Print X.509 verify info strings even if MBEDTLS_X509_REMOVE_INFO
The new compile-time option MBEDTLS_X509_REMOVE_INFO removes various X.509 debugging strings and functionality, including ``` mbedtls_x509_crt_verify_info() ``` which ssl_client2.c and ssl_server2.c use to print human readable descriptions of X.509 verification failure conditions. Those conditions are also grepped for in numerous ssl-opt.sh tests. Instead of disabling those tests if MBEDTLS_X509_REMOVE_INFO is set, this commit essentially moves mbedtls_x509_crt_verify_info() to ssl_client2.c and ssl_server2.c. However, instead of just copy-pasting the code from x509_crt.c, the following approach is used: A macro MBEDTLS_X509_CRT_ERROR_INFO_LIST is introduced which for each verification failure condition invokes a user-defined macro X509_CRT_ERROR_INFO with (a) the numerical error code, (b) the string presentation of the corresponding error macro, (c) the info string for the error condition. This macro can thus be used to generate code which somehow iterates over the verifiation failure conditions, but the list of error conditions and information strings is nowhere duplicated. This is then used to re-implement mbedtls_x509_crt_verify_info() in x509_crt.c and to provide a functionally equivalent (yet slightly different) version in ssl_client2.c and ssl_server2.c in case MBEDTLS_X509_REMOVE_INFO is set. This way, little changes to ssl-opt.sh will be necessary in case MBEDTLS_X509_REMOVE_INFO is set because the info strings for the verification failure conditions will be printed regardless of whether MBEDTLS_X509_REMOVE_INFO is set or not. Signed-off-by: Hanno Becker <hanno.becker@arm.com>
This commit is contained in:
parent
e111356194
commit
7ac83f91bf
5 changed files with 151 additions and 41 deletions
|
@ -2152,7 +2152,7 @@
|
|||
* and other functions/constants only used by these functions, thus reducing
|
||||
* the code footprint by several KB.
|
||||
*/
|
||||
//#define MBEDTLS_X509_REMOVE_INFO
|
||||
#define MBEDTLS_X509_REMOVE_INFO
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
|
||||
|
|
|
@ -176,6 +176,74 @@ mbedtls_x509_crt_profile;
|
|||
#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
|
||||
#endif
|
||||
|
||||
/* This macro unfolds to the concatenation of macro invocations
|
||||
* X509_CRT_ERROR_INFO( error code,
|
||||
* error code as string,
|
||||
* human readable description )
|
||||
* where X509_CRT_ERROR_INFO is defined by the user.
|
||||
* See x509_crt.c for an example of how to use this. */
|
||||
#define MBEDTLS_X509_CRT_ERROR_INFO_LIST \
|
||||
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_EXPIRED, \
|
||||
"MBEDTLS_X509_BADCERT_EXPIRED", \
|
||||
"The certificate validity has expired" ) \
|
||||
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_REVOKED, \
|
||||
"MBEDTLS_X509_BADCERT_REVOKED", \
|
||||
"The certificate has been revoked (is on a CRL)" ) \
|
||||
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_CN_MISMATCH, \
|
||||
"MBEDTLS_X509_BADCERT_CN_MISMATCH", \
|
||||
"The certificate Common Name (CN) does not match with the expected CN" ) \
|
||||
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_NOT_TRUSTED, \
|
||||
"MBEDTLS_X509_BADCERT_NOT_TRUSTED", \
|
||||
"The certificate is not correctly signed by the trusted CA" ) \
|
||||
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_NOT_TRUSTED, \
|
||||
"MBEDTLS_X509_BADCRL_NOT_TRUSTED", \
|
||||
"The CRL is not correctly signed by the trusted CA" ) \
