Add support for certificate policies extension
Add support for certificate policies, as defined in RFC 5280. Currently only the `anyPolicy` policy is supported.
parent
b2dc3fa72e
commit
74d9acc144
13 changed files with 405 additions and 0 deletions
|
@ -78,6 +78,8 @@ typedef struct mbedtls_x509_crt
|
|||
mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */
|
||||
mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName and OtherName supported). */
|
||||
|
||||
mbedtls_x509_sequence certificate_policies; /**< Optional list of certificate4 policies (Only anyPolicy supported). */
|
||||
|
||||
int ext_types; /**< Bit string containing detected and parsed extensions */
|
||||
int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
|
||||
int max_pathlen; /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */
|
||||
|
|
|
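Review bot: The Doxygen comment on the new `certificate_policies` member has a typo, `certificate4 policies`; it should read `/**< Optional list of certificate policies (Only anyPolicy supported). */`. It would also help readers to state that each entry holds the raw policyIdentifier OID and that policy qualifiers are not retained, since the parser added in this commit skips them. The enclosing `typedef struct mbedtls_x509_crt` starts and ends outside the hunk.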
@ -690,6 +690,139 @@ static int x509_get_subject_alt_name( unsigned char **p,
|
|||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
|
||||
*
|
||||
* anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 }
|
||||
*
|
||||
* certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
|
||||
*
|
||||
* PolicyInformation ::= SEQUENCE {
|
||||
* policyIdentifier CertPolicyId,
|
||||
* policyQualifiers SEQUENCE SIZE (1..MAX) OF
|
||||
* PolicyQualifierInfo OPTIONAL }
|
||||
*
|
||||
* CertPolicyId ::= OBJECT IDENTIFIER
|
||||
*
|
||||
* PolicyQualifierInfo ::= SEQUENCE {
|
||||
* policyQualifierId PolicyQualifierId,
|
||||
* qualifier ANY DEFINED BY policyQualifierId }
|
||||
*
|
||||
* -- policyQualifierIds for Internet policy qualifiers
|
||||
*
|
||||
* id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
|
||||
* id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
|
||||
* id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
|
||||
*
|
||||
* PolicyQualifierId ::= OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
|
||||
*
|
||||
* Qualifier ::= CHOICE {
|
||||
* cPSuri CPSuri,
|
||||
* userNotice UserNotice }
|
||||
*
|
||||
* CPSuri ::= IA5String
|
||||
*
|
||||
* UserNotice ::= SEQUENCE {
|
||||
* noticeRef NoticeReference OPTIONAL,
|
||||
* explicitText DisplayText OPTIONAL }
|
||||
*
|
||||
* NoticeReference ::= SEQUENCE {
|
||||
* organization DisplayText,
|
||||
* noticeNumbers SEQUENCE OF INTEGER }
|
||||
*
|
||||
* DisplayText ::= CHOICE {
|
||||
* ia5String IA5String (SIZE (1..200)),
|
||||
* visibleString VisibleString (SIZE (1..200)),
|
||||
* bmpString BMPString (SIZE (1..200)),
|
||||
* utf8String UTF8String (SIZE (1..200)) }
|
||||
*
|
||||
* NOTE: we only parse and use anyPolicy without qualifiers at this point
|
||||
* as defined in RFC 5280.
|
||||
*/
|
||||
static int x509_get_certificate_policies( unsigned char **p,
|
||||
const unsigned char *end,
|
||||
mbedtls_x509_sequence *certificate_policies )
|
||||
{
|
||||
int ret;
|
||||
size_t len;
|
||||
mbedtls_asn1_buf *buf;
|
||||
mbedtls_asn1_sequence *cur = certificate_policies;
|
||||
|
||||
/* Get main sequence tag */
|
||||
ret = mbedtls_asn1_get_tag( p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE );
|
||||
if( ret != 0 )
|
||||
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
|
||||
|
||||
if( *p + len != end )
|
||||
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||
|
||||
/*
|
||||
* Cannot be an empty sequence.
|
||||
*/
|
||||
if( len == 0 )
|
||||
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||
|
||||
while( *p < end )
|
||||
{
|
||||
mbedtls_x509_buf policy_oid;
|
||||
const unsigned char *policy_end;
|
||||
|
||||
/*
|
||||
* Get the policy sequence
|
||||
*/
|
||||
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
||||
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
|
||||
|
||||
policy_end = *p + len;
|
||||
|
||||
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
|
||||
MBEDTLS_ASN1_OID ) ) != 0 )
|
||||
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
|
||||
|
||||
policy_oid.tag = MBEDTLS_ASN1_OID;
|
||||
policy_oid.len = len;
|
||||
policy_oid.p = *p;
|
||||
|
||||
/* Allocate and assign next pointer */
|
||||
if( cur->buf.p != NULL )
|
||||
{
|
||||
if( cur->next != NULL )
|
||||
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS );
|
||||
|
||||
cur->next = mbedtls_calloc( 1, sizeof( mbedtls_asn1_sequence ) );
|
||||
|
||||
if( cur->next == NULL )
|
||||
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
|
||||
MBEDTLS_ERR_ASN1_ALLOC_FAILED );
|
||||
|
||||
cur = cur->next;
|
||||
}
|
||||
|
||||
buf = &( cur->buf );
|
||||
buf->tag = policy_oid.tag;
|
||||
buf->p = policy_oid.p;
|
||||
buf->len = policy_oid.len;
|
||||
/*
|
||||
* Skip the optional policy qualifiers,
|
||||
* and set the pointer to the end of the policy.
|
||||
*/
|
||||
*p = (unsigned char *)policy_end;
|
||||
}
|
||||
|
||||
/* Set final sequence entry's next pointer to NULL */
|
||||
cur->next = NULL;
|
||||
|
||||
if( *p != end )
|
||||
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* X.509 v3 extensions
|
||||
*
|
||||
|
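Review bot: In the loop of `x509_get_certificate_policies` the policyIdentifier OID is read with `end` as the bound instead of `policy_end`, so an OID whose length runs past its enclosing PolicyInformation SEQUENCE is accepted; the later `*p = (unsigned char *)policy_end` then moves the cursor backwards and the stored `buf` overlaps the bytes of the next entry. The read itself stays inside the extension because `mbedtls_asn1_get_tag` is bounded by `end`, but malformed DER should be rejected rather than re-interpreted, which is what `if( ( ret = mbedtls_asn1_get_tag( p, policy_end, &len, MBEDTLS_ASN1_OID ) ) != 0 )` does. The `policy_oid` temporary is only copied field by field into `cur->buf` and can be dropped by filling `cur->buf` directly once the node has been chosen. The closing `cur->next = NULL;` is a no-op for a node that came from `mbedtls_calloc` and only matters for the first, caller-owned entry; a one-line comment saying so would keep a later reader from "fixing" it.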
@ -817,6 +950,13 @@ static int x509_get_crt_ext( unsigned char **p,
|
|||
return( ret );
|
||||
break;
|
||||
|
||||
case MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES:
|
||||
/* Parse certificate policies type */
|
||||
if( ( ret = x509_get_certificate_policies( p, end_ext_octet,
|
||||
&crt->certificate_policies ) ) != 0 )
|
||||
return( ret );
|
||||
break;
|
||||
|
||||
default:
|
||||
/*
|
||||
* If this is a non-critical extension, which the oid layer
|
||||
|
@ -1820,6 +1960,35 @@ static int x509_info_ext_key_usage( char **buf, size_t *size,
|
|||
return( 0 );
|
||||
}
|
||||
|
||||
static int x509_info_cert_policies( char **buf, size_t *size,
|
||||
const mbedtls_x509_sequence *certificate_policies )
|
||||
{
|
||||
int ret;
|
||||
const char *desc;
|
||||
size_t n = *size;
|
||||
char *p = *buf;
|
||||
const mbedtls_x509_sequence *cur = certificate_policies;
|
||||
const char *sep = "";
|
||||
|
||||
while( cur != NULL )
|
||||
{
|
||||
if( mbedtls_oid_get_certificate_policies( &cur->buf, &desc ) != 0 )
|
||||
desc = "???";
|
||||
|
||||
ret = mbedtls_snprintf( p, n, "%s%s", sep, desc );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
sep = ", ";
|
||||
|
||||
cur = cur->next;
|
||||
}
|
||||
|
||||
*size = n;
|
||||
*buf = p;
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* Return an informational string about the certificate.
|
||||
*/
|
||||
|
@ -1952,6 +2121,16 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
|
|||
return( ret );
|
||||
}
|
||||
|
||||
if( crt->ext_types & MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES )
|
||||
{
|
||||
ret = mbedtls_snprintf( p, n, "\n%scertificate policies : ", prefix );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
if( ( ret = x509_info_cert_policies( &p, &n,
|
||||
&crt->certificate_policies ) ) != 0 )
|
||||
return( ret );
|
||||
}
|
||||
|
||||
ret = mbedtls_snprintf( p, n, "\n" );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
|
@ -3078,6 +3257,16 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
|
|||
mbedtls_free( seq_prv );
|
||||
}
|
||||
|
||||
seq_cur = cert_cur->certificate_policies.next;
|
||||
while( seq_cur != NULL )
|
||||
{
|
||||
seq_prv = seq_cur;
|
||||
seq_cur = seq_cur->next;
|
||||
mbedtls_platform_zeroize( seq_prv,
|
||||
sizeof( mbedtls_x509_sequence ) );
|
||||
mbedtls_free( seq_prv );
|
||||
}
|
||||
|
||||
if( cert_cur->raw.p != NULL && cert_cur->own_buffer )
|
||||
{
|
||||
mbedtls_platform_zeroize( cert_cur->raw.p, cert_cur->raw.len );
|
||||
|
|
|
@ -77,6 +77,42 @@ all_final += test-ca-good-alt.crt
|
|||
test_ca_crt_file_ec = test-ca2.crt
|
||||
test_ca_key_file_ec = test-ca2.key
|
||||
|
||||
test-ca-any_policy.crt: $(test_ca_key_file_rsa) test-ca.req.sha256
|
||||
$(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_any_policy_ca -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha256 -in test-ca.req.sha256 -out $@
|
||||
all_final += test-ca-any_policy.crt
|
||||
|
||||
test-ca-any_policy_ec.crt: $(test_ca_key_file_ec) test-ca.req_ec.sha256
|
||||
$(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_any_policy_ca -key $(test_ca_key_file_ec) -set_serial 0 -days 3653 -sha256 -in test-ca.req_ec.sha256 -out $@
|
||||
all_final += test-ca-any_policy_ec.crt
|
||||
|
||||
test-ca-any_policy_with_qualifier.crt: $(test_ca_key_file_rsa) test-ca.req.sha256
|
||||
$(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_any_policy_qualifier_ca -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha256 -in test-ca.req.sha256 -out $@
|
||||
all_final += test-ca-any_policy_with_qualifier.crt
|
||||
|
||||
test-ca-any_policy_with_qualifier_ec.crt: $(test_ca_key_file_ec) test-ca.req_ec.sha256
|
||||
$(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_any_policy_qualifier_ca -key $(test_ca_key_file_ec) -set_serial 0 -days 3653 -sha256 -in test-ca.req_ec.sha256 -out $@
|
||||
all_final += test-ca-any_policy_with_qualifier_ec.crt
|
||||
|
||||
test-ca-multi_policy.crt: $(test_ca_key_file_rsa) test-ca.req.sha256
|
||||
$(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_multi_policy_ca -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha256 -in test-ca.req.sha256 -out $@
|
||||
all_final += test-ca-multi_policy.crt
|
||||
|
||||
test-ca-multi_policy_ec.crt: $(test_ca_key_file_ec) test-ca.req_ec.sha256
|
||||
$(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_multi_policy_ca -key $(test_ca_key_file_ec) -set_serial 0 -days 3653 -sha256 -in test-ca.req_ec.sha256 -out $@
|
||||
all_final += test-ca-multi_policy_ec.crt
|
||||
|
||||
test-ca-unsupported_policy.crt: $(test_ca_key_file_rsa) test-ca.req.sha256
|
||||
$(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_unsupported_policy_ca -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha256 -in test-ca.req.sha256 -out $@
|
||||
all_final += test-ca-unsupported_policy.crt
|
||||
|
||||
test-ca-unsupported_policy_ec.crt: $(test_ca_key_file_ec) test-ca.req_ec.sha256
|
||||
$(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_unsupported_policy_ca -key $(test_ca_key_file_ec) -set_serial 0 -days 3653 -sha256 -in test-ca.req_ec.sha256 -out $@
|
||||
all_final += test-ca-unsupported_policy_ec.crt
|
||||
|
||||
test-ca.req_ec.sha256: $(test_ca_key_file_ec)
|
||||
$(MBEDTLS_CERT_REQ) output_file=$@ filename=$(test_ca_key_file_ec) subject_name="C=NL, O=PolarSSL, CN=Polarssl Test EC CA" md=SHA256
|
||||
all_intermediate += test-ca.req_ec.sha256
|
||||
|
||||
test_ca_crt_cat12 = test-ca_cat12.crt
|
||||
$(test_ca_crt_cat12): $(test_ca_crt) $(test_ca_crt_file_ec)
|
||||
cat $(test_ca_crt) $(test_ca_crt_file_ec) > $@
|
||||
|
|
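--- a/tests/data_files/test-ca-any_policy.crt
+++ b/tests/data_files/test-ca-any_policy.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFDCCAfygAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTkwMzIxMTY0MDU5WhcNMjkwMzIxMTY0MDU5WjA7MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
+mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
+50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
+YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
+R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
+KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
+IzAhMAwGA1UdEwQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMA0GCSqGSIb3DQEB
+CwUAA4IBAQCHadUDZiIjJhcrG+rYrpOVgMu548rc5kHLC7zVSVfszfdOJq/TdXQT
+Lbn9i+AAVRYJU2kHWKD2fvgOYIIBeEGFJKohlKZ82irWxt0Ltph31cuygLcpqNq9
+KRQ/dh3S0w9vn1A1ubYGKTzTnZGELTVzMlXZGTRbAOylMu4eWac6LHymE2EBqmOq
+fPCuWdFB62ewQWRa+dRO92Aphh870u43/iLbw7hs4s8hokZP7Ewg6AHb4qjVePdF
+jjxAO6x5VCj/WQRnw7muAy0P3l5AhYXAIUdnkdYca5Ja6LfdEJiVeTdE3IU6UJg+
+gAu9swDhUlEuIlCrOdC3tOPDslsOIgTV
+-----END CERTIFICATE-----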
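--- a/tests/data_files/test-ca-any_policy_ec.crt
+++ b/tests/data_files/test-ca-any_policy_ec.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBzDCCAVGgAwIBAgIBADAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MTkwMzI1MDkwMjQ1WhcNMjkwMzI1MDkwMjQ1WjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwdjAQ
+BgcqhkjOPQIBBgUrgQQAIgNiAATD2is0QTdYL4dW/vyJuilDS07gbsMOV1MzOVjU
+UrSRlTkLI99fFyRiSPwalSnOLC2HwohSgK/Waqsh3bjTHG5YuMrosmmO80GtKcO0
+X3WnR2/VGSlVaZpTOyC0ZhZgMx6jIzAhMAwGA1UdEwQFMAMBAf8wEQYDVR0gBAow
+CDAGBgRVHSAAMAoGCCqGSM49BAMCA2kAMGYCMQDWHgmWMckbGLd7XREnJVAv+XRp
+XANOCbWLDu+Fik6c28S+qR6zGEKKGiPHYeDpjRACMQDnYcFBwlfuAB6td3fteG0P
+AWngOaGHmUFEA6h24b5Z6/GSFD9FK9rVRdxQc4Olz7U=
+-----END CERTIFICATE-----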
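--- a/tests/data_files/test-ca-any_policy_with_qualifier.crt
+++ b/tests/data_files/test-ca-any_policy_with_qualifier.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMjCCAhqgAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTkwNDI4MTMxNDMxWhcNMjkwNDI4MTMxNDMxWjA7MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
+mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
+50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
+YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
+R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
+KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
+QTA/MAwGA1UdEwQFMAMBAf8wLwYDVR0gBCgwJjAkBgRVHSAAMBwwGgYIKwYBBQUH
+AgEWDkNQUyB1cmkgc3RyaW5nMA0GCSqGSIb3DQEBCwUAA4IBAQBo3CLwvTakVDWs
+XUZz3ehGgk39KzmYOb3m9bBfMpOplDfE8Zaj8TDZZsxXpNCXT85GgbrAdr6pONQJ
+Mqd3TzTXCs6tmmIOVDToOj6nKtm2nNSf+1TUuLRgeavgCoicoQZOtW5tAehw/RTE
+4VQXSm+ZWotYwK1jvlHS0LaehUy53GsNxWBJHCc3exD+iyutXTZ89jczIKuWpEIN
+pTdI/EYVD2r6r/IITRnJpGjNXOhGB4zvgFlwv88GeF5lG6Si9YD+swO8JuJP35q6
+7cPA/vtrjoiyM3kXmmN1LZGIfEMKNwEcyVhvl+d6sReomI3HAKOj9IIG7umFKi6t
+axMwzK3Y
+-----END CERTIFICATE-----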
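--- a/tests/data_files/test-ca-any_policy_with_qualifier_ec.crt
+++ b/tests/data_files/test-ca-any_policy_with_qualifier_ec.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB6DCCAW+gAwIBAgIBADAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MTkwNDI4MTAxNjA1WhcNMjkwNDI4MTAxNjA1WjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwdjAQ
+BgcqhkjOPQIBBgUrgQQAIgNiAATD2is0QTdYL4dW/vyJuilDS07gbsMOV1MzOVjU
+UrSRlTkLI99fFyRiSPwalSnOLC2HwohSgK/Waqsh3bjTHG5YuMrosmmO80GtKcO0
+X3WnR2/VGSlVaZpTOyC0ZhZgMx6jQTA/MAwGA1UdEwQFMAMBAf8wLwYDVR0gBCgw
+JjAkBgRVHSAAMBwwGgYIKwYBBQUHAgEWDkNQUyB1cmkgc3RyaW5nMAoGCCqGSM49
+BAMCA2cAMGQCMDvi5bBVplU3Gct+iYRmRW9ewty5b+1OX0ggzA+ExXpL1Obo6A16
+a2h1kb7Oy4+BSAIwXZHYb6OEWkOngISfwSZxDiiNXOTwvCu2/oFGC8xTENn0B88m
+2WwPzh4jnvXhNh0w
+-----END CERTIFICATE-----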
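--- a/tests/data_files/test-ca-multi_policy.crt
+++ b/tests/data_files/test-ca-multi_policy.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGzCCAgOgAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTkwNDI4MTI1OTE5WhcNMjkwNDI4MTI1OTE5WjA7MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
+mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
+50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
+YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
+R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
+KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
+KjAoMAwGA1UdEwQFMAMBAf8wGAYDVR0gBBEwDzAFBgMqAwQwBgYEVR0gADANBgkq
+hkiG9w0BAQsFAAOCAQEAPwOUmjnrcBA7dt5drCakEz9HOpj8gZQd1fyVGv221LCL
+h2W1Ngd2WlcADhPQcTdqNx4Dk+KPiBjPEooE9M7d3K33Qn/dVkmOYiW6E/4wU2tM
+cqFj7rg8Now4lBaEqEmBP+cpv+mYqavPcKy3tz4wn1SnA3MpT1hEazhNe4yInNAY
+4YqRBbWuBGkePjbce6Lf+rTfaA7kJnyuC9SHguQRmWtV3xzNzLUFn+V/jYSqYvYU
+2MjDFgCYCmW0xl5Wo8wMWWAvMbO2mRJ37OLUkSOkxgeEL6OihY1GPkbfxC2qV6mR
+4VjmfclwXumiDAvVLhW8hWjCxg8gc69G7kCkVbljLA==
+-----END CERTIFICATE-----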
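--- a/tests/data_files/test-ca-multi_policy_ec.crt
+++ b/tests/data_files/test-ca-multi_policy_ec.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0zCCAVigAwIBAgIBADAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MTkwNDI4MTI1OTUxWhcNMjkwNDI4MTI1OTUxWjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwdjAQ
+BgcqhkjOPQIBBgUrgQQAIgNiAATD2is0QTdYL4dW/vyJuilDS07gbsMOV1MzOVjU
+UrSRlTkLI99fFyRiSPwalSnOLC2HwohSgK/Waqsh3bjTHG5YuMrosmmO80GtKcO0
+X3WnR2/VGSlVaZpTOyC0ZhZgMx6jKjAoMAwGA1UdEwQFMAMBAf8wGAYDVR0gBBEw
+DzAFBgMqAwQwBgYEVR0gADAKBggqhkjOPQQDAgNpADBmAjEAqyz2v+6i3xXF4qlr
+o89qxwlpIn9sR0xU+qo9tgcM6Fa7IDdAU1lhweN8MpkJTtrGAjEAmgNI/08M8n6/
+sMM0Xutt5u9EUHb+4y0uyOfYMcEPr+pCUM4GPxBP6RdqI8Wu9OQf
+-----END CERTIFICATE-----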
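--- a/tests/data_files/test-ca-unsupported_policy.crt
+++ b/tests/data_files/test-ca-unsupported_policy.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEzCCAfugAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTkwNDI4MTMwMDEzWhcNMjkwNDI4MTMwMDEzWjA7MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
+mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
+50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
+YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
+R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
+KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
+IjAgMAwGA1UdEwQFMAMBAf8wEAYDVR0gBAkwBzAFBgMqAwQwDQYJKoZIhvcNAQEL
+BQADggEBAGvARX2orRXDmc2a7nSrbRFkdw/7qbL8Y+wLeM94SsZVgzGcxzRx1KvG
+2H5nBvPKgAzBqWVPU7eDPjrETIfsCxSu+yklBIg5QYRuOcprLtQPkFVfl+WLd31F
+lS1uMgZkahIr57aHoJLYPrEjW4CBHoliT8xfrvVZi4+ym7i/vFqXL7IJ+PIklNF8
+2/b4SAB9hRI5oPw1TV9Q0v2PqMXL/0cp/9Roe+H28Tcrody6jTtEdsU2wbaxhxMd
+YK4Ak1FkhKItumINbtAUnHgBVwO2IivGZgsYulC/9y1uh5NU1HxMzqh04UEMgre+
+9SeEjhwFkq16Njc5Cdt/7iFLeiaHcNU=
+-----END CERTIFICATE-----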
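--- a/tests/data_files/test-ca-unsupported_policy_ec.crt
+++ b/tests/data_files/test-ca-unsupported_policy_ec.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIByjCCAVCgAwIBAgIBADAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MTkwNDI4MTMwMDE5WhcNMjkwNDI4MTMwMDE5WjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwdjAQ
+BgcqhkjOPQIBBgUrgQQAIgNiAATD2is0QTdYL4dW/vyJuilDS07gbsMOV1MzOVjU
+UrSRlTkLI99fFyRiSPwalSnOLC2HwohSgK/Waqsh3bjTHG5YuMrosmmO80GtKcO0
+X3WnR2/VGSlVaZpTOyC0ZhZgMx6jIjAgMAwGA1UdEwQFMAMBAf8wEAYDVR0gBAkw
+BzAFBgMqAwQwCgYIKoZIzj0EAwIDaAAwZQIwKUY3aTL6UR2H1Q1OzIJw7vxUso4P
+2PksCWb62kQeAnhYK85t1VGQiA49iHCXVKuXAjEAq+1qvlmwHX1E99ha/rvxcAYp
+UmxXLmSb53RT0NvhEKnUVGGUp2pBNAVVJOH+G0NI
+-----END CERTIFICATE-----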
|
@ -31,6 +31,26 @@ subjectAltName=@alt_names
|
|||
hwtype = OID:1.3.6.1.4.1.17.3
|
||||
hwserial = OCT:123456
|
||||
|
||||
[v3_any_policy_ca]
|
||||
basicConstraints = CA:true
|
||||
certificatePolicies = 2.5.29.32.0
|
||||
|
||||
[v3_any_policy_qualifier_ca]
|
||||
basicConstraints = CA:true
|
||||
certificatePolicies = @policy_info
|
||||
|
||||
[v3_multi_policy_ca]
|
||||
basicConstraints = CA:true
|
||||
certificatePolicies = 1.2.3.4,2.5.29.32.0
|
||||
|
||||
[v3_unsupported_policy_ca]
|
||||
basicConstraints = CA:true
|
||||
certificatePolicies = 1.2.3.4
|
||||
|
||||
[policy_info]
|
||||
policyIdentifier = 2.5.29.32.0
|
||||
CPS.1 ="CPS uri string"
|
||||
|
||||
[noext_ca]
|
||||
basicConstraints = CA:true
|
||||
|
||||
|
|
|
@ -122,6 +122,38 @@ X509 Certificate information, Subject Alt Name + Key Usage
|
|||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
|
||||
x509_cert_info:"data_files/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: www.shotokan-braunschweig.de\n dNSName \: www.massimo-abate.eu\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
|
||||
|
||||
X509 Certificate information, RSA Certificate Policy any
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
|
||||
x509_cert_info:"data_files/test-ca-any_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-03-21 16\:40\:59\nexpires on \: 2029-03-21 16\:40\:59\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n"
|
||||
|
||||
X509 Certificate information, ECDSA Certificate Policy any
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
|
||||
x509_cert_info:"data_files/test-ca-any_policy_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-03-25 09\:02\:45\nexpires on \: 2029-03-25 09\:02\:45\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n"
|
||||
|
||||
X509 Certificate information, RSA Certificate Policy any with qualifier
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
|
||||
x509_cert_info:"data_files/test-ca-any_policy_with_qualifier.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-04-28 13\:14\:31\nexpires on \: 2029-04-28 13\:14\:31\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n"
|
||||
|
||||
X509 Certificate information, ECDSA Certificate Policy any with qualifier
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
|
||||
x509_cert_info:"data_files/test-ca-any_policy_with_qualifier_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-04-28 10\:16\:05\nexpires on \: 2029-04-28 10\:16\:05\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n"
|
||||
|
||||
X509 Certificate information, RSA Certificate multiple Policies
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
|
||||
x509_cert_info:"data_files/test-ca-multi_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-04-28 12\:59\:19\nexpires on \: 2029-04-28 12\:59\:19\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: ???, Any Policy\n"
|
||||
|
||||
X509 Certificate information, ECDSA Certificate multiple Policies
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
|
||||
x509_cert_info:"data_files/test-ca-multi_policy_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-04-28 12\:59\:51\nexpires on \: 2029-04-28 12\:59\:51\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: ???, Any Policy\n"
|
||||
|
||||
X509 Certificate information, RSA Certificate unsupported policy
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
|
||||
x509_cert_info:"data_files/test-ca-unsupported_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-04-28 13\:00\:13\nexpires on \: 2029-04-28 13\:00\:13\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: ???\n"
|
||||
|
||||
X509 Certificate information, ECDSA Certificate unsupported policy
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
|
||||
x509_cert_info:"data_files/test-ca-unsupported_policy_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-04-28 13\:00\:19\nexpires on \: 2029-04-28 13\:00\:19\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: ???\n"
|
||||
|
||||
X509 Certificate information, Key Usage + Extended Key Usage
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
|
||||
x509_cert_info:"data_files/server1.ext_ku.crt":"cert. version \: 3\nserial number \: 21\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2014-04-01 14\:44\:43\nexpires on \: 2024-03-29 14\:44\:43\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\next key usage \: TLS Web Server Authentication\n"
|
||||
|
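Review bot: All eight new `x509_cert_info` cases feed well-formed certificates, so the rejection branches added in `x509_get_certificate_policies` (empty outer SEQUENCE, outer and trailing length mismatch, a policyIdentifier that is not an OID) have no coverage; a `mbedtls_x509_crt_parse` case with a truncated or empty certificatePolicies extension expecting `MBEDTLS_ERR_X509_INVALID_EXTENSIONS` would pin that behaviour. The expected `certificate policies \: ???, Any Policy` string also fixes, as a contract, that unknown policy OIDs are rendered as `???` rather than in dotted form; if that is the intended behaviour, saying so in the test name (e.g. "unsupported policy, rendered as ???") would keep a later reader from treating it as a bug.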
|