Hanno Becker
3c89dca09e
Omit version from X.509 v1 certificates
...
The version field in an X.509 certificate is optional and defaults to v1, so it
may be omitted in this case.
2017-10-05 07:39:45 +01:00
Hanno Becker
88252333e2
Fix typo
2017-07-28 13:15:57 +01:00
Hanno Becker
806c680eba
Improve Readme for long test certificate chains
2017-07-28 13:15:57 +01:00
Janos Follath
1fbc5fb027
Fix typos
2017-07-28 13:15:57 +01:00
Manuel Pégourié-Gonnard
e23f7b312d
Make test script more portable
...
seq isn't POSIX and isn't present by default on BSDs
2017-07-28 13:15:57 +01:00
Manuel Pégourié-Gonnard
7ac50196f3
Add test for limit on intermediate certificates
...
Inspired by test code provided by Nicholas Wilson in PR #351 .
The test will fail if someone sets MAX_INTERMEDIATE_CA to a value larger than
18 (default is 8), which is hopefully unlikely and can easily be fixed by
running long.sh again with a larger value if it ever happens.
Current behaviour is suboptimal as flags are not set, but currently the goal
is only to document/test existing behaviour.
2017-07-28 13:15:14 +01:00
Simon Butcher
9fb2828aee
Merge branch 'mbedtls-1.3-iotssl-1071-ca-flags'
...
Fixes a regression introduced by an earlier commit that modified
x509_crt_verify_top() to ensure that valid certificates that are after past or
future valid in the chain are processed. However the change introduced a change
in behaviour that caused the verification flags MBEDTLS_X509_BADCERT_EXPIRED and
MBEDTLS_BADCERT_FUTURE to always be set whenever there is a failure in the
verification regardless of the cause.
The fix maintains both behaviours:
* Ensure that valid certificates after future and past are verified
* Ensure that the correct verification flags are set.
2017-02-27 21:25:03 +00:00
Andres AG
28ba747c8c
Add tests for out flags from x509_crt_verify_top()
...
The tests load certificate chains from files. The CA chains contain a
past or future certificate and an invalid certificate. The test then
checks that the flags set are BADCERT_EXPIRED or BADCERT_FUTURE.
2017-01-20 17:12:43 +00:00
Andres AG
67c6df4a8a
Add test for infinite loop in CRL parse
2017-01-19 17:16:47 +00:00
Janos Follath
486c4f9a33
X509: Future CA among trusted: add more tests
2016-10-13 12:43:11 +01:00
Janos Follath
c35f458d94
X509: Future CA among trusted: add unit tests
2016-10-13 12:43:11 +01:00
Manuel Pégourié-Gonnard
6ad4f65780
Add test case for root with max_pathlen=0
...
This was already working but not tested so far
(Test case from previous commit still failing.)
Test certificates generated with:
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert91.key
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert92.key
programs/x509/cert_write serial=91 output_file=cert91.crt is_ca=1 \
issuer_key=cert91.key issuer_name="CN=Root 9,O=mbed TLS,C=UK" \
selfsign=1 max_pathlen=0
programs/x509/cert_write serial=92 output_file=cert92.crt \
issuer_key=cert91.key issuer_name="CN=Root 9,O=mbed TLS,C=UK" \
subject_key=cert92.key subject_name="CN=EE 92,O=mbed TLS,C=UK"
mv cert9?.crt tests/data_files/dir4
rm cert9?.key
2015-11-19 12:02:29 +01:00
Manuel Pégourié-Gonnard
c058074836
Add test case for first intermediate max_pathlen=0
...
!!! This test case is currently failing !!!
(See fix in next-next commit.)
Test certificates generated with the following script:
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert81.key
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert82.key
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert83.key
programs/x509/cert_write serial=81 output_file=cert81.crt is_ca=1 \
issuer_key=cert81.key issuer_name="CN=Root 8,O=mbed TLS,C=UK" \
selfsign=1
programs/x509/cert_write serial=82 output_file=cert82.crt is_ca=1 \
issuer_key=cert81.key issuer_name="CN=Root 8,O=mbed TLS,C=UK" \
subject_key=cert82.key subject_name="CN=Int 82,O=mbed TLS,C=UK" \
max_pathlen=0
programs/x509/cert_write serial=83 output_file=cert83.crt \
issuer_key=cert82.key issuer_name="CN=Int 82,O=mbed TLS,C=UK" \
subject_key=cert83.key subject_name="CN=EE 83,O=mbed TLS,C=UK"
mv cert8?.crt tests/data_files/dir4
rm cert8?.key
2015-11-19 12:01:11 +01:00
Janos Follath
3d98a7eee3
Additional corner cases for testing pathlen constrains. Just in case.
...
backport of ef4f258
2015-10-28 18:20:43 +01:00
Janos Follath
189c743d3e
Added test case for pathlen constrains in intermediate certificates
...
backport of 822b2c3
2015-10-28 18:15:48 +01:00
Jonathan Leroy
094788ed7d
Test certificate "Server1 SHA1, key_usage" reissued.
2015-10-27 15:12:39 +01:00
Manuel Pégourié-Gonnard
15f1088ef6
Add tests for verify callback
...
As we're about to change the chain construction logic, we want to make sure
the callback will still be called exactly when it should, and not on the
(upcoming) ignored certs in the chain.
backport of 560fea3
2015-09-01 18:29:59 +02:00
Manuel Pégourié-Gonnard
b5d77d3fd9
Accept a trailing space at end of PEM lines
...
