1/* BEGIN_HEADER */ 2#include "mbedtls/bignum.h" 3#include "mbedtls/x509.h" 4#include "mbedtls/x509_crt.h" 5#include "mbedtls/x509_crl.h" 6#include "mbedtls/x509_csr.h" 7#include "mbedtls/pem.h" 8#include "mbedtls/oid.h" 9#include "mbedtls/base64.h" 10#include "mbedtls/error.h" 11#include "mbedtls/pk.h" 12#include "string.h" 13 14#if MBEDTLS_X509_MAX_INTERMEDIATE_CA > 19 15#error "The value of MBEDTLS_X509_MAX_INTERMEDIATE_C is larger \ 16 than the current threshold 19. To test larger values, please \ 17 adapt the script tests/data_files/dir-max/long.sh." 18#endif 19 20/* Test-only profile allowing all digests, PK algorithms, and curves. */ 21const mbedtls_x509_crt_profile profile_all = 22{ 23 0xFFFFFFFF, /* Any MD */ 24 0xFFFFFFFF, /* Any PK alg */ 25 0xFFFFFFFF, /* Any curve */ 26 1024, 27}; 28 29/* Profile for backward compatibility. Allows SHA-1, unlike the default 30 profile. */ 31const mbedtls_x509_crt_profile compat_profile = 32{ 33 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA1) | 34 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_RIPEMD160) | 35 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA224) | 36 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) | 37 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) | 38 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512), 39 0xFFFFFFFF, /* Any PK alg */ 40 0xFFFFFFFF, /* Any curve */ 41 1024, 42}; 43 44const mbedtls_x509_crt_profile profile_rsa3072 = 45{ 46 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) | 47 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) | 48 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512), 49 MBEDTLS_X509_ID_FLAG(MBEDTLS_PK_RSA), 50 0, 51 3072, 52}; 53 54const mbedtls_x509_crt_profile profile_sha512 = 55{ 56 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512), 57 0xFFFFFFFF, /* Any PK alg */ 58 0xFFFFFFFF, /* Any curve */ 59 1024, 60}; 61 62int verify_none(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) 63{ 64 ((void) data); 65 ((void) crt); 66 ((void) certificate_depth); 67 *flags |= MBEDTLS_X509_BADCERT_OTHER; 68 69 return 0; 70} 71 72int verify_all(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) 73{ 74 ((void) data); 75 ((void) crt); 76 ((void) certificate_depth); 77 *flags = 0; 78 79 return 0; 80} 81 82#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 83int ca_callback_fail(void *data, mbedtls_x509_crt const *child, mbedtls_x509_crt **candidates) 84{ 85 ((void) data); 86 ((void) child); 87 ((void) candidates); 88 89 return -1; 90} 91#if defined(MBEDTLS_X509_CRT_PARSE_C) 92int ca_callback(void *data, mbedtls_x509_crt const *child, 93 mbedtls_x509_crt **candidates) 94{ 95 int ret = 0; 96 mbedtls_x509_crt *ca = (mbedtls_x509_crt *) data; 97 mbedtls_x509_crt *first; 98 99 /* This is a test-only implementation of the CA callback 100 * which always returns the entire list of trusted certificates. 101 * Production implementations managing a large number of CAs 102 * should use an efficient presentation and lookup for the 103 * set of trusted certificates (such as a hashtable) and only 104 * return those trusted certificates which satisfy basic 105 * parental checks, such as the matching of child `Issuer` 106 * and parent `Subject` field. */ 107 ((void) child); 108 109 first = mbedtls_calloc(1, sizeof(mbedtls_x509_crt)); 110 if (first == NULL) { 111 ret = -1; 112 goto exit; 113 } 114 mbedtls_x509_crt_init(first); 115 116 if (mbedtls_x509_crt_parse_der(first, ca->raw.p, ca->raw.len) != 0) { 117 ret = -1; 118 goto exit; 119 } 120 121 while (ca->next != NULL) { 122 ca = ca->next; 123 if (mbedtls_x509_crt_parse_der(first, ca->raw.p, ca->raw.len) != 0) { 124 ret = -1; 125 goto exit; 126 } 127 } 128 129exit: 130 131 if (ret != 0) { 132 mbedtls_x509_crt_free(first); 133 mbedtls_free(first); 134 first = NULL; 135 } 136 137 *candidates = first; 138 return ret; 139} 140#endif /* MBEDTLS_X509_CRT_PARSE_C */ 141#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 142 143int verify_fatal(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) 144{ 145 int *levels = (int *) data; 146 147 ((void) crt); 148 ((void) certificate_depth); 149 150 /* Simulate a fatal error in the callback */ 151 if (*levels & (1 << certificate_depth)) { 152 *flags |= (1 << certificate_depth); 153 return -1 - certificate_depth; 154 } 155 156 return 0; 157} 158 159/* strsep() not available on Windows */ 160char *mystrsep(char **stringp, const char *delim) 161{ 162 const char *p; 163 char *ret = *stringp; 164 165 if (*stringp == NULL) { 166 return NULL; 167 } 168 169 for (;; (*stringp)++) { 170 if (**stringp == '\0') { 171 *stringp = NULL; 172 goto done; 173 } 174 175 for (p = delim; *p != '\0'; p++) { 176 if (**stringp == *p) { 177 **stringp = '\0'; 178 (*stringp)++; 179 goto done; 180 } 181 } 182 } 183 184done: 185 return ret; 186} 187 188#if defined(MBEDTLS_X509_CRT_PARSE_C) 189typedef struct { 190 char buf[512]; 191 char *p; 192} verify_print_context; 193 194void verify_print_init(verify_print_context *ctx) 195{ 196 memset(ctx, 0, sizeof(verify_print_context)); 197 ctx->p = ctx->buf; 198} 199 200int verify_print(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) 201{ 202 int ret; 203 verify_print_context *ctx = (verify_print_context *) data; 204 char *p = ctx->p; 205 size_t n = ctx->buf + sizeof(ctx->buf) - ctx->p; 206 ((void) flags); 207 208 ret = mbedtls_snprintf(p, n, "depth %d - serial ", certificate_depth); 209 MBEDTLS_X509_SAFE_SNPRINTF; 210 211 ret = mbedtls_x509_serial_gets(p, n, &crt->serial); 212 MBEDTLS_X509_SAFE_SNPRINTF; 213 214 ret = mbedtls_snprintf(p, n, " - subject "); 215 MBEDTLS_X509_SAFE_SNPRINTF; 216 217 ret = mbedtls_x509_dn_gets(p, n, &crt->subject); 218 MBEDTLS_X509_SAFE_SNPRINTF; 219 220 ret = mbedtls_snprintf(p, n, " - flags 0x%08x\n", *flags); 221 MBEDTLS_X509_SAFE_SNPRINTF; 