test_ssl_new: X448, X25519, and EdDSA are supported with fips
Removed the related TODOs. Also adjusted the DH parameters used for the DH test to be acceptable for FIPS as that now allows only known safe prime parameters. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14367)
This commit is contained in:
Tomas Mraz
Pauli
parent
21b7dfa8ad
commit
5e2f580d4a
@ -1,8 +1,8 @@
|
||||
-----BEGIN DH PARAMETERS-----
|
||||
MIIBCAKCAQEAoI0V5HKAcsG4LlAnVJhYnnl2ErOcdvz7WN4n+LoSkZVkfPcPExAF
|
||||
uXnT6v16rYfxCgZDPB/tSYaRhOxpJgaAHGA9PrfwprM4xQm9HLIWtidyIGtkgynQ
|
||||
rrtxaCculbPOMxc1od7V0jw8/Sj4pdKjijmdvY3VsvuQPu6Lo7qV94u3pYN+WSP9
|
||||
ESPcY0lvIV0s0eYxzU5LOU7FZRv6gpe658yxnpaQf13M3sFBqcQEnw+vIjNyaBBK
|
||||
Nm4jVFeKCN3aIz+yJL8y14HEnV/tnhtIrr33MAJvsG1qFBY7iFvbvlx/gKDW7qyk
|
||||
V0/iN2uElrJZIGxD2uPMZNXO+dci+EriMwIBAg==
|
||||
MIIBDAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
|
||||
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
|
||||
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
|
||||
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
|
||||
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
|
||||
5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAgICB/8=
|
||||
-----END DH PARAMETERS-----
|
||||
|
||||
@ -17,14 +17,14 @@ test-11 = 11-RSA-PSS Signature Algorithm Selection
|
||||
test-12 = 12-RSA key exchange with all RSA certificate types
|
||||
test-13 = 13-Suite B P-256 Hash Algorithm Selection
|
||||
test-14 = 14-Suite B P-384 Hash Algorithm Selection
|
||||
test-15 = 15-ECDSA Signature Algorithm Selection SHA1
|
||||
test-16 = 16-Ed25519 CipherString and Signature Algorithm Selection
|
||||
test-17 = 17-Ed448 CipherString and Signature Algorithm Selection
|
||||
test-18 = 18-ECDSA with brainpool
|
||||
test-19 = 19-Ed25519 CipherString and Curves Selection
|
||||
test-20 = 20-Ed448 CipherString and Curves Selection
|
||||
test-21 = 21-TLS 1.2 Ed25519 Client Auth
|
||||
test-22 = 22-TLS 1.2 Ed448 Client Auth
|
||||
test-15 = 15-Ed25519 CipherString and Signature Algorithm Selection
|
||||
test-16 = 16-Ed448 CipherString and Signature Algorithm Selection
|
||||
test-17 = 17-Ed25519 CipherString and Curves Selection
|
||||
test-18 = 18-Ed448 CipherString and Curves Selection
|
||||
test-19 = 19-TLS 1.2 Ed25519 Client Auth
|
||||
test-20 = 20-TLS 1.2 Ed448 Client Auth
|
||||
test-21 = 21-ECDSA Signature Algorithm Selection SHA1
|
||||
test-22 = 22-ECDSA with brainpool
|
||||
test-23 = 23-RSA-PSS Certificate CipherString Selection
|
||||
test-24 = 24-RSA-PSS Certificate Legacy Signature Algorithm Selection
|
||||
test-25 = 25-RSA-PSS Certificate Unified Signature Algorithm Selection
|
||||
@ -529,48 +529,14 @@ ExpectedServerSignType = EC
|
||||
|
||||
# ===========================================================
|
||||
|
||||
[15-ECDSA Signature Algorithm Selection SHA1]
|
||||
ssl_conf = 15-ECDSA Signature Algorithm Selection SHA1-ssl
|
||||
[15-Ed25519 CipherString and Signature Algorithm Selection]
|
||||
ssl_conf = 15-Ed25519 CipherString and Signature Algorithm Selection-ssl
|
||||
|
||||
[15-ECDSA Signature Algorithm Selection SHA1-ssl]
|
||||
server = 15-ECDSA Signature Algorithm Selection SHA1-server
|
||||
client = 15-ECDSA Signature Algorithm Selection SHA1-client
|
||||
[15-Ed25519 CipherString and Signature Algorithm Selection-ssl]
|
||||
server = 15-Ed25519 CipherString and Signature Algorithm Selection-server
|
||||
client = 15-Ed25519 CipherString and Signature Algorithm Selection-client
|
||||
|
||||
[15-ECDSA Signature Algorithm Selection SHA1-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
CipherString = DEFAULT:@SECLEVEL=0
|
||||
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
|
||||
ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
|
||||
Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
|
||||
Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
|
||||
Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
|
||||
Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
|
||||
MaxProtocol = TLSv1.2
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
|
||||
[15-ECDSA Signature Algorithm Selection SHA1-client]
|
||||
CipherString = DEFAULT:@SECLEVEL=0
|
||||
SignatureAlgorithms = ECDSA+SHA1
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
[test-15]
|
||||
ExpectedResult = Success
|
||||
ExpectedServerCertType = P-256
|
||||
ExpectedServerSignHash = SHA1
|
||||
ExpectedServerSignType = EC
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
||||
[16-Ed25519 CipherString and Signature Algorithm Selection]
|
||||
ssl_conf = 16-Ed25519 CipherString and Signature Algorithm Selection-ssl
|
||||
|
||||
[16-Ed25519 CipherString and Signature Algorithm Selection-ssl]
|
||||
server = 16-Ed25519 CipherString and Signature Algorithm Selection-server
|
||||
client = 16-Ed25519 CipherString and Signature Algorithm Selection-client
|
||||
|
||||
[16-Ed25519 CipherString and Signature Algorithm Selection-server]
|
||||
[15-Ed25519 CipherString and Signature Algorithm Selection-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
CipherString = DEFAULT
|
||||
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
|
||||
@ -582,7 +548,7 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
|
||||
MaxProtocol = TLSv1.2
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
|
||||
[16-Ed25519 CipherString and Signature Algorithm Selection-client]
|
||||
[15-Ed25519 CipherString and Signature Algorithm Selection-client]
|
||||
CipherString = aECDSA
|
||||
MaxProtocol = TLSv1.2
|
||||
RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
|
||||
@ -590,7 +556,7 @@ SignatureAlgorithms = ed25519:ECDSA+SHA256
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
[test-16]
|
||||
[test-15]
|
||||
ExpectedResult = Success
|
||||
ExpectedServerCANames = empty
|
||||
ExpectedServerCertType = Ed25519
|
||||
@ -599,14 +565,14 @@ ExpectedServerSignType = Ed25519
|
||||
|
||||
# ===========================================================
|
||||
|
||||
[17-Ed448 CipherString and Signature Algorithm Selection]
|
||||
ssl_conf = 17-Ed448 CipherString and Signature Algorithm Selection-ssl
|
||||
[16-Ed448 CipherString and Signature Algorithm Selection]
|
||||
ssl_conf = 16-Ed448 CipherString and Signature Algorithm Selection-ssl
|
||||
|
||||
[17-Ed448 CipherString and Signature Algorithm Selection-ssl]
|
||||
server = 17-Ed448 CipherString and Signature Algorithm Selection-server
|
||||
client = 17-Ed448 CipherString and Signature Algorithm Selection-client
|
||||
[16-Ed448 CipherString and Signature Algorithm Selection-ssl]
|
||||
server = 16-Ed448 CipherString and Signature Algorithm Selection-server
|
||||
client = 16-Ed448 CipherString and Signature Algorithm Selection-client
|
||||
|
||||
[17-Ed448 CipherString and Signature Algorithm Selection-server]
|
||||
[16-Ed448 CipherString and Signature Algorithm Selection-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
CipherString = DEFAULT
|
||||
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
|
||||
@ -618,7 +584,7 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
|
||||
MaxProtocol = TLSv1.2
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
|
||||
[17-Ed448 CipherString and Signature Algorithm Selection-client]
|
||||
[16-Ed448 CipherString and Signature Algorithm Selection-client]
|
||||
CipherString = aECDSA
|
||||
MaxProtocol = TLSv1.2
|
||||
RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
|
||||
@ -626,7 +592,7 @@ SignatureAlgorithms = ed448:ECDSA+SHA256
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
[test-17]
|
||||
[test-16]
|
||||
ExpectedResult = Success
|
||||
ExpectedServerCANames = empty
|
||||
