diff --git a/ChangeLog b/ChangeLog index 96fca0226..1e8af978f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -53,6 +53,27 @@ Bugfix * Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys. Found independently by Florian in the mbed TLS forum and by Mishamax. #878, #1019. + * Fix variable used before assignment compilation warnings with IAR + toolchain. Found by gkerrien38. + * Fix unchecked return codes from AES, DES and 3DES functions in + pem_aes_decrypt(), pem_des_decrypt() and pem_des3_decrypt() respectively. + If a call to one of the functions of the cryptographic primitive modules + failed, the error may not be noticed by the function + mbedtls_pem_read_buffer() causing it to return invalid values. Found by + Guido Vranken. #756 + * Include configuration file in md.h, to fix compilation warnings. + Reported by aaronmdjones in #1001 + * Correct extraction of signature-type from PK instance in X.509 CRT and CSR + writing routines that prevented these functions to work with alternative + RSA implementations. Raised by J.B. in the Mbed TLS forum. Fixes #1011. + * Don't print X.509 version tag for v1 CRT's, and omit extensions for + non-v3 CRT's. + * Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023 #1024 + +Changes + * Extend cert_write example program by options to set the CRT version + and the message digest. Further, allow enabling/disabling of authority + identifier, subject identifier and basic constraints extensions. = mbed TLS 2.6.0 branch released 2017-08-10 diff --git a/include/mbedtls/md.h b/include/mbedtls/md.h index 9b996a951..89be847ce 100644 --- a/include/mbedtls/md.h +++ b/include/mbedtls/md.h @@ -27,6 +27,12 @@ #include +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #define MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE -0x5080 /**< The selected feature is not available. */ #define MBEDTLS_ERR_MD_BAD_INPUT_DATA -0x5100 /**< Bad input parameters to function. */ #define MBEDTLS_ERR_MD_ALLOC_FAILED -0x5180 /**< Failed to allocate memory. */ diff --git a/library/entropy.c b/library/entropy.c index d878ca6bc..52b98cde8 100644 --- a/library/entropy.c +++ b/library/entropy.c @@ -83,6 +83,9 @@ void mbedtls_entropy_init( mbedtls_entropy_context *ctx ) mbedtls_havege_init( &ctx->havege_data ); #endif + /* Reminder: Update ENTROPY_HAVE_STRONG in the test files + * when adding more strong entropy sources here. */ + #if defined(MBEDTLS_TEST_NULL_ENTROPY) mbedtls_entropy_add_source( ctx, mbedtls_null_entropy_poll, NULL, 1, MBEDTLS_ENTROPY_SOURCE_STRONG ); diff --git a/library/pem.c b/library/pem.c index 9c3e60342..756572de0 100644 --- a/library/pem.c +++ b/library/pem.c @@ -134,45 +134,55 @@ static void pem_pbkdf1( unsigned char *key, size_t keylen, /* * Decrypt with DES-CBC, using PBKDF1 for key derivation */ -static void pem_des_decrypt( unsigned char des_iv[8], - unsigned char *buf, size_t buflen, - const unsigned char *pwd, size_t pwdlen ) +static int pem_des_decrypt( unsigned char des_iv[8], + unsigned char *buf, size_t buflen, + const unsigned char *pwd, size_t pwdlen ) { mbedtls_des_context des_ctx; unsigned char des_key[8]; + int ret; mbedtls_des_init( &des_ctx ); pem_pbkdf1( des_key, 8, des_iv, pwd, pwdlen ); - mbedtls_des_setkey_dec( &des_ctx, des_key ); - mbedtls_des_crypt_cbc( &des_ctx, MBEDTLS_DES_DECRYPT, buflen, + if( ( ret = mbedtls_des_setkey_dec( &des_ctx, des_key ) ) != 0 ) + goto exit; + ret = mbedtls_des_crypt_cbc( &des_ctx, MBEDTLS_DES_DECRYPT, buflen, des_iv, buf, buf ); +exit: mbedtls_des_free( &des_ctx ); mbedtls_zeroize( des_key, 8 ); + + return( ret ); } /* * Decrypt with 3DES-CBC, using PBKDF1 for key derivation */ -static void pem_des3_decrypt( unsigned char des3_iv[8], - unsigned char *buf, size_t buflen, - const unsigned char *pwd, size_t pwdlen ) +static int pem_des3_decrypt( unsigned char des3_iv[8], + unsigned char *buf, size_t buflen, + const unsigned char *pwd, size_t pwdlen ) { mbedtls_des3_context des3_ctx; unsigned char des3_key[24]; + int ret; mbedtls_des3_init( &des3_ctx ); pem_pbkdf1( des3_key, 24, des3_iv, pwd, pwdlen ); - mbedtls_des3_set3key_dec( &des3_ctx, des3_key ); - mbedtls_des3_crypt_cbc( &des3_ctx, MBEDTLS_DES_DECRYPT, buflen, + if( ( ret = mbedtls_des3_set3key_dec( &des3_ctx, des3_key ) ) != 0 ) + goto exit; + ret = mbedtls_des3_crypt_cbc( &des3_ctx, MBEDTLS_DES_DECRYPT, buflen, des3_iv, buf, buf ); +exit: mbedtls_des3_free( &des3_ctx ); mbedtls_zeroize( des3_key, 24 ); + + return( ret ); } #endif /* MBEDTLS_DES_C */ @@ -180,23 +190,28 @@ static void pem_des3_decrypt( unsigned char des3_iv[8], /* * Decrypt with AES-XXX-CBC, using PBKDF1 for key derivation */ -static void pem_aes_decrypt( unsigned char aes_iv[16], unsigned int keylen, - unsigned char *buf, size_t buflen, - const unsigned char *pwd, size_t pwdlen ) +static int pem_aes_decrypt( unsigned char aes_iv[16], unsigned int keylen, + unsigned char *buf, size_t buflen, + const unsigned char *pwd, size_t pwdlen ) { mbedtls_aes_context aes_ctx; unsigned char aes_key[32]; + int ret; mbedtls_aes_init( &aes_ctx ); pem_pbkdf1( aes_key, keylen, aes_iv, pwd, pwdlen ); - mbedtls_aes_setkey_dec( &aes_ctx, aes_key, keylen * 8 ); - mbedtls_aes_crypt_cbc( &aes_ctx, MBEDTLS_AES_DECRYPT, buflen, + if( ( ret = mbedtls_aes_setkey_dec( &aes_ctx, aes_key, keylen * 8 ) ) != 0 ) + goto exit; + ret = mbedtls_aes_crypt_cbc( &aes_ctx, MBEDTLS_AES_DECRYPT, buflen, aes_iv, buf, buf ); +exit: mbedtls_aes_free( &aes_ctx ); mbedtls_zeroize( aes_key, keylen ); + + return( ret ); } #endif /* MBEDTLS_AES_C */ @@ -347,22 +362,30 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const return( MBEDTLS_ERR_PEM_PASSWORD_REQUIRED ); } + ret = 0; + #if defined(MBEDTLS_DES_C) if( enc_alg == MBEDTLS_CIPHER_DES_EDE3_CBC ) - pem_des3_decrypt( pem_iv, buf, len, pwd, pwdlen ); + ret = pem_des3_decrypt( pem_iv, buf, len, pwd, pwdlen ); else if( enc_alg == MBEDTLS_CIPHER_DES_CBC ) - pem_des_decrypt( pem_iv, buf, len, pwd, pwdlen ); + ret = pem_des_decrypt( pem_iv, buf, len, pwd, pwdlen ); #endif /* MBEDTLS_DES_C */ #if defined(MBEDTLS_AES_C) if( enc_alg == MBEDTLS_CIPHER_AES_128_CBC ) - pem_aes_decrypt( pem_iv, 16, buf, len, pwd, pwdlen ); + ret = pem_aes_decrypt( pem_iv, 16, buf, len, pwd, pwdlen ); else if( enc_alg == MBEDTLS_CIPHER_AES_192_CBC ) - pem_aes_decrypt( pem_iv, 24, buf, len, pwd, pwdlen ); + ret = pem_aes_decrypt( pem_iv, 24, buf, len, pwd, pwdlen ); else if( enc_alg == MBEDTLS_CIPHER_AES_256_CBC ) - pem_aes_decrypt( pem_iv, 32, buf, len, pwd, pwdlen ); + ret = pem_aes_decrypt( pem_iv, 32, buf, len, pwd, pwdlen ); #endif /* MBEDTLS_AES_C */ + if( ret != 0 ) + { + mbedtls_free( buf ); + return( ret ); + } + /* * The result will be ASN.1 starting with a SEQUENCE tag, with 1 to 3 * length bytes (allow 4 to be sure) in all known use cases. diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 544c8cf5c..922743360 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2261,7 +2261,7 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) int ret; const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; - unsigned char *p, *end; + unsigned char *p = NULL, *end = NULL; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 4d674abcf..0af23d7fa 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -51,7 +51,7 @@ static void mbedtls_zeroize( void *v, size_t n ) { void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx ) { - memset( ctx, 0, sizeof(mbedtls_x509write_cert) ); + memset( ctx, 0, sizeof( mbedtls_x509write_cert ) ); mbedtls_mpi_init( &ctx->serial ); ctx->version = MBEDTLS_X509_CRT_VERSION_3; @@ -65,7 +65,7 @@ void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx ) mbedtls_asn1_free_named_data_list( &ctx->issuer ); mbedtls_asn1_free_named_data_list( &ctx->extensions ); - mbedtls_zeroize( ctx, sizeof(mbedtls_x509write_cert) ); + mbedtls_zeroize( ctx, sizeof( mbedtls_x509write_cert ) ); } void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version ) @@ -193,14 +193,14 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * { int ret; unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */ - unsigned char *c = buf + sizeof(buf); + unsigned char *c = buf + sizeof( buf ); size_t len = 0; memset( buf, 0, sizeof(buf) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->issuer_key ) ); - mbedtls_sha1( buf + sizeof(buf) - len, len, buf + sizeof(buf) - 20 ); - c = buf + sizeof(buf) - 20; + mbedtls_sha1( buf + sizeof( buf ) - len, len, buf + sizeof( buf ) - 20 ); + c = buf + sizeof( buf ) - 20; len = 20; MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); @@ -212,7 +212,7 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER, MBEDTLS_OID_SIZE( MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ), - 0, buf + sizeof(buf) - len, len ); + 0, buf + sizeof( buf ) - len, len ); } #endif /* MBEDTLS_SHA1_C */ @@ -313,12 +313,18 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, c = tmp_buf + sizeof( tmp_buf ); /* Signature algorithm needed in TBS, and later for actual signature */ - pk_alg = mbedtls_pk_get_type( ctx->issuer_key ); - if( pk_alg == MBEDTLS_PK_ECKEY ) + + /* There's no direct way of extracting a signature algorithm + * (represented as an element of mbedtls_pk_type_t) from a PK instance. */ + if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_RSA ) ) + pk_alg = MBEDTLS_PK_RSA; + else if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_ECDSA ) ) pk_alg = MBEDTLS_PK_ECDSA; + else + return( MBEDTLS_ERR_X509_INVALID_ALG ); if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg, - &sig_oid, &sig_oid_len ) ) != 0 ) + &sig_oid, &sig_oid_len ) ) != 0 ) { return( ret ); } @@ -326,13 +332,18 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, /* * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension */ - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | - MBEDTLS_ASN1_CONSTRUCTED | 3 ) ); + + /* Only for v3 */ + if( ctx->version == MBEDTLS_X509_CRT_VERSION_3 ) + { + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | + MBEDTLS_ASN1_CONSTRUCTED | 3 ) ); + } /* * SubjectPublicKeyInfo @@ -384,16 +395,21 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, /* * Version ::= INTEGER { v1(0), v2(1), v3(2) } */ - sub_len = 0; - MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) ); - len += sub_len; - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | - MBEDTLS_ASN1_CONSTRUCTED | 0 ) ); + + /* Can be omitted for v1 */ + if( ctx->version != MBEDTLS_X509_CRT_VERSION_1 ) + { + sub_len = 0; + MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) ); + len += sub_len; + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | + MBEDTLS_ASN1_CONSTRUCTED | 0 ) ); + } MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE ) ); + MBEDTLS_ASN1_SEQUENCE ) ); /* * Make signature diff --git a/library/x509write_csr.c b/library/x509write_csr.c index 8fd856b2a..e80053828 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -50,7 +50,7 @@ static void mbedtls_zeroize( void *v, size_t n ) { void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx ) { - memset( ctx, 0, sizeof(mbedtls_x509write_csr) ); + memset( ctx, 0, sizeof( mbedtls_x509write_csr ) ); } void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx ) @@ -58,7 +58,7 @@ void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx ) mbedtls_asn1_free_named_data_list( &ctx->subject ); mbedtls_asn1_free_named_data_list( &ctx->extensions ); - mbedtls_zeroize( ctx, sizeof(mbedtls_x509write_csr) ); + mbedtls_zeroize( ctx, sizeof( mbedtls_x509write_csr ) ); } void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg ) @@ -194,14 +194,21 @@ int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, s */ mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash ); - pk_alg = mbedtls_pk_get_type( ctx->key ); - if( pk_alg == MBEDTLS_PK_ECKEY ) - pk_alg = MBEDTLS_PK_ECDSA; - if( ( ret = mbedtls_pk_sign( ctx->key, ctx->md_alg, hash, 0, sig, &sig_len, - f_rng, p_rng ) ) != 0 || - ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg, - &sig_oid, &sig_oid_len ) ) != 0 ) + f_rng, p_rng ) ) != 0 ) + { + return( ret ); + } + + if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_RSA ) ) + pk_alg = MBEDTLS_PK_RSA; + else if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_ECDSA ) ) + pk_alg = MBEDTLS_PK_ECDSA; + else + return( MBEDTLS_ERR_X509_INVALID_ALG ); + + if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg, + &sig_oid, &sig_oid_len ) ) != 0 ) { return( ret ); } diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index 66e5f1dab..9cc582d61 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -51,6 +51,7 @@ int main( void ) #include "mbedtls/x509_csr.h" #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" +#include "mbedtls/md.h" #include "mbedtls/error.h" #include @@ -59,9 +60,9 @@ int main( void ) #if defined(MBEDTLS_X509_CSR_PARSE_C) #define USAGE_CSR \ - " request_file=%%s default: (empty)\n" \ - " If request_file is specified, subject_key,\n" \ - " subject_pwd and subject_name are ignored!\n" + " request_file=%%s default: (empty)\n" \ + " If request_file is specified, subject_key,\n" \ + " subject_pwd and subject_name are ignored!\n" #else #define USAGE_CSR "" #endif /* MBEDTLS_X509_CSR_PARSE_C */ @@ -83,50 +84,70 @@ int main( void ) #define DFL_MAX_PATHLEN -1 #define DFL_KEY_USAGE 0 #define DFL_NS_CERT_TYPE 0 +#define DFL_VERSION 3 +#define DFL_AUTH_IDENT 1 +#define DFL_SUBJ_IDENT 1 +#define DFL_CONSTRAINTS 1 +#define DFL_DIGEST MBEDTLS_MD_SHA256 #define USAGE \ "\n usage: cert_write param=<>...\n" \ "\n acceptable parameters:\n" \ USAGE_CSR \ - " subject_key=%%s default: subject.key\n" \ - " subject_pwd=%%s default: (empty)\n" \ - " subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \ + " subject_key=%%s default: subject.key\n" \ + " subject_pwd=%%s default: (empty)\n" \ + " subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \ "\n" \ - " issuer_crt=%%s default: (empty)\n" \ - " If issuer_crt is specified, issuer_name is\n" \ - " ignored!\n" \ - " issuer_name=%%s default: CN=CA,O=mbed TLS,C=UK\n" \ + " issuer_crt=%%s default: (empty)\n" \ + " If issuer_crt is specified, issuer_name is\n" \ + " ignored!\n" \ + " issuer_name=%%s default: CN=CA,O=mbed TLS,C=UK\n" \ "\n" \ - " selfsign=%%d default: 0 (false)\n" \ - " If selfsign is enabled, issuer_name and\n" \ - " issuer_key are required (issuer_crt and\n" \ - " subject_* are ignored\n" \ - " issuer_key=%%s default: ca.key\n" \ - " issuer_pwd=%%s default: (empty)\n" \ - " output_file=%%s default: cert.crt\n" \ - " serial=%%s default: 1\n" \ - " not_before=%%s default: 20010101000000\n"\ - " not_after=%%s default: 20301231235959\n"\ - " is_ca=%%d default: 0 (disabled)\n" \ - " max_pathlen=%%d default: -1 (none)\n" \ - " key_usage=%%s default: (empty)\n" \ - " Comma-separated-list of values:\n" \ - " digital_signature\n" \ - " non_repudiation\n" \ - " key_encipherment\n" \ - " data_encipherment\n" \ - " key_agreement\n" \ - " key_cert_sign\n" \ - " crl_sign\n" \ - " ns_cert_type=%%s default: (empty)\n" \ - " Comma-separated-list of values:\n" \ - " ssl_client\n" \ - " ssl_server\n" \ - " email\n" \ - " object_signing\n" \ - " ssl_ca\n" \ - " email_ca\n" \ - " object_signing_ca\n" \ + " selfsign=%%d default: 0 (false)\n" \ + " If selfsign is enabled, issuer_name and\n" \ + " issuer_key are required (issuer_crt and\n" \ + " subject_* are ignored\n" \ + " issuer_key=%%s default: ca.key\n" \ + " issuer_pwd=%%s default: (empty)\n" \ + " output_file=%%s default: cert.crt\n" \ + " serial=%%s default: 1\n" \ + " not_before=%%s default: 20010101000000\n"\ + " not_after=%%s default: 20301231235959\n"\ + " is_ca=%%d default: 0 (disabled)\n" \ + " max_pathlen=%%d default: -1 (none)\n" \ + " md=%%s default: SHA256\n" \ + " Supported values:\n" \ + " MD5, SHA1, SHA256, SHA512\n"\ + " version=%%d default: 3\n" \ + " Possible values: 