Refactor certificates and keys in ssl handshake mock tests

Let the caller decide what certificates and keys are loaded (EC/RSA)
instead of loading both for the server, and an unspecified one 
for the client. Use only DER encoding.
This commit is contained in:
Andrzej Kurek 2020-02-02 19:25:26 -05:00
parent 2a1f178d7c
commit b29807413e

View file

@ -629,9 +629,7 @@ typedef struct mbedtls_endpoint_certificate
{
mbedtls_x509_crt ca_cert;
mbedtls_x509_crt cert;
mbedtls_x509_crt cert2;
mbedtls_pk_context pkey;
mbedtls_pk_context pkey2;
} mbedtls_endpoint_certificate;
/*
@ -654,7 +652,7 @@ typedef struct mbedtls_endpoint
*
* \retval 0 on success, otherwise error code.
*/
int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep )
int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg )
{
int i = 0;
int ret = -1;
@ -668,9 +666,7 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep )
cert = &( ep->cert );
mbedtls_x509_crt_init( &( cert->ca_cert ) );
mbedtls_x509_crt_init( &( cert->cert ) );
mbedtls_x509_crt_init( &( cert->cert2 ) );
mbedtls_pk_init( &( cert->pkey ) );
mbedtls_pk_init( &( cert->pkey2 ) );
/* Load the trusted CA */
@ -694,58 +690,71 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep )
if( ep->conf.endpoint == MBEDTLS_SSL_IS_SERVER )
{
ret = mbedtls_x509_crt_parse( &( cert->cert ),
(const unsigned char *) mbedtls_test_srv_crt_rsa,
mbedtls_test_srv_crt_rsa_len );
TEST_ASSERT( ret == 0 );
if( pk_alg == MBEDTLS_PK_RSA )
{
ret = mbedtls_x509_crt_parse( &( cert->cert ),
(const unsigned char*) mbedtls_test_srv_crt_rsa_sha256_der,
mbedtls_test_srv_crt_rsa_sha256_der_len );
TEST_ASSERT( ret == 0 );
ret = mbedtls_pk_parse_key( &( cert->pkey ),
(const unsigned char *) mbedtls_test_srv_key_rsa,
mbedtls_test_srv_key_rsa_len, NULL, 0 );
TEST_ASSERT( ret == 0 );
ret = mbedtls_pk_parse_key( &( cert->pkey ),
(const unsigned char*) mbedtls_test_srv_key_rsa_der,
mbedtls_test_srv_key_rsa_der_len, NULL, 0 );
TEST_ASSERT( ret == 0 );
}
else
{
ret = mbedtls_x509_crt_parse( &( cert->cert ),
(const unsigned char*) mbedtls_test_srv_crt_ec_der,
mbedtls_test_srv_crt_ec_der_len );
TEST_ASSERT( ret == 0 );
ret = mbedtls_x509_crt_parse( &( cert->cert2 ),
(const unsigned char *) mbedtls_test_srv_crt_ec,
mbedtls_test_srv_crt_ec_len );
TEST_ASSERT( ret == 0 );
ret = mbedtls_pk_parse_key( &( cert->pkey2 ),
(const unsigned char *) mbedtls_test_srv_key_ec,
mbedtls_test_srv_key_ec_len, NULL, 0 );
TEST_ASSERT( ret == 0 );
ret = mbedtls_pk_parse_key( &( cert->pkey ),
(const unsigned char*) mbedtls_test_srv_key_ec_der,
mbedtls_test_srv_key_ec_der_len, NULL, 0 );
TEST_ASSERT( ret == 0 );
}
}
else
{
ret = mbedtls_x509_crt_parse( &( cert->cert ),
(const unsigned char *) mbedtls_test_cli_crt,
mbedtls_test_cli_crt_len );
TEST_ASSERT( ret == 0 );
if( pk_alg == MBEDTLS_PK_RSA )
{
ret = mbedtls_x509_crt_parse( &( cert->cert ),
(const unsigned char *) mbedtls_test_cli_crt_rsa_der,
mbedtls_test_cli_crt_rsa_der_len );
TEST_ASSERT( ret == 0 );
ret = mbedtls_pk_parse_key( &( cert->pkey ),
(const unsigned char *) mbedtls_test_cli_key,
mbedtls_test_cli_key_len, NULL, 0 );
TEST_ASSERT( ret == 0 );
ret = mbedtls_pk_parse_key( &( cert->pkey ),
(const unsigned char *) mbedtls_test_cli_key_rsa_der,
mbedtls_test_cli_key_rsa_der_len, NULL, 0 );
TEST_ASSERT( ret == 0 );
}
else
{
ret = mbedtls_x509_crt_parse( &( cert->cert ),
(const unsigned char *) mbedtls_test_cli_crt_ec_der,
