From db1e7a8f7ba0d2f688e9c04c7e0ebcfccfd0259f Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Fri, 21 Aug 2020 18:58:33 +0200
Subject: [PATCH 1/5] cert_write: support all hash algorithms

For some reason, RIPEMD160, SHA224 and SHA384 were not supported. This fixes the build recipes for tests/data_files/cert_sha224.crt and tests/data_files/cert_sha384.crt .

Signed-off-by: Gilles Peskine
---
 programs/x509/cert_write.c | 22 +++++++---------------
 1 file changed, 7 insertions(+), 15 deletions(-)

diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index bccc3b7b4..f0f044de7 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -145,8 +145,9 @@ int main( void )
 " is_ca=%%d default: 0 (disabled)\n" \
 " max_pathlen=%%d default: -1 (none)\n" \
 " md=%%s default: SHA256\n" \
- " Supported values:\n" \
- " MD2, MD4, MD5, SHA1, SHA256, SHA512\n"\
+ " Supported values (if enabled):\n" \
+ " MD2, MD4, MD5, RIPEMD160, SHA1,\n" \
+ " SHA224, SHA256, SHA384, SHA512\n" \
 " version=%%d default: 3\n" \
 " Possible values: 1, 2, 3\n"\
 " subject_identifier=%%s default: 1\n" \
@@ -380,23 +381,14 @@ int main( int argc, char *argv[] )
 }
 else if( strcmp( p, "md" ) == 0 )
 {
- if( strcmp( q, "SHA1" ) == 0 )
- opt.md = MBEDTLS_MD_SHA1;
- else if( strcmp( q, "SHA256" ) == 0 )
- opt.md = MBEDTLS_MD_SHA256;
- else if( strcmp( q, "SHA512" ) == 0 )
- opt.md = MBEDTLS_MD_SHA512;
- else if( strcmp( q, "MD2" ) == 0 )
- opt.md = MBEDTLS_MD_MD2;
- else if( strcmp( q, "MD4" ) == 0 )
- opt.md = MBEDTLS_MD_MD4;
- else if( strcmp( q, "MD5" ) == 0 )
- opt.md = MBEDTLS_MD_MD5;
- else
+ const mbedtls_md_info_t *md_info =
+ mbedtls_md_info_from_string( q );
+ if( md_info == NULL )
 {
 mbedtls_printf( "Invalid argument for option %s\n", p );
 goto usage;
 }
+ opt.md = mbedtls_md_get_type( md_info );
 }
 else if( strcmp( p, "version" ) == 0 )
 {
From c3d0a7f1ec67e723a40f7ee96d42ceab90280133 Mon Sep 17 00:00:00 2001
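Review bot: The names accepted by the `md` option are now whatever `mbedtls_md_info_from_string()` recognises in this build (matched case-sensitively, which the help text does not say), while the usage text in the first hunk of this file still hard-codes a list, so the two can silently diverge. Rather than maintain the list by hand, the error path could print the names the library actually accepts: after `mbedtls_printf( "Invalid argument for option %s\n", p );` add `for( const int *t = mbedtls_md_list(); *t != 0; t++ )` / `    mbedtls_printf( "    %s\n", mbedtls_md_get_name( mbedtls_md_info_from_type( (mbedtls_md_type_t) *t ) ) );`. The same applies to the equivalent cert_req hunk in the second patch. main() begins and ends outside this hunk.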
From: Gilles Peskine
Date: Fri, 21 Aug 2020 19:51:13 +0200
Subject: [PATCH 2/5] cert_req: discover hash algorithms automatically

Discover hash algorithms automatically rather than hard-coding a list, as was previously done in cert_write.

Signed-off-by: Gilles Peskine
---
 programs/x509/cert_req.c | 59 +++++-----------------------------------
 1 file changed, 7 insertions(+), 52 deletions(-)

diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c
index c88050cde..dc796034c 100644
--- a/programs/x509/cert_req.c
+++ b/programs/x509/cert_req.c
@@ -127,9 +127,8 @@ int main( void )
 " Add NsCertType even if it is empty\n" \
 " md=%%s default: SHA256\n" \
 " possible values:\n" \
- " MD2, MD4, MD5, SHA1\n" \
- " SHA224, SHA256\n" \
- " SHA384, SHA512\n" \
+ " MD2, MD4, MD5, RIPEMD160, SHA1,\n" \
+ " SHA224, SHA256, SHA384, SHA512\n" \
 "\n"
 
 
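Review bot: The usage text keeps the unqualified `possible values:` heading although every listed algorithm sits behind its own compile-time option, so a given build may reject several of them; cert_write's equivalent line in the first patch was changed to say so. Use the same wording here, `" possible values (if enabled):\n" \`, so the two tools describe the option consistently. The string literal this line belongs to begins outside the hunk.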
@@ -244,58 +243,14 @@ int main( int argc, char *argv[] )
 }
 else if( strcmp( p, "md" ) == 0 )
 {
- if( strcmp( q, "SHA256" ) == 0 )
- {
- opt.md_alg = MBEDTLS_MD_SHA256;
- }
- else if( strcmp( q, "SHA224" ) == 0 )
- {
- opt.md_alg = MBEDTLS_MD_SHA224;
- }
- else
-#if defined(MBEDTLS_MD5_C)
- if( strcmp( q, "MD5" ) == 0 )
- {
- opt.md_alg = MBEDTLS_MD_MD5;
- }
- else
-#endif /* MBEDTLS_MD5_C */
-#if defined(MBEDTLS_MD4_C)
- if( strcmp( q, "MD4" ) == 0 )
- {
- opt.md_alg = MBEDTLS_MD_MD4;
- }
- else
-#endif /* MBEDTLS_MD5_C */
-#if defined(MBEDTLS_MD2_C)
- if( strcmp( q, "MD2" ) == 0 )
- {
- opt.md_alg = MBEDTLS_MD_MD2;
- }
- else
-#endif /* MBEDTLS_MD2_C */
-#if defined(MBEDTLS_SHA1_C)
- if( strcmp( q, "SHA1" ) == 0 )
- {
- opt.md_alg = MBEDTLS_MD_SHA1;
- }
- else
-#endif /* MBEDTLS_SHA1_C */
-#if defined(MBEDTLS_SHA512_C)
- if( strcmp( q, "SHA384" ) == 0 )
- {
- opt.md_alg = MBEDTLS_MD_SHA384;
- }
- else
- if( strcmp( q, "SHA512" ) == 0 )
- {
- opt.md_alg = MBEDTLS_MD_SHA512;
- }
- else
-#endif /* MBEDTLS_SHA512_C */
+ const mbedtls_md_info_t *md_info =
+ mbedtls_md_info_from_string( q );
+ if( md_info == NULL )
 {
+ mbedtls_printf( "Invalid argument for option %s\n", p );
 goto usage;
 }
+ opt.md_alg = mbedtls_md_get_type( md_info );
 }
 else if( strcmp( p, "key_usage" ) == 0 )
 {
From 6b739bb138db055383eaeb74992d4401f4745b4e Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Fri, 21 Aug 2020 19:47:22 +0200
Subject: [PATCH 3/5] Fix "make -C tests/data_files"

It wasn't working when invoking programs/x509/cert_write or programs/x509/cert_req due to relying on the current directory rather than the location of the makefile.

Signed-off-by: Gilles Peskine
---
 tests/data_files/Makefile | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index 0429bddd1..1f9389b93 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -13,8 +13,10 @@
 ## Tools
 OPENSSL ?= openssl
 FAKETIME ?= faketime
-MBEDTLS_CERT_WRITE ?= $(PWD)/../../programs/x509/cert_write
-MBEDTLS_CERT_REQ ?= $(PWD)/../../programs/x509/cert_req
+
+TOP_DIR = $(dir $(firstword $(MAKEFILE_LIST)))/../..
+MBEDTLS_CERT_WRITE ?= $(TOP_DIR)/programs/x509/cert_write
+MBEDTLS_CERT_REQ ?= $(TOP_DIR)/programs/x509/cert_req
 
 ## Build the generated test data. Note that since the final outputs
 ## are committed to the repository, this target should do nothing on a
From e6e812a712de63c60119fe7b23e827499eaaffb2 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Fri, 21 Aug 2020 20:32:21 +0200
Subject: [PATCH 4/5] Commit the intermediate files cert_md*.csr

They are used to generate cert_md*.crt. Regenerate cert_md5.crt which had previously been generated for a different key.

Signed-off-by: Gilles Peskine
---
 tests/data_files/cert_md2.csr | 16 ++++++++++++++++
 tests/data_files/cert_md4.csr | 16 ++++++++++++++++
 tests/data_files/cert_md5.crt | 26 +++++++++++++-------------
 tests/data_files/cert_md5.csr | 16 ++++++++++++++++
 4 files changed, 61 insertions(+), 13 deletions(-)
 create mode 100644 tests/data_files/cert_md2.csr
 create mode 100644 tests/data_files/cert_md4.csr
 create mode 100644 tests/data_files/cert_md5.csr

diff --git a/tests/data_files/cert_md2.csr b/tests/data_files/cert_md2.csr
new file mode 100644
index 000000000..a8c39bdb3
--- /dev/null
+++ b/tests/data_files/cert_md2.csr
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow +GAYDVQQDDBFQb2xhclNTTCBDZXJ0IE1EMjCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAMh0xMy5+bV56UXZFGCwfbuT8msenzOtDY+KPFZl5dxE2cxmhQfV ++CewSjXQY54Kbhu32vB+q+4MEJOGSRg086gq0lf1LtQvdymEYU2CUI+nlUhw9W5N +stUTw9Ia7eZD6kIU63TqwO0f1FdOqfOo7dLgwTBxMDIw1dP2CNBWT0aO8l/5PWeR +iDAuQrLfffvlDHf/7DHAeI+/wn/KrWwh1o3Zi2qOb+Cb+BBWzLOOExXmNARmx+75 +Ng5qlfYJmgZn9GVx+MqksSXg/jyLNQRnuuBPdoX8f/w2a7XpzS0DYk6zPQDPr3ag +aVaDatKo1OdQcea1NgV3BW17yOTE/UzVIV8CAwEAAaAAMA0GCSqGSIb3DQEBAgUA +A4IBAQBPUqodRcH2ZUa8A3fQX/nxrIwWiLmQ9BaOI6G7vzEWVE1sxmkrHP+pXgi9 +1eFceN9xUBKEd+LmUPmHpObZ4nwRSprFj3DeIXpn9aSBr+jGY8RaaC9cMkaSq5Mb +q65THEJ1xemIfZvbhjvNi/ycXXu/v1Gpj62dpIFGbm+o4AXQF2ocYGEM+X1u2eVn +mnuuvPAHTllGjB0daTSYoQtMy3luPUEj0Yct3iVR1pUeTrHchOs9p5ACDZcf6D3x +sm9atH2ZIaXo1c9SqHzdk/uLt/CwxQrn1WU1inwOkzjim2Yq9vWgpQypfGZdScXV +oHOmuGG901WMMemzZXjoLi+8ZpVL +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/cert_md4.csr b/tests/data_files/cert_md4.csr new file mode 100644 index 000000000..d8a3dbf20 --- /dev/null +++ b/tests/data_files/cert_md4.csr 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow +GAYDVQQDDBFQb2xhclNTTCBDZXJ0IE1ENDCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAMh0xMy5+bV56UXZFGCwfbuT8msenzOtDY+KPFZl5dxE2cxmhQfV ++CewSjXQY54Kbhu32vB+q+4MEJOGSRg086gq0lf1LtQvdymEYU2CUI+nlUhw9W5N +stUTw9Ia7eZD6kIU63TqwO0f1FdOqfOo7dLgwTBxMDIw1dP2CNBWT0aO8l/5PWeR +iDAuQrLfffvlDHf/7DHAeI+/wn/KrWwh1o3Zi2qOb+Cb+BBWzLOOExXmNARmx+75 +Ng5qlfYJmgZn9GVx+MqksSXg/jyLNQRnuuBPdoX8f/w2a7XpzS0DYk6zPQDPr3ag +aVaDatKo1OdQcea1NgV3BW17yOTE/UzVIV8CAwEAAaAAMA0GCSqGSIb3DQEBAwUA +A4IBAQAztRb+vAecvhelhszzCctzmhGs4TGmr9h4zddZoQ8dTdy1OCsnmU+yz3oh +oiQjy7UPLt8DS2ZKhGhvwPvtwFh5icMWQVnv2kE4Evz8xJT12VRw+U6L5rfKmf/L +mVNxsuk17MDyBcMlwuNk+CHrYVdrXhSWUH3UCQQUH1iqqBMKmNiPa1UGU0budZ9X +HZjn9uqyyOGy8l3hffqjDxsDjZyBDf5aqKIdnvukdrUiacPdUYVF0fwK8d1/1PA9 +dA4JjTvz+tTK6mL9Ic9Pv+64v1vwMU4Qu8IJHk5x3I0e7KuK2A/lK6az2Vb6FAh6 +MkGpWB68T8FRBoVrWLOh+a9yNwyp +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/cert_md5.crt b/tests/data_files/cert_md5.crt index 8b4d089bb..d69b0b775 100644 --- a/tests/data_files/cert_md5.crt +++ b/tests/data_files/cert_md5.crt 
@@ -3,18 +3,18 @@ MIIDPzCCAiegAwIBAgIBBjANBgkqhkiG9w0BAQQFADA7MQswCQYDVQQGEwJOTDER MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENlcnQgTUQ1MIIBIjAN -BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/ -uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD -d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf -CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr -lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w -bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB -o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f +M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu +1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw +MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v +4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/ +/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB +o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQQFAAOC -AQEAPO/yXYVCQfm1gRzYoPP4T8Dd7jfpS0Yz5hAWMDi73aXufk9ltGdXauQxA4Pu -NQLWBMFMtJyO2OUb0p+oPGCxQayLx1sIjS9Gfy70xHlL3jnZy4kLXtkiARz8ZptW -krxzQh017mXIn8W2VGYWA1gCNrg/Xb3VtlxVCzPa2zGCkIJHKe/dqNtKY3xx/SEQ -gsVvdT8lpI8HfeElBfWvFxGps77pvE2HDcAdrIkjrsBWoSIq6CqIQjyW7WSN7UgI -bTczqejHkrggI8yWIIoDAiUX9OGT76Mv4wpmOPww8hqoVfpvvPQ2l6byVNJYPj/L -oiUV6sDYenOgMJ3Tf7UzTR91MA== +AQEANsxVCbbev5mngG0+PvQ4y/s0jNjz6i+tn4fTOtMNBOC77clNju65vlHWqD9Y +rZP6wqGSzdYbOoojCq0l65T6os1CFcaygIpUSFF57MbfTiiwZaLF93qf9Jf+VHln +CQA/tQolZJDjef8LXAYK68GVVxenZI9ITnMIg6Qd9vpHqK44a6xWU226pG7g+6ae +97dhpLsYMxggv6t/ATFt7KiIXC4cOQBzQobRfsRcxWlaOxlFEXeCFoonQaHHaU9c +KqLO1sqygLIhP7ZA2qmfodVLc5B3WxrogaupPCbpKNdieR43HvGZ+3ig/gLjyLg1 +L8qiSesxaHvjtkW9N7sjPxRS8Q== -----END 
CERTIFICATE----- diff --git a/tests/data_files/cert_md5.csr b/tests/data_files/cert_md5.csr new file mode 100644 index 000000000..dc6792d38 --- /dev/null +++ b/tests/data_files/cert_md5.csr @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow +GAYDVQQDDBFQb2xhclNTTCBDZXJ0IE1ENTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAMh0xMy5+bV56UXZFGCwfbuT8msenzOtDY+KPFZl5dxE2cxmhQfV ++CewSjXQY54Kbhu32vB+q+4MEJOGSRg086gq0lf1LtQvdymEYU2CUI+nlUhw9W5N +stUTw9Ia7eZD6kIU63TqwO0f1FdOqfOo7dLgwTBxMDIw1dP2CNBWT0aO8l/5PWeR +iDAuQrLfffvlDHf/7DHAeI+/wn/KrWwh1o3Zi2qOb+Cb+BBWzLOOExXmNARmx+75 +Ng5qlfYJmgZn9GVx+MqksSXg/jyLNQRnuuBPdoX8f/w2a7XpzS0DYk6zPQDPr3ag +aVaDatKo1OdQcea1NgV3BW17yOTE/UzVIV8CAwEAAaAAMA0GCSqGSIb3DQEBBAUA +A4IBAQBNEvxgn3Pc62hsMgMz33IdeNpazeK3ae2gwQQFgL7qMp/kskfpIKF4m8eB +YrmjKn9cqszRD606/ZtWYDwINUUc6O7bQGmpGIFd7bSPm/pbsajc6R7kzA/tD/bk +G5zqu9Bj0x92hEwdku0zY+Hx9PgT2dK8M72iFylHBwT3X1tNyXhh7xWJ9RlAfSvN +KdS6s3kRjK4qcir0MnflV5f2HD6r1v9cSVyme6eVLvOmup89z0cihH7NDwDJaYbi +oqcKXFbro8/2ruEzPUS6U8NA9cjlX9DW8buIu4cQACVx5YevlwKoayYfXcRRvIFo +OLiPq14TuZj3c0+HFOxWj4UBAjvI +-----END CERTIFICATE REQUEST----- From e39d14b142d64ea535529b3a6fd36e0a03c459f9 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 24 Sep 2020 16:36:04 +0200 Subject: [PATCH 5/5] Fix "make -C tests/data_files -f ..." The toplevel directory is actually just ../..: the makefile commands are executed in the subdirectory. $(PWD) earlier was wrong because it comes from the shell, not from make. Looking up $(MAKEFILE_LIST) is wrong because it indicates where the makefile is (make -f), not which directory to work in (make -C). Signed-off-by: Gilles Peskine --- tests/data_files/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 1f9389b93..3578b6ba1 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile 
@@ -14,7 +14,7 @@
 OPENSSL ?= openssl
 FAKETIME ?= faketime
 
-TOP_DIR = $(dir $(firstword $(MAKEFILE_LIST)))/../..
+TOP_DIR = ../..
 MBEDTLS_CERT_WRITE ?= $(TOP_DIR)/programs/x509/cert_write
 MBEDTLS_CERT_REQ ?= $(TOP_DIR)/programs/x509/cert_req
 
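Review bot: `TOP_DIR = ../..` assumes the recipes run with tests/data_files as the working directory, which holds for `make -C tests/data_files` but not for `make -f tests/data_files/Makefile` from the top level, and nothing in the file states that assumption. Unlike `MBEDTLS_CERT_WRITE` and `MBEDTLS_CERT_REQ` just below it, the variable is assigned with `=` rather than `?=`, so a caller invoking from elsewhere cannot override it; `TOP_DIR ?= ../..` together with a comment such as `# Relative to the working directory: run via 'make -C tests/data_files'` would make the assumption both visible and adjustable.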