mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-22 12:35:40 +01:00
- Added prelimenary CRL parsing and info support
This commit is contained in:
parent
68041ec500
commit
d98030e7d6
@ -169,6 +169,46 @@ typedef struct _x509_cert
|
||||
}
|
||||
x509_cert;
|
||||
|
||||
typedef struct _x509_crl_entry
|
||||
{
|
||||
x509_buf raw;
|
||||
|
||||
x509_buf serial;
|
||||
|
||||
x509_time revocation_date;
|
||||
|
||||
x509_buf entry_ext;
|
||||
|
||||
struct _x509_crl_entry *next;
|
||||
}
|
||||
x509_crl_entry;
|
||||
|
||||
typedef struct _x509_crl
|
||||
{
|
||||
x509_buf raw;
|
||||
x509_buf tbs;
|
||||
|
||||
int version;
|
||||
x509_buf sig_oid1;
|
||||
|
||||
x509_buf issuer_raw;
|
||||
|
||||
x509_name issuer;
|
||||
|
||||
x509_time this_update;
|
||||
x509_time next_update;
|
||||
|
||||
x509_crl_entry entry;
|
||||
|
||||
x509_buf crl_ext;
|
||||
|
||||
x509_buf sig_oid2;
|
||||
x509_buf sig;
|
||||
|
||||
struct _x509_crl *next;
|
||||
}
|
||||
x509_crl;
|
||||
|
||||
/*
|
||||
* Structures for writing X.509 certificates
|
||||
*/
|
||||
@ -227,6 +267,29 @@ int x509parse_crt( x509_cert *chain, unsigned char *buf, int buflen );
|
||||
*/
|
||||
int x509parse_crtfile( x509_cert *chain, char *path );
|
||||
|
||||
/**
|
||||
* \brief Parse one or more CRLs and add them
|
||||
* to the chained list
|
||||
*
|
||||
* \param chain points to the start of the chain
|
||||
* \param buf buffer holding the CRL data
|
||||
* \param buflen size of the buffer
|
||||
*
|
||||
* \return 0 if successful, or a specific X509 error code
|
||||
*/
|
||||
int x509parse_crl( x509_crl *chain, unsigned char *buf, int buflen );
|
||||
|
||||
/**
|
||||
* \brief Load one or more CRLs and add them
|
||||
* to the chained list
|
||||
*
|
||||
* \param chain points to the start of the chain
|
||||
* \param path filename to read the CRLs from
|
||||
*
|
||||
* \return 0 if successful, or a specific X509 error code
|
||||
*/
|
||||
int x509parse_crlfile( x509_crl *chain, char *path );
|
||||
|
||||
/**
|
||||
* \brief Parse a private RSA key
|
||||
*
|
||||
@ -255,15 +318,21 @@ int x509parse_keyfile( rsa_context *rsa, char *path, char *password );
|
||||
|
||||
/**
|
||||
* \brief Store the certificate DN in printable form into buf;
|
||||
* no more than (end - buf) characters will be written.
|
||||
* no more than size characters will be written.
|
||||
*/
|
||||
int x509parse_dn_gets( char *buf, char *end, x509_name *dn );
|
||||
int x509parse_dn_gets( char *buf, size_t size, x509_name *dn );
|
||||
|
||||
/**
|
||||
* \brief Returns an informational string about the
|
||||
* certificate.
|
||||
*/
|
||||
char *x509parse_cert_info( char *prefix, x509_cert *crt );
|
||||
int x509parse_cert_info( char *buf, size_t size, char *prefix, x509_cert *crt );
|
||||
|
||||
/**
|
||||
* \brief Returns an informational string about the
|
||||
* CRL.
