[openssl] master update
Matt Caswell
matt at openssl.org
Fri Aug 9 12:30:29 UTC 2019
The branch master has been updated
via 20946b94658416d2fed0b9d9c7adfbe4b7d70515 (commit)
via 39d9ea5e502114a204750f641ca76ff5b4912401 (commit)
via 9bcc9f973b2a216461dd6f140e47ef647eb733b4 (commit)
from d6dda392c10a9297b5009339a4656ec5bf53399b (commit)
- Log -----------------------------------------------------------------
commit 20946b94658416d2fed0b9d9c7adfbe4b7d70515
Author: Matt Caswell <matt at openssl.org>
Date: Thu Aug 8 11:41:18 2019 +0100
Add TLS tests for RSA-PSS Restricted certificates
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9553)
commit 39d9ea5e502114a204750f641ca76ff5b4912401
Author: Matt Caswell <matt at openssl.org>
Date: Thu Aug 8 11:08:14 2019 +0100
Add Restricted PSS certificate and key
Create a PSS certificate with parameter restrictions
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9553)
commit 9bcc9f973b2a216461dd6f140e47ef647eb733b4
Author: Matt Caswell <matt at openssl.org>
Date: Thu Aug 8 09:13:51 2019 +0100
Ensure RSA PSS correctly returns the right default digest
A default digest of SHA256 was being returned for RSA PSS even if the
PSS parameters indicated a different digest must be used. We change this
so that the correct default digest is returned and additionally mark this
as mandatory for PSS.
This bug had an impact on sig alg selection in libssl. Due to this issue
an incorrect sig alg might be selected in the event that a server is
configured with an RSA-PSS cert with parameter restrictions.
Fixes #9545
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9553)
-----------------------------------------------------------------------
Summary of changes:
crypto/rsa/rsa_ameth.c | 13 +
test/certs/mkcert.sh | 29 ++
test/certs/server-pss-restrict-cert.pem | 21 +
test/certs/server-pss-restrict-key.pem | 29 ++
test/certs/setup.sh | 6 +
test/ssl-tests/20-cert-select.conf | 660 +++++++++++++++++++-------------
test/ssl-tests/20-cert-select.conf.in | 66 ++++
7 files changed, 562 insertions(+), 262 deletions(-)
create mode 100644 test/certs/server-pss-restrict-cert.pem
create mode 100644 test/certs/server-pss-restrict-key.pem
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index 82d1d56d0a..bf56039b46 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -458,6 +458,9 @@ static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
{
X509_ALGOR *alg = NULL;
+ const EVP_MD *md;
+ const EVP_MD *mgf1md;
+ int min_saltlen;
switch (op) {
@@ -497,6 +500,16 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
#endif
case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
+ if (pkey->pkey.rsa->pss != NULL) {
+ if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md,
+ &min_saltlen)) {
+ RSAerr(0, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ *(int *)arg2 = EVP_MD_type(md);
+ /* Return of 2 indicates this MD is mandatory */
+ return 2;
+ }
*(int *)arg2 = NID_sha256;
return 1;
diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh
index 41bbe23e2d..e03b19014e 100755
--- a/test/certs/mkcert.sh
+++ b/test/certs/mkcert.sh
@@ -233,6 +233,35 @@ genee() {
-set_serial 2 -days "${DAYS}" "$@"
}
+geneenocsr() {
+ local OPTIND=1
+ local purpose=serverAuth
+
+ while getopts p: o
+ do
+ case $o in
+ p) purpose="$OPTARG";;
+ *) echo "Usage: $0 genee [-p EKU] cn certname cakeyname cacertname" >&2
+ return 1;;
+ esac
+ done
+
+ shift $((OPTIND - 1))
+ local cn=$1; shift
+ local cert=$1; shift
+ local cakey=$1; shift
+ local ca=$1; shift
+
+ exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
+ "subjectKeyIdentifier = hash" \
+ "authorityKeyIdentifier = keyid, issuer" \
+ "basicConstraints = CA:false" \
+ "extendedKeyUsage = $purpose" \
+ "subjectAltName = @alts" "DNS=${cn}")
+ cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
+ -set_serial 2 -days "${DAYS}" "$@"
+}
+
genss() {
local cn=$1; shift
local key=$1; shift
diff --git a/test/certs/server-pss-restrict-cert.pem b/test/certs/server-pss-restrict-cert.pem
new file mode 100644
index 0000000000..273363808a
--- /dev/null
+++ b/test/certs/server-pss-restrict-cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYjCCAkqgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE5MDgwODEwNDMxMFoYDzIxMTkwODA5MTA0MzEwWjAUMRIwEAYDVQQD
+DAlsb2NhbGhvc3QwggFSMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZIAWUDBAIBoRow
+GAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgA4IBDwAwggEKAoIBAQDDlygk
+sUEAajpdVquo9XIAyTd9ZJ+55hNmhBfhn3lHz3ryPD+0XlgCE9qsKwfR7iYaqmnN
+ilQnsxWpMGXAgOlC1+w5zh8qHvrI5wX+A6U9N8leIOSgFuFNP0FMMG7I677QzRxG
+FqKX1o4V73JWqnHCfnfHRyZY9xM0tYbJKNbRO7Hy4jKBPl3ptPHUoTltr4WYTOpg
+stcEamdiiif+0U4bQvVltNg9pzFEjkAktTUGn92W5CgLnsbPXxBo6a/kUlHcgmhY
+bpOXEjCPufZLgsQo8iF2Bq8eWMEsByjr0chQjzrfZAUVtD8Hmh2uMVAPQFAHUkaL
+j2tHukL+s9tAaWKNAgMBAAGjgY4wgYswHQYDVR0OBBYEFLqlLFaNrS8hbX6voiGi
+AfMYfsivMB8GA1UdIwQYMBaAFHB/Lq6DaFmYBCMqzes+F80k3QFJMAkGA1UdEwQC
+MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwKQYDVR0RBCIwIIIeU2VydmVyIFJTQS1Q
+U1MgcmVzdHJpY3RlZCBjZXJ0MA0GCSqGSIb3DQEBCwUAA4IBAQAEhm9Skn2XfEZo
+Q+YMu6HIQZovRT3IljHvesjIby7KfS86SU4r+CG7qaPLw7jeIR92YMnihnaXRGGJ
+POixpHY6gapEzR2Sqg7c0ApGenDZ3uKnBUjf9LEorPmhrEHUsnHREXoPx5Lt5Nh/
+7WRNB/GKvbnAby+5HQBOvU6P8t37/zK1JjJhGNv0uvaYthQGk3r6nEhQG+O6JBSw
+H/auU4ClIB4fg8GWaMuupN5VMNP9mxpL9tONH8QRKs+KIQWMOsr83rOKwSHrrkIL
+/vDI5hPj9RHvjjta6FQx140wA6c8ZB59x9YIv1alJWf6s3+TM8bv70L/aBBT8+IM
+vwjUz9Gp
+-----END CERTIFICATE-----
diff --git a/test/certs/server-pss-restrict-key.pem b/test/certs/server-pss-restrict-key.pem
new file mode 100644
index 0000000000..65032269c1
--- /dev/null
+++ b/test/certs/server-pss-restrict-key.pem
@@ -0,0 +1,29 @@
+-----BEGIN PRIVATE KEY-----
+MIIE7wIBADA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3
+DQEBCDALBglghkgBZQMEAgGiAwIBIASCBKkwggSlAgEAAoIBAQDDlygksUEAajpd
+Vquo9XIAyTd9ZJ+55hNmhBfhn3lHz3ryPD+0XlgCE9qsKwfR7iYaqmnNilQnsxWp
+MGXAgOlC1+w5zh8qHvrI5wX+A6U9N8leIOSgFuFNP0FMMG7I677QzRxGFqKX1o4V
+73JWqnHCfnfHRyZY9xM0tYbJKNbRO7Hy4jKBPl3ptPHUoTltr4WYTOpgstcEamdi
+iif+0U4bQvVltNg9pzFEjkAktTUGn92W5CgLnsbPXxBo6a/kUlHcgmhYbpOXEjCP
+ufZLgsQo8iF2Bq8eWMEsByjr0chQjzrfZAUVtD8Hmh2uMVAPQFAHUkaLj2tHukL+
+s9tAaWKNAgMBAAECggEBAIzgfwWOtmb6HHfGSXY085wlUlZ696EKWsboNdtI5i4W
+/1Mimi/sFC/K5SJFDCjlA4UJYZOuItdFYkCun1t8foaqx3cLQ98u2SuDWwmOzqG9
+YMjvoDy+viDJgtrBt8n4I0R5t/ezrgD3hPe/s/dAZRfVx6g9Ux2ZOLgqV57kT3X7
+6paEz3jrIMvuoXQCsi9Qh+eJQ23/sAcc7OHQ7uD8QJVudEBnSHQ+ttvOPXhr7tba
+8NuNVa6E/KewkKHRAZqBTJolCVyPtWmvfaDwdJtunCvyR1w3Rv1adZLK4YRFz+vc
+sOMK+K1c2aojA+/Fnba19inNq13j6Dwqmq8Ho7MZwHECgYEA6aSx7/93S1VGpxQ9
+KqFE4Fy9ylliC/hanc9qOcfEIo0tDus9lfpuPp+aOXML0msVkIfhCnaru32qtnaI
+AQkIbPhSZFvC/i6BibpArXINbDzTS/46zZHehXskjWFGw+iRm/YI7MBuCmWzSnFO
+YUwSKRIPKZKyXswFzP8RsQO/QbsCgYEA1k5SamQheuKdo/X40ShWTTOoDlpL4Sir
+b2zTnEqlHyMv8c7w880hPf4P+0pqrKyf7jmEykJvp1qSAmyMUCWzrKTr8gQ2sMyb
