From fe93b010e78ab60bc222cf4cbbf3cdfcbecffd91 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 27 Feb 2018 13:02:00 +0000 Subject: [PATCH] Update tests for TLS Ed448 Reviewed-by: Rich Salz Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/5470) --- test/certs/client-ed448-cert.pem | 15 + test/certs/client-ed448-key.pem | 4 + test/certs/mkcert.sh | 1 + test/certs/server-ed448-cert.pem | 14 + test/certs/server-ed448-key.pem | 4 + test/clienthellotest.c | 15 +- test/ecdsatest.c | 2 +- test/ectest.c | 6 - test/ossl_shim/ossl_shim.cc | 2 +- test/ssl-tests/14-curves.conf | 31 +- test/ssl-tests/14-curves.conf.in | 2 +- test/ssl-tests/20-cert-select.conf | 1006 +++++++++++++++---------- test/ssl-tests/20-cert-select.conf.in | 126 +++- test/ssl_cert_table_internal_test.c | 2 + 14 files changed, 828 insertions(+), 402 deletions(-) create mode 100644 test/certs/client-ed448-cert.pem create mode 100644 test/certs/client-ed448-key.pem create mode 100644 test/certs/server-ed448-cert.pem create mode 100644 test/certs/server-ed448-key.pem diff --git a/test/certs/client-ed448-cert.pem b/test/certs/client-ed448-cert.pem new file mode 100644 index 0000000000..3d6d5e87c9 --- /dev/null +++ b/test/certs/client-ed448-cert.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICQDCCASigAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE4MDIyNzE3MTAxN1oYDzIxMTgwMjI4MTcxMDE3WjAXMRUwEwYDVQQD +DAxDbGllbnQtRWQ0NDgwQzAFBgMrZXEDOgB4bFbdmw9IviAHXKt/2/hRDaiEr6JH +bsLr3IPNQq3XIYxYh4AIPx3YffYW3xukHDGWTQ50dptQiwCjezB5MB0GA1UdDgQW +BBTEno3ezhmTYZzGdD65nVRMp3f2hzAfBgNVHSMEGDAWgBSO9SWvHptrhD18gJrJ +U5xNcvejUjAJBgNVHRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMBcGA1UdEQQQ +MA6CDENsaWVudC1FZDQ0ODANBgkqhkiG9w0BAQsFAAOCAQEAP2/y30iko57i8lUY +ju9Vb4V0TCATKa+HNnzHG1jyWAgiWpPtHe269Cnb8AvdwWKVeppKkG6LeWHo3btP +LOd8xEFhnklM4rPkxMYMCQ0lcw2xagbw3CW12mLs15N3QCjxSnA/kuuftzor9fRl +gzazVh4Kf/jXtlRyBI6R4+bXSGgKhIipdBF5xWmTPvZBViWKxgysQuP1bNzw9AC4 +QMGm4ApOVuY9iE8dPYKgJUVGWc3d9l23fkd422kEgz5euK66HovjYaBj0S0kZhEZ +tWUCRTcv4k40ke2jr8/Zm3Ugab09XWU2T98k/OvXu+Y0AlLMZp2ehC6wXObprEXv +dY5URg== +-----END CERTIFICATE----- diff --git a/test/certs/client-ed448-key.pem b/test/certs/client-ed448-key.pem new file mode 100644 index 0000000000..ab4d7ff3de --- /dev/null +++ b/test/certs/client-ed448-key.pem @@ -0,0 +1,4 @@ +-----BEGIN PRIVATE KEY----- +MEcCAQAwBQYDK2VxBDsEOWmRn7GCRupyB1q/qQZ+h1lEt+TGtZSNJ5U+Saa+X+hk +gWpeKJP9MTpw7kdMAeAhb6XlhCANH2zV9A== +-----END PRIVATE KEY----- diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh index 7048f27757..1d4b503700 100755 --- a/test/certs/mkcert.sh +++ b/test/certs/mkcert.sh @@ -55,6 +55,7 @@ key() { args=("${args[@]}" -pkeyopt ec_param_enc:named_curve);; dsa) args=(-paramfile "$bits");; ed25519) ;; + ed448) ;; *) printf "Unsupported key algorithm: %s\n" "$alg" >&2; return 1;; esac stderr_onerror \ diff --git a/test/certs/server-ed448-cert.pem b/test/certs/server-ed448-cert.pem new file mode 100644 index 0000000000..740f275549 --- /dev/null +++ b/test/certs/server-ed448-cert.pem @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICHTCCAQWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE4MDIyNzE1MDcxM1oYDzIxMTgwMjI4MTUwNzEzWjAQMQ4wDAYDVQQD +DAVFZDQ0ODBDMAUGAytlcQM6ABBicYlhG1s3AoG5BFmY3r50lJzjQoER4zwuieEe +QTvKxLEV06vGh79UWO6yQ5FxqmxvM1F/Xw7RAKNfMF0wHQYDVR0OBBYEFAwa1L4m +3pwA8+IEJ7K/4izrjJIHMB8GA1UdIwQYMBaAFHB/Lq6DaFmYBCMqzes+F80k3QFJ +MAkGA1UdEwQCMAAwEAYDVR0RBAkwB4IFRWQ0NDgwDQYJKoZIhvcNAQELBQADggEB +AAugH2aE6VvArnOVjKBtalqtHlx+NCC3+S65sdWc9A9sNgI1ZiN7dn76TKn5d0T7 +NqV8nY1rwQg6WPGrCD6Eh63qhotytqYIxltppb4MOUJcz/Zf0ZwhB5bUfwNB//Ih +5aZT86FpXVuyMnwUTWPcISJqpZiBv95yzZFMpniHFvecvV445ly4TFW5y6VURh40 +Tg4tMgjPTE7ADw+dX4FvnTWY3blxT1GzGxGvqWW4HgP8dOETnjmAwCzN0nUVmH9s +7ybHORcSljcpe0XH6L/K7mbI+r8mVLsAoIzUeDwUdKKJZ2uGEtdhQDmJBp4EjOXE +3qIn3wEQQ6ax4NIwkZihdLI= +-----END CERTIFICATE----- diff --git a/test/certs/server-ed448-key.pem b/test/certs/server-ed448-key.pem new file mode 100644 index 0000000000..25a750fec8 --- /dev/null +++ b/test/certs/server-ed448-key.pem @@ -0,0 +1,4 @@ +-----BEGIN PRIVATE KEY----- +MEcCAQAwBQYDK2VxBDsEOTiHqANC9pFHbs8VAeqZ52cwKi0jPTSM5GjsKW4vbgG6 +BMFSdURqGj2FD02H7xsyrR20pIXI1GbE+A== +-----END PRIVATE KEY----- diff --git a/test/clienthellotest.c b/test/clienthellotest.c index 4f6bd40c9b..5cff519ead 100644 --- a/test/clienthellotest.c +++ b/test/clienthellotest.c @@ -111,12 +111,19 @@ static int test_client_hello(int currtest) * F5_WORKAROUND_MIN_MSG_LEN bytes long - meaning padding will be * needed. */ - if (currtest == TEST_ADD_PADDING - && (!TEST_false(SSL_CTX_set_alpn_protos(ctx, + if (currtest == TEST_ADD_PADDING) { + if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, (unsigned char *)alpn_prots, - sizeof(alpn_prots) - 1)))) + sizeof(alpn_prots) - 1))) + goto end; + /* + * Otherwise we need to make sure we have a small enough message to + * not need padding. + */ + } else if (!TEST_true(SSL_CTX_set_cipher_list(ctx, + "AES128-SHA:TLS13-AES-128-GCM-SHA256"))) { goto end; - + } break; default: diff --git a/test/ecdsatest.c b/test/ecdsatest.c index e53afdf33b..6a15b3af27 100644 --- a/test/ecdsatest.c +++ b/test/ecdsatest.c @@ -239,7 +239,7 @@ static int test_builtin(void) unsigned char dirt, offset; nid = curves[n].nid; - if (nid == NID_ipsec4 || nid == NID_X25519) + if (nid == NID_ipsec4) continue; /* create new ecdsa key (== EC_KEY) */ if (!TEST_ptr(eckey = EC_KEY_new()) diff --git a/test/ectest.c b/test/ectest.c index 9341752897..e49920cec7 100644 --- a/test/ectest.c +++ b/test/ectest.c @@ -1152,12 +1152,6 @@ static int internal_curve_test_method(int n) int r, nid = curves[n].nid; EC_GROUP *group; - /* - * Skip for X25519 because low level operations such as EC_POINT_mul() - * are not supported for this curve - */ - if (nid == NID_X25519) - return 1; if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) { TEST_info("Curve %s failed\n", OBJ_nid2sn(nid)); return 0; diff --git a/test/ossl_shim/ossl_shim.cc b/test/ossl_shim/ossl_shim.cc index 5ef195c66c..fd6fa06a1f 100644 --- a/test/ossl_shim/ossl_shim.cc +++ b/test/ossl_shim/ossl_shim.cc @@ -968,7 +968,7 @@ static bool DoExchange(bssl::UniquePtr *out_session, } if (config->enable_all_curves) { static const int kAllCurves[] = { - NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1, NID_X25519, + NID_X25519, NID_X9_62_prime256v1, NID_X448, NID_secp521r1, NID_secp384r1 }; if (!SSL_set1_curves(ssl.get(), kAllCurves, OPENSSL_ARRAY_SIZE(kAllCurves))) { diff --git a/test/ssl-tests/14-curves.conf b/test/ssl-tests/14-curves.conf index ab04c2ef39..f76f08fd7d 100644 --- a/test/ssl-tests/14-curves.conf +++ b/test/ssl-tests/14-curves.conf @@ -1,6 +1,6 @@ # Generated with generate_ssl_tests.pl -num_tests = 29 +num_tests = 30 test-0 = 0-curve-sect163k1 test-1 = 1-curve-sect163r1 @@ -31,6 +31,7 @@ test-25 = 25-curve-brainpoolP256r1 test-26 = 26-curve-brainpoolP384r1 test-27 = 27-curve-brainpoolP512r1 test-28 = 28-curve-X25519 +test-29 = 29-curve-X448 # =========================================================== [0-curve-sect163k1] @@ -843,3 +844,31 @@ ExpectedResult = Success ExpectedTmpKeyType = X25519 +# =========================================================== + +[29-curve-X448] +ssl_conf = 29-curve-X448-ssl + +[29-curve-X448-ssl] +server = 29-curve-X448-server +client = 29-curve-X448-client + +[29-curve-X448-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = X448 +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[29-curve-X448-client] +CipherString = ECDHE +Curves = X448 +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-29] +ExpectedResult = Success +ExpectedTmpKeyType = X448 + + diff --git a/test/ssl-tests/14-curves.conf.in b/test/ssl-tests/14-curves.conf.in index 9f6e4339a4..2f8077c44a 100644 --- a/test/ssl-tests/14-curves.conf.in +++ b/test/ssl-tests/14-curves.conf.in @@ -17,7 +17,7 @@ my @curves = ("sect163k1", "sect163r1", "sect163r2", "sect193r1", "secp160r2", "secp192k1", "prime192v1", "secp224k1", "secp224r1", "secp256k1", "prime256v1", "secp384r1", "secp521r1", "brainpoolP256r1", "brainpoolP384r1", - "brainpoolP512r1", "X25519"); + "brainpoolP512r1", "X25519", "X448"); our @tests = (); diff --git a/test/ssl-tests/20-cert-select.conf b/test/ssl-tests/20-cert-select.conf index 609e2166c4..1f415bfe72 100644 --- a/test/ssl-tests/20-cert-select.conf +++ b/test/ssl-tests/20-cert-select.conf @@ -1,46 +1,52 @@ # Generated with generate_ssl_tests.pl -num_tests = 39 +num_tests = 45 test-0 = 0-ECDSA CipherString Selection test-1 = 1-Ed25519 CipherString and Signature Algorithm Selection -test-2 = 2-RSA CipherString Selection -test-3 = 3-RSA-PSS Certificate CipherString Selection -test-4 = 4-P-256 CipherString and Signature Algorithm Selection -test-5 = 5-Ed25519 CipherString and Curves Selection -test-6 = 6-ECDSA CipherString Selection, no ECDSA certificate -test-7 = 7-ECDSA Signature Algorithm Selection -test-8 = 8-ECDSA Signature Algorithm Selection SHA384 -test-9 = 9-ECDSA Signature Algorithm Selection SHA1 -test-10 = 10-ECDSA Signature Algorithm Selection compressed point -test-11 = 11-ECDSA Signature Algorithm Selection, no ECDSA certificate -test-12 = 12-RSA Signature Algorithm Selection -test-13 = 13-RSA-PSS Signature Algorithm Selection -test-14 = 14-RSA-PSS Certificate Legacy Signature Algorithm Selection -test-15 = 15-RSA-PSS Certificate Unified Signature Algorithm Selection -test-16 = 16-Only RSA-PSS Certificate -test-17 = 17-RSA-PSS Certificate, no PSS signature algorithms -test-18 = 18-Suite B P-256 Hash Algorithm Selection -test-19 = 19-Suite B P-384 Hash Algorithm Selection -test-20 = 20-TLS 1.2 Ed25519 Client Auth -test-21 = 21-Only RSA-PSS Certificate, TLS v1.1 -test-22 = 22-TLS 1.3 ECDSA Signature Algorithm Selection -test-23 = 23-TLS 1.3 ECDSA Signature Algorithm Selection compressed point -test-24 = 24-TLS 1.3 ECDSA Signature Algorithm Selection SHA1 -test-25 = 25-TLS 1.3 ECDSA Signature Algorithm Selection with PSS -test-26 = 26-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS -test-27 = 27-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate -test-28 = 28-TLS 1.3 RSA Signature Algorithm Selection, no PSS -test-29 = 29-TLS 1.3 RSA-PSS Signature Algorithm Selection -test-30 = 30-TLS 1.3 Ed25519 Signature Algorithm Selection -test-31 = 31-TLS 1.3 Ed25519 CipherString and Groups Selection -test-32 = 32-TLS 1.3 RSA Client Auth Signature Algorithm Selection -test-33 = 33-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names -test-34 = 34-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection -test-35 = 35-TLS 1.3 Ed25519 Client Auth -test-36 = 36-TLS 1.2 DSA Certificate Test -test-37 = 37-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms -test-38 = 38-TLS 1.3 DSA Certificate Test +test-2 = 2-Ed448 CipherString and Signature Algorithm Selection +test-3 = 3-RSA CipherString Selection +test-4 = 4-RSA-PSS Certificate CipherString Selection +test-5 = 5-P-256 CipherString and Signature Algorithm Selection +test-6 = 6-Ed25519 CipherString and Curves Selection +test-7 = 7-Ed448 CipherString and Curves Selection +test-8 = 8-ECDSA CipherString Selection, no ECDSA certificate +test-9 = 9-ECDSA Signature Algorithm Selection +test-10 = 10-ECDSA Signature Algorithm Selection SHA384 +test-11 = 11-ECDSA Signature Algorithm Selection SHA1 +test-12 = 12-ECDSA Signature Algorithm Selection compressed point +test-13 = 13-ECDSA Signature Algorithm Selection, no ECDSA certificate +test-14 = 14-RSA Signature Algorithm Selection +test-15 = 15-RSA-PSS Signature Algorithm Selection +test-16 = 16-RSA-PSS Certificate Legacy Signature Algorithm Selection +test-17 = 17-RSA-PSS Certificate Unified Signature Algorithm Selection +test-18 = 18-Only RSA-PSS Certificate +test-19 = 19-RSA-PSS Certificate, no PSS signature algorithms +test-20 = 20-Suite B P-256 Hash Algorithm Selection +test-21 = 21-Suite B P-384 Hash Algorithm Selection +test-22 = 22-TLS 1.2 Ed25519 Client Auth +test-23 = 23-TLS 1.2 Ed448 Client Auth +test-24 = 24-Only RSA-PSS Certificate, TLS v1.1 +test-25 = 25-TLS 1.3 ECDSA Signature Algorithm Selection +test-26 = 26-TLS 1.3 ECDSA Signature Algorithm Selection compressed point +test-27 = 27-TLS 1.3 ECDSA Signature Algorithm Selection SHA1 +test-28 = 28-TLS 1.3 ECDSA Signature Algorithm Selection with PSS +test-29 = 29-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS +test-30 = 30-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate +test-31 = 31-TLS 1.3 RSA Signature Algorithm Selection, no PSS +test-32 = 32-TLS 1.3 RSA-PSS Signature Algorithm Selection +test-33 = 33-TLS 1.3 Ed25519 Signature Algorithm Selection +test-34 = 34-TLS 1.3 Ed448 Signature Algorithm Selection +test-35 = 35-TLS 1.3 Ed25519 CipherString and Groups Selection +test-36 = 36-TLS 1.3 Ed448 CipherString and Groups Selection +test-37 = 37-TLS 1.3 RSA Client Auth Signature Algorithm Selection +test-38 = 38-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names +test-39 = 39-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection +test-40 = 40-TLS 1.3 Ed25519 Client Auth +test-41 = 41-TLS 1.3 Ed448 Client Auth +test-42 = 42-TLS 1.2 DSA Certificate Test +test-43 = 43-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms +test-44 = 44-TLS 1.3 DSA Certificate Test # =========================================================== [0-ECDSA CipherString Selection] @@ -55,8 +61,10 @@ Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem @@ -88,8 +96,10 @@ Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem @@ -110,63 +120,103 @@ ExpectedServerSignType = Ed25519 # =========================================================== -[2-RSA CipherString Selection] -ssl_conf = 2-RSA CipherString Selection-ssl +[2-Ed448 CipherString and Signature Algorithm Selection] +ssl_conf = 2-Ed448 CipherString and Signature Algorithm Selection-ssl -[2-RSA CipherString Selection-ssl] -server = 2-RSA CipherString Selection-server -client = 2-RSA CipherString Selection-client +[2-Ed448 CipherString and Signature Algorithm Selection-ssl] +server = 2-Ed448 CipherString and Signature Algorithm Selection-server +client = 2-Ed448 CipherString and Signature Algorithm Selection-client -[2-RSA CipherString Selection-server] +[2-Ed448 CipherString and Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[2-RSA CipherString Selection-client] -CipherString = aRSA +[2-Ed448 CipherString and Signature Algorithm Selection-client] +CipherString = aECDSA MaxProtocol = TLSv1.2 +RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +SignatureAlgorithms = ed448:ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-2] ExpectedResult = Success +ExpectedServerCANames = empty +ExpectedServerCertType = Ed448 +ExpectedServerSignType = Ed448 + + +# =========================================================== + +[3-RSA CipherString Selection] +ssl_conf = 3-RSA CipherString Selection-ssl + +[3-RSA CipherString Selection-ssl] +server = 3-RSA CipherString Selection-server +client = 3-RSA CipherString Selection-client + +[3-RSA CipherString Selection-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[3-RSA CipherString Selection-client] +CipherString = aRSA +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-3] +ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignType = RSA-PSS # =========================================================== -[3-RSA-PSS Certificate CipherString Selection] -ssl_conf = 3-RSA-PSS Certificate CipherString Selection-ssl +[4-RSA-PSS Certificate CipherString Selection] +ssl_conf = 4-RSA-PSS Certificate CipherString Selection-ssl -[3-RSA-PSS Certificate CipherString Selection-ssl] -server = 3-RSA-PSS Certificate CipherString Selection-server -client = 3-RSA-PSS Certificate CipherString Selection-client +[4-RSA-PSS Certificate CipherString Selection-ssl] +server = 4-RSA-PSS Certificate CipherString Selection-server +client = 4-RSA-PSS Certificate CipherString Selection-client -[3-RSA-PSS Certificate CipherString Selection-server] +[4-RSA-PSS Certificate CipherString Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[3-RSA-PSS Certificate CipherString Selection-client] +[4-RSA-PSS Certificate CipherString Selection-client] CipherString = aRSA MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-3] +[test-4] ExpectedResult = Success ExpectedServerCertType = RSA-PSS ExpectedServerSignType = RSA-PSS @@ -174,31 +224,33 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[4-P-256 CipherString and Signature Algorithm Selection] -ssl_conf = 4-P-256 CipherString and Signature Algorithm Selection-ssl +[5-P-256 CipherString and Signature Algorithm Selection] +ssl_conf = 5-P-256 CipherString and Signature Algorithm Selection-ssl -[4-P-256 CipherString and Signature Algorithm Selection-ssl] -server = 