[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Wed Sep 20 11:52:32 UTC 2017
The branch master has been updated
via 800c4883d0a0e98fa511ee166bd0c6fbfb4baf22 (commit)
via 613816fcae2ad73cd75ebcef474e17bdf3fa4c9d (commit)
via 6aaa29fb35c6d830c19e673650e6baf3f21ceda0 (commit)
via b46867d771a5e08bbee450d73ff332388b93df96 (commit)
via 045d078aefdf8d5b077485630bfd21b09980d2ec (commit)
from 6b1c8204b33aaedb7df7a009c241412839aaf950 (commit)
- Log -----------------------------------------------------------------
commit 800c4883d0a0e98fa511ee166bd0c6fbfb4baf22
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Thu Sep 14 15:23:25 2017 +0100
Add RSA-PSS certificate type TLS tests
Reviewed-by: Ben Kaduk <kaduk at mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4368)
commit 613816fcae2ad73cd75ebcef474e17bdf3fa4c9d
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Thu Sep 14 13:51:39 2017 +0100
Add RSA-PSS test certificates
Reviewed-by: Ben Kaduk <kaduk at mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4368)
commit 6aaa29fb35c6d830c19e673650e6baf3f21ceda0
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Thu Sep 14 14:48:39 2017 +0100
Allow use of RSA-PSS certificates in TLS 1.2
Reviewed-by: Ben Kaduk <kaduk at mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4368)
commit b46867d771a5e08bbee450d73ff332388b93df96
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Thu Sep 14 14:53:52 2017 +0100
Allow RSA certificates to be used for RSA-PSS
Allo RSA certificate to be used for RSA-PSS signatures: this needs
to be explicit because RSA and RSA-PSS certificates are now distinct
types.
Reviewed-by: Ben Kaduk <kaduk at mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4368)
commit 045d078aefdf8d5b077485630bfd21b09980d2ec
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Wed Sep 13 13:53:03 2017 +0100
Add RSA-PSS key certificate type.
Recognise RSA-PSS certificate algorithm and add a new certificate
type.
Reviewed-by: Ben Kaduk <kaduk at mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4368)
-----------------------------------------------------------------------
Summary of changes:
ssl/ssl_cert_table.h | 1 +
ssl/ssl_lib.c | 10 +-
ssl/ssl_locl.h | 21 +-
ssl/t1_lib.c | 42 +++-
test/certs/server-pss-cert.pem | 19 ++
test/certs/server-pss-key.pem | 28 +++
test/ssl-tests/20-cert-select.conf | 400 +++++++++++++++++++++++-----------
test/ssl-tests/20-cert-select.conf.in | 84 ++++++-
8 files changed, 452 insertions(+), 153 deletions(-)
create mode 100644 test/certs/server-pss-cert.pem
create mode 100644 test/certs/server-pss-key.pem
diff --git a/ssl/ssl_cert_table.h b/ssl/ssl_cert_table.h
index eae9ff2..fd6a1ad 100644
--- a/ssl/ssl_cert_table.h
+++ b/ssl/ssl_cert_table.h
@@ -12,6 +12,7 @@
*/
static const SSL_CERT_LOOKUP ssl_cert_info [] = {
{EVP_PKEY_RSA, SSL_aRSA}, /* SSL_PKEY_RSA */
+ {EVP_PKEY_RSA_PSS, SSL_aRSA}, /* SSL_PKEY_RSA_PSS_SIGN */
{EVP_PKEY_DSA, SSL_aDSS}, /* SSL_PKEY_DSA_SIGN */
{EVP_PKEY_EC, SSL_aECDSA}, /* SSL_PKEY_ECC */
{NID_id_GostR3410_2001, SSL_aGOST01}, /* SSL_PKEY_GOST01 */
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index b02d4f1..cc110bc 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3090,9 +3090,15 @@ void ssl_set_masks(SSL *s)
if (dh_tmp)
mask_k |= SSL_kDHE;
- if (rsa_enc || rsa_sign) {
+ /*
+ * If we only have an RSA-PSS certificate allow RSA authentication
+ * if TLS 1.2 and peer supports it.
+ */
+
+ if (rsa_enc || rsa_sign || (ssl_has_cert(s, SSL_PKEY_RSA_PSS_SIGN)
+ && pvalid[SSL_PKEY_RSA_PSS_SIGN] & CERT_PKEY_EXPLICIT_SIGN
+ && TLS1_get_version(s) == TLS1_2_VERSION))
mask_a |= SSL_aRSA;
- }
if (dsa_sign) {
mask_a |= SSL_aDSS;
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 64d5e72..95e6041 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -363,25 +363,20 @@
/* Mostly for SSLv3 */
# define SSL_PKEY_RSA 0
-# define SSL_PKEY_DSA_SIGN 1
-# define SSL_PKEY_ECC 2
-# define SSL_PKEY_GOST01 3
-# define SSL_PKEY_GOST12_256 4
-# define SSL_PKEY_GOST12_512 5
-# define SSL_PKEY_ED25519 6
-# define SSL_PKEY_NUM 7
+# define SSL_PKEY_RSA_PSS_SIGN 1
+# define SSL_PKEY_DSA_SIGN 2
+# define SSL_PKEY_ECC 3
+# define SSL_PKEY_GOST01 4
+# define SSL_PKEY_GOST12_256 5
+# define SSL_PKEY_GOST12_512 6
+# define SSL_PKEY_ED25519 7
+# define SSL_PKEY_NUM 8
/*
* Pseudo-constant. GOST cipher suites can use different certs for 1
* SSL_CIPHER. So let's see which one we have in fact.
