Andres Amaya Garcia
b1d78fcf70
Improve leap year test names in x509parse.data
2017-10-12 21:03:15 +01:00
Andres Amaya Garcia
bc041130b0
Correctly handle leap year in x509_date_is_valid()
...
This patch ensures that invalid dates on leap years with 100 or 400
years intervals are handled correctly.
2017-10-12 21:03:01 +01:00
Manuel Pégourié-Gonnard
c386317298
Only return VERIFY_FAILED from a single point
...
Everything else is a fatal error. Also improve documentation about that for
the vrfy callback.
2017-07-28 12:20:48 +01:00
Manuel Pégourié-Gonnard
489939f829
Improve behaviour on fatal errors
...
If we didn't walk the whole chain, then there may be any kind of errors in the
part of the chain we didn't check, so setting all flags looks like the safe
thing to do.
2017-07-28 12:20:47 +01:00
Manuel Pégourié-Gonnard
4770dbc913
Add test for limit on intermediate certificates
...
Inspired by test code provided by Nicholas Wilson in PR #351 .
The test will fail if someone sets MAX_INTERMEDIATE_CA to a value larger than
18 (default is 8), which is hopefully unlikely and can easily be fixed by
running long.sh again with a larger value if it ever happens.
Current behaviour is suboptimal as flags are not set, but currently the goal
is only to document/test existing behaviour.
2017-07-28 12:19:49 +01:00
Andres AG
ad6cf99d6d
Add CRT DER tests with incorrect version
2017-07-26 18:01:54 +01:00
Andres AG
9674a628e5
Add CRL DER tests with incorrect version
2017-07-26 18:01:43 +01:00
Andres AG
7ebf632b3e
Add CSR DER tests with incorrect version
2017-07-26 18:01:32 +01:00
Gilles Peskine
c4cb493174
Cleaned up negative test predicate for test case
...
The test infrastructure does support negative predicates for test
cases, thanks to Andreas for letting me know.
2017-06-06 19:09:04 +02:00
Gilles Peskine
7344e1bd05
SHA-1 deprecation: allow it in key exchange
...
By default, keep allowing SHA-1 in key exchange signatures. Disabling
it causes compatibility issues, especially with clients that use
TLS1.2 but don't send the signature_algorithms extension.
SHA-1 is forbidden in certificates by default, since it's vulnerable
to offline collision-based attacks.
2017-06-06 19:09:02 +02:00
Gilles Peskine
e7375ef314
X.509 tests: obey compile-time SHA-1 support option
...
There is now one test case to validate that SHA-1 is rejected in
certificates by default, and one test case to validate that SHA-1 is
supported if MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 is #defined.
2017-06-06 19:08:23 +02:00
Gilles Peskine
559674ce48
Test that X.509 verification rejects SHA-256 by default
2017-06-06 19:08:23 +02:00
Gilles Peskine
dd57d75dfa
Allow SHA-1 in X.509 and TLS tests
...
SHA-1 is now disabled by default in the X.509 layer. Explicitly enable
it in our tests for now. Updating all the test data to SHA-256 should
be done over time.
2017-06-06 19:08:23 +02:00
Janos Follath
a841d75aad
Add unit tests for X509 certificate date parsing
2017-02-28 14:17:32 +00:00
Simon Butcher
d352e6dfcc
Merge branch 'mbedtls-2.1-iotssl-1071-ca-flags'
...
Fixes a regression introduced by an earlier commit that modified
x509_crt_verify_top() to ensure that valid certificates that are after past or
future valid in the chain are processed. However the change introduced a change
in behaviour that caused the verification flags MBEDTLS_X509_BADCERT_EXPIRED and
MBEDTLS_BADCERT_FUTURE to always be set whenever there is a failure in the
verification regardless of the cause.
The fix maintains both behaviours:
* Ensure that valid certificates after future and past are verified
* Ensure that the correct verification flags are set.
2017-02-27 20:24:55 +00:00
Andres AG
3da3b6eccb
Add tests for out flags from x509_crt_verify_top()
...
