Gitiles
Code Review Sign In
git01.mediatek.com / filogic / uboot / 0344c602eadc0802776b65ff90f0a02c856cf53c / . / tests / suites / test_suite_x509write.function
blob: 1db7e1cff23e7d859fb0eea3fe90065ba581b3c2 [file] [log] [blame]
Tom Rini0344c602024-10-08 13:56:50 -0600[diff] [blame^]1/* BEGIN_HEADER */
2#include "mbedtls/bignum.h"
3#include "mbedtls/x509_crt.h"
4#include "mbedtls/x509_csr.h"
5#include "x509_internal.h"
6#include "mbedtls/pem.h"
7#include "mbedtls/oid.h"
8#include "mbedtls/rsa.h"
9#include "mbedtls/asn1write.h"
10#include "mbedtls/pk.h"
11#include "mbedtls/psa_util.h"
12
13#if defined(MBEDTLS_RSA_C)
14int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen,
15 const unsigned char *input, unsigned char *output,
16 size_t output_max_len)
17{
18 return mbedtls_rsa_pkcs1_decrypt((mbedtls_rsa_context *) ctx, NULL, NULL,
19 olen, input, output, output_max_len);
20}
21int mbedtls_rsa_sign_func(void *ctx,
22 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
23 mbedtls_md_type_t md_alg, unsigned int hashlen,
24 const unsigned char *hash, unsigned char *sig)
25{
26 return mbedtls_rsa_pkcs1_sign((mbedtls_rsa_context *) ctx, f_rng, p_rng,
27 md_alg, hashlen, hash, sig);
28}
29size_t mbedtls_rsa_key_len_func(void *ctx)
30{
31 return ((const mbedtls_rsa_context *) ctx)->len;
32}
33#endif /* MBEDTLS_RSA_C */
34
35#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
36 defined(MBEDTLS_PEM_WRITE_C) && defined(MBEDTLS_X509_CSR_WRITE_C)
37static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen)
38{
39 unsigned char hash[PSA_HASH_MAX_SIZE];
40 mbedtls_x509_csr csr;
41 int ret = 0;
42
43 mbedtls_x509_csr_init(&csr);
44
45 if (mbedtls_x509_csr_parse(&csr, buf, buflen) != 0) {
46 ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
47 goto cleanup;
48 }
49
50 psa_algorithm_t psa_alg = mbedtls_md_psa_alg_from_type(csr.sig_md);
51 size_t hash_size = 0;
52 psa_status_t status = psa_hash_compute(psa_alg, csr.cri.p, csr.cri.len,
53 hash, PSA_HASH_MAX_SIZE, &hash_size);
54
55 if (status != PSA_SUCCESS) {
56 /* Note: this can't happen except after an internal error */
57 ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
58 goto cleanup;
59 }
60
61 if (mbedtls_pk_verify_ext(csr.sig_pk, csr.sig_opts, &csr.pk,
62 csr.sig_md, hash, mbedtls_md_get_size_from_type(csr.sig_md),
63 csr.sig.p, csr.sig.len) != 0) {
64 ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
65 goto cleanup;
66 }
67
68cleanup:
69
70 mbedtls_x509_csr_free(&csr);
71 return ret;
72}
73#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_PEM_WRITE_C && MBEDTLS_X509_CSR_WRITE_C */
74
75#if defined(MBEDTLS_X509_CSR_WRITE_C)
76
77/*
78 * The size of this temporary buffer is given by the sequence of functions
79 * called hereinafter:
80 * - mbedtls_asn1_write_oid()
81 * - 8 bytes for MBEDTLS_OID_EXTENDED_KEY_USAGE raw value
82 * - 1 byte for MBEDTLS_OID_EXTENDED_KEY_USAGE length
83 * - 1 byte for MBEDTLS_ASN1_OID tag
84 * - mbedtls_asn1_write_len()
85 * - 1 byte since we're dealing with sizes which are less than 0x80
86 * - mbedtls_asn1_write_tag()
87 * - 1 byte
88 *
89 * This length is fine as long as this function is called using the
90 * MBEDTLS_OID_SERVER_AUTH OID. If this is changed in the future, then this
91 * buffer's length should be adjusted accordingly.
92 * Unfortunately there's no predefined max size for OIDs which can be used
93 * to set an overall upper boundary which is always guaranteed.
