From 04ee5e0bbddbe094de3ae7e6b76a6c3ad0f6e907 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 26 Sep 2018 10:48:24 +0100 Subject: [PATCH 1/4] Fix ASN1 bitstring writing Refactor the function mbedtls_asn1_write_bitstring() that removes trailing 0s at the end of DER encoded bitstrings. The function is implemented according to Hanno Becker's suggestions. This commit also changes the functions x509write_crt_set_ns_cert_type and crt_set_key_usage to call the new function as the use named bitstrings instead of the regular bitstrings. --- include/mbedtls/asn1write.h | 7 +++--- library/asn1write.c | 28 ++++++++++++++--------- library/x509write_crt.c | 45 +++++++++++++++++++++++++++++++------ library/x509write_csr.c | 36 +++++++++++++++++++++++++---- 4 files changed, 91 insertions(+), 25 deletions(-) diff --git a/include/mbedtls/asn1write.h b/include/mbedtls/asn1write.h index dc6947bf9..d62853ebf 100644 --- a/include/mbedtls/asn1write.h +++ b/include/mbedtls/asn1write.h @@ -204,9 +204,10 @@ int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start, const unsigned char *buf, size_t bits ); /** - * \brief Write an octet string tag (MBEDTLS_ASN1_OCTET_STRING) and - * value in ASN.1 format - * Note: function works backwards in data buffer + * \brief Write an octet string tag (#MBEDTLS_ASN1_OCTET_STRING) + * and value in ASN.1 format. + * + * \note This function works backwards in data buffer. * * \param p reference to current position pointer * \param start start of the buffer (for bounds-checking) diff --git a/library/asn1write.c b/library/asn1write.c index c13e85e56..b451887ed 100644 --- a/library/asn1write.c +++ b/library/asn1write.c @@ -294,22 +294,28 @@ int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start, const unsigned char *buf, size_t bits ) { int ret; - size_t len = 0, size; + size_t len = 0; + size_t unused_bits, byte_len; - size = ( bits / 8 ) + ( ( bits % 8 ) ? 1 : 0 ); + byte_len = ( bits + 7 ) / 8; + unused_bits = ( byte_len * 8 ) - bits; - // Calculate byte length - // - if( *p < start || (size_t)( *p - start ) < size + 1 ) + if( *p < start || (size_t)( *p - start ) < byte_len + 1 ) return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); - len = size + 1; - (*p) -= size; - memcpy( *p, buf, size ); + len = byte_len + 1; - // Write unused bits - // - *--(*p) = (unsigned char) (size * 8 - bits); + /* Write the bitstring. Ensure the unused bits are zeroed */ + if( byte_len > 0 ) + { + byte_len--; + *--( *p ) = buf[byte_len] & ~( ( 0x1 << unused_bits ) - 1 ); + ( *p ) -= byte_len; + memcpy( *p, buf, byte_len ); + } + + /* Write unused bits */ + *--( *p ) = (unsigned char)unused_bits; MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_BIT_STRING ) ); diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 41dfe87b7..4cdb941a1 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -222,26 +222,51 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * } #endif /* MBEDTLS_SHA1_C */ +static size_t crt_get_unused_bits_for_named_bitstring( unsigned char bitstring, + size_t bit_offset ) +{ + size_t unused_bits; + + /* Count the unused bits removing trailing 0s */ + for( unused_bits = bit_offset; unused_bits < 8; unused_bits++ ) + if( ( ( bitstring >> unused_bits ) & 0x1 ) != 0 ) + break; + + return( unused_bits ); +} + int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, unsigned int key_usage ) { unsigned char buf[4], ku; unsigned char *c; int ret; + size_t unused_bits; + const unsigned int allowed_bits = MBEDTLS_X509_KU_DIGITAL_SIGNATURE | + MBEDTLS_X509_KU_NON_REPUDIATION | + MBEDTLS_X509_KU_KEY_ENCIPHERMENT | + MBEDTLS_X509_KU_DATA_ENCIPHERMENT | + MBEDTLS_X509_KU_KEY_AGREEMENT | + MBEDTLS_X509_KU_KEY_CERT_SIGN | + MBEDTLS_X509_KU_CRL_SIGN; - /* We currently only support 7 bits, from 0x80 to 0x02 */ - if( ( key_usage & ~0xfe ) != 0 ) + /* Check that nothing other than the allowed flags is set */ + if( ( key_usage & ~allowed_bits ) != 0 ) return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE ); c = buf + 4; - ku = (unsigned char) key_usage; + ku = (unsigned char)key_usage; + unused_bits = crt_get_unused_bits_for_named_bitstring( ku, 1 ); + ret = mbedtls_asn1_write_bitstring( &c, buf, &ku, 8 - unused_bits ); - if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ku, 7 ) ) != 4 ) + if( ret < 0 ) return( ret ); + else if( ret < 3 || ret > 4 ) + return( MBEDTLS_ERR_X509_INVALID_FORMAT ); ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_KEY_USAGE, MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ), - 1, buf, 4 ); + 1, c, (size_t)ret ); if( ret != 0 ) return( ret ); @@ -253,16 +278,22 @@ int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx, { unsigned char buf[4]; unsigned char *c; + size_t unused_bits; int ret; c = buf + 4; - if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ns_cert_type, 8 ) ) != 4 ) + unused_bits = crt_get_unused_bits_for_named_bitstring( ns_cert_type, 0 ); + ret = mbedtls_asn1_write_bitstring( &c, + buf, + &ns_cert_type, + 8 - unused_bits ); + if( ret < 3 || ret > 4 ) return( ret ); ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE, MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ), - 0, buf, 4 ); + 0, c, (size_t)ret ); if( ret != 0 ) return( ret ); diff --git a/library/x509write_csr.c b/library/x509write_csr.c index e80053828..d59354dc4 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -85,20 +85,39 @@ int mbedtls_x509write_csr_set_extension( mbedtls_x509write_csr *ctx, 0, val, val_len ); } +static size_t csr_get_unused_bits_for_named_bitstring( unsigned char bitstring, + size_t bit_offset ) +{ + size_t unused_bits; + + /* Count the unused bits removing trailing 0s */ + for( unused_bits = bit_offset; unused_bits < 8; unused_bits++ ) + if( ( ( bitstring >> unused_bits ) & 0x1 ) != 0 ) + break; + + return( unused_bits ); +} + int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage ) { unsigned char buf[4]; unsigned char *c; + size_t unused_bits; int ret; c = buf + 4; - if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &key_usage, 7 ) ) != 4 ) + unused_bits = csr_get_unused_bits_for_named_bitstring( key_usage, 0 ); + ret = mbedtls_asn1_write_bitstring( &c, buf, &key_usage, 8 - unused_bits ); + + if( ret < 0 ) return( ret ); + else if( ret < 3 || ret > 4 ) + return( MBEDTLS_ERR_X509_INVALID_FORMAT ); ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_KEY_USAGE, MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ), - buf, 4 ); + c, (size_t)ret ); if( ret != 0 ) return( ret ); @@ -110,16 +129,25 @@ int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr *ctx, { unsigned char buf[4]; unsigned char *c; + size_t unused_bits; int ret; c = buf + 4; - if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ns_cert_type, 8 ) ) != 4 ) + unused_bits = csr_get_unused_bits_for_named_bitstring( ns_cert_type, 0 ); + ret = mbedtls_asn1_write_bitstring( &c, + buf, + &ns_cert_type, + 8 - unused_bits ); + + if( ret < 0 ) + return( ret ); + else if( ret < 3 || ret > 4 ) return( ret ); ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE, MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ), - buf, 4 ); + c, (size_t)ret ); if( ret != 0 ) return( ret ); From abb7622d086893a00844700900ef6f885183a6eb Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 26 Sep 2018 10:51:16 +0100 Subject: [PATCH 2/4] Add tests for (named) bitstring to suite_asn1write --- programs/x509/cert_req.c | 91 ++++++++++++++++++- tests/data_files/Makefile | 32 +++++++ tests/data_files/server1.cert_type.crt | 12 +-- .../data_files/server1.cert_type_noauthid.crt | 14 +-- tests/data_files/server1.key_usage.crt | 14 +-- .../data_files/server1.key_usage_noauthid.crt | 14 +-- tests/data_files/server1.req.cert_type | 14 +-- tests/data_files/server1.req.cert_type_empty | 17 ++++ tests/data_files/server1.req.key_usage | 14 +-- tests/data_files/server1.req.key_usage_empty | 17 ++++ tests/data_files/server1.req.ku-ct | 14 +-- tests/data_files/server5.req.ku.sha1 | 6 +- tests/suites/test_suite_x509write.data | 46 ++++++---- tests/suites/test_suite_x509write.function | 16 ++-- 14 files changed, 241 insertions(+), 80 deletions(-) create mode 100644 tests/data_files/server1.req.cert_type_empty create mode 100644 tests/data_files/server1.req.key_usage_empty diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c index a32ac505f..fd0481726 100644 --- a/programs/x509/cert_req.c +++ b/programs/x509/cert_req.c @@ -63,7 +63,10 @@ int main( void ) #define DFL_OUTPUT_FILENAME "cert.req" #define DFL_SUBJECT_NAME "CN=Cert,O=mbed TLS,C=UK" #define DFL_KEY_USAGE 0 +#define DFL_FORCE_KEY_USAGE 0 #define DFL_NS_CERT_TYPE 0 +#define DFL_FORCE_NS_CERT_TYPE 0 +#define DFL_MD_ALG MBEDTLS_MD_SHA256 #define USAGE \ "\n usage: cert_req param=<>...