Commit graph

261 commits

Author SHA1 Message Date
Przemek Stekiel
608e3efc47 Add test for parsing SAN: rfc822Name
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-20 15:09:50 +01:00
Manuel Pégourié-Gonnard
718eb4f190
Merge pull request #7025 from AndrzejKurek/uri_san
Add the uniformResourceIdentifier subtype for the subjectAltName
2023-02-20 11:29:59 +01:00
Gilles Peskine
c5e2a4fe67
Merge pull request #6937 from valeriosetti/issue6886
Add test for PK parsing of keys using compressed points
2023-02-14 19:54:29 +01:00
Andrzej Kurek
570a0f808b Move to DER certificates for new x509 tests
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-02-14 05:52:49 -05:00
Andrzej Kurek
7a05fab716 Added the uniformResourceIdentifier subtype for the subjectAltName.
Co-authored-by: Hannes Tschofenig <hannes.tschofenig@arm.com>
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-02-13 10:03:07 -05:00
Dave Rodgman
a22749e749
Merge pull request #6816 from nick-child-ibm/pkcs7_coverage
Pkcs7 coverage
2023-02-10 12:55:29 +00:00
Nick Child
3dafc6c3b3 pkcs7: Drop support for signature in contentInfo of signed data
The contentInfo field of PKCS7 Signed Data structures can
optionally contain the content of the signature. Per RFC 2315
it can also contain any of the PKCS7 data types. Add test and
comments making it clear that the current implementation
only supports the DATA content type and the data must be empty.

Return codes should be clear whether content was invalid or
unsupported.
Identification and fix provided by:
 - Demi Marie Obenour <demiobenour@gmail.com>
 - Dave Rodgman <dave.rodgman@arm.com>

Signed-off-by: Nick Child <nick.child@ibm.com>
2023-02-07 20:04:52 +00:00
Gilles Peskine
0cfb08ddf1
Merge pull request #6922 from mprse/csr_v3
Parsing v3 extensions from a CSR - v.2
2023-02-03 16:41:11 +01:00
Nick Child
a0c15d0fec pkcs7/test: Add test cases for pkcs7 with 3 signers
Previously, a loop in pkcs7_get_signers_info_set was not
getting covered by tests. This was because when there are
two or less signers, the loop will not execute.
Therefore, add new data files for another signer and use
three signers to generate a new pkcs7 DER file. Add a test
case to make sure that verification is still successfula and
use the test script to create ASN1 errors throoughout the
stucture:
./generate_pkcs7_tests.py ../data_files/pkcs7_data_3_signed.der

This results in the loop being executed.

Signed-off-by: Nick Child <nick.child@ibm.com>
2023-01-30 19:30:38 +00:00
Nick Child
e8a811650b test/pkcs7: Add test for expired cert
PKCS7 verification should fail if the signing cert is expired.
Add test case for this condition.

Signed-off-by: Nick Child <nick.child@ibm.com>
2023-01-30 15:55:44 +00:00
Valerio Setti
18b9b035ad test: add test for a full length serial of 0xFF
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-01-27 11:47:57 +01:00
Przemek Stekiel
d7992df529 Use input files to parse CSR instead of bytes
Additionally fix the generation of test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der which was incorectly malformed.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-01-25 16:19:50 +01:00
Valerio Setti
de7bb5b361 test: add failing check for secp224r1 with compressed format
The test is expected to fail, so we verify that this is really
not suppported

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-01-25 14:02:03 +01:00
Przemek Stekiel
92cce3fe6d Use extension .csr.der to indicate format
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-01-25 10:33:26 +01:00
Przemek Stekiel
160968586b Add negative test cases and use DER format for CSRs
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-01-24 10:57:19 +01:00
Przemek Stekiel
e7fbbb3fbd Generate csr files to test v3 extensions
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-01-24 10:57:19 +01:00
Valerio Setti
ff15953a01 test: data: fix makefile error
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-01-16 17:34:53 +01:00
Valerio Setti
0c960160ae test: extend makefile to generate keys with compressed points
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-01-16 16:56:30 +01:00
Valerio Setti
c60611b986 test: check pkparse with compressed ec
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-01-16 16:27:11 +01:00
Valerio Setti
856cec45eb test: x509: add more tests for checking certificate serial
- added 2 new certificates: 1 for testing a serial which is full lenght
  and another one for a serial which starts with 0x80

