Commit graph

410 commits

Author SHA1 Message Date
Jerry Yu
460b6cf0ba Add server5-der*crt generate command
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-05-29 20:55:40 +08:00
Jerry Yu
b7b40b494d Add rules to generate server5[-badsign].crt
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-05-29 20:55:40 +08:00
Pengyu Lv
543d912495 Update server3.crt and server4.crt
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-05-29 20:55:40 +08:00
Pengyu Lv
f31d18a52b Add rules to generate server4.crt
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-05-29 20:55:40 +08:00
Pengyu Lv
cd61b740c5 Add rules to generate server3.crt
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-05-29 20:55:40 +08:00
Pengyu Lv
6f804693e5 Fix wrong target names in the Makefile in tests/data_files
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-05-29 20:55:40 +08:00
Pengyu Lv
491c64cd37 Mark all_intermediate as intermediate files
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-05-29 20:55:40 +08:00
Jerry Yu
bffe31cbfb change path of mbedtls_x509_crl_parse input data
- Move data_files/crl-malformed-trailing-spaces.pem->data_files/parse_input/crl-malformed-trailing-spaces.pem
- Move data_files/crl-idp.pem->data_files/parse_input/crl-idp.pem
- Move data_files/crl-idpnc.pem->data_files/parse_input/crl-idpnc.pem

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-05-29 17:28:45 +08:00
Jerry Yu
87f647776b change path of mbedtls_x509_csr_parse_file input data
- Move data_files/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der->data_files/parse_input/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der
- Move data_files/test_csr_v3_all_malformed_attributes_id_tag.csr.der->data_files/parse_input/test_csr_v3_all_malformed_attributes_id_tag.csr.der
- Move data_files/test_csr_v3_all_malformed_attributes_extension_request.csr.der->data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request.csr.der
- Move data_files/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der->data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der
- Move data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der->data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der
- Move data_files/test_csr_v3_all_malformed_attributes_len1.csr.der->data_files/parse_input/test_csr_v3_all_malformed_attributes_len1.csr.der
- Move data_files/test_csr_v3_all_malformed_attributes_len2.csr.der->data_files/parse_input/test_csr_v3_all_malformed_attributes_len2.csr.der
- Move data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der->data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der
- Move data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der->data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der
- Move data_files/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der->data_files/parse_input/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der
- Move data_files/test_csr_v3_all_malformed_extension_id_tag.csr.der->data_files/parse_input/test_csr_v3_all_malformed_extension_id_tag.csr.der
- Move data_files/test_csr_v3_all_malformed_extension_data_tag.csr.der->data_files/parse_input/test_csr_v3_all_malformed_extension_data_tag.csr.der
- Move data_files/test_csr_v3_all_malformed_extension_data_len1.csr.der->data_files/parse_input/test_csr_v3_all_malformed_extension_data_len1.csr.der
- Move data_files/test_csr_v3_all_malformed_extension_data_len2.csr.der->data_files/parse_input/test_csr_v3_all_malformed_extension_data_len2.csr.der
- Move data_files/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der->data_files/parse_input/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der
- Move data_files/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der->data_files/parse_input/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der
- Move data_files/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der->data_files/parse_input/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der
- Move data_files/test_csr_v3_all_malformed_duplicated_extension.csr.der->data_files/parse_input/test_csr_v3_all_malformed_duplicated_extension.csr.der
- Move data_files/test_csr_v3_all_malformed_extension_type_oid.csr.der->data_files/parse_input/test_csr_v3_all_malformed_extension_type_oid.csr.der

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-05-29 17:28:45 +08:00
Jerry Yu
a3e249cb2b change path of mbedtls_x509_csr_info input data
- Copy data_files/server1.req.md5->data_files/parse_input/server1.req.md5
- Copy data_files/server1.req.sha1->data_files/parse_input/server1.req.sha1
- Copy data_files/server1.req.sha224->data_files/parse_input/server1.req.sha224
- Copy data_files/server1.req.sha256->data_files/parse_input/server1.req.sha256
- Copy data_files/server1.req.sha384->data_files/parse_input/server1.req.sha384
- Copy data_files/server1.req.sha512->data_files/parse_input/server1.req.sha512
- Move data_files/server1.req.commas.sha256->data_files/parse_input/server1.req.commas.sha256
- Move data_files/server5.req.sha1->data_files/parse_input/server5.req.sha1
- Move data_files/server5.req.sha224->data_files/parse_input/server5.req.sha224
- Move data_files/server5.req.sha256->data_files/parse_input/server5.req.sha256
- Move data_files/server5.req.sha384->data_files/parse_input/server5.req.sha384
- Move data_files/server5.req.sha512->data_files/parse_input/server5.req.sha512
- Move data_files/server9.req.sha1->data_files/parse_input/server9.req.sha1
- Move data_files/server9.req.sha224->data_files/parse_input/server9.req.sha224
- Move data_files/server9.req.sha256->data_files/parse_input/server9.req.sha256
- Move data_files/server9.req.sha384->data_files/parse_input/server9.req.sha384
- Move data_files/server9.req.sha512->data_files/parse_input/server9.req.sha512
- Move data_files/server1-ms.req.sha256->data_files/parse_input/server1-ms.req.sha256
- Move data_files/test_csr_v3_all.csr.der->data_files/parse_input/test_csr_v3_all.csr.der
- Move data_files/test_csr_v3_nsCertType.csr.der->data_files/parse_input/test_csr_v3_nsCertType.csr.der
- Move data_files/test_csr_v3_subjectAltName.csr.der->data_files/parse_input/test_csr_v3_subjectAltName.csr.der
- Move data_files/test_csr_v3_keyUsage.csr.der->data_files/parse_input/test_csr_v3_keyUsage.csr.der

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-05-29 17:28:44 +08:00
Jerry Yu
e8e7bbb59d change path of x509_parse_san input data
- Move data_files/server5-othername.crt->data_files/parse_input/server5-othername.crt
- Move data_files/server5-nonprintable_othername.crt->data_files/parse_input/server5-nonprintable_othername.crt
- Move data_files/server5-directoryname.crt.der->data_files/parse_input/server5-directoryname.crt.der
- Move data_files/server5-directoryname-seq-malformed.crt.der->data_files/parse_input/server5-directoryname-seq-malformed.crt.der
- Move data_files/server5-second-directoryname-oid-malformed.crt.der->data_files/parse_input/server5-second-directoryname-oid-malformed.crt.der
- Copy data_files/cert_example_multi.crt->data_files/parse_input/cert_example_multi.crt
- Move data_files/multiple_san.crt->data_files/parse_input/multiple_san.crt
- Copy data_files/server4.crt->data_files/parse_input/server4.crt
- Move data_files/server5-unsupported_othername.crt->data_files/parse_input/server5-unsupported_othername.crt
- Move data_files/test_cert_rfc822name.crt.der->data_files/parse_input/test_cert_rfc822name.crt.der