222 223 ctx->p = p; 224 225 return 0; 226} 227 228int verify_parse_san(mbedtls_x509_subject_alternative_name *san, 229 char **buf, size_t *size) 230{ 231 int ret; 232 size_t i; 233 char *p = *buf; 234 size_t n = *size; 235 236 ret = mbedtls_snprintf(p, n, "type : %d", san->type); 237 MBEDTLS_X509_SAFE_SNPRINTF; 238 239 switch (san->type) { 240 case (MBEDTLS_X509_SAN_OTHER_NAME): 241 ret = mbedtls_snprintf(p, n, "\notherName :"); 242 MBEDTLS_X509_SAFE_SNPRINTF; 243 244 if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, 245 &san->san.other_name.type_id) == 0) { 246 ret = mbedtls_snprintf(p, n, " hardware module name :"); 247 MBEDTLS_X509_SAFE_SNPRINTF; 248 ret = mbedtls_snprintf(p, n, " hardware type : "); 249 MBEDTLS_X509_SAFE_SNPRINTF; 250 251 ret = mbedtls_oid_get_numeric_string(p, 252 n, 253 &san->san.other_name.value.hardware_module_name.oid); 254 MBEDTLS_X509_SAFE_SNPRINTF; 255 256 ret = mbedtls_snprintf(p, n, ", hardware serial number : "); 257 MBEDTLS_X509_SAFE_SNPRINTF; 258 259 for (i = 0; i < san->san.other_name.value.hardware_module_name.val.len; i++) { 260 ret = mbedtls_snprintf(p, 261 n, 262 "%02X", 263 san->san.other_name.value.hardware_module_name.val.p[i]); 264 MBEDTLS_X509_SAFE_SNPRINTF; 265 } 266 } 267 break;/* MBEDTLS_OID_ON_HW_MODULE_NAME */ 268 case (MBEDTLS_X509_SAN_DNS_NAME): 269 ret = mbedtls_snprintf(p, n, "\ndNSName : "); 270 MBEDTLS_X509_SAFE_SNPRINTF; 271 if (san->san.unstructured_name.len >= n) { 272 *p = '\0'; 273 return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; 274 } 275 n -= san->san.unstructured_name.len; 276 for (i = 0; i < san->san.unstructured_name.len; i++) { 277 *p++ = san->san.unstructured_name.p[i]; 278 } 279 break;/* MBEDTLS_X509_SAN_DNS_NAME */ 280 case (MBEDTLS_X509_SAN_RFC822_NAME): 281 ret = mbedtls_snprintf(p, n, "\nrfc822Name : "); 282 MBEDTLS_X509_SAFE_SNPRINTF; 283 if (san->san.unstructured_name.len >= n) { 284 *p = '\0'; 285 return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; 286 } 287 n -= san->san.unstructured_name.len; 288 for (i = 0; i < san->san.unstructured_name.len; i++) { 289 *p++ = san->san.unstructured_name.p[i]; 290 } 291 break;/* MBEDTLS_X509_SAN_RFC822_NAME */ 292 case (MBEDTLS_X509_SAN_DIRECTORY_NAME): 293 ret = mbedtls_snprintf(p, n, "\ndirectoryName : "); 294 MBEDTLS_X509_SAFE_SNPRINTF; 295 ret = mbedtls_x509_dn_gets(p, n, &san->san.directory_name); 296 if (ret < 0) { 297 return ret; 298 } 299 300 p += ret; 301 n -= ret; 302 break;/* MBEDTLS_X509_SAN_DIRECTORY_NAME */ 303 default: 304 /* 305 * Should not happen. 306 */ 307 return -1; 308 } 309 ret = mbedtls_snprintf(p, n, "\n"); 310 MBEDTLS_X509_SAFE_SNPRINTF; 311 312 *size = n; 313 *buf = p; 314 315 return 0; 316} 317 318int parse_crt_ext_cb(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid, 319 int critical, const unsigned char *cp, const unsigned char *end) 320{ 321 (void) crt; 322 (void) critical; 323 mbedtls_x509_buf *new_oid = (mbedtls_x509_buf *) p_ctx; 324 if (oid->tag == MBEDTLS_ASN1_OID && 325 MBEDTLS_OID_CMP(MBEDTLS_OID_CERTIFICATE_POLICIES, oid) == 0) { 326 /* Handle unknown certificate policy */ 327 int ret, parse_ret = 0; 328 size_t len; 329 unsigned char **p = (unsigned char **) &cp; 330 331 /* Get main sequence tag */ 332 ret = mbedtls_asn1_get_tag(p, end, &len, 333 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); 334 if (ret != 0) { 335 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 336 } 337 338 if (*p + len != end) { 339 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 340 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 341 } 342 343 /* 344 * Cannot be an empty sequence. 345 */ 346 if (len == 0) { 347 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 348 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 349 } 350 351 while (*p < end) { 352 const unsigned char *policy_end; 353 354 /* 355 * Get the policy sequence 356 */ 357 if ((ret = mbedtls_asn1_get_tag(p, end, &len, 358 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 359 0) { 360 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 361 } 362 363 policy_end = *p + len; 364 365 if ((ret = mbedtls_asn1_get_tag(p, policy_end, &len, 366 MBEDTLS_ASN1_OID)) != 0) { 367 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 368 } 369 370 /* 371 * Recognize exclusively the policy with OID 1 372 */ 373 if (len != 1 || *p[0] != 1) { 374 parse_ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE; 375 } 376 377 *p += len; 378 379 /* 380 * If there is an optional qualifier, then *p < policy_end 381 * Check the Qualifier len to verify it doesn't exceed policy_end. 382 */ 383 if (*p < policy_end) { 384 if ((ret = mbedtls_asn1_get_tag(p, policy_end, &len, 385 MBEDTLS_ASN1_CONSTRUCTED | 386 MBEDTLS_ASN1_SEQUENCE)) != 0) { 387 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 388 } 389 /* 390 * Skip the optional policy qualifiers. 391 */ 392 *p += len; 393 } 394 395 if (*p != policy_end) { 396 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 397 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 398 } 399 } 400 401 if (*p != end) { 402 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 403 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 404 } 405 406 return parse_ret; 407 } else if (new_oid != NULL && new_oid->tag == oid->tag && new_oid->len == oid->len && 408 memcmp(new_oid->p, oid->p, oid->len) == 0) { 409 return 0; 410 } else { 411 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 412 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG); 413 } 414} 415#endif /* MBEDTLS_X509_CRT_PARSE_C */ 416/* END_HEADER */ 417 418/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ 419void x509_accessor_ext_types(int ext_type, int has_ext_type) 420{ 421 mbedtls_x509_crt crt; 422 int expected_result = ext_type & has_ext_type; 423 424 