test_suite_x509parse.function (51943B)
1 /* BEGIN_HEADER */ 2 #include "mbedtls/bignum.h" 3 #include "mbedtls/x509.h" 4 #include "mbedtls/x509_crt.h" 5 #include "mbedtls/x509_crl.h" 6 #include "mbedtls/x509_csr.h" 7 #include "x509_internal.h" 8 #include "mbedtls/pem.h" 9 #include "mbedtls/oid.h" 10 #include "mbedtls/base64.h" 11 #include "mbedtls/error.h" 12 #include "mbedtls/pk.h" 13 #include "string.h" 14 15 #if MBEDTLS_X509_MAX_INTERMEDIATE_CA > 19 16 #error "The value of MBEDTLS_X509_MAX_INTERMEDIATE_C is larger \ 17 than the current threshold 19. To test larger values, please \ 18 adapt the script framework/data_files/dir-max/long.sh." 19 #endif 20 21 /* Test-only profile allowing all digests, PK algorithms, and curves. */ 22 const mbedtls_x509_crt_profile profile_all = 23 { 24 0xFFFFFFFF, /* Any MD */ 25 0xFFFFFFFF, /* Any PK alg */ 26 0xFFFFFFFF, /* Any curve */ 27 1024, 28 }; 29 30 /* Profile for backward compatibility. Allows SHA-1, unlike the default 31 profile. */ 32 const mbedtls_x509_crt_profile compat_profile = 33 { 34 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA1) | 35 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_RIPEMD160) | 36 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA224) | 37 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) | 38 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) | 39 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512), 40 0xFFFFFFFF, /* Any PK alg */ 41 0xFFFFFFFF, /* Any curve */ 42 1024, 43 }; 44 45 const mbedtls_x509_crt_profile profile_rsa3072 = 46 { 47 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) | 48 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) | 49 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512), 50 MBEDTLS_X509_ID_FLAG(MBEDTLS_PK_RSA), 51 0, 52 3072, 53 }; 54 55 const mbedtls_x509_crt_profile profile_sha512 = 56 { 57 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512), 58 0xFFFFFFFF, /* Any PK alg */ 59 0xFFFFFFFF, /* Any curve */ 60 1024, 61 }; 62 63 #if defined(MBEDTLS_X509_CRT_PARSE_C) 64 65 #if defined(MBEDTLS_FS_IO) 66 static int verify_none(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) 67 { 68 ((void) data); 69 ((void) crt); 70 ((void) certificate_depth); 71 *flags |= MBEDTLS_X509_BADCERT_OTHER; 72 73 return 0; 74 } 75 76 static int verify_all(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) 77 { 78 ((void) data); 79 ((void) crt); 80 ((void) certificate_depth); 81 *flags = 0; 82 83 return 0; 84 } 85 86 #if defined(MBEDTLS_X509_CRL_PARSE_C) && \ 87 defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 88 static int ca_callback_fail(void *data, mbedtls_x509_crt const *child, 89 mbedtls_x509_crt **candidates) 90 { 91 ((void) data); 92 ((void) child); 93 ((void) candidates); 94 95 return -1; 96 } 97 98 static int ca_callback(void *data, mbedtls_x509_crt const *child, 99 mbedtls_x509_crt **candidates) 100 { 101 int ret = 0; 102 mbedtls_x509_crt *ca = (mbedtls_x509_crt *) data; 103 mbedtls_x509_crt *first; 104 105 /* This is a test-only implementation of the CA callback 106 * which always returns the entire list of trusted certificates. 107 * Production implementations managing a large number of CAs 108 * should use an efficient presentation and lookup for the 109 * set of trusted certificates (such as a hashtable) and only 110 * return those trusted certificates which satisfy basic 111 * parental checks, such as the matching of child `Issuer` 112 * and parent `Subject` field. */ 113 ((void) child); 114 115 first = mbedtls_calloc(1, sizeof(mbedtls_x509_crt)); 116 if (first == NULL) { 117 ret = -1; 118 goto exit; 119 } 120 mbedtls_x509_crt_init(first); 121 122 if (mbedtls_x509_crt_parse_der(first, ca->raw.p, ca->raw.len) != 0) { 123 ret = -1; 124 goto exit; 125 } 126 127 while (ca->next != NULL) { 128 ca = ca->next; 129 if (mbedtls_x509_crt_parse_der(first, ca->raw.p, ca->raw.len) != 0) { 130 ret = -1; 131 goto exit; 132 } 133 } 134 135 exit: 136 137 if (ret != 0) { 138 mbedtls_x509_crt_free(first); 139 mbedtls_free(first); 140 first = NULL; 141 } 142 143 *candidates = first; 144 return ret; 145 } 146 #endif /* MBEDTLS_X509_CRL_PARSE_C && MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 147 148 static int verify_fatal(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) 149 { 150 int *levels = (int *) data; 151 152 ((void) crt); 153 ((void) certificate_depth); 154 155 /* Simulate a fatal error in the callback */ 156 if (*levels & (1 << certificate_depth)) { 157 *flags |= (1 << certificate_depth); 158 return -1 - certificate_depth; 159 } 160 161 return 0; 162 } 163 164 /* strsep() not available on Windows */ 165 static char *mystrsep(char **stringp, const char *delim) 166 { 167 const char *p; 168 char *ret = *stringp; 169 170 if (*stringp == NULL) { 171 return NULL; 172 } 173 174 for (;; (*stringp)++) { 175 if (**stringp == '\0') { 176 *stringp = NULL; 177 goto done; 178 } 179 180 for (p = delim; *p != '\0'; p++) { 181 if (**stringp == *p) { 182 **stringp = '\0'; 183 (*stringp)++; 184 goto done; 185 } 186 } 187 } 188 189 done: 190 return ret; 191 } 192 193 typedef struct { 194 char buf[512]; 195 char *p; 196 } verify_print_context; 197 198 static void verify_print_init(verify_print_context *ctx) 199 { 200 memset(ctx, 0, sizeof(verify_print_context)); 201 ctx->p = ctx->buf; 202 } 203 204 static int verify_print(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) 205 { 206 int ret; 207 verify_print_context *ctx = (verify_print_context *) data; 208 char *p = ctx->p; 209 size_t n = ctx->buf + sizeof(ctx->buf) - ctx->p; 210 ((void) flags); 211 212 ret = mbedtls_snprintf(p, n, "depth %d - serial ", certificate_depth); 213 MBEDTLS_X509_SAFE_SNPRINTF; 214 215 ret = mbedtls_x509_serial_gets(p, n, &crt->serial); 216 MBEDTLS_X509_SAFE_SNPRINTF; 217 218 ret = mbedtls_snprintf(p, n, " - subject "); 219 MBEDTLS_X509_SAFE_SNPRINTF; 220 221 ret = mbedtls_x509_dn_gets(p, n, &crt->subject); 222 MBEDTLS_X509_SAFE_SNPRINTF; 223 224 ret = mbedtls_snprintf(p, n, " - flags 0x%08x\n", *flags); 225 MBEDTLS_X509_SAFE_SNPRINTF; 226 227 ctx->p = p; 228 229 return 0; 230 } 231 232 static int verify_parse_san(mbedtls_x509_subject_alternative_name *san, 233 char **buf, size_t *size) 234 { 235 int ret; 236 size_t i; 237 char *p = *buf; 238 size_t n = *size; 239 240 ret = mbedtls_snprintf(p, n, "type : %d", san->type); 241 MBEDTLS_X509_SAFE_SNPRINTF; 242 243 switch (san->type) { 244 case (MBEDTLS_X509_SAN_OTHER_NAME): 245 ret = mbedtls_snprintf(p, n, "\notherName :"); 246 MBEDTLS_X509_SAFE_SNPRINTF; 247 248 if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, 249 &san->san.other_name.type_id) == 0) { 250 ret = mbedtls_snprintf(p, n, " hardware module name :"); 251 MBEDTLS_X509_SAFE_SNPRINTF; 252 ret = mbedtls_snprintf(p, n, " hardware type : "); 253 MBEDTLS_X509_SAFE_SNPRINTF; 254 255 ret = mbedtls_oid_get_numeric_string(p, 256 n, 257 &san->san.other_name.value.hardware_module_name 258 .oid); 259 MBEDTLS_X509_SAFE_SNPRINTF; 260 261 ret = mbedtls_snprintf(p, n, ", hardware serial number : "); 262 MBEDTLS_X509_SAFE_SNPRINTF; 263 264 for (i = 0; i < san->san.other_name.value.hardware_module_name.val.len; i++) { 265 ret = mbedtls_snprintf(p, 266 n, 267 "%02X", 268 san->san.other_name.value.hardware_module_name.val.p[i]); 269 MBEDTLS_X509_SAFE_SNPRINTF; 270 } 271 } 272 break;/* MBEDTLS_OID_ON_HW_MODULE_NAME */ 273 case (MBEDTLS_X509_SAN_DNS_NAME): 274 ret = mbedtls_snprintf(p, n, "\ndNSName : "); 275 MBEDTLS_X509_SAFE_SNPRINTF; 276 if (san->san.unstructured_name.len >= n) { 277 *p = '\0'; 278 return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; 279 } 280 n -= san->san.unstructured_name.len; 281 for (i = 0; i < san->san.unstructured_name.len; i++) { 282 *p++ = san->san.unstructured_name.p[i]; 283 } 284 break;/* MBEDTLS_X509_SAN_DNS_NAME */ 285 case (MBEDTLS_X509_SAN_RFC822_NAME): 286 ret = mbedtls_snprintf(p, n, "\nrfc822Name : "); 287 MBEDTLS_X509_SAFE_SNPRINTF; 288 if (san->san.unstructured_name.len >= n) { 289 *p = '\0'; 290 return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; 291 } 292 n -= san->san.unstructured_name.len; 293 for (i = 0; i < san->san.unstructured_name.len; i++) { 294 *p++ = san->san.unstructured_name.p[i]; 295 } 296 break;/* MBEDTLS_X509_SAN_RFC822_NAME */ 297 case (MBEDTLS_X509_SAN_DIRECTORY_NAME): 298 ret = mbedtls_snprintf(p, n, "\ndirectoryName : "); 299 MBEDTLS_X509_SAFE_SNPRINTF; 300 ret = mbedtls_x509_dn_gets(p, n, &san->san.directory_name); 301 if (ret < 0) { 302 return ret; 303 } 304 305 p += ret; 306 n -= ret; 307 break;/* MBEDTLS_X509_SAN_DIRECTORY_NAME */ 308 default: 309 /* 310 * Should not happen. 311 */ 312 return -1; 313 } 314 ret = mbedtls_snprintf(p, n, "\n"); 315 MBEDTLS_X509_SAFE_SNPRINTF; 316 317 *size = n; 318 *buf = p; 319 320 return 0; 321 } 322 #endif /* MBEDTLS_FS_IO */ 323 324 static int parse_crt_ext_cb(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid, 325 int critical, const unsigned char *cp, const unsigned char *end) 326 { 327 (void) crt; 328 (void) critical; 329 mbedtls_x509_buf *new_oid = (mbedtls_x509_buf *) p_ctx; 330 if (oid->tag == MBEDTLS_ASN1_OID && 331 MBEDTLS_OID_CMP(MBEDTLS_OID_CERTIFICATE_POLICIES, oid) == 0) { 332 /* Handle unknown certificate policy */ 333 int ret, parse_ret = 0; 334 size_t len; 335 unsigned char **p = (unsigned char **) &cp; 336 337 /* Get main sequence tag */ 338 ret = mbedtls_asn1_get_tag(p, end, &len, 339 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); 340 if (ret != 0) { 341 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 342 } 343 344 if (*p + len != end) { 345 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 346 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 347 } 348 349 /* 350 * Cannot be an empty sequence. 351 */ 352 if (len == 0) { 353 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 354 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 355 } 356 357 while (*p < end) { 358 const unsigned char *policy_end; 359 360 /* 361 * Get the policy sequence 362 */ 363 if ((ret = mbedtls_asn1_get_tag(p, end, &len, 364 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 365 0) { 366 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 367 } 368 369 policy_end = *p + len; 370 371 if ((ret = mbedtls_asn1_get_tag(p, policy_end, &len, 372 MBEDTLS_ASN1_OID)) != 0) { 373 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 374 } 375 376 /* 377 * Recognize exclusively the policy with OID 1 378 */ 379 if (len != 1 || *p[0] != 1) { 380 parse_ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE; 381 } 382 383 *p += len; 384 385 /* 386 * If there is an optional qualifier, then *p < policy_end 387 * Check the Qualifier len to verify it doesn't exceed policy_end. 388 */ 389 if (*p < policy_end) { 390 if ((ret = mbedtls_asn1_get_tag(p, policy_end, &len, 391 MBEDTLS_ASN1_CONSTRUCTED | 392 MBEDTLS_ASN1_SEQUENCE)) != 0) { 393 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 394 } 395 /* 396 * Skip the optional policy qualifiers. 397 */ 398 *p += len; 399 } 400 401 if (*p != policy_end) { 402 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 403 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 404 } 405 } 406 407 if (*p != end) { 408 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 409 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 410 } 411 412 return parse_ret; 413 } else if (new_oid != NULL && new_oid->tag == oid->tag && new_oid->len == oid->len && 414 memcmp(new_oid->p, oid->p, oid->len) == 0) { 415 return 0; 416 } else { 417 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 418 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG); 419 } 420 } 421 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 422 423 #if defined(MBEDTLS_X509_CSR_PARSE_C) && \ 424 !defined(MBEDTLS_X509_REMOVE_INFO) 425 static int parse_csr_ext_accept_cb(void *p_ctx, 426 mbedtls_x509_csr const *csr, 427 mbedtls_x509_buf const *oid, 428 int critical, 429 const unsigned char *cp, 430 const unsigned char *end) 431 { 432 (void) p_ctx; 433 (void) csr; 434 (void) oid; 435 (void) critical; 436 (void) cp; 437 (void) end; 438 439 return 0; 440 } 441 442 static int parse_csr_ext_reject_cb(void *p_ctx, 443 mbedtls_x509_csr const *csr, 444 mbedtls_x509_buf const *oid, 445 int critical, 446 const unsigned char *cp, 447 const unsigned char *end) 448 { 449 (void) p_ctx; 450 (void) csr; 451 (void) oid; 452 (void) critical; 453 (void) cp; 454 (void) end; 455 456 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 457 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG); 458 } 459 #endif /* MBEDTLS_X509_CSR_PARSE_C && !MBEDTLS_X509_REMOVE_INFO */ 460 /* END_HEADER */ 461 462 /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ 463 void x509_accessor_ext_types(int ext_type, int has_ext_type) 464 { 465 mbedtls_x509_crt crt; 466 int expected_result = ext_type & has_ext_type; 467 468 mbedtls_x509_crt_init(&crt); 469 USE_PSA_INIT(); 470 471 crt.ext_types = ext_type; 472 473 TEST_EQUAL(mbedtls_x509_crt_has_ext_type(&crt, has_ext_type), expected_result); 474 475 exit: 476 mbedtls_x509_crt_free(&crt); 477 USE_PSA_DONE(); 478 } 479 /* END_CASE */ 480 481 /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_TEST_HOOKS */ 482 void x509_crt_parse_cn_inet_pton(const char *cn, data_t *exp, int ref_ret) 483 { 484 uint32_t addr[4]; 485 size_t addrlen = mbedtls_x509_crt_parse_cn_inet_pton(cn, addr); 486 TEST_EQUAL(addrlen, (size_t) ref_ret); 487 488 if (addrlen) { 489 TEST_MEMORY_COMPARE(exp->x, exp->len, addr, addrlen); 490 } 491 } 492 /* END_CASE */ 493 494 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 495 void x509_parse_san(char *crt_file, char *result_str, int parse_result) 496 { 497 int ret; 498 mbedtls_x509_crt crt; 499 mbedtls_x509_subject_alternative_name san; 500 mbedtls_x509_sequence *cur = NULL; 501 char buf[2000]; 502 char *p = buf; 503 size_t n = sizeof(buf); 504 505 mbedtls_x509_crt_init(&crt); 506 USE_PSA_INIT(); 507 memset(buf, 0, 2000); 508 509 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), parse_result); 510 511 if (parse_result != 0) { 512 goto exit; 513 } 514 if (crt.ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) { 515 cur = &crt.subject_alt_names; 516 while (cur != NULL) { 517 ret = mbedtls_x509_parse_subject_alt_name(&cur->buf, &san); 518 TEST_ASSERT(ret == 0 || ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE); 519 /* 520 * If san type not supported, ignore. 521 */ 522 if (ret == 0) { 523 ret = verify_parse_san(&san, &p, &n); 524 mbedtls_x509_free_subject_alt_name(&san); 525 TEST_EQUAL(ret, 0); 526 } 527 cur = cur->next; 528 } 529 } 530 531 TEST_EQUAL(strcmp(buf, result_str), 0); 532 533 exit: 534 mbedtls_x509_crt_free(&crt); 535 USE_PSA_DONE(); 536 } 537 /* END_CASE */ 538 539 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:!MBEDTLS_X509_REMOVE_INFO:MBEDTLS_X509_CRT_PARSE_C */ 540 void x509_cert_info(char *crt_file, char *result_str) 541 { 542 mbedtls_x509_crt crt; 543 char buf[2000]; 544 int res; 545 546 mbedtls_x509_crt_init(&crt); 547 USE_PSA_INIT(); 548 memset(buf, 0, 2000); 549 550 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 551 res = mbedtls_x509_crt_info(buf, 2000, "", &crt); 552 553 TEST_ASSERT(res != -1); 554 TEST_ASSERT(res != -2); 555 556 TEST_EQUAL(strcmp(buf, result_str), 0); 557 558 exit: 559 mbedtls_x509_crt_free(&crt); 560 USE_PSA_DONE(); 561 } 562 /* END_CASE */ 563 564 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRL_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 565 void mbedtls_x509_crl_info(char *crl_file, char *result_str) 566 { 567 mbedtls_x509_crl crl; 568 char buf[2000]; 569 int res; 570 571 mbedtls_x509_crl_init(&crl); 572 USE_PSA_INIT(); 573 memset(buf, 0, 2000); 574 575 TEST_EQUAL(mbedtls_x509_crl_parse_file(&crl, crl_file), 0); 576 res = mbedtls_x509_crl_info(buf, 2000, "", &crl); 577 578 TEST_ASSERT(res != -1); 579 TEST_ASSERT(res != -2); 580 581 TEST_EQUAL(strcmp(buf, result_str), 0); 582 583 exit: 584 mbedtls_x509_crl_free(&crl); 585 USE_PSA_DONE(); 586 } 587 /* END_CASE */ 588 589 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRL_PARSE_C */ 590 void mbedtls_x509_crl_parse(char *crl_file, int result) 591 { 592 mbedtls_x509_crl crl; 593 char buf[2000]; 594 595 mbedtls_x509_crl_init(&crl); 596 USE_PSA_INIT(); 597 memset(buf, 0, 2000); 598 599 TEST_EQUAL(mbedtls_x509_crl_parse_file(&crl, crl_file), result); 600 601 exit: 602 mbedtls_x509_crl_free(&crl); 603 USE_PSA_DONE(); 604 } 605 /* END_CASE */ 606 607 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CSR_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 608 void mbedtls_x509_csr_info(char *csr_file, char *result_str) 609 { 610 mbedtls_x509_csr csr; 611 char buf[2000]; 612 int res; 613 614 mbedtls_x509_csr_init(&csr); 615 USE_PSA_INIT(); 616 memset(buf, 0, 2000); 617 618 TEST_EQUAL(mbedtls_x509_csr_parse_file(&csr, csr_file), 0); 619 res = mbedtls_x509_csr_info(buf, 2000, "", &csr); 620 621 TEST_ASSERT(res != -1); 622 TEST_ASSERT(res != -2); 623 624 TEST_EQUAL(strcmp(buf, result_str), 0); 625 626 exit: 627 mbedtls_x509_csr_free(&csr); 628 USE_PSA_DONE(); 629 } 630 /* END_CASE */ 631 632 /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 633 void x509_verify_info(int flags, char *prefix, char *result_str) 634 { 635 char buf[2000]; 636 int res; 637 638 USE_PSA_INIT(); 639 memset(buf, 0, sizeof(buf)); 640 641 res = mbedtls_x509_crt_verify_info(buf, sizeof(buf), prefix, flags); 642 643 TEST_ASSERT(res >= 0); 644 645 TEST_EQUAL(strcmp(buf, result_str), 0); 646 647 exit: 648 USE_PSA_DONE(); 649 } 650 /* END_CASE */ 651 652 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECDSA_C */ 653 void x509_verify_restart(char *crt_file, char *ca_file, 654 int result, int flags_result, 655 int max_ops, int min_restart, int max_restart) 656 { 657 int ret, cnt_restart; 658 mbedtls_x509_crt_restart_ctx rs_ctx; 659 mbedtls_x509_crt crt; 660 mbedtls_x509_crt ca; 661 uint32_t flags = 0; 662 663 /* 664 * See comments on ecp_test_vect_restart() for op count precision. 