Merge branch 'development' into development-restricted
This commit is contained in:
commit
7fb29b17c7
33 changed files with 754 additions and 294 deletions
21
ChangeLog
21
ChangeLog
|
@ -53,6 +53,27 @@ Bugfix
|
|||
* Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys.
|
||||
Found independently by Florian in the mbed TLS forum and by Mishamax.
|
||||
#878, #1019.
|
||||
* Fix variable used before assignment compilation warnings with IAR
|
||||
toolchain. Found by gkerrien38.
|
||||
* Fix unchecked return codes from AES, DES and 3DES functions in
|
||||
pem_aes_decrypt(), pem_des_decrypt() and pem_des3_decrypt() respectively.
|
||||
If a call to one of the functions of the cryptographic primitive modules
|
||||
failed, the error may not be noticed by the function
|
||||
mbedtls_pem_read_buffer() causing it to return invalid values. Found by
|
||||
Guido Vranken. #756
|
||||
* Include configuration file in md.h, to fix compilation warnings.
|
||||
Reported by aaronmdjones in #1001
|
||||
* Correct extraction of signature-type from PK instance in X.509 CRT and CSR
|
||||
writing routines that prevented these functions to work with alternative
|
||||
RSA implementations. Raised by J.B. in the Mbed TLS forum. Fixes #1011.
|
||||
* Don't print X.509 version tag for v1 CRT's, and omit extensions for
|
||||
non-v3 CRT's.
|
||||
* Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023 #1024
|
||||
|
||||
Changes
|
||||
* Extend cert_write example program by options to set the CRT version
|
||||
and the message digest. Further, allow enabling/disabling of authority
|
||||
identifier, subject identifier and basic constraints extensions.
|
||||
|
||||
= mbed TLS 2.6.0 branch released 2017-08-10
|
||||
|
||||
|
|
|
@ -27,6 +27,12 @@
|
|||
|
||||
#include <stddef.h>
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
|
||||
#define MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE -0x5080 /**< The selected feature is not available. */
|
||||
#define MBEDTLS_ERR_MD_BAD_INPUT_DATA -0x5100 /**< Bad input parameters to function. */
|
||||
#define MBEDTLS_ERR_MD_ALLOC_FAILED -0x5180 /**< Failed to allocate memory. */
|
||||
|
|
|
@ -83,6 +83,9 @@ void mbedtls_entropy_init( mbedtls_entropy_context *ctx )
|
|||
mbedtls_havege_init( &ctx->havege_data );
|
||||
#endif
|
||||
|
||||
/* Reminder: Update ENTROPY_HAVE_STRONG in the test files
|
||||
* when adding more strong entropy sources here. */
|
||||
|
||||
#if defined(MBEDTLS_TEST_NULL_ENTROPY)
|
||||
mbedtls_entropy_add_source( ctx, mbedtls_null_entropy_poll, NULL,
|
||||
1, MBEDTLS_ENTROPY_SOURCE_STRONG );
|
||||
|
|
|
@ -134,45 +134,55 @@ static void pem_pbkdf1( unsigned char *key, size_t keylen,
|
|||
/*
|
||||
* Decrypt with DES-CBC, using PBKDF1 for key derivation
|
||||
*/
|
||||
static void pem_des_decrypt( unsigned char des_iv[8],
|
||||
unsigned char *buf, size_t buflen,
|
||||
const unsigned char *pwd, size_t pwdlen )
|
||||
static int pem_des_decrypt( unsigned char des_iv[8],
|
||||
unsigned char *buf, size_t buflen,
|
||||
const unsigned char *pwd, size_t pwdlen )
|
||||
{
|
||||
mbedtls_des_context des_ctx;
|
||||
unsigned char des_key[8];
|
||||
int ret;
|
||||
|
||||
mbedtls_des_init( &des_ctx );
|
||||
|
||||
pem_pbkdf1( des_key, 8, des_iv, pwd, pwdlen );
|
||||
|
||||
mbedtls_des_setkey_dec( &des_ctx, des_key );
|
||||
mbedtls_des_crypt_cbc( &des_ctx, MBEDTLS_DES_DECRYPT, buflen,
|
||||
if( ( ret = mbedtls_des_setkey_dec( &des_ctx, des_key ) ) != 0 )
|
||||
goto exit;
|
||||
ret = mbedtls_des_crypt_cbc( &des_ctx, MBEDTLS_DES_DECRYPT, buflen,
|
||||
des_iv, buf, buf );
|
||||
|
||||
exit:
|
||||
mbedtls_des_free( &des_ctx );
|
||||
mbedtls_zeroize( des_key, 8 );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* Decrypt with 3DES-CBC, using PBKDF1 for key derivation
|
||||
*/
|
||||
static void pem_des3_decrypt( unsigned char des3_iv[8],
|
||||
unsigned char *buf, size_t buflen,
|
||||
const unsigned char *pwd, size_t pwdlen )
|
||||
static int pem_des3_decrypt( unsigned char des3_iv[8],
|
||||
unsigned char *buf, size_t buflen,
|
||||
const unsigned char *pwd, size_t pwdlen )
|
||||
{
|
||||
mbedtls_des3_context des3_ctx;
|
||||
unsigned char des3_key[24];
|
||||
int ret;
|
||||
|
||||
mbedtls_des3_init( &des3_ctx );
|
||||
|
||||
pem_pbkdf1( des3_key, 24, des3_iv, pwd, pwdlen );
|
||||
|
||||
mbedtls_des3_set3key_dec( &des3_ctx, des3_key );
|
||||
mbedtls_des3_crypt_cbc( &des3_ctx, MBEDTLS_DES_DECRYPT, buflen,
|
||||
if( ( ret = mbedtls_des3_set3key_dec( &des3_ctx, des3_key ) ) != 0 )
|
||||
goto exit;
|
||||
ret = mbedtls_des3_crypt_cbc( &des3_ctx, MBEDTLS_DES_DECRYPT, buflen,
|
||||
des3_iv, buf, buf );
|
||||
|
||||
exit:
|
||||
mbedtls_des3_free( &des3_ctx );
|
||||
mbedtls_zeroize( des3_key, 24 );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
#endif /* MBEDTLS_DES_C */
|
||||
|
||||
|
@ -180,23 +190,28 @@ static void pem_des3_decrypt( unsigned char des3_iv[8],
|
|||
/*
|
||||
* Decrypt with AES-XXX-CBC, using PBKDF1 for key derivation
|
||||
*/
|
||||
static void pem_aes_decrypt( unsigned char aes_iv[16], unsigned int keylen,
|
||||
unsigned char *buf, size_t buflen,
|
||||
const unsigned char *pwd, size_t pwdlen )
|
||||
static int pem_aes_decrypt( unsigned char aes_iv[16], unsigned int keylen,
|
||||
unsigned char *buf, size_t buflen,
|
||||
const unsigned char *pwd, size_t pwdlen )
|
||||
{
|
||||
mbedtls_aes_context aes_ctx;
|
||||
unsigned char aes_key[32];
|
||||
int ret;
|
||||
|
||||
mbedtls_aes_init( &aes_ctx );
|
||||
|
||||
pem_pbkdf1( aes_key, keylen, aes_iv, pwd, pwdlen );
|
||||
|
||||
mbedtls_aes_setkey_dec( &aes_ctx, aes_key, keylen * 8 );
|
||||
mbedtls_aes_crypt_cbc( &aes_ctx, MBEDTLS_AES_DECRYPT, buflen,
|
||||
if( ( ret = mbedtls_aes_setkey_dec( &aes_ctx, aes_key, keylen * 8 ) ) != 0 )
|
||||
goto exit;
|
||||
ret = mbedtls_aes_crypt_cbc( &aes_ctx, MBEDTLS_AES_DECRYPT, buflen,
|
||||
aes_iv, buf, buf );
|
||||
|
||||
exit:
|
||||
mbedtls_aes_free( &aes_ctx );
|
||||
mbedtls_zeroize( aes_key, keylen );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
#endif /* MBEDTLS_AES_C */
|
||||
|
||||
|
@ -347,22 +362,30 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
|
|||
return( MBEDTLS_ERR_PEM_PASSWORD_REQUIRED );
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
|
||||
#if defined(MBEDTLS_DES_C)
|
||||
if( enc_alg == MBEDTLS_CIPHER_DES_EDE3_CBC )
|
||||
pem_des3_decrypt( pem_iv, buf, len, pwd, pwdlen );
|
||||
ret = pem_des3_decrypt( pem_iv, buf, len, pwd, pwdlen );
|
||||
else if( enc_alg == MBEDTLS_CIPHER_DES_CBC )
|
||||
pem_des_decrypt( pem_iv, buf, len, pwd, pwdlen );
|
||||
ret = pem_des_decrypt( pem_iv, buf, len, pwd, pwdlen );
|
||||
#endif /* MBEDTLS_DES_C */
|
||||
|
||||
#if defined(MBEDTLS_AES_C)
|
||||
if( enc_alg == MBEDTLS_CIPHER_AES_128_CBC )
|
||||
pem_aes_decrypt( pem_iv, 16, buf, len, pwd, pwdlen );
|
||||
ret = pem_aes_decrypt( pem_iv, 16, buf, len, pwd, pwdlen );
|
||||
else if( enc_alg == MBEDTLS_CIPHER_AES_192_CBC )
|
||||
pem_aes_decrypt( pem_iv, 24, buf, len, pwd, pwdlen );
|
||||
ret = pem_aes_decrypt( pem_iv, 24, buf, len, pwd, pwdlen );
|
||||
else if( enc_alg == MBEDTLS_CIPHER_AES_256_CBC )
|
||||
pem_aes_decrypt( pem_iv, 32, buf, len, pwd, pwdlen );
|
||||
ret = pem_aes_decrypt( pem_iv, 32, buf, len, pwd, pwdlen );
|
||||
#endif /* MBEDTLS_AES_C */
|
||||
|
||||
if( ret != 0 )
|
||||
{
|
||||
mbedtls_free( buf );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* The result will be ASN.1 starting with a SEQUENCE tag, with 1 to 3
|
||||
* length bytes (allow 4 to be sure) in all known use cases.