94 */
95#define EXT_KEY_USAGE_TMP_BUF_MAX_LENGTH 12
96
97static int csr_set_extended_key_usage(mbedtls_x509write_csr *ctx,
98 const char *oid, size_t oid_len)
99{
100 unsigned char buf[EXT_KEY_USAGE_TMP_BUF_MAX_LENGTH] = { 0 };
101 unsigned char *p = buf + sizeof(buf);
102 int ret;
103 size_t len = 0;
104
105 /*
106 * Following functions fail anyway if the temporary buffer is not large,
107 * but we set an extra check here to emphasize a possible source of errors
108 */
109 if (oid_len > EXT_KEY_USAGE_TMP_BUF_MAX_LENGTH) {
110 return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
111 }
112
113 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_oid(&p, buf, oid, oid_len));
114 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, buf, ret));
115 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, buf,
116 MBEDTLS_ASN1_CONSTRUCTED |
117 MBEDTLS_ASN1_SEQUENCE));
118
119 ret = mbedtls_x509write_csr_set_extension(ctx,
120 MBEDTLS_OID_EXTENDED_KEY_USAGE,
121 MBEDTLS_OID_SIZE(MBEDTLS_OID_EXTENDED_KEY_USAGE),
122 0,
123 p,
124 len);
125
126 return ret;
127}
128#endif /* MBEDTLS_X509_CSR_WRITE_C */
129
130/* Due to inconsistencies in the input size limits applied by different
131 * library functions, some write-parse tests may fail. */
132#define MAY_FAIL_GET_NAME 0x0001
133#define MAY_FAIL_DN_GETS 0x0002
134
135/* END_HEADER */
136
137/* BEGIN_DEPENDENCIES
138 * depends_on:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C
139 * END_DEPENDENCIES
140 */
141
142/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C */
143void x509_csr_check(char *key_file, char *cert_req_check_file, int md_type,
144 int key_usage, int set_key_usage, int cert_type,
145 int set_cert_type, int set_extension)
146{
147 mbedtls_pk_context key;
148 mbedtls_x509write_csr req;
149 unsigned char buf[4096];
150 int ret;
151#if !defined(MBEDTLS_USE_PSA_CRYPTO)
152 unsigned char check_buf[4000];
153 FILE *f;
154 size_t olen = 0;
155#endif /* !MBEDTLS_USE_PSA_CRYPTO */
156 size_t pem_len = 0, buf_index;
157 int der_len = -1;
158 const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1";
159 mbedtls_test_rnd_pseudo_info rnd_info;
160 mbedtls_x509_san_list san_ip;
161 mbedtls_x509_san_list san_dns;
162 mbedtls_x509_san_list san_uri;
163 mbedtls_x509_san_list san_mail;
164 mbedtls_x509_san_list san_dn;
165 mbedtls_x509_san_list *san_list = NULL;
166 mbedtls_asn1_named_data *ext_san_dirname = NULL;
167
168 const char san_ip_name[] = { 0x7f, 0x00, 0x00, 0x01 }; // 127.0.0.1
169 const char *san_dns_name = "example.com";
170 const char *san_dn_name = "C=UK,O=Mbed TLS,CN=Mbed TLS directoryName SAN";
171 const char *san_mail_name = "mail@example.com";
172 const char *san_uri_name = "http://pki.example.com";
173
174 san_mail.node.type = MBEDTLS_X509_SAN_RFC822_NAME;
175 san_mail.node.san.unstructured_name.p = (unsigned char *) san_mail_name;
176 san_mail.node.san.unstructured_name.len = strlen(san_mail_name);
177 san_mail.next = NULL;
178
179 san_dns.node.type = MBEDTLS_X509_SAN_DNS_NAME;
180 san_dns.node.san.unstructured_name.p = (unsigned char *) san_dns_name;
181 san_dns.node.san.unstructured_name.len = strlen(san_dns_name);
182 san_dns.next = &san_mail;
183
184 san_dn.node.type = MBEDTLS_X509_SAN_DIRECTORY_NAME;
