Hanno Becker
81535d0011
Minor style and typo corrections
2017-09-14 07:51:54 +01:00
Hanno Becker
476986547b
Omit version from X.509 v1 certificates
...
The version field in an X.509 certificate is optional and defaults to v1, so it
may be omitted in this case.
2017-09-14 07:51:54 +01:00
Hanno Becker
418a62242b
Extend tests/data_files/Makefile to include CRT's for CRT write test
2017-09-14 07:51:28 +01:00
Hanno Becker
5a4f172522
Add suffix for 1024-bit RSA key files
...
Previously, 2048-bit and 4096-bit RSA key files had their bitsize indicated in their filename, while the original
1024-bit keys hadn't. This commit unifies the naming scheme by always indicating the bitsize in the filename.
2017-09-07 15:40:30 +01:00
Hanno Becker
c8063c58f0
Correct Makefile in tests/data_files
...
The documentation of the target `all_final` was no longer accurate, and numerous non-file targets were missing in the
.PHONY section.
2017-09-07 15:30:12 +01:00
Hanno Becker
8fdfc98676
Update keyfiles
...
This commit replaces the previous keyfiles with those generated by the commands added in the previous commit.
2017-09-05 10:08:37 +01:00
Hanno Becker
d16f6126c7
Add RSA key generation commands to test Makefile
...
This commit adds the commands used to generate the various RSA keys to tests/Makefile so that they can be easily
regenerated or modified, e.g. if larger key sizes or other encryption algorithms need to be tested in the future.
2017-09-05 10:08:37 +01:00
Hanno Becker
37c6b6b339
Add tests for encrypted 2048 and 4096-bit RSA keys
2017-08-26 09:22:14 +01:00
Manuel Pégourié-Gonnard
5faafa76cf
Update X.509 test certs' Readme
2017-08-17 10:13:00 +02:00
Manuel Pégourié-Gonnard
8b59049407
Make verify() actually restartable
2017-08-15 10:45:09 +02:00
Manuel Pégourié-Gonnard
d19a41d9aa
Add tests for verify_restartable()
...
For selection of test cases, see comments added in the commit.
It makes the most sense to test with chains using ECC only, so for the chain
of length 2 we use server10 -> int-ca3 -> int-ca2 and trust int-ca2 directly.
Note: server10.crt was created by copying server10_int3_int-ca2.crt and
manually truncating it to remove the intermediates. That base can now be used
to create derived certs (without or with a chain) in a programmatic way.
2017-08-15 10:44:08 +02:00
Manuel Pégourié-Gonnard
7ff243a87c
Add missing dependency in test-certs Makefile
2017-08-08 18:54:13 +02:00
Manuel Pégourié-Gonnard
2d825d42bb
Add test for same CA with different keys
...
When a trusted CA is rolling its root keys, it could happen that for some
users the list of trusted roots contains two versions of the same CA with the
same name but different keys. Currently this is supported but wasn't tested.
Note: the intermediate file test-ca-alt.csr is commited on purpose, as not
commiting intermediate files causes make to regenerate files that we don't
want it to touch.
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
c10afdb322
Add test for CA forgery attempt
...
As we accept EE certs that are explicitly trusted (in the list of trusted
roots) and usually look for parent by subject, and in the future we might want
to avoid checking the self-signature on trusted certs, there could a risk that we
incorrectly accept a cert that looks like a trusted root except it doesn't
have the same key. This test ensures this will never happen.
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard
bc313017a5
Add tests for flags passed to f_vrfy
...
The tests cover chains of length 0, 1 and 2, with one error, located at any of
the available levels in the chain. This exercises all three call sites of
f_vrfy (two in verify_top, one in verify_child). Chains of greater length
would not cover any new code path or behaviour that I can see.
2017-08-08 11:06:49 +02:00
Manuel Pégourié-Gonnard
b341dd58c5
Add tests for spurious certs in the chain
...
We have code to skip them but didn't have explicit tests ensuring they are
(the corresponding branch was never taken).
While at it, remove extra copy of the chain in server10*.crt, which was
duplicated for no reason.
2017-08-08 11:00:46 +02:00
Manuel Pégourié-Gonnard
4dfc04a66f
Add test for bad signature with longer chain
...
This is one line that wasn't covered in verify_child()
2017-08-08 11:00:46 +02:00
Manuel Pégourié-Gonnard
29d60fb85f
Add test for expired cert in longer chain
...