|
||||
|
|
|
@ -2261,7 +2261,7 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
|
|||
int ret;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
ssl->transform_negotiate->ciphersuite_info;
|
||||
unsigned char *p, *end;
|
||||
unsigned char *p = NULL, *end = NULL;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
|
||||
|
||||
|
|
|
@ -51,7 +51,7 @@ static void mbedtls_zeroize( void *v, size_t n ) {
|
|||
|
||||
void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx )
|
||||
{
|
||||
memset( ctx, 0, sizeof(mbedtls_x509write_cert) );
|
||||
memset( ctx, 0, sizeof( mbedtls_x509write_cert ) );
|
||||
|
||||
mbedtls_mpi_init( &ctx->serial );
|
||||
ctx->version = MBEDTLS_X509_CRT_VERSION_3;
|
||||
|
@ -65,7 +65,7 @@ void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx )
|
|||
mbedtls_asn1_free_named_data_list( &ctx->issuer );
|
||||
mbedtls_asn1_free_named_data_list( &ctx->extensions );
|
||||
|
||||
mbedtls_zeroize( ctx, sizeof(mbedtls_x509write_cert) );
|
||||
mbedtls_zeroize( ctx, sizeof( mbedtls_x509write_cert ) );
|
||||
}
|
||||
|
||||
void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version )
|
||||
|
@ -193,14 +193,14 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *
|
|||
{
|
||||
int ret;
|
||||
unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
|
||||
unsigned char *c = buf + sizeof(buf);
|
||||
unsigned char *c = buf + sizeof( buf );
|
||||
size_t len = 0;
|
||||
|
||||
memset( buf, 0, sizeof(buf) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->issuer_key ) );
|
||||
|
||||
mbedtls_sha1( buf + sizeof(buf) - len, len, buf + sizeof(buf) - 20 );
|
||||
c = buf + sizeof(buf) - 20;
|
||||
mbedtls_sha1( buf + sizeof( buf ) - len, len, buf + sizeof( buf ) - 20 );
|
||||
c = buf + sizeof( buf ) - 20;
|
||||
len = 20;
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
|
||||
|
@ -212,7 +212,7 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *
|
|||
|
||||
return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER,
|
||||
MBEDTLS_OID_SIZE( MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ),
|
||||
0, buf + sizeof(buf) - len, len );
|
||||
0, buf + sizeof( buf ) - len, len );
|
||||
}
|
||||
#endif /* MBEDTLS_SHA1_C */
|
||||
|
||||
|
@ -313,12 +313,18 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
|
|||
c = tmp_buf + sizeof( tmp_buf );
|
||||
|
||||
/* Signature algorithm needed in TBS, and later for actual signature */
|
||||
pk_alg = mbedtls_pk_get_type( ctx->issuer_key );
|
||||
if( pk_alg == MBEDTLS_PK_ECKEY )
|
||||
|
||||
/* There's no direct way of extracting a signature algorithm
|
||||
* (represented as an element of mbedtls_pk_type_t) from a PK instance. */
|
||||
if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_RSA ) )
|
||||
pk_alg = MBEDTLS_PK_RSA;
|
||||
else if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_ECDSA ) )
|
||||
pk_alg = MBEDTLS_PK_ECDSA;
|
||||
else
|
||||
return( MBEDTLS_ERR_X509_INVALID_ALG );
|
||||
|
||||
if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
|
||||
&sig_oid, &sig_oid_len ) ) != 0 )
|
||||
&sig_oid, &sig_oid_len ) ) != 0 )
|
||||
{
|
||||
return( ret );
|
||||
}
|
||||
|
@ -326,13 +332,18 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
|
|||
/*
|
||||
* Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
|
||||
*/
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
|
||||
MBEDTLS_ASN1_CONSTRUCTED | 3 ) );
|
||||
|
||||
/* Only for v3 */
|
||||
if( ctx->version == MBEDTLS_X509_CRT_VERSION_3 )
|
||||
{
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
|
||||
MBEDTLS_ASN1_CONSTRUCTED | 3 ) );
|
||||
}
|
||||
|
||||
/*
|
||||
* SubjectPublicKeyInfo
|
||||
|
@ -384,16 +395,21 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
|
|||
/*
|
||||
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
|
||||
*/
|
||||
sub_len = 0;
|
||||
MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) );
|
||||
len += sub_len;
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
|
||||
MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
|
||||
|
||||
/* Can be omitted for v1 */
|
||||
if( ctx->version != MBEDTLS_X509_CRT_VERSION_1 )
|
||||
{
|
||||
sub_len = 0;
|
||||
MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) );
|
||||
len += sub_len;
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
|
||||
MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
|
||||
}
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE ) );
|
||||
MBEDTLS_ASN1_SEQUENCE ) );
|
||||
|
||||
/*
|
||||
* Make signature
|
||||
|
|
|
@ -50,7 +50,7 @@ static void mbedtls_zeroize( void *v, size_t n ) {
|
|||
|
||||
void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx )
|
||||
{
|
||||
memset( ctx, 0, sizeof(mbedtls_x509write_csr) );
|
||||
memset( ctx, 0, sizeof( mbedtls_x509write_csr ) );
|
||||
}
|
||||
|
||||
void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx )
|
||||
|
@ -58,7 +58,7 @@ void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx )
|
|||
mbedtls_asn1_free_named_data_list( &ctx->subject );
|
||||
mbedtls_asn1_free_named_data_list( &ctx->extensions );
|
||||
|
||||
mbedtls_zeroize( ctx, sizeof(mbedtls_x509write_csr) );
|
||||
mbedtls_zeroize( ctx, sizeof( mbedtls_x509write_csr ) );
|
||||
}
|
||||
|
||||
void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg )
|
||||
|
@ -194,14 +194,21 @@ int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, s
|
|||
*/
|
||||
mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash );
|
||||
|
||||
pk_alg = mbedtls_pk_get_type( ctx->key );
|
||||
if( pk_alg == MBEDTLS_PK_ECKEY )
|
||||
pk_alg = MBEDTLS_PK_ECDSA;
|
||||
|
||||
if( ( ret = mbedtls_pk_sign( ctx->key, ctx->md_alg, hash, 0, sig, &sig_len,
|
||||
f_rng, p_rng ) ) != 0 ||
|
||||
( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
|
||||
&sig_oid, &sig_oid_len ) ) != 0 )
|
||||
f_rng, p_rng ) ) != 0 )
|
||||
{
|
||||
return( ret );
|
||||
}
|
||||
|
||||
if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_RSA ) )
|
||||
pk_alg = MBEDTLS_PK_RSA;
|
||||
else if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_ECDSA ) )
|
||||
pk_alg = MBEDTLS_PK_ECDSA;
|
||||
else
|
||||
return( MBEDTLS_ERR_X509_INVALID_ALG );
|
||||
|
||||
if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
|
||||
&sig_oid, &sig_oid_len ) ) != 0 )
|
||||
{
|
||||
return( ret );
|
||||
}
|
||||
|
|
|
@ -51,6 +51,7 @@ int main( void )
|
|||
#include "mbedtls/x509_csr.h"
|
||||
#include "mbedtls/entropy.h"
|
||||
#include "mbedtls/ctr_drbg.h"
|
||||
#include "mbedtls/md.h"
|
||||
#include "mbedtls/error.h"
|
||||
|
||||
#include <stdio.h>
|
||||
|
@ -59,9 +60,9 @@ int main( void )
|
|||
|
||||
#if defined(MBEDTLS_X509_CSR_PARSE_C)
|
||||
#define USAGE_CSR \
|
||||
" request_file=%%s default: (empty)\n" \
|
||||
" If request_file is specified, subject_key,\n" \
|
||||
" subject_pwd and subject_name are ignored!\n"
|
||||
" request_file=%%s default: (empty)\n" \
|
||||
" If request_file is specified, subject_key,\n" \
|
||||
" subject_pwd and subject_name are ignored!\n"
|
||||
#else
|
||||
#define USAGE_CSR ""
|
||||
#endif /* MBEDTLS_X509_CSR_PARSE_C */
|
||||
|
@ -83,50 +84,70 @@ int main( void )
|
|||
#define DFL_MAX_PATHLEN -1
|
||||
#define DFL_KEY_USAGE 0
|
||||
#define DFL_NS_CERT_TYPE 0
|
||||
#define DFL_VERSION 3
|
||||
#define DFL_AUTH_IDENT 1
|
||||
#define DFL_SUBJ_IDENT 1
|
||||
#define DFL_CONSTRAINTS 1
|
||||
#define DFL_DIGEST MBEDTLS_MD_SHA256
|
||||
|
||||
#define USAGE \
|
||||
"\n usage: cert_write param=<>...\n" \
|
||||
"\n acceptable parameters:\n" \
|
||||
USAGE_CSR \
|
||||
" subject_key=%%s default: subject.key\n" \
|
||||
" subject_pwd=%%s default: (empty)\n" \
|
||||
" subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \
|
||||
" subject_key=%%s default: subject.key\n" \
|
||||
" subject_pwd=%%s default: (empty)\n" \
|
||||
" subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \
|
||||
"\n" \
|
||||
" issuer_crt=%%s default: (empty)\n" \
|
||||
" If issuer_crt is specified, issuer_name is\n" \
|
||||
" ignored!\n" \
|
||||
" issuer_name=%%s default: CN=CA,O=mbed TLS,C=UK\n" \
|
||||
" issuer_crt=%%s default: (empty)\n" \
|
||||
" If issuer_crt is specified, issuer_name is\n" \
|
||||
" ignored!\n" \
|
||||
" issuer_name=%%s default: CN=CA,O=mbed TLS,C=UK\n" \
|
||||
"\n" \
|
||||
" selfsign=%%d default: 0 (false)\n" \
|
||||
" If selfsign is enabled, issuer_name and\n" \
|
||||
" issuer_key are required (issuer_crt and\n" \
|
||||
" subject_* are ignored\n" \
|
||||
" issuer_key=%%s default: ca.key\n" \
|
||||
" issuer_pwd=%%s default: (empty)\n" \
|
||||
" output_file=%%s default: cert.crt\n" \
|
||||
" serial=%%s default: 1\n" \
|
||||
" not_before=%%s default: 20010101000000\n"\
|
||||
" not_after=%%s default: 20301231235959\n"\
|
||||
" is_ca=%%d default: 0 (disabled)\n" \
|
||||
" max_pathlen=%%d default: -1 (none)\n" \
|
||||
" key_usage=%%s default: (empty)\n" \
|
||||
" Comma-separated-list of values:\n" \
|
||||
" digital_signature\n" \
|
||||
" non_repudiation\n" \
|
||||
" key_encipherment\n" \
|
||||
" data_encipherment\n" \
|
||||
" key_agreement\n" \
|
||||
" key_cert_sign\n" \
|
||||
" crl_sign\n" \
|
||||
" ns_cert_type=%%s default: (empty)\n" \
