From 4fa6bed0c67fee5900c9df5d3c1336153ac2e481 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Thu, 11 May 2017 16:41:25 +0200
Subject: [PATCH] X.509 tests: obey compile-time SHA-1 support option

There is now one test case to validate that SHA-1 is rejected in certificates by default, and one test case to validate that SHA-1 is supported if MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 is #defined.
---
 include/mbedtls/x509_crt.h | 5 +++++
 tests/suites/test_suite_x509parse.data | 6 +++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 383e484f7..78ee6e2aa 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -651,4 +651,9 @@ int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf,
 }
 #endif
 
+#ifndef MBEDTLS_TLS_DEFAULT_ALLOW_SHA1
+/* The test infrastructure requires a positive define */
+#define MBEDTLS_X509__DEFAULT_FORBID_SHA1
+#endif
+
 #endif /* mbedtls_x509_crt.h */
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index e6e6d69b1..f8118b0a3 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
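Review bot: The macro added at `+#define MBEDTLS_X509__DEFAULT_FORBID_SHA1` is a test-only symbol placed in a public, installed header, and its one-line comment does not tell a reader why a negated option has to exist or that it is not a configuration knob to be set by applications. It also relies on `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1` already being visible at this point, i.e. on the configuration header being included earlier in x509_crt.h, which the hunk does not show. I would expand the comment to `/* Test-only helper, not a configuration option: the test suites' depends_on: lines can only check that a macro is defined, so the default profile's rejection of SHA-1 needs a positive name. Always derived from MBEDTLS_TLS_DEFAULT_ALLOW_SHA1; never define it directly. */`. The double underscore in the name is presumably meant to mark it as internal; a name such as `MBEDTLS_X509_TEST_DEFAULT_FORBID_SHA1` would say so explicitly instead of leaning on a spelling that is reserved for the implementation in C++ and easy to misread as a typo in C.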
@@ -431,8 +431,12 @@ X509 Certificate verification #14 (Valid Cert SHA1 Digest explicitly allowed in
 depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
 x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
 
+X509 Certificate verification #14 (Valid Cert SHA1 Digest allowed in compile-time default profile)
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_TLS_DEFAULT_ALLOW_SHA1
+x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"default":"NULL"
+
 X509 Certificate verification #14 (Valid Cert SHA1 Digest forbidden in default profile)
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_X509__DEFAULT_FORBID_SHA1
 x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_BAD_MD | MBEDTLS_X509_BADCERT_BAD_MD:"default":"NULL"
 
 X509 Certificate verification #15 (Valid Cert SHA224 Digest)
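Review bot: The added `+X509 Certificate verification #14 (Valid Cert SHA1 Digest allowed in compile-time default profile)` is the third test case carrying the number #14 (next to the pre-existing "explicitly allowed" and "forbidden in default profile" cases), so a failure report no longer says which of the three SHA-1 cases fired; giving it its own number, or a name that cannot collide, would help. Its `depends_on:` line also copies the pre-existing duplicate `MBEDTLS_SHA1_C` from the context line above, which the new line could drop rather than propagate. Because the new case and the changed "forbidden in default profile" case depend on mutually exclusive macros, exactly one of them runs in any given build, so the check that the default profile rejects SHA-1-signed certificates is exercised only by a build without MBEDTLS_TLS_DEFAULT_ALLOW_SHA1; the commit adds no CI configuration that guarantees both builds are run, and I would state that expectation in the commit message so the rejection path is not silently untested.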