1, 2, 3\n"\ + " subject_identifier=%%s default: 1\n" \ + " Possible values: 0, 1\n" \ + " (Considered for v3 only)\n"\ + " authority_identifier=%%s default: 1\n" \ + " Possible values: 0, 1\n" \ + " (Considered for v3 only)\n"\ + " basic_constraints=%%d default: 1\n" \ + " Possible values: 0, 1\n" \ + " (Considered for v3 only)\n"\ + " key_usage=%%s default: (empty)\n" \ + " Comma-separated-list of values:\n" \ + " digital_signature\n" \ + " non_repudiation\n" \ + " key_encipherment\n" \ + " data_encipherment\n" \ + " key_agreement\n" \ + " key_cert_sign\n" \ + " crl_sign\n" \ + " (Considered for v3 only)\n"\ + " ns_cert_type=%%s default: (empty)\n" \ + " Comma-separated-list of values:\n" \ + " ssl_client\n" \ + " ssl_server\n" \ + " email\n" \ + " object_signing\n" \ + " ssl_ca\n" \ + " email_ca\n" \ + " object_signing_ca\n" \ "\n" /* @@ -149,6 +170,11 @@ struct options int selfsign; /* selfsign the certificate */ int is_ca; /* is a CA certificate */ int max_pathlen; /* maximum CA path length */ + int authority_identifier; /* add authority identifier to CRT */ + int subject_identifier; /* add subject identifier to CRT */ + int basic_constraints; /* add basic constraints ext to CRT */ + int version; /* CRT version */ + mbedtls_md_type_t md; /* Hash used for signing */ unsigned char key_usage; /* key usage flags */ unsigned char ns_cert_type; /* NS cert type */ } opt; @@ -163,7 +189,8 @@ int write_certificate( mbedtls_x509write_cert *crt, const char *output_file, size_t len = 0; memset( output_buf, 0, 4096 ); - if( ( ret = mbedtls_x509write_crt_pem( crt, output_buf, 4096, f_rng, p_rng ) ) < 0 ) + if( ( ret = mbedtls_x509write_crt_pem( crt, output_buf, 4096, + f_rng, p_rng ) ) < 0 ) return( ret ); len = strlen( (char *) output_buf ); @@ -207,7 +234,6 @@ int main( int argc, char *argv[] ) * Set to sane values */ mbedtls_x509write_crt_init( &crt ); - mbedtls_x509write_crt_set_md_alg( &crt, MBEDTLS_MD_SHA256 ); mbedtls_pk_init( &loaded_issuer_key ); mbedtls_pk_init( &loaded_subject_key ); mbedtls_mpi_init( &serial ); @@ -243,6 +269,11 @@ int main( int argc, char *argv[] ) opt.max_pathlen = DFL_MAX_PATHLEN; opt.key_usage = DFL_KEY_USAGE; opt.ns_cert_type = DFL_NS_CERT_TYPE; + opt.version = DFL_VERSION - 1; + opt.md = DFL_DIGEST; + opt.subject_identifier = DFL_SUBJ_IDENT; + opt.authority_identifier = DFL_AUTH_IDENT; + opt.basic_constraints = DFL_CONSTRAINTS; for( i = 1; i < argc; i++ ) { @@ -286,23 +317,88 @@ int main( int argc, char *argv[] ) { opt.serial = q; } + else if( strcmp( p, "authority_identifier" ) == 0 ) + { + opt.authority_identifier = atoi( q ); + if( opt.authority_identifier != 0 && + opt.authority_identifier != 1 ) + { + mbedtls_printf( "Invalid argument for option %s\n", p ); + goto usage; + } + } + else if( strcmp( p, "subject_identifier" ) == 0 ) + { + opt.subject_identifier = atoi( q ); + if( opt.subject_identifier != 0 && + opt.subject_identifier != 1 ) + { + mbedtls_printf( "Invalid argument for option %s\n", p ); + goto usage; + } + } + else if( strcmp( p, "basic_constraints" ) == 0 ) + { + opt.basic_constraints = atoi( q ); + if( opt.basic_constraints != 0 && + opt.basic_constraints != 1 ) + { + mbedtls_printf( "Invalid argument for option %s\n", p ); + goto usage; + } + } + else if( strcmp( p, "md" ) == 0 ) + { + if( strcmp( q, "SHA1" ) == 0 ) + opt.md = MBEDTLS_MD_SHA1; + else if( strcmp( q, "SHA256" ) == 0 ) + opt.md = MBEDTLS_MD_SHA256; + else if( strcmp( q, "SHA512" ) == 0 ) + opt.md = MBEDTLS_MD_SHA512; + else if( strcmp( q, "MD5" ) == 0 ) + opt.md = MBEDTLS_MD_MD5; + else + { + mbedtls_printf( "Invalid argument for option %s\n", p ); + goto usage; + } + } + else if( strcmp( p, "version" ) == 0 ) + { + opt.version = atoi( q ); + if( opt.version < 1 || opt.version > 3 ) + { + mbedtls_printf( "Invalid argument for option %s\n", p ); + goto usage; + } + opt.version--; + } else if( strcmp( p, "selfsign" ) == 0 ) { opt.selfsign = atoi( q ); if( opt.selfsign < 0 || opt.selfsign > 1 ) + { + mbedtls_printf( "Invalid argument for option %s\n", p ); goto usage; + } } else if( strcmp( p, "is_ca" ) == 0 ) { opt.is_ca = atoi( q ); if( opt.is_ca < 0 || opt.is_ca > 1 ) + { + mbedtls_printf( "Invalid argument for option %s\n", p ); goto usage; + } } else if( strcmp( p, "max_pathlen" ) == 0 ) { opt.max_pathlen = atoi( q ); if( opt.max_pathlen < -1 || opt.max_pathlen > 127 ) + { + mbedtls_printf( "Invalid argument for option %s\n", p ); goto usage; + } } else if( strcmp( p, "key_usage" ) == 0 ) { @@ -326,7 +422,10 @@ int main( int argc, char *argv[] ) else if( strcmp( q, "crl_sign" ) == 0 ) opt.key_usage |= MBEDTLS_X509_KU_CRL_SIGN; else + { + mbedtls_printf( "Invalid argument for option %s\n", p ); goto usage; + } q = r; } @@ -353,7 +452,10 @@ int main( int argc, char *argv[] ) else if( strcmp( q, "object_signing_ca" ) == 0 ) opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA; else + { + mbedtls_printf( "Invalid argument for option %s\n", p ); goto usage; + } q = r; } @@ -376,7 +478,8 @@ int main( int argc, char *argv[] ) strlen( pers ) ) ) != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d - %s\n", ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d - %s\n", + ret, buf ); goto exit; } @@ -390,7 +493,8 @@ int main( int argc, char *argv[] ) if( ( ret = mbedtls_mpi_read_string( &serial, 10, opt.serial ) ) != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_mpi_read_string returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_mpi_read_string " + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -409,7 +513,8 @@ int main( int argc, char *argv[] ) if( ( ret = mbedtls_x509_crt_parse_file( &issuer_crt, opt.issuer_crt ) ) != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file " + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -418,7 +523,8 @@ int main( int argc, char *argv[] ) if( ret < 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets " + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -441,7 +547,8 @@ int main( int argc, char *argv[] ) if( ( ret = mbedtls_x509_csr_parse_file( &csr, opt.request_file ) ) != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509_csr_parse_file returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_x509_csr_parse_file " + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -450,7 +557,8 @@ int main( int argc, char *argv[] ) if( ret < 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets " + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -474,7 +582,8 @@ int main( int argc, char *argv[] ) if( ret != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile " + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -489,7 +598,8 @@ int main( int argc, char *argv[] ) if( ret != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile returned -x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile " + "returned -x%02x - %s\n\n", -ret, buf ); goto exit; } @@ -503,7 +613,8 @@ int main( int argc, char *argv[] ) mbedtls_mpi_cmp_mpi( &mbedtls_pk_rsa( issuer_crt.pk )->E, &mbedtls_pk_rsa( *issuer_key )->E ) != 0 ) { - mbedtls_printf( " failed\n ! issuer_key does not match issuer certificate\n\n" ); + mbedtls_printf( " failed\n ! issuer_key does not match " + "issuer certificate\n\n" ); ret = -1; goto exit; } @@ -526,25 +637,31 @@ int main( int argc, char *argv[] ) if( ( ret = mbedtls_x509write_crt_set_subject_name( &crt, opt.subject_name ) ) != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_name returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_name " + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } if( ( ret = mbedtls_x509write_crt_set_issuer_name( &crt, opt.issuer_name ) ) != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_issuer_name returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_issuer_name " + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } mbedtls_printf( " . Setting certificate values ..." ); fflush( stdout ); + mbedtls_x509write_crt_set_version( &crt, opt.version ); + mbedtls_x509write_crt_set_md_alg( &crt, opt.md ); + ret = mbedtls_x509write_crt_set_serial( &crt, &serial ); if( ret != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_serial returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_serial " + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -552,55 +669,74 @@ int main( int argc, char *argv[] ) if( ret != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_validity returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_validity " + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } mbedtls_printf( " ok\n" ); - mbedtls_printf( " . Adding the Basic Constraints extension ..." ); - fflush( stdout ); - - ret = mbedtls_x509write_crt_set_basic_constraints( &crt, opt.is_ca, - opt.max_pathlen ); - if( ret != 0 ) + if( opt.version == MBEDTLS_X509_CRT_VERSION_3 && + opt.basic_constraints != 0 ) { - mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! x509write_crt_set_basic_contraints returned -0x%02x - %s\n\n", -ret, buf ); - goto exit; - } + mbedtls_printf( " . Adding the Basic Constraints extension ..." ); + fflush( stdout ); - mbedtls_printf( " ok\n" ); + ret = mbedtls_x509write_crt_set_basic_constraints( &crt, opt.is_ca, + opt.max_pathlen ); + if( ret != 0 ) + { + mbedtls_strerror( ret, buf, 1024 ); + mbedtls_printf( " failed\n ! x509write_crt_set_basic_contraints " + "returned -0x%04x - %s\n\n", -ret, buf ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + } #if defined(MBEDTLS_SHA1_C) - mbedtls_printf( " . Adding the Subject Key Identifier ..." ); - fflush( stdout ); - - ret = mbedtls_x509write_crt_set_subject_key_identifier( &crt ); - if( ret != 0 ) + if( opt.version == MBEDTLS_X509_CRT_VERSION_3 && + opt.subject_identifier != 0 ) { - mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_key_identifier returned -0x%02x - %s\n\n", -ret, buf ); - goto exit; + mbedtls_printf( " . Adding the Subject Key Identifier ..." ); + fflush( stdout ); + + ret = mbedtls_x509write_crt_set_subject_key_identifier( &crt ); + if( ret != 0 ) + { + mbedtls_strerror( ret, buf, 1024 ); + mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject" + "_key_identifier returned -0x%04x - %s\n\n", + -ret, buf ); + goto exit; + } + + mbedtls_printf( " ok\n" ); } - mbedtls_printf( " ok\n" ); - - mbedtls_printf( " . Adding the Authority Key Identifier ..." ); - fflush( stdout ); - - ret = mbedtls_x509write_crt_set_authority_key_identifier( &crt ); - if( ret != 0 ) + if( opt.version == MBEDTLS_X509_CRT_VERSION_3 && + opt.authority_identifier != 0 ) { - mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_authority_key_identifier returned -0x%02x - %s\n\n", -ret, buf ); - goto exit; - } + mbedtls_printf( " . Adding the Authority Key Identifier ..." ); + fflush( stdout ); - mbedtls_printf( " ok\n" ); + ret = mbedtls_x509write_crt_set_authority_key_identifier( &crt ); + if( ret != 0 ) + { + mbedtls_strerror( ret, buf, 1024 ); + mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_authority_" + "key_identifier returned -0x%04x - %s\n\n", + -ret, buf ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + } #endif /* MBEDTLS_SHA1_C */ - if( opt.key_usage ) + if( opt.version == MBEDTLS_X509_CRT_VERSION_3 && + opt.key_usage != 0 ) { mbedtls_printf( " . Adding the Key Usage extension ..." ); fflush( stdout ); @@ -609,14 +745,16 @@ int main( int argc, char *argv[] ) if( ret != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_key_usage returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_key_usage " + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } mbedtls_printf( " ok\n" ); } - if( opt.ns_cert_type ) + if( opt.version == MBEDTLS_X509_CRT_VERSION_3 && + opt.ns_cert_type != 0 ) { mbedtls_printf( " . Adding the NS Cert Type extension ..." ); fflush( stdout ); @@ -625,7 +763,8 @@ int main( int argc, char *argv[] ) if( ret != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ns_cert_type returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ns_cert_type " + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -642,7 +781,8 @@ int main( int argc, char *argv[] ) mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! write_certifcate -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! write_certificate -0x%04x - %s\n\n", + -ret, buf ); goto exit; } diff --git a/scripts/find-mem-leak.cocci b/scripts/find-mem-leak.cocci index 5cfe4522d..8179e2b3e 100644 --- a/scripts/find-mem-leak.cocci +++ b/scripts/find-mem-leak.cocci @@ -2,8 +2,8 @@ expression x, y; statement S; @@ - x = mbedtls_malloc(...); - y = mbedtls_malloc(...); + x = mbedtls_calloc(...); + y = mbedtls_calloc(...); ... * if (x == NULL || y == NULL) S @@ -13,8 +13,8 @@ expression x, y; statement S; @@ if ( -* (x = mbedtls_malloc(...)) == NULL +* (x = mbedtls_calloc(...)) == NULL || -* (y = mbedtls_malloc(...)) == NULL +* (y = mbedtls_calloc(...)) == NULL ) S diff --git a/scripts/malloc-init.pl b/scripts/malloc-init.pl deleted file mode 100755 index b7d6fcfac..000000000 --- a/scripts/malloc-init.pl +++ /dev/null @@ -1,70 +0,0 @@ -#!/usr/bin/perl - -# Check for malloc calls not shortly followed by initialisation. -# -# Known limitations: -# - false negative: can't see allocations spanning more than one line -# - possible false negatives, see patterns -# - false positive: malloc-malloc-init-init is not accepted -# - false positives: "non-standard" init functions (eg, the things being -# initialised is not the first arg, or initialise struct members) -# -# Since false positives are expected, the results must be manually reviewed. -# -# Typical usage: scripts/malloc-init.pl library/*.c - -use warnings; -use strict; - -use utf8; -use open qw(:std utf8); - -my $limit = 7; -my $inits = qr/memset|memcpy|_init|fread|base64_..code/; - -# cases to bear in mind: -# -# 0. foo = malloc(...); memset( foo, ... ); -# 1. *foo = malloc(...); memset( *foo, ... ); -# 2. type *foo = malloc(...); memset( foo, ...); -# 3. foo = malloc(...); foo_init( (type *) foo ); -# 4. foo = malloc(...); for(i=0..n) { init( &foo[i] ); } -# -# The chosen patterns are a bit relaxed, but unlikely to cause false positives -# in real code (initialising *foo or &foo instead of foo will likely be caught -# by functional tests). -# -my $id = qr/([a-zA-Z-0-9_\->\.]*)/; -my $prefix = qr/\s(?:\*?|\&?|\([a-z_]* \*\))\s*/; - -my $name; -my $line; -my @bad; - -die "Usage: $0 file.c [...]\n" unless @ARGV; - -while (my $file = shift @ARGV) -{ - open my $fh, "<", $file or die "read $file failed: $!\n"; - while (<$fh>) - { - if( /mbedtls_malloc\(/ ) { - if( /$id\s*=.*mbedtls_malloc\(/ ) { - push @bad, "$file:$line:$name" if $name; - $name = $1; - $line = $.; - } else { - push @bad, "$file:$.:???" unless /return mbedtls_malloc/; - } - } elsif( $name && /(?:$inits)\($prefix\Q$name\E\b/ ) { - undef $name; - } elsif( $name && $. - $line > $limit ) { - push @bad, "$file:$line:$name"; - undef $name; - undef $line; - } - } - close $fh or die; -} - -print "$_\n" for @bad; diff --git a/scripts/rm-calloc-cast.cocci b/scripts/rm-calloc-cast.cocci new file mode 100644 index 000000000..89481c01a --- /dev/null +++ b/scripts/rm-calloc-cast.cocci @@ -0,0 +1,7 @@ +@rm_calloc_cast@ +expression x, n, m; +type T; +@@ + x = +- (T *) + mbedtls_calloc(n, m) diff --git a/scripts/rm-malloc-cast.cocci b/scripts/rm-malloc-cast.cocci deleted file mode 100644 index 9337dc501..000000000 --- a/scripts/rm-malloc-cast.cocci +++ /dev/null @@ -1,7 +0,0 @@ -@rm_malloc_cast@ -expression x, n; -type T; -@@ - x = -- (T *) - mbedtls_malloc(n) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index e963f493f..d4aed678a 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -12,6 +12,7 @@ ## Tools OPENSSL ?= openssl +MBEDTLS_CERT_WRITE ?