+zj90cEm++M5YIQh5lPJy4pGqmCliJXqkt+zT1xmnRASwMNQOnU2bBmXkve/ofb4M
+dEwyig/nZFcCgYBLWPilTD6dhce+NBGxwMZkkKQIMKEk+RfIEs7QCXNgLSUdzZFT
+36pT+caTxl1Go5AVxyw04qZpVZKLO1iK9O3Jrp9rjAgrTrYpw23+QWzAvjDqLfeq
+ueMIKvlTus5GeacTo9mm+DvEkJ2sYTQEvrKQmilXn950IdmxDYUYD/xK5wKBgQDQ
+5ON9BUGFUSQsUHVLG7CT7EhiRS41ubjyEfhrHm+53Ei9weQpIcjHbsERR8aXrmTu
+h26i4QOI88XjSv+ymC19mfzLmcPdrnQpJL1RPvFCAZDyEhrBT1sg8rCBRcV/lv68
+scMEpuLecFt2HR5pwt3b7LJ9Wj8bYoctTaDt5va8XQKBgQDCr4hZB5haAcKmNm/g
+PjlaLdrDEIuuBjxMzX1t3PXwsEene1cE731v6fbmrDUa8AuJyMY80xhGrTTDQfS3
+QOu/6wtcUv/JC/06OwEaUlT/kdYek+zYfBm3b1sKP3HVKSxCLTcPcC4aQoAFqbEy
+3kuSVh03vVBdaP//qMPyeue17w==
+-----END PRIVATE KEY-----
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
index 53d4a807a7..26b2f1ddfe 100755
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@@ -369,3 +369,9 @@ REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \
OPENSSL_KEYALG=ec OPENSSL_KEYBITS=brainpoolP256r1 ./mkcert.sh genee \
"Server ECDSA brainpoolP256r1 cert" server-ecdsa-brainpoolP256r1-key \
server-ecdsa-brainpoolP256r1-cert rootkey rootcert
+
+openssl req -new -nodes -subj "/CN=localhost" \
+ -newkey rsa-pss -keyout server-pss-restrict-key.pem \
+ -pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:32 | \
+ ./mkcert.sh geneenocsr "Server RSA-PSS restricted cert" \
+ server-pss-restrict-cert rootkey rootcert
diff --git a/test/ssl-tests/20-cert-select.conf b/test/ssl-tests/20-cert-select.conf
index 0bcd23d7f0..93f3a1ff68 100644
--- a/test/ssl-tests/20-cert-select.conf
+++ b/test/ssl-tests/20-cert-select.conf
@@ -1,6 +1,6 @@
# Generated with generate_ssl_tests.pl
-num_tests = 51
+num_tests = 56
test-0 = 0-ECDSA CipherString Selection
test-1 = 1-ECDSA CipherString Selection
@@ -24,35 +24,40 @@ test-18 = 18-RSA-PSS Signature Algorithm Selection
test-19 = 19-RSA-PSS Certificate Legacy Signature Algorithm Selection
test-20 = 20-RSA-PSS Certificate Unified Signature Algorithm Selection
test-21 = 21-Only RSA-PSS Certificate
-test-22 = 22-RSA-PSS Certificate, no PSS signature algorithms
-test-23 = 23-RSA key exchange with all RSA certificate types
-test-24 = 24-RSA key exchange with only RSA-PSS certificate
-test-25 = 25-Suite B P-256 Hash Algorithm Selection
-test-26 = 26-Suite B P-384 Hash Algorithm Selection
-test-27 = 27-TLS 1.2 Ed25519 Client Auth
-test-28 = 28-TLS 1.2 Ed448 Client Auth
-test-29 = 29-Only RSA-PSS Certificate, TLS v1.1
-test-30 = 30-TLS 1.3 ECDSA Signature Algorithm Selection
-test-31 = 31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point
-test-32 = 32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1
-test-33 = 33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS
-test-34 = 34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS
-test-35 = 35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate
-test-36 = 36-TLS 1.3 RSA Signature Algorithm Selection, no PSS
-test-37 = 37-TLS 1.3 RSA-PSS Signature Algorithm Selection
-test-38 = 38-TLS 1.3 Ed25519 Signature Algorithm Selection
-test-39 = 39-TLS 1.3 Ed448 Signature Algorithm Selection
-test-40 = 40-TLS 1.3 Ed25519 CipherString and Groups Selection
-test-41 = 41-TLS 1.3 Ed448 CipherString and Groups Selection
-test-42 = 42-TLS 1.3 RSA Client Auth Signature Algorithm Selection
-test-43 = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names
-test-44 = 44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection
-test-45 = 45-TLS 1.3 Ed25519 Client Auth
-test-46 = 46-TLS 1.3 Ed448 Client Auth
-test-47 = 47-TLS 1.3 ECDSA with brainpool
-test-48 = 48-TLS 1.2 DSA Certificate Test
-test-49 = 49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms
-test-50 = 50-TLS 1.3 DSA Certificate Test
+test-22 = 22-Only RSA-PSS Certificate Valid Signature Algorithms
+test-23 = 23-RSA-PSS Certificate, no PSS signature algorithms
+test-24 = 24-Only RSA-PSS Restricted Certificate
+test-25 = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms
+test-26 = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm
+test-27 = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms
+test-28 = 28-RSA key exchange with all RSA certificate types
+test-29 = 29-RSA key exchange with only RSA-PSS certificate
+test-30 = 30-Suite B P-256 Hash Algorithm Selection
+test-31 = 31-Suite B P-384 Hash Algorithm Selection
+test-32 = 32-TLS 1.2 Ed25519 Client Auth
+test-33 = 33-TLS 1.2 Ed448 Client Auth
+test-34 = 34-Only RSA-PSS Certificate, TLS v1.1
+test-35 = 35-TLS 1.3 ECDSA Signature Algorithm Selection
+test-36 = 36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point
+test-37 = 37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1
+test-38 = 38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS
+test-39 = 39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS
+test-40 = 40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate
+test-41 = 41-TLS 1.3 RSA Signature Algorithm Selection, no PSS
+test-42 = 42-TLS 1.3 RSA-PSS Signature Algorithm Selection
+test-43 = 43-TLS 1.3 Ed25519 Signature Algorithm Selection
+test-44 = 44-TLS 1.3 Ed448 Signature Algorithm Selection
+test-45 = 45-TLS 1.3 Ed25519 CipherString and Groups Selection
+test-46 = 46-TLS 1.3 Ed448 CipherString and Groups Selection
+test-47 = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection
+test-48 = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names
+test-49 = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection
+test-50 = 50-TLS 1.3 Ed25519 Client Auth
+test-51 = 51-TLS 1.3 Ed448 Client Auth
+test-52 = 52-TLS 1.3 ECDSA with brainpool
+test-53 = 53-TLS 1.2 DSA Certificate Test
+test-54 = 54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms
+test-55 = 55-TLS 1.3 DSA Certificate Test
# ===========================================================
[0-ECDSA CipherString Selection]
@@ -775,89 +780,220 @@ ExpectedServerSignType = RSA-PSS
# ===========================================================
-[22-RSA-PSS Certificate, no PSS signature algorithms]
-ssl_conf = 22-RSA-PSS Certificate, no PSS signature algorithms-ssl
+[22-Only RSA-PSS Certificate Valid Signature Algorithms]
+ssl_conf = 22-Only RSA-PSS Certificate Valid Signature Algorithms-ssl
-[22-RSA-PSS Certificate, no PSS signature algorithms-ssl]
-server = 22-RSA-PSS Certificate, no PSS signature algorithms-server
-client = 22-RSA-PSS Certificate, no PSS signature algorithms-client
+[22-Only RSA-PSS Certificate Valid Signature Algorithms-ssl]
+server = 22-Only RSA-PSS Certificate Valid Signature Algorithms-server
+client = 22-Only RSA-PSS Certificate Valid Signature Algorithms-client
-[22-RSA-PSS Certificate, no PSS signature algorithms-server]
+[22-Only RSA-PSS Certificate Valid Signature Algorithms-server]
Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
-[22-RSA-PSS Certificate, no PSS signature algorithms-client]
+[22-Only RSA-PSS Certificate Valid Signature Algorithms-client]
