1/* BEGIN_HEADER */ 2#include "mbedtls/bignum.h" 3#include "mbedtls/x509_crt.h" 4#include "mbedtls/x509_csr.h" 5#include "mbedtls/pem.h" 6#include "mbedtls/oid.h" 7#include "mbedtls/rsa.h" 8#include "mbedtls/asn1write.h" 9 10#include "hash_info.h" 11#include "mbedtls/legacy_or_psa.h" 12 13#if defined(MBEDTLS_RSA_C) 14int mbedtls_rsa_decrypt_func( void *ctx, size_t *olen, 15 const unsigned char *input, unsigned char *output, 16 size_t output_max_len ) 17{ 18 return( mbedtls_rsa_pkcs1_decrypt( (mbedtls_rsa_context *) ctx, NULL, NULL, 19 olen, input, output, output_max_len ) ); 20} 21int mbedtls_rsa_sign_func( void *ctx, 22 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, 23 mbedtls_md_type_t md_alg, unsigned int hashlen, 24 const unsigned char *hash, unsigned char *sig ) 25{ 26 return( mbedtls_rsa_pkcs1_sign( (mbedtls_rsa_context *) ctx, f_rng, p_rng, 27 md_alg, hashlen, hash, sig ) ); 28} 29size_t mbedtls_rsa_key_len_func( void *ctx ) 30{ 31 return( ((const mbedtls_rsa_context *) ctx)->len ); 32} 33#endif /* MBEDTLS_RSA_C */ 34 35#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ 36 defined(MBEDTLS_PEM_WRITE_C) && defined(MBEDTLS_X509_CSR_WRITE_C) 37static int x509_crt_verifycsr( const unsigned char *buf, size_t buflen ) 38{ 39 unsigned char hash[PSA_HASH_MAX_SIZE]; 40 mbedtls_x509_csr csr; 41 int ret = 0; 42 43 mbedtls_x509_csr_init( &csr ); 44 45 if( mbedtls_x509_csr_parse( &csr, buf, buflen ) != 0 ) 46 { 47 ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA; 48 goto cleanup; 49 } 50 51 psa_algorithm_t psa_alg = mbedtls_hash_info_psa_from_md( csr.sig_md ); 52 size_t hash_size = 0; 53 psa_status_t status = psa_hash_compute( psa_alg, csr.cri.p, csr.cri.len, 54 hash, PSA_HASH_MAX_SIZE, &hash_size ); 55 56 if( status != PSA_SUCCESS ) 57 { 58 /* Note: this can't happen except after an internal error */ 59 ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA; 60 goto cleanup; 61 } 62 63 if( mbedtls_pk_verify_ext( csr.sig_pk, csr.sig_opts, &csr.pk, 64 csr.sig_md, hash, mbedtls_hash_info_get_size( csr.sig_md ), 65 csr.sig.p, csr.sig.len ) != 0 ) 66 { 67 ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED; 68 goto cleanup; 69 } 70 71cleanup: 72 73 mbedtls_x509_csr_free( &csr ); 74 return( ret ); 75} 76#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_PEM_WRITE_C && MBEDTLS_X509_CSR_WRITE_C */ 77 78#if defined(MBEDTLS_X509_CSR_WRITE_C) 79 80/* 81 * The size of this temporary buffer is given by the sequence of functions 82 * called hereinafter: 83 * - mbedtls_asn1_write_oid() 84 * - 8 bytes for MBEDTLS_OID_EXTENDED_KEY_USAGE raw value 85 * - 1 byte for MBEDTLS_OID_EXTENDED_KEY_USAGE length 86 * - 1 byte for MBEDTLS_ASN1_OID tag 87 * - mbedtls_asn1_write_len() 88 * - 1 byte since we're dealing with sizes which are less than 0x80 89 * - mbedtls_asn1_write_tag() 90 * - 1 byte 91 * 92 * This length is fine as long as this function is called using the 93 * MBEDTLS_OID_SERVER_AUTH OID. If this is changed in the future, then this 94 * buffer's length should be adjusted accordingly. 