From 63936115e8e70ac36fc865ea32830dc93a7a5157 Mon Sep 17 00:00:00 2001 From: Emilia Kasper Date: Tue, 31 May 2016 16:42:58 +0200 Subject: [PATCH] Update client authentication tests Port client auth tests to the new framework, add coverage. The old tests were only testing success, and only for some protocol versions; the new tests add all protocol versions and various failure modes. Reviewed-by: Rich Salz --- test/certs/ee-client-chain.pem | 37 ++ test/recipes/80-test_ssl_new.t | 2 +- test/recipes/80-test_ssl_old.t | 89 ++-- test/ssl-tests/04-client_auth.conf | 602 ++++++++++++++++++++++++++ test/ssl-tests/04-client_auth.conf.in | 109 +++++ 5 files changed, 778 insertions(+), 61 deletions(-) create mode 100644 test/certs/ee-client-chain.pem create mode 100644 test/ssl-tests/04-client_auth.conf create mode 100644 test/ssl-tests/04-client_auth.conf.in diff --git a/test/certs/ee-client-chain.pem b/test/certs/ee-client-chain.pem new file mode 100644 index 0000000000..27652fa29a --- /dev/null +++ b/test/certs/ee-client-chain.pem @@ -0,0 +1,37 @@ +-----BEGIN CERTIFICATE----- +MIIDIDCCAgigAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg +Fw0xNjAxMTUwODE5NTBaGA8yMTE2MDExNjA4MTk1MFowGTEXMBUGA1UEAwwOc2Vy +dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY +YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT +5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l +Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 +U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 +ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn +iIQPYf55NB9KiR+3AgMBAAGjfTB7MB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi +l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA +MBMGA1UdJQQMMAoGCCsGAQUFBwMCMBkGA1UdEQQSMBCCDnNlcnZlci5leGFtcGxl +MA0GCSqGSIb3DQEBCwUAA4IBAQB+x23yjviJ9/n0G65xjntoPCLpsZtqId+WvN/9 +sXGqRZyAnBWPFpWrf9qXdxXZpTw7KRfywnEVsUQP12XKCc9JH4tG4l/wCDaHi9qO +pLstQskcXk40gWaU83ojjchdtDFBaxR5KxC83SR669Rw9mn66bWz/6zpK9VYohVh +A5/3RqteQaeQETFbZdlb6e7jAjiGp6DmAiH/WLrVvMY8k0z81TD0+UjJqI9097mF +VtNX0l+46/tR4zvyA4yYqxK+L8M57SjfwxvwUpDxxVVnRsf3kHhudeAc+UDWzqws +n5P71o+AfbkYzhHsSFIZyYUnGv+JApFpcGEMEiHL2iBhCRdx +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIC7DCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjANMQswCQYDVQQD +DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd +j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz +n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W +l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l +YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc +ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 +CLNNsUcCAwEAAaNQME4wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G +A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ +KoZIhvcNAQELBQADggEBADnZ9uXGAdwfNC3xuERIlBwgLROeBRGgcfHWdXZB/tWk +IM9ox88wYKWynanPbra4n0zhepooKt+naeY2HLR8UgwT6sTi0Yfld9mjytA8/DP6 +AcqtIDDf60vNI00sgxjgZqofVayA9KShzIPzjBec4zI1sg5YzoSNyH28VXFstEpi +8CVtmRYQHhc2gDI9MGge4sHRYwaIFkegzpwcEUnp6tTVe9ZvHawgsXF/rCGfH4M6 +uNO0D+9Md1bdW7382yOtWbkyibsugqnfBYCUH6hAhDlfYzpba2Smb0roc6Crq7HR +5HpEYY6qEir9wFMkD5MZsWrNRGRuzd5am82J+aaHz/4= +-----END CERTIFICATE----- diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t index 2bce02aa49..d432d1a5e8 100644 --- a/test/recipes/80-test_ssl_new.t +++ b/test/recipes/80-test_ssl_new.t @@ -42,7 +42,7 @@ foreach my $conf (@conf_files) { # We hard-code the number of tests to double-check that the globbing above # finds all files as expected. -plan tests => 3; # = scalar @conf_srcs +plan tests => 4; # = scalar @conf_srcs sub test_conf { plan tests => 3; diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t index b41e67a2ac..74d4360c94 100644 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t @@ -311,11 +311,8 @@ sub testss { } sub testssl { - my $key = shift || bldtop_file("apps","server.pem"); - my $cert = shift || bldtop_file("apps","server.pem"); - my $CAtmp = shift; + my ($key, $cert, $CAtmp) = @_; my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", bldtop_dir("certs")); - my @extra = @_; my @ssltest = ("ssltest_old", "-s_key", $key, "-s_cert", $cert, @@ -334,47 +331,19 @@ sub testssl { subtest 'standard SSL tests' => sub { ###################################################################### - plan tests => 29; + plan tests => 21; SKIP: { skip "SSLv3 is not supported by this