185 TEST_ASSERT(mbedtls_x509_string_to_names(&ext_san_dirname,
186 san_dn_name) == 0);
187 san_dn.node.san.directory_name = *ext_san_dirname;
188 san_dn.next = &san_dns;
189
190 san_ip.node.type = MBEDTLS_X509_SAN_IP_ADDRESS;
191 san_ip.node.san.unstructured_name.p = (unsigned char *) san_ip_name;
192 san_ip.node.san.unstructured_name.len = sizeof(san_ip_name);
193 san_ip.next = &san_dn;
194
195 san_uri.node.type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER;
196 san_uri.node.san.unstructured_name.p = (unsigned char *) san_uri_name;
197 san_uri.node.san.unstructured_name.len = strlen(san_uri_name);
198 san_uri.next = &san_ip;
199
200 san_list = &san_uri;
201
202 memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info));
203
204 mbedtls_x509write_csr_init(&req);
205 mbedtls_pk_init(&key);
206 MD_OR_USE_PSA_INIT();
207
208 TEST_ASSERT(mbedtls_pk_parse_keyfile(&key, key_file, NULL,
209 mbedtls_test_rnd_std_rand, NULL) == 0);
210
211 mbedtls_x509write_csr_set_md_alg(&req, md_type);
212 mbedtls_x509write_csr_set_key(&req, &key);
213 TEST_ASSERT(mbedtls_x509write_csr_set_subject_name(&req, subject_name) == 0);
214 if (set_key_usage != 0) {
215 TEST_ASSERT(mbedtls_x509write_csr_set_key_usage(&req, key_usage) == 0);
216 }
217 if (set_cert_type != 0) {
218 TEST_ASSERT(mbedtls_x509write_csr_set_ns_cert_type(&req, cert_type) == 0);
219 }
220 if (set_extension != 0) {
221 TEST_ASSERT(csr_set_extended_key_usage(&req, MBEDTLS_OID_SERVER_AUTH,
222 MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH)) == 0);
223
224 TEST_ASSERT(mbedtls_x509write_csr_set_subject_alternative_name(&req, san_list) == 0);
225 }
226
227 ret = mbedtls_x509write_csr_pem(&req, buf, sizeof(buf),
228 mbedtls_test_rnd_pseudo_rand, &rnd_info);
229 TEST_ASSERT(ret == 0);
230
231 pem_len = strlen((char *) buf);
232
233 for (buf_index = pem_len; buf_index < sizeof(buf); ++buf_index) {
234 TEST_ASSERT(buf[buf_index] == 0);
235 }
236
237#if defined(MBEDTLS_USE_PSA_CRYPTO)
238 // When using PSA crypto, RNG isn't controllable, so cert_req_check_file can't be used
239 (void) cert_req_check_file;
240 buf[pem_len] = '\0';
241 TEST_ASSERT(x509_crt_verifycsr(buf, pem_len + 1) == 0);
242#else
243 f = fopen(cert_req_check_file, "r");
244 TEST_ASSERT(f != NULL);
245 olen = fread(check_buf, 1, sizeof(check_buf), f);
246 fclose(f);
247
248 TEST_ASSERT(olen >= pem_len - 1);
249 TEST_ASSERT(memcmp(buf, check_buf, pem_len - 1) == 0);
250#endif /* MBEDTLS_USE_PSA_CRYPTO */
251
252 der_len = mbedtls_x509write_csr_der(&req, buf, sizeof(buf),
253 mbedtls_test_rnd_pseudo_rand,
254 &rnd_info);
255 TEST_ASSERT(der_len >= 0);
256
257 if (der_len == 0) {
258 goto exit;
259 }
260
261#if defined(MBEDTLS_USE_PSA_CRYPTO)
262 // When using PSA crypto, RNG isn't controllable, result length isn't
263 // deterministic over multiple runs, removing a single byte isn't enough to
264 // go into the MBEDTLS_ERR_ASN1_BUF_TOO_SMALL error case
265 der_len /= 2;
266#else
267 der_len -= 1;
268#endif
269 ret = mbedtls_x509write_csr_der(&req, buf, (size_t) (der_len),
270 mbedtls_test_rnd_pseudo_rand, &rnd_info);
271 TEST_ASSERT(ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL);
272
273exit:
274 mbedtls_asn1_free_named_data_list(&ext_san_dirname);
275 mbedtls_x509write_csr_free(&req);
276 mbedtls_pk_free(&key);
