Merge pull request #10166 from gilles-peskine-arm/oid-split-restore-x509
Restore the OID module for use in X.509
diff --git a/include/mbedtls/x509_crl.h b/include/mbedtls/x509_crl.h
index e08767e..e59d165 100644
--- a/include/mbedtls/x509_crl.h
+++ b/include/mbedtls/x509_crl.h
@@ -83,7 +83,6 @@
mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
- void *MBEDTLS_PRIVATE(sig_opts); /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
/** Next element in the linked list of CRL.
* \p NULL indicates the end of the list.
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 9817d35..8a220cd 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -82,7 +82,6 @@
mbedtls_x509_buf MBEDTLS_PRIVATE(sig); /**< Signature: hash of the tbs part signed with the private key. */
mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
- void *MBEDTLS_PRIVATE(sig_opts); /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
/** Next certificate in the linked list that constitutes the CA chain.
* \p NULL indicates the end of the list.
diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h
index f9eb04d..bed1c95 100644
--- a/include/mbedtls/x509_csr.h
+++ b/include/mbedtls/x509_csr.h
@@ -56,7 +56,6 @@
mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
- void *MBEDTLS_PRIVATE(sig_opts); /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
}
mbedtls_x509_csr;
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index df7dfbf..114c32a 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -2100,15 +2100,7 @@
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
- mbedtls_pk_rsassa_pss_options rsassa_pss_options;
- rsassa_pss_options.mgf1_hash_id = md_alg;
- rsassa_pss_options.expected_salt_len =
- mbedtls_md_get_size_from_type(md_alg);
- if (rsassa_pss_options.expected_salt_len == 0) {
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- ret = mbedtls_pk_verify_ext(pk_alg, &rsassa_pss_options,
+ ret = mbedtls_pk_verify_ext(pk_alg, NULL,
peer_pk,
md_alg, hash, hashlen,
p, sig_len);
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index deba2ae..70175e0 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -227,11 +227,6 @@
unsigned char verify_hash[PSA_HASH_MAX_SIZE];
size_t verify_hash_len;
- void const *options = NULL;
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
- mbedtls_pk_rsassa_pss_options rsassa_pss_options;
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
-
/*
* struct {
* SignatureScheme algorithm;
@@ -304,16 +299,8 @@
}
MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len);
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
- if (sig_alg == MBEDTLS_PK_RSASSA_PSS) {
- rsassa_pss_options.mgf1_hash_id = md_alg;
- rsassa_pss_options.expected_salt_len = PSA_HASH_LENGTH(hash_alg);
- options = (const void *) &rsassa_pss_options;
- }
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
-
- if ((ret = mbedtls_pk_verify_ext(sig_alg, options,
+ if ((ret = mbedtls_pk_verify_ext(sig_alg, NULL,
&ssl->session_negotiate->peer_cert->pk,
md_alg, verify_hash, verify_hash_len,
p, signature_len)) == 0) {
diff --git a/library/x509.c b/library/x509.c
index 0571687..9fc6389 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -715,38 +715,30 @@
* Get signature algorithm from alg OID and optional parameters
*/
int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
- mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
- void **sig_opts)
+ mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- if (*sig_opts != NULL) {
- return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
- }
-
if ((ret = mbedtls_oid_get_sig_alg(sig_oid, md_alg, pk_alg)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG, ret);
}
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
if (*pk_alg == MBEDTLS_PK_RSASSA_PSS) {
- mbedtls_pk_rsassa_pss_options *pss_opts;
-
- pss_opts = mbedtls_calloc(1, sizeof(mbedtls_pk_rsassa_pss_options));
- if (pss_opts == NULL) {
- return MBEDTLS_ERR_X509_ALLOC_FAILED;
- }
+ mbedtls_md_type_t mgf1_hash_id;
+ int expected_salt_len;
ret = mbedtls_x509_get_rsassa_pss_params(sig_params,
md_alg,
- &pss_opts->mgf1_hash_id,
- &pss_opts->expected_salt_len);
+ &mgf1_hash_id,
+ &expected_salt_len);
if (ret != 0) {
- mbedtls_free(pss_opts);
return ret;
}
-
- *sig_opts = (void *) pss_opts;
+ /* Ensure MGF1 hash alg is the same as the one used to hash the message. */
+ if (mgf1_hash_id != *md_alg) {
+ return MBEDTLS_ERR_X509_INVALID_ALG;
+ }
} else
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
{
@@ -1045,8 +1037,7 @@
* Helper for writing signature algorithms
*/
int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
- mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
- const void *sig_opts)
+ mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
char *p = buf;
@@ -1063,23 +1054,17 @@
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
- const mbedtls_pk_rsassa_pss_options *pss_opts;
-
- pss_opts = (const mbedtls_pk_rsassa_pss_options *) sig_opts;
-
const char *name = md_type_to_string(md_alg);
- const char *mgf_name = md_type_to_string(pss_opts->mgf1_hash_id);
-
- ret = mbedtls_snprintf(p, n, " (%s, MGF1-%s, 0x%02X)",
- name ? name : "???",
- mgf_name ? mgf_name : "???",
- (unsigned int) pss_opts->expected_salt_len);
+ if (name != NULL) {
