Implement cert profile checking
This commit is contained in:
parent
f8ea856296
commit
cbb1f6e5cb
2 changed files with 90 additions and 9 deletions
|
@ -143,6 +143,65 @@ const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb =
|
||||||
0,
|
0,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check md_alg against profile
|
||||||
|
* Return 0 if md_alg acceptable for this profile, -1 otherwise
|
||||||
|
*/
|
||||||
|
static int x509_profile_check_md_alg( const mbedtls_x509_crt_profile *profile,
|
||||||
|
mbedtls_md_type_t md_alg )
|
||||||
|
{
|
||||||
|
if( ( profile->allowed_mds & MBEDTLS_X509_ID_FLAG( md_alg ) ) != 0 )
|
||||||
|
return( 0 );
|
||||||
|
|
||||||
|
return( -1 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check pk_alg against profile
|
||||||
|
* Return 0 if pk_alg acceptable for this profile, -1 otherwise
|
||||||
|
*/
|
||||||
|
static int x509_profile_check_pk_alg( const mbedtls_x509_crt_profile *profile,
|
||||||
|
mbedtls_pk_type_t pk_alg )
|
||||||
|
{
|
||||||
|
if( ( profile->allowed_pks & MBEDTLS_X509_ID_FLAG( pk_alg ) ) != 0 )
|
||||||
|
return( 0 );
|
||||||
|
|
||||||
|
return( -1 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check key against profile
|
||||||
|
* Return 0 if pk_alg acceptable for this profile, -1 otherwise
|
||||||
|
*/
|
||||||
|
static int x509_profile_check_key( const mbedtls_x509_crt_profile *profile,
|
||||||
|
mbedtls_pk_type_t pk_alg,
|
||||||
|
const mbedtls_pk_context *pk )
|
||||||
|
{
|
||||||
|
#if defined(MBEDTLS_RSA_C)
|
||||||
|
if( pk_alg == MBEDTLS_PK_RSA || pk_alg == MBEDTLS_PK_RSASSA_PSS )
|
||||||
|
{
|
||||||
|
if( mbedtls_pk_get_size( pk ) >= profile->rsa_min_bitlen )
|
||||||
|
return( 0 );
|
||||||
|
|
||||||
|
return( -1 );
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ECDSA_C)
|
||||||
|
if( pk_alg == MBEDTLS_PK_ECDSA )
|
||||||
|
{
|
||||||
|
mbedtls_ecp_group_id gid = mbedtls_pk_ec( *pk )->grp.id;
|
||||||
|
|
||||||
|
if( ( profile->allowed_curves & MBEDTLS_X509_ID_FLAG( gid ) ) != 0 )
|
||||||
|
return( 0 );
|
||||||
|
|
||||||
|
return( -1 );
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
return( -1 );
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
|
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
|
||||||
*/
|
*/
|
||||||
|
@ -1611,6 +1670,12 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
|
||||||
/*
|
/*
|
||||||
* Check if CRL is correctly signed by the trusted CA
|
* Check if CRL is correctly signed by the trusted CA
|
||||||
*/
|
*/
|
||||||
|
if( x509_profile_check_md_alg( profile, crl_list->sig_md ) != 0 )
|
||||||
|
flags |= MBEDTLS_X509_BADCRL_BAD_MD;
|
||||||
|
|
||||||
|
if( x509_profile_check_pk_alg( profile, crl_list->sig_pk ) != 0 )
|
||||||
|
flags |= MBEDTLS_X509_BADCRL_BAD_PK;
|
||||||
|
|
||||||
md_info = mbedtls_md_info_from_type( crl_list->sig_md );
|
md_info = mbedtls_md_info_from_type( crl_list->sig_md );
|
||||||
if( md_info == NULL )
|
if( md_info == NULL )
|
||||||
{
|
{
|
||||||
|
@ -1623,7 +1688,8 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
|
||||||
|
|
||||||
mbedtls_md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash );
|
mbedtls_md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash );
|
||||||
|
|
||||||
(void) profile; /* WIP:TODO: check profile */
|
if( x509_profile_check_key( profile, crl_list->sig_pk, &ca->pk ) != 0 )
|
||||||
|
flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
|
||||||
|
|
||||||
if( mbedtls_pk_verify_ext( crl_list->sig_pk, crl_list->sig_opts, &ca->pk,
|
