Add TLS tests for RSA-PSS Restricted certificates

Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9553)
2019-08-08 11:41:18 +01:00 · 2019-08-08 11:41:18 +01:00 · 20946b9465
commit 20946b9465
parent 39d9ea5e50
2 changed files with 569 additions and 367 deletions
--- a/test/ssl-tests/20-cert-select.conf
+++ b/test/ssl-tests/20-cert-select.conf
--- a/test/ssl-tests/20-cert-select.conf.in
+++ b/test/ssl-tests/20-cert-select.conf.in
@ -36,6 +36,12 @@ my $server_pss_only = {
    "PrivateKey" => test_pem("server-pss-key.pem"),
 };

+my $server_pss_restrict_only = {
+    "Certificate" => test_pem("server-pss-restrict-cert.pem"),
+    "PrivateKey" => test_pem("server-pss-restrict-key.pem"),
+};
+
+
 my $server_rsa_all = {
    "PSS.Certificate" => test_pem("server-pss-cert.pem"),
    "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
@ -379,6 +385,19 @@ our @tests = (
            "ExpectedResult" => "Success"
        },
    },
+    {
+        name => "Only RSA-PSS Certificate Valid Signature Algorithms",
+        server => $server_pss_only,
+        client => {
+            "SignatureAlgorithms" => "rsa_pss_pss_sha512",
+        },
+        test   => {
+            "ExpectedServerCertType" => "RSA-PSS",
+            "ExpectedServerSignHash" => "SHA512",
+            "ExpectedServerSignType" => "RSA-PSS",
+            "ExpectedResult" => "Success"
+        },
+    },
    {
        name => "RSA-PSS Certificate, no PSS signature algorithms",
        server => $server_pss_only,
@ -389,6 +408,53 @@ our @tests = (
            "ExpectedResult" => "ServerFail"
        },
    },
+    {
+        name => "Only RSA-PSS Restricted Certificate",
+        server => $server_pss_restrict_only,
+        client => {},
+        test   => {
+            "ExpectedServerCertType" => "RSA-PSS",
+            "ExpectedServerSignHash" => "SHA256",
+            "ExpectedServerSignType" => "RSA-PSS",
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
+        name => "RSA-PSS Restricted Certificate Valid Signature Algorithms",
+        server => $server_pss_restrict_only,
+        client => {
+            "SignatureAlgorithms" => "rsa_pss_pss_sha256:rsa_pss_pss_sha512",
+        },
+        test   => {
+            "ExpectedServerCertType" => "RSA-PSS",
+            "ExpectedServerSignHash" => "SHA256",
+            "ExpectedServerSignType" => "RSA-PSS",
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
+        name => "RSA-PSS Restricted Cert client prefers invalid Signature Algorithm",
+        server => $server_pss_restrict_only,
+        client => {
+            "SignatureAlgorithms" => "rsa_pss_pss_sha512:rsa_pss_pss_sha256",
+        },
+        test   => {
+            "ExpectedServerCertType" => "RSA-PSS",
+            "ExpectedServerSignHash" => "SHA256",
+            "ExpectedServerSignType" => "RSA-PSS",
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
+        name => "RSA-PSS Restricted Certificate Invalid Signature Algorithms",
+        server => $server_pss_restrict_only,
+        client => {
+            "SignatureAlgorithms" => "rsa_pss_pss_sha512",
+        },
+        test   => {
+            "ExpectedResult" => "ServerFail"
+        },
+    },
    {
        name => "RSA key exchange with all RSA certificate types",
        server => $server_rsa_all,