277 MD_OR_USE_PSA_DONE();
278}
279/* END_CASE */
280
281/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C:MBEDTLS_USE_PSA_CRYPTO */
282void x509_csr_check_opaque(char *key_file, int md_type, int key_usage,
283 int cert_type)
284{
285 mbedtls_pk_context key;
286 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
287 psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
288 mbedtls_x509write_csr req;
289 unsigned char buf[4096];
290 int ret;
291 size_t pem_len = 0;
292 const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1";
293 mbedtls_test_rnd_pseudo_info rnd_info;
294
295 mbedtls_x509write_csr_init(&req);
296 MD_OR_USE_PSA_INIT();
297
298 memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info));
299
300 mbedtls_pk_init(&key);
301 TEST_ASSERT(mbedtls_pk_parse_keyfile(&key, key_file, NULL,
302 mbedtls_test_rnd_std_rand, NULL) == 0);
303
304 /* Turn the PK context into an opaque one. */
305 TEST_EQUAL(mbedtls_pk_get_psa_attributes(&key, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0);
306 TEST_EQUAL(mbedtls_pk_import_into_psa(&key, &key_attr, &key_id), 0);
307 mbedtls_pk_free(&key);
308 mbedtls_pk_init(&key);
309 TEST_EQUAL(mbedtls_pk_setup_opaque(&key, key_id), 0);
310
311 mbedtls_x509write_csr_set_md_alg(&req, md_type);
312 mbedtls_x509write_csr_set_key(&req, &key);
313 TEST_ASSERT(mbedtls_x509write_csr_set_subject_name(&req, subject_name) == 0);
314 if (key_usage != 0) {
315 TEST_ASSERT(mbedtls_x509write_csr_set_key_usage(&req, key_usage) == 0);
316 }
317 if (cert_type != 0) {
318 TEST_ASSERT(mbedtls_x509write_csr_set_ns_cert_type(&req, cert_type) == 0);
319 }
320
321 ret = mbedtls_x509write_csr_pem(&req, buf, sizeof(buf) - 1,
322 mbedtls_test_rnd_pseudo_rand, &rnd_info);
323
324 TEST_ASSERT(ret == 0);
325
326 pem_len = strlen((char *) buf);
327 buf[pem_len] = '\0';
328 TEST_ASSERT(x509_crt_verifycsr(buf, pem_len + 1) == 0);
329
330
331exit:
332 mbedtls_x509write_csr_free(&req);
333 mbedtls_pk_free(&key);
334 psa_destroy_key(key_id);
335 MD_OR_USE_PSA_DONE();
336}
337/* END_CASE */
338
339/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CRT_WRITE_C:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_MD_CAN_SHA1 */
340void x509_crt_check(char *subject_key_file, char *subject_pwd,
341 char *subject_name, char *issuer_key_file,
342 char *issuer_pwd, char *issuer_name,
343 data_t *serial_arg, char *not_before, char *not_after,
344 int md_type, int key_usage, int set_key_usage,
345 char *ext_key_usage,
346 int cert_type, int set_cert_type, int auth_ident,
347 int ver, char *cert_check_file, int pk_wrap, int is_ca,
348 char *cert_verify_file, int set_subjectAltNames)
349{
350 mbedtls_pk_context subject_key, issuer_key, issuer_key_alt;
351 mbedtls_pk_context *key = &issuer_key;
352
353 mbedtls_x509write_cert crt;
354 unsigned char buf[4096];
355 unsigned char check_buf[5000];
356 unsigned char *p, *end;
357 unsigned char tag, sz;
358#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C)
359 mbedtls_mpi serial_mpi;
360#endif
361 int ret, before_tag, after_tag;
362 size_t olen = 0, pem_len = 0, buf_index = 0;
363 int der_len = -1;
364 FILE *f;
365 mbedtls_test_rnd_pseudo_info rnd_info;
366#if defined(MBEDTLS_USE_PSA_CRYPTO)
367 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
