xref: /freebsd/crypto/openssl/test/ssl-tests/26-tls13_client_auth.cnf.in (revision 95eb4b873b6a8b527c5bd78d7191975dfca38998)
1# -*- mode: perl; -*-
2# Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
3#
4# Licensed under the Apache License 2.0 (the "License").  You may not use
5# this file except in compliance with the License.  You can obtain a copy
6# in the file LICENSE in the source distribution or at
7# https://www.openssl.org/source/license.html
8
9
10## Test TLSv1.3 certificate authentication
11## Similar to 04-client_auth.cnf.in output, but specific for
12## TLSv1.3 and post-handshake authentication
13
14use strict;
15use warnings;
16
17package ssltests;
18use OpenSSL::Test::Utils;
19
20our @tests = (
21    {
22        name => "server-auth-TLSv1.3",
23        server => {
24            "MinProtocol" => "TLSv1.3",
25            "MaxProtocol" => "TLSv1.3",
26        },
27        client => {
28            "MinProtocol" => "TLSv1.3",
29            "MaxProtocol" => "TLSv1.3",
30        },
31        test => {
32            "ExpectedResult" => "Success",
33        },
34    },
35    {
36        name => "client-auth-TLSv1.3-request",
37        server => {
38            "MinProtocol" => "TLSv1.3",
39            "MaxProtocol" => "TLSv1.3",
40            "VerifyMode" => "Request",
41        },
42        client => {
43            "MinProtocol" => "TLSv1.3",
44            "MaxProtocol" => "TLSv1.3",
45        },
46        test => {
47            "ExpectedResult" => "Success",
48        },
49    },
50    {
51        name => "client-auth-TLSv1.3-require-fail",
52        server => {
53            "MinProtocol" => "TLSv1.3",
54            "MaxProtocol" => "TLSv1.3",
55            "VerifyCAFile" => test_pem("root-cert.pem"),
56            "VerifyMode" => "Require",
57        },
58        client => {
59            "MinProtocol" => "TLSv1.3",
60            "MaxProtocol" => "TLSv1.3",
61        },
62        test => {
63            "ExpectedResult" => "ServerFail",
64            "ExpectedServerAlert" => "CertificateRequired",
65        },
66    },
67    {
68        name => "client-auth-TLSv1.3-require",
69        server => {
70            "MinProtocol" => "TLSv1.3",
71            "MaxProtocol" => "TLSv1.3",
72            "ClientSignatureAlgorithms" => "PSS+SHA256",
73            "VerifyCAFile" => test_pem("root-cert.pem"),
74            "VerifyMode" => "Request",
75        },
76        client => {
77            "MinProtocol" => "TLSv1.3",
78            "MaxProtocol" => "TLSv1.3",
79            "Certificate" => test_pem("ee-client-chain.pem"),
80            "PrivateKey" => test_pem("ee-key.pem"),
81        },
82        test => {
83            "ExpectedResult" => "Success",
84            "ExpectedClientCertType" => "RSA",
85            "ExpectedClientSignType" => "RSA-PSS",
86            "ExpectedClientSignHash" => "SHA256",
87            "ExpectedClientCANames" => "empty"
88        },
89    },
90    {
91        name => "client-auth-TLSv1.3-require-non-empty-names",
92        server => {
93            "MinProtocol" => "TLSv1.3",
94            "MaxProtocol" => "TLSv1.3",
95            "ClientSignatureAlgorithms" => "PSS+SHA256",
96            "ClientCAFile" => test_pem("root-cert.pem"),
97            "VerifyCAFile" => test_pem("root-cert.pem"),
98            "VerifyMode" => "Request",
99        },
100        client => {
101            "MinProtocol" => "TLSv1.3",
102            "MaxProtocol" => "TLSv1.3",
103            "Certificate" => test_pem("ee-client-chain.pem"),
104            "PrivateKey" => test_pem("ee-key.pem"),
105        },
106        test => {
107            "ExpectedResult" => "Success",
108            "ExpectedClientCertType" => "RSA",
109            "ExpectedClientSignType" => "RSA-PSS",
110            "ExpectedClientSignHash" => "SHA256",
111            "ExpectedClientCANames" => test_pem("root-cert.pem"),
112        },
113    },
114    {
115        name => "client-auth-TLSv1.3-noroot",
116        server => {
117            "MinProtocol" => "TLSv1.3",
118            "MaxProtocol" => "TLSv1.3",
119            "VerifyMode" => "Require",
120        },
121        client => {
122            "MinProtocol" => "TLSv1.3",
123            "MaxProtocol" => "TLSv1.3",
124            "Certificate" => test_pem("ee-client-chain.pem"),
125            "PrivateKey" => test_pem("ee-key.pem"),
126        },
127        test => {
128            "ExpectedResult" => "ServerFail",
129            "ExpectedServerAlert" => "UnknownCA",
130        },
131    },
132    {
133        name => "client-auth-TLSv1.3-request-post-handshake",
134        server => {
135            "MinProtocol" => "TLSv1.3",
136            "MaxProtocol" => "TLSv1.3",
137            "VerifyMode" => "RequestPostHandshake",
138        },
139        client => {
140            "MinProtocol" => "TLSv1.3",
141            "MaxProtocol" => "TLSv1.3",
142        },
143        test => {
144            "ExpectedResult" => "ServerFail",
145            "HandshakeMode" => "PostHandshakeAuth",
146        },
147    },
148    {
149        name => "client-auth-TLSv1.3-require-fail-post-handshake",
150        server => {
151            "MinProtocol" => "TLSv1.3",
152            "MaxProtocol" => "TLSv1.3",
153            "VerifyCAFile" => test_pem("root-cert.pem"),