+ ret = mbedtls_snprintf(p, n, " (%s)", name);
+ } else {
+ ret = mbedtls_snprintf(p, n, " (?)");
+ }
MBEDTLS_X509_SAFE_SNPRINTF;
}
#else
((void) pk_alg);
((void) md_alg);
- ((void) sig_opts);
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
return (int) (size - n);
diff --git a/library/x509_crl.c b/library/x509_crl.c
index bc4fdbb..0b98ba4 100644
--- a/library/x509_crl.c
+++ b/library/x509_crl.c
@@ -389,8 +389,7 @@
crl->version++;
if ((ret = mbedtls_x509_get_sig_alg(&crl->sig_oid, &sig_params1,
- &crl->sig_md, &crl->sig_pk,
- &crl->sig_opts)) != 0) {
+ &crl->sig_md, &crl->sig_pk)) != 0) {
mbedtls_x509_crl_free(crl);
return MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG;
}
@@ -646,8 +645,7 @@
ret = mbedtls_snprintf(p, n, "\n%ssigned using : ", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
- ret = mbedtls_x509_sig_alg_gets(p, n, &crl->sig_oid, crl->sig_pk, crl->sig_md,
- crl->sig_opts);
+ ret = mbedtls_x509_sig_alg_gets(p, n, &crl->sig_oid, crl->sig_pk, crl->sig_md);
MBEDTLS_X509_SAFE_SNPRINTF;
ret = mbedtls_snprintf(p, n, "\n");
@@ -676,10 +674,6 @@
mbedtls_x509_crl_entry *entry_prv;
while (crl_cur != NULL) {
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
- mbedtls_free(crl_cur->sig_opts);
-#endif
-
mbedtls_asn1_free_named_data_list_shallow(crl_cur->issuer.next);
entry_cur = crl_cur->entry.next;
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 5d26ebb..faea404 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1163,8 +1163,7 @@
crt->version++;
if ((ret = mbedtls_x509_get_sig_alg(&crt->sig_oid, &sig_params1,
- &crt->sig_md, &crt->sig_pk,
- &crt->sig_opts)) != 0) {
+ &crt->sig_md, &crt->sig_pk)) != 0) {
mbedtls_x509_crt_free(crt);
return ret;
}
@@ -1800,8 +1799,7 @@
ret = mbedtls_snprintf(p, n, "\n%ssigned using : ", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
- ret = mbedtls_x509_sig_alg_gets(p, n, &crt->sig_oid, crt->sig_pk,
- crt->sig_md, crt->sig_opts);
+ ret = mbedtls_x509_sig_alg_gets(p, n, &crt->sig_oid, crt->sig_pk, crt->sig_md);
MBEDTLS_X509_SAFE_SNPRINTF;
/* Key size */
@@ -2061,7 +2059,7 @@
flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
}
- if (mbedtls_pk_verify_ext(crl_list->sig_pk, crl_list->sig_opts, &ca->pk,
+ if (mbedtls_pk_verify_ext(crl_list->sig_pk, NULL, &ca->pk,
crl_list->sig_md, hash, hash_length,
crl_list->sig.p, crl_list->sig.len) != 0) {
flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
@@ -2135,7 +2133,7 @@
(void) rs_ctx;
#endif
- return mbedtls_pk_verify_ext(child->sig_pk, child->sig_opts, &parent->pk,
+ return mbedtls_pk_verify_ext(child->sig_pk, NULL, &parent->pk,
child->sig_md, hash, hash_len,
child->sig.p, child->sig.len);
}
@@ -3203,10 +3201,6 @@
while (cert_cur != NULL) {
mbedtls_pk_free(&cert_cur->pk);
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
- mbedtls_free(cert_cur->sig_opts);
-#endif
-
mbedtls_asn1_free_named_data_list_shallow(cert_cur->issuer.next);
mbedtls_asn1_free_named_data_list_shallow(cert_cur->subject.next);
mbedtls_asn1_sequence_free(cert_cur->ext_key_usage.next);
diff --git a/library/x509_csr.c b/library/x509_csr.c
index 8e5fdb6..2e43564 100644
--- a/library/x509_csr.c
+++ b/library/x509_csr.c
@@ -407,8 +407,7 @@
}
if ((ret = mbedtls_x509_get_sig_alg(&csr->sig_oid, &sig_params,
- &csr->sig_md, &csr->sig_pk,
- &csr->sig_opts)) != 0) {
+ &csr->sig_md, &csr->sig_pk)) != 0) {
mbedtls_x509_csr_free(csr);
return MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG;
}
@@ -547,8 +546,7 @@
ret = mbedtls_snprintf(p, n, "\n%ssigned using : ", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
- ret = mbedtls_x509_sig_alg_gets(p, n, &csr->sig_oid, csr->sig_pk, csr->sig_md,
- csr->sig_opts);
+ ret = mbedtls_x509_sig_alg_gets(p, n, &csr->sig_oid, csr->sig_pk, csr->sig_md);
MBEDTLS_X509_SAFE_SNPRINTF;
if ((ret = mbedtls_x509_key_size_helper(key_size_str, MBEDTLS_BEFORE_COLON,
@@ -621,10 +619,6 @@
mbedtls_pk_free(&csr->pk);
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
- mbedtls_free(csr->sig_opts);
-#endif
-
mbedtls_asn1_free_named_data_list_shallow(csr->subject.next);
mbedtls_asn1_sequence_free(csr->subject_alt_names.next);
diff --git a/library/x509_internal.h b/library/x509_internal.h
index 36cbc65..9360471 100644
--- a/library/x509_internal.h
+++ b/library/x509_internal.h
@@ -35,8 +35,7 @@
#endif
int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig);
int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
- mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
- void **sig_opts);
+ mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg);
int mbedtls_x509_get_time(unsigned char **p, const unsigned char *end,
mbedtls_x509_time *t);
int mbedtls_x509_get_serial(unsigned char **p, const unsigned char *end,
@@ -45,8 +44,7 @@
mbedtls_x509_buf *ext, int tag);
#if !defined(MBEDTLS_X509_REMOVE_INFO)
int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
- mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
- const void *sig_opts);
+ mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg);
#endif
int mbedtls_x509_key_size_helper(char *buf, size_t buf_size, const char *name);
int mbedtls_x509_set_extension(mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index d962f34..bbdd9f9 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -48,23 +48,23 @@
