From 6e95914f0e53184a48bc517d347e01b7071630cf Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 26 Sep 2018 10:48:24 +0100 Subject: [PATCH 1/7] Add new function mbedtls_asn1_write_named_bitstring() Add a new function mbedtls_asn1_write_named_bitstring() that removes trailing 0s at the end of DER encoded bitstrings. The function is implemented according to Hanno Becker's suggestions. This commit also changes the functions x509write_crt_set_ns_cert_type and crt_set_key_usage to call the new function as the use named bitstrings instead of the regular bitstrings. --- include/mbedtls/asn1write.h | 20 +++++++++++ library/asn1write.c | 71 +++++++++++++++++++++++++++++++------ library/x509write_crt.c | 32 ++++++++++++----- library/x509write_csr.c | 10 +++--- 4 files changed, 109 insertions(+), 24 deletions(-) diff --git a/include/mbedtls/asn1write.h b/include/mbedtls/asn1write.h index 360540a00..04a8767c8 100644 --- a/include/mbedtls/asn1write.h +++ b/include/mbedtls/asn1write.h @@ -282,6 +282,26 @@ int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char *start, int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start, const unsigned char *buf, size_t bits ); +/** + * \brief Write a named bitstring tag (MBEDTLS_ASN1_BIT_STRING) and + * value in ASN.1 format + * Note: function works backwards in data buffer + * + * As stated in RFC5280 Appending B, trailing zeroes are + * omitted when encoding named bitstrings in DER. + * + * \param p Reference to current position pointer. + * \param start Start of the buffer (for bounds-checking). + * \param buf The bitstring. + * \param bits The total number of bits in the bitstring. + * + * \return The length written or a negative error code. + */ +int mbedtls_asn1_write_named_bitstring( unsigned char **p, + unsigned char *start, + const unsigned char *buf, + size_t bits ); + /** * \brief Write an octet string tag (#MBEDTLS_ASN1_OCTET_STRING) * and value in ASN.1 format. diff --git a/library/asn1write.c b/library/asn1write.c index a4d23f619..b54e26bd8 100644 --- a/library/asn1write.c +++ b/library/asn1write.c @@ -290,26 +290,75 @@ int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char *start, return( mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_IA5_STRING, text, text_len) ); } +int mbedtls_asn1_write_named_bitstring( unsigned char **p, + unsigned char *start, + const unsigned char *buf, + size_t bits ) +{ + size_t unused_bits, byte_len; + const unsigned char *cur_byte; + unsigned char cur_byte_shifted; + unsigned char bit; + + byte_len = ( bits + 7 ) / 8; + unused_bits = ( byte_len * 8 ) - bits; + + /* + * Named bitstrings require that trailing 0s are excluded in the encoding + * of the bitstring. Trailing 0s are considered part of the 'unused' bits + * when encoding this value in the first content octet + */ + if( bits != 0 ) + { + cur_byte = buf + byte_len - 1; + cur_byte_shifted = *cur_byte >> unused_bits; + + for( ; ; ) + { + bit = cur_byte_shifted & 0x1; + cur_byte_shifted >>= 1; + + if( bit != 0 ) + break; + + bits--; + if( bits == 0 ) + break; + + if( bits % 8 == 0 ) + cur_byte_shifted = *--cur_byte; + } + } + + return( mbedtls_asn1_write_bitstring( p, start, buf, bits ) ); +} + int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start, const unsigned char *buf, size_t bits ) { int ret; - size_t len = 0, size; + size_t len = 0; + size_t unused_bits, byte_len; - size = ( bits / 8 ) + ( ( bits % 8 ) ? 1 : 0 ); + byte_len = ( bits + 7 ) / 8; + unused_bits = ( byte_len * 8 ) - bits; - // Calculate byte length - // - if( *p < start || (size_t)( *p - start ) < size + 1 ) + if( *p < start || (size_t)( *p - start ) < byte_len + 1 ) return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); - len = size + 1; - (*p) -= size; - memcpy( *p, buf, size ); + len = byte_len + 1; - // Write unused bits - // - *--(*p) = (unsigned char) (size * 8 - bits); + /* Write the bitstring. Ensure the unused bits are zeroed */ + if( byte_len > 0 ) + { + byte_len--; + *--( *p ) = buf[byte_len] & ~( ( 0x1 << unused_bits ) - 1 ); + ( *p ) -= byte_len; + memcpy( *p, buf, byte_len ); + } + + /* Write unused bits */ + *--( *p ) = (unsigned char)unused_bits; MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_BIT_STRING ) ); diff --git a/library/x509write_crt.c b/library/x509write_crt.c index b1ef216c9..b6cb745a3 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -221,23 +221,36 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, unsigned int key_usage ) { - unsigned char buf[4], ku; + unsigned char buf[5], ku[2]; unsigned char *c; int ret; + const unsigned int allowed_bits = MBEDTLS_X509_KU_DIGITAL_SIGNATURE | + MBEDTLS_X509_KU_NON_REPUDIATION | + MBEDTLS_X509_KU_KEY_ENCIPHERMENT | + MBEDTLS_X509_KU_DATA_ENCIPHERMENT | + MBEDTLS_X509_KU_KEY_AGREEMENT | + MBEDTLS_X509_KU_KEY_CERT_SIGN | + MBEDTLS_X509_KU_CRL_SIGN | + MBEDTLS_X509_KU_ENCIPHER_ONLY | + MBEDTLS_X509_KU_DECIPHER_ONLY; - /* We currently only support 7 bits, from 0x80 to 0x02 */ - if( ( key_usage & ~0xfe ) != 0 ) + /* Check that nothing other than the allowed flags is set */ + if( ( key_usage & ~allowed_bits ) != 0 ) return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE ); - c = buf + 4; - ku = (unsigned char) key_usage; + c = buf + 5; + ku[0] = (unsigned char)( key_usage ); + ku[1] = (unsigned char)( key_usage >> 8 ); + ret = mbedtls_asn1_write_named_bitstring( &c, buf, ku, 9 ); - if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ku, 7 ) ) != 4 ) + if( ret < 0 ) return( ret ); + else if( ret < 3 || ret > 5 ) + return( MBEDTLS_ERR_X509_INVALID_FORMAT ); ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_KEY_USAGE, MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ), - 1, buf, 4 ); + 1, c, (size_t)ret ); if( ret != 0 ) return( ret ); @@ -253,12 +266,13 @@ int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx, c = buf + 4; - if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ns_cert_type, 8 ) ) != 4 ) + ret = mbedtls_asn1_write_named_bitstring( &c, buf, &ns_cert_type, 8 ); + if( ret < 3 || ret > 4 ) return( ret ); ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE, MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ), - 0, buf, 4 ); + 0, c, (size_t)ret ); if( ret != 0 ) return( ret ); diff --git a/library/x509write_csr.c b/library/x509write_csr.c index 777a6325f..8dc39e7a5 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -94,12 +94,13 @@ int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned ch c = buf + 4; - if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &key_usage, 7 ) ) != 4 ) + ret = mbedtls_asn1_write_named_bitstring( &c, buf, &key_usage, 8 ); + if( ret < 3 || ret > 4 ) return( ret ); ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_KEY_USAGE, MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ), - buf, 4 ); + c, (size_t)ret ); if( ret != 0 ) return( ret ); @@ -115,12 +116,13 @@ int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr *ctx, c = buf + 4; - if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ns_cert_type, 8 ) ) != 4 ) + ret = mbedtls_asn1_write_named_bitstring( &c, buf, &ns_cert_type, 8 ); + if( ret < 3 || ret > 4 ) return( ret ); ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE, MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ), - buf, 4 ); + c, (size_t)ret ); if( ret != 0 ) return( ret ); From 7067f812f875ab7210316dc4bd1d7e28ecd2eacc Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 26 Sep 2018 10:51:16 +0100 Subject: [PATCH 2/7] Add tests for (named) bitstring to suite_asn1write --- programs/x509/cert_req.c | 32 ++++++++- tests/data_files/Makefile | 8 +++ tests/data_files/server1.cert_type.crt | 12 ++-- .../data_files/server1.cert_type_noauthid.crt | 14 ++-- tests/data_files/server1.key_usage.crt | 14 ++-- .../data_files/server1.key_usage_noauthid.crt | 14 ++-- tests/data_files/server1.req.cert_type | 14 ++-- tests/data_files/server1.req.cert_type_empty | 17 +++++ tests/data_files/server1.req.key_usage | 14 ++-- tests/data_files/server1.req.key_usage_empty | 17 +++++ tests/data_files/server1.req.ku-ct | 14 ++-- tests/data_files/server5.req.ku.sha1 | 6 +- tests/suites/test_suite_asn1write.data | 72 +++++++++++++++++++ tests/suites/test_suite_asn1write.function | 44 ++++++++++++ tests/suites/test_suite_x509write.data | 46 +++++++----- tests/suites/test_suite_x509write.function | 14 ++-- 16 files changed, 274 insertions(+), 78 deletions(-) create mode 100644 tests/data_files/server1.req.cert_type_empty create mode 100644 tests/data_files/server1.req.key_usage_empty diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c index 027050c07..d25ad4c56 100644 --- a/programs/x509/cert_req.c +++ b/programs/x509/cert_req.c @@ -65,7 +65,9 @@ int main( void ) #define DFL_OUTPUT_FILENAME "cert.req" #define DFL_SUBJECT_NAME "CN=Cert,O=mbed TLS,C=UK" #define DFL_KEY_USAGE 0 +#define DFL_FORCE_KEY_USAGE 0 #define DFL_NS_CERT_TYPE 0 +#define DFL_FORCE_NS_CERT_TYPE 0 #define DFL_MD_ALG MBEDTLS_MD_SHA256 #define USAGE \ @@ -85,6 +87,8 @@ int main( void ) " key_agreement\n" \ " key_cert_sign\n" \ " crl_sign\n" \ + " force_key_usage=0/1 default: off\n" \ + " Add KeyUsage even if it is empty\n" \ " ns_cert_type=%%s default: (empty)\n" \ " Comma-separated-list of values:\n" \ " ssl_client\n" \ @@ -94,6 +98,8 @@ int main( void ) " ssl_ca\n" \ " email_ca\n" \ " object_signing_ca\n" \ + " force_ns_cert_type=0/1 default: off\n" \ + " Add NsCertType even if it is empty\n" \ " md=%%s default: SHA256\n" \ " possible values:\n" \ " MD4, MD5, SHA1\n" \ @@ -123,7 +129,9 @@ struct options const char *output_file; /* where to store the constructed key file */ const char *subject_name; /* subject name for certificate request */ unsigned char key_usage; /* key usage flags */ + int force_key_usage; /* Force adding the KeyUsage extension */ unsigned char ns_cert_type; /* NS cert type */ + int force_ns_cert_type; /* Force adding NsCertType extension */ mbedtls_md_type_t md_alg; /* Hash algorithm used for signature. */ } opt; @@ -190,7 +198,9 @@ int main( int argc, char *argv[] ) opt.output_file = DFL_OUTPUT_FILENAME; opt.subject_name = DFL_SUBJECT_NAME; opt.key_usage = DFL_KEY_USAGE; + opt.force_key_usage = DFL_FORCE_KEY_USAGE; opt.ns_cert_type = DFL_NS_CERT_TYPE; + opt.force_ns_cert_type = DFL_FORCE_NS_CERT_TYPE; opt.md_alg = DFL_MD_ALG; for( i = 1; i < argc; i++ ) @@ -292,6 +302,15 @@ int main( int argc, char *argv[] ) q = r; } } + else if( strcmp( p, "force_key_usage" ) == 0 ) + { + switch( atoi( q ) ) + { + case 0: opt.force_key_usage = 0; break; + case 1: opt.force_key_usage = 1; break; + default: goto usage; + } + } else if( strcmp( p, "ns_cert_type" ) == 0 ) { while( q != NULL ) @@ -319,16 +338,25 @@ int main( int argc, char *argv[] ) q = r; } } + else if( strcmp( p, "force_ns_cert_type" ) == 0 ) + { + switch( atoi( q ) ) + { + case 0: opt.force_ns_cert_type = 0; break; + case 1: opt.force_ns_cert_type = 1; break; + default: goto usage; + } + } else goto usage; } mbedtls_x509write_csr_set_md_alg( &req, opt.md_alg ); - if( opt.key_usage ) + if( opt.key_usage || opt.force_key_usage == 1 ) mbedtls_x509write_csr_set_key_usage( &req, opt.key_usage ); - if( opt.ns_cert_type ) + if( opt.ns_cert_type || opt.force_ns_cert_type == 1 ) mbedtls_x509write_csr_set_ns_cert_type( &req, opt.ns_cert_type ); /* diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index ff8947686..aa9fc36b4 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -785,6 +785,14 @@ server1.req.ku-ct: server1.key $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< key_usage=digital_signature,non_repudiation,key_encipherment ns_cert_type=ssl_server subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1 all_final += server1.req.ku-ct +server1.req.key_usage_empty: server1.key + $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1 force_key_usage=1 +all_final += server1.req.key_usage_empty + +server1.req.cert_type_empty: server1.key + $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1 force_ns_cert_type=1 +all_final += server1.req.cert_type_empty + # server2* server2.req.sha256: server2.key diff --git a/tests/data_files/server1.cert_type.crt b/tests/data_files/server1.cert_type.crt index cf384cbaf..fb59ab8bd 100644 --- a/tests/data_files/server1.cert_type.crt +++ b/tests/data_files/server1.cert_type.crt @@ -11,10 +11,10 @@ lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB o2AwXjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zARBglghkgBhvhCAQEEBAMC -AEAwDQYJKoZIhvcNAQEFBQADggEBAEQOk5Ejgu/GsxvMo+RknXcta5Qr6MiNo1EM -G5Xrf++aaf4Mi38p5ZxWDxQDyBmutSnuJgzO+Dxe5w/RNojFa4ri4g5Zk8zwfIcQ -8jR6a9DJtxarxDj/UqEzaiBa5MpxsbQqbmou7X7YW9LHDzmCgzbaabyWCuGYxvmh -lDbcISST73G+vJEeExcBHyom/GV9TNcFAGa66YV/FtABg2tiy9znmUeMnZeYkC9S -05m6UstAU6pMdwiTpjZjovsTlAcmC76XmE/GpREhRvtGCKTb2pUi3agqsrapABmF -EGZT9cpwkrl3cxh+jxAMEuhJLdEScDWHVsiNS5y9yxitWC4NqR4= +BkAwDQYJKoZIhvcNAQEFBQADggEBAK1WXZYd6k7/zE2NcszT6rxNaSixPZrDYzRt +Iz5rpH33IHkCdR956/ExCcDMqGNVtKtBdr8kw3+jzyPQhwyHVPNv4C/cgt0C89Pf +qZLQGuEPVp1X4tzEY2Kno9c1tllLVzJdvz1mRhSb9z5CWQKNMT+8MMl3k+0NZ4LT +NEx4gTZxYEsAGEuO/Yij9ctxp4RdSP585FXgiMC00ieMe/aJxlOIgpIhuWdu0KPP +G5guYd4hQ9ZrGVOGdjv2cZbh4DuQOsCwU9in/e1RKFV6eMmyOdvLJ4jkTauwkGJG +lCclZZQwzGawOiMl2OYPUia5bkaEsdE/0QW/lf36lco8CNjpUfY= -----END CERTIFICATE----- diff --git a/tests/data_files/server1.cert_type_noauthid.crt b/tests/data_files/server1.cert_type_noauthid.crt index 7545e0b46..0082b148c 100644 --- a/tests/data_files/server1.cert_type_noauthid.crt +++ b/tests/data_files/server1.cert_type_noauthid.crt @@ -10,11 +10,11 @@ CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB oz8wPTAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAR -BglghkgBhvhCAQEEBAMCAEAwDQYJKoZIhvcNAQEFBQADggEBAJc3yZUS9X3/lb63 -Nlt8rtXC45wbWZUoOK8N55IzEJC7FrttAStq24kq9QV0qiox8m1WLA+6xVaeZaXu -h2z3WlUlyCNaKqHEpuSYu/XQ0td6j3jCMj3VDSZGHnKgliQ9fkkt+waPVCAZldwj -rHsZibl2Dqzb3KttKqD1VyEVOUJ+saXRDJLFdK1M9nwdWMfOg/XE0WbqfVzw9COs -08dJ6KL7SOvXtiOVQLNv7XN/2j+wF6+IoLDdLCDByj5VtK2q2vyVk5tpDJI1S696 -dP8Zi7VbBTS9OlVC+Gw3CntDKZA8e215MNG6iBuEM2mgi4i0umo7mN8FoA1zusnE -8mCO55Q= +BglghkgBhvhCAQEEBAMCBkAwDQYJKoZIhvcNAQEFBQADggEBAGl6bYCGKvDCvfSU +PTyaiFPNGXV98AnIG0Hu4EJjs1owBU/Yf8UdFbWJtOymR80SbzmeQ6rEIoY1oXDA +o9Y8yRgW8t25Wmq/0DCu/5P0/L6asstLTxLG4qajClVwqDLEqZNixmq8QorAOtK1 +JngFA+A5jzc70Ikl9+Hbx/2SEMrCpo0QLSco7KDK7XpNOHbkRz2AqSm0se4jDMP1 +Cwd2UtcpctIZEbECZo6S9WrVMqIhRF1Y5FeauBA2ORvGIHohaYJ9VzYWYXIp7N8d +QXGv+M7ffpZiERcRr8lxtboPnTXKlv1mLCEX7g+KuiJQUm4OGfTCd5VHzWM7O5Id +b+IvZD0= -----END CERTIFICATE----- diff --git a/tests/data_files/server1.key_usage.crt b/tests/data_files/server1.key_usage.crt index 3a678ff31..b5a2532c2 100644 --- a/tests/data_files/server1.key_usage.crt +++ b/tests/data_files/server1.key_usage.crt @@ -10,11 +10,11 @@ CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB o10wWzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf -BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zAOBgNVHQ8BAf8EBAMCAeAw -DQYJKoZIhvcNAQEFBQADggEBAE4sz3ghfpolZ0rH6Q3CWIYQ1Q+aGBwQiCCBsApP -8qZd880Kt+BiEdSsaU16S8CIMdOcHGQGB7dXK9wdTWkIqaW9I7fRPgDNDIhJoYDD -67h1P+cEQeXT9900H173nYlM1vL9zLcnmmqEO7j8jXSpsR5mcCMPkR52RqxweLJw -LGPeSlA+DF0WbezJc28FUgXAl8Kxm3Od40exMeicHtfgCnIykH1NEW3gXpc91nFT -RoNRdEAIGHMX5Dd5QDlt2vlaKNXFtcx2xUXXIi71YNQybH3p6KXayPMFQzrBwoXJ -YHevmjUaw7UH31fULa1dtd/dWmp8cCaKB4vBr0DBJPiMJMw= +BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zAOBgNVHQ8BAf8EBAMCBeAw +DQYJKoZIhvcNAQEFBQADggEBAE6xegEHvwuQ8I4YCLX7oXmDJiDb7m2nMin+um0v +TMqHAE3B9GvdWGUgMIEMf76ee7OMDzxfzM2vyNGemB0rn1djEv+knJBSdMQKD9X8 +tkT8cPqMHlRMYYbFFkkZEOeqeihZXQdUORao9ZSXrokYwv+Fr+PAmiUJEmkZHbA1 +Gqp6tPfGxJ2ah50Og9oAPwyND6kvE2o++Dth2evjljPCPM2Gw5kjQGw3V9CAUyUo +KtLrtZdOeRHRCWCf3UQ/tYkG70tY/+grftrHqKB2E4qkmDiCPS9sEpa7jOGT6e4k +jGVeZFNZZ10mD2Svr3xl/60++c7yLxrquujo8NOTCVcshfs= -----END CERTIFICATE----- diff --git a/tests/data_files/server1.key_usage_noauthid.crt b/tests/data_files/server1.key_usage_noauthid.crt index 4a72ac1bc..c82a97972 100644 --- a/tests/data_files/server1.key_usage_noauthid.crt +++ b/tests/data_files/server1.key_usage_noauthid.crt @@ -10,11 +10,11 @@ CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB ozwwOjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAO -BgNVHQ8BAf8EBAMCAeAwDQYJKoZIhvcNAQEFBQADggEBALqfFzzWOViKBXoFhtcc -Ulzg1ShK20z3zeD6TL5Ss2+kMIGhvvvUMtcATIFa9LxZ//a0as1CACphxmrsqaju -LDvnXjWLB+e7pJPQ+4XixKmA3QoQI6sduH03/4eRp/Er/+zXD7+uapz+GimiExJt -mjW1Oz5n2Q7L9vQabqz0n9+8rM/chsfgipQSKmV0rXe/K1N4yuggh62r8kn9UaUR -TKm6HaMIFBrZNwMy8TAc3gSq5rqbN8/ONiCBpW/LvwTnd7fFSl7yeetAbj08gpu2 -dkfYp/DK9Hs1KQFCi0u1pr9JIqFxNy6tUTO90ydq6QXj4E5yZhmitLPk5wPCozN+ -rIc= +BgNVHQ8BAf8EBAMCBeAwDQYJKoZIhvcNAQEFBQADggEBAKuveVlnjgJIkiH6HqZk ++oGpLPxpcoMEMskzyFxTfjP4L2Mj798qydBbobyVJdH5p/sIpcHsI0xajM/dcZKS +7b28KVwxOk+87DtwCikFT+jzWPe8fzowqsNAaKtvtDQnLYh8u2tDT1vhABwgTVAy +aHCzs+nm3o36NPSN9K+wmI+r1KFnhjtyOQ++7M8wRRT5jrC+1tYicjsnVMu07yB5 +04C99Fa3MToilg66Jos95U3gBF5GbSfDXYtd3/etNMkUiG8FEZJlkhKbTO+4E03a +X6+z2VojrAroYyO/F5ZlaC3/CsMQ8Zcate64nH/Lu/U78XAo8iKz5DLLOPBqodER +z4A= -----END CERTIFICATE----- diff --git a/tests/data_files/server1.req.cert_type b/tests/data_files/server1.req.cert_type index b9b9f067c..39ff3fdba 100644 --- a/tests/data_files/server1.req.cert_type +++ b/tests/data_files/server1.req.cert_type @@ -7,11 +7,11 @@ HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/ DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAkMCIGCSqGSIb3DQEJDjEV -MBMwEQYJYIZIAYb4QgEBBAQDAgBAMA0GCSqGSIb3DQEBBQUAA4IBAQCMX3H6BiGP -VRvLu8UHIhsj9WgrGDRogOMVHOrQm+0fnGyxZa2UwftSZf2qLBZ+DmJStHabXibw -QuWA9BMVFDih5yGMhdzQC8iQQCjfYOS0sfhy7p76q89rVO0E9KAtvFH2ApbaDAck -m1WdQvYey2rYnT1ucHGdn017Iu1CaY8qnmh7Fhuov++69eGGG4MjRVT/7Ywufjo5 -Fn+JsMhj4IonP/jwKIUBskK15MkTQhKpyl5rQK/8v+7bWlsuqhiNPSYg6rgIrjmN -QxxzqP5NLPdlS4ksN6zcuwdq21l+li8zakjbeUvyqZb7E6vTHJaNBOp7Y7jv25gG -5/PjwquYbKFr +MBMwEQYJYIZIAYb4QgEBBAQDAgZAMA0GCSqGSIb3DQEBBQUAA4IBAQBErZcEaEEO +hLbRVuB3+N5by0mogdJsatJFSgW2/VztLvQBYu0O+VmTbZwCAWejA8U+cr6uPlyf +b4lDqj3W+XykeK9bSzoSr1yNO2VAcE74Y0ZrSz2yXMfT5R9IyKqQZspaKD8MOmYH +BqUH9o/phnGcaEG5xeSfhM1O/YNZuGnlLDQBGwT5puHOaLfjECvs8eZLopIWEBlD +QkRlhYqZBwhGZ8D/TxqG4teFtnBX5FG7UoSSVuneBrkREQM7ElhtD9jCWjfMnqm1 +59G84OycClwaKU7/Dm6zeMGDyFoMksBud7lyDHMhxvwSbzb1JR5v8iBsmVY2dhHt +Ot3Fx2be0gIr -----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server1.req.cert_type_empty b/tests/data_files/server1.req.cert_type_empty new file mode 100644 index 000000000..70fd11133 --- /dev/null +++ b/tests/data_files/server1.req.cert_type_empty @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICpDCCAYwCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow +GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ +ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ +HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF +W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs +FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/ +DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAjMCEGCSqGSIb3DQEJDjEU +MBIwEAYJYIZIAYb4QgEBBAMDAQAwDQYJKoZIhvcNAQEFBQADggEBACU0LLDBIMgG +B7gyNANHv42RovhQdzmUulqJPHNHx3v9G17F00bEykJb/r3awW6l5fhY/6oPydsY +hnWEM6VVCUkJ6Zqm2/wE49uaNTbFd9JU4OywRBfjHHSTOGnYFg+BYSfwaIkSCkx2 +kVhyklFm7My5wkyDPpFSU2tTfgsgaQMyTm93a2kxM7qJ/X3gFDG8o7R0vyojFVSI +mwsF9QsC6N9cygdFx23zCB0KsJ9KfmBqaTsdbKh8BsocYm5FJCw4WS/CBrCWBj+z +N7yEJj4SR5F+P7sFc5I0HANov5wQe8E3+WxxQt8jcqIje6DlaaGja44cXOzvFQyx +Hg/6H5EtBQc= +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server1.req.key_usage b/tests/data_files/server1.req.key_usage index 4c20eeded..30e481243 100644 --- a/tests/data_files/server1.req.key_usage +++ b/tests/data_files/server1.req.key_usage @@ -7,11 +7,11 @@ HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/ DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAeMBwGCSqGSIb3DQEJDjEP -MA0wCwYDVR0PBAQDAgHgMA0GCSqGSIb3DQEBBQUAA4IBAQAIDkjGHokLINOSKAij -DuBWyW72udNBwSmRAFYDyNoybWX+KJLFckyReF1S0YRHXWOljwxERF6htUEqIJDI -vIzlXyV0YqHNmWEFpyRxyIllQ7X4NWnVm3zHYORx2utdy3EyNsNb4Rb/JNh6Qpqr -27DB+frWaBYk27RPTdZz/ItZIicX8iHrAHL0aC6raQYvZfM1ybYehAh7Qx3asHKI -XDcrbV50Kzrd0SgC4P6Z6/5C5uUL9AfcKnB2oj5VP2TM0BA6q+XRQFkJ3TO1UTLB -lCKb9B1cIpVsT0YsOg/qptUh90zgd0x7FDa084ccwUJG73VXtHC6eioE4fbfrm5L -9BNK +MA0wCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBBQUAA4IBAQBsJ3v1Ar2X28GJsRSJ +WRQwFQwIbR/D0cHrwTf0ZfZttClytuc18JZlwkH3EG/rNkWaFp6MKIZoRMOBuSPc +MNvvKIo4nPaeouDPruymx0gNenlyRL3D4OZpBO/BmQIQjbUKWFbzEnEqvwvMDUnG +8w7UjPSFcxj2HzENr62HLPKKnVpL3nDXWK1a2A77KF9aMxyoWQ6FXb2xPD9cJjdo +c1jwskQbgosQzKKwwp5yxq0zRD3EAGw4A78mgHMfgFprq9e9azaB0JeyFG2Vn0t0 +L+vfiDEVQ3eJXSCen1kEVyHRju8g53UcSgd+JicWFboFj2/mJBuyW6yM++RGA9B5 +Zd62 -----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server1.req.key_usage_empty b/tests/data_files/server1.req.key_usage_empty new file mode 100644 index 000000000..47e56bf1e --- /dev/null +++ b/tests/data_files/server1.req.key_usage_empty @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICnjCCAYYCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow +GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ +ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ +HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF +W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs +FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/ +DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAdMBsGCSqGSIb3DQEJDjEO +MAwwCgYDVR0PBAMDAQAwDQYJKoZIhvcNAQEFBQADggEBAAqQ/EU/3oMt7YW4vWgm +0Q7F4v7DrFEoVMWfBzNWhMNIijzoaWKY8jwseZMzu8aCNQlJnM7c9FJF+OCgS7L5 +0ctwzjfCOi5I5cKgqv8WpuMZWHXNtB7YtjUWIZVri/RazCncZEwJGCKQjmQYrGJm +Qmu2+D+DWY+nEW47ZfDH9jOJtatnREjSNsKzc44L9zUaEy3bi+m455XGH+ABmeb7 +Iqmguh10xUyY6rEOFEuqvFyFr5g1eb53Rr5CQxGfw1j+2bbSh+rVb6Ehf9LAijyu +Ygqa91hGab/CjykS6HMrD91ouWtt2Rt3zCKo4Xxe8dlAszKB4W83M9OgDVVpiCfC +t3A= +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server1.req.ku-ct b/tests/data_files/server1.req.ku-ct index 98666d272..ebd01f5cc 100644 --- a/tests/data_files/server1.req.ku-ct +++ b/tests/data_files/server1.req.ku-ct @@ -7,11 +7,11 @@ HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/ DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAxMC8GCSqGSIb3DQEJDjEi -MCAwCwYDVR0PBAQDAgHgMBEGCWCGSAGG+EIBAQQEAwIAQDANBgkqhkiG9w0BAQUF -AAOCAQEAhDH3BQWViy67+9sdlrTvv0cIJ1IbogaM221MUasNIbfLi+KKfw50mzTa -V/BCXPT+EzmOptBl+F2iZVQyr2c0nWbBZBHnykS3f0fgifm6yWVEYwJqxUC5+uxK -bZztsHocTuqODpqYILycYkFXCcY8ZFHmz9XZorpUVTpZULW33EmLee5/BYI7whkA -bVoSNB5tAb8kGZQffDnGkHiRfu8dbbEnkPYqm/cerN+4yCh1v1CGFh2lMn4d5p0L -o9GvMsPM8pxdffZWZI9T0JnlHwtAJDA5G/MFYJdHzLzcHpvDA99MdNO4DMAiUyWb -PCDL5e7mJ0lnBp8RppLBR7GEkznIQQ== +MCAwCwYDVR0PBAQDAgXgMBEGCWCGSAGG+EIBAQQEAwIGQDANBgkqhkiG9w0BAQUF +AAOCAQEAWUMyIXHi4BbIxOeCD/Vtu9LGV8ENMV7dwYVEQcwrt1AHahtYgUtkoGcP +lOPqg1lbg22bu8dLPoY4HAzxCOAGs27otWL5LlE9M5QPH1RedEycmOuYrMl6K988 +hfDBJ+OkgCShcM91+udrc0gpDEI7N01A+fmukQ6EiaQjIf7HME/EKQqhEuEQMXHC +GBvdNuEF5BfV3aAYuT+xfdXDU2ZWwXXWAHGmVh3ntnhtEG6SnXSnBATU2wa4tpBd +KLbEbcsiy2uj0OLJlvG6LqsNggtkD58GCGpLpaVxdW80yw+f/krwLpeyocE1KGcT +7eX+9yhLe9NIZojvevw+53dNE7BUfw== -----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server5.req.ku.sha1 b/tests/data_files/server5.req.ku.sha1 index 39fc346b4..3281c9460 100644 --- a/tests/data_files/server5.req.ku.sha1 +++ b/tests/data_files/server5.req.ku.sha1 @@ -1,8 +1,8 @@ -----BEGIN CERTIFICATE REQUEST----- -MIIBFzCBvAIBADA8MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGjAY +MIIBFjCBvAIBADA8MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGjAY BgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD QgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/6i/SNF1d Fr2KiMJrdw1VzYoqDvoByLTt/6AeMBwGCSqGSIb3DQEJDjEPMA0wCwYDVR0PBAQD -AgHAMAsGByqGSM49BAEFAANJADBGAiEA5MGFTJkpOtCV7bAx+N+t4gP3JDM9RH3W -mIXzSpcBwvACIQDf7f9ytclwouV1DQTFSUKxExIm48H60hk3lh19i3bGOw== +AgbAMAsGByqGSM49BAEFAANIADBFAiEAnIKF+xKk0iEuN4MHd4FZWNvrznLQgkeg +2n8ejjreTzcCIAH34z2TycuMpWQRhpV+YT988pBWR67LAg7REyZnjSAB -----END CERTIFICATE REQUEST----- diff --git a/tests/suites/test_suite_asn1write.data b/tests/suites/test_suite_asn1write.data index c2a78b1af..9982d03a7 100644 --- a/tests/suites/test_suite_asn1write.data +++ b/tests/suites/test_suite_asn1write.data @@ -90,3 +90,75 @@ mbedtls_asn1_write_len:16909060:"8401020304":5:5 ASN.1 Write / Read Length #12 (Len = 16909060, buffer too small) mbedtls_asn1_write_len:16909060:"8401020304":4:MBEDTLS_ERR_ASN1_BUF_TOO_SMALL + +ASN.1 Write Named Bitstring / Unused bits #0 +test_asn1_write_bitstrings:"FF":8:"030200FF":4:1 + +ASN.1 Write Named Bitstring / Unused bits #1 +test_asn1_write_bitstrings:"FE":8:"030201FE":4:1 + +ASN.1 Write Named Bitstring / Unused bits #2 +test_asn1_write_bitstrings:"FC":7:"030202FC":4:1 + +ASN.1 Write Named Bitstring / Unused bits #3 +test_asn1_write_bitstrings:"F8":8:"030203F8":4:1 + +ASN.1 Write Named Bitstring / Unused bits #4 +test_asn1_write_bitstrings:"F0":6:"030204F0":4:1 + +ASN.1 Write Named Bitstring / Unused bits #5 +test_asn1_write_bitstrings:"E0":6:"030205E0":4:1 + +ASN.1 Write Named Bitstring / Unused bits #6 +test_asn1_write_bitstrings:"C0":8:"030206C0":4:1 + +ASN.1 Write Named Bitstring / Unused bits #7 +test_asn1_write_bitstrings:"80":8:"03020780":4:1 + +ASN.1 Write Named Bitstring / Empty bitstring +test_asn1_write_bitstrings:"00":7:"030100":3:1 + +ASN.1 Write Named Bitstring / Empty bitstring (bits = 16) +test_asn1_write_bitstrings:"0000":16:"030100":3:1 + +ASN.1 Write Named Bitstring / Empty bitstring (bits = 24) +test_asn1_write_bitstrings:"FFFFFF":0:"030100":3:1 + +ASN.1 Write Named Bitstring / 15 trailing bits all unset +test_asn1_write_bitstrings:"F88000":24:"030307F880":5:1 + +ASN.1 Write Named Bitstring / 15 trailing bits all set +test_asn1_write_bitstrings:"F8FFFF":9:"030307F880":5:1 + +ASN.1 Write Bitstring / Unused bits #0 +test_asn1_write_bitstrings:"FF":8:"030200FF":4:0 + +ASN.1 Write Bitstring / Unused bits #1 +test_asn1_write_bitstrings:"FF":7:"030201FE":4:0 + +ASN.1 Write Bitstring / Unused bits #2 +test_asn1_write_bitstrings:"FF":6:"030202FC":4:0 + +ASN.1 Write Bitstring / Unused bits #3 +test_asn1_write_bitstrings:"FF":5:"030203F8":4:0 + +ASN.1 Write Bitstring / Unused bits #4 +test_asn1_write_bitstrings:"FF":4:"030204F0":4:0 + +ASN.1 Write Bitstring / Unused bits #5 +test_asn1_write_bitstrings:"FF":3:"030205E0":4:0 + +ASN.1 Write Bitstring / Unused bits #6 +test_asn1_write_bitstrings:"FF":2:"030206C0":4:0 + +ASN.1 Write Bitstring / Unused bits #7 +test_asn1_write_bitstrings:"FF":1:"03020780":4:0 + +ASN.1 Write Bitstring / 1 trailing bit (bits 15) +test_asn1_write_bitstrings:"0003":15:"0303010002":5:0 + +ASN.1 Write Bitstring / 0 bits +test_asn1_write_bitstrings:"":0:"030100":3:0 + +ASN.1 Write Bitstring / long string all bits unset except trailing bits +test_asn1_write_bitstrings:"000000000007":45:"030703000000000000":9:0 diff --git a/tests/suites/test_suite_asn1write.function b/tests/suites/test_suite_asn1write.function index 57a974125..e45583cbb 100644 --- a/tests/suites/test_suite_asn1write.function +++ b/tests/suites/test_suite_asn1write.function @@ -128,3 +128,47 @@ void mbedtls_asn1_write_len( int len, data_t * asn1, int buf_len, } } /* END_CASE */ + +/* BEGIN_CASE */ +void test_asn1_write_bitstrings( data_t *bitstring, int bits, + data_t *expected_asn1, int result, + int is_named ) +{ + int ret; + size_t i; + unsigned char buf[150]; + unsigned char *p; + + memset( buf, GUARD_VAL, sizeof( buf ) ); + + p = buf + GUARD_LEN + expected_asn1->len; + + if ( is_named == 0 ) + { + ret = mbedtls_asn1_write_bitstring( &p, + buf, + (unsigned char *)bitstring->x, + (size_t) bits ); + } + else + { + ret = mbedtls_asn1_write_named_bitstring( &p, + buf, + (unsigned char *)bitstring->x, + (size_t) bits ); + } + TEST_ASSERT( ret == result ); + + /* Check for buffer overwrite on both sides */ + for( i = 0; i < GUARD_LEN; i++ ) + { + TEST_ASSERT( buf[i] == GUARD_VAL ); + TEST_ASSERT( buf[GUARD_LEN + expected_asn1->len + i] == GUARD_VAL ); + } + + if ( result >= 0 ) + { + TEST_ASSERT( memcmp( p, expected_asn1->x, expected_asn1->len ) == 0 ); + } +} +/* END_CASE */ diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index 40964258b..b891ef29d 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -1,46 +1,54 @@ Certificate Request check Server1 SHA1 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha1":MBEDTLS_MD_SHA1:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha1":MBEDTLS_MD_SHA1:0:0:0:0 Certificate Request check Server1 SHA224 depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha224":MBEDTLS_MD_SHA224:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha224":MBEDTLS_MD_SHA224:0:0:0:0 Certificate Request check Server1 SHA256 depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha256":MBEDTLS_MD_SHA256:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha256":MBEDTLS_MD_SHA256:0:0:0:0 Certificate Request check Server1 SHA384 depends_on:MBEDTLS_SHA512_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha384":MBEDTLS_MD_SHA384:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha384":MBEDTLS_MD_SHA384:0:0:0:0 Certificate Request check Server1 SHA512 depends_on:MBEDTLS_SHA512_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha512":MBEDTLS_MD_SHA512:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha512":MBEDTLS_MD_SHA512:0:0:0:0 Certificate Request check Server1 MD4 depends_on:MBEDTLS_MD4_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.md4":MBEDTLS_MD_MD4:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.md4":MBEDTLS_MD_MD4:0:0:0:0 Certificate Request check Server1 MD5 depends_on:MBEDTLS_MD5_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.md5":MBEDTLS_MD_MD5:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.md5":MBEDTLS_MD_MD5:0:0:0:0 Certificate Request check Server1 key_usage depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0 + +Certificate Request check Server1 key_usage empty +depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage_empty":MBEDTLS_MD_SHA1:0:1:0:0 Certificate Request check Server1 ns_cert_type depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER +x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1 + +Certificate Request check Server1 ns_cert_type empty +depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type_empty":MBEDTLS_MD_SHA1:0:0:0:1 Certificate Request check Server1 key_usage + ns_cert_type depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER +x509_csr_check:"data_files/server1.key":"data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1 Certificate Request check Server5 ECDSA, key_usage depends_on:MBEDTLS_SHA1_C:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_DP_SECP256R1_ENABLED -x509_csr_check:"data_files/server5.key":"data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:0 +x509_csr_check:"data_files/server5.key":"data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:1:0:0 Certificate Request check opaque Server5 