*/
# define SSL_PKEY_GOST_EC SSL_PKEY_NUM+1
-/*
- * TODO(TLS1.3) for now use SSL_PKEY_RSA keys for PSS
- */
-
-#define SSL_PKEY_RSA_PSS_SIGN SSL_PKEY_RSA
-
/*-
* SSL_kRSA <- RSA_ENC
* SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 48c33de..2aa4261 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -799,6 +799,7 @@ static const SIGALG_LOOKUP legacy_rsa_sigalg = {
*/
static const uint16_t tls_default_sigalg[] = {
TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */
+ 0, /* SSL_PKEY_RSA_PSS_SIGN */
TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */
TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */
TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */
@@ -2126,6 +2127,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
void tls1_set_cert_validity(SSL *s)
{
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA);
+ tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN);
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
@@ -2266,18 +2268,23 @@ int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
/*
* For TLS 1.2 servers check if we have a certificate which can be used
- * with the signature algorithm "lu".
+ * with the signature algorithm "lu" and return index of certificate.
*/
-static int tls12_check_cert_sigalg(const SSL *s, const SIGALG_LOOKUP *lu)
+static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu)
{
- const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(lu->sig_idx);
+ int sig_idx = lu->sig_idx;
+ const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx);
/* If not recognised or not supported by cipher mask it is not suitable */
if (clu == NULL || !(clu->amask & s->s3->tmp.new_cipher->algorithm_auth))
- return 0;
+ return -1;
+
+ /* If PSS and we have no PSS cert use RSA */
+ if (sig_idx == SSL_PKEY_RSA_PSS_SIGN && !ssl_has_cert(s, sig_idx))
+ sig_idx = SSL_PKEY_RSA;
- return s->s3->tmp.valid_flags[lu->sig_idx] & CERT_PKEY_VALID ? 1 : 0;
+ return s->s3->tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1;
}
/*
@@ -2294,6 +2301,7 @@ static int tls12_check_cert_sigalg(const SSL *s, const SIGALG_LOOKUP *lu)
int tls_choose_sigalg(SSL *s, int *al)
{
const SIGALG_LOOKUP *lu = NULL;
+ int sig_idx = -1;
s->s3->tmp.cert = NULL;
s->s3->tmp.sigalg = NULL;
@@ -2316,8 +2324,12 @@ int tls_choose_sigalg(SSL *s, int *al)
continue;
if (!tls1_lookup_md(lu, NULL))
continue;
- if (!ssl_has_cert(s, lu->sig_idx))
+ if (!ssl_has_cert(s, lu->sig_idx)) {
+ if (lu->sig_idx != SSL_PKEY_RSA_PSS_SIGN
+ || !ssl_has_cert(s, SSL_PKEY_RSA))
continue;
+ sig_idx = SSL_PKEY_RSA;
+ }
if (lu->sig == EVP_PKEY_EC) {
#ifndef OPENSSL_NO_EC
if (curve == -1) {
@@ -2374,10 +2386,18 @@ int tls_choose_sigalg(SSL *s, int *al)
lu = s->cert->shared_sigalgs[i];
if (s->server) {
- if (!tls12_check_cert_sigalg(s, lu))
- continue;
- } else if (lu->sig_idx != s->cert->key - s->cert->pkeys) {
+ if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1)
continue;
+ } else {
+ int cc_idx = s->cert->key - s->cert->pkeys;
+
+ sig_idx = lu->sig_idx;
+ if (cc_idx != sig_idx) {
+ if (sig_idx != SSL_PKEY_RSA_PSS_SIGN
+ || cc_idx != SSL_PKEY_RSA)
+ continue;
+ sig_idx = SSL_PKEY_RSA;
+ }
}
#ifndef OPENSSL_NO_EC
if (curve == -1 || lu->curve == curve)
@@ -2430,7 +2450,9 @@ int tls_choose_sigalg(SSL *s, int *al)
}
}
}
- s->s3->tmp.cert = &s->cert->pkeys[lu->sig_idx];
+ if (sig_idx == -1)
+ sig_idx = lu->sig_idx;
+ s->s3->tmp.cert = &s->cert->pkeys[sig_idx];
s->cert->key = s->s3->tmp.cert;
s->s3->tmp.sigalg = lu;
return 1;
diff --git a/test/certs/server-pss-cert.pem b/test/certs/server-pss-cert.pem
new file mode 100644
index 0000000..5777c4d
--- /dev/null
+++ b/test/certs/server-pss-cert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGzCCAgOgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE3MDkxNDEyNTg0MVoYDzIxMTcwOTE1MTI1ODQxWjAVMRMwEQYDVQQD
+DApSU0FTU0EtUFNTMIIBIDALBgkqhkiG9w0BAQoDggEPADCCAQoCggEBAJzIk36B
+urRLuRWsMHUzcmoNDYEZw4VMN0ZNVGUYj7RJtCP6wKBcQEkHu667J3XGxUm3RHT8
+EBv2R+XKcVX+VOc8SSb5+k1/QCHXF1qamNFan7wtYjgbAXiA0/Wg9ydlhfwj5gp4
+n5168Lc/DnkFBdyMSylNOESUvtKyu811l+ecakeidUbUnLGF2XbqyK1WKp18t1n1
+rJYi/+oMm8xoJPMtWjoC2zit3wT1k8+9lClxWZFhLmDFy0lmT8FAVvMOk4Y/E+2e
+Q0sRrV+REsfyFEoytmoGKlwO9z2gK5n3WaJx+Y15EykMG6CsjBp84iCiFkd6LOND
+nXQBBLAvmg1Ci8UCAwEAAaN5MHcwHQYDVR0OBBYEFG+1oaEnl3Bs6E2vHFdWwUY0
+qdlhMB8GA1UdIwQYMBaAFHB/Lq6DaFmYBCMqzes+F80k3QFJMAkGA1UdEwQCMAAw
+EwYDVR0lBAwwCgYIKwYBBQUHAwEwFQYDVR0RBA4wDIIKUlNBU1NBLVBTUzANBgkq
+hkiG9w0BAQsFAAOCAQEAh1MrKKwdpsjT7Q+gfyAXQRgwBz15m08eZip7rznzieE0
++PuXaGQT9jOEmSKTtEHd07mJ0YMijdGvItrZaodUV0rscdCFd4lUe4uctirjVMIU
+OKALZ7HsobWvKWnob2GRQJ/vTB7plUeclFhX1FskiG7kh50cMeeL2Oy7Oy4csf7e
+2ab5q1dYri1Yk7HSi/XXGwomvWz8jGqUS9UGJrQQENrogg5Ue315u32lbR+N7gTB