95 * Unfortunately there's no predefined max size for OIDs which can be used 96 * to set an overall upper boundary which is always guaranteed. 97 */ 98#define EXT_KEY_USAGE_TMP_BUF_MAX_LENGTH 12 99 100static int csr_set_extended_key_usage( mbedtls_x509write_csr *ctx, 101 const char *oid, size_t oid_len ) 102{ 103 unsigned char buf[EXT_KEY_USAGE_TMP_BUF_MAX_LENGTH] = { 0 }; 104 unsigned char *p = buf + sizeof( buf ); 105 int ret; 106 size_t len = 0; 107 108 /* 109 * Following functions fail anyway if the temporary buffer is not large, 110 * but we set an extra check here to emphasize a possible source of errors 111 */ 112 if ( oid_len > EXT_KEY_USAGE_TMP_BUF_MAX_LENGTH ) 113 { 114 return MBEDTLS_ERR_X509_BAD_INPUT_DATA; 115 } 116 117 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( &p, buf, oid, oid_len ) ); 118 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &p, buf, ret ) ); 119 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &p, buf, 120 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); 121 122 ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_EXTENDED_KEY_USAGE, 123 MBEDTLS_OID_SIZE( MBEDTLS_OID_EXTENDED_KEY_USAGE ), 0, p, len ); 124 125 return ret; 126} 127#endif /* MBEDTLS_X509_CSR_WRITE_C */ 128/* END_HEADER */ 129 130/* BEGIN_DEPENDENCIES 131 * depends_on:MBEDTLS_BIGNUM_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C 132 * END_DEPENDENCIES 133 */ 134 135/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C */ 136void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type, 137 int key_usage, int set_key_usage, int cert_type, 138 int set_cert_type, int set_extension ) 139{ 140 mbedtls_pk_context key; 141 mbedtls_x509write_csr req; 142 unsigned char buf[4096]; 143 int ret; 144#if !defined(MBEDTLS_USE_PSA_CRYPTO) 145 unsigned char check_buf[4000]; 146 FILE *f; 147 size_t olen = 0; 148#endif /* !MBEDTLS_USE_PSA_CRYPTO */ 149 size_t pem_len = 0, buf_index; 150 int der_len = -1; 151 const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1"; 152 mbedtls_test_rnd_pseudo_info rnd_info; 153 154 memset( &rnd_info, 0x2a, sizeof( mbedtls_test_rnd_pseudo_info ) ); 155 156 mbedtls_x509write_csr_init( &req ); 157 158 USE_PSA_INIT( ); 159 160 mbedtls_pk_init( &key ); 161 TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL, 162 mbedtls_test_rnd_std_rand, NULL ) == 0 ); 163 164 mbedtls_x509write_csr_set_md_alg( &req, md_type ); 165 mbedtls_x509write_csr_set_key( &req, &key ); 166 TEST_ASSERT( mbedtls_x509write_csr_set_subject_name( &req, subject_name ) == 0 ); 167 if( set_key_usage != 0 ) 168 TEST_ASSERT( mbedtls_x509write_csr_set_key_usage( &req, key_usage ) == 0 ); 169 if( set_cert_type != 0 ) 170 TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 ); 171 if ( set_extension != 0 ) 172 TEST_ASSERT( csr_set_extended_key_usage( &req, MBEDTLS_OID_SERVER_AUTH, 173 MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH ) ) == 0 ); 174 175 ret = mbedtls_x509write_csr_pem( &req, buf, sizeof( buf ), 176 mbedtls_test_rnd_pseudo_rand, &rnd_info ); 177 TEST_ASSERT( ret == 0 ); 178 179 pem_len = strlen( (char *) buf ); 180 181 for( buf_index = pem_len; buf_index < sizeof( buf ); ++buf_index ) 182 { 183 TEST_ASSERT( buf[buf_index] == 0 ); 184 } 185 186#if defined(MBEDTLS_USE_PSA_CRYPTO) 187 // When using PSA crypto, RNG isn't controllable, so cert_req_check_file can't be used 188 (void)cert_req_check_file; 189 buf[pem_len] = '\0'; 190 TEST_ASSERT( x509_crt_verifycsr( buf, pem_len + 1 ) == 0 ); 191#else 192 f = fopen( cert_req_check_file, "r" ); 193 TEST_ASSERT( f != NULL ); 194 olen = fread( check_buf, 1, sizeof( check_buf ), f ); 195 fclose( f ); 196 197 TEST_ASSERT( olen >= pem_len - 1 ); 198 TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 ); 199#endif /* MBEDTLS_USE_PSA_CRYPTO */ 200 201 der_len = mbedtls_x509write_csr_der( &req, buf, sizeof( buf ), 202 mbedtls_test_rnd_pseudo_rand, 203 &rnd_info ); 204 TEST_ASSERT( der_len >= 0 ); 205 206 if( der_len == 0 ) 207 goto exit; 208 209#if defined(MBEDTLS_USE_PSA_CRYPTO) 210 // When using PSA crypto, RNG isn't controllable, result length isn't 211 // deterministic over multiple runs, removing a single byte isn't enough to 212 // go into the MBEDTLS_ERR_ASN1_BUF_TOO_SMALL error case 213 der_len /= 2; 214#else 215 der_len -= 1; 216#endif 217 ret = mbedtls_x509write_csr_der( &req, buf, (size_t)( der_len ), 218 mbedtls_test_rnd_pseudo_rand, &rnd_info ); 219 TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); 220 221exit: 222 mbedtls_x509write_csr_free( &req ); 223 mbedtls_pk_free( &key ); 224 USE_PSA_DONE( ); 225} 226/* END_CASE */ 227 228/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C:MBEDTLS_USE_PSA_CRYPTO */ 229void x509_csr_check_opaque( char *key_file, int md_type, int key_usage, 230 int cert_type ) 231{ 232 mbedtls_pk_context key; 233 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; 234 psa_algorithm_t md_alg_psa, alg_psa; 235 mbedtls_x509write_csr req; 236 unsigned char buf[4096]; 237 int ret; 238 size_t pem_len = 0; 239 const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1"; 240 mbedtls_test_rnd_pseudo_info rnd_info; 241 242 memset( &rnd_info, 0x2a, sizeof( mbedtls_test_rnd_pseudo_info ) ); 243 244 mbedtls_x509write_csr_init( &req ); 245 246 USE_PSA_INIT( ); 247 248 md_alg_psa = mbedtls_hash_info_psa_from_md( (mbedtls_md_type_t) md_type ); 249 TEST_ASSERT( md_alg_psa != MBEDTLS_MD_NONE ); 250 251 mbedtls_pk_init( &key ); 252 TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL, 253 mbedtls_test_rnd_std_rand, NULL ) == 0 ); 254 255 if( mbedtls_pk_get_type( &key ) == MBEDTLS_PK_ECKEY ) 256 alg_psa = PSA_ALG_ECDSA( md_alg_psa ); 257 else if( mbedtls_pk_get_type( &key ) == MBEDTLS_PK_RSA ) 258 alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN( md_alg_psa ); 259 else 260 TEST_ASSUME( ! "PK key type not supported in this configuration" ); 261 262 TEST_ASSERT( mbedtls_pk_wrap_as_opaque( &key, &key_id, alg_psa, 263 PSA_KEY_USAGE_SIGN_HASH, 264 PSA_ALG_NONE ) == 0 ); 265 266 mbedtls_x509write_csr_set_md_alg( &req, md_type ); 267 mbedtls_x509write_csr_set_key( &req, &key ); 268 TEST_ASSERT( mbedtls_x509write_csr_set_subject_name( &req, subject_name ) == 0 ); 269 if( key_usage != 0 ) 270 TEST_ASSERT( mbedtls_x509write_csr_set_key_usage( &req, key_usage ) == 0 ); 271 if( cert_type != 0 ) 272 TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 ); 273 274 ret = mbedtls_x509write_csr_pem( &req, buf, sizeof( buf ) - 1, 275 mbedtls_test_rnd_pseudo_rand, &rnd_info ); 276 277 TEST_ASSERT( ret == 0 ); 278 279 pem_len = strlen( (char *) buf ); 280 buf[pem_len] = '\0'; 281 TEST_ASSERT( x509_crt_verifycsr( buf, pem_len + 1 ) == 0 ); 282 283 284exit: 285 mbedtls_x509write_csr_free( &req ); 286 mbedtls_pk_free( &key ); 287 psa_destroy_key( key_id ); 288 PSA_DONE( ); 289} 290/* END_CASE */ 291 292/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CRT_WRITE_C:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ 293void x509_crt_check( char *subject_key_file, char *subject_pwd, 294 char *subject_name, char *issuer_key_file, 295 char *issuer_pwd, char *issuer_name, 296 char *serial_str, char *not_before, char *not_after, 297 int md_type, int key_usage, int set_key_usage, 298 char *ext_key_usage, 299 int cert_type, int set_cert_type, int auth_ident, 300 int ver, char *cert_check_file, int pk_wrap, int is_ca, 301 char *cert_verify_file ) 302{ 303 mbedtls_pk_context subject_key, issuer_key, issuer_key_alt; 304 mbedtls_pk_context *key = &issuer_key; 305 306 mbedtls_x509write_cert crt; 307 unsigned char buf[4096]; 308 unsigned char check_buf[5000]; 309 unsigned char *p, *end; 310 unsigned char tag, sz; 311 mbedtls_mpi serial; 312 int ret, before_tag, after_tag; 313 size_t olen = 0, pem_len = 0, buf_index = 0; 314 int der_len = -1; 315 FILE *f; 316 mbedtls_test_rnd_pseudo_info rnd_info; 317#if defined(MBEDTLS_USE_PSA_CRYPTO) 318 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; 319#endif 320 mbedtls_pk_type_t issuer_key_type; 321 322 memset( &rnd_info, 0x2a, sizeof( mbedtls_test_rnd_pseudo_info ) ); 323 mbedtls_mpi_init( &serial ); 324 325 USE_PSA_INIT( ); 326 327 mbedtls_pk_init( &subject_key ); 328 mbedtls_pk_init( &issuer_key ); 329 mbedtls_pk_init( &issuer_key_alt ); 330 331 mbedtls_x509write_crt_init( &crt ); 332 333 TEST_ASSERT( mbedtls_pk_parse_keyfile( &subject_key, subject_key_file, 334 subject_pwd, mbedtls_test_rnd_std_rand, NULL ) == 0 ); 335 336 