The branch OpenSSL_1_1_1-stable has been updated via 59d846ffb13d36d8a8caad09f43bcc968b21cf74 (commit) via fc009331ab1345eed635690ae4e81a81b1b2fe5a (commit) via 7467c87c6e88acca887bac0bf85ec0dc76fa522d (commit) from 85171a929d53fdac4b0da97eb2f4d85ff0ecd986 (commit)
- Log ----------------------------------------------------------------- commit 59d846ffb13d36d8a8caad09f43bcc968b21cf74 Author: Matt Caswell <m...@openssl.org> Date: Thu Aug 8 11:41:18 2019 +0100 Add TLS tests for RSA-PSS Restricted certificates Reviewed-by: Paul Dale <paul.d...@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9553) (cherry picked from commit 20946b94658416d2fed0b9d9c7adfbe4b7d70515) commit fc009331ab1345eed635690ae4e81a81b1b2fe5a Author: Matt Caswell <m...@openssl.org> Date: Thu Aug 8 11:08:14 2019 +0100 Add Restricted PSS certificate and key Create a PSS certificate with parameter restrictions Reviewed-by: Paul Dale <paul.d...@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9553) (cherry picked from commit 39d9ea5e502114a204750f641ca76ff5b4912401) commit 7467c87c6e88acca887bac0bf85ec0dc76fa522d Author: Matt Caswell <m...@openssl.org> Date: Thu Aug 8 09:13:51 2019 +0100 Ensure RSA PSS correctly returns the right default digest A default digest of SHA256 was being returned for RSA PSS even if the PSS parameters indicated a different digest must be used. We change this so that the correct default digest is returned and additionally mark this as mandatory for PSS. This bug had an impact on sig alg selection in libssl. Due to this issue an incorrect sig alg might be selected in the event that a server is configured with an RSA-PSS cert with parameter restrictions. Fixes #9545 Reviewed-by: Paul Dale <paul.d...@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9553) (cherry picked from commit 9bcc9f973b2a216461dd6f140e47ef647eb733b4) ----------------------------------------------------------------------- Summary of changes: crypto/rsa/rsa_ameth.c | 13 + test/certs/mkcert.sh | 29 ++ test/certs/server-pss-restrict-cert.pem | 21 + test/certs/server-pss-restrict-key.pem | 29 ++ test/certs/setup.sh | 6 + test/ssl-tests/20-cert-select.conf | 660 +++++++++++++++++++------------- test/ssl-tests/20-cert-select.conf.in | 66 ++++ 7 files changed, 562 insertions(+), 262 deletions(-) create mode 100644 test/certs/server-pss-restrict-cert.pem create mode 100644 test/certs/server-pss-restrict-key.pem diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index ab5f61518b..9dcb85d837 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -458,6 +458,9 @@ static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) { X509_ALGOR *alg = NULL; + const EVP_MD *md; + const EVP_MD *mgf1md; + int min_saltlen; switch (op) { @@ -497,6 +500,16 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) #endif case ASN1_PKEY_CTRL_DEFAULT_MD_NID: + if (pkey->pkey.rsa->pss != NULL) { + if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md, + &min_saltlen)) { + RSAerr(0, ERR_R_INTERNAL_ERROR); + return 0; + } + *(int *)arg2 = EVP_MD_type(md); + /* Return of 2 indicates this MD is mandatory */ + return 2; + } *(int *)arg2 = NID_sha256; return 1; diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh index bf61548dba..4b258e104e 100755 --- a/test/certs/mkcert.sh +++ b/test/certs/mkcert.sh @@ -233,6 +233,35 @@ genee() { -set_serial 2 -days "${DAYS}" "$@" } +geneenocsr() { + local OPTIND=1 + local purpose=serverAuth + + while getopts p: o + do + case $o in + p) purpose="$OPTARG";; + *) echo "Usage: $0 genee [-p EKU] cn certname cakeyname cacertname" >&2 + return 1;; + esac + done + + shift $((OPTIND - 1)) + local cn=$1; shift + local cert=$1; shift + local cakey=$1; shift + local ca=$1; shift + + exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \ + "subjectKeyIdentifier = hash" \ + "authorityKeyIdentifier = keyid, issuer" \ + "basicConstraints = CA:false" \ + "extendedKeyUsage = $purpose" \ + "subjectAltName = @alts" "DNS=${cn}") + cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \ + -set_serial 2 -days "${DAYS}" "$@" +} + genss() { local cn=$1; shift local key=$1; shift diff --git a/test/certs/server-pss-restrict-cert.pem b/test/certs/server-pss-restrict-cert.pem new file mode 100644 index 0000000000..273363808a --- /dev/null +++ b/test/certs/server-pss-restrict-cert.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDYjCCAkqgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE5MDgwODEwNDMxMFoYDzIxMTkwODA5MTA0MzEwWjAUMRIwEAYDVQQD +DAlsb2NhbGhvc3QwggFSMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZIAWUDBAIBoRow +GAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgA4IBDwAwggEKAoIBAQDDlygk +sUEAajpdVquo9XIAyTd9ZJ+55hNmhBfhn3lHz3ryPD+0XlgCE9qsKwfR7iYaqmnN +ilQnsxWpMGXAgOlC1+w5zh8qHvrI5wX+A6U9N8leIOSgFuFNP0FMMG7I677QzRxG +FqKX1o4V73JWqnHCfnfHRyZY9xM0tYbJKNbRO7Hy4jKBPl3ptPHUoTltr4WYTOpg +stcEamdiiif+0U4bQvVltNg9pzFEjkAktTUGn92W5CgLnsbPXxBo6a/kUlHcgmhY +bpOXEjCPufZLgsQo8iF2Bq8eWMEsByjr0chQjzrfZAUVtD8Hmh2uMVAPQFAHUkaL +j2tHukL+s9tAaWKNAgMBAAGjgY4wgYswHQYDVR0OBBYEFLqlLFaNrS8hbX6voiGi +AfMYfsivMB8GA1UdIwQYMBaAFHB/Lq6DaFmYBCMqzes+F80k3QFJMAkGA1UdEwQC +MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwKQYDVR0RBCIwIIIeU2VydmVyIFJTQS1Q +U1MgcmVzdHJpY3RlZCBjZXJ0MA0GCSqGSIb3DQEBCwUAA4IBAQAEhm9Skn2XfEZo +Q+YMu6HIQZovRT3IljHvesjIby7KfS86SU4r+CG7qaPLw7jeIR92YMnihnaXRGGJ +POixpHY6gapEzR2Sqg7c0ApGenDZ3uKnBUjf9LEorPmhrEHUsnHREXoPx5Lt5Nh/ +7WRNB/GKvbnAby+5HQBOvU6P8t37/zK1JjJhGNv0uvaYthQGk3r6nEhQG+O6JBSw +H/auU4ClIB4fg8GWaMuupN5VMNP9mxpL9tONH8QRKs+KIQWMOsr83rOKwSHrrkIL +/vDI5hPj9RHvjjta6FQx140wA6c8ZB59x9YIv1alJWf6s3+TM8bv70L/aBBT8+IM +vwjUz9Gp +-----END CERTIFICATE----- diff --git a/test/certs/server-pss-restrict-key.pem b/test/certs/server-pss-restrict-key.pem new file mode 100644 index 0000000000..65032269c1 --- /dev/null +++ b/test/certs/server-pss-restrict-key.pem @@ -0,0 +1,29 @@ +-----BEGIN PRIVATE KEY----- +MIIE7wIBADA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3 +DQEBCDALBglghkgBZQMEAgGiAwIBIASCBKkwggSlAgEAAoIBAQDDlygksUEAajpd +Vquo9XIAyTd9ZJ+55hNmhBfhn3lHz3ryPD+0XlgCE9qsKwfR7iYaqmnNilQnsxWp +MGXAgOlC1+w5zh8qHvrI5wX+A6U9N8leIOSgFuFNP0FMMG7I677QzRxGFqKX1o4V +73JWqnHCfnfHRyZY9xM0tYbJKNbRO7Hy4jKBPl3ptPHUoTltr4WYTOpgstcEamdi +iif+0U4bQvVltNg9pzFEjkAktTUGn92W5CgLnsbPXxBo6a/kUlHcgmhYbpOXEjCP +ufZLgsQo8iF2Bq8eWMEsByjr0chQjzrfZAUVtD8Hmh2uMVAPQFAHUkaLj2tHukL+ +s9tAaWKNAgMBAAECggEBAIzgfwWOtmb6HHfGSXY085wlUlZ696EKWsboNdtI5i4W +/1Mimi/sFC/K5SJFDCjlA4UJYZOuItdFYkCun1t8foaqx3cLQ98u2SuDWwmOzqG9 +YMjvoDy+viDJgtrBt8n4I0R5t/ezrgD3hPe/s/dAZRfVx6g9Ux2ZOLgqV57kT3X7 +6paEz3jrIMvuoXQCsi9Qh+eJQ23/sAcc7OHQ7uD8QJVudEBnSHQ+ttvOPXhr7tba +8NuNVa6E/KewkKHRAZqBTJolCVyPtWmvfaDwdJtunCvyR1w3Rv1adZLK4YRFz+vc +sOMK+K1c2aojA+/Fnba19inNq13j6Dwqmq8Ho7MZwHECgYEA6aSx7/93S1VGpxQ9 +KqFE4Fy9ylliC/hanc9qOcfEIo0tDus9lfpuPp+aOXML0msVkIfhCnaru32qtnaI +AQkIbPhSZFvC/i6BibpArXINbDzTS/46zZHehXskjWFGw+iRm/YI7MBuCmWzSnFO +YUwSKRIPKZKyXswFzP8RsQO/QbsCgYEA1k5SamQheuKdo/X40ShWTTOoDlpL4Sir +b2zTnEqlHyMv8c7w880hPf4P+0pqrKyf7jmEykJvp1qSAmyMUCWzrKTr8gQ2sMyb +zj90cEm++M5YIQh5lPJy4pGqmCliJXqkt+zT1xmnRASwMNQOnU2bBmXkve/ofb4M +dEwyig/nZFcCgYBLWPilTD6dhce+NBGxwMZkkKQIMKEk+RfIEs7QCXNgLSUdzZFT +36pT+caTxl1Go5AVxyw04qZpVZKLO1iK9O3Jrp9rjAgrTrYpw23+QWzAvjDqLfeq +ueMIKvlTus5GeacTo9mm+DvEkJ2sYTQEvrKQmilXn950IdmxDYUYD/xK5wKBgQDQ +5ON9BUGFUSQsUHVLG7CT7EhiRS41ubjyEfhrHm+53Ei9weQpIcjHbsERR8aXrmTu +h26i4QOI88XjSv+ymC19mfzLmcPdrnQpJL1RPvFCAZDyEhrBT1sg8rCBRcV/lv68 +scMEpuLecFt2HR5pwt3b7LJ9Wj8bYoctTaDt5va8XQKBgQDCr4hZB5haAcKmNm/g +PjlaLdrDEIuuBjxMzX1t3PXwsEene1cE731v6fbmrDUa8AuJyMY80xhGrTTDQfS3 +QOu/6wtcUv/JC/06OwEaUlT/kdYek+zYfBm3b1sKP3HVKSxCLTcPcC4aQoAFqbEy +3kuSVh03vVBdaP//qMPyeue17w== +-----END PRIVATE KEY----- diff --git a/test/certs/setup.sh b/test/certs/setup.sh index 53d4a807a7..26b2f1ddfe 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -369,3 +369,9 @@ REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \ OPENSSL_KEYALG=ec OPENSSL_KEYBITS=brainpoolP256r1 ./mkcert.sh genee \ "Server ECDSA brainpoolP256r1 cert" server-ecdsa-brainpoolP256r1-key \ server-ecdsa-brainpoolP256r1-cert rootkey rootcert + +openssl req -new -nodes -subj "/CN=localhost" \ + -newkey rsa-pss -keyout server-pss-restrict-key.pem \ + -pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:32 | \ + ./mkcert.sh geneenocsr "Server RSA-PSS restricted cert" \ + server-pss-restrict-cert rootkey rootcert diff --git a/test/ssl-tests/20-cert-select.conf b/test/ssl-tests/20-cert-select.conf index 0bcd23d7f0..93f3a1ff68 100644 --- a/test/ssl-tests/20-cert-select.conf +++ b/test/ssl-tests/20-cert-select.conf @@ -1,6 +1,6 @@ # Generated with generate_ssl_tests.pl -num_tests = 51 +num_tests = 56 test-0 = 0-ECDSA CipherString Selection test-1 = 1-ECDSA CipherString Selection @@ -24,35 +24,40 @@ test-18 = 18-RSA-PSS Signature Algorithm Selection test-19 = 19-RSA-PSS Certificate Legacy Signature Algorithm Selection test-20 = 20-RSA-PSS Certificate Unified Signature Algorithm Selection test-21 = 21-Only RSA-PSS Certificate -test-22 = 22-RSA-PSS Certificate, no PSS signature algorithms -test-23 = 23-RSA key exchange with all RSA certificate types -test-24 = 24-RSA key exchange with only RSA-PSS certificate -test-25 = 25-Suite B P-256 Hash Algorithm Selection -test-26 = 26-Suite B P-384 Hash Algorithm Selection -test-27 = 27-TLS 1.2 Ed25519 Client Auth -test-28 = 28-TLS 1.2 Ed448 Client Auth -test-29 = 29-Only RSA-PSS Certificate, TLS v1.1 -test-30 = 30-TLS 1.3 ECDSA Signature Algorithm Selection -test-31 = 31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point -test-32 = 32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1 -test-33 = 33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS -test-34 = 34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS -test-35 = 35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate -test-36 = 36-TLS 1.3 RSA Signature Algorithm Selection, no PSS -test-37 = 37-TLS 1.3 RSA-PSS Signature Algorithm Selection -test-38 = 38-TLS 1.3 Ed25519 Signature Algorithm Selection -test-39 = 39-TLS 1.3 Ed448 Signature Algorithm Selection -test-40 = 40-TLS 1.3 Ed25519 CipherString and Groups Selection -test-41 = 41-TLS 1.3 Ed448 CipherString and Groups Selection -test-42 = 42-TLS 1.3 RSA Client Auth Signature Algorithm Selection -test-43 = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names -test-44 = 44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection -test-45 = 45-TLS 1.3 Ed25519 Client Auth -test-46 = 46-TLS 1.3 Ed448 Client Auth -test-47 = 47-TLS 1.3 ECDSA with brainpool -test-48 = 48-TLS 1.2 DSA Certificate Test -test-49 = 49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms -test-50 = 50-TLS 1.3 DSA Certificate Test +test-22 = 22-Only RSA-PSS Certificate Valid Signature Algorithms +test-23 = 23-RSA-PSS Certificate, no PSS signature algorithms +test-24 = 24-Only RSA-PSS Restricted Certificate +test-25 = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms +test-26 = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm +test-27 = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms +test-28 = 28-RSA key exchange with all RSA certificate types +test-29 = 29-RSA key exchange with only RSA-PSS certificate +test-30 = 30-Suite B P-256 Hash Algorithm Selection +test-31 = 31-Suite B P-384 Hash Algorithm Selection +test-32 = 32-TLS 1.2 Ed25519 Client Auth +test-33 = 33-TLS 1.2 Ed448 Client Auth +test-34 = 34-Only RSA-PSS Certificate, TLS v1.1 +test-35 = 35-TLS 1.3 ECDSA Signature Algorithm Selection +test-36 = 36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point +test-37 = 37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1 +test-38 = 38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS +test-39 = 39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS +test-40 = 40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate +test-41 = 41-TLS 1.3 RSA Signature Algorithm Selection, no PSS +test-42 = 42-TLS 1.3 RSA-PSS Signature Algorithm Selection +test-43 = 43-TLS 1.3 Ed25519 Signature Algorithm Selection +test-44 = 44-TLS 1.3 Ed448 Signature Algorithm Selection +test-45 = 45-TLS 1.3 Ed25519 CipherString and Groups Selection +test-46 = 46-TLS 1.3 Ed448 CipherString and Groups Selection +test-47 = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection +test-48 = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names +test-49 = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection +test-50 = 50-TLS 1.3 Ed25519 Client Auth +test-51 = 51-TLS 1.3 Ed448 Client Auth +test-52 = 52-TLS 1.3 ECDSA with brainpool +test-53 = 53-TLS 1.2 DSA Certificate Test +test-54 = 54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms +test-55 = 55-TLS 1.3 DSA Certificate Test # =========================================================== [0-ECDSA CipherString Selection] @@ -775,89 +780,220 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[22-RSA-PSS Certificate, no PSS signature algorithms] -ssl_conf = 22-RSA-PSS Certificate, no PSS signature algorithms-ssl +[22-Only RSA-PSS Certificate Valid Signature Algorithms] +ssl_conf = 22-Only RSA-PSS Certificate Valid Signature Algorithms-ssl -[22-RSA-PSS Certificate, no