4-P-256 CipherString and Signature Algorithm Selection-server -client = 4-P-256 CipherString and Signature Algorithm Selection-client +[5-P-256 CipherString and Signature Algorithm Selection-ssl] +server = 5-P-256 CipherString and Signature Algorithm Selection-server +client = 5-P-256 CipherString and Signature Algorithm Selection-client -[4-P-256 CipherString and Signature Algorithm Selection-server] +[5-P-256 CipherString and Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[4-P-256 CipherString and Signature Algorithm Selection-client] +[5-P-256 CipherString and Signature Algorithm Selection-client] CipherString = aECDSA MaxProtocol = TLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ed25519 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-4] +[test-5] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA256 @@ -207,24 +259,26 @@ ExpectedServerSignType = EC # =========================================================== -[5-Ed25519 CipherString and Curves Selection] -ssl_conf = 5-Ed25519 CipherString and Curves Selection-ssl +[6-Ed25519 CipherString and Curves Selection] +ssl_conf = 6-Ed25519 CipherString and Curves Selection-ssl -[5-Ed25519 CipherString and Curves Selection-ssl] -server = 5-Ed25519 CipherString and Curves Selection-server -client = 5-Ed25519 CipherString and Curves Selection-client +[6-Ed25519 CipherString and Curves Selection-ssl] +server = 6-Ed25519 CipherString and Curves Selection-server +client = 6-Ed25519 CipherString and Curves Selection-client -[5-Ed25519 CipherString and Curves Selection-server] +[6-Ed25519 CipherString and Curves Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[5-Ed25519 CipherString and Curves Selection-client] +[6-Ed25519 CipherString and Curves Selection-client] CipherString = aECDSA Curves = X25519 MaxProtocol = TLSv1.2 @@ -232,7 +286,7 @@ SignatureAlgorithms = ECDSA+SHA256:ed25519 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-5] +[test-6] ExpectedResult = Success ExpectedServerCertType = Ed25519 ExpectedServerSignType = Ed25519 @@ -240,55 +294,92 @@ ExpectedServerSignType = Ed25519 # =========================================================== -[6-ECDSA CipherString Selection, no ECDSA certificate] -ssl_conf = 6-ECDSA CipherString Selection, no ECDSA certificate-ssl +[7-Ed448 CipherString and Curves Selection] +ssl_conf = 7-Ed448 CipherString and Curves Selection-ssl -[6-ECDSA CipherString Selection, no ECDSA certificate-ssl] -server = 6-ECDSA CipherString Selection, no ECDSA certificate-server -client = 6-ECDSA CipherString Selection, no ECDSA certificate-client +[7-Ed448 CipherString and Curves Selection-ssl] +server = 7-Ed448 CipherString and Curves Selection-server +client = 7-Ed448 CipherString and Curves Selection-client -[6-ECDSA CipherString Selection, no ECDSA certificate-server] +[7-Ed448 CipherString and Curves Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[6-ECDSA CipherString Selection, no ECDSA certificate-client] +[7-Ed448 CipherString and Curves Selection-client] CipherString = aECDSA +Curves = X448 MaxProtocol = TLSv1.2 +SignatureAlgorithms = ECDSA+SHA256:ed448 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-6] +[test-7] +ExpectedResult = Success +ExpectedServerCertType = Ed448 +ExpectedServerSignType = Ed448 + + +# =========================================================== + +[8-ECDSA CipherString Selection, no ECDSA certificate] +ssl_conf = 8-ECDSA CipherString Selection, no ECDSA certificate-ssl + +[8-ECDSA CipherString Selection, no ECDSA certificate-ssl] +server = 8-ECDSA CipherString Selection, no ECDSA certificate-server +client = 8-ECDSA CipherString Selection, no ECDSA certificate-client + +[8-ECDSA CipherString Selection, no ECDSA certificate-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[8-ECDSA CipherString Selection, no ECDSA certificate-client] +CipherString = aECDSA +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-8] ExpectedResult = ServerFail # =========================================================== -[7-ECDSA Signature Algorithm Selection] -ssl_conf = 7-ECDSA Signature Algorithm Selection-ssl +[9-ECDSA Signature Algorithm Selection] +ssl_conf = 9-ECDSA Signature Algorithm Selection-ssl -[7-ECDSA Signature Algorithm Selection-ssl] -server = 7-ECDSA Signature Algorithm Selection-server -client = 7-ECDSA Signature Algorithm Selection-client +[9-ECDSA Signature Algorithm Selection-ssl] +server = 9-ECDSA Signature Algorithm Selection-server +client = 9-ECDSA Signature Algorithm Selection-client -[7-ECDSA Signature Algorithm Selection-server] +[9-ECDSA Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[7-ECDSA Signature Algorithm Selection-client] +[9-ECDSA Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-7] +[test-9] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA256 @@ -297,30 +388,32 @@ ExpectedServerSignType = EC # =========================================================== -[8-ECDSA Signature Algorithm Selection SHA384] -ssl_conf = 8-ECDSA Signature Algorithm Selection SHA384-ssl +[10-ECDSA Signature Algorithm Selection SHA384] +ssl_conf = 10-ECDSA Signature Algorithm Selection SHA384-ssl -[8-ECDSA Signature Algorithm Selection SHA384-ssl] -server = 8-ECDSA Signature Algorithm Selection SHA384-server -client = 8-ECDSA Signature Algorithm Selection SHA384-client +[10-ECDSA Signature Algorithm Selection SHA384-ssl] +server = 10-ECDSA Signature Algorithm Selection SHA384-server +client = 10-ECDSA Signature Algorithm Selection SHA384-client -[8-ECDSA Signature Algorithm Selection SHA384-server] +[10-ECDSA Signature Algorithm Selection SHA384-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[8-ECDSA Signature Algorithm Selection SHA384-client] +[10-ECDSA Signature Algorithm Selection SHA384-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA384 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-8] +[test-10] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA384 @@ -329,30 +422,32 @@ ExpectedServerSignType = EC # =========================================================== -[9-ECDSA Signature Algorithm Selection SHA1] -ssl_conf = 9-ECDSA Signature Algorithm Selection SHA1-ssl +[11-ECDSA Signature Algorithm Selection SHA1] +ssl_conf = 11-ECDSA Signature Algorithm Selection SHA1-ssl -[9-ECDSA Signature Algorithm Selection SHA1-ssl] -server = 9-ECDSA Signature Algorithm Selection SHA1-server -client = 9-ECDSA Signature Algorithm Selection SHA1-client +[11-ECDSA Signature Algorithm Selection SHA1-ssl] +server = 11-ECDSA Signature Algorithm Selection SHA1-server +client = 11-ECDSA Signature Algorithm Selection SHA1-client -[9-ECDSA Signature Algorithm Selection SHA1-server] +[11-ECDSA Signature Algorithm Selection SHA1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[9-ECDSA Signature Algorithm Selection SHA1-client] +[11-ECDSA Signature Algorithm Selection SHA1-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-9] +[test-11] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA1 @@ -361,14 +456,14 @@ ExpectedServerSignType = EC # =========================================================== -[10-ECDSA Signature Algorithm Selection compressed point] -ssl_conf = 10-ECDSA Signature Algorithm Selection compressed point-ssl +[12-ECDSA Signature Algorithm Selection compressed point] +ssl_conf = 12-ECDSA Signature Algorithm Selection compressed point-ssl -[10-ECDSA Signature Algorithm Selection compressed point-ssl] -server = 10-ECDSA Signature Algorithm Selection compressed point-server -client = 10-ECDSA Signature Algorithm Selection compressed point-client +[12-ECDSA Signature Algorithm Selection compressed point-ssl] +server = 12-ECDSA Signature Algorithm Selection compressed point-server +client = 12-ECDSA Signature Algorithm Selection compressed point-client -[10-ECDSA Signature Algorithm Selection compressed point-server] +[12-ECDSA Signature Algorithm Selection compressed point-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-cecdsa-cert.pem @@ -376,13 +471,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-cecdsa-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[10-ECDSA Signature Algorithm Selection compressed point-client] +[12-ECDSA Signature Algorithm Selection compressed point-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-10] +[test-12] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA256 @@ -391,55 +486,57 @@ ExpectedServerSignType = EC # =========================================================== -[11-ECDSA Signature Algorithm Selection, no ECDSA certificate] -ssl_conf = 11-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl +[13-ECDSA Signature Algorithm Selection, no ECDSA certificate] +ssl_conf = 13-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl -[11-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] -server = 11-ECDSA Signature Algorithm Selection, no ECDSA certificate-server -client = 11-ECDSA Signature Algorithm Selection, no ECDSA certificate-client +[13-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] +server = 13-ECDSA Signature Algorithm Selection, no ECDSA certificate-server +client = 13-ECDSA Signature Algorithm Selection, no ECDSA certificate-client -[11-ECDSA Signature Algorithm Selection, no ECDSA certificate-server] +[13-ECDSA Signature Algorithm Selection, no ECDSA certificate-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[11-ECDSA Signature Algorithm Selection, no ECDSA certificate-client] +[13-ECDSA Signature Algorithm Selection, no ECDSA certificate-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-11] +[test-13] ExpectedResult = ServerFail # =========================================================== -[12-RSA Signature Algorithm Selection] -ssl_conf = 12-RSA Signature Algorithm Selection-ssl +[14-RSA Signature Algorithm Selection] +ssl_conf = 14-RSA Signature Algorithm Selection-ssl -[12-RSA Signature Algorithm Selection-ssl] -server = 12-RSA Signature Algorithm Selection-server -client = 12-RSA Signature Algorithm Selection-client +[14-RSA Signature Algorithm Selection-ssl] +server = 14-RSA Signature Algorithm Selection-server +client = 14-RSA Signature Algorithm Selection-client -[12-RSA Signature Algorithm Selection-server] +[14-RSA Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[12-RSA Signature Algorithm Selection-client] +[14-RSA Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = RSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-12] +[test-14] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA256 @@ -448,30 +545,32 @@ ExpectedServerSignType = RSA # =========================================================== -[13-RSA-PSS Signature Algorithm Selection] -ssl_conf = 13-RSA-PSS Signature Algorithm Selection-ssl +[15-RSA-PSS Signature Algorithm Selection] +ssl_conf = 15-RSA-PSS Signature Algorithm Selection-ssl -[13-RSA-PSS Signature Algorithm Selection-ssl] -server = 13-RSA-PSS Signature Algorithm Selection-server -client = 13-RSA-PSS Signature Algorithm Selection-client +[15-RSA-PSS Signature Algorithm Selection-ssl] +server = 15-RSA-PSS Signature Algorithm Selection-server +client = 15-RSA-PSS Signature Algorithm Selection-client -[13-RSA-PSS Signature Algorithm Selection-server] +[15-RSA-PSS Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[13-RSA-PSS Signature Algorithm Selection-client] +[15-RSA-PSS Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = RSA-PSS+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-13] +[test-15] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA256 @@ -480,32 +579,34 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[14-RSA-PSS Certificate Legacy Signature Algorithm Selection] -ssl_conf = 14-RSA-PSS Certificate Legacy Signature Algorithm Selection-ssl +[16-RSA-PSS Certificate Legacy Signature Algorithm Selection] +ssl_conf = 16-RSA-PSS Certificate Legacy Signature Algorithm Selection-ssl -[14-RSA-PSS Certificate Legacy Signature Algorithm Selection-ssl] -server = 14-RSA-PSS Certificate Legacy Signature Algorithm Selection-server -client = 14-RSA-PSS Certificate Legacy Signature Algorithm Selection-client +[16-RSA-PSS Certificate Legacy Signature Algorithm Selection-ssl] +server = 16-RSA-PSS Certificate Legacy Signature Algorithm Selection-server +client = 16-RSA-PSS Certificate Legacy Signature Algorithm Selection-client -[14-RSA-PSS Certificate Legacy Signature Algorithm Selection-server] +[16-RSA-PSS Certificate Legacy Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[14-RSA-PSS Certificate Legacy Signature Algorithm Selection-client] +[16-RSA-PSS Certificate Legacy Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = RSA-PSS+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-14] +[test-16] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA256 @@ -514,32 +615,34 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[15-RSA-PSS Certificate Unified Signature Algorithm Selection] -ssl_conf = 15-RSA-PSS Certificate Unified Signature Algorithm Selection-ssl +[17-RSA-PSS Certificate Unified Signature Algorithm Selection] +ssl_conf = 17-RSA-PSS Certificate Unified Signature Algorithm Selection-ssl -[15-RSA-PSS Certificate Unified Signature Algorithm Selection-ssl] -server = 15-RSA-PSS Certificate Unified Signature Algorithm Selection-server -client = 15-RSA-PSS Certificate Unified Signature Algorithm Selection-client +[17-RSA-PSS Certificate Unified Signature Algorithm Selection-ssl] +server = 17-RSA-PSS Certificate Unified Signature Algorithm Selection-server +client = 17-RSA-PSS Certificate Unified Signature Algorithm Selection-client -[15-RSA-PSS Certificate Unified Signature Algorithm Selection-server] +[17-RSA-PSS Certificate Unified Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[15-RSA-PSS Certificate Unified Signature Algorithm Selection-client] +[17-RSA-PSS Certificate Unified Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = rsa_pss_pss_sha256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-15] +[test-17] ExpectedResult = Success ExpectedServerCertType = RSA-PSS ExpectedServerSignHash = SHA256 @@ -548,24 +651,24 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[16-Only RSA-PSS Certificate] -ssl_conf = 16-Only RSA-PSS Certificate-ssl +[18-Only RSA-PSS Certificate] +ssl_conf = 18-Only RSA-PSS Certificate-ssl -[16-Only RSA-PSS Certificate-ssl] -server = 16-Only RSA-PSS Certificate-server -client = 16-Only RSA-PSS Certificate-client +[18-Only RSA-PSS Certificate-ssl] +server = 18-Only RSA-PSS Certificate-server +client = 18-Only RSA-PSS Certificate-client -[16-Only RSA-PSS Certificate-server] +[18-Only RSA-PSS Certificate-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem -[16-Only RSA-PSS Certificate-client] +[18-Only RSA-PSS Certificate-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-16] +[test-18] ExpectedResult = Success ExpectedServerCertType = RSA-PSS ExpectedServerSignHash = SHA256 @@ -574,38 +677,38 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[17-RSA-PSS Certificate, no PSS signature algorithms] -ssl_conf = 17-RSA-PSS Certificate, no PSS signature algorithms-ssl +[19-RSA-PSS Certificate, no PSS signature algorithms] +ssl_conf = 19-RSA-PSS Certificate, no PSS signature algorithms-ssl -[17-RSA-PSS Certificate, no PSS signature algorithms-ssl] -server = 17-RSA-PSS Certificate, no PSS signature algorithms-server -client = 17-RSA-PSS Certificate, no PSS signature algorithms-client +[19-RSA-PSS Certificate, no PSS signature algorithms-ssl] +server = 19-RSA-PSS Certificate, no PSS signature algorithms-server +client = 19-RSA-PSS Certificate, no PSS signature algorithms-client -[17-RSA-PSS Certificate, no PSS signature algorithms-server] +[19-RSA-PSS Certificate, no PSS signature algorithms-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem -[17-RSA-PSS Certificate, no PSS signature algorithms-client] +[19-RSA-PSS Certificate, no PSS signature algorithms-client] CipherString = DEFAULT SignatureAlgorithms = RSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-17] +[test-19] ExpectedResult = ServerFail # =========================================================== -[18-Suite B P-256 Hash Algorithm Selection] -ssl_conf = 18-Suite B P-256 Hash Algorithm Selection-ssl +[20-Suite B P-256 Hash Algorithm Selection] +ssl_conf = 20-Suite B P-256 Hash Algorithm Selection-ssl -[18-Suite B P-256 Hash Algorithm Selection-ssl] -server = 18-Suite B P-256 Hash Algorithm Selection-server -client = 18-Suite B P-256 Hash Algorithm Selection-client +[20-Suite B P-256 Hash Algorithm Selection-ssl] +server = 20-Suite B P-256 Hash Algorithm Selection-server +client = 20-Suite B P-256 Hash Algorithm Selection-client -[18-Suite B P-256 Hash Algorithm Selection-server] +[20-Suite B P-256 