1 #include <stdio.h>
2
3 #include "nx_secure_tls_api.h"
4
5 #include "tls_test_utility.h"
6
7 static TX_THREAD thread_0;
8
9 void NX_SECURE_X509_KeyUsageTest();
10
11 static void thread_0_entry(ULONG thread_input);
12
13 #define DEMO_STACK_SIZE 2048
14 static CHAR thread_stack[DEMO_STACK_SIZE];
15
16 #ifdef CTEST
17 void test_application_define(void *first_unused_memory);
test_application_define(void * first_unused_memory)18 void test_application_define(void *first_unused_memory)
19 #else
20 void nx_secure_x509_key_usage_test_application_define(void *first_unused_memory)
21 #endif
22 {
23
24 /* Create the main thread. */
25 tx_thread_create(&thread_0, "thread 0", thread_0_entry, 0,
26 thread_stack, DEMO_STACK_SIZE,
27 4, 4, TX_NO_TIME_SLICE, TX_AUTO_START);
28 }
29
thread_0_entry(ULONG thread_input)30 static void thread_0_entry(ULONG thread_input)
31 {
32 /* Print out test information banner. */
33 printf("NetX Secure Test: X509 Key Usage Test...............................");
34
35 #ifndef NX_SECURE_DISABLE_X509
36 NX_SECURE_X509_KeyUsageTest();
37
38 printf("SUCCESS!\n");
39 #else
40 printf("N/A\n");
41 #endif
42
43 test_control_return(0);
44 }
45
46 #ifndef NX_SECURE_DISABLE_X509
47
48 static UCHAR server_packet_buffer[2000];
49
50 static NX_PACKET_POOL pool_0;
51
52 #define NX_PACKET_POOL_SIZE ((1536 + sizeof(NX_PACKET)) * 32)
53
54
55 static ULONG packet_pool_area[NX_PACKET_POOL_SIZE/sizeof(ULONG) + 64 / sizeof(ULONG)];
56
57 #include "key_usage_certs.c"
58
59 static NX_SECURE_X509_CERT root_ca;
60 static NX_SECURE_X509_CERT ica_cert;
61 static NX_SECURE_X509_CERT revoked_cert;
62 static NX_SECURE_X509_CERT device_cert;
63
64 /* Cryptographic routines. */
65 static CHAR crypto_metadata[16000];
66 extern const NX_SECURE_TLS_CRYPTO nx_crypto_tls_ciphers;
67
68 /* Buffer space for certificate tests. */
69 static CHAR ica_buf1[8000];
70 static CHAR ica_buf2[3000];
71 static CHAR device_buf1[8000];
72 static CHAR device_buf2[3000];
73 static CHAR revoked_buf1[8000];
74 static CHAR revoked_buf2[3000];
75
TEST(NX_SECURE_X509,KeyUsageTest)76 TEST(NX_SECURE_X509, KeyUsageTest)
77 {
78
79 UINT status;
80 NX_PACKET *packet;
81 NX_SECURE_TLS_SESSION session;
82 UCHAR header_buffer[6];
83 UCHAR header_data[6];
84 USHORT header_size;
85 UINT message_length;
86 USHORT message_type;
87 const NX_SECURE_TLS_CIPHERSUITE_INFO *ciphersuite;
88 NX_SECURE_X509_CERTIFICATE_STORE *store;
89 NX_SECURE_X509_CERT **remote_certs;
90
91 memset(&session, 0, sizeof(NX_SECURE_TLS_SESSION));
92
93 status = nx_packet_pool_create(&pool_0, "NetX Main Packet Pool", 1536, (ULONG*)(((int)packet_pool_area + 64) & ~63) , NX_PACKET_POOL_SIZE);
94 EXPECT_EQ(NX_SUCCESS, status);
95
96 status = _nx_secure_tls_session_reset(&session);
97 EXPECT_EQ(NX_SUCCESS, status);
98
99 /* Initialize the server session. */
100 /* Create a TLS session. */
101 status = nx_secure_tls_session_create(&session,
102 &nx_crypto_tls_ciphers,
103 crypto_metadata,
104 sizeof(crypto_metadata));
105 EXPECT_EQ(NX_SUCCESS, status);
106
107 /* Setup our packet reassembly buffer. */
108 status = _nx_secure_tls_session_packet_buffer_set(&session, server_packet_buffer, sizeof(server_packet_buffer));
109 EXPECT_EQ(NX_SUCCESS, status);
110
111 /* Setup TLS session as if we were in the middle of a handshake. */
112 session.nx_secure_tls_protocol_version = NX_SECURE_TLS_VERSION_TLS_1_2;
113
114 /* Initialize our certificates - NOTE: We don't need private keys because we aren't doing anything but chain verification. */
115 status = _nx_secure_x509_certificate_initialize(&ica_cert, ica_cert_der, ica_cert_der_len, NX_NULL, 0, NX_NULL, 0, NX_SECURE_X509_KEY_TYPE_NONE);
116 EXPECT_EQ(NX_SUCCESS, status);
117 status = _nx_secure_x509_certificate_initialize(&root_ca, root_ca_cert_der, root_ca_cert_der_len, NX_NULL, 0, NX_NULL, 0, NX_SECURE_X509_KEY_TYPE_NONE);
118 EXPECT_EQ(NX_SUCCESS, status);
