1/* BEGIN_HEADER */ 2#include "mbedtls/bignum.h" 3#include "mbedtls/x509.h" 4#include "mbedtls/x509_crt.h" 5#include "mbedtls/x509_crl.h" 6#include "mbedtls/x509_csr.h" 7#include "x509_internal.h" 8#include "mbedtls/pem.h" 9#include "mbedtls/oid.h" 10#include "mbedtls/base64.h" 11#include "mbedtls/error.h" 12#include "mbedtls/pk.h" 13#include "string.h" 14 15#if MBEDTLS_X509_MAX_INTERMEDIATE_CA > 19 16#error "The value of MBEDTLS_X509_MAX_INTERMEDIATE_C is larger \ 17 than the current threshold 19. To test larger values, please \ 18 adapt the script tests/data_files/dir-max/long.sh." 19#endif 20 21/* Test-only profile allowing all digests, PK algorithms, and curves. */ 22const mbedtls_x509_crt_profile profile_all = 23{ 24 0xFFFFFFFF, /* Any MD */ 25 0xFFFFFFFF, /* Any PK alg */ 26 0xFFFFFFFF, /* Any curve */ 27 1024, 28}; 29 30/* Profile for backward compatibility. Allows SHA-1, unlike the default 31 profile. */ 32const mbedtls_x509_crt_profile compat_profile = 33{ 34 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA1) | 35 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_RIPEMD160) | 36 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA224) | 37 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) | 38 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) | 39 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512), 40 0xFFFFFFFF, /* Any PK alg */ 41 0xFFFFFFFF, /* Any curve */ 42 1024, 43}; 44 45const mbedtls_x509_crt_profile profile_rsa3072 = 46{ 47 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) | 48 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) | 49 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512), 50 MBEDTLS_X509_ID_FLAG(MBEDTLS_PK_RSA), 51 0, 52 3072, 53}; 54 55const mbedtls_x509_crt_profile profile_sha512 = 56{ 57 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512), 58 0xFFFFFFFF, /* Any PK alg */ 59 0xFFFFFFFF, /* Any curve */ 60 1024, 61}; 62 63int verify_none(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) 64{ 65 ((void) data); 66 ((void) crt); 67 ((void) certificate_depth); 68 *flags |= MBEDTLS_X509_BADCERT_OTHER; 69 70 return 0; 71} 72 73int verify_all(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) 74{ 75 ((void) data); 76 ((void) crt); 77 ((void) certificate_depth); 78 *flags = 0; 79 80 return 0; 81} 82 83#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 84int ca_callback_fail(void *data, mbedtls_x509_crt const *child, mbedtls_x509_crt **candidates) 85{ 86 ((void) data); 87 ((void) child); 88 ((void) candidates); 89 90 return -1; 91} 92#if defined(MBEDTLS_X509_CRT_PARSE_C) 93int ca_callback(void *data, mbedtls_x509_crt const *child, 94 mbedtls_x509_crt **candidates) 95{ 96 int ret = 0; 97 mbedtls_x509_crt *ca = (mbedtls_x509_crt *) data; 98 mbedtls_x509_crt *first; 99 100 /* This is a test-only implementation of the CA callback 101 * which always returns the entire list of trusted certificates. 102 * Production implementations managing a large number of CAs 103 * should use an efficient presentation and lookup for the 104 * set of trusted certificates (such as a hashtable) and only 105 * return those trusted certificates which satisfy basic 106 * parental checks, such as the matching of child `Issuer` 107 * and parent `Subject` field. */ 108 ((void) child); 109 110 first = mbedtls_calloc(1, sizeof(mbedtls_x509_crt)); 111 if (first == NULL) { 112 ret = -1; 113 goto exit; 114 } 115 mbedtls_x509_crt_init(first); 116 117 if (mbedtls_x509_crt_parse_der(first, ca->raw.p, ca->raw.len) != 0) { 118 ret = -1; 119 goto exit; 120 } 121 122 while (ca->next != NULL) { 123 ca = ca->next; 124 if (mbedtls_x509_crt_parse_der(first, ca->raw.p, ca->raw.len) != 0) { 125 ret = -1; 126 goto exit; 127 } 128 } 129 130exit: 131 132 if (ret != 0) { 133 mbedtls_x509_crt_free(first); 134 mbedtls_free(first); 135 first = NULL; 136 } 137 138 *candidates = first; 139 return ret; 140} 141#endif /* MBEDTLS_X509_CRT_PARSE_C */ 142#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 143 144int verify_fatal(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) 145{ 146 int *levels = (int *) data; 147 148 ((void) crt); 149 ((void) certificate_depth); 150 151 /* Simulate a fatal error in the callback */ 152 if (*levels & (1 << certificate_depth)) { 153 *flags |= (1 << certificate_depth); 154 return -1 - certificate_depth; 155 } 156 157 return 0; 158} 159 160/* strsep() not available on Windows */ 161char *mystrsep(char **stringp, const char *delim) 162{ 163 const char *p; 164 char *ret = *stringp; 165 166 if (*stringp == NULL) { 167 return NULL; 168 } 169 170 for (;; (*stringp)++) { 171 if (**stringp == '\0') { 172 *stringp = NULL; 173 goto done; 174 } 175 176 for (p = delim; *p != '\0'; p++) { 177 if (**stringp == *p) { 178 **stringp = '\0'; 179 (*stringp)++; 180 goto done; 181 } 182 } 183 } 184 185done: 186 return ret; 187} 188 189#if defined(MBEDTLS_X509_CRT_PARSE_C) 190typedef struct { 191 char buf[512]; 192 char *p; 193} verify_print_context; 194 195void verify_print_init(verify_print_context *ctx) 196{ 197 memset(ctx, 0, sizeof(verify_print_context)); 198 ctx->p = ctx->buf; 199} 200 201int verify_print(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) 202{ 203 int ret; 204 verify_print_context *ctx = (verify_print_context *) data; 205 char *p = ctx->p; 206 size_t n = ctx->buf + sizeof(ctx->buf) - ctx->p; 207 ((void) flags); 208 209 ret = mbedtls_snprintf(p, n, "depth %d - serial ", certificate_depth); 210 MBEDTLS_X509_SAFE_SNPRINTF; 211 212 ret = mbedtls_x509_serial_gets(p, n, &crt->serial); 213 MBEDTLS_X509_SAFE_SNPRINTF; 214 215 ret = mbedtls_snprintf(p, n, " - subject "); 216 MBEDTLS_X509_SAFE_SNPRINTF; 217 218 ret = mbedtls_x509_dn_gets(p, n, &crt->subject); 219 MBEDTLS_X509_SAFE_SNPRINTF; 220 221 ret = mbedtls_snprintf(p, n, " - flags 0x%08x\n", *flags); 222 MBEDTLS_X509_SAFE_SNPRINTF; 223 224 ctx->p = p; 225 226 return 0; 227} 228 229int verify_parse_san(mbedtls_x509_subject_alternative_name *san, 230 char **buf, size_t *size) 231{ 232 int ret; 233 size_t i; 234 char *p = *buf; 235 size_t n = *size; 236 237 ret = mbedtls_snprintf(p, n, "type : %d", san->type); 238 MBEDTLS_X509_SAFE_SNPRINTF; 239 240 switch (san->type) { 241 case (MBEDTLS_X509_SAN_OTHER_NAME): 242 ret = mbedtls_snprintf(p, n, "\notherName :"); 243 MBEDTLS_X509_SAFE_SNPRINTF; 244 245 if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, 246 &san->san.other_name.type_id) == 0) { 247 ret = mbedtls_snprintf(p, n, " hardware module name :"); 248 MBEDTLS_X509_SAFE_SNPRINTF; 249 ret = mbedtls_snprintf(p, n, " hardware type : "); 250 MBEDTLS_X509_SAFE_SNPRINTF; 251 252 ret = mbedtls_oid_get_numeric_string(p, 253 n, 254 &san->san.other_name.value.hardware_module_name 255 .oid); 256 MBEDTLS_X509_SAFE_SNPRINTF; 257 258 ret = mbedtls_snprintf(p, n, ", hardware serial number : "); 259 MBEDTLS_X509_SAFE_SNPRINTF; 260 261 for (i = 0; i < san->san.other_name.value.hardware_module_name.val.len; i++) { 262 ret = mbedtls_snprintf(p, 263 n, 264 "%02X", 265 san->san.other_name.value.hardware_module_name.val.p[i]); 266 MBEDTLS_X509_SAFE_SNPRINTF; 267 } 268 } 269 break;/* MBEDTLS_OID_ON_HW_MODULE_NAME */ 270 case (MBEDTLS_X509_SAN_DNS_NAME): 271 ret = mbedtls_snprintf(p, n, "\ndNSName : "); 272 MBEDTLS_X509_SAFE_SNPRINTF; 273 if (san->san.unstructured_name.len >= n) { 274 *p = '\0'; 275 return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; 276 } 277 n -= san->san.unstructured_name.len; 278 for (i = 0; i < san->san.unstructured_name.len; i++) { 279 *p++ = san->san.unstructured_name.p[i]; 280 } 281 break;/* MBEDTLS_X509_SAN_DNS_NAME */ 282 case (MBEDTLS_X509_SAN_RFC822_NAME): 283 ret = mbedtls_snprintf(p, n, "\nrfc822Name : "); 284 MBEDTLS_X509_SAFE_SNPRINTF; 285 if (san->san.unstructured_name.len >= n) { 286 *p = '\0'; 287 return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; 288 } 289 n -= san->san.unstructured_name.len; 290 for (i = 0; i < san->san.unstructured_name.len; i++) { 291 *p++ = san->san.unstructured_name.p[i]; 292 } 293 break;/* MBEDTLS_X509_SAN_RFC822_NAME */ 294 case (MBEDTLS_X509_SAN_DIRECTORY_NAME): 295 ret = mbedtls_snprintf(p, n, "\ndirectoryName : "); 296 MBEDTLS_X509_SAFE_SNPRINTF; 297 ret = mbedtls_x509_dn_gets(p, n, &san->san.directory_name); 298 if (ret < 0) { 299 return ret; 300 } 301 302 p += ret; 303 n -= ret; 304 break;/* MBEDTLS_X509_SAN_DIRECTORY_NAME */ 305 default: 306 /* 307 * Should not happen. 308 */ 309 return -1; 310 } 311 ret = mbedtls_snprintf(p, n, "\n"); 312 MBEDTLS_X509_SAFE_SNPRINTF; 313 314 *size = n; 315 *buf = p; 316 317 return 0; 318} 319 320int parse_crt_ext_cb(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid, 321 int critical, const unsigned char *cp, const unsigned char *end) 322{ 323 (void) crt; 324 (void) critical; 325 mbedtls_x509_buf *new_oid = (mbedtls_x509_buf *) p_ctx; 326 if (oid->tag == MBEDTLS_ASN1_OID && 327 MBEDTLS_OID_CMP(MBEDTLS_OID_CERTIFICATE_POLICIES, oid) == 0) { 328 /* Handle unknown certificate policy */ 329 int ret, parse_ret = 0; 330 size_t len; 331 unsigned char **p = (unsigned char **) &cp; 332 333 /* Get main sequence tag */ 334 ret = mbedtls_asn1_get_tag(p, end, &len, 335 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); 336 if (ret != 0) { 337 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 338 } 339 340 if (*p + len != end) { 341 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 342 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 343 } 344 345 /* 346 * Cannot be an empty sequence. 347 */ 348 if (len == 0) { 349 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 350 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 351 } 352 353 while (*p < end) { 354 const unsigned char *policy_end; 355 356 /* 357 * Get the policy sequence 358 */ 359 if ((ret = mbedtls_asn1_get_tag(p, end, &len, 360 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 361 0) { 362 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 363 } 364 365 policy_end = *p + len; 366 367 if ((ret = mbedtls_asn1_get_tag(p, policy_end, &len, 368 MBEDTLS_ASN1_OID)) != 0) { 369 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 370 } 371 372 /* 373 * Recognize exclusively the policy with OID 1 374 */ 375 if (len != 1 || *p[0] != 1) { 376 parse_ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE; 377 } 378 379 *p += len; 380 381 /* 382 * If there is an optional qualifier, then *p < policy_end 383 * Check the Qualifier len to verify it doesn't exceed policy_end. 384 */ 385 if (*p < policy_end) { 386 if ((ret = mbedtls_asn1_get_tag(p, policy_end, &len, 387 MBEDTLS_ASN1_CONSTRUCTED | 388 MBEDTLS_ASN1_SEQUENCE)) != 0) { 389 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 390 } 391 /* 392 * Skip the optional policy qualifiers. 393 */ 394 *p += len; 395 } 396 397 if (*p != policy_end) { 398 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 399 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 400 } 401 } 402 403 if (*p != end) { 404 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 405 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 406 } 407 408 return parse_ret; 409 } else if (new_oid != NULL && new_oid->tag == oid->tag && new_oid->len == oid->len && 410 memcmp(new_oid->p, oid->p, oid->len) == 0) { 411 return 0; 412 } else { 413 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 414 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG); 415 } 416} 417#endif /* MBEDTLS_X509_CRT_PARSE_C */ 418 419#if defined(MBEDTLS_X509_CSR_PARSE_C) 420int parse_csr_ext_accept_cb(void *p_ctx, mbedtls_x509_csr const *csr, mbedtls_x509_buf const *oid, 421 int critical, const unsigned char *cp, const unsigned char *end) 422{ 423 (void) p_ctx; 424 (void) csr; 425 (void) oid; 426 (void) critical; 427 (void) cp; 428 (void) end; 429 430 return 0; 431} 432 433int parse_csr_ext_reject_cb(void *p_ctx, mbedtls_x509_csr const *csr, mbedtls_x509_buf const *oid, 434 int critical, const unsigned char *cp, const unsigned char *end) 435{ 436 (void) p_ctx; 437 (void) csr; 438 (void) oid; 439 (void) critical; 440 (void) cp; 441 (void) end; 442 443 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 444 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG); 445} 