Hash Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = SUITEB128 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p256-server-cert.pem @@ -613,13 +716,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p256-server-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[18-Suite B P-256 Hash Algorithm Selection-client] +[20-Suite B P-256 Hash Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem VerifyMode = Peer -[test-18] +[test-20] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA256 @@ -628,14 +731,14 @@ ExpectedServerSignType = EC # =========================================================== -[19-Suite B P-384 Hash Algorithm Selection] -ssl_conf = 19-Suite B P-384 Hash Algorithm Selection-ssl +[21-Suite B P-384 Hash Algorithm Selection] +ssl_conf = 21-Suite B P-384 Hash Algorithm Selection-ssl -[19-Suite B P-384 Hash Algorithm Selection-ssl] -server = 19-Suite B P-384 Hash Algorithm Selection-server -client = 19-Suite B P-384 Hash Algorithm Selection-client +[21-Suite B P-384 Hash Algorithm Selection-ssl] +server = 21-Suite B P-384 Hash Algorithm Selection-server +client = 21-Suite B P-384 Hash Algorithm Selection-client -[19-Suite B P-384 Hash Algorithm Selection-server] +[21-Suite B P-384 Hash Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = SUITEB128 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem @@ -643,13 +746,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[19-Suite B P-384 Hash Algorithm Selection-client] +[21-Suite B P-384 Hash Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem VerifyMode = Peer -[test-19] +[test-21] ExpectedResult = Success ExpectedServerCertType = P-384 ExpectedServerSignHash = SHA384 @@ -658,30 +761,30 @@ ExpectedServerSignType = EC # =========================================================== -[20-TLS 1.2 Ed25519 Client Auth] -ssl_conf = 20-TLS 1.2 Ed25519 Client Auth-ssl +[22-TLS 1.2 Ed25519 Client Auth] +ssl_conf = 22-TLS 1.2 Ed25519 Client Auth-ssl -[20-TLS 1.2 Ed25519 Client Auth-ssl] -server = 20-TLS 1.2 Ed25519 Client Auth-server -client = 20-TLS 1.2 Ed25519 Client Auth-client +[22-TLS 1.2 Ed25519 Client Auth-ssl] +server = 22-TLS 1.2 Ed25519 Client Auth-server +client = 22-TLS 1.2 Ed25519 Client Auth-client -[20-TLS 1.2 Ed25519 Client Auth-server] +[22-TLS 1.2 Ed25519 Client Auth-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[20-TLS 1.2 Ed25519 Client Auth-client] +[22-TLS 1.2 Ed25519 Client Auth-client] CipherString = DEFAULT -EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem -EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-20] +[test-22] ExpectedClientCertType = Ed25519 ExpectedClientSignType = Ed25519 ExpectedResult = Success @@ -689,55 +792,88 @@ ExpectedResult = Success # =========================================================== -[21-Only RSA-PSS Certificate, TLS v1.1] -ssl_conf = 21-Only RSA-PSS Certificate, TLS v1.1-ssl +[23-TLS 1.2 Ed448 Client Auth] +ssl_conf = 23-TLS 1.2 Ed448 Client Auth-ssl + +[23-TLS 1.2 Ed448 Client Auth-ssl] +server = 23-TLS 1.2 Ed448 Client Auth-server +client = 23-TLS 1.2 Ed448 Client Auth-client + +[23-TLS 1.2 Ed448 Client Auth-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Require + +[23-TLS 1.2 Ed448 Client Auth-client] +CipherString = DEFAULT +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed448-key.pem +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-23] +ExpectedClientCertType = Ed448 +ExpectedClientSignType = Ed448 +ExpectedResult = Success + + +# =========================================================== + +[24-Only RSA-PSS Certificate, TLS v1.1] +ssl_conf = 24-Only RSA-PSS Certificate, TLS v1.1-ssl -[21-Only RSA-PSS Certificate, TLS v1.1-ssl] -server = 21-Only RSA-PSS Certificate, TLS v1.1-server -client = 21-Only RSA-PSS Certificate, TLS v1.1-client +[24-Only RSA-PSS Certificate, TLS v1.1-ssl] +server = 24-Only RSA-PSS Certificate, TLS v1.1-server +client = 24-Only RSA-PSS Certificate, TLS v1.1-client -[21-Only RSA-PSS Certificate, TLS v1.1-server] +[24-Only RSA-PSS Certificate, TLS v1.1-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem -[21-Only RSA-PSS Certificate, TLS v1.1-client] +[24-Only RSA-PSS Certificate, TLS v1.1-client] CipherString = DEFAULT MaxProtocol = TLSv1.1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-21] +[test-24] ExpectedResult = ServerFail # =========================================================== -[22-TLS 1.3 ECDSA Signature Algorithm Selection] -ssl_conf = 22-TLS 1.3 ECDSA Signature Algorithm Selection-ssl +[25-TLS 1.3 ECDSA Signature Algorithm Selection] +ssl_conf = 25-TLS 1.3 ECDSA Signature Algorithm Selection-ssl -[22-TLS 1.3 ECDSA Signature Algorithm Selection-ssl] -server = 22-TLS 1.3 ECDSA Signature Algorithm Selection-server -client = 22-TLS 1.3 ECDSA Signature Algorithm Selection-client +[25-TLS 1.3 ECDSA Signature Algorithm Selection-ssl] +server = 25-TLS 1.3 ECDSA Signature Algorithm Selection-server +client = 25-TLS 1.3 ECDSA Signature Algorithm Selection-client -[22-TLS 1.3 ECDSA Signature Algorithm Selection-server] +[25-TLS 1.3 ECDSA Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[22-TLS 1.3 ECDSA Signature Algorithm Selection-client] +[25-TLS 1.3 ECDSA Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-22] +[test-25] ExpectedResult = Success ExpectedServerCANames = empty ExpectedServerCertType = P-256 @@ -747,14 +883,14 @@ ExpectedServerSignType = EC # =========================================================== -[23-TLS 1.3 ECDSA Signature Algorithm Selection compressed point] -ssl_conf = 23-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-ssl +[26-TLS 1.3 ECDSA Signature Algorithm Selection compressed point] +ssl_conf = 26-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-ssl -[23-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-ssl] -server = 23-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-server -client = 23-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-client +[26-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-ssl] +server = 26-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-server +client = 26-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-client -[23-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-server] +[26-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-cecdsa-cert.pem @@ -763,74 +899,78 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[23-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-client] +[26-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-23] +[test-26] ExpectedResult = ServerFail # =========================================================== -[24-TLS 1.3 ECDSA Signature Algorithm Selection SHA1] -ssl_conf = 24-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-ssl +[27-TLS 1.3 ECDSA Signature Algorithm Selection SHA1] +ssl_conf = 27-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-ssl -[24-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-ssl] -server = 24-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-server -client = 24-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-client +[27-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-ssl] +server = 27-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-server +client = 27-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-client -[24-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-server] +[27-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[24-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-client] +[27-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-24] +[test-27] ExpectedResult = ServerFail # =========================================================== -[25-TLS 1.3 ECDSA Signature Algorithm Selection with PSS] -ssl_conf = 25-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-ssl +[28-TLS 1.3 ECDSA Signature Algorithm Selection with PSS] +ssl_conf = 28-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-ssl -[25-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-ssl] -server = 25-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-server -client = 25-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-client +[28-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-ssl] +server = 28-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-server +client = 28-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-client -[25-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-server] +[28-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[25-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-client] +[28-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-client] CipherString = DEFAULT RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem SignatureAlgorithms = ECDSA+SHA256:RSA-PSS+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-25] +[test-28] ExpectedResult = Success ExpectedServerCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem ExpectedServerCertType = P-256 @@ -840,31 +980,33 @@ ExpectedServerSignType = EC # =========================================================== -[26-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS] -ssl_conf = 26-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-ssl +[29-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS] +ssl_conf = 29-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-ssl -[26-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-ssl] -server = 26-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-server -client = 26-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-client +[29-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-ssl] +server = 29-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-server +client = 29-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-client -[26-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-server] +[29-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[26-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-client] +[29-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA384:RSA-PSS+SHA384 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-26] +[test-29] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA384 @@ -873,87 +1015,91 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[27-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate] -ssl_conf = 27-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl +[30-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate] +ssl_conf = 30-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl -[27-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] -server = 27-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-server -client = 27-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-client +[30-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] +server = 30-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-server +client = 30-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-client -[27-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-server] +[30-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[27-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-client] +[30-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-27] +[test-30] ExpectedResult = ServerFail # =========================================================== -[28-TLS 1.3 RSA Signature Algorithm Selection, no PSS] -ssl_conf = 28-TLS 1.3 RSA Signature Algorithm Selection, no PSS-ssl +[31-TLS 1.3 RSA Signature Algorithm Selection, no PSS] +ssl_conf = 31-TLS 1.3 RSA Signature Algorithm Selection, no PSS-ssl -[28-TLS 1.3 RSA Signature Algorithm Selection, no PSS-ssl] -server = 28-TLS 1.3 RSA Signature Algorithm Selection, no PSS-server -client = 28-TLS 1.3 RSA Signature Algorithm Selection, no PSS-client +[31-TLS 1.3 RSA Signature Algorithm Selection, no PSS-ssl] +server = 31-TLS 1.3 RSA Signature Algorithm Selection, no PSS-server +client = 31-TLS 1.3 RSA Signature Algorithm Selection, no PSS-client -[28-TLS 1.3 RSA Signature Algorithm Selection, no PSS-server] +[31-TLS 1.3 RSA Signature Algorithm Selection, no PSS-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[28-TLS 1.3 RSA Signature Algorithm Selection, no PSS-client] +[31-TLS 1.3 RSA Signature Algorithm Selection, no PSS-client] CipherString = DEFAULT SignatureAlgorithms = RSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-28] +[test-31] ExpectedResult = ServerFail # =========================================================== -[29-TLS 1.3 RSA-PSS Signature Algorithm Selection] -ssl_conf = 29-TLS 1.3 RSA-PSS Signature Algorithm Selection-ssl +[32-TLS 1.3 RSA-PSS Signature Algorithm Selection] +ssl_conf = 32-TLS 1.3 RSA-PSS Signature Algorithm Selection-ssl -[29-TLS 1.3 RSA-PSS Signature Algorithm Selection-ssl] -server = 29-TLS 1.3 RSA-PSS Signature Algorithm Selection-server -client = 29-TLS 1.3 RSA-PSS Signature Algorithm Selection-client +[32-TLS 1.3 RSA-PSS Signature Algorithm Selection-ssl] +server = 32-TLS 1.3 RSA-PSS Signature Algorithm Selection-server +client = 32-TLS 1.3 RSA-PSS Signature Algorithm Selection-client -[29-TLS 1.3 RSA-PSS Signature Algorithm Selection-server] +[32-TLS 1.3 RSA-PSS Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[29-TLS 1.3 RSA-PSS Signature Algorithm Selection-client] +[32-TLS 1.3 RSA-PSS Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = RSA-PSS+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-29] +[test-32] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA256 @@ -962,31 +1108,33 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[30-TLS 1.3 Ed25519 Signature Algorithm Selection] -ssl_conf = 30-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl +[33-TLS 1.3 Ed25519 Signature Algorithm Selection] +ssl_conf = 33-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl -[30-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl] -server = 30-TLS 1.3 Ed25519 Signature Algorithm Selection-server -client = 30-TLS 1.3 Ed25519 Signature Algorithm Selection-client +[33-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl] +server = 33-TLS 1.3 Ed25519 Signature Algorithm Selection-server +client = 33-TLS 1.3 Ed25519 Signature Algorithm Selection-client -[30-TLS 1.3 Ed25519 Signature Algorithm Selection-server] +[33-TLS 1.3 Ed25519 Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[30-TLS 1.3 Ed25519 Signature Algorithm Selection-client] +[33-TLS 1.3 Ed25519 Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ed25519 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-30] +[test-33] ExpectedResult = Success ExpectedServerCertType = Ed25519 ExpectedServerSignType = Ed25519 @@ -994,32 +1142,68 @@ ExpectedServerSignType = Ed25519 # =========================================================== -[31-TLS 1.3 Ed25519 CipherString and Groups Selection] -ssl_conf = 31-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl +[34-TLS 1.3 Ed448 Signature Algorithm Selection] +ssl_conf = 34-TLS 1.3 Ed448 Signature Algorithm Selection-ssl -[31-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl] -server = 31-TLS 1.3 Ed25519 CipherString and Groups Selection-server -client = 31-TLS 1.3 Ed25519 CipherString and Groups Selection-client +[34-TLS 1.3 Ed448 Signature Algorithm Selection-ssl] +server = 34-TLS 1.3 Ed448 Signature Algorithm Selection-server +client = 34-TLS 1.3 Ed448 Signature Algorithm Selection-client -[31-TLS 1.3 Ed25519 CipherString and Groups Selection-server] +[34-TLS 1.3 Ed448 Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[31-TLS 1.3 Ed25519 CipherString and Groups Selection-client] +[34-TLS 1.3 Ed448 Signature Algorithm Selection-client] +CipherString = DEFAULT +SignatureAlgorithms = ed448 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-34] +ExpectedResult = Success +ExpectedServerCertType = Ed448 +ExpectedServerSignType = Ed448 + + +# =========================================================== + +[35-TLS 1.3 Ed25519 CipherString and Groups Selection] +ssl_conf = 35-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl + +[35-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl] +server = 35-TLS 1.3 Ed25519 CipherString and Groups Selection-server +client = 35-TLS 1.3 Ed25519 CipherString and Groups Selection-client + +[35-TLS 1.3 Ed25519 CipherString and Groups Selection-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem +MaxProtocol = TLSv1.3 +MinProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[35-TLS 1.3 Ed25519 CipherString and Groups Selection-client] CipherString = DEFAULT Groups = X25519 SignatureAlgorithms = ECDSA+SHA256:ed25519 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-31] +[test-35] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignType = EC @@ -1027,14 +1211,49 @@ ExpectedServerSignType = EC # =========================================================== -[32-TLS 1.3 RSA Client Auth Signature