The tests load certificate chains from files. The CA chains contain a
past or future certificate and an invalid certificate. The test then
checks that the flags set are MBEDTLS_X509_BADCERT_EXPIRED or
MBEDTLS_X509_BADCERT_FUTURE.
2017-01-20 16:38:25 +00:00
Andres AG
978bdf9575
Add test for infinite loop in CRL parse
2017-01-19 17:13:36 +00:00
Andres AG
53d77130fc
Add check for validity of date in x509_get_time()
2016-10-13 16:24:12 +01:00
Simon Butcher
8b459923ac
Add missing dependencies to X509 Parse test suite for P-384 curve
...
The test script curves.pl was failing on testing dependencies for the P-384
curve on the new test cases introduced by ede75f0
and 884b4fc
.
2016-07-15 12:53:25 +01:00
Janos Follath
e223527da0
X509: Future CA among trusted: add more tests
2016-07-14 12:02:56 +01:00
Janos Follath
38921c8837
X509: Future CA among trusted: add unit tests
2016-07-14 12:02:50 +01:00
Janos Follath
f6f5441fd1
x509: trailing bytes in DER: correct a unit test
...
One of the unit test was failing, because it was testing behavior
that was part of the bug. Updated the return value to the correct one
2016-03-15 23:48:25 +00:00
Manuel Pégourié-Gonnard
3cb2074a82
Add test case for root with max_pathlen=0
...
This was already working but not tested so far
(Test case from previous commit still failing.)
Test certificates generated with:
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert91.key
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert92.key
programs/x509/cert_write serial=91 output_file=cert91.crt is_ca=1 \
issuer_key=cert91.key issuer_name="CN=Root 9,O=mbed TLS,C=UK" \
selfsign=1 max_pathlen=0
programs/x509/cert_write serial=92 output_file=cert92.crt \
issuer_key=cert91.key issuer_name="CN=Root 9,O=mbed TLS,C=UK" \
subject_key=cert92.key subject_name="CN=EE 92,O=mbed TLS,C=UK"
mv cert9?.crt tests/data_files/dir4
rm cert9?.key
2015-11-19 11:25:30 +01:00
Manuel Pégourié-Gonnard
922cd9ba36
Add test case for first intermediate max_pathlen=0
...
!!! This test case is currently failing !!!
(See fix in next-next commit.)
Test certificates generated with the following script:
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert81.key
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert82.key
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert83.key
programs/x509/cert_write serial=81 output_file=cert81.crt is_ca=1 \
issuer_key=cert81.key issuer_name="CN=Root 8,O=mbed TLS,C=UK" \
selfsign=1
programs/x509/cert_write serial=82 output_file=cert82.crt is_ca=1 \
issuer_key=cert81.key issuer_name="CN=Root 8,O=mbed TLS,C=UK" \
subject_key=cert82.key subject_name="CN=Int 82,O=mbed TLS,C=UK" \
max_pathlen=0
programs/x509/cert_write serial=83 output_file=cert83.crt \
issuer_key=cert82.key issuer_name="CN=Int 82,O=mbed TLS,C=UK" \
subject_key=cert83.key subject_name="CN=EE 83,O=mbed TLS,C=UK"
mv cert8?.crt tests/data_files/dir4
rm cert8?.key
2015-11-19 11:25:27 +01:00
Manuel Pégourié-Gonnard
fd1f9e735e
Fix whitespace at EOL issues
2015-11-02 05:55:58 +09:00
Manuel Pégourié-Gonnard
841caf1b74
Use symbolic constants in test data
2015-11-02 05:55:39 +09:00
Janos Follath
36f1234d96
Additional corner cases for testing pathlen constrains. Just in case.
2015-11-02 05:55:15 +09:00
Janos Follath
c7bea3158a
Added test case for pathlen constrains in intermediate certificates
2015-11-02 05:55:02 +09:00
Manuel Pégourié-Gonnard
93080dfacf
Fix missing check for RSA key length on EE certs
...
- also adapt tests to use lesser requirement for compatibility with old
testing material
2015-10-28 13:22:32 +01:00
Manuel Pégourié-Gonnard
fdbdd72b8b
Skip to trusted certs early in the chain
...