CipherString = DEFAULT
-SignatureAlgorithms = RSA+SHA256
+SignatureAlgorithms = rsa_pss_pss_sha512
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-22]
+ExpectedResult = Success
+ExpectedServerCertType = RSA-PSS
+ExpectedServerSignHash = SHA512
+ExpectedServerSignType = RSA-PSS
+
+
+# ===========================================================
+
+[23-RSA-PSS Certificate, no PSS signature algorithms]
+ssl_conf = 23-RSA-PSS Certificate, no PSS signature algorithms-ssl
+
+[23-RSA-PSS Certificate, no PSS signature algorithms-ssl]
+server = 23-RSA-PSS Certificate, no PSS signature algorithms-server
+client = 23-RSA-PSS Certificate, no PSS signature algorithms-client
+
+[23-RSA-PSS Certificate, no PSS signature algorithms-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
+
+[23-RSA-PSS Certificate, no PSS signature algorithms-client]
+CipherString = DEFAULT
+SignatureAlgorithms = RSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-23]
+ExpectedResult = ServerFail
+
+
+# ===========================================================
+
+[24-Only RSA-PSS Restricted Certificate]
+ssl_conf = 24-Only RSA-PSS Restricted Certificate-ssl
+
+[24-Only RSA-PSS Restricted Certificate-ssl]
+server = 24-Only RSA-PSS Restricted Certificate-server
+client = 24-Only RSA-PSS Restricted Certificate-client
+
+[24-Only RSA-PSS Restricted Certificate-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem
+
+[24-Only RSA-PSS Restricted Certificate-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-24]
+ExpectedResult = Success
+ExpectedServerCertType = RSA-PSS
+ExpectedServerSignHash = SHA256
+ExpectedServerSignType = RSA-PSS
+
+
+# ===========================================================
+
+[25-RSA-PSS Restricted Certificate Valid Signature Algorithms]
+ssl_conf = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms-ssl
+
+[25-RSA-PSS Restricted Certificate Valid Signature Algorithms-ssl]
+server = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms-server
+client = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms-client
+
+[25-RSA-PSS Restricted Certificate Valid Signature Algorithms-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem
+
+[25-RSA-PSS Restricted Certificate Valid Signature Algorithms-client]
+CipherString = DEFAULT
+SignatureAlgorithms = rsa_pss_pss_sha256:rsa_pss_pss_sha512
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-25]
+ExpectedResult = Success
+ExpectedServerCertType = RSA-PSS
+ExpectedServerSignHash = SHA256
+ExpectedServerSignType = RSA-PSS
+
+
+# ===========================================================
+
+[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm]
+ssl_conf = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-ssl
+
+[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-ssl]
+server = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-server
+client = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-client
+
+[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem
+
+[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-client]
+CipherString = DEFAULT
+SignatureAlgorithms = rsa_pss_pss_sha512:rsa_pss_pss_sha256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-26]
+ExpectedResult = Success
+ExpectedServerCertType = RSA-PSS
+ExpectedServerSignHash = SHA256
+ExpectedServerSignType = RSA-PSS
+
+
+# ===========================================================
+
+[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms]
+ssl_conf = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-ssl
+
+[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-ssl]
+server = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-server
+client = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-client
+
+[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem
+
+[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-client]
+CipherString = DEFAULT
+SignatureAlgorithms = rsa_pss_pss_sha512
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-27]
ExpectedResult = ServerFail
# ===========================================================
-[23-RSA key exchange with all RSA certificate types]
-ssl_conf = 23-RSA key exchange with all RSA certificate types-ssl
+[28-RSA key exchange with all RSA certificate types]
+ssl_conf = 28-RSA key exchange with all RSA certificate types-ssl
-[23-RSA key exchange with all RSA certificate types-ssl]
-server = 23-RSA key exchange with all RSA certificate types-server
-client = 23-RSA key exchange with all RSA certificate types-client
+[28-RSA key exchange with all RSA certificate types-ssl]
+server = 28-RSA key exchange with all RSA certificate types-server
+client = 28-RSA key exchange with all RSA certificate types-client
-[23-RSA key exchange with all RSA certificate types-server]
+[28-RSA key exchange with all RSA certificate types-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[23-RSA key exchange with all RSA certificate types-client]
+[28-RSA key exchange with all RSA certificate types-client]
CipherString = kRSA
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-23]
+[test-28]
ExpectedResult = Success
ExpectedServerCertType = RSA
# ===========================================================
-[24-RSA key exchange with only RSA-PSS certificate]
-ssl_conf = 24-RSA key exchange with only RSA-PSS certificate-ssl
+[29-RSA key exchange with only RSA-PSS certificate]
+ssl_conf = 29-RSA key exchange with only RSA-PSS certificate-ssl
-[24-RSA key exchange with only RSA-PSS certificate-ssl]
-server = 24-RSA key exchange with only RSA-PSS certificate-server
-client = 24-RSA key exchange with only RSA-PSS certificate-client
+[29-RSA key exchange with only RSA-PSS certificate-ssl]
+server = 29-RSA key exchange with only RSA-PSS certificate-server
+client = 29-RSA key exchange with only RSA-PSS certificate-client
-[24-RSA key exchange with only RSA-PSS certificate-server]
+[29-RSA key exchange with only RSA-PSS certificate-server]
Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
-[24-RSA key exchange with only RSA-PSS certificate-client]
+[29-RSA key exchange with only RSA-PSS certificate-client]
CipherString = kRSA
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-24]
+[test-29]
ExpectedResult = ServerFail
# ===========================================================
-[25-Suite B P-256 Hash Algorithm Selection]
-ssl_conf = 25-Suite B P-256 Hash Algorithm Selection-ssl
+[30-Suite B P-256 Hash Algorithm Selection]
+ssl_conf = 30-Suite B P-256 Hash Algorithm Selection-ssl
-[25-Suite B P-256 Hash Algorithm Selection-ssl]
-server = 25-Suite B P-256 Hash Algorithm Selection-server
-client = 25-Suite B P-256 Hash Algorithm Selection-client
+[30-Suite B P-256 Hash Algorithm Selection-ssl]
+server = 30-Suite B P-256 Hash Algorithm Selection-server