|
||||
" Comma-separated-list of values:\n" \
|
||||
" ssl_client\n" \
|
||||
" ssl_server\n" \
|
||||
" email\n" \
|
||||
" object_signing\n" \
|
||||
" ssl_ca\n" \
|
||||
" email_ca\n" \
|
||||
" object_signing_ca\n" \
|
||||
" selfsign=%%d default: 0 (false)\n" \
|
||||
" If selfsign is enabled, issuer_name and\n" \
|
||||
" issuer_key are required (issuer_crt and\n" \
|
||||
" subject_* are ignored\n" \
|
||||
" issuer_key=%%s default: ca.key\n" \
|
||||
" issuer_pwd=%%s default: (empty)\n" \
|
||||
" output_file=%%s default: cert.crt\n" \
|
||||
" serial=%%s default: 1\n" \
|
||||
" not_before=%%s default: 20010101000000\n"\
|
||||
" not_after=%%s default: 20301231235959\n"\
|
||||
" is_ca=%%d default: 0 (disabled)\n" \
|
||||
" max_pathlen=%%d default: -1 (none)\n" \
|
||||
" md=%%s default: SHA256\n" \
|
||||
" Supported values:\n" \
|
||||
" MD5, SHA1, SHA256, SHA512\n"\
|
||||
" version=%%d default: 3\n" \
|
||||
" Possible values: 1, 2, 3\n"\
|
||||
" subject_identifier=%%s default: 1\n" \
|
||||
" Possible values: 0, 1\n" \
|
||||
" (Considered for v3 only)\n"\
|
||||
" authority_identifier=%%s default: 1\n" \
|
||||
" Possible values: 0, 1\n" \
|
||||
" (Considered for v3 only)\n"\
|
||||
" basic_constraints=%%d default: 1\n" \
|
||||
" Possible values: 0, 1\n" \
|
||||
" (Considered for v3 only)\n"\
|
||||
" key_usage=%%s default: (empty)\n" \
|
||||
" Comma-separated-list of values:\n" \
|
||||
" digital_signature\n" \
|
||||
" non_repudiation\n" \
|
||||
" key_encipherment\n" \
|
||||
" data_encipherment\n" \
|
||||
" key_agreement\n" \
|
||||
" key_cert_sign\n" \
|
||||
" crl_sign\n" \
|
||||
" (Considered for v3 only)\n"\
|
||||
" ns_cert_type=%%s default: (empty)\n" \
|
||||
" Comma-separated-list of values:\n" \
|
||||
" ssl_client\n" \
|
||||
" ssl_server\n" \
|
||||
" email\n" \
|
||||
" object_signing\n" \
|
||||
" ssl_ca\n" \
|
||||
" email_ca\n" \
|
||||
" object_signing_ca\n" \
|
||||
"\n"
|
||||
|
||||
/*
|
||||
|
@ -149,6 +170,11 @@ struct options
|
|||
int selfsign; /* selfsign the certificate */
|
||||
int is_ca; /* is a CA certificate */
|
||||
int max_pathlen; /* maximum CA path length */
|
||||
int authority_identifier; /* add authority identifier to CRT */
|
||||
int subject_identifier; /* add subject identifier to CRT */
|
||||
int basic_constraints; /* add basic constraints ext to CRT */
|
||||
int version; /* CRT version */
|
||||
mbedtls_md_type_t md; /* Hash used for signing */
|
||||
unsigned char key_usage; /* key usage flags */
|
||||
unsigned char ns_cert_type; /* NS cert type */
|
||||
} opt;
|
||||
|
@ -163,7 +189,8 @@ int write_certificate( mbedtls_x509write_cert *crt, const char *output_file,
|
|||
size_t len = 0;
|
||||
|
||||
memset( output_buf, 0, 4096 );
|
||||
if( ( ret = mbedtls_x509write_crt_pem( crt, output_buf, 4096, f_rng, p_rng ) ) < 0 )
|
||||
if( ( ret = mbedtls_x509write_crt_pem( crt, output_buf, 4096,
|
||||
f_rng, p_rng ) ) < 0 )
|
||||
return( ret );
|
||||
|
||||
len = strlen( (char *) output_buf );
|
||||
|
@ -207,7 +234,6 @@ int main( int argc, char *argv[] )
|
|||
* Set to sane values
|
||||
*/
|
||||
mbedtls_x509write_crt_init( &crt );
|
||||
mbedtls_x509write_crt_set_md_alg( &crt, MBEDTLS_MD_SHA256 );
|
||||
mbedtls_pk_init( &loaded_issuer_key );
|
||||
mbedtls_pk_init( &loaded_subject_key );
|
||||
mbedtls_mpi_init( &serial );
|
||||
|
@ -243,6 +269,11 @@ int main( int argc, char *argv[] )
|
|||
opt.max_pathlen = DFL_MAX_PATHLEN;
|
||||
opt.key_usage = DFL_KEY_USAGE;
|
||||
opt.ns_cert_type = DFL_NS_CERT_TYPE;
|
||||
opt.version = DFL_VERSION - 1;
|
||||
opt.md = DFL_DIGEST;
|
||||
opt.subject_identifier = DFL_SUBJ_IDENT;
|
||||
opt.authority_identifier = DFL_AUTH_IDENT;
|
||||
opt.basic_constraints = DFL_CONSTRAINTS;
|
||||
|
||||
for( i = 1; i < argc; i++ )
|
||||
{
|
||||
|
@ -286,23 +317,88 @@ int main( int argc, char *argv[] )
|
|||
{
|
||||
opt.serial = q;
|
||||
}
|
||||
else if( strcmp( p, "authority_identifier" ) == 0 )
|
||||
{
|
||||
opt.authority_identifier = atoi( q );
|
||||
if( opt.authority_identifier != 0 &&
|
||||
opt.authority_identifier != 1 )
|
||||
{
|
||||
mbedtls_printf( "Invalid argument for option %s\n", p );
|
||||
goto usage;
|
||||
}
|
||||
}
|
||||
else if( strcmp( p, "subject_identifier" ) == 0 )
|
||||
{
|
||||
opt.subject_identifier = atoi( q );
|
||||
if( opt.subject_identifier != 0 &&
|
||||
opt.subject_identifier != 1 )
|
||||
{
|
||||
mbedtls_printf( "Invalid argument for option %s\n", p );
|
||||
goto usage;
|
||||
}
|
||||
}
|
||||
else if( strcmp( p, "basic_constraints" ) == 0 )
|
||||
{
|
||||
opt.basic_constraints = atoi( q );
|
||||
if( opt.basic_constraints != 0 &&
|
||||
opt.basic_constraints != 1 )
|
||||
{
|
||||
mbedtls_printf( "Invalid argument for option %s\n", p );
|
||||
goto usage;
|
||||
}
|
||||
}
|
||||
else if( strcmp( p, "md" ) == 0 )
|
||||
{
|
||||
if( strcmp( q, "SHA1" ) == 0 )
|
||||
opt.md = MBEDTLS_MD_SHA1;
|
||||
else if( strcmp( q, "SHA256" ) == 0 )
|
||||
opt.md = MBEDTLS_MD_SHA256;
|
||||
else if( strcmp( q, "SHA512" ) == 0 )
|
||||
opt.md = MBEDTLS_MD_SHA512;
|
||||
else if( strcmp( q, "MD5" ) == 0 )
|
||||
opt.md = MBEDTLS_MD_MD5;
|
||||
else
|
||||
{
|
||||
mbedtls_printf( "Invalid argument for option %s\n", p );
|
||||
goto usage;
|
||||
}
|
||||
}
|
||||
else if( strcmp( p, "version" ) == 0 )
|
||||
{
|
||||
opt.version = atoi( q );
|
||||
if( opt.version < 1 || opt.version > 3 )
|
||||
{
|
||||
mbedtls_printf( "Invalid argument for option %s\n", p );
|
||||
goto usage;
|
||||
}
|
||||
opt.version--;
|
||||
}
|
||||
else if( strcmp( p, "selfsign" ) == 0 )
|
||||
{
|
||||
opt.selfsign = atoi( q );
|
||||
if( opt.selfsign < 0 || opt.selfsign > 1 )
|
||||
{
|
||||
mbedtls_printf( "Invalid argument for option %s\n", p );
|
||||
goto usage;
|
||||
}
|
||||
}
|
||||
else if( strcmp( p, "is_ca" ) == 0 )
|
||||
{
|
||||
opt.is_ca = atoi( q );
|
||||
if( opt.is_ca < 0 || opt.is_ca > 1 )
|
||||
{
|
||||
mbedtls_printf( "Invalid argument for option %s\n", p );
|
||||
goto usage;
|
||||
}
|
||||
}
|
||||
else if( strcmp( p, "max_pathlen" ) == 0 )
|
||||
{
|
||||
opt.max_pathlen = atoi( q );
|
||||
if( opt.max_pathlen < -1 || opt.max_pathlen > 127 )
|
||||
{
|
||||
mbedtls_printf( "Invalid argument for option %s\n", p );
|
||||
goto usage;
|
||||
}
|
||||
}
|
||||
else if( strcmp( p, "key_usage" ) == 0 )
|
||||
{
|
||||
|
@ -326,7 +422,10 @@ int main( int argc, char *argv[] )
|
|||
else if( strcmp( q, "crl_sign" ) == 0 )
|
||||
opt.key_usage |= MBEDTLS_X509_KU_CRL_SIGN;
|
||||
else
|
||||
{
|
||||
mbedtls_printf( "Invalid argument for option %s\n", p );
|
||||
goto usage;
|
||||
}
|
||||
|
||||
q = r;
|
||||
}
|
||||
|
@ -353,7 +452,10 @@ int main( int argc, char *argv[] )
|
|||
else if( strcmp( q, "object_signing_ca" ) == 0 )
|
||||
opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA;
|
||||
else
|
||||
{
|
||||
mbedtls_printf( "Invalid argument for option %s\n", p );
|
||||
goto usage;
|
||||
}
|
||||
|
||||
q = r;
|
||||
}
|
||||
|
@ -376,7 +478,8 @@ int main( int argc, char *argv[] )
|
|||
strlen( pers ) ) ) != 0 )
|
||||
{
|
||||
mbedtls_strerror( ret, buf, 1024 );
|
||||
mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d - %s\n", ret, buf );
|
||||
mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d - %s\n",
|
||||
ret, buf );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
|
@ -390,7 +493,8 @@ int main( int argc, char *argv[] )
|
|||
if( ( ret = mbedtls_mpi_read_string( &serial, 10, opt.serial ) ) != 0 )
|
||||
{
|
||||
mbedtls_strerror( ret, buf, 1024 );
|
||||
mbedtls_printf( " failed\n ! mbedtls_mpi_read_string returned -0x%02x - %s\n\n", -ret, buf );
|
||||
mbedtls_printf( " failed\n ! mbedtls_mpi_read_string "
|
||||
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
|
@ -409,7 +513,8 @@ int main( int argc, char *argv[] )
|
|||
if( ( ret = mbedtls_x509_crt_parse_file( &issuer_crt, opt.issuer_crt ) ) != 0 )
|
||||
{
|
||||
mbedtls_strerror( ret, buf, 1024 );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file returned -0x%02x - %s\n\n", -ret, buf );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file "
|
||||
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
|
@ -418,7 +523,8 @@ int main( int argc, char *argv[] )
|
|||
if( ret < 0 )
|
||||
{
|
||||
mbedtls_strerror( ret, buf, 1024 );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets returned -0x%02x - %s\n\n", -ret, buf );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets "
|
||||
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
|
@ -441,7 +547,8 @@ int main( int argc, char *argv[] )
|
|||
if( ( ret = mbedtls_x509_csr_parse_file( &csr, opt.request_file ) ) != 0 )
|
||||
{
|
||||
mbedtls_strerror( ret, buf, 1024 );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509_csr_parse_file returned -0x%02x - %s\n\n", -ret, buf );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509_csr_parse_file "
|
||||
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
|
@ -450,7 +557,8 @@ int main( int argc, char *argv[] )
|
|||
if( ret < 0 )
|
||||
{
|
||||
mbedtls_strerror( ret, buf, 1024 );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets returned -0x%02x - %s\n\n", -ret, buf );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets "