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-05-29 17:28:43 +08:00
Jerry Yu
1c3cfb3ed6 change path of x509parse_crt_file input data
- Move data_files/server1_pathlen_int_max.crt->data_files/parse_input/server1_pathlen_int_max.crt
- Move data_files/server1_pathlen_int_max-1.crt->data_files/parse_input/server1_pathlen_int_max-1.crt
- Copy data_files/server7_int-ca.crt->data_files/parse_input/server7_int-ca.crt
- Move data_files/server7_pem_space.crt->data_files/parse_input/server7_pem_space.crt
- Move data_files/server7_all_space.crt->data_files/parse_input/server7_all_space.crt
- Move data_files/server7_trailing_space.crt->data_files/parse_input/server7_trailing_space.crt
- Move data_files/cli-rsa-sha256-badalg.crt.der->data_files/parse_input/cli-rsa-sha256-badalg.crt.der

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-05-29 17:28:42 +08:00
Jerry Yu
85b0758b41 change path of x509_cert_info input data
- Copy data_files/server1.crt->data_files/parse_input/server1.crt
- Move data_files/server1.crt.der->data_files/parse_input/server1.crt.der
- Copy data_files/server2.crt->data_files/parse_input/server2.crt
- Copy data_files/server2.crt.der->data_files/parse_input/server2.crt.der
- Copy data_files/test-ca.crt->data_files/parse_input/test-ca.crt
- Move data_files/test-ca.crt.der->data_files/parse_input/test-ca.crt.der
- Copy data_files/cert_md5.crt->data_files/parse_input/cert_md5.crt
- Copy data_files/cert_sha1.crt->data_files/parse_input/cert_sha1.crt
- Copy data_files/cert_sha224.crt->data_files/parse_input/cert_sha224.crt
- Copy data_files/cert_sha256.crt->data_files/parse_input/cert_sha256.crt
- Copy data_files/cert_sha384.crt->data_files/parse_input/cert_sha384.crt
- Copy data_files/cert_sha512.crt->data_files/parse_input/cert_sha512.crt
- Copy data_files/server9.crt->data_files/parse_input/server9.crt
- Copy data_files/server9-sha224.crt->data_files/parse_input/server9-sha224.crt
- Copy data_files/server9-sha256.crt->data_files/parse_input/server9-sha256.crt
- Copy data_files/server9-sha384.crt->data_files/parse_input/server9-sha384.crt
- Copy data_files/server9-sha512.crt->data_files/parse_input/server9-sha512.crt
- Copy data_files/server5-sha1.crt->data_files/parse_input/server5-sha1.crt
- Copy data_files/server5-sha224.crt->data_files/parse_input/server5-sha224.crt
- Copy data_files/server5.crt->data_files/parse_input/server5.crt
- Copy data_files/server5-sha384.crt->data_files/parse_input/server5-sha384.crt
- Copy data_files/server5-sha512.crt->data_files/parse_input/server5-sha512.crt
- Copy data_files/server5-othername.crt->data_files/parse_input/server5-othername.crt
- Copy data_files/server5-nonprintable_othername.crt->data_files/parse_input/server5-nonprintable_othername.crt
- Copy data_files/server5-directoryname.crt.der->data_files/parse_input/server5-directoryname.crt.der
- Move data_files/server5-two-directorynames.crt.der->data_files/parse_input/server5-two-directorynames.crt.der
- Move data_files/server5-fan.crt->data_files/parse_input/server5-fan.crt
- Copy data_files/server1.cert_type.crt->data_files/parse_input/server1.cert_type.crt
- Copy data_files/server1.key_usage.crt->data_files/parse_input/server1.key_usage.crt
- Copy data_files/keyUsage.decipherOnly.crt->data_files/parse_input/keyUsage.decipherOnly.crt
- Copy data_files/cert_example_multi.crt->data_files/parse_input/cert_example_multi.crt
- Copy data_files/multiple_san.crt->data_files/parse_input/multiple_san.crt
- Copy data_files/cert_example_multi_nocn.crt->data_files/parse_input/cert_example_multi_nocn.crt
- Move data_files/rsa_single_san_uri.crt.der->data_files/parse_input/rsa_single_san_uri.crt.der
- Move data_files/rsa_multiple_san_uri.crt.der->data_files/parse_input/rsa_multiple_san_uri.crt.der
- Move data_files/test-ca-any_policy.crt->data_files/parse_input/test-ca-any_policy.crt
- Move data_files/test-ca-any_policy_ec.crt->data_files/parse_input/test-ca-any_policy_ec.crt
- Move data_files/test-ca-any_policy_with_qualifier.crt->data_files/parse_input/test-ca-any_policy_with_qualifier.crt
- Move data_files/test-ca-any_policy_with_qualifier_ec.crt->data_files/parse_input/test-ca-any_policy_with_qualifier_ec.crt
- Move data_files/test-ca-multi_policy.crt->data_files/parse_input/test-ca-multi_policy.crt
- Move data_files/test-ca-multi_policy_ec.crt->data_files/parse_input/test-ca-multi_policy_ec.crt
- Move data_files/test-ca-unsupported_policy.crt->data_files/parse_input/test-ca-unsupported_policy.crt
- Move data_files/test-ca-unsupported_policy_ec.crt->data_files/parse_input/test-ca-unsupported_policy_ec.crt
- Move data_files/server1.ext_ku.crt->data_files/parse_input/server1.ext_ku.crt
- Copy data_files/server4.crt->data_files/parse_input/server4.crt
- Copy data_files/server3.crt->data_files/parse_input/server3.crt
- Move data_files/bitstring-in-dn.pem->data_files/parse_input/bitstring-in-dn.pem
- Move data_files/non-ascii-string-in-issuer.crt->data_files/parse_input/non-ascii-string-in-issuer.crt