That's two lines that were not covered in verify_child()
2017-08-08 11:00:46 +02:00
Hanno Becker
e908c3de67
Improve Readme for long test certificate chains
2017-07-26 13:49:38 +01:00
Janos Follath
745bcf454f
Fix typos
2017-07-21 14:04:31 +01:00
Manuel Pégourié-Gonnard
5be13d8fd1
Make test script more portable
...
seq isn't POSIX and isn't present by default on BSDs
2017-07-06 14:31:54 +02:00
Manuel Pégourié-Gonnard
1beb048316
Add test for limit on intermediate certificates
...
Inspired by test code provided by Nicholas Wilson in PR #351 .
The test will fail if someone sets MAX_INTERMEDIATE_CA to a value larger than
18 (default is 8), which is hopefully unlikely and can easily be fixed by
running long.sh again with a larger value if it ever happens.
Current behaviour is suboptimal as flags are not set, but currently the goal
is only to document/test existing behaviour.
2017-07-06 11:57:31 +02:00
Gilles Peskine
fd14bca6dc
Document test data makefile
2017-06-06 18:44:14 +02:00
Gilles Peskine
bc70a1836b
Test that SHA-1 defaults off
...
Added tests to validate that certificates signed using SHA-1 are
rejected by default, but accepted if SHA-1 is explicitly enabled.
2017-06-06 18:44:14 +02:00
Gilles Peskine
f040a17604
Added SHA256 test certificates
...
With SHA-1 deprecation, we need a few certificates using algorithms in
the default support list. Most tests still use SHA-1 though.
The generation process for the new certificates is recorded in the makefile.
2017-06-06 18:44:13 +02:00
Simon Butcher
fc794ff2b7
Merge branch 'iotssl-1071-ca-flags'
...
Fixes a regression introduced by an earlier commit that modified
x509_crt_verify_top() to ensure that valid certificates that are after past or
future valid in the chain are processed. However the change introduced a change
in behaviour that caused the verification flags MBEDTLS_X509_BADCERT_EXPIRED and
MBEDTLS_BADCERT_FUTURE to always be set whenever there is a failure in the
verification regardless of the cause.
The fix maintains both behaviours:
* Ensure that valid certificates after future and past are verified
* Ensure that the correct verification flags are set.
2017-02-27 19:06:05 +00:00
Andres AG
9f430c15d8
Add tests for out flags from x509_crt_verify_top()
...
The tests load certificate chains from files. The CA chains contain a
past or future certificate and an invalid certificate. The test then
checks that the flags set are MBEDTLS_X509_BADCERT_EXPIRED or
MBEDTLS_X509_BADCERT_FUTURE.
2017-01-20 13:52:01 +00:00
Andres AG
a39db394db
Add test for infinite loop in CRL parse
2017-01-19 17:10:51 +00:00
Simon Butcher
4b852db299
Merge branch 'iotssl-629-der-trailing-bytes'
...
Fixes bug in mbedtls_x509_crt_parse that caused trailing extra data in the
buffer following DER certificates to be included in the raw representation.
2016-03-12 23:28:26 +00:00
Simon Butcher
f59e66ba24
Remove redundant test certificates and clarify ChangeLog
2016-03-09 19:32:10 +00:00
Janos Follath
df4bca2029
X509: Future CA among trusted: add more tests
2016-03-09 19:32:10 +00:00
Janos Follath
12c868c5d6
X509: Future CA among trusted: add unit tests
2016-03-09 19:32:10 +00:00
Janos Follath
0b2423403c
x509: trailing bytes in DER: add integration tests
2016-02-17 10:11:21 +00:00
Manuel Pégourié-Gonnard
8b4331aa56
Add test case for root with max_pathlen=0
...
This was already working but not tested so far
(Test case from previous commit still failing.)
Test certificates generated with:
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert91.key
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert92.key
programs/x509/cert_write serial=91 output_file=cert91.crt is_ca=1 \
issuer_key=cert91.key issuer_name="CN=Root 9,O=mbed TLS,C=UK" \
selfsign=1 max_pathlen=0
programs/x509/cert_write serial=92 output_file=cert92.crt \
issuer_key=cert91.key issuer_name="CN=Root 9,O=mbed TLS,C=UK" \
subject_key=cert92.key subject_name="CN=EE 92,O=mbed TLS,C=UK"
mv cert9?.crt tests/data_files/dir4
rm cert9?.key
2015-11-19 11:10:33 +01:00
Manuel Pégourié-Gonnard
a3aa43da5f
Add test case for first intermediate max_pathlen=0
...