|
||||
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
|
@ -474,7 +582,8 @@ int main( int argc, char *argv[] )
|
|||
if( ret != 0 )
|
||||
{
|
||||
mbedtls_strerror( ret, buf, 1024 );
|
||||
mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile returned -0x%02x - %s\n\n", -ret, buf );
|
||||
mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile "
|
||||
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
|
@ -489,7 +598,8 @@ int main( int argc, char *argv[] )
|
|||
if( ret != 0 )
|
||||
{
|
||||
mbedtls_strerror( ret, buf, 1024 );
|
||||
mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile returned -x%02x - %s\n\n", -ret, buf );
|
||||
mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile "
|
||||
"returned -x%02x - %s\n\n", -ret, buf );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
|
@ -503,7 +613,8 @@ int main( int argc, char *argv[] )
|
|||
mbedtls_mpi_cmp_mpi( &mbedtls_pk_rsa( issuer_crt.pk )->E,
|
||||
&mbedtls_pk_rsa( *issuer_key )->E ) != 0 )
|
||||
{
|
||||
mbedtls_printf( " failed\n ! issuer_key does not match issuer certificate\n\n" );
|
||||
mbedtls_printf( " failed\n ! issuer_key does not match "
|
||||
"issuer certificate\n\n" );
|
||||
ret = -1;
|
||||
goto exit;
|
||||
}
|
||||
|
@ -526,25 +637,31 @@ int main( int argc, char *argv[] )
|
|||
if( ( ret = mbedtls_x509write_crt_set_subject_name( &crt, opt.subject_name ) ) != 0 )
|
||||
{
|
||||
mbedtls_strerror( ret, buf, 1024 );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_name returned -0x%02x - %s\n\n", -ret, buf );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_name "
|
||||
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_x509write_crt_set_issuer_name( &crt, opt.issuer_name ) ) != 0 )
|
||||
{
|
||||
mbedtls_strerror( ret, buf, 1024 );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_issuer_name returned -0x%02x - %s\n\n", -ret, buf );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_issuer_name "
|
||||
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
mbedtls_printf( " . Setting certificate values ..." );
|
||||
fflush( stdout );
|
||||
|
||||
mbedtls_x509write_crt_set_version( &crt, opt.version );
|
||||
mbedtls_x509write_crt_set_md_alg( &crt, opt.md );
|
||||
|
||||
ret = mbedtls_x509write_crt_set_serial( &crt, &serial );
|
||||
if( ret != 0 )
|
||||
{
|
||||
mbedtls_strerror( ret, buf, 1024 );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_serial returned -0x%02x - %s\n\n", -ret, buf );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_serial "
|
||||
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
|
@ -552,55 +669,74 @@ int main( int argc, char *argv[] )
|
|||
if( ret != 0 )
|
||||
{
|
||||
mbedtls_strerror( ret, buf, 1024 );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_validity returned -0x%02x - %s\n\n", -ret, buf );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_validity "
|
||||
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
mbedtls_printf( " ok\n" );
|
||||
|
||||
mbedtls_printf( " . Adding the Basic Constraints extension ..." );
|
||||
fflush( stdout );
|
||||
|
||||
ret = mbedtls_x509write_crt_set_basic_constraints( &crt, opt.is_ca,
|
||||
opt.max_pathlen );
|
||||
if( ret != 0 )
|
||||
if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
|
||||
opt.basic_constraints != 0 )
|
||||
{
|
||||
mbedtls_strerror( ret, buf, 1024 );
|
||||
mbedtls_printf( " failed\n ! x509write_crt_set_basic_contraints returned -0x%02x - %s\n\n", -ret, buf );
|
||||
goto exit;
|
||||
}
|
||||
mbedtls_printf( " . Adding the Basic Constraints extension ..." );
|
||||
fflush( stdout );
|
||||
|
||||
mbedtls_printf( " ok\n" );
|
||||
ret = mbedtls_x509write_crt_set_basic_constraints( &crt, opt.is_ca,
|
||||
opt.max_pathlen );
|
||||
if( ret != 0 )
|
||||
{
|
||||
mbedtls_strerror( ret, buf, 1024 );
|
||||
mbedtls_printf( " failed\n ! x509write_crt_set_basic_contraints "
|
||||
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
mbedtls_printf( " ok\n" );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
mbedtls_printf( " . Adding the Subject Key Identifier ..." );
|
||||
fflush( stdout );
|
||||
|
||||
ret = mbedtls_x509write_crt_set_subject_key_identifier( &crt );
|
||||
if( ret != 0 )
|
||||
if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
|
||||
opt.subject_identifier != 0 )
|
||||
{
|
||||
mbedtls_strerror( ret, buf, 1024 );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_key_identifier returned -0x%02x - %s\n\n", -ret, buf );
|
||||
goto exit;
|
||||
mbedtls_printf( " . Adding the Subject Key Identifier ..." );
|
||||
fflush( stdout );
|
||||
|
||||
ret = mbedtls_x509write_crt_set_subject_key_identifier( &crt );
|
||||
if( ret != 0 )
|
||||
{
|
||||
mbedtls_strerror( ret, buf, 1024 );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject"
|
||||
"_key_identifier returned -0x%04x - %s\n\n",
|
||||
-ret, buf );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
mbedtls_printf( " ok\n" );
|
||||
}
|
||||
|
||||
mbedtls_printf( " ok\n" );
|
||||
|
||||
mbedtls_printf( " . Adding the Authority Key Identifier ..." );
|
||||
fflush( stdout );
|
||||
|
||||
ret = mbedtls_x509write_crt_set_authority_key_identifier( &crt );
|
||||
if( ret != 0 )
|
||||
if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
|
||||
opt.authority_identifier != 0 )
|
||||
{
|
||||
mbedtls_strerror( ret, buf, 1024 );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_authority_key_identifier returned -0x%02x - %s\n\n", -ret, buf );
|
||||
goto exit;
|
||||
}
|
||||
mbedtls_printf( " . Adding the Authority Key Identifier ..." );
|
||||
fflush( stdout );
|
||||
|
||||
mbedtls_printf( " ok\n" );
|
||||
ret = mbedtls_x509write_crt_set_authority_key_identifier( &crt );
|
||||
if( ret != 0 )
|
||||
{
|
||||
mbedtls_strerror( ret, buf, 1024 );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_authority_"
|
||||
"key_identifier returned -0x%04x - %s\n\n",
|
||||
-ret, buf );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
mbedtls_printf( " ok\n" );
|
||||
}
|
||||
#endif /* MBEDTLS_SHA1_C */
|
||||
|
||||
if( opt.key_usage )
|
||||
if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
|
||||
opt.key_usage != 0 )
|
||||
{
|
||||
mbedtls_printf( " . Adding the Key Usage extension ..." );
|
||||
fflush( stdout );
|
||||
|
@ -609,14 +745,16 @@ int main( int argc, char *argv[] )
|
|||
if( ret != 0 )
|
||||
{
|
||||
mbedtls_strerror( ret, buf, 1024 );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_key_usage returned -0x%02x - %s\n\n", -ret, buf );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_key_usage "
|
||||
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
mbedtls_printf( " ok\n" );
|
||||
}
|
||||
|
||||
if( opt.ns_cert_type )
|
||||
if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
|
||||
opt.ns_cert_type != 0 )
|
||||
{
|
||||
mbedtls_printf( " . Adding the NS Cert Type extension ..." );
|
||||
fflush( stdout );
|
||||
|
@ -625,7 +763,8 @@ int main( int argc, char *argv[] )
|
|||
if( ret != 0 )
|
||||
{
|
||||
mbedtls_strerror( ret, buf, 1024 );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ns_cert_type returned -0x%02x - %s\n\n", -ret, buf );
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ns_cert_type "
|
||||
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
|
@ -642,7 +781,8 @@ int main( int argc, char *argv[] )
|
|||
mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
|
||||
{
|
||||
mbedtls_strerror( ret, buf, 1024 );
|
||||
mbedtls_printf( " failed\n ! write_certifcate -0x%02x - %s\n\n", -ret, buf );
|
||||
mbedtls_printf( " failed\n ! write_certificate -0x%04x - %s\n\n",
|
||||
-ret, buf );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
|
|
|
@ -2,8 +2,8 @@
|
|||
expression x, y;
|
||||
statement S;
|
||||
@@
|
||||
x = mbedtls_malloc(...);
|
||||
y = mbedtls_malloc(...);
|
||||
x = mbedtls_calloc(...);
|
||||
y = mbedtls_calloc(...);
|
||||
...
|
||||
* if (x == NULL || y == NULL)
|
||||
S
|
||||
|
@ -13,8 +13,8 @@ expression x, y;
|
|||
statement S;
|
||||
@@
|
||||
if (
|
||||
* (x = mbedtls_malloc(...)) == NULL
|
||||
* (x = mbedtls_calloc(...)) == NULL
|
||||
||
|
||||
* (y = mbedtls_malloc(...)) == NULL
|
||||
* (y = mbedtls_calloc(...)) == NULL
|
||||
)
|
||||
S
|
||||
|
|
|
@ -1,70 +0,0 @@
|
|||
#!/usr/bin/perl
|
||||
|
||||
# Check for malloc calls not shortly followed by initialisation.
|
||||
#
|
||||
# Known limitations:
|
||||
# - false negative: can't see allocations spanning more than one line
|
||||
# - possible false negatives, see patterns
|
||||
# - false positive: malloc-malloc-init-init is not accepted
|
||||
# - false positives: "non-standard" init functions (eg, the things being
|
||||
# initialised is not the first arg, or initialise struct members)
|
||||
#
|
||||
# Since false positives are expected, the results must be manually reviewed.
|
||||
#
|
||||
# Typical usage: scripts/malloc-init.pl library/*.c
|
||||
|
||||
use warnings;
|
||||
use strict;
|
||||
|
||||
use utf8;
|
||||
use open qw(:std utf8);
|
||||
|
||||
my $limit = 7;
|
||||
my $inits = qr/memset|memcpy|_init|fread|base64_..code/;