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-05-29 17:28:42 +08:00
Jerry Yu
2d412c6b24 change path of mbedtls_x509_crl_info input data
- Copy data_files/crl_expired.pem->data_files/parse_input/crl_expired.pem
- Move data_files/crl_md5.pem->data_files/parse_input/crl_md5.pem
- Move data_files/crl_sha1.pem->data_files/parse_input/crl_sha1.pem
- Move data_files/crl_sha224.pem->data_files/parse_input/crl_sha224.pem
- Copy data_files/crl_sha256.pem->data_files/parse_input/crl_sha256.pem
- Move data_files/crl_sha384.pem->data_files/parse_input/crl_sha384.pem
- Move data_files/crl_sha512.pem->data_files/parse_input/crl_sha512.pem
- Copy data_files/crl-rsa-pss-sha1.pem->data_files/parse_input/crl-rsa-pss-sha1.pem
- Copy data_files/crl-rsa-pss-sha224.pem->data_files/parse_input/crl-rsa-pss-sha224.pem
- Copy data_files/crl-rsa-pss-sha256.pem->data_files/parse_input/crl-rsa-pss-sha256.pem
- Copy data_files/crl-rsa-pss-sha384.pem->data_files/parse_input/crl-rsa-pss-sha384.pem
- Copy data_files/crl-rsa-pss-sha512.pem->data_files/parse_input/crl-rsa-pss-sha512.pem
- Copy data_files/crl-ec-sha1.pem->data_files/parse_input/crl-ec-sha1.pem
- Move data_files/crl-ec-sha224.pem->data_files/parse_input/crl-ec-sha224.pem
- Copy data_files/crl-ec-sha256.pem->data_files/parse_input/crl-ec-sha256.pem
- Move data_files/crl-ec-sha384.pem->data_files/parse_input/crl-ec-sha384.pem
- Move data_files/crl-ec-sha512.pem->data_files/parse_input/crl-ec-sha512.pem

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-05-29 17:28:40 +08:00
Andrzej Kurek
00d55988d9 Fix wrong makefile target
Missing tab and a prerequisite that's not a file
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-05-22 09:37:55 -04:00
Andrzej Kurek
ccdd975286 Add a certificate exercising all supported SAN types
This will be used for comparison in unit tests.
Add a possibility to write certificates with SAN
in cert_write.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-05-17 11:45:36 -04:00
Mukesh Bharsakle
4823d5ff0e
Merge branch 'Mbed-TLS:development' into update-pkparse-tests-to-use-AES 2023-05-10 12:35:19 +01:00
Jethro Beekman
0167244be4 Read and write X25519 and X448 private keys
Signed-off-by: Jethro Beekman <jethro@fortanix.com>
Co-authored-by: Gijs Kwakkel <gijs.kwakkel@fortanix.com>
Signed-off-by: Gijs Kwakkel <gijs.kwakkel@fortanix.com>
2023-05-04 13:01:47 +02:00
Valerio Setti
8820b57b6e test: fix makefile for ec_pub.[der/pem] generation
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-02 15:45:39 +02:00
Valerio Setti
c8b7865612 test: align ec_pub public keyfile with its ec_prv.sec1 counterpart
This change affects:
- both PEM and DER files, since they contain the same public key
  only in different formats
- "ec_pub.comp.pem" since it's the same as "ec_pub.pem" but in
  compressed format

The makefile was also updated accordingly to reflect these
dependencies.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-02 15:45:39 +02:00
Valerio Setti
547b3a4ab5 fix typos
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-24 10:24:37 +02:00
Valerio Setti
232a006a46 test: fix extension in DER test files
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-18 12:53:19 +02:00
Valerio Setti
8b7d4323da test: add Makefile target for the generated DER files
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-18 11:08:44 +02:00
Valerio Setti
28567abf4f test: add DER file format for pkwrite tests
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-17 18:43:55 +02:00
Mukesh Bharsakle
b17f6a211d Updating makefile to document key generation
Signed-off-by: Mukesh Bharsakle <bharsaklemukesh975@gmail.com>
2023-04-12 00:05:45 +01:00
Mukesh Bharsakle
1a4cc5e92c updating test-ca.key to use AES instead of DES
Signed-off-by: Mukesh Bharsakle <bharsaklemukesh975@gmail.com>
2023-04-10 14:05:42 +01:00
Andrzej Kurek
303704ef4a Remove unnecessary tabs
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-03-29 11:41:34 -04:00
Andrzej Kurek
d90376ef46 Add a test for a malformed directoryname sequence
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-03-29 11:38:45 -04:00
Andrzej Kurek
d348632a6a Switch from PEM to DER format for new x509 directoryname test
This simplifies generating malformed data and doesn't require
the PEM support for tests.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-03-29 11:03:01 -04:00
Andrzej Kurek
151d85d82c Introduce a test for a malformed directoryname SAN
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-03-29 11:03:01 -04:00
Andrzej Kurek
4a4f1ec8e9 Add the original certificate to be malformed for x509 tests
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-03-29 11:03:01 -04:00
Andrzej Kurek
e12b01d31b Add support for directoryName subjectAltName
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-03-29 11:03:01 -04:00
Paul Elliott
9f02a4177b
Merge pull request #7009 from mprse/csr_write_san
Added ability to include the SubjectAltName extension to a CSR - v.2
2023-03-17 10:07:27 +00:00
Dave Rodgman
2e8442565a Add PKCS #7 test files using expired cert
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-03-11 10:24:30 +00:00
Dave Rodgman
ca43e0d0ac Fix test file extension
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-03-10 13:06:01 +00:00
Dave Rodgman
f2f2dbcfd7 Add test case for PKCS7 file with zero signers
The test file was created by manually modifying
tests/data_files/pkcs7_data_without_cert_signed.der, using
ASN.1 JavaScript decoder  https://lapo.it/asn1js/

Changes made:
The SignerInfos set was truncated to zero length.
All the parent sequences, sets, etc were then adjusted
for their new reduced length.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-03-10 12:52:00 +00:00
Dave Rodgman
8657e3280a Add corrupt PKCS #7 test files
Generated by running "make <filename>" and commiting the result.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-03-09 15:59:15 +00:00
Xiaokang Qian
c96d2de569 Update corrupted char for pkcs7 corrupt signer info cases
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-03-07 10:35:47 +00:00
Xiaokang Qian
9c703d80ca Add fuzz bad cases for signer info 1 and 2
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-03-07 08:38:58 +00:00
Xiaokang Qian
8993a14567 Add unexpected tag cases for signer info 1 and 2
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-03-07 08:38:58 +00:00
Xiaokang Qian
e8c696ffd1 Add invalid size test case for signer info[2](The third one)
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-03-07 08:38:58 +00:00
Xiaokang Qian
72b4bcac03 Add invalid size test case for signer info 1(the second one)
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-03-07 08:38:55 +00:00
Przemek Stekiel
8e83d3aaa9 Add tests for writting SAN to CSR
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-03-03 12:58:05 +01:00
Gilles Peskine
1eae11565d
Merge pull request #6949 from bensze01/replace_pkcs7_fuzzer_tests
Replace fuzzer-generated PKCS #7 memory management tests
2023-03-01 10:46:22 +01:00
Bence Szépkúti
35d674a6ee Replace usage of echo -e in pkcs7 data Makefile
This use of the shell builtin is not portable.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2023-02-28 17:01:21 +01:00
Paul Elliott
ac2251dad1
Merge pull request #7076 from mprse/parse_RFC822_name
Add parsing of x509 RFC822 name + test
2023-02-27 14:16:13 +00:00
Bence Szépkúti
248971348b Replace fuzzer-generated PKCS7 regression tests
This commit adds well-formed reproducers for the memory management
issues fixed in the following commits:

