diff --git a/test/ssl-tests/20-cert-select.conf b/test/ssl-tests/20-cert-select.conf index 290bb878f1..e787efc5f0 100644 --- a/test/ssl-tests/20-cert-select.conf +++ b/test/ssl-tests/20-cert-select.conf @@ -1,18 +1,20 @@ # Generated with generate_ssl_tests.pl -num_tests = 11 +num_tests = 13 test-0 = 0-ECDSA CipherString Selection test-1 = 1-RSA CipherString Selection test-2 = 2-ECDSA CipherString Selection, no ECDSA certificate test-3 = 3-ECDSA Signature Algorithm Selection test-4 = 4-ECDSA Signature Algorithm Selection SHA384 -test-5 = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate -test-6 = 6-RSA Signature Algorithm Selection -test-7 = 7-RSA-PSS Signature Algorithm Selection -test-8 = 8-Suite B P-256 Hash Algorithm Selection -test-9 = 9-Suite B P-384 Hash Algorithm Selection -test-10 = 10-TLS 1.2 DSA Certificate Test +test-5 = 5-ECDSA Signature Algorithm Selection SHA1 +test-6 = 6-ECDSA Signature Algorithm Selection compressed point +test-7 = 7-ECDSA Signature Algorithm Selection, no ECDSA certificate +test-8 = 8-RSA Signature Algorithm Selection +test-9 = 9-RSA-PSS Signature Algorithm Selection +test-10 = 10-Suite B P-256 Hash Algorithm Selection +test-11 = 11-Suite B P-384 Hash Algorithm Selection +test-12 = 12-TLS 1.2 DSA Certificate Test # =========================================================== [0-ECDSA CipherString Selection] 
@@ -155,114 +157,59 @@ ExpectedServerSignType = EC # =========================================================== -[5-ECDSA Signature Algorithm Selection, no ECDSA certificate] -ssl_conf = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl +[5-ECDSA Signature Algorithm Selection SHA1] +ssl_conf = 5-ECDSA Signature Algorithm Selection SHA1-ssl -[5-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] -server = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate-server -client = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate-client +[5-ECDSA Signature Algorithm Selection SHA1-ssl] +server = 5-ECDSA Signature Algorithm Selection SHA1-server +client = 5-ECDSA Signature Algorithm Selection SHA1-client -[5-ECDSA Signature Algorithm Selection, no ECDSA certificate-server] +[5-ECDSA Signature Algorithm Selection SHA1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[5-ECDSA Signature Algorithm Selection, no ECDSA certificate-client] +[5-ECDSA Signature Algorithm Selection SHA1-client] +CipherString = DEFAULT +SignatureAlgorithms = ECDSA+SHA1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-5] +ExpectedResult = Success +ExpectedServerCertType = P-256 +ExpectedServerSignHash = SHA1 +ExpectedServerSignType = EC + + +# =========================================================== + +[6-ECDSA Signature Algorithm Selection compressed point] +ssl_conf = 6-ECDSA Signature Algorithm Selection compressed point-ssl + +[6-ECDSA Signature Algorithm Selection compressed point-ssl] +server = 6-ECDSA Signature Algorithm Selection compressed point-server +client = 6-ECDSA Signature Algorithm Selection compressed point-client + +[6-ECDSA Signature Algorithm Selection compressed 
point-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-cecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-cecdsa-key.pem +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[6-ECDSA Signature Algorithm Selection compressed point-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-5] -ExpectedResult = ServerFail - - -# =========================================================== - -[6-RSA Signature Algorithm Selection] -ssl_conf = 6-RSA Signature Algorithm Selection-ssl - -[6-RSA Signature Algorithm Selection-ssl] -server = 6-RSA Signature Algorithm Selection-server -client = 6-RSA Signature Algorithm Selection-client - -[6-RSA Signature Algorithm Selection-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -MaxProtocol = TLSv1.2 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[6-RSA Signature Algorithm Selection-client] -CipherString = DEFAULT -SignatureAlgorithms = RSA+SHA256 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - [test-6] ExpectedResult = Success -ExpectedServerCertType = RSA -ExpectedServerSignHash = SHA256 -ExpectedServerSignType = RSA - - -# =========================================================== - -[7-RSA-PSS Signature Algorithm Selection] -ssl_conf = 7-RSA-PSS Signature Algorithm Selection-ssl - -[7-RSA-PSS Signature Algorithm Selection-ssl] -server = 7-RSA-PSS Signature Algorithm Selection-server -client = 7-RSA-PSS Signature Algorithm Selection-client - -[7-RSA-PSS Signature Algorithm Selection-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -ECDSA.Certificate = 
${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -MaxProtocol = TLSv1.2 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[7-RSA-PSS Signature Algorithm Selection-client] -CipherString = DEFAULT -SignatureAlgorithms = RSA-PSS+SHA256 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-7] -ExpectedResult = Success -ExpectedServerCertType = RSA -ExpectedServerSignHash = SHA256 -ExpectedServerSignType = RSA-PSS - - -# =========================================================== - -[8-Suite B P-256 Hash Algorithm Selection] -ssl_conf = 8-Suite B P-256 Hash Algorithm Selection-ssl - -[8-Suite B P-256 Hash Algorithm Selection-ssl] -server = 8-Suite B P-256 Hash Algorithm Selection-server -client = 8-Suite B P-256 Hash Algorithm Selection-client - -[8-Suite B P-256 Hash Algorithm Selection-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = SUITEB128 -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p256-server-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p256-server-key.pem -MaxProtocol = TLSv1.2 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[8-Suite B P-256 Hash Algorithm Selection-client] -CipherString = DEFAULT -SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem -VerifyMode = Peer - -[test-8] -ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA256 ExpectedServerSignType = EC 
@@ -270,14 +217,129 @@ ExpectedServerSignType = EC # =========================================================== -[9-Suite B P-384 Hash Algorithm Selection] -ssl_conf = 9-Suite B P-384 Hash Algorithm Selection-ssl +[7-ECDSA Signature Algorithm Selection, no ECDSA certificate] +ssl_conf = 7-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl -[9-Suite B P-384 Hash Algorithm Selection-ssl] -server = 9-Suite B P-384 Hash Algorithm Selection-server -client = 9-Suite B P-384 Hash Algorithm Selection-client +[7-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] +server = 7-ECDSA Signature Algorithm Selection, no ECDSA certificate-server +client = 7-ECDSA Signature Algorithm Selection, no ECDSA certificate-client -[9-Suite B P-384 Hash Algorithm Selection-server] +[7-ECDSA Signature Algorithm Selection, no ECDSA certificate-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[7-ECDSA Signature Algorithm Selection, no ECDSA certificate-client] +CipherString = DEFAULT +SignatureAlgorithms = ECDSA+SHA256 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-7] +ExpectedResult = ServerFail + + +# =========================================================== + +[8-RSA Signature Algorithm Selection] +ssl_conf = 8-RSA Signature Algorithm Selection-ssl + +[8-RSA Signature Algorithm Selection-ssl] +server = 8-RSA Signature Algorithm Selection-server +client = 8-RSA Signature Algorithm Selection-client + +[8-RSA Signature Algorithm Selection-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[8-RSA Signature Algorithm Selection-client] +CipherString = DEFAULT +SignatureAlgorithms = RSA+SHA256 
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-8] +ExpectedResult = Success +ExpectedServerCertType = RSA +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = RSA + + +# =========================================================== + +[9-RSA-PSS Signature Algorithm Selection] +ssl_conf = 9-RSA-PSS Signature Algorithm Selection-ssl + +[9-RSA-PSS Signature Algorithm Selection-ssl] +server = 9-RSA-PSS Signature Algorithm Selection-server +client = 9-RSA-PSS Signature Algorithm Selection-client + +[9-RSA-PSS Signature Algorithm Selection-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[9-RSA-PSS Signature Algorithm Selection-client] +CipherString = DEFAULT +SignatureAlgorithms = RSA-PSS+SHA256 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-9] +ExpectedResult = Success +ExpectedServerCertType = RSA +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = RSA-PSS + + +# =========================================================== + +[10-Suite B P-256 Hash Algorithm Selection] +ssl_conf = 10-Suite B P-256 Hash Algorithm Selection-ssl + +[10-Suite B P-256 Hash Algorithm Selection-ssl] +server = 10-Suite B P-256 Hash Algorithm Selection-server +client = 10-Suite B P-256 Hash Algorithm Selection-client + +[10-Suite B P-256 Hash Algorithm Selection-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = SUITEB128 +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p256-server-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p256-server-key.pem +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[10-Suite B P-256 Hash Algorithm Selection-client] +CipherString = DEFAULT +SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256 
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem +VerifyMode = Peer + +[test-10] +ExpectedResult = Success +ExpectedServerCertType = P-256 +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = EC + + +# =========================================================== + +[11-Suite B P-384 Hash Algorithm Selection] +ssl_conf = 11-Suite B P-384 Hash Algorithm Selection-ssl + +[11-Suite B P-384 Hash Algorithm Selection-ssl] +server = 11-Suite B P-384 Hash Algorithm Selection-server +client = 11-Suite B P-384 Hash Algorithm Selection-client + +[11-Suite B P-384 Hash Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = SUITEB128 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem @@ -285,13 +347,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[9-Suite B P-384 Hash Algorithm Selection-client] +[11-Suite B P-384 Hash Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem VerifyMode = Peer -[test-9] +[test-11] ExpectedResult = Success ExpectedServerCertType = P-384 ExpectedServerSignHash = SHA384 
@@ -300,14 +362,14 @@ ExpectedServerSignType = EC # =========================================================== -[10-TLS 1.2 DSA Certificate Test] -ssl_conf = 10-TLS 1.2 DSA Certificate Test-ssl +[12-TLS 1.2 DSA Certificate Test] +ssl_conf = 12-TLS 1.2 DSA Certificate Test-ssl -[10-TLS 1.2 DSA Certificate Test-ssl] -server = 10-TLS 1.2 DSA Certificate Test-server -client = 10-TLS 1.2 DSA Certificate Test-client +[12-TLS 1.2 DSA Certificate Test-ssl] +server = 12-TLS 1.2 DSA Certificate Test-server +client = 12-TLS 1.2 DSA Certificate Test-client -[10-TLS 1.2 DSA Certificate Test-server] +[12-TLS 1.2 DSA Certificate Test-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = ALL DHParameters = ${ENV::TEST_CERTS_DIR}/dhp2048.pem @@ -317,13 +379,13 @@ MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[10-TLS 1.2 DSA Certificate Test-client] +[12-TLS 1.2 DSA Certificate Test-client] CipherString = ALL SignatureAlgorithms = DSA+SHA256:DSA+SHA1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-10] +[test-12] ExpectedResult = Success diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in index e33b3d60f7..1dd7860d88 100644 --- a/test/ssl-tests/20-cert-select.conf.in +++ b/test/ssl-tests/20-cert-select.conf.in 
@@ -78,6 +78,36 @@ our @tests = (
 "ExpectedResult" => "Success"
 },
 },
+ {
+ name => "ECDSA Signature Algorithm Selection SHA1",
+ server => $server,
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA1",
+ },
+ test => {
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA1",
+ "ExpectedServerSignType" => "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "ECDSA Signature Algorithm Selection compressed point",
+ server => {
+ "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
+ "MaxProtocol" => "TLSv1.2"
+ },
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256",
+ },
+ test => {
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
 {
 name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
 server => {
@@ -187,6 +217,31 @@ my @tests_tls_1_3 = (
 "ExpectedResult" => "Success"
 },
 },
+ {
+ name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point",
+ server => {
+ "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
+ "MinProtocol" => "TLSv1.3",
+ "MaxProtocol" => "TLSv1.3"
+ },
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+ {
+ name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1",
+ server => $server_tls_1_3,
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA1",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
 {
 name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
 server => $server_tls_1_3,
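Review bot: The new `ECDSA Signature Algorithm Selection SHA1` entry in @tests pins that a TLS 1.2 server answering a client that offers only `ECDSA+SHA1` signs with SHA-1 (`"ExpectedServerSignHash" => "SHA1"` together with `"ExpectedResult" => "Success"`), but nothing in the entry says this is deliberate legacy behaviour rather than an expectation someone forgot to tighten. That matters because the outcome presumably depends on the server-side defaults inherited through `$server` (defined outside the hunk; the generated conf shows `CipherString = DEFAULT`), so a later hardening change that drops SHA-1 from what the server will sign with would flip this test and could be misread as a regression. A one-line comment above the entry would make the intent explicit: `# TLS 1.2 legacy behaviour: a client offering only ECDSA+SHA1 is served a SHA1 signature rather than rejected.` The adjacent compressed-point entry would benefit from a matching line noting that TLS 1.2 still accepts a compressed-point EC certificate, since the TLS 1.3 list below expects the opposite.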
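Review bot: Both new entries in @tests_tls_1_3 assert only `"ExpectedResult" => "ServerFail"`, so they also pass when the server fails for an unrelated reason — a missing or unreadable `server-cecdsa-cert.pem` fixture, or a misconfigured `$server_tls_1_3` (defined outside the hunk) — rather than because the server correctly refuses a compressed-point certificate or a SHA-1 signature scheme under TLS 1.3. If the ssl_test harness in this tree can pin the alert the server sends, adding that expectation to each `test` block (for example `"ExpectedServerAlert" => "HandshakeFailure"`, with whatever alert the server actually emits) would turn these into checks of the refusal itself instead of any failure. Either way a short comment stating why each case must fail would help the next reader: `# RFC 8446: TLS 1.3 ECDSA schemes require uncompressed points, so a compressed-point cert must not be selected` and `# RFC 8446: SHA1-based signature schemes are not permitted for TLS 1.3 signatures`.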