The branch master has been updated via 20946b94658416d2fed0b9d9c7adfbe4b7d70515 (commit) via 39d9ea5e502114a204750f641ca76ff5b4912401 (commit) via 9bcc9f973b2a216461dd6f140e47ef647eb733b4 (commit) from d6dda392c10a9297b5009339a4656ec5bf53399b (commit)
- Log ----------------------------------------------------------------- commit 20946b94658416d2fed0b9d9c7adfbe4b7d70515 Author: Matt Caswell <m...@openssl.org> Date: Thu Aug 8 11:41:18 2019 +0100 Add TLS tests for RSA-PSS Restricted certificates Reviewed-by: Paul Dale <paul.d...@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9553) commit 39d9ea5e502114a204750f641ca76ff5b4912401 Author: Matt Caswell <m...@openssl.org> Date: Thu Aug 8 11:08:14 2019 +0100 Add Restricted PSS certificate and key Create a PSS certificate with parameter restrictions Reviewed-by: Paul Dale <paul.d...@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9553) commit 9bcc9f973b2a216461dd6f140e47ef647eb733b4 Author: Matt Caswell <m...@openssl.org> Date: Thu Aug 8 09:13:51 2019 +0100 Ensure RSA PSS correctly returns the right default digest A default digest of SHA256 was being returned for RSA PSS even if the PSS parameters indicated a different digest must be used. We change this so that the correct default digest is returned and additionally mark this as mandatory for PSS. This bug had an impact on sig alg selection in libssl. Due to this issue an incorrect sig alg might be selected in the event that a server is configured with an RSA-PSS cert with parameter restrictions. Fixes #9545 Reviewed-by: Paul Dale <paul.d...@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9553) ----------------------------------------------------------------------- Summary of changes: crypto/rsa/rsa_ameth.c | 13 + test/certs/mkcert.sh | 29 ++ test/certs/server-pss-restrict-cert.pem | 21 + test/certs/server-pss-restrict-key.pem | 29 ++ test/certs/setup.sh | 6 + test/ssl-tests/20-cert-select.conf | 660 +++++++++++++++++++------------- test/ssl-tests/20-cert-select.conf.in | 66 ++++ 7 files changed, 562 insertions(+), 262 deletions(-) create mode 100644 test/certs/server-pss-restrict-cert.pem create mode 100644 test/certs/server-pss-restrict-key.pem diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index 82d1d56d0a..bf56039b46 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -458,6 +458,9 @@ static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) { X509_ALGOR *alg = NULL; + const EVP_MD *md; + const EVP_MD *mgf1md; + int min_saltlen; switch (op) { @@ -497,6 +500,16 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) #endif case ASN1_PKEY_CTRL_DEFAULT_MD_NID: + if (pkey->pkey.rsa->pss != NULL) { + if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md, + &min_saltlen)) { + RSAerr(0, ERR_R_INTERNAL_ERROR); + return 0; + } + *(int *)arg2 = EVP_MD_type(md); + /* Return of 2 indicates this MD is mandatory */ + return 2; + } *(int *)arg2 = NID_sha256; return 1; diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh index 41bbe23e2d..e03b19014e 100755 --- a/test/certs/mkcert.sh +++ b/test/certs/mkcert.sh @@ -233,6 +233,35 @@ genee() { -set_serial 2 -days "${DAYS}" "$@" } +geneenocsr() { + local OPTIND=1 + local purpose=serverAuth + + while getopts p: o + do + case $o in + p) purpose="$OPTARG";; + *) echo "Usage: $0 genee [-p EKU] cn certname cakeyname cacertname" >&2 + return 1;; + esac + done + + shift $((OPTIND - 1)) + local cn=$1; shift + local cert=$1; shift + local cakey=$1; shift + local ca=$1; shift + + exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \ + "subjectKeyIdentifier = hash" \ + "authorityKeyIdentifier = keyid, issuer" \ + "basicConstraints = CA:false" \ + "extendedKeyUsage = $purpose" \ + "subjectAltName = @alts" "DNS=${cn}") + cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \ + -set_serial 2 -days "${DAYS}" "$@" +} + genss() { local cn=$1; shift local key=$1; shift diff --git a/test/certs/server-pss-restrict-cert.pem b/test/certs/server-pss-restrict-cert.pem new file mode 100644 index 0000000000..273363808a --- /dev/null +++ b/test/certs/server-pss-restrict-cert.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDYjCCAkqgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE5MDgwODEwNDMxMFoYDzIxMTkwODA5MTA0MzEwWjAUMRIwEAYDVQQD +DAlsb2NhbGhvc3QwggFSMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZIAWUDBAIBoRow +GAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgA4IBDwAwggEKAoIBAQDDlygk +sUEAajpdVquo9XIAyTd9ZJ+55hNmhBfhn3lHz3ryPD+0XlgCE9qsKwfR7iYaqmnN +ilQnsxWpMGXAgOlC1+w5zh8qHvrI5wX+A6U9N8leIOSgFuFNP0FMMG7I677QzRxG +FqKX1o4V73JWqnHCfnfHRyZY9xM0tYbJKNbRO7Hy4jKBPl3ptPHUoTltr4WYTOpg +stcEamdiiif+0U4bQvVltNg9pzFEjkAktTUGn92W5CgLnsbPXxBo6a/kUlHcgmhY +bpOXEjCPufZLgsQo8iF2Bq8eWMEsByjr0chQjzrfZAUVtD8Hmh2uMVAPQFAHUkaL +j2tHukL+s9tAaWKNAgMBAAGjgY4wgYswHQYDVR0OBBYEFLqlLFaNrS8hbX6voiGi +AfMYfsivMB8GA1UdIwQYMBaAFHB/Lq6DaFmYBCMqzes+F80k3QFJMAkGA1UdEwQC +MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwKQYDVR0RBCIwIIIeU2VydmVyIFJTQS1Q +U1MgcmVzdHJpY3RlZCBjZXJ0MA0GCSqGSIb3DQEBCwUAA4IBAQAEhm9Skn2XfEZo +Q+YMu6HIQZovRT3IljHvesjIby7KfS86SU4r+CG7qaPLw7jeIR92YMnihnaXRGGJ +POixpHY6gapEzR2Sqg7c0ApGenDZ3uKnBUjf9LEorPmhrEHUsnHREXoPx5Lt5Nh/ +7WRNB/GKvbnAby+5HQBOvU6P8t37/zK1JjJhGNv0uvaYthQGk3r6nEhQG+O6JBSw +H/auU4ClIB4fg8GWaMuupN5VMNP9mxpL9tONH8QRKs+KIQWMOsr83rOKwSHrrkIL +/vDI5hPj9RHvjjta6FQx140wA6c8ZB59x9YIv1alJWf6s3+TM8bv70L/aBBT8+IM +vwjUz9Gp +-----END CERTIFICATE----- diff --git a/test/certs/server-pss-restrict-key.pem b/test/certs/server-pss-restrict-key.pem new file mode 100644 index 0000000000..65032269c1 --- /dev/null +++ b/test/certs/server-pss-restrict-key.pem @@ -0,0 +1,29 @@ +-----BEGIN PRIVATE KEY----- +MIIE7wIBADA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3 +DQEBCDALBglghkgBZQMEAgGiAwIBIASCBKkwggSlAgEAAoIBAQDDlygksUEAajpd +Vquo9XIAyTd9ZJ+55hNmhBfhn3lHz3ryPD+0XlgCE9qsKwfR7iYaqmnNilQnsxWp +MGXAgOlC1+w5zh8qHvrI5wX+A6U9N8leIOSgFuFNP0FMMG7I677QzRxGFqKX1o4V +73JWqnHCfnfHRyZY9xM0tYbJKNbRO7Hy4jKBPl3ptPHUoTltr4WYTOpgstcEamdi +iif+0U4bQvVltNg9pzFEjkAktTUGn92W5CgLnsbPXxBo6a/kUlHcgmhYbpOXEjCP +ufZLgsQo8iF2Bq8eWMEsByjr0chQjzrfZAUVtD8Hmh2uMVAPQFAHUkaLj2tHukL+ +s9tAaWKNAgMBAAECggEBAIzgfwWOtmb6HHfGSXY085wlUlZ696EKWsboNdtI5i4W +/1Mimi/sFC/K5SJFDCjlA4UJYZOuItdFYkCun1t8foaqx3cLQ98u2SuDWwmOzqG9 +YMjvoDy+viDJgtrBt8n4I0R5t/ezrgD3hPe/s/dAZRfVx6g9Ux2ZOLgqV57kT3X7 +6paEz3jrIMvuoXQCsi9Qh+eJQ23/sAcc7OHQ7uD8QJVudEBnSHQ+ttvOPXhr7tba +8NuNVa6E/KewkKHRAZqBTJolCVyPtWmvfaDwdJtunCvyR1w3Rv1adZLK4YRFz+vc +sOMK+K1c2aojA+/Fnba19inNq13j6Dwqmq8Ho7MZwHECgYEA6aSx7/93S1VGpxQ9 +KqFE4Fy9ylliC/hanc9qOcfEIo0tDus9lfpuPp+aOXML0msVkIfhCnaru32qtnaI +AQkIbPhSZFvC/i6BibpArXINbDzTS/46zZHehXskjWFGw+iRm/YI7MBuCmWzSnFO +YUwSKRIPKZKyXswFzP8RsQO/QbsCgYEA1k5SamQheuKdo/X40ShWTTOoDlpL4Sir +b2zTnEqlHyMv8c7w880hPf4P+0pqrKyf7jmEykJvp1qSAmyMUCWzrKTr8gQ2sMyb +zj90cEm++M5YIQh5lPJy4pGqmCliJXqkt+zT1xmnRASwMNQOnU2bBmXkve/ofb4M +dEwyig/nZFcCgYBLWPilTD6dhce+NBGxwMZkkKQIMKEk+RfIEs7QCXNgLSUdzZFT +36pT+caTxl1Go5AVxyw04qZpVZKLO1iK9O3Jrp9rjAgrTrYpw23+QWzAvjDqLfeq +ueMIKvlTus5GeacTo9mm+DvEkJ2sYTQEvrKQmilXn950IdmxDYUYD/xK5wKBgQDQ +5ON9BUGFUSQsUHVLG7CT7EhiRS41ubjyEfhrHm+53Ei9weQpIcjHbsERR8aXrmTu +h26i4QOI88XjSv+ymC19mfzLmcPdrnQpJL1RPvFCAZDyEhrBT1sg8rCBRcV/lv68 +scMEpuLecFt2HR5pwt3b7LJ9Wj8bYoctTaDt5va8XQKBgQDCr4hZB5haAcKmNm/g +PjlaLdrDEIuuBjxMzX1t3PXwsEene1cE731v6fbmrDUa8AuJyMY80xhGrTTDQfS3 +QOu/6wtcUv/JC/06OwEaUlT/kdYek+zYfBm3b1sKP3HVKSxCLTcPcC4aQoAFqbEy +3kuSVh03vVBdaP//qMPyeue17w== +-----END PRIVATE KEY----- diff --git a/test/certs/setup.sh b/test/certs/setup.sh index 53d4a807a7..26b2f1ddfe 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -369,3 +369,9 @@ REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \ OPENSSL_KEYALG=ec OPENSSL_KEYBITS=brainpoolP256r1 ./mkcert.sh genee \ "Server ECDSA brainpoolP256r1 cert" server-ecdsa-brainpoolP256r1-key \ server-ecdsa-brainpoolP256r1-cert rootkey rootcert + +openssl req -new -nodes -subj "/CN=localhost" \ + -newkey rsa-pss -keyout server-pss-restrict-key.pem \ + -pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:32 | \ + ./mkcert.sh geneenocsr "Server RSA-PSS restricted cert" \ + server-pss-restrict-cert rootkey rootcert diff --git a/test/ssl-tests/20-cert-select.conf b/test/ssl-tests/20-cert-select.conf index 0bcd23d7f0..93f3a1ff68 100644 --- a/test/ssl-tests/20-cert-select.conf +++ b/test/ssl-tests/20-cert-select.conf @@ -1,6 +1,6 @@ # Generated with generate_ssl_tests.pl -num_tests = 51 +num_tests = 56 test-0 = 0-ECDSA CipherString Selection test-1 = 1-ECDSA CipherString Selection @@ -24,35 +24,40 @@ test-18 = 18-RSA-PSS Signature Algorithm Selection test-19 = 19-RSA-PSS Certificate Legacy Signature Algorithm Selection test-20 = 20-RSA-PSS Certificate Unified Signature Algorithm Selection test-21 = 21-Only RSA-PSS Certificate -test-22 = 22-RSA-PSS Certificate, no PSS signature algorithms -test-23 = 23-RSA key exchange with all RSA certificate types -test-24 = 24-RSA key exchange with only RSA-PSS certificate -test-25 = 25-Suite B P-256 Hash Algorithm Selection -test-26 = 26-Suite B P-384 Hash Algorithm Selection -test-27 = 27-TLS 1.2 Ed25519 Client Auth -test-28 = 28-TLS 1.2 Ed448 Client Auth -test-29 = 29-Only RSA-PSS Certificate, TLS v1.1 -test-30 = 30-TLS 1.3 ECDSA Signature Algorithm Selection -test-31 = 31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point -test-32 = 32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1 -test-33 = 33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS -test-34 = 34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS -test-35 = 35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate -test-36 = 36-TLS 1.3 RSA Signature Algorithm Selection, no PSS -test-37 = 37-TLS 1.3 RSA-PSS Signature Algorithm Selection -test-38 = 38-TLS 1.3 Ed25519 Signature Algorithm Selection -test-39 = 39-TLS 1.3 Ed448 Signature Algorithm Selection -test-40 = 40-TLS 1.3 Ed25519 CipherString and Groups Selection -test-41 = 41-TLS 1.3 Ed448 CipherString and Groups Selection -test-42 = 42-TLS 1.3 RSA Client Auth Signature Algorithm Selection -test-43 = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names -test-44 = 44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection -test-45 = 45-TLS 1.3 Ed25519 Client Auth -test-46 = 46-TLS 1.3 Ed448 Client Auth -test-47 = 47-TLS 1.3 ECDSA with brainpool -test-48 = 48-TLS 1.2 DSA Certificate Test -test-49 = 49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms -test-50 = 50-TLS 1.3 DSA Certificate Test +test-22 = 22-Only RSA-PSS Certificate Valid Signature Algorithms +test-23 = 23-RSA-PSS Certificate, no PSS signature algorithms +test-24 = 24-Only RSA-PSS Restricted Certificate +test-25 = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms +test-26 = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm +test-27 = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms +test-28 = 28-RSA key exchange with all RSA certificate types +test-29 = 29-RSA key exchange with only RSA-PSS certificate +test-30 = 30-Suite B P-256 Hash Algorithm Selection +test-31 = 31-Suite B P-384 Hash Algorithm Selection +test-32 = 32-TLS 1.2 Ed25519 Client Auth +test-33 = 33-TLS 1.2 Ed448 Client Auth +test-34 = 34-Only RSA-PSS Certificate, TLS v1.1 +test-35 = 35-TLS 1.3 ECDSA Signature Algorithm Selection +test-36 = 36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point +test-37 = 37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1 +test-38 = 38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS +test-39 = 39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS +test-40 = 40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate +test-41 = 41-TLS 1.3 RSA Signature Algorithm Selection, no PSS +test-42 = 42-TLS 1.3 RSA-PSS Signature Algorithm Selection +test-43 = 43-TLS 1.3 Ed25519 Signature Algorithm Selection +test-44 = 44-TLS 1.3 Ed448 Signature Algorithm Selection +test-45 = 45-TLS 1.3 Ed25519 CipherString and Groups Selection +test-46 = 46-TLS 1.3 Ed448 CipherString and Groups Selection +test-47 = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection +test-48 = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names +test-49 = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection +test-50 = 50-TLS 1.3 Ed25519 Client Auth +test-51 = 51-TLS 1.3 Ed448 Client Auth +test-52 = 52-TLS 1.3 ECDSA with brainpool +test-53 = 53-TLS 1.2 DSA Certificate Test +test-54 = 54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms +test-55 = 55-TLS 1.3 DSA Certificate Test # =========================================================== [0-ECDSA CipherString Selection] @@ -775,89 +780,220 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[22-RSA-PSS Certificate, no PSS signature algorithms] -ssl_conf = 22-RSA-PSS Certificate, no PSS signature algorithms-ssl +[22-Only RSA-PSS Certificate Valid Signature Algorithms] +ssl_conf = 22-Only RSA-PSS Certificate Valid Signature Algorithms-ssl -[22-RSA-PSS Certificate, no PSS signature algorithms-ssl] -server = 22-RSA-PSS Certificate, no PSS signature algorithms-server -client = 22-RSA-PSS Certificate, no PSS signature algorithms-client +[22-Only RSA-PSS Certificate Valid Signature Algorithms-ssl] +server = 22-Only RSA-PSS Certificate Valid Signature Algorithms-server +client = 22-Only RSA-PSS Certificate Valid Signature Algorithms-client -[22-RSA-PSS Certificate, no PSS signature algorithms-server] +[22-Only RSA-PSS Certificate Valid Signature Algorithms-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem -[22-RSA-PSS Certificate, no PSS signature algorithms-client] +[22-Only RSA-PSS Certificate Valid Signature Algorithms-client] CipherString = DEFAULT -SignatureAlgorithms = RSA+SHA256 +SignatureAlgorithms = rsa_pss_pss_sha512 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-22] +ExpectedResult = Success +ExpectedServerCertType = RSA-PSS +ExpectedServerSignHash = SHA512 +ExpectedServerSignType = RSA-PSS + + +# =========================================================== + +[23-RSA-PSS Certificate, no PSS signature algorithms] +ssl_conf = 23-RSA-PSS Certificate, no PSS signature algorithms-ssl + +[23-RSA-PSS Certificate, no PSS signature algorithms-ssl] +server = 23-RSA-PSS Certificate, no PSS signature algorithms-server +client = 23-RSA-PSS Certificate, no PSS signature algorithms-client + +[23-RSA-PSS Certificate, no PSS signature algorithms-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem + +[23-RSA-PSS Certificate, no PSS signature algorithms-client] +CipherString = DEFAULT +SignatureAlgorithms = RSA+SHA256 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-23] +ExpectedResult = ServerFail + + +# =========================================================== + +[24-Only RSA-PSS Restricted Certificate] +ssl_conf = 24-Only RSA-PSS Restricted Certificate-ssl + +[24-Only RSA-PSS Restricted Certificate-ssl] +server = 24-Only RSA-PSS Restricted Certificate-server +client = 24-Only RSA-PSS Restricted Certificate-client + +[24-Only RSA-PSS Restricted Certificate-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem + +[24-Only RSA-PSS Restricted Certificate-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-24] +ExpectedResult = Success +ExpectedServerCertType = RSA-PSS +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = RSA-PSS + + +# =========================================================== + +[25-RSA-PSS Restricted Certificate Valid Signature Algorithms] +ssl_conf = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms-ssl + +[25-RSA-PSS Restricted Certificate Valid Signature Algorithms-ssl] +server = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms-server +client = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms-client + +[25-RSA-PSS Restricted Certificate Valid Signature Algorithms-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem + +[25-RSA-PSS Restricted Certificate Valid Signature Algorithms-client] +CipherString = DEFAULT +SignatureAlgorithms = rsa_pss_pss_sha256:rsa_pss_pss_sha512 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-25] +ExpectedResult = Success +ExpectedServerCertType = RSA-PSS +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = RSA-PSS + + +# =========================================================== + +[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm] +ssl_conf = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-ssl + +[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-ssl] +server = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-server +client = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-client + +[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem + +[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-client] +CipherString = DEFAULT +SignatureAlgorithms = rsa_pss_pss_sha512:rsa_pss_pss_sha256 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-26] +ExpectedResult = Success +ExpectedServerCertType = RSA-PSS +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = RSA-PSS + + +# =========================================================== + +[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms] +ssl_conf = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-ssl + +[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-ssl] +server = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-server +client = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-client + +[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem + +[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-client] +CipherString = DEFAULT +SignatureAlgorithms = rsa_pss_pss_sha512 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-27] ExpectedResult = ServerFail # =========================================================== -[23-RSA key exchange with all RSA certificate types] -ssl_conf = 23-RSA key exchange with all RSA certificate types-ssl +[28-RSA key exchange with all RSA certificate types] +ssl_conf = 28-RSA key exchange with all RSA certificate types-ssl -[23-RSA key exchange with all RSA certificate types-ssl] -server = 23-RSA key exchange with all RSA certificate types-server -client = 23-RSA key exchange with all RSA certificate types-client +[28-RSA key exchange with all RSA certificate types-ssl] +server = 28-RSA key exchange with all RSA certificate types-server +client = 28-RSA key exchange with all RSA certificate types-client -[23-RSA key exchange with all RSA certificate types-server] +[28-RSA key exchange with all RSA certificate types-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[23-RSA key exchange with all RSA certificate types-client] +[28-RSA key exchange with all RSA certificate types-client] CipherString = kRSA MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-23] +[test-28] ExpectedResult = Success ExpectedServerCertType = RSA # =========================================================== -[24-RSA key exchange with only RSA-PSS certificate] -ssl_conf = 24-RSA key exchange with only RSA-PSS certificate-ssl +[29-RSA key exchange with only RSA-PSS certificate] +ssl_conf = 29-RSA key exchange with only RSA-PSS certificate-ssl -[24-RSA key exchange with only RSA-PSS certificate-ssl] -server = 24-RSA key exchange with only RSA-PSS certificate-server -client = 24-RSA key exchange with only RSA-PSS certificate-client +[29-RSA key exchange with only RSA-PSS certificate-ssl] +server = 29-RSA key exchange with only RSA-PSS certificate-server +client = 29-RSA key exchange with only RSA-PSS certificate-client -[24-RSA key exchange with only RSA-PSS certificate-server] +[29-RSA key exchange with only RSA-PSS certificate-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem -[24-RSA key exchange with