!!! This test case is currently failing !!!
(See fix in next-next commit.)
Test certificates generated with the following script:
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert81.key
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert82.key
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert83.key
programs/x509/cert_write serial=81 output_file=cert81.crt is_ca=1 \
issuer_key=cert81.key issuer_name="CN=Root 8,O=mbed TLS,C=UK" \
selfsign=1
programs/x509/cert_write serial=82 output_file=cert82.crt is_ca=1 \
issuer_key=cert81.key issuer_name="CN=Root 8,O=mbed TLS,C=UK" \
subject_key=cert82.key subject_name="CN=Int 82,O=mbed TLS,C=UK" \
max_pathlen=0
programs/x509/cert_write serial=83 output_file=cert83.crt \
issuer_key=cert82.key issuer_name="CN=Int 82,O=mbed TLS,C=UK" \
subject_key=cert83.key subject_name="CN=EE 83,O=mbed TLS,C=UK"
mv cert8?.crt tests/data_files/dir4
rm cert8?.key
2015-11-19 10:56:30 +01:00
Manuel Pégourié-Gonnard
0a543a8bc5
Merge pull request #320 from Inikup/fix-issue-318
...
Fix boolean values according to DER specs
2015-11-02 05:52:42 +09:00
Jonathan Leroy
00ee6eee54
Test certificate "Server1 SHA1, key_usage" reissued.
2015-10-14 13:15:22 +02:00
Janos Follath
ef4f2588f3
Additional corner cases for testing pathlen constrains. Just in case.
2015-10-11 16:17:27 +02:00
Janos Follath
822b2c33b9
Added test case for pathlen constrains in intermediate certificates
2015-10-11 10:39:15 +02:00
Manuel Pégourié-Gonnard
560fea3767
Add tests for verify callback
...
As we're about to change the chain construction logic, we want to make sure
the callback will still be called exactly when it should, and not on the
(upcoming) ignored certs in the chain.
2015-09-01 17:24:42 +02:00
Manuel Pégourié-Gonnard
052d10c9d5
Accept a trailing space at end of PEM lines
...
With certs being copy-pasted from webmails and all, this will probably become
more and more common.
closes #226
2015-07-31 11:11:26 +02:00
Manuel Pégourié-Gonnard
9a702255f4
Add parsing/printing for new X.509 keyUsage flags
2015-06-23 13:09:10 +02:00
Manuel Pégourié-Gonnard
6ea831dcf4
Add tests for mbedtls_set_hs_ca_chain()
2015-06-22 17:30:18 +02:00
Manuel Pégourié-Gonnard
7a010aabde
Add tests for dhm_min_bitlen
2015-06-17 14:27:38 +02:00
Manuel Pégourié-Gonnard
5119df2022
Add test case for dh params with privateValueLength
2015-04-15 13:50:29 +02:00
Manuel Pégourié-Gonnard
e6c8366b46
Fix bug in pk_parse_key()
2015-04-15 11:21:24 +02:00
Paul Bakker
6152b0267c
Fixed typos
2015-04-14 15:00:09 +02:00
Manuel Pégourié-Gonnard
39ead3ef2f
Add test certificate for bitstring in DN
2015-03-27 13:11:33 +01:00
Manuel Pégourié-Gonnard
57a5d60abb
Add tests for concatenated CRLs
2014-11-19 16:08:34 +01:00
Manuel Pégourié-Gonnard
4be3449dbc
Add Readme about X.509 test files
2014-11-19 14:03:59 +01:00
Manuel Pégourié-Gonnard
9c911da68f
Add tests for X.509 name encoding mismatch
2014-10-17 12:42:31 +02:00
Manuel Pégourié-Gonnard
64938c63f0
Accept spaces at end of line/buffer in base64
2014-10-15 23:53:33 +02:00
Manuel Pégourié-Gonnard
da1b4de0e4
Increase MPI_MAX_BYTES to allow RSA 8192
2014-10-15 22:06:46 +02:00
Paul Bakker
5a5fa92bfe
x509_crt_parse() did not increase total_failed on PEM error
...