+client = 30-Suite B P-256 Hash Algorithm Selection-client
-[25-Suite B P-256 Hash Algorithm Selection-server]
+[30-Suite B P-256 Hash Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = SUITEB128
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p256-server-cert.pem
@@ -865,13 +1001,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p256-server-key.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[25-Suite B P-256 Hash Algorithm Selection-client]
+[30-Suite B P-256 Hash Algorithm Selection-client]
CipherString = DEFAULT
SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
VerifyMode = Peer
-[test-25]
+[test-30]
ExpectedResult = Success
ExpectedServerCertType = P-256
ExpectedServerSignHash = SHA256
@@ -880,14 +1016,14 @@ ExpectedServerSignType = EC
# ===========================================================
-[26-Suite B P-384 Hash Algorithm Selection]
-ssl_conf = 26-Suite B P-384 Hash Algorithm Selection-ssl
+[31-Suite B P-384 Hash Algorithm Selection]
+ssl_conf = 31-Suite B P-384 Hash Algorithm Selection-ssl
-[26-Suite B P-384 Hash Algorithm Selection-ssl]
-server = 26-Suite B P-384 Hash Algorithm Selection-server
-client = 26-Suite B P-384 Hash Algorithm Selection-client
+[31-Suite B P-384 Hash Algorithm Selection-ssl]
+server = 31-Suite B P-384 Hash Algorithm Selection-server
+client = 31-Suite B P-384 Hash Algorithm Selection-client
-[26-Suite B P-384 Hash Algorithm Selection-server]
+[31-Suite B P-384 Hash Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = SUITEB128
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
@@ -895,13 +1031,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[26-Suite B P-384 Hash Algorithm Selection-client]
+[31-Suite B P-384 Hash Algorithm Selection-client]
CipherString = DEFAULT
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
VerifyMode = Peer
-[test-26]
+[test-31]
ExpectedResult = Success
ExpectedServerCertType = P-384
ExpectedServerSignHash = SHA384
@@ -910,21 +1046,21 @@ ExpectedServerSignType = EC
# ===========================================================
-[27-TLS 1.2 Ed25519 Client Auth]
-ssl_conf = 27-TLS 1.2 Ed25519 Client Auth-ssl
+[32-TLS 1.2 Ed25519 Client Auth]
+ssl_conf = 32-TLS 1.2 Ed25519 Client Auth-ssl
-[27-TLS 1.2 Ed25519 Client Auth-ssl]
-server = 27-TLS 1.2 Ed25519 Client Auth-server
-client = 27-TLS 1.2 Ed25519 Client Auth-client
+[32-TLS 1.2 Ed25519 Client Auth-ssl]
+server = 32-TLS 1.2 Ed25519 Client Auth-server
+client = 32-TLS 1.2 Ed25519 Client Auth-client
-[27-TLS 1.2 Ed25519 Client Auth-server]
+[32-TLS 1.2 Ed25519 Client Auth-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
-[27-TLS 1.2 Ed25519 Client Auth-client]
+[32-TLS 1.2 Ed25519 Client Auth-client]
CipherString = DEFAULT
Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem
Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem
@@ -933,7 +1069,7 @@ MinProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-27]
+[test-32]
ExpectedClientCertType = Ed25519
ExpectedClientSignType = Ed25519
ExpectedResult = Success
@@ -941,21 +1077,21 @@ ExpectedResult = Success
# ===========================================================
-[28-TLS 1.2 Ed448 Client Auth]
-ssl_conf = 28-TLS 1.2 Ed448 Client Auth-ssl
+[33-TLS 1.2 Ed448 Client Auth]
+ssl_conf = 33-TLS 1.2 Ed448 Client Auth-ssl
-[28-TLS 1.2 Ed448 Client Auth-ssl]
-server = 28-TLS 1.2 Ed448 Client Auth-server
-client = 28-TLS 1.2 Ed448 Client Auth-client
+[33-TLS 1.2 Ed448 Client Auth-ssl]
+server = 33-TLS 1.2 Ed448 Client Auth-server
+client = 33-TLS 1.2 Ed448 Client Auth-client
-[28-TLS 1.2 Ed448 Client Auth-server]
+[33-TLS 1.2 Ed448 Client Auth-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
-[28-TLS 1.2 Ed448 Client Auth-client]
+[33-TLS 1.2 Ed448 Client Auth-client]
CipherString = DEFAULT
Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed448-cert.pem
Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed448-key.pem
@@ -964,7 +1100,7 @@ MinProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-28]
+[test-33]
ExpectedClientCertType = Ed448
ExpectedClientSignType = Ed448
ExpectedResult = Success
@@ -972,38 +1108,38 @@ ExpectedResult = Success
# ===========================================================
-[29-Only RSA-PSS Certificate, TLS v1.1]
-ssl_conf = 29-Only RSA-PSS Certificate, TLS v1.1-ssl
+[34-Only RSA-PSS Certificate, TLS v1.1]
+ssl_conf = 34-Only RSA-PSS Certificate, TLS v1.1-ssl
-[29-Only RSA-PSS Certificate, TLS v1.1-ssl]
-server = 29-Only RSA-PSS Certificate, TLS v1.1-server
-client = 29-Only RSA-PSS Certificate, TLS v1.1-client
+[34-Only RSA-PSS Certificate, TLS v1.1-ssl]
+server = 34-Only RSA-PSS Certificate, TLS v1.1-server
+client = 34-Only RSA-PSS Certificate, TLS v1.1-client
-[29-Only RSA-PSS Certificate, TLS v1.1-server]
+[34-Only RSA-PSS Certificate, TLS v1.1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
-[29-Only RSA-PSS Certificate, TLS v1.1-client]
+[34-Only RSA-PSS Certificate, TLS v1.1-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-29]
+[test-34]
ExpectedResult = ServerFail
# ===========================================================
-[30-TLS 1.3 ECDSA Signature Algorithm Selection]
-ssl_conf = 30-TLS 1.3 ECDSA Signature Algorithm Selection-ssl
+[35-TLS 1.3 ECDSA Signature Algorithm Selection]
+ssl_conf = 35-TLS 1.3 ECDSA Signature Algorithm Selection-ssl
-[30-TLS 1.3 ECDSA Signature Algorithm Selection-ssl]
-server = 30-TLS 1.3 ECDSA Signature Algorithm Selection-server
-client = 30-TLS 1.3 ECDSA Signature Algorithm Selection-client
+[35-TLS 1.3 ECDSA Signature Algorithm Selection-ssl]
+server = 35-TLS 1.3 ECDSA Signature Algorithm Selection-server
+client = 35-TLS 1.3 ECDSA Signature Algorithm Selection-client
-[30-TLS 1.3 ECDSA Signature Algorithm Selection-server]
+[35-TLS 1.3 ECDSA Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -1016,13 +1152,13 @@ MaxProtocol = TLSv1.3
MinProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[30-TLS 1.3 ECDSA Signature Algorithm Selection-client]
+[35-TLS 1.3 ECDSA Signature Algorithm Selection-client]
CipherString = DEFAULT
SignatureAlgorithms = ECDSA+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-30]
+[test-35]
ExpectedResult = Success
ExpectedServerCANames = empty
ExpectedServerCertType = P-256
@@ -1032,14 +1168,14 @@ ExpectedServerSignType = EC
# ===========================================================
-[31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point]
-ssl_conf = 31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-ssl
+[36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point]
+ssl_conf = 36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-ssl
-[31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-ssl]
-server = 31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-server
-client = 31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-client
