1/* BEGIN_HEADER */ 2#include "mbedtls/bignum.h" 3#include "mbedtls/x509.h" 4#include "mbedtls/x509_crt.h" 5#include "mbedtls/x509_crl.h" 6#include "mbedtls/x509_csr.h" 7#include "mbedtls/pem.h" 8#include "mbedtls/oid.h" 9#include "mbedtls/base64.h" 10#include "mbedtls/error.h" 11#include "mbedtls/pk.h" 12#include "string.h" 13 14#include "mbedtls/legacy_or_psa.h" 15 16#if MBEDTLS_X509_MAX_INTERMEDIATE_CA > 19 17#error "The value of MBEDTLS_X509_MAX_INTERMEDIATE_C is larger \ 18 than the current threshold 19. To test larger values, please \ 19 adapt the script tests/data_files/dir-max/long.sh." 20#endif 21 22/* Test-only profile allowing all digests, PK algorithms, and curves. */ 23const mbedtls_x509_crt_profile profile_all = 24{ 25 0xFFFFFFFF, /* Any MD */ 26 0xFFFFFFFF, /* Any PK alg */ 27 0xFFFFFFFF, /* Any curve */ 28 1024, 29}; 30 31/* Profile for backward compatibility. Allows SHA-1, unlike the default 32 profile. */ 33const mbedtls_x509_crt_profile compat_profile = 34{ 35 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA1) | 36 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_RIPEMD160) | 37 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA224) | 38 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) | 39 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) | 40 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512), 41 0xFFFFFFFF, /* Any PK alg */ 42 0xFFFFFFFF, /* Any curve */ 43 1024, 44}; 45 46const mbedtls_x509_crt_profile profile_rsa3072 = 47{ 48 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) | 49 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) | 50 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512), 51 MBEDTLS_X509_ID_FLAG(MBEDTLS_PK_RSA), 52 0, 53 3072, 54}; 55 56const mbedtls_x509_crt_profile profile_sha512 = 57{ 58 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512), 59 0xFFFFFFFF, /* Any PK alg */ 60 0xFFFFFFFF, /* Any curve */ 61 1024, 62}; 63 64int verify_none(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) 65{ 66 ((void) data); 67 ((void) crt); 68 ((void) certificate_depth); 69 *flags |= MBEDTLS_X509_BADCERT_OTHER; 70 71 return 0; 72} 73 74int verify_all(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) 75{ 76 ((void) data); 77 ((void) crt); 78 ((void) certificate_depth); 79 *flags = 0; 80 81 return 0; 82} 83 84#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 85int ca_callback_fail(void *data, mbedtls_x509_crt const *child, mbedtls_x509_crt **candidates) 86{ 87 ((void) data); 88 ((void) child); 89 ((void) candidates); 90 91 return -1; 92} 93#if defined(MBEDTLS_X509_CRT_PARSE_C) 94int ca_callback(void *data, mbedtls_x509_crt const *child, 95 mbedtls_x509_crt **candidates) 96{ 97 int ret = 0; 98 mbedtls_x509_crt *ca = (mbedtls_x509_crt *) data; 99 mbedtls_x509_crt *first; 100 101 /* This is a test-only implementation of the CA callback 102 * which always returns the entire list of trusted certificates. 103 * Production implementations managing a large number of CAs 104 * should use an efficient presentation and lookup for the 105 * set of trusted certificates (such as a hashtable) and only 106 * return those trusted certificates which satisfy basic 107 * parental checks, such as the matching of child `Issuer` 108 * and parent `Subject` field. */ 109 ((void) child); 110 111 first = mbedtls_calloc(1, sizeof(mbedtls_x509_crt)); 112 if (first == NULL) { 113 ret = -1; 114 goto exit; 115 } 116 mbedtls_x509_crt_init(first); 117 118 if (mbedtls_x509_crt_parse_der(first, ca->raw.p, ca->raw.len) != 0) { 119 ret = -1; 120 goto exit; 121 } 122 123 while (ca->next != NULL) { 124 ca = ca->next; 125 if (mbedtls_x509_crt_parse_der(first, ca->raw.p, ca->raw.len) != 0) { 126 ret = -1; 127 goto exit; 128 } 129 } 130 131exit: 132 133 if (ret != 0) { 134 mbedtls_x509_crt_free(first); 135 mbedtls_free(first); 136 first = NULL; 137 } 138 139 *candidates = first; 140 return ret; 141} 142#endif /* MBEDTLS_X509_CRT_PARSE_C */ 143#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 144 145int verify_fatal(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) 146{ 147 int *levels = (int *) data; 148 149 ((void) crt); 150 ((void) certificate_depth); 151 152 /* Simulate a fatal error in the callback */ 153 if (*levels & (1 << certificate_depth)) { 154 *flags |= (1 << certificate_depth); 155 return -1 - certificate_depth; 156 } 157 158 return 0; 159} 160 161/* strsep() not available on Windows */ 162char *mystrsep(char **stringp, const char *delim) 163{ 164 const char *p; 165 char *ret = *stringp; 166 167 if (*stringp == NULL) { 168 return NULL; 169 } 170 171 for (;; (*stringp)++) { 172 if (**stringp == '\0') { 173 *stringp = NULL; 174 goto done; 175 } 176 177 for (p = delim; *p != '\0'; p++) { 178 if (**stringp == *p) { 179 **stringp = '\0'; 180 (*stringp)++; 181 goto done; 182 } 183 } 184 } 185 186done: 187 return ret; 188} 189 190#if defined(MBEDTLS_X509_CRT_PARSE_C) 191typedef struct { 192 char buf[512]; 193 char *p; 194} verify_print_context; 195 196void verify_print_init(verify_print_context *ctx) 197{ 198 memset(ctx, 0, sizeof(verify_print_context)); 199 ctx->p = ctx->buf; 200} 201 202int