+7w3KirvpP+wzJgiTqMJ9BuGo8vSoXA3qrmBaYS/FQ7x4gQ86Jb0oLRuTiyniWC/v
+A4exY19iM/j6/IQWM4IY7iuNAU3DMGdXOHkuxryizA==
+-----END CERTIFICATE-----
diff --git a/test/certs/server-pss-key.pem b/test/certs/server-pss-key.pem
new file mode 100644
index 0000000..6b2d8cc
--- /dev/null
+++ b/test/certs/server-pss-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADALBgkqhkiG9w0BAQoEggSoMIIEpAIBAAKCAQEAnMiTfoG6tEu5Faww
+dTNyag0NgRnDhUw3Rk1UZRiPtEm0I/rAoFxASQe7rrsndcbFSbdEdPwQG/ZH5cpx
+Vf5U5zxJJvn6TX9AIdcXWpqY0VqfvC1iOBsBeIDT9aD3J2WF/CPmCnifnXrwtz8O
+eQUF3IxLKU04RJS+0rK7zXWX55xqR6J1RtScsYXZdurIrVYqnXy3WfWsliL/6gyb
+zGgk8y1aOgLbOK3fBPWTz72UKXFZkWEuYMXLSWZPwUBW8w6Thj8T7Z5DSxGtX5ES
+x/IUSjK2agYqXA73PaArmfdZonH5jXkTKQwboKyMGnziIKIWR3os40OddAEEsC+a
+DUKLxQIDAQABAoIBAAGf1l9eKrgJfM5rrUjZkprkrbojsTHlW0FANdqiSYLdrJ8e
+zvYaXpQjH1+tEriWqZ6c5nmrzuLrR01rLodsjiajKkLcHirFYb24A8btiR3KKZOC
+iNz58qbz9r45v7XJyHyXRp/fJhA0oN/VKGo6khf54CF6alXTkLKQJX/4cu10XkJd
+lknXMiQsGBzt7WezRzqzbJsMSjhSPBowmapDRYqALIlINY96f3QUALiKh0WwkbEB
+MU71Hharv9+jwpu58NcGXHvNfqQYUU6QTXiOKTxt71VChO6lefazaTrCYan9Zpx/
+6rofVqkpZUebNI1gVa/FbzGaMhQYlMWEhvk+sZUCgYEAzftGwnoHbMoyXbw30bAJ
+MMEvc892o2qJPPnHJMwKIHDVEnY026c/TO5FSGhKcv9CPKe6bcdA6CtPjSGA484z
+ErLo9GfWigN4jVkn3eYKUKFn0+tQ4HKYoPZrBApQ9pm25/KpPSIsVJ6iuEN72CZU
+MM1y8NgCF2IlAvi04org8e8CgYEAwtrufdryJHQ+o69fhCMfYe1mCCuGeaueIEfa
+ccZUSfe1A7p5mqSjYTw4GW6E64uELUkVGkZpuVj3Qwr2BmCY7u4Hgp5Lg+WWVZt7
+qvHhDnb19ITL1nrXAKBr2XPlkUSnPJ+Dl20F8ErIb4zsnq7xH+AoDIZldh/wCflY
+mW7mwYsCgYEAxKs8vocg+8B7IoCJk05PGBv8IMlfb1xTOMMMX5fpu1vANWZjxa4E
+hIGj6SSaoP4T0jIbkKGE2agwxoHMvLWukhX80w8qCpCR0/PiWr4/7wiNSAwQJp2E
+GXvuZecrsqjFuOU6rcIpLYphtynH33OJQyeGrWqxZH4y9IlevEb5zEUCgYEAudis
+PVeVOdWxZNdAp7wEE5ekiEhTMzrPT4SYwYljHUVn3Y1+rFM5DOWtr/vsROhFghfB
+S9U6wzAqbURIER8S3lgiy58E8WEJeM8aLZoTiINH5Ra/f+qbpBpdowJaQ6qSQ0z0
+6nluf5gkAdkMWfELQ9a8++03WmntvOWYbocLCi8CgYASTpxnjl62YY201mIkVAKC
+b6XK+RQS2ZohTintLqzePwKR3XJrlwAz9smyMqUTFklkmrc6XQABVfnpZOnOZEdV
+kzsvLmQin9a9Mr6n1WYz9YQDuS2wY0NAbCzy61YYXO9IdNyQTWolWLmyzwpUXP/D
+T28vNzPfGv4WW1OjDtFmQg==
+-----END PRIVATE KEY-----
diff --git a/test/ssl-tests/20-cert-select.conf b/test/ssl-tests/20-cert-select.conf
index 47d2131..b2aab95 100644
--- a/test/ssl-tests/20-cert-select.conf
+++ b/test/ssl-tests/20-cert-select.conf
@@ -1,24 +1,29 @@
# Generated with generate_ssl_tests.pl
-num_tests = 17
+num_tests = 22
test-0 = 0-ECDSA CipherString Selection
test-1 = 1-Ed25519 CipherString and Signature Algorithm Selection
test-2 = 2-RSA CipherString Selection
-test-3 = 3-P-256 CipherString and Signature Algorithm Selection
-test-4 = 4-Ed25519 CipherString and Curves Selection
-test-5 = 5-ECDSA CipherString Selection, no ECDSA certificate
-test-6 = 6-ECDSA Signature Algorithm Selection
-test-7 = 7-ECDSA Signature Algorithm Selection SHA384
-test-8 = 8-ECDSA Signature Algorithm Selection SHA1
-test-9 = 9-ECDSA Signature Algorithm Selection compressed point
-test-10 = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate
-test-11 = 11-RSA Signature Algorithm Selection
-test-12 = 12-RSA-PSS Signature Algorithm Selection
-test-13 = 13-Suite B P-256 Hash Algorithm Selection
-test-14 = 14-Suite B P-384 Hash Algorithm Selection
-test-15 = 15-TLS 1.2 Ed25519 Client Auth
-test-16 = 16-TLS 1.2 DSA Certificate Test
+test-3 = 3-RSA-PSS Certificate CipherString Selection
+test-4 = 4-P-256 CipherString and Signature Algorithm Selection
+test-5 = 5-Ed25519 CipherString and Curves Selection
+test-6 = 6-ECDSA CipherString Selection, no ECDSA certificate
+test-7 = 7-ECDSA Signature Algorithm Selection
+test-8 = 8-ECDSA Signature Algorithm Selection SHA384
+test-9 = 9-ECDSA Signature Algorithm Selection SHA1
+test-10 = 10-ECDSA Signature Algorithm Selection compressed point
+test-11 = 11-ECDSA Signature Algorithm Selection, no ECDSA certificate
+test-12 = 12-RSA Signature Algorithm Selection
+test-13 = 13-RSA-PSS Signature Algorithm Selection
+test-14 = 14-RSA-PSS Certificate Signature Algorithm Selection
+test-15 = 15-Only RSA-PSS Certificate
+test-16 = 16-RSA-PSS Certificate, no PSS signature algorithms
+test-17 = 17-Only RSA-PSS Certificate, TLS v1.1
+test-18 = 18-Suite B P-256 Hash Algorithm Selection
+test-19 = 19-Suite B P-384 Hash Algorithm Selection
+test-20 = 20-TLS 1.2 Ed25519 Client Auth
+test-21 = 21-TLS 1.2 DSA Certificate Test
# ===========================================================
[0-ECDSA CipherString Selection]
@@ -119,14 +124,14 @@ ExpectedServerSignType = RSA-PSS
# ===========================================================
-[3-P-256 CipherString and Signature Algorithm Selection]
-ssl_conf = 3-P-256 CipherString and Signature Algorithm Selection-ssl
