Simon Butcher 
							
						 
						
							
							
							
							
								
							
							
								fc794ff2b7 
								
							 
						 
						
							
							
								
								Merge branch 'iotssl-1071-ca-flags'  
							
							... 
							
							
							
							Fixes a regression introduced by an earlier commit that modified
x509_crt_verify_top() to ensure that valid certificates that are after past or
future valid in the chain are processed. However the change introduced a change
in behaviour that caused the verification flags MBEDTLS_X509_BADCERT_EXPIRED and
MBEDTLS_BADCERT_FUTURE to always be set whenever there is a failure in the
verification regardless of the cause.
The fix maintains both behaviours:
 * Ensure that valid certificates after future and past are verified
 * Ensure that the correct verification flags are set. 
							
						 
						
							2017-02-27 19:06:05 +00:00 
							
								 
							
						 
					 
				
					
						
							
							
								Andres AG 
							
						 
						
							
							
							
							
								
							
							
								9f430c15d8 
								
							 
						 
						
							
							
								
								Add tests for out flags from x509_crt_verify_top()  
							
							... 
							
							
							
							The tests load certificate chains from files. The CA chains contain a
past or future certificate and an invalid certificate. The test then
checks that the flags set are MBEDTLS_X509_BADCERT_EXPIRED or
MBEDTLS_X509_BADCERT_FUTURE. 
							
						 
						
							2017-01-20 13:52:01 +00:00 
							
								 
							
						 
					 
				
					
						
							
							
								Andres AG 
							
						 
						
							
							
							
							
								
							
							
								a39db394db 
								
							 
						 
						
							
							
								
								Add test for infinite loop in CRL parse  
							
							
							
						 
						
							2017-01-19 17:10:51 +00:00 
							
								 
							
						 
					 
				
					
						
							
							
								Simon Butcher 
							
						 
						
							
							
							
							
								
							
							
								4b852db299 
								
							 
						 
						
							
							
								
								Merge branch 'iotssl-629-der-trailing-bytes'  
							
							... 
							
							
							
							Fixes bug in mbedtls_x509_crt_parse that caused trailing extra data in the
buffer following DER certificates to be included in the raw representation. 
							
						 
						
							2016-03-12 23:28:26 +00:00 
							
								 
							
						 
					 
				
					
						
							
							
								Simon Butcher 
							
						 
						
							
							
							
							
								
							
							
								f59e66ba24 
								
							 
						 
						
							
							
								
								Remove redundant test certificates and clarify ChangeLog  
							
							
							
						 
						
							2016-03-09 19:32:10 +00:00 
							
								 
							
						 
					 
				
					
						
							
							
								Janos Follath 
							
						 
						
							
							
							
							
								
							
							
								df4bca2029 
								
							 
						 
						
							
							
								
								X509: Future CA among trusted: add more tests  
							
							
							
						 
						
							2016-03-09 19:32:10 +00:00 
							
								 
							
						 
					 
				
					
						
							
							
								Janos Follath 
							
						 
						
							
							
							
							
								
							
							
								12c868c5d6 
								
							 
						 
						
							
							
								
								X509: Future CA among trusted: add unit tests  
							
							
							
						 
						
							2016-03-09 19:32:10 +00:00 
							
								 
							
						 
					 
				
					
						
							
							
								Janos Follath 
							
						 
						
							
							
							
							
								
							
							
								0b2423403c 
								
							 
						 
						
							
							
								
								x509: trailing bytes in DER: add integration tests  
							
							
							
						 
						
							2016-02-17 10:11:21 +00:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								8b4331aa56 
								
							 
						 
						
							
							
								
								Add test case for root with max_pathlen=0  
							
							... 
							