TEST_ASSERT( mbedtls_pk_parse_keyfile( &issuer_key, issuer_key_file, 337 issuer_pwd, mbedtls_test_rnd_std_rand, NULL ) == 0 ); 338 339 issuer_key_type = mbedtls_pk_get_type( &issuer_key ); 340 341#if defined(MBEDTLS_RSA_C) 342 /* For RSA PK contexts, create a copy as an alternative RSA context. */ 343 if( pk_wrap == 1 && issuer_key_type == MBEDTLS_PK_RSA ) 344 { 345 TEST_ASSERT( mbedtls_pk_setup_rsa_alt( &issuer_key_alt, 346 mbedtls_pk_rsa( issuer_key ), 347 mbedtls_rsa_decrypt_func, 348 mbedtls_rsa_sign_func, 349 mbedtls_rsa_key_len_func ) == 0 ); 350 351 key = &issuer_key_alt; 352 } 353#endif 354 355#if defined(MBEDTLS_USE_PSA_CRYPTO) 356 /* For Opaque PK contexts, wrap key as an Opaque RSA context. */ 357 if( pk_wrap == 2 ) 358 { 359 psa_algorithm_t alg_psa, md_alg_psa; 360 361 md_alg_psa = mbedtls_hash_info_psa_from_md( (mbedtls_md_type_t) md_type ); 362 TEST_ASSERT( md_alg_psa != MBEDTLS_MD_NONE ); 363 364 if( mbedtls_pk_get_type( &issuer_key ) == MBEDTLS_PK_ECKEY ) 365 alg_psa = PSA_ALG_ECDSA( md_alg_psa ); 366 else if( mbedtls_pk_get_type( &issuer_key ) == MBEDTLS_PK_RSA ) 367 alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN( md_alg_psa ); 368 else 369 TEST_ASSUME( ! "PK key type not supported in this configuration" ); 370 371 TEST_ASSERT( mbedtls_pk_wrap_as_opaque( &issuer_key, &key_id, alg_psa, 372 PSA_KEY_USAGE_SIGN_HASH, 373 PSA_ALG_NONE ) == 0 ); 374 } 375#endif /* MBEDTLS_USE_PSA_CRYPTO */ 376 377 if( pk_wrap == 2 ) 378 TEST_ASSERT( mbedtls_pk_get_type( &issuer_key ) == MBEDTLS_PK_OPAQUE ); 379 380 TEST_ASSERT( mbedtls_test_read_mpi( &serial, serial_str ) == 0 ); 381 382 if( ver != -1 ) 383 mbedtls_x509write_crt_set_version( &crt, ver ); 384 385 TEST_ASSERT( mbedtls_x509write_crt_set_serial( &crt, &serial ) == 0 ); 386 TEST_ASSERT( mbedtls_x509write_crt_set_validity( &crt, not_before, 387 not_after ) == 0 ); 388 mbedtls_x509write_crt_set_md_alg( &crt, md_type ); 389 TEST_ASSERT( mbedtls_x509write_crt_set_issuer_name( &crt, issuer_name ) == 0 ); 390 TEST_ASSERT( mbedtls_x509write_crt_set_subject_name( &crt, subject_name ) == 0 ); 391 mbedtls_x509write_crt_set_subject_key( &crt, &subject_key ); 392 393 mbedtls_x509write_crt_set_issuer_key( &crt, key ); 394 395 if( crt.version >= MBEDTLS_X509_CRT_VERSION_3 ) 396 { 397 /* For the CA case, a path length of -1 means unlimited. */ 398 TEST_ASSERT( mbedtls_x509write_crt_set_basic_constraints( &crt, is_ca, 399 (is_ca ? -1 : 0) ) == 0 ); 400 TEST_ASSERT( mbedtls_x509write_crt_set_subject_key_identifier( &crt ) == 0 ); 401 if( auth_ident ) 402 TEST_ASSERT( mbedtls_x509write_crt_set_authority_key_identifier( &crt ) == 0 ); 403 if( set_key_usage != 0 ) 404 TEST_ASSERT( mbedtls_x509write_crt_set_key_usage( &crt, key_usage ) == 0 ); 405 if( set_cert_type != 0 ) 406 TEST_ASSERT( mbedtls_x509write_crt_set_ns_cert_type( &crt, cert_type ) == 0 ); 407 if( strcmp( ext_key_usage, "NULL" ) != 0 ) 408 { 