From 53f0873714a2bfd4114f0d65f9dafe476f153f6b Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 1 Feb 2017 13:29:45 +0000 Subject: [PATCH] Add TLS 1.3 certificate selection tests. For TLS 1.3 we select certificates with signature algorithms extension only. For ECDSA+SHA384 there is the additional restriction that the curve must be P-384: since the test uses P-256 this should fail. Reviewed-by: Rich Salz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/2339) --- test/recipes/80-test_ssl_new.t | 1 + test/ssl-tests/20-cert-select.conf | 87 ++++++++++++++------- test/ssl-tests/20-cert-select.conf.in | 104 +++++++++++++++++++++++++- 3 files changed, 160 insertions(+), 32 deletions(-) diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t index ce1cc22dd9..5c512cf3f5 100644 --- a/test/recipes/80-test_ssl_new.t +++ b/test/recipes/80-test_ssl_new.t @@ -58,6 +58,7 @@ my %conf_dependent_tests = ( "10-resumption.conf" => !$is_default_tls, "11-dtls_resumption.conf" => !$is_default_dtls, "19-mac-then-encrypt.conf" => !$is_default_tls, + "20-cert-select.conf" => !$is_default_tls, ); # Add your test here if it should be skipped for some compile-time diff --git a/test/ssl-tests/20-cert-select.conf b/test/ssl-tests/20-cert-select.conf index 9f30abbbbb..01afac393f 100644 --- a/test/ssl-tests/20-cert-select.conf +++ b/test/ssl-tests/20-cert-select.conf 
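Review bot: The new `"20-cert-select.conf" => !$is_default_tls,` entry gives no reason why this file became configuration-dependent, and the reason sits in another file. `20-cert-select.conf.in` now appends the TLS 1.3 cases only when `disabled("tls1_3")` is false, so the generated output matches the checked-in .conf only on builds without TLS 1.3. A trailing comment such as `# TLS 1.3 cases are appended unless tls1_3 is disabled` would record that. The definition of `$is_default_tls` is outside this hunk; it presumably has to account for `tls1_3` for the skip to trigger on TLS 1.3 builds, which is worth confirming. The `%conf_dependent_tests` hash opens before the hunk.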
@@ -1,14 +1,15 @@ # Generated with generate_ssl_tests.pl -num_tests = 7 +num_tests = 8 test-0 = 0-ECDSA CipherString Selection test-1 = 1-RSA CipherString Selection test-2 = 2-ECDSA CipherString Selection, no ECDSA certificate test-3 = 3-ECDSA Signature Algorithm Selection -test-4 = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate -test-5 = 5-RSA Signature Algorithm Selection -test-6 = 6-RSA-PSS Signature Algorithm Selection +test-4 = 4-ECDSA Signature Algorithm Selection SHA384 +test-5 = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate +test-6 = 6-RSA Signature Algorithm Selection +test-7 = 7-RSA-PSS Signature Algorithm Selection # =========================================================== [0-ECDSA CipherString Selection] 
@@ -120,38 +121,68 @@ ExpectedServerSignType = EC # =========================================================== -[4-ECDSA Signature Algorithm Selection, no ECDSA certificate] -ssl_conf = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl +[4-ECDSA Signature Algorithm Selection SHA384] +ssl_conf = 4-ECDSA Signature Algorithm Selection SHA384-ssl -[4-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] -server = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate-server -client = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate-client +[4-ECDSA Signature Algorithm Selection SHA384-ssl] +server = 4-ECDSA Signature Algorithm Selection SHA384-server +client = 4-ECDSA Signature Algorithm Selection SHA384-client -[4-ECDSA Signature Algorithm Selection, no ECDSA certificate-server] +[4-ECDSA Signature Algorithm Selection SHA384-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[4-ECDSA Signature Algorithm Selection, no ECDSA certificate-client] +[4-ECDSA Signature Algorithm Selection SHA384-client] CipherString = DEFAULT -SignatureAlgorithms = ECDSA+SHA256 +SignatureAlgorithms = ECDSA+SHA384 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-4] +ExpectedResult = Success +ExpectedServerCertType = P-256 +ExpectedServerSignHash = SHA384 +ExpectedServerSignType = EC + + +# =========================================================== + +[5-ECDSA Signature Algorithm Selection, no ECDSA certificate] +ssl_conf = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl + +[5-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] +server = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate-server +client = 5-ECDSA Signature Algorithm Selection, no ECDSA 
certificate-client + +[5-ECDSA Signature Algorithm Selection, no ECDSA certificate-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[5-ECDSA Signature Algorithm Selection, no ECDSA certificate-client] +CipherString = DEFAULT +SignatureAlgorithms = ECDSA+SHA256 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-5] ExpectedResult = ServerFail # =========================================================== -[5-RSA Signature Algorithm Selection] -ssl_conf = 5-RSA Signature Algorithm Selection-ssl +[6-RSA Signature Algorithm Selection] +ssl_conf = 6-RSA Signature Algorithm Selection-ssl -[5-RSA Signature Algorithm Selection-ssl] -server = 5-RSA Signature Algorithm Selection-server -client = 5-RSA Signature Algorithm Selection-client +[6-RSA Signature Algorithm Selection-ssl] +server = 6-RSA Signature Algorithm Selection-server +client = 6-RSA Signature Algorithm Selection-client -[5-RSA Signature Algorithm Selection-server] +[6-RSA Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -159,13 +190,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[5-RSA Signature Algorithm Selection-client] +[6-RSA Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = RSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-5] +[test-6] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA256 
@@ -174,14 +205,14 @@ ExpectedServerSignType = RSA # =========================================================== -[6-RSA-PSS Signature Algorithm Selection] -ssl_conf = 6-RSA-PSS Signature Algorithm Selection-ssl +[7-RSA-PSS Signature Algorithm Selection] +ssl_conf = 7-RSA-PSS Signature Algorithm Selection-ssl -[6-RSA-PSS Signature Algorithm Selection-ssl] -server = 6-RSA-PSS Signature Algorithm Selection-server -client = 6-RSA-PSS Signature Algorithm Selection-client +[7-RSA-PSS Signature Algorithm Selection-ssl] +server = 7-RSA-PSS Signature Algorithm Selection-server +client = 7-RSA-PSS Signature Algorithm Selection-client -[6-RSA-PSS Signature Algorithm Selection-server] +[7-RSA-PSS Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -189,13 +220,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[6-RSA-PSS Signature Algorithm Selection-client] +[7-RSA-PSS Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = RSA-PSS+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-6] +[test-7] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA256 diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in index 6bc1d90dd0..7767aca0f8 100644 --- a/test/ssl-tests/20-cert-select.conf.in +++ b/test/ssl-tests/20-cert-select.conf.in 
@@ -2,20 +2,18 @@ ## SSL test configurations -package ssltests; use strict; use warnings; -use OpenSSL::Test; -use OpenSSL::Test::Utils qw(anydisabled); +package ssltests; +use OpenSSL::Test::Utils; my $dir_sep = $^O ne "VMS" ? "/" : ""; my $server = { "ECDSA.Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}server-ecdsa-cert.pem", "ECDSA.PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}server-ecdsa-key.pem", - # TODO(TLS1.3): add test cases for TLSv1.3 "MaxProtocol" => "TLSv1.2" }; @@ -67,6 +65,19 @@ our @tests = ( "ExpectedResult" => "Success" }, }, + { + name => "ECDSA Signature Algorithm Selection SHA384", + server => $server, + client => { + "SignatureAlgorithms" => "ECDSA+SHA384", + }, + test => { + "ExpectedServerCertType" => "P-256", + "ExpectedServerSignHash" => "SHA384", + "ExpectedServerSignType" => "EC", + "ExpectedResult" => "Success" + }, + }, { name => "ECDSA Signature Algorithm Selection, no ECDSA certificate", server => { }, 
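Review bot: `use OpenSSL::Test::Utils;` now relies on the module's default export list to bring in `disabled`, where the removed line named its import explicitly. Writing `use OpenSSL::Test::Utils qw(disabled);` keeps the one function this file uses visible at the top and avoids importing the rest of the default exports into `ssltests`. The only visible call is `disabled("tls1_3")` at the end of the file, in a later hunk.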
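Review bot: The added "ECDSA Signature Algorithm Selection SHA384" case expects `Success` for a P-256 certificate with `ECDSA+SHA384`, but nothing in the entry says why that pairing is accepted here when the commit message says it must be rejected under TLS 1.3. A comment above the entry, e.g. `# TLS 1.2: the ECDSA hash is not tied to the curve, so P-256 with SHA384 is valid`, would keep a later reader from "correcting" the expectation. The case depends on `$server` keeping `MaxProtocol` at `TLSv1.2`. The `@tests` list opens and closes outside this hunk.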
@@ -104,3 +115,88 @@ our @tests = ( }, } ); + + +my $server_tls_1_3 = { + "ECDSA.Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}server-ecdsa-cert.pem", + "ECDSA.PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}server-ecdsa-key.pem", + "MinProtocol" => "TLSv1.3", + "MaxProtocol" => "TLSv1.3" +}; + +my @tests_tls_1_3 = ( + { + name => "TLS 1.3 ECDSA Signature Algorithm Selection", + server => $server_tls_1_3, + client => { + "SignatureAlgorithms" => "ECDSA+SHA256", + }, + test => { + "ExpectedServerCertType" => "P-256", + "ExpectedServerSignHash" => "SHA256", + "ExpectedServerSignType" => "EC", + "ExpectedResult" => "Success" + }, + }, + { + name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS", + server => $server_tls_1_3, + client => { + "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256", + }, + test => { + "ExpectedServerCertType" => "P-256", + "ExpectedServerSignHash" => "SHA256", + "ExpectedServerSignType" => "EC", + "ExpectedResult" => "Success" + }, + }, + { + name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS", + server => $server_tls_1_3, + client => { + "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384", + }, + test => { + "ExpectedServerCertType" => "RSA", + "ExpectedServerSignHash" => "SHA384", + "ExpectedServerSignType" => "RSA-PSS", + "ExpectedResult" => "Success" + }, + }, + { + name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate", + server => { }, + client => { + "SignatureAlgorithms" => "ECDSA+SHA256", + }, + test => { + "ExpectedResult" => "ServerFail" + }, + }, + { + name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS", + server => $server_tls_1_3, + client => { + "SignatureAlgorithms" => "RSA+SHA256", + }, + test => { + "ExpectedResult" => "ServerFail" + }, + }, + { + name => "TLS 1.3 RSA-PSS Signature Algorithm Selection", + server => $server_tls_1_3, + client => { + "SignatureAlgorithms" => "RSA-PSS+SHA256", + }, + test => { + "ExpectedServerCertType" => "RSA", + 
"ExpectedServerSignHash" => "SHA256", + "ExpectedServerSignType" => "RSA-PSS", + "ExpectedResult" => "Success" + }, + } +); + +push @tests, @tests_tls_1_3 unless disabled("tls1_3"); -- 2.25.1
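Review bot: The case "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate" uses `server => { }`, so unlike the other entries in `@tests_tls_1_3` it does not pin the protocol version. Its `ServerFail` would be reported the same way if the handshake ran as TLS 1.2. Giving it `server => { "MinProtocol" => "TLSv1.3", "MaxProtocol" => "TLSv1.3" },` makes it exercise the TLS 1.3 selection path it is named for. Separately, the P-384 restriction described in the commit message is covered only through the fallback case `ECDSA+SHA384:RSA-PSS+SHA384`. A case offering `ECDSA+SHA384` alone with `"ExpectedResult" => "ServerFail"` would pin the rejection directly, rather than inferring it from RSA-PSS being chosen.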