2009-02-09 23:32:35 +01:00
|
|
|
/*
|
|
|
|
* SSL certificate functionality tests
|
|
|
|
*
|
2011-11-18 15:26:47 +01:00
|
|
|
* Copyright (C) 2006-2011, Brainspark B.V.
|
2010-07-18 22:36:00 +02:00
|
|
|
*
|
|
|
|
* This file is part of PolarSSL (http://www.polarssl.org)
|
2010-07-18 12:13:04 +02:00
|
|
|
* Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
|
2010-07-18 22:36:00 +02:00
|
|
|
*
|
2009-07-28 19:23:11 +02:00
|
|
|
* All rights reserved.
|
2009-02-09 23:32:35 +01:00
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
|
|
* (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License along
|
|
|
|
* with this program; if not, write to the Free Software Foundation, Inc.,
|
|
|
|
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef _CRT_SECURE_NO_DEPRECATE
|
|
|
|
#define _CRT_SECURE_NO_DEPRECATE 1
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#include <string.h>
|
|
|
|
#include <stdio.h>
|
|
|
|
|
2011-05-26 15:16:06 +02:00
|
|
|
#include "polarssl/config.h"
|
|
|
|
|
2009-02-09 23:32:35 +01:00
|
|
|
#include "polarssl/certs.h"
|
2013-09-17 13:25:29 +02:00
|
|
|
#include "polarssl/x509_crt.h"
|
2009-02-09 23:32:35 +01:00
|
|
|
|
2009-05-02 17:13:40 +02:00
|
|
|
#if defined _MSC_VER && !defined snprintf
|
|
|
|
#define snprintf _snprintf
|
|
|
|
#endif
|
|
|
|
|
2009-05-03 12:18:48 +02:00
|
|
|
#define MAX_CLIENT_CERTS 8
|
2009-02-09 23:32:35 +01:00
|
|
|
|
2013-06-24 13:01:08 +02:00
|
|
|
const char *client_certificates[MAX_CLIENT_CERTS] =
|
2009-02-09 23:32:35 +01:00
|
|
|
{
|
2009-05-02 17:13:40 +02:00
|
|
|
"client1.crt",
|
|
|
|
"client2.crt",
|
2009-05-03 12:18:48 +02:00
|
|
|
"server1.crt",
|
|
|
|
"server2.crt",
|
2009-05-02 17:13:40 +02:00
|
|
|
"cert_sha224.crt",
|
|
|
|
"cert_sha256.crt",
|
|
|
|
"cert_sha384.crt",
|
|
|
|
"cert_sha512.crt"
|
2009-02-09 23:32:35 +01:00
|
|
|
};
|
|
|
|
|
2013-06-24 13:01:08 +02:00
|
|
|
const char *client_private_keys[MAX_CLIENT_CERTS] =
|
2009-03-28 18:30:26 +01:00
|
|
|
{
|
2009-05-02 17:13:40 +02:00
|
|
|
"client1.key",
|
|
|
|
"client2.key",
|
2009-05-03 12:18:48 +02:00
|
|
|
"server1.key",
|
|
|
|
"server2.key",
|
2011-02-09 18:10:48 +01:00
|
|
|
"cert_digest.key",
|
|
|
|
"cert_digest.key",
|
|
|
|
"cert_digest.key",
|
|
|
|
"cert_digest.key"
|
2009-03-28 18:30:26 +01:00
|
|
|
};
|
|
|
|
|
2011-05-26 15:16:06 +02:00
|
|
|
#if !defined(POLARSSL_BIGNUM_C) || !defined(POLARSSL_RSA_C) || \
|
2013-09-17 13:25:29 +02:00
|
|
|
!defined(POLARSSL_X509_CRT_PARSE_C) || !defined(POLARSSL_PK_PARSE_C) || \
|
|
|
|
!defined(POLARSSL_FS_IO)
|
2011-11-18 15:26:47 +01:00
|
|
|
int main( int argc, char *argv[] )
|
2011-05-26 15:16:06 +02:00
