Merge remote-tracking branch 'upstream-public/pr/1089' into development
Resolve trivial conflict due to additions in the same place in tests/data_files/Makefile; minor comment/whitespace presentation improvements.
This commit is contained in:
commit
ea8d697fa2
17 changed files with 604 additions and 163 deletions
10
ChangeLog
10
ChangeLog
|
@ -40,6 +40,16 @@ Bugfix
|
||||||
Guido Vranken. #756
|
Guido Vranken. #756
|
||||||
* Include configuration file in md.h, to fix compilation warnings.
|
* Include configuration file in md.h, to fix compilation warnings.
|
||||||
Reported by aaronmdjones in #1001
|
Reported by aaronmdjones in #1001
|
||||||
|
* Correct extraction of signature-type from PK instance in X.509 CRT and CSR
|
||||||
|
writing routines that prevented these functions to work with alternative
|
||||||
|
RSA implementations. Raised by J.B. in the Mbed TLS forum. Fixes #1011.
|
||||||
|
* Don't print X.509 version tag for v1 CRT's, and omit extensions for
|
||||||
|
non-v3 CRT's.
|
||||||
|
|
||||||
|
Changes
|
||||||
|
* Extend cert_write example program by options to set the CRT version
|
||||||
|
and the message digest. Further, allow enabling/disabling of authority
|
||||||
|
identifier, subject identifier and basic constraints extensions.
|
||||||
|
|
||||||
= mbed TLS 2.6.0 branch released 2017-08-10
|
= mbed TLS 2.6.0 branch released 2017-08-10
|
||||||
|
|
||||||
|
|
|
@ -51,7 +51,7 @@ static void mbedtls_zeroize( void *v, size_t n ) {
|
||||||
|
|
||||||
void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx )
|
void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx )
|
||||||
{
|
{
|
||||||
memset( ctx, 0, sizeof(mbedtls_x509write_cert) );
|
memset( ctx, 0, sizeof( mbedtls_x509write_cert ) );
|
||||||
|
|
||||||
mbedtls_mpi_init( &ctx->serial );
|
mbedtls_mpi_init( &ctx->serial );
|
||||||
ctx->version = MBEDTLS_X509_CRT_VERSION_3;
|
ctx->version = MBEDTLS_X509_CRT_VERSION_3;
|
||||||
|
@ -65,7 +65,7 @@ void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx )
|
||||||
mbedtls_asn1_free_named_data_list( &ctx->issuer );
|
mbedtls_asn1_free_named_data_list( &ctx->issuer );
|
||||||
mbedtls_asn1_free_named_data_list( &ctx->extensions );
|
mbedtls_asn1_free_named_data_list( &ctx->extensions );
|
||||||
|
|
||||||
mbedtls_zeroize( ctx, sizeof(mbedtls_x509write_cert) );
|
mbedtls_zeroize( ctx, sizeof( mbedtls_x509write_cert ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version )
|
void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version )
|
||||||
|
@ -193,14 +193,14 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
|
unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
|
||||||
unsigned char *c = buf + sizeof(buf);
|
unsigned char *c = buf + sizeof( buf );
|
||||||
size_t len = 0;
|
size_t len = 0;
|
||||||
|
|
||||||
memset( buf, 0, sizeof(buf) );
|
memset( buf, 0, sizeof(buf) );
|
||||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->issuer_key ) );
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->issuer_key ) );
|
||||||
|
|
||||||
mbedtls_sha1( buf + sizeof(buf) - len, len, buf + sizeof(buf) - 20 );
|
mbedtls_sha1( buf + sizeof( buf ) - len, len, buf + sizeof( buf ) - 20 );
|
||||||
c = buf + sizeof(buf) - 20;
|
c = buf + sizeof( buf ) - 20;
|
||||||
len = 20;
|
len = 20;
|
||||||
|
|
||||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
|
||||||
|
@ -212,7 +212,7 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *
|
||||||
|
|
||||||
return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER,
|
return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER,
|
||||||
MBEDTLS_OID_SIZE( MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ),
|
MBEDTLS_OID_SIZE( MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ),
|
||||||
0, buf + sizeof(buf) - len, len );
|
0, buf + sizeof( buf ) - len, len );
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_SHA1_C */
|
#endif /* MBEDTLS_SHA1_C */
|
||||||
|
|
||||||
|
@ -313,12 +313,18 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
|
||||||
c = tmp_buf + sizeof( tmp_buf );
|
c = tmp_buf + sizeof( tmp_buf );
|
||||||
|
|
||||||
/* Signature algorithm needed in TBS, and later for actual signature */
|
/* Signature algorithm needed in TBS, and later for actual signature */
|
||||||
pk_alg = mbedtls_pk_get_type( ctx->issuer_key );
|
|
||||||
if( pk_alg == MBEDTLS_PK_ECKEY )
|
/* There's no direct way of extracting a signature algorithm
|
||||||
|
* (represented as an element of mbedtls_pk_type_t) from a PK instance. */
|
||||||
|
if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_RSA ) )
|
||||||
|
pk_alg = MBEDTLS_PK_RSA;
|
||||||
|
else if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_ECDSA ) )
|
||||||
pk_alg = MBEDTLS_PK_ECDSA;
|
pk_alg = MBEDTLS_PK_ECDSA;
|
||||||
|
else
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_ALG );
|
||||||
|
|
||||||
if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
|
if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
|
||||||
&sig_oid, &sig_oid_len ) ) != 0 )
|
&sig_oid, &sig_oid_len ) ) != 0 )
|
||||||
{
|
{
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
@ -326,13 +332,18 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
|
||||||
/*
|
/*
|
||||||
* Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
|
* Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
|
||||||
*/
|
*/
|
||||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
|
|
||||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
/* Only for v3 */
|
||||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
if( ctx->version == MBEDTLS_X509_CRT_VERSION_3 )
|
||||||
MBEDTLS_ASN1_SEQUENCE ) );
|
{
|
||||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
|
||||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||||
MBEDTLS_ASN1_CONSTRUCTED | 3 ) );
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||||
|
MBEDTLS_ASN1_SEQUENCE ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
|
||||||
|
MBEDTLS_ASN1_CONSTRUCTED | 3 ) );
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* SubjectPublicKeyInfo
|
* SubjectPublicKeyInfo
|
||||||
|
@ -384,16 +395,21 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
|
||||||
/*
|
/*
|
||||||
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
|
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
|
||||||
*/
|
*/
|
||||||
sub_len = 0;
|
|
||||||
MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) );
|
/* Can be omitted for v1 */
|
||||||
len += sub_len;
|
if( ctx->version != MBEDTLS_X509_CRT_VERSION_1 )
|
||||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
|
{
|
||||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
|
sub_len = 0;
|
||||||
MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
|
MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) );
|
||||||
|
len += sub_len;
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
|
||||||
|
MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
|
||||||
|
}
|
||||||
|
|
||||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||||
MBEDTLS_ASN1_SEQUENCE ) );
|
MBEDTLS_ASN1_SEQUENCE ) );
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Make signature
|
* Make signature
|
||||||
|
|
|
@ -50,7 +50,7 @@ static void mbedtls_zeroize( void *v, size_t n ) {
|
||||||
|
|
||||||
void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx )
|
void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx )
|
||||||
{
|
{
|
||||||
memset( ctx, 0, sizeof(mbedtls_x509write_csr) );
|
memset( ctx, 0, sizeof( mbedtls_x509write_csr ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx )
|
void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx )
|
||||||
|
@ -58,7 +58,7 @@ void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx )
|
||||||
mbedtls_asn1_free_named_data_list( &ctx->subject );
|
mbedtls_asn1_free_named_data_list( &ctx->subject );
|
||||||
mbedtls_asn1_free_named_data_list( &ctx->extensions );
|
mbedtls_asn1_free_named_data_list( &ctx->extensions );
|
||||||
|
|
||||||
mbedtls_zeroize( ctx, sizeof(mbedtls_x509write_csr) );
|
mbedtls_zeroize( ctx, sizeof( mbedtls_x509write_csr ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg )
|
void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg )
|
||||||
|
@ -194,14 +194,21 @@ int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, s
|
||||||
*/
|
*/
|
||||||
mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash );
|
mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash );
|
||||||
|
|
||||||
pk_alg = mbedtls_pk_get_type( ctx->key );
|
|
||||||
if( pk_alg == MBEDTLS_PK_ECKEY )