= $(PWD)/../../programs/x509/cert_write ## Build the generated test data. Note that since the final outputs ## are committed to the repository, this target should do nothing on a @@ -30,6 +31,7 @@ all_final := # files used by tests #### Generate certificates from existing keys ################################################################ +test_ca_crt = test-ca.crt test_ca_key_file_rsa = test-ca.key test_ca_pwd_rsa = PolarSSLTest test_ca_config_file = test-ca.opensslconf @@ -64,6 +66,8 @@ server2-sha256.crt: server2-rsa.csr $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in server2-rsa.csr -out $@ all_final += server2-sha256.crt + + ################################################################ #### Generate various RSA keys ################################################################ @@ -309,6 +313,85 @@ keys_rsa_enc_pkcs8_v2: keys_rsa_enc_pkcs8_v2_1024 keys_rsa_enc_pkcs8_v2_2048 key ### Generate all RSA keys keys_rsa_all: keys_rsa_unenc keys_rsa_enc_basic keys_rsa_enc_pkcs8_v1 keys_rsa_enc_pkcs8_v2 + + +################################################################ +### Generate certificates for CRT write check tests +################################################################ + +### The test files use the Mbed TLS generated certificates server1*.crt, +### but for comparison with OpenSSL also rules for OpenSSL-generated +### certificates server1*.crt.openssl are offered. +### +### Known differences: +### * OpenSSL encodes trailing zero-bits in bit-strings occurring in X.509 extension +### as unused bits, while Mbed TLS doesn't. + +test_ca_server1_db = test-ca.server1.db +test_ca_server1_serial = test-ca.server1.serial +test_ca_server1_config_file = test-ca.server1.opensslconf + +server1.csr: server1.key server1_csr.opensslconf + $(OPENSSL) req -keyform PEM -key server1.key -config server1_csr.opensslconf -out $@ -new +all_final += server1.csr + +server1.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) + $(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 version=3 output_file=$@ +server1.noauthid.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) + $(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20110212144406 not_after=20210212144406 md=SHA1 authority_identifier=0 version=3 output_file=$@ +server1.der: server1.crt + $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@ +all_final += server1.crt server1.noauthid.crt server1.der + +server1.key_usage.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) + $(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 key_usage=digital_signature,non_repudiation,key_encipherment version=3 output_file=$@ +server1.key_usage_noauthid.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) + $(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 key_usage=digital_signature,non_repudiation,key_encipherment authority_identifier=0 version=3 output_file=$@ +server1.key_usage.der: server1.key_usage.crt + $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@ +all_final += server1.key_usage.crt server1.key_usage_noauthid.crt server1.key_usage.der + +server1.cert_type.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) + $(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 ns_cert_type=ssl_server version=3 output_file=$@ +server1.cert_type_noauthid.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) + $(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 ns_cert_type=ssl_server authority_identifier=0 version=3 output_file=$@ +server1.cert_type.der: server1.cert_type.crt + $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@ +all_final += server1.cert_type.crt server1.cert_type_noauthid.crt server1.cert_type.der + +server1.v1.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) + $(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 version=1 output_file=$@ +server1.v1.der: server1.v1.crt + $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@ +all_final += server1.v1.crt server1.v1.der + +# OpenSSL-generated certificates for comparison +# Also provide certificates in DER format to allow +# direct binary comparison using e.g. dumpasn1 +server1.crt.openssl server1.key_usage.crt.openssl server1.cert_type.crt.openssl: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_server1_config_file) + echo "01" > $(test_ca_server1_serial) + rm -f $(test_ca_server1_db) + touch $(test_ca_server1_db) + $(OPENSSL) ca -batch -passin "pass:$(test_ca_pwd_rsa)" -config $(test_ca_server1_config_file) -in server1.csr -extensions v3_ext -extfile $@.v3_ext -out $@ +server1.der.openssl: server1.crt.openssl + $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@ +server1.key_usage.der.openssl: server1.key_usage.crt.openssl + $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@ +server1.cert_type.der.openssl: server1.cert_type.crt.openssl + $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@ + +server1.v1.crt.openssl: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_server1_config_file) + echo "01" > $(test_ca_server1_serial) + rm -f $(test_ca_server1_db) + touch $(test_ca_server1_db) + $(OPENSSL) ca -batch -passin "pass:$(test_ca_pwd_rsa)" -config $(test_ca_server1_config_file) -in server1.csr -out $@ +server1.v1.der.openssl: server1.v1.crt.openssl + $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@ + +server1_all: server1.csr server1.crt server1.noauthid.crt server1.crt.openssl server1.v1.crt server1.v1.crt.openssl server1.key_usage.crt server1.key_usage_noauthid.crt server1.key_usage.crt.openssl server1.cert_type.crt server1.cert_type_noauthid.crt server1.cert_type.crt.openssl server1.der server1.der.openssl server1.v1.der server1.v1.der.openssl server1.key_usage.der server1.key_usage.der.openssl server1.cert_type.der server1.cert_type.der.openssl + + + ################################################################ #### Meta targets ################################################################ @@ -316,10 +399,15 @@ keys_rsa_all: keys_rsa_unenc keys_rsa_enc_basic keys_rsa_enc_pkcs8_v1 keys_rsa_e all_final: $(all_final) all: $(all_intermediate) $(all_final) -.PHONY: default all_final all keys_rsa_unenc keys_rsa_enc_basic keys_rsa_enc_pkcs8_v1 keys_rsa_enc_pkcs8_v2 keys_rsa_all \ - keys_rsa_enc_basic_1024 keys_rsa_enc_basic_2048 keys_rsa_enc_basic_4096 keys_rsa_enc_pkcs8_v1_1024 \ - keys_rsa_enc_pkcs8_v1_2048 keys_rsa_enc_pkcs8_v1_4096 keys_rsa_enc_pkcs8_v2_1024 \ - keys_rsa_enc_pkcs8_v2_2048 keys_rsa_enc_pkcs8_v2_4096 +.PHONY: default all_final all +.PHONY: keys_rsa_all +.PHONY: keys_rsa_unenc keys_rsa_enc_basic +.PHONY: keys_rsa_enc_pkcs8_v1 keys_rsa_enc_pkcs8_v2 +.PHONY: keys_rsa_enc_basic_1024 keys_rsa_enc_basic_2048 keys_rsa_enc_basic_4096 +.PHONY: keys_rsa_enc_pkcs8_v1_1024 keys_rsa_enc_pkcs8_v2_1024 +.PHONY: keys_rsa_enc_pkcs8_v1_2048 keys_rsa_enc_pkcs8_v2_2048 +.PHONY: keys_rsa_enc_pkcs8_v1_4096 keys_rsa_enc_pkcs8_v2_4096 +.PHONY: server1_all # These files should not be committed to the repository. list_intermediate: diff --git a/tests/data_files/server1.cert_type.crt.openssl.v3_ext b/tests/data_files/server1.cert_type.crt.openssl.v3_ext new file mode 100644 index 000000000..bd225ff74 --- /dev/null +++ b/tests/data_files/server1.cert_type.crt.openssl.v3_ext @@ -0,0 +1,5 @@ +[v3_ext] +basicConstraints = CA:false +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +nsCertType=server diff --git a/tests/data_files/server1.cert_type_noauthid.crt b/tests/data_files/server1.cert_type_noauthid.crt new file mode 100644 index 000000000..ed8b80baa --- /dev/null +++ b/tests/data_files/server1.cert_type_noauthid.