665 * 666 * For reference, with Mbed TLS 2.6 and default settings: 667 * - ecdsa_verify() for P-256: ~ 6700 668 * - ecdsa_verify() for P-384: ~ 18800 669 * - x509_verify() for server5 -> test-ca2: ~ 18800 670 * - x509_verify() for server10 -> int-ca3 -> int-ca2: ~ 25500 671 */ 672 mbedtls_x509_crt_restart_init(&rs_ctx); 673 mbedtls_x509_crt_init(&crt); 674 mbedtls_x509_crt_init(&ca); 675 MD_OR_USE_PSA_INIT(); 676 677 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 678 TEST_EQUAL(mbedtls_x509_crt_parse_file(&ca, ca_file), 0); 679 680 mbedtls_ecp_set_max_ops(max_ops); 681 682 cnt_restart = 0; 683 do { 684 ret = mbedtls_x509_crt_verify_restartable(&crt, &ca, NULL, 685 &mbedtls_x509_crt_profile_default, NULL, &flags, 686 NULL, NULL, &rs_ctx); 687 } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart); 688 689 TEST_EQUAL(ret, result); 690 TEST_EQUAL(flags, (uint32_t) flags_result); 691 692 TEST_ASSERT(cnt_restart >= min_restart); 693 TEST_ASSERT(cnt_restart <= max_restart); 694 695 /* Do we leak memory when aborting? */ 696 ret = mbedtls_x509_crt_verify_restartable(&crt, &ca, NULL, 697 &mbedtls_x509_crt_profile_default, NULL, &flags, 698 NULL, NULL, &rs_ctx); 699 TEST_ASSERT(ret == result || ret == MBEDTLS_ERR_ECP_IN_PROGRESS); 700 701 exit: 702 mbedtls_x509_crt_restart_free(&rs_ctx); 703 mbedtls_x509_crt_free(&crt); 704 mbedtls_x509_crt_free(&ca); 705 MD_OR_USE_PSA_DONE(); 706 } 707 /* END_CASE */ 708 709 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C */ 710 void x509_verify(char *crt_file, char *ca_file, char *crl_file, 711 char *cn_name_str, int result, int flags_result, 712 char *profile_str, 713 char *verify_callback) 714 { 715 mbedtls_x509_crt crt; 716 mbedtls_x509_crt ca; 717 mbedtls_x509_crl crl; 718 uint32_t flags = 0; 719 int res; 720 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) = NULL; 721 char *cn_name = NULL; 722 const mbedtls_x509_crt_profile *profile; 723 724 mbedtls_x509_crt_init(&crt); 725 mbedtls_x509_crt_init(&ca); 726 mbedtls_x509_crl_init(&crl); 727 MD_OR_USE_PSA_INIT(); 728 729 if (strcmp(cn_name_str, "NULL") != 0) { 730 cn_name = cn_name_str; 731 } 732 733 if (strcmp(profile_str, "") == 0) { 734 profile = &mbedtls_x509_crt_profile_default; 735 } else if (strcmp(profile_str, "next") == 0) { 736 profile = &mbedtls_x509_crt_profile_next; 737 } else if (strcmp(profile_str, "suite_b") == 0) { 738 profile = &mbedtls_x509_crt_profile_suiteb; 739 } else if (strcmp(profile_str, "compat") == 0) { 740 profile = &compat_profile; 741 } else if (strcmp(profile_str, "all") == 0) { 742 profile = &profile_all; 743 } else { 744 TEST_FAIL("Unknown algorithm profile"); 745 } 746 747 if (strcmp(verify_callback, "NULL") == 0) { 748 f_vrfy = NULL; 749 } else if (strcmp(verify_callback, "verify_none") == 0) { 750 f_vrfy = verify_none; 751 } else if (strcmp(verify_callback, "verify_all") == 0) { 752 f_vrfy = verify_all; 753 } else { 754 TEST_FAIL("No known verify callback selected"); 755 } 756 757 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 758 TEST_EQUAL(mbedtls_x509_crt_parse_file(&ca, ca_file), 0); 759 TEST_EQUAL(mbedtls_x509_crl_parse_file(&crl, crl_file), 0); 760 761 res = mbedtls_x509_crt_verify_with_profile(&crt, 762 &ca, 763 &crl, 764 profile, 765 cn_name, 766 &flags, 767 f_vrfy, 768 NULL); 769 770 TEST_EQUAL(res, result); 771 TEST_EQUAL(flags, (uint32_t) flags_result); 772 773 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 774 /* CRLs aren't supported with CA callbacks, so skip the CA callback 775 * version of the test if CRLs are in use. */ 776 if (strcmp(crl_file, "") == 0) { 777 flags = 0; 778 779 res = mbedtls_x509_crt_verify_with_ca_cb(&crt, 780 ca_callback, 781 &ca, 782 profile, 783 cn_name, 784 &flags, 785 f_vrfy, 786 NULL); 787 788 TEST_EQUAL(res, result); 789 TEST_EQUAL(flags, (uint32_t) (flags_result)); 790 } 791 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 792 exit: 793 mbedtls_x509_crt_free(&crt); 794 mbedtls_x509_crt_free(&ca); 795 mbedtls_x509_crl_free(&crl); 796 MD_OR_USE_PSA_DONE(); 797 } 798 /* END_CASE */ 799 800 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C:MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 801 void x509_verify_ca_cb_failure(char *crt_file, char *ca_file, char *name, 802 int exp_ret) 803 { 804 int ret; 805 mbedtls_x509_crt crt; 806 mbedtls_x509_crt ca; 807 uint32_t flags = 0; 808 809 mbedtls_x509_crt_init(&crt); 810 mbedtls_x509_crt_init(&ca); 811 USE_PSA_INIT(); 812 813 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 814 TEST_EQUAL(mbedtls_x509_crt_parse_file(&ca, ca_file), 0); 815 816 if (strcmp(name, "NULL") == 0) { 817 name = NULL; 818 } 819 820 ret = mbedtls_x509_crt_verify_with_ca_cb(&crt, ca_callback_fail, &ca, 821 &compat_profile, name, &flags, 822 NULL, NULL); 823 824 TEST_EQUAL(ret, exp_ret); 825 TEST_EQUAL(flags, (uint32_t) (-1)); 826 exit: 827 mbedtls_x509_crt_free(&crt); 828 mbedtls_x509_crt_free(&ca); 829 USE_PSA_DONE(); 830 } 831 /* END_CASE */ 832 833 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 834 void x509_verify_callback(char *crt_file, char *ca_file, char *name, 835 int exp_ret, char *exp_vrfy_out) 836 { 837 int ret; 838 mbedtls_x509_crt crt; 839 mbedtls_x509_crt ca; 840 uint32_t flags = 0; 841 verify_print_context vrfy_ctx; 842 843 mbedtls_x509_crt_init(&crt); 844 mbedtls_x509_crt_init(&ca); 845 MD_OR_USE_PSA_INIT(); 846 847 verify_print_init(&vrfy_ctx); 848 849 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 850 TEST_EQUAL(mbedtls_x509_crt_parse_file(&ca, ca_file), 0); 851 852 if (strcmp(name, "NULL") == 0) { 853 name = NULL; 854 } 855 856 ret = mbedtls_x509_crt_verify_with_profile(&crt, &ca, NULL, 857 &compat_profile, 858 name, &flags, 859 verify_print, &vrfy_ctx); 860 861 TEST_EQUAL(ret, exp_ret); 862 TEST_EQUAL(strcmp(vrfy_ctx.buf, exp_vrfy_out), 0); 863 864 exit: 865 mbedtls_x509_crt_free(&crt); 866 mbedtls_x509_crt_free(&ca); 867 MD_OR_USE_PSA_DONE(); 868 } 869 /* END_CASE */ 870 871 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 872 void mbedtls_x509_dn_gets_subject_replace(char *crt_file, 873 char *new_subject_ou, 874 char *result_str, 875 int ret) 876 { 877 mbedtls_x509_crt crt; 878 char buf[2000]; 879 int res = 0; 880 881 mbedtls_x509_crt_init(&crt); 882 USE_PSA_INIT(); 883 884 memset(buf, 0, 2000); 885 886 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 887 crt.subject.next->val.p = (unsigned char *) new_subject_ou; 888 crt.subject.next->val.len = strlen(new_subject_ou); 889 890 res = mbedtls_x509_dn_gets(buf, 2000, &crt.subject); 891 892 if (ret != 0) { 893 TEST_EQUAL(res, ret); 894 } else { 895 TEST_ASSERT(res != -1); 896 TEST_ASSERT(res != -2); 897 TEST_EQUAL(strcmp(buf, result_str), 0); 898 } 899 exit: 900 mbedtls_x509_crt_free(&crt); 901 USE_PSA_DONE(); 902 } 903 /* END_CASE */ 904 905 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 906 void mbedtls_x509_dn_gets(char *crt_file, char *entity, char *result_str) 907 { 908 mbedtls_x509_crt crt; 909 char buf[2000]; 910 int res = 0; 911 912 mbedtls_x509_crt_init(&crt); 913 USE_PSA_INIT(); 914 915 memset(buf, 0, 2000); 916 917 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 918 if (strcmp(entity, "subject") == 0) { 919 res = mbedtls_x509_dn_gets(buf, 2000, &crt.subject); 920 } else if (strcmp(entity, "issuer") == 0) { 921 res = mbedtls_x509_dn_gets(buf, 2000, &crt.issuer); 922 } else { 923 TEST_FAIL("Unknown entity"); 924 } 925 926 TEST_ASSERT(res != -1); 927 TEST_ASSERT(res != -2); 928 929 TEST_EQUAL(strcmp(buf, result_str), 0); 930 931 exit: 932 mbedtls_x509_crt_free(&crt); 933 USE_PSA_DONE(); 934 } 935 /* END_CASE */ 936 937 /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ 938 void mbedtls_x509_get_name(char *rdn_sequence, int exp_ret) 939 { 940 unsigned char *name = NULL; 941 unsigned char *p; 942 size_t name_len; 943 mbedtls_x509_name head; 944 int ret; 945 946 USE_PSA_INIT(); 947 memset(&head, 0, sizeof(head)); 948 949 name = mbedtls_test_unhexify_alloc(rdn_sequence, &name_len); 950 p = name; 951 952 ret = mbedtls_x509_get_name(&p, (name + name_len), &head); 953 if (ret == 0) { 954 mbedtls_asn1_free_named_data_list_shallow(head.next); 955 } 956 957 TEST_EQUAL(ret, exp_ret); 958 959 exit: 960 mbedtls_free(name); 961 USE_PSA_DONE(); 962 } 963 /* END_CASE */ 964 965 /* BEGIN_CASE depends_on:MBEDTLS_X509_CREATE_C:MBEDTLS_X509_USE_C:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 966 void mbedtls_x509_dn_get_next(char *name_str, 967 int next_merged, 968 char *expected_oids, 969 int exp_count, 970 char *exp_dn_gets) 971 { 972 int ret = 0, i; 973 size_t len = 0, out_size; 974 mbedtls_asn1_named_data *names = NULL; 975 mbedtls_x509_name parsed; 976 memset(&parsed, 0, sizeof(parsed)); 977 mbedtls_x509_name *parsed_cur; 978 // Size of buf is maximum required for test cases 979 unsigned char buf[80] = { 0 }; 980 unsigned char *out = NULL; 981 unsigned char *c = buf + sizeof(buf); 982 const char *short_name; 983 984 USE_PSA_INIT(); 985 986 // Additional size required for trailing space 987 out_size = strlen(expected_oids) + 2; 988 TEST_CALLOC(out, out_size); 989 990 TEST_EQUAL(mbedtls_x509_string_to_names(&names, name_str), 0); 991 992 ret = mbedtls_x509_write_names(&c, buf, names); 993 TEST_LE_S(0, ret); 994 995 TEST_EQUAL(mbedtls_asn1_get_tag(&c, buf + sizeof(buf), &len, 996 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE), 0); 997 TEST_EQUAL(mbedtls_x509_get_name(&c, buf + sizeof(buf), &parsed), 0); 998 999 // Iterate over names and set next_merged nodes 1000 parsed_cur = &parsed; 1001 for (; next_merged != 0 && parsed_cur != NULL; next_merged = next_merged >> 1) { 1002 parsed_cur->next_merged = next_merged & 0x01; 1003 parsed_cur = parsed_cur->next; 1004 } 1005 1006 // Iterate over RDN nodes and print OID of first element to buffer 1007 parsed_cur = &parsed; 1008 len = 0; 1009 for (i = 0; parsed_cur != NULL; i++) { 1010 TEST_EQUAL(mbedtls_oid_get_attr_short_name(&parsed_cur->oid, 1011 &short_name), 0); 1012 len += mbedtls_snprintf((char *) out + len, out_size - len, "%s ", short_name); 1013 parsed_cur = mbedtls_x509_dn_get_next(parsed_cur); 1014 } 1015 out[len-1] = 0; 1016 1017 TEST_EQUAL(exp_count, i); 1018 TEST_EQUAL(strcmp((char *) out, expected_oids), 0); 1019 mbedtls_free(out); 1020 out = NULL; 1021 1022 out_size = strlen(exp_dn_gets) + 1; 1023 TEST_CALLOC(out, out_size); 1024 1025 TEST_LE_S(0, mbedtls_x509_dn_gets((char *) out, out_size, &parsed)); 1026 TEST_EQUAL(strcmp((char *) out, exp_dn_gets), 0); 1027 exit: 1028 mbedtls_free(out); 1029 mbedtls_asn1_free_named_data_list(&names); 1030 mbedtls_asn1_free_named_data_list_shallow(parsed.next); 1031 USE_PSA_DONE(); 1032 } 1033 /* END_CASE */ 1034 1035 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1036 void mbedtls_x509_time_is_past(char *crt_file, char *entity, int result) 1037 { 1038 mbedtls_x509_crt crt; 1039 1040 mbedtls_x509_crt_init(&crt); 1041 USE_PSA_INIT(); 1042 1043 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 1044 1045 if (strcmp(entity, "valid_from") == 0) { 1046 TEST_EQUAL(mbedtls_x509_time_is_past(&crt.valid_from), result); 1047 } else if (strcmp(entity, "valid_to") == 0) { 1048 TEST_EQUAL(mbedtls_x509_time_is_past(&crt.valid_to), result); 1049 } else { 1050 TEST_FAIL("Unknown entity"); 1051 } 1052 1053 exit: 1054 mbedtls_x509_crt_free(&crt); 1055 USE_PSA_DONE(); 1056 } 1057 /* END_CASE */ 1058 1059 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1060 void mbedtls_x509_time_is_future(char *crt_file, char *entity, int result) 1061 { 1062 mbedtls_x509_crt crt; 1063 1064 mbedtls_x509_crt_init(&crt); 1065 USE_PSA_INIT(); 1066 1067 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 1068 1069 if (strcmp(entity, "valid_from") == 0) { 1070 TEST_EQUAL(mbedtls_x509_time_is_future(&crt.valid_from), result); 1071 } else if (strcmp(entity, "valid_to") == 0) { 1072 TEST_EQUAL(mbedtls_x509_time_is_future(&crt.valid_to), result); 1073 } else { 1074 TEST_FAIL("Unknown entity"); 1075 } 1076 1077 exit: 1078 mbedtls_x509_crt_free(&crt); 1079 USE_PSA_DONE(); 1080 } 1081 /* END_CASE */ 1082 1083 /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_FS_IO */ 1084 void x509parse_crt_file(char *crt_file, int result) 1085 { 1086 mbedtls_x509_crt crt; 1087 1088 mbedtls_x509_crt_init(&crt); 1089 USE_PSA_INIT(); 1090 1091 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), result); 1092 1093 exit: 1094 mbedtls_x509_crt_free(&crt); 1095 USE_PSA_DONE(); 1096 } 1097 /* END_CASE */ 1098 1099 /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_FS_IO */ 1100 void mbedtls_x509_get_ca_istrue(char *crt_file, int result) 1101 { 1102 mbedtls_x509_crt crt; 1103 mbedtls_x509_crt_init(&crt); 1104 USE_PSA_INIT(); 1105 1106 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 1107 TEST_EQUAL(mbedtls_x509_crt_get_ca_istrue(&crt), result); 1108 exit: 1109 mbedtls_x509_crt_free(&crt); 1110 USE_PSA_DONE(); 1111 } 1112 /* END_CASE */ 1113 1114 /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ 1115 void x509parse_crt(data_t *buf, char *result_str, int result) 1116 { 1117 mbedtls_x509_crt crt; 1118 #if !defined(MBEDTLS_X509_REMOVE_INFO) 1119 unsigned char output[2000] = { 0 }; 1120 int res; 1121 #else 1122 ((void) result_str); 1123 #endif 1124 1125 mbedtls_x509_crt_init(&crt); 1126 USE_PSA_INIT(); 1127 1128 TEST_EQUAL(mbedtls_x509_crt_parse_der(&crt, buf->x, buf->len), result); 1129 #if !defined(MBEDTLS_X509_REMOVE_INFO) 1130 if ((result) == 0) { 1131 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1132 TEST_ASSERT(res != -1); 1133 TEST_ASSERT(res != -2); 1134 1135 TEST_EQUAL(strcmp((char *) output, result_str), 0); 1136 } 1137 memset(output, 0, 2000); 1138 #endif 1139 1140 mbedtls_x509_crt_free(&crt); 1141 mbedtls_x509_crt_init(&crt); 1142 1143 TEST_EQUAL(mbedtls_x509_crt_parse_der_nocopy(&crt, buf->x, buf->len), result); 1144 #if !defined(MBEDTLS_X509_REMOVE_INFO) 1145 if ((result) == 0) { 1146 memset(output, 0, 2000); 1147 1148 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1149 1150 TEST_ASSERT(res != -1); 1151 TEST_ASSERT(res != -2); 1152 1153 TEST_EQUAL(strcmp((char *) output, result_str), 0); 1154 } 1155 memset(output, 0, 2000); 1156 #endif /* !MBEDTLS_X509_REMOVE_INFO */ 1157 1158 mbedtls_x509_crt_free(&crt); 1159 mbedtls_x509_crt_init(&crt); 1160 1161 TEST_EQUAL(mbedtls_x509_crt_parse_der_with_ext_cb(&crt, buf->x, buf->len, 0, NULL, NULL), 1162 result); 1163 #if !defined(MBEDTLS_X509_REMOVE_INFO) 1164 if ((result) == 0) { 1165 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1166 1167 TEST_ASSERT(res != -1); 1168 TEST_ASSERT(res != -2); 1169 1170 TEST_EQUAL(strcmp((char *) output, result_str), 0); 1171 } 1172 memset(output, 0, 2000); 1173 #endif /* !MBEDTLS_X509_REMOVE_INFO */ 1174 1175 mbedtls_x509_crt_free(&crt); 1176 mbedtls_x509_crt_init(&crt); 1177 1178 TEST_EQUAL(mbedtls_x509_crt_parse_der_with_ext_cb(&crt, buf->x, buf->len, 1, NULL, NULL), 1179 result); 1180 #if !defined(MBEDTLS_X509_REMOVE_INFO) 1181 if ((result) == 0) { 1182 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1183 1184 TEST_ASSERT(res != -1); 1185 TEST_ASSERT(res != -2); 1186 1187 TEST_EQUAL(strcmp((char *) output, result_str), 0); 1188 } 1189 #endif /* !MBEDTLS_X509_REMOVE_INFO */ 1190 1191 exit: 1192 mbedtls_x509_crt_free(&crt); 1193 USE_PSA_DONE(); 1194 } 1195 /* END_CASE */ 1196 1197 /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ 1198 void x509parse_crt_cb(data_t *buf, char *result_str, int result) 1199 { 1200 mbedtls_x509_crt crt; 1201 mbedtls_x509_buf oid; 1202 1203 #if !defined(MBEDTLS_X509_REMOVE_INFO) 1204 unsigned char output[2000] = { 0 }; 1205 int res; 1206 #else 1207 ((void) result_str); 1208 #endif 1209 1210 oid.tag = MBEDTLS_ASN1_OID; 1211 oid.len = MBEDTLS_OID_SIZE(MBEDTLS_OID_PKIX "\x01\x1F"); 1212 oid.p = (unsigned char *) MBEDTLS_OID_PKIX "\x01\x1F"; 1213 1214 mbedtls_x509_crt_init(&crt); 1215 USE_PSA_INIT(); 1216 1217 TEST_EQUAL(mbedtls_x509_crt_parse_der_with_ext_cb(&crt, buf->x, buf->len, 0, parse_crt_ext_cb, 1218 &oid), result); 1219 #if !defined(MBEDTLS_X509_REMOVE_INFO) 1220 if ((result) == 0) { 1221 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1222 1223 TEST_ASSERT(res != -1); 1224 TEST_ASSERT(res != -2); 1225 1226 TEST_EQUAL(strcmp((char *) output, result_str), 0); 1227 } 1228 memset(output, 0, 2000); 1229 #endif /* !MBEDTLS_X509_REMOVE_INFO */ 1230 1231 mbedtls_x509_crt_free(&crt); 1232 mbedtls_x509_crt_init(&crt); 1233 1234 TEST_EQUAL(mbedtls_x509_crt_parse_der_with_ext_cb(&crt, buf->x, buf->len, 1, parse_crt_ext_cb, 1235 &oid), (result)); 1236 #if !defined(MBEDTLS_X509_REMOVE_INFO) 1237 if ((result) == 0) { 1238 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1239 1240 TEST_ASSERT(res != -1); 1241 TEST_ASSERT(res != -2); 1242 1243 TEST_EQUAL(strcmp((char *) output, result_str), 0); 1244 } 1245 #endif /* !MBEDTLS_X509_REMOVE_INFO */ 1246 1247 exit: 1248 mbedtls_x509_crt_free(&crt); 1249 USE_PSA_DONE(); 1250 } 1251 /* END_CASE */ 1252 1253 /* BEGIN_CASE depends_on:MBEDTLS_X509_CRL_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 1254 void x509parse_crl(data_t *buf, char *result_str, int result) 1255 { 1256 mbedtls_x509_crl crl; 1257 unsigned char output[2000]; 1258 int res; 1259 1260 mbedtls_x509_crl_init(&crl); 1261 USE_PSA_INIT(); 1262 1263 memset(output, 0, 2000); 1264 1265 1266 TEST_EQUAL(mbedtls_x509_crl_parse(&crl, buf->x, buf->len), (result)); 1267 if ((result) == 0) { 1268 res = mbedtls_x509_crl_info((char *) output, 2000, "", &crl); 1269 1270 TEST_ASSERT(res != -1); 1271 TEST_ASSERT(res != -2); 1272 1273 TEST_EQUAL(strcmp((char *) output, result_str), 0); 1274 } 1275 1276 exit: 1277 mbedtls_x509_crl_free(&crl); 1278 USE_PSA_DONE(); 1279 } 1280 /* END_CASE */ 1281 1282 /* BEGIN_CASE depends_on:MBEDTLS_X509_CSR_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 1283 void mbedtls_x509_csr_parse(data_t *csr_der, char *ref_out, int ref_ret) 1284 { 1285 mbedtls_x509_csr csr; 1286 char my_out[1000]; 1287 int my_ret; 1288 1289 mbedtls_x509_csr_init(&csr); 1290 USE_PSA_INIT(); 1291 1292 memset(my_out, 0, sizeof(my_out)); 1293 1294 my_ret = mbedtls_x509_csr_parse_der(&csr, csr_der->x, csr_der->len); 1295 TEST_EQUAL(my_ret, ref_ret); 1296 1297 if (ref_ret == 0) { 1298 size_t my_out_len = mbedtls_x509_csr_info(my_out, sizeof(my_out), "", &csr); 1299 TEST_EQUAL(my_out_len, strlen(ref_out)); 1300 TEST_EQUAL(strcmp(my_out, ref_out), 0); 1301 } 1302 1303 exit: 1304 mbedtls_x509_csr_free(&csr); 1305 USE_PSA_DONE(); 1306 } 1307 /* END_CASE */ 1308 1309 /* BEGIN_CASE depends_on:MBEDTLS_X509_CSR_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 1310 void mbedtls_x509_csr_parse_with_ext_cb(data_t *csr_der, char *ref_out, int ref_ret, int accept) 1311 { 1312 mbedtls_x509_csr csr; 1313 char my_out[1000]; 1314 int my_ret; 1315 1316 mbedtls_x509_csr_init(&csr); 1317 USE_PSA_INIT(); 1318 1319 memset(my_out, 0, sizeof(my_out)); 1320 1321 my_ret = mbedtls_x509_csr_parse_der_with_ext_cb(&csr, csr_der->x, csr_der->len, 1322 accept ? parse_csr_ext_accept_cb : 1323 parse_csr_ext_reject_cb, 1324 NULL); 1325 TEST_EQUAL(my_ret, ref_ret); 