|
|
||||||
pk_alg = MBEDTLS_PK_ECDSA;
|
|
||||||
|
|
||||||
if( ( ret = mbedtls_pk_sign( ctx->key, ctx->md_alg, hash, 0, sig, &sig_len,
|
if( ( ret = mbedtls_pk_sign( ctx->key, ctx->md_alg, hash, 0, sig, &sig_len,
|
||||||
f_rng, p_rng ) ) != 0 ||
|
f_rng, p_rng ) ) != 0 )
|
||||||
( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
|
{
|
||||||
&sig_oid, &sig_oid_len ) ) != 0 )
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_RSA ) )
|
||||||
|
pk_alg = MBEDTLS_PK_RSA;
|
||||||
|
else if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_ECDSA ) )
|
||||||
|
pk_alg = MBEDTLS_PK_ECDSA;
|
||||||
|
else
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_ALG );
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
|
||||||
|
&sig_oid, &sig_oid_len ) ) != 0 )
|
||||||
{
|
{
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
|
@ -51,6 +51,7 @@ int main( void )
|
||||||
#include "mbedtls/x509_csr.h"
|
#include "mbedtls/x509_csr.h"
|
||||||
#include "mbedtls/entropy.h"
|
#include "mbedtls/entropy.h"
|
||||||
#include "mbedtls/ctr_drbg.h"
|
#include "mbedtls/ctr_drbg.h"
|
||||||
|
#include "mbedtls/md.h"
|
||||||
#include "mbedtls/error.h"
|
#include "mbedtls/error.h"
|
||||||
|
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
|
@ -59,9 +60,9 @@ int main( void )
|
||||||
|
|
||||||
#if defined(MBEDTLS_X509_CSR_PARSE_C)
|
#if defined(MBEDTLS_X509_CSR_PARSE_C)
|
||||||
#define USAGE_CSR \
|
#define USAGE_CSR \
|
||||||
" request_file=%%s default: (empty)\n" \
|
" request_file=%%s default: (empty)\n" \
|
||||||
" If request_file is specified, subject_key,\n" \
|
" If request_file is specified, subject_key,\n" \
|
||||||
" subject_pwd and subject_name are ignored!\n"
|
" subject_pwd and subject_name are ignored!\n"
|
||||||
#else
|
#else
|
||||||
#define USAGE_CSR ""
|
#define USAGE_CSR ""
|
||||||
#endif /* MBEDTLS_X509_CSR_PARSE_C */
|
#endif /* MBEDTLS_X509_CSR_PARSE_C */
|
||||||
|
@ -83,50 +84,70 @@ int main( void )
|
||||||
#define DFL_MAX_PATHLEN -1
|
#define DFL_MAX_PATHLEN -1
|
||||||
#define DFL_KEY_USAGE 0
|
#define DFL_KEY_USAGE 0
|
||||||
#define DFL_NS_CERT_TYPE 0
|
#define DFL_NS_CERT_TYPE 0
|
||||||
|
#define DFL_VERSION 3
|
||||||
|
#define DFL_AUTH_IDENT 1
|
||||||
|
#define DFL_SUBJ_IDENT 1
|
||||||
|
#define DFL_CONSTRAINTS 1
|
||||||
|
#define DFL_DIGEST MBEDTLS_MD_SHA256
|
||||||
|
|
||||||
#define USAGE \
|
#define USAGE \
|
||||||
"\n usage: cert_write param=<>...\n" \
|
"\n usage: cert_write param=<>...\n" \
|
||||||
"\n acceptable parameters:\n" \
|
"\n acceptable parameters:\n" \
|
||||||
USAGE_CSR \
|
USAGE_CSR \
|
||||||
" subject_key=%%s default: subject.key\n" \
|
" subject_key=%%s default: subject.key\n" \
|
||||||
" subject_pwd=%%s default: (empty)\n" \
|
" subject_pwd=%%s default: (empty)\n" \
|
||||||
" subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \
|
" subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \
|
||||||
"\n" \
|
"\n" \
|
||||||
" issuer_crt=%%s default: (empty)\n" \
|
" issuer_crt=%%s default: (empty)\n" \
|
||||||
" If issuer_crt is specified, issuer_name is\n" \
|
" If issuer_crt is specified, issuer_name is\n" \
|
||||||
" ignored!\n" \
|
" ignored!\n" \
|
||||||
" issuer_name=%%s default: CN=CA,O=mbed TLS,C=UK\n" \
|
" issuer_name=%%s default: CN=CA,O=mbed TLS,C=UK\n" \
|
||||||
"\n" \
|
"\n" \
|
||||||
" selfsign=%%d default: 0 (false)\n" \
|
" selfsign=%%d default: 0 (false)\n" \
|
||||||
" If selfsign is enabled, issuer_name and\n" \
|
" If selfsign is enabled, issuer_name and\n" \
|
||||||
" issuer_key are required (issuer_crt and\n" \
|
" issuer_key are required (issuer_crt and\n" \
|
||||||
" subject_* are ignored\n" \
|
" subject_* are ignored\n" \
|
||||||
" issuer_key=%%s default: ca.key\n" \
|
" issuer_key=%%s default: ca.key\n" \
|
||||||
" issuer_pwd=%%s default: (empty)\n" \
|
" issuer_pwd=%%s default: (empty)\n" \
|
||||||
" output_file=%%s default: cert.crt\n" \
|
" output_file=%%s default: cert.crt\n" \
|
||||||
" serial=%%s default: 1\n" \
|
" serial=%%s default: 1\n" \
|
||||||
" not_before=%%s default: 20010101000000\n"\
|
" not_before=%%s default: 20010101000000\n"\
|
||||||
" not_after=%%s default: 20301231235959\n"\
|
" not_after=%%s default: 20301231235959\n"\
|
||||||
" is_ca=%%d default: 0 (disabled)\n" \
|
" is_ca=%%d default: 0 (disabled)\n" \
|
||||||
" max_pathlen=%%d default: -1 (none)\n" \
|
" max_pathlen=%%d default: -1 (none)\n" \
|
||||||
" key_usage=%%s default: (empty)\n" \
|
" md=%%s default: SHA256\n" \
|
||||||
" Comma-separated-list of values:\n" \
|
" Supported values:\n" \
|
||||||
" digital_signature\n" \
|
" MD5, SHA1, SHA256, SHA512\n"\
|
||||||
" non_repudiation\n" \
|
" version=%%d default: 3\n" \
|
||||||
" key_encipherment\n" \
|
" Possible values: 1, 2, 3\n"\
|
||||||
" data_encipherment\n" \
|
" subject_identifier=%%s default: 1\n" \
|
||||||
" key_agreement\n" \
|
" Possible values: 0, 1\n" \
|
||||||
" key_cert_sign\n" \
|
" (Considered for v3 only)\n"\
|
||||||
" crl_sign\n" \
|
" authority_identifier=%%s default: 1\n" \
|
||||||
" ns_cert_type=%%s default: (empty)\n" \
|
" Possible values: 0, 1\n" \
|
||||||
" Comma-separated-list of values:\n" \
|
" (Considered for v3 only)\n"\
|
||||||
" ssl_client\n" \
|
" basic_constraints=%%d default: 1\n" \
|
||||||
" ssl_server\n" \
|
" Possible values: 0, 1\n" \
|
||||||
" email\n" \
|
" (Considered for v3 only)\n"\
|
||||||
" object_signing\n" \
|
" key_usage=%%s default: (empty)\n" \
|
||||||
" ssl_ca\n" \
|
" Comma-separated-list of values:\n" \
|
||||||
" email_ca\n" \
|
" digital_signature\n" \
|
||||||
" object_signing_ca\n" \
|
" non_repudiation\n" \
|
||||||
|
" key_encipherment\n" \
|
||||||
|
" data_encipherment\n" \
|
||||||
|
" key_agreement\n" \
|
||||||
|
" key_cert_sign\n" \
|
||||||
|
" crl_sign\n" \
|
||||||
|
" (Considered for v3 only)\n"\
|
||||||
|
" ns_cert_type=%%s default: (empty)\n" \
|
||||||
|
" Comma-separated-list of values:\n" \
|
||||||
|
" ssl_client\n" \
|
||||||
|
" ssl_server\n" \
|
||||||
|
" email\n" \
|
||||||
|
" object_signing\n" \
|
||||||
|
" ssl_ca\n" \
|
||||||
|
" email_ca\n" \
|
||||||
|
" object_signing_ca\n" \
|
||||||
"\n"
|
"\n"
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -149,6 +170,11 @@ struct options
|
||||||
int selfsign; /* selfsign the certificate */
|
int selfsign; /* selfsign the certificate */
|
||||||
int is_ca; /* is a CA certificate */
|
int is_ca; /* is a CA certificate */
|
||||||
int max_pathlen; /* maximum CA path length */
|
int max_pathlen; /* maximum CA path length */
|
||||||
|
int authority_identifier; /* add authority identifier to CRT */
|
||||||
|
int subject_identifier; /* add subject identifier to CRT */
|
||||||
|
int basic_constraints; /* add basic constraints ext to CRT */
|
||||||
|
int version; /* CRT version */
|
||||||
|
mbedtls_md_type_t md; /* Hash used for signing */
|
||||||
unsigned char key_usage; /* key usage flags */
|
unsigned char key_usage; /* key usage flags */
|
||||||
unsigned char ns_cert_type; /* NS cert type */
|
unsigned char ns_cert_type; /* NS cert type */
|
||||||
} opt;
|
} opt;
|
||||||
|
@ -163,7 +189,8 @@ int write_certificate( mbedtls_x509write_cert *crt, const char *output_file,
|
||||||
size_t len = 0;
|
size_t len = 0;
|
||||||
|
|
||||||
memset( output_buf, 0, 4096 );
|
memset( output_buf, 0, 4096 );
|
||||||
if( ( ret = mbedtls_x509write_crt_pem( crt, output_buf, 4096, f_rng, p_rng ) ) < 0 )
|
if( ( ret = mbedtls_x509write_crt_pem( crt, output_buf, 4096,
|
||||||
|
f_rng, p_rng ) ) < 0 )
|
||||||
return( ret );
|
return( ret );
|
||||||
|
|
||||||
len = strlen( (char *) output_buf );
|
len = strlen( (char *) output_buf );
|
||||||
|
@ -207,7 +234,6 @@ int main( int argc, char *argv[] )
|
||||||
* Set to sane values
|
* Set to sane values
|
||||||
*/
|
*/
|
||||||
mbedtls_x509write_crt_init( &crt );
|
mbedtls_x509write_crt_init( &crt );
|
||||||
mbedtls_x509write_crt_set_md_alg( &crt, MBEDTLS_MD_SHA256 );
|
|
||||||
mbedtls_pk_init( &loaded_issuer_key );
|
mbedtls_pk_init( &loaded_issuer_key );
|
||||||
mbedtls_pk_init( &loaded_subject_key );
|
mbedtls_pk_init( &loaded_subject_key );
|
||||||
mbedtls_mpi_init( &serial );
|
mbedtls_mpi_init( &serial );
|
||||||
|
@ -243,6 +269,11 @@ int main( int argc, char *argv[] )
|
||||||
opt.max_pathlen = DFL_MAX_PATHLEN;
|
opt.max_pathlen = DFL_MAX_PATHLEN;
|
||||||
opt.key_usage = DFL_KEY_USAGE;
|
opt.key_usage = DFL_KEY_USAGE;
|
||||||
opt.ns_cert_type = DFL_NS_CERT_TYPE;
|
opt.ns_cert_type = DFL_NS_CERT_TYPE;
|
||||||
|
opt.version = DFL_VERSION - 1;