With certs being copy-pasted from webmails and all, this will probably become
more and more common.
2015-08-10 12:01:50 +02:00
Manuel Pégourié-Gonnard
5119df2022
Add test case for dh params with privateValueLength
2015-04-15 13:50:29 +02:00
Manuel Pégourié-Gonnard
e6c8366b46
Fix bug in pk_parse_key()
2015-04-15 11:21:24 +02:00
Paul Bakker
6152b0267c
Fixed typos
2015-04-14 15:00:09 +02:00
Manuel Pégourié-Gonnard
39ead3ef2f
Add test certificate for bitstring in DN
2015-03-27 13:11:33 +01:00
Manuel Pégourié-Gonnard
57a5d60abb
Add tests for concatenated CRLs
2014-11-19 16:08:34 +01:00
Manuel Pégourié-Gonnard
4be3449dbc
Add Readme about X.509 test files
2014-11-19 14:03:59 +01:00
Manuel Pégourié-Gonnard
9c911da68f
Add tests for X.509 name encoding mismatch
2014-10-17 12:42:31 +02:00
Manuel Pégourié-Gonnard
64938c63f0
Accept spaces at end of line/buffer in base64
2014-10-15 23:53:33 +02:00
Manuel Pégourié-Gonnard
da1b4de0e4
Increase MPI_MAX_BYTES to allow RSA 8192
2014-10-15 22:06:46 +02:00
Paul Bakker
5a5fa92bfe
x509_crt_parse() did not increase total_failed on PEM error
...
Result was that PEM errors in files with multiple certificates were not
detectable by the user.
2014-10-03 15:47:13 +02:00
Manuel Pégourié-Gonnard
192253aaa9
Fix buffer size in pk_write_*_pem()
2014-08-14 11:34:35 +02:00
Manuel Pégourié-Gonnard
d249b7ab9a
Restore ability to trust non-CA selfsigned EE cert
2014-06-25 11:26:13 +02:00
Manuel Pégourié-Gonnard
c4eff16516
Restore ability to use v1 CA if trusted locally
2014-06-25 11:26:12 +02:00
Manuel Pégourié-Gonnard
5873b00b7f
Add pathological RSASSA-PSS test certificates
...
Certificates announcing different PSS options than the ones actually used for
the signature. Makes sure the options are correctly passed to the verification
function.
2014-06-07 11:21:52 +02:00
Manuel Pégourié-Gonnard
eacccb7fb9
Add RSASSA-PSS certificate with all defaults
2014-06-05 18:00:08 +02:00
Manuel Pégourié-Gonnard
53882023e7
Also verify CRLs signed with RSASSA-PSS
2014-06-05 17:59:55 +02:00
Manuel Pégourié-Gonnard
920e1cd5e2
Add basic PSS cert verification
...
Still todo:
- handle MGF-hash != sign-hash
- check effective salt len == announced salt len
- add support in the PK layer so that we don't have to bypass it here
2014-06-04 12:09:08 +02:00
Manuel Pégourié-Gonnard
39868ee301
Parse CSRs signed with RSASSA-PSS
2014-06-02 16:10:30 +02:00
Manuel Pégourié-Gonnard
2a8d7fd76e
Add tests for parsing CSRs
2014-06-02 16:10:29 +02:00
Manuel Pégourié-Gonnard
8e42ff6bde
Parse CRLs signed with RSASSA-PSS
2014-06-02 16:10:29 +02:00
Manuel Pégourié-Gonnard
e76b750b69
Finish parsing RSASSA-PSS parameters
2014-06-02 16:10:29 +02:00
Manuel Pégourié-Gonnard
59a75d5b9d
Basic parsing of certs signed with RSASSA-PSS
2014-06-02 16:10:29 +02:00
Manuel Pégourié-Gonnard
7afb8a0dca
Add x509_crt_check_extended_key_usage()
2014-04-11 11:09:00 +02:00
Manuel Pégourié-Gonnard
99d4f19111
Add keyUsage checking for CAs
2014-04-09 15:50:58 +02:00
Manuel Pégourié-Gonnard
7f2a07d7b2
Check keyUsage in SSL client and server
2014-04-09 15:50:57 +02:00
Manuel Pégourié-Gonnard
3fec220a33
Add test for dhm_parse_dhmfile
2014-04-04 16:42:44 +02:00
Manuel Pégourié-Gonnard
6c1a73e061
Improve x509xrite_csr testing: extensions, version
2014-04-04 16:33:01 +02:00
Manuel Pégourié-Gonnard
c5ce83a3b8
Improve x509xrite_csr testing: extensions, ECDSA
2014-04-04 16:33:01 +02:00
Manuel Pégourié-Gonnard
6c33a16dae
Add previously forgotten test files... oops!
2014-04-04 16:23:29 +02:00
Manuel Pégourié-Gonnard
f6f4ab40d3
Print extended key usage in x509_crt_info()
2014-04-04 14:01:39 +02:00
Manuel Pégourié-Gonnard
76b8ab73cd
ssl-opt.sh: address some robustness issues
2014-03-26 14:21:34 +01:00
Manuel Pégourié-Gonnard
a11a77f316
Add test for SpecifiedECDomain
2014-03-19 16:50:59 +01:00