mbedtls_test_cli_crt_ec_len );
TEST_ASSERT( ret == 0 );
ret = mbedtls_pk_parse_key( &( cert->pkey ),
(const unsigned char *) mbedtls_test_cli_key_ec_der,
mbedtls_test_cli_key_ec_der_len, NULL, 0 );
TEST_ASSERT( ret == 0 );
}
}
mbedtls_ssl_conf_ca_chain( &( ep->conf ), &( cert->ca_cert ), NULL );
ret = mbedtls_ssl_conf_own_cert( &( ep->conf ), &( cert->cert ), &( cert->pkey ) );
ret = mbedtls_ssl_conf_own_cert( &( ep->conf ), &( cert->cert ),
&( cert->pkey ) );
TEST_ASSERT( ret == 0 );
if( ep->conf.endpoint == MBEDTLS_SSL_IS_SERVER )
{
ret = mbedtls_ssl_conf_own_cert( &( ep->conf ), &( cert->cert2 ), &( cert->pkey2 ) );
TEST_ASSERT( ret == 0 );
}
exit:
if( ret != 0 )
{
mbedtls_x509_crt_free( &( cert->ca_cert ) );
mbedtls_x509_crt_free( &( cert->cert ) );
mbedtls_x509_crt_free( &( cert->cert2 ) );
mbedtls_pk_free( &( cert->pkey ) );
mbedtls_pk_free( &( cert->pkey2 ) );
}
return ret;
@ -760,7 +769,7 @@ exit:
*
* \retval 0 on success, otherwise error code.
*/
int mbedtls_endpoint_init( mbedtls_endpoint *ep, int endpoint_type )
int mbedtls_endpoint_init( mbedtls_endpoint *ep, int endpoint_type, int pk_alg )
{
int ret = -1;
@ -801,7 +810,7 @@ int mbedtls_endpoint_init( mbedtls_endpoint *ep, int endpoint_type )
MBEDTLS_SSL_PRESET_DEFAULT );
TEST_ASSERT( ret == 0 );
ret = mbedtls_endpoint_certificate_init( ep );
ret = mbedtls_endpoint_certificate_init( ep, pk_alg );
TEST_ASSERT( ret == 0 );
exit:
@ -816,9 +825,7 @@ void mbedtls_endpoint_certificate_free( mbedtls_endpoint *ep )
mbedtls_endpoint_certificate *cert = &( ep->cert );
mbedtls_x509_crt_free( &( cert->ca_cert ) );
mbedtls_x509_crt_free( &( cert->cert ) );
mbedtls_x509_crt_free( &( cert->cert2 ) );
mbedtls_pk_free( &( cert->pkey ) );
mbedtls_pk_free( &( cert->pkey2 ) );
}
/*
@ -2916,20 +2923,20 @@ void ssl_session_serialize_version_check( int corrupt_major,
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_PSA_CRYPTO */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_PSA_CRYPTO */
void mbedtls_endpoint_sanity( int endpoint_type )
{
enum { BUFFSIZE = 1024 };
mbedtls_endpoint ep;
int ret = -1;
ret = mbedtls_endpoint_init( NULL, endpoint_type );
ret = mbedtls_endpoint_init( NULL, endpoint_type, MBEDTLS_PK_RSA );
TEST_ASSERT( MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret );
ret = mbedtls_endpoint_certificate_init( NULL );
ret = mbedtls_endpoint_certificate_init( NULL, MBEDTLS_PK_RSA );
TEST_ASSERT( MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret );
ret = mbedtls_endpoint_init( &ep, endpoint_type );
ret = mbedtls_endpoint_init( &ep, endpoint_type, MBEDTLS_PK_RSA );
TEST_ASSERT( ret == 0 );
exit:
@ -2937,19 +2944,20 @@ exit:
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_PSA_CRYPTO */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15 */
void move_handshake_to_state(int endpoint_type, int state, int need_pass)
{
enum { BUFFSIZE = 1024 };
mbedtls_endpoint base_ep, second_ep;
int ret = -1;
ret = mbedtls_endpoint_init( &base_ep, endpoint_type );
ret = mbedtls_endpoint_init( &base_ep, endpoint_type, MBEDTLS_PK_RSA );
TEST_ASSERT( ret == 0 );
ret = mbedtls_endpoint_init( &second_ep,
( endpoint_type == MBEDTLS_SSL_IS_SERVER ) ?
MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER );
MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER,
MBEDTLS_PK_RSA );
TEST_ASSERT( ret == 0 );
ret = mbedtls_mock_socket_connect( &(base_ep.socket),