290f01b3f5
e7f8c616d0
f7641544ea

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2023-02-24 15:31:03 +01:00
Dave Rodgman
e42cedf256
Merge pull request #7077 from daverodgman/pkcs7-fixes-dm-rebased
Pkcs7 fixes
2023-02-21 11:53:30 +00:00
Przemek Stekiel
608e3efc47 Add test for parsing SAN: rfc822Name
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-20 15:09:50 +01:00
Manuel Pégourié-Gonnard
718eb4f190
Merge pull request #7025 from AndrzejKurek/uri_san
Add the uniformResourceIdentifier subtype for the subjectAltName
2023-02-20 11:29:59 +01:00
Dave Rodgman
c5874db5b0 Add test-case for signature over zero-length data
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-02-16 16:14:46 +00:00
Gilles Peskine
c5e2a4fe67
Merge pull request #6937 from valeriosetti/issue6886
Add test for PK parsing of keys using compressed points
2023-02-14 19:54:29 +01:00
Andrzej Kurek
570a0f808b Move to DER certificates for new x509 tests
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-02-14 05:52:49 -05:00
Andrzej Kurek
7a05fab716 Added the uniformResourceIdentifier subtype for the subjectAltName.
Co-authored-by: Hannes Tschofenig <hannes.tschofenig@arm.com>
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-02-13 10:03:07 -05:00
Dave Rodgman
a22749e749
Merge pull request #6816 from nick-child-ibm/pkcs7_coverage
Pkcs7 coverage
2023-02-10 12:55:29 +00:00
Nick Child
3dafc6c3b3 pkcs7: Drop support for signature in contentInfo of signed data
The contentInfo field of PKCS7 Signed Data structures can
optionally contain the content of the signature. Per RFC 2315
it can also contain any of the PKCS7 data types. Add test and
comments making it clear that the current implementation
only supports the DATA content type and the data must be empty.

Return codes should be clear whether content was invalid or
unsupported.
Identification and fix provided by:
 - Demi Marie Obenour <demiobenour@gmail.com>
 - Dave Rodgman <dave.rodgman@arm.com>

Signed-off-by: Nick Child <nick.child@ibm.com>
2023-02-07 20:04:52 +00:00
Gilles Peskine
0cfb08ddf1
Merge pull request #6922 from mprse/csr_v3
Parsing v3 extensions from a CSR - v.2
2023-02-03 16:41:11 +01:00
Nick Child
a0c15d0fec pkcs7/test: Add test cases for pkcs7 with 3 signers
Previously, a loop in pkcs7_get_signers_info_set was not
getting covered by tests. This was because when there are
two or less signers, the loop will not execute.
Therefore, add new data files for another signer and use
three signers to generate a new pkcs7 DER file. Add a test
case to make sure that verification is still successfula and
use the test script to create ASN1 errors throoughout the
stucture:
./generate_pkcs7_tests.py ../data_files/pkcs7_data_3_signed.der

This results in the loop being executed.

Signed-off-by: Nick Child <nick.child@ibm.com>
2023-01-30 19:30:38 +00:00
Nick Child
e8a811650b test/pkcs7: Add test for expired cert
PKCS7 verification should fail if the signing cert is expired.
Add test case for this condition.

Signed-off-by: Nick Child <nick.child@ibm.com>
2023-01-30 15:55:44 +00:00
Valerio Setti
18b9b035ad test: add test for a full length serial of 0xFF
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-01-27 11:47:57 +01:00
Przemek Stekiel
d7992df529 Use input files to parse CSR instead of bytes
Additionally fix the generation of test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der which was incorectly malformed.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-01-25 16:19:50 +01:00
Valerio Setti
de7bb5b361 test: add failing check for secp224r1 with compressed format
The test is expected to fail, so we verify that this is really
not suppported

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-01-25 14:02:03 +01:00
Przemek Stekiel
92cce3fe6d Use extension .csr.der to indicate format
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-01-25 10:33:26 +01:00
Przemek Stekiel
160968586b Add negative test cases and use DER format for CSRs
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-01-24 10:57:19 +01:00
Przemek Stekiel
e7fbbb3fbd Generate csr files to test v3 extensions
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-01-24 10:57:19 +01:00
Valerio Setti
ff15953a01 test: data: fix makefile error
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-01-16 17:34:53 +01:00
Valerio Setti
0c960160ae test: extend makefile to generate keys with compressed points
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-01-16 16:56:30 +01:00
Valerio Setti
c60611b986 test: check pkparse with compressed ec
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-01-16 16:27:11 +01:00
Valerio Setti
856cec45eb test: x509: add more tests for checking certificate serial
- added 2 new certificates: 1 for testing a serial which is full lenght
  and another one for a serial which starts with 0x80

- added also proper Makefile and openssl configuration file to generate
  these 2 new certificates

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2023-01-12 17:01:45 +01:00
Gilles Peskine
72bffe02b7
Merge pull request #6663 from davidhorstmann-arm/fix-typo-unsupported
Fix typo 'unsupoported' -> 'unsupported'
2022-11-29 21:44:27 +01:00
Gilles Peskine
4f01121f6e Fix memory leak on error in pkcs7_get_signers_info_set
mbedtls_x509_name allocates memory, which must be freed if there is a
subsequent error.

Credit to OSS-Fuzz (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53811).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-27 22:02:10 +01:00
Gilles Peskine
290f01b3f5 Fix dangling freed pointer on error in pkcs7_get_signers_info_set
This fixes a use-after-free in PKCS#7 parsing when the signer data is
malformed.

