# -*- mode: perl; -*-
# Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


## Test TLSv1.3 certificate authentication
## Similar to 04-client_auth.cnf.in output, but specific for
## TLSv1.3 and post-handshake authentication

use strict;
use warnings;

package ssltests;
use OpenSSL::Test::Utils;

# test_pem() is not defined in this file; it is supplied by the harness that
# evaluates this .cnf.in (presumably the ssl-tests generator) — confirm there.

# Fixed seed so the case-mangling done by randcase() is reproducible from one
# generator run to the next: the same seed yields the same mixed-case strings.
srand(26);

# Return $names ("ALG[+HASH][:ALG[+HASH]...]") with each letter of every ALG
# part independently kept or flipped in case at random.  A "+HASH" suffix and
# the ":" separators pass through unchanged.  Presumably this exercises
# case-insensitive parsing of ClientSignatureAlgorithms — confirm against the
# consumer of that option.
sub randcase {
    my ($names) = @_;
    my @mixed;
    for my $sigalg (split /:/, $names) {
        # Split only at the first "+", so "PSS+SHA256" -> ("PSS", "+SHA256").
        my ($base, $suffix) = split /(?=[+])/, $sigalg, 2;
        # 0x20 is the ASCII case bit: XOR with 0 keeps the letter, XOR with 32
        # flips it.  Exactly one rand() draw per letter, left to right.
        my @chars = map { /[a-zA-Z]/ ? chr(ord($_) ^ (int(rand 2) * 32)) : $_ }
                    split //, $base;
        push @mixed, join('', @chars) . ($suffix // "");
    }
    return join ':', @mixed;
}

# Every test below pins both peers to TLSv1.3 only.
my %tls13_only = (
    "MinProtocol" => "TLSv1.3",
    "MaxProtocol" => "TLSv1.3",
);

