Add tests for profile enforcement
Now all checks related to profile are covered in:
- verify_with_profile()
- verify_child()
- verify_top()
(that's 10 lines that were previously not covered)
Leaving aside profile enforcement in CRLs for now, as the focus is on
preparing to refactor cert verification.
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 48bdee8..73727b5 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -28,6 +28,24 @@
1024,
};
+const mbedtls_x509_crt_profile profile_rsa3072 =
+{
+ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
+ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
+ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
+ MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_RSA ),
+ 0,
+ 3072,
+};
+
+const mbedtls_x509_crt_profile profile_sha512 =
+{
+ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
+ 0xFFFFFFF, /* Any PK alg */
+ 0xFFFFFFF, /* Any curve */
+ 1024,
+};
+
int verify_none( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags )
{
((void) data);
@@ -569,6 +587,10 @@
profile = &mbedtls_x509_crt_profile_next;
else if( strcmp(profile_name, "suiteb") == 0 )
profile = &mbedtls_x509_crt_profile_suiteb;
+ else if( strcmp(profile_name, "rsa3072") == 0 )
+ profile = &profile_rsa3072;
+ else if( strcmp(profile_name, "sha512") == 0 )
+ profile = &profile_sha512;
res = mbedtls_x509_crt_verify_with_profile( &chain, &trusted, NULL, profile,
NULL, &flags, NULL, NULL );