mbedtls_x509_crt_init(&crt); 425 USE_PSA_INIT(); 426 427 crt.ext_types = ext_type; 428 429 TEST_EQUAL(mbedtls_x509_crt_has_ext_type(&crt, has_ext_type), expected_result); 430 431exit: 432 mbedtls_x509_crt_free(&crt); 433 USE_PSA_DONE(); 434} 435/* END_CASE */ 436 437/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_TEST_HOOKS */ 438void x509_crt_parse_cn_inet_pton(const char *cn, data_t *exp, int ref_ret) 439{ 440 uint32_t addr[4]; 441 size_t addrlen = mbedtls_x509_crt_parse_cn_inet_pton(cn, addr); 442 TEST_EQUAL(addrlen, (size_t) ref_ret); 443 444 if (addrlen) { 445 TEST_MEMORY_COMPARE(exp->x, exp->len, addr, addrlen); 446 } 447} 448/* END_CASE */ 449 450/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 451void x509_parse_san(char *crt_file, char *result_str, int parse_result) 452{ 453 int ret; 454 mbedtls_x509_crt crt; 455 mbedtls_x509_subject_alternative_name san; 456 mbedtls_x509_sequence *cur = NULL; 457 char buf[2000]; 458 char *p = buf; 459 size_t n = sizeof(buf); 460 461 mbedtls_x509_crt_init(&crt); 462 USE_PSA_INIT(); 463 memset(buf, 0, 2000); 464 465 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), parse_result); 466 467 if (parse_result != 0) { 468 goto exit; 469 } 470 if (crt.ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) { 471 cur = &crt.subject_alt_names; 472 while (cur != NULL) { 473 ret = mbedtls_x509_parse_subject_alt_name(&cur->buf, &san); 474 TEST_ASSERT(ret == 0 || ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE); 475 /* 476 * If san type not supported, ignore. 477 */ 478 if (ret == 0) { 479 ret = verify_parse_san(&san, &p, &n); 480 mbedtls_x509_free_subject_alt_name(&san); 481 TEST_EQUAL(ret, 0); 482 } 483 cur = cur->next; 484 } 485 } 486 487 TEST_EQUAL(strcmp(buf, result_str), 0); 488 489exit: 490 mbedtls_x509_crt_free(&crt); 491 USE_PSA_DONE(); 492} 493/* END_CASE */ 494 495/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:!MBEDTLS_X509_REMOVE_INFO:MBEDTLS_X509_CRT_PARSE_C */ 496void x509_cert_info(char *crt_file, char *result_str) 497{ 498 mbedtls_x509_crt crt; 499 char buf[2000]; 500 int res; 501 502 mbedtls_x509_crt_init(&crt); 503 USE_PSA_INIT(); 504 memset(buf, 0, 2000); 505 506 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 507 res = mbedtls_x509_crt_info(buf, 2000, "", &crt); 508 509 TEST_ASSERT(res != -1); 510 TEST_ASSERT(res != -2); 511 512 TEST_EQUAL(strcmp(buf, result_str), 0); 513 514exit: 515 mbedtls_x509_crt_free(&crt); 516 USE_PSA_DONE(); 517} 518/* END_CASE */ 519 520/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRL_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 521void mbedtls_x509_crl_info(char *crl_file, char *result_str) 522{ 523 mbedtls_x509_crl crl; 524 char buf[2000]; 525 int res; 526 527 mbedtls_x509_crl_init(&crl); 528 USE_PSA_INIT(); 529 memset(buf, 0, 2000); 530 531 TEST_EQUAL(mbedtls_x509_crl_parse_file(&crl, crl_file), 0); 532 res = mbedtls_x509_crl_info(buf, 2000, "", &crl); 533 534 TEST_ASSERT(res != -1); 535 TEST_ASSERT(res != -2); 536 537 TEST_EQUAL(strcmp(buf, result_str), 0); 538 539exit: 540 mbedtls_x509_crl_free(&crl); 541 USE_PSA_DONE(); 542} 543/* END_CASE */ 544 545/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRL_PARSE_C */ 546void mbedtls_x509_crl_parse(char *crl_file, int result) 547{ 548 mbedtls_x509_crl crl; 549 char buf[2000]; 550 551 mbedtls_x509_crl_init(&crl); 552 USE_PSA_INIT(); 553 memset(buf, 0, 2000); 554 555 TEST_EQUAL(mbedtls_x509_crl_parse_file(&crl, crl_file), result); 556 557exit: 558 mbedtls_x509_crl_free(&crl); 559 USE_PSA_DONE(); 560} 561/* END_CASE */ 562 563/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CSR_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 564void mbedtls_x509_csr_info(char *csr_file, char *result_str) 565{ 566 mbedtls_x509_csr csr; 567 char buf[2000]; 568 int res; 569 570 mbedtls_x509_csr_init(&csr); 571 USE_PSA_INIT(); 572 memset(buf, 0, 2000); 573 574 TEST_EQUAL(mbedtls_x509_csr_parse_file(&csr, csr_file), 0); 575 res = mbedtls_x509_csr_info(buf, 2000, "", &csr); 576 577 TEST_ASSERT(res != -1); 578 TEST_ASSERT(res != -2); 579 580 TEST_EQUAL(strcmp(buf, result_str), 0); 581 582exit: 583 mbedtls_x509_csr_free(&csr); 584 USE_PSA_DONE(); 585} 586/* END_CASE */ 587 588/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 589void x509_verify_info(int flags, char *prefix, char *result_str) 590{ 591 char buf[2000]; 592 int res; 593 594 USE_PSA_INIT(); 595 memset(buf, 0, sizeof(buf)); 596 597 res = mbedtls_x509_crt_verify_info(buf, sizeof(buf), prefix, flags); 598 599 TEST_ASSERT(res >= 0); 600 601 TEST_EQUAL(strcmp(buf, result_str), 0); 602 603exit: 604 USE_PSA_DONE(); 605} 606/* END_CASE */ 607 608/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECDSA_C */ 609void x509_verify_restart(char *crt_file, char *ca_file, 610 int result, int flags_result, 611 int max_ops, int min_restart, int max_restart) 612{ 613 int ret, cnt_restart; 614 mbedtls_x509_crt_restart_ctx rs_ctx; 615 mbedtls_x509_crt crt; 616 mbedtls_x509_crt ca; 617 uint32_t flags = 0; 618 619 /* 620 * See comments on ecp_test_vect_restart() for op count precision. 