|
||||||
|
opt.md = DFL_DIGEST;
|
||||||
|
opt.subject_identifier = DFL_SUBJ_IDENT;
|
||||||
|
opt.authority_identifier = DFL_AUTH_IDENT;
|
||||||
|
opt.basic_constraints = DFL_CONSTRAINTS;
|
||||||
|
|
||||||
for( i = 1; i < argc; i++ )
|
for( i = 1; i < argc; i++ )
|
||||||
{
|
{
|
||||||
|
@ -286,23 +317,88 @@ int main( int argc, char *argv[] )
|
||||||
{
|
{
|
||||||
opt.serial = q;
|
opt.serial = q;
|
||||||
}
|
}
|
||||||
|
else if( strcmp( p, "authority_identifier" ) == 0 )
|
||||||
|
{
|
||||||
|
opt.authority_identifier = atoi( q );
|
||||||
|
if( opt.authority_identifier != 0 &&
|
||||||
|
opt.authority_identifier != 1 )
|
||||||
|
{
|
||||||
|
mbedtls_printf( "Invalid argument for option %s\n", p );
|
||||||
|
goto usage;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if( strcmp( p, "subject_identifier" ) == 0 )
|
||||||
|
{
|
||||||
|
opt.subject_identifier = atoi( q );
|
||||||
|
if( opt.subject_identifier != 0 &&
|
||||||
|
opt.subject_identifier != 1 )
|
||||||
|
{
|
||||||
|
mbedtls_printf( "Invalid argument for option %s\n", p );
|
||||||
|
goto usage;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if( strcmp( p, "basic_constraints" ) == 0 )
|
||||||
|
{
|
||||||
|
opt.basic_constraints = atoi( q );
|
||||||
|
if( opt.basic_constraints != 0 &&
|
||||||
|
opt.basic_constraints != 1 )
|
||||||
|
{
|
||||||
|
mbedtls_printf( "Invalid argument for option %s\n", p );
|
||||||
|
goto usage;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if( strcmp( p, "md" ) == 0 )
|
||||||
|
{
|
||||||
|
if( strcmp( q, "SHA1" ) == 0 )
|
||||||
|
opt.md = MBEDTLS_MD_SHA1;
|
||||||
|
else if( strcmp( q, "SHA256" ) == 0 )
|
||||||
|
opt.md = MBEDTLS_MD_SHA256;
|
||||||
|
else if( strcmp( q, "SHA512" ) == 0 )
|
||||||
|
opt.md = MBEDTLS_MD_SHA512;
|
||||||
|
else if( strcmp( q, "MD5" ) == 0 )
|
||||||
|
opt.md = MBEDTLS_MD_MD5;
|
||||||
|
else
|
||||||
|
{
|
||||||
|
mbedtls_printf( "Invalid argument for option %s\n", p );
|
||||||
|
goto usage;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if( strcmp( p, "version" ) == 0 )
|
||||||
|
{
|
||||||
|
opt.version = atoi( q );
|
||||||
|
if( opt.version < 1 || opt.version > 3 )
|
||||||
|
{
|
||||||
|
mbedtls_printf( "Invalid argument for option %s\n", p );
|
||||||
|
goto usage;
|
||||||
|
}
|
||||||
|
opt.version--;
|
||||||
|
}
|
||||||
else if( strcmp( p, "selfsign" ) == 0 )
|
else if( strcmp( p, "selfsign" ) == 0 )
|
||||||
{
|
{
|
||||||
opt.selfsign = atoi( q );
|
opt.selfsign = atoi( q );
|
||||||
if( opt.selfsign < 0 || opt.selfsign > 1 )
|
if( opt.selfsign < 0 || opt.selfsign > 1 )
|
||||||
|
{
|
||||||
|
mbedtls_printf( "Invalid argument for option %s\n", p );
|
||||||
goto usage;
|
goto usage;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
else if( strcmp( p, "is_ca" ) == 0 )
|
else if( strcmp( p, "is_ca" ) == 0 )
|
||||||
{
|
{
|
||||||
opt.is_ca = atoi( q );
|
opt.is_ca = atoi( q );
|
||||||
if( opt.is_ca < 0 || opt.is_ca > 1 )
|
if( opt.is_ca < 0 || opt.is_ca > 1 )
|
||||||
|
{
|
||||||
|
mbedtls_printf( "Invalid argument for option %s\n", p );
|
||||||
goto usage;
|
goto usage;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
else if( strcmp( p, "max_pathlen" ) == 0 )
|
else if( strcmp( p, "max_pathlen" ) == 0 )
|
||||||
{
|
{
|
||||||
opt.max_pathlen = atoi( q );
|
opt.max_pathlen = atoi( q );
|
||||||
if( opt.max_pathlen < -1 || opt.max_pathlen > 127 )
|
if( opt.max_pathlen < -1 || opt.max_pathlen > 127 )
|
||||||
|
{
|
||||||
|
mbedtls_printf( "Invalid argument for option %s\n", p );
|
||||||
goto usage;
|
goto usage;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
else if( strcmp( p, "key_usage" ) == 0 )
|
else if( strcmp( p, "key_usage" ) == 0 )
|
||||||
{
|
{
|
||||||
|
@ -326,7 +422,10 @@ int main( int argc, char *argv[] )
|
||||||
else if( strcmp( q, "crl_sign" ) == 0 )
|
else if( strcmp( q, "crl_sign" ) == 0 )
|
||||||
opt.key_usage |= MBEDTLS_X509_KU_CRL_SIGN;
|
opt.key_usage |= MBEDTLS_X509_KU_CRL_SIGN;
|
||||||
else
|
else
|
||||||
|
{
|
||||||
|
mbedtls_printf( "Invalid argument for option %s\n", p );
|
||||||
goto usage;
|
goto usage;
|
||||||
|
}
|
||||||
|
|
||||||
q = r;
|
q = r;
|
||||||
}
|
}
|
||||||
|
@ -353,7 +452,10 @@ int main( int argc, char *argv[] )
|
||||||
else if( strcmp( q, "object_signing_ca" ) == 0 )
|
else if( strcmp( q, "object_signing_ca" ) == 0 )
|
||||||
opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA;
|
opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA;
|
||||||
else
|
else
|
||||||
|
{
|
||||||
|
mbedtls_printf( "Invalid argument for option %s\n", p );
|
||||||
goto usage;
|
goto usage;
|
||||||
|
}
|
||||||
|
|
||||||
q = r;
|
q = r;
|
||||||
}
|
}
|
||||||
|
@ -376,7 +478,8 @@ int main( int argc, char *argv[] )
|
||||||
strlen( pers ) ) ) != 0 )
|
strlen( pers ) ) ) != 0 )
|
||||||
{
|
{
|
||||||
mbedtls_strerror( ret, buf, 1024 );
|
mbedtls_strerror( ret, buf, 1024 );
|
||||||
mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d - %s\n", ret, buf );
|
mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d - %s\n",
|
||||||
|
ret, buf );
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -390,7 +493,8 @@ int main( int argc, char *argv[] )
|
||||||
if( ( ret = mbedtls_mpi_read_string( &serial, 10, opt.serial ) ) != 0 )
|
if( ( ret = mbedtls_mpi_read_string( &serial, 10, opt.serial ) ) != 0 )
|
||||||
{
|
{
|
||||||
mbedtls_strerror( ret, buf, 1024 );
|
mbedtls_strerror( ret, buf, 1024 );
|
||||||
mbedtls_printf( " failed\n ! mbedtls_mpi_read_string returned -0x%02x - %s\n\n", -ret, buf );
|
mbedtls_printf( " failed\n ! mbedtls_mpi_read_string "
|
||||||
|
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -409,7 +513,8 @@ int main( int argc, char *argv[] )
|
||||||
if( ( ret = mbedtls_x509_crt_parse_file( &issuer_crt, opt.issuer_crt ) ) != 0 )
|
if( ( ret = mbedtls_x509_crt_parse_file( &issuer_crt, opt.issuer_crt ) ) != 0 )
|
||||||
{
|
{
|
||||||
mbedtls_strerror( ret, buf, 1024 );
|
mbedtls_strerror( ret, buf, 1024 );
|
||||||
mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file returned -0x%02x - %s\n\n", -ret, buf );
|
mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file "
|
||||||
|
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -418,7 +523,8 @@ int main( int argc, char *argv[] )
|
||||||
if( ret < 0 )
|
if( ret < 0 )
|
||||||
{
|
{
|
||||||
mbedtls_strerror( ret, buf, 1024 );
|
mbedtls_strerror( ret, buf, 1024 );
|
||||||
mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets returned -0x%02x - %s\n\n", -ret, buf );
|
mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets "
|
||||||
|
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -441,7 +547,8 @@ int main( int argc, char *argv[] )
|
||||||
if( ( ret = mbedtls_x509_csr_parse_file( &csr, opt.request_file ) ) != 0 )
|
if( ( ret = mbedtls_x509_csr_parse_file( &csr, opt.request_file ) ) != 0 )
|
||||||
{
|
{
|
||||||
mbedtls_strerror( ret, buf, 1024 );
|
mbedtls_strerror( ret, buf, 1024 );
|
||||||
mbedtls_printf( " failed\n ! mbedtls_x509_csr_parse_file returned -0x%02x - %s\n\n", -ret, buf );
|
mbedtls_printf( " failed\n ! mbedtls_x509_csr_parse_file "
|
||||||
|
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -450,7 +557,8 @@ int main( int argc, char *argv[] )
|
||||||
if( ret < 0 )
|
if( ret < 0 )
|
||||||
{
|
{
|
||||||
mbedtls_strerror( ret, buf, 1024 );
|
mbedtls_strerror( ret, buf, 1024 );
|
||||||
mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets returned -0x%02x - %s\n\n", -ret, buf );
|
mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets "
|
||||||
|
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -474,7 +582,8 @@ int main( int argc, char *argv[] )
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
{
|
{
|
||||||
mbedtls_strerror( ret, buf, 1024 );
|
mbedtls_strerror( ret, buf, 1024 );
|
||||||
mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile returned -0x%02x - %s\n\n", -ret, buf );
|
mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile "
|
||||||
|
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -489,7 +598,8 @@ int main( int argc, char *argv[] )
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
{
|
{
|
||||||
mbedtls_strerror( ret, buf, 1024 );
|
mbedtls_strerror( ret, buf, 1024 );
|
||||||
mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile returned -x%02x - %s\n\n", -ret, buf );
|
mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile "
|
||||||
|
"returned -x%02x - %s\n\n", -ret, buf );
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -503,7 +613,8 @@ int main( int argc, char *argv[] )