+[3-RSA-PSS Certificate CipherString Selection]
+ssl_conf = 3-RSA-PSS Certificate CipherString Selection-ssl
-[3-P-256 CipherString and Signature Algorithm Selection-ssl]
-server = 3-P-256 CipherString and Signature Algorithm Selection-server
-client = 3-P-256 CipherString and Signature Algorithm Selection-client
+[3-RSA-PSS Certificate CipherString Selection-ssl]
+server = 3-RSA-PSS Certificate CipherString Selection-server
+client = 3-RSA-PSS Certificate CipherString Selection-client
-[3-P-256 CipherString and Signature Algorithm Selection-server]
+[3-RSA-PSS Certificate CipherString Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -134,16 +139,49 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
MaxProtocol = TLSv1.2
+PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
+PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[3-P-256 CipherString and Signature Algorithm Selection-client]
+[3-RSA-PSS Certificate CipherString Selection-client]
+CipherString = aRSA
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-3]
+ExpectedResult = Success
+ExpectedServerCertType = RSA-PSS
+ExpectedServerSignType = RSA-PSS
+
+
+# ===========================================================
+
+[4-P-256 CipherString and Signature Algorithm Selection]
+ssl_conf = 4-P-256 CipherString and Signature Algorithm Selection-ssl
+
+[4-P-256 CipherString and Signature Algorithm Selection-ssl]
+server = 4-P-256 CipherString and Signature Algorithm Selection-server
+client = 4-P-256 CipherString and Signature Algorithm Selection-client
+
+[4-P-256 CipherString and Signature Algorithm Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[4-P-256 CipherString and Signature Algorithm Selection-client]
CipherString = aECDSA
MaxProtocol = TLSv1.2
SignatureAlgorithms = ECDSA+SHA256:ed25519
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-3]
+[test-4]
ExpectedResult = Success
ExpectedServerCertType = P-256
ExpectedServerSignHash = SHA256
@@ -152,14 +190,14 @@ ExpectedServerSignType = EC
# ===========================================================
-[4-Ed25519 CipherString and Curves Selection]
-ssl_conf = 4-Ed25519 CipherString and Curves Selection-ssl
+[5-Ed25519 CipherString and Curves Selection]
+ssl_conf = 5-Ed25519 CipherString and Curves Selection-ssl
-[4-Ed25519 CipherString and Curves Selection-ssl]
-server = 4-Ed25519 CipherString and Curves Selection-server
-client = 4-Ed25519 CipherString and Curves Selection-client
+[5-Ed25519 CipherString and Curves Selection-ssl]
+server = 5-Ed25519 CipherString and Curves Selection-server
+client = 5-Ed25519 CipherString and Curves Selection-client
-[4-Ed25519 CipherString and Curves Selection-server]
+[5-Ed25519 CipherString and Curves Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -169,7 +207,7 @@ EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[4-Ed25519 CipherString and Curves Selection-client]
+[5-Ed25519 CipherString and Curves Selection-client]
CipherString = aECDSA
Curves = X25519
MaxProtocol = TLSv1.2
@@ -177,7 +215,7 @@ SignatureAlgorithms = ECDSA+SHA256:ed25519
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-4]
+[test-5]
ExpectedResult = Success
ExpectedServerCertType = Ed25519
ExpectedServerSignType = Ed25519
@@ -185,39 +223,39 @@ ExpectedServerSignType = Ed25519
# ===========================================================
-[5-ECDSA CipherString Selection, no ECDSA certificate]
-ssl_conf = 5-ECDSA CipherString Selection, no ECDSA certificate-ssl
+[6-ECDSA CipherString Selection, no ECDSA certificate]
+ssl_conf = 6-ECDSA CipherString Selection, no ECDSA certificate-ssl
-[5-ECDSA CipherString Selection, no ECDSA certificate-ssl]
-server = 5-ECDSA CipherString Selection, no ECDSA certificate-server
-client = 5-ECDSA CipherString Selection, no ECDSA certificate-client
+[6-ECDSA CipherString Selection, no ECDSA certificate-ssl]
+server = 6-ECDSA CipherString Selection, no ECDSA certificate-server
+client = 6-ECDSA CipherString Selection, no ECDSA certificate-client
-[5-ECDSA CipherString Selection, no ECDSA certificate-server]
+[6-ECDSA CipherString Selection, no ECDSA certificate-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[5-ECDSA CipherString Selection, no ECDSA certificate-client]
+[6-ECDSA CipherString Selection, no ECDSA certificate-client]
CipherString = aECDSA
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-5]
+[test-6]
ExpectedResult = ServerFail
# ===========================================================
-[6-ECDSA Signature Algorithm Selection]
-ssl_conf = 6-ECDSA Signature Algorithm Selection-ssl
+[7-ECDSA Signature Algorithm Selection]
+ssl_conf = 7-ECDSA Signature Algorithm Selection-ssl
