/* BEGIN_HEADER */ #include "mbedtls/bignum.h" #include "mbedtls/x509.h" #include "mbedtls/x509_crt.h" #include "mbedtls/x509_crl.h" #include "mbedtls/x509_csr.h" #include "mbedtls/pem.h" #include "mbedtls/oid.h" #include "mbedtls/base64.h" #include "string.h" #if MBEDTLS_X509_MAX_INTERMEDIATE_CA > 19 #error "The value of MBEDTLS_X509_MAX_INTERMEDIATE_C is larger \ than the current threshold 19. To test larger values, please \ adapt the script tests/data_files/dir-max/long.sh." #endif /* Profile for backward compatibility. Allows SHA-1, unlike the default profile. */ const mbedtls_x509_crt_profile compat_profile = { MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ), 0xFFFFFFF, /* Any PK alg */ 0xFFFFFFF, /* Any curve */ 1024, }; const mbedtls_x509_crt_profile profile_rsa3072 = { MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ), MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_RSA ), 0, 3072, }; const mbedtls_x509_crt_profile profile_sha512 = { MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ), 0xFFFFFFF, /* Any PK alg */ 0xFFFFFFF, /* Any curve */ 1024, }; int verify_none( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags ) { ((void) data); ((void) crt); ((void) certificate_depth); *flags |= MBEDTLS_X509_BADCERT_OTHER; return 0; } int verify_all( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags ) { ((void) data); ((void) crt); ((void) certificate_depth); *flags = 0; return 0; } #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) int verify_cb( void *data, mbedtls_x509_crt *child, mbedtls_x509_crt **candidates) { mbedtls_x509_crt *ca = (mbedtls_x509_crt *) data; mbedtls_x509_crt *first = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ); TEST_ASSERT( first != NULL); TEST_ASSERT( mbedtls_x509_crt_init( first ) == 0 ); TEST_ASSERT( mbedtls_x509_crt_parse_der( first, ca->raw.p, ca->raw.len ) == 0); while( ca->next != NULL ) { ca = ca->next; TEST_ASSERT( mbedtls_x509_crt_parse_der( first, ca->raw.p, ca->raw.len ) == 0); } *candidates = first; return 0; } #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ int verify_fatal( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags ) { int *levels = (int *) data; ((void) crt); ((void) certificate_depth); /* Simulate a fatal error in the callback */ if( *levels & ( 1 << certificate_depth ) ) { *flags |= ( 1 << certificate_depth ); return( -1 - certificate_depth ); } return( 0 ); } /* strsep() not available on Windows */ char *mystrsep(char **stringp, const char *delim) { const char *p; char *ret = *stringp; if( *stringp == NULL ) return( NULL ); for( ; ; (*stringp)++ ) { if( **stringp == '\0' ) { *stringp = NULL; goto done; } for( p = delim; *p != '\0'; p++ ) if( **stringp == *p ) { **stringp = '\0'; (*stringp)++; goto done; } } done: return( ret ); } #if defined(MBEDTLS_X509_CRT_PARSE_C) typedef struct { char buf[512]; char *p; } verify_print_context; void verify_print_init( verify_print_context *ctx ) { memset( ctx, 0, sizeof( verify_print_context ) ); ctx->p = ctx->buf; } int verify_print( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags ) { int ret; verify_print_context *ctx = (verify_print_context *) data; char *p = ctx->p; size_t n = ctx->buf + sizeof( ctx->buf ) - ctx->p; ((void) flags); ret = mbedtls_snprintf( p, n, "depth %d - serial ", certificate_depth ); MBEDTLS_X509_SAFE_SNPRINTF; ret = mbedtls_x509_serial_gets( p, n, &crt->serial ); MBEDTLS_X509_SAFE_SNPRINTF; ret = mbedtls_snprintf( p, n, " - subject " ); MBEDTLS_X509_SAFE_SNPRINTF; ret = mbedtls_x509_dn_gets( p, n, &crt->subject ); MBEDTLS_X509_SAFE_SNPRINTF; ret = mbedtls_snprintf( p, n, " - flags 0x%08x\n", *flags ); MBEDTLS_X509_SAFE_SNPRINTF; ctx->p = p; return( 0 ); } #endif /* MBEDTLS_X509_CRT_PARSE_C */ /* END_HEADER */ /* BEGIN_DEPENDENCIES * depends_on:MBEDTLS_BIGNUM_C * END_DEPENDENCIES */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ void x509_cert_info( char * crt_file, char * result_str ) { mbedtls_x509_crt crt; char buf[2000]; int res; mbedtls_x509_crt_init( &crt ); memset( buf, 0, 2000 ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); res = mbedtls_x509_crt_info( buf, 2000, "", &crt ); TEST_ASSERT( res != -1 ); TEST_ASSERT( res != -2 ); TEST_ASSERT( strcmp( buf, result_str ) == 0 ); exit: mbedtls_x509_crt_free( &crt ); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRL_PARSE_C */ void mbedtls_x509_crl_info( char * crl_file, char * result_str ) { mbedtls_x509_crl crl; char buf[2000]; int res; mbedtls_x509_crl_init( &crl ); memset( buf, 0, 2000 ); TEST_ASSERT( mbedtls_x509_crl_parse_file( &crl, crl_file ) == 0 ); res = mbedtls_x509_crl_info( buf, 2000, "", &crl ); TEST_ASSERT( res != -1 ); TEST_ASSERT( res != -2 ); TEST_ASSERT( strcmp( buf, result_str ) == 0 ); exit: mbedtls_x509_crl_free( &crl ); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRL_PARSE_C */ void mbedtls_x509_crl_parse( char * crl_file, int result ) { mbedtls_x509_crl crl; char buf[2000]; mbedtls_x509_crl_init( &crl ); memset( buf, 0, 2000 ); TEST_ASSERT( mbedtls_x509_crl_parse_file( &crl, crl_file ) == result ); exit: mbedtls_x509_crl_free( &crl ); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CSR_PARSE_C */ void mbedtls_x509_csr_info( char * csr_file, char * result_str ) { mbedtls_x509_csr csr; char buf[2000]; int res; mbedtls_x509_csr_init( &csr ); memset( buf, 0, 2000 ); TEST_ASSERT( mbedtls_x509_csr_parse_file( &csr, csr_file ) == 0 ); res = mbedtls_x509_csr_info( buf, 2000, "", &csr ); TEST_ASSERT( res != -1 ); TEST_ASSERT( res != -2 ); TEST_ASSERT( strcmp( buf, result_str ) == 0 ); exit: mbedtls_x509_csr_free( &csr ); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ void x509_verify_info( int flags, char * prefix, char * result_str ) { char buf[2000]; int res; memset( buf, 0, sizeof( buf ) ); res = mbedtls_x509_crt_verify_info( buf, sizeof( buf ), prefix, flags ); TEST_ASSERT( res >= 0 ); TEST_ASSERT( strcmp( buf, result_str ) == 0 ); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECDSA_C */ void x509_verify_restart( char *crt_file, char *ca_file, int result, int flags_result, int max_ops, int min_restart, int max_restart ) { int ret, cnt_restart; mbedtls_x509_crt_restart_ctx rs_ctx; mbedtls_x509_crt crt; mbedtls_x509_crt ca; uint32_t flags = 0; /* * See comments on ecp_test_vect_restart() for op count precision. * * For reference, with mbed TLS 2.6 and default settings: * - ecdsa_verify() for P-256: ~ 6700 * - ecdsa_verify() for P-384: ~ 18800 * - x509_verify() for server5 -> test-ca2: ~ 18800 * - x509_verify() for server10 -> int-ca3 -> int-ca2: ~ 25500 */ mbedtls_x509_crt_restart_init( &rs_ctx ); mbedtls_x509_crt_init( &crt ); mbedtls_x509_crt_init( &ca ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 ); mbedtls_ecp_set_max_ops( max_ops ); cnt_restart = 0; do { ret = mbedtls_x509_crt_verify_restartable( &crt, &ca, NULL, &mbedtls_x509_crt_profile_default, NULL, &flags, NULL, NULL, &rs_ctx ); } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart ); TEST_ASSERT( ret == result ); TEST_ASSERT( flags == (uint32_t) flags_result ); TEST_ASSERT( cnt_restart >= min_restart ); TEST_ASSERT( cnt_restart <= max_restart ); /* Do we leak memory when aborting? */ ret = mbedtls_x509_crt_verify_restartable( &crt, &ca, NULL, &mbedtls_x509_crt_profile_default, NULL, &flags, NULL, NULL, &rs_ctx ); TEST_ASSERT( ret == result || ret == MBEDTLS_ERR_ECP_IN_PROGRESS ); exit: mbedtls_x509_crt_restart_free( &rs_ctx ); mbedtls_x509_crt_free( &crt ); mbedtls_x509_crt_free( &ca ); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C */ void x509_verify( char *crt_file, char *ca_file, char *crl_file, char *cn_name_str, int result, int flags_result, char *profile_str, char *verify_callback ) { mbedtls_x509_crt crt; mbedtls_x509_crt ca; mbedtls_x509_crl crl; uint32_t flags = 0; int res; int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) = NULL; char * cn_name = NULL; const mbedtls_x509_crt_profile *profile; #if defined(MBEDTLS_USE_PSA_CRYPTO) TEST_ASSERT( psa_crypto_init() == 0 ); #endif mbedtls_x509_crt_init( &crt ); mbedtls_x509_crt_init( &ca ); mbedtls_x509_crl_init( &crl ); if( strcmp( cn_name_str, "NULL" ) != 0 ) cn_name = cn_name_str; if( strcmp( profile_str, "" ) == 0 ) profile = &mbedtls_x509_crt_profile_default; else if( strcmp( profile_str, "next" ) == 0 ) profile = &mbedtls_x509_crt_profile_next; else if( strcmp( profile_str, "suite_b" ) == 0 ) profile = &mbedtls_x509_crt_profile_suiteb; else if( strcmp( profile_str, "compat" ) == 0 ) profile = &compat_profile; else TEST_ASSERT( "Unknown algorithm profile" == 0 ); if( strcmp( verify_callback, "NULL" ) == 0 ) f_vrfy = NULL; else if( strcmp( verify_callback, "verify_none" ) == 0 ) f_vrfy = verify_none; else if( strcmp( verify_callback, "verify_all" ) == 0 ) f_vrfy = verify_all; else TEST_ASSERT( "No known verify callback selected" == 0 ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 ); TEST_ASSERT( mbedtls_x509_crl_parse_file( &crl, crl_file ) == 0 ); res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, profile, cn_name, &flags, f_vrfy, NULL ); TEST_ASSERT( res == ( result ) ); TEST_ASSERT( flags == (uint32_t)( flags_result ) ); #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) flags = 0; res = mbedtls_x509_crt_verify_with_cb( &crt, verify_cb, &ca, profile, cn_name, &flags, f_vrfy, NULL ); TEST_ASSERT( res == ( result ) ); TEST_ASSERT( flags == (uint32_t)( flags_result ) ); #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ exit: mbedtls_x509_crt_free( &crt ); mbedtls_x509_crt_free( &ca ); mbedtls_x509_crl_free( &crl ); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ void x509_verify_callback( char *crt_file, char *ca_file, char *name, int exp_ret, char *exp_vrfy_out ) { int ret; mbedtls_x509_crt crt; mbedtls_x509_crt ca; uint32_t flags = 0; verify_print_context vrfy_ctx; #if defined(MBEDTLS_USE_PSA_CRYPTO) TEST_ASSERT( psa_crypto_init() == 0 ); #endif mbedtls_x509_crt_init( &crt ); mbedtls_x509_crt_init( &ca ); verify_print_init( &vrfy_ctx ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 ); if( strcmp( name, "NULL" ) == 0 ) name = NULL; ret = mbedtls_x509_crt_verify_with_profile( &crt, &ca, NULL, &compat_profile, name, &flags, verify_print, &vrfy_ctx ); TEST_ASSERT( ret == exp_ret ); TEST_ASSERT( strcmp( vrfy_ctx.buf, exp_vrfy_out ) == 0 ); exit: mbedtls_x509_crt_free( &crt ); mbedtls_x509_crt_free( &ca ); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ void mbedtls_x509_dn_gets( char * crt_file, char * entity, char * result_str ) { mbedtls_x509_crt crt; char buf[2000]; int res = 0; mbedtls_x509_crt_init( &crt ); memset( buf, 0, 2000 ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); if( strcmp( entity, "subject" ) == 0 ) res = mbedtls_x509_dn_gets( buf, 2000, &crt.subject ); else if( strcmp( entity, "issuer" ) == 0 ) res = mbedtls_x509_dn_gets( buf, 2000, &crt.issuer ); else TEST_ASSERT( "Unknown entity" == 0 ); TEST_ASSERT( res != -1 ); TEST_ASSERT( res != -2 ); TEST_ASSERT( strcmp( buf, result_str ) == 0 ); exit: mbedtls_x509_crt_free( &crt ); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ void mbedtls_x509_time_is_past( char * crt_file, char * entity, int result ) { mbedtls_x509_crt crt; mbedtls_x509_crt_init( &crt ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); if( strcmp( entity, "valid_from" ) == 0 ) TEST_ASSERT( mbedtls_x509_time_is_past( &crt.valid_from ) == result ); else if( strcmp( entity, "valid_to" ) == 0 ) TEST_ASSERT( mbedtls_x509_time_is_past( &crt.valid_to ) == result ); else TEST_ASSERT( "Unknown entity" == 0 ); exit: mbedtls_x509_crt_free( &crt ); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ void mbedtls_x509_time_is_future( char * crt_file, char * entity, int result ) { mbedtls_x509_crt crt; mbedtls_x509_crt_init( &crt ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); if( strcmp( entity, "valid_from" ) == 0 ) TEST_ASSERT( mbedtls_x509_time_is_future( &crt.valid_from ) == result ); else if( strcmp( entity, "valid_to" ) == 0 ) TEST_ASSERT( mbedtls_x509_time_is_future( &crt.valid_to ) == result ); else TEST_ASSERT( "Unknown entity" == 0 ); exit: mbedtls_x509_crt_free( &crt ); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_FS_IO */ void x509parse_crt_file( char * crt_file, int result ) { mbedtls_x509_crt crt; mbedtls_x509_crt_init( &crt ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == result ); exit: mbedtls_x509_crt_free( &crt ); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ void x509parse_crt( data_t * buf, char * result_str, int result ) { mbedtls_x509_crt crt; unsigned char output[2000]; int res; mbedtls_x509_crt_init( &crt ); memset( output, 0, 2000 ); TEST_ASSERT( mbedtls_x509_crt_parse_der( &crt, buf->x, buf->len ) == ( result ) ); if( ( result ) == 0 ) { res = mbedtls_x509_crt_info( (char *) output, 2000, "", &crt ); TEST_ASSERT( res != -1 ); TEST_ASSERT( res != -2 ); TEST_ASSERT( strcmp( (char *) output, result_str ) == 0 ); } mbedtls_x509_crt_free( &crt ); mbedtls_x509_crt_init( &crt ); memset( output, 0, 2000 ); TEST_ASSERT( mbedtls_x509_crt_parse_der_nocopy( &crt, buf->x, buf->len ) == ( result ) ); if( ( result ) == 0 ) { res = mbedtls_x509_crt_info( (char *) output, 2000, "", &crt ); TEST_ASSERT( res != -1 ); TEST_ASSERT( res != -2 ); TEST_ASSERT( strcmp( (char *) output, result_str ) == 0 ); } exit: mbedtls_x509_crt_free( &crt ); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_X509_CRL_PARSE_C */ void x509parse_crl( data_t * buf, char * result_str, int result ) { mbedtls_x509_crl crl; unsigned char output[2000]; int res; mbedtls_x509_crl_init( &crl ); memset( output, 0, 2000 ); TEST_ASSERT( mbedtls_x509_crl_parse( &crl, buf->x, buf->len ) == ( result ) ); if( ( result ) == 0 ) { res = mbedtls_x509_crl_info( (char *) output, 2000, "", &crl ); TEST_ASSERT( res != -1 ); TEST_ASSERT( res != -2 ); TEST_ASSERT( strcmp( (char *) output, result_str ) == 0 ); } exit: mbedtls_x509_crl_free( &crl ); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_X509_CSR_PARSE_C */ void mbedtls_x509_csr_parse( data_t * csr_der, char * ref_out, int ref_ret ) { mbedtls_x509_csr csr; char my_out[1000]; int my_ret; mbedtls_x509_csr_init( &csr ); memset( my_out, 0, sizeof( my_out ) ); my_ret = mbedtls_x509_csr_parse_der( &csr, csr_der->x, csr_der->len ); TEST_ASSERT( my_ret == ref_ret ); if( ref_ret == 0 ) { size_t my_out_len = mbedtls_x509_csr_info( my_out, sizeof( my_out ), "", &csr ); TEST_ASSERT( my_out_len == strlen( ref_out ) ); TEST_ASSERT( strcmp( my_out, ref_out ) == 0 ); } exit: mbedtls_x509_csr_free( &csr ); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ void mbedtls_x509_crt_parse_path( char * crt_path, int ret, int nb_crt ) { mbedtls_x509_crt chain, *cur; int i; mbedtls_x509_crt_init( &chain ); TEST_ASSERT( mbedtls_x509_crt_parse_path( &chain, crt_path ) == ret ); /* Check how many certs we got */ for( i = 0, cur = &chain; cur != NULL; cur = cur->next ) if( cur->raw.p != NULL ) i++; TEST_ASSERT( i == nb_crt ); exit: mbedtls_x509_crt_free( &chain ); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ void mbedtls_x509_crt_verify_max( char *ca_file, char *chain_dir, int nb_int, int ret_chk, int flags_chk ) { char file_buf[128]; int ret; uint32_t flags; mbedtls_x509_crt trusted, chain; #if defined(MBEDTLS_USE_PSA_CRYPTO) TEST_ASSERT( psa_crypto_init() == 0 ); #endif /* * We expect chain_dir to contain certificates 00.crt, 01.crt, etc. * with NN.crt signed by NN-1.crt */ mbedtls_x509_crt_init( &trusted ); mbedtls_x509_crt_init( &chain ); /* Load trusted root */ TEST_ASSERT( mbedtls_x509_crt_parse_file( &trusted, ca_file ) == 0 ); /* Load a chain with nb_int intermediates (from 01 to nb_int), * plus one "end-entity" cert (nb_int + 1) */ ret = mbedtls_snprintf( file_buf, sizeof file_buf, "%s/c%02d.pem", chain_dir, nb_int + 1 ); TEST_ASSERT( ret > 0 && (size_t) ret < sizeof file_buf ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &chain, file_buf ) == 0 ); /* Try to verify that chain */ ret = mbedtls_x509_crt_verify( &chain, &trusted, NULL, NULL, &flags, NULL, NULL ); TEST_ASSERT( ret == ret_chk ); TEST_ASSERT( flags == (uint32_t) flags_chk ); exit: mbedtls_x509_crt_free( &chain ); mbedtls_x509_crt_free( &trusted ); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ void mbedtls_x509_crt_verify_chain( char *chain_paths, char *trusted_ca, int flags_result, int result, char *profile_name, int vrfy_fatal_lvls ) { char* act; uint32_t flags; int res; mbedtls_x509_crt trusted, chain; const mbedtls_x509_crt_profile *profile = NULL; #if defined(MBEDTLS_USE_PSA_CRYPTO) TEST_ASSERT( psa_crypto_init() == 0 ); #endif mbedtls_x509_crt_init( &chain ); mbedtls_x509_crt_init( &trusted ); while( ( act = mystrsep( &chain_paths, " " ) ) != NULL ) TEST_ASSERT( mbedtls_x509_crt_parse_file( &chain, act ) == 0 ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &trusted, trusted_ca ) == 0 ); if( strcmp( profile_name, "" ) == 0 ) profile = &mbedtls_x509_crt_profile_default; else if( strcmp( profile_name, "next" ) == 0 ) profile = &mbedtls_x509_crt_profile_next; else if( strcmp( profile_name, "suiteb" ) == 0 ) profile = &mbedtls_x509_crt_profile_suiteb; else if( strcmp( profile_name, "rsa3072" ) == 0 ) profile = &profile_rsa3072; else if( strcmp( profile_name, "sha512" ) == 0 ) profile = &profile_sha512; res = mbedtls_x509_crt_verify_with_profile( &chain, &trusted, NULL, profile, NULL, &flags, verify_fatal, &vrfy_fatal_lvls ); TEST_ASSERT( res == ( result ) ); TEST_ASSERT( flags == (uint32_t)( flags_result ) ); exit: mbedtls_x509_crt_free( &trusted ); mbedtls_x509_crt_free( &chain ); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C */ void x509_oid_desc( data_t * buf, char * ref_desc ) { mbedtls_x509_buf oid; const char *desc = NULL; int ret; oid.tag = MBEDTLS_ASN1_OID; oid.p = buf->x; oid.len = buf->len; ret = mbedtls_oid_get_extended_key_usage( &oid, &desc ); if( strcmp( ref_desc, "notfound" ) == 0 ) { TEST_ASSERT( ret != 0 ); TEST_ASSERT( desc == NULL ); } else { TEST_ASSERT( ret == 0 ); TEST_ASSERT( desc != NULL ); TEST_ASSERT( strcmp( desc, ref_desc ) == 0 ); } } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C */ void x509_oid_numstr( data_t * oid_buf, char * numstr, int blen, int ret ) { mbedtls_x509_buf oid; char num_buf[100]; memset( num_buf, 0x2a, sizeof num_buf ); oid.tag = MBEDTLS_ASN1_OID; oid.p = oid_buf->x; oid.len = oid_buf->len; TEST_ASSERT( (size_t) blen <= sizeof num_buf ); TEST_ASSERT( mbedtls_oid_get_numeric_string( num_buf, blen, &oid ) == ret ); if( ret >= 0 ) { TEST_ASSERT( num_buf[ret] == 0 ); TEST_ASSERT( strcmp( num_buf, numstr ) == 0 ); } } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CHECK_KEY_USAGE */ void x509_check_key_usage( char * crt_file, int usage, int ret ) { mbedtls_x509_crt crt; mbedtls_x509_crt_init( &crt ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); TEST_ASSERT( mbedtls_x509_crt_check_key_usage( &crt, usage ) == ret ); exit: mbedtls_x509_crt_free( &crt ); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ void x509_check_extended_key_usage( char * crt_file, data_t * oid, int ret ) { mbedtls_x509_crt crt; mbedtls_x509_crt_init( &crt ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); TEST_ASSERT( mbedtls_x509_crt_check_extended_key_usage( &crt, (const char *)oid->x, oid->len ) == ret ); exit: mbedtls_x509_crt_free( &crt ); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C */ void x509_get_time( int tag, char * time_str, int ret, int year, int mon, int day, int hour, int min, int sec ) { mbedtls_x509_time time; unsigned char buf[21]; unsigned char* start = buf; unsigned char* end = buf; memset( &time, 0x00, sizeof( time ) ); *end = (unsigned char)tag; end++; *end = strlen( time_str ); TEST_ASSERT( *end < 20 ); end++; memcpy( end, time_str, (size_t)*(end - 1) ); end += *(end - 1); TEST_ASSERT( mbedtls_x509_get_time( &start, end, &time ) == ret ); if( ret == 0 ) { TEST_ASSERT( year == time.year ); TEST_ASSERT( mon == time.mon ); TEST_ASSERT( day == time.day ); TEST_ASSERT( hour == time.hour ); TEST_ASSERT( min == time.min ); TEST_ASSERT( sec == time.sec ); } } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT */ void x509_parse_rsassa_pss_params( data_t * hex_params, int params_tag, int ref_msg_md, int ref_mgf_md, int ref_salt_len, int ref_ret ) { int my_ret; mbedtls_x509_buf params; mbedtls_md_type_t my_msg_md, my_mgf_md; int my_salt_len; params.p = hex_params->x; params.len = hex_params->len; params.tag = params_tag; my_ret = mbedtls_x509_get_rsassa_pss_params( ¶ms, &my_msg_md, &my_mgf_md, &my_salt_len ); TEST_ASSERT( my_ret == ref_ret ); if( ref_ret == 0 ) { TEST_ASSERT( my_msg_md == (mbedtls_md_type_t) ref_msg_md ); TEST_ASSERT( my_mgf_md == (mbedtls_md_type_t) ref_mgf_md ); TEST_ASSERT( my_salt_len == ref_salt_len ); } exit: ;; } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_SELF_TEST */ void x509_selftest( ) { TEST_ASSERT( mbedtls_x509_self_test( 1 ) == 0 ); } /* END_CASE */