446#endif /* MBEDTLS_X509_CSR_PARSE_C */ 447/* END_HEADER */ 448 449/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ 450void x509_accessor_ext_types(int ext_type, int has_ext_type) 451{ 452 mbedtls_x509_crt crt; 453 int expected_result = ext_type & has_ext_type; 454 455 mbedtls_x509_crt_init(&crt); 456 USE_PSA_INIT(); 457 458 crt.ext_types = ext_type; 459 460 TEST_EQUAL(mbedtls_x509_crt_has_ext_type(&crt, has_ext_type), expected_result); 461 462exit: 463 mbedtls_x509_crt_free(&crt); 464 USE_PSA_DONE(); 465} 466/* END_CASE */ 467 468/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_TEST_HOOKS */ 469void x509_crt_parse_cn_inet_pton(const char *cn, data_t *exp, int ref_ret) 470{ 471 uint32_t addr[4]; 472 size_t addrlen = mbedtls_x509_crt_parse_cn_inet_pton(cn, addr); 473 TEST_EQUAL(addrlen, (size_t) ref_ret); 474 475 if (addrlen) { 476 TEST_MEMORY_COMPARE(exp->x, exp->len, addr, addrlen); 477 } 478} 479/* END_CASE */ 480 481/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 482void x509_parse_san(char *crt_file, char *result_str, int parse_result) 483{ 484 int ret; 485 mbedtls_x509_crt crt; 486 mbedtls_x509_subject_alternative_name san; 487 mbedtls_x509_sequence *cur = NULL; 488 char buf[2000]; 489 char *p = buf; 490 size_t n = sizeof(buf); 491 492 mbedtls_x509_crt_init(&crt); 493 USE_PSA_INIT(); 494 memset(buf, 0, 2000); 495 496 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), parse_result); 497 498 if (parse_result != 0) { 499 goto exit; 500 } 501 if (crt.ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) { 502 cur = &crt.subject_alt_names; 503 while (cur != NULL) { 504 ret = mbedtls_x509_parse_subject_alt_name(&cur->buf, &san); 505 TEST_ASSERT(ret == 0 || ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE); 506 /* 507 * If san type not supported, ignore. 508 */ 509 if (ret == 0) { 510 ret = verify_parse_san(&san, &p, &n); 511 mbedtls_x509_free_subject_alt_name(&san); 512 TEST_EQUAL(ret, 0); 513 } 514 cur = cur->next; 515 } 516 } 517 518 TEST_EQUAL(strcmp(buf, result_str), 0); 519 520exit: 521 mbedtls_x509_crt_free(&crt); 522 USE_PSA_DONE(); 523} 524/* END_CASE */ 525 526/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:!MBEDTLS_X509_REMOVE_INFO:MBEDTLS_X509_CRT_PARSE_C */ 527void x509_cert_info(char *crt_file, char *result_str) 528{ 529 mbedtls_x509_crt crt; 530 char buf[2000]; 531 int res; 532 533 mbedtls_x509_crt_init(&crt); 534 USE_PSA_INIT(); 535 memset(buf, 0, 2000); 536 537 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 538 res = mbedtls_x509_crt_info(buf, 2000, "", &crt); 539 540 TEST_ASSERT(res != -1); 541 TEST_ASSERT(res != -2); 542 543 TEST_EQUAL(strcmp(buf, result_str), 0); 544 545exit: 546 mbedtls_x509_crt_free(&crt); 547 USE_PSA_DONE(); 548} 549/* END_CASE */ 550 551/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRL_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 552void mbedtls_x509_crl_info(char *crl_file, char *result_str) 553{ 554 mbedtls_x509_crl crl; 555 char buf[2000]; 556 int res; 557 558 mbedtls_x509_crl_init(&crl); 559 USE_PSA_INIT(); 560 memset(buf, 0, 2000); 561 562 TEST_EQUAL(mbedtls_x509_crl_parse_file(&crl, crl_file), 0); 563 res = mbedtls_x509_crl_info(buf, 2000, "", &crl); 564 565 TEST_ASSERT(res != -1); 566 TEST_ASSERT(res != -2); 567 568 TEST_EQUAL(strcmp(buf, result_str), 0); 569 570exit: 571 mbedtls_x509_crl_free(&crl); 572 USE_PSA_DONE(); 573} 574/* END_CASE */ 575 576/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRL_PARSE_C */ 577void mbedtls_x509_crl_parse(char *crl_file, int result) 578{ 579 mbedtls_x509_crl crl; 580 char buf[2000]; 581 582 mbedtls_x509_crl_init(&crl); 583 USE_PSA_INIT(); 584 memset(buf, 0, 2000); 585 586 TEST_EQUAL(mbedtls_x509_crl_parse_file(&crl, crl_file), result); 587 588exit: 589 mbedtls_x509_crl_free(&crl); 590 USE_PSA_DONE(); 591} 592/* END_CASE */ 593 594/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CSR_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 595void mbedtls_x509_csr_info(char *csr_file, char *result_str) 596{ 597 mbedtls_x509_csr csr; 598 char buf[2000]; 599 int res; 600 601 mbedtls_x509_csr_init(&csr); 602 USE_PSA_INIT(); 603 memset(buf, 0, 2000); 604 605 TEST_EQUAL(mbedtls_x509_csr_parse_file(&csr, csr_file), 0); 606 res = mbedtls_x509_csr_info(buf, 2000, "", &csr); 607 608 TEST_ASSERT(res != -1); 609 TEST_ASSERT(res != -2); 610 611 TEST_EQUAL(strcmp(buf, result_str), 0); 612 613exit: 614 mbedtls_x509_csr_free(&csr); 615 USE_PSA_DONE(); 616} 617/* END_CASE */ 618 619/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 620void x509_verify_info(int flags, char *prefix, char *result_str) 621{ 622 char buf[2000]; 623 int res; 624 625 USE_PSA_INIT(); 626 memset(buf, 0, sizeof(buf)); 627 628 res = mbedtls_x509_crt_verify_info(buf, sizeof(buf), prefix, flags); 629 630 TEST_ASSERT(res >= 0); 631 632 TEST_EQUAL(strcmp(buf, result_str), 0); 633 634exit: 635 USE_PSA_DONE(); 636} 637/* END_CASE */ 638 639/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECDSA_C */ 640void x509_verify_restart(char *crt_file, char *ca_file, 641 int result, int flags_result, 642 int max_ops, int min_restart, int max_restart) 643{ 644 int ret, cnt_restart; 645 mbedtls_x509_crt_restart_ctx rs_ctx; 646 mbedtls_x509_crt crt; 647 mbedtls_x509_crt ca; 648 uint32_t flags = 0; 649 650 /* 651 * See comments on ecp_test_vect_restart() for op count precision. 