only RSA-PSS certificate-client] +[29-RSA key exchange with only RSA-PSS certificate-client] CipherString = kRSA MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-24] +[test-29] ExpectedResult = ServerFail # =========================================================== -[25-Suite B P-256 Hash Algorithm Selection] -ssl_conf = 25-Suite B P-256 Hash Algorithm Selection-ssl +[30-Suite B P-256 Hash Algorithm Selection] +ssl_conf = 30-Suite B P-256 Hash Algorithm Selection-ssl -[25-Suite B P-256 Hash Algorithm Selection-ssl] -server = 25-Suite B P-256 Hash Algorithm Selection-server -client = 25-Suite B P-256 Hash Algorithm Selection-client +[30-Suite B P-256 Hash Algorithm Selection-ssl] +server = 30-Suite B P-256 Hash Algorithm Selection-server +client = 30-Suite B P-256 Hash Algorithm Selection-client -[25-Suite B P-256 Hash Algorithm Selection-server] +[30-Suite B P-256 Hash Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = SUITEB128 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p256-server-cert.pem @@ -865,13 +1001,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p256-server-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[25-Suite B P-256 Hash Algorithm Selection-client] +[30-Suite B P-256 Hash Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem VerifyMode = Peer -[test-25] +[test-30] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA256 @@ -880,14 +1016,14 @@ ExpectedServerSignType = EC # =========================================================== -[26-Suite B P-384 Hash Algorithm Selection] -ssl_conf = 26-Suite B P-384 Hash Algorithm Selection-ssl +[31-Suite B P-384 Hash Algorithm Selection] +ssl_conf = 31-Suite B P-384 Hash Algorithm Selection-ssl -[26-Suite B P-384 Hash Algorithm Selection-ssl] -server = 26-Suite B P-384 Hash Algorithm Selection-server -client = 26-Suite B P-384 Hash Algorithm Selection-client +[31-Suite B P-384 Hash Algorithm Selection-ssl] +server = 31-Suite B P-384 Hash Algorithm Selection-server +client = 31-Suite B P-384 Hash Algorithm Selection-client -[26-Suite B P-384 Hash Algorithm Selection-server] +[31-Suite B P-384 Hash Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = SUITEB128 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem @@ -895,13 +1031,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[26-Suite B P-384 Hash Algorithm Selection-client] +[31-Suite B P-384 Hash Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem VerifyMode = Peer -[test-26] +[test-31] ExpectedResult = Success ExpectedServerCertType = P-384 ExpectedServerSignHash = SHA384 @@ -910,21 +1046,21 @@ ExpectedServerSignType = EC # =========================================================== -[27-TLS 1.2 Ed25519 Client Auth] -ssl_conf = 27-TLS 1.2 Ed25519 Client Auth-ssl +[32-TLS 1.2 Ed25519 Client Auth] +ssl_conf = 32-TLS 1.2 Ed25519 Client Auth-ssl -[27-TLS 1.2 Ed25519 Client Auth-ssl] -server = 27-TLS 1.2 Ed25519 Client Auth-server -client = 27-TLS 1.2 Ed25519 Client Auth-client +[32-TLS 1.2 Ed25519 Client Auth-ssl] +server = 32-TLS 1.2 Ed25519 Client Auth-server +client = 32-TLS 1.2 Ed25519 Client Auth-client -[27-TLS 1.2 Ed25519 Client Auth-server] +[32-TLS 1.2 Ed25519 Client Auth-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[27-TLS 1.2 Ed25519 Client Auth-client] +[32-TLS 1.2 Ed25519 Client Auth-client] CipherString = DEFAULT Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem @@ -933,7 +1069,7 @@ MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-27] +[test-32] ExpectedClientCertType = Ed25519 ExpectedClientSignType = Ed25519 ExpectedResult = Success @@ -941,21 +1077,21 @@ ExpectedResult = Success # =========================================================== -[28-TLS 1.2 Ed448 Client Auth] -ssl_conf = 28-TLS 1.2 Ed448 Client Auth-ssl +[33-TLS 1.2 Ed448 Client Auth] +ssl_conf = 33-TLS 1.2 Ed448 Client Auth-ssl -[28-TLS 1.2 Ed448 Client Auth-ssl] -server = 28-TLS 1.2 Ed448 Client Auth-server -client = 28-TLS 1.2 Ed448 Client Auth-client +[33-TLS 1.2 Ed448 Client Auth-ssl] +server = 33-TLS 1.2 Ed448 Client Auth-server +client = 33-TLS 1.2 Ed448 Client Auth-client -[28-TLS 1.2 Ed448 Client Auth-server] +[33-TLS 1.2 Ed448 Client Auth-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[28-TLS 1.2 Ed448 Client Auth-client] +[33-TLS 1.2 Ed448 Client Auth-client] CipherString = DEFAULT Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed448-cert.pem Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed448-key.pem @@ -964,7 +1100,7 @@ MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-28] +[test-33] ExpectedClientCertType = Ed448 ExpectedClientSignType = Ed448 ExpectedResult = Success @@ -972,38 +1108,38 @@ ExpectedResult = Success # =========================================================== -[29-Only RSA-PSS Certificate, TLS v1.1] -ssl_conf = 29-Only RSA-PSS Certificate, TLS v1.1-ssl +[34-Only RSA-PSS Certificate, TLS v1.1] +ssl_conf = 34-Only RSA-PSS Certificate, TLS v1.1-ssl -[29-Only RSA-PSS Certificate, TLS v1.1-ssl] -server = 29-Only RSA-PSS Certificate, TLS v1.1-server -client = 29-Only RSA-PSS Certificate, TLS v1.1-client +[34-Only RSA-PSS Certificate, TLS v1.1-ssl] +server = 34-Only RSA-PSS Certificate, TLS v1.1-server +client = 34-Only RSA-PSS Certificate, TLS v1.1-client -[29-Only RSA-PSS Certificate, TLS v1.1-server] +[34-Only RSA-PSS Certificate, TLS v1.1-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem -[29-Only RSA-PSS Certificate, TLS v1.1-client] +[34-Only RSA-PSS Certificate, TLS v1.1-client] CipherString = DEFAULT MaxProtocol = TLSv1.1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-29] +[test-34] ExpectedResult = ServerFail # =========================================================== -[30-TLS 1.3 ECDSA Signature Algorithm Selection] -ssl_conf = 30-TLS 1.3 ECDSA Signature Algorithm Selection-ssl +[35-TLS 1.3 ECDSA Signature Algorithm Selection] +ssl_conf = 35-TLS 1.3 ECDSA Signature Algorithm Selection-ssl -[30-TLS 1.3 ECDSA Signature Algorithm Selection-ssl] -server = 30-TLS 1.3 ECDSA Signature Algorithm Selection-server -client = 30-TLS 1.3 ECDSA Signature Algorithm Selection-client +[35-TLS 1.3 ECDSA Signature Algorithm Selection-ssl] +server = 35-TLS 1.3 ECDSA Signature Algorithm Selection-server +client = 35-TLS 1.3 ECDSA Signature Algorithm Selection-client -[30-TLS 1.3 ECDSA Signature Algorithm Selection-server] +[35-TLS 1.3 ECDSA Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1016,13 +1152,13 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[30-TLS 1.3 ECDSA Signature Algorithm