|
||||
|
||||
# cases to bear in mind:
|
||||
#
|
||||
# 0. foo = malloc(...); memset( foo, ... );
|
||||
# 1. *foo = malloc(...); memset( *foo, ... );
|
||||
# 2. type *foo = malloc(...); memset( foo, ...);
|
||||
# 3. foo = malloc(...); foo_init( (type *) foo );
|
||||
# 4. foo = malloc(...); for(i=0..n) { init( &foo[i] ); }
|
||||
#
|
||||
# The chosen patterns are a bit relaxed, but unlikely to cause false positives
|
||||
# in real code (initialising *foo or &foo instead of foo will likely be caught
|
||||
# by functional tests).
|
||||
#
|
||||
my $id = qr/([a-zA-Z-0-9_\->\.]*)/;
|
||||
my $prefix = qr/\s(?:\*?|\&?|\([a-z_]* \*\))\s*/;
|
||||
|
||||
my $name;
|
||||
my $line;
|
||||
my @bad;
|
||||
|
||||
die "Usage: $0 file.c [...]\n" unless @ARGV;
|
||||
|
||||
while (my $file = shift @ARGV)
|
||||
{
|
||||
open my $fh, "<", $file or die "read $file failed: $!\n";
|
||||
while (<$fh>)
|
||||
{
|
||||
if( /mbedtls_malloc\(/ ) {
|
||||
if( /$id\s*=.*mbedtls_malloc\(/ ) {
|
||||
push @bad, "$file:$line:$name" if $name;
|
||||
$name = $1;
|
||||
$line = $.;
|
||||
} else {
|
||||
push @bad, "$file:$.:???" unless /return mbedtls_malloc/;
|
||||
}
|
||||
} elsif( $name && /(?:$inits)\($prefix\Q$name\E\b/ ) {
|
||||
undef $name;
|
||||
} elsif( $name && $. - $line > $limit ) {
|
||||
push @bad, "$file:$line:$name";
|
||||
undef $name;
|
||||
undef $line;
|
||||
}
|
||||
}
|
||||
close $fh or die;
|
||||
}
|
||||
|
||||
print "$_\n" for @bad;
|
7
scripts/rm-calloc-cast.cocci
Normal file
7
scripts/rm-calloc-cast.cocci
Normal file
|
@ -0,0 +1,7 @@
|
|||
@rm_calloc_cast@
|
||||
expression x, n, m;
|
||||
type T;
|
||||
@@
|
||||
x =
|
||||
- (T *)
|
||||
mbedtls_calloc(n, m)
|
|
@ -1,7 +0,0 @@
|
|||
@rm_malloc_cast@
|
||||
expression x, n;
|
||||
type T;
|
||||
@@
|
||||
x =
|
||||
- (T *)
|
||||
mbedtls_malloc(n)
|
|
@ -12,6 +12,7 @@
|
|||
|
||||
## Tools
|
||||
OPENSSL ?= openssl
|
||||
MBEDTLS_CERT_WRITE ?= $(PWD)/../../programs/x509/cert_write
|
||||
|
||||
## Build the generated test data. Note that since the final outputs
|
||||
## are committed to the repository, this target should do nothing on a
|
||||
|
@ -30,6 +31,7 @@ all_final := # files used by tests
|
|||
#### Generate certificates from existing keys
|
||||
################################################################
|
||||
|
||||
test_ca_crt = test-ca.crt
|
||||
test_ca_key_file_rsa = test-ca.key
|
||||
test_ca_pwd_rsa = PolarSSLTest
|
||||
test_ca_config_file = test-ca.opensslconf
|
||||
|
@ -64,6 +66,8 @@ server2-sha256.crt: server2-rsa.csr
|
|||
$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in server2-rsa.csr -out $@
|
||||
all_final += server2-sha256.crt
|
||||
|
||||
|
||||
|
||||
################################################################
|
||||
#### Generate various RSA keys
|
||||
################################################################
|
||||
|
@ -309,6 +313,85 @@ keys_rsa_enc_pkcs8_v2: keys_rsa_enc_pkcs8_v2_1024 keys_rsa_enc_pkcs8_v2_2048 key
|
|||
### Generate all RSA keys
|
||||
keys_rsa_all: keys_rsa_unenc keys_rsa_enc_basic keys_rsa_enc_pkcs8_v1 keys_rsa_enc_pkcs8_v2
|
||||
|
||||
|
||||
|
||||
################################################################
|
||||
### Generate certificates for CRT write check tests
|
||||
################################################################
|
||||
|
||||
### The test files use the Mbed TLS generated certificates server1*.crt,
|
||||
### but for comparison with OpenSSL also rules for OpenSSL-generated
|
||||
### certificates server1*.crt.openssl are offered.
|
||||
###
|
||||
### Known differences:
|
||||
### * OpenSSL encodes trailing zero-bits in bit-strings occurring in X.509 extension
|
||||
### as unused bits, while Mbed TLS doesn't.
|
||||
|
||||
test_ca_server1_db = test-ca.server1.db
|
||||
test_ca_server1_serial = test-ca.server1.serial
|
||||
test_ca_server1_config_file = test-ca.server1.opensslconf
|
||||
|
||||
server1.csr: server1.key server1_csr.opensslconf
|
||||
$(OPENSSL) req -keyform PEM -key server1.key -config server1_csr.opensslconf -out $@ -new
|
||||
all_final += server1.csr
|
||||
|
||||
server1.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
||||
$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 version=3 output_file=$@
|
||||
server1.noauthid.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
||||
$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20110212144406 not_after=20210212144406 md=SHA1 authority_identifier=0 version=3 output_file=$@
|
||||
server1.der: server1.crt
|
||||
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
||||
all_final += server1.crt server1.noauthid.crt server1.der
|
||||
|
||||
server1.key_usage.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
||||
$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 key_usage=digital_signature,non_repudiation,key_encipherment version=3 output_file=$@
|
||||
server1.key_usage_noauthid.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
||||
$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 key_usage=digital_signature,non_repudiation,key_encipherment authority_identifier=0 version=3 output_file=$@
|
||||
server1.key_usage.der: server1.key_usage.crt
|
||||
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
||||
all_final += server1.key_usage.crt server1.key_usage_noauthid.crt server1.key_usage.der
|
||||
|
||||
server1.cert_type.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
||||
$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 ns_cert_type=ssl_server version=3 output_file=$@
|
||||
server1.cert_type_noauthid.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
||||
$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 ns_cert_type=ssl_server authority_identifier=0 version=3 output_file=$@
|
||||
server1.cert_type.der: server1.cert_type.crt
|
||||
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
||||
all_final += server1.cert_type.crt server1.cert_type_noauthid.crt server1.cert_type.der
|
||||
|
||||
server1.v1.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
||||
$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 version=1 output_file=$@
|
||||
server1.v1.der: server1.v1.crt
|
||||
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
||||
all_final += server1.v1.crt server1.v1.der
|
||||
|
||||
# OpenSSL-generated certificates for comparison
|
||||
# Also provide certificates in DER format to allow
|
||||
# direct binary comparison using e.g. dumpasn1
|
||||
server1.crt.openssl server1.key_usage.crt.openssl server1.cert_type.crt.openssl: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_server1_config_file)
|
||||
echo "01" > $(test_ca_server1_serial)
|
||||
rm -f $(test_ca_server1_db)
|
||||
touch $(test_ca_server1_db)
|
||||
$(OPENSSL) ca -batch -passin "pass:$(test_ca_pwd_rsa)" -config $(test_ca_server1_config_file) -in server1.csr -extensions v3_ext -extfile $@.v3_ext -out $@
|
||||
server1.der.openssl: server1.crt.openssl
|
||||
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
||||
server1.key_usage.der.openssl: server1.key_usage.crt.openssl
|
||||
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
||||
server1.cert_type.der.openssl: server1.cert_type.crt.openssl
|
||||
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
||||
|
||||
server1.v1.crt.openssl: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_server1_config_file)
|
||||
echo "01" > $(test_ca_server1_serial)
|
||||
rm -f $(test_ca_server1_db)
|
||||
touch $(test_ca_server1_db)
|
||||
$(OPENSSL) ca -batch -passin "pass:$(test_ca_pwd_rsa)" -config $(test_ca_server1_config_file) -in server1.csr -out $@
|
||||
server1.v1.der.openssl: server1.v1.crt.openssl
|
||||
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
||||
|
||||
server1_all: server1.csr server1.crt server1.noauthid.crt server1.crt.openssl server1.v1.crt server1.v1.crt.openssl server1.key_usage.crt server1.key_usage_noauthid.crt server1.key_usage.crt.openssl server1.cert_type.crt server1.cert_type_noauthid.crt server1.cert_type.crt.openssl server1.der server1.der.openssl server1.v1.der server1.v1.der.openssl server1.key_usage.der server1.key_usage.der.openssl server1.cert_type.der server1.cert_type.der.openssl
|
||||
|
||||
|
||||
|
||||
################################################################
|
||||
#### Meta targets
|
||||
################################################################
|
||||
|
@ -316,10 +399,15 @@ keys_rsa_all: keys_rsa_unenc keys_rsa_enc_basic keys_rsa_enc_pkcs8_v1 keys_rsa_e
|
|||
all_final: $(all_final)
|
||||
all: $(all_intermediate) $(all_final)
|
||||
|
||||
.PHONY: default all_final all keys_rsa_unenc keys_rsa_enc_basic keys_rsa_enc_pkcs8_v1 keys_rsa_enc_pkcs8_v2 keys_rsa_all \
|
||||
keys_rsa_enc_basic_1024 keys_rsa_enc_basic_2048 keys_rsa_enc_basic_4096 keys_rsa_enc_pkcs8_v1_1024 \
|
||||
keys_rsa_enc_pkcs8_v1_2048 keys_rsa_enc_pkcs8_v1_4096 keys_rsa_enc_pkcs8_v2_1024 \