-[6-ECDSA Signature Algorithm Selection-ssl]
-server = 6-ECDSA Signature Algorithm Selection-server
-client = 6-ECDSA Signature Algorithm Selection-client
+[7-ECDSA Signature Algorithm Selection-ssl]
+server = 7-ECDSA Signature Algorithm Selection-server
+client = 7-ECDSA Signature Algorithm Selection-client
-[6-ECDSA Signature Algorithm Selection-server]
+[7-ECDSA Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -227,13 +265,13 @@ EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[6-ECDSA Signature Algorithm Selection-client]
+[7-ECDSA Signature Algorithm Selection-client]
CipherString = DEFAULT
SignatureAlgorithms = ECDSA+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-6]
+[test-7]
ExpectedResult = Success
ExpectedServerCertType = P-256
ExpectedServerSignHash = SHA256
@@ -242,14 +280,14 @@ ExpectedServerSignType = EC
# ===========================================================
-[7-ECDSA Signature Algorithm Selection SHA384]
-ssl_conf = 7-ECDSA Signature Algorithm Selection SHA384-ssl
+[8-ECDSA Signature Algorithm Selection SHA384]
+ssl_conf = 8-ECDSA Signature Algorithm Selection SHA384-ssl
-[7-ECDSA Signature Algorithm Selection SHA384-ssl]
-server = 7-ECDSA Signature Algorithm Selection SHA384-server
-client = 7-ECDSA Signature Algorithm Selection SHA384-client
+[8-ECDSA Signature Algorithm Selection SHA384-ssl]
+server = 8-ECDSA Signature Algorithm Selection SHA384-server
+client = 8-ECDSA Signature Algorithm Selection SHA384-client
-[7-ECDSA Signature Algorithm Selection SHA384-server]
+[8-ECDSA Signature Algorithm Selection SHA384-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -259,13 +297,13 @@ EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[7-ECDSA Signature Algorithm Selection SHA384-client]
+[8-ECDSA Signature Algorithm Selection SHA384-client]
CipherString = DEFAULT
SignatureAlgorithms = ECDSA+SHA384
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-7]
+[test-8]
ExpectedResult = Success
ExpectedServerCertType = P-256
ExpectedServerSignHash = SHA384
@@ -274,14 +312,14 @@ ExpectedServerSignType = EC
# ===========================================================
-[8-ECDSA Signature Algorithm Selection SHA1]
-ssl_conf = 8-ECDSA Signature Algorithm Selection SHA1-ssl
+[9-ECDSA Signature Algorithm Selection SHA1]
+ssl_conf = 9-ECDSA Signature Algorithm Selection SHA1-ssl
-[8-ECDSA Signature Algorithm Selection SHA1-ssl]
-server = 8-ECDSA Signature Algorithm Selection SHA1-server
-client = 8-ECDSA Signature Algorithm Selection SHA1-client
+[9-ECDSA Signature Algorithm Selection SHA1-ssl]
+server = 9-ECDSA Signature Algorithm Selection SHA1-server
+client = 9-ECDSA Signature Algorithm Selection SHA1-client
-[8-ECDSA Signature Algorithm Selection SHA1-server]
+[9-ECDSA Signature Algorithm Selection SHA1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -291,13 +329,13 @@ EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[8-ECDSA Signature Algorithm Selection SHA1-client]
+[9-ECDSA Signature Algorithm Selection SHA1-client]
CipherString = DEFAULT
SignatureAlgorithms = ECDSA+SHA1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-8]
+[test-9]
ExpectedResult = Success
ExpectedServerCertType = P-256
ExpectedServerSignHash = SHA1
@@ -306,14 +344,14 @@ ExpectedServerSignType = EC
# ===========================================================
-[9-ECDSA Signature Algorithm Selection compressed point]
-ssl_conf = 9-ECDSA Signature Algorithm Selection compressed point-ssl
+[10-ECDSA Signature Algorithm Selection compressed point]
+ssl_conf = 10-ECDSA Signature Algorithm Selection compressed point-ssl
-[9-ECDSA Signature Algorithm Selection compressed point-ssl]
-server = 9-ECDSA Signature Algorithm Selection compressed point-server
-client = 9-ECDSA Signature Algorithm Selection compressed point-client
+[10-ECDSA Signature Algorithm Selection compressed point-ssl]
+server = 10-ECDSA Signature Algorithm Selection compressed point-server
+client = 10-ECDSA Signature Algorithm Selection compressed point-client
-[9-ECDSA Signature Algorithm Selection compressed point-server]
+[10-ECDSA Signature Algorithm Selection compressed point-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-cecdsa-cert.pem
@@ -321,13 +359,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-cecdsa-key.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[9-ECDSA Signature Algorithm Selection compressed point-client]
+[10-ECDSA Signature Algorithm Selection compressed point-client]
CipherString = DEFAULT
SignatureAlgorithms = ECDSA+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-9]
+[test-10]
ExpectedResult = Success
ExpectedServerCertType = P-256
ExpectedServerSignHash = SHA256