verify_print(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) 203{ 204 int ret; 205 verify_print_context *ctx = (verify_print_context *) data; 206 char *p = ctx->p; 207 size_t n = ctx->buf + sizeof(ctx->buf) - ctx->p; 208 ((void) flags); 209 210 ret = mbedtls_snprintf(p, n, "depth %d - serial ", certificate_depth); 211 MBEDTLS_X509_SAFE_SNPRINTF; 212 213 ret = mbedtls_x509_serial_gets(p, n, &crt->serial); 214 MBEDTLS_X509_SAFE_SNPRINTF; 215 216 ret = mbedtls_snprintf(p, n, " - subject "); 217 MBEDTLS_X509_SAFE_SNPRINTF; 218 219 ret = mbedtls_x509_dn_gets(p, n, &crt->subject); 220 MBEDTLS_X509_SAFE_SNPRINTF; 221 222 ret = mbedtls_snprintf(p, n, " - flags 0x%08x\n", *flags); 223 MBEDTLS_X509_SAFE_SNPRINTF; 224 225 ctx->p = p; 226 227 return 0; 228} 229 230int verify_parse_san(mbedtls_x509_subject_alternative_name *san, 231 char **buf, size_t *size) 232{ 233 int ret; 234 size_t i; 235 char *p = *buf; 236 size_t n = *size; 237 238 ret = mbedtls_snprintf(p, n, "type : %d", san->type); 239 MBEDTLS_X509_SAFE_SNPRINTF; 240 241 switch (san->type) { 242 case (MBEDTLS_X509_SAN_OTHER_NAME): 243 ret = mbedtls_snprintf(p, n, "\notherName :"); 244 MBEDTLS_X509_SAFE_SNPRINTF; 245 246 if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, 247 &san->san.other_name.value.hardware_module_name.oid) != 0) { 248 ret = mbedtls_snprintf(p, n, " hardware module name :"); 249 MBEDTLS_X509_SAFE_SNPRINTF; 250 ret = mbedtls_snprintf(p, n, " hardware type : "); 251 MBEDTLS_X509_SAFE_SNPRINTF; 252 253 ret = mbedtls_oid_get_numeric_string(p, 254 n, 255 &san->san.other_name.value.hardware_module_name.oid); 256 MBEDTLS_X509_SAFE_SNPRINTF; 257 258 ret = mbedtls_snprintf(p, n, ", hardware serial number : "); 259 MBEDTLS_X509_SAFE_SNPRINTF; 260 261 for (i = 0; i < san->san.other_name.value.hardware_module_name.val.len; i++) { 262 ret = mbedtls_snprintf(p, 263 n, 264 "%02X", 265 san->san.other_name.value.hardware_module_name.val.p[i]); 266 MBEDTLS_X509_SAFE_SNPRINTF; 267 } 268 } 269 break;/* MBEDTLS_OID_ON_HW_MODULE_NAME */ 270 case (MBEDTLS_X509_SAN_DNS_NAME): 271 ret = mbedtls_snprintf(p, n, "\ndNSName : "); 272 MBEDTLS_X509_SAFE_SNPRINTF; 273 if (san->san.unstructured_name.len >= n) { 274 *p = '\0'; 275 return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; 276 } 277 n -= san->san.unstructured_name.len; 278 for (i = 0; i < san->san.unstructured_name.len; i++) { 279 *p++ = san->san.unstructured_name.p[i]; 280 } 281 break;/* MBEDTLS_X509_SAN_DNS_NAME */ 282 case (MBEDTLS_X509_SAN_RFC822_NAME): 283 ret = mbedtls_snprintf(p, n, "\nrfc822Name : "); 284 MBEDTLS_X509_SAFE_SNPRINTF; 285 if (san->san.unstructured_name.len >= n) { 286 *p = '\0'; 287 return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; 288 } 289 n -= san->san.unstructured_name.len; 290 for (i = 0; i < san->san.unstructured_name.len; i++) { 291 *p++ = san->san.unstructured_name.p[i]; 292 } 293 break;/* MBEDTLS_X509_SAN_RFC822_NAME */ 294 default: 295 /* 296 * Should not happen. 297 */ 298 return -1; 299 } 300 ret = mbedtls_snprintf(p, n, "\n"); 301 MBEDTLS_X509_SAFE_SNPRINTF; 302 303 *size = n; 304 *buf = p; 305 306 return 0; 307} 308 309int parse_crt_ext_cb(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid, 310 int critical, const unsigned char *cp, const unsigned char *end) 311{ 312 (void) crt; 313 (void) critical; 314 mbedtls_x509_buf *new_oid = (mbedtls_x509_buf *) p_ctx; 315 if (oid->tag == MBEDTLS_ASN1_OID && 316 MBEDTLS_OID_CMP(MBEDTLS_OID_CERTIFICATE_POLICIES, oid) == 0) { 317 /* Handle unknown certificate policy */ 318 int ret, parse_ret = 0; 319 size_t len; 320 unsigned char **p = (unsigned char **) &cp; 321 322 /* Get main sequence tag */ 323 ret = mbedtls_asn1_get_tag(p, end, &len, 324 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); 325 if (ret != 0) { 326 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 327 } 328 329 if (*p + len != end) { 330 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 331 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 332 } 333 334 /* 335 * Cannot be an empty sequence. 336 */ 337 if (len == 0) { 338 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 339 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 340 } 341 342 while (*p < end) { 343 const unsigned char *policy_end; 344 345 /* 346 * Get the policy sequence 347 */ 348 if ((ret = mbedtls_asn1_get_tag(p, end, &len, 349 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 350 0) { 351 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 352 } 353 354 policy_end = *p + len; 355 356 if ((ret = mbedtls_asn1_get_tag(p, policy_end, &len, 357 MBEDTLS_ASN1_OID)) != 0) { 358 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 359 } 360 361 /* 362 * Recognize exclusively the policy with OID 1 363 */ 364 if (len != 1 || *p[0] != 1) { 365 parse_ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE; 366 } 367 368 *p += len; 369 370 /* 371 * If there is an optional qualifier, then *p < policy_end 372 * Check the Qualifier len to verify it doesn't exceed policy_end. 373 */ 374 if (*p < policy_end) { 375 if ((ret = mbedtls_asn1_get_tag(p, policy_end, &len, 376 MBEDTLS_ASN1_CONSTRUCTED | 377 MBEDTLS_ASN1_SEQUENCE)) != 0) { 378 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 379 } 380 /* 381 * Skip the optional policy qualifiers. 