ExpectedServerCertType = Ed448
|
||||
@ -635,43 +601,14 @@ ExpectedServerSignType = Ed448
|
||||
|
||||
# ===========================================================
|
||||
|
||||
[18-ECDSA with brainpool]
|
||||
ssl_conf = 18-ECDSA with brainpool-ssl
|
||||
[17-Ed25519 CipherString and Curves Selection]
|
||||
ssl_conf = 17-Ed25519 CipherString and Curves Selection-ssl
|
||||
|
||||
[18-ECDSA with brainpool-ssl]
|
||||
server = 18-ECDSA with brainpool-server
|
||||
client = 18-ECDSA with brainpool-client
|
||||
[17-Ed25519 CipherString and Curves Selection-ssl]
|
||||
server = 17-Ed25519 CipherString and Curves Selection-server
|
||||
client = 17-Ed25519 CipherString and Curves Selection-client
|
||||
|
||||
[18-ECDSA with brainpool-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
|
||||
CipherString = DEFAULT
|
||||
Groups = brainpoolP256r1
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
|
||||
|
||||
[18-ECDSA with brainpool-client]
|
||||
CipherString = aECDSA
|
||||
Groups = brainpoolP256r1
|
||||
RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
[test-18]
|
||||
ExpectedResult = Success
|
||||
ExpectedServerCANames = empty
|
||||
ExpectedServerCertType = brainpoolP256r1
|
||||
ExpectedServerSignType = EC
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
||||
[19-Ed25519 CipherString and Curves Selection]
|
||||
ssl_conf = 19-Ed25519 CipherString and Curves Selection-ssl
|
||||
|
||||
[19-Ed25519 CipherString and Curves Selection-ssl]
|
||||
server = 19-Ed25519 CipherString and Curves Selection-server
|
||||
client = 19-Ed25519 CipherString and Curves Selection-client
|
||||
|
||||
[19-Ed25519 CipherString and Curves Selection-server]
|
||||
[17-Ed25519 CipherString and Curves Selection-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
CipherString = DEFAULT
|
||||
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
|
||||
@ -683,7 +620,7 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
|
||||
MaxProtocol = TLSv1.2
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
|
||||
[19-Ed25519 CipherString and Curves Selection-client]
|
||||
[17-Ed25519 CipherString and Curves Selection-client]
|
||||
CipherString = aECDSA
|
||||
Curves = X25519
|
||||
MaxProtocol = TLSv1.2
|
||||
@ -691,7 +628,7 @@ SignatureAlgorithms = ECDSA+SHA256:ed25519
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
[test-19]
|
||||
[test-17]
|
||||
ExpectedResult = Success
|
||||
ExpectedServerCertType = Ed25519
|
||||
ExpectedServerSignType = Ed25519
|
||||
@ -699,14 +636,14 @@ ExpectedServerSignType = Ed25519
|
||||
|
||||
# ===========================================================
|
||||
|
||||
[20-Ed448 CipherString and Curves Selection]
|
||||
ssl_conf = 20-Ed448 CipherString and Curves Selection-ssl
|
||||
[18-Ed448 CipherString and Curves Selection]
|
||||
ssl_conf = 18-Ed448 CipherString and Curves Selection-ssl
|
||||
|
||||
[20-Ed448 CipherString and Curves Selection-ssl]
|
||||
server = 20-Ed448 CipherString and Curves Selection-server
|
||||
client = 20-Ed448 CipherString and Curves Selection-client
|
||||
[18-Ed448 CipherString and Curves Selection-ssl]
|
||||
server = 18-Ed448 CipherString and Curves Selection-server
|
||||
client = 18-Ed448 CipherString and Curves Selection-client
|
||||
|
||||
[20-Ed448 CipherString and Curves Selection-server]
|
||||
[18-Ed448 CipherString and Curves Selection-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
CipherString = DEFAULT
|
||||
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
|
||||
@ -718,7 +655,7 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
|
||||
MaxProtocol = TLSv1.2
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
|
||||
[20-Ed448 CipherString and Curves Selection-client]
|
||||
[18-Ed448 CipherString and Curves Selection-client]
|
||||
CipherString = aECDSA
|
||||