621 * 622 * For reference, with Mbed TLS 2.6 and default settings: 623 * - ecdsa_verify() for P-256: ~ 6700 624 * - ecdsa_verify() for P-384: ~ 18800 625 * - x509_verify() for server5 -> test-ca2: ~ 18800 626 * - x509_verify() for server10 -> int-ca3 -> int-ca2: ~ 25500 627 */ 628 mbedtls_x509_crt_restart_init(&rs_ctx); 629 mbedtls_x509_crt_init(&crt); 630 mbedtls_x509_crt_init(&ca); 631 MD_OR_USE_PSA_INIT(); 632 633 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 634 TEST_EQUAL(mbedtls_x509_crt_parse_file(&ca, ca_file), 0); 635 636 mbedtls_ecp_set_max_ops(max_ops); 637 638 cnt_restart = 0; 639 do { 640 ret = mbedtls_x509_crt_verify_restartable(&crt, &ca, NULL, 641 &mbedtls_x509_crt_profile_default, NULL, &flags, 642 NULL, NULL, &rs_ctx); 643 } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart); 644 645 TEST_EQUAL(ret, result); 646 TEST_EQUAL(flags, (uint32_t) flags_result); 647 648 TEST_ASSERT(cnt_restart >= min_restart); 649 TEST_ASSERT(cnt_restart <= max_restart); 650 651 /* Do we leak memory when aborting? */ 652 ret = mbedtls_x509_crt_verify_restartable(&crt, &ca, NULL, 653 &mbedtls_x509_crt_profile_default, NULL, &flags, 654 NULL, NULL, &rs_ctx); 655 TEST_ASSERT(ret == result || ret == MBEDTLS_ERR_ECP_IN_PROGRESS); 656 657exit: 658 mbedtls_x509_crt_restart_free(&rs_ctx); 659 mbedtls_x509_crt_free(&crt); 660 mbedtls_x509_crt_free(&ca); 661 MD_OR_USE_PSA_DONE(); 662} 663/* END_CASE */ 664 665/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C */ 666void x509_verify(char *crt_file, char *ca_file, char *crl_file, 667 char *cn_name_str, int result, int flags_result, 668 char *profile_str, 669 char *verify_callback) 670{ 671 mbedtls_x509_crt crt; 672 mbedtls_x509_crt ca; 673 mbedtls_x509_crl crl; 674 uint32_t flags = 0; 675 int res; 676 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) = NULL; 677 char *cn_name = NULL; 678 const mbedtls_x509_crt_profile *profile; 679 680 mbedtls_x509_crt_init(&crt); 681 mbedtls_x509_crt_init(&ca); 682 mbedtls_x509_crl_init(&crl); 683 MD_OR_USE_PSA_INIT(); 684 685 if (strcmp(cn_name_str, "NULL") != 0) { 686 cn_name = cn_name_str; 687 } 688 689 if (strcmp(profile_str, "") == 0) { 690 profile = &mbedtls_x509_crt_profile_default; 691 } else if (strcmp(profile_str, "next") == 0) { 692 profile = &mbedtls_x509_crt_profile_next; 693 } else if (strcmp(profile_str, "suite_b") == 0) { 694 profile = &mbedtls_x509_crt_profile_suiteb; 695 } else if (strcmp(profile_str, "compat") == 0) { 696 profile = &compat_profile; 697 } else if (strcmp(profile_str, "all") == 0) { 698 profile = &profile_all; 699 } else { 700 TEST_FAIL("Unknown algorithm profile"); 701 } 702 703 if (strcmp(verify_callback, "NULL") == 0) { 704 f_vrfy = NULL; 705 } else if (strcmp(verify_callback, "verify_none") == 0) { 706 f_vrfy = verify_none; 707 } else if (strcmp(verify_callback, "verify_all") == 0) { 708 f_vrfy = verify_all; 709 } else { 710 TEST_FAIL("No known verify callback selected"); 711 } 712 713 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 714 TEST_EQUAL(mbedtls_x509_crt_parse_file(&ca, ca_file), 0); 715 TEST_EQUAL(mbedtls_x509_crl_parse_file(&crl, crl_file), 0); 716 717 res = mbedtls_x509_crt_verify_with_profile(&crt, 718 &ca, 719 &crl, 720 profile, 721 cn_name, 722 &flags, 723 f_vrfy, 724 NULL); 725 726 TEST_EQUAL(res, result); 727 TEST_EQUAL(flags, (uint32_t) flags_result); 728 729#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 730 /* CRLs aren't supported with CA callbacks, so skip the CA callback 731 * version of the test if CRLs are in use. */ 732 if (crl_file == NULL || strcmp(crl_file, "") == 0) { 733 flags = 0; 734 735 res = mbedtls_x509_crt_verify_with_ca_cb(&crt, 736 ca_callback, 737 &ca, 738 profile, 739 cn_name, 740 &flags, 741 f_vrfy, 742 NULL); 743 744 TEST_EQUAL(res, result); 745 TEST_EQUAL(flags, (uint32_t) (flags_result)); 746 } 747#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 748exit: 749 mbedtls_x509_crt_free(&crt); 750 mbedtls_x509_crt_free(&ca); 751 mbedtls_x509_crl_free(&crl); 752 MD_OR_USE_PSA_DONE(); 753} 754/* END_CASE */ 755 756/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C:MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 757void x509_verify_ca_cb_failure(char *crt_file, char *ca_file, char *name, 758 int exp_ret) 759{ 760 int ret; 761 mbedtls_x509_crt crt; 762 mbedtls_x509_crt ca; 763 uint32_t flags = 0; 764 765 mbedtls_x509_crt_init(&crt); 766 mbedtls_x509_crt_init(&ca); 767 USE_PSA_INIT(); 768 769 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 770 TEST_EQUAL(mbedtls_x509_crt_parse_file(&ca, ca_file), 0); 771 772 if (strcmp(name, "NULL") == 0) { 773 name = NULL; 774 } 775 776 ret = mbedtls_x509_crt_verify_with_ca_cb(&crt, ca_callback_fail, &ca, 777 &compat_profile, name, &flags, 778 NULL, NULL); 779 780 TEST_EQUAL(ret, exp_ret); 781 TEST_EQUAL(flags, (uint32_t) (-1)); 782exit: 783 mbedtls_x509_crt_free(&crt); 784 mbedtls_x509_crt_free(&ca); 785 USE_PSA_DONE(); 786} 787/* END_CASE */ 788 789/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 790void x509_verify_callback(char *crt_file, char *ca_file, char *name, 791 int exp_ret, char *exp_vrfy_out) 792{ 793 int ret; 794 mbedtls_x509_crt crt; 795 mbedtls_x509_crt ca; 796 uint32_t flags = 0; 797 verify_print_context vrfy_ctx; 798 799 mbedtls_x509_crt_init(&crt); 800 mbedtls_x509_crt_init(&ca); 801 MD_OR_USE_PSA_INIT(); 802 803 verify_print_init(&vrfy_ctx); 804 805 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 806 TEST_EQUAL(mbedtls_x509_crt_parse_file(&ca, ca_file), 0); 807 808 if (strcmp(name, "NULL") == 0) { 809 name = NULL; 810 } 811 812 ret = mbedtls_x509_crt_verify_with_profile(&crt, &ca, NULL, 813 &compat_profile, 814 name, &flags, 815 verify_print, &vrfy_ctx); 816 817 TEST_EQUAL(ret, exp_ret); 818 TEST_EQUAL(strcmp(vrfy_ctx.buf, exp_vrfy_out), 0); 819 820exit: 821 mbedtls_x509_crt_free(&crt); 822 mbedtls_x509_crt_free(&ca); 823 MD_OR_USE_PSA_DONE(); 824} 825/* END_CASE */ 826 827/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 828void mbedtls_x509_dn_gets_subject_replace(char *crt_file, 829 char *new_subject_ou, 830 char *result_str, 831 int ret) 832{ 833 mbedtls_x509_crt crt; 834 char buf[2000]; 835 int res = 0; 836 837 mbedtls_x509_crt_init(&crt); 838 USE_PSA_INIT(); 839 840 memset(buf, 0, 2000); 841 842 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 843 crt.subject.next->val.p = (unsigned char *) new_subject_ou; 844 crt.subject.next->val.len = strlen(new_subject_ou); 845 846 res = mbedtls_x509_dn_gets(buf, 2000, &crt.subject); 847 848 if (ret != 0) { 849 