Credit to OSS-Fuzz (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53798).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-27 21:55:29 +01:00
David Horstmann
119d7e2011 Fix typo 'unsupoported' -> 'unsupported'
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2022-11-25 15:50:30 +00:00
Bence Szépkúti
a17d038ee1 Merge branch 'development' into pr3431 2022-11-22 15:54:52 +01:00
Manuel Pégourié-Gonnard
edce0b42fb
Merge pull request #6454 from valeriosetti/issue4577
Adding unit test for mbedtls_x509write_csr_set_extension()
2022-11-15 09:39:07 +01:00
Valerio Setti
48e8fc737a Adding unit test for mbedtls_x509write_csr_set_extension()
The already existing "x509_csr_check()" function is extended in order
to support/test also CSR's extensions. The test is performed by
adding an extended key usage.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-14 13:32:07 +01:00
Dave Rodgman
f58172fe43 Merge remote-tracking branch 'origin/development' into pr3431 2022-11-10 09:54:49 +00:00
Gilles Peskine
4a480ac5a1
Merge pull request #6265 from Kabbah/x509-info-hwmodulename-hex
`x509_info_subject_alt_name`: Render HardwareModuleName as hex
2022-11-08 17:11:07 +01:00
Nick Child
fc234b7b52 test/pkcs7: Add Windows CRLF EOF to data files
Windows tests are failing pkcs7 verification due to differnt line
endings. Therefore, add make instuctions for building the data
files with Windows EOF instead. As a result, regenerate other data
files so that verification works.

Add these CRLF EOF files to the exception in check_files to ignore
the line endings.

Signed-off-by: Nick Child <nick.child@ibm.com>
2022-11-03 09:24:20 -05:00
Dave Rodgman
55fd0b9fc1
Merge pull request #6121 from daverodgman/pr277
cert_write - add a way to set extended key usages - rebase
2022-10-31 13:27:49 +00:00
Nick Child
73621ef0f0 pkcs7: Improve verify logic and rebuild test data
Various responses to feedback regarding the
pkcs7_verify_signed_data/hash functions. Mainly, merge these two
functions into one to reduce redudant logic [1]. As a result, an
identified bug about skipping over a signer is patched [2].

Additionally, add a conditional in the verify logic that checks if
the given x509 validity period is expired [3]. During testing of this
conditional, it turned out that all of the testing data was expired.
So, rebuild all of the pkcs7 testing data to refresh timestamps.

[1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r999652525
[2] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r997090215
[3] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r967238206
Signed-off-by: Nick Child <nick.child@ibm.com>
2022-10-28 11:24:25 -05:00
Ronald Cron
c9176a03a7
Merge pull request #6410 from gilles-peskine-arm/psa-pkparse-pkwrite-3.2
PSA with RSA requires PK_WRITE and PK_PARSE
2022-10-26 14:57:36 +02:00
Raef Coles
aa9d52bcdc
Rename LMS private key files to match library name
Signed-off-by: Raef Coles <raef.coles@arm.com>
2022-10-13 17:53:40 +01:00
Raef Coles
ce18e528ff Rename LMS private key files
And remove now-unnecessary modification to check_files.py

Signed-off-by: Raef Coles <raef.coles@arm.com>
2022-10-13 16:45:05 +01:00
Raef Coles
a6b47c0aac
Add LMS hsslms interop tests
Signed-off-by: Raef Coles <raef.coles@arm.com>
2022-10-13 14:29:55 +01:00
Raef Coles
90e13fc3c6
Add repro instructions for LMS test data
Add more interop tests, and use real data for the negative tests

Signed-off-by: Raef Coles <raef.coles@arm.com>
2022-10-13 14:29:49 +01:00
Gilles Peskine
9624a5932e Add mbedtls_dhm_parse_dhmfile test case with DER input
dh.optlen.der is the result of converting dh.optlen.pem from PEM to DER.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-10-11 20:52:34 +02:00
Victor Barpp Gomes
d0225afcb6 Add a new test with a binary hwSerialNum
Signed-off-by: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com>
2022-09-29 13:52:55 -03:00
XiaokangQian
335cfaadf9 Finalize client side code for psk
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-09-23 01:48:26 +00:00
Nick Child
45525d3768 pkcs7: Fix dependencies for pkcs7 tests
Fixes include removing PEM dependency for greater
coverage when PEM config is not set and defining
test dependencies at the appropriate level.

Signed-off-by: Nick Child <nick.child@ibm.com>
2022-09-01 19:45:41 -05:00
Manuel Pégourié-Gonnard
600bd30427 Avoid unwanted eol conversion of test data
Also, text files don't need to be generated by the Makefile.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-09-01 19:45:41 -05:00
Nayna Jain
136c6aa467 mbedtls: add pkcs7 test data
This commit adds the static test data generated by
commands from Makefile.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
2022-09-01 19:45:41 -05:00
Nayna Jain
673a226698 pkcs7: add support for signed data
OpenSSL provides APIs to generate only the signted data
format PKCS7 i.e. without content type OID. This patch
adds support to parse the data correctly even if formatted
only as signed data

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
2022-09-01 19:45:41 -05:00
Nayna Jain
c9deb184b0 mbedtls: add support for pkcs7
PKCS7 signing format is used by OpenPOWER Key Management, which is
using mbedtls as its crypto library.

This patch adds the limited support of pkcs7 parser and verification
to the mbedtls. The limitations are:

* Only signed data is supported.
* CRLs are not currently handled.
* Single signer is supported.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Eric Richter <erichte@linux.ibm.com>
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
2022-09-01 19:45:33 -05:00
Dave Rodgman
abdb0df91d Fix test fails due to changes in cert generation
Test certs were originally generated with an old version of Mbed TLS
that used printableString where we now use utf8string (e.g., in the
organizationName). Otherwise the certs are identical.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-08-30 10:25:45 +01:00
Nicholas Wilson
ca841d32db Add test for mbedtls_x509write_crt_set_ext_key_usage, and fix reversed order
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-08-30 10:25:43 +01:00
Werner Lewis
f65a327111 Remove remaining bignum radix args
Functions which are not covered by script, changes made to use radix
16.

Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-08-01 15:07:14 +01:00
Werner Lewis
b33dacdb50 Fix parsing of special chars in X509 DN values
Use escape mechanism defined in RFC 1779 when parsing commas and other
special characters in X509 DN values. Resolves failures when generating
a certificate with a CSR containing a comma in subject value.
Fixes #769.

Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-27 11:19:50 +01:00
Shaun Case
8b0ecbccf4 Redo of PR#5345. Fixed spelling and typographical errors found by CodeSpell.
Signed-off-by: Shaun Case <warmsocks@gmail.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-05-11 21:25:51 +01:00
Ronald Cron
64bff9f261 tests: data_files: Avoid symbolic links
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 15:09:57 +01:00
Jerry Yu
dda036d8e0 rename ecdsa_secp*sha* to ecdsa_secp*
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-06 18:20:43 +08:00
Jerry Yu
0f99af8c19 Add keys for tls13 compat tests
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-06 18:16:30 +08:00
TRodziewicz
f41dc7cb35 Removal of RC4 certs and fixes to docs and tests
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-21 13:27:29 +02:00
TRodziewicz
75628d51b3 Code review fixes
Reverting some deleted tests and changing the deprecated algo
Deleting deprecated headers from /alt-dummy dir
Corrections to the comments
Removal of deleted functions from compat-2.x.h
Corrections to tests/data_files/Makefile

Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-18 12:59:38 +02:00
TRodziewicz
10e8cf5fef Remove MD2, MD4, RC4, Blowfish and XTEA
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-16 10:34:25 +02:00
Gilles Peskine
c6b0d96c31 More precise testing of dhm_min_len
An SSL client can be configured to insist on a minimum size for the
Diffie-Hellman (DHM) parameters sent by the server. Add several test
cases where the server sends parameters with exactly the minimum
size (must be accepted) or parameters that are one bit too short (must
be rejected). Make sure that there are test cases both where the
boundary is byte-aligned and where it isn't.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-04-01 14:18:31 +02:00
Dave Rodgman
6fbff5b557
Merge pull request #3698 from darrenkrahn/development
Mark basic constraints critical as appropriate.
2021-01-17 18:06:18 +00:00
Darren Krahn
9c134cef35 Add build instructions for new test data.
Signed-off-by: Darren Krahn <dkrahn@google.com>
2021-01-13 22:04:45 -08:00
Gilles Peskine
a282984c3d
Merge pull request #773 from paul-elliott-arm/discrepancy_cert
Add missing tag check to signature check on certificate load
2020-12-03 12:19:39 +01:00
Paul Elliott
ca17ebfbc0 Add tag check to cert algorithm check
Add missing tag check for algorithm parameters when comparing the
signature in the description part of the cert against the actual
signature whilst loading a certificate. This was found by a
certificate (created by fuzzing) that openssl would not verify, but
mbedtls would.

Regression test added (one of the client certs modified accordingly)

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2020-11-26 16:34:16 +00:00
David Brown
3bea9f61e6 Add a context-info.sh test for 0xFF chars
Add a non-regression test for ssl_context_info to ensure the base64
decoder doesn't stop processing when it encounters a 0xFF character.

Signed-off-by: David Brown <david.brown@linaro.org>
2020-10-20 13:35:21 -06:00
Ronald Cron
8f24a8bb34
Merge pull request #3595 from gilles-peskine-arm/cert-gen-cleanup-202008-development
Minor cleanups in certificate generation
2020-10-15 13:32:53 +02:00
Gilles Peskine
1803563572 Fix "make -C tests/data_files -f ..."
The toplevel directory is actually just ../..: the makefile commands
are executed in the subdirectory. $(PWD) earlier was wrong because it
comes from the shell, not from make. Looking up $(MAKEFILE_LIST) is
wrong because it indicates where the makefile is (make -f), not which
directory to work in (make -C).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-09-24 16:36:04 +02:00
Darren Krahn
e560be3ab4 Mark basic constraints critical as appropriate.
Per RFC 5280 4.2.1.9 if the 'cA' field is set to true, the extension
must be marked critical.

Signed-off-by: Darren Krahn <dkrahn@google.com>
2020-09-21 18:25:35 -07:00
Gilles Peskine
9e4d4387f0
Merge pull request #3433 from raoulstrackx/raoul/verify_crl_without_time
Always revoke certificate on CRL
2020-08-26 12:56:11 +02:00
Manuel Pégourié-Gonnard
6edfe60e0d
Merge pull request #2182 from hanno-arm/key_pwd
Add support for password protected key files to ssl_server2 and ssl_client2
2020-08-24 09:42:38 +02:00
Gilles Peskine
0f38590edf Commit the intermediate files cert_md*.csr
They are used to generate cert_md*.crt.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-21 20:47:52 +02:00
Gilles Peskine
d1ff7579c8 Fix "make -C tests/data_files"
It wasn't working when invoking programs/x509/cert_write or
programs/x509/cert_req due to relying on the current directory rather
than the location of the makefile.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-21 20:43:32 +02:00
Bence Szépkúti
1e14827beb Update copyright notices to use Linux Foundation guidance
As a result, the copyright of contributors other than Arm is now
acknowledged, and the years of publishing are no longer tracked in the
source files.

Also remove the now-redundant lines declaring that the files are part of
MbedTLS.

This commit was generated using the following script:

# ========================
#!/bin/sh

# Find files
find '(' -path './.git' -o -path './3rdparty' ')' -prune -o -type f -print | xargs sed -bi '

# Replace copyright attribution line
s/Copyright.*Arm.*/Copyright The Mbed TLS Contributors/I

# Remove redundant declaration and the preceding line
$!N
/This file is part of Mbed TLS/Id
P
D
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-08-19 10:35:41 +02:00
Hanno Becker
226eedb5f3 Add password protected version of key for data_files/server{2,5}.key
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-08-17 12:14:00 +01:00
Raoul Strackx
a4e86141f1 Always revoke certificate on CRL
RFC5280 does not state that the `revocationDate` should be checked.

In addition, when no time source is available (i.e., when MBEDTLS_HAVE_TIME_DATE is not defined), `mbedtls_x509_time_is_past` always returns 0. This results in the CRL not being checked at all.

https://tools.ietf.org/html/rfc5280
Signed-off-by: Raoul Strackx <raoul.strackx@fortanix.com>
2020-08-17 09:05:03 +02:00
Manuel Pégourié-Gonnard
7d2a4d873f Add test: DNS names should not match IP addresses
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-11 10:23:52 +02:00
Bence Szépkúti
c7da1fe381 Add Apache-2.0 headers to all scripts
This commit was generated using the following script:

# ========================
#!/bin/sh

# Find scripts
find -path './.git' -prune -o '(' -name '*.gdb' -o -name '*.pl' -o -name '*.py' -o -name '*.sh' ')' -print | xargs sed -i '

# Remove Mbed TLS declaration if it occurs before the copyright line
1,/Copyright.*Arm/I {
  /This file is part of/,$ {
    /Copyright.*Arm/I! d
  }
}

# Convert non-standard header in scripts/abi_check.py to the format used in the other scripts
/"""/,/"""/ {

  # Cut copyright declaration
  /Copyright.*Arm/I {
    h
    N
    d
  }

  # Paste copyright declaration
  /"""/ {
    x
    /./ {
      s/^/# /    # Add #
      x          # Replace orignal buffer with Copyright declaration
      p          # Print original buffer, insert newline
      i\

      s/.*//     # Clear original buffer
    }
    x
  }
}

/Copyright.*Arm/I {

  # Print copyright declaration
  p

  # Read the two lines immediately following the copyright declaration
  N
  N

  # Insert Apache header if it is missing
  /SPDX/! {
    i\
# SPDX-License-Identifier: Apache-2.0\
#\
# Licensed under the Apache License, Version 2.0 (the "License"); you may\
# not use this file except in compliance with the License.\
# You may obtain a copy of the License at\
#\
# http://www.apache.org/licenses/LICENSE-2.0\
#\
# Unless required by applicable law or agreed to in writing, software\
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT\
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\
# See the License for the specific language governing permissions and\
# limitations under the License.