1326 1327 if (ref_ret == 0) { 1328 size_t my_out_len = mbedtls_x509_csr_info(my_out, sizeof(my_out), "", &csr); 1329 TEST_EQUAL(my_out_len, strlen(ref_out)); 1330 TEST_EQUAL(strcmp(my_out, ref_out), 0); 1331 } 1332 1333 exit: 1334 mbedtls_x509_csr_free(&csr); 1335 USE_PSA_DONE(); 1336 } 1337 /* END_CASE */ 1338 1339 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CSR_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 1340 void mbedtls_x509_csr_parse_file(char *csr_file, char *ref_out, int ref_ret) 1341 { 1342 mbedtls_x509_csr csr; 1343 char my_out[1000]; 1344 int my_ret; 1345 1346 mbedtls_x509_csr_init(&csr); 1347 USE_PSA_INIT(); 1348 1349 memset(my_out, 0, sizeof(my_out)); 1350 1351 my_ret = mbedtls_x509_csr_parse_file(&csr, csr_file); 1352 TEST_EQUAL(my_ret, ref_ret); 1353 1354 if (ref_ret == 0) { 1355 size_t my_out_len = mbedtls_x509_csr_info(my_out, sizeof(my_out), "", &csr); 1356 TEST_EQUAL(my_out_len, strlen(ref_out)); 1357 TEST_EQUAL(strcmp(my_out, ref_out), 0); 1358 } 1359 1360 exit: 1361 mbedtls_x509_csr_free(&csr); 1362 USE_PSA_DONE(); 1363 } 1364 /* END_CASE */ 1365 1366 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1367 void mbedtls_x509_crt_parse_file(char *crt_path, int ret, int nb_crt) 1368 { 1369 mbedtls_x509_crt chain, *cur; 1370 int i; 1371 1372 mbedtls_x509_crt_init(&chain); 1373 USE_PSA_INIT(); 1374 1375 TEST_EQUAL(mbedtls_x509_crt_parse_file(&chain, crt_path), ret); 1376 1377 /* Check how many certs we got */ 1378 for (i = 0, cur = &chain; cur != NULL; cur = cur->next) { 1379 if (cur->raw.p != NULL) { 1380 i++; 1381 } 1382 } 1383 1384 TEST_EQUAL(i, nb_crt); 1385 1386 exit: 1387 mbedtls_x509_crt_free(&chain); 1388 USE_PSA_DONE(); 1389 } 1390 /* END_CASE */ 1391 1392 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1393 void mbedtls_x509_crt_parse_path(char *crt_path, int ret, int nb_crt) 1394 { 1395 mbedtls_x509_crt chain, *cur; 1396 int i; 1397 1398 mbedtls_x509_crt_init(&chain); 1399 USE_PSA_INIT(); 1400 1401 TEST_EQUAL(mbedtls_x509_crt_parse_path(&chain, crt_path), ret); 1402 1403 /* Check how many certs we got */ 1404 for (i = 0, cur = &chain; cur != NULL; cur = cur->next) { 1405 if (cur->raw.p != NULL) { 1406 i++; 1407 } 1408 } 1409 1410 TEST_EQUAL(i, nb_crt); 1411 1412 exit: 1413 mbedtls_x509_crt_free(&chain); 1414 USE_PSA_DONE(); 1415 } 1416 /* END_CASE */ 1417 1418 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1419 void mbedtls_x509_crt_verify_max(char *ca_file, char *chain_dir, int nb_int, 1420 int ret_chk, int flags_chk) 1421 { 1422 char file_buf[128]; 1423 int ret; 1424 uint32_t flags; 1425 mbedtls_x509_crt trusted, chain; 1426 1427 /* 1428 * We expect chain_dir to contain certificates 00.crt, 01.crt, etc. 1429 * with NN.crt signed by NN-1.crt 1430 */ 1431 mbedtls_x509_crt_init(&trusted); 1432 mbedtls_x509_crt_init(&chain); 1433 MD_OR_USE_PSA_INIT(); 1434 1435 /* Load trusted root */ 1436 TEST_EQUAL(mbedtls_x509_crt_parse_file(&trusted, ca_file), 0); 1437 1438 /* Load a chain with nb_int intermediates (from 01 to nb_int), 1439 * plus one "end-entity" cert (nb_int + 1) */ 1440 ret = mbedtls_snprintf(file_buf, sizeof(file_buf), "%s/c%02d.pem", chain_dir, 1441 nb_int + 1); 1442 TEST_ASSERT(ret > 0 && (size_t) ret < sizeof(file_buf)); 1443 TEST_EQUAL(mbedtls_x509_crt_parse_file(&chain, file_buf), 0); 1444 1445 /* Try to verify that chain */ 1446 ret = mbedtls_x509_crt_verify(&chain, &trusted, NULL, NULL, &flags, 1447 NULL, NULL); 1448 TEST_EQUAL(ret, ret_chk); 1449 TEST_EQUAL(flags, (uint32_t) flags_chk); 1450 1451 exit: 1452 mbedtls_x509_crt_free(&chain); 1453 mbedtls_x509_crt_free(&trusted); 1454 MD_OR_USE_PSA_DONE(); 1455 } 1456 /* END_CASE */ 1457 1458 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1459 void mbedtls_x509_crt_verify_chain(char *chain_paths, char *trusted_ca, 1460 int flags_result, int result, 1461 char *profile_name, int vrfy_fatal_lvls) 1462 { 1463 char *act; 1464 uint32_t flags; 1465 int res; 1466 mbedtls_x509_crt trusted, chain; 1467 const mbedtls_x509_crt_profile *profile = NULL; 1468 1469 mbedtls_x509_crt_init(&chain); 1470 mbedtls_x509_crt_init(&trusted); 1471 MD_OR_USE_PSA_INIT(); 1472 1473 while ((act = mystrsep(&chain_paths, " ")) != NULL) { 1474 TEST_EQUAL(mbedtls_x509_crt_parse_file(&chain, act), 0); 1475 } 1476 TEST_EQUAL(mbedtls_x509_crt_parse_file(&trusted, trusted_ca), 0); 1477 1478 if (strcmp(profile_name, "") == 0) { 1479 profile = &mbedtls_x509_crt_profile_default; 1480 } else if (strcmp(profile_name, "next") == 0) { 1481 profile = &mbedtls_x509_crt_profile_next; 1482 } else if (strcmp(profile_name, "suiteb") == 0) { 1483 profile = &mbedtls_x509_crt_profile_suiteb; 1484 } else if (strcmp(profile_name, "rsa3072") == 0) { 1485 profile = &profile_rsa3072; 1486 } else if (strcmp(profile_name, "sha512") == 0) { 1487 profile = &profile_sha512; 1488 } 1489 1490 res = mbedtls_x509_crt_verify_with_profile(&chain, &trusted, NULL, profile, 1491 NULL, &flags, verify_fatal, &vrfy_fatal_lvls); 1492 1493 TEST_EQUAL(res, (result)); 1494 TEST_EQUAL(flags, (uint32_t) (flags_result)); 1495 1496 exit: 1497 mbedtls_x509_crt_free(&trusted); 1498 mbedtls_x509_crt_free(&chain); 1499 MD_OR_USE_PSA_DONE(); 1500 } 1501 /* END_CASE */ 1502 1503 /* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C:!MBEDTLS_X509_REMOVE_INFO */ 1504 void x509_oid_desc(data_t *buf, char *ref_desc) 1505 { 1506 mbedtls_x509_buf oid; 1507 const char *desc = NULL; 1508 int ret; 1509 1510 USE_PSA_INIT(); 1511 1512 oid.tag = MBEDTLS_ASN1_OID; 1513 oid.p = buf->x; 1514 oid.len = buf->len; 1515 1516 ret = mbedtls_oid_get_extended_key_usage(&oid, &desc); 1517 1518 if (strcmp(ref_desc, "notfound") == 0) { 1519 TEST_ASSERT(ret != 0); 1520 TEST_ASSERT(desc == NULL); 1521 } else { 1522 TEST_EQUAL(ret, 0); 1523 TEST_ASSERT(desc != NULL); 1524 TEST_EQUAL(strcmp(desc, ref_desc), 0); 1525 } 1526 1527 exit: 1528 USE_PSA_DONE(); 1529 } 1530 /* END_CASE */ 1531 1532 /* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C */ 1533 void x509_oid_numstr(data_t *oid_buf, char *numstr, int blen, int ret) 1534 { 1535 mbedtls_x509_buf oid; 1536 char num_buf[100]; 1537 1538 USE_PSA_INIT(); 1539 1540 memset(num_buf, 