# -*- mode: perl; -*-
# Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


## Test TLSv1.3 certificate authentication
## Similar to 04-client_auth.cnf.in output, but specific for
## TLSv1.3 and post-handshake authentication

use strict;
use warnings;

package ssltests;
use OpenSSL::Test::Utils;

# Every peer in this file is pinned to TLSv1.3 and nothing else, so no
# case can quietly negotiate an older version and test the wrong code path.
my %tls13_only = (
    "MinProtocol" => "TLSv1.3",
    "MaxProtocol" => "TLSv1.3",
);

# Client settings that present the test end-entity certificate and key.
my %client_cert = (
    "Certificate" => test_pem("ee-client-chain.pem"),
    "PrivateKey"  => test_pem("ee-key.pem"),
);

# Server settings that accept only an RSA-PSS/SHA256 client signature and
# verify the offered client chain against the test root.
my %server_verify_root = (
    "ClientSignatureAlgorithms" => "PSS+SHA256",
    "VerifyCAFile"              => test_pem("root-cert.pem"),
);

# What a successful client authentication is expected to report.
my %expect_rsa_pss_client = (
    "ExpectedClientCertType" => "RSA",
    "ExpectedClientSignType" => "RSA-PSS",
    "ExpectedClientSignHash" => "SHA256",
);

our @tests = (
    # Baseline: server authentication only.
    {
        name   => "server-auth-TLSv1.3",
        server => { %tls13_only },
        client => { %tls13_only },
        test   => {
            "ExpectedResult" => "Success",
        },
    },

    # Server asks for a client certificate but does not insist on one.
    {
        name   => "client-auth-TLSv1.3-request",
        server => { %tls13_only, "VerifyMode" => "Request" },
        client => { %tls13_only },
        test   => {
            "ExpectedResult" => "Success",
        },
    },

    # Server insists on a client certificate and none is offered:
    # the server must abort with CertificateRequired.
    {
        name   => "client-auth-TLSv1.3-require-fail",
        server => {
            %tls13_only,
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode"   => "Require",
        },
        client => { %tls13_only },
        test   => {
            "ExpectedResult"      => "ServerFail",
            "ExpectedServerAlert" => "CertificateRequired",
        },
    },

    # Client authenticates; the server sent no CA names.
    {
        name   => "client-auth-TLSv1.3-require",
        server => {
            %tls13_only,
            %server_verify_root,
            "VerifyMode" => "Request",
        },
        client => { %tls13_only, %client_cert },
        test   => {
            "ExpectedResult" => "Success",
            %expect_rsa_pss_client,
            "ExpectedClientCANames" => "empty",
        },
    },

    # As above, but the server advertises the root as an acceptable CA.
    {
        name   => "client-auth-TLSv1.3-require-non-empty-names",
        server => {
            %tls13_only,
            %server_verify_root,
            "ClientCAFile" => test_pem("root-cert.pem"),
            "VerifyMode"   => "Request",
        },
        client => { %tls13_only, %client_cert },
        test   => {
            "ExpectedResult" => "Success",
            %expect_rsa_pss_client,
            "ExpectedClientCANames" => test_pem("root-cert.pem"),
        },
    },

    # Client offers a certificate the server has no trust anchor for.
    {
        name   => "client-auth-TLSv1.3-noroot",
        server => { %tls13_only, "VerifyMode" => "Require" },
        client => { %tls13_only, %client_cert },
        test   => {
            "ExpectedResult"      => "ServerFail",
            "ExpectedServerAlert" => "UnknownCA",
        },
    },

    # Post-handshake authentication (PHA) cases follow.  The server
    # requests PHA but the client has not enabled it.
    {
        name   => "client-auth-TLSv1.3-request-post-handshake",
        server => { %tls13_only, "VerifyMode" => "RequestPostHandshake" },
        client => { %tls13_only },
        test   => {
            "ExpectedResult" => "ServerFail",
            "HandshakeMode"  => "PostHandshakeAuth",
        },
    },