\n" \ @@ -81,6 +84,8 @@ int main( void ) " key_agreement\n" \ " key_cert_sign\n" \ " crl_sign\n" \ + " force_key_usage=0/1 default: off\n" \ + " Add KeyUsage even if it is empty\n" \ " ns_cert_type=%%s default: (empty)\n" \ " Comma-separated-list of values:\n" \ " ssl_client\n" \ @@ -90,6 +95,13 @@ int main( void ) " ssl_ca\n" \ " email_ca\n" \ " object_signing_ca\n" \ + " force_ns_cert_type=0/1 default: off\n" \ + " Add NsCertType even if it is empty\n" \ + " md=%%s default: SHA256\n" \ + " possible values:\n" \ + " MD4, MD5, SHA1\n" \ + " SHA224, SHA256\n" \ + " SHA384, SHA512\n" \ "\n" /* @@ -102,7 +114,10 @@ struct options const char *output_file; /* where to store the constructed key file */ const char *subject_name; /* subject name for certificate request */ unsigned char key_usage; /* key usage flags */ + int force_key_usage; /* Force adding the KeyUsage extension */ unsigned char ns_cert_type; /* NS cert type */ + int force_ns_cert_type; /* Force adding NsCertType extension */ + mbedtls_md_type_t md_alg; /* Hash algorithm used for signature. */ } opt; int write_certificate_request( mbedtls_x509write_csr *req, const char *output_file, @@ -151,7 +166,6 @@ int main( int argc, char *argv[] ) * Set to sane values */ mbedtls_x509write_csr_init( &req ); - mbedtls_x509write_csr_set_md_alg( &req, MBEDTLS_MD_SHA256 ); mbedtls_pk_init( &key ); mbedtls_ctr_drbg_init( &ctr_drbg ); memset( buf, 0, sizeof( buf ) ); @@ -168,7 +182,10 @@ int main( int argc, char *argv[] ) opt.output_file = DFL_OUTPUT_FILENAME; opt.subject_name = DFL_SUBJECT_NAME; opt.key_usage = DFL_KEY_USAGE; + opt.force_key_usage = DFL_FORCE_KEY_USAGE; opt.ns_cert_type = DFL_NS_CERT_TYPE; + opt.force_ns_cert_type = DFL_FORCE_NS_CERT_TYPE; + opt.md_alg = DFL_MD_ALG; for( i = 1; i < argc; i++ ) { @@ -192,6 +209,54 @@ int main( int argc, char *argv[] ) { opt.subject_name = q; } + else if( strcmp( p, "md" ) == 0 ) + { + if( strcmp( q, "SHA256" ) == 0 ) + { + opt.md_alg = MBEDTLS_MD_SHA256; + } + else if( strcmp( q, "SHA224" ) == 0 ) + { + opt.md_alg = MBEDTLS_MD_SHA224; + } + else +#if defined(MBEDTLS_MD5_C) + if( strcmp( q, "MD5" ) == 0 ) + { + opt.md_alg = MBEDTLS_MD_MD5; + } + else +#endif /* MBEDTLS_MD5_C */ +#if defined(MBEDTLS_MD4_C) + if( strcmp( q, "MD4" ) == 0 ) + { + opt.md_alg = MBEDTLS_MD_MD4; + } + else +#endif /* MBEDTLS_MD5_C */ +#if defined(MBEDTLS_SHA1_C) + if( strcmp( q, "SHA1" ) == 0 ) + { + opt.md_alg = MBEDTLS_MD_SHA1; + } + else +#endif /* MBEDTLS_SHA1_C */ +#if defined(MBEDTLS_SHA512_C) + if( strcmp( q, "SHA384" ) == 0 ) + { + opt.md_alg = MBEDTLS_MD_SHA384; + } + else + if( strcmp( q, "SHA512" ) == 0 ) + { + opt.md_alg = MBEDTLS_MD_SHA512; + } + else +#endif /* MBEDTLS_SHA512_C */ + { + goto usage; + } + } else if( strcmp( p, "key_usage" ) == 0 ) { while( q != NULL ) @@ -219,6 +284,15 @@ int main( int argc, char *argv[] ) q = r; } } + else if( strcmp( p, "force_key_usage" ) == 0 ) + { + switch( atoi( q ) ) + { + case 0: opt.force_key_usage = 0; break; + case 1: opt.force_key_usage = 1; break; + default: goto usage; + } + } else if( strcmp( p, "ns_cert_type" ) == 0 ) { while( q != NULL ) @@ -246,14 +320,25 @@ int main( int argc, char *argv[] ) q = r; } } + else if( strcmp( p, "force_ns_cert_type" ) == 0 ) + { + switch( atoi( q ) ) + { + case 0: opt.force_ns_cert_type = 0; break; + case 1: opt.force_ns_cert_type = 1; break; + default: goto usage; + } + } else goto usage; } - if( opt.key_usage ) + mbedtls_x509write_csr_set_md_alg( &req, opt.md_alg ); + + if( opt.key_usage || opt.force_key_usage == 1 ) mbedtls_x509write_csr_set_key_usage( &req, opt.key_usage ); - if( opt.ns_cert_type ) + if( opt.ns_cert_type || opt.force_ns_cert_type == 1 ) mbedtls_x509write_csr_set_ns_cert_type( &req, opt.ns_cert_type ); /* diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 2a7a50c2e..af1898c3a 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -14,6 +14,7 @@ OPENSSL ?= openssl FAKETIME ?= faketime MBEDTLS_CERT_WRITE ?= $(PWD)/../../programs/x509/cert_write +MBEDTLS_CERT_REQ ?= $(PWD)/../../programs/x509/cert_req ## Build the generated test data. Note that since the final outputs ## are committed to the repository, this target should do nothing on a @@ -701,6 +702,37 @@ ec_prv.pk8param.pem: ec_prv.pk8param.der $(OPENSSL) pkey -in $< -inform DER -out $@ all_final += ec_prv.pk8param.pem +# server5* + +# The use of 'Server 1' in the DN is intentional here, as the DN is hardcoded in the x509_write test suite.' +server5.req.ku.sha1: server5.key + $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< key_usage=digital_signature,non_repudiation subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1 +all_final += server5.req.ku.sha1 + +################################################################ +### Generate CSRs for X.509 write test suite +################################################################ + +server1.req.cert_type: server1.key + $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< ns_cert_type=ssl_server subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1 +all_final += server1.req.cert_type + +server1.req.key_usage: server1.key + $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< key_usage=digital_signature,non_repudiation,key_encipherment subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1 +all_final += server1.req.key_usage + +server1.req.ku-ct: server1.key + $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< key_usage=digital_signature,non_repudiation,key_encipherment ns_cert_type=ssl_server subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1 +all_final += server1.req.ku-ct + +server1.req.key_usage_empty: server1.key + $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1 force_key_usage=1 +all_final += server1.req.key_usage_empty + +server1.req.cert_type_empty: server1.key + $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1 force_ns_cert_type=1 +all_final += server1.req.cert_type_empty + ################################################################ ### Generate certificates for CRT write check tests ################################################################ diff --git a/tests/data_files/server1.cert_type.crt b/tests/data_files/server1.cert_type.crt index 91c3a9021..107328edf 100644 --- a/tests/data_files/server1.cert_type.crt +++ b/tests/data_files/server1.cert_type.crt @@ -11,10 +11,10 @@ lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB o2AwXjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zARBglghkgBhvhCAQEEBAMC -AEAwDQYJKoZIhvcNAQEFBQADggEBAJ28VuktjDGkUWcVpM/W+YjohFDay676Yozx -BbBLU3QZiDkcdXZbX/jOaKKBGWrjWiB6txchV4XrlvEtVtPgPrQLil2xaD20LOqJ -e/ZEFIAIndf06CAcimdQaPD6mww04v3gZw3cwPQd/aMQCw9tm93tyf6YU4uIh/o8 -evG1ZBrNHRyiW18kbuueLNZ2daYQIISRJSIFrAERacfOvA8r7yXJCqZnB6AU5j9u -V+ySNW3sdZIOTfs1nWKU6SECWo72dd89Yvs7wCf3NSZNM2UemLeOjQOmZIHBiR8L -PAhDxhra5B/QBKaWeTVQohEvKz75pLAWouUGIKlgHiqJ4cvBGcg= +BkAwDQYJKoZIhvcNAQEFBQADggEBAL+IvLnq101fUrpfWA1s9HhyOrnJH+N2gO1F +6UnLmDw4NuX9pttIK60Xesb5pEhtU76y2hP2EAICe8tTQgGgZG4MW4TxIvAliuHl +qvUB/lfmAAGJoQ9WrKriL90IxcKnH3I4aIzNyG2TSIHYo6L8FXVoSrPAuL3X133D +JF6Ie0H8GUK7UOY0pZ0c6x8LCium4Ho/1UNfouSW3x7uq8gEz8lUn2blWUr0HlQr +HDyxTV4tjZ1jKPh0VHYBmcpxdNbObK4NRZanYRKAUCIUCD+kHi67akMAukv0qjbm +Y8DPy+gTLyl89BHnXDR/xCzlta5KkG1oKh3jgV7QQ6BS2+mR7+4= -----END CERTIFICATE----- diff --git a/tests/data_files/server1.cert_type_noauthid.crt b/tests/data_files/server1.cert_type_noauthid.crt index ed8b80baa..0f71ecb14 100644 --- a/tests/data_files/server1.cert_type_noauthid.crt +++ b/tests/data_files/server1.cert_type_noauthid.crt @@ -10,11 +10,11 @@ CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB oz8wPTAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAR -BglghkgBhvhCAQEEBAMCAEAwDQYJKoZIhvcNAQEFBQADggEBABNT+r+6vvlpjtyz -mewrGOKPt5iwb8w2aReJ0AWuyQzTiduN26MhXq93cXHV0pHj2rD7MfiBEwBSWnf9 -FcxkE0g77GVyM9Vs9Uy/MspIqOce7JD0c36G4EI8lYce2TYwQLE9CGNl+LDxqkLy -prijXBl/FaD+IO/SNMr3VVnfFEZqPUxg+BSTaGgD+52Z7B4nPP0xGPjlW367RGDv -9dIkr1thve2WOeC9ixxl9K/864I7/0GdbgKSf77xl3/5vnQUOY7kugRvkvxWIgHS -HNVnmEN2I2Nb0M8lQNF1sFDbpFwVbh9CkBF5LJNesy0VWd67Ho6EntPEb7vBFF/x -jz0b2l4= +BglghkgBhvhCAQEEBAMCBkAwDQYJKoZIhvcNAQEFBQADggEBADAWS7qdGNShzKm+ +AO7vfM3/+6YyIq7Jelm4T7n1GkmiGJ0bf2KhX3ohvaRz5gl0165teWVhLAivaIqB +lK3wLU9TSEaLAtgCMxw+TZhq11qq07FuaawH3nbdMAo4qA2UT0eu2CM1NJjgg8iL +b5FYGwsNcaCmmQYWVRbKlqkA1VNY2p/4PDn8xgRcgVgmqrHf7BUrEPoRA5RXBAhM +huceZxFpA+15x789xKUZHmMoOYvDeZNYw2Fg6Dk4jV403kxzrcP8sSx8Abu6aROb +b2ktuUS5hS8FjrbhDgeosDTU10PQR0Ov9LpMYO4WshkYUBpgC3pSR81pGOKxJuuH +8EV3rhc= -----END CERTIFICATE----- diff --git a/tests/data_files/server1.key_usage.crt b/tests/data_files/server1.key_usage.crt index 8f4e59f2d..303a22207 100644 --- a/tests/data_files/server1.key_usage.crt +++ b/tests/data_files/server1.key_usage.crt @@ -10,11 +10,11 @@ CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB o10wWzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf -BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zAOBgNVHQ8BAf8EBAMCAeAw -DQYJKoZIhvcNAQEFBQADggEBABKC/1x0m57EY4H412ue3ghCWgg07VcRKamnUSTs -tnqI5T0mSvuPrxhINdQB6360ibctBkXP3S9rxGHiUdeK/JqxYs2YamCs50TSWpon -p4Hzcmjsw1YgXsQ6pmYwkzU03zqs361gt7JSOzL2dN0IjwIy47qfLQb/AXhX2Ims -7gBuqVpYqJuSHR0qsN/c6WgIE3IrbK1MB6CJTkxBfcSc5E4oUIBHmww+RSVLOczM -nGk3U13dmfG0ndhMtrMyyxBZZSUwoZLjRZ6J5mHSv+k8oo1PYQeiivNEP53mgVaY -ha0gLUIk6zNBRpY1uUmxQ+RQSMIyYPBb1RedHn2s8El2mlo= +BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zAOBgNVHQ8BAf8EBAMCBeAw +DQYJKoZIhvcNAQEFBQADggEBAFqG4NbAqtsec3lFOiUDKQiGmMCO4Yq3NHhnRWkD +e9r9jWo+gfLgfUJKe02a76ciE5forJRFxG4+pa3Lo38WsF5/2YRz3IfQLOjcK6c6 +DdHrTEsPXgdqhVYJZgZbCeD5Yu5YBXlegGOrlXB9+71BKX0H+AkrR2oXsdg/31Kn +R17yP84tLucQpLdh079ecE8QTZ/21n0VTag6fQFHMeMY35MWkT4K6eRrz/Dta2tm +keHSq/coKsmm0poYPzoMPcbh/D+kSa05Ut03NL2Y+2Q9uTjv5/K/zOgGef/mJbV2 +QxB+1as+WLTtpwc20IqAz3PVBoxbRyN2Z6vjiqqAzGlfB4M= -----END CERTIFICATE----- diff --git a/tests/data_files/server1.key_usage_noauthid.crt b/tests/data_files/server1.key_usage_noauthid.crt index d66e51535..7ff26924a 100644 --- a/tests/data_files/server1.key_usage_noauthid.crt +++ b/tests/data_files/server1.key_usage_noauthid.crt @@ -10,11 +10,11 @@ CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB ozwwOjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAO -BgNVHQ8BAf8EBAMCAeAwDQYJKoZIhvcNAQEFBQADggEBAJZRIISo4+rDvHXXaS43 -shfSkyJyur588mNJFzty1WVfhaIkwjMIGHeGlHS29fwgPsBUgelZ3Qv3J7wsm42+ -3BwQet0l36FIBIJtFhcrTGlaCFUo/5bZJUPGgiOFB9ec/8lOszVlX8cH34UimWqg -q2wXRGoXWPbuRnUWlJhI2bAv5ri9Mt7Rs4nK4wyS1ZjC8ByXMn4tk3yMjkUEqu0o -37zoQiF+FJApu0eTKK5goA2hisyfCX9eJMppAbcyvJwoj/AmiBkXW8J3kEMJtLmZ -VoxXYknnXumxBLxUrGuamR/3cmbaJHIHE1Dqox7hB+9miyp4lue1/uXHCocGAIeF -JTo= +BgNVHQ8BAf8EBAMCBeAwDQYJKoZIhvcNAQEFBQADggEBALIkgZjEfQcV7d7zovec +tNVvaPO5hSE8kDVjMCdUZsKgZjMxpY8gJ4CLNIOamkIqN8sSd1zdhdexMdn3iE/O +z5y3rQBQLs8UjLippm3abKksKrpTEkM9x7Z1X8KS7GOrnOgBWLzoE9D4F/2ay7yk +H57qRUXEw1NlnAwKYS6hmEwf497szNKXvgr7MGbahQ/N+WfQbILW6+OSUttuoDrD +t2uBZsGAVQGDzcQGyOuo7k8CE0D62HHZqA+ZPo/xicvyTbkk+lUfY6q6QA8sojaU +2LuU0nBtd+LmY8odaUsQItwbIyfYZrZbXKruevVHfMKb9VuoYj6anA5jEl0pe7wN +Tu0= -----END CERTIFICATE----- diff --git a/tests/data_files/server1.req.cert_type b/tests/data_files/server1.req.cert_type index 5677f32be..3feb1fc9b 100644 --- a/tests/data_files/server1.req.cert_type +++ b/tests/data_files/server1.req.cert_type @@ -7,11 +7,11 @@ HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/ DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAkMCIGCSqGSIb3DQEJDjEV -MBMwEQYJYIZIAYb4QgEBBAQDAgBAMA0GCSqGSIb3DQEBBQUAA4IBAQB95Pkjpg/N -Jbgl5nZcAk8maGMpUFlrhJS4kGutQKZugNX9v8cfABW905IHYXV1dm6zxVcyeqZM -FiOgbV943fu5JbufoazdYXnnR2/iKMigqX4CzZrK3F5ZzegxkfDIfDrn/shC+rWb -SS5WBVLJ3QNj9vwn3/b66IRbp/ViOwHx7+9JT4K/rLId/ynjYf2T57AsmNd/jptc -Zs19fGgtrUXweWkliEZN2zE47Cc53jkx6+Li4TNs4Bjk5P/aXrCP0fBwgGt2K6YW -dQ/nr0PwIbXzVlgUukSTHkJJfhF4Y/WqcUfOPrRdw+zxOLusJ9nzJBR0FOohcBxM -kPBVna0dze/o +MBMwEQYJYIZIAYb4QgEBBAQDAgZAMA0GCSqGSIb3DQEBBQUAA4IBAQBfm+BA0PSA +9EFSFgdVODuBtjVoe+RzjiwrHVjja9/GAMurams5WSeJ0g3n0QJuNPf4m3vpSgQE +qXZrkn2aNYSRPipiPYFUj0NMvji2gmyzmvy6VJyyerZ/saPfuySiVSJbCycA88/V +vSv93qVHQ7QGwXlwg5dkhw4VNn1NK5CtA0DSEsGITKhdLZUZKkEdylwdjFdi+NTf +Qx/LQ+cEECBM31s/88C6+ynd4ni42/YYRRcpj5+4TAyKt+nl9a0osrR1y3MmBeo3 +/9s9QEIpXPHMJnJDVq0q03FZwAkgGTaKI8bRsf125eh1CSBynvC6vC+LJSkPrW9g +HUYYkPMQiQ2C -----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server1.req.cert_type_empty b/tests/data_files/server1.req.cert_type_empty new file mode 100644 index 000000000..d61ef6bcf --- /dev/null +++ b/tests/data_files/server1.req.cert_type_empty @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICpDCCAYwCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow +GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ +ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ +HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF +W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs +FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/ +DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAjMCEGCSqGSIb3DQEJDjEU +MBIwEAYJYIZIAYb4QgEBBAMDAQAwDQYJKoZIhvcNAQEFBQADggEBAFsbkVHizurV +Ub9uDSTEEFm7R/TcCYjqAbP243sEOVfyCwZh49E7hrjq7lp1n/myILHX+keaxKEY +hUq9B0Rpa61H5lTJPG3Iy1mDHcF0et4cPkDEsQw4GgjZ/A0RCNfYD+OZLATsDKMy +AgGCZcYhjoL/8iZaYljfuE+a8Bo3xMePo+jignUhB+hEK2cNmUN2m7HqT22Ba4ag +eJQtY0NUmBoXGJlNaDbzO79mwLl0HHxDmanLVnSzKXqzrH4U0fuoGZFuxY7Dn7AM +vJujuWOxN1FtHOfJIimnVepuEG6wvDXMLgEPJTXSKbW6CMTgaz6fudEZzgVB6OKR +zIbUGFi6kLg= +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server1.req.key_usage b/tests/data_files/server1.req.key_usage index 053aed909..5df41e1d2 100644 --- a/tests/data_files/server1.req.key_usage +++ b/tests/data_files/server1.req.key_usage @@ -7,11 +7,11 @@ HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/ DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAeMBwGCSqGSIb3DQEJDjEP -MA0wCwYDVR0PBAQDAgHgMA0GCSqGSIb3DQEBBQUAA4IBAQCj6jCu0wE5OQ1JGQwZ -FNwPqZrvKntSq2yLIbgmGxwlvDLxOzn0KmidSFiKRqh0KXwj9siodlz5C0d9tUqq -7xUXg+j+wDHqUV8zo42Jke+UmWXFPpnXx/fDFGTITdLSn8ZDxkt31ESLTEVZvPFD -odm+C+zWJtKpyL+9op4KvyBQ1MZ9nWZpwMaK4g4mdtOIsz75gMa74w8ZT7VzhGMY -cZGmafsl7x++GDDtf0oCPgrj9xy+Ovv/GyUBaB+6lweflTfPDTRSoN0meFlP5ynF -vqcBM5JKH2FUQIizfc9o6Z8tKxe9FCov3x8szAuoMRA7bjhVngeQIrEkTcaQBvBY -NalC +MA0wCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBBQUAA4IBAQCn0RjrgOyNn5ZQ9Hfn +zhN5q7EAMBYdKBQayeJQQkmreqTdzG/rCHZtt3bIZ/8SWIPNiIOkvsnsGzdBLp8B +zAAwINhcDIQtIQVObgTLZmvC1syjXfjdH02mYKAccP9OxlnWIVivSPRp9jr9IwYO +cnT6pzGvP/RWoQen+DougM2WwiZ8YJTrtoe8DlzDq+hbTgoGeQuEGhOnxMlkiLzs ++g6yoi/1F3nsUwJI+QhBxG7Xf74gCCHZckCtSs2MBEavhcPu7o9QjuWR0YFRTaCf +5uBL7/gNIVmrWnsQLcH1+DexxzW7lPBN1iFXUXNcweoo0fX3ykkvBYdKKicF7bM1 +zZzQ -----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server1.req.key_usage_empty b/tests/data_files/server1.req.key_usage_empty new file mode 100644 index 000000000..1ac1bc3d4 --- /dev/null +++ b/tests/data_files/server1.req.key_usage_empty @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICnjCCAYYCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow +GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ +ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ +HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF +W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs +FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/ +DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAdMBsGCSqGSIb3DQEJDjEO +MAwwCgYDVR0PBAMDAQAwDQYJKoZIhvcNAQEFBQADggEBAHkw230TfJnAoc+6j/5R +oGfXR92g/k2DTlDaFQywO2j03h97isp47bEq/peOlKhAuMA+aHt5n8J1w6eWsr8B +VpoQ079jDnMtlLVAtgsEAjhwEPZchB9oZzfGztzBC4kVKchMGiSHLVQptIM3DiOT +/5JBlfGkAfap4V4V6qRYiNESBSpEdU/wGctg4ELgQgdpRSlqRud2LgClmMy3+A3o +rHjyAY+1oANNNOV+TBwA58OKqwsniyqmSWkhlj4c0O4n8FdE+o1eKyrsQfH9LBx7 +DBo2ilAkp0O/+G0n9Wisov2i6QuOraxW3g5/YBdfrqoVpJ5+8YZvoSGJFYDYoWvN +CvU= +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server1.req.ku-ct b/tests/data_files/server1.req.ku-ct index 0e057d58a..4a0eab88e 100644 --- a/tests/data_files/server1.req.ku-ct +++ b/tests/data_files/server1.req.ku-ct @@ -7,11 +7,11 @@ HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/ DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAxMC8GCSqGSIb3DQEJDjEi -MCAwCwYDVR0PBAQDAgHgMBEGCWCGSAGG+EIBAQQEAwIAQDANBgkqhkiG9w0BAQUF -AAOCAQEANlNG9hW852OzVKj2Z8TtU9jxstAoSCH9yc9Coj4Vw2TTjs1zcuBWsMl1 -2bf2I6ZvEH6ZhcQY7i7nyHQyPlqE4l6U9D8ct967QN7smuAHNY2HiQ2++eCBTHck -PdtGJAzIvNlXcoqNi8UC5fGepNtI1usNo41SKMvbg6nGA5gdcQKk7CVlk8lrD0qI -Xn/HvjSRoDE4ZGxAtNvPXWorGSxtgcy8EMPoXVUab5fNt8q//x/NQ4yEQKPrexmR -IuOiQ8VW8QZtkORGpZbGSvskU0WfKANui4zCcXYRc4mVR4Wf0C+fyHeihhjslSnT -RbC7nQn5HSHp31qJlr80QodywaK1Dg== +MCAwCwYDVR0PBAQDAgXgMBEGCWCGSAGG+EIBAQQEAwIGQDANBgkqhkiG9w0BAQUF +AAOCAQEAKIF06WMMbkfDi6z3FzG0OVqGVgCIdQjJUK2S8VrVXJ74goM8SD7jp2RC +2d5nszk0do3ruAqaI3YOk5U9HQR0qHMSXEcAeB/qqIYWXrlZKacdzSk6vd88VC01 +uAWBSE2IQ4TWPSiWLCN54VtO8AXuF5wJgjGOh4yixVqKzcQh5b+mJs3e7cgMsC5a +3iPt0EemCT+irT4cXtcJe9/DAvnvvvCZ5UCcvc3shBIA5pBsOOmd1yCYCbxrq3aL +PhFf/vbbf9eORMwWsqOWopnRgBkPpVnTu9G27t/Nyjencjfk8NEaM9q8YnF0x5lD +elCFyt+HGwoCeOBN9odfQmKQpW+eGg== -----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server5.req.ku.sha1 b/tests/data_files/server5.req.ku.sha1 index 7556d1a05..6f3b7aaf4 100644 --- a/tests/data_files/server5.req.ku.sha1 +++ b/tests/data_files/server5.req.ku.sha1 @@ -1,8 +1,8 @@ -----BEGIN CERTIFICATE REQUEST----- -MIIBFjCBvAIBADA8MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxGjAY +MIIBFzCBvAIBADA8MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxGjAY BgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD QgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/6i/SNF1d Fr2KiMJrdw1VzYoqDvoByLTt/6AeMBwGCSqGSIb3DQEJDjEPMA0wCwYDVR0PBAQD -AgHAMAsGByqGSM49BAEFAANIADBFAiBjnnD7nwsFnCL+MpPPFJE3K/Tgj+5rAgXj -e5UejDX2CAIhAKdbigWJL/ZatvG9CFHq7ykrRns2x8JEXehWu8DsXdx9 +AgbAMAsGByqGSM49BAEFAANJADBGAiEAmhkNVnF6mGzzyHxGMMuUM2tYw5/y5tlF +3424Bs7DbG8CIQCJteTtpZ8RJ7PjpxcmVpP4fcYHFTR50zoc9jOV0AYPLQ== -----END CERTIFICATE REQUEST----- diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index 5b54d8588..c19662503 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -1,78 +1,86 @@ Certificate Request check Server1 SHA1 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha1":MBEDTLS_MD_SHA1:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha1":MBEDTLS_MD_SHA1:0:0:0:0 Certificate Request check Server1 SHA224 depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha224":MBEDTLS_MD_SHA224:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha224":MBEDTLS_MD_SHA224:0:0:0:0 Certificate Request check Server1 SHA256 depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha256":MBEDTLS_MD_SHA256:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha256":MBEDTLS_MD_SHA256:0:0:0:0 