From 51a7ae1353f623d96bd2a7821dc12c1937baf89b Mon Sep 17 00:00:00 2001 From: Andres AG Date: Wed, 22 Feb 2017 16:23:26 +0000 Subject: [PATCH 01/29] Add missing ret code checks in PEM module Add missing return code checks in the functions pem_des_decrypt(), pem_3des_decrypt() and pem_aes_decrypt() so that the calling function mbedtls_pem_read_buffer() is notified of errors reported by the crypto primitives AES, DES and 3DES. --- ChangeLog | 10 ++++++++ library/pem.c | 63 +++++++++++++++++++++++++++++++++++---------------- 2 files changed, 53 insertions(+), 20 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8797b1af6..daa9622f3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,15 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS x.x.x branch released xxxx-xx-xx + +Bugfix + * Fix unchecked return codes from AES, DES and 3DES functions in + pem_aes_decrypt(), pem_des_decrypt() and pem_des3_decrypt() respectively. + If a call to one of the functions of the cryptographic primitive modules + failed, the error may not be noticed by the function + mbedtls_pem_read_buffer() causing it to return invalid values. Found by + Guido Vranken. #756 + = mbed TLS 2.5.0 branch released 2017-05-17 Security diff --git a/library/pem.c b/library/pem.c index 8dd86a4ac..87401ba55 100644 --- a/library/pem.c +++ b/library/pem.c @@ -134,45 +134,55 @@ static void pem_pbkdf1( unsigned char *key, size_t keylen, /* * Decrypt with DES-CBC, using PBKDF1 for key derivation */ -static void pem_des_decrypt( unsigned char des_iv[8], - unsigned char *buf, size_t buflen, - const unsigned char *pwd, size_t pwdlen ) +static int pem_des_decrypt( unsigned char des_iv[8], + unsigned char *buf, size_t buflen, + const unsigned char *pwd, size_t pwdlen ) { mbedtls_des_context des_ctx; unsigned char des_key[8]; + int ret; mbedtls_des_init( &des_ctx ); pem_pbkdf1( des_key, 8, des_iv, pwd, pwdlen ); - mbedtls_des_setkey_dec( &des_ctx, des_key ); - mbedtls_des_crypt_cbc( &des_ctx, MBEDTLS_DES_DECRYPT, buflen, + if( ( ret = mbedtls_des_setkey_dec( &des_ctx, des_key ) ) != 0 ) + goto exit; + ret = mbedtls_des_crypt_cbc( &des_ctx, MBEDTLS_DES_DECRYPT, buflen, des_iv, buf, buf ); +exit: mbedtls_des_free( &des_ctx ); mbedtls_zeroize( des_key, 8 ); + + return( ret ); } /* * Decrypt with 3DES-CBC, using PBKDF1 for key derivation */ -static void pem_des3_decrypt( unsigned char des3_iv[8], - unsigned char *buf, size_t buflen, - const unsigned char *pwd, size_t pwdlen ) +static int pem_des3_decrypt( unsigned char des3_iv[8], + unsigned char *buf, size_t buflen, + const unsigned char *pwd, size_t pwdlen ) { mbedtls_des3_context des3_ctx; unsigned char des3_key[24]; + int ret; mbedtls_des3_init( &des3_ctx ); pem_pbkdf1( des3_key, 24, des3_iv, pwd, pwdlen ); - mbedtls_des3_set3key_dec( &des3_ctx, des3_key ); - mbedtls_des3_crypt_cbc( &des3_ctx, MBEDTLS_DES_DECRYPT, buflen, + if( ( ret = mbedtls_des3_set3key_dec( &des3_ctx, des3_key ) ) != 0 ) + goto exit; + ret = mbedtls_des3_crypt_cbc( &des3_ctx, MBEDTLS_DES_DECRYPT, buflen, des3_iv, buf, buf ); +exit: mbedtls_des3_free( &des3_ctx ); mbedtls_zeroize( des3_key, 24 ); + + return( ret ); } #endif /* MBEDTLS_DES_C */ @@ -180,23 +190,28 @@ static void pem_des3_decrypt( unsigned char des3_iv[8], /* * Decrypt with AES-XXX-CBC, using PBKDF1 for key derivation */ -static void pem_aes_decrypt( unsigned char aes_iv[16], unsigned int keylen, - unsigned char *buf, size_t buflen, - const unsigned char *pwd, size_t pwdlen ) +static int pem_aes_decrypt( unsigned char aes_iv[16], unsigned int keylen, + unsigned char *buf, size_t buflen, + const unsigned char *pwd, size_t pwdlen ) { mbedtls_aes_context aes_ctx; unsigned char aes_key[32]; + int ret; mbedtls_aes_init( &aes_ctx ); pem_pbkdf1( aes_key, keylen, aes_iv, pwd, pwdlen ); - mbedtls_aes_setkey_dec( &aes_ctx, aes_key, keylen * 8 ); - mbedtls_aes_crypt_cbc( &aes_ctx, MBEDTLS_AES_DECRYPT, buflen, + if( ( ret = mbedtls_aes_setkey_dec( &aes_ctx, aes_key, keylen * 8 ) ) != 0 ) + goto exit; + ret = mbedtls_aes_crypt_cbc( &aes_ctx, MBEDTLS_AES_DECRYPT, buflen, aes_iv, buf, buf ); +exit: mbedtls_aes_free( &aes_ctx ); mbedtls_zeroize( aes_key, keylen ); + + return( ret ); } #endif /* MBEDTLS_AES_C */ @@ -345,22 +360,30 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const return( MBEDTLS_ERR_PEM_PASSWORD_REQUIRED ); } + ret = 0; + #if defined(MBEDTLS_DES_C) if( enc_alg == MBEDTLS_CIPHER_DES_EDE3_CBC ) - pem_des3_decrypt( pem_iv, buf, len, pwd, pwdlen ); + ret = pem_des3_decrypt( pem_iv, buf, len, pwd, pwdlen ); else if( enc_alg == MBEDTLS_CIPHER_DES_CBC ) - pem_des_decrypt( pem_iv, buf, len, pwd, pwdlen ); + ret = pem_des_decrypt( pem_iv, buf, len, pwd, pwdlen ); #endif /* MBEDTLS_DES_C */ #if defined(MBEDTLS_AES_C) if( enc_alg == MBEDTLS_CIPHER_AES_128_CBC ) - pem_aes_decrypt( pem_iv, 16, buf, len, pwd, pwdlen ); + ret = pem_aes_decrypt( pem_iv, 16, buf, len, pwd, pwdlen ); else if( enc_alg == MBEDTLS_CIPHER_AES_192_CBC ) - pem_aes_decrypt( pem_iv, 24, buf, len, pwd, pwdlen ); + ret = pem_aes_decrypt( pem_iv, 24, buf, len, pwd, pwdlen ); else if( enc_alg == MBEDTLS_CIPHER_AES_256_CBC ) - pem_aes_decrypt( pem_iv, 32, buf, len, pwd, pwdlen ); + ret = pem_aes_decrypt( pem_iv, 32, buf, len, pwd, pwdlen ); #endif /* MBEDTLS_AES_C */ + if( ret != 0 ) + { + mbedtls_free( buf ); + return( ret ); + } + /* * The result will be ASN.1 starting with a SEQUENCE tag, with 1 to 3 * length bytes (allow 4 to be sure) in all known use cases. From a3b9adb6bd9e0d23b4e7797e5fdf2c310d9914e5 Mon Sep 17 00:00:00 2001 From: Andres AG Date: Wed, 1 Mar 2017 11:53:29 +0000 Subject: [PATCH 02/29] Add negative testing for mbedtls_pem_read_buffer() --- tests/suites/test_suite_pem.data | 17 ++++++++++++++--- tests/suites/test_suite_pem.function | 13 +++++++++---- 2 files changed, 23 insertions(+), 7 deletions(-) diff --git a/tests/suites/test_suite_pem.data b/tests/suites/test_suite_pem.data index 065e4a2b5..77546c586 100644 --- a/tests/suites/test_suite_pem.data +++ b/tests/suites/test_suite_pem.data @@ -17,11 +17,22 @@ PEM write (exactly two lines + 1) mbedtls_pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F00":"-----START TEST-----\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAA==\n-----END TEST-----\n" PEM read (DES-EDE3-CBC + invalid iv) -mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,00$":MBEDTLS_ERR_PEM_INVALID_ENC_IV +mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,00$":"pwd":MBEDTLS_ERR_PEM_INVALID_ENC_IV PEM read (DES-CBC + invalid iv) -mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,00$":MBEDTLS_ERR_PEM_INVALID_ENC_IV +mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,00$":"pwd":MBEDTLS_ERR_PEM_INVALID_ENC_IV PEM read (unknown encryption algorithm) -mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-,00$":MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG +mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-,00$":"pwd":MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG +PEM read (malformed PEM DES-CBC) +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC +mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH + +PEM read (malformed PEM DES-EDE3-CBC) +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC +mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH + +PEM read (malformed PEM AES-128-CBC) +depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,AA94892A169FA426AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH diff --git a/tests/suites/test_suite_pem.function b/tests/suites/test_suite_pem.function index 5e022109c..c24595d47 100644 --- a/tests/suites/test_suite_pem.function +++ b/tests/suites/test_suite_pem.function @@ -1,6 +1,8 @@ /* BEGIN_HEADER */ #include "mbedtls/base64.h" #include "mbedtls/pem.h" +#include "mbedtls/des.h" +#include "mbedtls/aes.h" /* END_HEADER */ /* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C */ @@ -35,16 +37,19 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_AES_C:MBEDTLS_DES_C:MBEDTLS_MD5_C:MBEDTLS_CIPHER_MODE_CBC */ -void mbedtls_pem_read_buffer( char *header, char *footer, char *data, int ret ) +void mbedtls_pem_read_buffer( char *header, char *footer, char *data, + char *pwd, int res ) { mbedtls_pem_context ctx; + int ret; size_t use_len = 0; + size_t pwd_len = strlen( pwd ); mbedtls_pem_init( &ctx ); - TEST_ASSERT( mbedtls_pem_read_buffer( &ctx, header, footer, - (const unsigned char *)data, NULL, 0, - &use_len ) == ret ); + ret = mbedtls_pem_read_buffer( &ctx, header, footer, (unsigned char *)data, + (unsigned char *)pwd, pwd_len, &use_len ); + TEST_ASSERT( ret == res ); exit: mbedtls_pem_free( &ctx ); From 53c77cccc9ddb7e54f1c887cab7fcac57d68c343 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Tue, 27 Jun 2017 16:15:06 +0100 Subject: [PATCH 03/29] Initialise pointers to avoid IAR compiler warnings --- library/ssl_cli.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index a2b9f8cfe..04ce8f728 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2258,7 +2258,7 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) int ret; const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; - unsigned char *p, *end; + unsigned char *p = NULL, *end = NULL; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); From 79ae065117761fb32dd5b04a1f6800f0cb722e38 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Tue, 27 Jun 2017 16:17:54 +0100 Subject: [PATCH 04/29] Add ChangeLog entry for IAR compilation warnings --- ChangeLog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ChangeLog b/ChangeLog index 84a05d003..46acda75f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,11 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS x.x.x released xxxx-xx-xx + +Bugfix + * Fix variable used before assignment compilation warnings with IAR + toolchain. Found by gkerrien38. + = mbed TLS 2.5.1 released xxxx-xx-xx Security From fe9483184f9c03094353796afcad9c1d351df49d Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Thu, 6 Jul 2017 10:34:12 +0100 Subject: [PATCH 05/29] Remove malloc references in mbedtls/scripts --- scripts/find-mem-leak.cocci | 8 ++--- scripts/malloc-init.pl | 70 ------------------------------------ scripts/rm-calloc-cast.cocci | 7 ++++ scripts/rm-malloc-cast.cocci | 7 ---- 4 files changed, 11 insertions(+), 81 deletions(-) delete mode 100755 scripts/malloc-init.pl create mode 100644 scripts/rm-calloc-cast.cocci delete mode 100644 scripts/rm-malloc-cast.cocci diff --git a/scripts/find-mem-leak.cocci b/scripts/find-mem-leak.cocci index 5cfe4522d..8179e2b3e 100644 --- a/scripts/find-mem-leak.cocci +++ b/scripts/find-mem-leak.cocci @@ -2,8 +2,8 @@ expression x, y; statement S; @@ - x = mbedtls_malloc(...); - y = mbedtls_malloc(...); + x = mbedtls_calloc(...); + y = mbedtls_calloc(...); ... * if (x == NULL || y == NULL) S @@ -13,8 +13,8 @@ expression x, y; statement S; @@ if ( -* (x = mbedtls_malloc(...)) == NULL +* (x = mbedtls_calloc(...)) == NULL || -* (y = mbedtls_malloc(...)) == NULL +* (y = mbedtls_calloc(...)) == NULL ) S diff --git a/scripts/malloc-init.pl b/scripts/malloc-init.pl deleted file mode 100755 index b7d6fcfac..000000000 --- a/scripts/malloc-init.pl +++ /dev/null @@ -1,70 +0,0 @@ -#!/usr/bin/perl - -# Check for malloc calls not shortly followed by initialisation. -# -# Known limitations: -# - false negative: can't see allocations spanning more than one line -# - possible false negatives, see patterns -# - false positive: malloc-malloc-init-init is not accepted -# - false positives: "non-standard" init functions (eg, the things being -# initialised is not the first arg, or initialise struct members) -# -# Since false positives are expected, the results must be manually reviewed. -# -# Typical usage: scripts/malloc-init.pl library/*.c - -use warnings; -use strict; - -use utf8; -use open qw(:std utf8); - -my $limit = 7; -my $inits = qr/memset|memcpy|_init|fread|base64_..code/; - -# cases to bear in mind: -# -# 0. foo = malloc(...); memset( foo, ... ); -# 1. *foo = malloc(...); memset( *foo, ... ); -# 2. type *foo = malloc(...); memset( foo, ...); -# 3. foo = malloc(...); foo_init( (type *) foo ); -# 4. foo = malloc(...); for(i=0..n) { init( &foo[i] ); } -# -# The chosen patterns are a bit relaxed, but unlikely to cause false positives -# in real code (initialising *foo or &foo instead of foo will likely be caught -# by functional tests). -# -my $id = qr/([a-zA-Z-0-9_\->\.]