Merge branch 'sha1-dev' into development
* sha1-dev: Cleaned up negative test predicate for test case all.sh: test with SHA-1 enabled SHA-1 deprecation: allow it in key exchange Allow SHA-1 in server tests, when the signature_algorithm extension is not used Document test data makefile X.509 tests: obey compile-time SHA-1 support option Allow SHA-1 in test scripts Test that SHA-1 defaults off Allow SHA-1 in SSL renegotiation tests Test that X.509 verification rejects SHA-256 by default Allow SHA-1 in X.509 and TLS tests X.509 self-tests: replaced SHA-1 certificates by SHA-256 Added SHA256 test certificates Remove SHA-1 in TLS by default
This commit is contained in:
commit
003b4c7b4a
26 changed files with 680 additions and 148 deletions
|
@ -2,6 +2,12 @@ mbed TLS ChangeLog (Sorted per branch, date)
|
|||
|
||||
mbed TLS 2.x.x branch released xxxx-xx-xx
|
||||
|
||||
Security
|
||||
|
||||
* Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
|
||||
certificate verification. SHA-1 can be turned back on with a compile-time
|
||||
option if needed.
|
||||
|
||||
Bugfix
|
||||
* Remove invalid use of size zero arrays in ECJPAKE test suite.
|
||||
* Fix insufficient support for signature-hash-algorithm extension,
|
||||
|
|
|
@ -2251,7 +2251,8 @@
|
|||
* library/ssl_tls.c
|
||||
* library/x509write_crt.c
|
||||
*
|
||||
* This module is required for SSL/TLS and SHA1-signed certificates.
|
||||
* This module is required for SSL/TLS up to version 1.1, for TLS 1.2
|
||||
* depending on the handshake parameters, and for SHA1-signed certificates.
|
||||
*/
|
||||
#define MBEDTLS_SHA1_C
|
||||
|
||||
|
@ -2636,6 +2637,26 @@
|
|||
//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
|
||||
//#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */
|
||||
|
||||
/**
|
||||
* Allow SHA-1 in the default TLS configuration for certificate signing.
|
||||
* Without this build-time option, SHA-1 support must be activated explicitly
|
||||
* through mbedtls_ssl_conf_cert_profile. Turning on this option is not
|
||||
* recommended because of it is possible to generte SHA-1 collisions, however
|
||||
* this may be safe for legacy infrastructure where additional controls apply.
|
||||
*/
|
||||
// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
|
||||
|
||||
/**
|
||||
* Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
|
||||
* signature and ciphersuite selection. Without this build-time option, SHA-1
|
||||
* support must be activated explicitly through mbedtls_ssl_conf_sig_hashes.
|
||||
* The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
|
||||
* default. At the time of writing, there is no practical attack on the use
|
||||
* of SHA-1 in handshake signatures, hence this option is turned on by default
|
||||
* for compatibility with existing peers.
|
||||
*/
|
||||
#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
|
||||
|
||||
/* \} name SECTION: Customisation configuration options */
|
||||
|
||||
/* Target and application specific configurations */
|
||||
|
|
121
library/certs.c
121
library/certs.c
|
@ -47,6 +47,7 @@
|
|||
"uCjn8pwUOkABXK8Mss90fzCfCEOtIA==\r\n" \
|
||||
"-----END CERTIFICATE-----\r\n"
|
||||
const char mbedtls_test_ca_crt_ec[] = TEST_CA_CRT_EC;
|
||||
const size_t mbedtls_test_ca_crt_ec_len = sizeof( mbedtls_test_ca_crt_ec );
|
||||
|
||||
const char mbedtls_test_ca_key_ec[] =
|
||||
"-----BEGIN EC PRIVATE KEY-----\r\n"
|
||||
|
@ -58,8 +59,10 @@ const char mbedtls_test_ca_key_ec[] =
|
|||
"UsuWTITwJImcnlAs1gaRZ3sAWm7cOUidL0fo2G0fYUFNcYoCSLffCFTEHBuPnagb\r\n"
|
||||
"a77x/sY1Bvii8S9/XhDTb6pTMx06wzrm\r\n"
|
||||
"-----END EC PRIVATE KEY-----\r\n";
|
||||
const size_t mbedtls_test_ca_key_ec_len = sizeof( mbedtls_test_ca_key_ec );
|
||||
|
||||
const char mbedtls_test_ca_pwd_ec[] = "PolarSSLTest";
|
||||
const size_t mbedtls_test_ca_pwd_ec_len = sizeof( mbedtls_test_ca_pwd_ec ) - 1;
|
||||
|
||||
const char mbedtls_test_srv_crt_ec[] =
|
||||
"-----BEGIN CERTIFICATE-----\r\n"
|
||||
|
@ -76,6 +79,7 @@ const char mbedtls_test_srv_crt_ec[] =
|
|||
"C12r0Lz3ri/moSEpNZWqPjkCMCE2f53GXcYLqyfyJR078c/xNSUU5+Xxl7VZ414V\r\n"
|
||||
"fGa5kHvHARBPc8YAIVIqDvHH1Q==\r\n"
|
||||
"-----END CERTIFICATE-----\r\n";
|
||||
const size_t mbedtls_test_srv_crt_ec_len = sizeof( mbedtls_test_srv_crt_ec );
|
||||
|
||||
const char mbedtls_test_srv_key_ec[] =
|
||||
"-----BEGIN EC PRIVATE KEY-----\r\n"
|
||||
|
@ -83,6 +87,7 @@ const char mbedtls_test_srv_key_ec[] =
|
|||
"AwEHoUQDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/\r\n"
|
||||
"6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/w==\r\n"
|
||||
"-----END EC PRIVATE KEY-----\r\n";
|
||||
const size_t mbedtls_test_srv_key_ec_len = sizeof( mbedtls_test_srv_key_ec );
|
||||
|
||||
const char mbedtls_test_cli_crt_ec[] =
|
||||
"-----BEGIN CERTIFICATE-----\r\n"
|
||||
|
@ -99,6 +104,7 @@ const char mbedtls_test_cli_crt_ec[] =
|
|||
"lgOsjnhw3fIOoLIWy2WOGsk/LGF++DzvrRzuNiACMQCd8iem1XS4JK7haj8xocpU\r\n"
|
||||
"LwjQje5PDGHfd3h9tP38Qknu5bJqws0md2KOKHyeV0U=\r\n"
|
||||
"-----END CERTIFICATE-----\r\n";
|
||||
const size_t mbedtls_test_cli_crt_ec_len = sizeof( mbedtls_test_cli_crt_ec );
|
||||
|
||||
const char mbedtls_test_cli_key_ec[] =
|
||||
"-----BEGIN EC PRIVATE KEY-----\r\n"
|
||||
|
@ -106,20 +112,12 @@ const char mbedtls_test_cli_key_ec[] =
|
|||
"AwEHoUQDQgAEV+WusXPf06y7k7iB/xKu7uZTrM5VU/Y0Dswu42MlC9+Y4vNcYDaW\r\n"
|
||||
"wNUYFHDlf5/VS0UY5bBs1Vz4lo+HcKPkxw==\r\n"
|
||||
"-----END EC PRIVATE KEY-----\r\n";
|
||||
|
||||
const size_t mbedtls_test_ca_crt_ec_len = sizeof( mbedtls_test_ca_crt_ec );
|
||||
const size_t mbedtls_test_ca_key_ec_len = sizeof( mbedtls_test_ca_key_ec );
|
||||
const size_t mbedtls_test_ca_pwd_ec_len = sizeof( mbedtls_test_ca_pwd_ec ) - 1;
|
||||
const size_t mbedtls_test_srv_crt_ec_len = sizeof( mbedtls_test_srv_crt_ec );
|
||||
const size_t mbedtls_test_srv_key_ec_len = sizeof( mbedtls_test_srv_key_ec );
|
||||
const size_t mbedtls_test_cli_crt_ec_len = sizeof( mbedtls_test_cli_crt_ec );
|
||||
const size_t mbedtls_test_cli_key_ec_len = sizeof( mbedtls_test_cli_key_ec );
|
||||
#else
|
||||
#define TEST_CA_CRT_EC
|
||||
#endif /* MBEDTLS_ECDSA_C */
|
||||
|
||||
#if defined(MBEDTLS_RSA_C)
|
||||
#define TEST_CA_CRT_RSA \
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
#define TEST_CA_CRT_RSA_SHA1 \
|
||||
"-----BEGIN CERTIFICATE-----\r\n" \
|
||||
"MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
|
||||
"MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
|
||||
|
@ -141,7 +139,34 @@ const size_t mbedtls_test_cli_key_ec_len = sizeof( mbedtls_test_cli_key_ec );
|
|||
"m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ\r\n" \
|
||||
"7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==\r\n" \
|
||||
"-----END CERTIFICATE-----\r\n"
|
||||
const char mbedtls_test_ca_crt_rsa[] = TEST_CA_CRT_RSA;
|
||||
static const char mbedtls_test_ca_crt_rsa_sha1[] = TEST_CA_CRT_RSA_SHA1;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
#define TEST_CA_CRT_RSA_SHA256 \
|
||||
"-----BEGIN CERTIFICATE-----\r\n" \
|
||||
"MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \
|
||||
"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
|
||||
"MTcwNTA0MTY1NzAxWhcNMjcwNTA1MTY1NzAxWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n" \
|
||||
"A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n" \
|
||||
"CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n" \
|
||||
"mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n" \
|
||||
"50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n" \
|
||||
"YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n" \
|
||||
"R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n" \
