-rw-r--r-- | tests/pkcs11/tls-neg-pkcs11-key.c | 31 |
1 files changed, 19 insertions, 12 deletions
diff --git a/tests/pkcs11/tls-neg-pkcs11-key.c b/tests/pkcs11/tls-neg-pkcs11-key.c
index ca16600130..c85d8789df 100644
--- a/tests/pkcs11/tls-neg-pkcs11-key.c
+++ b/tests/pkcs11/tls-neg-pkcs11-key.c
@@ -247,45 +247,52 @@ typedef struct test_st {
 } test_st;
 static const test_st tests[] = {
- {.name = "ecc key",
+ {.name = "tls1.2: ecc key",
 .pk = GNUTLS_PK_ECDSA,
- .prio = "NORMAL:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA",
+ .prio = "NORMAL:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
 .cert = &server_ca3_localhost_ecc_cert,
 .key = &server_ca3_ecc_key,
 .exp_kx = GNUTLS_KX_ECDHE_ECDSA
 },
- {.name = "rsa-sign key",
+ {.name = "tls1.2: rsa-sign key",
 .pk = GNUTLS_PK_RSA,
- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
 .cert = &server_ca3_localhost_cert,
 .key = &server_ca3_key,
 .exp_kx = GNUTLS_KX_ECDHE_RSA
 },
- {.name = "rsa-sign key with rsa-pss sigs prioritized",
+ {.name = "tls1.2: rsa-sign key with rsa-pss sigs prioritized",
 .pk = GNUTLS_PK_RSA,
- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512",
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:-VERS-TLS-ALL:+VERS-TLS1.2",
 .cert = &server_ca3_localhost_cert,
 .key = &server_ca3_key,
 .exp_kx = GNUTLS_KX_ECDHE_RSA
 },
- {.name = "rsa-pss-sign key",
+ {.name = "tls1.2: rsa-pss-sign key",
 .pk = GNUTLS_PK_RSA_PSS,
- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
 .cert = &server_ca3_rsa_pss2_cert,
 .key = &server_ca3_rsa_pss2_key,
 .exp_kx = GNUTLS_KX_ECDHE_RSA,
 .requires_pkcs11_pss = 1,
- .exp_serv_err = GNUTLS_E_NO_CIPHER_SUITES
 },
- {.name = "rsa-pss cert, rsa-sign key", /* we expect the server to refuse negotiating */
+ {.name = "tls1.2: rsa-pss cert, rsa-sign key",
 .pk = GNUTLS_PK_RSA,
- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
+ .cert = &server_ca3_rsa_pss_cert,
+ .key = &server_ca3_rsa_pss_key,
+ .exp_kx = GNUTLS_KX_ECDHE_RSA,
+ .requires_pkcs11_pss = 1,
+ },
+ {.name = "tls1.2: rsa-pss cert, rsa-sign key no PSS signatures",
+ .pk = GNUTLS_PK_RSA,
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2:-SIGN-RSA-PSS-SHA256:-SIGN-RSA-PSS-SHA384:-SIGN-RSA-PSS-SHA512",
 .cert = &server_ca3_rsa_pss_cert,
 .key = &server_ca3_rsa_pss_key,
 .exp_kx = GNUTLS_KX_ECDHE_RSA,
 .exp_serv_err = GNUTLS_E_NO_CIPHER_SUITES
 },
- {.name = "ed25519 cert, ed25519 key", /* we cannot import that key */
+ {.name = "tls1.2: ed25519 cert, ed25519 key", /* we cannot import that key */
 .pk = GNUTLS_PK_EDDSA_ED25519,
 .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
 .cert = &server_ca3_eddsa_cert, |
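Review bot: The last entry is renamed to `"tls1.2: ed25519 cert, ed25519 key"` but its `.prio` is still `"NORMAL:+ECDHE-RSA:+ECDHE-ECDSA"`, so unlike every other `tls1.2:` case it does not pin the protocol version; if the prefix is meant literally, append `:-VERS-TLS-ALL:+VERS-TLS1.2` there too. That entry continues past the end of the hunk, and its `/* we cannot import that key */` comment suggests it may stop before any handshake, in which case the prefix is only a label and could be dropped instead. Separately, the removed `/* we expect the server to refuse negotiating */` comment now applies to the new `no PSS signatures` case, which is the one that keeps `.exp_serv_err = GNUTLS_E_NO_CIPHER_SUITES`. I would carry it over as `/* RSA-PSS signatures disabled: we expect the server to refuse negotiating */`, since this appears to be the case that guards against signing for an RSA-PSS certificate with a non-PSS scheme.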