368 psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
369#endif
370 mbedtls_pk_type_t issuer_key_type;
371 mbedtls_x509_san_list san_ip;
372 mbedtls_x509_san_list san_dns;
373 mbedtls_x509_san_list san_uri;
374 mbedtls_x509_san_list san_mail;
375 mbedtls_x509_san_list san_dn;
376 mbedtls_asn1_named_data *ext_san_dirname = NULL;
377 const char san_ip_name[] = { 0x01, 0x02, 0x03, 0x04 };
378 const char *san_dns_name = "example.com";
379 const char *san_dn_name = "C=UK,O=Mbed TLS,CN=SubjectAltName test";
380 const char *san_mail_name = "mail@example.com";
381 const char *san_uri_name = "http://pki.example.com";
382 mbedtls_x509_san_list *san_list = NULL;
383
384 if (set_subjectAltNames) {
385 san_mail.node.type = MBEDTLS_X509_SAN_RFC822_NAME;
386 san_mail.node.san.unstructured_name.p = (unsigned char *) san_mail_name;
387 san_mail.node.san.unstructured_name.len = strlen(san_mail_name);
388 san_mail.next = NULL;
389
390 san_dns.node.type = MBEDTLS_X509_SAN_DNS_NAME;
391 san_dns.node.san.unstructured_name.p = (unsigned char *) san_dns_name;
392 san_dns.node.san.unstructured_name.len = strlen(san_dns_name);
393 san_dns.next = &san_mail;
394
395 san_dn.node.type = MBEDTLS_X509_SAN_DIRECTORY_NAME;
396 TEST_ASSERT(mbedtls_x509_string_to_names(&ext_san_dirname,
397 san_dn_name) == 0);
398 san_dn.node.san.directory_name = *ext_san_dirname;
399 san_dn.next = &san_dns;
400
401 san_ip.node.type = MBEDTLS_X509_SAN_IP_ADDRESS;
402 san_ip.node.san.unstructured_name.p = (unsigned char *) san_ip_name;
403 san_ip.node.san.unstructured_name.len = sizeof(san_ip_name);
404 san_ip.next = &san_dn;
405
406 san_uri.node.type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER;
407 san_uri.node.san.unstructured_name.p = (unsigned char *) san_uri_name;
408 san_uri.node.san.unstructured_name.len = strlen(san_uri_name);
409 san_uri.next = &san_ip;
410
411 san_list = &san_uri;
412 }
413
414 memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info));
415#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C)
416 mbedtls_mpi_init(&serial_mpi);
417#endif
418
419 mbedtls_pk_init(&subject_key);
420 mbedtls_pk_init(&issuer_key);
421 mbedtls_pk_init(&issuer_key_alt);
422 mbedtls_x509write_crt_init(&crt);
423 MD_OR_USE_PSA_INIT();
424
425 TEST_ASSERT(mbedtls_pk_parse_keyfile(&subject_key, subject_key_file,
426 subject_pwd, mbedtls_test_rnd_std_rand, NULL) == 0);
427
428 TEST_ASSERT(mbedtls_pk_parse_keyfile(&issuer_key, issuer_key_file,
429 issuer_pwd, mbedtls_test_rnd_std_rand, NULL) == 0);
430
431 issuer_key_type = mbedtls_pk_get_type(&issuer_key);
432
433#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
434 /* For RSA PK contexts, create a copy as an alternative RSA context. */
435 if (pk_wrap == 1 && issuer_key_type == MBEDTLS_PK_RSA) {
436 TEST_ASSERT(mbedtls_pk_setup_rsa_alt(&issuer_key_alt,
437 mbedtls_pk_rsa(issuer_key),
438 mbedtls_rsa_decrypt_func,
439 mbedtls_rsa_sign_func,
440 mbedtls_rsa_key_len_func) == 0);
441
442 key = &issuer_key_alt;
443 }
444#endif
445
446#if defined(MBEDTLS_USE_PSA_CRYPTO)
447 /* Turn the issuer PK context into an opaque one. */
448 if (pk_wrap == 2) {
449 TEST_EQUAL(mbedtls_pk_get_psa_attributes(&issuer_key, PSA_KEY_USAGE_SIGN_HASH,
450 &key_attr), 0);
