1/* BEGIN_HEADER */ 2#include "mbedtls/bignum.h" 3#include "mbedtls/x509_crt.h" 4#include "mbedtls/x509_csr.h" 5#include "x509_internal.h" 6#include "mbedtls/pem.h" 7#include "mbedtls/oid.h" 8#include "x509_oid.h" 9#include "mbedtls/rsa.h" 10#include "mbedtls/asn1.h" 11#include "mbedtls/asn1write.h" 12#include "mbedtls/pk.h" 13#if defined(MBEDTLS_PK_HAVE_PRIVATE_HEADER) 14#include <mbedtls/private/pk_private.h> 15#endif /* MBEDTLS_PK_HAVE_PRIVATE_HEADER */ 16#include "mbedtls/psa_util.h" 17 18#if defined(MBEDTLS_PEM_WRITE_C) && defined(MBEDTLS_X509_CSR_WRITE_C) 19static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen) 20{ 21 unsigned char hash[PSA_HASH_MAX_SIZE]; 22 mbedtls_x509_csr csr; 23 int ret = 0; 24 25 mbedtls_x509_csr_init(&csr); 26 27 if (mbedtls_x509_csr_parse(&csr, buf, buflen) != 0) { 28 ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA; 29 goto cleanup; 30 } 31 32 psa_algorithm_t psa_alg = mbedtls_md_psa_alg_from_type(csr.sig_md); 33 size_t hash_size = 0; 34 psa_status_t status = psa_hash_compute(psa_alg, csr.cri.p, csr.cri.len, 35 hash, PSA_HASH_MAX_SIZE, &hash_size); 36 37 if (status != PSA_SUCCESS) { 38 /* Note: this can't happen except after an internal error */ 39 ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA; 40 goto cleanup; 41 } 42 43 if (mbedtls_pk_verify_ext(csr.sig_pk, &csr.pk, 44 csr.sig_md, hash, mbedtls_md_get_size_from_type(csr.sig_md), 45 csr.sig.p, csr.sig.len) != 0) { 46 ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED; 47 goto cleanup; 48 } 49 50cleanup: 51 52 mbedtls_x509_csr_free(&csr); 53 return ret; 54} 55#endif /* MBEDTLS_PEM_WRITE_C && MBEDTLS_X509_CSR_WRITE_C */ 56 57#if defined(MBEDTLS_X509_CSR_WRITE_C) 58 59/* 60 * The size of this temporary buffer is given by the sequence of functions 61 * called hereinafter: 62 * - mbedtls_asn1_write_oid() 63 * - 8 bytes for MBEDTLS_OID_EXTENDED_KEY_USAGE raw value 64 * - 1 byte for MBEDTLS_OID_EXTENDED_KEY_USAGE length 65 * - 1 byte for MBEDTLS_ASN1_OID tag 66 * - mbedtls_asn1_write_len() 67 * - 1 byte since we're dealing with sizes which are less than 0x80 68 * - mbedtls_asn1_write_tag() 69 * - 1 byte 70 * 71 * This length is fine as long as this function is called using the 72 * MBEDTLS_OID_SERVER_AUTH OID. If this is changed in the future, then this 73 * buffer's length should be adjusted accordingly. 74 * Unfortunately there's no predefined max size for OIDs which can be used 75 * to set an overall upper boundary which is always guaranteed. 76 */ 77#define EXT_KEY_USAGE_TMP_BUF_MAX_LENGTH 12 78 79static int csr_set_extended_key_usage(mbedtls_x509write_csr *ctx, 80 const char *oid, size_t oid_len) 81{ 82 unsigned char buf[EXT_KEY_USAGE_TMP_BUF_MAX_LENGTH] = { 0 }; 83 unsigned char *p = buf + sizeof(buf); 84 int ret; 85 size_t len = 0; 86 87 /* 88 * Following functions fail anyway if the temporary buffer is not large, 89 * but we set an extra check here to emphasize a possible source of errors 90 */ 91 if (oid_len > EXT_KEY_USAGE_TMP_BUF_MAX_LENGTH) { 92 return MBEDTLS_ERR_X509_BAD_INPUT_DATA; 93 } 94 95 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_oid(&p, buf, oid, oid_len)); 96 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, buf, ret)); 97 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, buf, 98 MBEDTLS_ASN1_CONSTRUCTED | 99 MBEDTLS_ASN1_SEQUENCE)); 100 101 ret = mbedtls_x509write_csr_set_extension(ctx, 102 MBEDTLS_OID_EXTENDED_KEY_USAGE, 103 MBEDTLS_OID_SIZE(MBEDTLS_OID_EXTENDED_KEY_USAGE), 104 0, 105 p, 106 len); 107 108 return ret; 109} 110#endif /* MBEDTLS_X509_CSR_WRITE_C */ 111 112/* Due to inconsistencies in the input size limits applied by different 113 * library functions, some write-parse tests may fail. */ 114#define MAY_FAIL_GET_NAME 0x0001 115#define MAY_FAIL_DN_GETS 0x0002 116 117/* END_HEADER */ 118 119/* BEGIN_DEPENDENCIES 120 * depends_on:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C 121 * END_DEPENDENCIES 122 */ 123 124/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C */ 125void x509_csr_check(char *key_file, char *cert_req_check_file, int md_type, 126 int key_usage, int set_key_usage, int cert_type, 127 int set_cert_type, int set_extension) 128{ 129 mbedtls_pk_context key; 130 mbedtls_x509write_csr req; 131 unsigned char buf[4096]; 132 int ret; 133 unsigned char check_buf[4000]; 134 FILE *f; 135 size_t olen = 0; 136 size_t pem_len = 0, buf_index; 137 int der_len = -1; 138 const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1"; 139 mbedtls_test_rnd_pseudo_info rnd_info; 140 mbedtls_x509_san_list san_ip; 141 mbedtls_x509_san_list san_dns; 142 mbedtls_x509_san_list san_uri; 143 mbedtls_x509_san_list san_mail; 144 mbedtls_x509_san_list san_dn; 145 mbedtls_x509_san_list *san_list = NULL; 146 mbedtls_asn1_named_data *ext_san_dirname = NULL; 147 148 const char san_ip_name[] = { 0x7f, 0x00, 0x00, 0x01 }; // 127.0.0.1 149 const char *san_dns_name = "example.com"; 150 const char *san_dn_name = "C=UK,O=Mbed TLS,CN=Mbed TLS directoryName SAN"; 151 const char *san_mail_name = "mail@example.com"; 152 const char *san_uri_name = "http://pki.example.com"; 153 154 san_mail.node.type = MBEDTLS_X509_SAN_RFC822_NAME; 155 san_mail.node.san.unstructured_name.p = (unsigned char *) san_mail_name; 156 san_mail.node.san.unstructured_name.len = strlen(san_mail_name); 157 san_mail.next = NULL; 158 159 san_dns.node.type = MBEDTLS_X509_SAN_DNS_NAME; 160 san_dns.node.san.unstructured_name.p = (unsigned char *) san_dns_name; 161 san_dns.node.san.unstructured_name.len = strlen(san_dns_name); 162 san_dns.next = &san_mail; 163 164 san_dn.node.type = MBEDTLS_X509_SAN_DIRECTORY_NAME; 165 TEST_ASSERT(mbedtls_x509_string_to_names(&ext_san_dirname, 166 san_dn_name) == 0); 167 san_dn.node.san.directory_name = *ext_san_dirname; 168 san_dn.next = &san_dns; 169 170 san_ip.node.type = MBEDTLS_X509_SAN_IP_ADDRESS; 171 san_ip.node.san.unstructured_name.p = (unsigned char *) san_ip_name; 172 