commit ecff9e989171d59463ed4d508f8752d0f0fd2f9a
author Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Thu Jun 29 09:48:08 2017 +0200
committer Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Mon Mar 05 13:44:22 2018 +0100
tree ad2c82dccb49c7a6e881912cd9d67c1a318095ee
parent 9c9a2286a3dd7a7e991256952a29d20294d5af3c

Add test for CA forgery attempt

As we accept EE certs that are explicitly trusted (in the list of trusted
roots) and usually look for parent by subject, and in the future we might want
to avoid checking the self-signature on trusted certs, there could a risk that we
incorrectly accept a cert that looks like a trusted root except it doesn't
have the same key. This test ensures this will never happen.

tests/data_files/Makefile

diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index d7a57a9..07998bd 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -99,6 +99,13 @@
 	$(FAKETIME) -f -3653d $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/OU=testsuite/CN=localhost" -days 3653 -sha256 -key $< -out $@
 all_final += server5-ss-expired.crt
 
+# try to forge a copy of test-int-ca3 with different key
+server5-ss-forgeca.crt: server5.key
+	$(FAKETIME) '2015-09-01 14:08:43' $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/CN=mbed TLS Test intermediate CA 3" -set_serial 77 -config $(test_ca_config_file) -extensions noext_ca -days 3650 -sha256 -key $< -out $@
+all_final += server5-ss-forgeca.crt
+
+
+
 
 ################################################################
 #### Generate various RSA keys

tests/data_files/server5-ss-forgeca.crt

diff --git a/tests/data_files/server5-ss-forgeca.crt b/tests/data_files/server5-ss-forgeca.crt
new file mode 100644
index 0000000..bfd7b70
--- /dev/null
+++ b/tests/data_files/server5-ss-forgeca.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBlDCCATmgAwIBAgIBTTAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxKDAmBgNVBAMMH21iZWQgVExTIFRlc3QgaW50ZXJtZWRp
+YXRlIENBIDMwHhcNMTUwOTAxMTIwODQzWhcNMjUwODI5MTIwODQzWjBKMQswCQYD
+VQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMxKDAmBgNVBAMMH21iZWQgVExTIFRl
+c3QgaW50ZXJtZWRpYXRlIENBIDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ3
+zFbZdgkeWnI+x1kt/yBu7nz5BpF00K0UtfdoIllikk7lANgjEf/qL9I0XV0WvYqI
+wmt3DVXNiioO+gHItO3/oxAwDjAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0kA
+MEYCIQDF5pY54AUMNbhy3jk+8sdgsZS6bmeH/QI4D0I6UiIhXQIhAO7Y8V7Z8bx2
+gZyyk/wZpswb53ZaIP2XsJiJ/CPMCCVq
+-----END CERTIFICATE-----

tests/data_files/test-ca.opensslconf

diff --git a/tests/data_files/test-ca.opensslconf b/tests/data_files/test-ca.opensslconf
index 12835df..343d75e 100644
--- a/tests/data_files/test-ca.opensslconf
+++ b/tests/data_files/test-ca.opensslconf
@@ -11,3 +11,6 @@
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
 basicConstraints = CA:true
+
+[noext_ca]
+basicConstraints = CA:true