    # Server requires PHA, client has not enabled it and has no certificate.
    {
        name   => "client-auth-TLSv1.3-require-fail-post-handshake",
        server => {
            %tls13_only,
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode"   => "RequirePostHandshake",
        },
        client => { %tls13_only },
        test   => {
            "ExpectedResult" => "ServerFail",
            "HandshakeMode"  => "PostHandshakeAuth",
        },
    },

    # Successful PHA with no CA names sent by the server.
    {
        name   => "client-auth-TLSv1.3-require-post-handshake",
        server => {
            %tls13_only,
            %server_verify_root,
            "VerifyMode" => "RequestPostHandshake",
        },
        client => {
            %tls13_only,
            %client_cert,
            extra => {
                "EnablePHA" => "Yes",
            },
        },
        test   => {
            "ExpectedResult" => "Success",
            "HandshakeMode"  => "PostHandshakeAuth",
            %expect_rsa_pss_client,
            "ExpectedClientCANames" => "empty",
        },
    },

    # Successful PHA with the root advertised as an acceptable CA.
    {
        name   => "client-auth-TLSv1.3-require-non-empty-names-post-handshake",
        server => {
            %tls13_only,
            %server_verify_root,
            "ClientCAFile" => test_pem("root-cert.pem"),
            "VerifyMode"   => "RequestPostHandshake",
        },
        client => {
            %tls13_only,
            %client_cert,
            extra => {
                "EnablePHA" => "Yes",
            },
        },
        test   => {
            "ExpectedResult" => "Success",
            "HandshakeMode"  => "PostHandshakeAuth",
            %expect_rsa_pss_client,
            "ExpectedClientCANames" => test_pem("root-cert.pem"),
        },
    },

    # PHA with a client certificate the server cannot chain to a root.
    {
        name   => "client-auth-TLSv1.3-noroot-post-handshake",
        server => { %tls13_only, "VerifyMode" => "RequirePostHandshake" },
        client => {
            %tls13_only,
            %client_cert,
            extra => {
                "EnablePHA" => "Yes",
            },
        },
        test   => {
            "ExpectedResult"      => "ServerFail",
            "HandshakeMode"       => "PostHandshakeAuth",
            "ExpectedServerAlert" => "UnknownCA",
        },
    },

    # Client enables PHA, server merely requests it.
    {
        name   => "client-auth-TLSv1.3-request-force-client-post-handshake",
        server => { %tls13_only, "VerifyMode" => "RequestPostHandshake" },
        client => {
            %tls13_only,
            extra => {
                "EnablePHA" => "Yes",
            },
        },
        test   => {
            "ExpectedResult" => "Success",
            "HandshakeMode"  => "PostHandshakeAuth",
        },
    },

    # Server forces a PHA request at a client that never enabled PHA:
    # the client is expected to reject it.
    {
        name   => "client-auth-TLSv1.3-request-force-server-post-handshake",
        server => {
            %tls13_only,
            "VerifyMode" => "RequestPostHandshake",
            extra => {
                "ForcePHA" => "Yes",
            },
        },
        client => { %tls13_only },
        test   => {
            "ExpectedResult" => "ClientFail",
            "HandshakeMode"  => "PostHandshakeAuth",
        },
    },

    # Server forces the PHA request and the client has enabled PHA.
    {
        name   => "client-auth-TLSv1.3-request-force-both-post-handshake",
        server => {
            %tls13_only,
            "VerifyMode" => "RequestPostHandshake",
            extra => {
                "ForcePHA" => "Yes",
            },
        },
        client => {
            %tls13_only,
            extra => {
                "EnablePHA" => "Yes",
            },
        },
        test   => {
            "ExpectedResult" => "Success",
            "HandshakeMode"  => "PostHandshakeAuth",
        },
    },
);