TEST_EQUAL(res, ret); 850 } else { 851 TEST_ASSERT(res != -1); 852 TEST_ASSERT(res != -2); 853 TEST_EQUAL(strcmp(buf, result_str), 0); 854 } 855exit: 856 mbedtls_x509_crt_free(&crt); 857 USE_PSA_DONE(); 858} 859/* END_CASE */ 860 861/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 862void mbedtls_x509_dn_gets(char *crt_file, char *entity, char *result_str) 863{ 864 mbedtls_x509_crt crt; 865 char buf[2000]; 866 int res = 0; 867 868 mbedtls_x509_crt_init(&crt); 869 USE_PSA_INIT(); 870 871 memset(buf, 0, 2000); 872 873 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 874 if (strcmp(entity, "subject") == 0) { 875 res = mbedtls_x509_dn_gets(buf, 2000, &crt.subject); 876 } else if (strcmp(entity, "issuer") == 0) { 877 res = mbedtls_x509_dn_gets(buf, 2000, &crt.issuer); 878 } else { 879 TEST_FAIL("Unknown entity"); 880 } 881 882 TEST_ASSERT(res != -1); 883 TEST_ASSERT(res != -2); 884 885 TEST_EQUAL(strcmp(buf, result_str), 0); 886 887exit: 888 mbedtls_x509_crt_free(&crt); 889 USE_PSA_DONE(); 890} 891/* END_CASE */ 892 893/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ 894void mbedtls_x509_get_name(char *rdn_sequence, int exp_ret) 895{ 896 unsigned char *name = NULL; 897 unsigned char *p; 898 size_t name_len; 899 mbedtls_x509_name head; 900 int ret; 901 902 USE_PSA_INIT(); 903 memset(&head, 0, sizeof(head)); 904 905 name = mbedtls_test_unhexify_alloc(rdn_sequence, &name_len); 906 p = name; 907 908 ret = mbedtls_x509_get_name(&p, (name + name_len), &head); 909 if (ret == 0) { 910 mbedtls_asn1_free_named_data_list_shallow(head.next); 911 } 912 913 TEST_EQUAL(ret, exp_ret); 914 915exit: 916 mbedtls_free(name); 917 USE_PSA_DONE(); 918} 919/* END_CASE */ 920 921/* BEGIN_CASE depends_on:MBEDTLS_X509_CREATE_C:MBEDTLS_X509_USE_C:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 922void mbedtls_x509_dn_get_next(char *name_str, 923 int next_merged, 924 char *expected_oids, 925 int exp_count, 926 char *exp_dn_gets) 927{ 928 int ret = 0, i; 929 size_t len = 0, out_size; 930 mbedtls_asn1_named_data *names = NULL; 931 mbedtls_x509_name parsed, *parsed_cur; 932 // Size of buf is maximum required for test cases 933 unsigned char buf[80], *out = NULL, *c; 934 const char *short_name; 935 936 USE_PSA_INIT(); 937 memset(&parsed, 0, sizeof(parsed)); 938 memset(buf, 0, sizeof(buf)); 939 c = buf + sizeof(buf); 940 // Additional size required for trailing space 941 out_size = strlen(expected_oids) + 2; 942 TEST_CALLOC(out, out_size); 943 944 TEST_EQUAL(mbedtls_x509_string_to_names(&names, name_str), 0); 945 946 ret = mbedtls_x509_write_names(&c, buf, names); 947 TEST_LE_S(0, ret); 948 949 TEST_EQUAL(mbedtls_asn1_get_tag(&c, buf + sizeof(buf), &len, 950 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE), 0); 951 TEST_EQUAL(mbedtls_x509_get_name(&c, buf + sizeof(buf), &parsed), 0); 952 953 // Iterate over names and set next_merged nodes 954 parsed_cur = &parsed; 955 for (; next_merged != 0 && parsed_cur != NULL; next_merged = next_merged >> 1) { 956 parsed_cur->next_merged = next_merged & 0x01; 957 parsed_cur = parsed_cur->next; 958 } 959 960 // Iterate over RDN nodes and print OID of first element to buffer 961 parsed_cur = &parsed; 962 len = 0; 963 for (i = 0; parsed_cur != NULL; i++) { 964 TEST_EQUAL(mbedtls_oid_get_attr_short_name(&parsed_cur->oid, 965 &short_name), 0); 966 len += mbedtls_snprintf((char *) out + len, out_size - len, "%s ", short_name); 967 parsed_cur = mbedtls_x509_dn_get_next(parsed_cur); 968 } 969 out[len-1] = 0; 970 971 TEST_EQUAL(exp_count, i); 972 TEST_EQUAL(strcmp((char *) out, expected_oids), 0); 973 mbedtls_free(out); 974 out = NULL; 975 976 out_size = strlen(exp_dn_gets) + 1; 977 TEST_CALLOC(out, out_size); 978 979 TEST_LE_S(0, mbedtls_x509_dn_gets((char *) out, out_size, &parsed)); 980 TEST_EQUAL(strcmp((char *) out, exp_dn_gets), 0); 981exit: 982 mbedtls_free(out); 983 mbedtls_asn1_free_named_data_list(&names); 984 mbedtls_asn1_free_named_data_list_shallow(parsed.next); 985 USE_PSA_DONE(); 986} 987/* END_CASE */ 988 989/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 990void mbedtls_x509_time_is_past(char *crt_file, char *entity, int result) 991{ 992 mbedtls_x509_crt crt; 993 994 mbedtls_x509_crt_init(&crt); 995 USE_PSA_INIT(); 996 997 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 998 999 if (strcmp(entity, "valid_from") == 0) { 1000 TEST_EQUAL(mbedtls_x509_time_is_past(&crt.valid_from), result); 1001 } else if (strcmp(entity, "valid_to") == 0) { 1002 TEST_EQUAL(mbedtls_x509_time_is_past(&crt.valid_to), result); 1003 } else { 1004 TEST_FAIL("Unknown entity"); 1005 } 1006 1007exit: 1008 mbedtls_x509_crt_free(&crt); 1009 USE_PSA_DONE(); 1010} 1011/* END_CASE */ 1012 1013/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1014void mbedtls_x509_time_is_future(char *crt_file, char *entity, int result) 1015{ 1016 mbedtls_x509_crt crt; 1017 1018 mbedtls_x509_crt_init(&crt); 1019 USE_PSA_INIT(); 1020 1021 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 1022 1023 if (strcmp(entity, "valid_from") == 0) { 1024 TEST_EQUAL(mbedtls_x509_time_is_future(&crt.valid_from), result); 1025 } else if (strcmp(entity, "valid_to") == 0) { 1026 TEST_EQUAL(mbedtls_x509_time_is_future(&crt.valid_to), result); 1027 } else { 1028 TEST_FAIL("Unknown entity"); 1029 } 1030 1031exit: 1032 mbedtls_x509_crt_free(&crt); 1033 USE_PSA_DONE(); 1034} 1035/* END_CASE */ 1036 1037/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_FS_IO */ 1038void x509parse_crt_file(char *crt_file, int result) 1039{ 1040 mbedtls_x509_crt crt; 1041 1042 mbedtls_x509_crt_init(&crt); 1043 USE_PSA_INIT(); 1044 1045 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), result); 1046 1047exit: 1048 mbedtls_x509_crt_free(&crt); 1049 USE_PSA_DONE(); 1050} 1051/* END_CASE */ 1052 1053/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ 1054void x509parse_crt(data_t *buf, char *result_str, int result) 1055{ 1056 mbedtls_x509_crt crt; 1057#if !defined(MBEDTLS_X509_REMOVE_INFO) 1058 unsigned char output[2000] = { 0 }; 1059 int res; 1060#else 1061 ((void) result_str); 1062#endif 1063 1064 mbedtls_x509_crt_init(&crt); 1065 USE_PSA_INIT(); 1066 1067 TEST_EQUAL(mbedtls_x509_crt_parse_der(&crt, buf->x, buf->len), result); 1068#if !defined(MBEDTLS_X509_REMOVE_INFO) 1069 if ((result) == 0) { 1070 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1071 TEST_ASSERT(res != -1); 1072 TEST_ASSERT(res != -2); 1073 1074 TEST_EQUAL(strcmp((char *) output, result_str), 0); 1075 } 1076 memset(output, 0, 2000); 1077#endif 1078 1079 mbedtls_x509_crt_free(&crt); 1080 mbedtls_x509_crt_init(&crt); 1081 1082 TEST_EQUAL(mbedtls_x509_crt_parse_der_nocopy(&crt, buf->x, buf->len), result); 1083#if !defined(MBEDTLS_X509_REMOVE_INFO) 1084 if ((result) == 0) { 1085 memset(output, 0, 2000); 1086 1087 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1088 1089 TEST_ASSERT(res != -1); 1090 TEST_ASSERT(res != -2); 1091 1092 TEST_EQUAL(strcmp((char *) output, result_str), 0); 1093 } 1094 memset(output, 0, 2000); 1095#endif /* !MBEDTLS_X509_REMOVE_INFO */ 1096 1097 mbedtls_x509_crt_free(&crt); 1098 mbedtls_x509_crt_init(&crt); 1099 1100 TEST_EQUAL(mbedtls_x509_crt_parse_der_with_ext_cb(&crt, buf->x, buf->len, 0, NULL, NULL), 1101 result); 1102#if !defined(MBEDTLS_X509_REMOVE_INFO) 1103 if ((result) == 0) { 1104 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1105 1106 TEST_ASSERT(res != -1); 1107 TEST_ASSERT(res != -2); 1108 1109 TEST_EQUAL(strcmp((char *) output, result_str), 0); 1110 } 1111 memset(output, 0, 2000); 1112#endif /* !MBEDTLS_X509_REMOVE_INFO */ 1113 1114 mbedtls_x509_crt_free(&crt); 1115 mbedtls_x509_crt_init(&crt); 1116 1117 TEST_EQUAL(mbedtls_x509_crt_parse_der_with_ext_cb(&crt, buf->x, buf->len, 1, NULL, NULL), 1118 result); 1119#if !defined(MBEDTLS_X509_REMOVE_INFO) 1120 if ((result) == 0) { 1121 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1122 1123 TEST_ASSERT(res != -1); 1124 TEST_ASSERT(res != -2); 1125 1126 TEST_EQUAL(strcmp((char *) output, result_str), 0); 1127 } 1128#endif /* !MBEDTLS_X509_REMOVE_INFO */ 1129 1130exit: 1131 mbedtls_x509_crt_free(&crt); 1132 USE_PSA_DONE(); 1133} 1134/* END_CASE */ 1135 1136/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ 1137void x509parse_crt_cb(data_t *buf, char *result_str, int result) 1138{ 1139 mbedtls_x509_crt crt; 1140 mbedtls_x509_buf oid; 1141 1142#if !defined(MBEDTLS_X509_REMOVE_INFO) 1143 unsigned char output[2000] = { 0 }; 1144 int res; 1145#else 1146 ((void) result_str); 1147#endif 1148 1149 oid.tag = MBEDTLS_ASN1_OID; 1150 oid.len = MBEDTLS_OID_SIZE(MBEDTLS_OID_PKIX "\x01\x1F"); 1151 oid.p = (unsigned char *) MBEDTLS_OID_PKIX "\x01\x1F"; 1152 1153 mbedtls_x509_crt_init(&crt); 1154 USE_PSA_INIT(); 1155 1156 TEST_EQUAL(mbedtls_x509_crt_parse_der_with_ext_cb(&crt, buf->x, buf->len, 0, parse_crt_ext_cb, 1157 &oid), result); 1158#if !defined(MBEDTLS_X509_REMOVE_INFO) 1159 if ((result) == 0) { 1160 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1161 1162 TEST_ASSERT(res != -1); 1163 TEST_ASSERT(res != -2); 1164 1165 TEST_EQUAL(strcmp((char *) output, result_str), 0); 1166 } 1167 memset(output, 0, 2000); 1168#endif /* !MBEDTLS_X509_REMOVE_INFO */ 1169 1170 mbedtls_x509_crt_free(&crt); 1171 mbedtls_x509_crt_init(&crt); 1172 1173 TEST_EQUAL(mbedtls_x509_crt_parse_der_with_ext_cb(&crt, buf->x, buf->len, 1, parse_crt_ext_cb, 1174 &oid), (result)); 1175#if !defined(MBEDTLS_X509_REMOVE_INFO) 1176 if ((result) == 0) { 1177 res = mbedtls_x509_crt_info((char *) output, 2000, "", &crt); 1178 1179 TEST_ASSERT(res != -1); 1180 TEST_ASSERT(res != -2); 1181 1182 TEST_EQUAL(strcmp((char *) output, result_str), 0); 1183 } 1184#endif /* !MBEDTLS_X509_REMOVE_INFO */ 1185 1186exit: 1187 mbedtls_x509_crt_free(&crt); 1188 USE_PSA_DONE(); 1189} 1190/* END_CASE */ 1191 1192/* BEGIN_CASE depends_on:MBEDTLS_X509_CRL_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 1193void x509parse_crl(data_t *buf, char *result_str, int result) 1194{ 1195 mbedtls_x509_crl crl; 1196 unsigned char output[2000]; 1197 int res; 1198 1199 mbedtls_x509_crl_init(&crl); 1200 USE_PSA_INIT(); 1201 1202 memset(output, 0, 2000); 1203 1204 1205 TEST_EQUAL(mbedtls_x509_crl_parse(&crl, buf->x, buf->len), (result)); 1206 if ((result) == 0) { 1207 res = mbedtls_x509_crl_info((char *) output, 2000, "", &crl); 1208 1209 TEST_ASSERT(res != -1); 1210 TEST_ASSERT(res != -2); 1211 1212 TEST_EQUAL(strcmp((char *) output, result_str), 0); 1213 } 1214 1215exit: 1216 mbedtls_x509_crl_free(&crl); 1217 USE_PSA_DONE(); 1218} 1219/* END_CASE */ 1220 1221/* BEGIN_CASE depends_on:MBEDTLS_X509_CSR_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 1222void mbedtls_x509_csr_parse(data_t *csr_der, char *ref_out, int ref_ret) 1223{ 1224 mbedtls_x509_csr csr; 1225 char my_out[1000]; 1226 int my_ret; 1227 1228 mbedtls_x509_csr_init(&csr); 1229 USE_PSA_INIT(); 1230 1231 memset(my_out, 0, sizeof(my_out)); 1232 1233 my_ret = mbedtls_x509_csr_parse_der(&csr, csr_der->x, csr_der->len); 1234 TEST_EQUAL(my_ret, ref_ret); 1235 1236 if (ref_ret == 0) { 1237 size_t my_out_len = mbedtls_x509_csr_info(my_out, sizeof(my_out), "", &csr); 1238 TEST_EQUAL(my_out_len, strlen(ref_out)); 1239 TEST_EQUAL(strcmp(my_out, ref_out), 0); 1240 } 1241 1242exit: 1243 mbedtls_x509_csr_free(&csr); 1244 USE_PSA_DONE(); 1245} 1246/* END_CASE */ 1247 1248/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CSR_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */ 1249void mbedtls_x509_csr_parse_file(char *csr_file, char *ref_out, int ref_ret) 1250{ 1251 mbedtls_x509_csr csr; 1252 char my_out[1000]; 1253 int my_ret; 1254 1255 mbedtls_x509_csr_init(&csr); 1256 USE_PSA_INIT(); 