154            "VerifyMode" => "RequirePostHandshake",
155        },
156        client => {
157            "MinProtocol" => "TLSv1.3",
158            "MaxProtocol" => "TLSv1.3",
159        },
160        test => {
161            "ExpectedResult" => "ServerFail",
162            "HandshakeMode" => "PostHandshakeAuth",
163        },
164    },
165    {
166        name => "client-auth-TLSv1.3-require-post-handshake",
167        server => {
168            "MinProtocol" => "TLSv1.3",
169            "MaxProtocol" => "TLSv1.3",
170            "ClientSignatureAlgorithms" => "PSS+SHA256",
171            "VerifyCAFile" => test_pem("root-cert.pem"),
172            "VerifyMode" => "RequestPostHandshake",
173        },
174        client => {
175            "MinProtocol" => "TLSv1.3",
176            "MaxProtocol" => "TLSv1.3",
177            "Certificate" => test_pem("ee-client-chain.pem"),
178            "PrivateKey" => test_pem("ee-key.pem"),
179            extra => {
180                "EnablePHA" => "Yes",
181            },
182        },
183        test => {
184            "ExpectedResult" => "Success",
185            "HandshakeMode" => "PostHandshakeAuth",
186            "ExpectedClientCertType" => "RSA",
187            "ExpectedClientSignType" => "RSA-PSS",
188            "ExpectedClientSignHash" => "SHA256",
189            "ExpectedClientCANames" => "empty"
190        },
191    },
192    {
193        name => "client-auth-TLSv1.3-require-non-empty-names-post-handshake",
194        server => {
195            "MinProtocol" => "TLSv1.3",
196            "MaxProtocol" => "TLSv1.3",
197            "ClientSignatureAlgorithms" => "PSS+SHA256",
198            "ClientCAFile" => test_pem("root-cert.pem"),
199            "VerifyCAFile" => test_pem("root-cert.pem"),
200            "VerifyMode" => "RequestPostHandshake",
201        },
202        client => {
203            "MinProtocol" => "TLSv1.3",
204            "MaxProtocol" => "TLSv1.3",
205            "Certificate" => test_pem("ee-client-chain.pem"),
206            "PrivateKey" => test_pem("ee-key.pem"),
207            extra => {
208                "EnablePHA" => "Yes",
209            },
210        },
211        test => {
212            "ExpectedResult" => "Success",
213            "HandshakeMode" => "PostHandshakeAuth",
214            "ExpectedClientCertType" => "RSA",
215            "ExpectedClientSignType" => "RSA-PSS",
216            "ExpectedClientSignHash" => "SHA256",
217            "ExpectedClientCANames" => test_pem("root-cert.pem"),
218        },
219    },
220    {
221        name => "client-auth-TLSv1.3-noroot-post-handshake",
222        server => {
223            "MinProtocol" => "TLSv1.3",
224            "MaxProtocol" => "TLSv1.3",
225            "VerifyMode" => "RequirePostHandshake",
226        },
227        client => {
228            "MinProtocol" => "TLSv1.3",
229            "MaxProtocol" => "TLSv1.3",
230            "Certificate" => test_pem("ee-client-chain.pem"),
231            "PrivateKey" => test_pem("ee-key.pem"),
232            extra => {
233                "EnablePHA" => "Yes",
234            },
235        },
236        test => {
237            "ExpectedResult" => "ServerFail",
238            "HandshakeMode" => "PostHandshakeAuth",
239            "ExpectedServerAlert" => "UnknownCA",
240        },
241    },
242    {
243        name => "client-auth-TLSv1.3-request-force-client-post-handshake",
244        server => {
245            "MinProtocol" => "TLSv1.3",
246            "MaxProtocol" => "TLSv1.3",
247            "VerifyMode" => "RequestPostHandshake",
248        },
249        client => {
250            "MinProtocol" => "TLSv1.3",
251            "MaxProtocol" => "TLSv1.3",
252            extra => {
253                "EnablePHA" => "Yes",
254            },
255        },
256        test => {
257            "ExpectedResult" => "Success",
258            "HandshakeMode" => "PostHandshakeAuth",
259        },
260    },
261    {
262        name => "client-auth-TLSv1.3-request-force-server-post-handshake",
263        server => {
264            "MinProtocol" => "TLSv1.3",
265            "MaxProtocol" => "TLSv1.3",
266            "VerifyMode" => "RequestPostHandshake",
267            extra => {
268                "ForcePHA" => "Yes",
269            },
270        },
271        client => {
272            "MinProtocol" => "TLSv1.3",
273            "MaxProtocol" => "TLSv1.3",
274        },
275        test => {
276            "ExpectedResult" => "ClientFail",
277            "HandshakeMode" => "PostHandshakeAuth",
278        },
279    },
280    {
281        name => "client-auth-TLSv1.3-request-force-both-post-handshake",
282        server => {
283            "MinProtocol" => "TLSv1.3",
284            "MaxProtocol" => "TLSv1.3",
285            "VerifyMode" => "RequestPostHandshake",
286            extra => {
287                "ForcePHA" => "Yes",
288            },
289        },
290        client => {
291            "MinProtocol" => "TLSv1.3",
292            "MaxProtocol" => "TLSv1.3",
293            extra => {
294                "EnablePHA" => "Yes",
295            },
296        },
297        test => {
298            "ExpectedResult" => "Success",
299            "HandshakeMode" => "PostHandshakeAuth",
300        },
301    },
302);
303