if( mbedtls_pk_verify_ext( crl_list->sig_pk, crl_list->sig_opts, &ca->pk,
|
||||||
crl_list->sig_md, hash, mbedtls_md_get_size( md_info ),
|
crl_list->sig_md, hash, mbedtls_md_get_size( md_info ),
|
||||||
|
@ -1653,6 +1719,7 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
|
||||||
|
|
||||||
crl_list = crl_list->next;
|
crl_list = crl_list->next;
|
||||||
}
|
}
|
||||||
|
|
||||||
return( flags );
|
return( flags );
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_X509_CRL_PARSE_C */
|
#endif /* MBEDTLS_X509_CRL_PARSE_C */
|
||||||
|
@ -1853,6 +1920,12 @@ static int x509_crt_verify_top(
|
||||||
if( mbedtls_x509_time_is_future( &child->valid_from ) )
|
if( mbedtls_x509_time_is_future( &child->valid_from ) )
|
||||||
*flags |= MBEDTLS_X509_BADCERT_FUTURE;
|
*flags |= MBEDTLS_X509_BADCERT_FUTURE;
|
||||||
|
|
||||||
|
if( x509_profile_check_md_alg( profile, child->sig_md ) != 0 )
|
||||||
|
*flags |= MBEDTLS_X509_BADCERT_BAD_MD;
|
||||||
|
|
||||||
|
if( x509_profile_check_pk_alg( profile, child->sig_pk ) != 0 )
|
||||||
|
*flags |= MBEDTLS_X509_BADCERT_BAD_PK;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Child is the top of the chain. Check against the trust_ca list.
|
* Child is the top of the chain. Check against the trust_ca list.
|
||||||
*/
|
*/
|
||||||
|
@ -1869,8 +1942,6 @@ static int x509_crt_verify_top(
|
||||||
else
|
else
|
||||||
mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash );
|
mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash );
|
||||||
|
|
||||||
(void) profile; /* WIP:TODO: check profile */
|
|
||||||
|
|
||||||
for( /* trust_ca */ ; trust_ca != NULL; trust_ca = trust_ca->next )
|
for( /* trust_ca */ ; trust_ca != NULL; trust_ca = trust_ca->next )
|
||||||
{
|
{
|
||||||
if( x509_crt_check_parent( child, trust_ca, 1, path_cnt == 0 ) != 0 )
|
if( x509_crt_check_parent( child, trust_ca, 1, path_cnt == 0 ) != 0 )
|
||||||
|
@ -1895,6 +1966,9 @@ static int x509_crt_verify_top(
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if( x509_profile_check_key( profile, child->sig_pk, &trust_ca->pk ) != 0 )
|
||||||
|
*flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
|
||||||
|
|
||||||
if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk,
|
if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk,
|
||||||
child->sig_md, hash, mbedtls_md_get_size( md_info ),
|
child->sig_md, hash, mbedtls_md_get_size( md_info ),
|
||||||
child->sig.p, child->sig.len ) != 0 )
|
child->sig.p, child->sig.len ) != 0 )
|
||||||
|
@ -1983,6 +2057,12 @@ static int x509_crt_verify_child(
|
||||||
if( mbedtls_x509_time_is_future( &child->valid_from ) )
|
if( mbedtls_x509_time_is_future( &child->valid_from ) )
|
||||||
*flags |= MBEDTLS_X509_BADCERT_FUTURE;
|
*flags |= MBEDTLS_X509_BADCERT_FUTURE;
|
||||||
|
|
||||||
|
if( x509_profile_check_md_alg( profile, child->sig_md ) != 0 )
|
||||||
|
*flags |= MBEDTLS_X509_BADCERT_BAD_MD;
|
||||||
|
|
||||||
|
if( x509_profile_check_pk_alg( profile, child->sig_pk ) != 0 )
|
||||||
|
*flags |= MBEDTLS_X509_BADCERT_BAD_PK;
|
||||||
|
|
||||||
md_info = mbedtls_md_info_from_type( child->sig_md );
|
md_info = mbedtls_md_info_from_type( child->sig_md );
|
||||||
if( md_info == NULL )
|
if( md_info == NULL )
|
||||||
{
|
{
|
||||||
|
@ -1993,10 +2073,11 @@ static int x509_crt_verify_child(
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
(void) profile; /* WIP:TODO: check profile */
|
|
||||||
|
|
||||||
mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash );
|
mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash );
|
||||||
|
|