Selection-client] +[35-TLS 1.3 ECDSA Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-30] +[test-35] ExpectedResult = Success ExpectedServerCANames = empty ExpectedServerCertType = P-256 @@ -1032,14 +1168,14 @@ ExpectedServerSignType = EC # =========================================================== -[31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point] -ssl_conf = 31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-ssl +[36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point] +ssl_conf = 36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-ssl -[31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-ssl] -server = 31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-server -client = 31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-client +[36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-ssl] +server = 36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-server +client = 36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-client -[31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-server] +[36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-cecdsa-cert.pem @@ -1048,13 +1184,13 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-client] +[36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-31] +[test-36] ExpectedResult = Success ExpectedServerCANames = empty ExpectedServerCertType = P-256 @@ -1064,14 +1200,14 @@ ExpectedServerSignType = EC # =========================================================== -[32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1] -ssl_conf = 32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-ssl +[37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1] +ssl_conf = 37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-ssl -[32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-ssl] -server = 32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-server -client = 32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-client +[37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-ssl] +server = 37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-server +client = 37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-client -[32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-server] +[37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1084,26 +1220,26 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-client] +[37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-32] +[test-37] ExpectedResult = ServerFail # =========================================================== -[33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS] -ssl_conf = 33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-ssl +[38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS] +ssl_conf = 38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-ssl -[33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-ssl] -server = 33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-server -client = 33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-client +[38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-ssl] +server = 38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-server +client = 38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-client -[33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-server] +[38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1116,14 +1252,14 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-client] +[38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-client] CipherString = DEFAULT RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem SignatureAlgorithms = ECDSA+SHA256:RSA-PSS+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-33] +[test-38] ExpectedResult = Success ExpectedServerCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem ExpectedServerCertType = P-256 @@ -1133,14 +1269,14 @@ ExpectedServerSignType = EC # =========================================================== -[34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS] -ssl_conf = 34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-ssl +[39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS] +ssl_conf = 39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-ssl -[34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-ssl] -server = 34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-server -client = 34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-client +[39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-ssl] +server = 39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-server +client = 39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-client -[34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-server] +[39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1153,13 +1289,13 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-client] +[39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA384:RSA-PSS+SHA384 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-34] +[test-39] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA384 @@ -1168,40 +1304,40 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate] -ssl_conf = 35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl +[40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate] +ssl_conf = 40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl -[35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] -server = 35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-server -client = 35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-client +[40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] +server = 40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-server +client = 40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-client -[35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-server] +[40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-client] +[40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-35] +[test-40] ExpectedResult = ServerFail # =========================================================== -[36-TLS 1.3 RSA Signature Algorithm Selection, no PSS] -ssl_conf = 36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-ssl +[41-TLS 1.3 RSA Signature Algorithm Selection, no PSS] +ssl_conf = 41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-ssl -[36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-ssl] -server = 36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-server -client = 36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-client +[41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-ssl] +server = 41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-server +client = 41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-client -[36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-server] +[41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1214,26 +1350,26 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-client] +[41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-client] CipherString = DEFAULT SignatureAlgorithms = RSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-36] +[test-41] ExpectedResult = ServerFail # =========================================================== -[37-TLS 1.3 RSA-PSS Signature Algorithm Selection] -ssl_conf = 37-TLS 1.3 RSA-PSS Signature Algorithm Selection-ssl +[42-TLS 1.3 RSA-PSS Signature Algorithm Selection] +ssl_conf = 42-TLS 1.3 RSA-PSS Signature Algorithm Selection-ssl -[37-TLS 1.3 RSA-PSS Signature Algorithm Selection-ssl] -server = 37-TLS 1.3 RSA-PSS Signature Algorithm Selection-server -client = 37-TLS 1.3 RSA-PSS Signature Algorithm Selection-client +[42-TLS 1.3 RSA-PSS Signature Algorithm Selection-ssl] +server = 42-TLS 1.3 RSA-PSS Signature Algorithm Selection-server +client = 42-TLS 1.3 RSA-PSS Signature Algorithm Selection-client -[37-TLS 1.3 RSA-PSS Signature Algorithm Selection-server] +[42-TLS 1.3 RSA-PSS Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1246,13 +1382,13 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[37-TLS 1.3 RSA-PSS Signature Algorithm Selection-client] +[42-TLS 1.3 RSA-PSS Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = RSA-PSS+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-37] +[test-42] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA256 @@ -1261,14 +1397,14 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[38-TLS 1.3 Ed25519 Signature Algorithm Selection] -ssl_conf = 38-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl +[43-TLS 1.3 Ed25519 Signature Algorithm Selection] +ssl_conf = 43-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl -[38-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl] -server = 38-TLS 1.3 Ed25519 Signature Algorithm Selection-server -client = 38-TLS 1.3 Ed25519 Signature Algorithm Selection-client +[43-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl] +server = 43-TLS 1.3 Ed25519 Signature Algorithm Selection-server +client = 43-TLS 1.3 Ed25519 Signature Algorithm Selection-client -[38-TLS 1.3 Ed25519 Signature Algorithm Selection-server] +[43-TLS 1.3 Ed25519 Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1281,13 +1417,13 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[38-TLS 1.3 Ed25519 Signature Algorithm Selection-client] +[43-TLS 1.3 Ed25519 Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ed25519 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-38] +[test-43] ExpectedResult = Success ExpectedServerCertType = Ed25519 ExpectedServerSignType = Ed25519 @@ -1295,14 +1431,14 @@ ExpectedServerSignType = Ed25519 # =========================================================== -[39-TLS 1.3 Ed448 Signature Algorithm Selection] -ssl_conf = 39-TLS 1.3 Ed448 Signature Algorithm Selection-ssl +[44-TLS 1.3 Ed448 Signature Algorithm Selection] +ssl_conf = 44-TLS 1.3 Ed448 Signature Algorithm Selection-ssl -[39-TLS 1.3 Ed448 Signature Algorithm Selection-ssl] -server = 39-TLS 1.3 Ed448 Signature Algorithm Selection-server -client = 39-TLS 1.3 Ed448 Signature Algorithm Selection-client +[44-TLS 1.3 Ed448 Signature Algorithm Selection-ssl] +server = 44-TLS 1.3 Ed448 Signature Algorithm Selection-server +client = 44-TLS 1.3 Ed448 Signature Algorithm Selection-client -[39-TLS 1.3 Ed448 Signature Algorithm Selection-server] +[44-TLS 1.3 Ed448 Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1315,13 +1451,13 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[39-TLS 1.3 Ed448 Signature Algorithm Selection-client] +[44-TLS 1.3 Ed448 Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ed448 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-39] +[test-44] ExpectedResult = Success ExpectedServerCertType = Ed448 ExpectedServerSignType = Ed448 @@ -1329,14 +1465,14 @@ ExpectedServerSignType = Ed448 # =========================================================== -[40-TLS 1.3 Ed25519 CipherString and Groups Selection] -ssl_conf = 40-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl +[45-TLS 1.3 Ed25519 CipherString and Groups Selection] +ssl_conf = 45-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl -[40-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl] -server = 40-TLS 1.3 Ed25519 CipherString and Groups Selection-server -client = 40-TLS 1.3 Ed25519 CipherString and Groups Selection-client +[45-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl] +server = 45-TLS 1.3 Ed25519 CipherString and Groups Selection-server +client = 45-TLS 1.3 Ed25519 CipherString and Groups Selection-client -[40-TLS 1.3 Ed25519 CipherString and Groups Selection-server] +[45-TLS 1.3 Ed25519 CipherString and Groups Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1349,14 +1485,14 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[40-TLS 1.3 Ed25519 CipherString and Groups Selection-client] +[45-TLS 1.3 Ed25519 CipherString and Groups Selection-client] CipherString = DEFAULT Groups = X25519 SignatureAlgorithms = ECDSA+SHA256:ed25519 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-40] +[test-45] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignType = EC @@ -1364,14 +1500,14 @@ ExpectedServerSignType = EC # =========================================================== -[41-TLS 1.3 Ed448 CipherString and Groups Selection] -ssl_conf = 41-TLS 1.3 Ed448 CipherString and Groups Selection-ssl +[46-TLS 1.3 Ed448 CipherString and Groups Selection] +ssl_conf = 46-TLS 1.3 Ed448 CipherString and Groups Selection-ssl -[41-TLS 1.3 Ed448 CipherString and Groups Selection-ssl] -server = 41-TLS 1.3 Ed448 CipherString and Groups Selection-server -client = 41-TLS 1.3 Ed448 CipherString and Groups Selection-client +[46-TLS 1.3 Ed448 CipherString and Groups Selection-ssl] +server = 46-TLS 1.3 Ed448 CipherString and Groups Selection-server +client = 46-TLS 1.3 Ed448 CipherString and Groups Selection-client -[41-TLS 1.3 Ed448 CipherString and Groups Selection-server] +[46-TLS 1.3 Ed448 CipherString and Groups Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1384,14 +1520,14 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[41-TLS 1.3 Ed448 CipherString and Groups Selection-client] +[46-TLS 1.3 Ed448 CipherString