@@ -336,39 +374,39 @@ ExpectedServerSignType = EC
# ===========================================================
-[10-ECDSA Signature Algorithm Selection, no ECDSA certificate]
-ssl_conf = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl
+[11-ECDSA Signature Algorithm Selection, no ECDSA certificate]
+ssl_conf = 11-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl
-[10-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl]
-server = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate-server
-client = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate-client
+[11-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl]
+server = 11-ECDSA Signature Algorithm Selection, no ECDSA certificate-server
+client = 11-ECDSA Signature Algorithm Selection, no ECDSA certificate-client
-[10-ECDSA Signature Algorithm Selection, no ECDSA certificate-server]
+[11-ECDSA Signature Algorithm Selection, no ECDSA certificate-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[10-ECDSA Signature Algorithm Selection, no ECDSA certificate-client]
+[11-ECDSA Signature Algorithm Selection, no ECDSA certificate-client]
CipherString = DEFAULT
SignatureAlgorithms = ECDSA+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-10]
+[test-11]
ExpectedResult = ServerFail
# ===========================================================
-[11-RSA Signature Algorithm Selection]
-ssl_conf = 11-RSA Signature Algorithm Selection-ssl
+[12-RSA Signature Algorithm Selection]
+ssl_conf = 12-RSA Signature Algorithm Selection-ssl
-[11-RSA Signature Algorithm Selection-ssl]
-server = 11-RSA Signature Algorithm Selection-server
-client = 11-RSA Signature Algorithm Selection-client
+[12-RSA Signature Algorithm Selection-ssl]
+server = 12-RSA Signature Algorithm Selection-server
+client = 12-RSA Signature Algorithm Selection-client
-[11-RSA Signature Algorithm Selection-server]
+[12-RSA Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -378,13 +416,13 @@ EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[11-RSA Signature Algorithm Selection-client]
+[12-RSA Signature Algorithm Selection-client]
CipherString = DEFAULT
SignatureAlgorithms = RSA+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-11]
+[test-12]
ExpectedResult = Success
ExpectedServerCertType = RSA
ExpectedServerSignHash = SHA256
@@ -393,14 +431,14 @@ ExpectedServerSignType = RSA
# ===========================================================
-[12-RSA-PSS Signature Algorithm Selection]
-ssl_conf = 12-RSA-PSS Signature Algorithm Selection-ssl
+[13-RSA-PSS Signature Algorithm Selection]
+ssl_conf = 13-RSA-PSS Signature Algorithm Selection-ssl
-[12-RSA-PSS Signature Algorithm Selection-ssl]
-server = 12-RSA-PSS Signature Algorithm Selection-server
-client = 12-RSA-PSS Signature Algorithm Selection-client
+[13-RSA-PSS Signature Algorithm Selection-ssl]
+server = 13-RSA-PSS Signature Algorithm Selection-server
+client = 13-RSA-PSS Signature Algorithm Selection-client
-[12-RSA-PSS Signature Algorithm Selection-server]
+[13-RSA-PSS Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -410,13 +448,13 @@ EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[12-RSA-PSS Signature Algorithm Selection-client]
+[13-RSA-PSS Signature Algorithm Selection-client]
CipherString = DEFAULT
SignatureAlgorithms = RSA-PSS+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-12]
+[test-13]
ExpectedResult = Success
ExpectedServerCertType = RSA
ExpectedServerSignHash = SHA256
@@ -425,14 +463,122 @@ ExpectedServerSignType = RSA-PSS
# ===========================================================
-[13-Suite B P-256 Hash Algorithm Selection]
-ssl_conf = 13-Suite B P-256 Hash Algorithm Selection-ssl
+[14-RSA-PSS Certificate Signature Algorithm Selection]
+ssl_conf = 14-RSA-PSS Certificate Signature Algorithm Selection-ssl
-[13-Suite B P-256 Hash Algorithm Selection-ssl]
-server = 13-Suite B P-256 Hash Algorithm Selection-server
-client = 13-Suite B P-256 Hash Algorithm Selection-client
+[14-RSA-PSS Certificate Signature Algorithm Selection-ssl]
+server = 14-RSA-PSS Certificate Signature Algorithm Selection-server
+client = 14-RSA-PSS Certificate Signature Algorithm Selection-client
-[13-Suite B P-256 Hash Algorithm Selection-server]
+[14-RSA-PSS Certificate Signature Algorithm Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+MaxProtocol = TLSv1.2
+PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
+PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[14-RSA-PSS Certificate Signature Algorithm Selection-client]
+CipherString = DEFAULT
+SignatureAlgorithms = RSA-PSS+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-14]
+ExpectedResult = Success
