| /* BEGIN_HEADER */ |
| #include "mbedtls/bignum.h" |
| #include "mbedtls/x509_crt.h" |
| #include "mbedtls/x509_csr.h" |
| #include "mbedtls/pem.h" |
| #include "mbedtls/oid.h" |
| #include "mbedtls/rsa.h" |
| |
| #if defined(MBEDTLS_RSA_C) |
| int mbedtls_rsa_decrypt_func( void *ctx, size_t *olen, |
| const unsigned char *input, unsigned char *output, |
| size_t output_max_len ) |
| { |
| return( mbedtls_rsa_pkcs1_decrypt( (mbedtls_rsa_context *) ctx, NULL, NULL, |
| olen, input, output, output_max_len ) ); |
| } |
| int mbedtls_rsa_sign_func( void *ctx, |
| int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, |
| mbedtls_md_type_t md_alg, unsigned int hashlen, |
| const unsigned char *hash, unsigned char *sig ) |
| { |
| return( mbedtls_rsa_pkcs1_sign( (mbedtls_rsa_context *) ctx, f_rng, p_rng, |
| md_alg, hashlen, hash, sig ) ); |
| } |
| size_t mbedtls_rsa_key_len_func( void *ctx ) |
| { |
| return( ((const mbedtls_rsa_context *) ctx)->len ); |
| } |
| #endif /* MBEDTLS_RSA_C */ |
| |
| #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
| defined(MBEDTLS_PEM_WRITE_C) && defined(MBEDTLS_X509_CSR_WRITE_C) |
| static int x509_crt_verifycsr( const unsigned char *buf, size_t buflen ) |
| { |
| unsigned char hash[MBEDTLS_MD_MAX_SIZE]; |
| const mbedtls_md_info_t *md_info; |
| mbedtls_x509_csr csr; |
| int ret = 0; |
| |
| mbedtls_x509_csr_init( &csr ); |
| |
| if( mbedtls_x509_csr_parse( &csr, buf, buflen ) != 0 ) |
| { |
| ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA; |
| goto cleanup; |
| } |
| |
| md_info = mbedtls_md_info_from_type( csr.sig_md ); |
| if( mbedtls_md( md_info, csr.cri.p, csr.cri.len, hash ) != 0 ) |
| { |
| /* Note: this can't happen except after an internal error */ |
| ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA; |
| goto cleanup; |
| } |
| |
| if( mbedtls_pk_verify_ext( csr.sig_pk, csr.sig_opts, &csr.pk, |
| csr.sig_md, hash, mbedtls_md_get_size( md_info ), |
| csr.sig.p, csr.sig.len ) != 0 ) |
| { |
| ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED; |
| goto cleanup; |
| } |
| |
| cleanup: |
| |
| mbedtls_x509_csr_free( &csr ); |
| return( ret ); |
| } |
| #endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_PEM_WRITE_C && MBEDTLS_X509_CSR_WRITE_C */ |
| |
| /* END_HEADER */ |
| |
| /* BEGIN_DEPENDENCIES |
| * depends_on:MBEDTLS_BIGNUM_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C |
| * END_DEPENDENCIES |
| */ |
| |
| /* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C */ |
| void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type, |
| int key_usage, int set_key_usage, int cert_type, |
| int set_cert_type ) |
| { |
| mbedtls_pk_context key; |
| mbedtls_x509write_csr req; |
| unsigned char buf[4096]; |
| unsigned char check_buf[4000]; |
| int ret; |
| size_t olen = 0, pem_len = 0, buf_index; |
| int der_len = -1; |
| FILE *f; |
| const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1"; |
| mbedtls_test_rnd_pseudo_info rnd_info; |
| |
| memset( &rnd_info, 0x2a, sizeof( mbedtls_test_rnd_pseudo_info ) ); |
| |
| mbedtls_pk_init( &key ); |
| TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL, |
| mbedtls_test_rnd_std_rand, NULL ) == 0 ); |
| |
| mbedtls_x509write_csr_init( &req ); |
| mbedtls_x509write_csr_set_md_alg( &req, md_type ); |
| mbedtls_x509write_csr_set_key( &req, &key ); |
| TEST_ASSERT( mbedtls_x509write_csr_set_subject_name( &req, subject_name ) == 0 ); |
| if( set_key_usage != 0 ) |
| TEST_ASSERT( mbedtls_x509write_csr_set_key_usage( &req, key_usage ) == 0 ); |
| if( set_cert_type != 0 ) |
| TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 ); |
| |
| ret = mbedtls_x509write_csr_pem( &req, buf, sizeof( buf ), |
| mbedtls_test_rnd_pseudo_rand, &rnd_info ); |
| TEST_ASSERT( ret == 0 ); |
| |
| pem_len = strlen( (char *) buf ); |
| |
| for( buf_index = pem_len; buf_index < sizeof( buf ); ++buf_index ) |
| { |
| TEST_ASSERT( buf[buf_index] == 0 ); |
| } |
| |
| f = fopen( cert_req_check_file, "r" ); |
| TEST_ASSERT( f != NULL ); |
| olen = fread( check_buf, 1, sizeof( check_buf ), f ); |
| fclose( f ); |
| |
| TEST_ASSERT( olen >= pem_len - 1 ); |
| TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 ); |
| |
| der_len = mbedtls_x509write_csr_der( &req, buf, sizeof( buf ), |
| mbedtls_test_rnd_pseudo_rand, |
| &rnd_info ); |
| TEST_ASSERT( der_len >= 0 ); |
| |
| if( der_len == 0 ) |
| goto exit; |
| |
| ret = mbedtls_x509write_csr_der( &req, buf, (size_t)( der_len - 1 ), |
| mbedtls_test_rnd_pseudo_rand, &rnd_info ); |
| TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); |
| |
| exit: |
| mbedtls_x509write_csr_free( &req ); |
| mbedtls_pk_free( &key ); |
| } |
| /* END_CASE */ |
| |
| /* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C:MBEDTLS_USE_PSA_CRYPTO */ |
| void x509_csr_check_opaque( char *key_file, int md_type, int key_usage, |
| int cert_type ) |
| { |
| mbedtls_pk_context key; |
| mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; |
| psa_algorithm_t md_alg_psa; |
| mbedtls_x509write_csr req; |
| unsigned char buf[4096]; |
| int ret; |
| size_t pem_len = 0; |
| const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1"; |
| mbedtls_test_rnd_pseudo_info rnd_info; |
| |
| PSA_INIT( ); |
| memset( &rnd_info, 0x2a, sizeof( mbedtls_test_rnd_pseudo_info ) ); |
| |
| md_alg_psa = mbedtls_psa_translate_md( (mbedtls_md_type_t) md_type ); |
| TEST_ASSERT( md_alg_psa != MBEDTLS_MD_NONE ); |
| |
| mbedtls_pk_init( &key ); |
| TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL, |
| mbedtls_test_rnd_std_rand, NULL ) == 0 ); |
| TEST_ASSERT( mbedtls_pk_wrap_as_opaque( &key, &key_id, md_alg_psa ) == 0 ); |
| |
| mbedtls_x509write_csr_init( &req ); |
| mbedtls_x509write_csr_set_md_alg( &req, md_type ); |
| mbedtls_x509write_csr_set_key( &req, &key ); |
| TEST_ASSERT( mbedtls_x509write_csr_set_subject_name( &req, subject_name ) == 0 ); |
| if( key_usage != 0 ) |
| TEST_ASSERT( mbedtls_x509write_csr_set_key_usage( &req, key_usage ) == 0 ); |
| if( cert_type != 0 ) |
| TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 ); |
| |
| ret = mbedtls_x509write_csr_pem( &req, buf, sizeof( buf ) - 1, |
| mbedtls_test_rnd_pseudo_rand, &rnd_info ); |