and Groups Selection-client] CipherString = DEFAULT Groups = X448 SignatureAlgorithms = ECDSA+SHA256:ed448 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-41] +[test-46] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignType = EC @@ -1399,14 +1535,14 @@ ExpectedServerSignType = EC # =========================================================== -[42-TLS 1.3 RSA Client Auth Signature Algorithm Selection] -ssl_conf = 42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl +[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection] +ssl_conf = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl -[42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl] -server = 42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server -client = 42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client +[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl] +server = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server +client = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client -[42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server] +[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ClientSignatureAlgorithms = PSS+SHA256 @@ -1414,7 +1550,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client] +[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client] CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem @@ -1425,7 +1561,7 @@ RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-42] +[test-47] ExpectedClientCANames = empty ExpectedClientCertType = RSA ExpectedClientSignHash = SHA256 @@ -1435,14 +1571,14 @@ ExpectedResult = Success # =========================================================== -[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names] -ssl_conf = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl +[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names] +ssl_conf = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl -[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl] -server = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server -client = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client +[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl] +server = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server +client = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client -[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server] +[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ClientSignatureAlgorithms = PSS+SHA256 @@ -1451,7 +1587,7 @@ RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client] +[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client] CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem @@ -1462,7 +1598,7 @@ RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-43] +[test-48] ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem ExpectedClientCertType = RSA ExpectedClientSignHash = SHA256 @@ -1472,14 +1608,14 @@ ExpectedResult = Success # =========================================================== -[44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection] -ssl_conf = 44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl +[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection] +ssl_conf = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl -[44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl] -server = 44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server -client = 44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client +[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl] +server = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server +client = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client -[44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server] +[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ClientSignatureAlgorithms = ECDSA+SHA256 @@ -1487,7 +1623,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client] +[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client] CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem @@ -1498,7 +1634,7 @@ RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-44] +[test-49] ExpectedClientCertType = P-256 ExpectedClientSignHash = SHA256 ExpectedClientSignType = EC @@ -1507,21 +1643,21 @@ ExpectedResult = Success # =========================================================== -[45-TLS 1.3 Ed25519 Client Auth] -ssl_conf = 45-TLS 1.3 Ed25519 Client Auth-ssl +[50-TLS 1.3 Ed25519 Client Auth] +ssl_conf = 50-TLS 1.3 Ed25519 Client Auth-ssl -[45-TLS 1.3 Ed25519 Client Auth-ssl] -server = 45-TLS 1.3 Ed25519 Client Auth-server -client = 45-TLS 1.3 Ed25519 Client Auth-client +[50-TLS 1.3 Ed25519 Client Auth-ssl] +server = 50-TLS 1.3 Ed25519 Client Auth-server +client = 50-TLS 1.3 Ed25519 Client Auth-client -[45-TLS 1.3 Ed25519 Client Auth-server] +[50-TLS 1.3 Ed25519 Client Auth-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[45-TLS 1.3 Ed25519 Client Auth-client] +[50-TLS 1.3 Ed25519 Client Auth-client] CipherString = DEFAULT EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem @@ -1530,7 +1666,7 @@ MinProtocol = TLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-45] +[test-50] ExpectedClientCertType = Ed25519 ExpectedClientSignType = Ed25519 ExpectedResult = Success @@ -1538,21 +1674,21 @@ ExpectedResult = Success # =========================================================== -[46-TLS 1.3 Ed448 Client Auth] -ssl_conf = 46-TLS 1.3 Ed448 Client Auth-ssl +[51-TLS 1.3 Ed448 Client Auth] +ssl_conf = 51-TLS 1.3 Ed448 Client Auth-ssl -[46-TLS 1.3 Ed448 Client Auth-ssl] -server = 46-TLS 1.3 Ed448 Client Auth-server -client = 46-TLS 1.3 Ed448 Client Auth-client +[51-TLS 1.3 Ed448 Client Auth-ssl] +server = 51-TLS 1.3 Ed448 Client Auth-server +client = 51-TLS 1.3 Ed448 Client Auth-client -[46-TLS 1.3 Ed448 Client Auth-server] +[51-TLS 1.3 Ed448 Client Auth-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[46-TLS 1.3 Ed448 Client Auth-client] +[51-TLS 1.3 Ed448 Client Auth-client] CipherString = DEFAULT EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed448-cert.pem EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed448-key.pem @@ -1561,7 +1697,7 @@ MinProtocol = TLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-46] +[test-51] ExpectedClientCertType = Ed448 ExpectedClientSignType = Ed448 ExpectedResult = Success @@ -1569,20 +1705,20 @@ ExpectedResult = Success # =========================================================== -[47-TLS 1.3 ECDSA with brainpool] -ssl_conf = 47-TLS 1.3 ECDSA with brainpool-ssl +[52-TLS 1.3 