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMTCCAhmgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/ +uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD +d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf +CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr +lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w +bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB +oz8wPTAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAR +BglghkgBhvhCAQEEBAMCAEAwDQYJKoZIhvcNAQEFBQADggEBABNT+r+6vvlpjtyz +mewrGOKPt5iwb8w2aReJ0AWuyQzTiduN26MhXq93cXHV0pHj2rD7MfiBEwBSWnf9 +FcxkE0g77GVyM9Vs9Uy/MspIqOce7JD0c36G4EI8lYce2TYwQLE9CGNl+LDxqkLy +prijXBl/FaD+IO/SNMr3VVnfFEZqPUxg+BSTaGgD+52Z7B4nPP0xGPjlW367RGDv +9dIkr1thve2WOeC9ixxl9K/864I7/0GdbgKSf77xl3/5vnQUOY7kugRvkvxWIgHS +HNVnmEN2I2Nb0M8lQNF1sFDbpFwVbh9CkBF5LJNesy0VWd67Ho6EntPEb7vBFF/x +jz0b2l4= +-----END CERTIFICATE----- diff --git a/tests/data_files/server1.crt.openssl.v3_ext b/tests/data_files/server1.crt.openssl.v3_ext new file mode 100644 index 000000000..239d56ac2 --- /dev/null +++ b/tests/data_files/server1.crt.openssl.v3_ext @@ -0,0 +1,4 @@ +[v3_ext] +basicConstraints = CA:false +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid diff --git a/tests/data_files/server1.csr b/tests/data_files/server1.csr new file mode 100644 index 000000000..804c4a551 --- /dev/null +++ b/tests/data_files/server1.csr @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow +GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ +ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ +HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF +W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs +FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/ +DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBCwUA +A4IBAQBY/1nnYQ3ThVyeZb1Z2wLYoHZ5rfeJCedyP7N/gjJZjhrMbwioUft2uHpb ++OZQfxRXJTbtj/1wpRMCoUMLWzapS7/xGx3IjoPtl42aM4M+xVYvbLjExL13kUAr +eE4JWcMIbTEPol2zSdX/LuB+m27jEp5VsvM2ty9qOw/T4iKwjFSe6pcYZ2spks19 +3ltgjnaamwqKcN9zUA3IERTsWjr5exKYgfXm2OeeuSP0tHr7Dh+w/2XA9dGcLhrm +TA4P8QjIgSDlyzmhYYmsrioFPuCfdi1uzs8bxmbLXbiCGZ8TDMy5oLqLo1K+j2pF +ox+ATHKxQ/XpRQP+2OTb9sw1kM59 +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server1.key_usage.crt.openssl.v3_ext b/tests/data_files/server1.key_usage.crt.openssl.v3_ext new file mode 100644 index 000000000..e255027ee --- /dev/null +++ b/tests/data_files/server1.key_usage.crt.openssl.v3_ext @@ -0,0 +1,5 @@ +[v3_ext] +basicConstraints = CA:false +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +keyUsage=critical, digitalSignature, nonRepudiation, keyEncipherment diff --git a/tests/data_files/server1.key_usage_noauthid.crt b/tests/data_files/server1.key_usage_noauthid.crt new file mode 100644 index 000000000..d66e51535 --- /dev/null +++ b/tests/data_files/server1.key_usage_noauthid.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDLjCCAhagAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/ +uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD +d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf +CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr +lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w +bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB +ozwwOjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAO +BgNVHQ8BAf8EBAMCAeAwDQYJKoZIhvcNAQEFBQADggEBAJZRIISo4+rDvHXXaS43 +shfSkyJyur588mNJFzty1WVfhaIkwjMIGHeGlHS29fwgPsBUgelZ3Qv3J7wsm42+ +3BwQet0l36FIBIJtFhcrTGlaCFUo/5bZJUPGgiOFB9ec/8lOszVlX8cH34UimWqg +q2wXRGoXWPbuRnUWlJhI2bAv5ri9Mt7Rs4nK4wyS1ZjC8ByXMn4tk3yMjkUEqu0o +37zoQiF+FJApu0eTKK5goA2hisyfCX9eJMppAbcyvJwoj/AmiBkXW8J3kEMJtLmZ +VoxXYknnXumxBLxUrGuamR/3cmbaJHIHE1Dqox7hB+9miyp4lue1/uXHCocGAIeF +JTo= +-----END CERTIFICATE----- diff --git a/tests/data_files/server1.noauthid.crt b/tests/data_files/server1.noauthid.crt new file mode 100644 index 000000000..99c004f62 --- /dev/null +++ b/tests/data_files/server1.noauthid.crt @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDHjCCAgagAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/ +uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD +d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf +CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr +lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w +bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB +oywwKjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAN +BgkqhkiG9w0BAQUFAAOCAQEAUMDKviuchRc4ICoVwi9LFyfQjxFQLgjnX1UYSqc5 +UptiJsDpbJ+TMbOhNBs7YRV7ju61J33ax1fqgcFWkc2M2Vsqzz9+3zJlQoQuOLxH +5C6v5/rhUEV9HMy3K5SIa/BVem9osWvMwDnB8g5k3wCZAnOuFcT6ttvzRqz6Oh9d +avozrYHsATzPXBal41Gf95cNVcJ1pn/JgE4EOijMqmAPldVbCqfXLl6TB0nJS6dm +q9z73DGrVQlOwmCVI+qD2POJI67LuQ0g6Y0WVMxsWilMppt+UrEknMzk4O4qOaUs +1B20vI/bN4XPDnw58psazdoBxFL+fAk5MbTNKETNHjBsIg== +-----END CERTIFICATE----- diff --git a/tests/data_files/server1.v1.crt b/tests/data_files/server1.v1.crt index 0a4b2a5cc..b13be4351 100644 --- a/tests/data_files/server1.v1.crt +++ b/tests/data_files/server1.v1.crt @@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC9DCCAdygAwIBAAIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER -MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN -MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN -BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/ -uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD -d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf -CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr -lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w -bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB -owIwADANBgkqhkiG9w0BAQUFAAOCAQEAoZVuVi7bIslKgMJhejSFXiO+ICMz1fmK -b0tPN68mRYhI/gsjRT0cmX6GUNrg+U5mcBWhMwHgyvx1CARU4YToKZxcXGNL0DPd -Z1hF8nCrJCZBQvNuWE7s0ufw92xz5ZfuKkVxi94RYR529F6gzgl4rpX8UQVu2ym/ -9pTlHKr4MKi9LNppyJMS89uRcb2FJFMdhAKbhNtbIjI9qGZ7x//0belAaWhq389u -6XWFnZt35PU6Zz6YbAQ5pjZYsTaohuufgrpOlFPUuc4uR+RfGHIQ6id12lZaQC2m -OFIBDcU0x1cFfPfMgVdBLf6klPt/v/tD77mwx0eztSp28NIf+ACw8A== +MIIC6zCCAdMCAQEwDQYJKoZIhvcNAQEFBQAwOzELMAkGA1UEBhMCTkwxETAPBgNV +BAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4XDTExMDIx +MjE0NDQwNloXDTIxMDIxMjE0NDQwNlowPDELMAkGA1UEBhMCTkwxETAPBgNVBAoT +CFBvbGFyU1NMMRowGAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb +7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJ +BEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8Yw +fhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5B +Xhem2mxbacwCuhQsFiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1Y +ieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAATANBgkq +hkiG9w0BAQUFAAOCAQEAPMRfR9ql7b06b5DdNyJhD96lBzuVSUOW2MgVHT2Vs7NB +tk5L1htpA5N4uaIeyt6YM0xU0nHdHUKaywNcDiXcnzvRoctGWiWdpcEvdA0rYRF5 +T4MGPpjEuLJcG3aTU8mV8wUEbrY6IEnSpC1G9iasjhkwAF7pb/Ic8+/riwmPD/Fh +zBrRfBCgi5VXbX9IvY+yQHRVRal8y+n4eh9/hFxBKDbvuidFropGzcuparEwCIRi +U7L/7aZ3A5wsQp9GPDliSjpeYCf5tok/bvjG4xU041pGQ7yVNpu2mEIoqDz9v+Ay +IKqsWradEnFG/1ov78a2RB+2+iIPE4iCDtmKUkgPjQ== -----END CERTIFICATE----- diff --git a/tests/data_files/server1_csr.opensslconf b/tests/data_files/server1_csr.opensslconf new file mode 100644 index 000000000..6e7075ea6 --- /dev/null +++ b/tests/data_files/server1_csr.opensslconf @@ -0,0 +1,10 @@ +[ req ] +distinguished_name = req_distinguished_name +prompt = no +# Restrict to non-UTF8 PrintableStrings. +string_mask = nombstr + +[ req_distinguished_name ] +C = NL +O = PolarSSL +CN = PolarSSL Server 1 diff --git a/tests/data_files/test-ca.server1.opensslconf b/tests/data_files/test-ca.server1.opensslconf new file mode 100644 index 000000000..4a5072eae --- /dev/null +++ b/tests/data_files/test-ca.server1.opensslconf @@ -0,0 +1,18 @@ + [ ca ] + default_ca = test-ca + + [ test-ca ] + certificate = test-ca.crt + private_key = test-ca.key + serial = test-ca.server1.serial + default_md = sha1 + default_startdate = 110212144406Z + default_enddate = 210212144406Z + new_certs_dir = ./ + database = ./test-ca.server1.db + policy = policy_match + + [policy_match] + countryName = supplied + organizationName = supplied + commonName = supplied diff --git a/tests/scripts/generate_code.pl b/tests/scripts/generate_code.pl index a48631946..e489a0055 100755 --- a/tests/scripts/generate_code.pl +++ b/tests/scripts/generate_code.pl @@ -333,7 +333,7 @@ END # and make check code my $dep_check_code; -my @res = $test_data =~ /^depends_on:([\w:]+)/msg; +my @res = $test_data =~ /^depends_on:([!:\w]+)/msg; my %case_deps; foreach my $deps (@res) { @@ -344,7 +344,23 @@ foreach my $deps (@res) } while( my ($key, $value) = each(%case_deps) ) { - $dep_check_code .