652 * 653 * For reference, with Mbed TLS 2.6 and default settings: 654 * - ecdsa_verify() for P-256: ~ 6700 655 * - ecdsa_verify() for P-384: ~ 18800 656 * - x509_verify() for server5 -> test-ca2: ~ 18800 657 * - x509_verify() for server10 -> int-ca3 -> int-ca2: ~ 25500 658 */ 659 mbedtls_x509_crt_restart_init(&rs_ctx); 660 mbedtls_x509_crt_init(&crt); 661 mbedtls_x509_crt_init(&ca); 662 MD_OR_USE_PSA_INIT(); 663 664 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 665 TEST_EQUAL(mbedtls_x509_crt_parse_file(&ca, ca_file), 0); 666 667 mbedtls_ecp_set_max_ops(max_ops); 668 669 cnt_restart = 0; 670 do { 671 ret = mbedtls_x509_crt_verify_restartable(&crt, &ca, NULL, 672 &mbedtls_x509_crt_profile_default, NULL, &flags, 673 NULL, NULL, &rs_ctx); 674 } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart); 675 676 TEST_EQUAL(ret, result); 677 TEST_EQUAL(flags, (uint32_t) flags_result); 678 679 TEST_ASSERT(cnt_restart >= min_restart); 680 TEST_ASSERT(cnt_restart <= max_restart); 681 682 /* Do we leak memory when aborting? */ 683 ret = mbedtls_x509_crt_verify_restartable(&crt, &ca, NULL, 684 &mbedtls_x509_crt_profile_default, NULL, &flags, 685 NULL, NULL, &rs_ctx); 686 TEST_ASSERT(ret == result || ret == MBEDTLS_ERR_ECP_IN_PROGRESS); 687 688exit: 689 mbedtls_x509_crt_restart_free(&rs_ctx); 690 mbedtls_x509_crt_free(&crt); 691 mbedtls_x509_crt_free(&ca); 692 MD_OR_USE_PSA_DONE(); 693} 694/* END_CASE */ 695 696/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C */ 697void x509_verify(char *crt_file, char *ca_file, char *crl_file, 698 char *cn_name_str, int result, int flags_result, 699 char *profile_str, 700 char *verify_callback) 701{ 702 mbedtls_x509_crt crt; 703 mbedtls_x509_crt ca; 704 mbedtls_x509_crl crl; 705 uint32_t flags = 0; 706 int res; 707 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) = NULL; 708 char *cn_name = NULL; 709 const mbedtls_x509_crt_profile *profile; 710 711 mbedtls_x509_crt_init(&crt); 712 mbedtls_x509_crt_init(&ca); 713 mbedtls_x509_crl_init(&crl); 714 MD_OR_USE_PSA_INIT(); 715 716 if (strcmp(cn_name_str, "NULL") != 0) { 717 cn_name = cn_name_str; 718 } 719 720 if (strcmp(profile_str, "") == 0) { 721 profile = &mbedtls_x509_crt_profile_default; 722 } else if (strcmp(profile_str, "next") == 0) { 723 profile = &mbedtls_x509_crt_profile_next; 724 } else if (strcmp(profile_str, "suite_b") == 0) { 725 profile = &mbedtls_x509_crt_profile_suiteb; 726 } else if (strcmp(profile_str, "compat") == 0) { 727 profile = &compat_profile; 728 } else if (strcmp(profile_str, "all") == 0) { 729 profile = &profile_all; 730 } else { 731 TEST_FAIL("Unknown algorithm profile"); 732 } 733 734 if (strcmp(verify_callback, "NULL") == 0) { 735 f_vrfy = NULL; 736 } else if (strcmp(verify_callback, "verify_none") == 0) { 737 f_vrfy = verify_none; 738 } else if (strcmp(verify_callback, "verify_all") == 0) { 739 f_vrfy = verify_all; 740 } else { 741 TEST_FAIL("No known verify callback selected"); 742 } 743 744 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 745 TEST_EQUAL(mbedtls_x509_crt_parse_file(&ca, ca_file), 0); 746 TEST_EQUAL(mbedtls_x509_crl_parse_file(&crl, crl_file), 0); 747 748 res = mbedtls_x509_crt_verify_with_profile(&crt, 749 &ca, 750 &crl, 751 profile, 752 cn_name, 753 &flags, 754 f_vrfy, 755 NULL); 756 757 TEST_EQUAL(res, result); 758 TEST_EQUAL(flags, (uint32_t) flags_result); 759 760#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 761 /* CRLs aren't supported with CA callbacks, so skip the CA callback 762 * version of the test if CRLs are in use. */ 763 if (strcmp(crl_file, "") == 0) { 764 flags = 0; 765 766 res = mbedtls_x509_crt_verify_with_ca_cb(&crt, 767 ca_callback, 768 &ca, 769 profile, 770 cn_name, 771 &flags, 772 f_vrfy, 773 NULL); 774 775 TEST_EQUAL(res, result); 776 TEST_EQUAL(flags, (uint32_t) (flags_result)); 777 } 778#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 779exit: 780 mbedtls_x509_crt_free(&crt); 781 mbedtls_x509_crt_free(&ca); 782 mbedtls_x509_crl_free(&crl); 783 MD_OR_USE_PSA_DONE(); 784} 785/* END_CASE */ 786 787/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C:MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 788void x509_verify_ca_cb_failure(char *crt_file, char *ca_file, char *name, 789 int exp_ret) 790{ 791 int ret; 792 mbedtls_x509_crt crt; 793 mbedtls_x509_crt ca; 794 uint32_t flags = 0; 795 796 mbedtls_x509_crt_init(&crt); 797 mbedtls_x509_crt_init(&ca); 798 USE_PSA_INIT(); 799 800 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 801 TEST_EQUAL(mbedtls_x509_crt_parse_file(&ca, ca_file), 0); 802 803 if (strcmp(name, "NULL") == 0) { 804 name = NULL; 805 } 806 807 ret = mbedtls_x509_crt_verify_with_ca_cb(&crt, ca_callback_fail, &ca, 808 &compat_profile, name, &flags, 809 NULL, NULL); 810 811 TEST_EQUAL(ret, exp_ret); 812 TEST_EQUAL(flags, (uint32_t) (-1)); 813exit: 814 mbedtls_x509_crt_free(&crt); 815 mbedtls_x509_crt_free(&ca); 816 USE_PSA_DONE(); 817} 818/* END_CASE */ 819 820/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 821void x509_verify_callback(char *crt_file, char *ca_file, char *name, 822 int exp_ret, char *exp_vrfy_out) 823{ 824 int ret; 825 mbedtls_x509_crt crt; 826 mbedtls_x509_crt ca; 827 uint32_t flags = 0; 828 verify_print_context vrfy_ctx; 829 830 mbedtls_x509_crt_init(&crt); 831 mbedtls_x509_crt_init(&ca); 832 MD_OR_USE_PSA_INIT(); 833 834 verify_print_init(&vrfy_ctx); 835 836 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 837 TEST_EQUAL(mbedtls_x509_crt_parse_file(&ca, ca_file), 0); 838 839 if (strcmp(name, "NULL") == 0) { 840 name = NULL; 841 } 842 843 ret = mbedtls_x509_crt_verify_with_profile(&crt, &ca, NULL, 844 &compat_profile, 845 name, &flags, 846 verify_print, &vrfy_ctx); 847 848 TEST_EQUAL(ret, exp_ret); 849 TEST_EQUAL(strcmp(vrfy_ctx.buf, exp_vrfy_out), 0); 850 851exit: 852 mbedtls_x509_crt_free(&crt); 853 mbedtls_x509_crt_free(&ca); 854 MD_OR_USE_PSA_DONE(); 855} 856/* END_CASE */ 857 858/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 859void mbedtls_x509_dn_gets_subject_replace(char *crt_file, 860 char *new_subject_ou, 861 char *result_str, 862 int ret) 863{ 864 mbedtls_x509_crt crt; 865 char buf[2000]; 866 int res = 0; 867 868 mbedtls_x509_crt_init(&crt); 869 USE_PSA_INIT(); 870 871 memset(buf, 0, 2000); 872 873 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 874 crt.subject.next->val.p = (unsigned char *) new_subject_ou; 875 crt.subject.next->val.len = strlen(new_subject_ou); 876 877 res = mbedtls_x509_dn_gets(buf, 2000, &crt.subject); 878 879 if (ret != 0) { 880 TEST_EQUAL(res, ret); 881 } else { 882 TEST_ASSERT(res != -1); 883 TEST_ASSERT(res != -2); 884 TEST_EQUAL(strcmp(buf, result_str), 0); 885 } 886exit: 887 mbedtls_x509_crt_free(&crt); 888 USE_PSA_DONE(); 889} 890/* END_CASE */ 891 892/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 