ECDSA with brainpool] +ssl_conf = 52-TLS 1.3 ECDSA with brainpool-ssl -[47-TLS 1.3 ECDSA with brainpool-ssl] -server = 47-TLS 1.3 ECDSA with brainpool-server -client = 47-TLS 1.3 ECDSA with brainpool-client +[52-TLS 1.3 ECDSA with brainpool-ssl] +server = 52-TLS 1.3 ECDSA with brainpool-server +client = 52-TLS 1.3 ECDSA with brainpool-client -[47-TLS 1.3 ECDSA with brainpool-server] +[52-TLS 1.3 ECDSA with brainpool-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem CipherString = DEFAULT Groups = brainpoolP256r1 PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -[47-TLS 1.3 ECDSA with brainpool-client] +[52-TLS 1.3 ECDSA with brainpool-client] CipherString = DEFAULT Groups = brainpoolP256r1 MaxProtocol = TLSv1.3 @@ -1591,20 +1727,20 @@ RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-47] +[test-52] ExpectedResult = ServerFail # =========================================================== -[48-TLS 1.2 DSA Certificate Test] -ssl_conf = 48-TLS 1.2 DSA Certificate Test-ssl +[53-TLS 1.2 DSA Certificate Test] +ssl_conf = 53-TLS 1.2 DSA Certificate Test-ssl -[48-TLS 1.2 DSA Certificate Test-ssl] -server = 48-TLS 1.2 DSA Certificate Test-server -client = 48-TLS 1.2 DSA Certificate Test-client +[53-TLS 1.2 DSA Certificate Test-ssl] +server = 53-TLS 1.2 DSA Certificate Test-server +client = 53-TLS 1.2 DSA Certificate Test-client -[48-TLS 1.2 DSA Certificate Test-server] +[53-TLS 1.2 DSA Certificate Test-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = ALL DHParameters = ${ENV::TEST_CERTS_DIR}/dhp2048.pem @@ -1614,26 +1750,26 @@ MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[48-TLS 1.2 DSA Certificate Test-client] +[53-TLS 1.2 DSA Certificate Test-client] CipherString = ALL SignatureAlgorithms = DSA+SHA256:DSA+SHA1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-48] +[test-53] ExpectedResult = Success # =========================================================== -[49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms] -ssl_conf = 49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-ssl +[54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms] +ssl_conf = 54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-ssl -[49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-ssl] -server = 49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-server -client = 49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-client +[54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-ssl] +server = 54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-server +client = 54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-client -[49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-server] +[54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ClientSignatureAlgorithms = ECDSA+SHA1:DSA+SHA256:RSA+SHA256 @@ -1641,25 +1777,25 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-client] +[54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-49] +[test-54] ExpectedResult = ServerFail # =========================================================== -[50-TLS 1.3 DSA Certificate Test] -ssl_conf = 50-TLS 1.3 DSA Certificate Test-ssl +[55-TLS 1.3 DSA Certificate Test] +ssl_conf = 55-TLS 1.3 DSA Certificate Test-ssl -[50-TLS 1.3 DSA Certificate Test-ssl] -server = 50-TLS 1.3 DSA Certificate Test-server -client = 50-TLS 1.3 DSA Certificate Test-client +[55-TLS 1.3 DSA Certificate Test-ssl] +server = 55-TLS 1.3 DSA Certificate Test-server +client = 55-TLS 1.3 DSA Certificate Test-client -[50-TLS 1.3 DSA Certificate Test-server] +[55-TLS 1.3 DSA Certificate Test-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = ALL DSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-dsa-cert.pem @@ -1668,13 +1804,13 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[50-TLS 1.3 DSA Certificate Test-client] +[55-TLS 1.3 DSA Certificate Test-client] CipherString = ALL SignatureAlgorithms = DSA+SHA1:DSA+SHA256:ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-50] +[test-55] ExpectedResult = ServerFail diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in index bdf53c6e1e..5e9bfede5d 100644 --- a/test/ssl-tests/20-cert-select.conf.in +++ b/test/ssl-tests/20-cert-select.conf.in @@ -36,6 +36,12 @@ my $server_pss_only = { "PrivateKey" => test_pem("server-pss-key.pem"), }; +my $server_pss_restrict_only = { + "Certificate" => test_pem("server-pss-restrict-cert.pem"), + "PrivateKey" => test_pem("server-pss-restrict-key.pem"), +}; + + my $server_rsa_all = { "PSS.Certificate" => test_pem("server-pss-cert.pem"), "PSS.PrivateKey" => test_pem("server-pss-key.pem"), @@ -379,6 +385,19 @@ our @tests = ( "ExpectedResult" => "Success" }, }, + { + name => "Only RSA-PSS Certificate Valid Signature Algorithms", + server => $server_pss_only, + client => { + "SignatureAlgorithms" => "rsa_pss_pss_sha512", + }, + test => { + "ExpectedServerCertType" => "RSA-PSS", + "ExpectedServerSignHash" => "SHA512", + "ExpectedServerSignType" => "RSA-PSS", + "ExpectedResult" => "Success" + }, + }, { name => "RSA-PSS Certificate, no PSS signature algorithms", server => $server_pss_only, @@ -389,6 +408,53 @@ our @tests = ( "ExpectedResult" => "ServerFail" }, }, + { + name => "Only RSA-PSS Restricted Certificate", + server => $server_pss_restrict_only, + client => {}, + test => { + "ExpectedServerCertType" => "RSA-PSS", + "ExpectedServerSignHash" => "SHA256", + "ExpectedServerSignType" => "RSA-PSS", + "ExpectedResult" => "Success" + }, + }, + { + name => "RSA-PSS Restricted Certificate Valid Signature Algorithms", + server => $server_pss_restrict_only, + client => { + "SignatureAlgorithms" => "rsa_pss_pss_sha256:rsa_pss_pss_sha512", + }, + test => { + "ExpectedServerCertType" => "RSA-PSS", + "ExpectedServerSignHash" => "SHA256", + "ExpectedServerSignType" => "RSA-PSS", + "ExpectedResult" => "Success" + }, + }, + { + name => "RSA-PSS Restricted Cert client prefers invalid Signature Algorithm", + server => $server_pss_restrict_only, + client => { + "SignatureAlgorithms" => "rsa_pss_pss_sha512:rsa_pss_pss_sha256", + }, + test => { + "ExpectedServerCertType" => "RSA-PSS", + "ExpectedServerSignHash" => "SHA256", + "ExpectedServerSignType" => "RSA-PSS", + "ExpectedResult" => "Success" + }, + }, + { + name => "RSA-PSS Restricted Certificate Invalid Signature Algorithms", + server => $server_pss_restrict_only, + client => { + "SignatureAlgorithms" => "rsa_pss_pss_sha512", + }, + test => { + "ExpectedResult" => "ServerFail" + }, + }, { name => "RSA key exchange with all RSA certificate types", server => $server_rsa_all,