    # Insert Mbed TLS declaration if it is missing
    /This file is part of/! i\
#\
# This file is part of Mbed TLS (https://tls.mbed.org)
  }

  # Clear copyright declaration from buffer
  D
}
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-06-15 12:05:47 +02:00
Bence Szépkúti
700ee44545 Add missing copyright dates to scripts and sources
To find any files with a missing copyright declaration, use the following script:

# ========================
#!/bin/sh

# Find files with copyright declarations, and list their file extensions
exts=$(grep -Ril --exclude-dir .git --exclude-dir 3rdparty\
                 --exclude-dir programs/fuzz 'Copyright.*Arm' | sed '
  s/.*\///
  s/.*\./*./
  s/.*/-name "&"/
' | sort -u | sed -n '
  :l
    N
    $!bl
  s/\n/ -o /gp
')

# Find files with file extensions that ususally include copyright extensions,
# but don't include a copyright declaration themselves.
eval "find\
  '(' -path './.git' -o -path './3rdparty' -o -path './programs/fuzz' ')' -prune\
  -o ! -path './tests/data_files/format_pkcs12.fmt'\
     ! -path './programs/psa/psa_constant_names_generated.c'\
     '(' $exts ')' -print" | xargs grep -Li 'Copyright.*Arm'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-06-15 12:05:46 +02:00
Gilles Peskine
ee40e76943 Normalize line endings
Convert all text files to Unix line endings unless they're Windows
stuff.

Make sure that all text files have a trailing newline.

Remove whitespace at the end of lines.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-05-27 21:55:08 +02:00
Koh M. Nakagawa
46b8782a72 fix mbedtls_x509_dn_gets to escape non-ASCII characters
Signed-off-by: Koh M. Nakagawa <tsunekou1019@gmail.com>
2020-05-21 01:56:55 +09:00
Jaeden Amero
31f4cd9de2
Merge pull request #3192 from AndrzejKurek/max_pathlen_overflow
Guard from undefined behaviour in case of an INT_MAX max_pathlen
2020-04-16 16:29:44 +01:00
Piotr Nowicki
9978e6ee14 Add tests for the ssl_context_info program
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-04-15 16:21:36 +02:00
Andrzej Kurek
1605074f97
Guard from undefined behaviour in case of an INT_MAX max_pathlen
When parsing a certificate with the basic constraints extension
the max_pathlen that was read from it was incremented regardless
of its value. However, if the max_pathlen is equal to INT_MAX (which
is highly unlikely), an undefined behaviour would occur.
This commit adds a check to ensure that such value is not accepted
as valid. Relevant tests for INT_MAX and INT_MAX-1 are also introduced.
Certificates added in this commit were generated using the
test_suite_x509write, function test_x509_crt_check. Input data taken 
from the "Certificate write check Server1 SHA1" test case, so the generated
files are like the "server1.crt", but with the "is_ca" field set to 1 and
max_pathlen as described by the file name.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-04-15 06:15:45 -04:00
Gilles Peskine
b99bd39b4e Merge mbed-crypto into mbedtls: the merge commit
Merge `unremove-non-crypto` into `mbedtls/development`. The branch
`unremove-non-crypto` was obtained by starting from `mbed-crypto/development`,
then reverting many commits that removed X.509 and TLS functionality when Mbed
Crypto forked from Mbed TLS (the “unremoval”), then make a few tweaks to
facilitate the merge.

The unremoval step restored old versions of some tls files. If a file doesn't
exist in mbed-crypto, check out the mbedtls version, regardless of what
happened during the unremoval of tls files in the crypto tree. Also
unconditionally take the mbedtls version of a few files where the
modifications are completely project-specific and are not relevant in
mbed-crypto:

* `.github/issue_template.md`: completely different. We may want to reconcile
  them independently as a follow-up.
* `.travis.yml`: would only be reverted to an earlier tls version.
* `README.md`: completely different. We may want to reconcile them
  independently as a follow-up.
* `doxygen/input/doc_mainpage.h`: the changes in crypto were minimal and not
  relevant except as a stopgap as mbed-crypto did not have its own product
  versioning in the Doxygen documentation.
* `tests/.jenkins/Jenkinsfile`: completely different.
* `tests/data_files/Makefile`: there were no changes in mbed-crypto,
  but the unremoval step restored an old version.

Shell script for everything to do after the merge apart from the conflict
resolution:
```
tls_files=($(comm -23 <(git ls-tree -r --name-only HEAD) <(git ls-tree -r --name-only $(git merge-base upstream-crypto/development MERGE_HEAD))))
tls_files+=($tls_files .github/issue_template.md .travis.yml README.md doxygen/input/doc_mainpage.h tests/.jenkins/Jenkinsfile tests/data_files/Makefile)
git checkout --theirs HEAD -- $tls_files
git add -- $tls_files
```

Resolve the remaining conflicts:

* `library/CMakeLists.txt`:
    * Keep the TLS definition of `src_crypto`
    * `USE_SHARED_MBEDTLS_LIBRARY`: keep all three libraries, with both
      `include` and `crypto/include` in `target_include_directories`, all with
      version `2.21.0`.
* `programs/Makefile`:
    * Reconcile the APPS lists (add/add from a differently-formatted common
      ancestor): insert the `psa/*` from crypto into the tls list.
    * Keep the `fuzz` target defined only in tls version.
    * Keep the recipe (only in tls version) cleaning `ssl_pthread_server`
      stuff for the `clean` target.
* `scripts/config.py`:
    * `include_in_full`: add/add conflict. Keep both.
* `tests/scripts/all.sh`:
    * `component_test_no_use_psa_crypto_full_cmake_asan`: partially old
      version in crypto. Take the tls version.
    * `component_test_malloc_0_null` and more: take
      `component_test_malloc_0_null` from crypto (with `config.py` rather than
      `config.pl`, and with `$ASAN_FLAGS` rather than an explicit list), but
      add the call to `ssl-opt.sh` from tls. Take the other components from
      crypto.

With this commit, building and running the unit tests with both `make ` and
`cmake` work in the default configuration on Linux. Other platforms, build
systems and configurations are likely not to work, and there is some
regression in test coverage.

There is some loss of functionality because the unremoval step restored older
versions of tls content. This commit contains the latest tls version of
tls-only files, but some changes from the tls side in files that existed on
both sides have regressed. Most problematic changes are hunks that remove some
tls-specific feature and contain either a C preprocessor symbol identifying a
tls-specific module or option, or the name of a tls-specific file. Hunks
that remove a tls-specific preprocessor symbol can be identified with the
regular expression `^-.*MBEDTLS_(ERR_)?(PKCS11|X509|NET|SSL)_`.