+[36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-ssl]
+server = 36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-server
+client = 36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-client
-[31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-server]
+[36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-cecdsa-cert.pem
@@ -1048,13 +1184,13 @@ MaxProtocol = TLSv1.3
MinProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[31-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-client]
+[36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-client]
CipherString = DEFAULT
SignatureAlgorithms = ECDSA+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-31]
+[test-36]
ExpectedResult = Success
ExpectedServerCANames = empty
ExpectedServerCertType = P-256
@@ -1064,14 +1200,14 @@ ExpectedServerSignType = EC
# ===========================================================
-[32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1]
-ssl_conf = 32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-ssl
+[37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1]
+ssl_conf = 37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-ssl
-[32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-ssl]
-server = 32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-server
-client = 32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-client
+[37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-ssl]
+server = 37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-server
+client = 37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-client
-[32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-server]
+[37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -1084,26 +1220,26 @@ MaxProtocol = TLSv1.3
MinProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[32-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-client]
+[37-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-client]
CipherString = DEFAULT
SignatureAlgorithms = ECDSA+SHA1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-32]
+[test-37]
ExpectedResult = ServerFail
# ===========================================================
-[33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS]
-ssl_conf = 33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-ssl
+[38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS]
+ssl_conf = 38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-ssl
-[33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-ssl]
-server = 33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-server
-client = 33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-client
+[38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-ssl]
+server = 38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-server
+client = 38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-client
-[33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-server]
+[38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -1116,14 +1252,14 @@ MaxProtocol = TLSv1.3
MinProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[33-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-client]
+[38-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-client]
CipherString = DEFAULT
RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
SignatureAlgorithms = ECDSA+SHA256:RSA-PSS+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-33]
+[test-38]
ExpectedResult = Success
ExpectedServerCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
ExpectedServerCertType = P-256
@@ -1133,14 +1269,14 @@ ExpectedServerSignType = EC
# ===========================================================
-[34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS]
-ssl_conf = 34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-ssl
+[39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS]
+ssl_conf = 39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-ssl
-[34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-ssl]
-server = 34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-server
-client = 34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-client
+[39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-ssl]
+server = 39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-server
+client = 39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-client
-[34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-server]
+[39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -1153,13 +1289,13 @@ MaxProtocol = TLSv1.3
MinProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[34-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-client]
+[39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-client]
CipherString = DEFAULT
SignatureAlgorithms = ECDSA+SHA384:RSA-PSS+SHA384
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-34]
+[test-39]
ExpectedResult = Success
ExpectedServerCertType = RSA
ExpectedServerSignHash = SHA384
@@ -1168,40 +1304,40 @@ ExpectedServerSignType = RSA-PSS
# ===========================================================
-[35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate]
-ssl_conf = 35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl
+[40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate]
+ssl_conf = 40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl
-[35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl]
-server = 35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-server
-client = 35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-client
+[40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl]
+server = 40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-server
+client = 40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-client
-[35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-server]
+[40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.3
MinProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[35-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-client]
+[40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-client]
CipherString = DEFAULT
SignatureAlgorithms = ECDSA+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-35]
+[test-40]
ExpectedResult = ServerFail
# ===========================================================
-[36-TLS 1.3 RSA Signature Algorithm Selection, no PSS]
-ssl_conf = 36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-ssl
+[41-TLS 1.3 RSA Signature Algorithm Selection, no PSS]
+ssl_conf = 41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-ssl
-[36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-ssl]
-server = 36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-server
-client = 36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-client
+[41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-ssl]
+server = 41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-server