451 TEST_EQUAL(mbedtls_pk_import_into_psa(&issuer_key, &key_attr, &key_id), 0);
452 mbedtls_pk_free(&issuer_key);
453 mbedtls_pk_init(&issuer_key);
454 TEST_EQUAL(mbedtls_pk_setup_opaque(&issuer_key, key_id), 0);
455 }
456#endif /* MBEDTLS_USE_PSA_CRYPTO */
457
458 if (pk_wrap == 2) {
459 TEST_ASSERT(mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_OPAQUE);
460 }
461
462 if (ver != -1) {
463 mbedtls_x509write_crt_set_version(&crt, ver);
464 }
465
466#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C)
467 TEST_ASSERT(mbedtls_mpi_read_binary(&serial_mpi, serial_arg->x,
468 serial_arg->len) == 0);
469 TEST_ASSERT(mbedtls_x509write_crt_set_serial(&crt, &serial_mpi) == 0);
470#else
471 TEST_ASSERT(mbedtls_x509write_crt_set_serial_raw(&crt, serial_arg->x,
472 serial_arg->len) == 0);
473#endif
474 TEST_ASSERT(mbedtls_x509write_crt_set_validity(&crt, not_before,
475 not_after) == 0);
476 mbedtls_x509write_crt_set_md_alg(&crt, md_type);
477 TEST_ASSERT(mbedtls_x509write_crt_set_issuer_name(&crt, issuer_name) == 0);
478 TEST_ASSERT(mbedtls_x509write_crt_set_subject_name(&crt, subject_name) == 0);
479 mbedtls_x509write_crt_set_subject_key(&crt, &subject_key);
480
481 mbedtls_x509write_crt_set_issuer_key(&crt, key);
482
483 if (crt.version >= MBEDTLS_X509_CRT_VERSION_3) {
484 /* For the CA case, a path length of -1 means unlimited. */
485 TEST_ASSERT(mbedtls_x509write_crt_set_basic_constraints(&crt, is_ca,
486 (is_ca ? -1 : 0)) == 0);
487 TEST_ASSERT(mbedtls_x509write_crt_set_subject_key_identifier(&crt) == 0);
488 if (auth_ident) {
489 TEST_ASSERT(mbedtls_x509write_crt_set_authority_key_identifier(&crt) == 0);
490 }
491 if (set_key_usage != 0) {
492 TEST_ASSERT(mbedtls_x509write_crt_set_key_usage(&crt, key_usage) == 0);
493 }
494 if (set_cert_type != 0) {
495 TEST_ASSERT(mbedtls_x509write_crt_set_ns_cert_type(&crt, cert_type) == 0);
496 }
497 if (strcmp(ext_key_usage, "NULL") != 0) {
498 mbedtls_asn1_sequence exts[2];
499 memset(exts, 0, sizeof(exts));
500
501#define SET_OID(x, oid) \
502 do { \
503 x.len = MBEDTLS_OID_SIZE(oid); \
504 x.p = (unsigned char *) oid; \
505 x.tag = MBEDTLS_ASN1_OID; \
506 } \
507 while (0)
508
509 if (strcmp(ext_key_usage, "serverAuth") == 0) {
510 SET_OID(exts[0].buf, MBEDTLS_OID_SERVER_AUTH);
511 } else if (strcmp(ext_key_usage, "codeSigning,timeStamping") == 0) {
512 SET_OID(exts[0].buf, MBEDTLS_OID_CODE_SIGNING);
513 exts[0].next = &exts[1];
514 SET_OID(exts[1].buf, MBEDTLS_OID_TIME_STAMPING);
515 }
516 TEST_ASSERT(mbedtls_x509write_crt_set_ext_key_usage(&crt, exts) == 0);
517 }
518 }
519
520 if (set_subjectAltNames) {
521 TEST_ASSERT(mbedtls_x509write_crt_set_subject_alternative_name(&crt, san_list) == 0);
522 }
523 ret = mbedtls_x509write_crt_pem(&crt, buf, sizeof(buf),
524 mbedtls_test_rnd_pseudo_rand, &rnd_info);
525 TEST_ASSERT(ret == 0);
526
527 pem_len = strlen((char *) buf);
528
529 // check that the rest of the buffer remains clear
530 for (buf_index = pem_len; buf_index < sizeof(buf); ++buf_index) {
531 TEST_ASSERT(buf[buf_index] == 0);
532 }
533
534 if (issuer_key_type != MBEDTLS_PK_RSA) {
535 mbedtls_x509_crt crt_parse, trusted;
536 uint32_t flags;
537
538 mbedtls_x509_crt_init(&crt_parse);
539 mbedtls_x509_crt_init(&trusted);
540
541 TEST_ASSERT(mbedtls_x509_crt_parse_file(&trusted,
542 cert_verify_file) == 0);