PSS signature algorithms-ssl] -server = 22-RSA-PSS Certificate, no PSS signature algorithms-server -client = 22-RSA-PSS Certificate, no PSS signature algorithms-client +[22-Only RSA-PSS Certificate Valid Signature Algorithms-ssl] +server = 22-Only RSA-PSS Certificate Valid Signature Algorithms-server +client = 22-Only RSA-PSS Certificate Valid Signature Algorithms-client -[22-RSA-PSS Certificate, no PSS signature algorithms-server] +[22-Only RSA-PSS Certificate Valid Signature Algorithms-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem -[22-RSA-PSS Certificate, no PSS signature algorithms-client] +[22-Only RSA-PSS Certificate Valid Signature Algorithms-client] CipherString = DEFAULT -SignatureAlgorithms = RSA+SHA256 +SignatureAlgorithms = rsa_pss_pss_sha512 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-22] +ExpectedResult = Success +ExpectedServerCertType = RSA-PSS +ExpectedServerSignHash = SHA512 +ExpectedServerSignType = RSA-PSS + + +# =========================================================== + +[23-RSA-PSS Certificate, no PSS signature algorithms] +ssl_conf = 23-RSA-PSS Certificate, no PSS signature algorithms-ssl + +[23-RSA-PSS Certificate, no PSS signature algorithms-ssl] +server = 23-RSA-PSS Certificate, no PSS signature algorithms-server +client = 23-RSA-PSS Certificate, no PSS signature algorithms-client + +[23-RSA-PSS Certificate, no PSS signature algorithms-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem + +[23-RSA-PSS Certificate, no PSS signature algorithms-client] +CipherString = DEFAULT +SignatureAlgorithms = RSA+SHA256 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-23] +ExpectedResult = ServerFail + + +# =========================================================== + +[24-Only RSA-PSS Restricted Certificate] +ssl_conf = 24-Only RSA-PSS Restricted Certificate-ssl + +[24-Only RSA-PSS Restricted Certificate-ssl] +server = 24-Only RSA-PSS Restricted Certificate-server +client = 24-Only RSA-PSS Restricted Certificate-client + +[24-Only RSA-PSS Restricted Certificate-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem + +[24-Only RSA-PSS Restricted Certificate-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-24] +ExpectedResult = Success +ExpectedServerCertType = RSA-PSS +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = RSA-PSS + + +# =========================================================== + +[25-RSA-PSS Restricted Certificate Valid Signature Algorithms] +ssl_conf = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms-ssl + +[25-RSA-PSS Restricted Certificate Valid Signature Algorithms-ssl] +server = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms-server +client = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms-client + +[25-RSA-PSS Restricted Certificate Valid Signature Algorithms-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem + +[25-RSA-PSS Restricted Certificate Valid Signature Algorithms-client] +CipherString = DEFAULT +SignatureAlgorithms = rsa_pss_pss_sha256:rsa_pss_pss_sha512 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-25] +ExpectedResult = Success +ExpectedServerCertType = RSA-PSS +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = RSA-PSS + + +# =========================================================== + +[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm] +ssl_conf = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-ssl + +[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-ssl] +server = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-server +client = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-client + +[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem + +[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-client] +CipherString = DEFAULT +SignatureAlgorithms = rsa_pss_pss_sha512:rsa_pss_pss_sha256 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-26] +ExpectedResult = Success +ExpectedServerCertType = RSA-PSS +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = RSA-PSS + + +# =========================================================== + +[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms] +ssl_conf = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-ssl + +[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-ssl] +server = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-server +client = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-client + +[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem + +[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-client] +CipherString = DEFAULT +SignatureAlgorithms = rsa_pss_pss_sha512 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-27] ExpectedResult = ServerFail # =========================================================== -[23-RSA key exchange with all RSA certificate types] -ssl_conf = 23-RSA key exchange with all RSA certificate types-ssl +[28-RSA key exchange with all RSA certificate types] +ssl_conf = 28-RSA key exchange with all RSA certificate types-ssl -[23-RSA key exchange with all RSA certificate types-ssl] -server = 23-RSA key exchange with all RSA certificate types-server -client = 23-RSA key exchange with all RSA certificate types-client +[28-RSA key exchange with all RSA certificate types-ssl] +server = 28-RSA key exchange with all RSA certificate types-server +client = 28-RSA key exchange with all RSA certificate types-client -[23-RSA key exchange with all RSA certificate types-server] +[28-RSA key exchange with all RSA certificate types-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[23-RSA key exchange with all RSA certificate types-client] +[28-RSA key exchange with all RSA certificate types-client] CipherString = kRSA MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-23] +[test-28] ExpectedResult = Success ExpectedServerCertType = RSA # =========================================================== -[24-RSA key exchange with only RSA-PSS certificate] -ssl_conf = 24-RSA key exchange with only RSA-PSS certificate-ssl +[29-RSA key exchange with only RSA-PSS certificate] +ssl_conf = 29-RSA key exchange with only RSA-PSS certificate-ssl -[24-RSA key exchange with only RSA-PSS certificate-ssl] -server = 24-RSA key exchange with only RSA-PSS certificate-server -client = 24-RSA key exchange with only RSA-PSS certificate-client +[29-RSA key exchange with only RSA-PSS certificate-ssl] +server = 29-RSA key exchange with only RSA-PSS certificate-server +client = 29-RSA key exchange with only RSA-PSS certificate-client -[24-RSA key exchange with only RSA-PSS certificate-server] +[29-RSA