|
||||
"KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n" \
|
||||
"gZUwgZIwHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/MGMGA1UdIwRcMFqA\r\n" \
|
||||
"FLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UE\r\n" \
|
||||
"CgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQAwDAYDVR0T\r\n" \
|
||||
"BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHK/HHrTZMnnVMpde1io+voAtql7j\r\n" \
|
||||
"4sRhLrjD7o3THtwRbDa2diCvpq0Sq23Ng2LMYoXsOxoL/RQK3iN7UKxV3MKPEr0w\r\n" \
|
||||
"XQS+kKQqiT2bsfrjnWMVHZtUOMpm6FNqcdGm/Rss3vKda2lcKl8kUnq/ylc1+QbB\r\n" \
|
||||
"G6A6tUvQcr2ZyWfVg+mM5XkhTrOOXus2OLikb4WwEtJTJRNE0f+yPODSUz0/vT57\r\n" \
|
||||
"ApH0CnB80bYJshYHPHHymOtleAB8KSYtqm75g/YNobjnjB6cm4HkW3OZRVIl6fYY\r\n" \
|
||||
"n20NRVA1Vjs6GAROr4NqW4k/+LofY9y0LLDE+p0oIEKXIsIvhPr39swxSA==\r\n" \
|
||||
"-----END CERTIFICATE-----\r\n"
|
||||
static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
|
||||
#endif
|
||||
|
||||
const char mbedtls_test_ca_key_rsa[] =
|
||||
"-----BEGIN RSA PRIVATE KEY-----\r\n"
|
||||
|
@ -174,8 +199,10 @@ const char mbedtls_test_ca_key_rsa[] =
|
|||
"wN48lslbHnqqagr6Xm1nNOSVl8C/6kbJEsMpLhAezfRtGwvOucoaE+WbeUNolGde\r\n"
|
||||
"P/eQiddSf0brnpiLJRh7qZrl9XuqYdpUqnoEdMAfotDOID8OtV7gt8a48ad8VPW2\r\n"
|
||||
"-----END RSA PRIVATE KEY-----\r\n";
|
||||
const size_t mbedtls_test_ca_key_rsa_len = sizeof( mbedtls_test_ca_key_rsa );
|
||||
|
||||
const char mbedtls_test_ca_pwd_rsa[] = "PolarSSLTest";
|
||||
const size_t mbedtls_test_ca_pwd_rsa_len = sizeof( mbedtls_test_ca_pwd_rsa ) - 1;
|
||||
|
||||
const char mbedtls_test_srv_crt_rsa[] =
|
||||
"-----BEGIN CERTIFICATE-----\r\n"
|
||||
|
@ -198,6 +225,7 @@ const char mbedtls_test_srv_crt_rsa[] =
|
|||
"RRQfaD8neM9c1S/iJ/amTVqJxA1KOdOS5780WhPfSArA+g4qAmSjelc3p4wWpha8\r\n"
|
||||
"zhuYwjVuX6JHG0c=\r\n"
|
||||
"-----END CERTIFICATE-----\r\n";
|
||||
const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
|
||||
|
||||
const char mbedtls_test_srv_key_rsa[] =
|
||||
"-----BEGIN RSA PRIVATE KEY-----\r\n"
|
||||
|
@ -227,27 +255,29 @@ const char mbedtls_test_srv_key_rsa[] =
|
|||
"4AgahOxIxXx2gxJnq3yfkJfIjwf0s2DyP0kY2y6Ua1OeomPeY9mrIS4tCuDQ6LrE\r\n"
|
||||
"TB6l9VGoxJL4fyHnZb8L5gGvnB1bbD8cL6YPaDiOhcRseC9vBiEuVg==\r\n"
|
||||
"-----END RSA PRIVATE KEY-----\r\n";
|
||||
const size_t mbedtls_test_srv_key_rsa_len = sizeof( mbedtls_test_srv_key_rsa );
|
||||
|
||||
const char mbedtls_test_cli_crt_rsa[] =
|
||||
static const char mbedtls_test_cli_crt_rsa_sha256[] =
|
||||
"-----BEGIN CERTIFICATE-----\r\n"
|
||||
"MIIDPzCCAiegAwIBAgIBBDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n"
|
||||
"MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"
|
||||
"MTEwMjEyMTQ0NDA3WhcNMjEwMjEyMTQ0NDA3WjA8MQswCQYDVQQGEwJOTDERMA8G\r\n"
|
||||
"A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN\r\n"
|
||||
"MIIDhTCCAm2gAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n"
|
||||
"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"
|
||||
"MTcwNTA1MTMwNzU5WhcNMjcwNTA2MTMwNzU5WjA8MQswCQYDVQQGEwJOTDERMA8G\r\n"
|
||||
"A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN\r\n"
|
||||
"BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f\r\n"
|
||||
"M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu\r\n"
|
||||
"1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw\r\n"
|
||||
"MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v\r\n"
|
||||
"4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/\r\n"
|
||||
"/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB\r\n"
|
||||
"o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf\r\n"
|
||||
"BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQUFAAOC\r\n"
|
||||
"AQEAAn86isAM8X+mVwJqeItt6E9slhEQbAofyk+diH1Lh8Y9iLlWQSKbw/UXYjx5\r\n"
|
||||
"LLPZcniovxIcARC/BjyZR9g3UwTHNGNm+rwrqa15viuNOFBchykX/Orsk02EH7NR\r\n"
|
||||
"Alw5WLPorYjED6cdVQgBl9ot93HdJogRiXCxErM7NC8/eP511mjq+uLDjLKH8ZPQ\r\n"
|
||||
"8I4ekHJnroLsDkIwXKGIsvIBHQy2ac/NwHLCQOK6mfum1pRx52V4Utu5dLLjD5bM\r\n"
|
||||
"xOBC7KU4xZKuMXXZM6/93Yb51K/J4ahf1TxJlTWXtnzDr9saEYdNy2SKY/6ZiDNH\r\n"
|
||||
"D+stpAKiQLAWaAusIWKYEyw9MQ==\r\n"
|
||||
"o4GSMIGPMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITBjBgNVHSMEXDBa\r\n"
|
||||
"gBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNV\r\n"
|
||||
"BAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEAMAkGA1Ud\r\n"
|
||||
"EwQCMAAwDQYJKoZIhvcNAQELBQADggEBAC7yO786NvcHpK8UovKIG9cB32oSQQom\r\n"
|
||||
"LoR0eHDRzdqEkoq7yGZufHFiRAAzbMqJfogRtxlrWAeB4y/jGaMBV25IbFOIcH2W\r\n"
|
||||
"iCEaMMbG+VQLKNvuC63kmw/Zewc9ThM6Pa1Hcy0axT0faf1B/U01j0FIcw/6mTfK\r\n"
|
||||
"D8w48OIwc1yr0JtutCVjig5DC0yznGMt32RyseOLcUe+lfq005v2PAiCozr5X8rE\r\n"
|
||||
"ofGZpiM2NqRPePgYy+Vc75Zk28xkRQq1ncprgQb3S4vTsZdScpM9hLf+eMlrgqlj\r\n"
|
||||
"c5PLSkXBeLE5+fedkyfTaLxxQlgCpuoOhKBm04/R1pWNzUHyqagjO9Q=\r\n"
|
||||
"-----END CERTIFICATE-----\r\n";
|
||||
|
||||
const char mbedtls_test_cli_key_rsa[] =
|
||||
|
@ -278,28 +308,32 @@ const char mbedtls_test_cli_key_rsa[] =
|
|||
"bHFVW2r0dBTqegP2/KTOxKzaHfC1qf0RGDsUoJCNJrd1cwoCLG8P2EF4w3OBrKqv\r\n"
|
||||
"8u4ytY0F+Vlanj5lm3TaoHSVF1+NWPyOTiwevIECGKwSxvlki4fDAA==\r\n"
|
||||
"-----END RSA PRIVATE KEY-----\r\n";
|
||||
|
||||
const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
|
||||
const size_t mbedtls_test_ca_key_rsa_len = sizeof( mbedtls_test_ca_key_rsa );
|
||||
const size_t mbedtls_test_ca_pwd_rsa_len = sizeof( mbedtls_test_ca_pwd_rsa ) - 1;
|
||||
const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
|
||||
const size_t mbedtls_test_srv_key_rsa_len = sizeof( mbedtls_test_srv_key_rsa );
|
||||
const size_t mbedtls_test_cli_crt_rsa_len = sizeof( mbedtls_test_cli_crt_rsa );
|
||||
const size_t mbedtls_test_cli_key_rsa_len = sizeof( mbedtls_test_cli_key_rsa );
|
||||
#else
|
||||
#define TEST_CA_CRT_RSA
|
||||
#endif /* MBEDTLS_RSA_C */
|
||||
|
||||
#if defined(MBEDTLS_PEM_PARSE_C)
|
||||
/* Concatenation of all available CA certificates */
|
||||
const char mbedtls_test_cas_pem[] = TEST_CA_CRT_RSA TEST_CA_CRT_EC;
|
||||
const char mbedtls_test_cas_pem[] =
|
||||
#ifdef TEST_CA_CRT_RSA_SHA1
|
||||
TEST_CA_CRT_RSA_SHA1
|
||||
#endif
|
||||
#ifdef TEST_CA_CRT_RSA_SHA256
|
||||
TEST_CA_CRT_RSA_SHA256
|
||||
#endif
|
||||
#ifdef TEST_CA_CRT_EC
|
||||
TEST_CA_CRT_EC
|
||||
#endif
|
||||
"";
|
||||
const size_t mbedtls_test_cas_pem_len = sizeof( mbedtls_test_cas_pem );
|
||||
#endif
|
||||
|
||||
/* List of all available CA certificates */
|
||||
const char * mbedtls_test_cas[] = {
|
||||
#if defined(MBEDTLS_RSA_C)
|
||||
mbedtls_test_ca_crt_rsa,
|
||||
#if defined(TEST_CA_CRT_RSA_SHA1)
|
||||
mbedtls_test_ca_crt_rsa_sha1,
|
||||
#endif
|
||||
#if defined(TEST_CA_CRT_RSA_SHA256)
|
||||
mbedtls_test_ca_crt_rsa_sha256,
|
||||
#endif
|
||||
#if defined(MBEDTLS_ECDSA_C)
|
||||
mbedtls_test_ca_crt_ec,
|
||||
|
@ -307,8 +341,11 @@ const char * mbedtls_test_cas[] = {
|
|||
NULL
|
||||
};
|
||||
const size_t mbedtls_test_cas_len[] = {
|
||||
#if defined(MBEDTLS_RSA_C)
|
||||
sizeof( mbedtls_test_ca_crt_rsa ),
|
||||
#if defined(TEST_CA_CRT_RSA_SHA1)
|
||||
sizeof( mbedtls_test_ca_crt_rsa_sha1 ),
|
||||
#endif
|
||||
#if defined(TEST_CA_CRT_RSA_SHA256)
|
||||
sizeof( mbedtls_test_ca_crt_rsa_sha256 ),
|
||||
#endif
|
||||
#if defined(MBEDTLS_ECDSA_C)
|
||||
sizeof( mbedtls_test_ca_crt_ec ),
|
||||
|
@ -317,19 +354,19 @@ const size_t mbedtls_test_cas_len[] = {
|
|||
};
|
||||
|
||||
#if defined(MBEDTLS_RSA_C)
|
||||
const char *mbedtls_test_ca_crt = mbedtls_test_ca_crt_rsa;
|
||||
const char *mbedtls_test_ca_crt = mbedtls_test_ca_crt_rsa_sha256;
|
||||
const char *mbedtls_test_ca_key = mbedtls_test_ca_key_rsa;
|
||||
const char *mbedtls_test_ca_pwd = mbedtls_test_ca_pwd_rsa;
