Merge support for verifying the extendedKeyUsage extension in X.509
52c5af7d2d
@ -7,8 +7,10 @@ ABI Alert: ALPN changes the ABI for the next release.
|
|||||||
Features
|
Features
|
||||||
* Support for the ALPN SSL extension
|
* Support for the ALPN SSL extension
|
||||||
* Add option 'use_dev_random' to gen_key application
|
* Add option 'use_dev_random' to gen_key application
|
||||||
* Enable verification of the keyUsage extension with for CA and leaf
|
* Enable verification of the keyUsage extension for CA and leaf
|
||||||
certificates (POLARSSL_X509_CHECK_KEY_USAGE)
|
certificates (POLARSSL_X509_CHECK_KEY_USAGE)
|
||||||
|
* Enable verification of the extendedKeyUsage extension
|
||||||
|
(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
|
||||||
|
|
||||||
Changes
|
Changes
|
||||||
* x509_crt_info() now prints information about parsed extensions as well
|
* x509_crt_info() now prints information about parsed extensions as well
|
||||||
|
@ -971,6 +971,19 @@
|
|||||||
*/
|
*/
|
||||||
#define POLARSSL_X509_CHECK_KEY_USAGE
|
#define POLARSSL_X509_CHECK_KEY_USAGE
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \def POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE
|
||||||
|
*
|
||||||
|
* Enable verification of the extendedKeyUsage extension (leaf certificates).
|
||||||
|
*
|
||||||
|
* Disabling this avoids problems with mis-issued and/or misused certificates.
|
||||||
|
*
|
||||||
|
* \warning Depending on your PKI use, disabling this can be a security risk!
|
||||||
|
*
|
||||||
|
* Comment to skip extendedKeyUsage checking for certificates.
|
||||||
|
*/
|
||||||
|
#define POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \def POLARSSL_ZLIB_SUPPORT
|
* \def POLARSSL_ZLIB_SUPPORT
|
||||||
*
|
*
|
||||||
|
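Review bot: The sentence `* Disabling this avoids problems with mis-issued and/or misused certificates.` in the new POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE block reads as if leaving the check off were the safer choice, and the \warning line two lines later then has to argue against that reading. The "problems" meant are handshake failures against certificates whose extendedKeyUsage does not cover the TLS role they are used for, so say that: `* Disabling this avoids handshake failures with mis-issued and/or misused certificates, at the cost of accepting them.` With the trade-off spelled out, the \warning line follows naturally instead of contradicting the sentence before it.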
@ -264,6 +264,24 @@ int x509_crt_verify( x509_crt *crt,
|
|||||||
int x509_crt_check_key_usage( const x509_crt *crt, int usage );
|
int x509_crt_check_key_usage( const x509_crt *crt, int usage );
|
||||||
#endif /* POLARSSL_X509_CHECK_KEY_USAGE) */
|
#endif /* POLARSSL_X509_CHECK_KEY_USAGE) */
|
||||||
|
|
||||||
|
#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
|
||||||
|
/**
|
||||||
|
* \brief Check usage of certificate against extentedJeyUsage.
|
||||||
|
*
|
||||||
|
* \param crt Leaf certificate used.
|
||||||
|
* \param usage_oid Intended usage (eg OID_SERVER_AUTH or OID_CLIENT_AUTH).
|
||||||
|
* \param usage_len Length of usage_oid (eg given by OID_SIZE()).
|
||||||
|
*
|
||||||
|
* \return 0 is this use of the certificate is allowed,
|
||||||
|
* POLARSSL_ERR_X509_BAD_INPUT_DATA if not.
|
||||||
|
*
|
||||||
|
* \note Usually only makes sense on leaf certificates.
|
||||||
|
*/
|
||||||
|
int x509_crt_check_extended_key_usage( const x509_crt *crt,
|
||||||
|
const char *usage_oid,
|
||||||
|
size_t usage_len );
|
||||||
|
#endif /* POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE) */
|
||||||
|
|
||||||
#if defined(POLARSSL_X509_CRL_PARSE_C)
|
#if defined(POLARSSL_X509_CRL_PARSE_C)
|
||||||
/**
|
/**
|
||||||
* \brief Verify the certificate revocation status
|
* \brief Verify the certificate revocation status
|
||||||
|
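Review bot: The new doc comment on `x509_crt_check_extended_key_usage` has two typos that will end up in the generated API reference: `extentedJeyUsage` should read `extendedKeyUsage`, and `0 is this use of the certificate is allowed` should read `0 if this use of the certificate is allowed`. The \return text also understates the contract the implementation in x509_crt.c commits to: 0 is returned when the extension is absent or when the list carries anyExtendedKeyUsage, not only when `usage_oid` itself is listed, and callers deciding policy on this result need that stated here, e.g. `\return 0 if the extension is absent, if usage_oid is listed, or if anyExtendedKeyUsage is listed; POLARSSL_ERR_X509_BAD_INPUT_DATA otherwise.` The closing `#endif /* POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE) */` also copies the stray `)` from the keyUsage block above it.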
@ -38,6 +38,11 @@
|
|||||||
#include "polarssl/debug.h"
|
#include "polarssl/debug.h"
|
||||||
#include "polarssl/ssl.h"
|
#include "polarssl/ssl.h"
|
||||||
|
|
||||||
|
#if defined(POLARSSL_X509_CRT_PARSE_C) && \
|
||||||
|
defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
|
||||||
|
#include "polarssl/oid.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(POLARSSL_PLATFORM_C)
|
#if defined(POLARSSL_PLATFORM_C)
|
||||||
#include "polarssl/platform.h"
|
#include "polarssl/platform.h"
|
||||||
#else
|
#else
|
||||||
@ -4770,15 +4775,19 @@ int ssl_check_cert_usage( const x509_crt *cert,
|
|||||||
const ssl_ciphersuite_t *ciphersuite,
|
const ssl_ciphersuite_t *ciphersuite,
|
||||||
int cert_endpoint )
|
int cert_endpoint )
|
||||||
{
|
{
|
||||||
#if !defined(POLARSSL_X509_CHECK_KEY_USAGE)
|
|
||||||
((void) cert);
|
|
||||||
((void) ciphersuite);
|
|
||||||
((void) cert_endpoint);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
|
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
|
||||||
int usage = 0;
|
int usage = 0;
|
||||||
#endif
|
#endif
|
||||||
|
#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
|
||||||
|
const char *ext_oid;
|
||||||
|
size_t ext_len;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if !defined(POLARSSL_X509_CHECK_KEY_USAGE) && \
|
||||||
|
!defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
|
||||||
|
((void) cert);
|
||||||
|
((void) cert_endpoint);
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
|
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
|
||||||
if( cert_endpoint == SSL_IS_SERVER )
|
if( cert_endpoint == SSL_IS_SERVER )
|
||||||
@ -4818,8 +4827,26 @@ int ssl_check_cert_usage( const x509_crt *cert,
|
|||||||
|
|
||||||
if( x509_crt_check_key_usage( cert, usage ) != 0 )
|
if( x509_crt_check_key_usage( cert, usage ) != 0 )
|
||||||
return( -1 );
|
return( -1 );
|
||||||
|
#else
|
||||||
|
((void) ciphersuite);
|
||||||
#endif /* POLARSSL_X509_CHECK_KEY_USAGE */
|
#endif /* POLARSSL_X509_CHECK_KEY_USAGE */
|
||||||
|
|
||||||
|
#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
|
||||||
|
if( cert_endpoint == SSL_IS_SERVER )
|
||||||
|
{
|
||||||
|
ext_oid = OID_SERVER_AUTH;
|
||||||
|
ext_len = OID_SIZE( OID_SERVER_AUTH );
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
ext_oid = OID_CLIENT_AUTH;
|
||||||
|
ext_len = OID_SIZE( OID_CLIENT_AUTH );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
|
||||||
|
return( -1 );
|
||||||
|
#endif /* POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE */
|
||||||
|
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
#endif /* POLARSSL_X509_CRT_PARSE_C */
|
#endif /* POLARSSL_X509_CRT_PARSE_C */
|
||||||
|
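Review bot: The new extendedKeyUsage block in ssl_check_cert_usage picks the required purpose from `cert_endpoint` without saying why, and nothing in the function tells a reader that a certificate with no extendedKeyUsage extension passes this check. A short comment above the EKU block's `if( cert_endpoint == SSL_IS_SERVER )` would carry both facts: `/* The peer's certificate must allow the TLS role it is used for: serverAuth for a server, clientAuth for a client (RFC 5280 4.2.1.12). x509_crt_check_extended_key_usage() accepts a certificate that carries no extendedKeyUsage extension at all. */`. As a point of style, the earlier hunk of this function now spreads the unused-parameter casts over two separate preprocessor blocks (the `!KEY_USAGE && !EXTENDED` block and the `#else` of `KEY_USAGE`); one block listing what each configuration leaves unused would be easier to keep correct as more checks are added. The middle of the function, between the two hunks, is not shown here.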
@ -1371,6 +1371,38 @@ int x509_crt_check_key_usage( const x509_crt *crt, int usage )
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
|
||||||
|
int x509_crt_check_extended_key_usage( const x509_crt *crt,
|
||||||
|
const char *usage_oid,
|
||||||
|
size_t usage_len )
|
||||||
|
{
|
||||||
|
const x509_sequence *cur;
|
||||||
|
|
||||||
|
/* Extension is not mandatory, absent means no restriction */
|
||||||
|
if( ( crt->ext_types & EXT_EXTENDED_KEY_USAGE ) == 0 )
|
||||||
|
return( 0 );
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Look for the requested usage (or wildcard ANY) in our list
|
||||||
|
*/
|
||||||
|
for( cur = &crt->ext_key_usage; cur != NULL; cur = cur->next )
|
||||||
|
{
|
||||||
|
const x509_buf *cur_oid = &cur->buf;
|
||||||
|
|
||||||
|
if( cur_oid->len == usage_len &&
|
||||||
|
memcmp( cur_oid->p, usage_oid, usage_len ) == 0 )
|
||||||
|
{
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( OID_CMP( OID_ANY_EXTENDED_KEY_USAGE, cur_oid ) )
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(POLARSSL_X509_CRL_PARSE_C)
|
#if defined(POLARSSL_X509_CRL_PARSE_C)
|
||||||
/*
|
/*
|
||||||
* Return 1 if the certificate is revoked, or 0 otherwise.
|
* Return 1 if the certificate is revoked, or 0 otherwise.
|
||||||
|
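Review bot: `x509_crt_check_extended_key_usage` accepts `usage_len == 0` without complaint: `memcmp` over zero bytes returns 0, so if the parsed list ever holds an entry with `len == 0` (whether the parser rules that out is not visible here) the call would report the empty usage as permitted. A guard before the absent-extension check, `if( usage_oid == NULL || usage_len == 0 ) return( POLARSSL_ERR_X509_BAD_INPUT_DATA );`, costs nothing and makes the argument contract explicit. Separately, the two early returns inside the loop are braced inconsistently (the memcmp branch has braces, the OID_CMP branch does not); pick one form.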
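--- a/tests/data_files/server5.eku-cli.crt
+++ b/tests/data_files/server5.eku-cli.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5DCCAWmgAwIBAgIBPDAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MTQwNDEwMTcyMTIxWhcNMjQwNDA3MTcyMTIxWjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
+2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jYjBgMAkGA1UdEwQCMAAwHQYD
+VR0OBBYEFFBhpY/UB9nXggEM5WV/jGNGpxO+MB8GA1UdIwQYMBaAFJ1tICRJAT8r
+y3i1Gbx+JMnb+zZ8MBMGA1UdJQQMMAoGCCsGAQUFBwMCMAoGCCqGSM49BAMCA2kA
+MGYCMQCzHyEvd56zm1AzfDBi3psz3rDL/m0RN2WnbRBQJxIJqjwEXOrKazko9m9q
+owgau88CMQDuI0fsq5tnyiHPaDSAE21/6hlrCR6deNbwzB94OuPIbx1wIas9D1jc
+//iSmKtbl8Y=
+-----END CERTIFICATE-----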
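--- a/tests/data_files/server5.eku-cs.crt
+++ b/tests/data_files/server5.eku-cs.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB4zCCAWmgAwIBAgIBOjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MTQwNDEwMTcyMDQxWhcNMjQwNDA3MTcyMDQxWjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
+2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jYjBgMAkGA1UdEwQCMAAwHQYD
+VR0OBBYEFFBhpY/UB9nXggEM5WV/jGNGpxO+MB8GA1UdIwQYMBaAFJ1tICRJAT8r
+y3i1Gbx+JMnb+zZ8MBMGA1UdJQQMMAoGCCsGAQUFBwMDMAoGCCqGSM49BAMCA2gA
+MGUCMQC294oVK6fUjH/abI1xzytTusi8dl7518L0Y19q8zi9K19OtxzPK09h7xyy
+gaJRvpUCMFS6hYhrht38yqwwhSVlnmTMVtira58mEUhL6v7Qzw1sz/Dm4aXkW3s6
+JQV1kqqbRw==
+-----END CERTIFICATE-----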
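--- a/tests/data_files/server5.eku-cs_any.crt
+++ b/tests/data_files/server5.eku-cs_any.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB6TCCAW+gAwIBAgIBOzAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MTQwNDEwMTcyMDU4WhcNMjQwNDA3MTcyMDU4WjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
+2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jaDBmMAkGA1UdEwQCMAAwHQYD
+VR0OBBYEFFBhpY/UB9nXggEM5WV/jGNGpxO+MB8GA1UdIwQYMBaAFJ1tICRJAT8r
+y3i1Gbx+JMnb+zZ8MBkGA1UdJQQSMBAGCCsGAQUFBwMDBgRVHSUAMAoGCCqGSM49
+BAMCA2gAMGUCMQCSYaq/9IKOTkzIrU/eOtpha/3af3JwT6vKh4N3cSX62ksMz0GT
+Uxmq4UGMBt4VmBkCMBGpYqof6hS1o92ltNRpDSHuVQ+nke1lOsoQ1plZp4SI+bY1
+bUD/WrUSLlwikZAeng==
+-----END CERTIFICATE-----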
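--- a/tests/data_files/server5.eku-srv.crt
+++ b/tests/data_files/server5.eku-srv.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5DCCAWmgAwIBAgIBPjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MTQwNDEwMTcyMTU0WhcNMjQwNDA3MTcyMTU0WjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
+2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jYjBgMAkGA1UdEwQCMAAwHQYD
+VR0OBBYEFFBhpY/UB9nXggEM5WV/jGNGpxO+MB8GA1UdIwQYMBaAFJ1tICRJAT8r
+y3i1Gbx+JMnb+zZ8MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAoGCCqGSM49BAMCA2kA
+MGYCMQDQzjWB0xZs/8IsqJb7owYYtCiT17939Uuc/1yBF69pJRy7KV/qJlHNvlVu
+qwWVTx0CMQDNW/0dlX1gU6ashrZv5Ly4sijg/g645fFpfMKCNXysEb9xiBeEj5de
+2x5sX/0OSx4=
+-----END CERTIFICATE-----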
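--- a/tests/data_files/server5.eku-srv_cli.crt
+++ b/tests/data_files/server5.eku-srv_cli.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB7DCCAXOgAwIBAgIBPTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MTQwNDEwMTcyMTQyWhcNMjQwNDA3MTcyMTQyWjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
+2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jbDBqMAkGA1UdEwQCMAAwHQYD
+VR0OBBYEFFBhpY/UB9nXggEM5WV/jGNGpxO+MB8GA1UdIwQYMBaAFJ1tICRJAT8r
+y3i1Gbx+JMnb+zZ8MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAKBggq
+hkjOPQQDAgNnADBkAjAmQjJxxC82ZhBpH/GQkOQXDmaaV/JHRHGok1cWn3j3Xj8A
+fqRZkp8JihpGIMse208CMFCMdNAfNd1tv+oPuynoK5Oh6/YlASX/otJT68voEIAN
+SmsT1m9VPQMIyUo/3RtYjg==
+-----END CERTIFICATE-----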
107
tests/ssl-opt.sh
107
tests/ssl-opt.sh
@ -1136,6 +1136,113 @@ run_test "keyUsage cli-auth #5 (ECDSA, KeyAgreement: fail (soft))" \
|
|||||||
-s "bad certificate (usage extensions)" \
|
-s "bad certificate (usage extensions)" \
|
||||||
-S "Processing of the Certificate handshake message failed"
|
-S "Processing of the Certificate handshake message failed"
|
||||||
|
|
||||||
|
# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
|
||||||
|
|
||||||
|
run_test "extKeyUsage srv #1 (serverAuth -> OK)" \
|
||||||
|
"$P_SRV key_file=data_files/server5.key \
|
||||||
|
crt_file=data_files/server5.eku-srv.crt" \
|
||||||
|
"$P_CLI" \
|
||||||
|
0
|
||||||
|
|
||||||
|
run_test "extKeyUsage srv #2 (serverAuth,clientAuth -> OK)" \
|
||||||
|
"$P_SRV key_file=data_files/server5.key \
|
||||||
|
crt_file=data_files/server5.eku-srv.crt" \
|
||||||
|
"$P_CLI" \
|
||||||
|
0
|
||||||
|
|
||||||
|
run_test "extKeyUsage srv #3 (codeSign,anyEKU -> OK)" \
|
||||||
|
"$P_SRV key_file=data_files/server5.key \
|
||||||
|
crt_file=data_files/server5.eku-cs_any.crt" \
|
||||||
|
"$P_CLI" \
|
||||||
|
0
|
||||||
|
|
||||||
|
# add psk to leave an option for client to send SERVERQUIT
|
||||||
|
run_test "extKeyUsage srv #4 (codeSign -> fail)" \
|
||||||
|
"$P_SRV psk=abc123 key_file=data_files/server5.key \
|
||||||
|
crt_file=data_files/server5.eku-cli.crt" \
|
||||||
|
"$P_CLI psk=badbad" \
|
||||||
|
1
|
||||||
|
|
||||||
|
# Tests for extendedKeyUsage, part 2: client-side checking of server cert
|
||||||
|
|
||||||
|
run_test "extKeyUsage cli #1 (serverAuth -> OK)" \
|
||||||
|
"$O_SRV -key data_files/server5.key \
|
||||||
|
-cert data_files/server5.eku-srv.crt" \
|
||||||
|
"$P_CLI debug_level=2" \
|
||||||
|
0 \
|
||||||
|
-C "bad certificate (usage extensions)" \
|
||||||
|
-C "Processing of the Certificate handshake message failed" \
|
||||||
|
-c "Ciphersuite is TLS-"
|
||||||
|
|
||||||
|
run_test "extKeyUsage cli #2 (serverAuth,clientAuth -> OK)" \
|
||||||
|
"$O_SRV -key data_files/server5.key \
|
||||||
|
-cert data_files/server5.eku-srv_cli.crt" \
|
||||||
|
"$P_CLI debug_level=2" \
|
||||||
|
0 \
|
||||||
|
-C "bad certificate (usage extensions)" \
|
||||||
|
-C "Processing of the Certificate handshake message failed" \
|
||||||
|
-c "Ciphersuite is TLS-"
|
||||||
|
|
||||||
|
run_test "extKeyUsage cli #3 (codeSign,anyEKU -> OK)" \
|
||||||
|
"$O_SRV -key data_files/server5.key \
|
||||||
|
-cert data_files/server5.eku-cs_any.crt" \
|
||||||
|
"$P_CLI debug_level=2" \
|
||||||
|
0 \
|
||||||
|
-C "bad certificate (usage extensions)" \
|
||||||
|
-C "Processing of the Certificate handshake message failed" \
|
||||||
|
-c "Ciphersuite is TLS-"
|
||||||
|
|
||||||
|
run_test "extKeyUsage cli #4 (codeSign -> fail)" \
|
||||||
|
"$O_SRV -key data_files/server5.key \
|
||||||
|
-cert data_files/server5.eku-cs.crt" \
|
||||||
|
"$P_CLI debug_level=2" \
|
||||||
|
1 \
|
||||||
|
-c "bad certificate (usage extensions)" \
|
||||||
|
-c "Processing of the Certificate handshake message failed" \
|
||||||
|
-C "Ciphersuite is TLS-"
|
||||||
|
|
||||||
|
# Tests for extendedKeyUsage, part 3: server-side checking of client cert
|
||||||
|
|
||||||
|
run_test "extKeyUsage cli-auth #1 (clientAuth -> OK)" \
|
||||||
|
"$P_SRV debug_level=2 auth_mode=optional" \
|
||||||
|
"$O_CLI -key data_files/server5.key \
|
||||||
|
-cert data_files/server5.eku-cli.crt" \
|
||||||
|
0 \
|
||||||
|
-S "bad certificate (usage extensions)" \
|
||||||
|
-S "Processing of the Certificate handshake message failed"
|
||||||
|
|
||||||
|
run_test "extKeyUsage cli-auth #2 (serverAuth,clientAuth -> OK)" \
|
||||||
|
"$P_SRV debug_level=2 auth_mode=optional" \
|
||||||
|
"$O_CLI -key data_files/server5.key \
|
||||||
|
-cert data_files/server5.eku-srv_cli.crt" \
|
||||||
|
0 \
|
||||||
|
-S "bad certificate (usage extensions)" \
|
||||||
|
-S "Processing of the Certificate handshake message failed"
|
||||||
|
|
||||||
|
run_test "extKeyUsage cli-auth #3 (codeSign,anyEKU -> OK)" \
|
||||||
|
"$P_SRV debug_level=2 auth_mode=optional" \
|
||||||
|
"$O_CLI -key data_files/server5.key \
|
||||||
|
-cert data_files/server5.eku-cs_any.crt" \
|
||||||
|
0 \
|
||||||
|
-S "bad certificate (usage extensions)" \
|
||||||
|
-S "Processing of the Certificate handshake message failed"
|
||||||
|
|
||||||
|
run_test "extKeyUsage cli-auth #4 (codeSign -> fail (soft))" \
|
||||||
|
"$P_SRV debug_level=2 auth_mode=optional" \
|
||||||
|
"$O_CLI -key data_files/server5.key \
|
||||||
|
-cert data_files/server5.eku-cs.crt" \
|
||||||
|
0 \
|
||||||
|
-s "bad certificate (usage extensions)" \
|
||||||
|
-S "Processing of the Certificate handshake message failed"
|
||||||
|
|
||||||
|
run_test "extKeyUsage cli-auth #4b (codeSign -> fail (hard))" \
|
||||||
|
"$P_SRV debug_level=2 auth_mode=required" \
|
||||||
|
"$O_CLI -key data_files/server5.key \
|
||||||
|
-cert data_files/server5.eku-cs.crt" \
|
||||||
|
1 \
|
||||||
|
-s "bad certificate (usage extensions)" \
|
||||||
|
-s "Processing of the Certificate handshake message failed"
|
||||||
|
|
||||||
# Final report
|
# Final report
|
||||||
|
|
||||||
echo "------------------------------------------------------------------------"
|
echo "------------------------------------------------------------------------"
|
||||||
|
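Review bot: `extKeyUsage srv #2 (serverAuth,clientAuth -> OK)` runs the server with `crt_file=data_files/server5.eku-srv.crt`, the same certificate as srv #1, so it never exercises the two-value certificate its title promises; the client-side counterpart cli #2 uses `server5.eku-srv_cli.crt`, and srv #2 should too. Likewise `extKeyUsage srv #4 (codeSign -> fail)` hands the server `server5.eku-cli.crt` (clientAuth) rather than `server5.eku-cs.crt`; it still fails as expected, but for a different reason than the title states, so the codeSigning-only case is left untested on the server side. Changing the two `crt_file=` lines to `crt_file=data_files/server5.eku-srv_cli.crt` and `crt_file=data_files/server5.eku-cs.crt` fixes both.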
@ -447,7 +447,7 @@ depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C
|
|||||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt_crl.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
|
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt_crl.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
|
||||||
|
|
||||||
X509 Certificate verification #53 (CA keyUsage missing cRLSign)
|
X509 Certificate verification #53 (CA keyUsage missing cRLSign)
|
||||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C
|
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C:POLARSSL_X509_CHECK_KEY_USAGE
|
||||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCRL_NOT_TRUSTED:"NULL"
|
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCRL_NOT_TRUSTED:"NULL"
|
||||||
|
|
||||||
X509 Certificate verification #54 (CA keyUsage missing cRLSign, no CRL)
|
X509 Certificate verification #54 (CA keyUsage missing cRLSign, no CRL)
|
||||||
@ -455,11 +455,11 @@ depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C
|
|||||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||||
|
|
||||||
X509 Certificate verification #55 (CA keyUsage missing keyCertSign)
|
X509 Certificate verification #55 (CA keyUsage missing keyCertSign)
|
||||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C
|
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C:POLARSSL_X509_CHECK_KEY_USAGE
|
||||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crl.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
|
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crl.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
|
||||||
|
|
||||||
X509 Certificate verification #55 (CA keyUsage plain wrong)
|
X509 Certificate verification #55 (CA keyUsage plain wrong)
|
||||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C
|
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C:POLARSSL_X509_CHECK_KEY_USAGE
|
||||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-ds.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
|
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-ds.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
|
||||||
|
|
||||||
X509 Parse Selftest
|
X509 Parse Selftest
|
||||||
@ -871,3 +871,24 @@ x509_check_key_usage:"data_files/server1.key_usage.crt":KU_KEY_CERT_SIGN|KU_CRL_
|
|||||||
X509 crt keyUsage #8 (extension present, combined KU one absent)
|
X509 crt keyUsage #8 (extension present, combined KU one absent)
|
||||||
x509_check_key_usage:"data_files/server1.key_usage.crt":KU_KEY_ENCIPHERMENT|KU_KEY_AGREEMENT:POLARSSL_ERR_X509_BAD_INPUT_DATA
|
x509_check_key_usage:"data_files/server1.key_usage.crt":KU_KEY_ENCIPHERMENT|KU_KEY_AGREEMENT:POLARSSL_ERR_X509_BAD_INPUT_DATA
|
||||||
|
|
||||||
|
X509 crt extendedKeyUsage #1 (no extension, serverAuth)
|
||||||
|
x509_check_extended_key_usage:"data_files/server5.crt":"2B06010505070301":0
|
||||||
|
|
||||||
|
X509 crt extendedKeyUsage #2 (single value, present)
|
||||||
|
x509_check_extended_key_usage:"data_files/server5.eku-srv.crt":"2B06010505070301":0
|
||||||
|
|
||||||
|
X509 crt extendedKeyUsage #3 (single value, absent)
|
||||||
|
x509_check_extended_key_usage:"data_files/server5.eku-cli.crt":"2B06010505070301":POLARSSL_ERR_X509_BAD_INPUT_DATA
|
||||||
|
|
||||||
|
X509 crt extendedKeyUsage #4 (two values, first)
|
||||||
|
x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2B06010505070301":0
|
||||||
|
|
||||||
|
X509 crt extendedKeyUsage #5 (two values, second)
|
||||||
|
x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2B06010505070302":0
|
||||||
|
|
||||||
|
X509 crt extendedKeyUsage #6 (two values, other)
|
||||||
|
x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2B06010505070303":POLARSSL_ERR_X509_BAD_INPUT_DATA
|
||||||
|
|
||||||
|
X509 crt extendedKeyUsage #7 (any, random)
|
||||||
|
x509_check_extended_key_usage:"data_files/server5.eku-cs_any.crt":"2B060105050703FF":0
|
||||||
|
|
||||||
|
@ -331,6 +331,25 @@ void x509_check_key_usage( char *crt_file, int usage, int ret )
|
|||||||
}
|
}
|
||||||
/* END_CASE */
|
/* END_CASE */
|
||||||
|
|
||||||
|
/* BEGIN_CASE depends_on:POLARSSL_X509_CRT_PARSE_C:POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE */
|
||||||
|
void x509_check_extended_key_usage( char *crt_file, char *usage_hex, int ret )
|
||||||
|
{
|
||||||
|
x509_crt crt;
|
||||||
|
char oid[50];
|
||||||
|
size_t len;
|
||||||
|
|
||||||
|
x509_crt_init( &crt );
|
||||||
|
|
||||||
|
len = unhexify( (unsigned char *) oid, usage_hex );
|
||||||
|
|
||||||
|
TEST_ASSERT( x509_crt_parse_file( &crt, crt_file ) == 0 );
|
||||||
|
|
||||||
|
TEST_ASSERT( x509_crt_check_extended_key_usage( &crt, oid, len ) == ret );
|
||||||
|
|
||||||
|
x509_crt_free( &crt );
|
||||||
|
}
|
||||||
|
/* END_CASE */
|
||||||
|
|
||||||
/* BEGIN_CASE depends_on:POLARSSL_X509_CRT_PARSE_C:POLARSSL_SELF_TEST */
|
/* BEGIN_CASE depends_on:POLARSSL_X509_CRT_PARSE_C:POLARSSL_SELF_TEST */
|
||||||
void x509_selftest()
|
void x509_selftest()
|
||||||
{
|
{
|
||||||
|
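Review bot: `unhexify( (unsigned char *) oid, usage_hex )` writes into the fixed `char oid[50]` with no check on the length of `usage_hex`, so a test vector longer than 100 hex digits would overflow the stack buffer silently instead of failing the case. A one-line precondition before the call, `TEST_ASSERT( strlen( usage_hex ) <= 2 * sizeof( oid ) );`, turns that into a reported failure. Whether a failed TEST_ASSERT after `x509_crt_parse_file` still reaches `x509_crt_free` depends on how TEST_ASSERT is defined in this framework, which is not visible here; if it returns directly, the parsed certificate leaks on a failing run.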