Add TLS 1.3 certificate selection tests. (53f08737) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

test/recipes/80-test_ssl_new.t

+1 −0

Original line number	Diff line number	Diff line
		@@ -58,6 +58,7 @@ my %conf_dependent_tests = (
		"10-resumption.conf" => !$is_default_tls,
		"11-dtls_resumption.conf" => !$is_default_dtls,
		"19-mac-then-encrypt.conf" => !$is_default_tls,
		"20-cert-select.conf" => !$is_default_tls,
		);

		# Add your test here if it should be skipped for some compile-time

test/ssl-tests/20-cert-select.conf

+59 −28

Original line number	Diff line number	Diff line
		# Generated with generate_ssl_tests.pl

		num_tests = 7
		num_tests = 8

		test-0 = 0-ECDSA CipherString Selection
		test-1 = 1-RSA CipherString Selection
		test-2 = 2-ECDSA CipherString Selection, no ECDSA certificate
		test-3 = 3-ECDSA Signature Algorithm Selection
		test-4 = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate
		test-5 = 5-RSA Signature Algorithm Selection
		test-6 = 6-RSA-PSS Signature Algorithm Selection
		test-4 = 4-ECDSA Signature Algorithm Selection SHA384
		test-5 = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate
		test-6 = 6-RSA Signature Algorithm Selection
		test-7 = 7-RSA-PSS Signature Algorithm Selection
		# ===========================================================

		[0-ECDSA CipherString Selection]
		@@ -120,38 +121,68 @@ ExpectedServerSignType = EC

		# ===========================================================

		[4-ECDSA Signature Algorithm Selection, no ECDSA certificate]
		ssl_conf = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl
		[4-ECDSA Signature Algorithm Selection SHA384]
		ssl_conf = 4-ECDSA Signature Algorithm Selection SHA384-ssl

		[4-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl]
		server = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate-server
		client = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate-client
		[4-ECDSA Signature Algorithm Selection SHA384-ssl]
		server = 4-ECDSA Signature Algorithm Selection SHA384-server
		client = 4-ECDSA Signature Algorithm Selection SHA384-client

		[4-ECDSA Signature Algorithm Selection, no ECDSA certificate-server]
		[4-ECDSA Signature Algorithm Selection SHA384-server]
		Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
		CipherString = DEFAULT
		ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
		ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
		MaxProtocol = TLSv1.2
		PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

		[4-ECDSA Signature Algorithm Selection, no ECDSA certificate-client]
		[4-ECDSA Signature Algorithm Selection SHA384-client]
		CipherString = DEFAULT
		SignatureAlgorithms = ECDSA+SHA256
		SignatureAlgorithms = ECDSA+SHA384
		VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
		VerifyMode = Peer

		[test-4]
		ExpectedResult = Success
		ExpectedServerCertType = P-256
		ExpectedServerSignHash = SHA384
		ExpectedServerSignType = EC


		# ===========================================================

		[5-ECDSA Signature Algorithm Selection, no ECDSA certificate]
		ssl_conf = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl

		[5-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl]
		server = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate-server
		client = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate-client

		[5-ECDSA Signature Algorithm Selection, no ECDSA certificate-server]
		Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
		CipherString = DEFAULT
		PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

		[5-ECDSA Signature Algorithm Selection, no ECDSA certificate-client]
		CipherString = DEFAULT
		SignatureAlgorithms = ECDSA+SHA256
		VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
		VerifyMode = Peer

		[test-5]
		ExpectedResult = ServerFail


		# ===========================================================

		[5-RSA Signature Algorithm Selection]
		ssl_conf = 5-RSA Signature Algorithm Selection-ssl
		[6-RSA Signature Algorithm Selection]
		ssl_conf = 6-RSA Signature Algorithm Selection-ssl

		[5-RSA Signature Algorithm Selection-ssl]
		server = 5-RSA Signature Algorithm Selection-server
		client = 5-RSA Signature Algorithm Selection-client
		[6-RSA Signature Algorithm Selection-ssl]
		server = 6-RSA Signature Algorithm Selection-server
		client = 6-RSA Signature Algorithm Selection-client

		[5-RSA Signature Algorithm Selection-server]
		[6-RSA Signature Algorithm Selection-server]
		Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
		CipherString = DEFAULT
		ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
		@@ -159,13 +190,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
		MaxProtocol = TLSv1.2
		PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

		[5-RSA Signature Algorithm Selection-client]
		[6-RSA Signature Algorithm Selection-client]
		CipherString = DEFAULT
		SignatureAlgorithms = RSA+SHA256
		VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
		VerifyMode = Peer

		[test-5]
		[test-6]
		ExpectedResult = Success
		ExpectedServerCertType = RSA
		ExpectedServerSignHash = SHA256
		@@ -174,14 +205,14 @@ ExpectedServerSignType = RSA