|
||||||
mbedtls_mpi_cmp_mpi( &mbedtls_pk_rsa( issuer_crt.pk )->E,
|
mbedtls_mpi_cmp_mpi( &mbedtls_pk_rsa( issuer_crt.pk )->E,
|
||||||
&mbedtls_pk_rsa( *issuer_key )->E ) != 0 )
|
&mbedtls_pk_rsa( *issuer_key )->E ) != 0 )
|
||||||
{
|
{
|
||||||
mbedtls_printf( " failed\n ! issuer_key does not match issuer certificate\n\n" );
|
mbedtls_printf( " failed\n ! issuer_key does not match "
|
||||||
|
"issuer certificate\n\n" );
|
||||||
ret = -1;
|
ret = -1;
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
@ -526,25 +637,31 @@ int main( int argc, char *argv[] )
|
||||||
if( ( ret = mbedtls_x509write_crt_set_subject_name( &crt, opt.subject_name ) ) != 0 )
|
if( ( ret = mbedtls_x509write_crt_set_subject_name( &crt, opt.subject_name ) ) != 0 )
|
||||||
{
|
{
|
||||||
mbedtls_strerror( ret, buf, 1024 );
|
mbedtls_strerror( ret, buf, 1024 );
|
||||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_name returned -0x%02x - %s\n\n", -ret, buf );
|
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_name "
|
||||||
|
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
if( ( ret = mbedtls_x509write_crt_set_issuer_name( &crt, opt.issuer_name ) ) != 0 )
|
if( ( ret = mbedtls_x509write_crt_set_issuer_name( &crt, opt.issuer_name ) ) != 0 )
|
||||||
{
|
{
|
||||||
mbedtls_strerror( ret, buf, 1024 );
|
mbedtls_strerror( ret, buf, 1024 );
|
||||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_issuer_name returned -0x%02x - %s\n\n", -ret, buf );
|
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_issuer_name "
|
||||||
|
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
mbedtls_printf( " . Setting certificate values ..." );
|
mbedtls_printf( " . Setting certificate values ..." );
|
||||||
fflush( stdout );
|
fflush( stdout );
|
||||||
|
|
||||||
|
mbedtls_x509write_crt_set_version( &crt, opt.version );
|
||||||
|
mbedtls_x509write_crt_set_md_alg( &crt, opt.md );
|
||||||
|
|
||||||
ret = mbedtls_x509write_crt_set_serial( &crt, &serial );
|
ret = mbedtls_x509write_crt_set_serial( &crt, &serial );
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
{
|
{
|
||||||
mbedtls_strerror( ret, buf, 1024 );
|
mbedtls_strerror( ret, buf, 1024 );
|
||||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_serial returned -0x%02x - %s\n\n", -ret, buf );
|
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_serial "
|
||||||
|
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -552,55 +669,74 @@ int main( int argc, char *argv[] )
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
{
|
{
|
||||||
mbedtls_strerror( ret, buf, 1024 );
|
mbedtls_strerror( ret, buf, 1024 );
|
||||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_validity returned -0x%02x - %s\n\n", -ret, buf );
|
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_validity "
|
||||||
|
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
mbedtls_printf( " ok\n" );
|
mbedtls_printf( " ok\n" );
|
||||||
|
|
||||||
mbedtls_printf( " . Adding the Basic Constraints extension ..." );
|
if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
|
||||||
fflush( stdout );
|
opt.basic_constraints != 0 )
|
||||||
|
|
||||||
ret = mbedtls_x509write_crt_set_basic_constraints( &crt, opt.is_ca,
|
|
||||||
opt.max_pathlen );
|
|
||||||
if( ret != 0 )
|
|
||||||
{
|
{
|
||||||
mbedtls_strerror( ret, buf, 1024 );
|
mbedtls_printf( " . Adding the Basic Constraints extension ..." );
|
||||||
mbedtls_printf( " failed\n ! x509write_crt_set_basic_contraints returned -0x%02x - %s\n\n", -ret, buf );
|
fflush( stdout );
|
||||||
goto exit;
|
|
||||||
}
|
|
||||||
|
|
||||||
mbedtls_printf( " ok\n" );
|
ret = mbedtls_x509write_crt_set_basic_constraints( &crt, opt.is_ca,
|
||||||
|
opt.max_pathlen );
|
||||||
|
if( ret != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_strerror( ret, buf, 1024 );
|
||||||
|
mbedtls_printf( " failed\n ! x509write_crt_set_basic_contraints "
|
||||||
|
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
mbedtls_printf( " ok\n" );
|
||||||
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_SHA1_C)
|
#if defined(MBEDTLS_SHA1_C)
|
||||||
mbedtls_printf( " . Adding the Subject Key Identifier ..." );
|
if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
|
||||||
fflush( stdout );
|
opt.subject_identifier != 0 )
|
||||||
|
|
||||||
ret = mbedtls_x509write_crt_set_subject_key_identifier( &crt );
|
|
||||||
if( ret != 0 )
|
|
||||||
{
|
{
|
||||||
mbedtls_strerror( ret, buf, 1024 );
|
mbedtls_printf( " . Adding the Subject Key Identifier ..." );
|
||||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_key_identifier returned -0x%02x - %s\n\n", -ret, buf );
|
fflush( stdout );
|
||||||
goto exit;
|
|
||||||
|
ret = mbedtls_x509write_crt_set_subject_key_identifier( &crt );
|
||||||
|
if( ret != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_strerror( ret, buf, 1024 );
|
||||||
|
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject"
|
||||||
|
"_key_identifier returned -0x%04x - %s\n\n",
|
||||||
|
-ret, buf );
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
mbedtls_printf( " ok\n" );
|
||||||
}
|
}
|
||||||
|
|
||||||
mbedtls_printf( " ok\n" );
|
if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
|
||||||
|
opt.authority_identifier != 0 )
|
||||||
mbedtls_printf( " . Adding the Authority Key Identifier ..." );
|
|
||||||
fflush( stdout );
|
|
||||||
|
|
||||||
ret = mbedtls_x509write_crt_set_authority_key_identifier( &crt );
|
|
||||||
if( ret != 0 )
|
|
||||||
{
|
{
|
||||||
mbedtls_strerror( ret, buf, 1024 );
|
mbedtls_printf( " . Adding the Authority Key Identifier ..." );
|
||||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_authority_key_identifier returned -0x%02x - %s\n\n", -ret, buf );
|
fflush( stdout );
|
||||||
goto exit;
|
|
||||||
}
|
|
||||||
|
|
||||||
mbedtls_printf( " ok\n" );
|
ret = mbedtls_x509write_crt_set_authority_key_identifier( &crt );
|
||||||
|
if( ret != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_strerror( ret, buf, 1024 );
|
||||||
|
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_authority_"
|
||||||
|
"key_identifier returned -0x%04x - %s\n\n",
|
||||||
|
-ret, buf );
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
mbedtls_printf( " ok\n" );
|
||||||
|
}
|
||||||
#endif /* MBEDTLS_SHA1_C */
|
#endif /* MBEDTLS_SHA1_C */
|
||||||
|
|
||||||
if( opt.key_usage )
|
if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
|
||||||
|
opt.key_usage != 0 )
|
||||||
{
|
{
|
||||||
mbedtls_printf( " . Adding the Key Usage extension ..." );
|
mbedtls_printf( " . Adding the Key Usage extension ..." );
|
||||||
fflush( stdout );
|
fflush( stdout );
|
||||||
|
@ -609,14 +745,16 @@ int main( int argc, char *argv[] )
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
{
|
{
|
||||||
mbedtls_strerror( ret, buf, 1024 );
|
mbedtls_strerror( ret, buf, 1024 );
|
||||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_key_usage returned -0x%02x - %s\n\n", -ret, buf );
|
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_key_usage "
|
||||||
|
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
mbedtls_printf( " ok\n" );
|
mbedtls_printf( " ok\n" );
|
||||||
}
|
}
|
||||||
|
|
||||||
if( opt.ns_cert_type )
|
if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
|
||||||
|
opt.ns_cert_type != 0 )
|
||||||
{
|
{
|
||||||
mbedtls_printf( " . Adding the NS Cert Type extension ..." );
|
mbedtls_printf( " . Adding the NS Cert Type extension ..." );
|
||||||
fflush( stdout );
|
fflush( stdout );
|
||||||
|
@ -625,7 +763,8 @@ int main( int argc, char *argv[] )
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
{
|
{
|
||||||
mbedtls_strerror( ret, buf, 1024 );
|
mbedtls_strerror( ret, buf, 1024 );
|
||||||
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ns_cert_type returned -0x%02x - %s\n\n", -ret, buf );
|
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ns_cert_type "
|
||||||
|
"returned -0x%04x - %s\n\n", -ret, buf );
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -642,7 +781,8 @@ int main( int argc, char *argv[] )
|
||||||
mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
|
mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
|
||||||
{
|
{
|
||||||
mbedtls_strerror( ret, buf, 1024 );
|
mbedtls_strerror( ret, buf, 1024 );
|
||||||
mbedtls_printf( " failed\n ! write_certifcate -0x%02x - %s\n\n", -ret, buf );
|
mbedtls_printf( " failed\n ! write_certificate -0x%04x - %s\n\n",
|
||||||
|
-ret, buf );
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -12,6 +12,7 @@
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
