TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 43aa905d1e0c5c3e8fbec98adc496bcd7d46b51f / . / tests / suites / test_suite_x509write.function
blob: e15802ff11aefbe9c490dd809b791b92acd94d52 [file] [log] [blame]
Gilles Peskine7dc97042020-02-26 19:48:43 +0100[diff] [blame]1/* BEGIN_HEADER */
2#include "mbedtls/bignum.h"
3#include "mbedtls/x509_crt.h"
4#include "mbedtls/x509_csr.h"
5#include "mbedtls/pem.h"
6#include "mbedtls/oid.h"
7#include "mbedtls/rsa.h"
8#if defined(MBEDTLS_USE_PSA_CRYPTO)
9#include "psa/crypto.h"
10#include "mbedtls/psa_util.h"
11#endif
12
13
14#if defined(MBEDTLS_RSA_C)
15int mbedtls_rsa_decrypt_func( void *ctx, int mode, size_t *olen,
16 const unsigned char *input, unsigned char *output,
17 size_t output_max_len )
18{
19 return( mbedtls_rsa_pkcs1_decrypt( (mbedtls_rsa_context *) ctx, NULL, NULL, mode, olen,
20 input, output, output_max_len ) );
21}
22int mbedtls_rsa_sign_func( void *ctx,
23 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
24 int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
25 const unsigned char *hash, unsigned char *sig )
26{
27 return( mbedtls_rsa_pkcs1_sign( (mbedtls_rsa_context *) ctx, f_rng, p_rng, mode,
28 md_alg, hashlen, hash, sig ) );
29}
30size_t mbedtls_rsa_key_len_func( void *ctx )
31{
32 return( ((const mbedtls_rsa_context *) ctx)->len );
33}
34#endif /* MBEDTLS_RSA_C */
35
36#if defined(MBEDTLS_USE_PSA_CRYPTO)
37static int x509_crt_verifycsr( const unsigned char *buf, size_t buflen )
38{
39 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
40 const mbedtls_md_info_t *md_info;
41 mbedtls_x509_csr csr;
42
43 if( mbedtls_x509_csr_parse( &csr, buf, buflen ) != 0 )
44 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
45
46 md_info = mbedtls_md_info_from_type( csr.sig_md );
47 if( mbedtls_md( md_info, csr.cri.p, csr.cri.len, hash ) != 0 )
48 {
49 /* Note: this can't happen except after an internal error */
50 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
51 }
52
53 if( mbedtls_pk_verify_ext( csr.sig_pk, csr.sig_opts, &csr.pk,
54 csr.sig_md, hash, mbedtls_md_get_size( md_info ),
55 csr.sig.p, csr.sig.len ) != 0 )
56 {
57 return( MBEDTLS_ERR_X509_CERT_VERIFY_FAILED );
58 }
59
60 return( 0 );
61}
62#endif /* MBEDTLS_USE_PSA_CRYPTO */
63
64/* END_HEADER */
65
66/* BEGIN_DEPENDENCIES
67 * depends_on:MBEDTLS_BIGNUM_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C
68 * END_DEPENDENCIES
69 */
70
71/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C */
72void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type,
73 int key_usage, int set_key_usage, int cert_type,
74 int set_cert_type )
75{
76 mbedtls_pk_context key;
77 mbedtls_x509write_csr req;
78 unsigned char buf[4096];
79 unsigned char check_buf[4000];
80 int ret;
81 size_t olen = 0, pem_len = 0;
82 int der_len = -1;
83 FILE *f;
84 const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1";
85 rnd_pseudo_info rnd_info;
86
87 memset( &rnd_info, 0x2a, sizeof( rnd_pseudo_info ) );
88
89 mbedtls_pk_init( &key );
90 TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL ) == 0 );
91
92 mbedtls_x509write_csr_init( &req );
93 mbedtls_x509write_csr_set_md_alg( &req, md_type );
94 mbedtls_x509write_csr_set_key( &req, &key );
95 TEST_ASSERT( mbedtls_x509write_csr_set_subject_name( &req, subject_name ) == 0 );
96 if( set_key_usage != 0 )
97 TEST_ASSERT( mbedtls_x509write_csr_set_key_usage( &req, key_usage ) == 0 );
98 if( set_cert_type != 0 )
99 TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 );
100
101 ret = mbedtls_x509write_csr_pem( &req, buf, sizeof( buf ),
102 rnd_pseudo_rand, &rnd_info );
103 TEST_ASSERT( ret == 0 );
104
105 pem_len = strlen( (char *) buf );
106
107 f = fopen( cert_req_check_file, "r" );
108 TEST_ASSERT( f != NULL );
109 olen = fread( check_buf, 1, sizeof( check_buf ), f );
