server => $server_tls_1_3,
831	client => {
832	"SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
833	# Excluding P-256 from the supported groups list should
834	# mean server still uses a P-256 certificate because supported
835	# groups is not used in signature selection for TLS 1.3
836	"Groups" => "X25519"
837	},
838	test => {
839	"ExpectedServerCertType" =>, "P-256",
840	"ExpectedServerSignType" =>, "EC",
841	"ExpectedResult" => "Success"
842	},
843	},
844	{
845	name => "TLS 1.3 Ed448 CipherString and Groups Selection",
846	server => $server_tls_1_3,
847	client => {
848	"SignatureAlgorithms" => "ECDSA+SHA256:ed448",
849	# Excluding P-256 from the supported groups list should
850	# mean server still uses a P-256 certificate because supported
851	# groups is not used in signature selection for TLS 1.3
852	"Groups" => "X448"
853	},
854	test => {
855	"ExpectedServerCertType" =>, "P-256",
856	"ExpectedServerSignType" =>, "EC",
857	"ExpectedResult" => "Success"
858	},
859	},
860	{
861	name => "TLS 1.3 Ed25519 Client Auth",
862	server => {
863	"VerifyCAFile" => test_pem("root-cert.pem"),
864	"VerifyMode" => "Require"
865	},
866	client => {
867	"EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
868	"EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
869	"MinProtocol" => "TLSv1.3",
870	"MaxProtocol" => "TLSv1.3"
871	},
872	test => {
873	"ExpectedClientCertType" => "Ed25519",
874	"ExpectedClientSignType" => "Ed25519",
875	"ExpectedResult" => "Success"
876	},
877	},
878	{
879	name => "TLS 1.3 Ed448 Client Auth",
880	server => {
881	"VerifyCAFile" => test_pem("root-cert.pem"),
882	"VerifyMode" => "Require"
883	},
884	client => {
885	"EdDSA.Certificate" => test_pem("client-ed448-cert.pem"),
886	"EdDSA.PrivateKey" => test_pem("client-ed448-key.pem"),
887	"MinProtocol" => "TLSv1.3",
888	"MaxProtocol" => "TLSv1.3"
889	},
890	test => {
891	"ExpectedClientCertType" => "Ed448",
892	"ExpectedClientSignType" => "Ed448",
893	"ExpectedResult" => "Success"
894	},
895	},
896	{
897	name => "TLS 1.3 ECDSA with brainpool but no suitable groups",
898	server => {
899	"Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
900	"PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
901	"Groups" => "brainpoolP256r1",
902	},
903	client => {
904	"CipherString" => "aECDSA",
905	"RequestCAFile" => test_pem("root-cert.pem"),
906	"Groups" => "brainpoolP256r1",
907	},
908	test => {
909	#We only configured brainpoolP256r1 on the client side, but TLSv1.3
910	#is enabled and this group is not allowed in TLSv1.3. Therefore this
911	#should fail
912	"ExpectedResult" => "ClientFail"
913	},
914	},
915	{
916	name => "TLS 1.3 ECDSA with brainpool",
917	server => {
918	"Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
919	"PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
920	},
921	client => {
922	"RequestCAFile" => test_pem("root-cert.pem"),
923	"MinProtocol" => "TLSv1.3",
924	"MaxProtocol" => "TLSv1.3"
925	},
926	test => {
927	"ExpectedResult" => "ServerFail"
928	},
929	},
930	);
931
932	push @tests, @tests_tls_1_3 unless disabled("tls1_3");
933	push @tests, @tests_tls_1_3_non_fips unless disabled("tls1_3") \|\| $fips_mode;
934
935	my @tests_dsa_tls_1_2 = (
936	{
937	name => "TLS 1.2 DSA Certificate Test",
938	server => {
939	"DSA.Certificate" => test_pem("server-dsa-cert.pem"),
940	"DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
941	"DHParameters" => test_pem("dhp2048.pem"),
942	"MinProtocol" => "TLSv1.2",
943	"MaxProtocol" => "TLSv1.2",
944	"CipherString" => "ALL",
945	},
946	client => {
947	"SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
948	"CipherString" => "ALL",
949	},
950	test => {
951	"ExpectedResult" => "Success"
952	},
953	},
954	);
955
956	my @tests_dsa_tls_1_3 = (
957	{
958	name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
959	server => {
960	"ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
961	"VerifyCAFile" => test_pem("root-cert.pem"),
962	"VerifyMode" => "Request"
963	},
964	client => {},
965	test => {
966	"ExpectedResult" => "ServerFail"
967	},
968	},
969	{
970	name => "TLS 1.3 DSA Certificate Test",
971	server => {
972	"DSA.Certificate" => test_pem("server-dsa-cert.pem"),
973	"DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
974	"MinProtocol" => "TLSv1.3",
975	"MaxProtocol" => "TLSv1.3",
976	"CipherString" => "ALL",
977	},
978	client => {
979	"SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256:ECDSA+SHA256",
980	"CipherString" => "ALL",
981	},
982	test => {
983	"ExpectedResult" => "ServerFail"
984	},
985	},
986	);
987
988	if (!disabled("dsa")) {
989	push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
990	push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
991	}

注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

以其他格式下載:

原來格式