OPENSSL ?= openssl
|
OPENSSL ?= openssl
|
||||||
|
MBEDTLS_CERT_WRITE ?= $(PWD)/../../programs/x509/cert_write
|
||||||
|
|
||||||
## Build the generated test data. Note that since the final outputs
|
## Build the generated test data. Note that since the final outputs
|
||||||
## are committed to the repository, this target should do nothing on a
|
## are committed to the repository, this target should do nothing on a
|
||||||
|
@ -30,6 +31,7 @@ all_final := # files used by tests
|
||||||
#### Generate certificates from existing keys
|
#### Generate certificates from existing keys
|
||||||
################################################################
|
################################################################
|
||||||
|
|
||||||
|
test_ca_crt = test-ca.crt
|
||||||
test_ca_key_file_rsa = test-ca.key
|
test_ca_key_file_rsa = test-ca.key
|
||||||
test_ca_pwd_rsa = PolarSSLTest
|
test_ca_pwd_rsa = PolarSSLTest
|
||||||
test_ca_config_file = test-ca.opensslconf
|
test_ca_config_file = test-ca.opensslconf
|
||||||
|
@ -64,6 +66,8 @@ server2-sha256.crt: server2-rsa.csr
|
||||||
$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in server2-rsa.csr -out $@
|
$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in server2-rsa.csr -out $@
|
||||||
all_final += server2-sha256.crt
|
all_final += server2-sha256.crt
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
################################################################
|
################################################################
|
||||||
#### Generate various RSA keys
|
#### Generate various RSA keys
|
||||||
################################################################
|
################################################################
|
||||||
|
@ -309,6 +313,85 @@ keys_rsa_enc_pkcs8_v2: keys_rsa_enc_pkcs8_v2_1024 keys_rsa_enc_pkcs8_v2_2048 key
|
||||||
### Generate all RSA keys
|
### Generate all RSA keys
|
||||||
keys_rsa_all: keys_rsa_unenc keys_rsa_enc_basic keys_rsa_enc_pkcs8_v1 keys_rsa_enc_pkcs8_v2
|
keys_rsa_all: keys_rsa_unenc keys_rsa_enc_basic keys_rsa_enc_pkcs8_v1 keys_rsa_enc_pkcs8_v2
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
################################################################
|
||||||
|
### Generate certificates for CRT write check tests
|
||||||
|
################################################################
|
||||||
|
|
||||||
|
### The test files use the Mbed TLS generated certificates server1*.crt,
|
||||||
|
### but for comparison with OpenSSL also rules for OpenSSL-generated
|
||||||
|
### certificates server1*.crt.openssl are offered.
|
||||||
|
###
|
||||||
|
### Known differences:
|
||||||
|
### * OpenSSL encodes trailing zero-bits in bit-strings occurring in X.509 extension
|
||||||
|
### as unused bits, while Mbed TLS doesn't.
|
||||||
|
|
||||||
|
test_ca_server1_db = test-ca.server1.db
|
||||||
|
test_ca_server1_serial = test-ca.server1.serial
|
||||||
|
test_ca_server1_config_file = test-ca.server1.opensslconf
|
||||||
|
|
||||||
|
server1.csr: server1.key server1_csr.opensslconf
|
||||||
|
$(OPENSSL) req -keyform PEM -key server1.key -config server1_csr.opensslconf -out $@ -new
|
||||||
|
all_final += server1.csr
|
||||||
|
|
||||||
|
server1.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
||||||
|
$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 version=3 output_file=$@
|
||||||
|
server1.noauthid.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
||||||
|
$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20110212144406 not_after=20210212144406 md=SHA1 authority_identifier=0 version=3 output_file=$@
|
||||||
|
server1.der: server1.crt
|
||||||
|
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
||||||
|
all_final += server1.crt server1.noauthid.crt server1.der
|
||||||
|
|
||||||
|
server1.key_usage.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
||||||
|
$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 key_usage=digital_signature,non_repudiation,key_encipherment version=3 output_file=$@
|
||||||
|
server1.key_usage_noauthid.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
||||||
|
$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 key_usage=digital_signature,non_repudiation,key_encipherment authority_identifier=0 version=3 output_file=$@
|
||||||
|
server1.key_usage.der: server1.key_usage.crt
|
||||||
|
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
||||||
|
all_final += server1.key_usage.crt server1.key_usage_noauthid.crt server1.key_usage.der
|
||||||
|
|
||||||
|
server1.cert_type.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
||||||
|
$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 ns_cert_type=ssl_server version=3 output_file=$@
|
||||||
|
server1.cert_type_noauthid.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
||||||
|
$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 ns_cert_type=ssl_server authority_identifier=0 version=3 output_file=$@
|
||||||
|
server1.cert_type.der: server1.cert_type.crt
|
||||||
|
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
||||||
|
all_final += server1.cert_type.crt server1.cert_type_noauthid.crt server1.cert_type.der
|
||||||
|
|
||||||
|
server1.v1.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
||||||
|
$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 version=1 output_file=$@
|
||||||
|
server1.v1.der: server1.v1.crt
|
||||||
|
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
||||||
|
all_final += server1.v1.crt server1.v1.der
|
||||||
|
|
||||||
|
# OpenSSL-generated certificates for comparison
|
||||||
|
# Also provide certificates in DER format to allow
|
||||||
|
# direct binary comparison using e.g. dumpasn1
|
||||||
|
server1.crt.openssl server1.key_usage.crt.openssl server1.cert_type.crt.openssl: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_server1_config_file)
|
||||||
|
echo "01" > $(test_ca_server1_serial)
|
||||||
|
rm -f $(test_ca_server1_db)
|
||||||
|
touch $(test_ca_server1_db)
|
||||||
|
$(OPENSSL) ca -batch -passin "pass:$(test_ca_pwd_rsa)" -config $(test_ca_server1_config_file) -in server1.csr -extensions v3_ext -extfile $@.v3_ext -out $@
|
||||||
|
server1.der.openssl: server1.crt.openssl
|
||||||
|
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
||||||
|
server1.key_usage.der.openssl: server1.key_usage.crt.openssl
|
||||||
|
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
||||||
|
server1.cert_type.der.openssl: server1.cert_type.crt.openssl
|
||||||
|
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
||||||
|
|
||||||
|
server1.v1.crt.openssl: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_server1_config_file)
|
||||||
|
echo "01" > $(test_ca_server1_serial)
|
||||||
|
rm -f $(test_ca_server1_db)
|
||||||
|
touch $(test_ca_server1_db)
|
||||||
|
$(OPENSSL) ca -batch -passin "pass:$(test_ca_pwd_rsa)" -config $(test_ca_server1_config_file) -in server1.csr -out $@
|
||||||
|
server1.v1.der.openssl: server1.v1.crt.openssl
|
||||||
|
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
||||||
|
|
||||||
|
server1_all: server1.csr server1.crt server1.noauthid.crt server1.crt.openssl server1.v1.crt server1.v1.crt.openssl server1.key_usage.crt server1.key_usage_noauthid.crt server1.key_usage.crt.openssl server1.cert_type.crt server1.cert_type_noauthid.crt server1.cert_type.crt.openssl server1.der server1.der.openssl server1.v1.der server1.v1.der.openssl server1.key_usage.der server1.key_usage.der.openssl server1.cert_type.der server1.cert_type.der.openssl
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
################################################################
|
################################################################
|
||||||
#### Meta targets
|
#### Meta targets
|
||||||
################################################################
|
################################################################
|
||||||
|
@ -316,10 +399,15 @@ keys_rsa_all: keys_rsa_unenc keys_rsa_enc_basic keys_rsa_enc_pkcs8_v1 keys_rsa_e
|
||||||
all_final: $(all_final)
|
all_final: $(all_final)
|
||||||
all: $(all_intermediate) $(all_final)
|
all: $(all_intermediate) $(all_final)
|
||||||
|
|
||||||
.PHONY: default all_final all keys_rsa_unenc keys_rsa_enc_basic keys_rsa_enc_pkcs8_v1 keys_rsa_enc_pkcs8_v2 keys_rsa_all \
|
.PHONY: default all_final all
|
||||||
keys_rsa_enc_basic_1024 keys_rsa_enc_basic_2048 keys_rsa_enc_basic_4096 keys_rsa_enc_pkcs8_v1_1024 \
|
.PHONY: keys_rsa_all
|
||||||
keys_rsa_enc_pkcs8_v1_2048 keys_rsa_enc_pkcs8_v1_4096 keys_rsa_enc_pkcs8_v2_1024 \