+ExpectedServerCertType = RSA-PSS
+ExpectedServerSignHash = SHA256
+ExpectedServerSignType = RSA-PSS
+
+
+# ===========================================================
+
+[15-Only RSA-PSS Certificate]
+ssl_conf = 15-Only RSA-PSS Certificate-ssl
+
+[15-Only RSA-PSS Certificate-ssl]
+server = 15-Only RSA-PSS Certificate-server
+client = 15-Only RSA-PSS Certificate-client
+
+[15-Only RSA-PSS Certificate-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
+
+[15-Only RSA-PSS Certificate-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-15]
+ExpectedResult = Success
+ExpectedServerCertType = RSA-PSS
+ExpectedServerSignHash = SHA256
+ExpectedServerSignType = RSA-PSS
+
+
+# ===========================================================
+
+[16-RSA-PSS Certificate, no PSS signature algorithms]
+ssl_conf = 16-RSA-PSS Certificate, no PSS signature algorithms-ssl
+
+[16-RSA-PSS Certificate, no PSS signature algorithms-ssl]
+server = 16-RSA-PSS Certificate, no PSS signature algorithms-server
+client = 16-RSA-PSS Certificate, no PSS signature algorithms-client
+
+[16-RSA-PSS Certificate, no PSS signature algorithms-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
+
+[16-RSA-PSS Certificate, no PSS signature algorithms-client]
+CipherString = DEFAULT
+SignatureAlgorithms = RSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-16]
+ExpectedResult = ServerFail
+
+
+# ===========================================================
+
+[17-Only RSA-PSS Certificate, TLS v1.1]
+ssl_conf = 17-Only RSA-PSS Certificate, TLS v1.1-ssl
+
+[17-Only RSA-PSS Certificate, TLS v1.1-ssl]
+server = 17-Only RSA-PSS Certificate, TLS v1.1-server
+client = 17-Only RSA-PSS Certificate, TLS v1.1-client
+
+[17-Only RSA-PSS Certificate, TLS v1.1-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
+
+[17-Only RSA-PSS Certificate, TLS v1.1-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-17]
+ExpectedResult = ServerFail
+
+
+# ===========================================================
+
+[18-Suite B P-256 Hash Algorithm Selection]
+ssl_conf = 18-Suite B P-256 Hash Algorithm Selection-ssl
+
+[18-Suite B P-256 Hash Algorithm Selection-ssl]
+server = 18-Suite B P-256 Hash Algorithm Selection-server
+client = 18-Suite B P-256 Hash Algorithm Selection-client
+
+[18-Suite B P-256 Hash Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = SUITEB128
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p256-server-cert.pem
@@ -440,13 +586,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p256-server-key.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[13-Suite B P-256 Hash Algorithm Selection-client]
+[18-Suite B P-256 Hash Algorithm Selection-client]
CipherString = DEFAULT
SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
VerifyMode = Peer
-[test-13]
+[test-18]
ExpectedResult = Success
ExpectedServerCertType = P-256
ExpectedServerSignHash = SHA256
@@ -455,14 +601,14 @@ ExpectedServerSignType = EC
# ===========================================================
-[14-Suite B P-384 Hash Algorithm Selection]
-ssl_conf = 14-Suite B P-384 Hash Algorithm Selection-ssl
+[19-Suite B P-384 Hash Algorithm Selection]
+ssl_conf = 19-Suite B P-384 Hash Algorithm Selection-ssl
-[14-Suite B P-384 Hash Algorithm Selection-ssl]
-server = 14-Suite B P-384 Hash Algorithm Selection-server
-client = 14-Suite B P-384 Hash Algorithm Selection-client
+[19-Suite B P-384 Hash Algorithm Selection-ssl]
+server = 19-Suite B P-384 Hash Algorithm Selection-server
+client = 19-Suite B P-384 Hash Algorithm Selection-client
-[14-Suite B P-384 Hash Algorithm Selection-server]
+[19-Suite B P-384 Hash Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = SUITEB128
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
@@ -470,13 +616,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[14-Suite B P-384 Hash Algorithm Selection-client]
+[19-Suite B P-384 Hash Algorithm Selection-client]
CipherString = DEFAULT
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
VerifyMode = Peer
-[test-14]
+[test-19]
ExpectedResult = Success
ExpectedServerCertType = P-384
ExpectedServerSignHash = SHA384
@@ -485,21 +631,21 @@ ExpectedServerSignType = EC
# ===========================================================
-[15-TLS 1.2 Ed25519 Client Auth]
-ssl_conf = 15-TLS 1.2 Ed25519 Client Auth-ssl
+[20-TLS 1.2 Ed25519 Client Auth]
+ssl_conf = 20-TLS 1.2 Ed25519 Client Auth-ssl
-[15-TLS 1.2 Ed25519 Client Auth-ssl]
-server = 15-TLS 1.2 Ed25519 Client Auth-server
-client = 15-TLS 1.2 Ed25519 Client Auth-client
+[20-TLS 1.2 Ed25519 Client Auth-ssl]
+server = 20-TLS 1.2 Ed25519 Client Auth-server
+client = 20-TLS 1.2 Ed25519 Client Auth-client
