Commit graph

76 commits

Author SHA1 Message Date
Minos Galanakis
1a3ad265cc Merge branch 'development-restricted' into mbedtls-3.5.0rc0-pr
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2023-10-03 21:57:51 +01:00
Gilles Peskine
7f420faf03 parse_attribute_value_hex_der_encoded: clean up length validation
Separate the fits-in-buffer check (*data_length <= data_size) from the
we-think-it's-a-sensible-size check (*data_length <=
MBEDTLS_X509_MAX_DN_NAME_SIZE).

This requires using an intermediate buffer for the DER data, since its
maximum sensible size has to be larger than the maximum sensible size for
the payload, due to the overhead of the ASN.1 tag+length.

Remove test cases focusing on the DER length since the implementation no
longer has a threshold for it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-25 19:59:31 +02:00
Gilles Peskine
26dd764dc3 parse_attribute_value_hex_der_encoded test case fixups
Fix the expected output in some test cases.

Add a few more test cases to exercise both a payload length around 256 bytes
and a DER length around 256 bytes, since both are placed in a 256-byte
buffer (value of MBEDTLS_X509_MAX_DN_NAME_SIZE).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-25 19:59:31 +02:00
Gilles Peskine
c94500b56b Add may-fail mode to mbedtls_x509_string_to_names output tests
Due to differing validations amongst X.509 library functions, there are
inputs that mbedtls_x509_string_to_names() accepts, but it produces output
that some library functions can't parse. Accept this for now. Do call the
functions, even when we don't care about their return code: we're ok with
returning errors, but not with e.g. a buffer overflow.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-25 19:59:31 +02:00
Gilles Peskine
70a93407ce More test cases for parse_attribute_value_der_encoded
In particular, "X509 String to Names: long hexstring (DER=258 bytes, too long)"
causes a buffer overflow in parse_attribute_value_der_encoded().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-25 19:59:31 +02:00
Valerio Setti
db6b4db7a0 Renaming all MBEDTLS_HAVE for curves to MBEDTLS_ECP_HAVE
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-09-25 17:39:41 +02:00
Valerio Setti
6d809cc969 lib/test: use new internal helpers in library's code and tests
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-09-25 17:39:41 +02:00
Agathiyan Bragadeesh
4ce9ac8463 Add round trip tests for x509 RDNs
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-09-04 16:18:26 +01:00
Agathiyan Bragadeesh
733766bc71 Remove trailing whitespace in data file.
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-08-23 15:44:52 +01:00
Agathiyan Bragadeesh
de84f9d67a Add test for rejecting empty AttributeValue
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-08-23 11:44:04 +01:00
Agathiyan Bragadeesh
ea3e83f36a Amend test in test_suite_x509write
Needed since we now reject escaped null hexpairs in strings

Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-08-22 10:39:56 +01:00
Agathiyan Bragadeesh
01e9392c3f Add malformatted DER test for string_to_names
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-08-22 10:39:56 +01:00
Agathiyan Bragadeesh
cab79188ca Remove redundant tests in test_suite_x509write
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-08-22 10:39:56 +01:00
Agathiyan Bragadeesh
a953f8ab36 Remove duplicate test in test_suite_x509write
The test for outputing a hexstring representation is actually
testing dn_gets, and is tested in test_suite_x509parse.

Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-08-22 10:39:56 +01:00
Agathiyan Bragadeesh
957ca0595d Accept short name/ber encoded data in DNs
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-08-22 10:39:56 +01:00
Agathiyan Bragadeesh
afdb187bbc Add more comprehensive string to name tests
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-08-22 10:39:56 +01:00
Agathiyan Bragadeesh
e59dedbce2 Add test reject null characters in string to names
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-08-22 10:39:56 +01:00
Agathiyan Bragadeesh
5ca9848513 Reword test in test_suite_x509write
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-08-22 10:39:56 +01:00
Agathiyan Bragadeesh
ef299d6735 Add more tests for RFC 4514
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-08-22 10:39:56 +01:00
Agathiyan Bragadeesh
404b4bb9ab Add x509 tests for upper and lowercase hexpairs
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-08-22 10:39:56 +01:00
Agathiyan Bragadeesh
ef2decbe4a Escape hexpairs characters RFC 4514
Converts none ascii to escaped hexpairs in mbedtls_x509_dn_gets and
interprets hexpairs in mbedtls_x509_string_to_names.

Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-08-22 10:38:16 +01:00
Agathiyan Bragadeesh
48513b8639 Escape special characters RFC 4514
This escapes special characters according to RFC 4514 in
mbedtls_x509_dn_gets and de-escapes in mbedtls_x509_string_to_names.
This commit does not handle hexpairs.

Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-08-22 10:38:16 +01:00
David Horstmann
b50ae1fef1 Add regression testcase for string_to_names()
Test against a string with no '=' or ',' in it, which previously caused
mbedtls_x509_string_to_names() to return 0.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-06-27 15:32:14 +01:00
Andrzej Kurek
51cef9ce38 Add missing AES_C dependency in x509 tests
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-05-22 15:20:48 -04:00
Andrzej Kurek
a194904055 Fix subjectAltName test prerequisites
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-05-17 15:23:56 -04:00
Andrzej Kurek
76c9662e8e Add a test for SubjectAltName writing to a certificate
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-05-17 15:23:54 -04:00
Mukesh Bharsakle
4823d5ff0e
Merge branch 'Mbed-TLS:development' into update-pkparse-tests-to-use-AES 2023-05-10 12:35:19 +01:00
Gilles Peskine
1a24895bfd Simplify string escapes
Treat backslash as a universal escape character: "\n" is a newline,
backslash escapes any non-alphanumeric character.

