From c749308fc44a0b33b340e23834320dbef9fbf8de Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sat, 25 Feb 2017 00:40:55 +0000 Subject: [PATCH] Add tests for SHA1 and EC point compression Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/2739) --- test/ssl-tests/20-cert-select.conf | 172 ++++++++++++++++++-------- test/ssl-tests/20-cert-select.conf.in | 55 ++++++++ 2 files changed, 172 insertions(+), 55 deletions(-) diff --git a/test/ssl-tests/20-cert-select.conf b/test/ssl-tests/20-cert-select.conf index 290bb878f1..e787efc5f0 100644 --- a/test/ssl-tests/20-cert-select.conf +++ b/test/ssl-tests/20-cert-select.conf @@ -1,18 +1,20 @@ # Generated with generate_ssl_tests.pl -num_tests = 11 +num_tests = 13 test-0 = 0-ECDSA CipherString Selection test-1 = 1-RSA CipherString Selection test-2 = 2-ECDSA CipherString Selection, no ECDSA certificate test-3 = 3-ECDSA Signature Algorithm Selection test-4 = 4-ECDSA Signature Algorithm Selection SHA384 -test-5 = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate -test-6 = 6-RSA Signature Algorithm Selection -test-7 = 7-RSA-PSS Signature Algorithm Selection -test-8 = 8-Suite B P-256 Hash Algorithm Selection -test-9 = 9-Suite B P-384 Hash Algorithm Selection -test-10 = 10-TLS 1.2 DSA Certificate Test +test-5 = 5-ECDSA Signature Algorithm Selection SHA1 +test-6 = 6-ECDSA Signature Algorithm Selection compressed point +test-7 = 7-ECDSA Signature Algorithm Selection, no ECDSA certificate +test-8 = 8-RSA Signature Algorithm Selection +test-9 = 9-RSA-PSS Signature Algorithm Selection +test-10 = 10-Suite B P-256 Hash Algorithm Selection +test-11 = 11-Suite B P-384 Hash Algorithm Selection +test-12 = 12-TLS 1.2 DSA Certificate Test # =========================================================== [0-ECDSA CipherString Selection] 
@@ -155,39 +157,99 @@ ExpectedServerSignType = EC # =========================================================== -[5-ECDSA Signature Algorithm Selection, no ECDSA certificate] -ssl_conf = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl +[5-ECDSA Signature Algorithm Selection SHA1] +ssl_conf = 5-ECDSA Signature Algorithm Selection SHA1-ssl -[5-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] -server = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate-server -client = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate-client +[5-ECDSA Signature Algorithm Selection SHA1-ssl] +server = 5-ECDSA Signature Algorithm Selection SHA1-server +client = 5-ECDSA Signature Algorithm Selection SHA1-client -[5-ECDSA Signature Algorithm Selection, no ECDSA certificate-server] +[5-ECDSA Signature Algorithm Selection SHA1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[5-ECDSA Signature Algorithm Selection, no ECDSA certificate-client] +[5-ECDSA Signature Algorithm Selection SHA1-client] CipherString = DEFAULT -SignatureAlgorithms = ECDSA+SHA256 +SignatureAlgorithms = ECDSA+SHA1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-5] +ExpectedResult = Success +ExpectedServerCertType = P-256 +ExpectedServerSignHash = SHA1 +ExpectedServerSignType = EC + + +# =========================================================== + +[6-ECDSA Signature Algorithm Selection compressed point] +ssl_conf = 6-ECDSA Signature Algorithm Selection compressed point-ssl + +[6-ECDSA Signature Algorithm Selection compressed point-ssl] +server = 6-ECDSA Signature Algorithm Selection compressed point-server +client = 6-ECDSA Signature Algorithm Selection compressed point-client + +[6-ECDSA Signature Algorithm 
Selection compressed point-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-cecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-cecdsa-key.pem +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[6-ECDSA Signature Algorithm Selection compressed point-client] +CipherString = DEFAULT +SignatureAlgorithms = ECDSA+SHA256 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-6] +ExpectedResult = Success +ExpectedServerCertType = P-256 +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = EC + + +# =========================================================== + +[7-ECDSA Signature Algorithm Selection, no ECDSA certificate] +ssl_conf = 7-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl + +[7-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] +server = 7-ECDSA Signature Algorithm Selection, no ECDSA certificate-server +client = 7-ECDSA Signature Algorithm Selection, no ECDSA certificate-client + +[7-ECDSA Signature Algorithm Selection, no ECDSA certificate-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[7-ECDSA Signature Algorithm Selection, no ECDSA certificate-client] +CipherString = DEFAULT +SignatureAlgorithms = ECDSA+SHA256 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-7] ExpectedResult = ServerFail # =========================================================== -[6-RSA Signature Algorithm Selection] -ssl_conf = 6-RSA Signature Algorithm Selection-ssl +[8-RSA Signature Algorithm Selection] +ssl_conf = 8-RSA Signature Algorithm Selection-ssl -[6-RSA Signature Algorithm Selection-ssl] -server = 6-RSA Signature Algorithm Selection-server -client = 6-RSA Signature Algorithm Selection-client +[8-RSA Signature Algorithm Selection-ssl] +server = 8-RSA 
Signature Algorithm Selection-server +client = 8-RSA Signature Algorithm Selection-client -[6-RSA Signature Algorithm Selection-server] +[8-RSA Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -195,13 +257,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[6-RSA Signature Algorithm Selection-client] +[8-RSA Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = RSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-6] +[test-8] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA256 @@ -210,14 +272,14 @@ ExpectedServerSignType = RSA # =========================================================== -[7-RSA-PSS Signature Algorithm Selection] -ssl_conf = 7-RSA-PSS Signature Algorithm Selection-ssl +[9-RSA-PSS Signature Algorithm Selection] +ssl_conf = 9-RSA-PSS Signature Algorithm Selection-ssl -[7-RSA-PSS Signature Algorithm Selection-ssl] -server = 7-RSA-PSS Signature Algorithm Selection-server -client = 7-RSA-PSS Signature Algorithm Selection-client +[9-RSA-PSS Signature Algorithm Selection-ssl] +server = 9-RSA-PSS Signature Algorithm Selection-server +client = 9-RSA-PSS Signature Algorithm Selection-client -[7-RSA-PSS Signature Algorithm Selection-server] +[9-RSA-PSS Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem 
@@ -225,13 +287,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[7-RSA-PSS Signature Algorithm Selection-client] +[9-RSA-PSS Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = RSA-PSS+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-7] +[test-9] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA256 @@ -240,14 +302,14 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[8-Suite B P-256 Hash Algorithm Selection] -ssl_conf = 8-Suite B P-256 Hash Algorithm Selection-ssl +[10-Suite B P-256 Hash Algorithm Selection] +ssl_conf = 10-Suite B P-256 Hash Algorithm Selection-ssl -[8-Suite B P-256 Hash Algorithm Selection-ssl] -server = 8-Suite B P-256 Hash Algorithm Selection-server -client = 8-Suite B P-256 Hash Algorithm Selection-client +[10-Suite B P-256 Hash Algorithm Selection-ssl] +server = 10-Suite B P-256 Hash Algorithm Selection-server +client = 10-Suite B P-256 Hash Algorithm Selection-client -[8-Suite B P-256 Hash Algorithm Selection-server] +[10-Suite B P-256 Hash Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = SUITEB128 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p256-server-cert.pem @@ -255,13 +317,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p256-server-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[8-Suite B P-256 Hash Algorithm Selection-client] +[10-Suite B P-256 Hash Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem VerifyMode = Peer -[test-8] +[test-10] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA256 
@@ -270,14 +332,14 @@ ExpectedServerSignType = EC # =========================================================== -[9-Suite B P-384 Hash Algorithm Selection] -ssl_conf = 9-Suite B P-384 Hash Algorithm Selection-ssl +[11-Suite B P-384 Hash Algorithm Selection] +ssl_conf = 11-Suite B P-384 Hash Algorithm Selection-ssl -[9-Suite B P-384 Hash Algorithm Selection-ssl] -server = 9-Suite B P-384 Hash Algorithm Selection-server -client = 9-Suite B P-384 Hash Algorithm Selection-client +[11-Suite B P-384 Hash Algorithm Selection-ssl] +server = 11-Suite B P-384 Hash Algorithm Selection-server +client = 11-Suite B P-384 Hash Algorithm Selection-client -[9-Suite B P-384 Hash Algorithm Selection-server] +[11-Suite B P-384 Hash Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = SUITEB128 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem @@ -285,13 +347,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[9-Suite B P-384 Hash Algorithm Selection-client] +[11-Suite B P-384 Hash Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem VerifyMode = Peer -[test-9] +[test-11] ExpectedResult = Success ExpectedServerCertType = P-384 ExpectedServerSignHash = SHA384 
@@ -300,14 +362,14 @@ ExpectedServerSignType = EC # =========================================================== -[10-TLS 1.2 DSA Certificate Test] -ssl_conf = 10-TLS 1.2 DSA Certificate Test-ssl +[12-TLS 1.2 DSA Certificate Test] +ssl_conf = 12-TLS 1.2 DSA Certificate Test-ssl -[10-TLS 1.2 DSA Certificate Test-ssl] -server = 10-TLS 1.2 DSA Certificate Test-server -client = 10-TLS 1.2 DSA Certificate Test-client +[12-TLS 1.2 DSA Certificate Test-ssl] +server = 12-TLS 1.2 DSA Certificate Test-server +client = 12-TLS 1.2 DSA Certificate Test-client -[10-TLS 1.2 DSA Certificate Test-server] +[12-TLS 1.2 DSA Certificate Test-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = ALL DHParameters = ${ENV::TEST_CERTS_DIR}/dhp2048.pem @@ -317,13 +379,13 @@ MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[10-TLS 1.2 DSA Certificate Test-client] +[12-TLS 1.2 DSA Certificate Test-client] CipherString = ALL SignatureAlgorithms = DSA+SHA256:DSA+SHA1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-10] +[test-12] ExpectedResult = Success diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in index e33b3d60f7..1dd7860d88 100644 --- a/test/ssl-tests/20-cert-select.conf.in +++ b/test/ssl-tests/20-cert-select.conf.in 
@@ -78,6 +78,36 @@ our @tests = (
 "ExpectedResult" => "Success"
 },
 },
+ {
+ name => "ECDSA Signature Algorithm Selection SHA1",
+ server => $server,
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA1",
+ },
+ test => {
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA1",
+ "ExpectedServerSignType" => "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "ECDSA Signature Algorithm Selection compressed point",
+ server => {
+ "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
+ "MaxProtocol" => "TLSv1.2"
+ },
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256",
+ },
+ test => {
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
 {
 name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
 server => {
@@ -187,6 +217,31 @@ my @tests_tls_1_3 = (
 "ExpectedResult" => "Success"
 },
 },
+ {
+ name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point",
+ server => {
+ "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
+ "MinProtocol" => "TLSv1.3",
+ "MaxProtocol" => "TLSv1.3"
+ },
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+ {
+ name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1",
+ server => $server_tls_1_3,
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA1",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
 {
 name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
 server => $server_tls_1_3,
-- 
2.25.1
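Review bot: The new "ECDSA Signature Algorithm Selection SHA1" entry in `@tests` pins a successful TLS 1.2 handshake signed with ECDSA+SHA1, but nothing in the entry says that this is a deliberate legacy-compatibility check. The expected `Success` presumably depends on the default security level still permitting SHA-1 signatures, so the entry will need revisiting if that default is tightened. A comment above it such as `# SHA-1 signatures are still accepted for TLS 1.2 here; the TLS 1.3 variant of this test must fail` would record the intent. The compressed-point entry loads `server-cecdsa-cert.pem` and `server-cecdsa-key.pem`, which the diffstat shows this patch does not add, so both files have to be in the test certificate directory already. The `@tests` list starts and ends outside the hunk.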
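Review bot: Both entries added to `@tests_tls_1_3` assert only `"ExpectedResult" => "ServerFail"`, so they pass on any server-side failure, not just on rejection of the compressed-point certificate or of the SHA-1 signature algorithm. If the test framework can match the alert raised for this failure, adding an `"ExpectedServerAlert"` expectation to each `test` hash would tie the result to the intended cause. A one-line comment on each entry saying why TLS 1.3 must refuse it, for example `# TLS 1.3 does not allow SHA-1 for handshake signatures`, would also help the next reader. The `@tests_tls_1_3` list continues outside the hunk.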