Result was that PEM errors in files with multiple certificates were not
detectable by the user.
2014-10-03 15:47:13 +02:00
Manuel Pégourié-Gonnard
192253aaa9
Fix buffer size in pk_write_*_pem()
2014-08-14 11:34:35 +02:00
Manuel Pégourié-Gonnard
d249b7ab9a
Restore ability to trust non-CA selfsigned EE cert
2014-06-25 11:26:13 +02:00
Manuel Pégourié-Gonnard
c4eff16516
Restore ability to use v1 CA if trusted locally
2014-06-25 11:26:12 +02:00
Manuel Pégourié-Gonnard
5873b00b7f
Add pathological RSASSA-PSS test certificates
...
Certificates announcing different PSS options than the ones actually used for
the signature. Makes sure the options are correctly passed to the verification
function.
2014-06-07 11:21:52 +02:00
Manuel Pégourié-Gonnard
eacccb7fb9
Add RSASSA-PSS certificate with all defaults
2014-06-05 18:00:08 +02:00
Manuel Pégourié-Gonnard
53882023e7
Also verify CRLs signed with RSASSA-PSS
2014-06-05 17:59:55 +02:00
Manuel Pégourié-Gonnard
920e1cd5e2
Add basic PSS cert verification
...
Still todo:
- handle MGF-hash != sign-hash
- check effective salt len == announced salt len
- add support in the PK layer so that we don't have to bypass it here
2014-06-04 12:09:08 +02:00
Manuel Pégourié-Gonnard
39868ee301
Parse CSRs signed with RSASSA-PSS
2014-06-02 16:10:30 +02:00
Manuel Pégourié-Gonnard
2a8d7fd76e
Add tests for parsing CSRs
2014-06-02 16:10:29 +02:00
Manuel Pégourié-Gonnard
8e42ff6bde
Parse CRLs signed with RSASSA-PSS
2014-06-02 16:10:29 +02:00
Manuel Pégourié-Gonnard
e76b750b69
Finish parsing RSASSA-PSS parameters
2014-06-02 16:10:29 +02:00
Manuel Pégourié-Gonnard
59a75d5b9d
Basic parsing of certs signed with RSASSA-PSS
2014-06-02 16:10:29 +02:00
Manuel Pégourié-Gonnard
7afb8a0dca
Add x509_crt_check_extended_key_usage()
2014-04-11 11:09:00 +02:00
Manuel Pégourié-Gonnard
99d4f19111
Add keyUsage checking for CAs
2014-04-09 15:50:58 +02:00
Manuel Pégourié-Gonnard
7f2a07d7b2
Check keyUsage in SSL client and server
2014-04-09 15:50:57 +02:00
Manuel Pégourié-Gonnard
3fec220a33
Add test for dhm_parse_dhmfile
2014-04-04 16:42:44 +02:00
Manuel Pégourié-Gonnard
6c1a73e061
Improve x509xrite_csr testing: extensions, version
2014-04-04 16:33:01 +02:00
Manuel Pégourié-Gonnard
c5ce83a3b8
Improve x509xrite_csr testing: extensions, ECDSA
2014-04-04 16:33:01 +02:00
Manuel Pégourié-Gonnard
6c33a16dae
Add previously forgotten test files... oops!
2014-04-04 16:23:29 +02:00
Manuel Pégourié-Gonnard
f6f4ab40d3
Print extended key usage in x509_crt_info()
2014-04-04 14:01:39 +02:00
Manuel Pégourié-Gonnard
76b8ab73cd
ssl-opt.sh: address some robustness issues
2014-03-26 14:21:34 +01:00
Manuel Pégourié-Gonnard
a11a77f316
Add test for SpecifiedECDomain
2014-03-19 16:50:59 +01:00
Manuel Pégourié-Gonnard
5b2d776d2a
GnuTLS in compat.sh: server-side
2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard
9533765b25
Reject certs and CRLs from the future
2014-03-13 19:25:06 +01:00
Manuel Pégourié-Gonnard
6304f786e0
Add x509_time_future()
2014-03-13 19:25:06 +01:00
Manuel Pégourié-Gonnard
c9093085ed
Revert "Merged RSA-PSS support in Certificate, CSR and CRL"
...
This reverts commit ab50d8d30c
, reversing
changes made to e31b1d992a
.