*)/; -my $prefix = qr/\s(?:\*?|\&?|\([a-z_]* \*\))\s*/; - -my $name; -my $line; -my @bad; - -die "Usage: $0 file.c [...]\n" unless @ARGV; - -while (my $file = shift @ARGV) -{ - open my $fh, "<", $file or die "read $file failed: $!\n"; - while (<$fh>) - { - if( /mbedtls_malloc\(/ ) { - if( /$id\s*=.*mbedtls_malloc\(/ ) { - push @bad, "$file:$line:$name" if $name; - $name = $1; - $line = $.; - } else { - push @bad, "$file:$.:???" unless /return mbedtls_malloc/; - } - } elsif( $name && /(?:$inits)\($prefix\Q$name\E\b/ ) { - undef $name; - } elsif( $name && $. - $line > $limit ) { - push @bad, "$file:$line:$name"; - undef $name; - undef $line; - } - } - close $fh or die; -} - -print "$_\n" for @bad; diff --git a/scripts/rm-calloc-cast.cocci b/scripts/rm-calloc-cast.cocci new file mode 100644 index 000000000..89481c01a --- /dev/null +++ b/scripts/rm-calloc-cast.cocci @@ -0,0 +1,7 @@ +@rm_calloc_cast@ +expression x, n, m; +type T; +@@ + x = +- (T *) + mbedtls_calloc(n, m) diff --git a/scripts/rm-malloc-cast.cocci b/scripts/rm-malloc-cast.cocci deleted file mode 100644 index 9337dc501..000000000 --- a/scripts/rm-malloc-cast.cocci +++ /dev/null @@ -1,7 +0,0 @@ -@rm_malloc_cast@ -expression x, n; -type T; -@@ - x = -- (T *) - mbedtls_malloc(n) From 7e8e57c6d1192d7cf867166935a0d66e6e71743f Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sun, 23 Jul 2017 10:19:29 +0100 Subject: [PATCH 06/29] Initialize RSA context in RSA test suite before first potentially failing operation The function `mbedtls_rsa_gen_key` from `test_suite_rsa.function` initialized a stack allocated RSA context only after seeding the CTR DRBG. If the latter operation failed, the cleanup code tried to free the uninitialized RSA context, potentially resulting in a segmentation fault. Fixes one aspect of #1023. --- tests/suites/test_suite_rsa.function | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index d48bc8595..e9ae1bf96 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -667,13 +667,12 @@ void mbedtls_rsa_gen_key( int nrbits, int exponent, int result) const char *pers = "test_suite_rsa"; mbedtls_ctr_drbg_init( &ctr_drbg ); - mbedtls_entropy_init( &entropy ); + mbedtls_rsa_init ( &ctx, 0, 0 ); + TEST_ASSERT( mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) == 0 ); - mbedtls_rsa_init( &ctx, 0, 0 ); - TEST_ASSERT( mbedtls_rsa_gen_key( &ctx, mbedtls_ctr_drbg_random, &ctr_drbg, nrbits, exponent ) == result ); if( result == 0 ) { From 1b841cc9bf8f4756938946cce312f4dbff8bd87a Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sun, 23 Jul 2017 10:22:45 +0100 Subject: [PATCH 07/29] Correct typo in entropy test suite data --- tests/suites/test_suite_entropy.data | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_entropy.data b/tests/suites/test_suite_entropy.data index e0dfae32a..5cff39984 100644 --- a/tests/suites/test_suite_entropy.data +++ b/tests/suites/test_suite_entropy.data @@ -34,10 +34,10 @@ entropy_threshold:16:2:8 Entropy threshold #2 entropy_threshold:32:1:32 -Entropy thershold #3 +Entropy threshold #3 entropy_threshold:16:0:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED -Entropy thershold #4 +Entropy threshold #4 entropy_threshold:1024:1:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED Check NV seed standard IO From 910f662cd7e804b5ecff9abb97d0e216122a675d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sun, 23 Jul 2017 10:23:24 +0100 Subject: [PATCH 08/29] Increase readability of verbose test suite output --- tests/suites/main_test.function | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function index a7bb41de3..fe49bdfd8 100644 --- a/tests/suites/main_test.function +++ b/tests/suites/main_test.function @@ -432,24 +432,24 @@ int main(int argc, const char *argv[]) if( unmet_dep_count > 0 || ret == DISPATCH_UNSUPPORTED_SUITE ) { total_skipped++; - mbedtls_fprintf( stdout, "----\n" ); + mbedtls_fprintf( stdout, "----" ); if( 1 == option_verbose && ret == DISPATCH_UNSUPPORTED_SUITE ) { - mbedtls_fprintf( stdout, " Test Suite not enabled" ); + mbedtls_fprintf( stdout, "\n Test Suite not enabled" ); } if( 1 == option_verbose && unmet_dep_count > 0 ) { - mbedtls_fprintf( stdout, " Unmet dependencies: " ); + mbedtls_fprintf( stdout, "\n Unmet dependencies: " ); for( i = 0; i < unmet_dep_count; i++ ) { mbedtls_fprintf(stdout, "%s ", unmet_dependencies[i]); free(unmet_dependencies[i]); } - mbedtls_fprintf( stdout, "\n" ); } + mbedtls_fprintf( stdout, "\n" ); fflush( stdout ); unmet_dep_count = 0; From 75efa792013d00bc35fab91e28cc0ebd29a86f71 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sun, 23 Jul 2017 10:23:43 +0100 Subject: [PATCH 09/29] Adapt generic test suite file to coding standard --- tests/suites/main_test.function | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function index fe49bdfd8..5d1e9ecf0 100644 --- a/tests/suites/main_test.function +++ b/tests/suites/main_test.function @@ -396,7 +396,7 @@ int main(int argc, const char *argv[]) break; cnt = parse_arguments( buf, strlen(buf), params ); } - + // If there are no unmet dependencies execute the test if( unmet_dep_count == 0 ) { @@ -462,22 +462,22 @@ int main(int argc, const char *argv[]) else if( ret == DISPATCH_INVALID_TEST_DATA ) { mbedtls_fprintf( stderr, "FAILED: FATAL PARSE ERROR\n" ); - fclose(file); + fclose( file ); mbedtls_exit( 2 ); } else total_errors++; - if( ( ret = get_line( file, buf, sizeof(buf) ) ) != 0 ) + if( ( ret = get_line( file, buf, sizeof( buf ) ) ) != 0 ) break; - if( strlen(buf) != 0 ) + if( strlen( buf ) != 0 ) { mbedtls_fprintf( stderr, "Should be empty %d\n", - (int) strlen(buf) ); + (int) strlen( buf ) ); return( 1 ); } } - fclose(file); + fclose( file ); /* In case we encounter early end of file */ for( i = 0; i < unmet_dep_count; i++ ) @@ -508,4 +508,3 @@ int main(int argc, const char *argv[]) return( total_errors != 0 ); } - From f058f34b5a892e73c0fe465e3180feab4659080a Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sun, 23 Jul 2017 10:24:22 +0100 Subject: [PATCH 10/29] Support negative dependencies in test cases The entropy test suite uses a negative dependency "depends_on:!CONFIG_FLAG" for one of its tests. This kind of dependency (running a test only if some configuration flag is not defined) is currently not supported and instead results in the respective test case being dropped. This commit adds support for negative dependencies in test cases. --- tests/scripts/generate_code.pl | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/tests/scripts/generate_code.pl b/tests/scripts/generate_code.pl index 84e949dfa..f803a803d 100755 --- a/tests/scripts/generate_code.pl +++ b/tests/scripts/generate_code.pl @@ -312,7 +312,7 @@ END # and make check code my $dep_check_code; -my @res = $test_data =~ /^depends_on:([\w:]+)/msg; +my @res = $test_data =~ /^depends_on:([!:\w]+)/msg; my %case_deps; foreach my $deps (@res) { @@ -323,7 +323,23 @@ foreach my $deps (@res) } while( my ($key, $value) = each(%case_deps) ) { - $dep_check_code .= << "END"; + if( substr($key, 0, 1) eq "!" ) + { + my $key = substr($key, 1); + $dep_check_code .= << "END"; + if( strcmp( str, "!$key" ) == 0 ) + { +#if !defined($key) + return( DEPENDENCY_SUPPORTED ); +#else + return( DEPENDENCY_NOT_SUPPORTED ); +#endif + } +END + } + else + { + $dep_check_code .= << "END"; if( strcmp( str, "$key" ) == 0 ) { #if defined($key) @@ -333,6 +349,7 @@ while( my ($key, $value) = each(%case_deps) ) #endif } END + } } # Make mapping code From c6deafc0d495b3e80cd42cf8de451960f6e2190d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sun, 23 Jul 2017 14:06:42 +0100 Subject: [PATCH 11/29] Omit RSA key generation test if no strong entropy is present The RSA key generation test needs strong entropy to succeed. This commit captures the presence of a strong entropy source in a preprocessor flag and only runs the key generation test if that flag is set. --- include/mbedtls/entropy.h | 10 ++++++++++ library/entropy.c | 3 +++ tests/suites/test_suite_entropy.data | 8 ++++++-- tests/suites/test_suite_rsa.function | 2 +- 4 files changed, 20 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/entropy.h b/include/mbedtls/entropy.h index 747aca4df..b374b34ec 100644 --- a/include/mbedtls/entropy.h +++ b/include/mbedtls/entropy.h @@ -55,6 +55,16 @@ #define MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE -0x003D /**< No strong sources have been added to poll. */ #define MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR -0x003F /**< Read/write error in file. */ +/* Indicates whether at least one standard strong entropy source is enabled. */ +#if defined(MBEDTLS_TEST_NULL_ENTROPY) || \ + ( !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) && \ + ( !defined(MBEDTLS_NO_PLATFORM_ENTROPY) || \ + defined(MBEDTLS_HAVEGE_C) || \ + defined(MBEDTLS_ENTROPY_HARDWARE_ALT) || \ + defined(ENTROPY_NV_SEED) ) ) +#define MBEDTLS_ENTROPY_HAVE_STRONG +#endif + /** * \name SECTION: Module settings * diff --git a/library/entropy.c b/library/entropy.c index d4d1b27b7..4de168250 100644 --- a/library/entropy.c +++ b/library/entropy.c @@ -83,6 +83,9 @@ void mbedtls_entropy_init( mbedtls_entropy_context *ctx ) mbedtls_havege_init( &ctx->havege_data ); #endif + /* Reminder: Update MBEDTLS_ENTROPY_HAVE_STRONG when + * adding more strong entropy sources here. */ + #if defined(MBEDTLS_TEST_NULL_ENTROPY) mbedtls_entropy_add_source( ctx, mbedtls_null_entropy_poll, NULL, 1, MBEDTLS_ENTROPY_SOURCE_STRONG ); diff --git a/tests/suites/test_suite_entropy.data b/tests/suites/test_suite_entropy.data index 5cff39984..bf9ce49ed 100644 --- a/tests/suites/test_suite_entropy.data +++ b/tests/suites/test_suite_entropy.data @@ -52,10 +52,14 @@ entropy_nv_seed:"000000000000000000000000000000000000000000000000000000000000000 Check NV seed manually #3 entropy_nv_seed:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" -Entropy self test -depends_on:!MBEDTLS_TEST_NULL_ENTROPY +Entropy self test (with strong entropy) +depends_on:!MBEDTLS_TEST_NULL_ENTROPY:MBEDTLS_ENTROPY_HAVE_STRONG entropy_selftest:0 +Entropy self test (without strong entropy) +depends_on:!MBEDTLS_TEST_NULL_ENTROPY:!MBEDTLS_ENTROPY_HAVE_STRONG +entropy_selftest:1 + Entropy self test (MBEDTLS_TEST_NULL_ENTROPY) depends_on:MBEDTLS_TEST_NULL_ENTROPY entropy_selftest:1 diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index e9ae1bf96..f64e1a73a 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -658,7 +658,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CTR_DRBG_C:MBEDTLS_ENTROPY_C */ +/* BEGIN_CASE depends_on:MBEDTLS_CTR_DRBG_C:MBEDTLS_ENTROPY_C:MBEDTLS_ENTROPY_HAVE_STRONG */ void mbedtls_rsa_gen_key( int nrbits, int exponent, int result) { mbedtls_rsa_context ctx; From 47deec488f8da931ee82961d47c5e6eb9ffb94c4 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 24 Jul 2017 12:27:09 +0100 Subject: [PATCH 12/29] Move flag indicating presence of strong entropy to test code --- include/mbedtls/entropy.h | 10 ---------- library/entropy.c | 4 ++-- tests/suites/helpers.function | 16 +++++++++++++++- tests/suites/test_suite_entropy.data | 8 ++------ tests/suites/test_suite_entropy.function | 6 +++--- tests/suites/test_suite_rsa.function | 1 + 6 files changed, 23 insertions(+), 22 deletions(-) diff --git a/include/mbedtls/entropy.h b/include/mbedtls/entropy.h index b374b34ec..747aca4df 100644 --- a/include/mbedtls/entropy.h +++ b/include/mbedtls/entropy.h @@ -55,16 +55,6 @@ #define MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE -0x003D /**< No strong sources have been added to poll. */ #define MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR -0x003F /**< Read/write error in file. */ -/* Indicates whether at least one standard strong entropy source is enabled. */ -#if defined(MBEDTLS_TEST_NULL_ENTROPY) || \ - ( !