382 */ 383 *p += len; 384 } 385 386 if (*p != policy_end) { 387 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 388 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 389 } 390 } 391 392 if (*p != end) { 393 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 394 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 395 } 396 397 return parse_ret; 398 } else if (new_oid != NULL && new_oid->tag == oid->tag && new_oid->len == oid->len && 399 memcmp(new_oid->p, oid->p, oid->len) == 0) { 400 return 0; 401 } else { 402 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 403 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG); 404 } 405} 406#endif /* MBEDTLS_X509_CRT_PARSE_C */ 407/* END_HEADER */ 408 409/* BEGIN_DEPENDENCIES 410 * depends_on:MBEDTLS_BIGNUM_C 411 * END_DEPENDENCIES 412 */ 413 414/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ 415void x509_accessor_ext_types(int ext_type, int has_ext_type) 416{ 417 mbedtls_x509_crt crt; 418 int expected_result = ext_type & has_ext_type; 419 420 mbedtls_x509_crt_init(&crt); 421 422 crt.ext_types = ext_type; 423 424 TEST_ASSERT(mbedtls_x509_crt_has_ext_type(&crt, has_ext_type) == expected_result); 425 426 mbedtls_x509_crt_free(&crt); 427} 428/* END_CASE */ 429 430/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 431void x509_parse_san(char *crt_file, char *result_str) 432{ 433 int ret; 434 mbedtls_x509_crt crt; 435 mbedtls_x509_subject_alternative_name san; 436 mbedtls_x509_sequence *cur = NULL; 437 char buf[2000]; 438 char *p = buf; 439 size_t n = sizeof(buf); 440 441 mbedtls_x509_crt_init(&crt); 442 memset(buf, 0, 2000); 443 444 TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0); 445 446 if (crt.ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) { 447 cur = &crt.subject_alt_names; 448 while (cur != NULL) { 449 ret = mbedtls_x509_parse_subject_alt_name(&cur->buf, &san); 450 TEST_ASSERT(ret == 0 || ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE); 451 /* 452 * If san type not supported, ignore. 453 */ 454 if (ret == 0) { 455 TEST_ASSERT(verify_parse_san(&san, &p, &n) == 0); 456 } 457 cur = cur->next; 458 } 459 } 460 461 TEST_ASSERT(strcmp(buf, result_str) == 0); 462 463exit: 464 465 mbedtls_x509_crt_free(&crt); 466} 467/* END_CASE */ 468 469/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:!MBEDTLS_X509_REMOVE_INFO:MBEDTLS_X509_CRT_PARSE_C */ 470void x509_cert_info(char *crt_file, char *result_str) 471{ 472 mbedtls_x509_crt crt; 473 char buf[2000]; 474 int res; 475 476 mbedtls_x509_crt_init(&crt); 477 memset(buf, 0, 2000); 478 479 TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0); 480 res = mbedtls_x509_crt_info(buf, 2000, "", &crt); 481 482 TEST_ASSERT(res != -1); 483 TEST_ASSERT(res != -2); 484 485 TEST_ASSERT(strcmp(buf, result_str) == 0); 486 487exit: 488 mbedtls_x509_crt_free(&crt); 489} 490/* END_CASE */ 491 492/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRL_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 493void mbedtls_x509_crl_info(char *crl_file, char *result_str) 494{ 495 mbedtls_x509_crl crl; 496 char buf[2000]; 497 int res; 498 499 mbedtls_x509_crl_init(&crl); 500 memset(buf, 0, 2000); 501 502 TEST_ASSERT(mbedtls_x509_crl_parse_file(&crl, crl_file) == 0); 503 res = mbedtls_x509_crl_info(buf, 2000, "", &crl); 504 505 TEST_ASSERT(res != -1); 506 TEST_ASSERT(res != -2); 507 508 TEST_ASSERT(strcmp(buf, result_str) == 0); 509 510exit: 511 mbedtls_x509_crl_free(&crl); 512} 513/* END_CASE */ 514 515/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRL_PARSE_C */ 516void mbedtls_x509_crl_parse(char *crl_file, int result) 517{ 518 mbedtls_x509_crl crl; 519 char buf[2000]; 520 521 mbedtls_x509_crl_init(&crl); 522 memset(buf, 0, 2000); 523 524 TEST_ASSERT(mbedtls_x509_crl_parse_file(&crl, crl_file) == result); 525 526exit: 527 mbedtls_x509_crl_free(&crl); 528} 529/* END_CASE */ 530 531/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CSR_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 532void mbedtls_x509_csr_info(char *csr_file, char *result_str) 533{ 534 mbedtls_x509_csr csr; 535 char buf[2000]; 536 int res; 537 538 mbedtls_x509_csr_init(&csr); 539 memset(buf, 0, 2000); 540 541 TEST_ASSERT(mbedtls_x509_csr_parse_file(&csr, csr_file) == 0); 542 res = mbedtls_x509_csr_info(buf, 2000, "", &csr); 543 544 TEST_ASSERT(res != -1); 545 TEST_ASSERT(res != -2); 546 547 TEST_ASSERT(strcmp(buf, result_str) == 0); 548 549exit: 550 mbedtls_x509_csr_free(&csr); 551} 552/* END_CASE */ 553 554/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 555void x509_verify_info(int flags, char *prefix, char *result_str) 556{ 557 char buf[2000]; 558 int res; 559 560 memset(buf, 0, sizeof(buf)); 561 562 res = mbedtls_x509_crt_verify_info(buf, sizeof(buf), prefix, flags); 563 564 TEST_ASSERT(res >= 0); 565 566 TEST_ASSERT(strcmp(buf, result_str) == 0); 567} 568/* END_CASE */ 569 570/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECDSA_C */ 571void x509_verify_restart(char *crt_file, char *ca_file, 572 int result, int flags_result, 573 int max_ops, int min_restart, int max_restart) 574{ 575 int ret, cnt_restart; 576 mbedtls_x509_crt_restart_ctx rs_ctx; 577 mbedtls_x509_crt crt; 578 mbedtls_x509_crt ca; 579 uint32_t flags = 0; 580 581 /* 582 * See comments on ecp_test_vect_restart() for op count precision. 