Certificate Request check Server1 SHA384 depends_on:MBEDTLS_SHA512_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha384":MBEDTLS_MD_SHA384:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha384":MBEDTLS_MD_SHA384:0:0:0:0 Certificate Request check Server1 SHA512 depends_on:MBEDTLS_SHA512_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha512":MBEDTLS_MD_SHA512:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha512":MBEDTLS_MD_SHA512:0:0:0:0 Certificate Request check Server1 MD4 depends_on:MBEDTLS_MD4_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.md4":MBEDTLS_MD_MD4:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.md4":MBEDTLS_MD_MD4:0:0:0:0 Certificate Request check Server1 MD5 depends_on:MBEDTLS_MD5_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.md5":MBEDTLS_MD_MD5:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.md5":MBEDTLS_MD_MD5:0:0:0:0 Certificate Request check Server1 key_usage depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0 + +Certificate Request check Server1 key_usage empty +depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage_empty":MBEDTLS_MD_SHA1:0:1:0:0 Certificate Request check Server1 ns_cert_type depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER +x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1 + +Certificate Request check Server1 ns_cert_type empty +depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type_empty":MBEDTLS_MD_SHA1:0:0:0:1 Certificate Request check Server1 key_usage + ns_cert_type depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER +x509_csr_check:"data_files/server1.key":"data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1 Certificate Request check Server5 ECDSA, key_usage depends_on:MBEDTLS_SHA1_C:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_DP_SECP256R1_ENABLED -x509_csr_check:"data_files/server5.key":"data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:0 +x509_csr_check:"data_files/server5.key":"data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:1:0:0 Certificate write check Server1 SHA1 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:1:-1:"data_files/server1.crt":0 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:1:-1:"data_files/server1.crt":0 Certificate write check Server1 SHA1, key_usage depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:1:-1:"data_files/server1.key_usage.crt":0 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:1:-1:"data_files/server1.key_usage.crt":0 Certificate write check Server1 SHA1, ns_cert_type depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:-1:"data_files/server1.cert_type.crt":0 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":0 Certificate write check Server1 SHA1, version 1 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0 Certificate write check Server1 SHA1, RSA_ALT depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:-1:"data_files/server1.noauthid.crt":1 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:0:-1:"data_files/server1.noauthid.crt":1 Certificate write check Server1 SHA1, RSA_ALT, key_usage depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1 Certificate write check Server1 SHA1, RSA_ALT, ns_cert_type depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:0:-1:"data_files/server1.cert_type_noauthid.crt":1 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0:-1:"data_files/server1.cert_type_noauthid.crt":1 Certificate write check Server1 SHA1, RSA_ALT, version 1 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1 X509 String to Names #1 mbedtls_x509_string_to_names:"C=NL,O=Offspark\, Inc., OU=PolarSSL":"C=NL, O=Offspark, Inc., OU=PolarSSL":0 diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 62f82e8a0..aba23d4c9 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -35,8 +35,9 @@ size_t mbedtls_rsa_key_len_func( void *ctx ) */ /* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C */ -void x509_csr_check( char *key_file, char *cert_req_check_file, - int md_type, int key_usage, int cert_type ) +void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type, + int key_usage, int set_key_usage, int cert_type, + int set_cert_type ) { mbedtls_pk_context key; mbedtls_x509write_csr req; @@ -58,9 +59,9 @@ void x509_csr_check( char *key_file, char *cert_req_check_file, mbedtls_x509write_csr_set_md_alg( &req, md_type ); mbedtls_x509write_csr_set_key( &req, &key ); TEST_ASSERT( mbedtls_x509write_csr_set_subject_name( &req, subject_name ) == 0 ); - if( key_usage != 