|
|
|
{
|
2011-11-18 15:26:47 +01:00
|
|
|
((void) argc);
|
|
|
|
((void) argv);
|
|
|
|
|
2011-05-26 15:16:06 +02:00
|
|
|
printf("POLARSSL_BIGNUM_C and/or POLARSSL_RSA_C and/or "
|
2013-09-17 13:25:29 +02:00
|
|
|
"POLARSSL_X509_CRT_PARSE_C and/or POLARSSL_FS_IO and/or "
|
|
|
|
"POLARSSL_PK_PARSE_C not defined.\n");
|
2011-05-26 15:16:06 +02:00
|
|
|
return( 0 );
|
|
|
|
}
|
|
|
|
#else
|
2011-11-18 15:26:47 +01:00
|
|
|
int main( int argc, char *argv[] )
|
2009-02-09 23:32:35 +01:00
|
|
|
{
|
|
|
|
int ret, i;
|
2013-09-18 14:13:26 +02:00
|
|
|
x509_crt cacert;
|
2009-05-02 17:13:40 +02:00
|
|
|
x509_crl crl;
|
|
|
|
char buf[10240];
|
|
|
|
|
2011-11-18 15:26:47 +01:00
|
|
|
((void) argc);
|
|
|
|
((void) argv);
|
|
|
|
|
2013-09-18 11:58:25 +02:00
|
|
|
x509_crt_init( &cacert );
|
|
|
|
x509_crl_init( &crl );
|
2009-02-09 23:32:35 +01:00
|
|
|
|
|
|
|
/*
|
|
|
|
* 1.1. Load the trusted CA
|
|
|
|
*/
|
|
|
|
printf( "\n . Loading the CA root certificate ..." );
|
|
|
|
fflush( stdout );
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Alternatively, you may load the CA certificates from a .pem or
|
2013-09-18 13:46:23 +02:00
|
|
|
* .crt file by calling x509_crt_parse_file( &cacert, "myca.crt" ).
|
2009-02-09 23:32:35 +01:00
|
|
|
*/
|
2013-09-18 13:46:23 +02:00
|
|
|
ret = x509_crt_parse_file( &cacert, "ssl/test-ca/test-ca.crt" );
|
2009-02-09 23:32:35 +01:00
|
|
|
if( ret != 0 )
|
|
|
|
{
|
2013-09-18 13:46:23 +02:00
|
|
|
printf( " failed\n ! x509_crt_parse_file returned %d\n\n", ret );
|
2009-02-09 23:32:35 +01:00
|
|
|
goto exit;
|
|
|
|
}
|
|
|
|
|
|
|
|
printf( " ok\n" );
|
|
|
|
|
2013-09-18 13:46:23 +02:00
|
|
|
x509_crt_info( buf, 1024, "CRT: ", &cacert );
|
2009-05-03 12:18:48 +02:00
|
|
|
printf("%s\n", buf );
|
|
|
|
|
2009-05-02 17:13:40 +02:00
|
|
|
/*
|
|
|
|
* 1.2. Load the CRL
|
|
|
|
*/
|
|
|
|
printf( " . Loading the CRL ..." );
|
|
|
|
fflush( stdout );
|
|
|
|
|
2013-09-18 13:46:23 +02:00
|
|
|
ret = x509_crl_parse_file( &crl, "ssl/test-ca/crl.pem" );
|
2009-05-02 17:13:40 +02:00
|
|
|
if( ret != 0 )
|
|
|
|
{
|
2013-09-18 13:46:23 +02:00
|
|
|
printf( " failed\n ! x509_crl_parse_file returned %d\n\n", ret );
|
2009-05-02 17:13:40 +02:00
|
|
|
goto exit;
|
|
|
|
}
|
|
|
|
|
|
|
|
printf( " ok\n" );
|
|
|
|
|
2013-09-18 13:46:23 +02:00
|
|
|
x509_crl_info( buf, 1024, "CRL: ", &crl );
|
2009-05-02 17:13:40 +02:00
|
|
|
printf("%s\n", buf );
|
|
|
|
|
2009-02-09 23:32:35 +01:00
|
|
|
for( i = 0; i < MAX_CLIENT_CERTS; i++ )
|
|
|
|
{
|
|
|
|
/*
|
2009-05-02 17:13:40 +02:00
|
|
|
* 1.3. Load own certificate
|
2009-02-09 23:32:35 +01:00
|
|
|
*/
|