key exchange with only RSA-PSS certificate-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem -[24-RSA key exchange with only RSA-PSS certificate-client] +[29-RSA key exchange with only RSA-PSS certificate-client] CipherString = kRSA MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-24] +[test-29] ExpectedResult = ServerFail # =========================================================== -[25-Suite B P-256 Hash Algorithm Selection] -ssl_conf = 25-Suite B P-256 Hash Algorithm Selection-ssl +[30-Suite B P-256 Hash Algorithm Selection] +ssl_conf = 30-Suite B P-256 Hash Algorithm Selection-ssl -[25-Suite B P-256 Hash Algorithm Selection-ssl] -server = 25-Suite B P-256 Hash Algorithm Selection-server -client = 25-Suite B P-256 Hash Algorithm Selection-client +[30-Suite B P-256 Hash Algorithm Selection-ssl] +server = 30-Suite B P-256 Hash Algorithm Selection-server +client = 30-Suite B P-256 Hash Algorithm Selection-client -[25-Suite B P-256 Hash Algorithm Selection-server] +[30-Suite B P-256 Hash Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = SUITEB128 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p256-server-cert.pem @@ -865,13 +1001,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p256-server-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[25-Suite B P-256 Hash Algorithm Selection-client] +[30-Suite B P-256 Hash Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem VerifyMode = Peer -[test-25] +[test-30] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA256 @@ -880,14 +1016,14 @@ ExpectedServerSignType = EC # =========================================================== -[26-Suite B P-384 Hash Algorithm Selection] -ssl_conf = 26-Suite B P-384 Hash Algorithm Selection-ssl +[31-Suite B P-384 Hash Algorithm Selection] +ssl_conf = 31-Suite B P-384 Hash Algorithm Selection-ssl -[26-Suite B P-384 Hash Algorithm Selection-ssl] -server = 26-Suite B P-384 Hash Algorithm Selection-server -client = 26-Suite B P-384 Hash Algorithm Selection-client +[31-Suite B P-384 Hash Algorithm Selection-ssl] +server = 31-Suite B P-384 Hash Algorithm Selection-server +client = 31-Suite B P-384 Hash Algorithm Selection-client -[26-Suite B P-384 Hash Algorithm Selection-server] +[31-Suite B P-384 Hash Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = SUITEB128 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem @@ -895,13 +1031,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[26-Suite B P-384 Hash Algorithm Selection-client] +[31-Suite B P-384 Hash Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem VerifyMode = Peer -[test-26] +[test-31] ExpectedResult = Success ExpectedServerCertType = P-384 ExpectedServerSignHash = SHA384 @@ -910,21 +1046,21 @@ ExpectedServerSignType = EC # =========================================================== -[27-TLS 1.2 Ed25519 Client Auth] -ssl_conf = 27-TLS 1.2 Ed25519 Client Auth-ssl +[32-TLS 1.2 Ed25519 Client Auth] +ssl_conf = 32-TLS 1.2 Ed25519 Client Auth-ssl -[27-TLS 1.2 Ed25519 Client Auth-ssl] -server = 27-TLS 1.2 Ed25519 Client Auth-server -client = 27-TLS 1.2 Ed25519 Client Auth-client +[32-TLS 1.2 Ed25519 Client Auth-ssl] +server = 32-TLS 1.2 Ed25519 Client Auth-server +client = 32-TLS 1.2 Ed25519 Client Auth-client -[27-TLS 1.2 Ed25519 Client Auth-server] +[32-TLS 1.2 Ed25519 Client Auth-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[27-TLS 1.2 Ed25519 Client Auth-client] +[32-TLS 1.2 Ed25519 Client Auth-client] CipherString = DEFAULT Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem @@ -933,7 +1069,7 @@ MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-27] +[test-32] ExpectedClientCertType = Ed25519 ExpectedClientSignType = Ed25519 ExpectedResult = Success @@ -941,21 +1077,21 @@ ExpectedResult = Success # =========================================================== -[28-TLS 1.2 Ed448 Client Auth] -ssl_conf = 28-TLS 1.2 Ed448 Client Auth-ssl +[33-TLS 1.2 Ed448 Client Auth] +ssl_conf = 33-TLS 1.2 Ed448 Client Auth-ssl -[28-TLS 1.2 Ed448 Client Auth-ssl] -server = 28-TLS 1.2 Ed448 Client Auth-server -client = 28-TLS 1.2 Ed448 Client Auth-client +[33-TLS 1.2 Ed448 Client Auth-ssl] +server = 33-TLS 1.2 Ed448 Client Auth-server +client = 33-TLS 1.2 Ed448 Client Auth-client -[28-TLS 1.2 Ed448 Client Auth-server] +[33-TLS 1.2 Ed448 Client Auth-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[28-TLS 1.2 Ed448 Client Auth-client] +[33-TLS 1.2 Ed448 Client Auth-client] CipherString = DEFAULT Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed448-cert.pem Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed448-key.pem @@ -964,7 +1100,7 @@ MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-28] +[test-33] ExpectedClientCertType = Ed448 ExpectedClientSignType = Ed448 ExpectedResult = Success @@ -972,38 +1108,38 @@ ExpectedResult = Success # =========================================================== -[29-Only RSA-PSS Certificate, TLS v1.1] -ssl_conf = 29-Only RSA-PSS Certificate, TLS v1.1-ssl +[34-Only RSA-PSS Certificate, TLS v1.1] +ssl_conf = 34-Only RSA-PSS Certificate, TLS v1.1-ssl -[29-Only RSA-PSS Certificate, TLS v1.1-ssl] -server = 29-Only RSA-PSS Certificate, TLS v1.1-server -client = 29-Only RSA-PSS Certificate, TLS v1.1-client +[34-Only RSA-PSS Certificate, TLS v1.1-ssl] +server = 34-Only RSA-PSS Certificate, TLS v1.1-server +client = 34-Only RSA-PSS Certificate, TLS v1.1-client -[29-Only RSA-PSS Certificate, TLS v1.1-server] +[34-Only RSA-PSS Certificate, TLS v1.1-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem -[29-Only RSA-PSS Certificate, TLS v1.1-client] +[34-Only RSA-PSS Certificate, TLS v1.1-client] CipherString = DEFAULT MaxProtocol = TLSv1.1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-29] +[test-34] ExpectedResult = ServerFail # =========================================================== -[30-TLS 1.3 ECDSA Signature Algorithm Selection] -ssl_conf = 30-TLS 1.3 ECDSA Signature Algorithm Selection-ssl +[35-TLS 1.3 ECDSA Signature Algorithm Selection] +ssl_conf = 35-TLS 1.3 ECDSA Signature Algorithm Selection-ssl -[30-TLS 1.3 ECDSA Signature Algorithm Selection-ssl] -server = 30-TLS 1.3 ECDSA Signature Algorithm Selection-server -client = 30-TLS 1.3 ECDSA Signature Algorithm Selection-client +[35-TLS 1.3 ECDSA Signature Algorithm Selection-ssl] +server = 35-TLS 1.3 ECDSA Signature Algorithm Selection-server +client = 35-TLS 1.3 ECDSA Signature Algorithm Selection-client -[30-TLS 1.3 ECDSA Signature Algorithm Selection-server] +[35-TLS 1.3 ECDSA Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1016,13 +1152,13 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[30-TLS 1.3 ECDSA Signature Algorithm Selection-client] +[35-TLS 1.3 ECDSA Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-30] +[test-35] ExpectedResult = Success ExpectedServerCANames = empty ExpectedServerCertType = P-256 @@ -1032,14 +1168,14 @@ ExpectedServerSignType = EC # =========================================================== -[31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point] -ssl_conf = 31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-ssl +[36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point] +ssl_conf = 36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-ssl -[31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-ssl] -server = 31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-server -client = 31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-client +[36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-ssl] +server = 36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-server +client = 36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-client -[31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-server] +[36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-cecdsa-cert.pem @@ -1048,13 +1184,13 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-client] +[36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-31] +[test-36] ExpectedResult = Success ExpectedServerCANames = empty ExpectedServerCertType = P-256 @@ -1064,14 +1200,14 @@ ExpectedServerSignType = EC # =========================================================== -[32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1] -ssl_conf = 32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-ssl +[37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1] +ssl_conf = 37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-ssl -[32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-ssl] -server = 32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-server -client = 32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-client +[37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-ssl] +server = 37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-server +client = 37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-client -[32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-server] +[37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1084,26 +1220,26 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-client] +[37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-32] +[test-37] ExpectedResult = ServerFail # =========================================================== -[33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS] -ssl_conf = 33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-ssl +[38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS] +ssl_conf = 38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-ssl -[33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-ssl] -server = 33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-server -client = 33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-client +[38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-ssl] +server = 38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-server +client = 38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-client -[33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-server] +[38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1116,14 +1252,14 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-client] +[38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-client] CipherString = DEFAULT RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem SignatureAlgorithms = ECDSA+SHA256:RSA-PSS+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-33] +[test-38] ExpectedResult = Success ExpectedServerCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem ExpectedServerCertType = P-256 @@ -1133,14 +1269,14 @@ ExpectedServerSignType = EC # =========================================================== -[34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS] -ssl_conf = 34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-ssl +[39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS] +ssl_conf = 39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-ssl -[34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-ssl] -server = 34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-server -client = 34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-client +[39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-ssl] +server = 39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-server +client = 39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-client -[34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-server] +[39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1153,13 +1289,13 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-client] +[39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA384:RSA-PSS+SHA384 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-34] +[test-39] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA384 @@ -1168,40 +1304,40 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate] -ssl_conf = 35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl +[40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate] +ssl_conf = 40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl -[35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] -server = 35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-server -client = 35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-client +[40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] +server = 40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-server +client = 40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-client -[35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-server] +[40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-client] +[40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-35] +[test-40] ExpectedResult = ServerFail # =========================================================== -[36-TLS 1.3 RSA Signature Algorithm Selection, no PSS] -ssl_conf = 36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-ssl +[41-TLS 1.3 RSA Signature Algorithm Selection, no PSS] +ssl_conf = 41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-ssl -[36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-ssl] -server = 36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-server -client = 36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-client +[41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-ssl] +server = 41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-server +client = 41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-client -[36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-server] +[41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1214,26 +1350,26 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-client] +[41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-client] CipherString = DEFAULT SignatureAlgorithms = RSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-36] +[test-41] ExpectedResult = ServerFail # =========================================================== -[37-TLS 1.3 RSA-PSS Signature Algorithm Selection] -ssl_conf = 37-TLS 1.3 RSA-PSS Signature Algorithm Selection-ssl +[42-TLS 1.3 RSA-PSS Signature Algorithm Selection] +ssl_conf = 42-TLS 1.3 RSA-PSS Signature Algorithm Selection-ssl -[37-TLS 1.3 RSA-PSS Signature Algorithm Selection-ssl] -server = 37-TLS 1.3 RSA-PSS Signature Algorithm Selection-server -client = 37-TLS 1.3 RSA-PSS Signature Algorithm Selection-client +[42-TLS 1.3 RSA-PSS Signature Algorithm Selection-ssl] +server = 42-TLS 1.3 RSA-PSS Signature Algorithm Selection-server +client = 42-TLS 1.3 RSA-PSS Signature Algorithm Selection-client -[37-TLS 1.3 RSA-PSS Signature Algorithm Selection-server] +[42-TLS 1.3 RSA-PSS Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1246,13 +1382,13 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[37-TLS 1.3 RSA-PSS Signature Algorithm Selection-client] +[42-TLS 1.3 RSA-PSS Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = RSA-PSS+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-37] +[test-42] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA256 @@ -1261,14 +1397,14 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[38-TLS 1.3 Ed25519 Signature Algorithm Selection] -ssl_conf = 38-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl +[43-TLS 1.3 Ed25519 Signature Algorithm Selection] +ssl_conf = 43-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl -[38-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl] -server = 38-TLS 1.3 Ed25519 Signature Algorithm Selection-server -client = 38-TLS 1.3 Ed25519 Signature Algorithm Selection-client +[43-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl] +server = 43-TLS 1.3 Ed25519 Signature Algorithm Selection-server +client = 43-TLS 1.3 Ed25519 Signature Algorithm Selection-client -[38-TLS 1.3 Ed25519 Signature Algorithm Selection-server] +[43-TLS 1.3 Ed25519 Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1281,13 +1417,13 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[38-TLS 1.3 Ed25519 Signature Algorithm Selection-client] +[43-TLS 1.3 Ed25519 Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ed25519 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-38] +[test-43] ExpectedResult = Success ExpectedServerCertType = Ed25519 ExpectedServerSignType = Ed25519 @@ -1295,14 +1431,14 @@ ExpectedServerSignType = Ed25519 # =========================================================== -[39-TLS 1.3 Ed448 Signature Algorithm Selection] -ssl_conf = 39-TLS 1.3 Ed448 Signature Algorithm Selection-ssl +[44-TLS 1.3 Ed448 Signature Algorithm Selection] +ssl_conf = 44-TLS 1.3 Ed448 Signature Algorithm Selection-ssl -[39-TLS 1.3 Ed448 Signature Algorithm Selection-ssl] -server = 39-TLS 1.3 Ed448 Signature Algorithm Selection-server -client = 39-TLS 1.3 Ed448 Signature Algorithm Selection-client +[44-TLS 1.3 Ed448 Signature Algorithm Selection-ssl] +server = 44-TLS 1.3 Ed448 Signature Algorithm Selection-server +client = 44-TLS 1.3 Ed448 Signature Algorithm Selection-client -[39-TLS 1.3 Ed448 Signature Algorithm Selection-server] +[44-TLS 1.3 Ed448 Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1315,13 +1451,13 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[39-TLS 1.3 Ed448 Signature Algorithm Selection-client] +[44-TLS 1.3 Ed448 Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ed448 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-39] +[test-44] ExpectedResult = Success ExpectedServerCertType = Ed448 ExpectedServerSignType = Ed448 @@ -1329,14 +1465,14 @@ ExpectedServerSignType = Ed448 # =========================================================== -[40-TLS 1.3 Ed25519 CipherString and Groups Selection] -ssl_conf = 40-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl +[45-TLS 1.3 Ed25519 CipherString and Groups Selection] +ssl_conf = 45-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl -[40-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl] -server = 40-TLS 1.3 Ed25519 CipherString and Groups Selection-server -client = 40-TLS 1.3 Ed25519 CipherString and Groups Selection-client +[45-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl] +server = 45-TLS 1.3 Ed25519 CipherString and Groups Selection-server +client = 45-TLS 1.3 Ed25519 CipherString and Groups Selection-client -[40-TLS 1.3 Ed25519 CipherString and Groups Selection-server] +[45-TLS 1.3 Ed25519 CipherString and Groups Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1349,14 +1485,14 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[40-TLS 1.3 Ed25519 CipherString and Groups Selection-client] +[45-TLS 1.3 Ed25519 CipherString and Groups Selection-client] CipherString = DEFAULT Groups = X25519 SignatureAlgorithms = ECDSA+SHA256:ed25519 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-40] +[test-45] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignType = EC @@ -1364,14 +1500,14 @@ ExpectedServerSignType = EC # =========================================================== -[41-TLS 1.3 Ed448 CipherString and Groups Selection] -ssl_conf = 41-TLS 1.3 Ed448 CipherString and Groups Selection-ssl +[46-TLS 1.3 Ed448 CipherString and Groups Selection] +ssl_conf = 46-TLS 1.3 Ed448 CipherString and Groups Selection-ssl -[41-TLS 1.3 Ed448 CipherString and Groups Selection-ssl] -server = 41-TLS 1.3 Ed448 CipherString and Groups Selection-server -client = 41-TLS 1.3 Ed448 CipherString and Groups Selection-client +[46-TLS 1.3 Ed448 CipherString and Groups Selection-ssl] +server = 46-TLS 1.3 Ed448 CipherString and Groups Selection-server +client = 46-TLS 1.3 Ed448 CipherString and Groups Selection-client -[41-TLS 1.3 Ed448 CipherString and Groups Selection-server] +[46-TLS 1.3 Ed448 CipherString and Groups Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1384,14 +1520,14 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[41-TLS 1.3 Ed448 CipherString and