X509 CRT information RSA-PSS, SHA1 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_1
-x509_cert_info:"../framework/data_files/parse_input/server9.crt":"cert. version \: 3\nserial number \: 16\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:38\:16\nexpires on \: 2024-01-18 13\:38\:16\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0xEA)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"../framework/data_files/parse_input/server9.crt":"cert. version \: 3\nserial number \: 16\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:38\:16\nexpires on \: 2024-01-18 13\:38\:16\nsigned using \: RSASSA-PSS (SHA1)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
X509 CRT information RSA-PSS, SHA224 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_224
-x509_cert_info:"../framework/data_files/parse_input/server9-sha224.crt":"cert. version \: 3\nserial number \: 17\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:36\nexpires on \: 2024-01-18 13\:57\:36\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0xE2)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"../framework/data_files/parse_input/server9-sha224.crt":"cert. version \: 3\nserial number \: 17\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:36\nexpires on \: 2024-01-18 13\:57\:36\nsigned using \: RSASSA-PSS (SHA224)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
X509 CRT information RSA-PSS, SHA256 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_256
-x509_cert_info:"../framework/data_files/parse_input/server9-sha256.crt":"cert. version \: 3\nserial number \: 18\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:45\nexpires on \: 2024-01-18 13\:57\:45\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0xDE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"../framework/data_files/parse_input/server9-sha256.crt":"cert. version \: 3\nserial number \: 18\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:45\nexpires on \: 2024-01-18 13\:57\:45\nsigned using \: RSASSA-PSS (SHA256)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
X509 CRT information RSA-PSS, SHA384 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_384
-x509_cert_info:"../framework/data_files/parse_input/server9-sha384.crt":"cert. version \: 3\nserial number \: 19\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:58\nexpires on \: 2024-01-18 13\:57\:58\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0xCE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"../framework/data_files/parse_input/server9-sha384.crt":"cert. version \: 3\nserial number \: 19\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:58\nexpires on \: 2024-01-18 13\:57\:58\nsigned using \: RSASSA-PSS (SHA384)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
X509 CRT information RSA-PSS, SHA512 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_512
-x509_cert_info:"../framework/data_files/parse_input/server9-sha512.crt":"cert. version \: 3\nserial number \: 1A\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:58\:12\nexpires on \: 2024-01-18 13\:58\:12\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0xBE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"../framework/data_files/parse_input/server9-sha512.crt":"cert. version \: 3\nserial number \: 1A\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:58\:12\nexpires on \: 2024-01-18 13\:58\:12\nsigned using \: RSASSA-PSS (SHA512)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
X509 CRT information EC, SHA1 Digest
depends_on:MBEDTLS_PEM_PARSE_C:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_1
@@ -268,23 +268,23 @@
X509 CRL information RSA-PSS, SHA1 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_1
-mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-rsa-pss-sha1.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:46\:35\nnext update \: 2024-01-18 13\:46\:35\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0xEA)\n"
+mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-rsa-pss-sha1.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:46\:35\nnext update \: 2024-01-18 13\:46\:35\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA1)\n"
X509 CRL information RSA-PSS, SHA224 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_224
-mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-rsa-pss-sha224.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:06\nnext update \: 2024-01-18 13\:56\:06\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0xE2)\n"
+mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-rsa-pss-sha224.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:06\nnext update \: 2024-01-18 13\:56\:06\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA224)\n"
X509 CRL information RSA-PSS, SHA256 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_256
-mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-rsa-pss-sha256.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:16\nnext update \: 2024-01-18 13\:56\:16\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0xDE)\n"
+mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-rsa-pss-sha256.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:16\nnext update \: 2024-01-18 13\:56\:16\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA256)\n"