2009-05-02 17:13:40 +02:00
|
|
|
char name[512];
|
|
|
|
int flags;
|
2013-09-18 14:13:26 +02:00
|
|
|
x509_crt clicert;
|
2013-09-17 13:25:29 +02:00
|
|
|
pk_context pk;
|
2009-03-28 18:53:03 +01:00
|
|
|
|
2013-09-18 11:58:25 +02:00
|
|
|
x509_crt_init( &clicert );
|
2013-09-17 13:25:29 +02:00
|
|
|
pk_init( &pk );
|
2009-02-09 23:32:35 +01:00
|
|
|
|
2009-05-02 17:13:40 +02:00
|
|
|
snprintf(name, 512, "ssl/test-ca/%s", client_certificates[i]);
|
2009-02-09 23:32:35 +01:00
|
|
|
|
2009-05-02 17:13:40 +02:00
|
|
|
printf( " . Loading the client certificate %s...", name );
|
|
|
|
fflush( stdout );
|
2009-02-09 23:32:35 +01:00
|
|
|
|
2013-09-18 13:46:23 +02:00
|
|
|
ret = x509_crt_parse_file( &clicert, name );
|
2009-05-02 17:13:40 +02:00
|
|
|
if( ret != 0 )
|
|
|
|
{
|
2013-09-18 13:46:23 +02:00
|
|
|
printf( " failed\n ! x509_crt_parse_file returned %d\n\n", ret );
|
2009-05-02 17:13:40 +02:00
|
|
|
goto exit;
|
|
|
|
}
|
2009-02-09 23:32:35 +01:00
|
|
|
|
2009-05-02 17:13:40 +02:00
|
|
|
printf( " ok\n" );
|
2009-02-09 23:32:35 +01:00
|
|
|
|
2009-05-02 17:13:40 +02:00
|
|
|
/*
|
|
|
|
* 1.4. Verify certificate validity with CA certificate
|
|
|
|
*/
|
|
|
|
printf( " . Verify the client certificate with CA certificate..." );
|
|
|
|
fflush( stdout );
|
2009-02-09 23:32:35 +01:00
|
|
|
|
2013-09-18 13:46:23 +02:00
|
|
|
ret = x509_crt_verify( &clicert, &cacert, &crl, NULL, &flags, NULL,
|
|
|
|
NULL );
|
2009-05-02 17:13:40 +02:00
|
|
|
if( ret != 0 )
|
|
|
|
{
|
2009-05-03 12:18:48 +02:00
|
|
|
if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED )
|
|
|
|
{
|
2009-05-03 19:29:56 +02:00
|
|
|
if( flags & BADCERT_CN_MISMATCH )
|
|
|
|
printf( " CN_MISMATCH " );
|
|
|
|
if( flags & BADCERT_EXPIRED )
|
|
|
|
printf( " EXPIRED " );
|
|
|
|
if( flags & BADCERT_REVOKED )
|
2009-05-03 12:18:48 +02:00
|
|
|
printf( " REVOKED " );
|
2009-05-03 19:29:56 +02:00
|
|
|
if( flags & BADCERT_NOT_TRUSTED )
|
|
|
|
printf( " NOT_TRUSTED " );
|
|
|
|
if( flags & BADCRL_NOT_TRUSTED )
|
|
|
|
printf( " CRL_NOT_TRUSTED " );
|
|
|
|
if( flags & BADCRL_EXPIRED )
|
|
|
|
printf( " CRL_EXPIRED " );
|
2009-05-03 12:18:48 +02:00
|
|
|
} else {
|
2013-09-18 13:46:23 +02:00
|
|
|
printf( " failed\n ! x509_crt_verify returned %d\n\n", ret );
|
2009-05-03 12:18:48 +02:00
|
|
|
goto exit;
|
|
|
|
}
|
2009-05-02 17:13:40 +02:00
|
|
|
}
|
2009-02-09 23:32:35 +01:00
|
|
|
|
2009-05-02 17:13:40 +02:00
|
|
|
printf( " ok\n" );
|
2009-03-28 18:30:26 +01:00
|
|
|
|
|
|
|
/*
|
2009-05-02 17:13:40 +02:00
|
|
|
* 1.5. Load own private key
|
2009-03-28 18:30:26 +01:00
|
|
|
*/
|
2009-05-02 17:13:40 +02:00
|
|
|