Subsequent commits will revert a few parts of the patch from this merge commit
in order to restore the tls functionality that it removes, ensure that the
test coverage includes what was covered in either branch, and fix test
failures.
2020-03-23 17:54:46 +01:00
Gilles Peskine
70824f2c9e Revert "Remove programs that depend on TLS or X.509"
This reverts commit 0688e4f266.

Run scripts/generate_visualc_files.pl to account for the added programs.
2020-03-19 14:07:55 +01:00
Gilles Peskine
4fa9f9f744 Revert "programs, tests: Depend only on libmbedcrypto"
This reverts commit 986a15199d.
2020-03-19 14:07:55 +01:00
Gilles Peskine
32d90b3919 Revert "Remove unused test data files"
This reverts commit ef24980e66.
2020-03-04 15:39:14 +01:00
Gilles Peskine
43259ce31e Remove unused test data file
Since "Remove component designed to test MAX_SIGNATURE_SIZE",
secp521r1_prv.der is no longer used.

ec_521_prv.pem can be used for the same purpose.
2019-11-14 19:14:40 +01:00
Gilles Peskine
c212166171 pk_write test cases with short/long private key
Add pk_write test cases where the ASN.1 INTEGER encoding of the
private value would not have the mandatory size for the OCTET STRING
that contains the value.

ec_256_long_prv.pem is a random secp256r1 private key, selected so
that the private value is >= 2^255, i.e. the top bit of the first byte
is set (which would cause the INTEGER encoding to have an extra
leading 0 byte).

ec_521_short_prv.pem is a random secp521r1 private key, selected so
that the private value is < 2^519, i.e. the first byte is 0 and the
top bit of the second byte is 0 (which would cause the INTEGER
encoding to have one less 0 byte at the start).
2019-11-05 15:32:53 +01:00
Gilles Peskine
60b29d6bfd Merge remote-tracking branch 'upstream-restricted/pr/503' into development-restricted-proposed 2019-08-14 18:37:59 +02:00
Gilles Peskine
3963993e2a Merge 'mbedtls/development' into merge-crypto-development-20190806
Conflicts and changes:
* Files that do not exist in Mbed Crypto and have changed in Mbed TLS:
  These files should not exist in Mbed Crypto. Keep them deleted.
* tests/data_files/test-ca.server1.db: new file in Mbed TLS, don't create
  it in Mbed Crypto.
* tests/data_files/rsa_pkcs1_1024_clear.pem: do create this file in
  Mbed Crypto. I don't see why it would be kept out.
* tests/data_files/Makefile: don't take any of the changes in sections
  that have been removed in Crypto. Do take in the certificate
  expiration date updates and the extra .crt.der rules (even if Crypto
  doesn't actually use those certificates: removing them would be out
  of scope of the present merge).
* tests/suites/helpers.function: consecutive additions, take
  both (order indifferent).
2019-08-06 19:09:55 +02:00
Gilles Peskine
41f2de9da2
Merge pull request #638 from ARMmbed/development-proposed
Merge development into development-restricted
2019-08-05 11:06:20 +02:00
Ron Eldor
9eeb8611b1 Update certificates to expire in 2029
Update certificates that expire on 2021, to prolong their validity,
to make tests pass three years ahead.
2019-07-10 16:46:34 +03:00
Ron Eldor
b7c9626e76 Update soon to be expired crl
Update crl.pem, as it will expire on November 25 2019.
Resolves #2357.
2019-07-09 16:48:09 +03:00
Jaeden Amero
bd3a7464b7 Merge remote-tracking branch 'restricted/pr/573' into development-restricted
* restricted/pr/573:
  Remove redundant config.pl call
  Add a test for signing content with a long ECDSA key
  Add documentation notes about the required size of the signature buffers
  Add missing MBEDTLS_ECP_C dependencies in check_config.h
  Change size of preallocated buffer for pk_sign() calls
2019-06-24 11:40:33 +01:00
Jaeden Amero
6b5dc689f7 Merge remote-tracking branch 'origin/pr/2430' into development
* origin/pr/2430:
  Document support for MD2 and MD4 in programs/x509/cert_write
  Correct name of X.509 parsing test for well-formed, ill-signed CRT
  Add test cases exercising successful verification of MD2/MD4/MD5 CRT
  Add test case exercising verification of valid MD2 CRT
  Add MD[245] test CRTs to tree
  Add instructions for MD[245] test CRTs to tests/data_files/Makefile
  Add suppport for MD2 to CSR and CRT writing example programs
  Remove use of MD2 in further x509parse tests
  Convert further x509parse tests to use lower-case hex data
  Correct placement of ChangeLog entry
  Adapt ChangeLog
  Use SHA-256 instead of MD2 in X.509 CRT parsing tests
  Consistently use lower case hex data in X.509 parsing tests
2019-06-14 08:49:31 +01:00
k-stachowiak
c1955559ad Add a test for signing content with a long ECDSA key
Due to the way the current PK API works, it may have not been clear
for the library clients, how big output buffers they should pass
to the signing functions. Depending on the key type they depend on
MPI or EC specific compile-time constants.

Inside the library, there were places, where it was assumed that
the MPI size will always be enough, even for ECDSA signatures.
However, for very small sizes of the MBEDTLS_MPI_MAX_SIZE and
sufficiently large key, the EC signature could exceed the MPI size
and cause a stack overflow.

This test establishes both conditions -- small MPI size and the use
of a long ECDSA key -- and attempts to sign an arbitrary file.
This can cause a stack overvlow if the signature buffers are not
big enough, therefore the test is performed for an ASan build.
2019-06-10 11:46:18 +02:00
Hanno Becker
4cbea4b07e Remove heading spaces in tests/data_files/Makefile 2019-06-03 17:46:56 +01:00
Hanno Becker
471ad477bb Add new line at the end of test-ca2.key.enc 2019-06-03 17:46:56 +01:00
Hanno Becker
58fc28ce1a Rename server1.der to server1.crt.der 2019-06-03 17:46:56 +01:00
Hanno Becker
8843c250c0 Add DER encoded files to git tree 2019-06-03 17:46:56 +01:00
Hanno Becker
e21387e014 Add build instructions to generate DER versions of CRTs and keys 2019-06-03 17:46:56 +01:00
Hanno Becker
53756b3228 Add MD[245] test CRTs to tree 2019-06-03 14:22:59 +01:00
Hanno Becker
2e0f71f977 Add instructions for MD[245] test CRTs to tests/data_files/Makefile 2019-06-03 14:22:53 +01:00