|
||||
const char *mbedtls_test_srv_crt = mbedtls_test_srv_crt_rsa;
|
||||
const char *mbedtls_test_srv_key = mbedtls_test_srv_key_rsa;
|
||||
const char *mbedtls_test_cli_crt = mbedtls_test_cli_crt_rsa;
|
||||
const char *mbedtls_test_cli_crt = mbedtls_test_cli_crt_rsa_sha256;
|
||||
const char *mbedtls_test_cli_key = mbedtls_test_cli_key_rsa;
|
||||
const size_t mbedtls_test_ca_crt_len = sizeof( mbedtls_test_ca_crt_rsa );
|
||||
const size_t mbedtls_test_ca_crt_len = sizeof( mbedtls_test_ca_crt_rsa_sha256 );
|
||||
const size_t mbedtls_test_ca_key_len = sizeof( mbedtls_test_ca_key_rsa );
|
||||
const size_t mbedtls_test_ca_pwd_len = sizeof( mbedtls_test_ca_pwd_rsa ) - 1;
|
||||
const size_t mbedtls_test_srv_crt_len = sizeof( mbedtls_test_srv_crt_rsa );
|
||||
const size_t mbedtls_test_srv_key_len = sizeof( mbedtls_test_srv_key_rsa );
|
||||
const size_t mbedtls_test_cli_crt_len = sizeof( mbedtls_test_cli_crt_rsa );
|
||||
const size_t mbedtls_test_cli_crt_len = sizeof( mbedtls_test_cli_crt_rsa_sha256 );
|
||||
const size_t mbedtls_test_cli_key_len = sizeof( mbedtls_test_cli_key_rsa );
|
||||
#else /* ! MBEDTLS_RSA_C, so MBEDTLS_ECDSA_C */
|
||||
const char *mbedtls_test_ca_crt = mbedtls_test_ca_crt_ec;
|
||||
|
|
|
@ -2134,8 +2134,8 @@ static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
|
|||
*/
|
||||
if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm "
|
||||
"that was not offered" ) );
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered",
|
||||
*(p)[0] ) );
|
||||
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
|
||||
}
|
||||
|
||||
|
|
|
@ -7162,7 +7162,7 @@ static int ssl_preset_default_hashes[] = {
|
|||
MBEDTLS_MD_SHA256,
|
||||
MBEDTLS_MD_SHA224,
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
|
||||
MBEDTLS_MD_SHA1,
|
||||
#endif
|
||||
MBEDTLS_MD_NONE
|
||||
|
|
|
@ -1035,7 +1035,7 @@ int mbedtls_x509_time_is_future( const mbedtls_x509_time *from )
|
|||
*/
|
||||
int mbedtls_x509_self_test( int verbose )
|
||||
{
|
||||
#if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_SHA1_C)
|
||||
#if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_SHA256_C)
|
||||
int ret;
|
||||
uint32_t flags;
|
||||
mbedtls_x509_crt cacert;
|
||||
|
|
|
@ -85,9 +85,11 @@ static void mbedtls_zeroize( void *v, size_t n ) {
|
|||
*/
|
||||
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
|
||||
{
|
||||
/* Hashes from SHA-1 and above */
|
||||
#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES)
|
||||
/* Allow SHA-1 (weak, but still safe in controlled environments) */
|
||||
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
|
||||
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) |
|
||||
#endif
|
||||
/* Only SHA-2 hashes */
|
||||
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
|
||||
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
|
||||
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
|
||||
|
|
|
@ -87,6 +87,7 @@ int main( void )
|
|||
#define DFL_MIN_VERSION -1
|
||||
#define DFL_MAX_VERSION -1
|
||||
#define DFL_ARC4 -1
|
||||
#define DFL_SHA1 -1
|
||||
#define DFL_AUTH_MODE -1
|
||||
#define DFL_MFL_CODE MBEDTLS_SSL_MAX_FRAG_LEN_NONE
|
||||
#define DFL_TRUNC_HMAC -1
|
||||
|
@ -263,6 +264,7 @@ int main( void )
|
|||
USAGE_DHMLEN \
|
||||
"\n" \
|
||||
" arc4=%%d default: (library default: 0)\n" \
|
||||
" allow_sha1=%%d default: 0\n" \
|
||||
" min_version=%%s default: (library default: tls1)\n" \
|
||||
" max_version=%%s default: (library default: tls1_2)\n" \
|
||||
" force_version=%%s default: \"\" (none)\n" \
|
||||
|
@ -301,6 +303,7 @@ struct options
|
|||
int min_version; /* minimum protocol version accepted */
|
||||
int max_version; /* maximum protocol version accepted */
|
||||
int arc4; /* flag for arc4 suites support */
|
||||
int allow_sha1; /* flag for SHA-1 support */
|
||||
int auth_mode; /* verify mode for connection */
|
||||
unsigned char mfl_code; /* code for maximum fragment length */
|
||||
int trunc_hmac; /* negotiate truncated hmac or not */
|
||||
|
@ -395,6 +398,22 @@ static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *fl
|
|||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
static int ssl_sig_hashes_for_test[] = {
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
MBEDTLS_MD_SHA512,
|
||||
MBEDTLS_MD_SHA384,
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
MBEDTLS_MD_SHA256,
|
||||
MBEDTLS_MD_SHA224,
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
/* Allow SHA-1 as we use it extensively in tests. */
|
||||
MBEDTLS_MD_SHA1,
|
||||
#endif
|
||||
MBEDTLS_MD_NONE
|
||||
};
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
||||
int main( int argc, char *argv[] )
|
||||
|
@ -411,6 +430,9 @@ int main( int argc, char *argv[] )
|
|||
#endif
|
||||
const char *pers = "ssl_client2";
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default;
|
||||
#endif
|
||||
mbedtls_entropy_context entropy;
|
||||
mbedtls_ctr_drbg_context ctr_drbg;
|
||||
mbedtls_ssl_context ssl;
|
||||
|
@ -491,6 +513,7 @@ int main( int argc, char *argv[] )
|
|||
opt.min_version = DFL_MIN_VERSION;
|
||||
opt.max_version = DFL_MAX_VERSION;
|
||||
opt.arc4 = DFL_ARC4;
|
||||
opt.allow_sha1 = DFL_SHA1;
|
||||
opt.auth_mode = DFL_AUTH_MODE;
|
||||
opt.mfl_code = DFL_MFL_CODE;
|
||||
opt.trunc_hmac = DFL_TRUNC_HMAC;
|
||||
|
@ -705,6 +728,15 @@ int main( int argc, char *argv[] )
|
|||
default: goto usage;
|
||||
}
|
||||
}
|
||||
else if( strcmp( p, "allow_sha1" ) == 0 )
|
||||
{
|
||||
switch( atoi( q ) )
|
||||
{
|
||||
case 0: opt.allow_sha1 = 0; break;
|
||||
case 1: opt.allow_sha1 = 1; break;
|
||||
default: goto usage;
|
||||
}
|
||||
}
|
||||
else if( strcmp( p, "force_version" ) == 0 )
|
||||
{
|
||||
if( strcmp( q, "ssl3" ) == 0 )
|
||||
|
@ -1089,9 +1121,18 @@ int main( int argc, char *argv[] )
|
|||
}
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
/* The default algorithms profile disables SHA-1, but our tests still
|
||||
rely on it heavily. */
|
||||
if( opt.allow_sha1 > 0 )
|
||||
{
|
||||
crt_profile_for_test.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 );
|
||||
mbedtls_ssl_conf_cert_profile( &conf, &crt_profile_for_test );
|
||||
mbedtls_ssl_conf_sig_hashes( &conf, ssl_sig_hashes_for_test );
|
||||
}
|
||||
|
||||
if( opt.debug_level > 0 )
|
||||
mbedtls_ssl_conf_verify( &conf, my_verify, NULL );
|
||||
#endif
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
||||
if( opt.auth_mode != DFL_AUTH_MODE )
|
||||
mbedtls_ssl_conf_authmode( &conf, opt.auth_mode );
|
||||
|
|
|
@ -123,6 +123,7 @@ int main( void )
|
|||
#define DFL_MIN_VERSION -1
|
||||
#define DFL_MAX_VERSION -1
|
||||
#define DFL_ARC4 -1
|
||||
#define DFL_SHA1 -1
|
||||
#define DFL_AUTH_MODE -1
|
||||
#define DFL_CERT_REQ_CA_LIST MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED
|
||||
#define DFL_MFL_CODE MBEDTLS_SSL_MAX_FRAG_LEN_NONE
|
||||
|
@ -348,6 +349,7 @@ int main( void )
|
|||
USAGE_ETM \
|
||||
"\n" \
|
||||
" arc4=%%d default: (library default: 0)\n" \
|
||||
" allow_sha1=%%d default: 0\n" \
|
||||
" min_version=%%s default: (library default: tls1)\n" \
|
||||
" max_version=%%s default: (library default: tls1_2)\n" \
|
||||
" force_version=%%s default: \"\" (none)\n" \
|
||||
|
@ -403,6 +405,7 @@ struct options
|
|||
int min_version; /* minimum protocol version accepted */
|
||||
int max_version; /* maximum protocol version accepted */
|
||||
int arc4; /* flag for arc4 suites support */
|
||||
int allow_sha1; /* flag for SHA-1 support */
|
||||
int auth_mode; /* verify mode for connection */
|
||||
int cert_req_ca_list; /* should we send the CA list? */
|
||||
unsigned char mfl_code; /* code for maximum fragment length */