|
||||
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_EXPIRED, \
|
||||
"MBEDTLS_X509_BADCRL_EXPIRED", \
|
||||
"The CRL is expired" ) \
|
||||
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_MISSING, \
|
||||
"MBEDTLS_X509_BADCERT_MISSING", \
|
||||
"Certificate was missing" ) \
|
||||
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_SKIP_VERIFY, \
|
||||
"MBEDTLS_X509_BADCERT_SKIP_VERIFY", \
|
||||
"Certificate verification was skipped" ) \
|
||||
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_OTHER, \
|
||||
"MBEDTLS_X509_BADCERT_OTHER", \
|
||||
"Other reason (can be used by verify callback)" ) \
|
||||
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_FUTURE, \
|
||||
"MBEDTLS_X509_BADCERT_FUTURE", \
|
||||
"The certificate validity starts in the future" ) \
|
||||
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_FUTURE, \
|
||||
"MBEDTLS_X509_BADCRL_FUTURE", \
|
||||
"The CRL is from the future" ) \
|
||||
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_KEY_USAGE, \
|
||||
"MBEDTLS_X509_BADCERT_KEY_USAGE", \
|
||||
"Usage does not match the keyUsage extension" ) \
|
||||
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_EXT_KEY_USAGE, \
|
||||
"MBEDTLS_X509_BADCERT_EXT_KEY_USAGE", \
|
||||
"Usage does not match the extendedKeyUsage extension" ) \
|
||||
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_NS_CERT_TYPE, \
|
||||
"MBEDTLS_X509_BADCERT_NS_CERT_TYPE", \
|
||||
"Usage does not match the nsCertType extension" ) \
|
||||
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_BAD_MD, \
|
||||
"MBEDTLS_X509_BADCERT_BAD_MD", \
|
||||
"The certificate is signed with an unacceptable hash." ) \
|
||||
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_BAD_PK, \
|
||||
"MBEDTLS_X509_BADCERT_BAD_PK", \
|
||||
"The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA)." ) \
|
||||
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_BAD_KEY, \
|
||||
"MBEDTLS_X509_BADCERT_BAD_KEY", \
|
||||
"The certificate is signed with an unacceptable key (eg bad curve, RSA too short)." ) \
|
||||
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_BAD_MD, \
|
||||
"MBEDTLS_X509_BADCRL_BAD_MD", \
|
||||
"The CRL is signed with an unacceptable hash." ) \
|
||||
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_BAD_PK, \
|
||||
"MBEDTLS_X509_BADCRL_BAD_PK", \
|
||||
"The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA)." ) \
|
||||
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_BAD_KEY, \
|
||||
"MBEDTLS_X509_BADCRL_BAD_KEY", \
|
||||
"The CRL is signed with an unacceptable key (eg bad curve, RSA too short)." )
|
||||
|
||||
/**
|
||||
* Container for writing a certificate (CRT)
|
||||
*/
|
||||
|
|
|
@ -2200,29 +2200,12 @@ struct x509_crt_verify_string {
|
|||
const char *string;
|
||||
};
|
||||
|
||||
#define X509_CRT_ERROR_INFO( err, err_str, info ) { err, info },
|
||||
static const struct x509_crt_verify_string x509_crt_verify_strings[] = {
|
||||
{ MBEDTLS_X509_BADCERT_EXPIRED, "The certificate validity has expired" },
|
||||
{ MBEDTLS_X509_BADCERT_REVOKED, "The certificate has been revoked (is on a CRL)" },
|
||||
{ MBEDTLS_X509_BADCERT_CN_MISMATCH, "The certificate Common Name (CN) does not match with the expected CN" },
|
||||
{ MBEDTLS_X509_BADCERT_NOT_TRUSTED, "The certificate is not correctly signed by the trusted CA" },
|
||||
{ MBEDTLS_X509_BADCRL_NOT_TRUSTED, "The CRL is not correctly signed by the trusted CA" },
|
||||
{ MBEDTLS_X509_BADCRL_EXPIRED, "The CRL is expired" },
