commit 4770dbc913025cfcb36fad6e2dec124455f97526
author Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Mon Jun 05 13:49:44 2017 +0200
committer Simon Butcher <simon.butcher@arm.com> Fri Jul 28 12:19:49 2017 +0100
tree 4e73516e4a2d0e7c91e58832bd72b18ff2d9b804
parent ad6cf99d6deea7b870276a5232e2c2e3483809d0

Add test for limit on intermediate certificates

Inspired by test code provided by Nicholas Wilson in PR #351.

The test will fail if someone sets MAX_INTERMEDIATE_CA to a value larger than
18 (default is 8), which is hopefully unlikely and can easily be fixed by
running long.sh again with a larger value if it ever happens.

Current behaviour is suboptimal as flags are not set, but currently the goal
is only to document/test existing behaviour.

tests/suites/test_suite_x509parse.data

diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 30620c8..d11f5e3 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -1176,6 +1176,18 @@
 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
 mbedtls_x509_crt_parse_path:"data_files/dir3":1:2
 
+X509 CRT verify long chain (max intermediate CA, trusted)
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+mbedtls_x509_crt_verify_max:"data_files/dir-maxpath/00.crt":"data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA:0:0
+
+X509 CRT verify long chain (max intermediate CA, untrusted)
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+mbedtls_x509_crt_verify_max:"data_files/test-ca2.crt":"data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA-1:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED
+
+X509 CRT verify long chain (max intermediate CA + 1)
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+mbedtls_x509_crt_verify_max:"data_files/dir-maxpath/00.crt":"data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA+1:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:0
+
 X509 CRT verify chain #1 (zero pathlen intermediate)
 depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
 mbedtls_x509_crt_verify_chain:"data_files/dir4/cert14.crt data_files/dir4/cert13.crt data_files/dir4/cert12.crt":"data_files/dir4/cert11.crt":MBEDTLS_X509_BADCERT_NOT_TRUSTED

tests/suites/test_suite_x509parse.function

diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index ef888d9..093b787 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -501,6 +501,45 @@
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
+void mbedtls_x509_crt_verify_max( char *ca_file, char *chain_dir, int nb_int,
+                                  int ret_chk, int flags_chk )
+{
+    char file_buf[128];
+    int ret;
+    uint32_t flags;
+    mbedtls_x509_crt trusted, chain;
+
+    /*
+     * We expect chain_dir to contain certificates 00.crt, 01.crt, etc.
+     * with NN.crt signed by NN-1.crt
+     */
+
+    mbedtls_x509_crt_init( &trusted );
+    mbedtls_x509_crt_init( &chain );
+
+    /* Load trusted root */
+    TEST_ASSERT( mbedtls_x509_crt_parse_file( &trusted, ca_file ) == 0 );
+
+    /* Load a chain with nb_int intermediates (from 01 to nb_int),
+     * plus one "end-entity" cert (nb_int + 1) */
+    ret = mbedtls_snprintf( file_buf, sizeof file_buf, "%s/c%02d.pem", chain_dir,
+                                                            nb_int + 1 );
+    TEST_ASSERT( ret > 0 && (size_t) ret < sizeof file_buf );
+    TEST_ASSERT( mbedtls_x509_crt_parse_file( &chain, file_buf ) == 0 );
+
+    /* Try to verify that chain */
+    ret = mbedtls_x509_crt_verify( &chain, &trusted, NULL, NULL, &flags,
+                                   NULL, NULL );
+    TEST_ASSERT( ret == ret_chk );
+    TEST_ASSERT( flags == (uint32_t) flags_chk );
+
+exit:
+    mbedtls_x509_crt_free( &chain );
+    mbedtls_x509_crt_free( &trusted );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
 void mbedtls_x509_crt_verify_chain(  char *chain_paths, char *trusted_ca, int flags_result )
 {
     char* act;