san_ip.node.san.unstructured_name.len = sizeof(san_ip_name); 173 san_ip.next = &san_dn; 174 175 san_uri.node.type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER; 176 san_uri.node.san.unstructured_name.p = (unsigned char *) san_uri_name; 177 san_uri.node.san.unstructured_name.len = strlen(san_uri_name); 178 san_uri.next = &san_ip; 179 180 san_list = &san_uri; 181 182 memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info)); 183 184 mbedtls_x509write_csr_init(&req); 185 mbedtls_pk_init(&key); 186 MD_OR_USE_PSA_INIT(); 187 188 TEST_ASSERT(mbedtls_pk_parse_keyfile(&key, key_file, NULL) == 0); 189 190 mbedtls_x509write_csr_set_md_alg(&req, md_type); 191 mbedtls_x509write_csr_set_key(&req, &key); 192 TEST_ASSERT(mbedtls_x509write_csr_set_subject_name(&req, subject_name) == 0); 193 if (set_key_usage != 0) { 194 TEST_ASSERT(mbedtls_x509write_csr_set_key_usage(&req, key_usage) == 0); 195 } 196 if (set_cert_type != 0) { 197 TEST_ASSERT(mbedtls_x509write_csr_set_ns_cert_type(&req, cert_type) == 0); 198 } 199 if (set_extension != 0) { 200 TEST_ASSERT(csr_set_extended_key_usage(&req, MBEDTLS_OID_SERVER_AUTH, 201 MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH)) == 0); 202 203 TEST_ASSERT(mbedtls_x509write_csr_set_subject_alternative_name(&req, san_list) == 0); 204 } 205 206 ret = mbedtls_x509write_csr_pem(&req, buf, sizeof(buf)); 207 TEST_ASSERT(ret == 0); 208 209 pem_len = strlen((char *) buf); 210 211 for (buf_index = pem_len; buf_index < sizeof(buf); ++buf_index) { 212 TEST_ASSERT(buf[buf_index] == 0); 213 } 214 215 f = fopen(cert_req_check_file, "r"); //open the file 216 TEST_ASSERT(f != NULL); //check the file has been opened. 217 olen = fread(check_buf, 1, sizeof(check_buf), f); // read the file 218 fclose(f); // close the file 219 220 TEST_ASSERT(olen >= pem_len - 1); 221 TEST_ASSERT(memcmp(buf, check_buf, pem_len - 1) == 0); 222 223 224 der_len = mbedtls_x509write_csr_der(&req, buf, sizeof(buf)); 225 TEST_ASSERT(der_len >= 0); 226 227 if (der_len == 0) { 228 goto exit; 229 } 230 231 der_len -= 1; 232 ret = mbedtls_x509write_csr_der(&req, buf, (size_t) (der_len)); 233 TEST_ASSERT(ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL); 234 235exit: 236 mbedtls_asn1_free_named_data_list(&ext_san_dirname); 237 mbedtls_x509write_csr_free(&req); 238 mbedtls_pk_free(&key); 239 MD_OR_USE_PSA_DONE(); 240} 241/* END_CASE */ 242 243/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C */ 244void x509_csr_check_opaque(char *key_file, int md_type, int key_usage, 245 int cert_type) 246{ 247 mbedtls_pk_context key; 248 mbedtls_pk_init(&key); 249 250 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; 251 psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; 252 253 mbedtls_x509write_csr req; 254 mbedtls_x509write_csr_init(&req); 255 256 unsigned char buf[4096]; 257 int ret; 258 size_t pem_len = 0; 259 const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1"; 260 mbedtls_test_rnd_pseudo_info rnd_info; 