OpenSSL build", 4 if disabled("ssl3"); - ok(run(test([@ssltest, "-ssl3", @extra])), - 'test sslv3'); - ok(run(test([@ssltest, "-ssl3", "-server_auth", @CA, @extra])), - 'test sslv3 with server authentication'); - ok(run(test([@ssltest, "-ssl3", "-client_auth", @CA, @extra])), - 'test sslv3 with client authentication'); - ok(run(test([@ssltest, "-ssl3", "-server_auth", "-client_auth", @CA, @extra])), - 'test sslv3 with both server and client authentication'); - } - - SKIP: { - skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 4 - if $no_anytls; - - ok(run(test([@ssltest, @extra])), - 'test sslv2/sslv3'); - ok(run(test([@ssltest, "-server_auth", @CA, @extra])), - 'test sslv2/sslv3 with server authentication'); - ok(run(test([@ssltest, "-client_auth", @CA, @extra])), - 'test sslv2/sslv3 with client authentication'); - ok(run(test([@ssltest, "-server_auth", "-client_auth", @CA, @extra])), - 'test sslv2/sslv3 with both server and client authentication'); - } - - SKIP: { - skip "SSLv3 is not supported by this OpenSSL build", 4 - if disabled("ssl3"); - - ok(run(test([@ssltest, "-bio_pair", "-ssl3", @extra])), + ok(run(test([@ssltest, "-bio_pair", "-ssl3"])), 'test sslv3 via BIO pair'); - ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA, @extra])), + ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA])), 'test sslv3 with server authentication via BIO pair'); - ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA, @extra])), + ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA])), 'test sslv3 with client authentication via BIO pair'); - ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA, @extra])), + ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA])), 'test sslv3 with both server and client authentication via BIO pair'); } @@ -382,7 +351,7 @@ sub testssl { skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 1 if $no_anytls; - ok(run(test([@ssltest, "-bio_pair", @extra])), + ok(run(test([@ssltest, "-bio_pair"])), 'test sslv2/sslv3 via BIO pair'); } @@ -390,13 +359,13 @@ sub testssl { skip "DTLSv1 is not supported by this OpenSSL build", 4 if disabled("dtls1"); - ok(run(test([@ssltest, "-dtls1", @extra])), + ok(run(test([@ssltest, "-dtls1"])), 'test dtlsv1'); - ok(run(test([@ssltest, "-dtls1", "-server_auth", @CA, @extra])), + ok(run(test([@ssltest, "-dtls1", "-server_auth", @CA])), 'test dtlsv1 with server authentication'); - ok(run(test([@ssltest, "-dtls1", "-client_auth", @CA, @extra])), + ok(run(test([@ssltest, "-dtls1", "-client_auth", @CA])), 'test dtlsv1 with client authentication'); - ok(run(test([@ssltest, "-dtls1", "-server_auth", "-client_auth", @CA, @extra])), + ok(run(test([@ssltest, "-dtls1", "-server_auth", "-client_auth", @CA])), 'test dtlsv1 with both server and client authentication'); } @@ -404,13 +373,13 @@ sub testssl { skip "DTLSv1.2 is not supported by this OpenSSL build", 4 if disabled("dtls1_2"); - ok(run(test([@ssltest, "-dtls12", @extra])), + ok(run(test([@ssltest, "-dtls12"])), 'test dtlsv1.2'); - ok(run(test([@ssltest, "-dtls12", "-server_auth", @CA, @extra])), + ok(run(test([@ssltest, "-dtls12", "-server_auth", @CA])), 'test dtlsv1.2 with server authentication'); - ok(run(test([@ssltest, "-dtls12", "-client_auth", @CA, @extra])), + ok(run(test([@ssltest, "-dtls12", "-client_auth", @CA])), 'test dtlsv1.2 with client authentication'); - ok(run(test([@ssltest, "-dtls12", "-server_auth", "-client_auth", @CA, @extra])), + ok(run(test([@ssltest, "-dtls12", "-server_auth", "-client_auth", @CA])), 'test dtlsv1.2 with both server and client authentication'); } @@ -421,32 +390,32 @@ sub testssl { SKIP: { skip "skipping test of sslv2/sslv3 w/o (EC)DHE test", 1 if $dsa_cert; - ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe", @extra])), + ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe"])), 'test sslv2/sslv3 w/o (EC)DHE via BIO pair'); } - ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v", @extra])), + ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])), 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); - ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA, @extra])), + ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])), 'test sslv2/sslv3 with server authentication'); - ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA, @extra])), + ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])), 