|
||||
keys_rsa_enc_pkcs8_v2_2048 keys_rsa_enc_pkcs8_v2_4096
|
||||
.PHONY: default all_final all
|
||||
.PHONY: keys_rsa_all
|
||||
.PHONY: keys_rsa_unenc keys_rsa_enc_basic
|
||||
.PHONY: keys_rsa_enc_pkcs8_v1 keys_rsa_enc_pkcs8_v2
|
||||
.PHONY: keys_rsa_enc_basic_1024 keys_rsa_enc_basic_2048 keys_rsa_enc_basic_4096
|
||||
.PHONY: keys_rsa_enc_pkcs8_v1_1024 keys_rsa_enc_pkcs8_v2_1024
|
||||
.PHONY: keys_rsa_enc_pkcs8_v1_2048 keys_rsa_enc_pkcs8_v2_2048
|
||||
.PHONY: keys_rsa_enc_pkcs8_v1_4096 keys_rsa_enc_pkcs8_v2_4096
|
||||
.PHONY: server1_all
|
||||
|
||||
# These files should not be committed to the repository.
|
||||
list_intermediate:
|
||||
|
|
5
tests/data_files/server1.cert_type.crt.openssl.v3_ext
Normal file
5
tests/data_files/server1.cert_type.crt.openssl.v3_ext
Normal file
|
@ -0,0 +1,5 @@
|
|||
[v3_ext]
|
||||
basicConstraints = CA:false
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid
|
||||
nsCertType=server
|
20
tests/data_files/server1.cert_type_noauthid.crt
Normal file
20
tests/data_files/server1.cert_type_noauthid.crt
Normal file
|
@ -0,0 +1,20 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDMTCCAhmgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
|
||||
MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
|
||||
MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
|
||||
A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
|
||||
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
|
||||
uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
|
||||
d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
|
||||
CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
|
||||
lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
|
||||
bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
|
||||
oz8wPTAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAR
|
||||
BglghkgBhvhCAQEEBAMCAEAwDQYJKoZIhvcNAQEFBQADggEBABNT+r+6vvlpjtyz
|
||||
mewrGOKPt5iwb8w2aReJ0AWuyQzTiduN26MhXq93cXHV0pHj2rD7MfiBEwBSWnf9
|
||||
FcxkE0g77GVyM9Vs9Uy/MspIqOce7JD0c36G4EI8lYce2TYwQLE9CGNl+LDxqkLy
|
||||
prijXBl/FaD+IO/SNMr3VVnfFEZqPUxg+BSTaGgD+52Z7B4nPP0xGPjlW367RGDv
|
||||
9dIkr1thve2WOeC9ixxl9K/864I7/0GdbgKSf77xl3/5vnQUOY7kugRvkvxWIgHS
|
||||
HNVnmEN2I2Nb0M8lQNF1sFDbpFwVbh9CkBF5LJNesy0VWd67Ho6EntPEb7vBFF/x
|
||||
jz0b2l4=
|
||||
-----END CERTIFICATE-----
|
4
tests/data_files/server1.crt.openssl.v3_ext
Normal file
4
tests/data_files/server1.crt.openssl.v3_ext
Normal file
|
@ -0,0 +1,4 @@
|
|||
[v3_ext]
|
||||
basicConstraints = CA:false
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid
|
16
tests/data_files/server1.csr
Normal file
16
tests/data_files/server1.csr
Normal file
|
@ -0,0 +1,16 @@
|
|||
-----BEGIN CERTIFICATE REQUEST-----
|
||||
MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow
|
||||
GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||
ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
|
||||
ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
|
||||
HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
|
||||
W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
|
||||
FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
|
||||
DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBCwUA
|
||||
A4IBAQBY/1nnYQ3ThVyeZb1Z2wLYoHZ5rfeJCedyP7N/gjJZjhrMbwioUft2uHpb
|
||||
+OZQfxRXJTbtj/1wpRMCoUMLWzapS7/xGx3IjoPtl42aM4M+xVYvbLjExL13kUAr
|
||||
eE4JWcMIbTEPol2zSdX/LuB+m27jEp5VsvM2ty9qOw/T4iKwjFSe6pcYZ2spks19
|
||||
3ltgjnaamwqKcN9zUA3IERTsWjr5exKYgfXm2OeeuSP0tHr7Dh+w/2XA9dGcLhrm
|
||||
TA4P8QjIgSDlyzmhYYmsrioFPuCfdi1uzs8bxmbLXbiCGZ8TDMy5oLqLo1K+j2pF
|
||||
ox+ATHKxQ/XpRQP+2OTb9sw1kM59
|
||||
-----END CERTIFICATE REQUEST-----
|
5
tests/data_files/server1.key_usage.crt.openssl.v3_ext
Normal file
5
tests/data_files/server1.key_usage.crt.openssl.v3_ext
Normal file
|
@ -0,0 +1,5 @@
|
|||
[v3_ext]
|
||||
basicConstraints = CA:false
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid
|
||||
keyUsage=critical, digitalSignature, nonRepudiation, keyEncipherment
|
20
tests/data_files/server1.key_usage_noauthid.crt
Normal file
20
tests/data_files/server1.key_usage_noauthid.crt
Normal file
|
@ -0,0 +1,20 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDLjCCAhagAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
|
||||
MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
|
||||
MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
|
||||
A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
|
||||
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
|
||||
uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
|
||||
d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
|
||||
CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
|
||||
lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
|
||||
bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
|
||||
ozwwOjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAO
|
||||
BgNVHQ8BAf8EBAMCAeAwDQYJKoZIhvcNAQEFBQADggEBAJZRIISo4+rDvHXXaS43
|
||||
shfSkyJyur588mNJFzty1WVfhaIkwjMIGHeGlHS29fwgPsBUgelZ3Qv3J7wsm42+
|
||||
3BwQet0l36FIBIJtFhcrTGlaCFUo/5bZJUPGgiOFB9ec/8lOszVlX8cH34UimWqg
|
||||
q2wXRGoXWPbuRnUWlJhI2bAv5ri9Mt7Rs4nK4wyS1ZjC8ByXMn4tk3yMjkUEqu0o
|
||||
37zoQiF+FJApu0eTKK5goA2hisyfCX9eJMppAbcyvJwoj/AmiBkXW8J3kEMJtLmZ
|
||||
VoxXYknnXumxBLxUrGuamR/3cmbaJHIHE1Dqox7hB+9miyp4lue1/uXHCocGAIeF
|
||||
JTo=
|
||||
-----END CERTIFICATE-----
|
19
tests/data_files/server1.noauthid.crt
Normal file
19
tests/data_files/server1.noauthid.crt
Normal file
|
@ -0,0 +1,19 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDHjCCAgagAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
|
||||
MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
|
||||
MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
|
||||
A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
|
||||
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
|
||||
uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
|
||||
d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
|
||||
CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
|
||||
lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
|
||||
bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
|
||||
oywwKjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAN
|
||||
BgkqhkiG9w0BAQUFAAOCAQEAUMDKviuchRc4ICoVwi9LFyfQjxFQLgjnX1UYSqc5
|
||||
UptiJsDpbJ+TMbOhNBs7YRV7ju61J33ax1fqgcFWkc2M2Vsqzz9+3zJlQoQuOLxH
|
||||
5C6v5/rhUEV9HMy3K5SIa/BVem9osWvMwDnB8g5k3wCZAnOuFcT6ttvzRqz6Oh9d
|
||||
avozrYHsATzPXBal41Gf95cNVcJ1pn/JgE4EOijMqmAPldVbCqfXLl6TB0nJS6dm
|
||||
q9z73DGrVQlOwmCVI+qD2POJI67LuQ0g6Y0WVMxsWilMppt+UrEknMzk4O4qOaUs
|
||||
1B20vI/bN4XPDnw58psazdoBxFL+fAk5MbTNKETNHjBsIg==
|
||||
-----END CERTIFICATE-----
|
|
@ -1,18 +1,18 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIC9DCCAdygAwIBAAIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
|
||||
MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
|
||||
MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
|
||||
A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
|
||||
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
|
||||
uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
|
||||
d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
|
||||
CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
|
||||
lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
|
||||
bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
|
||||
owIwADANBgkqhkiG9w0BAQUFAAOCAQEAoZVuVi7bIslKgMJhejSFXiO+ICMz1fmK
|
||||
b0tPN68mRYhI/gsjRT0cmX6GUNrg+U5mcBWhMwHgyvx1CARU4YToKZxcXGNL0DPd
|
||||
Z1hF8nCrJCZBQvNuWE7s0ufw92xz5ZfuKkVxi94RYR529F6gzgl4rpX8UQVu2ym/
|
||||
9pTlHKr4MKi9LNppyJMS89uRcb2FJFMdhAKbhNtbIjI9qGZ7x//0belAaWhq389u
|
||||
6XWFnZt35PU6Zz6YbAQ5pjZYsTaohuufgrpOlFPUuc4uR+RfGHIQ6id12lZaQC2m
|
||||
OFIBDcU0x1cFfPfMgVdBLf6klPt/v/tD77mwx0eztSp28NIf+ACw8A==
|
||||
MIIC6zCCAdMCAQEwDQYJKoZIhvcNAQEFBQAwOzELMAkGA1UEBhMCTkwxETAPBgNV
|
||||
BAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4XDTExMDIx
|
||||
MjE0NDQwNloXDTIxMDIxMjE0NDQwNlowPDELMAkGA1UEBhMCTkwxETAPBgNVBAoT
|
||||
CFBvbGFyU1NMMRowGAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZI
|
||||
hvcNAQEBBQADggEPADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb
|
||||
7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJ
|
||||
BEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8Yw
|
||||
fhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5B
|
||||
Xhem2mxbacwCuhQsFiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1Y
|
||||
ieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAATANBgkq
|
||||
hkiG9w0BAQUFAAOCAQEAPMRfR9ql7b06b5DdNyJhD96lBzuVSUOW2MgVHT2Vs7NB
|
||||
tk5L1htpA5N4uaIeyt6YM0xU0nHdHUKaywNcDiXcnzvRoctGWiWdpcEvdA0rYRF5
|
||||
T4MGPpjEuLJcG3aTU8mV8wUEbrY6IEnSpC1G9iasjhkwAF7pb/Ic8+/riwmPD/Fh
|
||||
zBrRfBCgi5VXbX9IvY+yQHRVRal8y+n4eh9/hFxBKDbvuidFropGzcuparEwCIRi
|
||||
U7L/7aZ3A5wsQp9GPDliSjpeYCf5tok/bvjG4xU041pGQ7yVNpu2mEIoqDz9v+Ay
|
||||
IKqsWradEnFG/1ov78a2RB+2+iIPE4iCDtmKUkgPjQ==
|
||||
-----END CERTIFICATE-----
|
||||
|
|
10
tests/data_files/server1_csr.opensslconf
Normal file
10
tests/data_files/server1_csr.opensslconf
Normal file
|
@ -0,0 +1,10 @@
|
|||
[ req ]