ECDSA, key_usage depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED @@ -48,35 +56,35 @@ x509_csr_check_opaque:"data_files/server5.key":MBEDTLS_MD_SHA256:MBEDTLS_X509_KU Certificate write check Server1 SHA1 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:1:-1:"data_files/server1.crt":0 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0::0:0:1:-1:"data_files/server1.crt":0 Certificate write check Server1 SHA1, key_usage depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:1:-1:"data_files/server1.key_usage.crt":0 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:1:-1:"data_files/server1.key_usage.crt":0 Certificate write check Server1 SHA1, ns_cert_type depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:-1:"data_files/server1.cert_type.crt":0 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":0 Certificate write check Server1 SHA1, version 1 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0 Certificate write check Server1 SHA1, RSA_ALT depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:-1:"data_files/server1.noauthid.crt":1 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:0:-1:"data_files/server1.noauthid.crt":1 Certificate write check Server1 SHA1, RSA_ALT, key_usage depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1 Certificate write check Server1 SHA1, RSA_ALT, ns_cert_type depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:0:-1:"data_files/server1.cert_type_noauthid.crt":1 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0:-1:"data_files/server1.cert_type_noauthid.crt":1 Certificate write check Server1 SHA1, RSA_ALT, version 1 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1 X509 String to Names #1 mbedtls_x509_string_to_names:"C=NL,O=Offspark\, Inc., OU=PolarSSL":"C=NL, O=Offspark, Inc., OU=PolarSSL":0 diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 268b4bbeb..e15802ff1 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -70,7 +70,8 @@ static int x509_crt_verifycsr( const unsigned char *buf, size_t buflen ) /* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C */ void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type, - int key_usage, int cert_type ) + int key_usage, int set_key_usage, int cert_type, + int set_cert_type ) { mbedtls_pk_context key; mbedtls_x509write_csr req; @@ -92,9 +93,9 @@ void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type, mbedtls_x509write_csr_set_md_alg( &req, md_type ); mbedtls_x509write_csr_set_key( &req, &key ); TEST_ASSERT( mbedtls_x509write_csr_set_subject_name( &req, subject_name ) == 0 ); - if( key_usage != 0 ) + if( set_key_usage != 0 ) TEST_ASSERT( mbedtls_x509write_csr_set_key_usage( &req, key_usage ) == 0 ); - if( cert_type != 0 ) + if( set_cert_type != 0 ) TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 ); ret = mbedtls_x509write_csr_pem( &req, buf, sizeof( buf ), @@ -180,7 +181,8 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, char *subject_name, char *issuer_key_file, char *issuer_pwd, char *issuer_name, char *serial_str, char *not_before, char *not_after, - int md_type, int key_usage, int cert_type, int auth_ident, + int md_type, int key_usage, int set_key_usage, + int cert_type, int set_cert_type, int auth_ident, int ver, char *cert_check_file, int rsa_alt ) { mbedtls_pk_context subject_key, issuer_key, issuer_key_alt; @@ -248,9 +250,9 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, TEST_ASSERT( mbedtls_x509write_crt_set_subject_key_identifier( &crt ) == 0 ); if( auth_ident ) TEST_ASSERT( mbedtls_x509write_crt_set_authority_key_identifier( &crt ) == 0 ); - if( key_usage != 0 ) + if( set_key_usage != 0 ) TEST_ASSERT( mbedtls_x509write_crt_set_key_usage( &crt, key_usage ) == 0 ); - if( cert_type != 0 ) + if( set_cert_type != 0 ) TEST_ASSERT( mbedtls_x509write_crt_set_ns_cert_type( &crt, cert_type ) == 0 ); } From d8233f76db89f04612e3fed5f427329f8d3e4932 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Mon, 8 Oct 2018 19:44:55 +0100 Subject: [PATCH 3/7] Improve docs for named bitstrings and their usage --- include/mbedtls/asn1write.h | 18 ++++++++++-------- include/mbedtls/x509_csr.h | 8 ++++++++ 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/include/mbedtls/asn1write.h b/include/mbedtls/asn1write.h index 04a8767c8..dc81782c4 100644 --- a/include/mbedtls/asn1write.h +++ b/include/mbedtls/asn1write.h @@ -283,19 +283,21 @@ int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start, const unsigned char *buf, size_t bits ); /** - * \brief Write a named bitstring tag (MBEDTLS_ASN1_BIT_STRING) and - * value in ASN.1 format - * Note: function works backwards in data buffer + * \brief This function writes a named bitstring tag + * (#MBEDTLS_ASN1_BIT_STRING) and value in ASN.1 format. * - * As stated in RFC5280 Appending B, trailing zeroes are + * As stated in RFC 5280 Appendix B, trailing zeroes are * omitted when encoding named bitstrings in DER. * - * \param p Reference to current position pointer. - * \param start Start of the buffer (for bounds-checking). - * \param buf The bitstring. + * \note This function works backwards within the data buffer. + * + * \param