+client = 41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-client
-[36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-server]
+[41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -1214,26 +1350,26 @@ MaxProtocol = TLSv1.3
MinProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[36-TLS 1.3 RSA Signature Algorithm Selection, no PSS-client]
+[41-TLS 1.3 RSA Signature Algorithm Selection, no PSS-client]
CipherString = DEFAULT
SignatureAlgorithms = RSA+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-36]
+[test-41]
ExpectedResult = ServerFail
# ===========================================================
-[37-TLS 1.3 RSA-PSS Signature Algorithm Selection]
-ssl_conf = 37-TLS 1.3 RSA-PSS Signature Algorithm Selection-ssl
+[42-TLS 1.3 RSA-PSS Signature Algorithm Selection]
+ssl_conf = 42-TLS 1.3 RSA-PSS Signature Algorithm Selection-ssl
-[37-TLS 1.3 RSA-PSS Signature Algorithm Selection-ssl]
-server = 37-TLS 1.3 RSA-PSS Signature Algorithm Selection-server
-client = 37-TLS 1.3 RSA-PSS Signature Algorithm Selection-client
+[42-TLS 1.3 RSA-PSS Signature Algorithm Selection-ssl]
+server = 42-TLS 1.3 RSA-PSS Signature Algorithm Selection-server
+client = 42-TLS 1.3 RSA-PSS Signature Algorithm Selection-client
-[37-TLS 1.3 RSA-PSS Signature Algorithm Selection-server]
+[42-TLS 1.3 RSA-PSS Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -1246,13 +1382,13 @@ MaxProtocol = TLSv1.3
MinProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[37-TLS 1.3 RSA-PSS Signature Algorithm Selection-client]
+[42-TLS 1.3 RSA-PSS Signature Algorithm Selection-client]
CipherString = DEFAULT
SignatureAlgorithms = RSA-PSS+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-37]
+[test-42]
ExpectedResult = Success
ExpectedServerCertType = RSA
ExpectedServerSignHash = SHA256
@@ -1261,14 +1397,14 @@ ExpectedServerSignType = RSA-PSS
# ===========================================================
-[38-TLS 1.3 Ed25519 Signature Algorithm Selection]
-ssl_conf = 38-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl
+[43-TLS 1.3 Ed25519 Signature Algorithm Selection]
+ssl_conf = 43-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl
-[38-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl]
-server = 38-TLS 1.3 Ed25519 Signature Algorithm Selection-server
-client = 38-TLS 1.3 Ed25519 Signature Algorithm Selection-client
+[43-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl]
+server = 43-TLS 1.3 Ed25519 Signature Algorithm Selection-server
+client = 43-TLS 1.3 Ed25519 Signature Algorithm Selection-client
-[38-TLS 1.3 Ed25519 Signature Algorithm Selection-server]
+[43-TLS 1.3 Ed25519 Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -1281,13 +1417,13 @@ MaxProtocol = TLSv1.3
MinProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[38-TLS 1.3 Ed25519 Signature Algorithm Selection-client]
+[43-TLS 1.3 Ed25519 Signature Algorithm Selection-client]
CipherString = DEFAULT
SignatureAlgorithms = ed25519
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-38]
+[test-43]
ExpectedResult = Success
ExpectedServerCertType = Ed25519
ExpectedServerSignType = Ed25519
@@ -1295,14 +1431,14 @@ ExpectedServerSignType = Ed25519
# ===========================================================
-[39-TLS 1.3 Ed448 Signature Algorithm Selection]
-ssl_conf = 39-TLS 1.3 Ed448 Signature Algorithm Selection-ssl
+[44-TLS 1.3 Ed448 Signature Algorithm Selection]
+ssl_conf = 44-TLS 1.3 Ed448 Signature Algorithm Selection-ssl
-[39-TLS 1.3 Ed448 Signature Algorithm Selection-ssl]
-server = 39-TLS 1.3 Ed448 Signature Algorithm Selection-server
-client = 39-TLS 1.3 Ed448 Signature Algorithm Selection-client
+[44-TLS 1.3 Ed448 Signature Algorithm Selection-ssl]
+server = 44-TLS 1.3 Ed448 Signature Algorithm Selection-server
+client = 44-TLS 1.3 Ed448 Signature Algorithm Selection-client
-[39-TLS 1.3 Ed448 Signature Algorithm Selection-server]
+[44-TLS 1.3 Ed448 Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -1315,13 +1451,13 @@ MaxProtocol = TLSv1.3
MinProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[39-TLS 1.3 Ed448 Signature Algorithm Selection-client]
+[44-TLS 1.3 Ed448 Signature Algorithm Selection-client]
CipherString = DEFAULT
SignatureAlgorithms = ed448
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-39]
+[test-44]
ExpectedResult = Success
ExpectedServerCertType = Ed448
ExpectedServerSignType = Ed448
@@ -1329,14 +1465,14 @@ ExpectedServerSignType = Ed448
# ===========================================================
-[40-TLS 1.3 Ed25519 CipherString and Groups Selection]
-ssl_conf = 40-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl
+[45-TLS 1.3 Ed25519 CipherString and Groups Selection]
+ssl_conf = 45-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl
-[40-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl]
-server = 40-TLS 1.3 Ed25519 CipherString and Groups Selection-server
-client = 40-TLS 1.3 Ed25519 CipherString and Groups Selection-client
+[45-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl]
+server = 45-TLS 1.3 Ed25519 CipherString and Groups Selection-server
+client = 45-TLS 1.3 Ed25519 CipherString and Groups Selection-client
-[40-TLS 1.3 Ed25519 CipherString and Groups Selection-server]
+[45-TLS 1.3 Ed25519 CipherString and Groups Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -1349,14 +1485,14 @@ MaxProtocol = TLSv1.3
MinProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[40-TLS 1.3 Ed25519 CipherString and Groups Selection-client]
+[45-TLS 1.3 Ed25519 CipherString and Groups Selection-client]
CipherString = DEFAULT
Groups = X25519
SignatureAlgorithms = ECDSA+SHA256:ed25519
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-40]
+[test-45]
ExpectedResult = Success
ExpectedServerCertType = P-256
ExpectedServerSignType = EC
@@ -1364,14 +1500,14 @@ ExpectedServerSignType = EC
# ===========================================================
-[41-TLS 1.3 Ed448 CipherString and Groups Selection]
-ssl_conf = 41-TLS 1.3 Ed448 CipherString and Groups Selection-ssl
+[46-TLS 1.3 Ed448 CipherString and Groups Selection]
+ssl_conf = 46-TLS 1.3 Ed448 CipherString and Groups Selection-ssl
-[41-TLS 1.3 Ed448 CipherString and Groups Selection-ssl]
-server = 41-TLS 1.3 Ed448 CipherString and Groups Selection-server
-client = 41-TLS 1.3 Ed448 CipherString and Groups Selection-client
+[46-TLS 1.3 Ed448 CipherString and Groups Selection-ssl]
+server = 46-TLS 1.3 Ed448 CipherString and Groups Selection-server
+client = 46-TLS 1.3 Ed448 CipherString and Groups Selection-client
-[41-TLS 1.3 Ed448 CipherString and Groups Selection-server]
+[46-TLS 1.3 Ed448 CipherString and Groups Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -1384,14 +1520,14 @@ MaxProtocol = TLSv1.3
MinProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[41-TLS 1.3 Ed448 CipherString and Groups Selection-client]