|
||||
{ MBEDTLS_X509_BADCERT_MISSING, "Certificate was missing" },
|
||||
{ MBEDTLS_X509_BADCERT_SKIP_VERIFY, "Certificate verification was skipped" },
|
||||
{ MBEDTLS_X509_BADCERT_OTHER, "Other reason (can be used by verify callback)" },
|
||||
{ MBEDTLS_X509_BADCERT_FUTURE, "The certificate validity starts in the future" },
|
||||
{ MBEDTLS_X509_BADCRL_FUTURE, "The CRL is from the future" },
|
||||
{ MBEDTLS_X509_BADCERT_KEY_USAGE, "Usage does not match the keyUsage extension" },
|
||||
{ MBEDTLS_X509_BADCERT_EXT_KEY_USAGE, "Usage does not match the extendedKeyUsage extension" },
|
||||
{ MBEDTLS_X509_BADCERT_NS_CERT_TYPE, "Usage does not match the nsCertType extension" },
|
||||
{ MBEDTLS_X509_BADCERT_BAD_MD, "The certificate is signed with an unacceptable hash." },
|
||||
{ MBEDTLS_X509_BADCERT_BAD_PK, "The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA)." },
|
||||
{ MBEDTLS_X509_BADCERT_BAD_KEY, "The certificate is signed with an unacceptable key (eg bad curve, RSA too short)." },
|
||||
{ MBEDTLS_X509_BADCRL_BAD_MD, "The CRL is signed with an unacceptable hash." },
|
||||
{ MBEDTLS_X509_BADCRL_BAD_PK, "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA)." },
|
||||
{ MBEDTLS_X509_BADCRL_BAD_KEY, "The CRL is signed with an unacceptable key (eg bad curve, RSA too short)." },
|
||||
MBEDTLS_X509_CRT_ERROR_INFO_LIST
|
||||
{ 0, NULL }
|
||||
};
|
||||
#undef X509_CRT_ERROR_INFO
|
||||
|
||||
int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
|
||||
uint32_t flags )
|
||||
|
|
|
@ -523,17 +523,53 @@ struct options
|
|||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
static unsigned char peer_crt_info[1024];
|
||||
|
||||
#if !defined(MBEDTLS_X509_REMOVE_INFO)
|
||||
int x509_crt_verify_info( char *buf, size_t size, const char *prefix,
|
||||
uint32_t flags )
|
||||
{
|
||||
return( mbedtls_x509_crt_verify_info( buf, size, prefix, flags ) );
|
||||
}
|
||||
#else /* !MBEDTLS_X509_REMOVE_INFO */
|
||||
int x509_crt_verify_info( char *buf, size_t size, const char *prefix,
|
||||
uint32_t flags )
|
||||
{
|
||||
int ret;
|
||||
char *p = buf;
|
||||
size_t n = size;
|
||||
|
||||
#define X509_CRT_ERROR_INFO( err, err_str, info ) \
|
||||
if( ( flags & err ) != 0 ) \
|
||||
{ \
|
||||
ret = mbedtls_snprintf( p, n, "%s%s\n", prefix, info ); \
|
||||
MBEDTLS_X509_SAFE_SNPRINTF; \
|
||||
flags ^= err; \
|
||||
}
|
||||
|
||||
MBEDTLS_X509_CRT_ERROR_INFO_LIST
|
||||
#undef X509_CRT_ERROR_INFO
|
||||
|
||||
if( flags != 0 )
|
||||
{
|
||||
ret = mbedtls_snprintf( p, n, "%sUnknown reason "
|
||||
"(this should not happen)\n", prefix );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
}
|
||||
|
||||
return( (int) ( size - n ) );
|
||||
}
|
||||
#endif /* MBEDTLS_X509_REMOVE_INFO */
|
||||
|
||||
/*
|
||||
* Enabled if debug_level > 1 in code below
|
||||
*/
|
||||
static int my_verify( void *data, mbedtls_x509_crt *crt,
|
||||
int depth, uint32_t *flags )
|
||||
{
|
||||
#if !defined(MBEDTLS_X509_REMOVE_INFO)
|
||||
char buf[1024];
|
||||
#endif
|
||||
((void) data);
|
||||
|
||||
mbedtls_printf( "\nVerify requested for (Depth %d):\n", depth );
|
||||
|
||||
#if !defined(MBEDTLS_X509_REMOVE_INFO)
|
||||
mbedtls_x509_crt_info( buf, sizeof( buf ) - 1, "", crt );
|
||||
if( depth == 0 )
|
||||
|
@ -542,7 +578,6 @@ static int my_verify( void *data, mbedtls_x509_crt *crt,
|
|||
if( opt.debug_level == 0 )
|
||||
return( 0 );
|
||||
|
||||
mbedtls_printf( "\nVerify requested for (Depth %d):\n", depth );