X509 CRL information RSA-PSS, SHA384 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_384
-mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-rsa-pss-sha384.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:28\nnext update \: 2024-01-18 13\:56\:28\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0xCE)\n"
+mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-rsa-pss-sha384.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:28\nnext update \: 2024-01-18 13\:56\:28\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA384)\n"
X509 CRL information RSA-PSS, SHA512 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_512
-mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-rsa-pss-sha512.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:38\nnext update \: 2024-01-18 13\:56\:38\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0xBE)\n"
+mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-rsa-pss-sha512.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:38\nnext update \: 2024-01-18 13\:56\:38\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA512)\n"
X509 CRL Information EC, SHA1 Digest
depends_on:MBEDTLS_PEM_PARSE_C:PSA_WANT_ALG_SHA_1:PSA_HAVE_ALG_SOME_ECDSA
@@ -368,23 +368,23 @@
X509 CSR Information RSA-PSS with SHA1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_1:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"../framework/data_files/parse_input/server9.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0x6A)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server9.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA1)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information RSA-PSS with SHA224
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_224:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"../framework/data_files/parse_input/server9.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0x62)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server9.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA224)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information RSA-PSS with SHA256
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_256:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"../framework/data_files/parse_input/server9.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0x5E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server9.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA256)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information RSA-PSS with SHA384
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_384:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"../framework/data_files/parse_input/server9.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0x4E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server9.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA384)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information RSA-PSS with SHA512
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_512:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"../framework/data_files/parse_input/server9.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0x3E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server9.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA512)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information RSA with SHA256 - Microsoft header
depends_on:MBEDTLS_PEM_PARSE_C:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
@@ -903,10 +903,6 @@
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_SHA_1:MBEDTLS_USE_PSA_CRYPTO
x509_verify:"../framework/data_files/server9-bad-saltlen.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL"
-X509 CRT verification #69 (RSASSA-PSS, wrong mgf_hash)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_SHA_224:PSA_WANT_ALG_SHA_1
-x509_verify:"../framework/data_files/server9-bad-mgfhash.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
-
X509 CRT verification #70 (v1 trusted CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_SHA_1
x509_verify:"../framework/data_files/server1-v1.crt":"../framework/data_files/test-ca-v1.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL"
@@ -3151,6 +3147,10 @@
depends_on:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
x509parse_crt_file:"../framework/data_files/parse_input/server5.crt":0
+X509 File parse (RSASSA-PSS, MGF1 hash alg != message hash alg)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_SHA_224:PSA_WANT_ALG_SHA_1
+x509parse_crt_file:"../framework/data_files/server9-bad-mgfhash.crt":MBEDTLS_ERR_X509_INVALID_ALG
+
X509 File parse & read the ca_istrue field (Not Set)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:PSA_WANT_ALG_SHA_1
mbedtls_x509_get_ca_istrue:"../framework/data_files/parse_input/server1.crt":0
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 107d923..f3a161c 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -37,7 +37,7 @@
goto cleanup;
}
- if (mbedtls_pk_verify_ext(csr.sig_pk, csr.sig_opts, &csr.pk,
+ if (mbedtls_pk_verify_ext(csr.sig_pk, NULL, &csr.pk,
csr.sig_md, hash, mbedtls_md_get_size_from_type(csr.sig_md),
csr.sig.p, csr.sig.len) != 0) {
ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;