0x2a, sizeof(num_buf)); 1541 1542 oid.tag = MBEDTLS_ASN1_OID; 1543 oid.p = oid_buf->x; 1544 oid.len = oid_buf->len; 1545 1546 TEST_ASSERT((size_t) blen <= sizeof(num_buf)); 1547 1548 TEST_EQUAL(mbedtls_oid_get_numeric_string(num_buf, blen, &oid), ret); 1549 1550 if (ret >= 0) { 1551 TEST_EQUAL(num_buf[ret], 0); 1552 TEST_EQUAL(strcmp(num_buf, numstr), 0); 1553 } 1554 1555 exit: 1556 USE_PSA_DONE(); 1557 } 1558 /* END_CASE */ 1559 1560 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1561 void x509_check_key_usage(char *crt_file, int usage, int ret) 1562 { 1563 mbedtls_x509_crt crt; 1564 1565 mbedtls_x509_crt_init(&crt); 1566 USE_PSA_INIT(); 1567 1568 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 1569 1570 TEST_EQUAL(mbedtls_x509_crt_check_key_usage(&crt, usage), ret); 1571 1572 exit: 1573 mbedtls_x509_crt_free(&crt); 1574 USE_PSA_DONE(); 1575 } 1576 /* END_CASE */ 1577 1578 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1579 void x509_check_extended_key_usage(char *crt_file, data_t *oid, int ret 1580 ) 1581 { 1582 mbedtls_x509_crt crt; 1583 1584 mbedtls_x509_crt_init(&crt); 1585 USE_PSA_INIT(); 1586 1587 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 1588 1589 TEST_EQUAL(mbedtls_x509_crt_check_extended_key_usage(&crt, (const char *) oid->x, oid->len), 1590 ret); 1591 1592 exit: 1593 mbedtls_x509_crt_free(&crt); 1594 USE_PSA_DONE(); 1595 } 1596 /* END_CASE */ 1597 1598 /* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C */ 1599 void x509_get_time(int tag, char *time_str, int ret, int year, int mon, 1600 int day, int hour, int min, int sec) 1601 { 1602 mbedtls_x509_time time; 1603 unsigned char buf[21]; 1604 unsigned char *start = buf; 1605 unsigned char *end = buf; 1606 1607 USE_PSA_INIT(); 1608 memset(&time, 0x00, sizeof(time)); 1609 *end = (unsigned char) tag; end++; 1610 *end = strlen(time_str); 1611 TEST_ASSERT(*end < 20); 1612 end++; 1613 memcpy(end, time_str, (size_t) *(end - 1)); 1614 end += *(end - 1); 1615 1616 TEST_EQUAL(mbedtls_x509_get_time(&start, end, &time), ret); 1617 if (ret == 0) { 1618 TEST_EQUAL(year, time.year); 1619 TEST_EQUAL(mon, time.mon); 1620 TEST_EQUAL(day, time.day); 1621 TEST_EQUAL(hour, time.hour); 1622 TEST_EQUAL(min, time.min); 1623 TEST_EQUAL(sec, time.sec); 1624 } 1625 exit: 1626 USE_PSA_DONE(); 1627 } 1628 /* END_CASE */ 1629 1630 /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT */ 1631 void x509_parse_rsassa_pss_params(data_t *params, int params_tag, 1632 int ref_msg_md, int ref_mgf_md, 1633 int ref_salt_len, int ref_ret) 1634 { 1635 int my_ret; 1636 mbedtls_x509_buf buf; 1637 mbedtls_md_type_t my_msg_md, my_mgf_md; 1638 int my_salt_len; 1639 1640 USE_PSA_INIT(); 1641 1642 buf.p = params->x; 1643 buf.len = params->len; 1644 buf.tag = params_tag; 1645 1646 my_ret = mbedtls_x509_get_rsassa_pss_params(&buf, &my_msg_md, &my_mgf_md, 1647 &my_salt_len); 1648 1649 TEST_EQUAL(my_ret, ref_ret); 1650 1651 if (ref_ret == 0) { 1652 TEST_EQUAL(my_msg_md, (mbedtls_md_type_t) ref_msg_md); 1653 TEST_EQUAL(my_mgf_md, (mbedtls_md_type_t) ref_mgf_md); 1654 TEST_EQUAL(my_salt_len, ref_salt_len); 1655 } 1656 1657 exit: 1658 USE_PSA_DONE(); 1659 } 1660 /* END_CASE */ 1661 1662 /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_FS_IO */ 1663 void x509_crt_parse_subjectkeyid(char *file, data_t *subjectKeyId, int ref_ret) 1664 { 1665 mbedtls_x509_crt crt; 1666 1667 mbedtls_x509_crt_init(&crt); 1668 1669 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, file), ref_ret); 1670 1671 if (ref_ret == 0) { 1672 TEST_EQUAL(crt.subject_key_id.tag, MBEDTLS_ASN1_OCTET_STRING); 1673 TEST_EQUAL(memcmp(crt.subject_key_id.p, subjectKeyId->x, subjectKeyId->len), 0); 1674 TEST_EQUAL(crt.subject_key_id.len, subjectKeyId->len); 1675 } else { 1676 TEST_EQUAL(crt.subject_key_id.tag, 0); 1677 TEST_EQUAL(crt.subject_key_id.len, 0); 1678 } 1679 1680 exit: 1681 mbedtls_x509_crt_free(&crt); 1682 } 1683 /* END_CASE */ 1684 1685 /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_FS_IO */ 1686 void x509_crt_parse_authoritykeyid(char *file, 1687 data_t *keyId, 1688 char *authorityKeyId_issuer, 1689 data_t *serial, 1690 int ref_ret) 1691 { 1692 mbedtls_x509_crt crt; 1693 mbedtls_x509_subject_alternative_name san; 1694 char name_buf[128]; 1695 1696 mbedtls_x509_crt_init(&crt); 1697 1698 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, file), ref_ret); 1699 1700 if (ref_ret == 0) { 1701 /* KeyId test */ 1702 if (keyId->len > 0) { 1703 TEST_EQUAL(crt.authority_key_id.keyIdentifier.tag, MBEDTLS_ASN1_OCTET_STRING); 1704 TEST_EQUAL(memcmp(crt.authority_key_id.keyIdentifier.p, keyId->x, keyId->len), 0); 1705 TEST_EQUAL(crt.authority_key_id.keyIdentifier.len, keyId->len); 1706 } else { 1707 TEST_EQUAL(crt.authority_key_id.keyIdentifier.tag, 0); 1708 TEST_EQUAL(crt.authority_key_id.keyIdentifier.len, 0); 1709 } 1710 1711 1712 /* Issuer test */ 1713 if (strlen(authorityKeyId_issuer) > 0) { 1714 mbedtls_x509_sequence *issuerPtr = &crt.authority_key_id.authorityCertIssuer; 1715 1716 TEST_EQUAL(mbedtls_x509_parse_subject_alt_name(&issuerPtr->buf, &san), 0); 1717 1718 TEST_ASSERT(mbedtls_x509_dn_gets(name_buf, sizeof(name_buf), 1719 &san.san.directory_name) 1720 > 0); 1721 TEST_EQUAL(strcmp(name_buf, authorityKeyId_issuer), 0); 1722 1723 mbedtls_x509_free_subject_alt_name(&san); 1724 } 1725 1726 /* Serial test */ 1727 if (serial->len > 0) { 1728 TEST_EQUAL(crt.authority_key_id.authorityCertSerialNumber.tag, 1729 MBEDTLS_ASN1_INTEGER); 1730 TEST_EQUAL(memcmp(crt.authority_key_id.authorityCertSerialNumber.p, 1731 serial->x, serial->len), 0); 1732 TEST_EQUAL(crt.authority_key_id.authorityCertSerialNumber.len, serial->len); 1733 } else { 1734 TEST_EQUAL(crt.authority_key_id.authorityCertSerialNumber.tag, 0); 1735 TEST_EQUAL(crt.authority_key_id.authorityCertSerialNumber.len, 0); 1736 } 1737 1738 } else { 1739 TEST_EQUAL(crt.authority_key_id.keyIdentifier.tag, 0); 1740 TEST_EQUAL(crt.authority_key_id.keyIdentifier.len, 0); 1741 1742 TEST_EQUAL(crt.authority_key_id.authorityCertSerialNumber.tag, 0); 1743 TEST_EQUAL(crt.authority_key_id.authorityCertSerialNumber.len, 0); 1744 } 1745 1746 exit: 1747 mbedtls_x509_crt_free(&crt); 1748 } 1749 /* END_CASE */