||||||
|
if( x509_profile_check_key( profile, child->sig_pk, &parent->pk ) != 0 )
|
||||||
|
*flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
|
||||||
|
|
||||||
if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent->pk,
|
if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent->pk,
|
||||||
child->sig_md, hash, mbedtls_md_get_size( md_info ),
|
child->sig_md, hash, mbedtls_md_get_size( md_info ),
|
||||||
child->sig.p, child->sig.len ) != 0 )
|
child->sig.p, child->sig.len ) != 0 )
|
||||||
|
|
|
@ -413,11 +413,11 @@ x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_ex
|
||||||
|
|
||||||
X509 Certificate verification #12 (Valid Cert MD4 Digest)
|
X509 Certificate verification #12 (Valid Cert MD4 Digest)
|
||||||
depends_on:MBEDTLS_MD4_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
depends_on:MBEDTLS_MD4_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||||
x509_verify:"data_files/cert_md4.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
x509_verify:"data_files/cert_md4.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD:"NULL"
|
||||||
|
|
||||||
X509 Certificate verification #13 (Valid Cert MD5 Digest)
|
X509 Certificate verification #13 (Valid Cert MD5 Digest)
|
||||||
depends_on:MBEDTLS_MD5_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
depends_on:MBEDTLS_MD5_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||||
x509_verify:"data_files/cert_md5.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
x509_verify:"data_files/cert_md5.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD:"NULL"
|
||||||
|
|
||||||
X509 Certificate verification #14 (Valid Cert SHA1 Digest)
|
X509 Certificate verification #14 (Valid Cert SHA1 Digest)
|
||||||
depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||||
|
@ -669,7 +669,7 @@ x509_verify:"data_files/server6-ss-child.crt":"data_files/server5-selfsigned.crt
|
||||||
|
|
||||||
X509 Certificate verification #75 (encoding mismatch)
|
X509 Certificate verification #75 (encoding mismatch)
|
||||||
depends_on:MBEDTLS_PEM_PARSE_C
|
depends_on:MBEDTLS_PEM_PARSE_C
|
||||||
x509_verify:"data_files/enco-cert-utf8str.pem":"data_files/enco-ca-prstr.pem":"data_files/crl.pem":"NULL":0:0:"NULL"
|
x509_verify:"data_files/enco-cert-utf8str.pem":"data_files/enco-ca-prstr.pem":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_KEY:"NULL"
|
||||||
|
|
||||||
X509 Certificate verification #76 (multiple CRLs, not revoked)
|
X509 Certificate verification #76 (multiple CRLs, not revoked)
|
||||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
|
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
|
||||||
|
@ -693,7 +693,7 @@ x509_verify:"data_files/server1.crt":"data_files/test-ca_cat12.crt":"data_files/
|
||||||
|
|
||||||
X509 Certificate verification #81 (multiple CRLs, none relevant)
|
X509 Certificate verification #81 (multiple CRLs, none relevant)
|
||||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
|
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
|
||||||
x509_verify:"data_files/enco-cert-utf8str.pem":"data_files/enco-ca-prstr.pem":"data_files/crl_cat_rsa-ec.pem":"NULL":0:0:"NULL"
|
x509_verify:"data_files/enco-cert-utf8str.pem":"data_files/enco-ca-prstr.pem":"data_files/crl_cat_rsa-ec.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_KEY:"NULL"
|
||||||
|
|
||||||
X509 Parse Selftest
|
X509 Parse Selftest
|
||||||
depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CERTS_C
|
depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CERTS_C
|
||||||
|
|
Loading…
Reference in a new issue