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) && \ - ( !defined(MBEDTLS_NO_PLATFORM_ENTROPY) || \ - defined(MBEDTLS_HAVEGE_C) || \ - defined(MBEDTLS_ENTROPY_HARDWARE_ALT) || \ - defined(ENTROPY_NV_SEED) ) ) -#define MBEDTLS_ENTROPY_HAVE_STRONG -#endif - /** * \name SECTION: Module settings * diff --git a/library/entropy.c b/library/entropy.c index 4de168250..10449b8d0 100644 --- a/library/entropy.c +++ b/library/entropy.c @@ -83,8 +83,8 @@ void mbedtls_entropy_init( mbedtls_entropy_context *ctx ) mbedtls_havege_init( &ctx->havege_data ); #endif - /* Reminder: Update MBEDTLS_ENTROPY_HAVE_STRONG when - * adding more strong entropy sources here. */ + /* Reminder: Update MBEDTLS_ENTROPY_HAVE_STRONG in the test files + * when adding more strong entropy sources here. */ #if defined(MBEDTLS_TEST_NULL_ENTROPY) mbedtls_entropy_add_source( ctx, mbedtls_null_entropy_poll, NULL, diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function index 63815df85..39cd3c768 100644 --- a/tests/suites/helpers.function +++ b/tests/suites/helpers.function @@ -102,6 +102,21 @@ typedef UINT32 uint32_t; static int test_errors = 0; +/*----------------------------------------------------------------------------*/ +/* Helper flags for complex dependencies */ + +/* Indicates whether we expect mbedtls_entropy_init + * to initialize some strong entropy source. */ +#if defined(MBEDTLS_TEST_NULL_ENTROPY) || \ + ( !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) && \ + ( !defined(MBEDTLS_NO_PLATFORM_ENTROPY) || \ + defined(MBEDTLS_HAVEGE_C) || \ + defined(MBEDTLS_ENTROPY_HARDWARE_ALT) || \ + defined(ENTROPY_NV_SEED) ) ) +#define MBEDTLS_ENTROPY_HAVE_STRONG +#endif + + /*----------------------------------------------------------------------------*/ /* Helper Functions */ @@ -401,4 +416,3 @@ static void test_fail( const char *test, int line_no, const char* filename ) mbedtls_fprintf( stdout, " %s\n at line %d, %s\n", test, line_no, filename ); } - diff --git a/tests/suites/test_suite_entropy.data b/tests/suites/test_suite_entropy.data index bf9ce49ed..5cff39984 100644 --- a/tests/suites/test_suite_entropy.data +++ b/tests/suites/test_suite_entropy.data @@ -52,14 +52,10 @@ entropy_nv_seed:"000000000000000000000000000000000000000000000000000000000000000 Check NV seed manually #3 entropy_nv_seed:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" -Entropy self test (with strong entropy) -depends_on:!MBEDTLS_TEST_NULL_ENTROPY:MBEDTLS_ENTROPY_HAVE_STRONG +Entropy self test +depends_on:!MBEDTLS_TEST_NULL_ENTROPY entropy_selftest:0 -Entropy self test (without strong entropy) -depends_on:!MBEDTLS_TEST_NULL_ENTROPY:!MBEDTLS_ENTROPY_HAVE_STRONG -entropy_selftest:1 - Entropy self test (MBEDTLS_TEST_NULL_ENTROPY) depends_on:MBEDTLS_TEST_NULL_ENTROPY entropy_selftest:1 diff --git a/tests/suites/test_suite_entropy.function b/tests/suites/test_suite_entropy.function index 97a21bc18..7983c767e 100644 --- a/tests/suites/test_suite_entropy.function +++ b/tests/suites/test_suite_entropy.function @@ -163,7 +163,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_HAVE_STRONG */ void entropy_func_len( int len, int ret ) { mbedtls_entropy_context ctx; @@ -224,7 +224,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_HAVE_STRONG */ void entropy_threshold( int threshold, int chunk_size, int result ) { mbedtls_entropy_context ctx; @@ -377,7 +377,7 @@ void entropy_nv_seed( char *read_seed_str ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */ +/* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_HAVE_STRONG:MBEDTLS_SELF_TEST */ void entropy_selftest( int result ) { TEST_ASSERT( mbedtls_entropy_self_test( 1 ) == result ); diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index f64e1a73a..f41b14cc3 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -8,6 +8,7 @@ #include "mbedtls/sha512.h" #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" + /* END_HEADER */ /* BEGIN_DEPENDENCIES From f231eaae28c5272e1ebbc1d56ed6d0b44a9a5bd1 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Tue, 22 Aug 2017 14:50:14 +0300 Subject: [PATCH 13/29] Add configuration file in md.h include `*config.h*` in md.h as MACROS in the header file get ignored. Fix for #1001. --- ChangeLog | 2 ++ include/mbedtls/md.h | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/ChangeLog b/ChangeLog index e8d1da5c9..a58975ee6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -41,6 +41,8 @@ Bugfix * Fix a potential integer overflow in the version verification for DER encoded X509 certificates. The overflow would enable maliciously constructed certificates to bypass the certificate verification check. + * Include configuration file in md.h, to fix compilation warnings. + Reported by aaronmdjones in #1001 Changes * Added config.h option MBEDTLS_NO_UDBL_DIVISION, to prevent the use of diff --git a/include/mbedtls/md.h b/include/mbedtls/md.h index 9b996a951..89be847ce 100644 --- a/include/mbedtls/md.h +++ b/include/mbedtls/md.h @@ -27,6 +27,12 @@ #include +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #define MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE -0x5080 /**< The selected feature is not available. */ #define MBEDTLS_ERR_MD_BAD_INPUT_DATA -0x5100 /**< Bad input parameters to function. */ #define MBEDTLS_ERR_MD_ALLOC_FAILED -0x5180 /**< Failed to allocate memory. */ From 6c13d37961288dbd5b3e8627ec5cf1b367635f4c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 13 Sep 2017 12:49:22 +0100 Subject: [PATCH 14/29] Extend cert_write example program by multiple cmd line options This commit adds the following command line options to programs/x509/cert_write: - version (val 1, 2, 3): Set the certificate's version (v1, v2, v3) - authority_identifier (val 0, 1): Enable or disable the addition of the authority identifier extension. - subject_identifier (val 0, 1): Enable or disable the addition of the subject identifier extension. - basic_constraints (val 0, 1): Enable or disable the addition of the basic constraints extension. - md (val MD5, SHA1, SHA256, SHA512): Set the hash function used when creating the CRT. --- programs/x509/cert_write.c | 161 +++++++++++++++++++++++++++++-------- 1 file changed, 127 insertions(+), 34 deletions(-) diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index 66e5f1dab..45fd059b0 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -51,6 +51,7 @@ int main( void ) #include "mbedtls/x509_csr.h" #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" +#include "mbedtls/md.h" #include "mbedtls/error.h" #include @@ -83,6 +84,11 @@ int main( void ) #define DFL_MAX_PATHLEN -1 #define DFL_KEY_USAGE 0 #define DFL_NS_CERT_TYPE 0 +#define DFL_VERSION 3 +#define DFL_AUTH_IDENT 1 +#define DFL_SUBJ_IDENT 1 +#define DFL_CONSTRAINTS 1 +#define DFL_DIGEST MBEDTLS_MD_SHA256 #define USAGE \ "\n usage: cert_write param=<>...\n" \ @@ -109,6 +115,20 @@ int main( void ) " not_after=%%s default: 20301231235959\n"\ " is_ca=%%d default: 0 (disabled)\n" \ " max_pathlen=%%d default: -1 (none)\n" \ + " md=%%s default: SHA256\n" \ + " Supported values:\n" \ + " MD5, SHA1, SHA256, SHA512\n"\ + " version=%%d default: 3\n" \ + " Possible values: 1, 2, 3\n"\ + " subject_identifier default: 1\n" \ + " Possible values: 0, 1\n" \ + " (Considered for v3 only)\n"\ + " authority_identifier default: 1\n" \ + " Possible values: 0, 1\n" \ + " (Considered for v3 only)\n"\ + " basic_constraints default: 1\n" \ + " Possible values: 0, 1\n" \ + " (Considered for v3 only)\n"\ " key_usage=%%s default: (empty)\n" \ " Comma-separated-list of values:\n" \ " digital_signature\n" \ @@ -118,6 +138,7 @@ int main( void ) " key_agreement\n" \ " key_cert_sign\n" \ " crl_sign\n" \ + " (Considered for v3 only)\n"\ " ns_cert_type=%%s default: (empty)\n" \ " Comma-separated-list of values:\n" \ " ssl_client\n" \ @@ -149,6 +170,11 @@ struct options int selfsign; /* selfsign the certificate */ int is_ca; /* is a CA certificate */ int max_pathlen; /* maximum CA path length */ + int authority_identifier; /* add authority identifier id to CRT */ + int subject_identifier; /* add subject identifier id to CRT */ + int basic_constraints; /* add basic constraints ext to CRT */ + int version; /* CRT version */ + mbedtls_md_type_t md; /* Hash used for signing */ unsigned char key_usage; /* key usage flags */ unsigned char ns_cert_type; /* NS cert type */ } opt; @@ -207,7 +233,6 @@ int main( int argc, char *argv[] ) * Set to sane values */ mbedtls_x509write_crt_init( &crt ); - mbedtls_x509write_crt_set_md_alg( &crt, MBEDTLS_MD_SHA256 ); mbedtls_pk_init( &loaded_issuer_key ); mbedtls_pk_init( &loaded_subject_key ); mbedtls_mpi_init( &serial ); @@ -243,6 +268,11 @@ int main( int argc, char *argv[] ) opt.max_pathlen = DFL_MAX_PATHLEN; opt.key_usage = DFL_KEY_USAGE; opt.ns_cert_type = DFL_NS_CERT_TYPE; + opt.version = DFL_VERSION; + opt.md = DFL_DIGEST; + opt.subject_identifier = DFL_SUBJ_IDENT; + opt.authority_identifier = DFL_AUTH_IDENT; + opt.basic_constraints = DFL_CONSTRAINTS; for( i = 1; i < argc; i++ ) { @@ -286,6 +316,52 @@ int main( int argc, char *argv[] ) { opt.serial = q; } + else if( strcmp( p, "authority_identifier" ) == 0 ) + { + opt.authority_identifier = atoi( q ); + if( opt.authority_identifier != 0 && + opt.authority_identifier != 1 ) + { + goto usage; + } + } + else if( strcmp( p, "subject_identifier" ) == 0 ) + { + opt.subject_identifier = atoi( q ); + if( opt.subject_identifier != 0 && + opt.subject_identifier != 1 ) + { + goto usage; + } + } + else if( strcmp( p, "basic_constraints" ) == 0 ) + { + opt.basic_constraints = atoi( q ); + if( opt.basic_constraints != 0 && + opt.basic_constraints != 1 ) + { + goto usage; + } + } + else if( strcmp( p, "md" ) == 0 ) + { + if( strcmp( q, "SHA1" ) == 0 ) + opt.md = MBEDTLS_MD_SHA1; + else if( strcmp( q, "SHA256" ) == 0 ) + opt.md = MBEDTLS_MD_SHA256; + else if( strcmp( q, "SHA512" ) == 0 ) + opt.md = MBEDTLS_MD_SHA512; + else if( strcmp( q, "MD5" ) == 0 ) + opt.md = MBEDTLS_MD_MD5; + else + goto usage; + } + else if( strcmp( p, "version" ) == 0 ) + { + opt.version = atoi( q ); + if( opt.version < 1 || opt.version > 3 ) + goto usage; + } else if( strcmp( p, "selfsign" ) == 0 ) { opt.selfsign = atoi( q ); @@ -540,6 +616,9 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Setting certificate values ..." ); fflush( stdout ); + mbedtls_x509write_crt_set_version( &crt, opt.version - 1 ); + mbedtls_x509write_crt_set_md_alg( &crt, opt.md ); + ret = mbedtls_x509write_crt_set_serial( &crt, &serial ); if( ret != 0 ) { @@ -558,49 +637,63 @@ int main( int argc, char *argv[] ) mbedtls_printf( " ok\n" ); - mbedtls_printf( " . Adding the Basic Constraints extension ..." ); - fflush( stdout ); - - ret = mbedtls_x509write_crt_set_basic_constraints( &crt, opt.is_ca, - opt.max_pathlen ); - if( ret != 0 ) + if( opt.version == 3 && opt.basic_constraints ) { - mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! x509write_crt_set_basic_contraints returned -0x%02x - %s\n\n", -ret, buf ); - goto exit; - } + mbedtls_printf( " . Adding the Basic Constraints extension ..." ); + fflush( stdout ); - mbedtls_printf( " ok\n" ); + ret = mbedtls_x509write_crt_set_basic_constraints( &crt, opt.is_ca, + opt.max_pathlen ); + if( ret != 0 ) + { + mbedtls_strerror( ret, buf, 1024 ); + mbedtls_printf( " failed\n ! x509write_crt_set_basic_contraints " + "returned -0x%02x - %s\n\n", -ret, buf ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + } #if defined(MBEDTLS_SHA1_C) - mbedtls_printf( " . Adding the Subject Key Identifier ..." ); - fflush( stdout ); - - ret = mbedtls_x509write_crt_set_subject_key_identifier( &crt ); - if( ret != 0 ) + if( opt.version == 3 && opt.subject_identifier ) { - mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_key_identifier returned -0x%02x - %s\n\n", -ret, buf ); - goto exit; + mbedtls_printf( " . Adding the Subject Key Identifier ..." ); + fflush( stdout ); + + ret = mbedtls_x509write_crt_set_subject_key_identifier( &crt ); + if( ret != 0 ) + { + mbedtls_strerror( ret, buf, 1024 ); + mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject" + "_key_identifier returned -0x%02x - %s\n\n", + -ret, buf ); + goto exit; + } + + mbedtls_printf( " ok\n" ); } - mbedtls_printf( " ok\n" ); - - mbedtls_printf( " . Adding the Authority Key Identifier ..." ); - fflush( stdout ); - - ret = mbedtls_x509write_crt_set_authority_key_identifier( &crt ); - if( ret != 0 ) + if( opt.version == 3 && opt.authority_identifier ) { - mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_authority_key_identifier returned -0x%02x - %s\n\n", -ret, buf ); - goto exit; - } + mbedtls_printf( " . Adding the Authority Key Identifier ..." ); + fflush( stdout ); - mbedtls_printf( " ok\n" ); + ret = mbedtls_x509write_crt_set_authority_key_identifier( &crt ); + if( ret != 0 ) + { + mbedtls_strerror( ret, buf, 1024 ); + mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_authority_" + "key_identifier returned -0x%02x - %s\n\n", + -ret, buf ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + } #endif /* MBEDTLS_SHA1_C */ - if( opt.key_usage ) + if( opt.version == 3 && opt.key_usage ) { mbedtls_printf( " . Adding the Key Usage extension ..." ); fflush( stdout ); @@ -616,7 +709,7 @@ int main( int argc, char *argv[] ) mbedtls_printf( " ok\n" ); } - if( opt.ns_cert_type ) + if( opt.version == 3 && opt.ns_cert_type ) { mbedtls_printf( " . Adding the NS Cert Type extension ..." ); fflush( stdout ); From 418a62242b57248846d9136de89e34ac84a38cad Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 14 Sep 2017 07:51:28 +0100 Subject: [PATCH 15/29] Extend tests/data_files/Makefile to include CRT's for CRT write test --- tests/data_files/Makefile | 74 ++++++++++++++++++- .../server1.cert_type.crt.openssl.v3_ext | 5 ++ .../data_files/server1.cert_type_noauthid.crt | 20 +++++ tests/data_files/server1.crt.openssl.v3_ext | 4 + tests/data_files/server1.csr | 16 ++++ .../server1.key_usage.crt.openssl.v3_ext | 5 ++ .../data_files/server1.key_usage_noauthid.crt | 20 +++++ tests/data_files/server1.noauthid.crt | 19 +++++ tests/data_files/server1_csr.opensslconf | 10 +++ tests/data_files/test-ca.server1.opensslconf | 18 +++++ tests/suites/test_suite_x509write.data | 24 +++++- tests/suites/test_suite_x509write.function | 63 ++++++++++++++-- 12 files changed, 265 insertions(+), 13 deletions(-) create mode 100644 tests/data_files/server1.cert_type.crt.openssl.v3_ext create mode 100644 tests/data_files/server1.cert_type_noauthid.crt create mode 100644 tests/data_files/server1.crt.openssl.v3_ext create mode 100644 tests/data_files/server1.csr create mode 100644 tests/data_files/server1.key_usage.crt.openssl.v3_ext create mode 100644 tests/data_files/server1.key_usage_noauthid.crt create mode 100644 tests/data_files/server1.noauthid.crt create mode 100644 tests/data_files/server1_csr.opensslconf create mode 100644 tests/data_files/test-ca.server1.opensslconf diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index f7826d435..f90654574 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -12,6 +12,7 @@ ## Tools OPENSSL ?= openssl +MBEDTLS_CERT_WRITE ?= $(PWD)/../../programs/x509/cert_write ## Build the generated test data. Note that since the final outputs ## are committed to the repository, this target should do nothing on a @@ -30,6 +31,7 @@ all_final := # files used by tests #### Generate certificates from existing keys ################################################################ +test_ca_crt = test-ca.crt test_ca_key_file_rsa = test-ca.key test_ca_pwd_rsa = PolarSSLTest test_ca_config_file = test-ca.opensslconf @@ -64,7 +66,77 @@ server2-sha256.crt: server2-rsa.csr $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in server2-rsa.csr -out $@ all_final += server2-sha256.crt +### Generate certificates for CRT write check tests +### The test files use the Mbed TLS generated certificates server1*.crt, +### but for comparison with OpenSSL also rules for OpenSSL-generated +### certificates server1*.crt.openssl are offered. +### +### Known differences: +### * OpenSSL encodes trailing zero-bits in bit-strings occurring in X.509 extension +### as unused bits, while Mbed TLS doesn't. +test_ca_server1_db = test-ca.server1.db +test_ca_server1_serial = test-ca.server1.serial +test_ca_server1_config_file = test-ca.server1.opensslconf + +server1.csr: server1.key server1_csr.opensslconf + $(OPENSSL) req -keyform PEM -key server1.key -config server1_csr.opensslconf -out $@ -new +all_final += server1.csr + +server1.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) + $(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 version=3 output_file=$@ +server1.noauthid.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) + $(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20110212144406 not_after=20210212144406 md=SHA1 authority_identifier=0 version=3 output_file=$@ +server1.der: server1.crt + $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@ +all_final += server1.crt server1.noauthid.crt server1.der + +server1.key_usage.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) + $(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 key_usage=digital_signature,non_repudiation,key_encipherment version=3 output_file=$@ +server1.key_usage_noauthid.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) + $(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 key_usage=digital_signature,non_repudiation,key_encipherment authority_identifier=0 version=3 output_file=$@ +server1.key_usage.der: server1.key_usage.crt + $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@ +all_final += server1.key_usage.crt server1.key_usage_noauthid.crt server1.key_usage.der + +server1.cert_type.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) + $(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 ns_cert_type=ssl_server version=3 output_file=$@ +server1.cert_type_noauthid.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) + $(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 ns_cert_type=ssl_server authority_identifier=0 version=3 output_file=$@ +server1.cert_type.der: server1.cert_type.crt + $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@ +all_final += server1.cert_type.crt server1.cert_type_noauthid.crt server1.cert_type.der + +server1.v1.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) + $(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 version=1 output_file=$@ +server1.v1.der: server1.v1.crt + $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@ +all_final += server1.v1.crt server1.v1.der + +# OpenSSL-generated certificates for comparison +# Also provide certificates to DER format to allow +# direct binary comparison using e.g. dumpasn1 +server1.crt.openssl server1.key_usage.crt.openssl server1.cert_type.crt.openssl: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_server1_config_file) + echo "01" > $(test_ca_server1_serial) + rm -f $(test_ca_server1_db) + touch $(test_ca_server1_db) + $(OPENSSL) ca -batch -passin "pass:$(test_ca_pwd_rsa)" -config $(test_ca_server1_config_file) -in server1.csr -extensions v3_ext -extfile $@.v3_ext -out $@ +server1.der.openssl: server1.crt.openssl + $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@ +server1.key_usage.der.openssl: server1.key_usage.crt.openssl + $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@ +server1.cert_type.der.openssl: server1.cert_type.crt.openssl + $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@ + +server1.v1.crt.openssl: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_server1_config_file) + echo "01" > $(test_ca_server1_serial) + rm -f $(test_ca_server1_db) + touch $(test_ca_server1_db) + $(OPENSSL) ca -batch -passin "pass:$(test_ca_pwd_rsa)" -config $(test_ca_server1_config_file) -in server1.csr -out $@ +server1.v1.der.openssl: server1.v1.crt.openssl + $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@ + +server1_all: server1.csr server1.crt server1.noauthid.crt server1.crt.openssl server1.v1.crt server1.v1.crt.openssl server1.key_usage.crt server1.key_usage_noauthid.crt server1.key_usage.crt.openssl server1.cert_type.crt server1.cert_type_noauthid.crt server1.cert_type.crt.openssl server1.der server1.der.openssl server1.v1.der server1.v1.der.openssl server1.key_usage.der server1.key_usage.der.openssl server1.cert_type.der server1.cert_type.der.openssl ################################################################ #### Meta targets @@ -73,7 +145,7 @@ all_final += server2-sha256.crt all_final: $(all_final) all: $(all_intermediate) $(all_final) -.PHONY: default all_final all +.PHONY: default all_final all server1_all # These files should not be committed to the repository. list_intermediate: diff --git a/tests/data_files/server1.cert_type.crt.openssl.v3_ext b/tests/data_files/server1.cert_type.crt.openssl.v3_ext new file mode 100644 index 000000000..bd225ff74 --- /dev/null +++ b/tests/data_files/server1.cert_type.crt.openssl.v3_ext @@ -0,0 +1,5 @@ +[v3_ext] +basicConstraints = CA:false +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +nsCertType=server diff --git a/tests/data_files/server1.cert_type_noauthid.crt b/tests/data_files/server1.cert_type_noauthid.crt new file mode 100644 index 000000000..ed8b80baa --- /dev/null +++ b/tests/data_files/server1.cert_type_noauthid.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMTCCAhmgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/ +uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD +d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf +CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr +lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w +bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB +oz8wPTAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAR +BglghkgBhvhCAQEEBAMCAEAwDQYJKoZIhvcNAQEFBQADggEBABNT+r+6vvlpjtyz +mewrGOKPt5iwb8w2aReJ0AWuyQzTiduN26MhXq93cXHV0pHj2rD7MfiBEwBSWnf9 +FcxkE0g77GVyM9Vs9Uy/MspIqOce7JD0c36G4EI8lYce2TYwQLE9CGNl+LDxqkLy +prijXBl/FaD+IO/SNMr3VVnfFEZqPUxg+BSTaGgD+52Z7B4nPP0xGPjlW367RGDv +9dIkr1thve2WOeC9ixxl9K/864I7/0GdbgKSf77xl3/5vnQUOY7kugRvkvxWIgHS +HNVnmEN2I2Nb0M8lQNF1sFDbpFwVbh9CkBF5LJNesy0VWd67Ho6EntPEb7vBFF/x +jz0b2l4= +-----END CERTIFICATE----- diff --git a/tests/data_files/server1.crt.openssl.v3_ext b/tests/data_files/server1.crt.openssl.v3_ext new file mode 100644 index 000000000..239d56ac2 --- /dev/null +++ b/tests/data_files/server1.crt.openssl.v3_ext @@ -0,0 +1,4 @@ +[v3_ext] +basicConstraints = CA:false +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid diff --git a/tests/data_files/server1.csr b/tests/data_files/server1.csr new file mode 100644 index 000000000..804c4a551 --- /dev/null +++ b/tests/data_files/server1.csr @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow +GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ +ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ +HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF +W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs +FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/ +DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBCwUA +A4IBAQBY/1nnYQ3ThVyeZb1Z2wLYoHZ5rfeJCedyP7N/gjJZjhrMbwioUft2uHpb ++OZQfxRXJTbtj/1wpRMCoUMLWzapS7/xGx3IjoPtl42aM4M+xVYvbLjExL13kUAr +eE4JWcMIbTEPol2zSdX/LuB+m27jEp5VsvM2ty9qOw/T4iKwjFSe6pcYZ2spks19 +3ltgjnaamwqKcN9zUA3IERTsWjr5exKYgfXm2OeeuSP0tHr7Dh+w/2XA9dGcLhrm +TA4P8QjIgSDlyzmhYYmsrioFPuCfdi1uzs8bxmbLXbiCGZ8TDMy5oLqLo1K+j2pF +ox+ATHKxQ/XpRQP+2OTb9sw1kM59 +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server1.key_usage.crt.openssl.v3_ext b/tests/data_files/server1.key_usage.crt.openssl.v3_ext new file mode 100644 index 000000000..e255027ee --- /dev/null +++ b/tests/data_files/server1.key_usage.crt.openssl.v3_ext @@ -0,0 +1,5 @@ +[v3_ext] +basicConstraints = CA:false +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +keyUsage=critical, digitalSignature, nonRepudiation, keyEncipherment diff --git a/tests/data_files/server1.key_usage_noauthid.crt b/tests/data_files/server1.key_usage_noauthid.crt new file mode 100644 index 000000000..d66e51535 --- /dev/null +++ b/tests/data_files/server1.key_usage_noauthid.