| |
| TEST_ASSERT( ret == 0 ); |
| |
| pem_len = strlen( (char *) buf ); |
| buf[pem_len] = '\0'; |
| TEST_ASSERT( x509_crt_verifycsr( buf, pem_len + 1 ) == 0 ); |
| |
| |
| exit: |
| mbedtls_x509write_csr_free( &req ); |
| mbedtls_pk_free( &key ); |
| psa_destroy_key( key_id ); |
| PSA_DONE( ); |
| } |
| /* END_CASE */ |
| |
| /* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CRT_WRITE_C:MBEDTLS_SHA1_C */ |
| void x509_crt_check( char *subject_key_file, char *subject_pwd, |
| char *subject_name, char *issuer_key_file, |
| char *issuer_pwd, char *issuer_name, |
| char *serial_str, char *not_before, char *not_after, |
| int md_type, int key_usage, int set_key_usage, |
| int cert_type, int set_cert_type, int auth_ident, |
| int ver, char *cert_check_file, int rsa_alt, int is_ca ) |
| { |
| mbedtls_pk_context subject_key, issuer_key, issuer_key_alt; |
| mbedtls_pk_context *key = &issuer_key; |
| |
| mbedtls_x509write_cert crt; |
| unsigned char buf[4096]; |
| unsigned char check_buf[5000]; |
| mbedtls_mpi serial; |
| int ret; |
| size_t olen = 0, pem_len = 0, buf_index = 0; |
| int der_len = -1; |
| FILE *f; |
| mbedtls_test_rnd_pseudo_info rnd_info; |
| |
| memset( &rnd_info, 0x2a, sizeof( mbedtls_test_rnd_pseudo_info ) ); |
| mbedtls_mpi_init( &serial ); |
| |
| mbedtls_pk_init( &subject_key ); |
| mbedtls_pk_init( &issuer_key ); |
| mbedtls_pk_init( &issuer_key_alt ); |
| |
| mbedtls_x509write_crt_init( &crt ); |
| |
| TEST_ASSERT( mbedtls_pk_parse_keyfile( &subject_key, subject_key_file, |
| subject_pwd, mbedtls_test_rnd_std_rand, NULL ) == 0 ); |
| |
| TEST_ASSERT( mbedtls_pk_parse_keyfile( &issuer_key, issuer_key_file, |
| issuer_pwd, mbedtls_test_rnd_std_rand, NULL ) == 0 ); |
| |
| #if defined(MBEDTLS_RSA_C) |
| /* For RSA PK contexts, create a copy as an alternative RSA context. */ |
| if( rsa_alt == 1 && mbedtls_pk_get_type( &issuer_key ) == MBEDTLS_PK_RSA ) |
| { |
| TEST_ASSERT( mbedtls_pk_setup_rsa_alt( &issuer_key_alt, |
| mbedtls_pk_rsa( issuer_key ), |
| mbedtls_rsa_decrypt_func, |
| mbedtls_rsa_sign_func, |
| mbedtls_rsa_key_len_func ) == 0 ); |
| |
| key = &issuer_key_alt; |
| } |
| #else |
| (void) rsa_alt; |
| #endif |
| |
| TEST_ASSERT( mbedtls_test_read_mpi( &serial, 10, serial_str ) == 0 ); |
| |
| if( ver != -1 ) |
| mbedtls_x509write_crt_set_version( &crt, ver ); |
| |
| TEST_ASSERT( mbedtls_x509write_crt_set_serial( &crt, &serial ) == 0 ); |
| TEST_ASSERT( mbedtls_x509write_crt_set_validity( &crt, not_before, |
| not_after ) == 0 ); |
| mbedtls_x509write_crt_set_md_alg( &crt, md_type ); |
| TEST_ASSERT( mbedtls_x509write_crt_set_issuer_name( &crt, issuer_name ) == 0 ); |
| TEST_ASSERT( mbedtls_x509write_crt_set_subject_name( &crt, subject_name ) == 0 ); |
| mbedtls_x509write_crt_set_subject_key( &crt, &subject_key ); |
| |
| mbedtls_x509write_crt_set_issuer_key( &crt, key ); |
| |
| if( crt.version >= MBEDTLS_X509_CRT_VERSION_3 ) |
| { |
| /* For the CA case, a path length of -1 means unlimited. */ |
| TEST_ASSERT( mbedtls_x509write_crt_set_basic_constraints( &crt, is_ca, |
