openssl/test/ssl-tests/04-client_auth.conf.in
Dr. Stephen Henson a92e710b7a Add tests for client and server signature type
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:17 +00:00

140 lines
4.9 KiB
Perl

# -*- mode: perl; -*-
## SSL test configurations
package ssltests;
use strict;
use warnings;
use OpenSSL::Test;
use OpenSSL::Test::Utils qw(anydisabled);
setup("no_test_here");
# We test version-flexible negotiation (undef) and each protocol version.
my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
my @is_disabled = (0);
push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2");
our @tests = ();
my $dir_sep = $^O ne "VMS" ? "/" : "";
sub generate_tests() {
foreach (0..$#protocols) {
my $protocol = $protocols[$_];
my $protocol_name = $protocol || "flex";
my $caalert;
if (!$is_disabled[$_]) {
if ($protocol_name eq "SSLv3") {
$caalert = "BadCertificate";
} else {
$caalert = "UnknownCA";
}
my $clihash;
my $clisigtype;
my $clisigalgs;
# TODO(TLS1.3) add TLSv1.3 versions
if ($protocol_name eq "TLSv1.2") {
$clihash = "SHA256";
$clisigtype = "RSA";
$clisigalgs = "SHA256+RSA";
}
# Sanity-check simple handshake.
push @tests, {
name => "server-auth-${protocol_name}",
server => {
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol
},
client => {
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol
},
test => { "ExpectedResult" => "Success" },
};
# Handshake with client cert requested but not required or received.
push @tests, {
name => "client-auth-${protocol_name}-request",
server => {
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol,
"VerifyMode" => "Request"
},
client => {
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol
},
test => { "ExpectedResult" => "Success" },
};
# Handshake with client cert required but not present.
push @tests, {
name => "client-auth-${protocol_name}-require-fail",
server => {
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol,
"VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
"VerifyMode" => "Require",
},
client => {
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol
},
test => {
"ExpectedResult" => "ServerFail",
"ExpectedServerAlert" => "HandshakeFailure",
},
};
# Successful handshake with client authentication.
push @tests, {
name => "client-auth-${protocol_name}-require",
server => {
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol,
"ClientSignatureAlgorithms" => $clisigalgs,
"VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
"VerifyMode" => "Request",
},
client => {
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol,
"Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
"PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
},
test => { "ExpectedResult" => "Success",
"ExpectedClientCertType" => "RSA",
"ExpectedClientSignType" => $clisigtype,
"ExpectedClientSignHash" => $clihash,
},
};
# Handshake with client authentication but without the root certificate.
push @tests, {
name => "client-auth-${protocol_name}-noroot",
server => {
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol,
"VerifyMode" => "Require",
},
client => {
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol,
"Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
"PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
},
test => {
"ExpectedResult" => "ServerFail",
"ExpectedServerAlert" => $caalert,
},
};
}
}
}
generate_tests();