1257 1258 memset(my_out, 0, sizeof(my_out)); 1259 1260 my_ret = mbedtls_x509_csr_parse_file(&csr, csr_file); 1261 TEST_EQUAL(my_ret, ref_ret); 1262 1263 if (ref_ret == 0) { 1264 size_t my_out_len = mbedtls_x509_csr_info(my_out, sizeof(my_out), "", &csr); 1265 TEST_EQUAL(my_out_len, strlen(ref_out)); 1266 TEST_EQUAL(strcmp(my_out, ref_out), 0); 1267 } 1268 1269exit: 1270 mbedtls_x509_csr_free(&csr); 1271 USE_PSA_DONE(); 1272} 1273/* END_CASE */ 1274 1275/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1276void mbedtls_x509_crt_parse_file(char *crt_path, int ret, int nb_crt) 1277{ 1278 mbedtls_x509_crt chain, *cur; 1279 int i; 1280 1281 mbedtls_x509_crt_init(&chain); 1282 USE_PSA_INIT(); 1283 1284 TEST_EQUAL(mbedtls_x509_crt_parse_file(&chain, crt_path), ret); 1285 1286 /* Check how many certs we got */ 1287 for (i = 0, cur = &chain; cur != NULL; cur = cur->next) { 1288 if (cur->raw.p != NULL) { 1289 i++; 1290 } 1291 } 1292 1293 TEST_EQUAL(i, nb_crt); 1294 1295exit: 1296 mbedtls_x509_crt_free(&chain); 1297 USE_PSA_DONE(); 1298} 1299/* END_CASE */ 1300 1301/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1302void mbedtls_x509_crt_parse_path(char *crt_path, int ret, int nb_crt) 1303{ 1304 mbedtls_x509_crt chain, *cur; 1305 int i; 1306 1307 mbedtls_x509_crt_init(&chain); 1308 USE_PSA_INIT(); 1309 1310 TEST_EQUAL(mbedtls_x509_crt_parse_path(&chain, crt_path), ret); 1311 1312 /* Check how many certs we got */ 1313 for (i = 0, cur = &chain; cur != NULL; cur = cur->next) { 1314 if (cur->raw.p != NULL) { 1315 i++; 1316 } 1317 } 1318 1319 TEST_EQUAL(i, nb_crt); 1320 1321exit: 1322 mbedtls_x509_crt_free(&chain); 1323 USE_PSA_DONE(); 1324} 1325/* END_CASE */ 1326 1327/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1328void mbedtls_x509_crt_verify_max(char *ca_file, char *chain_dir, int nb_int, 1329 int ret_chk, int flags_chk) 1330{ 1331 char file_buf[128]; 1332 int ret; 1333 uint32_t flags; 1334 mbedtls_x509_crt trusted, chain; 1335 1336 /* 1337 * We expect chain_dir to contain certificates 00.crt, 01.crt, etc. 1338 * with NN.crt signed by NN-1.crt 1339 */ 1340 mbedtls_x509_crt_init(&trusted); 1341 mbedtls_x509_crt_init(&chain); 1342 MD_OR_USE_PSA_INIT(); 1343 1344 /* Load trusted root */ 1345 TEST_EQUAL(mbedtls_x509_crt_parse_file(&trusted, ca_file), 0); 1346 1347 /* Load a chain with nb_int intermediates (from 01 to nb_int), 1348 * plus one "end-entity" cert (nb_int + 1) */ 1349 ret = mbedtls_snprintf(file_buf, sizeof(file_buf), "%s/c%02d.pem", chain_dir, 1350 nb_int + 1); 1351 TEST_ASSERT(ret > 0 && (size_t) ret < sizeof(file_buf)); 1352 TEST_EQUAL(mbedtls_x509_crt_parse_file(&chain, file_buf), 0); 1353 1354 /* Try to verify that chain */ 1355 ret = mbedtls_x509_crt_verify(&chain, &trusted, NULL, NULL, &flags, 1356 NULL, NULL); 1357 TEST_EQUAL(ret, ret_chk); 1358 TEST_EQUAL(flags, (uint32_t) flags_chk); 1359 1360exit: 1361 mbedtls_x509_crt_free(&chain); 1362 mbedtls_x509_crt_free(&trusted); 1363 MD_OR_USE_PSA_DONE(); 1364} 1365/* END_CASE */ 1366 1367/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1368void mbedtls_x509_crt_verify_chain(char *chain_paths, char *trusted_ca, 1369 int flags_result, int result, 1370 char *profile_name, int vrfy_fatal_lvls) 1371{ 1372 char *act; 1373 uint32_t flags; 1374 int res; 1375 mbedtls_x509_crt trusted, chain; 1376 const mbedtls_x509_crt_profile *profile = NULL; 1377 1378 mbedtls_x509_crt_init(&chain); 1379 mbedtls_x509_crt_init(&trusted); 1380 MD_OR_USE_PSA_INIT(); 1381 1382 while ((act = mystrsep(&chain_paths, " ")) != NULL) { 1383 TEST_EQUAL(mbedtls_x509_crt_parse_file(&chain, act), 0); 1384 } 1385 TEST_EQUAL(mbedtls_x509_crt_parse_file(&trusted, trusted_ca), 0); 1386 1387 if (strcmp(profile_name, "") == 0) { 1388 profile = &mbedtls_x509_crt_profile_default; 1389 } else if (strcmp(profile_name, "next") == 0) { 1390 profile = &mbedtls_x509_crt_profile_next; 1391 } else if (strcmp(profile_name, "suiteb") == 0) { 1392 profile = &mbedtls_x509_crt_profile_suiteb; 1393 } else if (strcmp(profile_name, "rsa3072") == 0) { 1394 profile = &profile_rsa3072; 1395 } else if (strcmp(profile_name, "sha512") == 0) { 1396 profile = &profile_sha512; 1397 } 1398 1399 res = mbedtls_x509_crt_verify_with_profile(&chain, &trusted, NULL, profile, 1400 NULL, &flags, verify_fatal, &vrfy_fatal_lvls); 1401 1402 TEST_EQUAL(res, (result)); 1403 TEST_EQUAL(flags, (uint32_t) (flags_result)); 1404 1405exit: 1406 mbedtls_x509_crt_free(&trusted); 1407 mbedtls_x509_crt_free(&chain); 1408 MD_OR_USE_PSA_DONE(); 1409} 1410/* END_CASE */ 1411 1412/* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C:!MBEDTLS_X509_REMOVE_INFO */ 1413void x509_oid_desc(data_t *buf, char *ref_desc) 1414{ 1415 mbedtls_x509_buf oid; 1416 const char *desc = NULL; 1417 int ret; 1418 1419 USE_PSA_INIT(); 1420 1421 oid.tag = MBEDTLS_ASN1_OID; 1422 oid.p = buf->x; 1423 oid.len = buf->len; 1424 1425 ret = mbedtls_oid_get_extended_key_usage(&oid, &desc); 1426 1427 if (strcmp(ref_desc, "notfound") == 0) { 1428 TEST_ASSERT(ret != 0); 1429 TEST_ASSERT(desc == NULL); 1430 } else { 1431 TEST_EQUAL(ret, 0); 1432 TEST_ASSERT(desc != NULL); 1433 TEST_EQUAL(strcmp(desc, ref_desc), 0); 1434 } 1435 1436exit: 1437 USE_PSA_DONE(); 1438} 1439/* END_CASE */ 1440 1441/* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C */ 1442void x509_oid_numstr(data_t *oid_buf, char *numstr, int blen, int ret) 1443{ 1444 mbedtls_x509_buf oid; 1445 char num_buf[100]; 1446 1447 USE_PSA_INIT(); 1448 1449 memset(num_buf, 0x2a, sizeof(num_buf)); 1450 1451 oid.tag = MBEDTLS_ASN1_OID; 1452 oid.p = oid_buf->x; 1453 oid.len = oid_buf->len; 1454 1455 TEST_ASSERT((size_t) blen <= sizeof(num_buf)); 1456 1457 TEST_EQUAL(mbedtls_oid_get_numeric_string(num_buf, blen, &oid), ret); 1458 1459 if (ret >= 0) { 1460 TEST_EQUAL(num_buf[ret], 0); 1461 TEST_EQUAL(strcmp(num_buf, numstr), 