Curves = X448
|
||||
MaxProtocol = TLSv1.2
|
||||
@ -726,7 +663,7 @@ SignatureAlgorithms = ECDSA+SHA256:ed448
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
[test-20]
|
||||
[test-18]
|
||||
ExpectedResult = Success
|
||||
ExpectedServerCertType = Ed448
|
||||
ExpectedServerSignType = Ed448
|
||||
@ -734,21 +671,21 @@ ExpectedServerSignType = Ed448
|
||||
|
||||
# ===========================================================
|
||||
|
||||
[21-TLS 1.2 Ed25519 Client Auth]
|
||||
ssl_conf = 21-TLS 1.2 Ed25519 Client Auth-ssl
|
||||
[19-TLS 1.2 Ed25519 Client Auth]
|
||||
ssl_conf = 19-TLS 1.2 Ed25519 Client Auth-ssl
|
||||
|
||||
[21-TLS 1.2 Ed25519 Client Auth-ssl]
|
||||
server = 21-TLS 1.2 Ed25519 Client Auth-server
|
||||
client = 21-TLS 1.2 Ed25519 Client Auth-client
|
||||
[19-TLS 1.2 Ed25519 Client Auth-ssl]
|
||||
server = 19-TLS 1.2 Ed25519 Client Auth-server
|
||||
client = 19-TLS 1.2 Ed25519 Client Auth-client
|
||||
|
||||
[21-TLS 1.2 Ed25519 Client Auth-server]
|
||||
[19-TLS 1.2 Ed25519 Client Auth-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
CipherString = DEFAULT
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
|
||||
VerifyMode = Require
|
||||
|
||||
[21-TLS 1.2 Ed25519 Client Auth-client]
|
||||
[19-TLS 1.2 Ed25519 Client Auth-client]
|
||||
CipherString = DEFAULT
|
||||
Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem
|
||||
Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem
|
||||
@ -757,7 +694,7 @@ MinProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
[test-21]
|
||||
[test-19]
|
||||
ExpectedClientCertType = Ed25519
|
||||
ExpectedClientSignType = Ed25519
|
||||
ExpectedResult = Success
|
||||
@ -765,21 +702,21 @@ ExpectedResult = Success
|
||||
|
||||
# ===========================================================
|
||||
|
||||
[22-TLS 1.2 Ed448 Client Auth]
|
||||
ssl_conf = 22-TLS 1.2 Ed448 Client Auth-ssl
|
||||
[20-TLS 1.2 Ed448 Client Auth]
|
||||
ssl_conf = 20-TLS 1.2 Ed448 Client Auth-ssl
|
||||
|
||||
[22-TLS 1.2 Ed448 Client Auth-ssl]
|
||||
server = 22-TLS 1.2 Ed448 Client Auth-server
|
||||
client = 22-TLS 1.2 Ed448 Client Auth-client
|
||||
[20-TLS 1.2 Ed448 Client Auth-ssl]
|
||||
server = 20-TLS 1.2 Ed448 Client Auth-server
|
||||
client = 20-TLS 1.2 Ed448 Client Auth-client
|
||||
|
||||
[22-TLS 1.2 Ed448 Client Auth-server]
|
||||
[20-TLS 1.2 Ed448 Client Auth-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
CipherString = DEFAULT
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
|
||||
VerifyMode = Require
|
||||
|
||||
[22-TLS 1.2 Ed448 Client Auth-client]
|
||||
[20-TLS 1.2 Ed448 Client Auth-client]
|
||||
CipherString = DEFAULT
|
||||
Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed448-cert.pem
|
||||
Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed448-key.pem
|
||||
@ -788,12 +725,75 @@ MinProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
[test-22]
|
||||
[test-20]
|
||||
ExpectedClientCertType = Ed448
|
||||
ExpectedClientSignType = Ed448
|
||||
ExpectedResult = Success
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
||||
[21-ECDSA Signature Algorithm Selection SHA1]
|
||||
ssl_conf = 21-ECDSA Signature Algorithm Selection SHA1-ssl
|
||||
|
||||
[21-ECDSA Signature Algorithm Selection SHA1-ssl]
|
||||
server = 21-ECDSA Signature Algorithm Selection SHA1-server
|
||||
client = 21-ECDSA Signature Algorithm Selection SHA1-client
|
||||
|
||||
[21-ECDSA Signature Algorithm Selection SHA1-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
CipherString = DEFAULT:@SECLEVEL=0
|
||||
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
|
||||
ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
|
||||
Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
|
||||
Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
|
||||
Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