		# ===========================================================

		[6-RSA-PSS Signature Algorithm Selection]
		ssl_conf = 6-RSA-PSS Signature Algorithm Selection-ssl
		[7-RSA-PSS Signature Algorithm Selection]
		ssl_conf = 7-RSA-PSS Signature Algorithm Selection-ssl

		[6-RSA-PSS Signature Algorithm Selection-ssl]
		server = 6-RSA-PSS Signature Algorithm Selection-server
		client = 6-RSA-PSS Signature Algorithm Selection-client
		[7-RSA-PSS Signature Algorithm Selection-ssl]
		server = 7-RSA-PSS Signature Algorithm Selection-server
		client = 7-RSA-PSS Signature Algorithm Selection-client

		[6-RSA-PSS Signature Algorithm Selection-server]
		[7-RSA-PSS Signature Algorithm Selection-server]
		Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
		CipherString = DEFAULT
		ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
		@@ -189,13 +220,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
		MaxProtocol = TLSv1.2
		PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

		[6-RSA-PSS Signature Algorithm Selection-client]
		[7-RSA-PSS Signature Algorithm Selection-client]
		CipherString = DEFAULT
		SignatureAlgorithms = RSA-PSS+SHA256
		VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
		VerifyMode = Peer

		[test-6]
		[test-7]
		ExpectedResult = Success
		ExpectedServerCertType = RSA
		ExpectedServerSignHash = SHA256

test/ssl-tests/20-cert-select.conf.in

+100 −4

Original line number	Diff line number	Diff line
		@@ -2,20 +2,18 @@

		## SSL test configurations

		package ssltests;

		use strict;
		use warnings;

		use OpenSSL::Test;
		use OpenSSL::Test::Utils qw(anydisabled);
		package ssltests;
		use OpenSSL::Test::Utils;

		my $dir_sep = $^O ne "VMS" ? "/" : "";

		my $server = {
		"ECDSA.Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}server-ecdsa-cert.pem",
		"ECDSA.PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}server-ecdsa-key.pem",
		# TODO(TLS1.3): add test cases for TLSv1.3
		"MaxProtocol" => "TLSv1.2"
		};

		@@ -67,6 +65,19 @@ our @tests = (
		"ExpectedResult" => "Success"
		},
		},
		{
		name => "ECDSA Signature Algorithm Selection SHA384",
		server => $server,
		client => {
		"SignatureAlgorithms" => "ECDSA+SHA384",
		},
		test => {
		"ExpectedServerCertType" => "P-256",
		"ExpectedServerSignHash" => "SHA384",
		"ExpectedServerSignType" => "EC",
		"ExpectedResult" => "Success"
		},
		},
		{
		name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
		server => { },
		@@ -104,3 +115,88 @@ our @tests = (
		},
		}
		);


		my $server_tls_1_3 = {
		"ECDSA.Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}server-ecdsa-cert.pem",
		"ECDSA.PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}server-ecdsa-key.pem",
		"MinProtocol" => "TLSv1.3",
		"MaxProtocol" => "TLSv1.3"
		};

		my @tests_tls_1_3 = (
		{
		name => "TLS 1.3 ECDSA Signature Algorithm Selection",
		server => $server_tls_1_3,
		client => {
		"SignatureAlgorithms" => "ECDSA+SHA256",
		},
		test => {
		"ExpectedServerCertType" => "P-256",
		"ExpectedServerSignHash" => "SHA256",
		"ExpectedServerSignType" => "EC",
		"ExpectedResult" => "Success"
		},
		},
		{
		name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
		server => $server_tls_1_3,
		client => {
		"SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
		},
		test => {
		"ExpectedServerCertType" => "P-256",
		"ExpectedServerSignHash" => "SHA256",
		"ExpectedServerSignType" => "EC",
		"ExpectedResult" => "Success"
		},
		},
		{
		name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
		server => $server_tls_1_3,
		client => {
		"SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
		},
		test => {
		"ExpectedServerCertType" => "RSA",
		"ExpectedServerSignHash" => "SHA384",
		"ExpectedServerSignType" => "RSA-PSS",
		"ExpectedResult" => "Success"
		},
		},
		{
		name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
		server => { },
		client => {
		"SignatureAlgorithms" => "ECDSA+SHA256",
		},
		test => {
		"ExpectedResult" => "ServerFail"
		},
		},
		{
		name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
		server => $server_tls_1_3,
		client => {
		"SignatureAlgorithms" => "RSA+SHA256",
		},
		test => {
		"ExpectedResult" => "ServerFail"
		},
		},
		{
		name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
		server => $server_tls_1_3,
		client => {
		"SignatureAlgorithms" => "RSA-PSS+SHA256",
		},
		test => {
		"ExpectedServerCertType" => "RSA",
		"ExpectedServerSignHash" => "SHA256",
		"ExpectedServerSignType" => "RSA-PSS",
		"ExpectedResult" => "Success"
		},
		}
		);

		push @tests, @tests_tls_1_3 unless disabled("tls1_3");