+[46-TLS 1.3 Ed448 CipherString and Groups Selection-client]
CipherString = DEFAULT
Groups = X448
SignatureAlgorithms = ECDSA+SHA256:ed448
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-41]
+[test-46]
ExpectedResult = Success
ExpectedServerCertType = P-256
ExpectedServerSignType = EC
@@ -1399,14 +1535,14 @@ ExpectedServerSignType = EC
# ===========================================================
-[42-TLS 1.3 RSA Client Auth Signature Algorithm Selection]
-ssl_conf = 42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl
+[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection]
+ssl_conf = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl
-[42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl]
-server = 42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server
-client = 42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client
+[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl]
+server = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server
+client = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client
-[42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server]
+[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ClientSignatureAlgorithms = PSS+SHA256
@@ -1414,7 +1550,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
-[42-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client]
+[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client]
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem
ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem
@@ -1425,7 +1561,7 @@ RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-42]
+[test-47]
ExpectedClientCANames = empty
ExpectedClientCertType = RSA
ExpectedClientSignHash = SHA256
@@ -1435,14 +1571,14 @@ ExpectedResult = Success
# ===========================================================
-[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names]
-ssl_conf = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl
+[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names]
+ssl_conf = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl
-[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl]
-server = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server
-client = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client
+[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl]
+server = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server
+client = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client
-[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server]
+[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ClientSignatureAlgorithms = PSS+SHA256
@@ -1451,7 +1587,7 @@ RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
-[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client]
+[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client]
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem
ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem
@@ -1462,7 +1598,7 @@ RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-43]
+[test-48]
ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
ExpectedClientCertType = RSA
ExpectedClientSignHash = SHA256
@@ -1472,14 +1608,14 @@ ExpectedResult = Success
# ===========================================================
-[44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection]
-ssl_conf = 44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl
+[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection]
+ssl_conf = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl
-[44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl]
-server = 44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server
-client = 44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client
+[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl]
+server = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server
+client = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client
-[44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server]
+[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ClientSignatureAlgorithms = ECDSA+SHA256
@@ -1487,7 +1623,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
-[44-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client]
+[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client]
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem
ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem
@@ -1498,7 +1634,7 @@ RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-44]
+[test-49]
ExpectedClientCertType = P-256
ExpectedClientSignHash = SHA256
ExpectedClientSignType = EC
@@ -1507,21 +1643,21 @@ ExpectedResult = Success
# ===========================================================
-[45-TLS 1.3 Ed25519 Client Auth]
-ssl_conf = 45-TLS 1.3 Ed25519 Client Auth-ssl
+[50-TLS 1.3 Ed25519 Client Auth]
+ssl_conf = 50-TLS 1.3 Ed25519 Client Auth-ssl
-[45-TLS 1.3 Ed25519 Client Auth-ssl]
-server = 45-TLS 1.3 Ed25519 Client Auth-server
-client = 45-TLS 1.3 Ed25519 Client Auth-client
+[50-TLS 1.3 Ed25519 Client Auth-ssl]
+server = 50-TLS 1.3 Ed25519 Client Auth-server
+client = 50-TLS 1.3 Ed25519 Client Auth-client
-[45-TLS 1.3 Ed25519 Client Auth-server]
+[50-TLS 1.3 Ed25519 Client Auth-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
-[45-TLS 1.3 Ed25519 Client Auth-client]
+[50-TLS 1.3 Ed25519 Client Auth-client]
CipherString = DEFAULT
EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem
EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem
@@ -1530,7 +1666,7 @@ MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-45]
+[test-50]
ExpectedClientCertType = Ed25519
ExpectedClientSignType = Ed25519
ExpectedResult = Success
@@ -1538,21 +1674,21 @@ ExpectedResult = Success
# ===========================================================
-[46-TLS 1.3 Ed448 Client Auth]
-ssl_conf = 46-TLS 1.3 Ed448 Client Auth-ssl
+[51-TLS 1.3 Ed448 Client Auth]
+ssl_conf = 51-TLS 1.3 Ed448 Client Auth-ssl
-[46-TLS 1.3 Ed448 Client Auth-ssl]
-server = 46-TLS 1.3 Ed448 Client Auth-server
-client = 46-TLS 1.3 Ed448 Client Auth-client
+[51-TLS 1.3 Ed448 Client Auth-ssl]
+server = 51-TLS 1.3 Ed448 Client Auth-server
+client = 51-TLS 1.3 Ed448 Client Auth-client
-[46-TLS 1.3 Ed448 Client Auth-server]
+[51-TLS 1.3 Ed448 Client Auth-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
-[46-TLS 1.3 Ed448 Client Auth-client]
+[51-TLS 1.3 Ed448 Client Auth-client]
CipherString = DEFAULT
EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed448-cert.pem
EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed448-key.pem
@@ -1561,7 +1697,7 @@ MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-46]
+[test-51]
ExpectedClientCertType = Ed448
ExpectedClientSignType = Ed448
ExpectedResult = Success
@@ -1569,20 +1705,20 @@ ExpectedResult = Success