|
.PHONY: keys_rsa_unenc keys_rsa_enc_basic
|
||||||
keys_rsa_enc_pkcs8_v2_2048 keys_rsa_enc_pkcs8_v2_4096
|
.PHONY: keys_rsa_enc_pkcs8_v1 keys_rsa_enc_pkcs8_v2
|
||||||
|
.PHONY: keys_rsa_enc_basic_1024 keys_rsa_enc_basic_2048 keys_rsa_enc_basic_4096
|
||||||
|
.PHONY: keys_rsa_enc_pkcs8_v1_1024 keys_rsa_enc_pkcs8_v2_1024
|
||||||
|
.PHONY: keys_rsa_enc_pkcs8_v1_2048 keys_rsa_enc_pkcs8_v2_2048
|
||||||
|
.PHONY: keys_rsa_enc_pkcs8_v1_4096 keys_rsa_enc_pkcs8_v2_4096
|
||||||
|
.PHONY: server1_all
|
||||||
|
|
||||||
# These files should not be committed to the repository.
|
# These files should not be committed to the repository.
|
||||||
list_intermediate:
|
list_intermediate:
|
||||||
|
|
5
tests/data_files/server1.cert_type.crt.openssl.v3_ext
Normal file
5
tests/data_files/server1.cert_type.crt.openssl.v3_ext
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
[v3_ext]
|
||||||
|
basicConstraints = CA:false
|
||||||
|
subjectKeyIdentifier=hash
|
||||||
|
authorityKeyIdentifier=keyid
|
||||||
|
nsCertType=server
|
20
tests/data_files/server1.cert_type_noauthid.crt
Normal file
20
tests/data_files/server1.cert_type_noauthid.crt
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDMTCCAhmgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
|
||||||
|
MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
|
||||||
|
MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
|
||||||
|
A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
|
||||||
|
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
|
||||||
|
uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
|
||||||
|
d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
|
||||||
|
CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
|
||||||
|
lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
|
||||||
|
bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
|
||||||
|
oz8wPTAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAR
|
||||||
|
BglghkgBhvhCAQEEBAMCAEAwDQYJKoZIhvcNAQEFBQADggEBABNT+r+6vvlpjtyz
|
||||||
|
mewrGOKPt5iwb8w2aReJ0AWuyQzTiduN26MhXq93cXHV0pHj2rD7MfiBEwBSWnf9
|
||||||
|
FcxkE0g77GVyM9Vs9Uy/MspIqOce7JD0c36G4EI8lYce2TYwQLE9CGNl+LDxqkLy
|
||||||
|
prijXBl/FaD+IO/SNMr3VVnfFEZqPUxg+BSTaGgD+52Z7B4nPP0xGPjlW367RGDv
|
||||||
|
9dIkr1thve2WOeC9ixxl9K/864I7/0GdbgKSf77xl3/5vnQUOY7kugRvkvxWIgHS
|
||||||
|
HNVnmEN2I2Nb0M8lQNF1sFDbpFwVbh9CkBF5LJNesy0VWd67Ho6EntPEb7vBFF/x
|
||||||
|
jz0b2l4=
|
||||||
|
-----END CERTIFICATE-----
|
4
tests/data_files/server1.crt.openssl.v3_ext
Normal file
4
tests/data_files/server1.crt.openssl.v3_ext
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
[v3_ext]
|
||||||
|
basicConstraints = CA:false
|
||||||
|
subjectKeyIdentifier=hash
|
||||||
|
authorityKeyIdentifier=keyid
|
16
tests/data_files/server1.csr
Normal file
16
tests/data_files/server1.csr
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
-----BEGIN CERTIFICATE REQUEST-----
|
||||||
|
MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow
|
||||||
|
GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||||
|
ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
|
||||||
|
ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
|
||||||
|
HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
|
||||||
|
W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
|
||||||
|
FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
|
||||||
|
DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBCwUA
|
||||||
|
A4IBAQBY/1nnYQ3ThVyeZb1Z2wLYoHZ5rfeJCedyP7N/gjJZjhrMbwioUft2uHpb
|
||||||
|
+OZQfxRXJTbtj/1wpRMCoUMLWzapS7/xGx3IjoPtl42aM4M+xVYvbLjExL13kUAr
|
||||||
|
eE4JWcMIbTEPol2zSdX/LuB+m27jEp5VsvM2ty9qOw/T4iKwjFSe6pcYZ2spks19
|
||||||
|
3ltgjnaamwqKcN9zUA3IERTsWjr5exKYgfXm2OeeuSP0tHr7Dh+w/2XA9dGcLhrm
|
||||||
|
TA4P8QjIgSDlyzmhYYmsrioFPuCfdi1uzs8bxmbLXbiCGZ8TDMy5oLqLo1K+j2pF
|
||||||
|
ox+ATHKxQ/XpRQP+2OTb9sw1kM59
|
||||||
|
-----END CERTIFICATE REQUEST-----
|
5
tests/data_files/server1.key_usage.crt.openssl.v3_ext
Normal file
5
tests/data_files/server1.key_usage.crt.openssl.v3_ext
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
[v3_ext]
|
||||||
|
basicConstraints = CA:false
|
||||||
|
subjectKeyIdentifier=hash
|
||||||
|
authorityKeyIdentifier=keyid
|
||||||
|
keyUsage=critical, digitalSignature, nonRepudiation, keyEncipherment
|
20
tests/data_files/server1.key_usage_noauthid.crt
Normal file
20
tests/data_files/server1.key_usage_noauthid.crt
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDLjCCAhagAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
|
||||||
|
MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
|
||||||
|
MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
|
||||||
|
A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
|
||||||
|
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
|
||||||
|
uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
|
||||||
|
d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
|
||||||
|
CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
|
||||||
|
lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
|
||||||
|
bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
|
||||||
|
ozwwOjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAO
|
||||||
|
BgNVHQ8BAf8EBAMCAeAwDQYJKoZIhvcNAQEFBQADggEBAJZRIISo4+rDvHXXaS43
|
||||||
|
shfSkyJyur588mNJFzty1WVfhaIkwjMIGHeGlHS29fwgPsBUgelZ3Qv3J7wsm42+
|
||||||
|
3BwQet0l36FIBIJtFhcrTGlaCFUo/5bZJUPGgiOFB9ec/8lOszVlX8cH34UimWqg
|
||||||
|
q2wXRGoXWPbuRnUWlJhI2bAv5ri9Mt7Rs4nK4wyS1ZjC8ByXMn4tk3yMjkUEqu0o
|
||||||
|
37zoQiF+FJApu0eTKK5goA2hisyfCX9eJMppAbcyvJwoj/AmiBkXW8J3kEMJtLmZ
|
||||||
|
VoxXYknnXumxBLxUrGuamR/3cmbaJHIHE1Dqox7hB+9miyp4lue1/uXHCocGAIeF
|
||||||
|
JTo=
|
||||||
|
-----END CERTIFICATE-----
|
19
tests/data_files/server1.noauthid.crt
Normal file
19
tests/data_files/server1.noauthid.crt
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDHjCCAgagAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
|
||||||
|
MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
|
||||||
|
MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
|
||||||
|
A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
|
||||||
|
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
|
||||||
|
uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
|
||||||
|
d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
|
||||||
|
CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
|
||||||
|
lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
|
||||||
|
bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
|
||||||
|
oywwKjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAN
|
||||||
|
BgkqhkiG9w0BAQUFAAOCAQEAUMDKviuchRc4ICoVwi9LFyfQjxFQLgjnX1UYSqc5
|
||||||
|
UptiJsDpbJ+TMbOhNBs7YRV7ju61J33ax1fqgcFWkc2M2Vsqzz9+3zJlQoQuOLxH
|
||||||
|
5C6v5/rhUEV9HMy3K5SIa/BVem9osWvMwDnB8g5k3wCZAnOuFcT6ttvzRqz6Oh9d
|
||||||
|
avozrYHsATzPXBal41Gf95cNVcJ1pn/JgE4EOijMqmAPldVbCqfXLl6TB0nJS6dm
|
||||||
|
q9z73DGrVQlOwmCVI+qD2POJI67LuQ0g6Y0WVMxsWilMppt+UrEknMzk4O4qOaUs
|
||||||
|
1B20vI/bN4XPDnw58psazdoBxFL+fAk5MbTNKETNHjBsIg==
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -1,18 +1,18 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
-----BEGIN CERTIFICATE-----
|
||||||
MIIC9DCCAdygAwIBAAIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
|
MIIC6zCCAdMCAQEwDQYJKoZIhvcNAQEFBQAwOzELMAkGA1UEBhMCTkwxETAPBgNV
|
||||||
MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
|
BAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4XDTExMDIx
|
||||||
MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
|
MjE0NDQwNloXDTIxMDIxMjE0NDQwNlowPDELMAkGA1UEBhMCTkwxETAPBgNVBAoT
|
||||||
A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
|
CFBvbGFyU1NMMRowGAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZI
|
||||||
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
|
hvcNAQEBBQADggEPADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb
|
||||||
uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
|
7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJ
|
||||||
d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
|
BEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8Yw
|
||||||
CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
|
fhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5B
|
||||||
lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
|
Xhem2mxbacwCuhQsFiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1Y
|
||||||
bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
|
ieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAATANBgkq
|
||||||
owIwADANBgkqhkiG9w0BAQUFAAOCAQEAoZVuVi7bIslKgMJhejSFXiO+ICMz1fmK
|
hkiG9w0BAQUFAAOCAQEAPMRfR9ql7b06b5DdNyJhD96lBzuVSUOW2MgVHT2Vs7NB
|
||||||
b0tPN68mRYhI/gsjRT0cmX6GUNrg+U5mcBWhMwHgyvx1CARU4YToKZxcXGNL0DPd
|
tk5L1htpA5N4uaIeyt6YM0xU0nHdHUKaywNcDiXcnzvRoctGWiWdpcEvdA0rYRF5
|
||||||
Z1hF8nCrJCZBQvNuWE7s0ufw92xz5ZfuKkVxi94RYR529F6gzgl4rpX8UQVu2ym/
|
T4MGPpjEuLJcG3aTU8mV8wUEbrY6IEnSpC1G9iasjhkwAF7pb/Ic8+/riwmPD/Fh
|
||||||
9pTlHKr4MKi9LNppyJMS89uRcb2FJFMdhAKbhNtbIjI9qGZ7x//0belAaWhq389u
|
zBrRfBCgi5VXbX9IvY+yQHRVRal8y+n4eh9/hFxBKDbvuidFropGzcuparEwCIRi
|
||||||
6XWFnZt35PU6Zz6YbAQ5pjZYsTaohuufgrpOlFPUuc4uR+RfGHIQ6id12lZaQC2m
|
U7L/7aZ3A5wsQp9GPDliSjpeYCf5tok/bvjG4xU041pGQ7yVNpu2mEIoqDz9v+Ay
|
||||||
OFIBDcU0x1cFfPfMgVdBLf6klPt/v/tD77mwx0eztSp28NIf+ACw8A==
|
IKqsWradEnFG/1ov78a2RB+2+iIPE4iCDtmKUkgPjQ==
|
||||||
-----END CERTIFICATE-----
|
-----END CERTIFICATE-----
|
||||||
|
|
10
tests/data_files/server1_csr.opensslconf
Normal file
10
tests/data_files/server1_csr.opensslconf
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
[ req ]
