Add certificate selection tests.

Add certifcate selection tests: the certificate type is selected by cipher
string and signature algorithm.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2224)

test/recipes/80-test_ssl_new.t

@@ -29,7 +29,7 @@ map { s/\.in// } @conf_files;
 
 # We hard-code the number of tests to double-check that the globbing above
 # finds all files as expected.
-plan tests => 19;  # = scalar @conf_srcs
+plan tests => 20;  # = scalar @conf_srcs
 
 # Some test results depend on the configuration of enabled protocols. We only
 # verify generated sources in the default configuration.
@@ -80,6 +80,7 @@ my %skip = (
   "16-dtls-certstatus.conf" => $no_dtls || $no_ocsp,
   "18-dtls-renegotiate.conf" => $no_dtls,
   "19-mac-then-encrypt.conf" => $no_pre_tls1_3,
+  "20-cert-select.conf" => $no_ec,
 );
 
 foreach my $conf (@conf_files) {

test/ssl-tests/20-cert-select.conf

+# Generated with generate_ssl_tests.pl
+
+num_tests = 6
+
+test-0 = 0-ECDSA CipherString Selection
+test-1 = 1-RSA CipherString Selection
+test-2 = 2-ECDSA CipherString Selection, no ECDSA certificate
+test-3 = 3-ECDSA Signature Algorithm Selection
+test-4 = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate
+test-5 = 5-RSA Signature Algorithm Selection
+# ===========================================================
+
+[0-ECDSA CipherString Selection]
+ssl_conf = 0-ECDSA CipherString Selection-ssl
+
+[0-ECDSA CipherString Selection-ssl]
+server = 0-ECDSA CipherString Selection-server
+client = 0-ECDSA CipherString Selection-client
+
+[0-ECDSA CipherString Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[0-ECDSA CipherString Selection-client]
+CipherString = aECDSA
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-0]
+ExpectedResult = Success
+ExpectedServerCertType = P-256
+
+
+# ===========================================================
+
+[1-RSA CipherString Selection]
+ssl_conf = 1-RSA CipherString Selection-ssl
+
+[1-RSA CipherString Selection-ssl]
+server = 1-RSA CipherString Selection-server
+client = 1-RSA CipherString Selection-client
+
+[1-RSA CipherString Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[1-RSA CipherString Selection-client]
+CipherString = aRSA
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-1]
+ExpectedResult = Success
+ExpectedServerCertType = RSA
+
+
+# ===========================================================
+
+[2-ECDSA CipherString Selection, no ECDSA certificate]
+ssl_conf = 2-ECDSA CipherString Selection, no ECDSA certificate-ssl
+
+[2-ECDSA CipherString Selection, no ECDSA certificate-ssl]
+server = 2-ECDSA CipherString Selection, no ECDSA certificate-server
+client = 2-ECDSA CipherString Selection, no ECDSA certificate-client
+
+[2-ECDSA CipherString Selection, no ECDSA certificate-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[2-ECDSA CipherString Selection, no ECDSA certificate-client]
+CipherString = aECDSA
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-2]
+ExpectedResult = ServerFail
+
+
+# ===========================================================
+
+[3-ECDSA Signature Algorithm Selection]
+ssl_conf = 3-ECDSA Signature Algorithm Selection-ssl
+
+[3-ECDSA Signature Algorithm Selection-ssl]
+server = 3-ECDSA Signature Algorithm Selection-server
+client = 3-ECDSA Signature Algorithm Selection-client
+
+[3-ECDSA Signature Algorithm Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[3-ECDSA Signature Algorithm Selection-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-3]
+ExpectedResult = Success
+ExpectedServerCertType = P-256
+
+
+# ===========================================================
+
+[4-ECDSA Signature Algorithm Selection, no ECDSA certificate]
+ssl_conf = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl
+
+[4-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl]
+server = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate-server
+client = 4-ECDSA Signature Algorithm Selection, no ECDSA certificate-client
+
+[4-ECDSA Signature Algorithm Selection, no ECDSA certificate-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[4-ECDSA Signature Algorithm Selection, no ECDSA certificate-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-4]
+ExpectedResult = ServerFail
+
+
+# ===========================================================
+
+[5-RSA Signature Algorithm Selection]
+ssl_conf = 5-RSA Signature Algorithm Selection-ssl
+
+[5-RSA Signature Algorithm Selection-ssl]
+server = 5-RSA Signature Algorithm Selection-server
+client = 5-RSA Signature Algorithm Selection-client
+
+[5-RSA Signature Algorithm Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[5-RSA Signature Algorithm Selection-client]
+CipherString = DEFAULT
+SignatureAlgorithms = RSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-5]
+ExpectedResult = Success
+ExpectedServerCertType = RSA
+
+

test/ssl-tests/20-cert-select.conf.in

+# -*- mode: perl; -*-
+
+## SSL test configurations
+
+package ssltests;
+
+use strict;
+use warnings;
+
+use OpenSSL::Test;
+use OpenSSL::Test::Utils qw(anydisabled);
+
+my $dir_sep = $^O ne "VMS" ? "/" : "";
+
+my $server = {
+    "ECDSA.Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}server-ecdsa-cert.pem",
+    "ECDSA.PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}server-ecdsa-key.pem",
+    # TODO: add test cases for TLSv1.3
+    "MaxProtocol" => "TLSv1.2"
+};
+
+our @tests = (
+    {
+        name => "ECDSA CipherString Selection",
+        server => $server,
+        client => {
+            "CipherString" => "aECDSA",
+        },
+        test   => {
+            "ExpectedServerCertType" =>, "P-256",
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
+        name => "RSA CipherString Selection",
+        server => $server,
+        client => {
+            "CipherString" => "aRSA",
+        },
+        test   => {
+            "ExpectedServerCertType" =>, "RSA",
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
+        name => "ECDSA CipherString Selection, no ECDSA certificate",
+        server => { },
+        client => {
+            "CipherString" => "aECDSA"
+        },
+        test   => {
+            "ExpectedResult" => "ServerFail"
+        },
+    },
+    {
+        name => "ECDSA Signature Algorithm Selection",
+        server => $server,
+        client => {
+            "SignatureAlgorithms" => "ECDSA+SHA256",
+        },
+        test   => {
+            "ExpectedServerCertType" =>, "P-256",
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
+        name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
+        server => { },
+        client => {
+            "SignatureAlgorithms" => "ECDSA+SHA256",
+        },
+        test   => {
+            "ExpectedResult" => "ServerFail"
+        },
+    },
+    {
+        name => "RSA Signature Algorithm Selection",
+        server => $server,
+        client => {
+            "SignatureAlgorithms" => "RSA+SHA256",
+        },
+        test   => {
+            "ExpectedServerCertType" =>, "RSA",
+            "ExpectedResult" => "Success"
+        },
+    }
+);