From 1969f6a453300ab9cb3f46f58acc014ef083c08a Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Tue, 18 Apr 2023 08:38:16 +0200
Subject: [PATCH] Test optional fields in authorityKeyId

Signed-off-by: Przemek Stekiel
---
 tests/data_files/Makefile | 11 +++-
 tests/data_files/authorityKeyId_empty.crt.der | Bin 0 -> 412 bytes
 .../authorityKeyId_no_issuer_serial.crt.der | Bin 0 -> 412 bytes
 .../authorityKeyId_no_keyid.crt.der | Bin 0 -> 512 bytes
 .../authorityKeyId_subjectKeyId.conf | 7 +++
 tests/suites/test_suite_x509parse.data | 12 +++++
 tests/suites/test_suite_x509parse.function | 47 +++++++++++-------
 7 files changed, 57 insertions(+), 20 deletions(-)
 create mode 100644 tests/data_files/authorityKeyId_empty.crt.der
 create mode 100644 tests/data_files/authorityKeyId_no_issuer_serial.crt.der
 create mode 100644 tests/data_files/authorityKeyId_no_keyid.crt.der

diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index 702aefb6d..461ad8bc9 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -551,7 +551,16 @@ crl_cat_rsa-ec.pem:crl.pem crl-ec-sha256.pem
 all_final += crl_cat_ec-rsa.pem crl_cat_rsa-ec.pem
 
 authorityKeyId_subjectKeyId.crt.der:
-	$(OPENSSL) req -x509 -nodes -days 7300 -key server5.key -outform DER -out authorityKeyId_subjectKeyId.crt.der -config authorityKeyId_subjectKeyId.conf -extensions 'v3_req'
+	$(OPENSSL) req -x509 -nodes -days 7300 -key server5.key -outform DER -out $@ -config authorityKeyId_subjectKeyId.conf -extensions 'v3_req'
+
+authorityKeyId_no_keyid.crt.der:
+	$(OPENSSL) req -x509 -nodes -days 7300 -key server5.key -outform DER -out $@ -config authorityKeyId_subjectKeyId.conf -extensions 'v3_req_authorityKeyId_no_keyid'
+
+authorityKeyId_no_issuer_serial.crt.der:
+	$(OPENSSL) req -x509 -nodes -days 7300 -key server5.key -outform DER -out $@ -config authorityKeyId_subjectKeyId.conf -extensions 'v3_req_authorityKeyId_no_issuer_serial'
+
+authorityKeyId_empty.crt.der:
+	$(OPENSSL) req -x509 -nodes -days 7300 -key server5.key -outform DER -out $@ -config authorityKeyId_subjectKeyId.conf -extensions 'v3_req_authorityKeyId_empty'
 
 authorityKeyId_subjectKeyId_tag_malformed.crt.der: authorityKeyId_subjectKeyId.crt.der
 	hexdump -ve '1/1 "%.2X"' $< | sed "s/04145061A58FD407D9D782010CE5657F8C6346A713BE/01145061A58FD407D9D782010CE5657F8C6346A713BE/" | xxd -r -p > $@
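Review bot: The three new targets, like the rewritten `authorityKeyId_subjectKeyId.crt.der` recipe above them, declare no prerequisites, so make never considers the fixtures stale when `server5.key` or `authorityKeyId_subjectKeyId.conf` changes — and this same commit edits that .conf. Listing them, e.g. `authorityKeyId_no_keyid.crt.der: server5.key authorityKeyId_subjectKeyId.conf`, and likewise for `authorityKeyId_no_issuer_serial.crt.der` and `authorityKeyId_empty.crt.der`, ties each committed .der to the inputs it was generated from. The hunk also does not add the new files to an `all_final +=` line, so whether the aggregate target regenerates them depends on a line outside this hunk.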
diff --git a/tests/data_files/authorityKeyId_empty.crt.der b/tests/data_files/authorityKeyId_empty.crt.der new file mode 100644 index 0000000000000000000000000000000000000000..8ddf78d9fc07b3ae28095a3d3b669b788bbb3051 GIT binary patch literal 412 zcmXqLVw_>n#Av^OnTe5!Nkr7#?ea!Lk~V&)Nm2`Pl67MCbEI~vG| z^BNf&m>60Zm>HNGm_~{7nt-^*P%dSLM;ZvTv4h>o#0YgTGb1~*69bF+nXsE>oN`e` zcE=-i|10FZtNF<`vE;&9k*(h|lp>QR`8{R0p)C0SmHs7@*jTZ>T^)zA%Xvf3c4_hb zVmz_s?f=D!2J!~7Ku^i?v52vV1SBr)zrud=dJ`kh)71K&WVhwQ`;fzk*`2|_g-Jnw z;rHit8<{tYT=_D`Uck0^i^)cfH-Bve722O|Sn#Av^OnTe5!NyPh#^gRF2)xA>%eYZ=0IIi{SrbLGU7aNCGo5wj@7G@>` zYeQ}WPB!LH7B*ofKOaLu1AY*Pn};JHKPRy$IM~Nf(m)&}#LOcA6H*9CEiO@Tb~KO^ z=QT1mFfp_+Ff%YSHHs4FH34yrp> z?2bq3{#VF*SM!r?V#$TIB3r*_C`Bes@_Wi~Ls{_uEB#9*v9V%%yE+bKm-B|6?b71= z#du=N+y9Fd4de}Efu54(V-aH!2}oSpe}(<#^(IE1r>XTl$!^Pq_aTQ7vpa)<3zI_N z_x%S~aA@;~Ig0OGu;I63%r6c@=YOgG=j@H_45V+lF)0|AezZFIF8ZkU+zS=%>V!Z literal 0 HcmV?d00001 diff --git a/tests/data_files/authorityKeyId_no_keyid.crt.der b/tests/data_files/authorityKeyId_no_keyid.crt.der new file mode 100644 index 0000000000000000000000000000000000000000..952f7b026900cd4caf0a1b168705bf6f96625885 GIT binary patch literal 512 zcmXqLV*F#!#JG3?GZP~dlStqJMmN>jvCAIHo!d}xWx}FqyC1$a;9}#@YV$Z}%fifL zU~R~4z{$oO%EBhhf2DuPBsNxTZ&$~m>~h}Fvt3$z zzZg$!dHa8HV~as!qk$~YTe5sCVk{y7iA(#hu;0Ai#K`kBwZ13WZMpD1g9MPYGE1aE z_(J<7wiNlLiC{c1yE7QLFezxv5{llCwMFROk7qXFKep@=^6{H>|FDF6@D=VV^f_UfAsyCgx0LE6L^#A|> literal 0 HcmV?d00001 diff --git a/tests/data_files/authorityKeyId_subjectKeyId.conf b/tests/data_files/authorityKeyId_subjectKeyId.conf index 208082d20..7237724c1 100644 --- a/tests/data_files/authorityKeyId_subjectKeyId.conf +++ b/tests/data_files/authorityKeyId_subjectKeyId.conf 
@@ -9,3 +9,10 @@ commonName = PolarSSL Test CA
 [v3_req]
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always
+[v3_req_authorityKeyId_no_keyid]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = issuer:always
+[v3_req_authorityKeyId_no_issuer_serial]
+subjectKeyIdentifier = hash
+[v3_req_authorityKeyId_empty]
+subjectKeyIdentifier = hash
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index d73476a88..a46e47d7b 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -3313,6 +3313,18 @@ X509 CRT parse Authority Key Id - Correct Authority Key ID
 depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
 x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_subjectKeyId.crt.der":"5061A58FD407D9D782010CE5657F8C6346A713BE":"NL/PolarSSL/PolarSSL Test CA/":"3960EFDE5674DE1F7B761699CF8E5C024E209452":0
 
+X509 CRT parse Authority Key Id - Correct Authority Key ID (no keyid)
+depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
+x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_no_keyid.crt.der":"":"NL/PolarSSL/PolarSSL Test CA/":"51C00146259B5DA6E11ECEB078D490A296BBE1ED":0
+
+X509 CRT parse Authority Key Id - Correct Authority Key ID (no issuer and serial)
+depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
+x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_no_issuer_serial.crt.der":"5061A58FD407D9D782010CE5657F8C6346A713BE":"":"":0
+
+X509 CRT parse Authority Key Id - Correct Authority Key ID (empty)
+depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
+x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_empty.crt.der":"":"":"":0
+
 X509 CRT parse Authority Key Id - Wrong Length
 depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
 x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_subjectKeyId_length_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
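Review bot: The new `[v3_req_authorityKeyId_no_issuer_serial]` section is identical to `[v3_req_authorityKeyId_empty]` — neither sets `authorityKeyIdentifier` — yet the vectors added to test_suite_x509parse.data in the same patch expect `authorityKeyId_no_issuer_serial.crt.der` to carry keyid 5061A58F…A713BE and `authorityKeyId_empty.crt.der` to carry nothing. Whichever way the certificates come out, that difference cannot be produced by this config file; it would rest on whether the OpenSSL build used for `req -x509` adds a keyid by default, and the diffstat showing both new .der files at 412 bytes suggests they were in fact generated identically. The section name says what was intended: `authorityKeyIdentifier = keyid:always` under `[v3_req_authorityKeyId_no_issuer_serial]`, which yields a keyid with no issuer/serial. If the generator does add the extension unasked, the empty section would need it disabled explicitly (OpenSSL 3.x accepts `authorityKeyIdentifier = none` for that); either way the committed fixtures deserve a look with `openssl x509 -text` before the vectors are trusted.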
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 89155e958..71ab32cbd 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -1595,34 +1595,43 @@ void x509_crt_parse_authoritykeyid(char *file,
     if (ref_ret == 0) {
         /* KeyId test */
-        TEST_ASSERT(crt.authority_key_id.keyIdentifier.tag == MBEDTLS_ASN1_OCTET_STRING);
-        TEST_ASSERT(memcmp(crt.authority_key_id.keyIdentifier.p, keyId->x, keyId->len) == 0);
-        TEST_ASSERT(crt.authority_key_id.keyIdentifier.len == keyId->len);
+        if (crt.authority_key_id.keyIdentifier.len > 0)
+        {
+            TEST_ASSERT(crt.authority_key_id.keyIdentifier.tag == MBEDTLS_ASN1_OCTET_STRING);
+            TEST_ASSERT(memcmp(crt.authority_key_id.keyIdentifier.p, keyId->x, keyId->len) == 0);
+            TEST_ASSERT(crt.authority_key_id.keyIdentifier.len == keyId->len);
+        }
 
         /* Issuer test */
-        mbedtls_x509_sequence *issuerPtr = &crt.authority_key_id.authorityCertIssuer;
+        if (crt.authority_key_id.authorityCertIssuer.buf.len > 0)
+        {
+            mbedtls_x509_sequence *issuerPtr = &crt.authority_key_id.authorityCertIssuer;
 
-        TEST_ASSERT(mbedtls_x509_parse_subject_alt_name(&issuerPtr->buf, &san) == 0);
+            TEST_ASSERT(mbedtls_x509_parse_subject_alt_name(&issuerPtr->buf, &san) == 0);
 
-        pname = &san.san.directory_name;
+            pname = &san.san.directory_name;
 
-        while (pname != NULL) {
-            for (issuerCounter = 0; issuerCounter < pname->val.len; issuerCounter++) {
-                result |=
-                    (authorityKeyId_issuer[bufferCounter++] != pname->val.p[issuerCounter]);
+            while (pname != NULL) {
+                for (issuerCounter = 0; issuerCounter < pname->val.len; issuerCounter++) {
+                    result |=
+                        (authorityKeyId_issuer[bufferCounter++] != pname->val.p[issuerCounter]);
+                }
+                bufferCounter++; /* Skipping the slash */
+                pname = pname->next;
             }
-            bufferCounter++; /* Skipping the slash */
-            pname = pname->next;
+            mbedtls_x509_free_subject_alt_name(&san);
+            TEST_ASSERT(result == 0);
         }
-        mbedtls_x509_free_subject_alt_name(&san);
-        TEST_ASSERT(result == 0);
 
         /* Serial test */
-        TEST_ASSERT(crt.authority_key_id.authorityCertSerialNumber.tag ==
-                    MBEDTLS_ASN1_INTEGER);
-        TEST_ASSERT(memcmp(crt.authority_key_id.authorityCertSerialNumber.p,
-                           serial->x, serial->len) == 0);
-        TEST_ASSERT(crt.authority_key_id.authorityCertSerialNumber.len == serial->len);
+        if (crt.authority_key_id.authorityCertSerialNumber.len > 0)
+        {
+            TEST_ASSERT(crt.authority_key_id.authorityCertSerialNumber.tag ==
+                        MBEDTLS_ASN1_INTEGER);
+            TEST_ASSERT(memcmp(crt.authority_key_id.authorityCertSerialNumber.p,
+                               serial->x, serial->len) == 0);
+            TEST_ASSERT(crt.authority_key_id.authorityCertSerialNumber.len == serial->len);
+        }
     } else {
         TEST_ASSERT(crt.authority_key_id.keyIdentifier.tag == 0);