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDLjCCAhagAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/ +uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD +d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf +CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr +lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w +bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB +ozwwOjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAO +BgNVHQ8BAf8EBAMCAeAwDQYJKoZIhvcNAQEFBQADggEBAJZRIISo4+rDvHXXaS43 +shfSkyJyur588mNJFzty1WVfhaIkwjMIGHeGlHS29fwgPsBUgelZ3Qv3J7wsm42+ +3BwQet0l36FIBIJtFhcrTGlaCFUo/5bZJUPGgiOFB9ec/8lOszVlX8cH34UimWqg +q2wXRGoXWPbuRnUWlJhI2bAv5ri9Mt7Rs4nK4wyS1ZjC8ByXMn4tk3yMjkUEqu0o +37zoQiF+FJApu0eTKK5goA2hisyfCX9eJMppAbcyvJwoj/AmiBkXW8J3kEMJtLmZ +VoxXYknnXumxBLxUrGuamR/3cmbaJHIHE1Dqox7hB+9miyp4lue1/uXHCocGAIeF +JTo= +-----END CERTIFICATE----- diff --git a/tests/data_files/server1.noauthid.crt b/tests/data_files/server1.noauthid.crt new file mode 100644 index 000000000..99c004f62 --- /dev/null +++ b/tests/data_files/server1.noauthid.crt @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDHjCCAgagAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/ +uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD +d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf +CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr +lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w +bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB +oywwKjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAN +BgkqhkiG9w0BAQUFAAOCAQEAUMDKviuchRc4ICoVwi9LFyfQjxFQLgjnX1UYSqc5 +UptiJsDpbJ+TMbOhNBs7YRV7ju61J33ax1fqgcFWkc2M2Vsqzz9+3zJlQoQuOLxH +5C6v5/rhUEV9HMy3K5SIa/BVem9osWvMwDnB8g5k3wCZAnOuFcT6ttvzRqz6Oh9d +avozrYHsATzPXBal41Gf95cNVcJ1pn/JgE4EOijMqmAPldVbCqfXLl6TB0nJS6dm +q9z73DGrVQlOwmCVI+qD2POJI67LuQ0g6Y0WVMxsWilMppt+UrEknMzk4O4qOaUs +1B20vI/bN4XPDnw58psazdoBxFL+fAk5MbTNKETNHjBsIg== +-----END CERTIFICATE----- diff --git a/tests/data_files/server1_csr.opensslconf b/tests/data_files/server1_csr.opensslconf new file mode 100644 index 000000000..6e7075ea6 --- /dev/null +++ b/tests/data_files/server1_csr.opensslconf @@ -0,0 +1,10 @@ +[ req ] +distinguished_name = req_distinguished_name +prompt = no +# Restrict to non-UTF8 PrintableStrings. +string_mask = nombstr + +[ req_distinguished_name ] +C = NL +O = PolarSSL +CN = PolarSSL Server 1 diff --git a/tests/data_files/test-ca.server1.opensslconf b/tests/data_files/test-ca.server1.opensslconf new file mode 100644 index 000000000..4a5072eae --- /dev/null +++ b/tests/data_files/test-ca.server1.opensslconf @@ -0,0 +1,18 @@ + [ ca ] + default_ca = test-ca + + [ test-ca ] + certificate = test-ca.crt + private_key = test-ca.key + serial = test-ca.server1.serial + default_md = sha1 + default_startdate = 110212144406Z + default_enddate = 210212144406Z + new_certs_dir = ./ + database = ./test-ca.server1.db + policy = policy_match + + [policy_match] + countryName = supplied + organizationName = supplied + commonName = supplied diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index d4d2a98ce..5b54d8588 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -44,19 +44,35 @@ x509_csr_check:"data_files/server5.key":"data_files/server5.req.ku.sha1":MBEDTLS Certificate write check Server1 SHA1 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:-1:"data_files/server1.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:1:-1:"data_files/server1.crt":0 Certificate write check Server1 SHA1, key_usage depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:-1:"data_files/server1.key_usage.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:1:-1:"data_files/server1.key_usage.crt":0 Certificate write check Server1 SHA1, ns_cert_type depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:-1:"data_files/server1.cert_type.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:-1:"data_files/server1.cert_type.crt":0 Certificate write check Server1 SHA1, version 1 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0 + +Certificate write check Server1 SHA1, RSA_ALT +depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:-1:"data_files/server1.noauthid.crt":1 + +Certificate write check Server1 SHA1, RSA_ALT, key_usage +depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1 + +Certificate write check Server1 SHA1, RSA_ALT, ns_cert_type +depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:0:-1:"data_files/server1.cert_type_noauthid.crt":1 + +Certificate write check Server1 SHA1, RSA_ALT, version 1 +depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1 X509 String to Names #1 mbedtls_x509_string_to_names:"C=NL,O=Offspark\, Inc., OU=PolarSSL":"C=NL, O=Offspark, Inc., OU=PolarSSL":0 diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 89be31f9a..0b6e60220 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -3,6 +3,30 @@ #include "mbedtls/x509_csr.h" #include "mbedtls/pem.h" #include "mbedtls/oid.h" +#include "mbedtls/rsa.h" + +#if defined(MBEDTLS_RSA_C) +int mbedtls_rsa_decrypt_func( void *ctx, int mode, size_t *olen, + const unsigned char *input, unsigned char *output, + size_t output_max_len ) +{ + return( mbedtls_rsa_pkcs1_decrypt( (mbedtls_rsa_context *) ctx, NULL, NULL, mode, olen, + input, output, output_max_len ) ); +} +int mbedtls_rsa_sign_func( void *ctx, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, + int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, + const unsigned char *hash, unsigned char *sig ) +{ + return( mbedtls_rsa_pkcs1_sign( (mbedtls_rsa_context *) ctx, f_rng, p_rng, mode, + md_alg, hashlen, hash, sig ) ); +} +size_t mbedtls_rsa_key_len_func( void *ctx ) +{ + return( ((const mbedtls_rsa_context *) ctx)->len ); +} +#endif /* MBEDTLS_RSA_C */ + /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -75,10 +99,12 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, char *subject_name, char *issuer_key_file, char *issuer_pwd, char *issuer_name, char *serial_str, char *not_before, char *not_after, - int md_type, int key_usage, int cert_type, int ver, - char *cert_check_file ) + int md_type, int key_usage, int cert_type, int auth_ident, + int ver, char *cert_check_file, int rsa_alt ) { - mbedtls_pk_context subject_key, issuer_key; + mbedtls_pk_context subject_key, issuer_key, issuer_key_alt; + mbedtls_pk_context *key = &issuer_key; + mbedtls_x509write_cert crt; unsigned char buf[4096]; unsigned char check_buf[5000]; @@ -91,18 +117,36 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, memset( &rnd_info, 0x2a, sizeof( rnd_pseudo_info ) ); mbedtls_mpi_init( &serial ); + mbedtls_pk_init( &subject_key ); - mbedtls_pk_init( &issuer_key ); + mbedtls_pk_init( &issuer_key ); + mbedtls_pk_init( &issuer_key_alt ); + + mbedtls_x509write_crt_init( &crt ); TEST_ASSERT( mbedtls_pk_parse_keyfile( &subject_key, subject_key_file, subject_pwd ) == 0 ); + TEST_ASSERT( mbedtls_pk_parse_keyfile( &issuer_key, issuer_key_file, issuer_pwd ) == 0 ); + + /* For RSA PK contexts, create a copy as an alternative RSA context. */ + if( rsa_alt == 1 && mbedtls_pk_get_type( &issuer_key ) == MBEDTLS_PK_RSA ) + { + TEST_ASSERT( mbedtls_pk_setup_rsa_alt( &issuer_key_alt, + mbedtls_pk_rsa( issuer_key ), + mbedtls_rsa_decrypt_func, + mbedtls_rsa_sign_func, + mbedtls_rsa_key_len_func ) == 0 ); + + key = &issuer_key_alt; + } + TEST_ASSERT( mbedtls_mpi_read_string( &serial, 10, serial_str ) == 0 ); - mbedtls_x509write_crt_init( &crt ); if( ver != -1 ) mbedtls_x509write_crt_set_version( &crt, ver ); + TEST_ASSERT( mbedtls_x509write_crt_set_serial( &crt, &serial ) == 0 ); TEST_ASSERT( mbedtls_x509write_crt_set_validity( &crt, not_before, not_after ) == 0 ); @@ -110,13 +154,15 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, TEST_ASSERT( mbedtls_x509write_crt_set_issuer_name( &crt, issuer_name ) == 0 ); TEST_ASSERT( mbedtls_x509write_crt_set_subject_name( &crt, subject_name ) == 0 ); mbedtls_x509write_crt_set_subject_key( &crt, &subject_key ); - mbedtls_x509write_crt_set_issuer_key( &crt, &issuer_key ); + + mbedtls_x509write_crt_set_issuer_key( &crt, key ); if( crt.version >= MBEDTLS_X509_CRT_VERSION_3 ) { TEST_ASSERT( mbedtls_x509write_crt_set_basic_constraints( &crt, 0, 0 ) == 0 ); TEST_ASSERT( mbedtls_x509write_crt_set_subject_key_identifier( &crt ) == 0 ); - TEST_ASSERT( mbedtls_x509write_crt_set_authority_key_identifier( &crt ) == 0 ); + if( auth_ident ) + TEST_ASSERT( mbedtls_x509write_crt_set_authority_key_identifier( &crt ) == 0 ); if( key_usage != 0 ) TEST_ASSERT( mbedtls_x509write_crt_set_key_usage( &crt, key_usage ) == 0 ); if( cert_type != 0 ) @@ -151,8 +197,9 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, exit: mbedtls_x509write_crt_free( &crt ); - mbedtls_pk_free( &issuer_key ); + mbedtls_pk_free( &issuer_key_alt ); mbedtls_pk_free( &subject_key ); + mbedtls_pk_free( &issuer_key ); mbedtls_mpi_free( &serial ); } /* END_CASE */ From fc7714480207fa19b3b7e4161e89dd6028e50b52 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 13 Sep 2017 08:45:48 +0100 Subject: [PATCH 16/29] Fix extraction of signature-type from PK context instance --- library/x509write_crt.c | 10 ++++++++-- library/x509write_csr.c | 21 ++++++++++++++------- 2 files changed, 22 insertions(+), 9 deletions(-) diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 4d674abcf..0e5827e85 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -313,9 +313,15 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, c = tmp_buf + sizeof( tmp_buf ); /* Signature algorithm needed in TBS, and later for actual signature */ - pk_alg = mbedtls_pk_get_type( ctx->issuer_key ); - if( pk_alg == MBEDTLS_PK_ECKEY ) + + /* There's no direct way of extracting a signature algorithm + * (represented as an element of mbedtls_pk_type_t) from a PK instance. */ + if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_RSA ) ) + pk_alg = MBEDTLS_PK_RSA; + else if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_ECDSA ) ) pk_alg = MBEDTLS_PK_ECDSA; + else + pk_alg = MBEDTLS_PK_NONE; if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg, &sig_oid, &sig_oid_len ) ) != 0 ) diff --git a/library/x509write_csr.c b/library/x509write_csr.c index 8fd856b2a..fd22c2890 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -194,14 +194,21 @@ int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, s */ mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash ); - pk_alg = mbedtls_pk_get_type( ctx->key ); - if( pk_alg == MBEDTLS_PK_ECKEY ) - pk_alg = MBEDTLS_PK_ECDSA; - if( ( ret = mbedtls_pk_sign( ctx->key, ctx->md_alg, hash, 0, sig, &sig_len, - f_rng, p_rng ) ) != 0 || - ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg, - &sig_oid, &sig_oid_len ) ) != 0 ) + f_rng, p_rng ) ) != 0 ) + { + return( ret ); + } + + if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_RSA ) ) + pk_alg = MBEDTLS_PK_RSA; + else if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_ECDSA ) ) + pk_alg = MBEDTLS_PK_ECDSA; + else + pk_alg = MBEDTLS_PK_NONE; + + if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg, + &sig_oid, &sig_oid_len ) ) != 0 ) { return( ret ); } From d7f3520360d37080dc3a44ec4b7c0a370aea8a3b Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 13 Sep 2017 12:00:15 +0100 Subject: [PATCH 17/29] Don't add extensions for X.509 non-v3 certificates This commit removes extension-writing code for X.509 non-v3 certificates from mbedtls_x509write_crt_der. Previously, even if no extensions were present an empty sequence would have been added. --- library/x509write_crt.c | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 0e5827e85..c970b6ff0 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -332,13 +332,18 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, /* * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension */ - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | - MBEDTLS_ASN1_CONSTRUCTED | 3 ) ); + + /* Only for v3 */ + if( ctx->version == 2 ) + { + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | + MBEDTLS_ASN1_CONSTRUCTED | 3 ) ); + } /* * SubjectPublicKeyInfo