|
||||
distinguished_name = req_distinguished_name
|
||||
prompt = no
|
||||
# Restrict to non-UTF8 PrintableStrings.
|
||||
string_mask = nombstr
|
||||
|
||||
[ req_distinguished_name ]
|
||||
C = NL
|
||||
O = PolarSSL
|
||||
CN = PolarSSL Server 1
|
18
tests/data_files/test-ca.server1.opensslconf
Normal file
18
tests/data_files/test-ca.server1.opensslconf
Normal file
|
@ -0,0 +1,18 @@
|
|||
[ ca ]
|
||||
default_ca = test-ca
|
||||
|
||||
[ test-ca ]
|
||||
certificate = test-ca.crt
|
||||
private_key = test-ca.key
|
||||
serial = test-ca.server1.serial
|
||||
default_md = sha1
|
||||
default_startdate = 110212144406Z
|
||||
default_enddate = 210212144406Z
|
||||
new_certs_dir = ./
|
||||
database = ./test-ca.server1.db
|
||||
policy = policy_match
|
||||
|
||||
[policy_match]
|
||||
countryName = supplied
|
||||
organizationName = supplied
|
||||
commonName = supplied
|
|
@ -333,7 +333,7 @@ END
|
|||
# and make check code
|
||||
my $dep_check_code;
|
||||
|
||||
my @res = $test_data =~ /^depends_on:([\w:]+)/msg;
|
||||
my @res = $test_data =~ /^depends_on:([!:\w]+)/msg;
|
||||
my %case_deps;
|
||||
foreach my $deps (@res)
|
||||
{
|
||||
|
@ -344,7 +344,23 @@ foreach my $deps (@res)
|
|||
}
|
||||
while( my ($key, $value) = each(%case_deps) )
|
||||
{
|
||||
$dep_check_code .= << "END";
|
||||
if( substr($key, 0, 1) eq "!" )
|
||||
{
|
||||
my $key = substr($key, 1);
|
||||
$dep_check_code .= << "END";
|
||||
if( strcmp( str, "!$key" ) == 0 )
|
||||
{
|
||||
#if !defined($key)
|
||||
return( DEPENDENCY_SUPPORTED );
|
||||
#else
|
||||
return( DEPENDENCY_NOT_SUPPORTED );
|
||||
#endif
|
||||
}
|
||||
END
|
||||
}
|
||||
else
|
||||
{
|
||||
$dep_check_code .= << "END";
|
||||
if( strcmp( str, "$key" ) == 0 )
|
||||
{
|
||||
#if defined($key)
|
||||
|
@ -354,6 +370,7 @@ while( my ($key, $value) = each(%case_deps) )
|
|||
#endif
|
||||
}
|
||||
END
|
||||
}
|
||||
}
|
||||
|
||||
# Make mapping code
|
||||
|
|
|
@ -110,6 +110,21 @@ static struct
|
|||
test_info;
|
||||
|
||||
|
||||
/*----------------------------------------------------------------------------*/
|
||||
/* Helper flags for complex dependencies */
|
||||
|
||||
/* Indicates whether we expect mbedtls_entropy_init
|
||||
* to initialize some strong entropy source. */
|
||||
#if defined(MBEDTLS_TEST_NULL_ENTROPY) || \
|
||||
( !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) && \
|
||||
( !defined(MBEDTLS_NO_PLATFORM_ENTROPY) || \
|
||||
defined(MBEDTLS_HAVEGE_C) || \
|
||||
defined(MBEDTLS_ENTROPY_HARDWARE_ALT) || \
|
||||
defined(ENTROPY_NV_SEED) ) )
|
||||
#define ENTROPY_HAVE_STRONG
|
||||
#endif
|
||||
|
||||
|
||||
/*----------------------------------------------------------------------------*/
|
||||
/* Helper Functions */
|
||||
|
||||
|
@ -408,4 +423,3 @@ static void test_fail( const char *test, int line_no, const char* filename )
|
|||
test_info.line_no = line_no;
|
||||
test_info.filename = filename;
|
||||
}
|
||||
|
||||
|
|
|
@ -448,24 +448,24 @@ int main(int argc, const char *argv[])
|
|||
if( unmet_dep_count > 0 || ret == DISPATCH_UNSUPPORTED_SUITE )
|
||||
{
|
||||
total_skipped++;
|
||||
mbedtls_fprintf( stdout, "----\n" );
|
||||
mbedtls_fprintf( stdout, "----" );
|
||||
|
||||
if( 1 == option_verbose && ret == DISPATCH_UNSUPPORTED_SUITE )
|
||||
{
|
||||
mbedtls_fprintf( stdout, " Test Suite not enabled" );
|
||||
mbedtls_fprintf( stdout, "\n Test Suite not enabled" );
|
||||
}
|
||||
|
||||
if( 1 == option_verbose && unmet_dep_count > 0 )
|
||||
{
|
||||
mbedtls_fprintf( stdout, " Unmet dependencies: " );
|
||||
mbedtls_fprintf( stdout, "\n Unmet dependencies: " );
|
||||
for( i = 0; i < unmet_dep_count; i++ )
|
||||
{
|
||||
mbedtls_fprintf(stdout, "%s ",
|
||||
unmet_dependencies[i]);
|
||||
free(unmet_dependencies[i]);
|
||||
}
|
||||
mbedtls_fprintf( stdout, "\n" );
|
||||
}
|
||||
mbedtls_fprintf( stdout, "\n" );
|
||||
fflush( stdout );
|
||||
|
||||
unmet_dep_count = 0;
|
||||
|
@ -489,22 +489,22 @@ int main(int argc, const char *argv[])
|
|||
else if( ret == DISPATCH_INVALID_TEST_DATA )
|
||||
{
|
||||
mbedtls_fprintf( stderr, "FAILED: FATAL PARSE ERROR\n" );
|
||||
fclose(file);
|
||||
fclose( file );
|
||||
mbedtls_exit( 2 );
|
||||
}
|
||||
else
|
||||
total_errors++;
|
||||
|
||||
if( ( ret = get_line( file, buf, sizeof(buf) ) ) != 0 )
|
||||
if( ( ret = get_line( file, buf, sizeof( buf ) ) ) != 0 )
|
||||
break;
|
||||
if( strlen(buf) != 0 )
|
||||
if( strlen( buf ) != 0 )
|
||||
{
|
||||
mbedtls_fprintf( stderr, "Should be empty %d\n",
|
||||
(int) strlen(buf) );
|
||||
(int) strlen( buf ) );
|
||||
return( 1 );
|
||||
}
|
||||
}
|
||||
fclose(file);
|
||||
fclose( file );
|
||||
|
||||
/* In case we encounter early end of file */
|
||||
for( i = 0; i < unmet_dep_count; i++ )
|
||||
|
@ -535,4 +535,3 @@ int main(int argc, const char *argv[])
|
|||
|
||||
return( total_errors != 0 );
|
||||
}
|
||||
|
||||
|
|
|
@ -34,10 +34,10 @@ entropy_threshold:16:2:8
|
|||
Entropy threshold #2
|
||||
entropy_threshold:32:1:32
|
||||
|
||||
Entropy thershold #3
|
||||
Entropy threshold #3
|
||||
entropy_threshold:16:0:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
|
||||
|
||||
Entropy thershold #4
|
||||
Entropy threshold #4
|
||||
entropy_threshold:1024:1:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
|
||||
|
||||
Check NV seed standard IO
|
||||
|
|
|
@ -163,7 +163,7 @@ exit:
|
|||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE */
|
||||
/* BEGIN_CASE depends_on:ENTROPY_HAVE_STRONG */
|
||||
void entropy_func_len( int len, int ret )
|
||||
{
|
||||
mbedtls_entropy_context ctx;
|
||||
|
@ -224,7 +224,7 @@ exit:
|
|||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE */
|
||||
/* BEGIN_CASE depends_on:ENTROPY_HAVE_STRONG */
|
||||
void entropy_threshold( int threshold, int chunk_size, int result )
|
||||
{
|
||||
mbedtls_entropy_context ctx;
|
||||
|
@ -377,7 +377,7 @@ void entropy_nv_seed( char *read_seed_str )
|
|||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
|
||||
/* BEGIN_CASE depends_on:ENTROPY_HAVE_STRONG:MBEDTLS_SELF_TEST */
|
||||
void entropy_selftest( int result )
|
||||
{
|
||||
TEST_ASSERT( mbedtls_entropy_self_test( 1 ) == result );
|
||||
|
|
|
@ -17,11 +17,22 @@ PEM write (exactly two lines + 1)
|
|||
mbedtls_pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F00":"-----START TEST-----\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAA==\n-----END TEST-----\n"
|
||||
|
||||
PEM read (DES-EDE3-CBC + invalid iv)
|
||||
mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,00$":MBEDTLS_ERR_PEM_INVALID_ENC_IV
|
||||
mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,00$":"pwd":MBEDTLS_ERR_PEM_INVALID_ENC_IV
|
||||
|
||||
PEM read (DES-CBC + invalid iv)
|
||||
mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,00$":MBEDTLS_ERR_PEM_INVALID_ENC_IV
|
||||
mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,00$":"pwd":MBEDTLS_ERR_PEM_INVALID_ENC_IV
|
||||
|
||||
PEM read (unknown encryption algorithm)
|
||||
mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-,00$":MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG
|
||||
mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-,00$":"pwd":MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG
|
||||
|
||||
PEM read (malformed PEM DES-CBC)
|
||||
depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC
|
||||
mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH
|
||||
|
||||
PEM read (malformed PEM DES-EDE3-CBC)
|
||||
depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC
|
||||
mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH
|
||||
|
||||
PEM read (malformed PEM AES-128-CBC)
|
||||
depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC
|
||||
mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,AA94892A169FA426AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
/* BEGIN_HEADER */
|
||||
#include "mbedtls/base64.h"
|
||||
#include "mbedtls/pem.h"
|
||||
#include "mbedtls/des.h"
|
||||
#include "mbedtls/aes.h"
|
||||
/* END_HEADER */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C */
|
||||
|
@ -35,16 +37,19 @@ exit:
|
|||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_AES_C:MBEDTLS_DES_C:MBEDTLS_MD5_C:MBEDTLS_CIPHER_MODE_CBC */
|
||||
void mbedtls_pem_read_buffer( char *header, char *footer, char *data, int ret )
|
||||
void mbedtls_pem_read_buffer( char *header, char *footer, char *data,
|
||||
char *pwd, int res )
|
||||
{
|
||||
mbedtls_pem_context ctx;
|
||||
int ret;
|
||||
size_t use_len = 0;
|
||||
size_t pwd_len = strlen( pwd );
|
||||
|
||||
mbedtls_pem_init( &ctx );
|
||||
|
||||
TEST_ASSERT( mbedtls_pem_read_buffer( &ctx, header, footer,
|
||||
(const unsigned char *)data, NULL, 0,
|
||||
&use_len ) == ret );
|
||||
ret = mbedtls_pem_read_buffer( &ctx, header, footer, (unsigned char *)data,
|
||||
(unsigned char *)pwd, pwd_len, &use_len );
|
||||
TEST_ASSERT( ret == res );
|
||||
|
||||
exit:
|
||||
mbedtls_pem_free( &ctx );
|
||||
|
|
|
@ -8,6 +8,7 @@
|
|||
#include "mbedtls/sha512.h"
|
||||
#include "mbedtls/entropy.h"
|
||||
#include "mbedtls/ctr_drbg.h"
|
||||
|
||||
/* END_HEADER */
|
||||
|
||||
/* BEGIN_DEPENDENCIES
|
||||
|
@ -658,7 +659,7 @@ exit:
|
|||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_CTR_DRBG_C:MBEDTLS_ENTROPY_C */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_CTR_DRBG_C:MBEDTLS_ENTROPY_C:ENTROPY_HAVE_STRONG */
|