Groups Selection-client] +[46-TLS 1.3 Ed448 CipherString and Groups Selection-client] CipherString = DEFAULT Groups = X448 SignatureAlgorithms = ECDSA+SHA256:ed448 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-41] +[test-46] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignType = EC @@ -1399,14 +1535,14 @@ ExpectedServerSignType = EC # =========================================================== -[42-TLS 1.3 RSA Client Auth Signature Algorithm Selection] -ssl_conf = 42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl +[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection] +ssl_conf = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl -[42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl] -server = 42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server -client = 42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client +[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl] +server = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server +client = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client -[42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server] +[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ClientSignatureAlgorithms = PSS+SHA256 @@ -1414,7 +1550,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client] +[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client] CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem @@ -1425,7 +1561,7 @@ RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-42] +[test-47] ExpectedClientCANames = empty ExpectedClientCertType = RSA ExpectedClientSignHash = SHA256 @@ -1435,14 +1571,14 @@ ExpectedResult = Success # =========================================================== -[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names] -ssl_conf = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl +[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names] +ssl_conf = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl -[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl] -server = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server -client = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client +[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl] +server = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server +client = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client -[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server] +[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ClientSignatureAlgorithms = PSS+SHA256 @@ -1451,7 +1587,7 @@ RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client] +[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client] CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem @@ -1462,7 +1598,7 @@ RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-43] +[test-48] ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem ExpectedClientCertType = RSA ExpectedClientSignHash = SHA256 @@ -1472,14 +1608,14 @@ ExpectedResult = Success # =========================================================== -[44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection] -ssl_conf = 44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl +[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection] +ssl_conf = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl -[44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl] -server = 44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server -client = 44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client +[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl] +server = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server +client = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client -[44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server] +[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ClientSignatureAlgorithms = ECDSA+SHA256 @@ -1487,7 +1623,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client] +[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client] CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem @@ -1498,7 +1634,7 @@ RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-44] +[test-49] ExpectedClientCertType = P-256 ExpectedClientSignHash = SHA256 ExpectedClientSignType = EC @@ -1507,21 +1643,21 @@ ExpectedResult = Success # =========================================================== -[45-TLS 1.3 Ed25519 Client Auth] -ssl_conf = 45-TLS 1.3 Ed25519 Client Auth-ssl +[50-TLS 1.3 Ed25519 Client Auth] +ssl_conf = 50-TLS 1.3 Ed25519 Client Auth-ssl -[45-TLS 1.3 Ed25519 Client Auth-ssl] -server = 45-TLS 1.3 Ed25519 Client Auth-server -client = 45-TLS 1.3 Ed25519 Client Auth-client +[50-TLS 1.3 Ed25519 Client Auth-ssl] +server = 50-TLS 1.3 Ed25519 Client Auth-server +client = 50-TLS 1.3 Ed25519 Client Auth-client -[45-TLS 1.3 Ed25519 Client Auth-server] +[50-TLS 1.3 Ed25519 Client Auth-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[45-TLS 1.3 Ed25519 Client Auth-client] +[50-TLS 1.3 Ed25519 Client Auth-client] CipherString = DEFAULT EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem @@ -1530,7 +1666,7 @@ MinProtocol = TLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-45] +[test-50] ExpectedClientCertType = Ed25519 ExpectedClientSignType = Ed25519 ExpectedResult = Success @@ -1538,21 +1674,21 @@ ExpectedResult = Success # =========================================================== -[46-TLS 1.3 Ed448 Client Auth] -ssl_conf = 46-TLS 1.3 Ed448 Client Auth-ssl +[51-TLS 1.3 Ed448 Client Auth] +ssl_conf = 51-TLS 1.3 Ed448 Client Auth-ssl -[46-TLS 1.3 Ed448 Client Auth-ssl] -server = 46-TLS 1.3 Ed448 Client Auth-server -client = 46-TLS 1.3 Ed448 Client Auth-client +[51-TLS 1.3 Ed448 Client Auth-ssl] +server = 51-TLS 1.3 Ed448 Client Auth-server +client = 51-TLS 1.3 Ed448 Client Auth-client -[46-TLS 1.3 Ed448 Client Auth-server] +[51-TLS 1.3 Ed448 Client Auth-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[46-TLS 1.3 Ed448 Client Auth-client] +[51-TLS 1.3 Ed448 Client Auth-client] CipherString = DEFAULT EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed448-cert.pem EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed448-key.pem @@ -1561,7 +1697,7 @@ MinProtocol = TLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-46] +[test-51] ExpectedClientCertType = Ed448 ExpectedClientSignType = Ed448 ExpectedResult = Success @@ -1569,20 +1705,20 @@ ExpectedResult = Success # =========================================================== -[47-TLS 1.3 ECDSA with brainpool] -ssl_conf = 47-TLS 1.3 ECDSA with