261 262 MD_OR_USE_PSA_INIT(); 263 264 memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info)); 265 266 TEST_ASSERT(mbedtls_pk_parse_keyfile(&key, key_file, NULL) == 0); 267 268 /* Turn the PK context into an opaque one. */ 269 TEST_EQUAL(mbedtls_pk_get_psa_attributes(&key, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0); 270 TEST_EQUAL(mbedtls_pk_import_into_psa(&key, &key_attr, &key_id), 0); 271 mbedtls_pk_free(&key); 272 mbedtls_pk_init(&key); 273 TEST_EQUAL(mbedtls_pk_wrap_psa(&key, key_id), 0); 274 275 mbedtls_x509write_csr_set_md_alg(&req, md_type); 276 mbedtls_x509write_csr_set_key(&req, &key); 277 TEST_ASSERT(mbedtls_x509write_csr_set_subject_name(&req, subject_name) == 0); 278 if (key_usage != 0) { 279 TEST_ASSERT(mbedtls_x509write_csr_set_key_usage(&req, key_usage) == 0); 280 } 281 if (cert_type != 0) { 282 TEST_ASSERT(mbedtls_x509write_csr_set_ns_cert_type(&req, cert_type) == 0); 283 } 284 285 ret = mbedtls_x509write_csr_pem(&req, buf, sizeof(buf) - 1); 286 287 TEST_ASSERT(ret == 0); 288 289 pem_len = strlen((char *) buf); 290 buf[pem_len] = '\0'; 291 TEST_ASSERT(x509_crt_verifycsr(buf, pem_len + 1) == 0); 292 293 294exit: 295 mbedtls_x509write_csr_free(&req); 296 mbedtls_pk_free(&key); 297 psa_destroy_key(key_id); 298 MD_OR_USE_PSA_DONE(); 299} 300/* END_CASE */ 301 302/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CRT_WRITE_C:MBEDTLS_X509_CRT_PARSE_C:PSA_WANT_ALG_SHA_1 */ 303void x509_crt_check(char *subject_key_file, char *subject_pwd, 304 char *subject_name, char *issuer_key_file, 305 char *issuer_pwd, char *issuer_name, 306 data_t *serial_arg, char *not_before, char *not_after, 307 int md_type, int key_usage, int set_key_usage, 308 char *ext_key_usage, 309 int cert_type, int set_cert_type, int auth_ident, 310 int ver, char *cert_check_file, int pk_wrap, int is_ca, 311 char *cert_verify_file, int set_subjectAltNames) 312{ 313 mbedtls_pk_context subject_key, issuer_key, issuer_key_alt; 314 mbedtls_pk_context *key = &issuer_key; 315 316 mbedtls_x509write_cert crt; 317 unsigned char buf[4096]; 318 unsigned char check_buf[5000]; 319 unsigned char *p, *end; 320 unsigned char tag, sz; 321#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C) 322 mbedtls_mpi serial_mpi; 323#endif 324 int ret, before_tag, after_tag; 325 size_t olen = 0, pem_len = 0, buf_index = 0; 326 int der_len = -1; 327 FILE *f; 328 mbedtls_test_rnd_pseudo_info rnd_info; 329 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; 330 psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; 331 mbedtls_pk_type_t issuer_key_type; 332 mbedtls_x509_san_list san_ip; 333 mbedtls_x509_san_list san_dns; 334 mbedtls_x509_san_list san_uri; 335 mbedtls_x509_san_list san_mail; 336 mbedtls_x509_san_list san_dn; 337 mbedtls_asn1_named_data *ext_san_dirname = NULL; 338 const char san_ip_name[] = { 0x01, 0x02, 0x03, 0x04 }; 339 const char *san_dns_name = "example.com"; 340 const char *san_dn_name = "C=UK,O=Mbed TLS,CN=SubjectAltName