123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364 |
- /* BEGIN_HEADER */
- #include "mbedtls/bignum.h"
- #include "mbedtls/x509_crt.h"
- #include "mbedtls/x509_csr.h"
- #include "mbedtls/pem.h"
- #include "mbedtls/oid.h"
- #include "mbedtls/rsa.h"
- #if defined(MBEDTLS_RSA_C)
- int mbedtls_rsa_decrypt_func( void *ctx, int mode, size_t *olen,
- const unsigned char *input, unsigned char *output,
- size_t output_max_len )
- {
- return( mbedtls_rsa_pkcs1_decrypt( (mbedtls_rsa_context *) ctx, NULL, NULL, mode, olen,
- input, output, output_max_len ) );
- }
- int mbedtls_rsa_sign_func( void *ctx,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
- int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
- const unsigned char *hash, unsigned char *sig )
- {
- return( mbedtls_rsa_pkcs1_sign( (mbedtls_rsa_context *) ctx, f_rng, p_rng, mode,
- md_alg, hashlen, hash, sig ) );
- }
- size_t mbedtls_rsa_key_len_func( void *ctx )
- {
- return( ((const mbedtls_rsa_context *) ctx)->len );
- }
- #endif /* MBEDTLS_RSA_C */
- #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
- defined(MBEDTLS_PEM_WRITE_C) && defined(MBEDTLS_X509_CSR_WRITE_C)
- static int x509_crt_verifycsr( const unsigned char *buf, size_t buflen )
- {
- unsigned char hash[MBEDTLS_MD_MAX_SIZE];
- const mbedtls_md_info_t *md_info;
- mbedtls_x509_csr csr;
- int ret = 0;
- mbedtls_x509_csr_init( &csr );
- if( mbedtls_x509_csr_parse( &csr, buf, buflen ) != 0 )
- {
- ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
- goto cleanup;
- }
- md_info = mbedtls_md_info_from_type( csr.sig_md );
- if( mbedtls_md( md_info, csr.cri.p, csr.cri.len, hash ) != 0 )
- {
- /* Note: this can't happen except after an internal error */
- ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
- goto cleanup;
- }
- if( mbedtls_pk_verify_ext( csr.sig_pk, csr.sig_opts, &csr.pk,
- csr.sig_md, hash, mbedtls_md_get_size( md_info ),
- csr.sig.p, csr.sig.len ) != 0 )
- {
- ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
- goto cleanup;
- }
- cleanup:
- mbedtls_x509_csr_free( &csr );
- return( ret );
- }
- #endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_PEM_WRITE_C && MBEDTLS_X509_CSR_WRITE_C */
- /* END_HEADER */
- /* BEGIN_DEPENDENCIES
- * depends_on:MBEDTLS_BIGNUM_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C
- * END_DEPENDENCIES
- */
- /* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C */
- void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type,
- int key_usage, int set_key_usage, int cert_type,
- int set_cert_type )
- {
- mbedtls_pk_context key;
- mbedtls_x509write_csr req;
- unsigned char buf[4096];
- unsigned char check_buf[4000];
- int ret;
- size_t olen = 0, pem_len = 0, buf_index;
- int der_len = -1;
- FILE *f;
- const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1";
- mbedtls_test_rnd_pseudo_info rnd_info;
- memset( &rnd_info, 0x2a, sizeof( mbedtls_test_rnd_pseudo_info ) );
- mbedtls_pk_init( &key );
- TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL ) == 0 );
- mbedtls_x509write_csr_init( &req );
- mbedtls_x509write_csr_set_md_alg( &req, md_type );
- mbedtls_x509write_csr_set_key( &req, &key );
- TEST_ASSERT( mbedtls_x509write_csr_set_subject_name( &req, subject_name ) == 0 );
- if( set_key_usage != 0 )
- TEST_ASSERT( mbedtls_x509write_csr_set_key_usage( &req, key_usage ) == 0 );
- if( set_cert_type != 0 )
- TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 );
- ret = mbedtls_x509write_csr_pem( &req, buf, sizeof( buf ),
- mbedtls_test_rnd_pseudo_rand, &rnd_info );
- TEST_ASSERT( ret == 0 );
- pem_len = strlen( (char *) buf );
- for( buf_index = pem_len; buf_index < sizeof( buf ); ++buf_index )
- {
- TEST_ASSERT( buf[buf_index] == 0 );
- }
- f = fopen( cert_req_check_file, "r" );
- TEST_ASSERT( f != NULL );