|
||||||
|
distinguished_name = req_distinguished_name
|
||||||
|
prompt = no
|
||||||
|
# Restrict to non-UTF8 PrintableStrings.
|
||||||
|
string_mask = nombstr
|
||||||
|
|
||||||
|
[ req_distinguished_name ]
|
||||||
|
C = NL
|
||||||
|
O = PolarSSL
|
||||||
|
CN = PolarSSL Server 1
|
18
tests/data_files/test-ca.server1.opensslconf
Normal file
18
tests/data_files/test-ca.server1.opensslconf
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
[ ca ]
|
||||||
|
default_ca = test-ca
|
||||||
|
|
||||||
|
[ test-ca ]
|
||||||
|
certificate = test-ca.crt
|
||||||
|
private_key = test-ca.key
|
||||||
|
serial = test-ca.server1.serial
|
||||||
|
default_md = sha1
|
||||||
|
default_startdate = 110212144406Z
|
||||||
|
default_enddate = 210212144406Z
|
||||||
|
new_certs_dir = ./
|
||||||
|
database = ./test-ca.server1.db
|
||||||
|
policy = policy_match
|
||||||
|
|
||||||
|
[policy_match]
|
||||||
|
countryName = supplied
|
||||||
|
organizationName = supplied
|
||||||
|
commonName = supplied
|
|
@ -44,19 +44,35 @@ x509_csr_check:"data_files/server5.key":"data_files/server5.req.ku.sha1":MBEDTLS
|
||||||
|
|
||||||
Certificate write check Server1 SHA1
|
Certificate write check Server1 SHA1
|
||||||
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
|
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
|
||||||
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:-1:"data_files/server1.crt"
|
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:1:-1:"data_files/server1.crt":0
|
||||||
|
|
||||||
Certificate write check Server1 SHA1, key_usage
|
Certificate write check Server1 SHA1, key_usage
|
||||||
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
|
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
|
||||||
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:-1:"data_files/server1.key_usage.crt"
|
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:1:-1:"data_files/server1.key_usage.crt":0
|
||||||
|
|
||||||
Certificate write check Server1 SHA1, ns_cert_type
|
Certificate write check Server1 SHA1, ns_cert_type
|
||||||
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
|
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
|
||||||
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:-1:"data_files/server1.cert_type.crt"
|
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:-1:"data_files/server1.cert_type.crt":0
|
||||||
|
|
||||||
Certificate write check Server1 SHA1, version 1
|
Certificate write check Server1 SHA1, version 1
|
||||||
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
|
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
|
||||||
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt"
|
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0
|
||||||
|
|
||||||
|
Certificate write check Server1 SHA1, RSA_ALT
|
||||||
|
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
|
||||||
|
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:-1:"data_files/server1.noauthid.crt":1
|
||||||
|
|
||||||
|
Certificate write check Server1 SHA1, RSA_ALT, key_usage
|
||||||
|
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
|
||||||
|
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1
|
||||||
|
|
||||||
|
Certificate write check Server1 SHA1, RSA_ALT, ns_cert_type
|
||||||
|
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
|
||||||
|
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:0:-1:"data_files/server1.cert_type_noauthid.crt":1
|
||||||
|
|
||||||
|
Certificate write check Server1 SHA1, RSA_ALT, version 1
|
||||||
|
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
|
||||||
|
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1
|
||||||
|
|
||||||
X509 String to Names #1
|
X509 String to Names #1
|
||||||
mbedtls_x509_string_to_names:"C=NL,O=Offspark\, Inc., OU=PolarSSL":"C=NL, O=Offspark, Inc., OU=PolarSSL":0
|
mbedtls_x509_string_to_names:"C=NL,O=Offspark\, Inc., OU=PolarSSL":"C=NL, O=Offspark, Inc., OU=PolarSSL":0
|
||||||
|
|
|
@ -3,6 +3,30 @@
|
||||||
#include "mbedtls/x509_csr.h"
|
#include "mbedtls/x509_csr.h"
|
||||||
#include "mbedtls/pem.h"
|
#include "mbedtls/pem.h"
|
||||||
#include "mbedtls/oid.h"
|
#include "mbedtls/oid.h"
|
||||||
|
#include "mbedtls/rsa.h"
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_RSA_C)
|
||||||
|
int mbedtls_rsa_decrypt_func( void *ctx, int mode, size_t *olen,
|
||||||
|
const unsigned char *input, unsigned char *output,
|
||||||
|
size_t output_max_len )
|
||||||
|
{
|
||||||
|
return( mbedtls_rsa_pkcs1_decrypt( (mbedtls_rsa_context *) ctx, NULL, NULL, mode, olen,
|
||||||
|
input, output, output_max_len ) );
|
||||||
|
}
|
||||||
|
int mbedtls_rsa_sign_func( void *ctx,
|
||||||
|
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
|
||||||
|
int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
|
||||||
|
const unsigned char *hash, unsigned char *sig )
|
||||||
|
{
|
||||||
|
return( mbedtls_rsa_pkcs1_sign( (mbedtls_rsa_context *) ctx, f_rng, p_rng, mode,
|
||||||
|
md_alg, hashlen, hash, sig ) );
|
||||||
|
}
|
||||||
|
size_t mbedtls_rsa_key_len_func( void *ctx )
|
||||||
|
{
|
||||||
|
return( ((const mbedtls_rsa_context *) ctx)->len );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_RSA_C */
|
||||||
|
|
||||||
/* END_HEADER */
|
/* END_HEADER */
|
||||||
|
|
||||||
/* BEGIN_DEPENDENCIES
|
/* BEGIN_DEPENDENCIES
|
||||||
|
@ -39,7 +63,7 @@ void x509_csr_check( char *key_file, char *cert_req_check_file,
|
||||||
if( cert_type != 0 )
|
if( cert_type != 0 )
|
||||||
TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 );
|
TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 );
|
||||||
|
|
||||||
ret = mbedtls_x509write_csr_pem( &req, buf, sizeof(buf),
|
ret = mbedtls_x509write_csr_pem( &req, buf, sizeof( buf ),
|
||||||
rnd_pseudo_rand, &rnd_info );
|
rnd_pseudo_rand, &rnd_info );
|
||||||
TEST_ASSERT( ret == 0 );
|
TEST_ASSERT( ret == 0 );
|
||||||
|
|
||||||
|
@ -75,10 +99,12 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd,
|
||||||
char *subject_name, char *issuer_key_file,
|
char *subject_name, char *issuer_key_file,
|
||||||
char *issuer_pwd, char *issuer_name,
|
char *issuer_pwd, char *issuer_name,
|
||||||
char *serial_str, char *not_before, char *not_after,
|
char *serial_str, char *not_before, char *not_after,
|
||||||
int md_type, int key_usage, int cert_type, int ver,
|
int md_type, int key_usage, int cert_type, int auth_ident,
|
||||||
char *cert_check_file )
|
int ver, char *cert_check_file, int rsa_alt )
|
||||||
{
|
{
|
||||||
mbedtls_pk_context subject_key, issuer_key;