From 476986547b5658657749017be6b0754220f66130 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 13 Sep 2017 11:59:26 +0100 Subject: [PATCH 18/29] Omit version from X.509 v1 certificates The version field in an X.509 certificate is optional and defaults to v1, so it may be omitted in this case. --- library/x509write_crt.c | 19 ++++++++++++------- tests/data_files/server1.v1.crt | 32 ++++++++++++++++---------------- 2 files changed, 28 insertions(+), 23 deletions(-) diff --git a/library/x509write_crt.c b/library/x509write_crt.c index c970b6ff0..8e4bc35b4 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -395,16 +395,21 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, /* * Version ::= INTEGER { v1(0), v2(1), v3(2) } */ - sub_len = 0; - MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) ); - len += sub_len; - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | - MBEDTLS_ASN1_CONSTRUCTED | 0 ) ); + + /* Can be omitted for v1 */ + if( ctx->version > 0 ) + { + sub_len = 0; + MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) ); + len += sub_len; + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | + MBEDTLS_ASN1_CONSTRUCTED | 0 ) ); + } MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE ) ); + MBEDTLS_ASN1_SEQUENCE ) ); /* * Make signature diff --git a/tests/data_files/server1.v1.crt b/tests/data_files/server1.v1.crt index 0a4b2a5cc..b13be4351 100644 --- a/tests/data_files/server1.v1.crt +++ b/tests/data_files/server1.v1.crt @@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC9DCCAdygAwIBAAIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER -MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN -MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN -BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/ -uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD -d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf -CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr -lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w -bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB -owIwADANBgkqhkiG9w0BAQUFAAOCAQEAoZVuVi7bIslKgMJhejSFXiO+ICMz1fmK -b0tPN68mRYhI/gsjRT0cmX6GUNrg+U5mcBWhMwHgyvx1CARU4YToKZxcXGNL0DPd -Z1hF8nCrJCZBQvNuWE7s0ufw92xz5ZfuKkVxi94RYR529F6gzgl4rpX8UQVu2ym/ -9pTlHKr4MKi9LNppyJMS89uRcb2FJFMdhAKbhNtbIjI9qGZ7x//0belAaWhq389u -6XWFnZt35PU6Zz6YbAQ5pjZYsTaohuufgrpOlFPUuc4uR+RfGHIQ6id12lZaQC2m -OFIBDcU0x1cFfPfMgVdBLf6klPt/v/tD77mwx0eztSp28NIf+ACw8A== +MIIC6zCCAdMCAQEwDQYJKoZIhvcNAQEFBQAwOzELMAkGA1UEBhMCTkwxETAPBgNV +BAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4XDTExMDIx +MjE0NDQwNloXDTIxMDIxMjE0NDQwNlowPDELMAkGA1UEBhMCTkwxETAPBgNVBAoT +CFBvbGFyU1NMMRowGAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb +7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJ +BEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8Yw +fhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5B +Xhem2mxbacwCuhQsFiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1Y +ieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAATANBgkq +hkiG9w0BAQUFAAOCAQEAPMRfR9ql7b06b5DdNyJhD96lBzuVSUOW2MgVHT2Vs7NB +tk5L1htpA5N4uaIeyt6YM0xU0nHdHUKaywNcDiXcnzvRoctGWiWdpcEvdA0rYRF5 +T4MGPpjEuLJcG3aTU8mV8wUEbrY6IEnSpC1G9iasjhkwAF7pb/Ic8+/riwmPD/Fh +zBrRfBCgi5VXbX9IvY+yQHRVRal8y+n4eh9/hFxBKDbvuidFropGzcuparEwCIRi +U7L/7aZ3A5wsQp9GPDliSjpeYCf5tok/bvjG4xU041pGQ7yVNpu2mEIoqDz9v+Ay +IKqsWradEnFG/1ov78a2RB+2+iIPE4iCDtmKUkgPjQ== -----END CERTIFICATE----- From 81535d00115cbe3d8474c85cdaf71ec1e61cd267 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 13 Sep 2017 15:39:59 +0100 Subject: [PATCH 19/29] Minor style and typo corrections --- library/x509write_crt.c | 14 +- library/x509write_csr.c | 4 +- programs/x509/cert_write.c | 161 ++++++++++++--------- tests/data_files/Makefile | 2 +- tests/suites/test_suite_x509write.function | 16 +- 5 files changed, 107 insertions(+), 90 deletions(-) diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 8e4bc35b4..0611cc847 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -51,7 +51,7 @@ static void mbedtls_zeroize( void *v, size_t n ) { void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx ) { - memset( ctx, 0, sizeof(mbedtls_x509write_cert) ); + memset( ctx, 0, sizeof( mbedtls_x509write_cert ) ); mbedtls_mpi_init( &ctx->serial ); ctx->version = MBEDTLS_X509_CRT_VERSION_3; @@ -65,7 +65,7 @@ void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx ) mbedtls_asn1_free_named_data_list( &ctx->issuer ); mbedtls_asn1_free_named_data_list( &ctx->extensions ); - mbedtls_zeroize( ctx, sizeof(mbedtls_x509write_cert) ); + mbedtls_zeroize( ctx, sizeof( mbedtls_x509write_cert ) ); } void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version ) @@ -193,14 +193,14 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * { int ret; unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */ - unsigned char *c = buf + sizeof(buf); + unsigned char *c = buf + sizeof( buf ); size_t len = 0; memset( buf, 0, sizeof(buf) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->issuer_key ) ); - mbedtls_sha1( buf + sizeof(buf) - len, len, buf + sizeof(buf) - 20 ); - c = buf + sizeof(buf) - 20; + mbedtls_sha1( buf + sizeof( buf ) - len, len, buf + sizeof( buf ) - 20 ); + c = buf + sizeof( buf ) - 20; len = 20; MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); @@ -212,7 +212,7 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER, MBEDTLS_OID_SIZE( MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ), - 0, buf + sizeof(buf) - len, len ); + 0, buf + sizeof( buf ) - len, len ); } #endif /* MBEDTLS_SHA1_C */ @@ -324,7 +324,7 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, pk_alg = MBEDTLS_PK_NONE; if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg, - &sig_oid, &sig_oid_len ) ) != 0 ) + &sig_oid, &sig_oid_len ) ) != 0 ) { return( ret ); } diff --git a/library/x509write_csr.c b/library/x509write_csr.c index fd22c2890..da40eb5c1 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -50,7 +50,7 @@ static void mbedtls_zeroize( void *v, size_t n ) { void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx ) { - memset( ctx, 0, sizeof(mbedtls_x509write_csr) ); + memset( ctx, 0, sizeof( mbedtls_x509write_csr ) ); } void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx ) @@ -58,7 +58,7 @@ void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx ) mbedtls_asn1_free_named_data_list( &ctx->subject ); mbedtls_asn1_free_named_data_list( &ctx->extensions ); - mbedtls_zeroize( ctx, sizeof(mbedtls_x509write_csr) ); + mbedtls_zeroize( ctx, sizeof( mbedtls_x509write_csr ) ); } void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg ) diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index 45fd059b0..6504dcd62 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -60,9 +60,9 @@ int main( void ) #if defined(MBEDTLS_X509_CSR_PARSE_C) #define USAGE_CSR \ - " request_file=%%s default: (empty)\n" \ - " If request_file is specified, subject_key,\n" \ - " subject_pwd and subject_name are ignored!\n" + " request_file=%%s default: (empty)\n" \ + " If request_file is specified, subject_key,\n" \ + " subject_pwd and subject_name are ignored!\n" #else #define USAGE_CSR "" #endif /* MBEDTLS_X509_CSR_PARSE_C */ @@ -94,60 +94,60 @@ int main( void ) "\n usage: cert_write param=<>...\n" \ "\n acceptable parameters:\n" \ USAGE_CSR \ - " subject_key=%%s default: subject.key\n" \ - " subject_pwd=%%s default: (empty)\n" \ - " subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \ + " subject_key=%%s default: subject.key\n" \ + " subject_pwd=%%s default: (empty)\n" \ + " subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \ "\n" \ - " issuer_crt=%%s default: (empty)\n" \ - " If issuer_crt is specified, issuer_name is\n" \ - " ignored!\n" \ - " issuer_name=%%s default: CN=CA,O=mbed TLS,C=UK\n" \ + " issuer_crt=%%s default: (empty)\n" \ + " If issuer_crt is specified, issuer_name is\n" \ + " ignored!\n" \ + " issuer_name=%%s default: CN=CA,O=mbed TLS,C=UK\n" \ "\n" \ - " selfsign=%%d default: 0 (false)\n" \ - " If selfsign is enabled, issuer_name and\n" \ - " issuer_key are required (issuer_crt and\n" \ - " subject_* are ignored\n" \ - " issuer_key=%%s default: ca.key\n" \ - " issuer_pwd=%%s default: (empty)\n" \ - " output_file=%%s default: cert.crt\n" \ - " serial=%%s default: 1\n" \ - " not_before=%%s default: 20010101000000\n"\ - " not_after=%%s default: 20301231235959\n"\ - " is_ca=%%d default: 0 (disabled)\n" \ - " max_pathlen=%%d default: -1 (none)\n" \ - " md=%%s default: SHA256\n" \ - " Supported values:\n" \ - " MD5, SHA1, SHA256, SHA512\n"\ - " version=%%d default: 3\n" \ - " Possible values: 1, 2, 3\n"\ - " subject_identifier default: 1\n" \ - " Possible values: 0, 1\n" \ - " (Considered for v3 only)\n"\ - " authority_identifier default: 1\n" \ - " Possible values: 0, 1\n" \ - " (Considered for v3 only)\n"\ - " basic_constraints default: 1\n" \ - " Possible values: 0, 1\n" \ - " (Considered for v3 only)\n"\ - " key_usage=%%s default: (empty)\n" \ - " Comma-separated-list of values:\n" \ - " digital_signature\n" \ - " non_repudiation\n" \ - " key_encipherment\n" \ - " data_encipherment\n" \ - " key_agreement\n" \ - " key_cert_sign\n" \ - " crl_sign\n" \ - " (Considered for v3 only)\n"\ - " ns_cert_type=%%s default: (empty)\n" \ - " Comma-separated-list of values:\n" \ - " ssl_client\n" \ - " ssl_server\n" \ - " email\n" \ - " object_signing\n" \ - " ssl_ca\n" \ - " email_ca\n" \ - " object_signing_ca\n" \ + " selfsign=%%d default: 0 (false)\n" \ + " If selfsign is enabled, issuer_name and\n" \ + " issuer_key are required (issuer_crt and\n" \ + " subject_* are ignored\n" \ + " issuer_key=%%s default: ca.key\n" \ + " issuer_pwd=%%s default: (empty)\n" \ + " output_file=%%s default: cert.crt\n" \ + " serial=%%s default: 1\n" \ + " not_before=%%s default: 20010101000000\n"\ + " not_after=%%s default: 20301231235959\n"\ + " is_ca=%%d default: 0 (disabled)\n" \ + " max_pathlen=%%d default: -1 (none)\n" \ + " md=%%s default: SHA256\n" \ + " Supported values:\n" \ + " MD5, SHA1, SHA256, SHA512\n"\ + " version=%%d default: 3\n" \ + " Possible values: 1, 2, 3\n"\ + " subject_identifier=%%s default: 1\n" \ + " Possible values: 0, 1\n" \ + " (Considered for v3 only)\n"\ + " authority_identifier=%%s default: 1\n" \ + " Possible values: 0, 1\n" \ + " (Considered for v3 only)\n"\ + " basic_constraints=%%d default: 1\n" \ + " Possible values: 0, 1\n" \ + " (Considered for v3 only)\n"\ + " key_usage=%%s default: (empty)\n" \ + " Comma-separated-list of values:\n" \ + " digital_signature\n" \ + " non_repudiation\n" \ + " key_encipherment\n" \ + " data_encipherment\n" \ + " key_agreement\n" \ + " key_cert_sign\n" \ + " crl_sign\n" \ + " (Considered for v3 only)\n"\ + " ns_cert_type=%%s default: (empty)\n" \ + " Comma-separated-list of values:\n" \ + " ssl_client\n" \ + " ssl_server\n" \ + " email\n" \ + " object_signing\n" \ + " ssl_ca\n" \ + " email_ca\n" \ + " object_signing_ca\n" \ "\n" /* @@ -189,7 +189,8 @@ int write_certificate( mbedtls_x509write_cert *crt, const char *output_file, size_t len = 0; memset( output_buf, 0, 4096 ); - if( ( ret = mbedtls_x509write_crt_pem( crt, output_buf, 4096, f_rng, p_rng ) ) < 0 ) + if( ( ret = mbedtls_x509write_crt_pem( crt, output_buf, 4096, + f_rng, p_rng ) ) < 0 ) return( ret ); len = strlen( (char *) output_buf ); @@ -452,7 +453,8 @@ int main( int argc, char *argv[] ) strlen( pers ) ) ) != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d - %s\n", ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d - %s\n", + ret, buf ); goto exit; } @@ -466,7 +468,8 @@ int main( int argc, char *argv[] ) if( ( ret = mbedtls_mpi_read_string( &serial, 10, opt.serial ) ) != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_mpi_read_string returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_mpi_read_string " + "returned -0x%02x - %s\n\n", -ret, buf ); goto exit; } @@ -485,7 +488,8 @@ int main( int argc, char *argv[] ) if( ( ret = mbedtls_x509_crt_parse_file( &issuer_crt, opt.issuer_crt ) ) != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file " + "returned -0x%02x - %s\n\n", -ret, buf ); goto exit; } @@ -494,7 +498,8 @@ int main( int argc, char *argv[] ) if( ret < 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets " + "returned -0x%02x - %s\n\n", -ret, buf ); goto exit; } @@ -517,7 +522,8 @@ int main( int argc, char *argv[] ) if( ( ret = mbedtls_x509_csr_parse_file( &csr, opt.request_file ) ) != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509_csr_parse_file returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_x509_csr_parse_file " + "returned -0x%02x - %s\n\n", -ret, buf ); goto exit; } @@ -526,7 +532,8 @@ int main( int argc, char *argv[] ) if( ret < 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets " + "returned -0x%02x - %s\n\n", -ret, buf ); goto exit; } @@ -550,7 +557,8 @@ int main( int argc, char *argv[] ) if( ret != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile " + "returned -0x%02x - %s\n\n", -ret, buf ); goto exit; } @@ -565,7 +573,8 @@ int main( int argc, char *argv[] ) if( ret != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile returned -x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile " + "returned -x%02x - %s\n\n", -ret, buf ); goto exit; } @@ -579,7 +588,8 @@ int main( int argc, char *argv[] ) mbedtls_mpi_cmp_mpi( &mbedtls_pk_rsa( issuer_crt.pk )->E, &mbedtls_pk_rsa( *issuer_key )->E ) != 0 ) { - mbedtls_printf( " failed\n ! issuer_key does not match issuer certificate\n\n" ); + mbedtls_printf( " failed\n ! issuer_key does not match " + "issuer certificate\n\n" ); ret = -1; goto exit; } @@ -602,14 +612,16 @@ int main( int argc, char *argv[] ) if( ( ret = mbedtls_x509write_crt_set_subject_name( &crt, opt.subject_name ) ) != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_name returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_name " + "returned -0x%02x - %s\n\n", -ret, buf ); goto exit; } if( ( ret = mbedtls_x509write_crt_set_issuer_name( &crt, opt.issuer_name ) ) != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_issuer_name returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_issuer_name " + "returned -0x%02x - %s\n\n", -ret, buf ); goto exit; } @@ -623,7 +635,8 @@ int main( int argc, char *argv[] ) if( ret != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_serial returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_serial " + "returned -0x%02x - %s\n\n", -ret, buf ); goto exit; } @@ -631,7 +644,8 @@ int main( int argc, char *argv[] ) if( ret != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_validity returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_validity " + "returned -0x%02x - %s\n\n", -ret, buf ); goto exit; } @@ -702,7 +716,8 @@ int main( int argc, char *argv[] ) if( ret != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_key_usage returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_key_usage " + "returned -0x%02x - %s\n\n", -ret, buf ); goto exit; } @@ -718,7 +733,8 @@ int main( int argc, char *argv[] ) if( ret != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ns_cert_type returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ns_cert_type " + "returned -0x%02x - %s\n\n", -ret, buf ); goto exit; } @@ -735,7 +751,8 @@ int main( int argc, char *argv[] ) mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! write_certifcate -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! write_certificate -0x%02x - %s\n\n", + -ret, buf ); goto exit; } diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index f90654574..3bd2c3591 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -114,7 +114,7 @@ server1.v1.der: server1.v1.crt all_final += server1.v1.crt server1.v1.der # OpenSSL-generated certificates for comparison -# Also provide certificates to DER format to allow +# Also provide certificates in DER format to allow # direct binary comparison using e.g. dumpasn1 server1.crt.openssl server1.key_usage.crt.openssl server1.cert_type.crt.openssl: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_server1_config_file) echo "01" > $(test_ca_server1_serial) diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 0b6e60220..ca76e861d 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -63,7 +63,7 @@ void x509_csr_check( char *key_file, char *cert_req_check_file, if( cert_type != 0 ) TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 ); - ret = mbedtls_x509write_csr_pem( &req, buf, sizeof(buf), + ret = mbedtls_x509write_csr_pem( &req, buf, sizeof( buf ), rnd_pseudo_rand, &rnd_info ); TEST_ASSERT( ret == 0 ); @@ -149,7 +149,7 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, TEST_ASSERT( mbedtls_x509write_crt_set_serial( &crt, &serial ) == 0 ); TEST_ASSERT( mbedtls_x509write_crt_set_validity( &crt, not_before, - not_after ) == 0 ); + not_after ) == 0 ); mbedtls_x509write_crt_set_md_alg( &crt, md_type ); TEST_ASSERT( mbedtls_x509write_crt_set_issuer_name( &crt, issuer_name ) == 0 ); TEST_ASSERT( mbedtls_x509write_crt_set_subject_name( &crt, subject_name ) == 0 ); @@ -169,30 +169,30 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, TEST_ASSERT( mbedtls_x509write_crt_set_ns_cert_type( &crt, cert_type ) == 0 ); } - ret = mbedtls_x509write_crt_pem( &crt, buf, sizeof(buf), - rnd_pseudo_rand, &rnd_info ); + ret = mbedtls_x509write_crt_pem( &crt, buf, sizeof( buf ), + rnd_pseudo_rand, &rnd_info ); TEST_ASSERT( ret == 0 ); pem_len = strlen( (char *) buf ); f = fopen( cert_check_file, "r" ); TEST_ASSERT( f != NULL ); - olen = fread( check_buf, 1, sizeof(check_buf), f ); + olen = fread( check_buf, 1, sizeof( check_buf ), f ); fclose( f ); - TEST_ASSERT( olen < sizeof(check_buf) ); + TEST_ASSERT( olen < sizeof( check_buf ) ); TEST_ASSERT( olen >= pem_len - 1 ); TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 ); der_len = mbedtls_x509write_crt_der( &crt, buf, sizeof( buf ), - rnd_pseudo_rand, &rnd_info ); + rnd_pseudo_rand, &rnd_info ); TEST_ASSERT( der_len >= 0 ); if( der_len == 0 ) goto exit; ret = mbedtls_x509write_crt_der( &crt, buf, (size_t)( der_len - 1 ), - rnd_pseudo_rand, &rnd_info ); + rnd_pseudo_rand, &rnd_info ); TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); exit: From d4a872ee678ece252f052087564eb69c62871782 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 7 Sep 2017 08:09:33 +0100 Subject: [PATCH 20/29] Rename internal MBEDTLS_ENTROPY_HAVE_STRONG to ENTROPY_HAVE_STRONG This commit renames the test-only flag MBEDTLS_ENTROPY_HAVE_STRONG to ENTROPY_HAVE_STRONG to make it more transparent that it's an internal flag, and also to content the testscript tests/scripts/check-names.pl which previously complained about the macro occurring in a comment in `entropy.c` without being defined in a library file. --- library/entropy.c | 2 +- tests/suites/helpers.function | 2 +- tests/suites/test_suite_entropy.function | 6 +++--- tests/suites/test_suite_rsa.function | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/library/entropy.c b/library/entropy.c index 10449b8d0..7c0915676 100644 --- a/library/entropy.c +++ b/library/entropy.c @@ -83,7 +83,7 @@ void mbedtls_entropy_init( mbedtls_entropy_context *ctx ) mbedtls_havege_init( &ctx->havege_data ); #endif - /* Reminder: Update MBEDTLS_ENTROPY_HAVE_STRONG in the test files + /* Reminder: Update ENTROPY_HAVE_STRONG in the test files * when adding more strong entropy sources here. */ #if defined(MBEDTLS_TEST_NULL_ENTROPY) diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function index 39cd3c768..d36746789 100644 --- a/tests/suites/helpers.function +++ b/tests/suites/helpers.function @@ -113,7 +113,7 @@ static int test_errors = 0; defined(MBEDTLS_HAVEGE_C) || \ defined(MBEDTLS_ENTROPY_HARDWARE_ALT) || \ defined(ENTROPY_NV_SEED) ) ) -#define MBEDTLS_ENTROPY_HAVE_STRONG +#define ENTROPY_HAVE_STRONG #endif diff --git a/tests/suites/test_suite_entropy.function b/tests/suites/test_suite_entropy.function index 7983c767e..2bab796d1 100644 --- a/tests/suites/test_suite_entropy.function +++ b/tests/suites/test_suite_entropy.function @@ -163,7 +163,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_HAVE_STRONG */ +/* BEGIN_CASE depends_on:ENTROPY_HAVE_STRONG */ void entropy_func_len( int len, int ret ) { mbedtls_entropy_context ctx; @@ -224,7 +224,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_HAVE_STRONG */ +/* BEGIN_CASE depends_on:ENTROPY_HAVE_STRONG */ void entropy_threshold( int threshold, int chunk_size, int result ) { mbedtls_entropy_context ctx; @@ -377,7 +377,7 @@ void entropy_nv_seed( char *read_seed_str ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_HAVE_STRONG:MBEDTLS_SELF_TEST */ +/* BEGIN_CASE depends_on:ENTROPY_HAVE_STRONG:MBEDTLS_SELF_TEST */ void entropy_selftest( int result ) { TEST_ASSERT( mbedtls_entropy_self_test( 1 ) == result ); diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index f41b14cc3..270e2d989 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -659,7 +659,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CTR_DRBG_C:MBEDTLS_ENTROPY_C:MBEDTLS_ENTROPY_HAVE_STRONG */ +/* BEGIN_CASE depends_on:MBEDTLS_CTR_DRBG_C:MBEDTLS_ENTROPY_C:ENTROPY_HAVE_STRONG */ void mbedtls_rsa_gen_key( int nrbits, int exponent, int result) { mbedtls_rsa_context ctx; From e1b1d0af8ea5049e062f83e0411a5f22e35a81f1 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 22 Sep 2017 15:35:16 +0100 Subject: [PATCH 21/29] Fix senseless comment --- programs/x509/cert_write.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index 6504dcd62..bc38be280 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -170,8 +170,8 @@ struct options int selfsign; /* selfsign the certificate */ int is_ca; /* is a CA certificate */ int max_pathlen; /* maximum CA path length */ - int authority_identifier; /* add authority identifier id to CRT */ - int subject_identifier; /* add subject identifier id to CRT */ + int authority_identifier; /* add authority identifier to CRT */ + int subject_identifier; /* add subject identifier to CRT */ int basic_constraints; /* add basic constraints ext to CRT */ int version; /* CRT version */ mbedtls_md_type_t md; /* Hash used for signing */ From 38eff437910eb3a46912478f4993d50870222b19 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 22 Sep 2017 15:38:20 +0100 Subject: [PATCH 22/29] Use X509 CRT version macros in cert_write program --- programs/x509/cert_write.