our @tests = (
    # Baseline: server authentication only.
    {
        name => "server-auth-TLSv1.3",
        server => { %tls13_only },
        client => { %tls13_only },
        test => {
            "ExpectedResult" => "Success",
        },
    },
    # Server asks for a client certificate but does not require one.
    {
        name => "client-auth-TLSv1.3-request",
        server => {
            %tls13_only,
            "VerifyMode" => "Request",
        },
        client => { %tls13_only },
        test => {
            "ExpectedResult" => "Success",
        },
    },
    # Server requires a client certificate; client has none to offer.
    {
        name => "client-auth-TLSv1.3-require-fail",
        server => {
            %tls13_only,
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Require",
        },
        client => { %tls13_only },
        test => {
            "ExpectedResult" => "ServerFail",
            "ExpectedServerAlert" => "CertificateRequired",
        },
    },
    # Client presents an RSA chain; server restricts it to PSS+SHA256 (given in
    # random case) and sends no CA names.
    {
        name => "client-auth-TLSv1.3-require",
        server => {
            %tls13_only,
            "ClientSignatureAlgorithms" => randcase("PSS+SHA256"),
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Request",
        },
        client => {
            %tls13_only,
            "Certificate" => test_pem("ee-client-chain.pem"),
            "PrivateKey" => test_pem("ee-key.pem"),
        },
        test => {
            "ExpectedResult" => "Success",
            "ExpectedClientCertType" => "RSA",
            "ExpectedClientSignType" => "RSA-PSS",
            "ExpectedClientSignHash" => "SHA256",
            "ExpectedClientCANames" => "empty",
        },
    },
    # Same as above, but the server advertises its root as an acceptable CA.
    {
        name => "client-auth-TLSv1.3-require-non-empty-names",
        server => {
            %tls13_only,
            "ClientSignatureAlgorithms" => randcase("PSS+SHA256"),
            "ClientCAFile" => test_pem("root-cert.pem"),
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Request",
        },
        client => {
            %tls13_only,
            "Certificate" => test_pem("ee-client-chain.pem"),
            "PrivateKey" => test_pem("ee-key.pem"),
        },
        test => {
            "ExpectedResult" => "Success",
            "ExpectedClientCertType" => "RSA",
            "ExpectedClientSignType" => "RSA-PSS",
            "ExpectedClientSignHash" => "SHA256",
            "ExpectedClientCANames" => test_pem("root-cert.pem"),
        },
    },
    # No VerifyCAFile on the server, so the client's chain cannot be verified.
    {
        name => "client-auth-TLSv1.3-noroot",
        server => {
            %tls13_only,
            "VerifyMode" => "Require",
        },
        client => {
            %tls13_only,
            "Certificate" => test_pem("ee-client-chain.pem"),
            "PrivateKey" => test_pem("ee-key.pem"),
        },
        test => {
            "ExpectedResult" => "ServerFail",
            "ExpectedServerAlert" => "UnknownCA",
        },
    },
    # Post-handshake authentication (PHA) variants of the cases above.  The
    # client only takes part when it sets EnablePHA.
    {
        name => "client-auth-TLSv1.3-request-post-handshake",
        server => {
            %tls13_only,
            "VerifyMode" => "RequestPostHandshake",
        },
        client => { %tls13_only },
        test => {
            "ExpectedResult" => "ServerFail",
            "HandshakeMode" => "PostHandshakeAuth",
        },
    },
    {
        name => "client-auth-TLSv1.3-require-fail-post-handshake",
        server => {
            %tls13_only,
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "RequirePostHandshake",
        },
        client => { %tls13_only },
        test => {
            "ExpectedResult" => "ServerFail",
            "HandshakeMode" => "PostHandshakeAuth",
        },
    },
    {
        name => "client-auth-TLSv1.3-require-post-handshake",
        server => {
            %tls13_only,
            "ClientSignatureAlgorithms" => randcase("PSS+SHA256"),
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "RequestPostHandshake",
        },
        client => {
            %tls13_only,
            "Certificate" => test_pem("ee-client-chain.pem"),
            "PrivateKey" => test_pem("ee-key.pem"),
            extra => {
                "EnablePHA" => "Yes",
            },
        },
        test => {
            "ExpectedResult" => "Success",
            "HandshakeMode" => "PostHandshakeAuth",
            "ExpectedClientCertType" => "RSA",
            "ExpectedClientSignType" => "RSA-PSS",
            "ExpectedClientSignHash" => "SHA256",
            "ExpectedClientCANames" => "empty",
        },
    },
    {
        name => "client-auth-TLSv1.3-require-non-empty-names-post-handshake",
        server => {
            %tls13_only,
            "ClientSignatureAlgorithms" => randcase("PSS+SHA256"),
            "ClientCAFile" => test_pem("root-cert.pem"),
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "RequestPostHandshake",
        },
        client => {
            %tls13_only,
            "Certificate" => test_pem("ee-client-chain.pem"),
            "PrivateKey" => test_pem("ee-key.pem"),
            extra => {
                "EnablePHA" => "Yes",
            },
        },
        test => {
            "ExpectedResult" => "Success",
            "HandshakeMode" => "PostHandshakeAuth",
            "ExpectedClientCertType" => "RSA",
            "ExpectedClientSignType" => "RSA-PSS",
            "ExpectedClientSignHash" => "SHA256",
            "ExpectedClientCANames" => test_pem("root-cert.pem"),
        },
    },
    {
        name => "client-auth-TLSv1.3-noroot-post-handshake",
        server => {
            %tls13_only,
            "VerifyMode" => "RequirePostHandshake",
        },
        client => {
            %tls13_only,
            "Certificate" => test_pem("ee-client-chain.pem"),
            "PrivateKey" => test_pem("ee-key.pem"),
            extra => {
                "EnablePHA" => "Yes",
            },
        },
        test => {
            "ExpectedResult" => "ServerFail",
            "HandshakeMode" => "PostHandshakeAuth",
            "ExpectedServerAlert" => "UnknownCA",
        },
    },
    # Who forces the PHA exchange: client only, server only, or both.
    {
        name => "client-auth-TLSv1.3-request-force-client-post-handshake",
        server => {
            %tls13_only,
            "VerifyMode" => "RequestPostHandshake",
        },
        client => {
            %tls13_only,
            extra => {
                "EnablePHA" => "Yes",
            },
        },
        test => {
            "ExpectedResult" => "Success",
            "HandshakeMode" => "PostHandshakeAuth",
        },
    },
    {
        name => "client-auth-TLSv1.3-request-force-server-post-handshake",
        server => {
            %tls13_only,
            "VerifyMode" => "RequestPostHandshake",
            extra => {
                "ForcePHA" => "Yes",
            },
        },
        client => { %tls13_only },
        test => {
            "ExpectedResult" => "ClientFail",
            "HandshakeMode" => "PostHandshakeAuth",
        },
    },
    {
        name => "client-auth-TLSv1.3-request-force-both-post-handshake",
        server => {
            %tls13_only,
            "VerifyMode" => "RequestPostHandshake",
            extra => {
                "ForcePHA" => "Yes",
            },
        },
        client => {
            %tls13_only,
            extra => {
                "EnablePHA" => "Yes",
            },
        },
        test => {
            "ExpectedResult" => "Success",
            "HandshakeMode" => "PostHandshakeAuth",
        },
    },
);