583 * 584 * For reference, with mbed TLS 2.6 and default settings: 585 * - ecdsa_verify() for P-256: ~ 6700 586 * - ecdsa_verify() for P-384: ~ 18800 587 * - x509_verify() for server5 -> test-ca2: ~ 18800 588 * - x509_verify() for server10 -> int-ca3 -> int-ca2: ~ 25500 589 */ 590 591 mbedtls_x509_crt_restart_init(&rs_ctx); 592 mbedtls_x509_crt_init(&crt); 593 mbedtls_x509_crt_init(&ca); 594 595 USE_PSA_INIT(); 596 597 TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0); 598 TEST_ASSERT(mbedtls_x509_crt_parse_file(&ca, ca_file) == 0); 599 600 mbedtls_ecp_set_max_ops(max_ops); 601 602 cnt_restart = 0; 603 do { 604 ret = mbedtls_x509_crt_verify_restartable(&crt, &ca, NULL, 605 &mbedtls_x509_crt_profile_default, NULL, &flags, 606 NULL, NULL, &rs_ctx); 607 } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart); 608 609 TEST_ASSERT(ret == result); 610 TEST_ASSERT(flags == (uint32_t) flags_result); 611 612 TEST_ASSERT(cnt_restart >= min_restart); 613 TEST_ASSERT(cnt_restart <= max_restart); 614 615 /* Do we leak memory when aborting? */ 616 ret = mbedtls_x509_crt_verify_restartable(&crt, &ca, NULL, 617 &mbedtls_x509_crt_profile_default, NULL, &flags, 618 NULL, NULL, &rs_ctx); 619 TEST_ASSERT(ret == result || ret == MBEDTLS_ERR_ECP_IN_PROGRESS); 620 621exit: 622 mbedtls_x509_crt_restart_free(&rs_ctx); 623 mbedtls_x509_crt_free(&crt); 624 mbedtls_x509_crt_free(&ca); 625 USE_PSA_DONE(); 626} 627/* END_CASE */ 628 629/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C */ 630void x509_verify(char *crt_file, char *ca_file, char *crl_file, 631 char *cn_name_str, int result, int flags_result, 632 char *profile_str, 633 char *verify_callback) 634{ 635 mbedtls_x509_crt crt; 636 mbedtls_x509_crt ca; 637 mbedtls_x509_crl crl; 638 uint32_t flags = 0; 639 int res; 640 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) = NULL; 641 char *cn_name = NULL; 642 const mbedtls_x509_crt_profile *profile; 643 644 mbedtls_x509_crt_init(&crt); 645 mbedtls_x509_crt_init(&ca); 646 mbedtls_x509_crl_init(&crl); 647 648 USE_PSA_INIT(); 649 650 if (strcmp(cn_name_str, "NULL") != 0) { 651 cn_name = cn_name_str; 652 } 653 654 if (strcmp(profile_str, "") == 0) { 655 profile = &mbedtls_x509_crt_profile_default; 656 } else if (strcmp(profile_str, "next") == 0) { 657 profile = &mbedtls_x509_crt_profile_next; 658 } else if (strcmp(profile_str, "suite_b") == 0) { 659 profile = &mbedtls_x509_crt_profile_suiteb; 660 } else if (strcmp(profile_str, "compat") == 0) { 661 profile = &compat_profile; 662 } else if (strcmp(profile_str, "all") == 0) { 663 profile = &profile_all; 664 } else { 665 TEST_ASSERT("Unknown algorithm profile" == 0); 666 } 667 668 if (strcmp(verify_callback, "NULL") == 0) { 669 f_vrfy = NULL; 670 } else if (strcmp(verify_callback, "verify_none") == 0) { 671 f_vrfy = verify_none; 672 } else if (strcmp(verify_callback, "verify_all") == 0) { 673 f_vrfy = verify_all; 674 } else { 675 TEST_ASSERT("No known verify callback selected" == 0); 676 } 677 678 TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0); 679 TEST_ASSERT(mbedtls_x509_crt_parse_file(&ca, ca_file) == 0); 680 TEST_ASSERT(mbedtls_x509_crl_parse_file(&crl, crl_file) == 0); 681 682 res = mbedtls_x509_crt_verify_with_profile(&crt, 683 &ca, 684 &crl, 685 profile, 686 cn_name, 687 &flags, 688 f_vrfy, 689 NULL); 690 691 TEST_EQUAL(res, result); 692 TEST_EQUAL(flags, (uint32_t) flags_result); 693 694#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 695 /* CRLs aren't supported with CA callbacks, so skip the CA callback 696 * version of the test if CRLs are in use. */ 697 if (crl_file == NULL || strcmp(crl_file, "") == 0) { 698 flags = 0; 699 700 res = mbedtls_x509_crt_verify_with_ca_cb(&crt, 701 ca_callback, 702 &ca, 703 profile, 704 cn_name, 705 &flags, 706 f_vrfy, 707 NULL); 708 709 TEST_ASSERT(res == (result)); 710 TEST_ASSERT(flags == (uint32_t) (flags_result)); 711 } 712#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 713exit: 714 mbedtls_x509_crt_free(&crt); 715 mbedtls_x509_crt_free(&ca); 716 mbedtls_x509_crl_free(&crl); 717 USE_PSA_DONE(); 718} 719/* END_CASE */ 720 721/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C:MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 722void x509_verify_ca_cb_failure(char *crt_file, char *ca_file, char *name, 723 int exp_ret) 724{ 725 int ret; 726 mbedtls_x509_crt crt; 727 mbedtls_x509_crt ca; 728 uint32_t flags = 0; 729 730 mbedtls_x509_crt_init(&crt); 731 mbedtls_x509_crt_init(&ca); 732 733 TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0); 734 TEST_ASSERT(mbedtls_x509_crt_parse_file(&ca, ca_file) == 0); 735 736 if (strcmp(name, "NULL") == 0) { 737 name = NULL; 738 } 739 740 ret = mbedtls_x509_crt_verify_with_ca_cb(&crt, ca_callback_fail, &ca, 741 &compat_profile, name, &flags, 742 NULL, NULL); 743 744 TEST_ASSERT(ret == exp_ret); 745 TEST_ASSERT(flags == (uint32_t) (-1)); 