= << "END"; + if( substr($key, 0, 1) eq "!" ) + { + my $key = substr($key, 1); + $dep_check_code .= << "END"; + if( strcmp( str, "!$key" ) == 0 ) + { +#if !defined($key) + return( DEPENDENCY_SUPPORTED ); +#else + return( DEPENDENCY_NOT_SUPPORTED ); +#endif + } +END + } + else + { + $dep_check_code .= << "END"; if( strcmp( str, "$key" ) == 0 ) { #if defined($key) @@ -354,6 +370,7 @@ while( my ($key, $value) = each(%case_deps) ) #endif } END + } } # Make mapping code diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function index cac104a3b..eef41c79a 100644 --- a/tests/suites/helpers.function +++ b/tests/suites/helpers.function @@ -110,6 +110,21 @@ static struct test_info; +/*----------------------------------------------------------------------------*/ +/* Helper flags for complex dependencies */ + +/* Indicates whether we expect mbedtls_entropy_init + * to initialize some strong entropy source. */ +#if defined(MBEDTLS_TEST_NULL_ENTROPY) || \ + ( !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) && \ + ( !defined(MBEDTLS_NO_PLATFORM_ENTROPY) || \ + defined(MBEDTLS_HAVEGE_C) || \ + defined(MBEDTLS_ENTROPY_HARDWARE_ALT) || \ + defined(ENTROPY_NV_SEED) ) ) +#define ENTROPY_HAVE_STRONG +#endif + + /*----------------------------------------------------------------------------*/ /* Helper Functions */ @@ -408,4 +423,3 @@ static void test_fail( const char *test, int line_no, const char* filename ) test_info.line_no = line_no; test_info.filename = filename; } - diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function index 120247e53..042085f0b 100644 --- a/tests/suites/main_test.function +++ b/tests/suites/main_test.function @@ -448,24 +448,24 @@ int main(int argc, const char *argv[]) if( unmet_dep_count > 0 || ret == DISPATCH_UNSUPPORTED_SUITE ) { total_skipped++; - mbedtls_fprintf( stdout, "----\n" ); + mbedtls_fprintf( stdout, "----" ); if( 1 == option_verbose && ret == DISPATCH_UNSUPPORTED_SUITE ) { - mbedtls_fprintf( stdout, " Test Suite not enabled" ); + mbedtls_fprintf( stdout, "\n Test Suite not enabled" ); } if( 1 == option_verbose && unmet_dep_count > 0 ) { - mbedtls_fprintf( stdout, " Unmet dependencies: " ); + mbedtls_fprintf( stdout, "\n Unmet dependencies: " ); for( i = 0; i < unmet_dep_count; i++ ) { mbedtls_fprintf(stdout, "%s ", unmet_dependencies[i]); free(unmet_dependencies[i]); } - mbedtls_fprintf( stdout, "\n" ); } + mbedtls_fprintf( stdout, "\n" ); fflush( stdout ); unmet_dep_count = 0; @@ -489,22 +489,22 @@ int main(int argc, const char *argv[]) else if( ret == DISPATCH_INVALID_TEST_DATA ) { mbedtls_fprintf( stderr, "FAILED: FATAL PARSE ERROR\n" ); - fclose(file); + fclose( file ); mbedtls_exit( 2 ); } else total_errors++; - if( ( ret = get_line( file, buf, sizeof(buf) ) ) != 0 ) + if( ( ret = get_line( file, buf, sizeof( buf ) ) ) != 0 ) break; - if( strlen(buf) != 0 ) + if( strlen( buf ) != 0 ) { mbedtls_fprintf( stderr, "Should be empty %d\n", - (int) strlen(buf) ); + (int) strlen( buf ) ); return( 1 ); } } - fclose(file); + fclose( file ); /* In case we encounter early end of file */ for( i = 0; i < unmet_dep_count; i++ ) @@ -535,4 +535,3 @@ int main(int argc, const char *argv[]) return( total_errors != 0 ); } - diff --git a/tests/suites/test_suite_entropy.data b/tests/suites/test_suite_entropy.data index e0dfae32a..5cff39984 100644 --- a/tests/suites/test_suite_entropy.data +++ b/tests/suites/test_suite_entropy.data @@ -34,10 +34,10 @@ entropy_threshold:16:2:8 Entropy threshold #2 entropy_threshold:32:1:32 -Entropy thershold #3 +Entropy threshold #3 entropy_threshold:16:0:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED -Entropy thershold #4 +Entropy threshold #4 entropy_threshold:1024:1:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED Check NV seed standard IO diff --git a/tests/suites/test_suite_entropy.function b/tests/suites/test_suite_entropy.function index 97a21bc18..2bab796d1 100644 --- a/tests/suites/test_suite_entropy.function +++ b/tests/suites/test_suite_entropy.function @@ -163,7 +163,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:ENTROPY_HAVE_STRONG */ void entropy_func_len( int len, int ret ) { mbedtls_entropy_context ctx; @@ -224,7 +224,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:ENTROPY_HAVE_STRONG */ void entropy_threshold( int threshold, int chunk_size, int result ) { mbedtls_entropy_context ctx; @@ -377,7 +377,7 @@ void entropy_nv_seed( char *read_seed_str ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */ +/* BEGIN_CASE depends_on:ENTROPY_HAVE_STRONG:MBEDTLS_SELF_TEST */ void entropy_selftest( int result ) { TEST_ASSERT( mbedtls_entropy_self_test( 1 ) == result ); diff --git a/tests/suites/test_suite_pem.data b/tests/suites/test_suite_pem.data index 065e4a2b5..77546c586 100644 --- a/tests/suites/test_suite_pem.data +++ b/tests/suites/test_suite_pem.data @@ -17,11 +17,22 @@ PEM write (exactly two lines + 1) mbedtls_pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F00":"-----START TEST-----\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAA==\n-----END TEST-----\n" PEM read (DES-EDE3-CBC + invalid iv) -mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,00$":MBEDTLS_ERR_PEM_INVALID_ENC_IV +mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,00$":"pwd":MBEDTLS_ERR_PEM_INVALID_ENC_IV PEM read (DES-CBC + invalid iv) -mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,00$":MBEDTLS_ERR_PEM_INVALID_ENC_IV +mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,00$":"pwd":MBEDTLS_ERR_PEM_INVALID_ENC_IV PEM read (unknown encryption algorithm) -mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-,00$":MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG +mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-,00$":"pwd":MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG +PEM read (malformed PEM DES-CBC) +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC +mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH + +PEM read (malformed PEM DES-EDE3-CBC) +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC +mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH + +PEM read (malformed PEM AES-128-CBC) +depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,AA94892A169FA426AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH diff --git a/tests/suites/test_suite_pem.function b/tests/suites/test_suite_pem.function index 5e022109c..c24595d47 100644 --- a/tests/suites/test_suite_pem.function +++ b/tests/suites/test_suite_pem.function @@ -1,6 +1,8 @@ /* BEGIN_HEADER */ #include "mbedtls/base64.h" #include "mbedtls/pem.h" +#include "mbedtls/des.h" +#include "mbedtls/aes.h" /* END_HEADER */ /* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C */ @@ -35,16 +37,19 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_AES_C:MBEDTLS_DES_C:MBEDTLS_MD5_C:MBEDTLS_CIPHER_MODE_CBC */ -void mbedtls_pem_read_buffer( char *header, char *footer, char *data, int ret ) +void mbedtls_pem_read_buffer( char *header, char *footer, char *data, + char *pwd, int res ) { mbedtls_pem_context ctx; + int ret; size_t use_len = 0; + size_t pwd_len = strlen( pwd ); mbedtls_pem_init( &ctx ); - TEST_ASSERT( mbedtls_pem_read_buffer( &ctx, header, footer, - (const unsigned char *)data, NULL, 0, - &use_len ) == ret ); + ret = mbedtls_pem_read_buffer( &ctx, header, footer, (unsigned char *)data, + (unsigned char *)pwd, pwd_len, &use_len ); + TEST_ASSERT( ret == res ); exit: mbedtls_pem_free( &ctx ); diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index d48bc8595..270e2d989 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -8,6 +8,7 @@ #include "mbedtls/sha512.h" #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" + /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -658,7 +659,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CTR_DRBG_C:MBEDTLS_ENTROPY_C */ +/* BEGIN_CASE depends_on:MBEDTLS_CTR_DRBG_C:MBEDTLS_ENTROPY_C:ENTROPY_HAVE_STRONG */ void mbedtls_rsa_gen_key( int nrbits, int exponent, int result) { mbedtls_rsa_context ctx; @@ -667,13 +668,12 @@ void mbedtls_rsa_gen_key( int nrbits, int exponent, int result) const char *pers = "test_suite_rsa"; mbedtls_ctr_drbg_init( &ctr_drbg ); - mbedtls_entropy_init( &entropy ); + mbedtls_rsa_init ( &ctx, 0, 0 ); + TEST_ASSERT( mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) == 0 ); - mbedtls_rsa_init( &ctx, 0, 0 ); - TEST_ASSERT( mbedtls_rsa_gen_key( &ctx, mbedtls_ctr_drbg_random, &ctr_drbg, nrbits, exponent ) == result ); if( result == 0 ) { diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index d4d2a98ce..5b54d8588 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -44,19 +44,35 @@ x509_csr_check:"data_files/server5.key":"data_files/server5.req.ku.sha1":MBEDTLS Certificate write check Server1 SHA1 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:-1:"data_files/server1.