|
||||
|
@ -799,6 +802,24 @@ void term_handler( int sig )
|
|||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
static int ssl_sig_hashes_for_test[] = {
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
MBEDTLS_MD_SHA512,
|
||||
MBEDTLS_MD_SHA384,
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
MBEDTLS_MD_SHA256,
|
||||
MBEDTLS_MD_SHA224,
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
/* Allow SHA-1 as we use it extensively in tests. */
|
||||
MBEDTLS_MD_SHA1,
|
||||
#endif
|
||||
MBEDTLS_MD_NONE
|
||||
};
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
||||
int main( int argc, char *argv[] )
|
||||
{
|
||||
int ret = 0, len, written, frags, exchanges_left;
|
||||
|
@ -816,6 +837,9 @@ int main( int argc, char *argv[] )
|
|||
mbedtls_ssl_cookie_ctx cookie_ctx;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default;
|
||||
#endif
|
||||
mbedtls_entropy_context entropy;
|
||||
mbedtls_ctr_drbg_context ctr_drbg;
|
||||
mbedtls_ssl_context ssl;
|
||||
|
@ -947,6 +971,7 @@ int main( int argc, char *argv[] )
|
|||
opt.min_version = DFL_MIN_VERSION;
|
||||
opt.max_version = DFL_MAX_VERSION;
|
||||
opt.arc4 = DFL_ARC4;
|
||||
opt.allow_sha1 = DFL_SHA1;
|
||||
opt.auth_mode = DFL_AUTH_MODE;
|
||||
opt.cert_req_ca_list = DFL_CERT_REQ_CA_LIST;
|
||||
opt.mfl_code = DFL_MFL_CODE;
|
||||
|
@ -1118,6 +1143,15 @@ int main( int argc, char *argv[] )
|
|||
default: goto usage;
|
||||
}
|
||||
}
|
||||
else if( strcmp( p, "allow_sha1" ) == 0 )
|
||||
{
|
||||
switch( atoi( q ) )
|
||||
{
|
||||
case 0: opt.allow_sha1 = 0; break;
|
||||
case 1: opt.allow_sha1 = 1; break;
|
||||
default: goto usage;
|
||||
}
|
||||
}
|
||||
else if( strcmp( p, "force_version" ) == 0 )
|
||||
{
|
||||
if( strcmp( q, "ssl3" ) == 0 )
|
||||
|
@ -1642,6 +1676,18 @@ int main( int argc, char *argv[] )
|
|||
goto exit;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
/* The default algorithms profile disables SHA-1, but our tests still
|
||||
rely on it heavily. Hence we allow it here. A real-world server
|
||||
should use the default profile unless there is a good reason not to. */
|
||||
if( opt.allow_sha1 > 0 )
|
||||
{
|
||||
crt_profile_for_test.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 );
|
||||
mbedtls_ssl_conf_cert_profile( &conf, &crt_profile_for_test );
|
||||
mbedtls_ssl_conf_sig_hashes( &conf, ssl_sig_hashes_for_test );
|
||||
}
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
||||
if( opt.auth_mode != DFL_AUTH_MODE )
|
||||
mbedtls_ssl_conf_authmode( &conf, opt.auth_mode );
|
||||
|
||||
|
|
|
@ -824,6 +824,11 @@ setup_arguments()
|
|||
else
|
||||
M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none"
|
||||
fi
|
||||
|
||||
# Allow SHA-1. It's disabled by default for security reasons but
|
||||
# our tests still use certificates signed with it.
|
||||
M_SERVER_ARGS="$M_SERVER_ARGS allow_sha1=1"
|
||||
M_CLIENT_ARGS="$M_CLIENT_ARGS allow_sha1=1"
|
||||
;;
|
||||
|
||||
"PSK")
|
||||
|
@ -836,6 +841,11 @@ setup_arguments()
|
|||
M_CLIENT_ARGS="$M_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none"
|
||||
O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70"
|
||||
G_CLIENT_ARGS="$G_CLIENT_ARGS --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70"
|
||||
|
||||
# Allow SHA-1. It's disabled by default for security reasons but
|
||||
# our tests still use certificates signed with it.
|
||||
M_SERVER_ARGS="$M_SERVER_ARGS allow_sha1=1"
|
||||
M_CLIENT_ARGS="$M_CLIENT_ARGS allow_sha1=1"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
|
3
tests/data_files/.gitignore
vendored
Normal file
3
tests/data_files/.gitignore
vendored
Normal file
|
@ -0,0 +1,3 @@
|
|||
cli-rsa.csr
|
||||
server2-rsa.csr
|
||||
test-ca.csr
|
94
tests/data_files/Makefile
Normal file
94
tests/data_files/Makefile
Normal file
|
@ -0,0 +1,94 @@
|
|||
## This file contains a record of how some of the test data was
|
||||
## generated. The final build products are committed to the repository
|
||||
## as well to make sure that the test data is identical. You do not
|
||||
## need to use this makefile unless you're extending mbed TLS's tests.
|
||||
|
||||
## Many data files were generated prior to the existence of this
|
||||
## makefile, so the method of their generation was not recorded.
|
||||
|
||||
## Note that in addition to depending on the version of the data
|
||||
## generation tool, many of the build outputs are randomized, so
|
||||
## running this makefile twice would not produce the same results.
|
||||
|
||||
## Tools
|
||||
OPENSSL ?= openssl
|
||||
|
||||
## Build the generated test data. Note that since the final outputs
|
||||
## are committed to the repository, this target should do nothing on a
|
||||
## fresh checkout. Furthermore, since the generation is randomized,
|
||||
## re-running the same targets may result in differing files. The goal
|
||||
## of this makefile is primarily to serve as a record of how the
|
||||
## targets were generated in the first place.
|
||||
default: all_final
|
||||
|
||||
all_intermediate := # temporary files
|
||||
all_final := # files used by tests
|
||||
|
||||
|
||||
|
||||
################################################################
|
||||
#### Generate certificates from existing keys
|
||||
################################################################
|
||||
|
||||
test_ca_key_file_rsa = test-ca.key
|
||||
test_ca_pwd_rsa = PolarSSLTest
|
||||
test_ca_config_file = test-ca.opensslconf
|
||||
|
||||
test-ca.csr: $(test_ca_key_file_rsa) $(test_ca_config_file)
|
||||
$(OPENSSL) req -new -config $(test_ca_config_file) -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test CA" -out $@
|
||||
all_intermediate += test-ca.csr
|
||||
test-ca-sha1.crt: $(test_ca_key_file_rsa) $(test_ca_config_file) test-ca.csr
|
||||
$(OPENSSL) req -x509 -config $(test_ca_config_file) -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha1 -in test-ca.csr -out $@
|
||||
all_final += test-ca-sha1.crt
|
||||
test-ca-sha256.crt: $(test_ca_key_file_rsa) $(test_ca_config_file) test-ca.csr
|
||||
$(OPENSSL) req -x509 -config $(test_ca_config_file) -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha256 -in test-ca.csr -out $@
|
||||
all_final += test-ca-sha256.crt
|
||||
|
||||
cli_crt_key_file_rsa = cli-rsa.key
|
||||
cli_crt_extensions_file = cli.opensslconf
|
||||
|
||||
cli-rsa.csr: $(cli_crt_key_file_rsa)
|
||||
$(OPENSSL) req -new -key $(cli_crt_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=PolarSSL Client 2" -out $@
|
||||
all_intermediate += cli-rsa.csr
|
||||
cli-rsa-sha1.crt: $(cli_crt_key_file_rsa) test-ca-sha1.crt cli-rsa.csr
|
||||
$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha1.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha1 -in cli-rsa.csr -out $@
|
||||
all_final += cli-rsa-sha1.crt
|
||||
cli-rsa-sha256.crt: $(cli_crt_key_file_rsa) test-ca-sha256.crt cli-rsa.csr
|
||||
$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in cli-rsa.csr -out $@
|
||||
all_final += cli-rsa-sha256.crt
|
||||
|
||||
server2-rsa.csr: server2.key
|
||||
$(OPENSSL) req -new -key server2.key -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=localhost" -out $@
|
||||
all_intermediate += server2-rsa.csr
|
||||
server2-sha256.crt: server2-rsa.csr
|
||||
$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in server2-rsa.csr -out $@
|
||||
all_final += server2-sha256.crt
|
||||
|
||||
|
||||
|
||||
################################################################
|
||||
#### Meta targets
|
||||
################################################################
|
||||
|
||||
all_final: $(all_final)
|
||||
all: $(all_intermediate) $(all_final)
