Add tests for profile enforcement
Now all checks related to profiles are covered in verify_with_profile(), verify_child() and verify_top() (that's 10 lines that were previously not covered). Profile enforcement in CRLs is left aside for now, as the focus is on preparing to refactor cert verification.
This commit is contained in:
parent
94f2aa344d
commit
189bb40e60
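--- a/<path not on page: x509parse test-suite .data file>
+++ b/<path not on page: x509parse test-suite .data file>
@@ -1282,6 +1282,30 @@ X509 CRT verify chain #11 (valid chain, missing profile)
 depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
 mbedtls_x509_crt_verify_chain:"data_files/dir4/cert92.crt":"data_files/dir4/cert91.crt":-1:MBEDTLS_ERR_X509_BAD_INPUT_DATA:"nonesuch"
 
+X509 CRT verify chain #12 (suiteb profile, RSA root)
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+mbedtls_x509_crt_verify_chain:"data_files/server3.crt":"data_files/test-ca.crt":MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"suiteb"
+
+X509 CRT verify chain #13 (RSA only profile, EC root)
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+mbedtls_x509_crt_verify_chain:"data_files/server4.crt":"data_files/test-ca2.crt":MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072"
+
+X509 CRT verify chain #14 (RSA-3072 profile, root key too small)
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
+mbedtls_x509_crt_verify_chain:"data_files/server1.crt":"data_files/test-ca.crt":MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072"
+
+X509 CRT verify chain #15 (suiteb profile, rsa intermediate)
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+mbedtls_x509_crt_verify_chain:"data_files/server7.crt data_files/test-int-ca.crt":"data_files/test-ca2.crt":MBEDTLS_X509_BADCERT_BAD_PK:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"suiteb"
+
+X509 CRT verify chain #16 (RSA-only profile, EC intermediate)
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+mbedtls_x509_crt_verify_chain:"data_files/server8.crt data_files/test-int-ca2.crt":"data_files/test-ca.crt":MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072"
+
+X509 CRT verify chain #17 (SHA-512 profile)
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+mbedtls_x509_crt_verify_chain:"data_files/server7.crt data_files/test-int-ca.crt":"data_files/test-ca2.crt":MBEDTLS_X509_BADCERT_BAD_MD:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"sha512"
+
 X509 OID description #1
 x509_oid_desc:"2B06010505070301":"TLS Web Server Authentication"
 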
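Review bot: The new test titles name the same profile three different ways — #13 says "RSA only profile", #16 "RSA-only profile" and #14 "RSA-3072 profile" — although all three pass "rsa3072" as the profile argument. Test titles are what the suite prints on failure and what people grep for, so one spelling per profile helps; `X509 CRT verify chain #13 (RSA-3072 profile, EC root)` and `X509 CRT verify chain #16 (RSA-3072 profile, EC intermediate)` would line up with #14. Likewise #15 writes "rsa intermediate" while #12 writes "RSA root".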
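--- a/<path not on page: x509parse test-suite .function file>
+++ b/<path not on page: x509parse test-suite .function file>
@@ -28,6 +28,24 @@ const mbedtls_x509_crt_profile compat_profile =
 1024,
 };
 
+const mbedtls_x509_crt_profile profile_rsa3072 =
+{
+MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
+MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
+MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
+MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_RSA ),
+0,
+3072,
+};
+
+const mbedtls_x509_crt_profile profile_sha512 =
+{
+MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
+0xFFFFFFF, /* Any PK alg */
+0xFFFFFFF, /* Any curve */
+1024,
+};
+
 int verify_none( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags )
 {
 ((void) data);
@@ -573,6 +591,10 @@ void mbedtls_x509_crt_verify_chain( char *chain_paths, char *trusted_ca,
 profile = &mbedtls_x509_crt_profile_next;
 else if( strcmp(profile_name, "suiteb") == 0 )
 profile = &mbedtls_x509_crt_profile_suiteb;
+else if( strcmp(profile_name, "rsa3072") == 0 )
+profile = &profile_rsa3072;
+else if( strcmp(profile_name, "sha512") == 0 )
+profile = &profile_sha512;
 
 res = mbedtls_x509_crt_verify_with_profile( &chain, &trusted, NULL, profile,
 NULL, &flags, NULL, NULL );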
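Review bot: In profile_sha512 the two `0xFFFFFFF` masks have seven hex digits, so only the low 28 bits are set, yet the comments next to them say "Any PK alg" and "Any curve"; if allowed_pks and allowed_curves are 32-bit masks built with MBEDTLS_X509_ID_FLAG, as the other fields in this hunk are, an id of 29 or above would be rejected by a profile that claims to accept everything. Either spell the mask as `0xFFFFFFFF` or change the comments to state the real bound, so that a later copy of this table does not inherit the gap. Separately, profile_rsa3072 and profile_sha512 have external linkage like compat_profile above the hunk; `static const` would keep these test-only tables file-local, though that is a consistency decision for the whole file. The verify_chain function in the second hunk starts and ends outside the hunk.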