- added also proper Makefile and openssl configuration file to generate
  these 2 new certificates

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2023-01-12 17:01:45 +01:00
Gilles Peskine
72bffe02b7
Merge pull request #6663 from davidhorstmann-arm/fix-typo-unsupported
Fix typo 'unsupoported' -> 'unsupported'
2022-11-29 21:44:27 +01:00
Gilles Peskine
4f01121f6e Fix memory leak on error in pkcs7_get_signers_info_set
mbedtls_x509_name allocates memory, which must be freed if there is a
subsequent error.

Credit to OSS-Fuzz (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53811).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-27 22:02:10 +01:00
Gilles Peskine
290f01b3f5 Fix dangling freed pointer on error in pkcs7_get_signers_info_set
This fixes a use-after-free in PKCS#7 parsing when the signer data is
malformed.

Credit to OSS-Fuzz (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53798).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-27 21:55:29 +01:00
David Horstmann
119d7e2011 Fix typo 'unsupoported' -> 'unsupported'
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2022-11-25 15:50:30 +00:00
Bence Szépkúti
a17d038ee1 Merge branch 'development' into pr3431 2022-11-22 15:54:52 +01:00
Manuel Pégourié-Gonnard
edce0b42fb
Merge pull request #6454 from valeriosetti/issue4577
Adding unit test for mbedtls_x509write_csr_set_extension()
2022-11-15 09:39:07 +01:00
Valerio Setti
48e8fc737a Adding unit test for mbedtls_x509write_csr_set_extension()
The already existing "x509_csr_check()" function is extended in order
to support/test also CSR's extensions. The test is performed by
adding an extended key usage.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-14 13:32:07 +01:00
Dave Rodgman
f58172fe43 Merge remote-tracking branch 'origin/development' into pr3431 2022-11-10 09:54:49 +00:00
Gilles Peskine
4a480ac5a1
Merge pull request #6265 from Kabbah/x509-info-hwmodulename-hex
`x509_info_subject_alt_name`: Render HardwareModuleName as hex
2022-11-08 17:11:07 +01:00
Nick Child
fc234b7b52 test/pkcs7: Add Windows CRLF EOF to data files
Windows tests are failing pkcs7 verification due to differnt line
endings. Therefore, add make instuctions for building the data
files with Windows EOF instead. As a result, regenerate other data
files so that verification works.

Add these CRLF EOF files to the exception in check_files to ignore
the line endings.

Signed-off-by: Nick Child <nick.child@ibm.com>
2022-11-03 09:24:20 -05:00
Dave Rodgman
55fd0b9fc1
Merge pull request #6121 from daverodgman/pr277
cert_write - add a way to set extended key usages - rebase
2022-10-31 13:27:49 +00:00
Nick Child
73621ef0f0 pkcs7: Improve verify logic and rebuild test data
Various responses to feedback regarding the
pkcs7_verify_signed_data/hash functions. Mainly, merge these two
functions into one to reduce redudant logic [1]. As a result, an
identified bug about skipping over a signer is patched [2].

Additionally, add a conditional in the verify logic that checks if
the given x509 validity period is expired [3]. During testing of this
conditional, it turned out that all of the testing data was expired.
So, rebuild all of the pkcs7 testing data to refresh timestamps.