test"; 341 const char *san_mail_name = "mail@example.com"; 342 const char *san_uri_name = "http://pki.example.com"; 343 mbedtls_x509_san_list *san_list = NULL; 344 345 if (set_subjectAltNames) { 346 san_mail.node.type = MBEDTLS_X509_SAN_RFC822_NAME; 347 san_mail.node.san.unstructured_name.p = (unsigned char *) san_mail_name; 348 san_mail.node.san.unstructured_name.len = strlen(san_mail_name); 349 san_mail.next = NULL; 350 351 san_dns.node.type = MBEDTLS_X509_SAN_DNS_NAME; 352 san_dns.node.san.unstructured_name.p = (unsigned char *) san_dns_name; 353 san_dns.node.san.unstructured_name.len = strlen(san_dns_name); 354 san_dns.next = &san_mail; 355 356 san_dn.node.type = MBEDTLS_X509_SAN_DIRECTORY_NAME; 357 TEST_ASSERT(mbedtls_x509_string_to_names(&ext_san_dirname, 358 san_dn_name) == 0); 359 san_dn.node.san.directory_name = *ext_san_dirname; 360 san_dn.next = &san_dns; 361 362 san_ip.node.type = MBEDTLS_X509_SAN_IP_ADDRESS; 363 san_ip.node.san.unstructured_name.p = (unsigned char *) san_ip_name; 364 san_ip.node.san.unstructured_name.len = sizeof(san_ip_name); 365 san_ip.next = &san_dn; 366 367 san_uri.node.type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER; 368 san_uri.node.san.unstructured_name.p = (unsigned char *) san_uri_name; 369 san_uri.node.san.unstructured_name.len = strlen(san_uri_name); 370 san_uri.next = &san_ip; 371 372 san_list = &san_uri; 373 } 374 375 memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info)); 376#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C) 377 mbedtls_mpi_init(&serial_mpi); 378#endif 379 380 mbedtls_pk_init(&subject_key); 381 mbedtls_pk_init(&issuer_key); 382 mbedtls_pk_init(&issuer_key_alt); 383 mbedtls_x509write_crt_init(&crt); 384 MD_OR_USE_PSA_INIT(); 385 386 TEST_ASSERT(mbedtls_pk_parse_keyfile(&subject_key, subject_key_file, 387 subject_pwd) == 0); 388 389 TEST_ASSERT(mbedtls_pk_parse_keyfile(&issuer_key, issuer_key_file, 390 issuer_pwd) == 0); 391 392 issuer_key_type = mbedtls_pk_get_type(&issuer_key); 393 394 /* Turn the issuer PK context into an opaque one. */ 395 if (pk_wrap == 2) { 396 TEST_EQUAL(mbedtls_pk_get_psa_attributes(&issuer_key, PSA_KEY_USAGE_SIGN_HASH, 397 &key_attr), 0); 398 TEST_EQUAL(mbedtls_pk_import_into_psa(&issuer_key, &key_attr, &key_id), 0); 399 mbedtls_pk_free(&issuer_key); 400 mbedtls_pk_init(&issuer_key); 401 TEST_EQUAL(mbedtls_pk_wrap_psa(&issuer_key, key_id), 0); 402 } 403 404 if (pk_wrap == 2) { 405 TEST_ASSERT(mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_OPAQUE); 406 } 407 408 if (ver != -1) { 409 mbedtls_x509write_crt_set_version(&crt, ver); 410 } 411 412 TEST_ASSERT(mbedtls_x509write_crt_set_serial_raw(&crt, serial_arg->x, 413 serial_arg->len) == 0); 414 TEST_ASSERT(mbedtls_x509write_crt_set_validity(&crt, not_before, 415 not_after) == 0); 416 mbedtls_x509write_crt_set_md_alg(&crt, md_type); 417 TEST_ASSERT(mbedtls_x509write_crt_set_issuer_name(&crt, issuer_name) == 0); 418 