110 fclose( f );
111
112 TEST_ASSERT( olen >= pem_len - 1 );
113 TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 );
114
115 der_len = mbedtls_x509write_csr_der( &req, buf, sizeof( buf ),
116 rnd_pseudo_rand, &rnd_info );
117 TEST_ASSERT( der_len >= 0 );
118
119 if( der_len == 0 )
120 goto exit;
121
122 ret = mbedtls_x509write_csr_der( &req, buf, (size_t)( der_len - 1 ),
123 rnd_pseudo_rand, &rnd_info );
124 TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
125
126exit:
127 mbedtls_x509write_csr_free( &req );
128 mbedtls_pk_free( &key );
129}
130/* END_CASE */
131
132/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C:MBEDTLS_USE_PSA_CRYPTO */
133void x509_csr_check_opaque( char *key_file, int md_type, int key_usage,
134 int cert_type )
135{
136 mbedtls_pk_context key;
137 psa_key_handle_t slot;
138 psa_algorithm_t md_alg_psa;
139 mbedtls_x509write_csr req;
140 unsigned char buf[4096];
141 int ret;
142 size_t pem_len = 0;
143 const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1";
144 rnd_pseudo_info rnd_info;
145
146 psa_crypto_init();
147 memset( &rnd_info, 0x2a, sizeof( rnd_pseudo_info ) );
148
149 md_alg_psa = mbedtls_psa_translate_md( (mbedtls_md_type_t) md_type );
150 TEST_ASSERT( md_alg_psa != MBEDTLS_MD_NONE );
151
152 mbedtls_pk_init( &key );
153 TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL ) == 0 );
154 TEST_ASSERT( mbedtls_pk_wrap_as_opaque( &key, &slot, md_alg_psa ) == 0 );
155
156 mbedtls_x509write_csr_init( &req );
157 mbedtls_x509write_csr_set_md_alg( &req, md_type );
158 mbedtls_x509write_csr_set_key( &req, &key );
159 TEST_ASSERT( mbedtls_x509write_csr_set_subject_name( &req, subject_name ) == 0 );
160 if( key_usage != 0 )
161 TEST_ASSERT( mbedtls_x509write_csr_set_key_usage( &req, key_usage ) == 0 );
162 if( cert_type != 0 )
163 TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 );
164
165 ret = mbedtls_x509write_csr_pem( &req, buf, sizeof( buf ) - 1,
166 rnd_pseudo_rand, &rnd_info );
167 TEST_ASSERT( ret == 0 );
168
169 pem_len = strlen( (char *) buf );
170 buf[pem_len] = '\0';
171 TEST_ASSERT( x509_crt_verifycsr( buf, pem_len + 1 ) == 0 );
172
173exit:
174 mbedtls_x509write_csr_free( &req );
175 mbedtls_pk_free( &key );
176}
177/* END_CASE */
178
179/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CRT_WRITE_C:MBEDTLS_SHA1_C */
180void x509_crt_check( char *subject_key_file, char *subject_pwd,
181 char *subject_name, char *issuer_key_file,
182 char *issuer_pwd, char *issuer_name,
183 char *serial_str, char *not_before, char *not_after,
184 int md_type, int key_usage, int set_key_usage,
185 int cert_type, int set_cert_type, int auth_ident,
186 int ver, char *cert_check_file, int rsa_alt )
187{
188 mbedtls_pk_context subject_key, issuer_key, issuer_key_alt;
189 mbedtls_pk_context *key = &issuer_key;
190
191 mbedtls_x509write_cert crt;
192 unsigned char buf[4096];
193 unsigned char check_buf[5000];
194 mbedtls_mpi serial;
195 int ret;
196 size_t olen = 0, pem_len = 0;
197 int der_len = -1;
198 FILE *f;
199 rnd_pseudo_info rnd_info;
200
201 memset( &rnd_info, 0x2a, sizeof( rnd_pseudo_info ) );
202 mbedtls_mpi_init( &serial );
203
204 mbedtls_pk_init( &subject_key );
205 mbedtls_pk_init( &issuer_key );
206 mbedtls_pk_init( &issuer_key_alt );
207
208 mbedtls_x509write_crt_init( &crt );
209
210 TEST_ASSERT( mbedtls_pk_parse_keyfile( &subject_key, subject_key_file,
211 subject_pwd ) == 0 );
212
213 TEST_ASSERT( mbedtls_pk_parse_keyfile( &issuer_key, issuer_key_file,
214 issuer_pwd ) == 0 );
215
216#if defined(MBEDTLS_RSA_C)
217 /* For RSA PK contexts, create a copy as an alternative RSA context. */
218 if( rsa_alt == 1 && mbedtls_pk_get_type( &issuer_key ) == MBEDTLS_PK_RSA )
219 {
220 TEST_ASSERT( mbedtls_pk_setup_rsa_alt( &issuer_key_alt,
221 mbedtls_pk_rsa( issuer_key ),