0 ) + if( set_key_usage != 0 ) TEST_ASSERT( mbedtls_x509write_csr_set_key_usage( &req, key_usage ) == 0 ); - if( cert_type != 0 ) + if( set_cert_type != 0 ) TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 ); ret = mbedtls_x509write_csr_pem( &req, buf, sizeof( buf ), @@ -99,7 +100,8 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, char *subject_name, char *issuer_key_file, char *issuer_pwd, char *issuer_name, char *serial_str, char *not_before, char *not_after, - int md_type, int key_usage, int cert_type, int auth_ident, + int md_type, int key_usage, int set_key_usage, + int cert_type, int set_cert_type, int auth_ident, int ver, char *cert_check_file, int rsa_alt ) { mbedtls_pk_context subject_key, issuer_key, issuer_key_alt; @@ -167,9 +169,9 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, TEST_ASSERT( mbedtls_x509write_crt_set_subject_key_identifier( &crt ) == 0 ); if( auth_ident ) TEST_ASSERT( mbedtls_x509write_crt_set_authority_key_identifier( &crt ) == 0 ); - if( key_usage != 0 ) + if( set_key_usage != 0 ) TEST_ASSERT( mbedtls_x509write_crt_set_key_usage( &crt, key_usage ) == 0 ); - if( cert_type != 0 ) + if( set_cert_type != 0 ) TEST_ASSERT( mbedtls_x509write_crt_set_ns_cert_type( &crt, cert_type ) == 0 ); } From e730ff68ee9fef8705e75a3fc2311d2da5eeeb4e Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Mon, 8 Oct 2018 19:44:55 +0100 Subject: [PATCH 3/4] Improve docs for ASN.1 bitstrings and their usage --- include/mbedtls/asn1write.h | 18 ++++++++++-------- include/mbedtls/x509_csr.h | 8 ++++++++ 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/include/mbedtls/asn1write.h b/include/mbedtls/asn1write.h index d62853ebf..083601af3 100644 --- a/include/mbedtls/asn1write.h +++ b/include/mbedtls/asn1write.h @@ -189,16 +189,18 @@ int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char *start, const char *text, size_t text_len ); /** - * \brief Write a bitstring tag (MBEDTLS_ASN1_BIT_STRING) and - * value in ASN.1 format - * Note: function works backwards in data buffer + * \brief Write a bitstring tag (#MBEDTLS_ASN1_BIT_STRING) and + * value in ASN.1 format. * - * \param p reference to current position pointer - * \param start start of the buffer (for bounds-checking) - * \param buf the bitstring - * \param bits the total number of bits in the bitstring + * \note This function works backwards in data buffer. * - * \return the length written or a negative error code + * \param p The reference to the current position pointer. + * \param start The start of the buffer, for bounds-checking. + * \param buf The bitstring to write. + * \param bits The total number of bits in the bitstring. + * + * \return The number of bytes written to \p p on success. + * \return A negative error code on failure. */ int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start, const unsigned char *buf, size_t bits ); diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h index 0c6ccad78..a3c28048e 100644 --- a/include/mbedtls/x509_csr.h +++ b/include/mbedtls/x509_csr.h @@ -205,6 +205,14 @@ void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_ty * \param key_usage key usage flags to set * * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + * + * \note The decipherOnly flag from the Key Usage + * extension is represented by bit 8 (i.e. + * 0x8000), which cannot typically be represented + * in an unsigned char. Therefore, the flag + * decipherOnly (i.e. + * #MBEDTLS_X509_KU_DECIPHER_ONLY) cannot be set using this + * function. */ int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage ); From fc547ffb921f88a4d4325058b65207960b289830 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 26 Sep 2018 10:59:20 +0100 Subject: [PATCH 4/4] Add ChangeLog entry for unused bits in bitstrings --- ChangeLog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ChangeLog b/ChangeLog index 07cc87692..05ae29e1f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,12 @@ Bugfix * Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326. * Reduce stack usage of `mpi_write_hlp()` by eliminating recursion. Fixes #2190. + * Ensure that unused bits are zero when writing ASN.1 bitstrings when using + mbedtls_asn1_write_bitstring(). + * Fix issue when writing the named bitstrings in KeyUsage and NsCertType + extensions in CSRs and CRTs that caused these bitstrings to not be encoded + correctly as trailing zeroes were not accounted for as unused bits in the + leading content octet. Fixes #1610. Changes * Include configuration file in all header files that use configuration,