# ===========================================================
-[47-TLS 1.3 ECDSA with brainpool]
-ssl_conf = 47-TLS 1.3 ECDSA with brainpool-ssl
+[52-TLS 1.3 ECDSA with brainpool]
+ssl_conf = 52-TLS 1.3 ECDSA with brainpool-ssl
-[47-TLS 1.3 ECDSA with brainpool-ssl]
-server = 47-TLS 1.3 ECDSA with brainpool-server
-client = 47-TLS 1.3 ECDSA with brainpool-client
+[52-TLS 1.3 ECDSA with brainpool-ssl]
+server = 52-TLS 1.3 ECDSA with brainpool-server
+client = 52-TLS 1.3 ECDSA with brainpool-client
-[47-TLS 1.3 ECDSA with brainpool-server]
+[52-TLS 1.3 ECDSA with brainpool-server]
Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
CipherString = DEFAULT
Groups = brainpoolP256r1
PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
-[47-TLS 1.3 ECDSA with brainpool-client]
+[52-TLS 1.3 ECDSA with brainpool-client]
CipherString = DEFAULT
Groups = brainpoolP256r1
MaxProtocol = TLSv1.3
@@ -1591,20 +1727,20 @@ RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-47]
+[test-52]
ExpectedResult = ServerFail
# ===========================================================
-[48-TLS 1.2 DSA Certificate Test]
-ssl_conf = 48-TLS 1.2 DSA Certificate Test-ssl
+[53-TLS 1.2 DSA Certificate Test]
+ssl_conf = 53-TLS 1.2 DSA Certificate Test-ssl
-[48-TLS 1.2 DSA Certificate Test-ssl]
-server = 48-TLS 1.2 DSA Certificate Test-server
-client = 48-TLS 1.2 DSA Certificate Test-client
+[53-TLS 1.2 DSA Certificate Test-ssl]
+server = 53-TLS 1.2 DSA Certificate Test-server
+client = 53-TLS 1.2 DSA Certificate Test-client
-[48-TLS 1.2 DSA Certificate Test-server]
+[53-TLS 1.2 DSA Certificate Test-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = ALL
DHParameters = ${ENV::TEST_CERTS_DIR}/dhp2048.pem
@@ -1614,26 +1750,26 @@ MaxProtocol = TLSv1.2
MinProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[48-TLS 1.2 DSA Certificate Test-client]
+[53-TLS 1.2 DSA Certificate Test-client]
CipherString = ALL
SignatureAlgorithms = DSA+SHA256:DSA+SHA1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-48]
+[test-53]
ExpectedResult = Success
# ===========================================================
-[49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms]
-ssl_conf = 49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-ssl
+[54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms]
+ssl_conf = 54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-ssl
-[49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-ssl]
-server = 49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-server
-client = 49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-client
+[54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-ssl]
+server = 54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-server
+client = 54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-client
-[49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-server]
+[54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ClientSignatureAlgorithms = ECDSA+SHA1:DSA+SHA256:RSA+SHA256
@@ -1641,25 +1777,25 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Request
-[49-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-client]
+[54-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-49]
+[test-54]
ExpectedResult = ServerFail
# ===========================================================
-[50-TLS 1.3 DSA Certificate Test]
-ssl_conf = 50-TLS 1.3 DSA Certificate Test-ssl
+[55-TLS 1.3 DSA Certificate Test]
+ssl_conf = 55-TLS 1.3 DSA Certificate Test-ssl
-[50-TLS 1.3 DSA Certificate Test-ssl]
-server = 50-TLS 1.3 DSA Certificate Test-server
-client = 50-TLS 1.3 DSA Certificate Test-client
+[55-TLS 1.3 DSA Certificate Test-ssl]
+server = 55-TLS 1.3 DSA Certificate Test-server
+client = 55-TLS 1.3 DSA Certificate Test-client
-[50-TLS 1.3 DSA Certificate Test-server]
+[55-TLS 1.3 DSA Certificate Test-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = ALL
DSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-dsa-cert.pem
@@ -1668,13 +1804,13 @@ MaxProtocol = TLSv1.3
MinProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[50-TLS 1.3 DSA Certificate Test-client]
+[55-TLS 1.3 DSA Certificate Test-client]
CipherString = ALL
SignatureAlgorithms = DSA+SHA1:DSA+SHA256:ECDSA+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-50]
+[test-55]
ExpectedResult = ServerFail
diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in
index bdf53c6e1e..5e9bfede5d 100644
--- a/test/ssl-tests/20-cert-select.conf.in
+++ b/test/ssl-tests/20-cert-select.conf.in
@@ -36,6 +36,12 @@ my $server_pss_only = {
"PrivateKey" => test_pem("server-pss-key.pem"),
};
+my $server_pss_restrict_only = {
+ "Certificate" => test_pem("server-pss-restrict-cert.pem"),
+ "PrivateKey" => test_pem("server-pss-restrict-key.pem"),
+};
+
+
my $server_rsa_all = {
"PSS.Certificate" => test_pem("server-pss-cert.pem"),
"PSS.PrivateKey" => test_pem("server-pss-key.pem"),
@@ -379,6 +385,19 @@ our @tests = (
"ExpectedResult" => "Success"
},
},
+ {
+ name => "Only RSA-PSS Certificate Valid Signature Algorithms",
+ server => $server_pss_only,
+ client => {
+ "SignatureAlgorithms" => "rsa_pss_pss_sha512",
+ },
+ test => {
+ "ExpectedServerCertType" => "RSA-PSS",
+ "ExpectedServerSignHash" => "SHA512",
+ "ExpectedServerSignType" => "RSA-PSS",
+ "ExpectedResult" => "Success"
+ },
+ },
{
name => "RSA-PSS Certificate, no PSS signature algorithms",
server => $server_pss_only,
@@ -389,6 +408,53 @@ our @tests = (
"ExpectedResult" => "ServerFail"
},
},
+ {
+ name => "Only RSA-PSS Restricted Certificate",
+ server => $server_pss_restrict_only,
+ client => {},
+ test => {
+ "ExpectedServerCertType" => "RSA-PSS",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "RSA-PSS",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "RSA-PSS Restricted Certificate Valid Signature Algorithms",
+ server => $server_pss_restrict_only,
+ client => {
+ "SignatureAlgorithms" => "rsa_pss_pss_sha256:rsa_pss_pss_sha512",
+ },
+ test => {
+ "ExpectedServerCertType" => "RSA-PSS",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "RSA-PSS",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "RSA-PSS Restricted Cert client prefers invalid Signature Algorithm",
+ server => $server_pss_restrict_only,
+ client => {
+ "SignatureAlgorithms" => "rsa_pss_pss_sha512:rsa_pss_pss_sha256",
+ },
+ test => {
+ "ExpectedServerCertType" => "RSA-PSS",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "RSA-PSS",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "RSA-PSS Restricted Certificate Invalid Signature Algorithms",
+ server => $server_pss_restrict_only,
+ client => {
+ "SignatureAlgorithms" => "rsa_pss_pss_sha512",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
{
name => "RSA key exchange with all RSA certificate types",
server => $server_rsa_all,
More information about the openssl-commits
mailing list