543 TEST_ASSERT(mbedtls_x509_crt_parse(&crt_parse,
544 buf, sizeof(buf)) == 0);
545
546 ret = mbedtls_x509_crt_verify(&crt_parse, &trusted, NULL, NULL, &flags,
547 NULL, NULL);
548
549 mbedtls_x509_crt_free(&crt_parse);
550 mbedtls_x509_crt_free(&trusted);
551
552 TEST_EQUAL(flags, 0);
553 TEST_EQUAL(ret, 0);
554 } else if (*cert_check_file != '\0') {
555 f = fopen(cert_check_file, "r");
556 TEST_ASSERT(f != NULL);
557 olen = fread(check_buf, 1, sizeof(check_buf), f);
558 fclose(f);
559 TEST_ASSERT(olen < sizeof(check_buf));
560
561 TEST_EQUAL(olen, pem_len);
562 TEST_ASSERT(olen >= pem_len - 1);
563 TEST_ASSERT(memcmp(buf, check_buf, pem_len - 1) == 0);
564 }
565
566 der_len = mbedtls_x509write_crt_der(&crt, buf, sizeof(buf),
567 mbedtls_test_rnd_pseudo_rand,
568 &rnd_info);
569 TEST_ASSERT(der_len >= 0);
570
571 if (der_len == 0) {
572 goto exit;
573 }
574
575 // Not testing against file, check date format
576 if (*cert_check_file == '\0') {
577 // UTC tag if before 2050, 2 digits less for year
578 if (not_before[0] == '2' && (not_before[1] > '0' || not_before[2] > '4')) {
579 before_tag = MBEDTLS_ASN1_GENERALIZED_TIME;
580 } else {
581 before_tag = MBEDTLS_ASN1_UTC_TIME;
582 not_before += 2;
583 }
584 if (not_after[0] == '2' && (not_after[1] > '0' || not_after[2] > '4')) {
585 after_tag = MBEDTLS_ASN1_GENERALIZED_TIME;
586 } else {
587 after_tag = MBEDTLS_ASN1_UTC_TIME;
588 not_after += 2;
589 }
590 end = buf + sizeof(buf);
591 for (p = end - der_len; p < end;) {
592 tag = *p++;
593 sz = *p++;
594 if (tag == MBEDTLS_ASN1_UTC_TIME || tag == MBEDTLS_ASN1_GENERALIZED_TIME) {
595 // Check correct tag and time written
596 TEST_ASSERT(before_tag == tag);
597 TEST_ASSERT(memcmp(p, not_before, sz - 1) == 0);
598 p += sz;
599 tag = *p++;
600 sz = *p++;
601 TEST_ASSERT(after_tag == tag);
602 TEST_ASSERT(memcmp(p, not_after, sz - 1) == 0);
603 break;
604 }
605 // Increment if long form ASN1 length
606 if (sz & 0x80) {
607 p += sz & 0x0F;
608 }
609 if (tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
610 p += sz;
611 }
612 }
613 TEST_ASSERT(p < end);
614 }
615
616#if defined(MBEDTLS_USE_PSA_CRYPTO)
617 // When using PSA crypto, RNG isn't controllable, result length isn't
618 // deterministic over multiple runs, removing a single byte isn't enough to
619 // go into the MBEDTLS_ERR_ASN1_BUF_TOO_SMALL error case
620 if (issuer_key_type != MBEDTLS_PK_RSA) {
621 der_len /= 2;
622 } else
623#endif
624 der_len -= 1;
625
626 ret = mbedtls_x509write_crt_der(&crt, buf, (size_t) (der_len),
627 mbedtls_test_rnd_pseudo_rand, &rnd_info);
628 TEST_ASSERT(ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL);
629
630exit:
631 mbedtls_asn1_free_named_data_list(&ext_san_dirname);
632 mbedtls_x509write_crt_free(&crt);
633 mbedtls_pk_free(&issuer_key_alt);
634 mbedtls_pk_free(&subject_key);
635 mbedtls_pk_free(&issuer_key);
636#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C)
637 mbedtls_mpi_free(&serial_mpi);
638#endif
639#if defined(MBEDTLS_USE_PSA_CRYPTO)
640 psa_destroy_key(key_id);
641#endif
642 MD_OR_USE_PSA_DONE();
643}
644/* END_CASE */
645
646/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_WRITE_C */
647void x509_set_serial_check()
648{
649 mbedtls_x509write_cert ctx;