brainpool-ssl +[52-TLS 1.3 ECDSA with brainpool] +ssl_conf = 52-TLS 1.3 ECDSA with brainpool-ssl -[47-TLS 1.3 ECDSA with brainpool-ssl] -server = 47-TLS 1.3 ECDSA with brainpool-server -client = 47-TLS 1.3 ECDSA with brainpool-client +[52-TLS 1.3 ECDSA with brainpool-ssl] +server = 52-TLS 1.3 ECDSA with brainpool-server +client = 52-TLS 1.3 ECDSA with brainpool-client -[47-TLS 1.3 ECDSA with brainpool-server] +[52-TLS 1.3 ECDSA with brainpool-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem CipherString = DEFAULT Groups = brainpoolP256r1 PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -[47-TLS 1.3 ECDSA with brainpool-client] +[52-TLS 1.3 ECDSA with brainpool-client] CipherString = DEFAULT Groups = brainpoolP256r1 MaxProtocol = TLSv1.3 @@ -1591,20 +1727,20 @@ RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-47] +[test-52] ExpectedResult = ServerFail # =========================================================== -[48-TLS 1.2 DSA Certificate Test] -ssl_conf = 48-TLS 1.2 DSA Certificate Test-ssl +[53-TLS 1.2 DSA Certificate Test] +ssl_conf = 53-TLS 1.2 DSA Certificate Test-ssl -[48-TLS 1.2 DSA Certificate Test-ssl] -server = 48-TLS 1.2 DSA Certificate Test-server -client = 48-TLS 1.2 DSA Certificate Test-client +[53-TLS 1.2 DSA Certificate Test-ssl] +server = 53-TLS 1.2 DSA Certificate Test-server +client = 53-TLS 1.2 DSA Certificate Test-client -[48-TLS 1.2 DSA Certificate Test-server] +[53-TLS 1.2 DSA Certificate Test-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = ALL DHParameters = ${ENV::TEST_CERTS_DIR}/dhp2048.pem @@ -1614,26 +1750,26 @@ MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[48-TLS 1.2 DSA Certificate Test-client] +[53-TLS 1.2 DSA Certificate Test-client] CipherString = ALL SignatureAlgorithms = DSA+SHA256:DSA+SHA1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-48] +[test-53] ExpectedResult = Success # =========================================================== -[49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms] -ssl_conf = 49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-ssl +[54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms] +ssl_conf = 54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-ssl -[49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-ssl] -server = 49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-server -client = 49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-client +[54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-ssl] +server = 54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-server +client = 54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-client -[49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-server] +[54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ClientSignatureAlgorithms = ECDSA+SHA1:DSA+SHA256:RSA+SHA256 @@ -1641,25 +1777,25 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-client] +[54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-49] +[test-54] ExpectedResult = ServerFail # =========================================================== -[50-TLS 1.3 DSA Certificate Test] -ssl_conf = 50-TLS 1.3 DSA Certificate Test-ssl +[55-TLS 1.3 DSA Certificate Test] +ssl_conf = 55-TLS 1.3 DSA Certificate Test-ssl -[50-TLS 1.3 DSA Certificate Test-ssl] -server = 50-TLS 1.3 DSA Certificate Test-server -client = 50-TLS 1.3 DSA Certificate Test-client +[55-TLS 1.3 DSA Certificate Test-ssl] +server = 55-TLS 1.3 DSA Certificate Test-server +client = 55-TLS 1.3 DSA Certificate Test-client -[50-TLS 1.3 DSA Certificate Test-server] +[55-TLS 1.3 DSA Certificate Test-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = ALL DSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-dsa-cert.pem @@ -1668,13 +1804,13 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[50-TLS 1.3 DSA Certificate Test-client] +[55-TLS 1.3 DSA Certificate Test-client] CipherString = ALL SignatureAlgorithms = DSA+SHA1:DSA+SHA256:ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-50] +[test-55] ExpectedResult = ServerFail diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in index bdf53c6e1e..5e9bfede5d 100644 --- a/test/ssl-tests/20-cert-select.conf.in +++ b/test/ssl-tests/20-cert-select.conf.in @@ -36,6 +36,12 @@ my $server_pss_only = { "PrivateKey" => test_pem("server-pss-key.pem"), }; +my $server_pss_restrict_only = { + "Certificate" => test_pem("server-pss-restrict-cert.pem"), + "PrivateKey" => test_pem("server-pss-restrict-key.pem"), +}; + + my $server_rsa_all = { "PSS.Certificate" => test_pem("server-pss-cert.pem"), "PSS.PrivateKey" => test_pem("server-pss-key.pem"), @@ -379,6 +385,19 @@ our @tests = ( "ExpectedResult" => "Success" }, }, + { + name => "Only RSA-PSS Certificate Valid Signature Algorithms", + server => $server_pss_only, + client => { + "SignatureAlgorithms" => "rsa_pss_pss_sha512", + }, + test => { + "ExpectedServerCertType" => "RSA-PSS", + "ExpectedServerSignHash" => "SHA512", + "ExpectedServerSignType" => "RSA-PSS", + "ExpectedResult" => "Success" + }, + }, { name => "RSA-PSS Certificate, no PSS signature algorithms", server => $server_pss_only, @@ -389,6 +408,53 @@ our @tests = ( "ExpectedResult" => "ServerFail" }, }, + { + name => "Only RSA-PSS Restricted Certificate", + server => $server_pss_restrict_only, + client => {}, + test => { + "ExpectedServerCertType" => "RSA-PSS", + "ExpectedServerSignHash" => "SHA256", + "ExpectedServerSignType" => "RSA-PSS", + "ExpectedResult" => "Success" + }, + }, + { + name => "RSA-PSS Restricted Certificate Valid Signature Algorithms", + server => $server_pss_restrict_only, + client => { + "SignatureAlgorithms" => "rsa_pss_pss_sha256:rsa_pss_pss_sha512", + }, + test => { + "ExpectedServerCertType" => "RSA-PSS", + "ExpectedServerSignHash" => "SHA256", + "ExpectedServerSignType" => "RSA-PSS", + "ExpectedResult" => "Success" + }, + }, + { + name => "RSA-PSS Restricted Cert client prefers invalid Signature Algorithm", + server => $server_pss_restrict_only, + client => { + "SignatureAlgorithms" => "rsa_pss_pss_sha512:rsa_pss_pss_sha256", + }, + test => { + "ExpectedServerCertType" => "RSA-PSS", + "ExpectedServerSignHash" => "SHA256", + "ExpectedServerSignType" => "RSA-PSS", + "ExpectedResult" => "Success" + }, + }, + { + name => "RSA-PSS Restricted Certificate Invalid Signature Algorithms", + server => $server_pss_restrict_only, + client => { + "SignatureAlgorithms" => "rsa_pss_pss_sha512", + }, + test => { + "ExpectedResult" => "ServerFail" + }, + }, { name => "RSA key exchange with all RSA certificate types", server => $server_rsa_all,