p The reference to the current position pointer. + * \param start The start of the buffer which is used for bounds-checking. + * \param buf The bitstring to write. * \param bits The total number of bits in the bitstring. * - * \return The length written or a negative error code. + * \return The number of bytes written to \p p on success. + * \return A negative error code on failure. */ int mbedtls_asn1_write_named_bitstring( unsigned char **p, unsigned char *start, diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h index 0c6ccad78..a3c28048e 100644 --- a/include/mbedtls/x509_csr.h +++ b/include/mbedtls/x509_csr.h @@ -205,6 +205,14 @@ void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_ty * \param key_usage key usage flags to set * * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + * + * \note The decipherOnly flag from the Key Usage + * extension is represented by bit 8 (i.e. + * 0x8000), which cannot typically be represented + * in an unsigned char. Therefore, the flag + * decipherOnly (i.e. + * #MBEDTLS_X509_KU_DECIPHER_ONLY) cannot be set using this + * function. */ int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage ); From d588ff7156f0030e0e6ded4454d6afbfe918c167 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 26 Sep 2018 10:59:20 +0100 Subject: [PATCH 4/7] Add ChangeLog entry for unused bits in bitstrings --- ChangeLog | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ChangeLog b/ChangeLog index 2500919d8..3fab19995 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,6 +31,12 @@ Bugfix Fixes #2190. * Fix false failure in all.sh when backup files exist in include/mbedtls (e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407. + * Ensure that unused bits are zero when writing ASN.1 bitstrings when using + mbedtls_asn1_write_bitstring(). + * Fix issue when writing the named bitstrings in KeyUsage and NsCertType + extensions in CSRs and CRTs that caused these bitstrings to not be encoded + correctly as trailing zeroes were not accounted for as unused bits in the + leading content octet. Fixes #1610. Changes * Reduce RAM consumption during session renegotiation by not storing @@ -65,6 +71,8 @@ Features function to see for which parameter values it is defined. This feature is disabled by default. See its API documentation in config.h for additional steps you have to take when enabling it. + * Add a new function mbedtls_asn1_write_named_bitstring() to write ASN.1 + named bitstring in DER as required by RFC 5280 Appendix B. API Changes * The following functions in the random generator modules have been From 412ddf3812580bab47e12fd8e5bd44c0f3df94c0 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Mon, 11 Feb 2019 21:33:10 +0000 Subject: [PATCH 5/7] Fix typo in x509write test data --- tests/suites/test_suite_x509write.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index b891ef29d..54d72701e 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -56,7 +56,7 @@ x509_csr_check_opaque:"data_files/server5.key":MBEDTLS_MD_SHA256:MBEDTLS_X509_KU Certificate write check Server1 SHA1 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0::0:0:1:-1:"data_files/server1.crt":0 +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:1:-1:"data_files/server1.crt":0 Certificate write check Server1 SHA1, key_usage depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C From ce04951a6cb4b8e1c5bf105c42f28100bd5e3284 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 20 Feb 2019 10:00:03 +0000 Subject: [PATCH 6/7] Fix ChangeLog entry to correct release version --- ChangeLog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3fab19995..1d25ed611 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,8 @@ Features which allows copy-less parsing of DER encoded X.509 CRTs, at the cost of additional lifetime constraints on the input buffer, but at the benefit of reduced RAM consumption. + * Add a new function mbedtls_asn1_write_named_bitstring() to write ASN.1 + named bitstring in DER as required by RFC 5280 Appendix B. API Changes * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`. @@ -71,8 +73,6 @@ Features function to see for which parameter values it is defined. This feature is disabled by default. See its API documentation in config.h for additional steps you have to take when enabling it. - * Add a new function mbedtls_asn1_write_named_bitstring() to write ASN.1 - named bitstring in DER as required by RFC 5280 Appendix B. API Changes * The following functions in the random generator modules have been From 1e198f5a98db868a96b0c5469009c94dbd57d94f Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Thu, 28 Feb 2019 09:54:01 +0000 Subject: [PATCH 7/7] Update the crypto submodule to a78c958 Update the crypto submodule to commit a78c958b17d75ddf63d8dd17255b6379dcbf259f to include the equivalent changes in this PR within the submodule. --- crypto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto b/crypto index bf61ca7a0..a78c958b1 160000 --- a/crypto +++ b/crypto @@ -1 +1 @@ -Subproject commit bf61ca7a0429ae81adfa82d1bbee4e58e3f6ecef +Subproject commit a78c958b17d75ddf63d8dd17255b6379dcbf259f