Commit Graph

38 Commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
d8a1ea72b1 Fix potential buffer overread of size 1 2014-11-17 12:27:49 +01:00
Manuel Pégourié-Gonnard
017bf57daa Forbid repeated X.509 extensions 2014-11-17 11:01:09 +01:00
Manuel Pégourié-Gonnard
fdec957e55 Fix memory leak with crafted X.509 certs 2014-11-17 11:01:08 +01:00
Manuel Pégourié-Gonnard
d3ae430241 Fix uninitialised pointer dereference 2014-11-17 11:01:08 +01:00
Manuel Pégourié-Gonnard
6b44038913 Fix memory leak parsing some X.509 certs 2014-10-23 14:53:46 +02:00
Paul Bakker
0d844dd650 Add x509parse_time_future() 2014-07-07 17:46:36 +02:00
Paul Bakker
f65fbee52b x509_verify() now case insensitive for cn (RFC 6125 6.4)
(cherry picked from commit a5943858d8)

Conflicts:
	ChangeLog
	library/x509parse.c
	tests/suites/test_suite_x509parse.data
2013-09-11 13:31:55 +02:00
Paul Bakker
db7ea6f162 Made x509parse PKCS#12 and PKCS#5 tests dependent on defines 2013-06-18 16:47:59 +02:00
Paul Bakker
14a222cef2 Moved PKCS#12 PBE functions to cipher / md layer where possible
The 3-key and 2-key Triple DES PBE functions have been replaced with a
single pkcs12_pbe() function that handles both situations (and more).

In addition this allows for some PASSWORD_MISMATCH checking
2013-06-18 16:35:48 +02:00
Paul Bakker
b495d3a2c7 x509parse_crt() and x509parse_crt_der() return X509 password related codes
POLARSSL_ERR_X509_PASSWORD_MISMATCH is returned instead of
POLARSSL_ERR_PEM_PASSWORD_MISMATCH and
POLARSSL_ERR_X509_PASSWORD_REQUIRED instead of
POLARSSL_ERR_PEM_PASSWORD_REQUIRED

Rationale: For PKCS#8 encrypted keys the same are returned
2013-06-17 15:58:04 +02:00
Paul Bakker
1fd4321ba2 PKCS#5 v2 PBES2 support and use in PKCS#8 encrypted certificates
The error code POLARSSL_ERR_X509_PASSWORD_MISMATCH is now properly
returned in case of an encryption failure in the padding. The
POLARSSL_ERR_X509_PASSWORD_REQUIRED error code is only returned for PEM
formatted private keys as for DER formatted ones it is impossible to
distinguish if a DER blob is PKCS#8 encrypted or not.
2013-06-17 15:14:42 +02:00
Paul Bakker
cf6e95d9a8 Parsing of PKCS#8 encrypted private key files added and PKCS#12 basis
PKCS#8 encrypted key file support has been added to x509parse_key() with
support for some PCKS#12 PBE functions (pbeWithSHAAnd128BitRC4,
pbeWithSHAAnd3-KeyTripleDES-CBC and pbeWithSHAAnd2-KeyTripleDES-CBC)
2013-06-12 13:18:15 +02:00
Paul Bakker
65a1909dc6 Internally split up x509parse_key()
Split up x509parse_key() into a (PEM) handler function and specific
DER parser functions for the PKCS#1 (x509parse_key_pkcs1_der()) and
unencrypted PKCS#8 (x509parse_key_pkcs8_unencrypted_der()) private
key formats.
2013-06-06 21:17:08 +02:00
Paul Bakker
915275ba78 - Revamped x509_verify() and the SSL f_vrfy callback implementations 2012-09-28 07:10:55 +00:00
Paul Bakker
1a0f552030 - Fixed test for 'trust extension' change 2012-09-25 21:53:55 +00:00
Paul Bakker
9195662a4c - Added test for no-subject certificates with altSubjectNames 2012-08-23 10:46:54 +00:00
Paul Bakker
4d2c1243b1 - Changed certificate verify behaviour to comply with RFC 6125 section 6.3 to not match CN if subjectAltName extension is present. 2012-05-10 14:12:46 +00:00
Paul Bakker
57b12982b3 - Multi-domain certificates support wildcards as well 2012-02-11 17:38:38 +00:00
Paul Bakker
a8cd239d6b - Added support for wildcard certificates
- Added support for multi-domain certificates through the X509 Subject Alternative Name extension
2012-02-11 16:09:32 +00:00
Paul Bakker
fae618fa8b - Updated tests to reflect recent changes 2011-10-12 11:53:52 +00:00
Paul Bakker
36f1b197ca - Added test for PKCS#8 wrapped private and public keys 2011-07-13 11:32:29 +00:00
Paul Bakker
9d781407bc - A error_strerror function() has been added to translate between error codes and their description.
- The error codes have been remapped and combining error codes is now done with a PLUS instead of an OR as error codes used are negative.
 - Descriptions to all error codes have been added.
 - Generation script for error.c has been created to automatically generate error.c from the available error definitions in the headers.
2011-05-09 16:17:09 +00:00
Paul Bakker
335db3f121 - Functions requiring File System functions can now be disables by undefining POLARSSL_FS_IO 2011-04-25 15:28:35 +00:00
Paul Bakker
1be81a4e5f - Removed test for MD2 certificate as OpenSSL does not support it anymore 2011-04-23 14:46:28 +00:00
Paul Bakker
400ff6f0fd - Corrected parsing of UTCTime dates before 1990 and after 1950
- Support more exotic OID's when parsing certificates
 - Support more exotic name representations when parsing certificates
 - Replaced the expired test certificates
2011-02-20 10:40:16 +00:00
Paul Bakker
96743fc5f5 - Parsing of PEM files moved to separate module (Fixes ticket #13). Also possible to remove PEM support for systems only using DER encoding
- Parsing PEM private keys encrypted with DES and AES are now supported (Fixes ticket #5)
 - Added tests for encrypted keyfiles
2011-02-12 14:30:57 +00:00
Paul Bakker
76fd75a3de - Improved certificate validation and validation against the available CRLs 2011-01-16 21:12:10 +00:00
Paul Bakker
b63b0afc05 - Added verification callback in certificate verification chain in order to allow external blacklisting 2011-01-13 17:54:59 +00:00
Paul Bakker
9120018f3d - Added support for GeneralizedTime in X509 certificates 2010-02-18 21:26:15 +00:00
Paul Bakker
46b8071641 - Added 'depends_on' for tests dependent on specific hash algorithms 2009-10-03 20:01:39 +00:00
Paul Bakker
c6ce838d8f - Better handling of extension parsing 2009-07-27 21:34:45 +00:00
Paul Bakker
e4ff413890 - Added extra coverage tests 2009-07-27 20:22:10 +00:00
Paul Bakker
345fb49cb7 - Added extra coverage and regression tests 2009-07-20 21:26:07 +00:00
Paul Bakker
6b0fa4f33b - Added extra regression and coverage tests for ASN parsing of CRL and Key data 2009-07-20 20:35:41 +00:00
Paul Bakker
c26a189189 - Added extra X509 regression and coverage tests 2009-07-19 20:30:14 +00:00
Paul Bakker
b2c38f54b4 - Added a lot of ASN1 Certificate parsing tests 2009-07-19 19:36:15 +00:00
Paul Bakker
4d6b31a999 - Added extra certificates and tests 2009-07-12 11:11:06 +00:00
Paul Bakker
37940d9ff6 - Added test coverage for X509parse
- Fixed segfault in rsa_check_privkey() and rsa_check_pubkey() and added test
2009-07-10 22:38:58 +00:00