This affects some test cases that had "\," standing for backslash-comma.
With the new uniform treatment of backslashes, this needs to be "\\,".

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-04-26 19:39:54 +02:00
Mukesh Bharsakle
1a4cc5e92c updating test-ca.key to use AES instead of DES
Signed-off-by: Mukesh Bharsakle <bharsaklemukesh975@gmail.com>
2023-04-10 14:05:42 +01:00
Manuel Pégourié-Gonnard
a946489efd X.509: use MD_CAN macros
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-21 16:28:00 +01:00
Valerio Setti
00a6c6fcbe test: fix for using proper sign/verify macros
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-08 13:52:31 +01:00
Valerio Setti
fcc6933a53 test: fix disparities in x509parse and x509write suites
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-08 13:52:31 +01:00
Valerio Setti
18b9b035ad test: add test for a full length serial of 0xFF
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-01-27 11:47:57 +01:00
Valerio Setti
856cec45eb test: x509: add more tests for checking certificate serial
- added 2 new certificates: 1 for testing a serial which is full lenght
  and another one for a serial which starts with 0x80

- added also proper Makefile and openssl configuration file to generate
  these 2 new certificates

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2023-01-12 17:01:45 +01:00
Valerio Setti
ea19d2db73 changelog: fixed typos
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2023-01-12 17:01:44 +01:00
Valerio Setti
aad8dbd38d test: fix tests for x509write_crt_set_serial(_new)
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2023-01-12 17:01:44 +01:00
Manuel Pégourié-Gonnard
edce0b42fb
Merge pull request #6454 from valeriosetti/issue4577
Adding unit test for mbedtls_x509write_csr_set_extension()
2022-11-15 09:39:07 +01:00
Valerio Setti
48e8fc737a Adding unit test for mbedtls_x509write_csr_set_extension()
The already existing "x509_csr_check()" function is extended in order
to support/test also CSR's extensions. The test is performed by
adding an extended key usage.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-14 13:32:07 +01:00
Nicholas Wilson
ca841d32db Add test for mbedtls_x509write_crt_set_ext_key_usage, and fix reversed order
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-08-30 10:25:43 +01:00
Przemek Stekiel
76b753bbb7 Change the dependencies in pem.c to xxx_BASED_ON_USE_PSA and related files
This is done to be able to bild test_psa_crypto_config_accel_hash component where MD5 is only available accelerated (PSA_WANT_ALG_MD5 is enabled and MBEDTLS_MD5_C is disabled) but MBEDTLS_USE_PSA_CRYPTO is disabled.
So the build should not attempt to enable pem_pbkdf1.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-08-19 10:15:56 +02:00
Przemek Stekiel
050819c19e test_suite_x509write: Move MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA dependency for x509_crt_check to .function file
mbedtls_x509write_crt_set_subject_key_identifier() requires MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-08-19 10:15:56 +02:00
Przemek Stekiel
d34f8c36b8 x509 tests: adjust dependencies
*** Comparing before-default -> after-default ***
   x509parse: total 723; skipped  26 ->  26
   x509write: total  41; skipped   8 ->   8

*** Comparing before-full -> after-full ***
   x509parse: total 723; skipped  25 ->  25
   x509write: total  41; skipped   0 ->   0

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-08-19 10:15:56 +02:00
Werner Lewis
b33dacdb50 Fix parsing of special chars in X509 DN values
Use escape mechanism defined in RFC 1779 when parsing commas and other
special characters in X509 DN values. Resolves failures when generating
a certificate with a CSR containing a comma in subject value.
Fixes #769.

Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-27 11:19:50 +01:00
Werner Lewis
acd01e58a3 Use ASN1 UTC tags for dates before 2000
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-01 16:24:28 +01:00
Neil Armstrong
6ce6dd9bd7 Add Test generating certificates using an opaque EC key
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-13 10:32:03 +02:00
Neil Armstrong
98f899c7a5 Test generating certificates using an opaque RSA key
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-13 10:31:38 +02:00
Neil Armstrong
9fb9203182 Test generating CSRs using an opaque RSA key
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-13 10:31:08 +02:00
TRodziewicz
10e8cf5fef Remove MD2, MD4, RC4, Blowfish and XTEA
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-16 10:34:25 +02:00
Mateusz Starzyk
e3c48b4a88 Separate SHA224 from SHA256 config options.
These options are still dependant on each other.
This is an intermediate step.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-04-28 14:38:37 +02:00
Mateusz Starzyk
3352a53475 Modify config option for SHA384.
Although SHA512 is currently required to enable SHA384, this
is expected to change in the future. This commit is an
intermediate step towards fully separating SHA384 and SHA512.

check_config is the only module which enforces that SHA512 is
enabled together with SHA384.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-04-28 14:38:37 +02:00