119 status = _nx_secure_x509_certificate_initialize(&device_cert, device_cert_der, device_cert_der_len, NX_NULL, 0, NX_NULL, 0, NX_SECURE_X509_KEY_TYPE_NONE);
120 EXPECT_EQ(NX_SUCCESS, status);
121 status = _nx_secure_x509_certificate_initialize(&revoked_cert, revoked_cert_der, revoked_cert_der_len, NX_NULL, 0, NX_NULL, 0, NX_SECURE_X509_KEY_TYPE_NONE);
122 EXPECT_EQ(NX_SUCCESS, status);
123
124 /* Add certificates to session. */
125 status = _nx_secure_tls_trusted_certificate_add(&session, &root_ca);
126 EXPECT_EQ(NX_SUCCESS, status);
127
128 store = &session.nx_secure_tls_credentials.nx_secure_tls_certificate_store;
129 remote_certs = &session.nx_secure_tls_credentials.nx_secure_tls_certificate_store.nx_secure_x509_remote_certificates;
130
131 /* Add remote certificates as if we received a chain. */
132 status = _nx_secure_x509_certificate_list_add(remote_certs, &ica_cert, NX_TRUE);
133 EXPECT_EQ(NX_SUCCESS, status);
134 ica_cert.nx_secure_x509_public_cipher_metadata_area = ica_buf1;
135 ica_cert.nx_secure_x509_public_cipher_metadata_size = sizeof(ica_buf1);
136 ica_cert.nx_secure_x509_hash_metadata_area = ica_buf2;
137 ica_cert.nx_secure_x509_hash_metadata_size = sizeof(ica_buf2);
138 ica_cert.nx_secure_x509_cipher_table = session.nx_secure_tls_crypto_table -> nx_secure_tls_x509_cipher_table;
139 ica_cert.nx_secure_x509_cipher_table_size = session.nx_secure_tls_crypto_table -> nx_secure_tls_x509_cipher_table_size;
140
141 status = _nx_secure_x509_certificate_list_add(remote_certs, &device_cert, NX_TRUE);
142 EXPECT_EQ(NX_SUCCESS, status);
143 device_cert.nx_secure_x509_public_cipher_metadata_area = device_buf1;
144 device_cert.nx_secure_x509_public_cipher_metadata_size = sizeof(device_buf1);
145 device_cert.nx_secure_x509_hash_metadata_area = device_buf2;
146 device_cert.nx_secure_x509_hash_metadata_size = sizeof(device_buf2);
147 device_cert.nx_secure_x509_cipher_table = session.nx_secure_tls_crypto_table -> nx_secure_tls_x509_cipher_table;
148 device_cert.nx_secure_x509_cipher_table_size = session.nx_secure_tls_crypto_table -> nx_secure_tls_x509_cipher_table_size;
149
150
151 status = _nx_secure_x509_certificate_list_add(remote_certs, &revoked_cert, NX_TRUE);
152 EXPECT_EQ(NX_SUCCESS, status);
153 revoked_cert.nx_secure_x509_public_cipher_metadata_area = revoked_buf1;
154 revoked_cert.nx_secure_x509_public_cipher_metadata_size = sizeof(revoked_buf1);
155 revoked_cert.nx_secure_x509_hash_metadata_area = revoked_buf2;
156 revoked_cert.nx_secure_x509_hash_metadata_size = sizeof(revoked_buf2);
157 revoked_cert.nx_secure_x509_cipher_table = session.nx_secure_tls_crypto_table -> nx_secure_tls_x509_cipher_table;
158 revoked_cert.nx_secure_x509_cipher_table_size = session.nx_secure_tls_crypto_table -> nx_secure_tls_x509_cipher_table_size;
159
160
161 /* Now do some chain verifications. */
162
163 /* Check "device cert" - should FAIL because ICA does not have proper KeyUsage. */
164 status = _nx_secure_x509_certificate_chain_verify(store, &device_cert, 0);
165 EXPECT_EQ(NX_SECURE_X509_KEY_USAGE_ERROR, status);
166
167 /* Check "revoked cert" - should PASS because root CA DOES have proper KeyUsage. */
168 status = _nx_secure_x509_certificate_chain_verify(store, &revoked_cert, 0);
169 EXPECT_EQ(NX_SUCCESS, status);
170
171 /* Check CRLs. */
172
173 #ifndef NX_SECURE_X509_DISABLE_CRL
174 /* Root CRL is good because root CA has proper KeyUsage, but revoked_cert is revoked. */
175 status = _nx_secure_x509_crl_revocation_check(root_crl_der, root_crl_der_len, store, &revoked_cert);
176 EXPECT_EQ(NX_SECURE_X509_CRL_CERTIFICATE_REVOKED, status);
177
178 /* The ICA CRL is no good because ICA has improper KeyUsage. device_cert is OK, but CRL should fail. */
179 status = nx_secure_x509_crl_revocation_check(ica_crl_der, ica_crl_der_len, store, &device_cert);
180 EXPECT_EQ(NX_SECURE_X509_KEY_USAGE_ERROR, status);
181 #endif
182
183 nx_secure_tls_session_delete(&session);
184
185 }
186 #endif
187