893void mbedtls_x509_dn_gets(char *crt_file, char *entity, char *result_str) 894{ 895 mbedtls_x509_crt crt; 896 char buf[2000]; 897 int res = 0; 898 899 mbedtls_x509_crt_init(&crt); 900 USE_PSA_INIT(); 901 902 memset(buf, 0, 2000); 903 904 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 905 if (strcmp(entity, "subject") == 0) { 906 res = mbedtls_x509_dn_gets(buf, 2000, &crt.subject); 907 } else if (strcmp(entity, "issuer") == 0) { 908 res = mbedtls_x509_dn_gets(buf, 2000, &crt.issuer); 909 } else { 910 TEST_FAIL("Unknown entity"); 911 } 912 913 TEST_ASSERT(res != -1); 914 TEST_ASSERT(res != -2); 915 916 TEST_EQUAL(strcmp(buf, result_str), 0); 917 918exit: 919 mbedtls_x509_crt_free(&crt); 920 USE_PSA_DONE(); 921} 922/* END_CASE */ 923 924/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ 925void mbedtls_x509_get_name(char *rdn_sequence, int exp_ret) 926{ 927 unsigned char *name = NULL; 928 unsigned char *p; 929 size_t name_len; 930 mbedtls_x509_name head; 931 int ret; 932 933 USE_PSA_INIT(); 934 memset(&head, 0, sizeof(head)); 935 936 name = mbedtls_test_unhexify_alloc(rdn_sequence, &name_len); 937 p = name; 938 939 ret = mbedtls_x509_get_name(&p, (name + name_len), &head); 940 if (ret == 0) { 941 mbedtls_asn1_free_named_data_list_shallow(head.next); 942 } 943 944 TEST_EQUAL(ret, exp_ret); 945 946exit: 947 mbedtls_free(name); 948 USE_PSA_DONE(); 949} 950/* END_CASE */ 951 952/* BEGIN_CASE depends_on:MBEDTLS_X509_CREATE_C:MBEDTLS_X509_USE_C:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 953void mbedtls_x509_dn_get_next(char *name_str, 954 int next_merged, 955 char *expected_oids, 956 int exp_count, 957 char *exp_dn_gets) 958{ 959 int ret = 0, i; 960 size_t len = 0, out_size; 961 mbedtls_asn1_named_data *names = NULL; 962 mbedtls_x509_name parsed; 963 memset(&parsed, 0, sizeof(parsed)); 964 mbedtls_x509_name *parsed_cur; 965 // Size of buf is maximum required for test cases 966 unsigned char buf[80] = { 0 }; 967 unsigned char *out = NULL; 968 unsigned char *c = buf + sizeof(buf); 969 const char *short_name; 970 971 USE_PSA_INIT(); 972 973 // Additional size required for trailing space 974 out_size = strlen(expected_oids) + 2; 975 TEST_CALLOC(out, out_size); 976 977 TEST_EQUAL(mbedtls_x509_string_to_names(&names, name_str), 0); 978 979 ret = mbedtls_x509_write_names(&c, buf, names); 980 TEST_LE_S(0, ret); 981 982 TEST_EQUAL(mbedtls_asn1_get_tag(&c, buf + sizeof(buf), &len, 983 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE), 0); 984 TEST_EQUAL(mbedtls_x509_get_name(&c, buf + sizeof(buf), &parsed), 0); 985 986 // Iterate over names and set next_merged nodes 987 parsed_cur = &parsed; 988 for (; next_merged != 0 && parsed_cur != NULL; next_merged = next_merged >> 1) { 989 parsed_cur->next_merged = next_merged & 0x01; 990 parsed_cur = parsed_cur->next; 991 } 992 993 // Iterate over RDN nodes and print OID of first element to buffer 994 parsed_cur = &parsed; 995 len = 0; 996 for (i = 0; parsed_cur != NULL; i++) { 997 TEST_EQUAL(mbedtls_oid_get_attr_short_name(&parsed_cur->oid, 998 &short_name), 0); 999 len += mbedtls_snprintf((char *) out + len, out_size - len, "%s ", short_name); 1000 parsed_cur = mbedtls_x509_dn_get_next(parsed_cur); 1001 } 1002 out[len-1] = 0; 1003 1004 TEST_EQUAL(exp_count, i); 1005 TEST_EQUAL(strcmp((char *) out, expected_oids), 0); 1006 mbedtls_free(out); 1007 out = NULL; 1008 1009 out_size = strlen(exp_dn_gets) + 1; 1010 TEST_CALLOC(out, out_size); 1011 1012 TEST_LE_S(0, mbedtls_x509_dn_gets((char *) out, out_size, &parsed)); 1013 TEST_EQUAL(strcmp((char *) out, exp_dn_gets), 0); 1014exit: 1015 mbedtls_free(out); 1016 mbedtls_asn1_free_named_data_list(&names); 1017 mbedtls_asn1_free_named_data_list_shallow(parsed.next); 1018 USE_PSA_DONE(); 1019} 1020/* END_CASE */ 1021 1022/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1023void mbedtls_x509_time_is_past(char *crt_file, char *entity, int result) 1024{ 1025 mbedtls_x509_crt crt; 1026 1027 mbedtls_x509_crt_init(&crt); 1028 USE_PSA_INIT(); 1029 1030 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 1031 1032 if (strcmp(entity, "valid_from") == 0) { 1033 TEST_EQUAL(mbedtls_x509_time_is_past(&crt.valid_from), result); 1034 } else if (strcmp(entity, "valid_to") == 0) { 1035 TEST_EQUAL(mbedtls_x509_time_is_past(&crt.valid_to), result); 1036 } else { 1037 TEST_FAIL("Unknown entity"); 1038 } 1039 1040exit: 1041 mbedtls_x509_crt_free(&crt); 1042 USE_PSA_DONE(); 1043} 1044/* END_CASE */ 1045 1046/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1047void mbedtls_x509_time_is_future(char *crt_file, char *entity, int result) 1048{ 1049 mbedtls_x509_crt crt; 1050 1051 mbedtls_x509_crt_init(&crt); 1052 USE_PSA_INIT(); 1053 1054 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 1055 1056 if (strcmp(entity, "valid_from") == 0) { 1057 TEST_EQUAL(mbedtls_x509_time_is_future(&crt.valid_from), result); 1058 } else if (strcmp(entity, "valid_to") == 0) { 1059 TEST_EQUAL(mbedtls_x509_time_is_future(&crt.valid_to), result); 1060 } else { 1061 TEST_FAIL("Unknown entity"); 1062 } 1063 1064exit: 1065 mbedtls_x509_crt_free(&crt); 1066 USE_PSA_DONE(); 1067} 1068/* END_CASE */ 1069 1070/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_FS_IO */ 1071void x509parse_crt_file(char *crt_file, int result) 1072{ 1073 mbedtls_x509_crt crt; 1074 1075 mbedtls_x509_crt_init(&crt); 1076 USE_PSA_INIT(); 1077 1078 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), result); 1079 1080exit: 1081 mbedtls_x509_crt_free(&crt); 1082 USE_PSA_DONE(); 1083} 1084/* END_CASE */ 1085 1086/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_FS_IO */ 1087void mbedtls_x509_get_ca_istrue(char *crt_file, int result) 1088{ 1089 mbedtls_x509_crt crt; 1090 mbedtls_x509_crt_init(&crt); 1091 USE_PSA_INIT(); 1092 1093 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 1094 TEST_EQUAL(mbedtls_x509_crt_get_ca_istrue(&crt), result); 1095exit: 1096 mbedtls_x509_crt_free(&crt); 1097 USE_PSA_DONE(); 1098} 1099/* END_CASE */ 1100 1101/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ 1102void x509parse_crt(data_t *buf, char *result_str, int result) 1103{ 1104 mbedtls_x509_crt crt; 1105#if !defined(MBEDTLS_X509_REMOVE_INFO) 1106 unsigned char output[2000] = { 0 }; 1107 int res; 1108#else 1109 ((void) result_str); 1110#endif 1111 1112 mbedtls_x509_crt_init(&crt); 1113 USE_PSA_INIT(); 1114 1115 TEST_EQUAL(mbedtls_x509_crt_parse_der(&crt, buf->x, buf->len), result); 1116#if !defined(MBEDTLS_X509_REMOVE_INFO) 1117 if ((result) == 0) { 1118 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1119 TEST_ASSERT(res != -1); 1120 TEST_ASSERT(res != -2); 1121 1122 TEST_EQUAL(strcmp((char *) output, result_str), 0); 1123 } 1124 memset(output, 0, 2000); 1125#endif 1126 1127 mbedtls_x509_crt_free(&crt); 1128 mbedtls_x509_crt_init(&crt); 1129 1130 TEST_EQUAL(mbedtls_x509_crt_parse_der_nocopy(&crt, buf->x, buf->len), result); 1131#if !defined(MBEDTLS_X509_REMOVE_INFO) 1132 if ((result) == 0) { 1133 memset(output, 0, 2000); 1134 1135 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1136 1137 TEST_ASSERT(res != -1); 1138 TEST_ASSERT(res != -2); 1139 1140 TEST_EQUAL(strcmp((char *) output, result_str), 0); 1141 } 1142 memset(output, 0, 2000); 1143#endif /* !MBEDTLS_X509_REMOVE_INFO */ 1144 1145 mbedtls_x509_crt_free(&crt); 1146 mbedtls_x509_crt_init(&crt); 1147 1148 TEST_EQUAL(mbedtls_x509_crt_parse_der_with_ext_cb(&crt, buf->x, buf->len, 0, NULL, NULL), 1149 result); 1150#if !defined(MBEDTLS_X509_REMOVE_INFO) 1151 if ((result) == 0) { 1152 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1153 1154 TEST_ASSERT(res != -1); 1155 TEST_ASSERT(res != -2); 1156 1157 TEST_EQUAL(strcmp((char *) output, result_str), 0); 1158 } 1159 memset(output, 0, 2000); 1160#endif /* !MBEDTLS_X509_REMOVE_INFO */ 1161 1162 mbedtls_x509_crt_free(&crt); 1163 mbedtls_x509_crt_init(&crt); 1164 1165 TEST_EQUAL(mbedtls_x509_crt_parse_der_with_ext_cb(&crt, buf->x, buf->len, 1, NULL, NULL), 1166 result); 1167#if !defined(MBEDTLS_X509_REMOVE_INFO) 1168 if ((result) == 0) { 1169 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1170 1171 TEST_ASSERT(res != -1); 1172 TEST_ASSERT(res != -2); 1173 1174 TEST_EQUAL(strcmp((char *) output, result_str), 0); 1175 } 1176#endif /* !MBEDTLS_X509_REMOVE_INFO */ 1177 1178exit: 1179 mbedtls_x509_crt_free(&crt); 1180 USE_PSA_DONE(); 1181} 1182/* END_CASE */ 1183 1184/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ 1185void x509parse_crt_cb(data_t *buf, char *result_str, int result) 1186{ 1187 mbedtls_x509_crt crt; 1188 mbedtls_x509_buf oid; 1189 1190#if !defined(MBEDTLS_X509_REMOVE_INFO) 1191 unsigned char output[2000] = { 0 }; 1192 int res; 1193#else 1194 ((void) result_str); 1195#endif 1196 1197 oid.tag = MBEDTLS_ASN1_OID; 1198 oid.len = MBEDTLS_OID_SIZE(MBEDTLS_OID_PKIX "\x01\x1F"); 1199 oid.p = (unsigned char *) MBEDTLS_OID_PKIX "\x01\x1F"; 1200 1201 mbedtls_x509_crt_init(&crt); 1202 USE_PSA_INIT(); 1203 1204 TEST_EQUAL(mbedtls_x509_crt_parse_der_with_ext_cb(&crt, buf->x, buf->len, 0, parse_crt_ext_cb, 1205 &oid), result); 1206#if !defined(MBEDTLS_X509_REMOVE_INFO) 1207 if ((result) == 0) { 1208 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1209 1210 TEST_ASSERT(res != -1); 1211 TEST_ASSERT(res != -2); 1212 1213 TEST_EQUAL(strcmp((char *) output, result_str), 0); 1214 } 1215 memset(output, 0, 2000); 1216#endif /* !MBEDTLS_X509_REMOVE_INFO */ 1217 1218 mbedtls_x509_crt_free(&crt); 1219 mbedtls_x509_crt_init(&crt); 1220 1221 TEST_EQUAL(mbedtls_x509_crt_parse_der_with_ext_cb(&crt, buf->x, buf->len, 1, parse_crt_ext_cb, 1222 &oid), (result)); 1223#if !defined(MBEDTLS_X509_REMOVE_INFO) 1224 if ((result) == 0) { 1225 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1226 1227 TEST_ASSERT(res != -1); 1228 TEST_ASSERT(res != -2); 1229 1230 TEST_EQUAL(strcmp((char *) output, result_str), 0); 1231 } 1232#endif /* !MBEDTLS_X509_REMOVE_INFO */ 1233 1234exit: 1235 mbedtls_x509_crt_free(&crt); 1236 USE_PSA_DONE(); 1237} 1238/* END_CASE */ 1239 1240/* BEGIN_CASE depends_on:MBEDTLS_X509_CRL_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 1241void x509parse_crl(data_t *buf, char *result_str, int result) 1242{ 1243 mbedtls_x509_crl crl; 1244 unsigned char output[2000]; 1245 int res; 1246 1247 mbedtls_x509_crl_init(&crl); 1248 USE_PSA_INIT(); 1249 1250 memset(output, 0, 2000); 1251 1252 1253 TEST_EQUAL(mbedtls_x509_crl_parse(&crl, buf->x, buf->len), (result)); 1254 if ((result) == 0) { 1255 res = mbedtls_x509_crl_info((char *) output, 2000, "", &crl); 1256 1257 TEST_ASSERT(res != -1); 1258 TEST_ASSERT(res != -2); 1259 1260 TEST_EQUAL(strcmp((char *) output, result_str), 0); 1261 } 1262 1263exit: 1264 mbedtls_x509_crl_free(&crl); 1265 USE_PSA_DONE(); 1266} 1267/* END_CASE */ 1268 1269/* BEGIN_CASE depends_on:MBEDTLS_X509_CSR_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 1270void mbedtls_x509_csr_parse(data_t *csr_der, char *ref_out, int ref_ret) 1271{ 1272 mbedtls_x509_csr csr; 1273 char my_out[1000]; 1274 int my_ret; 1275 1276 mbedtls_x509_csr_init(&csr); 1277 USE_PSA_INIT(); 1278 1279 memset(my_out, 0, sizeof(my_out)); 1280 1281 my_ret = mbedtls_x509_csr_parse_der(&csr, csr_der->x, csr_der->len); 1282 TEST_EQUAL(my_ret, ref_ret); 1283 1284 if (ref_ret == 0) { 1285 size_t my_out_len = mbedtls_x509_csr_info(my_out, sizeof(my_out), "", &csr); 1286 TEST_EQUAL(my_out_len, strlen(ref_out)); 1287 TEST_EQUAL(strcmp(my_out, ref_out), 0); 1288 } 1289 1290exit: 1291 mbedtls_x509_csr_free(&csr); 1292 USE_PSA_DONE(); 1293} 1294/* END_CASE */ 1295 1296/* BEGIN_CASE depends_on:MBEDTLS_X509_CSR_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 1297void mbedtls_x509_csr_parse_with_ext_cb(data_t *csr_der, char *ref_out, int ref_ret, int accept) 1298{ 1299 mbedtls_x509_csr csr; 1300 char my_out[1000]; 1301 int my_ret; 1302 1303 mbedtls_x509_csr_init(&csr); 1304 USE_PSA_INIT(); 1305 1306 memset(my_out, 0, sizeof(my_out)); 1307 1308 my_ret = mbedtls_x509_csr_parse_der_with_ext_cb(&csr, csr_der->x, csr_der->len, 1309 accept ? parse_csr_ext_accept_cb : 1310 parse_csr_ext_reject_cb, 1311 NULL); 1312 TEST_EQUAL(my_ret, ref_ret); 1313 1314 if (ref_ret == 0) { 1315 size_t my_out_len = mbedtls_x509_csr_info(my_out, sizeof(my_out), "", &csr); 