snprintf(name, 512, "ssl/test-ca/%s", client_private_keys[i]);
|
2009-03-28 18:30:26 +01:00
|
|
|
|
|
|
|
printf( " . Loading the client private key %s...", name );
|
|
|
|
fflush( stdout );
|
|
|
|
|
2013-09-17 13:25:29 +02:00
|
|
|
ret = pk_parse_keyfile( &pk, name, NULL );
|
2009-05-02 17:13:40 +02:00
|
|
|
if( ret != 0 )
|
|
|
|
{
|
2013-09-17 13:25:29 +02:00
|
|
|
printf( " failed\n ! pk_parse_keyfile returned %d\n\n", ret );
|
2009-05-02 17:13:40 +02:00
|
|
|
goto exit;
|
|
|
|
}
|
|
|
|
|
|
|
|
printf( " ok\n" );
|
|
|
|
|
|
|
|
/*
|
2013-07-11 13:17:21 +02:00
|
|
|
* 1.6. Verify certificate validity with private key
|
2009-05-02 17:13:40 +02:00
|
|
|
*/
|
|
|
|
printf( " . Verify the client certificate with private key..." );
|
|
|
|
fflush( stdout );
|
|
|
|
|
2013-07-11 13:17:21 +02:00
|
|
|
|
|
|
|
/* EC NOT IMPLEMENTED YET */
|
2013-08-14 21:15:53 +02:00
|
|
|
if( ! pk_can_do( &clicert.pk, POLARSSL_PK_RSA ) )
|
2013-07-11 13:17:21 +02:00
|
|
|
{
|
|
|
|
printf( " failed\n ! certificate's key is not RSA\n\n" );
|
|
|
|
ret = POLARSSL_ERR_X509_FEATURE_UNAVAILABLE;
|
|
|
|
goto exit;
|
|
|
|
}
|
|
|
|
|
2013-09-17 13:25:29 +02:00
|
|
|
ret = mpi_cmp_mpi(&pk_rsa( pk )->N, &pk_rsa( clicert.pk )->N);
|
2009-05-02 17:13:40 +02:00
|
|
|
if( ret != 0 )
|
|
|
|
{
|
|
|
|
printf( " failed\n ! mpi_cmp_mpi for N returned %d\n\n", ret );
|
|
|
|
goto exit;
|
|
|
|
}
|
|
|
|
|
2013-09-17 13:25:29 +02:00
|
|
|
ret = mpi_cmp_mpi(&pk_rsa( pk )->E, &pk_rsa( clicert.pk )->E);
|
2009-05-02 17:13:40 +02:00
|
|
|
if( ret != 0 )
|
|
|
|
{
|
|
|
|
printf( " failed\n ! mpi_cmp_mpi for E returned %d\n\n", ret );
|
|
|
|
goto exit;
|
|
|
|
}
|
|
|
|
|
2013-09-17 13:25:29 +02:00
|
|
|
ret = rsa_check_privkey( pk_rsa( pk ) );
|
2009-05-02 17:13:40 +02:00
|
|
|
if( ret != 0 )
|
|
|
|
{
|
|
|
|
printf( " failed\n ! rsa_check_privkey returned %d\n\n", ret );
|
|
|
|
goto exit;
|
|
|
|
}
|
|
|
|
|
|
|
|
printf( " ok\n" );
|
|
|
|
|
2013-09-17 13:25:29 +02:00
|
|
|
x509_crt_free( &clicert );
|
|
|
|
pk_free( &pk );
|
2009-02-09 23:32:35 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
exit:
|
2013-09-17 13:25:29 +02:00
|
|
|
x509_crt_free( &cacert );
|
2009-05-02 17:13:40 +02:00
|
|
|
x509_crl_free( &crl );
|
2009-02-09 23:32:35 +01:00
|
|
|
|
2011-11-18 15:26:47 +01:00
|
|
|
#if defined(_WIN32)
|
2009-02-09 23:32:35 +01:00
|
|
|
printf( " + Press Enter to exit this program.\n" );
|
|
|
|
fflush( stdout ); getchar();
|
|
|
|
#endif
|
|
|
|
|
|
|
|
return( ret );
|
|
|
|
}
|
2013-09-17 13:25:29 +02:00
|
|
|
#endif /* POLARSSL_BIGNUM_C && POLARSSL_RSA_C && POLARSSL_X509_CRT_PARSE_C &&
|
|
|
|
POLARSSL_FS_IO && POLARSSL_PK_PARSE_C */
|