Add tests for mbedtls_set_hs_ca_chain()
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 12d4f1f..6ac2406 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -1941,6 +1941,19 @@
else if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
+ {
+ char vrfy_buf[512];
+ uint32_t flags = mbedtls_ssl_get_verify_result( &ssl );
+
+ mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
+
+ mbedtls_printf( "%s\n", vrfy_buf );
+ }
+#endif
+
goto reset;
}
else /* ret == 0 */
diff --git a/tests/data_files/Readme-x509.txt b/tests/data_files/Readme-x509.txt
index 2077f3a..b68ae51 100644
--- a/tests/data_files/Readme-x509.txt
+++ b/tests/data_files/Readme-x509.txt
@@ -72,7 +72,7 @@
Signing CA in parentheses (same meaning as certificates).
-- crl-ec-sha*: (2) server6.crt
+- crl-ec-sha*.pem: (2) server6.crt
- crl-future.pem: (2) server6.crt + unknown
- crl-rsa-pss-*.pem: (1) server9{,badsign,with-ca}.crt + cert_sha384.crt + unknown
- crl.pem, crl_expired.pem: (1) server1{,.cert_type,.key_usage,.v1}.crt + unknown
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 2ea220e..f87ede5 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1597,7 +1597,7 @@
-C "skip write certificate verify" \
-S "skip parse certificate verify" \
-s "x509_verify_cert() returned" \
- -S "! The certificate is not correctly signed by the trusted CA" \
+ -s "! The certificate is not correctly signed by the trusted CA" \
-s "! mbedtls_ssl_handshake returned" \
-c "! mbedtls_ssl_handshake returned" \
-s "X509 - Certificate verification failed"
@@ -1750,49 +1750,49 @@
"$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key" \
"$P_CLI server_name=localhost" \
- 0 \
- -S "parse ServerName extension" \
- -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
- -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
+ 0 \
+ -S "parse ServerName extension" \
+ -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
+ -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
run_test "SNI: matching cert 1" \
"$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
"$P_CLI server_name=localhost" \
- 0 \
- -s "parse ServerName extension" \
- -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
- -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
+ 0 \
+ -s "parse ServerName extension" \
+ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
+ -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
run_test "SNI: matching cert 2" \
"$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
"$P_CLI server_name=polarssl.example" \
- 0 \
- -s "parse ServerName extension" \
- -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
- -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
+ 0 \
+ -s "parse ServerName extension" \
+ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
+ -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
run_test "SNI: no matching cert" \
"$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
"$P_CLI server_name=nonesuch.example" \
- 1 \
- -s "parse ServerName extension" \
- -s "ssl_sni_wrapper() returned" \
- -s "mbedtls_ssl_handshake returned" \
- -c "mbedtls_ssl_handshake returned" \
- -c "SSL - A fatal alert message was received from our peer"
+ 1 \
+ -s "parse ServerName extension" \
+ -s "ssl_sni_wrapper() returned" \
+ -s "mbedtls_ssl_handshake returned" \
+ -c "mbedtls_ssl_handshake returned" \
+ -c "SSL - A fatal alert message was received from our peer"
run_test "SNI: client auth no override: optional" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
"$P_CLI debug_level=3 server_name=localhost" \
- 0 \
+ 0 \
-S "skip write certificate request" \
-C "skip parse certificate request" \
-c "got a certificate request" \
@@ -1805,7 +1805,7 @@
crt_file=data_files/server5.crt key_file=data_files/server5.key \
sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
"$P_CLI debug_level=3 server_name=localhost" \
- 0 \
+ 0 \
-S "skip write certificate request" \
-C "skip parse certificate request" \
-c "got a certificate request" \
@@ -1818,7 +1818,7 @@
crt_file=data_files/server5.crt key_file=data_files/server5.key \
sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
"$P_CLI debug_level=3 server_name=localhost" \
- 0 \
+ 0 \
-s "skip write certificate request" \
-C "skip parse certificate request" \
-c "got no certificate request" \
@@ -1826,6 +1826,60 @@
-c "skip write certificate verify" \
-s "skip parse certificate verify"
+run_test "SNI: CA no override" \
+ "$P_SRV debug_level=3 auth_mode=optional \
+ crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ ca_file=data_files/test-ca.crt \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
+ "$P_CLI debug_level=3 server_name=localhost \
+ crt_file=data_files/server6.crt key_file=data_files/server6.key" \
+ 1 \
+ -S "skip write certificate request" \
+ -C "skip parse certificate request" \
+ -c "got a certificate request" \
+ -C "skip write certificate" \
+ -C "skip write certificate verify" \
+ -S "skip parse certificate verify" \
+ -s "x509_verify_cert() returned" \
+ -s "! The certificate is not correctly signed by the trusted CA" \
+ -S "The certificate has been revoked (is on a CRL)"
+
+run_test "SNI: CA override" \
+ "$P_SRV debug_level=3 auth_mode=optional \
+ crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ ca_file=data_files/test-ca.crt \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
+ "$P_CLI debug_level=3 server_name=localhost \
+ crt_file=data_files/server6.crt key_file=data_files/server6.key" \
+ 0 \
+ -S "skip write certificate request" \
+ -C "skip parse certificate request" \
+ -c "got a certificate request" \
+ -C "skip write certificate" \
+ -C "skip write certificate verify" \
+ -S "skip parse certificate verify" \
+ -S "x509_verify_cert() returned" \
+ -S "! The certificate is not correctly signed by the trusted CA" \
+ -S "The certificate has been revoked (is on a CRL)"
+
+run_test "SNI: CA override with CRL" \
+ "$P_SRV debug_level=3 auth_mode=optional \
+ crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ ca_file=data_files/test-ca.crt \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
+ "$P_CLI debug_level=3 server_name=localhost \
+ crt_file=data_files/server6.crt key_file=data_files/server6.key" \
+ 1 \
+ -S "skip write certificate request" \
+ -C "skip parse certificate request" \
+ -c "got a certificate request" \
+ -C "skip write certificate" \
+ -C "skip write certificate verify" \
+ -S "skip parse certificate verify" \
+ -s "x509_verify_cert() returned" \
+ -S "! The certificate is not correctly signed by the trusted CA" \
+ -s "The certificate has been revoked (is on a CRL)"
+
# Tests for non-blocking I/O: exercise a variety of handshake flows
run_test "Non-blocking I/O: basic handshake" \