|
||||
|
||||
.PHONY: default all_final all
|
||||
|
||||
# These files should not be committed to the repository.
|
||||
list_intermediate:
|
||||
@printf '%s\n' $(all_intermediate) | sort
|
||||
# These files should be committed to the repository so that the test data is
|
||||
# available upon checkout without running a randomized process depending on
|
||||
# third-party tools.
|
||||
list_final:
|
||||
@printf '%s\n' $(all_final) | sort
|
||||
.PHONY: list_intermediate list_final
|
||||
|
||||
## Remove intermediate files
|
||||
clean:
|
||||
rm -f $(all_intermediate)
|
||||
## Remove all build products, even the ones that are committed
|
||||
neat: clean
|
||||
rm -f $(all_final)
|
||||
.PHONY: clean neat
|
|
@ -6,6 +6,8 @@ Certification authorities
|
|||
There are two main CAs for use as trusted roots:
|
||||
- test-ca.crt aka "C=NL, O=PolarSSL, CN=PolarSSL Test CA"
|
||||
uses a RSA-2048 key
|
||||
test-ca-sha1.crt and test-ca-sha256.crt use the same key, signed with
|
||||
different hashes.
|
||||
- test-ca2*.crt aka "C=NL, O=PolarSSL, CN=Polarssl Test EC CA"
|
||||
uses an EC key with NIST P-384 (aka secp384r1)
|
||||
variants used to test the keyUsage extension
|
||||
|
@ -53,6 +55,8 @@ List of certificates:
|
|||
- cert_md*.crt, cert_sha*.crt: 1 R: signature hash
|
||||
- cert_v1_with_ext.crt: 1 R: v1 with extensions (illegal)
|
||||
- cli2.crt: 2 E: basic
|
||||
- cli-rsa.key, cli-rsa-*.crt: RSA key used for test clients, signed by
|
||||
the RSA test CA.
|
||||
- enco-cert-utf8str.pem: see enco-ca-prstr.pem above
|
||||
- server1*.crt: 1* R C* P1*: misc *(server1-v1 see test-ca-v1.crt above)
|
||||
*CRL for: .cert_type.crt, .crt, .key_usage.crt, .v1.crt
|
||||
|
@ -91,3 +95,13 @@ Signing CA in parentheses (same meaning as certificates).
|
|||
|
||||
Note: crl_future would revoke server9 and cert_sha384.crt if signed by CA 1
|
||||
crl-rsa-pss* would revoke server6.crt if signed by CA 2
|
||||
|
||||
Generation
|
||||
----------
|
||||
|
||||
Newer test files have been generated through commands in the Makefile. The
|
||||
resulting files are committed to the repository so that the tests can
|
||||
run without having to re-do the generation and so that the output is the
|
||||
same for everyone (the generation process is randomized).
|
||||
|
||||
The origin of older certificates has not been recorded.
|
||||
|
|
21
tests/data_files/cli-rsa-sha1.crt
Normal file
21
tests/data_files/cli-rsa-sha1.crt
Normal file
|
@ -0,0 +1,21 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDhTCCAm2gAwIBAgIBBDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
|
||||
MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
|
||||
MTcwNTA1MTMwNzEwWhcNMjcwNTA2MTMwNzEwWjA8MQswCQYDVQQGEwJOTDERMA8G
|
||||
A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN
|
||||
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f
|
||||
M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu
|
||||
1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw
|
||||
MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v
|
||||
4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/
|
||||
/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB
|
||||
o4GSMIGPMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITBjBgNVHSMEXDBa
|
||||
gBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNV
|
||||
BAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEAMAkGA1Ud
|
||||
EwQCMAAwDQYJKoZIhvcNAQEFBQADggEBAE/yq2fOqjI0jm52TwdVsTUvZ+B2s16u
|
||||
C4Qj/c89iZ7VfplpOAEV9+G6gHm/gf2O7Jgj0yXfFugQ2d+lR70cH64JFn9N1Rg9
|
||||
gCo5EDBLourI8R0Kkg9zdlShBv7giwqg667Qjsu+oEWVerICOqNQGolotYSZvmtJ
|
||||
7RiD8I4MXB4Qt0sSjxE897pvc4ODem10zXzvedv/q11q1mUn2L1fFc1dGIguk1fn
|
||||
I/XP87FCapRobUTYrF6IvdqFaUMQ7lF3GiUIvjDPb4Wt1CyHhi/tu/SfV3fmX3rs
|
||||
19UeGnvC7AdQ+OwLt3nEIlSpqVKPXHKfRKZg1WzZNgCQtNB1SrZAzFc=
|
||||
-----END CERTIFICATE-----
|
21
tests/data_files/cli-rsa-sha256.crt
Normal file
21
tests/data_files/cli-rsa-sha256.crt
Normal file
|
@ -0,0 +1,21 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDhTCCAm2gAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
|
||||
MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
|
||||
MTcwNTA1MTMwNzU5WhcNMjcwNTA2MTMwNzU5WjA8MQswCQYDVQQGEwJOTDERMA8G
|
||||
A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN
|
||||
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f
|
||||
M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu
|
||||
1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw
|
||||
MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v
|
||||
4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/
|
||||
/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB
|
||||
o4GSMIGPMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITBjBgNVHSMEXDBa
|
||||
gBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNV
|
||||
BAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEAMAkGA1Ud
|
||||
EwQCMAAwDQYJKoZIhvcNAQELBQADggEBAC7yO786NvcHpK8UovKIG9cB32oSQQom
|
||||
LoR0eHDRzdqEkoq7yGZufHFiRAAzbMqJfogRtxlrWAeB4y/jGaMBV25IbFOIcH2W
|
||||
iCEaMMbG+VQLKNvuC63kmw/Zewc9ThM6Pa1Hcy0axT0faf1B/U01j0FIcw/6mTfK
|
||||
D8w48OIwc1yr0JtutCVjig5DC0yznGMt32RyseOLcUe+lfq005v2PAiCozr5X8rE
|
||||
ofGZpiM2NqRPePgYy+Vc75Zk28xkRQq1ncprgQb3S4vTsZdScpM9hLf+eMlrgqlj
|
||||
c5PLSkXBeLE5+fedkyfTaLxxQlgCpuoOhKBm04/R1pWNzUHyqagjO9Q=
|
||||
-----END CERTIFICATE-----
|
27
tests/data_files/cli-rsa.key
Normal file
27
tests/data_files/cli-rsa.key
Normal file
|
@ -0,0 +1,27 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEpAIBAAKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6fM60Nj4o8VmXl3ETZzGaF
|
||||
B9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu1C93KYRhTYJQj6eVSHD1
|
||||
bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEwMjDV0/YI0FZPRo7yX/k9
|
||||
Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v4Jv4EFbMs44TFeY0BGbH
|
||||
7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx//DZrtenNLQNiTrM9AM+v
|
||||
dqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQABAoIBAGdNtfYDiap6bzst
|
||||
yhCiI8m9TtrhZw4MisaEaN/ll3XSjaOG2dvV6xMZCMV+5TeXDHOAZnY18Yi18vzz
|
||||
4Ut2TnNFzizCECYNaA2fST3WgInnxUkV3YXAyP6CNxJaCmv2aA0yFr2kFVSeaKGt
|
||||
ymvljNp2NVkvm7Th8fBQBO7I7AXhz43k0mR7XmPgewe8ApZOG3hstkOaMvbWAvWA
|
||||
zCZupdDjZYjOJqlA4eEA4H8/w7F83r5CugeBE8LgEREjLPiyejrU5H1fubEY+h0d
|
||||
l5HZBJ68ybTXfQ5U9o/QKA3dd0toBEhhdRUDGzWtjvwkEQfqF1reGWj/tod/gCpf
|
||||
DFi6X0ECgYEA4wOv/pjSC3ty6TuOvKX2rOUiBrLXXv2JSxZnMoMiWI5ipLQt+RYT
|
||||
VPafL/m7Dn6MbwjayOkcZhBwk5CNz5A6Q4lJ64Mq/lqHznRCQQ2Mc1G8eyDF/fYL
|
||||
Ze2pLvwP9VD5jTc2miDfw+MnvJhywRRLcemDFP8k4hQVtm8PMp3ZmNECgYEA4gz7
|
||||
wzObR4gn8ibe617uQPZjWzUj9dUHYd+in1gwBCIrtNnaRn9I9U/Q6tegRYpii4ys
|
||||
c176NmU+umy6XmuSKV5qD9bSpZWG2nLFnslrN15Lm3fhZxoeMNhBaEDTnLT26yoi
|
||||
33gp0mSSWy94ZEqipms+ULF6sY1ZtFW6tpGFoy8CgYAQHhnnvJflIs2ky4q10B60
|
||||
ZcxFp3rtDpkp0JxhFLhiizFrujMtZSjYNm5U7KkgPVHhLELEUvCmOnKTt4ap/vZ0
|
||||
BxJNe1GZH3pW6SAvGDQpl9sG7uu/vTFP+lCxukmzxB0DrrDcvorEkKMom7ZCCRvW
|
||||
KZsZ6YeH2Z81BauRj218kQKBgQCUV/DgKP2985xDTT79N08jUo3hTP5MVYCCuj/+
|
||||
UeEw1TvZcx3LJby7P6Xad6a1/BqveaGyFKIfEFIaBUBItk801sDDpDaYc4gL00Xc
|
||||
7lFuBHOZkxJYlss5QrGpuOEl9ZwUt5IrFLBdYaKqNHzNVC1pCPfb/JyH6Dr2HUxq
|
||||
gxUwAQKBgQCcU6G2L8AG9d9c0UpOyL1tMvFe5Ttw0KjlQVdsh1MP6yigYo9DYuwu
|
||||
bHFVW2r0dBTqegP2/KTOxKzaHfC1qf0RGDsUoJCNJrd1cwoCLG8P2EF4w3OBrKqv
|
||||
8u4ytY0F+Vlanj5lm3TaoHSVF1+NWPyOTiwevIECGKwSxvlki4fDAA==
|
||||
-----END RSA PRIVATE KEY-----
|
4
tests/data_files/cli.opensslconf
Normal file
4
tests/data_files/cli.opensslconf
Normal file
|
@ -0,0 +1,4 @@
|
|||
[cli-rsa]
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
basicConstraints = CA:false
|
34
tests/data_files/print_c.pl
Executable file
34
tests/data_files/print_c.pl
Executable file
|
@ -0,0 +1,34 @@
|
|||
#!/usr/bin/env perl
|
||||
use strict;
|
||||
use warnings;
|
||||
|
||||
if (!@ARGV || $ARGV[0] == '--help') {
|
||||
print <<EOF;
|
||||
Usage: $0 mbedtls_test_foo <file.pem
|
||||
$0 TEST_FOO mbedtls_test_foo <file.pem
|
||||
Print out a PEM file as C code defining a string constant.
