From 50a3a1f04ba56249d48112e04a6b303b44512fc7 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 4 Jul 2017 13:07:22 +0100 Subject: [PATCH] Add additional ECDSA/Ed25519 selection tests. Add two tests with ECDSA+SHA256 preferred over Ed25519, the second also excludes P-256 from the supported curves extension which will force the use of Ed25519 in TLS 1.2, but not TLS 1.3: this would fail before the certificate table updates. Add TLS 1.3 test also with P-256 exclude from the groups extension: this should have no effect as the groups extension is not used for signature selection in TLS 1.3 Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/3858) --- test/ssl-tests/20-cert-select.conf | 284 ++++++++++++++++---------- test/ssl-tests/20-cert-select.conf.in | 48 +++++ 2 files changed, 224 insertions(+), 108 deletions(-) diff --git a/test/ssl-tests/20-cert-select.conf b/test/ssl-tests/20-cert-select.conf index f34a6de3db..47d2131513 100644 --- a/test/ssl-tests/20-cert-select.conf +++ b/test/ssl-tests/20-cert-select.conf @@ -1,22 +1,24 @@ # Generated with generate_ssl_tests.pl -num_tests = 15 +num_tests = 17 test-0 = 0-ECDSA CipherString Selection test-1 = 1-Ed25519 CipherString and Signature Algorithm Selection test-2 = 2-RSA CipherString Selection -test-3 = 3-ECDSA CipherString Selection, no ECDSA certificate -test-4 = 4-ECDSA Signature Algorithm Selection -test-5 = 5-ECDSA Signature Algorithm Selection SHA384 -test-6 = 6-ECDSA Signature Algorithm Selection SHA1 -test-7 = 7-ECDSA Signature Algorithm Selection compressed point -test-8 = 8-ECDSA Signature Algorithm Selection, no ECDSA certificate -test-9 = 9-RSA Signature Algorithm Selection -test-10 = 10-RSA-PSS Signature Algorithm Selection -test-11 = 11-Suite B P-256 Hash Algorithm Selection -test-12 = 12-Suite B P-384 Hash Algorithm Selection -test-13 = 13-TLS 1.2 Ed25519 Client Auth -test-14 = 14-TLS 1.2 DSA Certificate Test +test-3 = 3-P-256 CipherString and Signature Algorithm Selection +test-4 = 4-Ed25519 CipherString and Curves Selection +test-5 = 5-ECDSA CipherString Selection, no ECDSA certificate +test-6 = 6-ECDSA Signature Algorithm Selection +test-7 = 7-ECDSA Signature Algorithm Selection SHA384 +test-8 = 8-ECDSA Signature Algorithm Selection SHA1 +test-9 = 9-ECDSA Signature Algorithm Selection compressed point +test-10 = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate +test-11 = 11-RSA Signature Algorithm Selection +test-12 = 12-RSA-PSS Signature Algorithm Selection +test-13 = 13-Suite B P-256 Hash Algorithm Selection +test-14 = 14-Suite B P-384 Hash Algorithm Selection +test-15 = 15-TLS 1.2 Ed25519 Client Auth +test-16 = 16-TLS 1.2 DSA Certificate Test # =========================================================== [0-ECDSA CipherString Selection] @@ -117,39 +119,105 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[3-ECDSA CipherString Selection, no ECDSA certificate] -ssl_conf = 3-ECDSA CipherString Selection, no ECDSA certificate-ssl +[3-P-256 CipherString and Signature Algorithm Selection] +ssl_conf = 3-P-256 CipherString and Signature Algorithm Selection-ssl -[3-ECDSA CipherString Selection, no ECDSA certificate-ssl] -server = 3-ECDSA CipherString Selection, no ECDSA certificate-server -client = 3-ECDSA CipherString Selection, no ECDSA certificate-client +[3-P-256 CipherString and Signature Algorithm Selection-ssl] +server = 3-P-256 CipherString and Signature Algorithm Selection-server +client = 3-P-256 CipherString and Signature Algorithm Selection-client -[3-ECDSA CipherString Selection, no ECDSA certificate-server] +[3-P-256 CipherString and Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[3-ECDSA CipherString Selection, no ECDSA certificate-client] +[3-P-256 CipherString and Signature Algorithm Selection-client] CipherString = aECDSA MaxProtocol = TLSv1.2 +SignatureAlgorithms = ECDSA+SHA256:ed25519 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-3] +ExpectedResult = Success +ExpectedServerCertType = P-256 +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = EC + + +# =========================================================== + +[4-Ed25519 CipherString and Curves Selection] +ssl_conf = 4-Ed25519 CipherString and Curves Selection-ssl + +[4-Ed25519 CipherString and Curves Selection-ssl] +server = 4-Ed25519 CipherString and Curves Selection-server +client = 4-Ed25519 CipherString and Curves Selection-client + +[4-Ed25519 CipherString and Curves Selection-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[4-Ed25519 CipherString and Curves Selection-client] +CipherString = aECDSA +Curves = X25519 +MaxProtocol = TLSv1.2 +SignatureAlgorithms = ECDSA+SHA256:ed25519 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-4] +ExpectedResult = Success +ExpectedServerCertType = Ed25519 +ExpectedServerSignType = Ed25519 + + +# =========================================================== + +[5-ECDSA CipherString Selection, no ECDSA certificate] +ssl_conf = 5-ECDSA CipherString Selection, no ECDSA certificate-ssl + +[5-ECDSA CipherString Selection, no ECDSA certificate-ssl] +server = 5-ECDSA CipherString Selection, no ECDSA certificate-server +client = 5-ECDSA CipherString Selection, no ECDSA certificate-client + +[5-ECDSA CipherString Selection, no ECDSA certificate-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[5-ECDSA CipherString Selection, no ECDSA certificate-client] +CipherString = aECDSA +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-5] ExpectedResult = ServerFail # =========================================================== -[4-ECDSA Signature Algorithm Selection] -ssl_conf = 4-ECDSA Signature Algorithm Selection-ssl +[6-ECDSA Signature Algorithm Selection] +ssl_conf = 6-ECDSA Signature Algorithm Selection-ssl -[4-ECDSA Signature Algorithm Selection-ssl] -server = 4-ECDSA Signature Algorithm Selection-server -client = 4-ECDSA Signature Algorithm Selection-client +[6-ECDSA Signature Algorithm Selection-ssl] +server = 6-ECDSA Signature Algorithm Selection-server +client = 6-ECDSA Signature Algorithm Selection-client -[4-ECDSA Signature Algorithm Selection-server] +[6-ECDSA Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -159,13 +227,13 @@ EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[4-ECDSA Signature Algorithm Selection-client] +[6-ECDSA Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-4] +[test-6] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA256 @@ -174,14 +242,14 @@ ExpectedServerSignType = EC # =========================================================== -[5-ECDSA Signature Algorithm Selection SHA384] -ssl_conf = 5-ECDSA Signature Algorithm Selection SHA384-ssl +[7-ECDSA Signature Algorithm Selection SHA384] +ssl_conf = 7-ECDSA Signature Algorithm Selection SHA384-ssl -[5-ECDSA Signature Algorithm Selection SHA384-ssl] -server = 5-ECDSA Signature Algorithm Selection SHA384-server -client = 5-ECDSA Signature Algorithm Selection SHA384-client +[7-ECDSA Signature Algorithm Selection SHA384-ssl] +server = 7-ECDSA Signature Algorithm Selection SHA384-server +client = 7-ECDSA Signature Algorithm Selection SHA384-client -[5-ECDSA Signature Algorithm Selection SHA384-server] +[7-ECDSA Signature Algorithm Selection SHA384-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -191,13 +259,13 @@ EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[5-ECDSA Signature Algorithm Selection SHA384-client] +[7-ECDSA Signature Algorithm Selection SHA384-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA384 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-5] +[test-7] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA384 @@ -206,14 +274,14 @@ ExpectedServerSignType = EC # =========================================================== -[6-ECDSA Signature Algorithm Selection SHA1] -ssl_conf = 6-ECDSA Signature Algorithm Selection SHA1-ssl +[8-ECDSA Signature Algorithm