0); 1462 } 1463 1464exit: 1465 USE_PSA_DONE(); 1466} 1467/* END_CASE */ 1468 1469/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1470void x509_check_key_usage(char *crt_file, int usage, int ret) 1471{ 1472 mbedtls_x509_crt crt; 1473 1474 mbedtls_x509_crt_init(&crt); 1475 USE_PSA_INIT(); 1476 1477 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 1478 1479 TEST_EQUAL(mbedtls_x509_crt_check_key_usage(&crt, usage), ret); 1480 1481exit: 1482 mbedtls_x509_crt_free(&crt); 1483 USE_PSA_DONE(); 1484} 1485/* END_CASE */ 1486 1487/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ 1488void x509_check_extended_key_usage(char *crt_file, data_t *oid, int ret 1489 ) 1490{ 1491 mbedtls_x509_crt crt; 1492 1493 mbedtls_x509_crt_init(&crt); 1494 USE_PSA_INIT(); 1495 1496 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); 1497 1498 TEST_EQUAL(mbedtls_x509_crt_check_extended_key_usage(&crt, (const char *) oid->x, oid->len), 1499 ret); 1500 1501exit: 1502 mbedtls_x509_crt_free(&crt); 1503 USE_PSA_DONE(); 1504} 1505/* END_CASE */ 1506 1507/* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C */ 1508void x509_get_time(int tag, char *time_str, int ret, int year, int mon, 1509 int day, int hour, int min, int sec) 1510{ 1511 mbedtls_x509_time time; 1512 unsigned char buf[21]; 1513 unsigned char *start = buf; 1514 unsigned char *end = buf; 1515 1516 USE_PSA_INIT(); 1517 memset(&time, 0x00, sizeof(time)); 1518 *end = (unsigned char) tag; end++; 1519 *end = strlen(time_str); 1520 TEST_ASSERT(*end < 20); 1521 end++; 1522 memcpy(end, time_str, (size_t) *(end - 1)); 1523 end += *(end - 1); 1524 1525 TEST_EQUAL(mbedtls_x509_get_time(&start, end, &time), ret); 1526 if (ret == 0) { 1527 TEST_EQUAL(year, time.year); 1528 TEST_EQUAL(mon, time.mon); 1529 TEST_EQUAL(day, time.day); 1530 TEST_EQUAL(hour, time.hour); 1531 TEST_EQUAL(min, time.min); 1532 TEST_EQUAL(sec, time.sec); 1533 } 1534exit: 1535 USE_PSA_DONE(); 1536} 1537/* END_CASE */ 1538 1539/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT */ 1540void x509_parse_rsassa_pss_params(data_t *params, int params_tag, 1541 int ref_msg_md, int ref_mgf_md, 1542 int ref_salt_len, int ref_ret) 1543{ 1544 int my_ret; 1545 mbedtls_x509_buf buf; 1546 mbedtls_md_type_t my_msg_md, my_mgf_md; 1547 int my_salt_len; 1548 1549 USE_PSA_INIT(); 1550 1551 buf.p = params->x; 1552 buf.len = params->len; 1553 buf.tag = params_tag; 1554 1555 my_ret = mbedtls_x509_get_rsassa_pss_params(&buf, &my_msg_md, &my_mgf_md, 1556 &my_salt_len); 1557 1558 TEST_EQUAL(my_ret, ref_ret); 1559 1560 if (ref_ret == 0) { 1561 TEST_EQUAL(my_msg_md, (mbedtls_md_type_t) ref_msg_md); 1562 TEST_EQUAL(my_mgf_md, (mbedtls_md_type_t) ref_mgf_md); 1563 TEST_EQUAL(my_salt_len, ref_salt_len); 1564 } 1565 1566exit: 1567 USE_PSA_DONE(); 1568} 1569/* END_CASE */ 1570 1571/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_FS_IO */ 1572void x509_crt_parse_subjectkeyid(char *file, data_t *subjectKeyId, int ref_ret) 1573{ 1574 mbedtls_x509_crt crt; 1575 1576 mbedtls_x509_crt_init(&crt); 1577 1578 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, file), ref_ret); 1579 1580 if (ref_ret == 0) { 1581 TEST_EQUAL(crt.subject_key_id.tag, MBEDTLS_ASN1_OCTET_STRING); 1582 TEST_EQUAL(memcmp(crt.subject_key_id.p, subjectKeyId->x, subjectKeyId->len), 0); 1583 TEST_EQUAL(crt.subject_key_id.len, subjectKeyId->len); 1584 } else { 1585 TEST_EQUAL(crt.subject_key_id.tag, 0); 1586 TEST_EQUAL(crt.subject_key_id.len, 0); 1587 } 1588 1589exit: 1590 mbedtls_x509_crt_free(&crt); 1591} 1592/* END_CASE */ 1593 1594/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_FS_IO */ 1595void x509_crt_parse_authoritykeyid(char *file, 1596 data_t *keyId, 1597 char *authorityKeyId_issuer, 1598 data_t *serial, 1599 int ref_ret) 1600{ 1601 mbedtls_x509_crt crt; 1602 mbedtls_x509_subject_alternative_name san; 1603 char name_buf[128]; 1604 1605 mbedtls_x509_crt_init(&crt); 1606 1607 TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, file), ref_ret); 1608 1609 if (ref_ret == 0) { 1610 /* KeyId test */ 1611 if (keyId->len > 0) { 1612 TEST_EQUAL(crt.authority_key_id.keyIdentifier.tag, MBEDTLS_ASN1_OCTET_STRING); 1613 TEST_EQUAL(memcmp(crt.authority_key_id.keyIdentifier.p, keyId->x, keyId->len), 0); 1614 TEST_EQUAL(crt.authority_key_id.keyIdentifier.len, keyId->len); 1615 } else { 1616 TEST_EQUAL(crt.authority_key_id.keyIdentifier.tag, 0); 1617 TEST_EQUAL(crt.authority_key_id.keyIdentifier.len, 0); 1618 } 1619 1620 1621 /* Issuer test */ 1622 if (strlen(authorityKeyId_issuer) > 0) { 1623 mbedtls_x509_sequence *issuerPtr = &crt.authority_key_id.authorityCertIssuer; 1624 1625 TEST_EQUAL(mbedtls_x509_parse_subject_alt_name(&issuerPtr->buf, &san), 0); 1626 1627 TEST_ASSERT(mbedtls_x509_dn_gets(name_buf, sizeof(name_buf), 1628 &san.san.directory_name) 1629 > 0); 1630 TEST_EQUAL(strcmp(name_buf, authorityKeyId_issuer), 0); 1631 1632 mbedtls_x509_free_subject_alt_name(&san); 1633 } 1634 1635 /* Serial test */ 1636 if (serial->len > 0) { 1637 TEST_EQUAL(crt.authority_key_id.authorityCertSerialNumber.tag, 1638 MBEDTLS_ASN1_INTEGER); 1639 TEST_EQUAL(memcmp(crt.authority_key_id.authorityCertSerialNumber.p, 1640 serial->x, serial->len), 0); 1641 TEST_EQUAL(crt.authority_key_id.authorityCertSerialNumber.len, serial->len); 1642 } else { 1643 TEST_EQUAL(crt.authority_key_id.authorityCertSerialNumber.tag, 0); 1644 TEST_EQUAL(crt.authority_key_id.authorityCertSerialNumber.len, 0); 1645 } 1646 1647 } else { 1648 TEST_EQUAL(crt.authority_key_id.keyIdentifier.tag, 0); 1649 TEST_EQUAL(crt.authority_key_id.keyIdentifier.len, 0); 1650 1651 TEST_EQUAL(crt.authority_key_id.authorityCertSerialNumber.tag, 0); 1652 TEST_EQUAL(crt.authority_key_id.authorityCertSerialNumber.len, 0); 1653 } 1654 1655exit: 1656 mbedtls_x509_crt_free(&crt); 1657} 1658/* END_CASE */ 1659