- olen = fread( check_buf, 1, sizeof( check_buf ), f );
- fclose( f );
- TEST_ASSERT( olen >= pem_len - 1 );
- TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 );
- der_len = mbedtls_x509write_csr_der( &req, buf, sizeof( buf ),
- mbedtls_test_rnd_pseudo_rand,
- &rnd_info );
- TEST_ASSERT( der_len >= 0 );
- if( der_len == 0 )
- goto exit;
- ret = mbedtls_x509write_csr_der( &req, buf, (size_t)( der_len - 1 ),
- mbedtls_test_rnd_pseudo_rand, &rnd_info );
- TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
- exit:
- mbedtls_x509write_csr_free( &req );
- mbedtls_pk_free( &key );
- }
- /* END_CASE */
- /* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C:MBEDTLS_USE_PSA_CRYPTO */
- void x509_csr_check_opaque( char *key_file, int md_type, int key_usage,
- int cert_type )
- {
- mbedtls_pk_context key;
- mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
- psa_algorithm_t md_alg_psa;
- mbedtls_x509write_csr req;
- unsigned char buf[4096];
- int ret;
- size_t pem_len = 0;
- const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1";
- mbedtls_test_rnd_pseudo_info rnd_info;
- PSA_INIT( );
- memset( &rnd_info, 0x2a, sizeof( mbedtls_test_rnd_pseudo_info ) );
- md_alg_psa = mbedtls_psa_translate_md( (mbedtls_md_type_t) md_type );
- TEST_ASSERT( md_alg_psa != MBEDTLS_MD_NONE );
- mbedtls_pk_init( &key );
- TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL ) == 0 );
- TEST_ASSERT( mbedtls_pk_wrap_as_opaque( &key, &key_id, md_alg_psa ) == 0 );
- mbedtls_x509write_csr_init( &req );
- mbedtls_x509write_csr_set_md_alg( &req, md_type );
- mbedtls_x509write_csr_set_key( &req, &key );
- TEST_ASSERT( mbedtls_x509write_csr_set_subject_name( &req, subject_name ) == 0 );
- if( key_usage != 0 )
- TEST_ASSERT( mbedtls_x509write_csr_set_key_usage( &req, key_usage ) == 0 );
- if( cert_type != 0 )
- TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 );
- ret = mbedtls_x509write_csr_pem( &req, buf, sizeof( buf ) - 1,
- mbedtls_test_rnd_pseudo_rand, &rnd_info );
- TEST_ASSERT( ret == 0 );
- pem_len = strlen( (char *) buf );
- buf[pem_len] = '\0';
- TEST_ASSERT( x509_crt_verifycsr( buf, pem_len + 1 ) == 0 );
- exit:
- mbedtls_x509write_csr_free( &req );
- mbedtls_pk_free( &key );
- psa_destroy_key( key_id );
- PSA_DONE( );
- }
- /* END_CASE */
- /* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CRT_WRITE_C:MBEDTLS_SHA1_C */
- void x509_crt_check( char *subject_key_file, char *subject_pwd,
- char *subject_name, char *issuer_key_file,
- char *issuer_pwd, char *issuer_name,
- char *serial_str, char *not_before, char *not_after,
- int md_type, int key_usage, int set_key_usage,
- int cert_type, int set_cert_type, int auth_ident,
- int ver, char *cert_check_file, int rsa_alt, int is_ca )
- {
- mbedtls_pk_context subject_key, issuer_key, issuer_key_alt;
- mbedtls_pk_context *key = &issuer_key;
- mbedtls_x509write_cert crt;
- unsigned char buf[4096];
- unsigned char check_buf[5000];
- mbedtls_mpi serial;
- int ret;
- size_t olen = 0, pem_len = 0, buf_index = 0;
- int der_len = -1;
- FILE *f;
- mbedtls_test_rnd_pseudo_info rnd_info;
- memset( &rnd_info, 0x2a, sizeof( mbedtls_test_rnd_pseudo_info ) );
- mbedtls_mpi_init( &serial );
- mbedtls_pk_init( &subject_key );
- mbedtls_pk_init( &issuer_key );
- mbedtls_pk_init( &issuer_key_alt );
- mbedtls_x509write_crt_init( &crt );
- TEST_ASSERT( mbedtls_pk_parse_keyfile( &subject_key, subject_key_file,
- subject_pwd ) == 0 );
- TEST_ASSERT( mbedtls_pk_parse_keyfile( &issuer_key, issuer_key_file,
- issuer_pwd ) == 0 );
- #if defined(MBEDTLS_RSA_C)
- /* For RSA PK contexts, create a copy as an alternative RSA context. */
- if( rsa_alt == 1 && mbedtls_pk_get_type( &issuer_key ) == MBEDTLS_PK_RSA )
- {
- TEST_ASSERT( mbedtls_pk_setup_rsa_alt( &issuer_key_alt,
- mbedtls_pk_rsa( issuer_key ),
- mbedtls_rsa_decrypt_func,