|
mbedtls_pk_context subject_key, issuer_key, issuer_key_alt;
|
||||||
|
mbedtls_pk_context *key = &issuer_key;
|
||||||
|
|
||||||
mbedtls_x509write_cert crt;
|
mbedtls_x509write_cert crt;
|
||||||
unsigned char buf[4096];
|
unsigned char buf[4096];
|
||||||
unsigned char check_buf[5000];
|
unsigned char check_buf[5000];
|
||||||
|
@ -91,68 +117,89 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd,
|
||||||
|
|
||||||
memset( &rnd_info, 0x2a, sizeof( rnd_pseudo_info ) );
|
memset( &rnd_info, 0x2a, sizeof( rnd_pseudo_info ) );
|
||||||
mbedtls_mpi_init( &serial );
|
mbedtls_mpi_init( &serial );
|
||||||
|
|
||||||
mbedtls_pk_init( &subject_key );
|
mbedtls_pk_init( &subject_key );
|
||||||
mbedtls_pk_init( &issuer_key );
|
mbedtls_pk_init( &issuer_key );
|
||||||
|
mbedtls_pk_init( &issuer_key_alt );
|
||||||
|
|
||||||
|
mbedtls_x509write_crt_init( &crt );
|
||||||
|
|
||||||
TEST_ASSERT( mbedtls_pk_parse_keyfile( &subject_key, subject_key_file,
|
TEST_ASSERT( mbedtls_pk_parse_keyfile( &subject_key, subject_key_file,
|
||||||
subject_pwd ) == 0 );
|
subject_pwd ) == 0 );
|
||||||
|
|
||||||
TEST_ASSERT( mbedtls_pk_parse_keyfile( &issuer_key, issuer_key_file,
|
TEST_ASSERT( mbedtls_pk_parse_keyfile( &issuer_key, issuer_key_file,
|
||||||
issuer_pwd ) == 0 );
|
issuer_pwd ) == 0 );
|
||||||
|
|
||||||
|
/* For RSA PK contexts, create a copy as an alternative RSA context. */
|
||||||
|
if( rsa_alt == 1 && mbedtls_pk_get_type( &issuer_key ) == MBEDTLS_PK_RSA )
|
||||||
|
{
|
||||||
|
TEST_ASSERT( mbedtls_pk_setup_rsa_alt( &issuer_key_alt,
|
||||||
|
mbedtls_pk_rsa( issuer_key ),
|
||||||
|
mbedtls_rsa_decrypt_func,
|
||||||
|
mbedtls_rsa_sign_func,
|
||||||
|
mbedtls_rsa_key_len_func ) == 0 );
|
||||||
|
|
||||||
|
key = &issuer_key_alt;
|
||||||
|
}
|
||||||
|
|
||||||
TEST_ASSERT( mbedtls_mpi_read_string( &serial, 10, serial_str ) == 0 );
|
TEST_ASSERT( mbedtls_mpi_read_string( &serial, 10, serial_str ) == 0 );
|
||||||
|
|
||||||
mbedtls_x509write_crt_init( &crt );
|
|
||||||
if( ver != -1 )
|
if( ver != -1 )
|
||||||
mbedtls_x509write_crt_set_version( &crt, ver );
|
mbedtls_x509write_crt_set_version( &crt, ver );
|
||||||
|
|
||||||
TEST_ASSERT( mbedtls_x509write_crt_set_serial( &crt, &serial ) == 0 );
|
TEST_ASSERT( mbedtls_x509write_crt_set_serial( &crt, &serial ) == 0 );
|
||||||
TEST_ASSERT( mbedtls_x509write_crt_set_validity( &crt, not_before,
|
TEST_ASSERT( mbedtls_x509write_crt_set_validity( &crt, not_before,
|
||||||
not_after ) == 0 );
|
not_after ) == 0 );
|
||||||
mbedtls_x509write_crt_set_md_alg( &crt, md_type );
|
mbedtls_x509write_crt_set_md_alg( &crt, md_type );
|
||||||
TEST_ASSERT( mbedtls_x509write_crt_set_issuer_name( &crt, issuer_name ) == 0 );
|
TEST_ASSERT( mbedtls_x509write_crt_set_issuer_name( &crt, issuer_name ) == 0 );
|
||||||
TEST_ASSERT( mbedtls_x509write_crt_set_subject_name( &crt, subject_name ) == 0 );
|
TEST_ASSERT( mbedtls_x509write_crt_set_subject_name( &crt, subject_name ) == 0 );
|
||||||
mbedtls_x509write_crt_set_subject_key( &crt, &subject_key );
|
mbedtls_x509write_crt_set_subject_key( &crt, &subject_key );
|
||||||
mbedtls_x509write_crt_set_issuer_key( &crt, &issuer_key );
|
|
||||||
|
mbedtls_x509write_crt_set_issuer_key( &crt, key );
|
||||||
|
|
||||||
if( crt.version >= MBEDTLS_X509_CRT_VERSION_3 )
|
if( crt.version >= MBEDTLS_X509_CRT_VERSION_3 )
|
||||||
{
|
{
|
||||||
TEST_ASSERT( mbedtls_x509write_crt_set_basic_constraints( &crt, 0, 0 ) == 0 );
|
TEST_ASSERT( mbedtls_x509write_crt_set_basic_constraints( &crt, 0, 0 ) == 0 );
|
||||||
TEST_ASSERT( mbedtls_x509write_crt_set_subject_key_identifier( &crt ) == 0 );
|
TEST_ASSERT( mbedtls_x509write_crt_set_subject_key_identifier( &crt ) == 0 );
|
||||||
TEST_ASSERT( mbedtls_x509write_crt_set_authority_key_identifier( &crt ) == 0 );
|
if( auth_ident )
|
||||||
|
TEST_ASSERT( mbedtls_x509write_crt_set_authority_key_identifier( &crt ) == 0 );
|
||||||
if( key_usage != 0 )
|
if( key_usage != 0 )
|
||||||
TEST_ASSERT( mbedtls_x509write_crt_set_key_usage( &crt, key_usage ) == 0 );
|
TEST_ASSERT( mbedtls_x509write_crt_set_key_usage( &crt, key_usage ) == 0 );
|
||||||
if( cert_type != 0 )
|
if( cert_type != 0 )
|
||||||
TEST_ASSERT( mbedtls_x509write_crt_set_ns_cert_type( &crt, cert_type ) == 0 );
|
TEST_ASSERT( mbedtls_x509write_crt_set_ns_cert_type( &crt, cert_type ) == 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = mbedtls_x509write_crt_pem( &crt, buf, sizeof(buf),
|
ret = mbedtls_x509write_crt_pem( &crt, buf, sizeof( buf ),
|
||||||
rnd_pseudo_rand, &rnd_info );
|
rnd_pseudo_rand, &rnd_info );
|
||||||
TEST_ASSERT( ret == 0 );
|
TEST_ASSERT( ret == 0 );
|
||||||
|
|
||||||
pem_len = strlen( (char *) buf );
|
pem_len = strlen( (char *) buf );
|
||||||
|
|
||||||
f = fopen( cert_check_file, "r" );
|
f = fopen( cert_check_file, "r" );
|
||||||
TEST_ASSERT( f != NULL );
|
TEST_ASSERT( f != NULL );
|
||||||
olen = fread( check_buf, 1, sizeof(check_buf), f );
|
olen = fread( check_buf, 1, sizeof( check_buf ), f );
|
||||||
fclose( f );
|
fclose( f );
|
||||||
TEST_ASSERT( olen < sizeof(check_buf) );
|
TEST_ASSERT( olen < sizeof( check_buf ) );
|
||||||
|
|
||||||
TEST_ASSERT( olen >= pem_len - 1 );
|
TEST_ASSERT( olen >= pem_len - 1 );
|
||||||
TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 );
|
TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 );
|
||||||
|
|
||||||
der_len = mbedtls_x509write_crt_der( &crt, buf, sizeof( buf ),
|
der_len = mbedtls_x509write_crt_der( &crt, buf, sizeof( buf ),
|
||||||
rnd_pseudo_rand, &rnd_info );
|
rnd_pseudo_rand, &rnd_info );
|
||||||
TEST_ASSERT( der_len >= 0 );
|
TEST_ASSERT( der_len >= 0 );
|
||||||
|
|
||||||
if( der_len == 0 )
|
if( der_len == 0 )
|
||||||
goto exit;
|
goto exit;
|
||||||
|
|
||||||
ret = mbedtls_x509write_crt_der( &crt, buf, (size_t)( der_len - 1 ),
|
ret = mbedtls_x509write_crt_der( &crt, buf, (size_t)( der_len - 1 ),
|
||||||
rnd_pseudo_rand, &rnd_info );
|
rnd_pseudo_rand, &rnd_info );
|
||||||
TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
||||||
|
|
||||||
exit:
|
exit:
|
||||||
mbedtls_x509write_crt_free( &crt );
|
mbedtls_x509write_crt_free( &crt );
|
||||||
mbedtls_pk_free( &issuer_key );
|
mbedtls_pk_free( &issuer_key_alt );
|
||||||
mbedtls_pk_free( &subject_key );
|
mbedtls_pk_free( &subject_key );
|
||||||
|
mbedtls_pk_free( &issuer_key );
|
||||||
mbedtls_mpi_free( &serial );
|
mbedtls_mpi_free( &serial );
|
||||||
}
|
}
|
||||||
/* END_CASE */
|
/* END_CASE */
|
||||||
|
|
Loading…
Reference in a new issue