|
||||
|
||||
Used to include some of the test data in /library/certs.c for
|
||||
self-tests and sample programs.
|
||||
EOF
|
||||
exit;
|
||||
}
|
||||
|
||||
my $pp_name = @ARGV > 1 ? shift @ARGV : undef;
|
||||
my $name = shift @ARGV;
|
||||
|
||||
my @lines = map {chomp; s/([\\"])/\\$1/g; "\"$_\\r\\n\""} <STDIN>;
|
||||
|
||||
if (defined $pp_name) {
|
||||
foreach ("#define $pp_name", @lines[0..@lines-2]) {
|
||||
printf "%-72s\\\n", $_;
|
||||
}
|
||||
print "$lines[@lines-1]\n";
|
||||
print "const char $name\[\] = $pp_name;\n";
|
||||
} else {
|
||||
print "const char $name\[\] =";
|
||||
foreach (@lines) {
|
||||
print "\n$_";
|
||||
}
|
||||
print ";\n";
|
||||
}
|
21
tests/data_files/server2-sha256.crt
Normal file
21
tests/data_files/server2-sha256.crt
Normal file
|
@ -0,0 +1,21 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDfTCCAmWgAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
|
||||
MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
|
||||
MTcwNTA5MTM1MTA1WhcNMjcwNTEwMTM1MTA1WjA0MQswCQYDVQQGEwJOTDERMA8G
|
||||
A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
|
||||
AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN
|
||||
owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz
|
||||
NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM
|
||||
tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P
|
||||
hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya
|
||||
HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaOBkjCBjzAd
|
||||
BgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwYwYDVR0jBFwwWoAUtFrkpbPe
|
||||
0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh
|
||||
clNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBDQYIBADAJBgNVHRMEAjAAMA0G
|
||||
CSqGSIb3DQEBCwUAA4IBAQAQf85QSjAeP+l6hirPorUL+k/3BznAh/6RXdveBO3K
|
||||
uwtqK5qI59+3N+ZLXP7fr2Z5eO8qpchRgNNwT0LKglAEXGWn30PYI1GKSiqAaK0X
|
||||
CUNIrxV3qKqOLbtqP1dMdiwsmiHYrN8E9UdysObedE2yDNLpTMHPJBZ+k6FowTyZ
|
||||
IpUuabkxMBFxmLv+nOBDOiaCzintEcdJdY4F6p5j8jwMvVNVAXNfxAEwa0MoVRTt
|
||||
/GORvq4ZEfsatVA+HRi602m+dZETTWKSODrj8AuQcG8/i1AOhk3C1WNOFKj/ZSfB
|
||||
2P6EQmhLeRp4bO+3rG73T3R2yn0PZYQ7ZrjFPPKqgu+n
|
||||
-----END CERTIFICATE-----
|
21
tests/data_files/test-ca-sha1.crt
Normal file
21
tests/data_files/test-ca-sha1.crt
Normal file
|
@ -0,0 +1,21 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
|
||||
MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
|
||||
MTcwNTA0MTY1NzAxWhcNMjcwNTA1MTY1NzAxWjA7MQswCQYDVQQGEwJOTDERMA8G
|
||||
A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
|
||||
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
|
||||
mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
|
||||
50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
|
||||
YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
|
||||
R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
|
||||
KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
|
||||
gZUwgZIwHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/MGMGA1UdIwRcMFqA
|
||||
FLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UE
|
||||
CgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQAwDAYDVR0T
|
||||
BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAfDd5khSv/+K3De9qmH/ID3CVapGS
|
||||
EN5MlXS5vvGCjZSA41MuXkUl11akKHXQ9aLlp85OZUdGbfQ5wwCoj/MymbT4fES2
|
||||
1dI8O1oI3PZI/0dqEvQETlIwSoZV2c/oaPRfh2E99v2+8FNIaZOfV2MX1n9+6AdO
|
||||
W2nlK2oklozXSYg6KWtISr8N8Ofew2LQ9+riFlrrdaxsr8CoJqPqMDTq7FUmkDmO
|
||||
oHize/h9bFksIunKoVQHa8P4w/W9bnR69nziyhZotbwOOkAWVnIyEM9QnaKWXeIy
|
||||
rP6ewcTQjNYkguHJ8RY9rW+5bdaSY4EljSqZ3P3F+zo8P6sVi3qSlai5lQ==
|
||||
-----END CERTIFICATE-----
|
21
tests/data_files/test-ca-sha256.crt
Normal file
21
tests/data_files/test-ca-sha256.crt
Normal file
|
@ -0,0 +1,21 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
|
||||
MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
|
||||
MTcwNTA0MTY1NzAxWhcNMjcwNTA1MTY1NzAxWjA7MQswCQYDVQQGEwJOTDERMA8G
|
||||
A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
|
||||
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
|
||||
mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
|
||||
50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
|
||||
YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
|
||||
R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
|
||||
KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
|
||||
gZUwgZIwHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/MGMGA1UdIwRcMFqA
|
||||
FLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UE
|
||||
CgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQAwDAYDVR0T
|
||||
BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHK/HHrTZMnnVMpde1io+voAtql7j
|
||||
4sRhLrjD7o3THtwRbDa2diCvpq0Sq23Ng2LMYoXsOxoL/RQK3iN7UKxV3MKPEr0w
|
||||
XQS+kKQqiT2bsfrjnWMVHZtUOMpm6FNqcdGm/Rss3vKda2lcKl8kUnq/ylc1+QbB
|
||||
G6A6tUvQcr2ZyWfVg+mM5XkhTrOOXus2OLikb4WwEtJTJRNE0f+yPODSUz0/vT57
|
||||
ApH0CnB80bYJshYHPHHymOtleAB8KSYtqm75g/YNobjnjB6cm4HkW3OZRVIl6fYY
|
||||
n20NRVA1Vjs6GAROr4NqW4k/+LofY9y0LLDE+p0oIEKXIsIvhPr39swxSA==
|
||||
-----END CERTIFICATE-----
|
13
tests/data_files/test-ca.opensslconf
Normal file
13
tests/data_files/test-ca.opensslconf
Normal file
|
@ -0,0 +1,13 @@
|
|||
[req]
|
||||
x509_extensions = v3_ca
|
||||
distinguished_name = req_dn
|
||||
|
||||
[req_dn]
|
||||
countryName = NL
|
||||
organizationalUnitName = PolarSSL
|
||||
commonName = PolarSSL Test CA
|
||||
|
||||
[v3_ca]
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
basicConstraints = CA:true
|
|
@ -486,6 +486,15 @@ armc6_build_test "--target=arm-arm-none-eabi -march=armv8.2-a"
|
|||
armc6_build_test "--target=arm-arm-none-eabi -march=armv8-m.main"
|
||||
armc6_build_test "--target=aarch64-arm-none-eabi"
|
||||
|
||||
msg "build: allow SHA1 in certificates by default"
|
||||
cleanup
|
||||
cp "$CONFIG_H" "$CONFIG_BAK"
|
||||
scripts/config.pl set MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
|
||||
CFLAGS='-Werror -Wall -Wextra' make
|
||||
msg "test: allow SHA1 in certificates by default"
|
||||
make test
|
||||
tests/ssl-opt.sh -f SHA-1
|
||||
|
||||
msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s
|
||||
cleanup
|
||||
CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 make lib programs
|
||||
|
|
|
@ -628,6 +628,10 @@ O_CLI="$O_CLI -connect localhost:+SRV_PORT"
|
|||
G_SRV="$G_SRV -p $SRV_PORT"
|
||||
G_CLI="$G_CLI -p +SRV_PORT localhost"
|
||||
|
||||
# Allow SHA-1, because many of our test certificates use it
|
||||
P_SRV="$P_SRV allow_sha1=1"
|
||||
P_CLI="$P_CLI allow_sha1=1"
|
||||
|
||||
# Also pick a unique name for intermediate files
|
||||
SRV_OUT="srv_out.$$"
|
||||
CLI_OUT="cli_out.$$"
|
||||
|
@ -699,6 +703,40 @@ run_test "RC4: both enabled" \
|
|||
-S "SSL - None of the common ciphersuites is usable" \
|
||||
-S "SSL - The server has no ciphersuites in common"
|
||||
|
||||
# Tests for SHA-1 support
|
||||
|
||||
run_test "SHA-1 forbidden by default in server certificate" \
|
||||
"$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
|
||||
"$P_CLI debug_level=2 allow_sha1=0" \
|
||||
1 \
|
||||
-c "The certificate is signed with an unacceptable hash"
|
||||
|
||||
run_test "SHA-1 explicitly allowed in server certificate" \
|
||||
"$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
|
||||
"$P_CLI allow_sha1=1" \
|
||||
0
|
||||
|
||||
run_test "SHA-256 allowed by default in server certificate" \
|
||||
"$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
|
||||
"$P_CLI allow_sha1=0" \
|
||||
0
|
||||
|
||||
run_test "SHA-1 forbidden by default in client certificate" \
|
||||
"$P_SRV auth_mode=required allow_sha1=0" \
|
||||
"$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
|
||||
1 \
|
||||
-s "The certificate is signed with an unacceptable hash"
|
||||
|
||||
run_test "SHA-1 explicitly allowed in client certificate" \
|
||||
"$P_SRV auth_mode=required allow_sha1=1" \
|
||||
"$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
|
||||
0
|
||||
|
||||
run_test "SHA-256 allowed by default in client certificate" \
|
||||
"$P_SRV auth_mode=required allow_sha1=0" \
|
||||
"$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
|
||||
0
|
||||
|
||||
# Tests for Truncated HMAC extension
|
||||
|
||||
run_test "Truncated HMAC: client default, server default" \
|
||||
|
@ -2870,12 +2908,19 @@ run_test "Per-version suites: TLS 1.2" \
|
|||
# Test for ClientHello without extensions
|
||||
|
||||
requires_gnutls
|
||||
run_test "ClientHello without extensions" \
|
||||
run_test "ClientHello without extensions, SHA-1 allowed" \
|
||||
"$P_SRV debug_level=3" \
|
||||
"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
|
||||
0 \
|
||||
-s "dumping 'client hello extensions' (0 bytes)"
|
||||
|
||||
requires_gnutls
|
||||
run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
|
||||
"$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
|
||||
"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
|
||||
0 \
|
||||
-s "dumping 'client hello extensions' (0 bytes)"
|
||||
|
||||
# Tests for mbedtls_ssl_get_bytes_avail()
|
||||
|
||||
run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
|
||||
|
|
|
@ -357,375 +357,383 @@ mbedtls_x509_time_is_future:"data_files/test-ca2.crt":"valid_to":1
|
|||
|
||||
X509 Certificate verification #1 (Revoked Cert, Expired CRL, no CN)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED:"NULL"
|
||||
x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #1a (Revoked Cert, Future CRL, no CN)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"NULL"
|
||||
x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #2 (Revoked Cert, Expired CRL)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Server 1":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED:"NULL"
|
||||
x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Server 1":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #2a (Revoked Cert, Future CRL)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"localhost":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"NULL"
|
||||
x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"localhost":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #3 (Revoked Cert, Future CRL, CN Mismatch)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"NULL"
|
||||
x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #3a (Revoked Cert, Expired CRL, CN Mismatch)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE | MBEDTLS_X509_BADCERT_CN_MISMATCH:"NULL"
|
||||
x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #4 (Valid Cert, Expired CRL)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/server2.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_EXPIRED:"NULL"
|
||||
x509_verify:"data_files/server2.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #4a (Revoked Cert, Future CRL)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_FUTURE:"NULL"
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #5 (Revoked Cert)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"NULL"
|
||||
x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #6 (Revoked Cert)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Server 1":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"NULL"
|
||||
x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Server 1":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #7 (Revoked Cert, CN Mismatch)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"NULL"
|
||||
x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #8 (Valid Cert)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #8a (Expired Cert)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server5-expired.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"NULL"
|
||||
