-  Added permissive certificate parsing to x509parse_crt() and x509parse_crtfile(). With permissive parsing, parsing does not stop when a parse error is encountered

diff --git a/ChangeLog b/ChangeLog
index 8817d9f..fc7287e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -35,6 +35,9 @@
    * Changed the used random function pointer to more flexible format. Renamed
      havege_rand() to havege_random() to prevent mistakes. Lots of changes as
 	 a consequence in library code and programs
+   * Added permissive certificate parsing to x509parse_crt() and
+     x509parse_crtfile(). With permissive parsing the parsing does not stop on
+	 encountering a parse-error
 
 Bugfix
    * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h
index 93ef265..11f1a31 100644
--- a/include/polarssl/x509.h
+++ b/include/polarssl/x509.h
@@ -58,7 +58,7 @@
 #define POLARSSL_ERR_X509_CERT_VERIFY_FAILED               -0x2800  /**< Certificate verification failed, e.g. CRL, CA or signature check failed. */
 #define POLARSSL_ERR_X509_KEY_INVALID_VERSION              -0x2880  /**< Unsupported RSA key version */
 #define POLARSSL_ERR_X509_KEY_INVALID_FORMAT               -0x2900  /**< Invalid RSA key tag or value. */
-#define POLARSSL_ERR_X509_POINT_ERROR                      -0x2980  /**< Not used. */
+#define POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT              -0x2980  /**< Format not recognized as DER or PEM. */
 #define POLARSSL_ERR_X509_VALUE_TO_LENGTH                  -0x2A00  /**< Not used. */
 /* \} name */
 
@@ -220,6 +220,17 @@
 
 #define EXT_NS_CERT_TYPE                (1 << 16)
 
+/*
+ * Storage format identifiers
+ * Recognized formats: PEM and DER
+ */
+#define X509_FORMAT_DER                 1
+#define X509_FORMAT_PEM                 2
+
+#define X509_NON_PERMISSIVE             0
+#define X509_PERMISSIVE                 1
+
+
 /** 
  * \addtogroup x509_module
  * \{ */
@@ -409,27 +420,34 @@
 /** \ingroup x509_module */
 /**
  * \brief          Parse one or more certificates and add them
- *                 to the chained list
+ *                 to the chained list. With permissive parsing enabled
+ *                 all certificates that cannot be parsed are ignored.
+ *                 If none complete correctly, the first error is returned.
  *
  * \param chain    points to the start of the chain
  * \param buf      buffer holding the certificate data
  * \param buflen   size of the buffer
+ * \param permissive    X509_PERMISSIVE or X509_NON_PERMISSIVE
  *
  * \return         0 if successful, or a specific X509 or PEM error code
  */
-int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen );
+int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen,
+                   int permissive );
 
 /** \ingroup x509_module */
 /**
  * \brief          Load one or more certificates and add them
- *                 to the chained list
+ *                 to the chained list. With permissive parsing enabled
+ *                 all certificates that cannot be parsed are ignored.
+ *                 If none complete correctly, the first error is returned.
  *
  * \param chain    points to the start of the chain
  * \param path     filename to read the certificates from
+ * \param permissive    X509_PERMISSIVE or X509_NON_PERMISSIVE
  *
  * \return         0 if successful, or a specific X509 or PEM error code
  */
-int x509parse_crtfile( x509_cert *chain, const char *path );
+int x509parse_crtfile( x509_cert *chain, const char *path, int permissive );
 
 /** \ingroup x509_module */
 /**
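Review bot: The new `\param permissive` text does not say what a return of 0 means in permissive mode: per the x509parse_crt() body in this commit, 0 is returned as soon as one certificate parsed, even if others were dropped. Callers loading a trust store need to know that entries can be silently missing, so I would add to both doc blocks `\note In permissive mode a return of 0 only means at least one certificate was added; entries that failed to parse are skipped without notice.` The `\return` line also omits the plain `1` returned for NULL input or allocation failure. The PEM detection relies on `buf` being NUL-terminated, which `\param buf` should state.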
diff --git a/library/error.c b/library/error.c
index d5ad617..33fad85 100644
--- a/library/error.c
+++ b/library/error.c
@@ -297,8 +297,8 @@
             snprintf( buf, buflen, "X509 - Unsupported RSA key version" );
         if( use_ret == -(POLARSSL_ERR_X509_KEY_INVALID_FORMAT) )
             snprintf( buf, buflen, "X509 - Invalid RSA key tag or value" );
-        if( use_ret == -(POLARSSL_ERR_X509_POINT_ERROR) )
-            snprintf( buf, buflen, "X509 - Not used" );
+        if( use_ret == -(POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT) )
+            snprintf( buf, buflen, "X509 - Format not recognized as DER or PEM" );
         if( use_ret == -(POLARSSL_ERR_X509_VALUE_TO_LENGTH) )
             snprintf( buf, buflen, "X509 - Not used" );
 #endif /* POLARSSL_X509_PARSE_C */
diff --git a/library/pem.c b/library/pem.c
index 3e8f79e..33e74ab 100644
--- a/library/pem.c
+++ b/library/pem.c
@@ -345,6 +345,8 @@
 
     if( ctx->info )
         free( ctx->info );
+
+    memset( ctx, 0, sizeof( pem_context ) );
 }
 
 #endif
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index a865a75..26e7dfa 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1401,7 +1401,8 @@
             return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
         }
 
-        ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n );
+        ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n,
+                             X509_NON_PERMISSIVE );
         if( ret != 0 )
         {
             SSL_DEBUG_RET( 1, " x509parse_crt", ret );
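Review bot: The `n` bytes at `ssl->in_msg + i` come from the peer and nothing visible here NUL-terminates them, yet the new x509parse_crt() in library/x509parse.c (same commit) sniffs the format with `strstr( (char *) buf, "-----BEGIN CERTIFICATE-----" )`, which ignores `buflen`. That search can read past the certificate into whatever follows in the input buffer, and a DER certificate that merely embeds the header string would be handed to pem_read_buffer(), which is also called without a data length. A TLS Certificate message carries DER only, so this path should not do format detection at all; until x509parse_crt() offers a DER-only mode, I would at least record the constraint at the call: `/* peer data: DER only, not NUL-terminated; must never reach the PEM path */`. The enclosing function starts and ends outside the hunk.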
diff --git a/library/x509parse.c b/library/x509parse.c
index e14a163..326c986 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -1006,20 +1006,13 @@
 }
 
 /*
- * Parse one or more certificates and add them to the chained list
+ * Parse and fill a single X.509 certificate in DER format
  */
-int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen )
+int x509parse_crt_der( x509_cert *crt, const unsigned char *buf, size_t buflen )
 {
     int ret;
     size_t len;
     unsigned char *p, *end;
-    x509_cert *crt;
-#if defined(POLARSSL_PEM_C)
-    pem_context pem;
-    size_t use_len;
-#endif
-
-    crt = chain;
 
     /*
      * Check for valid input
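Review bot: x509parse_crt_der() is introduced with external linkage, but none of the include/polarssl/x509.h hunks in this commit adds a prototype for it, so it is either an undocumented public symbol or should be `static`. If it is meant to be public, declare it in x509.h with a doc comment. The header comment here could then read `Parse a single DER certificate into crt (no chain walk; crt must be an empty, zeroed entry)`; the second half is my reading of how x509parse_crt() calls it and should be confirmed. The function body continues outside this hunk.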
@@ -1027,69 +1020,6 @@
     if( crt == NULL || buf == NULL )
         return( 1 );
 
-    while( crt->version != 0 && crt->next != NULL )
-        crt = crt->next;
-
-    /*
-     * Add new certificate on the end of the chain if needed.
-     */
-    if ( crt->version != 0 && crt->next == NULL)
-    {
-        crt->next = (x509_cert *) malloc( sizeof( x509_cert ) );
-
-        if( crt->next == NULL )
-        {
-            x509_free( crt );
-            return( 1 );
-        }
-
-        crt = crt->next;
-        memset( crt, 0, sizeof( x509_cert ) );
-    }
-
-#if defined(POLARSSL_PEM_C)
-    pem_init( &pem );
-    ret = pem_read_buffer( &pem,
-                           "-----BEGIN CERTIFICATE-----",
-                           "-----END CERTIFICATE-----",
-                           buf, NULL, 0, &use_len );
-
-    if( ret == 0 )
-    {
-        /*
-         * Was PEM encoded
-         */
-        buflen -= use_len;
-        buf += use_len;
-
-        /*
-         * Steal PEM buffer
-         */
-        p = pem.buf;
-        pem.buf = NULL;
-        len = pem.buflen;
-        pem_free( &pem );
-    }
-    else if( ret != POLARSSL_ERR_PEM_NO_HEADER_PRESENT )
-    {
-        pem_free( &pem );
-        return( ret );
-    }
-    else
-    {
-        /*
-         * nope, copy the raw DER data
-         */
-        p = (unsigned char *) malloc( len = buflen );
-
-        if( p == NULL )
-            return( 1 );
-
-        memcpy( p, buf, buflen );
-
-        buflen = 0;
-    }
-#else
     p = (unsigned char *) malloc( len = buflen );
 
     if( p == NULL )
@@ -1098,7 +1028,6 @@
     memcpy( p, buf, buflen );
 
     buflen = 0;
-#endif
 
     crt->raw.p = p;
     crt->raw.len = len;
@@ -1324,23 +1253,154 @@
                 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
     }
 
-    if( buflen > 0 )
+    return( 0 );
+}
+
+/*
+ * Parse one or more PEM certificates from a buffer and add them to the chained list
+ */
+int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen,
+                   int permissive )
+{
+    int ret, success = 0, first_error = 0;
+    x509_cert *crt, *prev = NULL;
+    int buf_format = X509_FORMAT_DER;
+
+    crt = chain;
+
+    /*
+     * Check for valid input
+     */
+    if( crt == NULL || buf == NULL )
+        return( 1 );
+
+    while( crt->version != 0 && crt->next != NULL )
+    {
+        prev = crt;
+        crt = crt->next;
+    }
+
+    /*
+     * Add new certificate on the end of the chain if needed.
+     */
+    if ( crt->version != 0 && crt->next == NULL)
     {
         crt->next = (x509_cert *) malloc( sizeof( x509_cert ) );
 
         if( crt->next == NULL )
-        {
-            x509_free( crt );
             return( 1 );
-        }
 
+        prev = crt;
         crt = crt->next;
         memset( crt, 0, sizeof( x509_cert ) );
-
-        return( x509parse_crt( crt, buf, buflen ) );
     }
 
-    return( 0 );
+    /*
+     * Determine buffer content. Buffer contains either one DER certificate or
+     * one or more PEM certificates.
+     */
+#if defined(POLARSSL_PEM_C)
+    if( strstr( (char *) buf, "-----BEGIN CERTIFICATE-----" ) != NULL )
+        buf_format = X509_FORMAT_PEM;
+#endif
+
+    if( buf_format == X509_FORMAT_DER )
+        return x509parse_crt_der( crt, buf, buflen );
+    
+#if defined(POLARSSL_PEM_C)
+    if( buf_format == X509_FORMAT_PEM )
+    {
+        pem_context pem;
+
+        while( buflen > 0 )
+        {
+            size_t use_len;
+            pem_init( &pem );
+
+            ret = pem_read_buffer( &pem,
+                           "-----BEGIN CERTIFICATE-----",
+                           "-----END CERTIFICATE-----",
+                           buf, NULL, 0, &use_len );
+
+            if( ret == 0 )
+            {
+                /*
+                 * Was PEM encoded
+                 */
+                buflen -= use_len;
+                buf += use_len;
+            }
+            else if( ret != POLARSSL_ERR_PEM_NO_HEADER_PRESENT )
+            {
+                pem_free( &pem );
+
+                if( first_error == 0 )
+                    first_error = ret;
+
+                continue;
+            }
+            else
+                break;
+
+            ret = x509parse_crt_der( crt, pem.buf, pem.buflen );
+
+            pem_free( &pem );
+
+            if( ret != 0 )
+            {
+                /*
+                 * quit parsing on a memory error or if in non-permissive parsing mode
+                 */
+                if( ret == 1 || permissive != 1 )
+                {
+                    if( prev )
+                        prev->next = NULL;
+
+                    if( crt != chain )
+                        free( crt );
+
+                    return( ret );
+                }
+
+                if( first_error == 0 )
+                    first_error = ret;
+
+                memset( crt, 0, sizeof( x509_cert ) );
+                continue;
+            }
+
+            success = 1;
+
+            /*
+             * Add new certificate to the list
+             */
+            crt->next = (x509_cert *) malloc( sizeof( x509_cert ) );
+
+            if( crt->next == NULL )
+                return( 1 );
+
+            prev = crt;
+            crt = crt->next;
+            memset( crt, 0, sizeof( x509_cert ) );
+        }
+    }
+#endif
+
+    if( crt->version == 0 )
+    {
+        if( prev )
+            prev->next = NULL;
+
+        if( crt != chain )
+            free( crt );
+    }
+
+    if( success )
+        return( 0 );
+    else if( first_error )
+        return( first_error );
+    else
+        return( POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT );
 }
 
 /*
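Review bot: In the PEM loop, the `else if( ret != POLARSSL_ERR_PEM_NO_HEADER_PRESENT )` branch does `continue` without advancing `buf` or `buflen`, so the next iteration repeats pem_read_buffer() with identical arguments and a malformed PEM block (for instance a header followed by undecodable content) would keep the loop from ever terminating. The branch also skips the block regardless of `permissive`, so strict mode does not fail on a PEM decoding error as the header documentation implies. Since the hunk does not show whether `use_len` is valid on failure, the safe change is to stop scanning and, in strict mode, report the error, as sketched below. Separately, `permissive != 1` a few lines further down would read better as `permissive != X509_PERMISSIVE`.

```c
            else if( ret != POLARSSL_ERR_PEM_NO_HEADER_PRESENT )
            {
                /* … unchanged: pem_free(), first_error bookkeeping … */

                /*
                 * buf and buflen were not advanced, so looping again would
                 * repeat the same failing read. Stop scanning instead and
                 * let the cleanup after the loop release the empty entry.
                 */
                if( permissive != X509_PERMISSIVE )
                    success = 0;    /* strict mode reports first_error */

                break;
            }
```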
@@ -1667,7 +1727,7 @@
 /*
  * Load one or more certificates and add them to the chained list
  */
-int x509parse_crtfile( x509_cert *chain, const char *path )
+int x509parse_crtfile( x509_cert *chain, const char *path, int permissive )
 {
     int ret;
     size_t n;
@@ -1676,7 +1736,7 @@
     if ( load_file( path, &buf, &n ) )
         return( 1 );
 
-    ret = x509parse_crt( chain, buf, n );
+    ret = x509parse_crt( chain, buf, n, permissive );
 
     memset( buf, 0, n + 1 );
     free( buf );
@@ -3099,7 +3159,7 @@
     memset( &clicert, 0, sizeof( x509_cert ) );
 
     ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt,
-                         strlen( test_cli_crt ) );
+                         strlen( test_cli_crt ), X509_NON_PERMISSIVE );
     if( ret != 0 )
     {
         if( verbose != 0 )
@@ -3111,7 +3171,7 @@
     memset( &cacert, 0, sizeof( x509_cert ) );
 
     ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt,
-                         strlen( test_ca_crt ) );
+                         strlen( test_ca_crt ), X509_NON_PERMISSIVE );
     if( ret != 0 )
     {
         if( verbose != 0 )
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 3825106..fea43ee 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -224,12 +224,12 @@
 
 #if defined(POLARSSL_FS_IO)
     if( strlen( opt.ca_file ) )
-        ret = x509parse_crtfile( &cacert, opt.ca_file );
+        ret = x509parse_crtfile( &cacert, opt.ca_file, X509_NON_PERMISSIVE );
     else 
 #endif
 #if defined(POLARSSL_CERTS_C)
         ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt,
-                strlen( test_ca_crt ) );
+                strlen( test_ca_crt ), X509_NON_PERMISSIVE );
 #else
     {
         ret = 1;
@@ -254,12 +254,12 @@
 
 #if defined(POLARSSL_FS_IO)
     if( strlen( opt.crt_file ) )
-        ret = x509parse_crtfile( &clicert, opt.crt_file );
+        ret = x509parse_crtfile( &clicert, opt.crt_file, X509_NON_PERMISSIVE );
     else 
 #endif
 #if defined(POLARSSL_CERTS_C)
         ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt,
-                strlen( test_cli_crt ) );
+                strlen( test_cli_crt ), X509_NON_PERMISSIVE );
 #else
     {
         ret = 1;
diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c
index 85803d3..0f0cfc3 100644
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@@ -230,7 +230,7 @@
      * server and CA certificates, as well as x509parse_keyfile().
      */
     ret = x509parse_crt( &srvcert, (unsigned char *) test_srv_crt,
-                         strlen( test_srv_crt ) );
+                         strlen( test_srv_crt ), X509_NON_PERMISSIVE );
     if( ret != 0 )
     {
         printf( " failed\n  !  x509parse_crt returned %d\n\n", ret );
@@ -238,7 +238,7 @@
     }
 
     ret = x509parse_crt( &srvcert, (unsigned char *) test_ca_crt,
-                         strlen( test_ca_crt ) );
+                         strlen( test_ca_crt ), X509_NON_PERMISSIVE );
     if( ret != 0 )
     {
         printf( " failed\n  !  x509parse_crt returned %d\n\n", ret );
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index 3f4bd75..08ecd1a 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -476,12 +476,12 @@
 
 #if defined(POLARSSL_FS_IO)
     if( strlen( opt.ca_file ) )
-        ret = x509parse_crtfile( &cacert, opt.ca_file );
+        ret = x509parse_crtfile( &cacert, opt.ca_file, X509_NON_PERMISSIVE );
     else
 #endif
 #if defined(POLARSSL_CERTS_C)
         ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt,
-                strlen( test_ca_crt ) );
+                strlen( test_ca_crt ), X509_NON_PERMISSIVE );
 #else
     {
         ret = 1;
@@ -506,12 +506,12 @@
 
 #if defined(POLARSSL_FS_IO)
     if( strlen( opt.crt_file ) )
-        ret = x509parse_crtfile( &clicert, opt.crt_file );
+        ret = x509parse_crtfile( &clicert, opt.crt_file, X509_NON_PERMISSIVE );
     else 
 #endif
 #if defined(POLARSSL_CERTS_C)
         ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt,
-                strlen( test_cli_crt ) );
+                strlen( test_cli_crt ), X509_NON_PERMISSIVE );
 #else
     {
         ret = 1;
diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c
index 8a49140..a673f52 100644
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@@ -216,7 +216,7 @@
      * server and CA certificates, as well as x509parse_keyfile().
      */
     ret = x509parse_crt( &srvcert, (unsigned char *) test_srv_crt,
-                         strlen( test_srv_crt ) );
+                         strlen( test_srv_crt ), X509_NON_PERMISSIVE );
     if( ret != 0 )
     {
         printf( " failed\n  !  x509parse_crt returned %d\n\n", ret );
@@ -224,7 +224,7 @@
     }
 
     ret = x509parse_crt( &srvcert, (unsigned char *) test_ca_crt,
-                         strlen( test_ca_crt ) );
+                         strlen( test_ca_crt ), X509_NON_PERMISSIVE );
     if( ret != 0 )
     {
         printf( " failed\n  !  x509parse_crt returned %d\n\n", ret );
diff --git a/programs/test/ssl_cert_test.c b/programs/test/ssl_cert_test.c
index 57ea32c..2e4e6c5 100644
--- a/programs/test/ssl_cert_test.c
+++ b/programs/test/ssl_cert_test.c
@@ -100,7 +100,7 @@
      * Alternatively, you may load the CA certificates from a .pem or
      * .crt file by calling x509parse_crtfile( &cacert, "myca.crt" ).
      */
-    ret = x509parse_crtfile( &cacert, "ssl/test-ca/test-ca.crt" );
+    ret = x509parse_crtfile( &cacert, "ssl/test-ca/test-ca.crt", X509_NON_PERMISSIVE );
     if( ret != 0 )
     {
         printf( " failed\n  !  x509parse_crtfile returned %d\n\n", ret );
@@ -148,7 +148,7 @@
         printf( "  . Loading the client certificate %s...", name );
         fflush( stdout );
 
-        ret = x509parse_crtfile( &clicert, name );
+        ret = x509parse_crtfile( &clicert, name, X509_NON_PERMISSIVE );
         if( ret != 0 )
         {
             printf( " failed\n  !  x509parse_crt returned %d\n\n", ret );
diff --git a/programs/test/ssl_test.c b/programs/test/ssl_test.c
index 8bac4b2..b9c9572 100644
--- a/programs/test/ssl_test.c
+++ b/programs/test/ssl_test.c
@@ -203,7 +203,7 @@
         goto exit;
 #else
         ret =  x509parse_crt( &srvcert, (unsigned char *) test_srv_crt,
-                              strlen( test_srv_crt ) );
+                              strlen( test_srv_crt ), X509_NON_PERMISSIVE );
         if( ret != 0 )
         {
             printf( "  !  x509parse_crt returned %d\n\n", ret );
@@ -211,7 +211,7 @@
         }
 
         ret =  x509parse_crt( &srvcert, (unsigned char *) test_ca_crt,
-                              strlen( test_ca_crt ) );
+                              strlen( test_ca_crt ), X509_NON_PERMISSIVE );
         if( ret != 0 )
         {
             printf( "  !  x509parse_crt returned %d\n\n", ret );
diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c
index cde96af..24b9727 100644
--- a/programs/x509/cert_app.c
+++ b/programs/x509/cert_app.c
@@ -47,6 +47,7 @@
 #define DFL_SERVER_NAME         "localhost"
 #define DFL_SERVER_PORT         4433
 #define DFL_DEBUG_LEVEL         0
+#define DFL_PERMISSIVE          0
 
 /*
  * global options
@@ -58,6 +59,7 @@
     char *server_name;          /* hostname of the server (client only) */
     int server_port;            /* port on which the ssl service runs   */
     int debug_level;            /* level of debugging                   */
+    int permissive;             /* permissive parsing                   */
 } opt;
 
 void my_debug( void *ctx, int level, const char *str )
@@ -77,6 +79,7 @@
     "    server_name=%%s      default: localhost\n"     \
     "    server_port=%%d      default: 4433\n"          \
     "    debug_level=%%d      default: 0 (disabled)\n"  \
+    "    permissive=%%d       default: 0 (disabled)\n"  \
     "\n"
 
 #if !defined(POLARSSL_BIGNUM_C) || !defined(POLARSSL_HAVEGE_C) ||   \
@@ -128,6 +131,7 @@
     opt.server_name         = DFL_SERVER_NAME;
     opt.server_port         = DFL_SERVER_PORT;
     opt.debug_level         = DFL_DEBUG_LEVEL;
+    opt.permissive          = DFL_PERMISSIVE;
 
     for( i = 1; i < argc; i++ )
     {
@@ -169,6 +173,12 @@
             if( opt.debug_level < 0 || opt.debug_level > 65535 )
                 goto usage;
         }
+        else if( strcmp( p, "permissive" ) == 0 )
+        {
+            opt.permissive = atoi( q );
+            if( opt.permissive < 0 || opt.permissive > 1 )
+                goto usage;
+        }
         else
             goto usage;
     }
@@ -185,7 +195,7 @@
         printf( "\n  . Loading the certificate(s) ..." );
         fflush( stdout );
 
-        ret = x509parse_crtfile( &crt, opt.filename );
+        ret = x509parse_crtfile( &crt, opt.filename, opt.permissive );
 
         if( ret != 0 )
         {
diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function
index 02381ca..950c7ea 100644
--- a/tests/suites/test_suite_debug.function
+++ b/tests/suites/test_suite_debug.function
@@ -35,7 +35,7 @@
 
     ssl_set_dbg(&ssl, string_debug, &buffer);
 
-    TEST_ASSERT( x509parse_crtfile( &crt, {crt_file} ) == 0 );
+    TEST_ASSERT( x509parse_crtfile( &crt, {crt_file}, X509_NON_PERMISSIVE ) == 0 );
     debug_print_crt( &ssl, 0, {file}, {line}, {prefix}, &crt);
 
     TEST_ASSERT( strcmp( buffer.buf, {result_str} ) == 0 );
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 18e1c41..deac249 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -38,7 +38,7 @@
     memset( &crt, 0, sizeof( x509_cert ) );
     memset( buf, 0, 2000 );
 
-    TEST_ASSERT( x509parse_crtfile( &crt, {crt_file} ) == 0 );
+    TEST_ASSERT( x509parse_crtfile( &crt, {crt_file}, X509_NON_PERMISSIVE ) == 0 );
     res = x509parse_cert_info( buf, 2000, "", &crt );
 
     TEST_ASSERT( res != -1 );
@@ -81,8 +81,8 @@
     memset( &ca, 0, sizeof( x509_cert ) );
     memset( &crl, 0, sizeof( x509_crl ) );
 
-    TEST_ASSERT( x509parse_crtfile( &crt, {crt_file} ) == 0 );
-    TEST_ASSERT( x509parse_crtfile( &ca, {ca_file} ) == 0 );
+    TEST_ASSERT( x509parse_crtfile( &crt, {crt_file}, X509_NON_PERMISSIVE ) == 0 );
+    TEST_ASSERT( x509parse_crtfile( &ca, {ca_file}, X509_NON_PERMISSIVE ) == 0 );
     TEST_ASSERT( x509parse_crlfile( &crl, {crl_file} ) == 0 );
 
     res = x509parse_verify( &crt, &ca, &crl, {cn_name}, &flags, {verify_callback}, NULL );
@@ -102,7 +102,7 @@
     memset( &crt, 0, sizeof( x509_cert ) );
     memset( buf, 0, 2000 );
 
-    TEST_ASSERT( x509parse_crtfile( &crt, {crt_file} ) == 0 );
+    TEST_ASSERT( x509parse_crtfile( &crt, {crt_file}, X509_NON_PERMISSIVE ) == 0 );
     res =  x509parse_dn_gets( buf, 2000, &crt.{entity} );
 
     TEST_ASSERT( res != -1 );
@@ -119,7 +119,7 @@
 
     memset( &crt, 0, sizeof( x509_cert ) );
 
-    TEST_ASSERT( x509parse_crtfile( &crt, {crt_file} ) == 0 );
+    TEST_ASSERT( x509parse_crtfile( &crt, {crt_file}, X509_NON_PERMISSIVE ) == 0 );
     TEST_ASSERT( x509parse_time_expired( &crt.{entity} ) == {result} );
 }
 END_CASE
@@ -176,7 +176,7 @@
 
     data_len = unhexify( buf, {crt_data} );
 
-    TEST_ASSERT( x509parse_crt( &crt, buf, data_len ) == ( {result} ) );
+    TEST_ASSERT( x509parse_crt( &crt, buf, data_len, X509_NON_PERMISSIVE ) == ( {result} ) );
     if( ( {result} ) == 0 )
     {
         res = x509parse_cert_info( (char *) output, 2000, "", &crt );
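Review bot: Every call in this suite is updated to X509_NON_PERMISSIVE, so as far as these hunks show nothing exercises the new permissive path or the PEM error handling added in x509parse_crt(). I would add cases for a PEM bundle with one corrupt entry between two valid ones, checked in both modes (strict returns the error, permissive returns 0 with two certificates in the chain), and for a bundle where every entry is corrupt (first error returned). The enclosing test function starts and ends outside the hunk.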