||||
void mbedtls_rsa_gen_key( int nrbits, int exponent, int result)
|
||||
{
|
||||
mbedtls_rsa_context ctx;
|
||||
|
@ -667,13 +668,12 @@ void mbedtls_rsa_gen_key( int nrbits, int exponent, int result)
|
|||
const char *pers = "test_suite_rsa";
|
||||
|
||||
mbedtls_ctr_drbg_init( &ctr_drbg );
|
||||
|
||||
mbedtls_entropy_init( &entropy );
|
||||
mbedtls_rsa_init ( &ctx, 0, 0 );
|
||||
|
||||
TEST_ASSERT( mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
|
||||
(const unsigned char *) pers, strlen( pers ) ) == 0 );
|
||||
|
||||
mbedtls_rsa_init( &ctx, 0, 0 );
|
||||
|
||||
TEST_ASSERT( mbedtls_rsa_gen_key( &ctx, mbedtls_ctr_drbg_random, &ctr_drbg, nrbits, exponent ) == result );
|
||||
if( result == 0 )
|
||||
{
|
||||
|
|
|
@ -44,19 +44,35 @@ x509_csr_check:"data_files/server5.key":"data_files/server5.req.ku.sha1":MBEDTLS
|
|||
|
||||
Certificate write check Server1 SHA1
|
||||
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
|
||||
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:-1:"data_files/server1.crt"
|
||||
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:1:-1:"data_files/server1.crt":0
|
||||
|
||||
Certificate write check Server1 SHA1, key_usage
|
||||
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
|
||||
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:-1:"data_files/server1.key_usage.crt"
|
||||
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:1:-1:"data_files/server1.key_usage.crt":0
|
||||
|
||||
Certificate write check Server1 SHA1, ns_cert_type
|
||||
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
|
||||
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:-1:"data_files/server1.cert_type.crt"
|
||||
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:-1:"data_files/server1.cert_type.crt":0
|
||||
|
||||
Certificate write check Server1 SHA1, version 1
|
||||
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
|
||||
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt"
|
||||
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0
|
||||
|
||||
Certificate write check Server1 SHA1, RSA_ALT
|
||||
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
|
||||
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:-1:"data_files/server1.noauthid.crt":1
|
||||
|
||||
Certificate write check Server1 SHA1, RSA_ALT, key_usage
|
||||
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
|
||||
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1
|
||||
|
||||
Certificate write check Server1 SHA1, RSA_ALT, ns_cert_type
|
||||
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
|
||||
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:0:-1:"data_files/server1.cert_type_noauthid.crt":1
|
||||
|
||||
Certificate write check Server1 SHA1, RSA_ALT, version 1
|
||||
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
|
||||
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1
|
||||
|
||||
X509 String to Names #1
|
||||
mbedtls_x509_string_to_names:"C=NL,O=Offspark\, Inc., OU=PolarSSL":"C=NL, O=Offspark, Inc., OU=PolarSSL":0
|
||||
|
|
|
@ -3,6 +3,30 @@
|
|||
#include "mbedtls/x509_csr.h"
|
||||
#include "mbedtls/pem.h"
|
||||
#include "mbedtls/oid.h"
|
||||
#include "mbedtls/rsa.h"
|
||||
|
||||
#if defined(MBEDTLS_RSA_C)
|
||||
int mbedtls_rsa_decrypt_func( void *ctx, int mode, size_t *olen,
|
||||
const unsigned char *input, unsigned char *output,
|
||||
size_t output_max_len )
|
||||
{
|
||||
return( mbedtls_rsa_pkcs1_decrypt( (mbedtls_rsa_context *) ctx, NULL, NULL, mode, olen,
|
||||
input, output, output_max_len ) );
|
||||
}
|
||||
int mbedtls_rsa_sign_func( void *ctx,
|
||||
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
|
||||
int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
|
||||
const unsigned char *hash, unsigned char *sig )
|
||||
{
|
||||
return( mbedtls_rsa_pkcs1_sign( (mbedtls_rsa_context *) ctx, f_rng, p_rng, mode,
|
||||
md_alg, hashlen, hash, sig ) );
|
||||
}
|
||||
size_t mbedtls_rsa_key_len_func( void *ctx )
|
||||
{
|
||||
return( ((const mbedtls_rsa_context *) ctx)->len );
|
||||
}
|
||||
#endif /* MBEDTLS_RSA_C */
|
||||
|
||||
/* END_HEADER */
|
||||
|
||||
/* BEGIN_DEPENDENCIES
|
||||
|
@ -39,7 +63,7 @@ void x509_csr_check( char *key_file, char *cert_req_check_file,
|
|||
if( cert_type != 0 )
|
||||
TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 );
|
||||
|
||||
ret = mbedtls_x509write_csr_pem( &req, buf, sizeof(buf),
|
||||
ret = mbedtls_x509write_csr_pem( &req, buf, sizeof( buf ),
|
||||
rnd_pseudo_rand, &rnd_info );
|
||||
TEST_ASSERT( ret == 0 );
|
||||
|
||||
|
@ -75,10 +99,12 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd,
|
|||
char *subject_name, char *issuer_key_file,
|
||||
char *issuer_pwd, char *issuer_name,
|
||||
char *serial_str, char *not_before, char *not_after,
|
||||
int md_type, int key_usage, int cert_type, int ver,
|
||||
char *cert_check_file )
|
||||
int md_type, int key_usage, int cert_type, int auth_ident,
|
||||
int ver, char *cert_check_file, int rsa_alt )
|
||||
{
|
||||
mbedtls_pk_context subject_key, issuer_key;
|
||||
mbedtls_pk_context subject_key, issuer_key, issuer_key_alt;
|
||||
mbedtls_pk_context *key = &issuer_key;
|
||||
|
||||
mbedtls_x509write_cert crt;
|
||||
unsigned char buf[4096];
|
||||
unsigned char check_buf[5000];
|
||||
|
@ -91,68 +117,89 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd,
|
|||
|
||||
memset( &rnd_info, 0x2a, sizeof( rnd_pseudo_info ) );
|
||||
mbedtls_mpi_init( &serial );
|
||||
|
||||
mbedtls_pk_init( &subject_key );
|
||||
mbedtls_pk_init( &issuer_key );
|
||||
mbedtls_pk_init( &issuer_key );
|
||||
mbedtls_pk_init( &issuer_key_alt );
|
||||
|
||||
mbedtls_x509write_crt_init( &crt );
|
||||
|
||||
TEST_ASSERT( mbedtls_pk_parse_keyfile( &subject_key, subject_key_file,
|
||||
subject_pwd ) == 0 );
|
||||
|
||||
TEST_ASSERT( mbedtls_pk_parse_keyfile( &issuer_key, issuer_key_file,
|
||||
issuer_pwd ) == 0 );
|
||||
|
||||
/* For RSA PK contexts, create a copy as an alternative RSA context. */
|
||||
if( rsa_alt == 1 && mbedtls_pk_get_type( &issuer_key ) == MBEDTLS_PK_RSA )
|
||||
{
|
||||
TEST_ASSERT( mbedtls_pk_setup_rsa_alt( &issuer_key_alt,
|
||||
mbedtls_pk_rsa( issuer_key ),
|
||||
mbedtls_rsa_decrypt_func,
|
||||
mbedtls_rsa_sign_func,
|
||||
mbedtls_rsa_key_len_func ) == 0 );
|
||||
|
||||
key = &issuer_key_alt;
|
||||
}
|
||||
|
||||
TEST_ASSERT( mbedtls_mpi_read_string( &serial, 10, serial_str ) == 0 );
|
||||
|
||||
mbedtls_x509write_crt_init( &crt );
|
||||
if( ver != -1 )
|
||||
mbedtls_x509write_crt_set_version( &crt, ver );
|
||||
|
||||
TEST_ASSERT( mbedtls_x509write_crt_set_serial( &crt, &serial ) == 0 );
|
||||
TEST_ASSERT( mbedtls_x509write_crt_set_validity( &crt, not_before,
|
||||
not_after ) == 0 );
|
||||
not_after ) == 0 );
|
||||
mbedtls_x509write_crt_set_md_alg( &crt, md_type );
|
||||
TEST_ASSERT( mbedtls_x509write_crt_set_issuer_name( &crt, issuer_name ) == 0 );
|
||||
TEST_ASSERT( mbedtls_x509write_crt_set_subject_name( &crt, subject_name ) == 0 );
|
||||
mbedtls_x509write_crt_set_subject_key( &crt, &subject_key );
|
||||
mbedtls_x509write_crt_set_issuer_key( &crt, &issuer_key );
|
||||
|
||||
mbedtls_x509write_crt_set_issuer_key( &crt, key );
|
||||
|
||||
if( crt.version >= MBEDTLS_X509_CRT_VERSION_3 )
|
||||
{
|
||||
TEST_ASSERT( mbedtls_x509write_crt_set_basic_constraints( &crt, 0, 0 ) == 0 );
|
||||
TEST_ASSERT( mbedtls_x509write_crt_set_subject_key_identifier( &crt ) == 0 );
|
||||
TEST_ASSERT( mbedtls_x509write_crt_set_authority_key_identifier( &crt ) == 0 );
|
||||
if( auth_ident )
|
||||
TEST_ASSERT( mbedtls_x509write_crt_set_authority_key_identifier( &crt ) == 0 );
|
||||
if( key_usage != 0 )
|
||||
TEST_ASSERT( mbedtls_x509write_crt_set_key_usage( &crt, key_usage ) == 0 );
|
||||
if( cert_type != 0 )
|
||||
TEST_ASSERT( mbedtls_x509write_crt_set_ns_cert_type( &crt, cert_type ) == 0 );
|
||||
}
|
||||
|
||||
ret = mbedtls_x509write_crt_pem( &crt, buf, sizeof(buf),
|
||||
rnd_pseudo_rand, &rnd_info );
|
||||
ret = mbedtls_x509write_crt_pem( &crt, buf, sizeof( buf ),
|
||||
rnd_pseudo_rand, &rnd_info );
|
||||
TEST_ASSERT( ret == 0 );
|
||||
|
||||
pem_len = strlen( (char *) buf );
|
||||
|
||||
f = fopen( cert_check_file, "r" );
|
||||
TEST_ASSERT( f != NULL );
|
||||
olen = fread( check_buf, 1, sizeof(check_buf), f );
|
||||
olen = fread( check_buf, 1, sizeof( check_buf ), f );
|
||||
fclose( f );
|
||||
TEST_ASSERT( olen < sizeof(check_buf) );
|
||||
TEST_ASSERT( olen < sizeof( check_buf ) );
|
||||
|
||||
TEST_ASSERT( olen >= pem_len - 1 );
|
||||
TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 );
|
||||
|
||||
der_len = mbedtls_x509write_crt_der( &crt, buf, sizeof( buf ),
|
||||
rnd_pseudo_rand, &rnd_info );
|
||||
rnd_pseudo_rand, &rnd_info );
|
||||
TEST_ASSERT( der_len >= 0 );
|
||||
|
||||
if( der_len == 0 )
|
||||
goto exit;
|
||||
|
||||
ret = mbedtls_x509write_crt_der( &crt, buf, (size_t)( der_len - 1 ),
|
||||
rnd_pseudo_rand, &rnd_info );
|
||||
rnd_pseudo_rand, &rnd_info );
|
||||
TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
||||
|
||||
exit:
|
||||
mbedtls_x509write_crt_free( &crt );
|
||||
mbedtls_pk_free( &issuer_key );
|
||||
mbedtls_pk_free( &issuer_key_alt );
|
||||
mbedtls_pk_free( &subject_key );
|
||||
mbedtls_pk_free( &issuer_key );
|
||||
mbedtls_mpi_free( &serial );
|
||||
}
|
||||
/* END_CASE */
|
||||
|
|
Loading…
Reference in a new issue