From a6e640264ffb985a3f01376b4dc046b5ccf7b57a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 21 Aug 2020 12:06:47 +0200 Subject: [PATCH 1/7] compat.sh: enable CBC-SHA-2 suites for GnuTLS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Recent GnuTLS packages on Ubuntu 16.04 have them disabled. From /usr/share/doc/libgnutls30/changelog.Debian.gz: gnutls28 (3.4.10-4ubuntu1.5) xenial-security; urgency=medium * SECURITY UPDATE: Lucky-13 issues [...] - debian/patches/CVE-2018-1084x-4.patch: hmac-sha384 and sha256 ciphersuites were removed from defaults in lib/gnutls_priority.c, tests/priorities.c. Since we do want to test the ciphersuites, explicitly re-enable them in the server's priority string. (This is a no-op with versions of GnuTLS where those are already enabled by default.) Signed-off-by: Manuel Pégourié-Gonnard --- tests/compat.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/compat.sh b/tests/compat.sh index 97b91892b..2124c1bfa 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -810,7 +810,7 @@ setup_arguments() M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE arc4=1" O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$MODE -dhparam data_files/dhparams.pem" G_SERVER_ARGS="-p $PORT --http $G_MODE" - G_SERVER_PRIO="NORMAL:+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE" + G_SERVER_PRIO="NORMAL:+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+SHA256:+SHA384:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE" # with OpenSSL 1.0.1h, -www, -WWW and -HTTP break DTLS handshakes if is_dtls "$MODE"; then From 351dd59e9a33a2ee2603204e09e956314abf508c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 21 Aug 2020 12:24:32 +0200 Subject: [PATCH 2/7] compat.sh: quit using SHA-1 certificates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replace server2.crt with server2-sha256.crt which, as the name implies, is just the SHA-256 version of the same certificate. Replace server1.crt with cert_sha256.crt which, as the name doesn't imply, is associated with the same key and just have a slightly different Subject Name, which doesn't matter in this instance. The other certificates used in this script (server5.crt and server6.crt) are already signed with SHA-256. This change is motivated by the fact that recent versions of GnuTLS (or older versions with the Debian patches) reject SHA-1 in certificates by default, as they should. There are options to still accept it (%VERIFY_ALLOW_BROKEN and %VERIFY_ALLOW_SIGN_WITH_SHA1) but: - they're not available in all versions that reject SHA-1-signed certs; - moving to SHA-2 just seems cleaner anyway. Signed-off-by: Manuel Pégourié-Gonnard --- tests/compat.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index 2124c1bfa..62f23a457 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -859,14 +859,14 @@ setup_arguments() ;; "RSA") - M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server2.crt key_file=data_files/server2.key" - O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server2.crt -key data_files/server2.key" - G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2.crt --x509keyfile data_files/server2.key" + M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key" + O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server2-sha256.crt -key data_files/server2.key" + G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key" if [ "X$VERIFY" = "XYES" ]; then - M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/server1.crt key_file=data_files/server1.key" - O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server1.crt -key data_files/server1.key" - G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/server1.crt --x509keyfile data_files/server1.key" + M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/cert_sha256.crt key_file=data_files/server1.key" + O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/cert_sha256.crt -key data_files/server1.key" + G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/cert_sha256.crt --x509keyfile