-[15-TLS 1.2 Ed25519 Client Auth-server]
+[20-TLS 1.2 Ed25519 Client Auth-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
-[15-TLS 1.2 Ed25519 Client Auth-client]
+[20-TLS 1.2 Ed25519 Client Auth-client]
CipherString = DEFAULT
EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem
EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem
@@ -508,7 +654,7 @@ MinProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-15]
+[test-20]
ExpectedClientCertType = Ed25519
ExpectedClientSignType = Ed25519
ExpectedResult = Success
@@ -516,14 +662,14 @@ ExpectedResult = Success
# ===========================================================
-[16-TLS 1.2 DSA Certificate Test]
-ssl_conf = 16-TLS 1.2 DSA Certificate Test-ssl
+[21-TLS 1.2 DSA Certificate Test]
+ssl_conf = 21-TLS 1.2 DSA Certificate Test-ssl
-[16-TLS 1.2 DSA Certificate Test-ssl]
-server = 16-TLS 1.2 DSA Certificate Test-server
-client = 16-TLS 1.2 DSA Certificate Test-client
+[21-TLS 1.2 DSA Certificate Test-ssl]
+server = 21-TLS 1.2 DSA Certificate Test-server
+client = 21-TLS 1.2 DSA Certificate Test-client
-[16-TLS 1.2 DSA Certificate Test-server]
+[21-TLS 1.2 DSA Certificate Test-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = ALL
DHParameters = ${ENV::TEST_CERTS_DIR}/dhp2048.pem
@@ -533,13 +679,13 @@ MaxProtocol = TLSv1.2
MinProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[16-TLS 1.2 DSA Certificate Test-client]
+[21-TLS 1.2 DSA Certificate Test-client]
CipherString = ALL
SignatureAlgorithms = DSA+SHA256:DSA+SHA1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-16]
+[test-21]
ExpectedResult = Success
diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in
index 1d8e059..659586f 100644
--- a/test/ssl-tests/20-cert-select.conf.in
+++ b/test/ssl-tests/20-cert-select.conf.in
@@ -17,6 +17,21 @@ my $server = {
"MaxProtocol" => "TLSv1.2"
};
+my $server_pss = {
+ "PSS.Certificate" => test_pem("server-pss-cert.pem"),
+ "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
+ "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+ "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
+ "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
+ "MaxProtocol" => "TLSv1.2"
+};
+
+my $server_pss_only = {
+ "Certificate" => test_pem("server-pss-cert.pem"),
+ "PrivateKey" => test_pem("server-pss-key.pem"),
+};
+
our @tests = (
{
name => "ECDSA CipherString Selection",
@@ -65,6 +80,19 @@ our @tests = (
},
},
{
+ name => "RSA-PSS Certificate CipherString Selection",
+ server => $server_pss,
+ client => {
+ "CipherString" => "aRSA",
+ "MaxProtocol" => "TLSv1.2",
+ },
+ test => {
+ "ExpectedServerCertType" =>, "RSA-PSS",
+ "ExpectedServerSignType" =>, "RSA-PSS",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
name => "P-256 CipherString and Signature Algorithm Selection",
server => $server,
client => {
@@ -204,6 +232,50 @@ our @tests = (
},
},
{
+ name => "RSA-PSS Certificate Signature Algorithm Selection",
+ server => $server_pss,
+ client => {
+ "SignatureAlgorithms" => "RSA-PSS+SHA256",
+ },
+ test => {
+ "ExpectedServerCertType" => "RSA-PSS",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "RSA-PSS",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "Only RSA-PSS Certificate",
+ server => $server_pss_only,
+ client => {},
+ test => {
+ "ExpectedServerCertType" => "RSA-PSS",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "RSA-PSS",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "RSA-PSS Certificate, no PSS signature algorithms",
+ server => $server_pss_only,
+ client => {
+ "SignatureAlgorithms" => "RSA+SHA256",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+ {
+ name => "Only RSA-PSS Certificate, TLS v1.1",
+ server => $server_pss_only,
+ client => {
+ "MaxProtocol" => "TLSv1.1",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+ {
name => "Suite B P-256 Hash Algorithm Selection",
server => {
"ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
@@ -261,7 +333,6 @@ our @tests = (
},
);
-
my $server_tls_1_3 = {
"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
@@ -271,6 +342,17 @@ my $server_tls_1_3 = {
"MaxProtocol" => "TLSv1.3"
};
+my $server_tls_1_3_pss = {
+ "PSS.Certificate" => test_pem("server-pss-cert.pem"),
+ "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
+ "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+ "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
+ "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
+ "MinProtocol" => "TLSv1.3",
+ "MaxProtocol" => "TLSv1.3"
+};
+
my $client_tls_1_3 = {
"RSA.Certificate" => test_pem("ee-client-chain.pem"),
"RSA.PrivateKey" => test_pem("ee-key.pem"),
More information about the openssl-commits
mailing list