x509_verify:"data_files/server5-expired.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #8b (Future Cert)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server5-future.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"NULL"
|
||||
x509_verify:"data_files/server5-future.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #9 (Not trusted Cert)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
|
||||
x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #10 (Not trusted Cert, Expired CRL)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
|
||||
x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #12 (Valid Cert MD4 Digest)
|
||||
depends_on:MBEDTLS_MD4_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/cert_md4.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD:"NULL"
|
||||
x509_verify:"data_files/cert_md4.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #13 (Valid Cert MD5 Digest)
|
||||
depends_on:MBEDTLS_MD5_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/cert_md5.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD:"NULL"
|
||||
x509_verify:"data_files/cert_md5.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #14 (Valid Cert SHA1 Digest)
|
||||
X509 Certificate verification #14 (Valid Cert SHA1 Digest explicitly allowed in profile)
|
||||
depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #14 (Valid Cert SHA1 Digest allowed in compile-time default profile)
|
||||
depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
|
||||
x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"default":"NULL"
|
||||
|
||||
X509 Certificate verification #14 (Valid Cert SHA1 Digest forbidden in default profile)
|
||||
depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
|
||||
x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_BAD_MD | MBEDTLS_X509_BADCERT_BAD_MD:"default":"NULL"
|
||||
|
||||
X509 Certificate verification #15 (Valid Cert SHA224 Digest)
|
||||
depends_on:MBEDTLS_SHA256_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/cert_sha224.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/cert_sha224.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #16 (Valid Cert SHA256 Digest)
|
||||
depends_on:MBEDTLS_SHA256_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/cert_sha256.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/cert_sha256.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #17 (Valid Cert SHA384 Digest)
|
||||
depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/cert_sha384.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/cert_sha384.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #18 (Valid Cert SHA512 Digest)
|
||||
depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #19 (Valid Cert, denying callback)
|
||||
depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_OTHER:"verify_none"
|
||||
x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_OTHER:"compat":"verify_none"
|
||||
|
||||
X509 Certificate verification #19 (Not trusted Cert, allowing callback)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":0:0:"verify_all"
|
||||
x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":0:0:"compat":"verify_all"
|
||||
|
||||
X509 Certificate verification #21 (domain matching wildcard certificate, case insensitive)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.ExAmPlE.com":0:0:"NULL"
|
||||
x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.ExAmPlE.com":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #22 (domain not matching wildcard certificate)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"NULL"
|
||||
x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #23 (domain not matching wildcard certificate)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"NULL"
|
||||
x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #24 (domain matching CN of multi certificate)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"NULL"
|
||||
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #25 (domain matching multi certificate)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.net":0:0:"NULL"
|
||||
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.net":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #26 (domain not matching multi certificate)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"NULL"
|
||||
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #27 (domain not matching multi certificate)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"xample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"NULL"
|
||||
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"xample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #27 (domain not matching multi certificate)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"bexample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"NULL"
|
||||
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"bexample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #28 (domain not matching wildcard in multi certificate)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.org":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"NULL"
|
||||
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.org":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #29 (domain matching wildcard in multi certificate)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.org":0:0:"NULL"
|
||||
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.org":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #30 (domain matching multi certificate without CN)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.shotokan-braunschweig.de":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
|
||||
x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.shotokan-braunschweig.de":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #31 (domain not matching multi certificate without CN)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH + MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
|
||||
x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH + MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #32 (Valid, EC cert, RSA CA)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server3.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server3.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #33 (Valid, RSA cert, EC CA)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
||||
x509_verify:"data_files/server4.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server4.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #34 (Valid, EC cert, EC CA)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #35 (Revoked, EC CA)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
||||
x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"NULL"
|
||||
x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #36 (Valid, EC CA, SHA1 Digest)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server5-sha1.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server5-sha1.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #37 (Valid, EC CA, SHA224 Digest)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
||||
x509_verify:"data_files/server5-sha224.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server5-sha224.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #38 (Valid, EC CA, SHA384 Digest)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_SHA256_C:MBEDTLS_SHA512_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
||||
x509_verify:"data_files/server5-sha384.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server5-sha384.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #39 (Valid, EC CA, SHA512 Digest)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_SHA256_C:MBEDTLS_SHA512_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
||||
x509_verify:"data_files/server5-sha512.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server5-sha512.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #40 (Valid, depth 0, RSA, CA)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/test-ca.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/test-ca.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #41 (Valid, depth 0, EC, CA)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
|
||||
x509_verify:"data_files/test-ca2.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/test-ca2.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #42 (Depth 0, not CA, RSA)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server2.crt":"data_files/server2.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
|
||||
x509_verify:"data_files/server2.crt":"data_files/server2.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #43 (Depth 0, not CA, EC)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
|
||||
x509_verify:"data_files/server5.crt":"data_files/server5.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
|
||||
x509_verify:"data_files/server5.crt":"data_files/server5.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #44 (Corrupted signature, EC)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
|
||||
x509_verify:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
|
||||
x509_verify:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #45 (Corrupted signature, RSA)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server2-badsign.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
|
||||
x509_verify:"data_files/server2-badsign.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #46 (Valid, depth 2, EC-RSA-EC)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C
|
||||
x509_verify:"data_files/server7_int-ca.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server7_int-ca.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #47 (Untrusted, depth 2, EC-RSA-EC)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
|
||||
x509_verify:"data_files/server7_int-ca.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
|
||||
x509_verify:"data_files/server7_int-ca.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #48 (Missing intermediate CA, EC-RSA-EC)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
|
||||
x509_verify:"data_files/server7.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
|
||||
x509_verify:"data_files/server7.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #49 (Valid, depth 2, RSA-EC-RSA)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server8_int-ca2.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server8_int-ca2.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #50 (Valid, multiple CAs)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
|
||||
x509_verify:"data_files/server2.crt":"data_files/test-ca_cat12.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server2.crt":"data_files/test-ca_cat12.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #51 (Valid, multiple CAs, reverse order)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
|
||||
x509_verify:"data_files/server2.crt":"data_files/test-ca_cat21.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server2.crt":"data_files/test-ca_cat21.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #52 (CA keyUsage valid)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt_crl.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt_crl.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #53 (CA keyUsage missing cRLSign)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_X509_CHECK_KEY_USAGE:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_NOT_TRUSTED:"NULL"