650 uint8_t invalid_serial[MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN + 1];
651
652#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C)
653 mbedtls_mpi serial_mpi;
654 mbedtls_mpi_init(&serial_mpi);
655#endif
656
657 USE_PSA_INIT();
658 memset(invalid_serial, 0x01, sizeof(invalid_serial));
659
660#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C)
661 TEST_EQUAL(mbedtls_mpi_read_binary(&serial_mpi, invalid_serial,
662 sizeof(invalid_serial)), 0);
663 TEST_EQUAL(mbedtls_x509write_crt_set_serial(&ctx, &serial_mpi),
664 MBEDTLS_ERR_X509_BAD_INPUT_DATA);
665#endif
666
667 TEST_EQUAL(mbedtls_x509write_crt_set_serial_raw(&ctx, invalid_serial,
668 sizeof(invalid_serial)),
669 MBEDTLS_ERR_X509_BAD_INPUT_DATA);
670
671exit:
672#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C)
673 mbedtls_mpi_free(&serial_mpi);
674#else
675 ;
676#endif
677 USE_PSA_DONE();
678}
679/* END_CASE */
680
681/* BEGIN_CASE depends_on:MBEDTLS_X509_CREATE_C:MBEDTLS_X509_USE_C */
682void mbedtls_x509_string_to_names(char *name, char *parsed_name,
683 int result, int may_fail)
684{
685 int ret;
686 size_t len = 0;
687 mbedtls_asn1_named_data *names = NULL;
688 mbedtls_x509_name parsed;
689 memset(&parsed, 0, sizeof(parsed));
690 mbedtls_x509_name *parsed_cur = NULL;
691 mbedtls_x509_name *parsed_prv = NULL;
692 unsigned char buf[1024] = { 0 };
693 unsigned char out[1024] = { 0 };
694 unsigned char *c = buf + sizeof(buf);
695
696 USE_PSA_INIT();
697
698 ret = mbedtls_x509_string_to_names(&names, name);
699 TEST_EQUAL(ret, result);
700
701 if (ret != 0) {
702 goto exit;
703 }
704
705 ret = mbedtls_x509_write_names(&c, buf, names);
706 TEST_LE_S(1, ret);
707
708 TEST_EQUAL(mbedtls_asn1_get_tag(&c, buf + sizeof(buf), &len,
709 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE), 0);
710 ret = mbedtls_x509_get_name(&c, buf + sizeof(buf), &parsed);
711 if ((may_fail & MAY_FAIL_GET_NAME) && ret < 0) {
712 /* Validation inconsistency between mbedtls_x509_string_to_names() and
713 * mbedtls_x509_get_name(). Accept it for now. */
714 goto exit;
715 }
716 TEST_EQUAL(ret, 0);
717
718 ret = mbedtls_x509_dn_gets((char *) out, sizeof(out), &parsed);
719 if ((may_fail & MAY_FAIL_DN_GETS) && ret < 0) {
720 /* Validation inconsistency between mbedtls_x509_string_to_names() and
721 * mbedtls_x509_dn_gets(). Accept it for now. */
722 goto exit;
723 }
724 TEST_LE_S(1, ret);
725 TEST_ASSERT(strcmp((char *) out, parsed_name) == 0);
726
727exit:
728 mbedtls_asn1_free_named_data_list(&names);
729
730 parsed_cur = parsed.next;
731 while (parsed_cur != 0) {
732 parsed_prv = parsed_cur;
733 parsed_cur = parsed_cur->next;
734 mbedtls_free(parsed_prv);
735 }
736 USE_PSA_DONE();
737}
738/* END_CASE */
739
740/* BEGIN_CASE depends_on:MBEDTLS_X509_CSR_WRITE_C */
741void x509_set_extension_length_check()
742{
743 int ret = 0;
744
745 mbedtls_x509write_csr ctx;
746 mbedtls_x509write_csr_init(&ctx);
747
748 unsigned char buf[EXT_KEY_USAGE_TMP_BUF_MAX_LENGTH] = { 0 };
749 unsigned char *p = buf + sizeof(buf);
750
751 ret = mbedtls_x509_set_extension(&(ctx.MBEDTLS_PRIVATE(extensions)),
752 MBEDTLS_OID_EXTENDED_KEY_USAGE,
753 MBEDTLS_OID_SIZE(MBEDTLS_OID_EXTENDED_KEY_USAGE),
754 0,
755 p,
756 SIZE_MAX);
757 TEST_ASSERT(MBEDTLS_ERR_X509_BAD_INPUT_DATA == ret);
758}
759/* END_CASE */