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:1:-1:"data_files/server1.crt":0 Certificate write check Server1 SHA1, key_usage depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:-1:"data_files/server1.key_usage.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:1:-1:"data_files/server1.key_usage.crt":0 Certificate write check Server1 SHA1, ns_cert_type depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:-1:"data_files/server1.cert_type.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:-1:"data_files/server1.cert_type.crt":0 Certificate write check Server1 SHA1, version 1 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0 + +Certificate write check Server1 SHA1, RSA_ALT +depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:-1:"data_files/server1.noauthid.crt":1 + +Certificate write check Server1 SHA1, RSA_ALT, key_usage +depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1 + +Certificate write check Server1 SHA1, RSA_ALT, ns_cert_type +depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:0:-1:"data_files/server1.cert_type_noauthid.crt":1 + +Certificate write check Server1 SHA1, RSA_ALT, version 1 +depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1 X509 String to Names #1 mbedtls_x509_string_to_names:"C=NL,O=Offspark\, Inc., OU=PolarSSL":"C=NL, O=Offspark, Inc., OU=PolarSSL":0 diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 89be31f9a..ca76e861d 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -3,6 +3,30 @@ #include "mbedtls/x509_csr.h" #include "mbedtls/pem.h" #include "mbedtls/oid.h" +#include "mbedtls/rsa.h" + +#if defined(MBEDTLS_RSA_C) +int mbedtls_rsa_decrypt_func( void *ctx, int mode, size_t *olen, + const unsigned char *input, unsigned char *output, + size_t output_max_len ) +{ + return( mbedtls_rsa_pkcs1_decrypt( (mbedtls_rsa_context *) ctx, NULL, NULL, mode, olen, + input, output, output_max_len ) ); +} +int mbedtls_rsa_sign_func( void *ctx, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, + int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, + const unsigned char *hash, unsigned char *sig ) +{ + return( mbedtls_rsa_pkcs1_sign( (mbedtls_rsa_context *) ctx, f_rng, p_rng, mode, + md_alg, hashlen, hash, sig ) ); +} +size_t mbedtls_rsa_key_len_func( void *ctx ) +{ + return( ((const mbedtls_rsa_context *) ctx)->len ); +} +#endif /* MBEDTLS_RSA_C */ + /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -39,7 +63,7 @@ void x509_csr_check( char *key_file, char *cert_req_check_file, if( cert_type != 0 ) TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 ); - ret = mbedtls_x509write_csr_pem( &req, buf, sizeof(buf), + ret = mbedtls_x509write_csr_pem( &req, buf, sizeof( buf ), rnd_pseudo_rand, &rnd_info ); TEST_ASSERT( ret == 0 ); @@ -75,10 +99,12 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, char *subject_name, char *issuer_key_file, char *issuer_pwd, char *issuer_name, char *serial_str, char *not_before, char *not_after, - int md_type, int key_usage, int cert_type, int ver, - char *cert_check_file ) + int md_type, int key_usage, int cert_type, int auth_ident, + int ver, char *cert_check_file, int rsa_alt ) { - mbedtls_pk_context subject_key, issuer_key; + mbedtls_pk_context subject_key, issuer_key, issuer_key_alt; + mbedtls_pk_context *key = &issuer_key; + mbedtls_x509write_cert crt; unsigned char buf[4096]; unsigned char check_buf[5000]; @@ -91,68 +117,89 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, memset( &rnd_info, 0x2a, sizeof( rnd_pseudo_info ) ); mbedtls_mpi_init( &serial ); + mbedtls_pk_init( &subject_key ); - mbedtls_pk_init( &issuer_key ); + mbedtls_pk_init( &issuer_key ); + mbedtls_pk_init( &issuer_key_alt ); + + mbedtls_x509write_crt_init( &crt ); TEST_ASSERT( mbedtls_pk_parse_keyfile( &subject_key, subject_key_file, subject_pwd ) == 0 ); + TEST_ASSERT( mbedtls_pk_parse_keyfile( &issuer_key, issuer_key_file, issuer_pwd ) == 0 ); + + /* For RSA PK contexts, create a copy as an alternative RSA context. */ + if( rsa_alt == 1 && mbedtls_pk_get_type( &issuer_key ) == MBEDTLS_PK_RSA ) + { + TEST_ASSERT( mbedtls_pk_setup_rsa_alt( &issuer_key_alt, + mbedtls_pk_rsa( issuer_key ), + mbedtls_rsa_decrypt_func, + mbedtls_rsa_sign_func, + mbedtls_rsa_key_len_func ) == 0 ); + + key = &issuer_key_alt; + } + TEST_ASSERT( mbedtls_mpi_read_string( &serial, 10, serial_str ) == 0 ); - mbedtls_x509write_crt_init( &crt ); if( ver != -1 ) mbedtls_x509write_crt_set_version( &crt, ver ); + TEST_ASSERT( mbedtls_x509write_crt_set_serial( &crt, &serial ) == 0 ); TEST_ASSERT( mbedtls_x509write_crt_set_validity( &crt, not_before, - not_after ) == 0 ); + not_after ) == 0 ); mbedtls_x509write_crt_set_md_alg( &crt, md_type ); TEST_ASSERT( mbedtls_x509write_crt_set_issuer_name( &crt, issuer_name ) == 0 ); TEST_ASSERT( mbedtls_x509write_crt_set_subject_name( &crt, subject_name ) == 0 ); mbedtls_x509write_crt_set_subject_key( &crt, &subject_key ); - mbedtls_x509write_crt_set_issuer_key( &crt, &issuer_key ); + + mbedtls_x509write_crt_set_issuer_key( &crt, key ); if( crt.version >= MBEDTLS_X509_CRT_VERSION_3 ) { TEST_ASSERT( mbedtls_x509write_crt_set_basic_constraints( &crt, 0, 0 ) == 0 ); TEST_ASSERT( mbedtls_x509write_crt_set_subject_key_identifier( &crt ) == 0 ); - TEST_ASSERT( mbedtls_x509write_crt_set_authority_key_identifier( &crt ) == 0 ); + if( auth_ident ) + TEST_ASSERT( mbedtls_x509write_crt_set_authority_key_identifier( &crt ) == 0 ); if( key_usage != 0 ) TEST_ASSERT( mbedtls_x509write_crt_set_key_usage( &crt, key_usage ) == 0 ); if( cert_type != 0 ) TEST_ASSERT( mbedtls_x509write_crt_set_ns_cert_type( &crt, cert_type ) == 0 ); } - ret = mbedtls_x509write_crt_pem( &crt, buf, sizeof(buf), - rnd_pseudo_rand, &rnd_info ); + ret = mbedtls_x509write_crt_pem( &crt, buf, sizeof( buf ), + rnd_pseudo_rand, &rnd_info ); TEST_ASSERT( ret == 0 ); pem_len = strlen( (char *) buf ); f = fopen( cert_check_file, "r" ); TEST_ASSERT( f != NULL ); - olen = fread( check_buf, 1, sizeof(check_buf), f ); + olen = fread( check_buf, 1, sizeof( check_buf ), f ); fclose( f ); - TEST_ASSERT( olen < sizeof(check_buf) ); + TEST_ASSERT( olen < sizeof( check_buf ) ); TEST_ASSERT( olen >= pem_len - 1 ); TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 ); der_len = mbedtls_x509write_crt_der( &crt, buf, sizeof( buf ), - rnd_pseudo_rand, &rnd_info ); + rnd_pseudo_rand, &rnd_info ); TEST_ASSERT( der_len >= 0 ); if( der_len == 0 ) goto exit; ret = mbedtls_x509write_crt_der( &crt, buf, (size_t)( der_len - 1 ), - rnd_pseudo_rand, &rnd_info ); + rnd_pseudo_rand, &rnd_info ); TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); exit: mbedtls_x509write_crt_free( &crt ); - mbedtls_pk_free( &issuer_key ); + mbedtls_pk_free( &issuer_key_alt ); mbedtls_pk_free( &subject_key ); + mbedtls_pk_free( &issuer_key ); mbedtls_mpi_free( &serial ); } /* END_CASE */