Algorithm Selection] -ssl_conf = 32-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl +[36-TLS 1.3 Ed448 CipherString and Groups Selection] +ssl_conf = 36-TLS 1.3 Ed448 CipherString and Groups Selection-ssl -[32-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl] -server = 32-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server -client = 32-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client +[36-TLS 1.3 Ed448 CipherString and Groups Selection-ssl] +server = 36-TLS 1.3 Ed448 CipherString and Groups Selection-server +client = 36-TLS 1.3 Ed448 CipherString and Groups Selection-client -[32-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server] +[36-TLS 1.3 Ed448 CipherString and Groups Selection-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem +MaxProtocol = TLSv1.3 +MinProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[36-TLS 1.3 Ed448 CipherString and Groups Selection-client] +CipherString = DEFAULT +Groups = X448 +SignatureAlgorithms = ECDSA+SHA256:ed448 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-36] +ExpectedResult = Success +ExpectedServerCertType = P-256 +ExpectedServerSignType = EC + + +# =========================================================== + +[37-TLS 1.3 RSA Client Auth Signature Algorithm Selection] +ssl_conf = 37-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl + +[37-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl] +server = 37-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server +client = 37-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client + +[37-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ClientSignatureAlgorithms = PSS+SHA256 @@ -1042,7 +1261,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[32-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client] +[37-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client] CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem @@ -1053,7 +1272,7 @@ RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-32] +[test-37] ExpectedClientCANames = empty ExpectedClientCertType = RSA ExpectedClientSignHash = SHA256 @@ -1063,14 +1282,14 @@ ExpectedResult = Success # =========================================================== -[33-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names] -ssl_conf = 33-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl +[38-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names] +ssl_conf = 38-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl -[33-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl] -server = 33-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server -client = 33-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client +[38-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl] +server = 38-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server +client = 38-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client -[33-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server] +[38-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ClientSignatureAlgorithms = PSS+SHA256 @@ -1079,7 +1298,7 @@ RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[33-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client] +[38-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client] CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem @@ -1090,7 +1309,7 @@ RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-33] +[test-38] ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem ExpectedClientCertType = RSA ExpectedClientSignHash = SHA256 @@ -1100,14 +1319,14 @@ ExpectedResult = Success # =========================================================== -[34-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection] -ssl_conf = 34-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl +[39-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection] +ssl_conf = 39-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl -[34-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl] -server = 34-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server -client = 34-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client +[39-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl] +server = 39-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server +client = 39-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client -[34-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server] +[39-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ClientSignatureAlgorithms = ECDSA+SHA256 @@ -1115,7 +1334,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[34-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client] +[39-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client] CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem @@ -1126,7 +1345,7 @@ RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-34] +[test-39] ExpectedClientCertType = P-256 ExpectedClientSignHash = SHA256 ExpectedClientSignType = EC @@ -1135,21 +1354,21 @@ ExpectedResult = Success # =========================================================== -[35-TLS 1.3 Ed25519 Client Auth] -ssl_conf = 35-TLS 1.3 Ed25519 Client Auth-ssl +[40-TLS 1.3 Ed25519 Client Auth] +ssl_conf = 40-TLS 1.3 Ed25519 Client Auth-ssl -[35-TLS 1.3 Ed25519 Client Auth-ssl] -server = 35-TLS 1.3 Ed25519 Client Auth-server -client = 35-TLS 1.3 Ed25519 Client Auth-client +[40-TLS 1.3 Ed25519 Client Auth-ssl] +server = 40-TLS 1.3 Ed25519 Client Auth-server +client = 40-TLS 1.3 Ed25519 Client Auth-client -[35-TLS 1.3 Ed25519 Client Auth-server] +[40-TLS 1.3 Ed25519 Client Auth-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[35-TLS 1.3 Ed25519 Client Auth-client] +[40-TLS 1.3 Ed25519 Client Auth-client] CipherString = DEFAULT EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem @@ -1158,7 +1377,7 @@ MinProtocol = TLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-35] +[test-40] ExpectedClientCertType = Ed25519 ExpectedClientSignType = Ed25519 ExpectedResult = Success @@ -1166,14 +1385,45 @@ ExpectedResult = Success # =========================================================== -[36-TLS 1.2 DSA Certificate Test] -ssl_conf = 36-TLS 1.2 DSA Certificate Test-ssl +[41-TLS 1.3 Ed448 Client Auth] +ssl_conf = 41-TLS 1.3 Ed448 Client Auth-ssl + +[41-TLS 1.3 Ed448 Client Auth-ssl] +server = 41-TLS 1.3 Ed448 Client Auth-server +client = 41-TLS 1.3 Ed448 Client Auth-client + +[41-TLS 1.3 Ed448 Client Auth-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Require + +[41-TLS 1.3 Ed448 Client Auth-client] +CipherString = DEFAULT +EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed448-cert.pem +EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed448-key.pem +MaxProtocol = TLSv1.3 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-41] +ExpectedClientCertType = Ed448 +ExpectedClientSignType = Ed448 +ExpectedResult = Success + + +# =========================================================== + +[42-TLS 1.2 DSA Certificate Test] +ssl_conf = 42-TLS 1.2 DSA Certificate Test-ssl -[36-TLS 1.2 DSA Certificate Test-ssl] -server = 36-TLS 1.2 DSA Certificate Test-server -client = 36-TLS 1.2 DSA Certificate Test-client +[42-TLS 1.2 DSA Certificate Test-ssl] +server = 42-TLS 1.2 DSA Certificate Test-server +client = 42-TLS 1.2 DSA Certificate Test-client -[36-TLS 1.2 DSA Certificate Test-server] +[42-TLS 1.2 DSA Certificate Test-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = ALL DHParameters = ${ENV::TEST_CERTS_DIR}/dhp2048.pem @@ -1183,26 +1433,26 @@ MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[36-TLS 1.2 DSA Certificate Test-client] +[42-TLS 1.2 DSA Certificate Test-client] CipherString = ALL SignatureAlgorithms = DSA+SHA256:DSA+SHA1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-36] +[test-42] ExpectedResult = Success # =========================================================== -[37-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms] -ssl_conf = 37-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-ssl +[43-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms] +ssl_conf = 43-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-ssl -[37-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-ssl] -server = 37-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-server -client = 37-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-client +[43-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-ssl] +server = 43-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-server +client = 43-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-client -[37-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-server] +[43-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ClientSignatureAlgorithms = ECDSA+SHA1:DSA+SHA256:RSA+SHA256 @@ -1210,25 +1460,25 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[37-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-client] +[43-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-37] +[test-43] ExpectedResult = ServerFail # =========================================================== -[38-TLS 1.3 DSA Certificate Test] -ssl_conf = 38-TLS 1.3 DSA Certificate Test-ssl +[44-TLS 1.3 DSA Certificate Test] +ssl_conf = 44-TLS 1.3 DSA Certificate Test-ssl -[38-TLS 1.3 DSA Certificate Test-ssl] -server = 38-TLS 1.3 DSA Certificate Test-server -client = 38-TLS 1.3 DSA Certificate Test-client +[44-TLS 1.3 DSA Certificate Test-ssl] +server = 44-TLS 1.3 DSA Certificate Test-server +client = 44-TLS 1.3 DSA Certificate Test-client -[38-TLS 1.3 DSA Certificate Test-server] +[44-TLS 1.3 DSA Certificate Test-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = ALL DSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-dsa-cert.pem @@ -1237,13 +1487,13 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[38-TLS 1.3 DSA Certificate Test-client] +[44-TLS 1.3 DSA Certificate Test-client] CipherString = ALL SignatureAlgorithms = DSA+SHA1:DSA+SHA256:ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-38] +[test-44] ExpectedResult = ServerFail diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in index ff77f6bd8c..c6589c732a 100644 --- a/test/ssl-tests/20-cert-select.conf.in +++ b/test/ssl-tests/20-cert-select.conf.in @@ -12,8 +12,10 @@ use OpenSSL::Test::Utils; my $server = { "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), - "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"), - "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"), + "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), + "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), + "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), + "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), "MaxProtocol" => "TLSv1.2" }; @@ -22,8 +24,10 @@ my $server_pss = { "PSS.PrivateKey" => test_pem("server-pss-key.pem"), "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), - "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"), - "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"), + "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), + "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), + "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), + "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), "MaxProtocol" => "TLSv1.2" }; @@ -66,6 +70,23 @@ our @tests = ( "ExpectedResult" => "Success" }, }, + { + name => "Ed448 CipherString and Signature Algorithm Selection", + server => $server, + client => { + "CipherString" => "aECDSA", + "MaxProtocol" => "TLSv1.2", + "SignatureAlgorithms" => "ed448:ECDSA+SHA256", + "RequestCAFile" => test_pem("root-cert.pem"), + }, + test => { + "ExpectedServerCertType" =>, "Ed448", + "ExpectedServerSignType" =>, "Ed448", + # Note: certificate_authorities not sent for TLS < 1.3 + "ExpectedServerCANames" =>, "empty", + "ExpectedResult" => "Success" + }, + }, { name => "RSA CipherString Selection", server => $server, @@ -124,6 +145,23 @@ our @tests = ( "ExpectedResult" => "Success" }, }, + { + name => "Ed448 CipherString and Curves Selection", + server => $server, + client => { + "CipherString" => "aECDSA", + "MaxProtocol" => "TLSv1.2", + "SignatureAlgorithms" => "ECDSA+SHA256:ed448", + # Excluding P-256 from the supported curves list means server + # certificate should be Ed25519 and not P-256 + "Curves" => "X448" + }, + test => { + "ExpectedServerCertType" =>, "Ed448", + "ExpectedServerSignType" =>, "Ed448", + "ExpectedResult" => "Success" + }, + }, { name => "ECDSA CipherString Selection, no ECDSA certificate", server => { @@ -323,8 +361,8 @@ our @tests = ( "VerifyMode" => "Require" }, client => { - "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"), - "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"), + "Ed25519.Certificate" => test_pem("client-ed25519-cert.pem"), + "Ed25519.PrivateKey" => test_pem("client-ed25519-key.pem"), "MinProtocol" => "TLSv1.2", "MaxProtocol" => "TLSv1.2" }, @@ -334,6 +372,24 @@ our @tests = ( "ExpectedResult" => "Success" }, }, + { + name => "TLS 1.2 Ed448 Client Auth", + server => { + "VerifyCAFile" => test_pem("root-cert.pem"), + "VerifyMode" => "Require" + }, + client => { + "Ed448.Certificate" => test_pem("client-ed448-cert.pem"), + "Ed448.PrivateKey" => test_pem("client-ed448-key.pem"), + "MinProtocol" => "TLSv1.2", + "MaxProtocol" => "TLSv1.2" + }, + test => { + "ExpectedClientCertType" => "Ed448", + "ExpectedClientSignType" => "Ed448", + "ExpectedResult" => "Success" + }, + }, ); my @tests_tls_1_1 = ( @@ -354,8 +410,10 @@ push @tests, @tests_tls_1_1 unless disabled("tls1_1"); my $server_tls_1_3 = { "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), - "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"), - "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"), + "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), + "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), + "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), + "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), "MinProtocol" => "TLSv1.3", "MaxProtocol" => "TLSv1.3" }; @@ -365,8 +423,10 @@ my $server_tls_1_3_pss = { "PSS.PrivateKey" => test_pem("server-pss-key.pem"), "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), - "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"), - "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"), + "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), + "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), + "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), + "Ed448.PrivateKey" => test_pem("server-ed449-key.pem"), "MinProtocol" => "TLSv1.3", "MaxProtocol" => "TLSv1.3" }; @@ -496,6 +556,18 @@ my @tests_tls_1_3 = ( "ExpectedResult" => "Success" }, }, + { + name => "TLS 1.3 Ed448 Signature Algorithm Selection", + server => $server_tls_1_3, + client => { + "SignatureAlgorithms" => "ed448", + }, + test => { + "ExpectedServerCertType" => "Ed448", + "ExpectedServerSignType" => "Ed448", + "ExpectedResult" => "Success" + }, + }, { name => "TLS 1.3 Ed25519 CipherString and Groups Selection", server => $server_tls_1_3, @@ -512,6 +584,22 @@ my @tests_tls_1_3 = ( "ExpectedResult" => "Success" }, }, + { + name => "TLS 1.3 Ed448 CipherString and Groups Selection", + server => $server_tls_1_3, + client => { + "SignatureAlgorithms" => "ECDSA+SHA256:ed448", + # Excluding P-256 from the supported groups list should + # mean server still uses a P-256 certificate because supported + # groups is not used in signature selection for TLS 1.3 + "Groups" => "X448" + }, + test => { + "ExpectedServerCertType" =>, "P-256", + "ExpectedServerSignType" =>, "EC", + "ExpectedResult" => "Success" + }, + }, { name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection", server => { @@ -578,6 +666,24 @@ my @tests_tls_1_3 = ( "ExpectedResult" => "Success" }, }, + { + name => "TLS 1.3 Ed448 Client Auth", + server => { + "VerifyCAFile" => test_pem("root-cert.pem"), + "VerifyMode" => "Require" + }, + client => { + "EdDSA.Certificate" => test_pem("client-ed448-cert.pem"), + "EdDSA.PrivateKey" => test_pem("client-ed448-key.pem"), + "MinProtocol" => "TLSv1.3", + "MaxProtocol" => "TLSv1.3" + }, + test => { + "ExpectedClientCertType" => "Ed448", + "ExpectedClientSignType" => "Ed448", + "ExpectedResult" => "Success" + }, + }, ); push @tests, @tests_tls_1_3 unless disabled("tls1_3"); diff --git a/test/ssl_cert_table_internal_test.c b/test/ssl_cert_table_internal_test.c index b298cfe225..5adcb8d4df 100644 --- a/test/ssl_cert_table_internal_test.c +++ b/test/ssl_cert_table_internal_test.c @@ -70,6 +70,8 @@ static int test_ssl_cert_table(void) return 0; if (!test_cert_table(EVP_PKEY_ED25519, SSL_aECDSA, SSL_PKEY_ED25519)) return 0; + if (!test_cert_table(EVP_PKEY_ED448, SSL_aECDSA, SSL_PKEY_ED448)) + return 0; return 1; } -- 2.25.1