data_files/server1.key" else M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none" fi @@ -880,9 +880,9 @@ setup_arguments() "PSK") # give RSA-PSK-capable server a RSA cert # (should be a separate type, but harder to close with openssl) - M_SERVER_ARGS="$M_SERVER_ARGS psk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=data_files/server2.crt key_file=data_files/server2.key" + M_SERVER_ARGS="$M_SERVER_ARGS psk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key" O_SERVER_ARGS="$O_SERVER_ARGS -psk 6162636465666768696a6b6c6d6e6f70 -nocert" - G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2.crt --x509keyfile data_files/server2.key --pskpasswd data_files/passwd.psk" + G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --pskpasswd data_files/passwd.psk" M_CLIENT_ARGS="$M_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none" O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70" From 741c4e2d645034db722e76eb6ff537866d1a3e2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 21 Aug 2020 12:34:05 +0200 Subject: [PATCH 3/7] compat.sh: stop using allow_sha1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After the changes of certificates, it's no longer needed. Signed-off-by: Manuel Pégourié-Gonnard --- tests/compat.sh | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index 62f23a457..53db751ed 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -870,11 +870,6 @@ setup_arguments() else M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none" fi - - # Allow SHA-1. It's disabled by default for security reasons but - # our tests still use certificates signed with it. - M_SERVER_ARGS="$M_SERVER_ARGS allow_sha1=1" - M_CLIENT_ARGS="$M_CLIENT_ARGS allow_sha1=1" ;; "PSK") @@ -887,11 +882,6 @@ setup_arguments() M_CLIENT_ARGS="$M_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none" O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70" G_CLIENT_ARGS="$G_CLIENT_ARGS --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" - - # Allow SHA-1. It's disabled by default for security reasons but - # our tests still use certificates signed with it. - M_SERVER_ARGS="$M_SERVER_ARGS allow_sha1=1" - M_CLIENT_ARGS="$M_CLIENT_ARGS allow_sha1=1" ;; esac } From a3511b97c1065e79fb1ad5b6f90cd8cce34bd8bb Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 21 Aug 2020 18:58:33 +0200 Subject: [PATCH 4/7] cert_write: support all hash algorithms For some reason, RIPEMD160, SHA224 and SHA384 were not supported. This fixes the build recipes for tests/data_files/cert_sha224.crt and tests/data_files/cert_sha384.crt . Signed-off-by: Gilles Peskine --- programs/x509/cert_write.c | 22 +++++++--------------- 1 file changed, 7 insertions(+), 15 deletions(-) diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index 4f813371b..1e584cfc6 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -145,8 +145,9 @@ int main( void ) " is_ca=%%d default: 0 (disabled)\n" \ " max_pathlen=%%d default: -1 (none)\n" \ " md=%%s default: SHA256\n" \ - " Supported values:\n" \ - " MD2, MD4, MD5, SHA1, SHA256, SHA512\n"\ + " Supported values (if enabled):\n" \ + " MD2, MD4, MD5, RIPEMD160, SHA1,\n" \ + " SHA224, SHA256, SHA384, SHA512\n" \ " version=%%d default: 3\n" \ " Possible values: 1, 2, 3\n"\ " subject_identifier=%%s default: 1\n" \ @@ -379,23 +380,14 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "md" ) == 0 ) { - if( strcmp( q, "SHA1" ) == 0 ) - opt.md = MBEDTLS_MD_SHA1; - else if( strcmp( q, "SHA256" ) == 0 ) - opt.md = MBEDTLS_MD_SHA256; - else if( strcmp( q, "SHA512" ) == 0 ) - opt.md = MBEDTLS_MD_SHA512; - else if( strcmp( q, "MD2" ) == 0 ) - opt.md = MBEDTLS_MD_MD2; - else if( strcmp( q, "MD4" ) == 0 ) - opt.md = MBEDTLS_MD_MD4; - else if( strcmp( q, "MD5" ) == 0 ) - opt.md = MBEDTLS_MD_MD5; - else + const mbedtls_md_info_t *md_info = + mbedtls_md_info_from_string( q ); + if( md_info == NULL ) { mbedtls_printf( "Invalid argument for option %s\n", p ); goto usage; } + opt.md = mbedtls_md_get_type( md_info ); } else