|
||||
*/
|
||||
int x509parse_crl_info( char *buf, size_t size, char *prefix, x509_crl *crl );
|
||||
|
||||
/**
|
||||
* \brief Return 0 if the certificate is still valid,
|
||||
@ -299,6 +368,11 @@ int x509parse_verify( x509_cert *crt,
|
||||
*/
|
||||
void x509_free( x509_cert *crt );
|
||||
|
||||
/**
|
||||
* \brief Unallocate all CRL data
|
||||
*/
|
||||
void x509_crl_free( x509_crl *crl );
|
||||
|
||||
/**
|
||||
* \brief Checkup routine
|
||||
*
|
||||
|
@ -171,7 +171,7 @@ void debug_print_mpi( ssl_context *ssl, int level,
|
||||
void debug_print_crt( ssl_context *ssl, int level,
|
||||
char *file, int line, char *text, x509_cert *crt )
|
||||
{
|
||||
char str[1024], prefix[64], *p;
|
||||
char str[1024], prefix[64];
|
||||
int i = 0, maxlen = sizeof( prefix ) - 1;
|
||||
|
||||
if( ssl->f_dbg == NULL || crt == NULL )
|
||||
@ -183,10 +183,11 @@ void debug_print_crt( ssl_context *ssl, int level,
|
||||
|
||||
while( crt != NULL && crt->next != NULL )
|
||||
{
|
||||
p = x509parse_cert_info( prefix, crt );
|
||||
char buf[1024];
|
||||
x509parse_cert_info( buf, sizeof( buf ) - 1, prefix, crt );
|
||||
|
||||
snprintf( str, maxlen, "%s(%04d): %s #%d:\n%s",
|
||||
file, line, text, ++i, p );
|
||||
file, line, text, ++i, buf );
|
||||
|
||||
str[maxlen] = '\0';
|
||||
ssl->f_dbg( ssl->p_dbg, level, str );
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -208,7 +208,8 @@ int main( void )
|
||||
printf( " ok\n" );
|
||||
|
||||
printf( " . Peer certificate information ...\n" );
|
||||
printf( x509parse_cert_info( " ", ssl.peer_cert ) );
|
||||
x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ", ssl.peer_cert );
|
||||
printf( "%s\n", buf );
|
||||
|
||||
/*
|
||||
* 6. Write the GET request
|
||||
|
@ -28,33 +28,41 @@
|
||||
#include "polarssl/certs.h"
|
||||
#include "polarssl/x509.h"
|
||||
|
||||
#define MAX_CLIENT_CERTS 6
|
||||
#if defined _MSC_VER && !defined snprintf
|
||||
#define snprintf _snprintf
|
||||
#endif
|
||||
|
||||
#define MAX_CLIENT_CERTS 6
|
||||
|
||||
char *client_certificates[MAX_CLIENT_CERTS] =
|
||||
{
|
||||
"client1.crt",
|
||||
"client2.crt",
|
||||
"cert_sha224.crt",
|
||||
"cert_sha256.crt",
|
||||
"cert_sha384.crt",
|
||||
"cert_sha512.crt"
|
||||
"client1.crt",
|
||||
"client2.crt",
|
||||
"cert_sha224.crt",
|
||||
"cert_sha256.crt",
|
||||
"cert_sha384.crt",
|
||||
"cert_sha512.crt"
|
||||
};
|
||||
|
||||
char *client_private_keys[MAX_CLIENT_CERTS] =
|
||||
{
|
||||
"client1.key",
|
||||
"client2.key",
|
||||
"cert_sha224.key",
|
||||
"cert_sha256.key",
|
||||
"cert_sha384.key",
|
||||
"cert_sha512.key"
|
||||
"client1.key",
|
||||
"client2.key",
|
||||
"cert_sha224.key",
|
||||
"cert_sha256.key",
|
||||
"cert_sha384.key",
|
||||
"cert_sha512.key"
|
||||
};
|
||||
|
||||
int main( void )
|
||||
{
|
||||
int ret, i;
|
||||
x509_cert cacert, clicert;
|
||||
rsa_context rsa;
|
||||
x509_cert cacert;
|
||||
x509_crl crl;
|
||||
char buf[10240];
|
||||
|
||||
memset( &cacert, 0, sizeof( x509_cert ) );
|
||||
memset( &crl, 0, sizeof( x509_crl ) );
|
||||
|
||||
/*
|
||||
* 1.1. Load the trusted CA
|
||||
@ -62,8 +70,6 @@ int main( void )
|
||||
printf( "\n . Loading the CA root certificate ..." );
|
||||
fflush( stdout );
|
||||
|
||||
memset( &cacert, 0, sizeof( x509_cert ) );
|
||||
|
||||
/*
|
||||
* Alternatively, you may load the CA certificates from a .pem or
|
||||
* .crt file by calling x509parse_crtfile( &cacert, "myca.crt" ).