746exit: 747 mbedtls_x509_crt_free(&crt); 748 mbedtls_x509_crt_free(&ca); 749} 750/* END_CASE */ 751 752/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 753void x509_verify_callback(char *crt_file, char *ca_file, char *name, 754 int exp_ret, char *exp_vrfy_out) 755{ 756 int ret; 757 mbedtls_x509_crt crt; 758 mbedtls_x509_crt ca; 759 uint32_t flags = 0; 760 verify_print_context vrfy_ctx; 761 762 mbedtls_x509_crt_init(&crt); 763 mbedtls_x509_crt_init(&ca); 764 verify_print_init(&vrfy_ctx); 765 766 USE_PSA_INIT(); 767 768 TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0); 769 TEST_ASSERT(mbedtls_x509_crt_parse_file(&ca, ca_file) == 0); 770 771 if (strcmp(name, "NULL") == 0) { 772 name = NULL; 773 } 774 775 ret = mbedtls_x509_crt_verify_with_profile(&crt, &ca, NULL, 776 &compat_profile, 777 name, &flags, 778 verify_print, &vrfy_ctx); 779 780 TEST_ASSERT(ret == exp_ret); 781 TEST_ASSERT(strcmp(vrfy_ctx.buf, exp_vrfy_out) == 0); 782 783exit: 784 mbedtls_x509_crt_free(&crt); 785 mbedtls_x509_crt_free(&ca); 786 USE_PSA_DONE(); 787} 788/* END_CASE */ 789 790/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 791void mbedtls_x509_dn_gets_subject_replace(char *crt_file, 792 char *new_subject_ou, 793 char *result_str, 794 int ret) 795{ 796 mbedtls_x509_crt crt; 797 char buf[2000]; 798 int res = 0; 799 800 mbedtls_x509_crt_init(&crt); 801 memset(buf, 0, 2000); 802 803 TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0); 804 crt.subject.next->val.p = (unsigned char *) new_subject_ou; 805 crt.subject.next->val.len = strlen(new_subject_ou); 806 807 res = mbedtls_x509_dn_gets(buf, 2000, &crt.subject); 808 809 if (ret != 0) { 810 TEST_ASSERT(res == ret); 811 } else { 812 TEST_ASSERT(res != -1); 813 TEST_ASSERT(res != -2); 814 TEST_ASSERT(strcmp(buf, result_str) == 0); 815 } 816exit: 817 mbedtls_x509_crt_free(&crt); 818} 819/* END_CASE */ 820 821/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 822void mbedtls_x509_dn_gets(char *crt_file, char *entity, char *result_str) 823{ 824 mbedtls_x509_crt crt; 825 char buf[2000]; 826 int res = 0; 827 828 mbedtls_x509_crt_init(&crt); 829 memset(buf, 0, 2000); 830 831 TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0); 832 if (strcmp(entity, "subject") == 0) { 833 res = mbedtls_x509_dn_gets(buf, 2000, &crt.subject); 834 } else if (strcmp(entity, "issuer") == 0) { 835 res = mbedtls_x509_dn_gets(buf, 2000, &crt.issuer); 836 } else { 837 TEST_ASSERT("Unknown entity" == 0); 838 } 839 840 TEST_ASSERT(res != -1); 841 TEST_ASSERT(res != -2); 842 843 TEST_ASSERT(strcmp(buf, result_str) == 0); 844 845exit: 846 mbedtls_x509_crt_free(&crt); 847} 848/* END_CASE */ 849 850/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ 851void mbedtls_x509_get_name(char *rdn_sequence, int exp_ret) 852{ 853 unsigned char *name; 854 unsigned char *p; 855 size_t name_len; 856 mbedtls_x509_name head; 857 int ret; 858 859 memset(&head, 0, sizeof(head)); 860 861 name = mbedtls_test_unhexify_alloc(rdn_sequence, &name_len); 862 p = name; 863 864 ret = mbedtls_x509_get_name(&p, (name + name_len), &head); 865 if (ret == 0) { 866 mbedtls_asn1_free_named_data_list_shallow(head.next); 867 } 868 869 TEST_EQUAL(ret, exp_ret); 870 871 mbedtls_free(name); 872} 873/* END_CASE */ 874 875/* BEGIN_CASE depends_on:MBEDTLS_X509_CREATE_C:MBEDTLS_X509_USE_C:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 876void mbedtls_x509_dn_get_next(char *name_str, 877 int next_merged, 878 char *expected_oids, 879 int exp_count, 880 char *exp_dn_gets) 881{ 882 int ret = 0, i; 883 size_t len = 0, out_size; 884 mbedtls_asn1_named_data *names = NULL; 885 mbedtls_x509_name parsed, *parsed_cur; 886 // Size of buf is maximum required for test cases 887 unsigned char buf[80], *out = NULL, *c; 888 const char *short_name; 889 890 memset(&parsed, 0, sizeof(parsed)); 891 memset(buf, 0, sizeof(buf)); 892 c = buf + sizeof(buf); 893 // Additional size required for trailing space 894 out_size = strlen(expected_oids) + 2; 895 ASSERT_ALLOC(out, out_size); 896 897 TEST_EQUAL(mbedtls_x509_string_to_names(&names, name_str), 0); 898 899 ret = mbedtls_x509_write_names(&c, buf, names); 900 TEST_LE_S(0, ret); 901 902 TEST_EQUAL(mbedtls_asn1_get_tag(&c, buf + sizeof(buf), &len, 903 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE), 0); 904 TEST_EQUAL(mbedtls_x509_get_name(&c, buf + sizeof(buf), &parsed), 0); 905 906 // Iterate over names and set next_merged nodes 907 parsed_cur = &parsed; 908 for (; next_merged != 0 && parsed_cur != NULL; next_merged = next_merged >> 1) { 909 parsed_cur->next_merged = next_merged & 0x01; 910 parsed_cur = parsed_cur->next; 911 } 912 913 // Iterate over RDN nodes and print OID of first element to buffer 914 parsed_cur = &parsed; 915 len = 0; 916 for (i = 0; parsed_cur != NULL; i++) { 917 TEST_EQUAL(mbedtls_oid_get_attr_short_name(&parsed_cur->oid, 918 &short_name), 0); 919 len += mbedtls_snprintf((char *) out + len, out_size - len, "%s ", short_name); 920 parsed_cur = mbedtls_x509_dn_get_next(parsed_cur); 921 } 922 out[len-1] = 0; 923 924 TEST_EQUAL(exp_count, i); 925 TEST_EQUAL(strcmp((char *) out, expected_oids), 0); 926 mbedtls_free(out); 927 out = NULL; 928 929 out_size = strlen(exp_dn_gets) + 1; 930 ASSERT_ALLOC(out, out_size); 931 932 TEST_LE_S(0, mbedtls_x509_dn_gets((char *) out, out_size, &parsed)); 933 TEST_EQUAL(strcmp((char *) out, exp_dn_gets), 0); 934exit: 935 mbedtls_free(out); 936 mbedtls_asn1_free_named_data_list(&names); 937 mbedtls_asn1_free_named_data_list_shallow(parsed.next); 938} 939/* END_CASE */ 940 941/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 942void mbedtls_x509_time_is_past(char *crt_file, char *entity, int result) 943{ 944 mbedtls_x509_crt crt; 945 946 mbedtls_x509_crt_init(&crt); 947 948 TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0); 949 950 if (strcmp(entity, "valid_from") == 0) { 951 TEST_ASSERT(mbedtls_x509_time_is_past(&crt.valid_from) == result); 952 } else if (strcmp(entity, "valid_to") == 0) { 953 TEST_ASSERT(mbedtls_x509_time_is_past(&crt.valid_to) == result); 954 } else { 955 TEST_ASSERT("Unknown entity" == 0); 956 } 957 958exit: 959 mbedtls_x509_crt_free(&crt); 960} 961/* END_CASE */ 962 963/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 964void mbedtls_x509_time_is_future(char *crt_file, char *entity, int result) 965{ 966 mbedtls_x509_crt crt; 967 968 mbedtls_x509_crt_init(&crt); 969 970 TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0); 971 972 if (strcmp(entity, "valid_from") == 0) { 973 TEST_ASSERT(mbedtls_x509_time_is_future(&crt.valid_from) == result); 974 } else if (strcmp(entity, "valid_to") == 0) { 975 TEST_ASSERT(mbedtls_x509_time_is_future(&crt.valid_to) == result); 976 } else { 977 TEST_ASSERT("Unknown entity" == 0); 978 } 979 980exit: 981 mbedtls_x509_crt_free(&crt); 982} 983/* END_CASE */ 984 985/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_FS_IO */ 986void x509parse_crt_file(char *crt_file, int result) 987{ 988 mbedtls_x509_crt crt; 989 990 mbedtls_x509_crt_init(&crt); 991 992 TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == result); 993 994exit: 995 mbedtls_x509_crt_free(&crt); 996} 997/* END_CASE */ 998 999/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ 1000void x509parse_crt(data_t *buf, char *result_str, int result) 1001{ 1002 mbedtls_x509_crt crt; 1003#if !defined(MBEDTLS_X509_REMOVE_INFO) 1004 unsigned char output[2000] = { 0 }; 1005 int res; 1006#else 1007 ((void) result_str); 1008#endif 1009 1010 mbedtls_x509_crt_init(&crt); 1011 1012 TEST_ASSERT(mbedtls_x509_crt_parse_der(&crt, buf->x, buf->len) == (result)); 1013#if !defined(MBEDTLS_X509_REMOVE_INFO) 1014 if ((result) == 0) { 1015 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1016 TEST_ASSERT(res != -1); 1017 TEST_ASSERT(res != -2); 1018 1019 TEST_ASSERT(strcmp((char *) output, result_str) == 0); 1020 } 1021 memset(output, 0, 2000); 1022#endif 1023 1024 mbedtls_x509_crt_free(&crt); 1025 mbedtls_x509_crt_init(&crt); 1026 1027 TEST_ASSERT(mbedtls_x509_crt_parse_der_nocopy(&crt, buf->x, buf->len) == (result)); 1028#if !defined(MBEDTLS_X509_REMOVE_INFO) 1029 if ((result) == 0) { 1030 memset(output, 0, 2000); 1031 1032 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1033 1034 TEST_ASSERT(res != -1); 1035 TEST_ASSERT(res != -2); 1036 1037 TEST_ASSERT(strcmp((char *) output, result_str) == 0); 1038 } 1039 memset(output, 0, 2000); 1040#endif /* !MBEDTLS_X509_REMOVE_INFO */ 1041 1042 mbedtls_x509_crt_free(&crt); 1043 mbedtls_x509_crt_init(&crt); 1044 1045 TEST_ASSERT(mbedtls_x509_crt_parse_der_with_ext_cb(&crt, buf->x, buf->len, 0, NULL, 1046 NULL) == (result)); 1047#if !defined(MBEDTLS_X509_REMOVE_INFO) 1048 if ((result) == 0) { 1049 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1050 1051 TEST_ASSERT(res != -1); 1052 TEST_ASSERT(res != -2); 1053 1054 TEST_ASSERT(strcmp((char *) output, result_str) == 0); 1055 } 1056 memset(output, 0, 2000); 1057#endif /* !MBEDTLS_X509_REMOVE_INFO */ 1058 1059 mbedtls_x509_crt_free(&crt); 1060 mbedtls_x509_crt_init(&crt); 1061 1062 TEST_ASSERT(mbedtls_x509_crt_parse_der_with_ext_cb(&crt, buf->x, buf->len, 1, NULL, 1063 NULL) == (result)); 1064#if !defined(MBEDTLS_X509_REMOVE_INFO) 1065 if ((result) == 0) { 1066 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1067 1068 TEST_ASSERT(res != -1); 1069 TEST_ASSERT(res != -2); 1070 1071 TEST_ASSERT(strcmp((char *) output, result_str) == 0); 1072 } 1073#endif /* !MBEDTLS_X509_REMOVE_INFO */ 1074 1075exit: 1076 mbedtls_x509_crt_free(&crt); 1077} 1078/* END_CASE */ 1079 1080/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ 1081void x509parse_crt_cb(data_t *buf, char *result_str, int result) 1082{ 1083 mbedtls_x509_crt crt; 1084 mbedtls_x509_buf oid; 1085 1086#if !defined(MBEDTLS_X509_REMOVE_INFO) 1087 unsigned char output[2000] = { 0 }; 1088 int res; 1089#else 1090 ((void) result_str); 1091#endif 1092 1093 oid.tag = MBEDTLS_ASN1_OID; 1094 oid.len = MBEDTLS_OID_SIZE(MBEDTLS_OID_PKIX "\x01\x1F"); 1095 oid.p = (unsigned char *) MBEDTLS_OID_PKIX "\x01\x1F"; 1096 1097 mbedtls_x509_crt_init(&crt); 1098 1099 TEST_ASSERT(mbedtls_x509_crt_parse_der_with_ext_cb(&crt, buf->x, buf->len, 0, parse_crt_ext_cb, 1100 &oid) == (result)); 1101#if !defined(MBEDTLS_X509_REMOVE_INFO) 1102 if ((result) == 0) { 1103 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1104 