'test sslv2/sslv3 with client authentication via BIO pair'); - ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA, @extra])), + ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA])), 'test sslv2/sslv3 with both client and server authentication via BIO pair'); - ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA, @extra])), + ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])), 'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify'); SKIP: { skip "No IPv4 available on this machine", 1 unless !disabled("sock") && have_IPv4(); - ok(run(test([@ssltest, "-ipv4", @extra])), + ok(run(test([@ssltest, "-ipv4"])), 'test TLS via IPv4'); } SKIP: { skip "No IPv6 available on this machine", 1 unless !disabled("sock") && have_IPv6(); - ok(run(test([@ssltest, "-ipv6", @extra])), + ok(run(test([@ssltest, "-ipv6"])), 'test TLS via IPv6'); } } @@ -525,7 +494,7 @@ sub testssl { skip "skipping anonymous DH tests", 1 if ($no_dh); - ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])), + ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time"])), 'test tlsv1 with 1024bit anonymous DH, multiple handshakes'); } @@ -533,13 +502,13 @@ sub testssl { skip "skipping RSA tests", 2 if $no_rsa; - ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time", @extra])), + ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time"])), 'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes'); skip "skipping RSA+DHE tests", 1 if $no_dh; - ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])), + ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time"])), 'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes'); } @@ -547,10 +516,10 @@ sub testssl { skip "skipping PSK tests", 2 if ($no_psk); - ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])), + ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123"])), 'test tls1 with PSK'); - ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])), + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])), 'test tls1 with PSK via BIO pair'); } } @@ -702,7 +671,7 @@ sub testssl { if $no_anytls; skip "skipping multi-buffer tests", 2 - if @extra || (POSIX::uname())[4] ne "x86_64"; + if (POSIX::uname())[4] ne "x86_64"; ok(run(test([@ssltest, "-cipher", "AES128-SHA", "-bytes", "8m"]))); diff --git a/test/ssl-tests/04-client_auth.conf b/test/ssl-tests/04-client_auth.conf new file mode 100644 index 0000000000..191d666307 --- /dev/null +++ b/test/ssl-tests/04-client_auth.conf @@ -0,0 +1,602 @@ +# Generated with generate_ssl_tests.pl + +num_tests = 20 + +test-0 = 0-server-auth-flex +test-1 = 1-client-auth-flex-request +test-2 = 2-client-auth-flex-require-fail +test-3 = 3-client-auth-flex-require +test-4 = 4-client-auth-flex-noroot +test-5 = 5-server-auth-TLSv1 +test-6 = 6-client-auth-TLSv1-request +test-7 = 7-client-auth-TLSv1-require-fail +test-8 = 8-client-auth-TLSv1-require +test-9 = 9-client-auth-TLSv1-noroot +test-10 = 10-server-auth-TLSv1.1 +test-11 = 11-client-auth-TLSv1.1-request +test-12 = 12-client-auth-TLSv1.1-require-fail +test-13 = 13-client-auth-TLSv1.1-require +test-14 = 14-client-auth-TLSv1.1-noroot +test-15 = 15-server-auth-TLSv1.2 +test-16 = 16-client-auth-TLSv1.2-request +test-17 = 17-client-auth-TLSv1.2-require-fail +test-18 = 18-client-auth-TLSv1.2-require +test-19 = 19-client-auth-TLSv1.2-noroot +# =========================================================== + +[0-server-auth-flex] +ssl_conf = 0-server-auth-flex-ssl + +[0-server-auth-flex-ssl] +server = 0-server-auth-flex-server +client = 0-server-auth-flex-client + +[0-server-auth-flex-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[0-server-auth-flex-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-0] +ExpectedResult = Success + + +# =========================================================== + +[1-client-auth-flex-request] +ssl_conf = 1-client-auth-flex-request-ssl + +[1-client-auth-flex-request-ssl] +server = 1-client-auth-flex-request-server +client = 1-client-auth-flex-request-client + +[1-client-auth-flex-request-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyMode = Request + + +[1-client-auth-flex-request-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-1] +ExpectedResult = Success + + +# =========================================================== + +[2-client-auth-flex-require-fail] +ssl_conf = 2-client-auth-flex-require-fail-ssl + +[2-client-auth-flex-require-fail-ssl] +server = 2-client-auth-flex-require-fail-server +client = 2-client-auth-flex-require-fail-client + +[2-client-auth-flex-require-fail-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Require + + +[2-client-auth-flex-require-fail-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-2] +ExpectedResult = ServerFail +ServerAlert = HandshakeFailure + + +# =========================================================== + +[3-client-auth-flex-require] +ssl_conf = 3-client-auth-flex-require-ssl + +[3-client-auth-flex-require-ssl] +server = 3-client-auth-flex-require-server +client = 3-client-auth-flex-require-client + +[3-client-auth-flex-require-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Request + + +[3-client-auth-flex-require-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-3] +ExpectedResult = Success + + +# =========================================================== + +[4-client-auth-flex-noroot] +ssl_conf = 4-client-auth-flex-noroot-ssl + +[4-client-auth-flex-noroot-ssl] +server = 4-client-auth-flex-noroot-server +client = 4-client-auth-flex-noroot-client + +[4-client-auth-flex-noroot-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyMode = Require + + +[4-client-auth-flex-noroot-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-4] +ExpectedResult = ServerFail +ServerAlert = UnknownCA + + +# =========================================================== + +[5-server-auth-TLSv1] +ssl_conf = 5-server-auth-TLSv1-ssl + +[5-server-auth-TLSv1-ssl] +server = 5-server-auth-TLSv1-server +client = 5-server-auth-TLSv1-client + +[5-server-auth-TLSv1-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +Protocol = TLSv1 + + +[5-server-auth-TLSv1-client] +CipherString = DEFAULT +Protocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-5] +ExpectedResult = Success + + +# =========================================================== + +[6-client-auth-TLSv1-request] +ssl_conf = 6-client-auth-TLSv1-request-ssl + +[6-client-auth-TLSv1-request-ssl] +server = 6-client-auth-TLSv1-request-server +client = 6-client-auth-TLSv1-request-client + +[6-client-auth-TLSv1-request-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +Protocol = TLSv1 +VerifyMode = Request + + +[6-client-auth-TLSv1-request-client] +CipherString = DEFAULT +Protocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-6] +ExpectedResult = Success + + +# =========================================================== + +[7-client-auth-TLSv1-require-fail] +ssl_conf = 7-client-auth-TLSv1-require-fail-ssl + +[7-client-auth-TLSv1-require-fail-ssl] +server = 7-client-auth-TLSv1-require-fail-server +client = 7-client-auth-TLSv1-require-fail-client + +[7-client-auth-TLSv1-require-fail-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +Protocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Require + + +[7-client-auth-TLSv1-require-fail-client] +CipherString = DEFAULT +Protocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-7] +ExpectedResult = ServerFail +ServerAlert = HandshakeFailure + + +# =========================================================== + +[8-client-auth-TLSv1-require] +ssl_conf = 8-client-auth-TLSv1-require-ssl + +[8-client-auth-TLSv1-require-ssl] +server = 8-client-auth-TLSv1-require-server +client = 8-client-auth-TLSv1-require-client + +[8-client-auth-TLSv1-require-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +Protocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Request + + +[8-client-auth-TLSv1-require-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +Protocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-8] +ExpectedResult = Success + + +# =========================================================== + +[9-client-auth-TLSv1-noroot] +ssl_conf = 9-client-auth-TLSv1-noroot-ssl + +[9-client-auth-TLSv1-noroot-ssl] +server = 9-client-auth-TLSv1-noroot-server +client = 9-client-auth-TLSv1-noroot-client + +[9-client-auth-TLSv1-noroot-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +Protocol = TLSv1 +VerifyMode = Require + + +[9-client-auth-TLSv1-noroot-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +Protocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-9] +ExpectedResult = ServerFail +ServerAlert = UnknownCA + + +# =========================================================== + +[10-server-auth-TLSv1.1] +ssl_conf = 10-server-auth-TLSv1.1-ssl + +[10-server-auth-TLSv1.1-ssl] +server = 10-server-auth-TLSv1.1-server +client = 10-server-auth-TLSv1.1-client + +[10-server-auth-TLSv1.1-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +Protocol = TLSv1.1 + + +[10-server-auth-TLSv1.1-client] +CipherString = DEFAULT +Protocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-10] +ExpectedResult = Success + + +# =========================================================== + +[11-client-auth-TLSv1.1-request] +ssl_conf = 11-client-auth-TLSv1.1-request-ssl + +[11-client-auth-TLSv1.1-request-ssl] +server = 11-client-auth-TLSv1.1-request-server +client = 11-client-auth-TLSv1.1-request-client + +[11-client-auth-TLSv1.1-request-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +Protocol = TLSv1.1 +VerifyMode = Request + + +[11-client-auth-TLSv1.1-request-client] +CipherString = DEFAULT +Protocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-11] +ExpectedResult = Success + + +# =========================================================== + +[12-client-auth-TLSv1.1-require-fail] +ssl_conf = 12-client-auth-TLSv1.1-require-fail-ssl + +[12-client-auth-TLSv1.1-require-fail-ssl] +server = 12-client-auth-TLSv1.1-require-fail-server +client = 12-client-auth-TLSv1.1-require-fail-client + +[12-client-auth-TLSv1.1-require-fail-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +Protocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Require + + +[12-client-auth-TLSv1.1-require-fail-client] +CipherString = DEFAULT +Protocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-12] +ExpectedResult = ServerFail +ServerAlert = HandshakeFailure + + +# =========================================================== + +[13-client-auth-TLSv1.1-require] +ssl_conf = 13-client-auth-TLSv1.1-require-ssl + +[13-client-auth-TLSv1.1-require-ssl] +server = 13-client-auth-TLSv1.1-require-server +client = 13-client-auth-TLSv1.1-require-client + +[13-client-auth-TLSv1.1-require-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +Protocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Request + + +[13-client-auth-TLSv1.1-require-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +Protocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-13] +ExpectedResult = Success + + +# =========================================================== + +[14-client-auth-TLSv1.1-noroot] +ssl_conf = 14-client-auth-TLSv1.1-noroot-ssl + +[14-client-auth-TLSv1.1-noroot-ssl] +server = 14-client-auth-TLSv1.1-noroot-server +client = 14-client-auth-TLSv1.1-noroot-client + +[14-client-auth-TLSv1.1-noroot-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +Protocol = TLSv1.1 +VerifyMode = Require + + +[14-client-auth-TLSv1.1-noroot-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +Protocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-14] +ExpectedResult = ServerFail +ServerAlert = UnknownCA + + +# =========================================================== + +[15-server-auth-TLSv1.2] +ssl_conf = 15-server-auth-TLSv1.2-ssl + +[15-server-auth-TLSv1.2-ssl] +server = 15-server-auth-TLSv1.2-server +client = 15-server-auth-TLSv1.2-client + +[15-server-auth-TLSv1.2-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +Protocol = TLSv1.2 + + +[15-server-auth-TLSv1.2-client] +CipherString = DEFAULT +Protocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-15] +ExpectedResult = Success + + +# =========================================================== + +[16-client-auth-TLSv1.2-request] +ssl_conf = 16-client-auth-TLSv1.2-request-ssl + +[16-client-auth-TLSv1.2-request-ssl] +server = 16-client-auth-TLSv1.2-request-server +client = 16-client-auth-TLSv1.2-request-client + +[16-client-auth-TLSv1.2-request-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +Protocol = TLSv1.2 +VerifyMode = Request + + +[16-client-auth-TLSv1.2-request-client] +CipherString = DEFAULT +Protocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-16] +ExpectedResult = Success + + +# =========================================================== + +[17-client-auth-TLSv1.2-require-fail] +ssl_conf = 17-client-auth-TLSv1.2-require-fail-ssl + +[17-client-auth-TLSv1.2-require-fail-ssl] +server = 17-client-auth-TLSv1.2-require-fail-server +client = 17-client-auth-TLSv1.2-require-fail-client + +[17-client-auth-TLSv1.2-require-fail-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +Protocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Require + + +[17-client-auth-TLSv1.2-require-fail-client] +CipherString = DEFAULT +Protocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-17] +ExpectedResult = ServerFail +ServerAlert = HandshakeFailure + + +# =========================================================== + +[18-client-auth-TLSv1.2-require] +ssl_conf = 18-client-auth-TLSv1.2-require-ssl + +[18-client-auth-TLSv1.2-require-ssl] +server = 18-client-auth-TLSv1.2-require-server +client = 18-client-auth-TLSv1.2-require-client + +[18-client-auth-TLSv1.2-require-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +Protocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Request + + +[18-client-auth-TLSv1.2-require-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +Protocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-18] +ExpectedResult = Success + + +# =========================================================== + +[19-client-auth-TLSv1.2-noroot] +ssl_conf = 19-client-auth-TLSv1.2-noroot-ssl + +[19-client-auth-TLSv1.2-noroot-ssl] +server = 19-client-auth-TLSv1.2-noroot-server +client = 19-client-auth-TLSv1.2-noroot-client + +[19-client-auth-TLSv1.2-noroot-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +Protocol = TLSv1.2 +VerifyMode = Require + + +[19-client-auth-TLSv1.2-noroot-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +Protocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-19] +ExpectedResult = ServerFail +ServerAlert = UnknownCA + + diff --git a/test/ssl-tests/04-client_auth.conf.in b/test/ssl-tests/04-client_auth.conf.in new file mode 100644 index 0000000000..36d13df04d --- /dev/null +++ b/test/ssl-tests/04-client_auth.conf.in @@ -0,0 +1,109 @@ +# -*- mode: perl; -*- + +## SSL test configurations + +package ssltests; + +use strict; +use warnings; + +use OpenSSL::Test; +use OpenSSL::Test::Utils qw(anydisabled); +setup("no_test_here"); + +# We test version-flexible negotiation (undef) and each protocol version. +my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"); + +my @is_disabled = (0); +push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2"); + +our @tests = (); + +my $dir_sep = $^O ne "VMS" ? "/" : ""; + +sub generate_tests() { + + foreach (0..$#protocols) { + my $protocol = $protocols[$_]; + my $protocol_name = $protocol || "flex"; + if (!$is_disabled[$_]) { + # Sanity-check simple handshake. + push @tests, { + name => "server-auth-${protocol_name}", + server => { + "Protocol" => $protocol + }, + client => { + "Protocol" => $protocol + }, + test => { "ExpectedResult" => "Success" }, + }; + + # Handshake with client cert requested but not required or received. + push @tests, { + name => "client-auth-${protocol_name}-request", + server => { + "Protocol" => $protocol, + "VerifyMode" => "Request", + }, + client => { + "Protocol" => $protocol + }, + test => { "ExpectedResult" => "Success" }, + }; + + # Handshake with client cert required but not present. + push @tests, { + name => "client-auth-${protocol_name}-require-fail", + server => { + "Protocol" => $protocol, + "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem", + "VerifyMode" => "Require", + }, + client => { + "Protocol" => $protocol, + }, + test => { + "ExpectedResult" => "ServerFail", + "ServerAlert" => "HandshakeFailure", + }, + }; + + # Successful handshake with client authentication. + push @tests, { + name => "client-auth-${protocol_name}-require", + server => { + "Protocol" => $protocol, + "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem", + "VerifyMode" => "Request", + }, + client => { + "Protocol" => $protocol, + "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem", + "PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem", + }, + test => { "ExpectedResult" => "Success" }, + }; + + # Handshake with client authentication but without the root certificate. + push @tests, { + name => "client-auth-${protocol_name}-noroot", + server => { + "Protocol" => $protocol, + "VerifyMode" => "Require", + }, + client => { + "Protocol" => $protocol, + "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem", + "PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem", + }, + test => { + "ExpectedResult" => "ServerFail", + "ServerAlert" => "UnknownCA", + }, + }; + } + } +} + +generate_tests();