222 mbedtls_rsa_decrypt_func,
223 mbedtls_rsa_sign_func,
224 mbedtls_rsa_key_len_func ) == 0 );
225
226 key = &issuer_key_alt;
227 }
228#else
229 (void) rsa_alt;
230#endif
231
232 TEST_ASSERT( mbedtls_mpi_read_string( &serial, 10, serial_str ) == 0 );
233
234 if( ver != -1 )
235 mbedtls_x509write_crt_set_version( &crt, ver );
236
237 TEST_ASSERT( mbedtls_x509write_crt_set_serial( &crt, &serial ) == 0 );
238 TEST_ASSERT( mbedtls_x509write_crt_set_validity( &crt, not_before,
239 not_after ) == 0 );
240 mbedtls_x509write_crt_set_md_alg( &crt, md_type );
241 TEST_ASSERT( mbedtls_x509write_crt_set_issuer_name( &crt, issuer_name ) == 0 );
242 TEST_ASSERT( mbedtls_x509write_crt_set_subject_name( &crt, subject_name ) == 0 );
243 mbedtls_x509write_crt_set_subject_key( &crt, &subject_key );
244
245 mbedtls_x509write_crt_set_issuer_key( &crt, key );
246
247 if( crt.version >= MBEDTLS_X509_CRT_VERSION_3 )
248 {
249 TEST_ASSERT( mbedtls_x509write_crt_set_basic_constraints( &crt, 0, 0 ) == 0 );
250 TEST_ASSERT( mbedtls_x509write_crt_set_subject_key_identifier( &crt ) == 0 );
251 if( auth_ident )
252 TEST_ASSERT( mbedtls_x509write_crt_set_authority_key_identifier( &crt ) == 0 );
253 if( set_key_usage != 0 )
254 TEST_ASSERT( mbedtls_x509write_crt_set_key_usage( &crt, key_usage ) == 0 );
255 if( set_cert_type != 0 )
256 TEST_ASSERT( mbedtls_x509write_crt_set_ns_cert_type( &crt, cert_type ) == 0 );
257 }
258
259 ret = mbedtls_x509write_crt_pem( &crt, buf, sizeof( buf ),
260 rnd_pseudo_rand, &rnd_info );
261 TEST_ASSERT( ret == 0 );
262
263 pem_len = strlen( (char *) buf );
264
265 f = fopen( cert_check_file, "r" );
266 TEST_ASSERT( f != NULL );
267 olen = fread( check_buf, 1, sizeof( check_buf ), f );
268 fclose( f );
269 TEST_ASSERT( olen < sizeof( check_buf ) );
270
271 TEST_ASSERT( olen >= pem_len - 1 );
272 TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 );
273
274 der_len = mbedtls_x509write_crt_der( &crt, buf, sizeof( buf ),
275 rnd_pseudo_rand, &rnd_info );
276 TEST_ASSERT( der_len >= 0 );
277
278 if( der_len == 0 )
279 goto exit;
280
281 ret = mbedtls_x509write_crt_der( &crt, buf, (size_t)( der_len - 1 ),
282 rnd_pseudo_rand, &rnd_info );
283 TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
284
285exit:
286 mbedtls_x509write_crt_free( &crt );
287 mbedtls_pk_free( &issuer_key_alt );
288 mbedtls_pk_free( &subject_key );
289 mbedtls_pk_free( &issuer_key );
290 mbedtls_mpi_free( &serial );
291}
292/* END_CASE */
293
294/* BEGIN_CASE depends_on:MBEDTLS_X509_CREATE_C:MBEDTLS_X509_USE_C */
295void mbedtls_x509_string_to_names( char * name, char * parsed_name, int result
296 )
297{
298 int ret;
299 size_t len = 0;
300 mbedtls_asn1_named_data *names = NULL;
301 mbedtls_x509_name parsed, *parsed_cur, *parsed_prv;
302 unsigned char buf[1024], out[1024], *c;
303
304 memset( &parsed, 0, sizeof( parsed ) );
305 memset( out, 0, sizeof( out ) );
306 memset( buf, 0, sizeof( buf ) );
307 c = buf + sizeof( buf );
308
309 ret = mbedtls_x509_string_to_names( &names, name );
310 TEST_ASSERT( ret == result );
311
312 if( ret != 0 )
313 goto exit;
314
315 ret = mbedtls_x509_write_names( &c, buf, names );
316 TEST_ASSERT( ret > 0 );
317
318 TEST_ASSERT( mbedtls_asn1_get_tag( &c, buf + sizeof( buf ), &len,
319 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) == 0 );
320 TEST_ASSERT( mbedtls_x509_get_name( &c, buf + sizeof( buf ), &parsed ) == 0 );
321
322 ret = mbedtls_x509_dn_gets( (char *) out, sizeof( out ), &parsed );
323 TEST_ASSERT( ret > 0 );
324
325 TEST_ASSERT( strcmp( (char *) out, parsed_name ) == 0 );
326
327exit:
328 mbedtls_asn1_free_named_data_list( &names );
329
330 parsed_cur = parsed.next;
331 while( parsed_cur != 0 )
332 {
333 parsed_prv = parsed_cur;
334 parsed_cur = parsed_cur->next;
335 mbedtls_free( parsed_prv );
336 }
337}
338/* END_CASE */