1105 TEST_ASSERT(res != -1); 1106 TEST_ASSERT(res != -2); 1107 1108 TEST_ASSERT(strcmp((char *) output, result_str) == 0); 1109 } 1110 memset(output, 0, 2000); 1111#endif /* !MBEDTLS_X509_REMOVE_INFO */ 1112 1113 mbedtls_x509_crt_free(&crt); 1114 mbedtls_x509_crt_init(&crt); 1115 1116 TEST_ASSERT(mbedtls_x509_crt_parse_der_with_ext_cb(&crt, buf->x, buf->len, 1, parse_crt_ext_cb, 1117 &oid) == (result)); 1118#if !defined(MBEDTLS_X509_REMOVE_INFO) 1119 if ((result) == 0) { 1120 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1121 1122 TEST_ASSERT(res != -1); 1123 TEST_ASSERT(res != -2); 1124 1125 TEST_ASSERT(strcmp((char *) output, result_str) == 0); 1126 } 1127#endif /* !MBEDTLS_X509_REMOVE_INFO */ 1128 1129exit: 1130 mbedtls_x509_crt_free(&crt); 1131} 1132/* END_CASE */ 1133 1134/* BEGIN_CASE depends_on:MBEDTLS_X509_CRL_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 1135void x509parse_crl(data_t *buf, char *result_str, int result) 1136{ 1137 mbedtls_x509_crl crl; 1138 unsigned char output[2000]; 1139 int res; 1140 1141 mbedtls_x509_crl_init(&crl); 1142 memset(output, 0, 2000); 1143 1144 1145 TEST_ASSERT(mbedtls_x509_crl_parse(&crl, buf->x, buf->len) == (result)); 1146 if ((result) == 0) { 1147 res = mbedtls_x509_crl_info((char *) output, 2000, "", &crl); 1148 1149 TEST_ASSERT(res != -1); 1150 TEST_ASSERT(res != -2); 1151 1152 TEST_ASSERT(strcmp((char *) output, result_str) == 0); 1153 } 1154 1155exit: 1156 mbedtls_x509_crl_free(&crl); 1157} 1158/* END_CASE */ 1159 1160/* BEGIN_CASE depends_on:MBEDTLS_X509_CSR_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 1161void mbedtls_x509_csr_parse(data_t *csr_der, char *ref_out, int ref_ret) 1162{ 1163 mbedtls_x509_csr csr; 1164 char my_out[1000]; 1165 int my_ret; 1166 1167 mbedtls_x509_csr_init(&csr); 1168 memset(my_out, 0, sizeof(my_out)); 1169 1170 my_ret = mbedtls_x509_csr_parse_der(&csr, csr_der->x, csr_der->len); 1171 TEST_ASSERT(my_ret == ref_ret); 1172 1173 if (ref_ret == 0) { 1174 size_t my_out_len = mbedtls_x509_csr_info(my_out, sizeof(my_out), "", &csr); 1175 TEST_ASSERT(my_out_len == strlen(ref_out)); 1176 TEST_ASSERT(strcmp(my_out, ref_out) == 0); 1177 } 1178 1179exit: 1180 mbedtls_x509_csr_free(&csr); 1181} 1182/* END_CASE */ 1183 1184/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CSR_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 1185void mbedtls_x509_csr_parse_file(char *csr_file, char *ref_out, int ref_ret) 1186{ 1187 mbedtls_x509_csr csr; 1188 char my_out[1000]; 1189 int my_ret; 1190 1191 mbedtls_x509_csr_init(&csr); 1192 memset(my_out, 0, sizeof(my_out)); 1193 1194 my_ret = mbedtls_x509_csr_parse_file(&csr, csr_file); 1195 TEST_ASSERT(my_ret == ref_ret); 1196 1197 if (ref_ret == 0) { 1198 size_t my_out_len = mbedtls_x509_csr_info(my_out, sizeof(my_out), "", &csr); 1199 TEST_ASSERT(my_out_len == strlen(ref_out)); 1200 TEST_ASSERT(strcmp(my_out, ref_out) == 0); 1201 } 1202 1203exit: 1204 mbedtls_x509_csr_free(&csr); 1205} 1206/* END_CASE */ 1207 1208/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1209void mbedtls_x509_crt_parse_path(char *crt_path, int ret, int nb_crt) 1210{ 1211 mbedtls_x509_crt chain, *cur; 1212 int i; 1213 1214 mbedtls_x509_crt_init(&chain); 1215 1216 TEST_ASSERT(mbedtls_x509_crt_parse_path(&chain, crt_path) == ret); 1217 1218 /* Check how many certs we got */ 1219 for (i = 0, cur = &chain; cur != NULL; cur = cur->next) { 1220 if (cur->raw.p != NULL) { 1221 i++; 1222 } 1223 } 1224 1225 TEST_ASSERT(i == nb_crt); 1226 1227exit: 1228 mbedtls_x509_crt_free(&chain); 1229} 1230/* END_CASE */ 1231 1232/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1233void mbedtls_x509_crt_verify_max(char *ca_file, char *chain_dir, int nb_int, 1234 int ret_chk, int flags_chk) 1235{ 1236 char file_buf[128]; 1237 int ret; 1238 uint32_t flags; 1239 mbedtls_x509_crt trusted, chain; 1240 1241 /* 1242 * We expect chain_dir to contain certificates 00.crt, 01.crt, etc. 1243 * with NN.crt signed by NN-1.crt 1244 */ 1245 1246 mbedtls_x509_crt_init(&trusted); 1247 mbedtls_x509_crt_init(&chain); 1248 1249 USE_PSA_INIT(); 1250 1251 /* Load trusted root */ 1252 TEST_ASSERT(mbedtls_x509_crt_parse_file(&trusted, ca_file) == 0); 1253 1254 /* Load a chain with nb_int intermediates (from 01 to nb_int), 1255 * plus one "end-entity" cert (nb_int + 1) */ 1256 ret = mbedtls_snprintf(file_buf, sizeof(file_buf), "%s/c%02d.pem", chain_dir, 1257 nb_int + 1); 1258 TEST_ASSERT(ret > 0 && (size_t) ret < sizeof(file_buf)); 1259 TEST_ASSERT(mbedtls_x509_crt_parse_file(&chain, file_buf) == 0); 1260 1261 /* Try to verify that chain */ 1262 ret = mbedtls_x509_crt_verify(&chain, &trusted, NULL, NULL, &flags, 1263 NULL, NULL); 1264 TEST_ASSERT(ret == ret_chk); 1265 TEST_ASSERT(flags == (uint32_t) flags_chk); 1266 1267exit: 1268 mbedtls_x509_crt_free(&chain); 1269 mbedtls_x509_crt_free(&trusted); 1270 USE_PSA_DONE(); 1271} 1272/* END_CASE */ 1273 1274/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1275void mbedtls_x509_crt_verify_chain(char *chain_paths, char *trusted_ca, 1276 int flags_result, int result, 1277 char *profile_name, int vrfy_fatal_lvls) 1278{ 1279 char *act; 1280 