This helps in the case where an intermediate certificate is directly trusted.
In that case we want to ignore what comes after it in the chain, not only for
performance but also to avoid false negatives (eg an old root being no longer
trusted while the newer intermediate is directly trusted).
closes #220
2015-09-01 17:24:42 +02:00
Manuel Pégourié-Gonnard
560fea3767
Add tests for verify callback
...
As we're about to change the chain construction logic, we want to make sure
the callback will still be called exactly when it should, and not on the
(upcoming) ignored certs in the chain.
2015-09-01 17:24:42 +02:00
Manuel Pégourié-Gonnard
052d10c9d5
Accept a trailing space at end of PEM lines
...
With certs being copy-pasted from webmails and all, this will probably become
more and more common.
closes #226
2015-07-31 11:11:26 +02:00
Manuel Pégourié-Gonnard
655a964539
Adapt check_key_usage to new weird bits
2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
9a702255f4
Add parsing/printing for new X.509 keyUsage flags
2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
d5f38b045d
Fix dependencies on time on x509 test suite
2015-06-22 14:40:56 +02:00
Manuel Pégourié-Gonnard
cbb1f6e5cb
Implement cert profile checking
2015-06-17 14:27:38 +02:00
Manuel Pégourié-Gonnard
9505164ef4
Create cert profile API (unimplemented yet)
2015-06-17 14:27:38 +02:00
Manuel Pégourié-Gonnard
bc7bbbc85a
Remove duplicated tests for x509_verify_info()
2015-06-17 14:27:38 +02:00
Manuel Pégourié-Gonnard
c730ed3f2d
Rename boolean functions to be clearer
2015-06-02 10:38:50 +01:00
Manuel Pégourié-Gonnard
e6028c93f5
Fix some X509 macro names
...
For some reason, during the great renaming, some names that should have been
prefixed with MBEDTLS_X509_ have only been prefixed with MBEDTLS_
2015-04-20 12:19:02 +01:00
Manuel Pégourié-Gonnard
e75fa70b36
Merge branch 'mbedtls-1.3' into development
...
* mbedtls-1.3:
Make results of (ext)KeyUsage accessible
Use x509_crt_verify_info() in programs
Add x509_crt_verify_info()
Conflicts:
ChangeLog
include/mbedtls/x509_crt.h
include/polarssl/ssl.h
include/polarssl/x509.h
library/ssl_srv.c
library/ssl_tls.c
library/x509_crt.c
programs/ssl/ssl_client1.c
programs/ssl/ssl_client2.c
programs/ssl/ssl_mail_client.c
programs/ssl/ssl_server2.c
programs/test/ssl_cert_test.c
programs/x509/cert_app.c
tests/ssl-opt.sh
tests/suites/test_suite_x509parse.function
2015-04-20 11:51:34 +01:00
Manuel Pégourié-Gonnard
b5f48ad82f
manually merge 39a183a
add x509_crt_verify_info()
2015-04-20 11:22:57 +01:00
Manuel Pégourié-Gonnard
39a183a629
Add x509_crt_verify_info()
2015-04-17 17:24:25 +02:00
Manuel Pégourié-Gonnard
2cf5a7c98e
The Great Renaming
...
A simple execution of tmp/invoke-rename.pl
2015-04-08 13:25:31 +02:00
Manuel Pégourié-Gonnard
932e3934bd
Fix typos & Co
2015-04-03 18:46:55 +02:00
Manuel Pégourié-Gonnard
39ead3ef2f
Add test certificate for bitstring in DN
2015-03-27 13:11:33 +01:00
Manuel Pégourié-Gonnard
555fbf8758
Support composite RDNs in X.509 certs parsing
2015-02-04 17:11:55 +00:00
Manuel Pégourié-Gonnard
5c2aa10c15
Fix curve dependency issues in X.509 test suite
2014-11-20 16:36:07 +01:00
Manuel Pégourié-Gonnard
57a5d60abb
Add tests for concatenated CRLs
2014-11-19 16:08:34 +01:00
Manuel Pégourié-Gonnard
8a5e3d4a40
Forbid repeated X.509 extensions
2014-11-12 18:13:58 +01:00