- mbedtls_rsa_sign_func,
- mbedtls_rsa_key_len_func ) == 0 );
- key = &issuer_key_alt;
- }
- #else
- (void) rsa_alt;
- #endif
- TEST_ASSERT( mbedtls_test_read_mpi( &serial, 10, serial_str ) == 0 );
- if( ver != -1 )
- mbedtls_x509write_crt_set_version( &crt, ver );
- TEST_ASSERT( mbedtls_x509write_crt_set_serial( &crt, &serial ) == 0 );
- TEST_ASSERT( mbedtls_x509write_crt_set_validity( &crt, not_before,
- not_after ) == 0 );
- mbedtls_x509write_crt_set_md_alg( &crt, md_type );
- TEST_ASSERT( mbedtls_x509write_crt_set_issuer_name( &crt, issuer_name ) == 0 );
- TEST_ASSERT( mbedtls_x509write_crt_set_subject_name( &crt, subject_name ) == 0 );
- mbedtls_x509write_crt_set_subject_key( &crt, &subject_key );
- mbedtls_x509write_crt_set_issuer_key( &crt, key );
- if( crt.version >= MBEDTLS_X509_CRT_VERSION_3 )
- {
- /* For the CA case, a path length of -1 means unlimited. */
- TEST_ASSERT( mbedtls_x509write_crt_set_basic_constraints( &crt, is_ca,
- (is_ca ? -1 : 0) ) == 0 );
- TEST_ASSERT( mbedtls_x509write_crt_set_subject_key_identifier( &crt ) == 0 );
- if( auth_ident )
- TEST_ASSERT( mbedtls_x509write_crt_set_authority_key_identifier( &crt ) == 0 );
- if( set_key_usage != 0 )
- TEST_ASSERT( mbedtls_x509write_crt_set_key_usage( &crt, key_usage ) == 0 );
- if( set_cert_type != 0 )
- TEST_ASSERT( mbedtls_x509write_crt_set_ns_cert_type( &crt, cert_type ) == 0 );
- }
- ret = mbedtls_x509write_crt_pem( &crt, buf, sizeof( buf ),
- mbedtls_test_rnd_pseudo_rand, &rnd_info );
- TEST_ASSERT( ret == 0 );
- pem_len = strlen( (char *) buf );
- // check that the rest of the buffer remains clear
- for( buf_index = pem_len; buf_index < sizeof( buf ); ++buf_index )
- {
- TEST_ASSERT( buf[buf_index] == 0 );
- }
- f = fopen( cert_check_file, "r" );
- TEST_ASSERT( f != NULL );
- olen = fread( check_buf, 1, sizeof( check_buf ), f );
- fclose( f );
- TEST_ASSERT( olen < sizeof( check_buf ) );
- TEST_ASSERT( olen >= pem_len - 1 );
- TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 );
- der_len = mbedtls_x509write_crt_der( &crt, buf, sizeof( buf ),
- mbedtls_test_rnd_pseudo_rand,
- &rnd_info );
- TEST_ASSERT( der_len >= 0 );
- if( der_len == 0 )
- goto exit;
- ret = mbedtls_x509write_crt_der( &crt, buf, (size_t)( der_len - 1 ),
- mbedtls_test_rnd_pseudo_rand, &rnd_info );
- TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
- exit:
- mbedtls_x509write_crt_free( &crt );
- mbedtls_pk_free( &issuer_key_alt );
- mbedtls_pk_free( &subject_key );
- mbedtls_pk_free( &issuer_key );
- mbedtls_mpi_free( &serial );
- }
- /* END_CASE */
- /* BEGIN_CASE depends_on:MBEDTLS_X509_CREATE_C:MBEDTLS_X509_USE_C */
- void mbedtls_x509_string_to_names( char * name, char * parsed_name, int result
- )
- {
- int ret;
- size_t len = 0;
- mbedtls_asn1_named_data *names = NULL;
- mbedtls_x509_name parsed, *parsed_cur, *parsed_prv;
- unsigned char buf[1024], out[1024], *c;
- memset( &parsed, 0, sizeof( parsed ) );
- memset( out, 0, sizeof( out ) );
- memset( buf, 0, sizeof( buf ) );
- c = buf + sizeof( buf );
- ret = mbedtls_x509_string_to_names( &names, name );
- TEST_ASSERT( ret == result );
- if( ret != 0 )
- goto exit;
- ret = mbedtls_x509_write_names( &c, buf, names );
- TEST_ASSERT( ret > 0 );
- TEST_ASSERT( mbedtls_asn1_get_tag( &c, buf + sizeof( buf ), &len,
- MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) == 0 );
- TEST_ASSERT( mbedtls_x509_get_name( &c, buf + sizeof( buf ), &parsed ) == 0 );
- ret = mbedtls_x509_dn_gets( (char *) out, sizeof( out ), &parsed );
- TEST_ASSERT( ret > 0 );
- TEST_ASSERT( strcmp( (char *) out, parsed_name ) == 0 );
- exit:
- mbedtls_asn1_free_named_data_list( &names );
- parsed_cur = parsed.next;
- while( parsed_cur != 0 )
- {
- parsed_prv = parsed_cur;
- parsed_cur = parsed_cur->next;
- mbedtls_free( parsed_prv );
- }
- }
- /* END_CASE */
|