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index bc38be280..59afb61e6 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -269,7 +269,7 @@ int main( int argc, char *argv[] ) opt.max_pathlen = DFL_MAX_PATHLEN; opt.key_usage = DFL_KEY_USAGE; opt.ns_cert_type = DFL_NS_CERT_TYPE; - opt.version = DFL_VERSION; + opt.version = DFL_VERSION - 1; opt.md = DFL_DIGEST; opt.subject_identifier = DFL_SUBJ_IDENT; opt.authority_identifier = DFL_AUTH_IDENT; @@ -362,6 +362,7 @@ int main( int argc, char *argv[] ) opt.version = atoi( q ); if( opt.version < 1 || opt.version > 3 ) goto usage; + opt.version--; } else if( strcmp( p, "selfsign" ) == 0 ) { @@ -628,7 +629,7 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Setting certificate values ..." ); fflush( stdout ); - mbedtls_x509write_crt_set_version( &crt, opt.version - 1 ); + mbedtls_x509write_crt_set_version( &crt, opt.version ); mbedtls_x509write_crt_set_md_alg( &crt, opt.md ); ret = mbedtls_x509write_crt_set_serial( &crt, &serial ); @@ -651,7 +652,8 @@ int main( int argc, char *argv[] ) mbedtls_printf( " ok\n" ); - if( opt.version == 3 && opt.basic_constraints ) + if( opt.version == MBEDTLS_X509_CRT_VERSION_3 && + opt.basic_constraints != 0 ) { mbedtls_printf( " . Adding the Basic Constraints extension ..." ); fflush( stdout ); @@ -670,7 +672,8 @@ int main( int argc, char *argv[] ) } #if defined(MBEDTLS_SHA1_C) - if( opt.version == 3 && opt.subject_identifier ) + if( opt.version == MBEDTLS_X509_CRT_VERSION_3 && + opt.subject_identifier != 0 ) { mbedtls_printf( " . Adding the Subject Key Identifier ..." ); fflush( stdout ); @@ -688,7 +691,8 @@ int main( int argc, char *argv[] ) mbedtls_printf( " ok\n" ); } - if( opt.version == 3 && opt.authority_identifier ) + if( opt.version == MBEDTLS_X509_CRT_VERSION_3 && + opt.authority_identifier != 0 ) { mbedtls_printf( " . Adding the Authority Key Identifier ..." ); fflush( stdout ); @@ -707,7 +711,8 @@ int main( int argc, char *argv[] ) } #endif /* MBEDTLS_SHA1_C */ - if( opt.version == 3 && opt.key_usage ) + if( opt.version == MBEDTLS_X509_CRT_VERSION_3 && + opt.key_usage != 0 ) { mbedtls_printf( " . Adding the Key Usage extension ..." ); fflush( stdout ); @@ -724,7 +729,8 @@ int main( int argc, char *argv[] ) mbedtls_printf( " ok\n" ); } - if( opt.version == 3 && opt.ns_cert_type ) + if( opt.version == MBEDTLS_X509_CRT_VERSION_3 && + opt.ns_cert_type != 0 ) { mbedtls_printf( " . Adding the NS Cert Type extension ..." ); fflush( stdout ); From 7f3652ddf1d9598236c5551ec4e74a1c926a8eac Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 22 Sep 2017 15:39:02 +0100 Subject: [PATCH 23/29] Fix error code printing in cert_write Error codes can consume up to two bytes, but only one was printed so far. --- programs/x509/cert_write.c | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index 59afb61e6..d04739389 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -470,7 +470,7 @@ int main( int argc, char *argv[] ) { mbedtls_strerror( ret, buf, 1024 ); mbedtls_printf( " failed\n ! mbedtls_mpi_read_string " - "returned -0x%02x - %s\n\n", -ret, buf ); + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -490,7 +490,7 @@ int main( int argc, char *argv[] ) { mbedtls_strerror( ret, buf, 1024 ); mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file " - "returned -0x%02x - %s\n\n", -ret, buf ); + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -500,7 +500,7 @@ int main( int argc, char *argv[] ) { mbedtls_strerror( ret, buf, 1024 ); mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets " - "returned -0x%02x - %s\n\n", -ret, buf ); + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -524,7 +524,7 @@ int main( int argc, char *argv[] ) { mbedtls_strerror( ret, buf, 1024 ); mbedtls_printf( " failed\n ! mbedtls_x509_csr_parse_file " - "returned -0x%02x - %s\n\n", -ret, buf ); + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -534,7 +534,7 @@ int main( int argc, char *argv[] ) { mbedtls_strerror( ret, buf, 1024 ); mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets " - "returned -0x%02x - %s\n\n", -ret, buf ); + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -559,7 +559,7 @@ int main( int argc, char *argv[] ) { mbedtls_strerror( ret, buf, 1024 ); mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile " - "returned -0x%02x - %s\n\n", -ret, buf ); + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -614,7 +614,7 @@ int main( int argc, char *argv[] ) { mbedtls_strerror( ret, buf, 1024 ); mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_name " - "returned -0x%02x - %s\n\n", -ret, buf ); + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -622,7 +622,7 @@ int main( int argc, char *argv[] ) { mbedtls_strerror( ret, buf, 1024 ); mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_issuer_name " - "returned -0x%02x - %s\n\n", -ret, buf ); + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -637,7 +637,7 @@ int main( int argc, char *argv[] ) { mbedtls_strerror( ret, buf, 1024 ); mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_serial " - "returned -0x%02x - %s\n\n", -ret, buf ); + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -646,7 +646,7 @@ int main( int argc, char *argv[] ) { mbedtls_strerror( ret, buf, 1024 ); mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_validity " - "returned -0x%02x - %s\n\n", -ret, buf ); + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -664,7 +664,7 @@ int main( int argc, char *argv[] ) { mbedtls_strerror( ret, buf, 1024 ); mbedtls_printf( " failed\n ! x509write_crt_set_basic_contraints " - "returned -0x%02x - %s\n\n", -ret, buf ); + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -683,7 +683,7 @@ int main( int argc, char *argv[] ) { mbedtls_strerror( ret, buf, 1024 ); mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject" - "_key_identifier returned -0x%02x - %s\n\n", + "_key_identifier returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -702,7 +702,7 @@ int main( int argc, char *argv[] ) { mbedtls_strerror( ret, buf, 1024 ); mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_authority_" - "key_identifier returned -0x%02x - %s\n\n", + "key_identifier returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -722,7 +722,7 @@ int main( int argc, char *argv[] ) { mbedtls_strerror( ret, buf, 1024 ); mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_key_usage " - "returned -0x%02x - %s\n\n", -ret, buf ); + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -740,7 +740,7 @@ int main( int argc, char *argv[] ) { mbedtls_strerror( ret, buf, 1024 ); mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ns_cert_type " - "returned -0x%02x - %s\n\n", -ret, buf ); + "returned -0x%04x - %s\n\n", -ret, buf ); goto exit; } @@ -757,7 +757,7 @@ int main( int argc, char *argv[] ) mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! write_certificate -0x%02x - %s\n\n", + mbedtls_printf( " failed\n ! write_certificate -0x%04x - %s\n\n", -ret, buf ); goto exit; } From a20e33ad59193567c4bdedf2b483adcc597d9517 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 22 Sep 2017 15:40:01 +0100 Subject: [PATCH 24/29] Use X509 CRT version macros for version checks in x509write_crt_der --- library/x509write_crt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 0611cc847..e8d5cbdbf 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -334,7 +334,7 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, */ /* Only for v3 */ - if( ctx->version == 2 ) + if( ctx->version == MBEDTLS_X509_CRT_VERSION_3 ) { MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) ); @@ -397,7 +397,7 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, */ /* Can be omitted for v1 */ - if( ctx->version > 0 ) + if( ctx->version != MBEDTLS_X509_CRT_VERSION_1 ) { sub_len = 0; MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) ); From d8a6f7cfbe2b506e5c571022bbe620b7a30f6796 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 22 Sep 2017 16:05:43 +0100 Subject: [PATCH 25/29] Clarify code-paths in x509write_csr and x509write_crt --- library/x509write_crt.c | 2 +- library/x509write_csr.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/library/x509write_crt.c b/library/x509write_crt.c index e8d5cbdbf..0af23d7fa 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -321,7 +321,7 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, else if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_ECDSA ) ) pk_alg = MBEDTLS_PK_ECDSA; else - pk_alg = MBEDTLS_PK_NONE; + return( MBEDTLS_ERR_X509_INVALID_ALG ); if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg, &sig_oid, &sig_oid_len ) ) != 0 ) diff --git a/library/x509write_csr.c b/library/x509write_csr.c index da40eb5c1..e80053828 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -205,7 +205,7 @@ int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, s else if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_ECDSA ) ) pk_alg = MBEDTLS_PK_ECDSA; else - pk_alg = MBEDTLS_PK_NONE; + return( MBEDTLS_ERR_X509_INVALID_ALG ); if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg, &sig_oid, &sig_oid_len ) ) != 0 ) From 041a6b030f2c3628d34abb8360efc3988a18484e Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 28 Sep 2017 14:52:26 +0100 Subject: [PATCH 26/29] Adapt ChangeLog --- ChangeLog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ChangeLog b/ChangeLog index 227faed6b..4436237ae 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,12 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS x.x.x branch released xxxx-xx-xx + +Bugfix + * Correct extraction of signature-type from PK instance in X.509 CRT and CSR + writing routines that prevented these functions to work with alternative + RSA implementations. Raised by J.B. in the Mbed TLS forum. Fixes #1011. + = mbed TLS 2.6.0 branch released 2017-08-10 Security From 17c3276a2e2f2983a341d2121678a5b80764e0f9 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 3 Oct 2017 14:56:04 +0100 Subject: [PATCH 27/29] Improve output on bad cmd line args in `programs/x509/cert_write` --- programs/x509/cert_write.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index d04739389..9cc582d61 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -323,6 +323,7 @@ int main( int argc, char *argv[] ) if( opt.authority_identifier != 0 && opt.authority_identifier != 1 ) { + mbedtls_printf( "Invalid argument for option %s\n", p ); goto usage; } } @@ -332,6 +333,7 @@ int main( int argc, char *argv[] ) if( opt.subject_identifier != 0 && opt.subject_identifier != 1 ) { + mbedtls_printf( "Invalid argument for option %s\n", p ); goto usage; } } @@ -341,6 +343,7 @@ int main( int argc, char *argv[] ) if( opt.basic_constraints != 0 && opt.basic_constraints != 1 ) { + mbedtls_printf( "Invalid argument for option %s\n", p ); goto usage; } } @@ -355,32 +358,47 @@ int main( int argc, char *argv[] ) else if( strcmp( q, "MD5" ) == 0 ) opt.md = MBEDTLS_MD_MD5; else + { + mbedtls_printf( "Invalid argument for option %s\n", p ); goto usage; + } } else if( strcmp( p, "version" ) == 0 ) { opt.version = atoi( q ); if( opt.version < 1 || opt.version > 3 ) + { + mbedtls_printf( "Invalid argument for option %s\n", p ); goto usage; + } opt.version--; } else if( strcmp( p, "selfsign" ) == 0 ) { opt.selfsign = atoi( q ); if( opt.selfsign < 0 || opt.selfsign > 1 ) + { + mbedtls_printf( "Invalid argument for option %s\n", p ); goto usage; + } } else if( strcmp( p, "is_ca" ) == 0 ) { opt.is_ca = atoi( q ); if( opt.is_ca < 0 || opt.is_ca > 1 ) + { + mbedtls_printf( "Invalid argument for option %s\n", p ); goto usage; + } } else if( strcmp( p, "max_pathlen" ) == 0 ) { opt.max_pathlen = atoi( q ); if( opt.max_pathlen < -1 || opt.max_pathlen > 127 ) + { + mbedtls_printf( "Invalid argument for option %s\n", p ); goto usage; + } } else if( strcmp( p, "key_usage" ) == 0 ) { @@ -404,7 +422,10 @@ int main( int argc, char *argv[] ) else if( strcmp( q, "crl_sign" ) == 0 ) opt.key_usage |= MBEDTLS_X509_KU_CRL_SIGN; else + { + mbedtls_printf( "Invalid argument for option %s\n", p ); goto usage; + } q = r; } @@ -431,7 +452,10 @@ int main( int argc, char *argv[] ) else if( strcmp( q, "object_signing_ca" ) == 0 ) opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA; else + { + mbedtls_printf( "Invalid argument for option %s\n", p ); goto usage; + } q = r; } From 86e5230e548ae792bd2d8bd14483c2ac7479da9e Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 5 Oct 2017 09:08:53 +0100 Subject: [PATCH 28/29] Adapt ChangeLog --- ChangeLog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ChangeLog b/ChangeLog index 4436237ae..8bf697a22 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,13 @@ Bugfix * Correct extraction of signature-type from PK instance in X.509 CRT and CSR writing routines that prevented these functions to work with alternative RSA implementations. Raised by J.B. in the Mbed TLS forum. Fixes #1011. + * Don't print X.509 version tag for v1 CRT's, and omit extensions for + non-v3 CRT's. + +Changes + * Extend cert_write example program by options to set the CRT version + and the message digest. Further, allow enabling/disabling of authority + identifier, subject identifier and basic constraints extensions. = mbed TLS 2.6.0 branch released 2017-08-10 From d742b748388e550e2f5ba3f03c6aa10fc3a7dc6f Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 28 Nov 2017 17:40:56 +0100 Subject: [PATCH 29/29] Add ChangeLog entry --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 40b4fae44..a65b7ae87 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,7 @@ Bugfix Found by redplait #590 * Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random. Reported and fix suggested by guidovranken in #740 + * Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023 #1024 Features * Add the functions mbedtls_platform_setup() and mbedtls_platform_teardown()