1316 TEST_EQUAL(my_out_len, strlen(ref_out)); 1317 TEST_EQUAL(strcmp(my_out, ref_out), 0); 1318 } 1319 1320exit: 1321 mbedtls_x509_csr_free(&csr); 1322 USE_PSA_DONE(); 1323} 1324/* END_CASE */ 1325 1326/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CSR_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 1327void mbedtls_x509_csr_parse_file(char *csr_file, char *ref_out, int ref_ret) 1328{ 1329 mbedtls_x509_csr csr; 1330 char my_out[1000]; 1331 int my_ret; 1332 1333 mbedtls_x509_csr_init(&csr); 1334 USE_PSA_INIT(); 1335 1336 memset(my_out, 0, sizeof(my_out)); 1337 1338 my_ret = mbedtls_x509_csr_parse_file(&csr, csr_file); 1339 TEST_EQUAL(my_ret, ref_ret); 1340 1341 if (ref_ret == 0) { 1342 size_t my_out_len = mbedtls_x509_csr_info(my_out, sizeof(my_out), "", &csr); 1343 TEST_EQUAL(my_out_len, strlen(ref_out)); 1344 TEST_EQUAL(strcmp(my_out, ref_out), 0); 1345 } 1346 1347exit: 1348 mbedtls_x509_csr_free(&csr); 1349 USE_PSA_DONE(); 1350} 1351/* END_CASE */ 1352 1353/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1354void mbedtls_x509_crt_parse_file(char *crt_path, int ret, int nb_crt) 1355{ 1356 mbedtls_x509_crt chain, *cur; 1357 int i; 1358 1359 mbedtls_x509_crt_init(&chain); 1360 USE_PSA_INIT(); 1361 1362 TEST_EQUAL(mbedtls_x509_crt_parse_file(&chain, crt_path), ret); 1363 1364 /* Check how many certs we got */ 1365 for (i = 0, cur = &chain; cur != NULL; cur = cur->next) { 1366 if (cur->raw.p != NULL) { 1367 i++; 1368 } 1369 } 1370 1371 TEST_EQUAL(i, nb_crt); 1372 1373exit: 1374 mbedtls_x509_crt_free(&chain); 1375 USE_PSA_DONE(); 1376} 1377/* END_CASE */ 1378 1379/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1380void mbedtls_x509_crt_parse_path(char *crt_path, int ret, int nb_crt) 1381{ 1382 mbedtls_x509_crt chain, *cur; 1383 int i; 1384 1385 mbedtls_x509_crt_init(&chain); 1386 USE_PSA_INIT(); 1387 1388 TEST_EQUAL(mbedtls_x509_crt_parse_path(&chain, crt_path), ret); 1389 1390 /* Check how many certs we got */ 1391 for (i = 0, cur = &chain; cur != NULL; cur = cur->next) { 1392 if (cur->raw.p != NULL) { 1393 i++; 1394 } 1395 } 1396 1397 TEST_EQUAL(i, nb_crt); 1398 1399exit: 1400 mbedtls_x509_crt_free(&chain); 1401 USE_PSA_DONE(); 1402} 1403/* END_CASE */ 1404 1405/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1406void mbedtls_x509_crt_verify_max(char *ca_file, char *chain_dir, int nb_int, 1407 int ret_chk, int flags_chk) 1408{ 1409 char file_buf[128]; 1410 int ret; 1411 uint32_t flags; 1412 mbedtls_x509_crt trusted, chain; 1413 1414 /* 1415 * We expect chain_dir to contain certificates 00.crt, 01.crt, etc. 1416 * with NN.crt signed by NN-1.crt 1417 */ 1418 mbedtls_x509_crt_init(&trusted); 1419 mbedtls_x509_crt_init(&chain); 1420 MD_OR_USE_PSA_INIT(); 1421 1422 /* Load trusted root */ 1423 TEST_EQUAL(mbedtls_x509_crt_parse_file(&trusted, ca_file), 0); 1424 1425 /* Load a chain with nb_int intermediates (from 01 to nb_int), 1426 * plus one "end-entity" cert (nb_int + 1) */ 1427 ret = mbedtls_snprintf(file_buf, sizeof(file_buf), "%s/c%02d.pem", chain_dir, 1428 nb_int + 1); 1429 TEST_ASSERT(ret > 0 && (size_t) ret < sizeof(file_buf)); 1430 TEST_EQUAL(mbedtls_x509_crt_parse_file(&chain, file_buf), 0); 1431 1432 /* Try to verify that chain */ 1433 ret = mbedtls_x509_crt_verify(&chain, &trusted, NULL, NULL, &flags, 1434 NULL, NULL); 1435 TEST_EQUAL(ret, ret_chk); 1436 TEST_EQUAL(flags, (uint32_t) flags_chk); 1437 1438exit: 1439 mbedtls_x509_crt_free(&chain); 1440 mbedtls_x509_crt_free(&trusted); 1441 MD_OR_USE_PSA_DONE(); 1442} 1443/* END_CASE */ 1444 1445/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1446void mbedtls_x509_crt_verify_chain(char *chain_paths, char *trusted_ca, 1447 int flags_result, int result, 1448 char *profile_name, int vrfy_fatal_lvls) 1449{ 1450 char *act; 1451 uint32_t flags; 1452 int res; 1453 mbedtls_x509_crt trusted, chain; 1454 const mbedtls_x509_crt_profile *profile = NULL; 1455 1456 mbedtls_x509_crt_init(&chain); 1457 mbedtls_x509_crt_init(&trusted); 1458 MD_OR_USE_PSA_INIT(); 1459 1460 while ((act = mystrsep(&chain_paths, " ")) != NULL) { 1461 TEST_EQUAL(mbedtls_x509_crt_parse_file(&chain, act), 0); 1462 } 1463 TEST_EQUAL(mbedtls_x509_crt_parse_file(&trusted, trusted_ca), 0); 1464 1465 if (strcmp(profile_name, "") == 0) { 1466 profile = &mbedtls_x509_crt_profile_default; 1467 } else if (strcmp(profile_name, "next") == 0) { 1468 profile = &mbedtls_x509_crt_profile_next; 1469 } else if (strcmp(profile_name, "suiteb") == 0) { 1470 profile = &mbedtls_x509_crt_profile_suiteb; 1471 } else if (strcmp(profile_name, "rsa3072") == 0) { 1472 profile = &profile_rsa3072; 1473 } else if (strcmp(profile_name, "sha512") == 0) { 1474 profile = &profile_sha512; 1475 } 1476 1477 res = mbedtls_x509_crt_verify_with_profile(&chain, &trusted, NULL, profile, 1478 NULL, &flags, verify_fatal, &vrfy_fatal_lvls); 1479 1480 TEST_EQUAL(res, (result)); 1481 TEST_EQUAL(flags, (uint32_t) (flags_result)); 1482 1483exit: 1484 mbedtls_x509_crt_free(&trusted); 1485 mbedtls_x509_crt_free(&chain); 1486 MD_OR_USE_PSA_DONE(); 1487} 1488/* END_CASE */ 1489 1490/* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C:!MBEDTLS_X509_REMOVE_INFO */ 1491void x509_oid_desc(data_t *buf, char *ref_desc) 1492{ 1493 mbedtls_x509_buf oid; 1494 const char *desc = NULL; 1495 int ret; 1496 1497 USE_PSA_INIT(); 1498 1499 oid.tag = MBEDTLS_ASN1_OID; 1500 oid.p = buf->x; 1501 oid.len = buf->len; 1502 1503 ret = mbedtls_oid_get_extended_key_usage(&oid, &desc); 1504 1505 if (strcmp(ref_desc, "notfound") == 0) { 1506 TEST_ASSERT(ret != 0); 1507 TEST_ASSERT(desc == NULL); 1508 } else { 1509 TEST_EQUAL(ret, 0); 1510 TEST_ASSERT(desc != NULL); 1511 TEST_EQUAL(strcmp(desc, ref_desc), 0); 1512 } 1513 1514exit: 1515 USE_PSA_DONE(); 1516} 1517/* END_CASE */ 1518 1519/* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C */ 1520void x509_oid_numstr(data_t *oid_buf, char *numstr, int blen, int ret) 1521{ 1522 mbedtls_x509_buf oid; 1523 char num_buf[100]; 1524 1525 USE_PSA_INIT(); 1526 1527 memset(num_buf, 0x2a, sizeof(num_buf)); 1528 1529 oid.tag = MBEDTLS_ASN1_OID; 