Add certificate selection tests.

# We hard-code the number of tests to double-check that the globbing above

# finds all files as expected.

plan tests => 19;  # = scalar @conf_srcs

plan tests => 20;  # = scalar @conf_srcs

# Some test results depend on the configuration of enabled protocols. We only

# verify generated sources in the default configuration.

  "16-dtls-certstatus.conf" => $no_dtls || $no_ocsp,

  "18-dtls-renegotiate.conf" => $no_dtls,

  "19-mac-then-encrypt.conf" => $no_pre_tls1_3,

  "20-cert-select.conf" => $no_ec,

);

foreach my $conf (@conf_files) {

# Generated with generate_ssl_tests.pl

num_tests = 6

test-0 = 0-ECDSA CipherString Selection

test-1 = 1-RSA CipherString Selection

test-2 = 2-ECDSA CipherString Selection, no ECDSA certificate

test-3 = 3-ECDSA Signature Algorithm Selection

test-4 = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate

test-5 = 5-RSA Signature Algorithm Selection

# ===========================================================

[0-ECDSA CipherString Selection]

ssl_conf = 0-ECDSA CipherString Selection-ssl

[0-ECDSA CipherString Selection-ssl]

server = 0-ECDSA CipherString Selection-server

client = 0-ECDSA CipherString Selection-client

[0-ECDSA CipherString Selection-server]

Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem

CipherString = DEFAULT

ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem

ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem

MaxProtocol = TLSv1.2

PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

[0-ECDSA CipherString Selection-client]

CipherString = aECDSA

VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem

VerifyMode = Peer

[test-0]

ExpectedResult = Success

ExpectedServerCertType = P-256

# ===========================================================

[1-RSA CipherString Selection]

ssl_conf = 1-RSA CipherString Selection-ssl

[1-RSA CipherString Selection-ssl]

server = 1-RSA CipherString Selection-server

client = 1-RSA CipherString Selection-client

[1-RSA CipherString Selection-server]

Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem

CipherString = DEFAULT

ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem

ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem

MaxProtocol = TLSv1.2

PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

[1-RSA CipherString Selection-client]

CipherString = aRSA

VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem

VerifyMode = Peer

[test-1]

ExpectedResult = Success

ExpectedServerCertType = RSA

# ===========================================================

[2-ECDSA CipherString Selection, no ECDSA certificate]

ssl_conf = 2-ECDSA CipherString Selection, no ECDSA certificate-ssl

[2-ECDSA CipherString Selection, no ECDSA certificate-ssl]

server = 2-ECDSA CipherString Selection, no ECDSA certificate-server

client = 2-ECDSA CipherString Selection, no ECDSA certificate-client

[2-ECDSA CipherString Selection, no ECDSA certificate-server]

Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem

CipherString = DEFAULT

PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

[2-ECDSA CipherString Selection, no ECDSA certificate-client]

CipherString = aECDSA

VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem

VerifyMode = Peer

[test-2]

ExpectedResult = ServerFail

# ===========================================================

[3-ECDSA Signature Algorithm Selection]

ssl_conf = 3-ECDSA Signature Algorithm Selection-ssl

[3-ECDSA Signature Algorithm Selection-ssl]

server = 3-ECDSA Signature Algorithm Selection-server

client = 3-ECDSA Signature Algorithm Selection-client

[3-ECDSA Signature Algorithm Selection-server]

Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem

CipherString = DEFAULT

ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem

ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem

MaxProtocol = TLSv1.2

PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

[3-ECDSA Signature Algorithm Selection-client]

CipherString = DEFAULT

SignatureAlgorithms = ECDSA+SHA256

VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem

VerifyMode = Peer

[test-3]

ExpectedResult = Success

ExpectedServerCertType = P-256

# ===========================================================

[4-ECDSA Signature Algorithm Selection, no ECDSA certificate]

ssl_conf = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl

[4-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl]

server = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate-server

client = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate-client

[4-ECDSA Signature Algorithm Selection, no ECDSA certificate-server]

Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem

CipherString = DEFAULT

PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

[4-ECDSA Signature Algorithm Selection, no ECDSA certificate-client]

CipherString = DEFAULT

SignatureAlgorithms = ECDSA+SHA256

VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem

VerifyMode = Peer

[test-4]

ExpectedResult = ServerFail

# ===========================================================

[5-RSA Signature Algorithm Selection]

ssl_conf = 5-RSA Signature Algorithm Selection-ssl

[5-RSA Signature Algorithm Selection-ssl]

server = 5-RSA Signature Algorithm Selection-server

client = 5-RSA Signature Algorithm Selection-client

[5-RSA Signature Algorithm Selection-server]

Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem

CipherString = DEFAULT

ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem

ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem

MaxProtocol = TLSv1.2

PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

[5-RSA Signature Algorithm Selection-client]

CipherString = DEFAULT

SignatureAlgorithms = RSA+SHA256

VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem

VerifyMode = Peer

[test-5]

ExpectedResult = Success

ExpectedServerCertType = RSA

# -*- mode: perl; -*-

## SSL test configurations

package ssltests;

use strict;

use warnings;

use OpenSSL::Test;

use OpenSSL::Test::Utils qw(anydisabled);

my $dir_sep = $^O ne "VMS" ? "/" : "";

my $server = {

    "ECDSA.Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}server-ecdsa-cert.pem",

    "ECDSA.PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}server-ecdsa-key.pem",

    # TODO: add test cases for TLSv1.3

    "MaxProtocol" => "TLSv1.2"

};

our @tests = (

    {

        name => "ECDSA CipherString Selection",

        server => $server,

        client => {

            "CipherString" => "aECDSA",

        },

        test   => {

            "ExpectedServerCertType" =>, "P-256",

            "ExpectedResult" => "Success"

        },

    },

    {

        name => "RSA CipherString Selection",

        server => $server,

        client => {

            "CipherString" => "aRSA",

        },

        test   => {

            "ExpectedServerCertType" =>, "RSA",

            "ExpectedResult" => "Success"

        },

    },

    {

        name => "ECDSA CipherString Selection, no ECDSA certificate",

        server => { },

        client => {

            "CipherString" => "aECDSA"

        },

        test   => {

            "ExpectedResult" => "ServerFail"

        },

    },

    {

        name => "ECDSA Signature Algorithm Selection",

        server => $server,

        client => {

            "SignatureAlgorithms" => "ECDSA+SHA256",

        },

        test   => {

            "ExpectedServerCertType" =>, "P-256",

            "ExpectedResult" => "Success"

        },

    },

    {

        name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",

        server => { },

        client => {

            "SignatureAlgorithms" => "ECDSA+SHA256",

        },

        test   => {

            "ExpectedResult" => "ServerFail"

        },

    },

    {

        name => "RSA Signature Algorithm Selection",

        server => $server,

        client => {

            "SignatureAlgorithms" => "RSA+SHA256",

        },

        test   => {

            "ExpectedServerCertType" =>, "RSA",

            "ExpectedResult" => "Success"

        },

    }

);