|
||||
Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
|
||||
MaxProtocol = TLSv1.2
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
|
||||
[21-ECDSA Signature Algorithm Selection SHA1-client]
|
||||
CipherString = DEFAULT:@SECLEVEL=0
|
||||
SignatureAlgorithms = ECDSA+SHA1
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
[test-21]
|
||||
ExpectedResult = Success
|
||||
ExpectedServerCertType = P-256
|
||||
ExpectedServerSignHash = SHA1
|
||||
ExpectedServerSignType = EC
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
||||
[22-ECDSA with brainpool]
|
||||
ssl_conf = 22-ECDSA with brainpool-ssl
|
||||
|
||||
[22-ECDSA with brainpool-ssl]
|
||||
server = 22-ECDSA with brainpool-server
|
||||
client = 22-ECDSA with brainpool-client
|
||||
|
||||
[22-ECDSA with brainpool-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
|
||||
CipherString = DEFAULT
|
||||
Groups = brainpoolP256r1
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
|
||||
|
||||
[22-ECDSA with brainpool-client]
|
||||
CipherString = aECDSA
|
||||
Groups = brainpoolP256r1
|
||||
RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
[test-22]
|
||||
ExpectedResult = Success
|
||||
ExpectedServerCANames = empty
|
||||
ExpectedServerCertType = brainpoolP256r1
|
||||
ExpectedServerSignType = EC
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
||||
[23-RSA-PSS Certificate CipherString Selection]
|
||||
|
||||
@ -12,26 +12,15 @@ use OpenSSL::Test::Utils;
|
||||
our $fips_mode;
|
||||
our $no_deflt_libctx;
|
||||
|
||||
my $server;
|
||||
|
||||
if ($fips_mode) {
|
||||
#TODO(3.0): No EdDSA support in FIPS mode at the moment
|
||||
$server = {
|
||||
"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
|
||||
"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
|
||||
"MaxProtocol" => "TLSv1.2"
|
||||
};
|
||||
} else {
|
||||
$server = {
|
||||
"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
|
||||
"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
|
||||
"Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
|
||||
"Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
|
||||
"Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
|
||||
"Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
|
||||
"MaxProtocol" => "TLSv1.2"
|
||||
};
|
||||
}
|
||||
my $server = {
|
||||
"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
|
||||
"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
|
||||
"Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
|
||||
"Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
|
||||
"Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
|
||||
"Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
|
||||
"MaxProtocol" => "TLSv1.2"
|
||||
};
|
||||
|
||||
my $server_pss = {
|
||||
"PSS.Certificate" => test_pem("server-pss-cert.pem"),
|
||||
@ -304,33 +293,6 @@ our @tests = (
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
);
|
||||
|
||||
my @tests_non_fips = (
|
||||
{
|
||||
name => "ECDSA Signature Algorithm Selection SHA1",
|
||||
server => {
|
||||
"CipherString" => "DEFAULT:\@SECLEVEL=0",
|
||||
"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
|
||||
"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
|
||||
"Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
|
||||
"Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
|
||||
"Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
|
||||
"Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
|
||||
"MaxProtocol" => "TLSv1.2"
|
||||
},
|
||||
client => {
|
||||
"CipherString" => "DEFAULT:\@SECLEVEL=0",
|
||||
"SignatureAlgorithms" => "ECDSA+SHA1",
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" => "P-256",
|
||||
"ExpectedServerSignHash" => "SHA1",
|
||||
"ExpectedServerSignType" => "EC",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