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_NOT_TRUSTED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #54 (CA keyUsage missing cRLSign, no CRL)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #55 (CA keyUsage missing keyCertSign)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_X509_CHECK_KEY_USAGE:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crl.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crl.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #56 (CA keyUsage plain wrong)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_X509_CHECK_KEY_USAGE:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-ds.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-ds.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #57 (Valid, RSASSA-PSS, SHA-1)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #58 (Valid, RSASSA-PSS, SHA-224)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server9-sha224.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha224.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server9-sha224.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha224.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #59 (Valid, RSASSA-PSS, SHA-256)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server9-sha256.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha256.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server9-sha256.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha256.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #60 (Valid, RSASSA-PSS, SHA-384)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA512_C:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server9-sha384.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha384.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server9-sha384.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha384.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #61 (Valid, RSASSA-PSS, SHA-512)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA512_C:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server9-sha512.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha512.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server9-sha512.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha512.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #62 (Revoked, RSASSA-PSS, SHA-1)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"NULL"
|
||||
x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #63 (Revoked, RSASSA-PSS, SHA-1, CRL badsign)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1-badsign.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_NOT_TRUSTED:"NULL"
|
||||
x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1-badsign.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_NOT_TRUSTED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #64 (Valid, RSASSA-PSS, SHA-1, not top)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server9-with-ca.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server9-with-ca.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #65 (RSASSA-PSS, SHA1, bad cert signature)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server9-badsign.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
|
||||
x509_verify:"data_files/server9-badsign.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #66 (RSASSA-PSS, SHA1, no RSA CA)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
|
||||
x509_verify:"data_files/server9.crt":"data_files/test-ca2.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
|
||||
x509_verify:"data_files/server9.crt":"data_files/test-ca2.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #67 (Valid, RSASSA-PSS, all defaults)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server9-defaults.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server9-defaults.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #68 (RSASSA-PSS, wrong salt_len)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server9-bad-saltlen.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
|
||||
x509_verify:"data_files/server9-bad-saltlen.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #69 (RSASSA-PSS, wrong mgf_hash)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server9-bad-mgfhash.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
|
||||
x509_verify:"data_files/server9-bad-mgfhash.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #70 (v1 trusted CA)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server1-v1.crt":"data_files/test-ca-v1.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server1-v1.crt":"data_files/test-ca-v1.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #71 (v1 trusted CA, other)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server2-v1.crt":"data_files/server1-v1.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server2-v1.crt":"data_files/server1-v1.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #72 (v1 chain)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server2-v1-chain.crt":"data_files/test-ca-v1.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
|
||||
x509_verify:"data_files/server2-v1-chain.crt":"data_files/test-ca-v1.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #73 (selfsigned trusted without CA bit)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #74 (signed by selfsigned trusted without CA bit)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server6-ss-child.crt":"data_files/server5-selfsigned.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
|
||||
x509_verify:"data_files/server6-ss-child.crt":"data_files/server5-selfsigned.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #75 (encoding mismatch)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/enco-cert-utf8str.pem":"data_files/enco-ca-prstr.pem":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/enco-cert-utf8str.pem":"data_files/enco-ca-prstr.pem":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #76 (multiple CRLs, not revoked)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ec-rsa.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ec-rsa.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #77 (multiple CRLs, revoked)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ec-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"NULL"
|
||||
x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ec-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #78 (multiple CRLs, revoked by second)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_rsa-ec.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"NULL"
|
||||
x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_rsa-ec.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #79 (multiple CRLs, revoked by future)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ecfut-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED|MBEDTLS_X509_BADCRL_FUTURE:"NULL"
|
||||
x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ecfut-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED|MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #80 (multiple CRLs, first future, revoked by second)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/server1.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ecfut-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"NULL"
|
||||
x509_verify:"data_files/server1.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ecfut-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #81 (multiple CRLs, none relevant)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
|
||||
x509_verify:"data_files/enco-cert-utf8str.pem":"data_files/enco-ca-prstr.pem":"data_files/crl_cat_rsa-ec.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/enco-cert-utf8str.pem":"data_files/enco-ca-prstr.pem":"data_files/crl_cat_rsa-ec.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #82 (Not yet valid CA and valid CA)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-future-present.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-future-present.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #83 (valid CA and Not yet valid CA)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-present-future.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-present-future.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #84 (valid CA and Not yet valid CA)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-present-past.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-present-past.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #85 (Not yet valid CA and valid CA)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-past-present.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-past-present.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #86 (Not yet valid CA and invalid CA)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-future-invalid.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"NULL"
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-future-invalid.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification #87 (Expired CA and invalid CA)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-past-invalid.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"NULL"
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-past-invalid.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"compat":"NULL"
|
||||
|
||||
X509 Certificate verification callback: trusted EE cert
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
||||
|
|
|
@ -7,6 +7,8 @@
|
|||
#include "mbedtls/oid.h"
|
||||
#include "mbedtls/base64.h"
|
||||
|
||||
/* Profile for backward compatibility. Allows SHA-1, unlike the default
|
||||
profile. */
|
||||
const mbedtls_x509_crt_profile compat_profile =
|
||||
{
|
||||
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
|
||||
|
@ -221,6 +223,7 @@ void x509_verify_info( int flags, char *prefix, char *result_str )
|
|||
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C */
|
||||
void x509_verify( char *crt_file, char *ca_file, char *crl_file,
|
||||
char *cn_name_str, int result, int flags_result,
|
||||
char *profile_str,
|
||||
char *verify_callback )
|
||||
{
|
||||
mbedtls_x509_crt crt;
|
||||
|
@ -230,6 +233,7 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file,
|
|||
int res;
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) = NULL;
|
||||
char * cn_name = NULL;
|
||||
const mbedtls_x509_crt_profile *profile;
|
||||
|
||||
mbedtls_x509_crt_init( &crt );
|
||||
mbedtls_x509_crt_init( &ca );
|
||||
|
@ -238,6 +242,13 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file,
|
|||
if( strcmp( cn_name_str, "NULL" ) != 0 )
|
||||
cn_name = cn_name_str;
|
||||
|
||||
if( strcmp( profile_str, "default" ) == 0 )
|
||||
profile = &mbedtls_x509_crt_profile_default;
|
||||
else if( strcmp( profile_str, "compat" ) == 0 )
|
||||
profile = &compat_profile;
|
||||
else
|
||||
TEST_ASSERT( "Unknown algorithm profile" == 0 );
|
||||
|
||||
if( strcmp( verify_callback, "NULL" ) == 0 )
|
||||
f_vrfy = NULL;
|
||||
else if( strcmp( verify_callback, "verify_none" ) == 0 )
|
||||
|
@ -251,7 +262,7 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file,
|
|||
TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 );
|
||||
TEST_ASSERT( mbedtls_x509_crl_parse_file( &crl, crl_file ) == 0 );
|
||||
|
||||
res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, &compat_profile, cn_name, &flags, f_vrfy, NULL );
|
||||
res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, profile, cn_name, &flags, f_vrfy, NULL );
|
||||
|
||||
TEST_ASSERT( res == ( result ) );
|
||||
TEST_ASSERT( flags == (uint32_t)( flags_result ) );
|
||||
|
@ -280,8 +291,10 @@ void x509_verify_callback( char *crt_file, char *ca_file,
|
|||
TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 );
|
||||
TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 );
|
||||
|
||||
ret = mbedtls_x509_crt_verify( &crt, &ca, NULL, NULL, &flags,
|
||||
verify_print, &vrfy_ctx );
|
||||
ret = mbedtls_x509_crt_verify_with_profile( &crt, &ca, NULL,
|
||||
&compat_profile,
|
||||
NULL, &flags,
|
||||
verify_print, &vrfy_ctx );
|
||||
|
||||
TEST_ASSERT( ret == exp_ret );
|
||||
TEST_ASSERT( strcmp( vrfy_ctx.buf, exp_vrfy_out ) == 0 );
|
||||
|
|
Loading…
Reference in a new issue