TEST_ASSERT(mbedtls_x509write_crt_set_subject_name(&crt, subject_name) == 0); 419 mbedtls_x509write_crt_set_subject_key(&crt, &subject_key); 420 421 mbedtls_x509write_crt_set_issuer_key(&crt, key); 422 423 if (crt.version >= MBEDTLS_X509_CRT_VERSION_3) { 424 /* For the CA case, a path length of -1 means unlimited. */ 425 TEST_ASSERT(mbedtls_x509write_crt_set_basic_constraints(&crt, is_ca, 426 (is_ca ? -1 : 0)) == 0); 427 TEST_ASSERT(mbedtls_x509write_crt_set_subject_key_identifier(&crt) == 0); 428 if (auth_ident) { 429 TEST_ASSERT(mbedtls_x509write_crt_set_authority_key_identifier(&crt) == 0); 430 } 431 if (set_key_usage != 0) { 432 TEST_ASSERT(mbedtls_x509write_crt_set_key_usage(&crt, key_usage) == 0); 433 } 434 if (set_cert_type != 0) { 435 TEST_ASSERT(mbedtls_x509write_crt_set_ns_cert_type(&crt, cert_type) == 0); 436 } 437 if (strcmp(ext_key_usage, "NULL") != 0) { 438 mbedtls_asn1_sequence exts[2]; 439 memset(exts, 0, sizeof(exts)); 440 441#define SET_OID(x, oid) \ 442 do { \ 443 x.len = MBEDTLS_OID_SIZE(oid); \ 444 x.p = (unsigned char *) oid; \ 445 x.tag = MBEDTLS_ASN1_OID; \ 446 } \ 447 while (0) 448 449 if (strcmp(ext_key_usage, "serverAuth") == 0) { 450 SET_OID(exts[0].buf, MBEDTLS_OID_SERVER_AUTH); 451 } else if (strcmp(ext_key_usage, "codeSigning,timeStamping") == 0) { 452 SET_OID(exts[0].buf, MBEDTLS_OID_CODE_SIGNING); 453 exts[0].next = &exts[1]; 454 SET_OID(exts[1].buf, MBEDTLS_OID_TIME_STAMPING); 455 } 456 TEST_ASSERT(mbedtls_x509write_crt_set_ext_key_usage(&crt, exts) == 0); 457 } 458 } 459 460 if (set_subjectAltNames) { 461 TEST_ASSERT(mbedtls_x509write_crt_set_subject_alternative_name(&crt, san_list) == 0); 462 } 463 ret = mbedtls_x509write_crt_pem(&crt, buf, sizeof(buf)); 464 TEST_ASSERT(ret == 0); 465 466 pem_len = strlen((char *) buf); 467 468 // check that the rest of the buffer remains clear 469 for (buf_index = pem_len; buf_index < sizeof(buf); ++buf_index) { 470 TEST_ASSERT(buf[buf_index] == 0); 471 } 472 473 if (issuer_key_type != MBEDTLS_PK_RSA) { 474 mbedtls_x509_crt crt_parse, trusted; 475 uint32_t flags; 476 477 mbedtls_x509_crt_init(&crt_parse); 478 mbedtls_x509_crt_init(&trusted); 479 480 TEST_ASSERT(mbedtls_x509_crt_parse_file(&trusted, 481 cert_verify_file) == 0); 482 TEST_ASSERT(mbedtls_x509_crt_parse(&crt_parse, 483 buf, sizeof(buf)) == 0); 484 485 ret = mbedtls_x509_crt_verify(&crt_parse, &trusted, NULL, NULL, &flags, 486 NULL, NULL); 487 488 mbedtls_x509_crt_free(&crt_parse); 489 mbedtls_x509_crt_free(&trusted); 490 491 TEST_EQUAL(flags, 0); 492 TEST_EQUAL(ret, 0); 493 } else if (*cert_check_file != '\0') { 494 f = fopen(cert_check_file, "r"); 495 TEST_ASSERT(f != NULL); 496 olen = fread(check_buf, 1, sizeof(check_buf), f); 497 fclose(f); 498 TEST_ASSERT(olen < sizeof(check_buf)); 499 500 TEST_EQUAL(olen, pem_len); 501 TEST_ASSERT(olen >= pem_len - 1); 502 TEST_ASSERT(memcmp(buf, check_buf, pem_len - 1) == 0); 503 } 504 505 der_len = mbedtls_x509write_crt_der(&crt, buf, sizeof(buf)); 506 TEST_ASSERT(der_len >= 0); 507 508 if (der_len == 0) { 509 goto exit; 510 } 511 512 // Not testing against file, check date format 513 if (*cert_check_file == '\0') { 514 // UTC tag if before 2050, 2 digits less for year 515 if (not_before[0] == '2' && (not_before[1] > '0' || not_before[2] > '4')) { 516 before_tag = MBEDTLS_ASN1_GENERALIZED_TIME; 517 } else { 518 before_tag = MBEDTLS_ASN1_UTC_TIME; 519 not_before += 2; 520 } 521 if (not_after[0] == '2' && (not_after[1] > '0' || not_after[2] > '4')) { 522 after_tag = MBEDTLS_ASN1_GENERALIZED_TIME; 523 } else { 524 after_tag = MBEDTLS_ASN1_UTC_TIME; 525 not_after += 2; 526 } 527 end = buf + sizeof(buf); 528 for (p = end - der_len; p < end;) { 529 tag = *p++; 530 sz = *p++; 531 if (tag == MBEDTLS_ASN1_UTC_TIME || tag == MBEDTLS_ASN1_GENERALIZED_TIME) { 532 // Check correct tag and time written 533 TEST_ASSERT(before_tag == tag); 534 TEST_ASSERT(memcmp(p, not_before, sz - 1) == 0); 535 p += sz; 536 tag = *p++; 537 sz = *p++; 538 TEST_ASSERT(after_tag == tag); 539 TEST_ASSERT(memcmp(p, not_after, sz - 1) == 0); 540 break; 541 } 542 // Increment if long form ASN1 length 543 if (sz & 0x80) { 544 p += sz & 0x0F; 545 } 546 if (tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) { 547 p += sz; 548 } 549 } 550 TEST_ASSERT(p < end); 551 } 552 553 der_len -= 1; 554 555 ret = mbedtls_x509write_crt_der(&crt, buf, (size_t) (der_len)); 556 TEST_ASSERT(ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL); 557 558exit: 559 mbedtls_asn1_free_named_data_list(&ext_san_dirname); 560 mbedtls_x509write_crt_free(&crt); 561 mbedtls_pk_free(&issuer_key_alt); 562 mbedtls_pk_free(&subject_key); 563 mbedtls_pk_free(&issuer_key); 564#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C) 565 mbedtls_mpi_free(&serial_mpi); 566#endif 567 psa_destroy_key(key_id); 568 MD_OR_USE_PSA_DONE(); 569} 570/* END_CASE */ 571 572/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_WRITE_C */ 573void x509_set_serial_check() 574{ 575 mbedtls_x509write_cert ctx; 576 uint8_t invalid_serial[MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN + 1]; 577 578#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C) 579 mbedtls_mpi serial_mpi; 580 mbedtls_mpi_init(&serial_mpi); 581#endif 582 583 USE_PSA_INIT(); 584 memset(invalid_serial, 0x01, sizeof(invalid_serial)); 585 586 TEST_EQUAL(mbedtls_x509write_crt_set_serial_raw(&ctx, invalid_serial, 587 sizeof(invalid_serial)), 588 MBEDTLS_ERR_X509_BAD_INPUT_DATA); 589 590exit: 591#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C) 592 mbedtls_mpi_free(&serial_mpi); 593#else 594 ; 595#endif 596 USE_PSA_DONE(); 597} 598/* END_CASE */ 599 600/* BEGIN_CASE depends_on:MBEDTLS_X509_CREATE_C:MBEDTLS_X509_USE_C */ 601void mbedtls_x509_string_to_names(char *name, char *parsed_name, 602 int result, int may_fail) 603{ 604 int ret; 605 size_t len = 0; 606 mbedtls_asn1_named_data *names = NULL; 607 mbedtls_x509_name parsed; 608 memset(&parsed, 0, sizeof(parsed)); 609 mbedtls_x509_name *parsed_cur = NULL; 610 mbedtls_x509_name *parsed_prv = NULL; 611 unsigned char buf[1024] = { 0 }; 612 unsigned char out[1024] = { 0 }; 613 unsigned char *c = buf + sizeof(buf); 614 615 USE_PSA_INIT(); 616 617 ret = mbedtls_x509_string_to_names(&names, name); 618 TEST_EQUAL(ret, result); 619 620 if (ret != 0) { 621 goto exit; 622 } 623 624 ret = mbedtls_x509_write_names(&c, buf, names); 625 TEST_LE_S(1, ret); 626 627 TEST_EQUAL(mbedtls_asn1_get_tag(&c, buf + sizeof(buf), &len, 628 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE), 0); 629 ret = mbedtls_x509_get_name(&c, buf + sizeof(buf), &parsed); 630 if ((may_fail & MAY_FAIL_GET_NAME) && ret < 0) { 631 /* Validation inconsistency between mbedtls_x509_string_to_names() and 632 * mbedtls_x509_get_name(). Accept it for now. */ 633 goto exit; 634 } 635 TEST_EQUAL(ret, 0); 636 637 ret = mbedtls_x509_dn_gets((char *) out, sizeof(out), &parsed); 638 if ((may_fail & MAY_FAIL_DN_GETS) && ret < 0) { 639 /* Validation inconsistency between mbedtls_x509_string_to_names() and 640 * mbedtls_x509_dn_gets(). Accept it for now. */ 641 goto exit; 642 } 643 TEST_LE_S(1, ret); 644 TEST_ASSERT(strcmp((char *) out, parsed_name) == 0); 645 646 /* Check that calling a 2nd time with the same param (now non-NULL) 647 * returns an error as expected. */ 648 ret = mbedtls_x509_string_to_names(&names, name); 649 TEST_EQUAL(ret, MBEDTLS_ERR_X509_BAD_INPUT_DATA); 650 651exit: 652 mbedtls_asn1_free_named_data_list(&names); 653 654 parsed_cur = parsed.next; 655 while (parsed_cur != 0) { 656 parsed_prv = parsed_cur; 657 parsed_cur = parsed_cur->next; 658 mbedtls_free(parsed_prv); 659 } 660 USE_PSA_DONE(); 661} 662/* END_CASE */ 663 664/* BEGIN_CASE depends_on:MBEDTLS_X509_CSR_WRITE_C */ 665void x509_set_extension_length_check() 666{ 667 int ret = 0; 668 669 mbedtls_x509write_csr ctx; 670 mbedtls_x509write_csr_init(&ctx); 671 672 unsigned char buf[EXT_KEY_USAGE_TMP_BUF_MAX_LENGTH] = { 0 }; 673 unsigned char *p = buf + sizeof(buf); 674 675 ret = mbedtls_x509_set_extension(&(ctx.MBEDTLS_PRIVATE(extensions)), 676 MBEDTLS_OID_EXTENDED_KEY_USAGE, 677 MBEDTLS_OID_SIZE(MBEDTLS_OID_EXTENDED_KEY_USAGE), 678 0, 679 p, 680 SIZE_MAX); 681 TEST_ASSERT(MBEDTLS_ERR_X509_BAD_INPUT_DATA == ret); 682} 683/* END_CASE */ 684 685/* BEGIN_CASE depends_on:MBEDTLS_X509_CREATE_C */ 686void oid_from_numeric_string(char *oid_str, int error_ret, 687 data_t *exp_oid_buf) 688{ 689 mbedtls_asn1_buf oid = { 0, 0, NULL }; 690 mbedtls_asn1_buf exp_oid = { 0, 0, NULL }; 691 int ret; 692 693 exp_oid.tag = MBEDTLS_ASN1_OID; 694 exp_oid.p = exp_oid_buf->x; 695 exp_oid.len = exp_oid_buf->len; 696 697 ret = mbedtls_oid_from_numeric_string(&oid, oid_str, strlen(oid_str)); 698 699 if (error_ret == 0) { 700 TEST_EQUAL(oid.len, exp_oid.len); 701 TEST_ASSERT(memcmp(oid.p, exp_oid.p, oid.len) == 0); 702 mbedtls_free(oid.p); 703 oid.p = NULL; 704 oid.len = 0; 705 } else { 706 TEST_EQUAL(ret, error_ret); 707 } 708} 709/* END_CASE */ 710