2014-02-12 09:39:59 +01:00
Manuel Pégourié-Gonnard
41cae8e1f9
Parse CSRs signed with RSASSA-PSS
2014-01-25 12:48:58 +01:00
Manuel Pégourié-Gonnard
d4fd57dda4
Add tests for parsing CSRs
2014-01-25 12:48:58 +01:00
Manuel Pégourié-Gonnard
5eeb32b552
Parse CRLs signed with RSASSA-PSS
2014-01-25 12:48:58 +01:00
Manuel Pégourié-Gonnard
3c1e8b539c
Finish parsing RSASSA-PSS parameters
2014-01-25 12:48:58 +01:00
Manuel Pégourié-Gonnard
b1d4eb16e4
Basic parsing of certs signed with RSASSA-PSS
2014-01-25 12:48:58 +01:00
Paul Bakker
5862eee4ca
Merged RIPEMD-160 support
2014-01-22 14:18:34 +01:00
Manuel Pégourié-Gonnard
83a7fdd47b
Replace expired test certificate
2014-01-22 13:03:42 +01:00
Manuel Pégourié-Gonnard
e4d47a655b
Add RIPEMD-160 to the generic MD layer
2014-01-17 20:41:32 +01:00
Manuel Pégourié-Gonnard
fbae2a1f53
Add tests for x509_crt_parse_path()
2013-11-28 18:07:39 +01:00
Manuel Pégourié-Gonnard
48ac3db551
Add OIDs for brainpool curves
2013-10-10 15:11:33 +02:00
Manuel Pégourié-Gonnard
6a987f4a90
Update EC certs to use NIST-256 and NIST-384
2013-09-24 21:25:54 +02:00
Paul Bakker
c27c4e2efb
Support faulty X509 v1 certificates with extensions
...
(POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3)
2013-09-23 15:01:36 +02:00
Paul Bakker
77e23fb0e0
Move *_pemify() function to PEM module
2013-09-15 20:03:26 +02:00
Manuel Pégourié-Gonnard
33250b0461
Add test for x509write_pubkey_pem()
2013-09-12 11:57:01 +02:00
Manuel Pégourié-Gonnard
b4e9ca9650
Add some more x509_verify tests
...
- trust chain of depth 0
- invalid signature
- trust chain of depth 2
- multiple trusted CA's
2013-08-20 20:46:03 +02:00
Manuel Pégourié-Gonnard
20e9fad4c1
Add test files for EC cert & crl validation
2013-08-20 20:21:02 +02:00
Manuel Pégourié-Gonnard
b03de8bcbe
Add test for EC keys with all curves.
...
(Made possible by the OID fix.)
2013-08-16 14:00:52 +02:00
Manuel Pégourié-Gonnard
893879adbd
Adapt debug_print_crt() for EC keys
2013-07-17 15:59:42 +02:00
Manuel Pégourié-Gonnard
a9e54129b5
Adapt test files to supported PKCS#8 modes
...
openssl pkcs8 -topk8 -in ec_prv.sec1.pem -passout pass:polar \
-v1 PBE-SHA1-RC4-128 -outform der -out ec_prv.pk8.pw.der
openssl pkcs8 -topk8 -in ec_prv.sec1.pem -passout pass:polar \
-v1 PBE-SHA1-RC4-128 -outform pem -out ec_prv.pk8.pw.pem
2013-07-08 17:32:26 +02:00
Manuel Pégourié-Gonnard
2b9252cd8f
Add tests for x509parse_key_ec()
...
Test files were generated as follows:
openssl ecparam -name prime192v1 -genkey > key.pem
openssl ec -in key.pem -pubout -outform PEM > pub.pem
openssl ec -in key.pem -pubout -outform DER > pub.der
openssl ec -in key.pem -outform pem > prv.sec1.pem
openssl ec -in key.pem -outform der > prv.sec1.der
openssl ec -in key.pem -des -passout pass:polar -outform pem > prv.sec1.pw.pem
openssl pkcs8 -topk8 -in key.pem -nocrypt -outform pem > prv.pk8.pem
openssl pkcs8 -topk8 -in key.pem -nocrypt -outform der > prv.pk8.der
openssl pkcs8 -topk8 -in key.pem -passout pass:polar -outform der \
> prv.pk8.pw.der
openssl pkcs8 -topk8 -in key.pem -passout pass:polar -outform pem \
> prv.pk8.pw.pem
2013-07-08 17:32:26 +02:00