Selection SHA1] +ssl_conf = 8-ECDSA Signature Algorithm Selection SHA1-ssl -[6-ECDSA Signature Algorithm Selection SHA1-ssl] -server = 6-ECDSA Signature Algorithm Selection SHA1-server -client = 6-ECDSA Signature Algorithm Selection SHA1-client +[8-ECDSA Signature Algorithm Selection SHA1-ssl] +server = 8-ECDSA Signature Algorithm Selection SHA1-server +client = 8-ECDSA Signature Algorithm Selection SHA1-client -[6-ECDSA Signature Algorithm Selection SHA1-server] +[8-ECDSA Signature Algorithm Selection SHA1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -223,13 +291,13 @@ EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[6-ECDSA Signature Algorithm Selection SHA1-client] +[8-ECDSA Signature Algorithm Selection SHA1-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-6] +[test-8] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA1 @@ -238,14 +306,14 @@ ExpectedServerSignType = EC # =========================================================== -[7-ECDSA Signature Algorithm Selection compressed point] -ssl_conf = 7-ECDSA Signature Algorithm Selection compressed point-ssl +[9-ECDSA Signature Algorithm Selection compressed point] +ssl_conf = 9-ECDSA Signature Algorithm Selection compressed point-ssl -[7-ECDSA Signature Algorithm Selection compressed point-ssl] -server = 7-ECDSA Signature Algorithm Selection compressed point-server -client = 7-ECDSA Signature Algorithm Selection compressed point-client +[9-ECDSA Signature Algorithm Selection compressed point-ssl] +server = 9-ECDSA Signature Algorithm Selection compressed point-server +client = 9-ECDSA Signature Algorithm Selection compressed point-client -[7-ECDSA Signature Algorithm Selection compressed point-server] +[9-ECDSA Signature Algorithm Selection compressed point-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-cecdsa-cert.pem @@ -253,13 +321,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-cecdsa-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[7-ECDSA Signature Algorithm Selection compressed point-client] +[9-ECDSA Signature Algorithm Selection compressed point-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-7] +[test-9] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA256 @@ -268,39 +336,39 @@ ExpectedServerSignType = EC # =========================================================== -[8-ECDSA Signature Algorithm Selection, no ECDSA certificate] -ssl_conf = 8-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl +[10-ECDSA Signature Algorithm Selection, no ECDSA certificate] +ssl_conf = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl -[8-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] -server = 8-ECDSA Signature Algorithm Selection, no ECDSA certificate-server -client = 8-ECDSA Signature Algorithm Selection, no ECDSA certificate-client +[10-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] +server = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate-server +client = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate-client -[8-ECDSA Signature Algorithm Selection, no ECDSA certificate-server] +[10-ECDSA Signature Algorithm Selection, no ECDSA certificate-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[8-ECDSA Signature Algorithm Selection, no ECDSA certificate-client] +[10-ECDSA Signature Algorithm Selection, no ECDSA certificate-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-8] +[test-10] ExpectedResult = ServerFail # =========================================================== -[9-RSA Signature Algorithm Selection] -ssl_conf = 9-RSA Signature Algorithm Selection-ssl +[11-RSA Signature Algorithm Selection] +ssl_conf = 11-RSA Signature Algorithm Selection-ssl -[9-RSA Signature Algorithm Selection-ssl] -server = 9-RSA Signature Algorithm Selection-server -client = 9-RSA Signature Algorithm Selection-client +[11-RSA Signature Algorithm Selection-ssl] +server = 11-RSA Signature Algorithm Selection-server +client = 11-RSA Signature Algorithm Selection-client -[9-RSA Signature Algorithm Selection-server] +[11-RSA Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -310,13 +378,13 @@ EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[9-RSA Signature Algorithm Selection-client] +[11-RSA Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = RSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-9] +[test-11] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA256 @@ -325,14 +393,14 @@ ExpectedServerSignType = RSA # =========================================================== -[10-RSA-PSS Signature Algorithm Selection] -ssl_conf = 10-RSA-PSS Signature Algorithm Selection-ssl +[12-RSA-PSS Signature Algorithm Selection] +ssl_conf = 12-RSA-PSS Signature Algorithm Selection-ssl -[10-RSA-PSS Signature Algorithm Selection-ssl] -server = 10-RSA-PSS Signature Algorithm Selection-server -client = 10-RSA-PSS Signature Algorithm Selection-client +[12-RSA-PSS Signature Algorithm Selection-ssl] +server = 12-RSA-PSS Signature Algorithm Selection-server +client = 12-RSA-PSS Signature Algorithm Selection-client -[10-RSA-PSS Signature Algorithm Selection-server] +[12-RSA-PSS Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -342,13 +410,13 @@ EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[10-RSA-PSS Signature Algorithm Selection-client] +[12-RSA-PSS Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = RSA-PSS+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-10] +[test-12] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA256 @@ -357,14 +425,14 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[11-Suite B P-256 Hash Algorithm Selection] -ssl_conf = 11-Suite B P-256 Hash Algorithm Selection-ssl +[13-Suite B P-256 Hash Algorithm Selection] +ssl_conf = 13-Suite B P-256 Hash Algorithm Selection-ssl -[11-Suite B P-256 Hash Algorithm Selection-ssl] -server = 11-Suite B P-256 Hash Algorithm Selection-server -client = 11-Suite B P-256 Hash Algorithm Selection-client +[13-Suite B P-256 Hash Algorithm Selection-ssl] +server = 13-Suite B P-256 Hash Algorithm Selection-server +client = 13-Suite B P-256 Hash Algorithm Selection-client -[11-Suite B P-256 Hash Algorithm Selection-server] +[13-Suite B P-256 Hash Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = SUITEB128 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p256-server-cert.pem @@ -372,13 +440,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p256-server-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[11-Suite B P-256 Hash Algorithm Selection-client] +[13-Suite B P-256 Hash Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem VerifyMode = Peer -[test-11] +[test-13] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA256 @@ -387,14 +455,14 @@ ExpectedServerSignType = EC # =========================================================== -[12-Suite B P-384 Hash Algorithm Selection] -ssl_conf = 12-Suite B P-384 Hash Algorithm Selection-ssl +[14-Suite B P-384 Hash Algorithm Selection] +ssl_conf = 14-Suite B P-384 Hash Algorithm Selection-ssl -[12-Suite B P-384 Hash Algorithm Selection-ssl] -server = 12-Suite B P-384 Hash Algorithm Selection-server -client = 12-Suite B P-384 Hash Algorithm Selection-client +[14-Suite B P-384 Hash Algorithm Selection-ssl] +server = 14-Suite B P-384 Hash Algorithm Selection-server +client = 14-Suite B P-384 Hash Algorithm Selection-client -[12-Suite B P-384 Hash Algorithm Selection-server] +[14-Suite B P-384 Hash Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = SUITEB128 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem @@ -402,13 +470,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[12-Suite B P-384 Hash Algorithm Selection-client] +[14-Suite B P-384 Hash Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem VerifyMode = Peer -[test-12] +[test-14] ExpectedResult = Success ExpectedServerCertType = P-384 ExpectedServerSignHash = SHA384 @@ -417,21 +485,21 @@ ExpectedServerSignType = EC # =========================================================== -[13-TLS 1.2 Ed25519 Client Auth] -ssl_conf = 13-TLS 1.2 Ed25519 Client Auth-ssl +[15-TLS 1.2 Ed25519 Client Auth] +ssl_conf = 15-TLS 1.2 Ed25519 Client Auth-ssl -[13-TLS 1.2 Ed25519 Client Auth-ssl] -server = 13-TLS 1.2 Ed25519 Client Auth-server -client = 13-TLS 1.2 Ed25519 Client Auth-client +[15-TLS 1.2 Ed25519 Client Auth-ssl] +server = 15-TLS 1.2 Ed25519 Client Auth-server +client = 15-TLS 1.2 Ed25519 Client Auth-client -[13-TLS 1.2 Ed25519 Client Auth-server] +[15-TLS 1.2 Ed25519 Client Auth-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[13-TLS 1.2 Ed25519 Client Auth-client] +[15-TLS 1.2 Ed25519 Client Auth-client] CipherString = DEFAULT EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem @@ -440,7 +508,7 @@ MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-13] +[test-15] ExpectedClientCertType = Ed25519 ExpectedClientSignType = Ed25519 ExpectedResult = Success @@ -448,14 +516,14 @@ ExpectedResult = Success # =========================================================== -[14-TLS 1.2 DSA Certificate Test] -ssl_conf = 14-TLS 1.2 DSA Certificate Test-ssl +[16-TLS 1.2 DSA Certificate Test] +ssl_conf = 16-TLS 1.2 DSA Certificate Test-ssl -[14-TLS 1.2 DSA Certificate Test-ssl] -server = 14-TLS 1.2 DSA Certificate Test-server -client = 14-TLS 1.2 DSA Certificate Test-client +[16-TLS 1.2 DSA Certificate Test-ssl] +server = 16-TLS 1.2 DSA Certificate Test-server +client = 16-TLS 1.2 DSA Certificate Test-client -[14-TLS 1.2 DSA Certificate Test-server] +[16-TLS 1.2 DSA Certificate Test-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = ALL DHParameters = ${ENV::TEST_CERTS_DIR}/dhp2048.pem @@ -465,13 +533,13 @@ MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[14-TLS 1.2 DSA Certificate Test-client] +[16-TLS 1.2 DSA Certificate Test-client] CipherString = ALL SignatureAlgorithms = DSA+SHA256:DSA+SHA1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-14] +[test-16] ExpectedResult = Success diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in index 96801e2cd1..1d8e059c31 100644 --- a/test/ssl-tests/20-cert-select.conf.in +++ b/test/ssl-tests/20-cert-select.conf.in @@ -64,6 +64,38 @@ our @tests = ( "ExpectedResult" => "Success" }, }, + { + name => "P-256 CipherString and Signature Algorithm Selection", + server => $server, + client => { + "CipherString" => "aECDSA", + "MaxProtocol" => "TLSv1.2", + "SignatureAlgorithms" => "ECDSA+SHA256:ed25519", + }, + test => { + "ExpectedServerCertType" => "P-256", + "ExpectedServerSignHash" => "SHA256", + "ExpectedServerSignType" => "EC", + "ExpectedResult" => "Success" + }, + }, + { + name => "Ed25519 CipherString and Curves Selection", + server => $server, + client => { + "CipherString" => "aECDSA", + "MaxProtocol" => "TLSv1.2", + "SignatureAlgorithms" => "ECDSA+SHA256:ed25519", + # Excluding P-256 from the supported curves list means server + # certificate should be Ed25519 and not P-256 + "Curves" => "X25519" + }, + test => { + "ExpectedServerCertType" =>, "Ed25519", + "ExpectedServerSignType" =>, "Ed25519", + "ExpectedResult" => "Success" + }, + }, { name => "ECDSA CipherString Selection, no ECDSA certificate", server => { @@ -364,6 +396,22 @@ my @tests_tls_1_3 = ( "ExpectedResult" => "Success" }, }, + { + name => "TLS 1.3 Ed25519 CipherString and Groups Selection", + server => $server_tls_1_3, + client => { + "SignatureAlgorithms" => "ECDSA+SHA256:ed25519", + # Excluding P-256 from the supported groups list should + # mean server still uses a P-256 certificate because supported + # groups is not used in signature selection for TLS 1.3 + "Groups" => "X25519" + }, + test => { + "ExpectedServerCertType" =>, "P-256", + "ExpectedServerSignType" =>, "EC", + "ExpectedResult" => "Success" + }, + }, { name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection", server => { -- 2.40.0