|
||||
@ -77,97 +83,119 @@ int main( void )
|
||||
|
||||
printf( " ok\n" );
|
||||
|
||||
/*
|
||||
* 1.2. Load the CRL
|
||||
*/
|
||||
printf( " . Loading the CRL ..." );
|
||||
fflush( stdout );
|
||||
|
||||
ret = x509parse_crlfile( &crl, "ssl/test-ca/crl.pem" );
|
||||
if( ret != 0 )
|
||||
{
|
||||
printf( " failed\n ! x509parse_crlfile returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
printf( " ok\n" );
|
||||
|
||||
x509parse_crl_info( buf, 1024, "CRL: ", &crl );
|
||||
printf("%s\n", buf );
|
||||
|
||||
for( i = 0; i < MAX_CLIENT_CERTS; i++ )
|
||||
{
|
||||
/*
|
||||
* 1.2. Load own certificate
|
||||
* 1.3. Load own certificate
|
||||
*/
|
||||
char name[512];
|
||||
int flags;
|
||||
|
||||
snprintf(name, 512, "ssl/test-ca/%s", client_certificates[i]);
|
||||
|
||||
printf( " . Loading the client certificatei %s...", name );
|
||||
fflush( stdout );
|
||||
char name[512];
|
||||
int flags;
|
||||
x509_cert clicert;
|
||||
rsa_context rsa;
|
||||
|
||||
memset( &clicert, 0, sizeof( x509_cert ) );
|
||||
memset( &rsa, 0, sizeof( rsa_context ) );
|
||||
|
||||
snprintf(name, 512, "ssl/test-ca/%s", client_certificates[i]);
|
||||
|
||||
printf( " . Loading the client certificate %s...", name );
|
||||
fflush( stdout );
|
||||
|
||||
ret = x509parse_crtfile( &clicert, name );
|
||||
if( ret != 0 )
|
||||
{
|
||||
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
if( ret != 0 )
|
||||
{
|
||||
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
printf( " ok\n" );
|
||||
|
||||
/*
|
||||
* 1.3. Verify certificate validity with CA certificate
|
||||
*/
|
||||
printf( " . Verify the client certificate with CA certificate..." );
|
||||
fflush( stdout );
|
||||
|
||||
ret = x509parse_verify( &clicert, &cacert, NULL, &flags );
|
||||
if( ret != 0 )
|
||||
{
|
||||
printf( " failed\n ! x509parse_verify returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
printf( " ok\n" );
|
||||
printf( " ok\n" );
|
||||
|
||||
/*
|
||||
* 1.4. Load own private key
|
||||
* 1.4. Verify certificate validity with CA certificate
|
||||
*/
|
||||
snprintf(name, 512, "ssl/test-ca/%s", client_private_keys[i]);
|
||||
printf( " . Verify the client certificate with CA certificate..." );
|
||||
fflush( stdout );
|
||||
|
||||
ret = x509parse_verify( &clicert, &cacert, NULL, &flags );
|
||||
if( ret != 0 )
|
||||
{
|
||||
printf( " failed\n ! x509parse_verify returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
printf( " ok\n" );
|
||||
|
||||
/*
|
||||
* 1.5. Load own private key
|
||||
*/
|
||||
snprintf(name, 512, "ssl/test-ca/%s", client_private_keys[i]);
|
||||
|
||||
printf( " . Loading the client private key %s...", name );
|
||||
fflush( stdout );
|
||||
|
||||
memset( &rsa, 0, sizeof( rsa_context ) );
|
||||
ret = x509parse_keyfile( &rsa, name, NULL );
|
||||
if( ret != 0 )
|
||||
{
|
||||
printf( " failed\n ! x509parse_key returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
ret = x509parse_keyfile( &rsa, name, NULL );
|
||||
if( ret != 0 )
|
||||
{
|
||||
printf( " failed\n ! x509parse_key returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
printf( " ok\n" );
|
||||
|
||||
printf( " ok\n" );
|
||||
/*
|
||||
* 1.5. Verify certificate validity with private key
|
||||
*/
|
||||
printf( " . Verify the client certificate with private key..." );
|
||||
fflush( stdout );
|
||||
|
||||
/*
|
||||
* 1.4. Verify certificate validity with private key
|
||||
*/
|
||||
printf( " . Verify the client certificate with private key..." );
|
||||
fflush( stdout );
|
||||
ret = mpi_cmp_mpi(&rsa.N, &clicert.rsa.N);
|
||||
if( ret != 0 )
|
||||
{
|
||||
printf( " failed\n ! mpi_cmp_mpi for N returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
ret = mpi_cmp_mpi(&rsa.N, &clicert.rsa.N);
|
||||
if( ret != 0 )
|
||||
{
|
||||
printf( " failed\n ! mpi_cmp_mpi for N returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
ret = mpi_cmp_mpi(&rsa.E, &clicert.rsa.E);
|
||||
if( ret != 0 )
|
||||
{
|
||||
printf( " failed\n ! mpi_cmp_mpi for E returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
ret = mpi_cmp_mpi(&rsa.E, &clicert.rsa.E);
|
||||
if( ret != 0 )
|
||||
{
|
||||
printf( " failed\n ! mpi_cmp_mpi for E returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
ret = rsa_check_privkey( &rsa );
|
||||
if( ret != 0 )
|
||||
{
|
||||
printf( " failed\n ! rsa_check_privkey returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
ret = rsa_check_privkey( &rsa );
|
||||
if( ret != 0 )
|
||||
{
|
||||
printf( " failed\n ! rsa_check_privkey returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
printf( " ok\n" );
|
||||
|
||||
printf( " ok\n" );
|
||||
x509_free( &clicert );
|
||||
rsa_free( &rsa );
|
||||
}
|
||||
|
||||
exit:
|
||||
x509_free( &clicert );
|
||||
x509_free( &cacert );
|
||||
x509_crl_free( &crl );
|
||||
|
||||
#ifdef WIN32
|
||||
printf( " + Press Enter to exit this program.\n" );
|
||||
|
Loading…
Reference in New Issue
Block a user