1530 oid.p = oid_buf->x; 1531 oid.len = oid_buf->len; 1532 1533 TEST_ASSERT((size_t) blen <= sizeof(num_buf)); 1534 1535 TEST_EQUAL(mbedtls_oid_get_numeric_string(num_buf, blen, &oid), ret); 1536 1537 if (ret >= 0) { 1538 TEST_EQUAL(num_buf[ret], 0); 1539 TEST_EQUAL(strcmp(num_buf, numstr), 0); 1540 } 1541 1542exit: 1543 USE_PSA_DONE(); 1544} 1545/* END_CASE */ 1546 1547/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1548void x509_check_key_usage(char *crt_file, int usage, int ret) 1549{ 1550 mbedtls_x509_crt crt; 1551 1552 mbedtls_x509_crt_init(&crt); 1553 USE_PSA_INIT(); 1554 1555 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 1556 1557 TEST_EQUAL(mbedtls_x509_crt_check_key_usage(&crt, usage), ret); 1558 1559exit: 1560 mbedtls_x509_crt_free(&crt); 1561 USE_PSA_DONE(); 1562} 1563/* END_CASE */ 1564 1565/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1566void x509_check_extended_key_usage(char *crt_file, data_t *oid, int ret 1567 ) 1568{ 1569 mbedtls_x509_crt crt; 1570 1571 mbedtls_x509_crt_init(&crt); 1572 USE_PSA_INIT(); 1573 1574 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 1575 1576 TEST_EQUAL(mbedtls_x509_crt_check_extended_key_usage(&crt, (const char *) oid->x, oid->len), 1577 ret); 1578 1579exit: 1580 mbedtls_x509_crt_free(&crt); 1581 USE_PSA_DONE(); 1582} 1583/* END_CASE */ 1584 1585/* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C */ 1586void x509_get_time(int tag, char *time_str, int ret, int year, int mon, 1587 int day, int hour, int min, int sec) 1588{ 1589 mbedtls_x509_time time; 1590 unsigned char buf[21]; 1591 unsigned char *start = buf; 1592 unsigned char *end = buf; 1593 1594 USE_PSA_INIT(); 1595 memset(&time, 0x00, sizeof(time)); 1596 *end = (unsigned char) tag; end++; 1597 *end = strlen(time_str); 1598 TEST_ASSERT(*end < 20); 1599 end++; 1600 memcpy(end, time_str, (size_t) *(end - 1)); 1601 end += *(end - 1); 1602 1603 TEST_EQUAL(mbedtls_x509_get_time(&start, end, &time), ret); 1604 if (ret == 0) { 1605 TEST_EQUAL(year, time.year); 1606 TEST_EQUAL(mon, time.mon); 1607 TEST_EQUAL(day, time.day); 1608 TEST_EQUAL(hour, time.hour); 1609 TEST_EQUAL(min, time.min); 1610 TEST_EQUAL(sec, time.sec); 1611 } 1612exit: 1613 USE_PSA_DONE(); 1614} 1615/* END_CASE */ 1616 1617/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT */ 1618void x509_parse_rsassa_pss_params(data_t *params, int params_tag, 1619 int ref_msg_md, int ref_mgf_md, 1620 int ref_salt_len, int ref_ret) 1621{ 1622 int my_ret; 1623 mbedtls_x509_buf buf; 1624 mbedtls_md_type_t my_msg_md, my_mgf_md; 1625 int my_salt_len; 1626 1627 USE_PSA_INIT(); 1628 1629 buf.p = params->x; 1630 buf.len = params->len; 1631 buf.tag = params_tag; 1632 1633 my_ret = mbedtls_x509_get_rsassa_pss_params(&buf, &my_msg_md, &my_mgf_md, 1634 &my_salt_len); 1635 1636 TEST_EQUAL(my_ret, ref_ret); 1637 1638 if (ref_ret == 0) { 1639 TEST_EQUAL(my_msg_md, (mbedtls_md_type_t) ref_msg_md); 1640 TEST_EQUAL(my_mgf_md, (mbedtls_md_type_t) ref_mgf_md); 1641 TEST_EQUAL(my_salt_len, ref_salt_len); 1642 } 1643 1644exit: 1645 USE_PSA_DONE(); 1646} 1647/* END_CASE */ 1648 1649/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_FS_IO */ 1650void x509_crt_parse_subjectkeyid(char *file, data_t *subjectKeyId, int ref_ret) 1651{ 1652 mbedtls_x509_crt crt; 1653 1654 mbedtls_x509_crt_init(&crt); 1655 1656 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, file), ref_ret); 1657 1658 if (ref_ret == 0) { 1659 TEST_EQUAL(crt.subject_key_id.tag, MBEDTLS_ASN1_OCTET_STRING); 1660 TEST_EQUAL(memcmp(crt.subject_key_id.p, subjectKeyId->x, subjectKeyId->len), 0); 1661 TEST_EQUAL(crt.subject_key_id.len, subjectKeyId->len); 1662 } else { 1663 TEST_EQUAL(crt.subject_key_id.tag, 0); 1664 TEST_EQUAL(crt.subject_key_id.len, 0); 1665 } 1666 1667exit: 1668 mbedtls_x509_crt_free(&crt); 1669} 1670/* END_CASE */ 1671 1672/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_FS_IO */ 1673void x509_crt_parse_authoritykeyid(char *file, 1674 data_t *keyId, 1675 char *authorityKeyId_issuer, 1676 data_t *serial, 1677 int ref_ret) 1678{ 1679 mbedtls_x509_crt crt; 1680 mbedtls_x509_subject_alternative_name san; 1681 char name_buf[128]; 1682 1683 mbedtls_x509_crt_init(&crt); 1684 1685 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, file), ref_ret); 1686 1687 if (ref_ret == 0) { 1688 /* KeyId test */ 1689 if (keyId->len > 0) { 1690 TEST_EQUAL(crt.authority_key_id.keyIdentifier.tag, MBEDTLS_ASN1_OCTET_STRING); 1691 TEST_EQUAL(memcmp(crt.authority_key_id.keyIdentifier.p, keyId->x, keyId->len), 0); 1692 TEST_EQUAL(crt.authority_key_id.keyIdentifier.len, keyId->len); 1693 } else { 1694 TEST_EQUAL(crt.authority_key_id.keyIdentifier.tag, 0); 1695 TEST_EQUAL(crt.authority_key_id.keyIdentifier.len, 0); 1696 } 1697 1698 1699 /* Issuer test */ 1700 if (strlen(authorityKeyId_issuer) > 0) { 1701 mbedtls_x509_sequence *issuerPtr = &crt.authority_key_id.authorityCertIssuer; 1702 1703 TEST_EQUAL(mbedtls_x509_parse_subject_alt_name(&issuerPtr->buf, &san), 0); 1704 1705 TEST_ASSERT(mbedtls_x509_dn_gets(name_buf, sizeof(name_buf), 1706 &san.san.directory_name) 1707 > 0); 1708 TEST_EQUAL(strcmp(name_buf, authorityKeyId_issuer), 0); 1709 1710 mbedtls_x509_free_subject_alt_name(&san); 1711 } 1712 1713 /* Serial test */ 1714 if (serial->len > 0) { 1715 TEST_EQUAL(crt.authority_key_id.authorityCertSerialNumber.tag, 1716 MBEDTLS_ASN1_INTEGER); 1717 TEST_EQUAL(memcmp(crt.authority_key_id.authorityCertSerialNumber.p, 1718 serial->x, serial->len), 0); 1719 TEST_EQUAL(crt.authority_key_id.authorityCertSerialNumber.len, serial->len); 1720 } else { 1721 TEST_EQUAL(crt.authority_key_id.authorityCertSerialNumber.tag, 0); 1722 TEST_EQUAL(crt.authority_key_id.authorityCertSerialNumber.len, 0); 1723 } 1724 1725 } else { 1726 TEST_EQUAL(crt.authority_key_id.keyIdentifier.tag, 0); 1727 TEST_EQUAL(crt.authority_key_id.keyIdentifier.len, 0); 1728 1729 TEST_EQUAL(crt.authority_key_id.authorityCertSerialNumber.tag, 0); 1730 TEST_EQUAL(crt.authority_key_id.authorityCertSerialNumber.len, 0); 1731 } 1732 1733exit: 1734 mbedtls_x509_crt_free(&crt); 1735} 1736/* END_CASE */ 1737