[1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r999652525
[2] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r997090215
[3] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r967238206
Signed-off-by: Nick Child <nick.child@ibm.com>
2022-10-28 11:24:25 -05:00
Ronald Cron
c9176a03a7
Merge pull request #6410 from gilles-peskine-arm/psa-pkparse-pkwrite-3.2
PSA with RSA requires PK_WRITE and PK_PARSE
2022-10-26 14:57:36 +02:00
Raef Coles
aa9d52bcdc
Rename LMS private key files to match library name
Signed-off-by: Raef Coles <raef.coles@arm.com>
2022-10-13 17:53:40 +01:00
Raef Coles
ce18e528ff Rename LMS private key files
And remove now-unnecessary modification to check_files.py

Signed-off-by: Raef Coles <raef.coles@arm.com>
2022-10-13 16:45:05 +01:00
Raef Coles
a6b47c0aac
Add LMS hsslms interop tests
Signed-off-by: Raef Coles <raef.coles@arm.com>
2022-10-13 14:29:55 +01:00
Raef Coles
90e13fc3c6
Add repro instructions for LMS test data
Add more interop tests, and use real data for the negative tests

Signed-off-by: Raef Coles <raef.coles@arm.com>
2022-10-13 14:29:49 +01:00
Gilles Peskine
9624a5932e Add mbedtls_dhm_parse_dhmfile test case with DER input
dh.optlen.der is the result of converting dh.optlen.pem from PEM to DER.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-10-11 20:52:34 +02:00
Victor Barpp Gomes
d0225afcb6 Add a new test with a binary hwSerialNum
Signed-off-by: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com>
2022-09-29 13:52:55 -03:00
XiaokangQian
335cfaadf9 Finalize client side code for psk
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-09-23 01:48:26 +00:00
Nick Child
45525d3768 pkcs7: Fix dependencies for pkcs7 tests
Fixes include removing PEM dependency for greater
coverage when PEM config is not set and defining
test dependencies at the appropriate level.

Signed-off-by: Nick Child <nick.child@ibm.com>
2022-09-01 19:45:41 -05:00
Manuel Pégourié-Gonnard
600bd30427 Avoid unwanted eol conversion of test data
Also, text files don't need to be generated by the Makefile.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-09-01 19:45:41 -05:00
Nayna Jain
136c6aa467 mbedtls: add pkcs7 test data
This commit adds the static test data generated by
commands from Makefile.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
2022-09-01 19:45:41 -05:00
Nayna Jain
673a226698 pkcs7: add support for signed data
OpenSSL provides APIs to generate only the signted data
format PKCS7 i.e. without content type OID. This patch
adds support to parse the data correctly even if formatted
only as signed data

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
2022-09-01 19:45:41 -05:00
Nayna Jain
c9deb184b0 mbedtls: add support for pkcs7
PKCS7 signing format is used by OpenPOWER Key Management, which is
using mbedtls as its crypto library.

This patch adds the limited support of pkcs7 parser and verification
to the mbedtls. The limitations are:

* Only signed data is supported.
* CRLs are not currently handled.
* Single signer is supported.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Eric Richter <erichte@linux.ibm.com>
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
2022-09-01 19:45:33 -05:00
Dave Rodgman
abdb0df91d Fix test fails due to changes in cert generation
Test certs were originally generated with an old version of Mbed TLS
that used printableString where we now use utf8string (e.g., in the
organizationName). Otherwise the certs are identical.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-08-30 10:25:45 +01:00
Nicholas Wilson
ca841d32db Add test for mbedtls_x509write_crt_set_ext_key_usage, and fix reversed order
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-08-30 10:25:43 +01:00
Werner Lewis
f65a327111 Remove remaining bignum radix args
Functions which are not covered by script, changes made to use radix
16.

Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-08-01 15:07:14 +01:00
Werner Lewis
b33dacdb50 Fix parsing of special chars in X509 DN values
Use escape mechanism defined in RFC 1779 when parsing commas and other
special characters in X509 DN values. Resolves failures when generating
a certificate with a CSR containing a comma in subject value.
Fixes #769.

Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-27 11:19:50 +01:00
Shaun Case
8b0ecbccf4 Redo of PR#5345. Fixed spelling and typographical errors found by CodeSpell.
Signed-off-by: Shaun Case <warmsocks@gmail.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-05-11 21:25:51 +01:00