409 mbedtls_asn1_sequence exts[2]; 410 memset( exts, 0, sizeof(exts) ); 411 412#define SET_OID(x, oid) \ 413 do { \ 414 x.len = MBEDTLS_OID_SIZE(oid); \ 415 x.p = (unsigned char*)oid; \ 416 x.tag = MBEDTLS_ASN1_OID; \ 417 } \ 418 while( 0 ) 419 420 if( strcmp( ext_key_usage, "serverAuth" ) == 0 ) 421 { 422 SET_OID( exts[0].buf, MBEDTLS_OID_SERVER_AUTH ); 423 } 424 else if( strcmp( ext_key_usage, "codeSigning,timeStamping" ) == 0 ) 425 { 426 SET_OID( exts[0].buf, MBEDTLS_OID_CODE_SIGNING ); 427 exts[0].next = &exts[1]; 428 SET_OID( exts[1].buf, MBEDTLS_OID_TIME_STAMPING ); 429 } 430 TEST_ASSERT( mbedtls_x509write_crt_set_ext_key_usage( &crt, exts ) == 0 ); 431 } 432 } 433 434 ret = mbedtls_x509write_crt_pem( &crt, buf, sizeof( buf ), 435 mbedtls_test_rnd_pseudo_rand, &rnd_info ); 436 TEST_ASSERT( ret == 0 ); 437 438 pem_len = strlen( (char *) buf ); 439 440 // check that the rest of the buffer remains clear 441 for( buf_index = pem_len; buf_index < sizeof( buf ); ++buf_index ) 442 { 443 TEST_ASSERT( buf[buf_index] == 0 ); 444 } 445 446 if( issuer_key_type != MBEDTLS_PK_RSA ) 447 { 448 mbedtls_x509_crt crt_parse, trusted; 449 uint32_t flags; 450 451 mbedtls_x509_crt_init( &crt_parse ); 452 mbedtls_x509_crt_init( &trusted ); 453 454 TEST_ASSERT( mbedtls_x509_crt_parse_file( &trusted, 455 cert_verify_file ) == 0 ); 456 TEST_ASSERT( mbedtls_x509_crt_parse( &crt_parse, 457 buf, sizeof( buf ) ) == 0 ); 458 459 ret = mbedtls_x509_crt_verify( &crt_parse, &trusted, NULL, NULL, &flags, 460 NULL, NULL ); 461 462 mbedtls_x509_crt_free( &crt_parse ); 463 mbedtls_x509_crt_free( &trusted ); 464 465 TEST_EQUAL( flags, 0 ); 466 TEST_EQUAL( ret, 0 ); 467 } 468 else if( *cert_check_file != '\0' ) 469 { 470 f = fopen( cert_check_file, "r" ); 471 TEST_ASSERT( f != NULL ); 472 olen = fread( check_buf, 1, sizeof( check_buf ), f ); 473 fclose( f ); 474 TEST_ASSERT( olen < sizeof( check_buf ) ); 475 476 TEST_EQUAL( olen, pem_len ); 477 TEST_ASSERT( olen >= pem_len - 1 ); 478 TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 ); 479 } 480 481 der_len = mbedtls_x509write_crt_der( &crt, buf, sizeof( buf ), 482 mbedtls_test_rnd_pseudo_rand, 483 &rnd_info ); 484 TEST_ASSERT( der_len >= 0 ); 485 486 if( der_len == 0 ) 487 goto exit; 488 489 // Not testing against file, check date format 490 if( *cert_check_file == '\0' ) 491 { 492 // UTC tag if before 2050, 2 digits less for year 493 if( not_before[0] == '2' && ( not_before[1] > '0' || not_before[2] > '4' ) ) 494 { 495 before_tag = MBEDTLS_ASN1_GENERALIZED_TIME; 496 } 497 else 498 { 499 before_tag = MBEDTLS_ASN1_UTC_TIME; 500 not_before += 2; 501 } 502 if( not_after[0] == '2' && ( not_after[1] > '0' || not_after[2] > '4' ) ) 503 { 504 after_tag = MBEDTLS_ASN1_GENERALIZED_TIME; 505 } 506 else 507 { 508 after_tag = MBEDTLS_ASN1_UTC_TIME; 509 not_after += 2; 510 } 511 end = buf + sizeof( buf ); 512 for( p = end - der_len ; p < end ; ) 513 { 514 tag = *p++; 515 sz = *p++; 516 if( tag == MBEDTLS_ASN1_UTC_TIME || tag == MBEDTLS_ASN1_GENERALIZED_TIME ) 517 { 518 // Check correct tag and time written 519 TEST_ASSERT( before_tag == tag ); 520 TEST_ASSERT( memcmp( p, not_before, sz - 1 ) == 0 ); 521 p += sz; 522 tag = *p++; 523 sz = *p++; 524 TEST_ASSERT( after_tag == tag ); 525 TEST_ASSERT( memcmp( p, not_after, sz - 1 ) == 0 ); 526 break; 527 } 528 // Increment if long form ASN1 length 529 if( sz & 0x80 ) 530 p += sz & 0x0F; 531 if( tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) 532 p += sz; 533 } 534 TEST_ASSERT( p < end ); 535 } 536 537#if defined(MBEDTLS_USE_PSA_CRYPTO) 538 // When using PSA crypto, RNG isn't controllable, result length isn't 539 // deterministic over multiple runs, removing a single byte isn't enough to 540 // go into the MBEDTLS_ERR_ASN1_BUF_TOO_SMALL error case 541 if( issuer_key_type != MBEDTLS_PK_RSA ) 542 der_len /= 2; 543 else 544#endif 545 der_len -= 1; 546 547 ret = mbedtls_x509write_crt_der( &crt, buf, (size_t)( der_len ), 548 mbedtls_test_rnd_pseudo_rand, &rnd_info ); 549 TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); 550 551exit: 552 mbedtls_x509write_crt_free( &crt ); 553 mbedtls_pk_free( &issuer_key_alt ); 554 mbedtls_pk_free( &subject_key ); 555 mbedtls_pk_free( &issuer_key ); 556 mbedtls_mpi_free( &serial ); 557#if defined(MBEDTLS_USE_PSA_CRYPTO) 558 psa_destroy_key( key_id ); 559#endif 560 USE_PSA_DONE( ); 561} 562/* END_CASE */ 563 564/* BEGIN_CASE depends_on:MBEDTLS_X509_CREATE_C:MBEDTLS_X509_USE_C */ 565void mbedtls_x509_string_to_names( char * name, char * parsed_name, int result 566 ) 567{ 568 int ret; 569 size_t len = 0; 570 mbedtls_asn1_named_data *names = NULL; 571 mbedtls_x509_name parsed, *parsed_cur, *parsed_prv; 572 unsigned char buf[1024], out[1024], *c; 573 574 memset( &parsed, 0, sizeof( parsed ) ); 575 memset( out, 0, sizeof( out ) ); 576 memset( buf, 0, sizeof( buf ) ); 577 c = buf + sizeof( buf ); 578 579 ret = mbedtls_x509_string_to_names( &names, name ); 580 TEST_ASSERT( ret == result ); 581 582 if( ret != 0 ) 583 goto exit; 584 585 ret = mbedtls_x509_write_names( &c, buf, names ); 586 TEST_ASSERT( ret > 0 ); 587 588 TEST_ASSERT( mbedtls_asn1_get_tag( &c, buf + sizeof( buf ), &len, 589 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) == 0 ); 590 TEST_ASSERT( mbedtls_x509_get_name( &c, buf + sizeof( buf ), &parsed ) == 0 ); 591 592 ret = mbedtls_x509_dn_gets( (char *) out, sizeof( out ), &parsed ); 593 TEST_ASSERT( ret > 0 ); 594 595 TEST_ASSERT( strcmp( (char *) out, parsed_name ) == 0 ); 596 597exit: 598 mbedtls_asn1_free_named_data_list( &names ); 599 600 parsed_cur = parsed.next; 601 while( parsed_cur != 0 ) 602 { 603 parsed_prv = parsed_cur; 604 parsed_cur = parsed_cur->next; 605 mbedtls_free( parsed_prv ); 606 } 607} 608/* END_CASE */ 609