|
||||
mbedtls_printf( "%s", buf );
|
||||
#else
|
||||
((void) crt);
|
||||
|
@ -553,10 +588,8 @@ static int my_verify( void *data, mbedtls_x509_crt *crt,
|
|||
mbedtls_printf( " This certificate has no flags\n" );
|
||||
else
|
||||
{
|
||||
#if !defined(MBEDTLS_X509_REMOVE_INFO)
|
||||
mbedtls_x509_crt_verify_info( buf, sizeof( buf ), " ! ", *flags );
|
||||
x509_crt_verify_info( buf, sizeof( buf ), " ! ", *flags );
|
||||
mbedtls_printf( "%s\n", buf );
|
||||
#endif
|
||||
}
|
||||
|
||||
return( 0 );
|
||||
|
@ -2284,18 +2317,13 @@ int main( int argc, char *argv[] )
|
|||
|
||||
if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
|
||||
{
|
||||
#if !defined(MBEDTLS_X509_REMOVE_INFO)
|
||||
char vrfy_buf[512];
|
||||
#endif
|
||||
|
||||
mbedtls_printf( " failed\n" );
|
||||
|
||||
#if !defined(MBEDTLS_X509_REMOVE_INFO)
|
||||
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ),
|
||||
x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ),
|
||||
" ! ", flags );
|
||||
|
||||
mbedtls_printf( "%s\n", vrfy_buf );
|
||||
#endif
|
||||
}
|
||||
else
|
||||
mbedtls_printf( " ok\n" );
|
||||
|
|
|
@ -623,6 +623,42 @@ struct options
|
|||
|
||||
#include "ssl_test_common_source.c"
|
||||
|
||||
#if !defined(MBEDTLS_X509_REMOVE_INFO)
|
||||
int x509_crt_verify_info( char *buf, size_t size, const char *prefix,
|
||||
uint32_t flags )
|
||||
{
|
||||
return( mbedtls_x509_crt_verify_info( buf, size, prefix, flags ) );
|
||||
}
|
||||
#else /* !MBEDTLS_X509_REMOVE_INFO */
|
||||
int x509_crt_verify_info( char *buf, size_t size, const char *prefix,
|
||||
uint32_t flags )
|
||||
{
|
||||
int ret;
|
||||
char *p = buf;
|
||||
size_t n = size;
|
||||
|
||||
#define X509_CRT_ERROR_INFO( err, err_str, info ) \
|
||||
if( ( flags & err ) != 0 ) \
|
||||
{ \
|
||||
ret = mbedtls_snprintf( p, n, "%s%s\n", prefix, info ); \
|
||||
MBEDTLS_X509_SAFE_SNPRINTF; \
|
||||
flags ^= err; \
|
||||
}
|
||||
|
||||
MBEDTLS_X509_CRT_ERROR_INFO_LIST
|
||||
#undef X509_CRT_ERROR_INFO
|
||||
|
||||
if( flags != 0 )
|
||||
{
|
||||
ret = mbedtls_snprintf( p, n, "%sUnknown reason "
|
||||
"(this should not happen)\n", prefix );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
}
|
||||
|
||||
return( (int) ( size - n ) );
|
||||
}
|
||||
#endif /* MBEDTLS_X509_REMOVE_INFO */
|
||||
|
||||
/*
|
||||
* Return authmode from string, or -1 on error
|
||||
*/
|
||||
|
@ -3134,13 +3170,13 @@ handshake:
|
|||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", (unsigned int) -ret );
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO)
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
|
||||
{
|
||||
char vrfy_buf[512];
|
||||
flags = mbedtls_ssl_get_verify_result( &ssl );
|
||||
|
||||
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
|
||||
x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
|
||||
|
||||
mbedtls_printf( "%s\n", vrfy_buf );
|
||||
}
|
||||
|
@ -3188,17 +3224,12 @@ handshake:
|
|||
|
||||
if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
|
||||
{
|
||||
#if !defined(MBEDTLS_X509_REMOVE_INFO)
|
||||
char vrfy_buf[512];
|
||||
#endif
|
||||
|
||||
mbedtls_printf( " failed\n" );
|
||||
|
||||
#if !defined(MBEDTLS_X509_REMOVE_INFO)
|
||||
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
|
||||
|
||||
x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
|
||||
mbedtls_printf( "%s\n", vrfy_buf );
|
||||
#endif
|
||||
}
|
||||
else
|
||||
mbedtls_printf( " ok\n" );
|
||||
|
|
Loading…
Reference in a new issue