if( strcmp( p, "version" ) == 0 ) { From da118e130dea8b0027220ee0163aac4f259acf06 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 21 Aug 2020 19:09:34 +0200 Subject: [PATCH 5/7] Regenerate test client certificates with a PrintableString issuer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The test certificate used for clients in compat.sh, cert_sha256.crt, had the issuer ON and CN encoded as UTF8String, but the corresponding CA certificate test-ca_cat12.crt had them encoded as PrintableString. The strings matched, which is sufficient according to RFC 5280 §7.1 and RFC 4518 §2.1. However, GnuTLS 3.4.10 requires the strings to have the same encoding, so it did not accept that the certificate issued by UTF8String "PolarSSL Test CA" was validly issued by the PrintableString "PolarSSL Test CA" CA. ebc1f40aa008f6a2ba42e7436e4596d8f780b612, merged via https://github.com/ARMmbed/mbedtls/pull/1641 and released in Mbed TLS 2.14, updated these certificates. 4f928c0f374558ec352825061a399db7a37ca2fc merged, via https://github.com/ARMmbed/mbedtls/pull/2418 fixed this in the 2.7 LTS branch for the SHA-1 certificate which was used at the time. The present commit applies the same fix for the SHA-256 certificate that is now in use. For uniformity, this commit regenerates all the cert_*.crt. Signed-off-by: Gilles Peskine --- tests/data_files/cert_md2.crt | 16 ++++++------- tests/data_files/cert_md4.crt | 16 ++++++------- tests/data_files/cert_md5.crt | 32 +++++++++++++------------- tests/data_files/cert_sha1.crt | 16 ++++++------- tests/data_files/cert_sha224.crt | 16 ++++++------- tests/data_files/cert_sha256.crt | 16 ++++++------- tests/data_files/cert_sha384.crt | 16 ++++++------- tests/data_files/cert_sha512.crt | 16 ++++++------- tests/suites/test_suite_x509parse.data | 2 +- 9 files changed, 73 insertions(+), 73 deletions(-) diff --git a/tests/data_files/cert_md2.crt b/tests/data_files/cert_md2.crt index 94b89afce..d2e0cd391 100644 --- a/tests/data_files/cert_md2.crt +++ b/tests/data_files/cert_md2.crt @@ -1,8 +1,8 @@ -----BEGIN CERTIFICATE----- MIIDPzCCAiegAwIBAgIBCTANBgkqhkiG9w0BAQIFADA7MQswCQYDVQQGEwJOTDER -MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN MDAwMTAxMTIxMjEyWhcNMzAwMTAxMTIxMjEyWjA8MQswCQYDVQQGEwJOTDERMA8G -A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENlcnQgTUQyMIIBIjAN +A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIENlcnQgTUQyMIIBIjAN BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu 1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw @@ -11,10 +11,10 @@ MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v /DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQIFAAOC -AQEAXLWqy34iaZ2YV+5eE1QMV/9m9nQI2X/yumRH1MT1R3oYde/YDV7+HSOM6qLs -qSgH1DSyXv1YnJww2OyTtAVhPalICLjVjUQCyeUCiFpAIO6Xz1VE6v4GMFLqhlV1 -Nox9dDtR5Go2zwPaH64Ze9GxuDZfW+VnPRNgYOrqqCBnuhnp2uPRfOewus2AAo50 -dx1XTooCEqElQlB9EIPWbvPdJZjRjruCUtDbz+oxG4J4Ml4KCYm+/MyXNPqxV9+H -5A9oQltuHMWasMWSfXeimQI5PPpdjndmJOhfT4RGmvTw/uNC/Xuy1kPxXQKoocz6 -93U8RQvyJxdIPtQuARNMRZ7G+Q== +AQEAt7KLikhhl8deDSoY7tkxidvgmcllfck8M43j2gBsRqRDuoH145SppFWu9izG +B4TomcWF3KJildK8Np3I+kafqlxXyVrHA+/185pl+qi1V5RQ6GjPSwm8KAoWOdEl +OObjornC7g/Pj5xK8KZIL3NonRBV1KzjwydeWlEiiNjGu1qnOunGS8r6URoG2+3/ +zVbS47GuXHnri10y2nOsSySJ7k07HnmpPQvWDl8sDcFajVae7YXxKH1E25Ba1B+u +kG/NENkFT9aP0GBVqnNaQQU5nEmjClbWxDY7ZqsrwiW+U4KSW+UFLX2fkoQtKTko +BzvaJq7A2ek4PUjX19M2GwPpZQ== -----END CERTIFICATE----- diff --git a/tests/data_files/cert_md4.crt b/tests/data_files/cert_md4.crt index 7d0f7cb1b..a9d32ed90 100644 --- a/tests/data_files/cert_md4.crt +++ b/tests/data_files/cert_md4.crt @@ -1,8 +1,8 @@ -----BEGIN CERTIFICATE----- MIIDPzCCAiegAwIBAgIBBTANBgkqhkiG9w0BAQMFADA7MQswCQYDVQQGEwJOTDER -MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN MDAwMTAxMTIxMjEyWhcNMzAwMTAxMTIxMjEyWjA8MQswCQYDVQQGEwJOTDERMA8G -A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENlcnQgTUQ0MIIBIjAN +A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIENlcnQgTUQ0MIIBIjAN BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu 1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw @@ -11,10 +11,10 @@ MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v /DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQMFAAOC -AQEArXIW7Dy1hBXMKY8/TAfACqkFZzbGDJdD5ohQknENk6FzUHVw9SVibhi5J+nh -/mhUhoczFg78T8ZopDcsPHKQTuy0LNcLWhZDD4S4CJCibmsf+8BWmPcSp1tsS9Zj -etO5qNuUarL74W+rRa3qQcCXcglYTubv/PcCV+LGVqZ4XDlO5EBFJJREAREzG+iK -Epm2y0mi1WTwjy7m7rxYHs5i5ybDHDDwU55H5wh50Vs4/vDx2kZab2K9gx6V2ggY -CCYmRWKQHdI4XZBkpYFbbREZxMY4Y5c2PUMlr8GUq6s6eu9/GvmnIx/+EySSfxgv -9GpN+gnyx03hjYNGO7iX8nPnXA== +AQEAKn97PfdTx8Ivb0F52sxmIlER6XSjYP5ZQOee0U/g/o5PWjPseg+kuwYtvJeT +kHP4+sTbJA+O2RVqU+Imu2TKHg8EW6CT86/DogUykEXkTuEa3pLcO77ryuQo2PxI +Pa3DoUIiGuZuiwlPZCMnNiw+liegV6rEexLJ19CEx6g5WYTRCWzrJL7PR1cGl14D +IE4Z8+C6kqsMWvj1v9zoqALaOiIIFitnoSPzWUIr5qY3WdoNHRsGGcJuvwNpCAUr +icF3nGjZTKOu86K8Lgg2T8z8sgyHhdlXCicTlYPkepeo1phxo2ncoROp5OlZseDn +lBPOFc5JDpNfX5xYJ/EdRID0hQ== -----END CERTIFICATE----- diff --git a/tests/data_files/cert_md5.crt b/tests/data_files/cert_md5.crt index 8b4d089bb..55215b7a1 100644 --- a/tests/data_files/cert_md5.crt +++ b/tests/data_files/cert_md5.crt @@ -1,20 +1,20 @@ -----BEGIN CERTIFICATE----- MIIDPzCCAiegAwIBAgIBBjANBgkqhkiG9w0BAQQFADA7MQswCQYDVQQGEwJOTDER -MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN -MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G -A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENlcnQgTUQ1MIIBIjAN -BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/ -uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD -d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf -CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr -lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w -bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB -o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MDAwMTAxMTIxMjEyWhcNMzAwMTAxMTIxMjEyWjA8MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIENlcnQgTUQ1MIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f +M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu +1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw +MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v +4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/ +/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB +o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQQFAAOC -AQEAPO/yXYVCQfm1gRzYoPP4T8Dd7jfpS0Yz5hAWMDi73aXufk9ltGdXauQxA4Pu -NQLWBMFMtJyO2OUb0p+oPGCxQayLx1sIjS9Gfy70xHlL3jnZy4kLXtkiARz8ZptW -krxzQh017mXIn8W2VGYWA1gCNrg/Xb3VtlxVCzPa2zGCkIJHKe/dqNtKY3xx/SEQ -gsVvdT8lpI8HfeElBfWvFxGps77pvE2HDcAdrIkjrsBWoSIq6CqIQjyW7WSN7UgI -bTczqejHkrggI8yWIIoDAiUX9OGT76Mv4wpmOPww8hqoVfpvvPQ2l6byVNJYPj/L -oiUV6sDYenOgMJ3Tf7UzTR91MA== +AQEAEHBIek3RHDZM7/s+jYBk7j6rJIyLOlk2mZiLtfLdkjIX/147PoHAm2iSdXMC +ICPCu26JAjvd3vUiaZ01Hc6x8ztZZBD6VFqVdmHwpfvY9cYOGyUK1jaArdSlowrl +G13zL6f+VJ/CEK1cV1s6CyRV4d4QYaYiZ+7anuTuz2aHe79FhGEETi76Lo93O5bz +2hySTkvFuuAyFgyHPBO2NyNoXY3YrxhbOJ7qqTdxZfxKac88ZjIuTnRuPiduLcYA +p5QmD9/pE1tqK0fONsChNPuSRYOhhuFBrKH6qTfNozTTg76u7Tszeow1ooKcG44D +HN0g+Gz5/WKPKoqSftXK8P0hzA== -----END CERTIFICATE----- diff --git a/tests/data_files/cert_sha1.crt b/tests/data_files/cert_sha1.crt index 1e23585c5..ae8c6147d 100644 --- a/tests/data_files/cert_sha1.crt +++ b/tests/data_files/cert_sha1.crt @@ -1,8 +1,8 @@ -----BEGIN CERTIFICATE----- MIIDQDCCAiigAwIBAgIBBzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER -MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA9MQswCQYDVQQGEwJOTDERMA8G -A1UECgwIUG9sYXJTU0wxGzAZBgNVBAMMElBvbGFyU1NMIENlcnQgU0hBMTCCASIw +A1UEChMIUG9sYXJTU0wxGzAZBgNVBAMTElBvbGFyU1NMIENlcnQgU0hBMTCCASIw DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6J v7joRZDb7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVB Q3dfOXwJBEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYEl @@ -11,10 +11,10 @@ XwqxU8YwfhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk cG6ezr1YieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEA AaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUH3TWPynBdHRFOwUSLD2ovUNZAqYw HwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQAD -ggEBAFAHuWfjOp+GaM5dP3NBaUayXmjbrsY5fo/ysfOVV9xipzbPWvE2Bu679iU1 -Eg+5hME9VlMmQejGzG09ReXE+30gyhtO3vWA8U21YrsL3ybvS6EREHGKk238bIBh -yDP/b0VuoNsS3xRn9WyH3TRu5re0vK68OSkLIWPd01fgvcfl6YyUY+WuuSrpYcDv -nrgKvFZws/EE4RNldtRC1Blwy497AtmWBQWs65zj5JkNdNnm4JJqXZAArNh2GSZo -83C/1ZSFrNo9GONsCJ0GVGEt7IK7FPqXYW7rXi30BRse33ziU7RPWGDT13bh9Rdz -RqsoZ5h5VjtHOnMUUD99gIWinBE= +ggEBALkA7HJAh0esl6X4OQp2S0cRROxM5UfM9rgvhUnt1CVaem0Di3jzICvKJVwM +zL70KmCEQCxqEfXFV8ArnhBiFlRSQSvcdD9Ze77OrMt7Tmcrjvbyw3IuFGyFW3Az +d9BxpTsZ11Yxq7riGe1ZgsiIckY/aPoaoCSQCcMHefIXfuL/4D9VdkSLH1E1J77r +/rDU2DVgSlHp6r4p2wKMuH/xgeECgKrVM/SNoShQZ5ntFjKmMGo8C/oFD5LqKdm2 +PXrcrnLBXPb0RLBUInAgb28BXM4UCJxaMCIPUMY1lcLvyjpomA5A2HOEWX+rW2Zw +ZY6lXi0pa+SmmdursI1iNCeJhyw= -----END CERTIFICATE----- diff --git a/tests/data_files/cert_sha224.crt b/tests/data_files/cert_sha224.crt index c8a209d0c..540667c6b 100644 --- a/tests/data_files/cert_sha224.crt +++ b/tests/data_files/cert_sha224.crt @@ -1,8 +1,8 @@ -----BEGIN CERTIFICATE----- MIIDQjCCAiqgAwIBAgIBCDANBgkqhkiG9w0BAQ4FADA7MQswCQYDVQQGEwJOTDER -MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA/MQswCQYDVQQGEwJOTDERMA8G -A1UECgwIUG9sYXJTU0wxHTAbBgNVBAMMFFBvbGFyU1NMIENlcnQgU0hBMjI0MIIB +A1UEChMIUG9sYXJTU0wxHTAbBgNVBAMTFFBvbGFyU1NMIENlcnQgU0hBMjI0MIIB IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVh Xom/uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq 1UFDd185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPht @@ -11,10 +11,10 @@ LGTrlZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsu pk9wbp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQID AQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kC pjAfBgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQ4F -AAOCAQEATdo7p7dok8gcxS0dYGluXMOsAEALyHAgvAJSZUt0x8RxemJfpquv4XG/ -rppQmtA5aPf59Fo0z5GcS0zzYFLTQIcLHKnuuG0W6yjhx3e+5J1hjLbv///vvKGN -jq55z+CANkragMk6XQ/t+iXkh/Fq00FS+zbf1JLaMXOLst5dfv3uPQaJHwzX/EaE -VdognXxWudNQgIvemindk9TTQon27zBS/z6nwcBCIXMDfesAjcHuBCfxl6pofK6E -28qs4up/JayptG2CX98LGsEyAgegwTMSYGLJoWcHhrUcbF0fNOcXPgQKGTcZO4Tg -yPYGbkG9FjgaASc2gTrYVPRZ6mY19g== +AAOCAQEAeRpMhu1KTn2NQjCCPaRkOO38EPhlc6/jolqvb+2h7evGk0u606uHLDPg +ejUUmuHpJTGbVgU27dRucSUaAlGOE0SJvLyRlvhjFwKQczdZBi4zGbsokTl9Oi6r +BOHDTpDr3OQ1FIxGHyTnxKgw1/WBHaqPmT5tS6UwItQ22XRhrZffi9QZJ8AQElAd +7Z7whSwsV77SCQow4VbHYl5o+vUB1jG0MrQu8FoOVt6/HXHyKCZsGzkp8SXhGzl+ +Oy0eCbLETKieg9bUGH3hVYsH64JsZpVfTp1WaDm0Duui2gRIL2ROetA6xoROwl5j +PmTT7I0AJVzCvnt4kYxHAMD0RGBd1A== -----END CERTIFICATE----- diff --git a/tests/data_files/cert_sha256.crt b/tests/data_files/cert_sha256.crt index e56d42853..946202e8b 100644 --- a/tests/data_files/cert_sha256.crt +++ b/tests/data_files/cert_sha256.crt @@ -1,8 +1,8 @@ -----BEGIN CERTIFICATE----- MIIDQjCCAiqgAwIBAgIBCTANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER -MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA/MQswCQYDVQQGEwJOTDERMA8G -A1UECgwIUG9sYXJTU0wxHTAbBgNVBAMMFFBvbGFyU1NMIENlcnQgU0hBMjU2MIIB +A1UEChMIUG9sYXJTU0wxHTAbBgNVBAMTFFBvbGFyU1NMIENlcnQgU0hBMjU2MIIB IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVh Xom/uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq 1UFDd185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPht @@ -11,10 +11,10 @@ LGTrlZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsu pk9wbp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQID AQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kC pjAfBgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQsF -AAOCAQEAuo8kRDdQj3+rgqbz7bS3ZfBVCqgbQfruRZncP0s3IQJ6g7k6BNfCTO+N -tIgnCDhnhjK9DS4l1LTkQJKfcd6sfuwBxjHKWGZUqTqHWFm/O5MJwfMpxI305xXE -evDzh8LK1W3moX5OcT4bx3QsY9I4nqXQkOzjGidxhOXYA2v+X5OhRt3IJ2dzmQQu -BVXnDbzuchUfP5aeCwW6l7VX+RJOE2zlqO5yt0ejT02E44qtC5sBf24V9ko5LORw -1J7Zk34QwsKrSPSGxOuoWNwH3fJpgZQImKgJIQCsksJ+A45CK6iz0km8oTiI3Hoo -2LpE6UNx2M8jiZWVzH1L4tkg4fcCoQ== +AAOCAQEAPT4SOxVXMQ4NFxxh8qD8xRef6ku9QxpSSuUiiLOxzPTRn+t2fTP4GMRJ +3cjmdU+oHBd+Qoj4zwrnmCgi3ym8rMvGWGHKiRyrCwejb/cnm9EtzK88nqiot55+ +oDpdCnuQZhVF5gfwR7nH1qbgQfnshKlBzYTQq+mC/s99mWV4fGDlmriuj9+rbHLA +s+ZPwb0WmLf9lynbZwdK9m+rOnJJV2b00r7vW8z4IAhExuwjeQULSt0wJvz4rV/M +DAJZoytApGjS5EzVFF0KiElPgwgkXJvKefMW80wL0JDaayX6+OmEFNnkQ98Tvhdq +veKLS/v6TyMOZ8CxaCmSEWqlvXhz3Q== -----END CERTIFICATE----- diff --git a/tests/data_files/cert_sha384.crt b/tests/data_files/cert_sha384.crt index f8ec10b66..da07c8034 100644 --- a/tests/data_files/cert_sha384.crt +++ b/tests/data_files/cert_sha384.crt @@ -1,8 +1,8 @@ -----BEGIN CERTIFICATE----- MIIDQjCCAiqgAwIBAgIBCjANBgkqhkiG9w0BAQwFADA7MQswCQYDVQQGEwJOTDER -MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA/MQswCQYDVQQGEwJOTDERMA8G -A1UECgwIUG9sYXJTU0wxHTAbBgNVBAMMFFBvbGFyU1NMIENlcnQgU0hBMzg0MIIB +A1UEChMIUG9sYXJTU0wxHTAbBgNVBAMTFFBvbGFyU1NMIENlcnQgU0hBMzg0MIIB IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVh Xom/uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq 1UFDd185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPht @@ -11,10 +11,10 @@ LGTrlZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsu pk9wbp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQID AQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kC pjAfBgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQwF -AAOCAQEAeyHm+emo4/QHqEVKj/MYPOsPrrcr5MupNE7WmoUA7SilVUlceIy8ApWR -MUdwnh7UPkCa6K1yvayknEbHzD2Lv9BLEf5A1/a+F/LmFXiV0kXIFue13u+z7laV -N/s/jphPVgjPwZiC1ZtOoD7WvSkIInB53j4Q3VCH6EpZxZuDO/u8CGBQ0g+9Eqhn -W3+4GFnxUPYeN17u/opt16mEPx6WFbRl9hs5wUvND/FCDEJ/9uVNiVYlPYyHKzzq -e3WXCHLYUKGESQX+85IrnmlwbAb33bM+sAM6naFafXTZEimeEpX3iYrHzhoU7aR7 -piojwAE+Yb3Ac+Hu1fY4CRO4ZHL6Zg== +AAOCAQEAG7yZky+I80qfJEhzMkoTSMy72hPeD1jBkGDjTyjOH/uprWrfENSRRn6n +anZSH1PaVycvOdHOhSy+x4YJZkdiK89UftPWNpigZqWAkiY7Udis1TKUaytJWYWA +GrPIzhY/ewmRugkUzMHT+usx4qfvo3JyQeqOmCzCwQH1Z7iBA8xkKkvRa+848JrY +T7BwioJHp525QrzXsP6cwGTRa5ncSiMLlhjnr0eA0rcFGtHez+rJjCzkqjmBBL3Q +B/lt3j5BAKIqiE2SlD7T2+Mr/hhfylW9CTb8NqCjDbvbz+k/eeIA8DUetzNDx3ug +AXwYB3rDJqwrLgFYq49NhH4UyRvMrw== -----END CERTIFICATE----- diff --git a/tests/data_files/cert_sha512.crt b/tests/data_files/cert_sha512.crt index b2254fa72..353977425 100644 --- a/tests/data_files/cert_sha512.crt +++ b/tests/data_files/cert_sha512.crt @@ -1,8 +1,8 @@ -----BEGIN CERTIFICATE----- MIIDQjCCAiqgAwIBAgIBCzANBgkqhkiG9w0BAQ0FADA7MQswCQYDVQQGEwJOTDER -MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA/MQswCQYDVQQGEwJOTDERMA8G -A1UECgwIUG9sYXJTU0wxHTAbBgNVBAMMFFBvbGFyU1NMIENlcnQgU0hBNTEyMIIB +A1UEChMIUG9sYXJTU0wxHTAbBgNVBAMTFFBvbGFyU1NMIENlcnQgU0hBNTEyMIIB IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVh Xom/uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq 1UFDd185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPht @@ -11,10 +11,10 @@ LGTrlZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsu pk9wbp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQID AQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kC pjAfBgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQ0F -AAOCAQEABnuq7gMU6EWqcmEcj2/wiqOFUBeH9ro0tni9JZzaDAKkBMwoeJ3RP/59 -wY92UZC/SoWPm0yLK25KTwxJhd645a5ZeRk+yi1SG+oXNgZFS03F1Orat0bM5u94 -RtzLRInGzTxhlVS8HPRya2+nEaPT9YNO25vORczPDjtrI82UnysaWiKx1OCPhdP3 -ZySAkX/zE1U8Te0+948C0vmg2aTWCSk5zutryFgHH5UojmmWAkBHpX3tIm8JMRG9 -tvp6fbIDan0LmSsVK8rq5OPSwAKMso6GF4Iuxou/jP2gI+NutenX26wrffSjlPiW -KksLNj8oL6vIUap28Oh+Gwph02biSQ== +AAOCAQEAbS9rH1M6TRw38l6NfMkSLXf3FtUEH5FV/cBLUYd6laDJVOELgeJ3dwaY +Rz/N8nGGvKu8cvY4uBk7coI0PtjZbfZ1JSOLqX3GC5dBMGof3MyHhrOUbgUsu1ku +W8puUhsYdG0AZlAQFqY5x7msfnrj1XWwlYoPfr9wl+oLUQ7HeNv5DlgSGOr+MUMW +FZonT8++2J5uTq4b1g7slRkoFoW4jXhQbPw8Ru13OCHpAs0P0RTb+Rh+f7yfqR6+ +CY2PGQgVdpZxLdccHHQXa5oPhUqjTAWFTgUbxk3lKGqNc2xXdweGmJe3uRC6WxlD +/6dg12ZkWAnhRnrOd4LrgzGoKpRPrQ== -----END CERTIFICATE----- diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 75543b156..e5d5fed65 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -20,7 +20,7 @@ x509_cert_info:"data_files/cert_md4.crt":"cert. version \: 3\nserial number X509 Certificate information MD5 Digest depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD5_C -x509_cert_info:"data_files/cert_md5.crt":"cert. version \: 3\nserial number \: 06\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD5\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with MD5\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"data_files/cert_md5.crt":"cert. version \: 3\nserial number \: 06\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD5\nissued on \: 2000-01-01 12\:12\:12\nexpires on \: 2030-01-01 12\:12\:12\nsigned using \: RSA with MD5\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" X509 Certificate information SHA1 Digest depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C From 74243ee87873487cabccb992907dfab7d5678e86 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 21 Aug 2020 15:52:17 +0200 Subject: [PATCH 6/7] Regenerate server2-sha256.crt with a PrintableString issuer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit server2-sha256.crt had the issuer ON and CN encoded as UTF8String, but the corresponding CA certificate test-ca_cat12.crt had them encoded as PrintableString. The strings matched, which is sufficient according to RFC 5280 §7.1 and RFC 4518 §2.1. However, GnuTLS 3.4.10 requires the strings to have the same encoding, so it did not accept that the UTF8String "PolarSSL Test CA" certificate was signed by the PrintableString "PolarSSL Test CA" CA. Since Mbed TLS 2.14 (specifically ebc1f40aa008f6a2ba42e7436e4596d8f780b612 merged via https://github.com/ARMmbed/mbedtls/pull/1641), server2-sha256.crt is generated by Mbed TLS's own cert_write program, which emits a PrintableString. In older versions, this file was generated by OpenSSL, which started emitting UTF8String at some point. 4f928c0f374558ec352825061a399db7a37ca2fc merged via https://github.com/ARMmbed/mbedtls/pull/2418 fixed this for the SHA-1 certificate which was used at the time. The present commit applies the same fix for the SHA-256 certificate that is now in use. Signed-off-by: Gilles Peskine --- tests/data_files/Makefile | 2 +- tests/data_files/server2-sha256.crt | 27 +++++++++++++-------------- 2 files changed, 14 insertions(+), 15 deletions(-) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index aeebf67bd..61edad1d4 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -136,7 +136,7 @@ server2.crt: server2-rsa.csr $(MBEDTLS_CERT_WRITE) request_file=server2-rsa.csr issuer_crt=test-ca-sha256.crt issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) serial=4 not_before=20190410141727 not_after=20290410141727 md=SHA1 version=3 output_file=$@ all_final += server2.crt server2-sha256.crt: server2-rsa.csr - $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in server2-rsa.csr -out $@ + $(MBEDTLS_CERT_WRITE) request_file=server2-rsa.csr serial=2 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA256 version=3 output_file=$@ all_final += server2-sha256.crt test_ca_int_rsa1 = test-int-ca.crt diff --git a/tests/data_files/server2-sha256.crt b/tests/data_files/server2-sha256.crt index f13fe6499..7b2e95efc 100644 --- a/tests/data_files/server2-sha256.crt +++ b/tests/data_files/server2-sha256.crt @@ -1,21 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDfTCCAmWgAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER -MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN -MTkwMzEyMTAwNzA0WhcNMjkwMzEyMTAwNzA0WjA0MQswCQYDVQQGEwJOTDERMA8G -A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN +MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya -HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaOBkjCBjzAd -BgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwYwYDVR0jBFwwWoAUtFrkpbPe -0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh -clNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBDQYIBAzAJBgNVHRMEAjAAMA0G -CSqGSIb3DQEBCwUAA4IBAQCI8yvc3JSUnfBoWZbyia9BZJ3ZhqbH8V4fN7Co7l5J -5985ZRPZ6Wz8pF3Cf97VrbqTHmC8PCYwXaxUbQif4apfEhvJP0luOGefAY5S87bw -iQHEW7WcQwVwGxRIMLqlFwhJrNDyvvilTgLeILZIsY81HY+mw1FNtzZY94SRsyth -x2dH/bJt/GeJq6XYAwQlurU6dFFTGPsvkg9tjMJyOcYRkT6+KvlpR8xSC/V673hH -T7o2ePkWW73wWG1Qit3de6e2eMIHNZZTSVerd/IKiPfW6ro/123EWSZXbQ3DHHLD -/0JVgqo90NrhRJQA249h/Og43ewiex75ToVoLWuijFx/ +HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD +VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw +FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBALVvYxsd +o5YSOIaApPlpnFUnz5zD/TbI9/63iJH+ae61jvpjTY1bqLBBEcqMMg9tVFUdt4xd +9MifL5zRZOGqKpfhWyoUZv7kXXMtfJsy0A6sqK11FcUE9r2Mt50tAO1MLZLJ5tKD +XY9/dTqXnENPxCGUo89/UwIFuNhKPUDBRMeyx8FaKsGVksF/lGxYVFWrfzZFlW0M +SXduk5xjoHE83erLEtZoxWIgrx7LXXgkDtswGkH+VpFt9dFFXJaeAQPeUBDAhEE9 +UDkaCx5tPlyriwUW1w1xDx40VFV+Dgg9CFxiHCF+ppg+MG8HV0LVDRJlhN94QHNg +DAAVd5iuv8P+00Y= -----END CERTIFICATE----- From 1323fba357940ede3b531ad33fe4f91f0e8c183b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 24 Aug 2020 12:40:08 +0200 Subject: [PATCH 7/7] Update the copy of tests/data_files/server2-sha256.crt in certs.c Before this commit, certs.c had a copy of a different version of tests/data_files/server2-sha256.crt (from the then development branch) which was generated by cert_write. Update certs.c with the new tests/data_files/server2-sha256.crt which is also generated by cert_write. The new copy has the same size as the old copy so there is no concern about existing application binaries relying on the size. (The old tests/data_files/server2-sha256.crt had a different size because it had been generated by openssl and so had slightly different content.) Signed-off-by: Gilles Peskine --- library/certs.c | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/library/certs.c b/library/certs.c index 22caca2a4..360325c85 100644 --- a/library/certs.c +++ b/library/certs.c @@ -205,16 +205,12 @@ const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa ); #if defined(MBEDTLS_SHA256_C) /* tests/data_files/server2-sha256.crt */ -/* Or more precisely, this is the contents of the version of this file - * that's in the mbedtls-2.16 branch, due to a backporting mistake. - * We don't want to change the contents now, as that would change the size - * which is part of the ABI, which should be stable in LTS branches. */ #define TEST_SRV_CRT_RSA_SHA256 \ "-----BEGIN CERTIFICATE-----\r\n" \ "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \ -"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \ +"MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \ "MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \ -"A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" \ +"A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" \ "AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" \ "owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" \ "NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" \ @@ -222,13 +218,13 @@ const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa ); "hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" \ "HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" \ "VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" \ -"FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAC465FJh\r\n" \ -"Pqel7zJngHIHJrqj/wVAxGAFOTF396XKATGAp+HRCqJ81Ry60CNK1jDzk8dv6M6U\r\n" \ -"HoS7RIFiM/9rXQCbJfiPD5xMTejZp5n5UYHAmxsxDaazfA5FuBhkfokKK6jD4Eq9\r\n" \ -"1C94xGKb6X4/VkaPF7cqoBBw/bHxawXc0UEPjqayiBpCYU/rJoVZgLqFVP7Px3sv\r\n" \ -"a1nOrNx8rPPI1hJ+ZOg8maiPTxHZnBVLakSSLQy/sWeWyazO1RnrbxjrbgQtYKz0\r\n" \ -"e3nwGpu1w13vfckFmUSBhHXH7AAS/HpKC4IH7G2GAk3+n8iSSN71sZzpxonQwVbo\r\n" \ -"pMZqLmbBm/7WPLc=\r\n" \ +"FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBALVvYxsd\r\n" \ +"o5YSOIaApPlpnFUnz5zD/TbI9/63iJH+ae61jvpjTY1bqLBBEcqMMg9tVFUdt4xd\r\n" \ +"9MifL5zRZOGqKpfhWyoUZv7kXXMtfJsy0A6sqK11FcUE9r2Mt50tAO1MLZLJ5tKD\r\n" \ +"XY9/dTqXnENPxCGUo89/UwIFuNhKPUDBRMeyx8FaKsGVksF/lGxYVFWrfzZFlW0M\r\n" \ +"SXduk5xjoHE83erLEtZoxWIgrx7LXXgkDtswGkH+VpFt9dFFXJaeAQPeUBDAhEE9\r\n" \ +"UDkaCx5tPlyriwUW1w1xDx40VFV+Dgg9CFxiHCF+ppg+MG8HV0LVDRJlhN94QHNg\r\n" \ +"DAAVd5iuv8P+00Y=\r\n" \ "-----END CERTIFICATE-----\r\n" const char mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA_SHA256;