# TODO(3.0) No Ed25519/Ed448 in FIPS mode at the moment
|
||||
{
|
||||
name => "Ed25519 CipherString and Signature Algorithm Selection",
|
||||
server => $server,
|
||||
@ -366,28 +328,6 @@ my @tests_non_fips = (
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "ECDSA with brainpool",
|
||||
server => {
|
||||
"Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
|
||||
"PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
|
||||
"Groups" => "brainpoolP256r1",
|
||||
},
|
||||
client => {
|
||||
#We don't restrict this to TLSv1.2, although use of brainpool
|
||||
#should force this anyway so that this should succeed
|
||||
"CipherString" => "aECDSA",
|
||||
"RequestCAFile" => test_pem("root-cert.pem"),
|
||||
"Groups" => "brainpoolP256r1",
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" =>, "brainpoolP256r1",
|
||||
"ExpectedServerSignType" =>, "EC",
|
||||
# Note: certificate_authorities not sent for TLS < 1.3
|
||||
"ExpectedServerCANames" =>, "empty",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "Ed25519 CipherString and Curves Selection",
|
||||
server => $server,
|
||||
@ -461,6 +401,54 @@ my @tests_non_fips = (
|
||||
},
|
||||
);
|
||||
|
||||
my @tests_non_fips = (
|
||||
{
|
||||
name => "ECDSA Signature Algorithm Selection SHA1",
|
||||
server => {
|
||||
"CipherString" => "DEFAULT:\@SECLEVEL=0",
|
||||
"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
|
||||
"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
|
||||
"Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
|
||||
"Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
|
||||
"Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
|
||||
"Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
|
||||
"MaxProtocol" => "TLSv1.2"
|
||||
},
|
||||
client => {
|
||||
"CipherString" => "DEFAULT:\@SECLEVEL=0",
|
||||
"SignatureAlgorithms" => "ECDSA+SHA1",
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" => "P-256",
|
||||
"ExpectedServerSignHash" => "SHA1",
|
||||
"ExpectedServerSignType" => "EC",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "ECDSA with brainpool",
|
||||
server => {
|
||||
"Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
|
||||
"PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
|
||||
"Groups" => "brainpoolP256r1",
|
||||
},
|
||||
client => {
|
||||
#We don't restrict this to TLSv1.2, although use of brainpool
|
||||
#should force this anyway so that this should succeed
|
||||
"CipherString" => "aECDSA",
|
||||
"RequestCAFile" => test_pem("root-cert.pem"),
|
||||
"Groups" => "brainpoolP256r1",
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" =>, "brainpoolP256r1",
|
||||
"ExpectedServerSignType" =>, "EC",
|
||||
# Note: certificate_authorities not sent for TLS < 1.3
|
||||
"ExpectedServerCANames" =>, "empty",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
);
|
||||
|
||||
my @tests_pss = (
|
||||
{
|
||||
name => "RSA-PSS Certificate CipherString Selection",
|
||||
@ -980,7 +968,6 @@ my @tests_dsa_tls_1_3 = (
|
||||
);
|
||||
|
||||
if (!disabled("dsa")) {
|
||||
#TODO(3.0): Temporary workaround for DH issues in FIPS. Needs investigation
|
||||
push @tests, @tests_dsa_tls_1_2 unless disabled("dh") || $fips_mode;
|
||||
push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
|
||||
push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
|
||||
}
|
||||
|
||||
@ -81,6 +81,5 @@ our @tests_tls1_2 = (
|
||||
},
|
||||
);
|
||||
|
||||
#TODO(3.0): No Ed448 or X25519 in FIPS mode at the moment
|
||||
push @tests, @tests_ec unless disabled("ec") || $fips_mode;
|
||||
push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec")|| $fips_mode;
|
||||
push @tests, @tests_ec unless disabled("ec");
|
||||
push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec");
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user