uint32_t flags; 1281 int res; 1282 mbedtls_x509_crt trusted, chain; 1283 const mbedtls_x509_crt_profile *profile = NULL; 1284 1285 mbedtls_x509_crt_init(&chain); 1286 mbedtls_x509_crt_init(&trusted); 1287 1288 USE_PSA_INIT(); 1289 1290 while ((act = mystrsep(&chain_paths, " ")) != NULL) { 1291 TEST_ASSERT(mbedtls_x509_crt_parse_file(&chain, act) == 0); 1292 } 1293 TEST_ASSERT(mbedtls_x509_crt_parse_file(&trusted, trusted_ca) == 0); 1294 1295 if (strcmp(profile_name, "") == 0) { 1296 profile = &mbedtls_x509_crt_profile_default; 1297 } else if (strcmp(profile_name, "next") == 0) { 1298 profile = &mbedtls_x509_crt_profile_next; 1299 } else if (strcmp(profile_name, "suiteb") == 0) { 1300 profile = &mbedtls_x509_crt_profile_suiteb; 1301 } else if (strcmp(profile_name, "rsa3072") == 0) { 1302 profile = &profile_rsa3072; 1303 } else if (strcmp(profile_name, "sha512") == 0) { 1304 profile = &profile_sha512; 1305 } 1306 1307 res = mbedtls_x509_crt_verify_with_profile(&chain, &trusted, NULL, profile, 1308 NULL, &flags, verify_fatal, &vrfy_fatal_lvls); 1309 1310 TEST_ASSERT(res == (result)); 1311 TEST_ASSERT(flags == (uint32_t) (flags_result)); 1312 1313exit: 1314 mbedtls_x509_crt_free(&trusted); 1315 mbedtls_x509_crt_free(&chain); 1316 USE_PSA_DONE(); 1317} 1318/* END_CASE */ 1319 1320/* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C:!MBEDTLS_X509_REMOVE_INFO */ 1321void x509_oid_desc(data_t *buf, char *ref_desc) 1322{ 1323 mbedtls_x509_buf oid; 1324 const char *desc = NULL; 1325 int ret; 1326 1327 1328 oid.tag = MBEDTLS_ASN1_OID; 1329 oid.p = buf->x; 1330 oid.len = buf->len; 1331 1332 ret = mbedtls_oid_get_extended_key_usage(&oid, &desc); 1333 1334 if (strcmp(ref_desc, "notfound") == 0) { 1335 TEST_ASSERT(ret != 0); 1336 TEST_ASSERT(desc == NULL); 1337 } else { 1338 TEST_ASSERT(ret == 0); 1339 TEST_ASSERT(desc != NULL); 1340 TEST_ASSERT(strcmp(desc, ref_desc) == 0); 1341 } 1342} 1343/* END_CASE */ 1344 1345/* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C */ 1346void x509_oid_numstr(data_t *oid_buf, char *numstr, int blen, int ret) 1347{ 1348 mbedtls_x509_buf oid; 1349 char num_buf[100]; 1350 1351 memset(num_buf, 0x2a, sizeof(num_buf)); 1352 1353 oid.tag = MBEDTLS_ASN1_OID; 1354 oid.p = oid_buf->x; 1355 oid.len = oid_buf->len; 1356 1357 TEST_ASSERT((size_t) blen <= sizeof(num_buf)); 1358 1359 TEST_ASSERT(mbedtls_oid_get_numeric_string(num_buf, blen, &oid) == ret); 1360 1361 if (ret >= 0) { 1362 TEST_ASSERT(num_buf[ret] == 0); 1363 TEST_ASSERT(strcmp(num_buf, numstr) == 0); 1364 } 1365} 1366/* END_CASE */ 1367 1368/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1369void x509_check_key_usage(char *crt_file, int usage, int ret) 1370{ 1371 mbedtls_x509_crt crt; 1372 1373 mbedtls_x509_crt_init(&crt); 1374 1375 TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0); 1376 1377 TEST_ASSERT(mbedtls_x509_crt_check_key_usage(&crt, usage) == ret); 1378 1379exit: 1380 mbedtls_x509_crt_free(&crt); 1381} 1382/* END_CASE */ 1383 1384/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1385void x509_check_extended_key_usage(char *crt_file, data_t *oid, int ret 1386 ) 1387{ 1388 mbedtls_x509_crt crt; 1389 1390 mbedtls_x509_crt_init(&crt); 1391 1392 1393 TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0); 1394 1395 TEST_ASSERT(mbedtls_x509_crt_check_extended_key_usage(&crt, (const char *) oid->x, 1396 oid->len) == ret); 1397 1398exit: 1399 mbedtls_x509_crt_free(&crt); 1400} 1401/* END_CASE */ 1402 1403/* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C */ 1404void x509_get_time(int tag, char *time_str, int ret, int year, int mon, 1405 int day, int hour, int min, int sec) 1406{ 1407 mbedtls_x509_time time; 1408 unsigned char buf[21]; 1409 unsigned char *start = buf; 1410 unsigned char *end = buf; 1411 1412 memset(&time, 0x00, sizeof(time)); 1413 *end = (unsigned char) tag; end++; 1414 *end = strlen(time_str); 1415 TEST_ASSERT(*end < 20); 1416 end++; 1417 memcpy(end, time_str, (size_t) *(end - 1)); 1418 end += *(end - 1); 1419 1420 TEST_ASSERT(mbedtls_x509_get_time(&start, end, &time) == ret); 1421 if (ret == 0) { 1422 TEST_ASSERT(year == time.year); 1423 TEST_ASSERT(mon == time.mon); 1424 TEST_ASSERT(day == time.day); 1425 TEST_ASSERT(hour == time.hour); 1426 TEST_ASSERT(min == time.min); 1427 TEST_ASSERT(sec == time.sec); 1428 } 1429} 1430/* END_CASE */ 1431 1432/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT */ 1433void x509_parse_rsassa_pss_params(data_t *params, int params_tag, 1434 int ref_msg_md, int ref_mgf_md, 1435 int ref_salt_len, int ref_ret) 1436{ 1437 int my_ret; 1438 mbedtls_x509_buf buf; 1439 mbedtls_md_type_t my_msg_md, my_mgf_md; 1440 int my_salt_len; 1441 1442 buf.p = params->x; 1443 buf.len = params->len; 1444 buf.tag = params_tag; 1445 1446 my_ret = mbedtls_x509_get_rsassa_pss_params(&buf, &my_msg_md, &my_mgf_md, 1447 &my_salt_len); 1448 1449 TEST_ASSERT(my_ret == ref_ret); 1450 1451 if (ref_ret == 0) { 1452 TEST_ASSERT(my_msg_md == (mbedtls_md_type_t) ref_msg_md); 1453 TEST_ASSERT(my_mgf_md == (mbedtls_md_type_t) ref_mgf_md); 1454 TEST_ASSERT(my_salt_len == ref_salt_len); 1455 } 1456 1457exit: 1458 ;; 1459} 1460/* END_CASE */ 1461