| (is_ca ? -1 : 0) ) == 0 ); |
| TEST_ASSERT( mbedtls_x509write_crt_set_subject_key_identifier( &crt ) == 0 ); |
| if( auth_ident ) |
| TEST_ASSERT( mbedtls_x509write_crt_set_authority_key_identifier( &crt ) == 0 ); |
| if( set_key_usage != 0 ) |
| TEST_ASSERT( mbedtls_x509write_crt_set_key_usage( &crt, key_usage ) == 0 ); |
| if( set_cert_type != 0 ) |
| TEST_ASSERT( mbedtls_x509write_crt_set_ns_cert_type( &crt, cert_type ) == 0 ); |
| } |
| |
| ret = mbedtls_x509write_crt_pem( &crt, buf, sizeof( buf ), |
| mbedtls_test_rnd_pseudo_rand, &rnd_info ); |
| TEST_ASSERT( ret == 0 ); |
| |
| pem_len = strlen( (char *) buf ); |
| |
| // check that the rest of the buffer remains clear |
| for( buf_index = pem_len; buf_index < sizeof( buf ); ++buf_index ) |
| { |
| TEST_ASSERT( buf[buf_index] == 0 ); |
| } |
| |
| f = fopen( cert_check_file, "r" ); |
| TEST_ASSERT( f != NULL ); |
| olen = fread( check_buf, 1, sizeof( check_buf ), f ); |
| fclose( f ); |
| TEST_ASSERT( olen < sizeof( check_buf ) ); |
| |
| TEST_ASSERT( olen >= pem_len - 1 ); |
| TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 ); |
| |
| der_len = mbedtls_x509write_crt_der( &crt, buf, sizeof( buf ), |
| mbedtls_test_rnd_pseudo_rand, |
| &rnd_info ); |
| TEST_ASSERT( der_len >= 0 ); |
| |
| if( der_len == 0 ) |
| goto exit; |
| |
| ret = mbedtls_x509write_crt_der( &crt, buf, (size_t)( der_len - 1 ), |
| mbedtls_test_rnd_pseudo_rand, &rnd_info ); |
| TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); |
| |
| exit: |
| mbedtls_x509write_crt_free( &crt ); |
| mbedtls_pk_free( &issuer_key_alt ); |
| mbedtls_pk_free( &subject_key ); |
| mbedtls_pk_free( &issuer_key ); |
| mbedtls_mpi_free( &serial ); |
| } |
| /* END_CASE */ |
| |
| /* BEGIN_CASE depends_on:MBEDTLS_X509_CREATE_C:MBEDTLS_X509_USE_C */ |
| void mbedtls_x509_string_to_names( char * name, char * parsed_name, int result |
| ) |
| { |
| int ret; |
| size_t len = 0; |
| mbedtls_asn1_named_data *names = NULL; |
| mbedtls_x509_name parsed, *parsed_cur, *parsed_prv; |
| unsigned char buf[1024], out[1024], *c; |
| |
| memset( &parsed, 0, sizeof( parsed ) ); |
| memset( out, 0, sizeof( out ) ); |
| memset( buf, 0, sizeof( buf ) ); |
| c = buf + sizeof( buf ); |
| |
| ret = mbedtls_x509_string_to_names( &names, name ); |
| TEST_ASSERT( ret == result ); |
| |
| if( ret != 0 ) |
| goto exit; |
| |
| ret = mbedtls_x509_write_names( &c, buf, names ); |
| TEST_ASSERT( ret > 0 ); |
| |
| TEST_ASSERT( mbedtls_asn1_get_tag( &c, buf + sizeof( buf ), &len, |
| MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) == 0 ); |
| TEST_ASSERT( mbedtls_x509_get_name( &c, buf + sizeof( buf ), &parsed ) == 0 ); |
| |
| ret = mbedtls_x509_dn_gets( (char *) out, sizeof( out ), &parsed ); |
| TEST_ASSERT( ret > 0 ); |
| |
| TEST_ASSERT( strcmp( (char *) out, parsed_name ) == 0 ); |
| |
| exit: |
| mbedtls_asn1_free_named_data_list( &names ); |
| |
| parsed_cur = parsed.next; |
| while( parsed_cur != 0 ) |
| { |
| parsed_prv = parsed_cur; |
| parsed_cur = parsed_cur->next; |
| mbedtls_free( parsed_prv ); |
| } |
| } |
| /* END_CASE */ |