Merge pull request #8728 from minosgalanakis/features/add_mbedtls_x509_crt_get_ca_istrue_accesor_6151
[MBEDTLS_PRIVATE] Add mbedtls_x509_crt_get_ca_istrue() accesor
diff --git a/ChangeLog.d/x509-add-ca_istrue.txt b/ChangeLog.d/x509-add-ca_istrue.txt
new file mode 100644
index 0000000..c950dbc
--- /dev/null
+++ b/ChangeLog.d/x509-add-ca_istrue.txt
@@ -0,0 +1,5 @@
+Features
+ * Add new accessor to expose the `MBEDTLS_PRIVATE(ca_istrue)` member of
+ `mbedtls_x509_crt` structure. This requires setting
+ the MBEDTLS_X509_EXT_BASIC_CONSTRAINTS bit in the certificate's
+ ext_types field.
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 3f1a1e7..1ce0d23 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -916,6 +916,18 @@
return ctx->MBEDTLS_PRIVATE(ext_types) & ext_type;
}
+/**
+ * \brief Access the ca_istrue field
+ *
+ * \param[in] crt Certificate to be queried, must not be \c NULL
+ *
+ * \return \c 1 if this a CA certificate \c 0 otherwise.
+ * \return MBEDTLS_ERR_X509_INVALID_EXTENSIONS if the certificate does not contain
+ * the Optional Basic Constraint extension.
+ *
+ */
+int mbedtls_x509_crt_get_ca_istrue(const mbedtls_x509_crt *crt);
+
/** \} name Structures and functions for parsing and writing X.509 certificates */
#if defined(MBEDTLS_X509_CRT_WRITE_C)
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 7f0160a..2fd56fb 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -3290,4 +3290,12 @@
}
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+int mbedtls_x509_crt_get_ca_istrue(const mbedtls_x509_crt *crt)
+{
+ if ((crt->ext_types & MBEDTLS_X509_EXT_BASIC_CONSTRAINTS) != 0) {
+ return crt->MBEDTLS_PRIVATE(ca_istrue);
+ }
+ return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
+}
+
#endif /* MBEDTLS_X509_CRT_PARSE_C */
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 2b0920d..754660c 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -3155,6 +3155,18 @@
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
x509parse_crt_file:"data_files/parse_input/server5.crt":0
+X509 File parse & read the ca_istrue field (Not Set)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1
+mbedtls_x509_get_ca_istrue:"data_files/parse_input/server1.crt":0
+
+X509 File parse & read the ca_istrue field (Set)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1
+mbedtls_x509_get_ca_istrue:"data_files/test-ca.crt":1
+
+X509 File parse & read the ca_istrue field (Legacy Certificate)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256
+mbedtls_x509_get_ca_istrue:"data_files/server1-v1.crt":MBEDTLS_ERR_X509_INVALID_EXTENSIONS
+
X509 Get time (UTC no issues)
depends_on:MBEDTLS_X509_USE_C
x509_get_time:MBEDTLS_ASN1_UTC_TIME:"500101000000Z":0:1950:1:1:0:0:0
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 66477e0..f3ae0f4 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -1083,6 +1083,21 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_FS_IO */
+void mbedtls_x509_get_ca_istrue(char *crt_file, int result)
+{
+ mbedtls_x509_crt crt;
+ mbedtls_x509_crt_init(&crt);
+ USE_PSA_INIT();
+
+ TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0);
+ TEST_EQUAL(mbedtls_x509_crt_get_ca_istrue(&crt), result);
+exit:
+ mbedtls_x509_crt_free(&crt);
+ USE_PSA_DONE();
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */
void x509parse_crt(data_t *buf, char *result_str, int result)
{