							
							
							This was already working but not tested so far
(Test case from previous commit still failing.)
Test certificates generated with:
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert91.key
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert92.key
programs/x509/cert_write serial=91 output_file=cert91.crt is_ca=1 \
    issuer_key=cert91.key issuer_name="CN=Root 9,O=mbed TLS,C=UK" \
    selfsign=1 max_pathlen=0
programs/x509/cert_write serial=92 output_file=cert92.crt \
    issuer_key=cert91.key issuer_name="CN=Root 9,O=mbed TLS,C=UK" \
    subject_key=cert92.key subject_name="CN=EE 92,O=mbed TLS,C=UK"
mv cert9?.crt tests/data_files/dir4
rm cert9?.key 
							
						 
						
							2015-11-19 11:10:33 +01:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								a3aa43da5f 
								
							 
						 
						
							
							
								
								Add test case for first intermediate max_pathlen=0  
							
							... 
							
							
							
							!!! This test case is currently failing !!!
(See fix in next-next commit.)
Test certificates generated with the following script:
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert81.key
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert82.key
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert83.key
programs/x509/cert_write serial=81 output_file=cert81.crt is_ca=1 \
    issuer_key=cert81.key issuer_name="CN=Root 8,O=mbed TLS,C=UK" \
    selfsign=1
programs/x509/cert_write serial=82 output_file=cert82.crt is_ca=1 \
    issuer_key=cert81.key issuer_name="CN=Root 8,O=mbed TLS,C=UK" \
    subject_key=cert82.key subject_name="CN=Int 82,O=mbed TLS,C=UK" \
    max_pathlen=0
programs/x509/cert_write serial=83 output_file=cert83.crt \
    issuer_key=cert82.key issuer_name="CN=Int 82,O=mbed TLS,C=UK" \
    subject_key=cert83.key subject_name="CN=EE 83,O=mbed TLS,C=UK"
mv cert8?.crt tests/data_files/dir4
rm cert8?.key 
							
						 
						
							2015-11-19 10:56:30 +01:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								0a543a8bc5 
								
							 
						 
						
							
							
								
								Merge pull request  #320  from Inikup/fix-issue-318  
							
							... 
							
							
							
							Fix boolean values according to DER specs 
							
						 
						
							2015-11-02 05:52:42 +09:00 
							
								 
							
						 
					 
				
					
						
							
							
								Jonathan Leroy 
							
						 
						
							
							
								
								
							
							
							
								
							
							
								00ee6eee54 
								
							 
						 
						
							
							
								
								Test certificate "Server1 SHA1, key_usage" reissued.  
							
							
							
						 
						
							2015-10-14 13:15:22 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Janos Follath 
							
						 
						
							
							
							
							
								
							
							
								ef4f2588f3 
								
							 
						 
						
							
							
								
								Additional corner cases for testing pathlen constrains. Just in case.  
							
							
							
						 
						
							2015-10-11 16:17:27 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Janos Follath 
							
						 
						
							
							
							
							
								
							
							
								822b2c33b9 
								
							 
						 
						
							
							
								
								Added test case for pathlen constrains in intermediate certificates  
							
							
							
						 
						
							2015-10-11 10:39:15 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								560fea3767 
								
							 
						 
						
							
							
								
								Add tests for verify callback  
							
							... 
							
							
							
							As we're about to change the chain construction logic, we want to make sure
the callback will still be called exactly when it should, and not on the
(upcoming) ignored certs in the chain. 
							
						 
						
							2015-09-01 17:24:42 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								052d10c9d5 
								
							 
						 
						
							
							
								
								Accept a trailing space at end of PEM lines  
							
							... 
							
							
							
							With certs being copy-pasted from webmails and all, this will probably become
more and more common.
closes  #226  
							
						 
						
							2015-07-31 11:11:26 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								9a702255f4 
								
							 
						 
						
							
							
								
								Add parsing/printing for new X.509 keyUsage flags  
							
							
							
						 
						
							2015-06-23 13:09:10 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								6ea831dcf4 
								
							 
						 
						
							
							
								
								Add tests for mbedtls_set_hs_ca_chain()  
							
							
							
						 
						
							2015-06-22 17:30:18 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								7a010aabde 
								
							 
						 
						
							
							
								
								Add tests for dhm_min_bitlen  
							
							
							
						 
						
							2015-06-17 14:27:38 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								5119df2022 
								
							 
						 
						
							
							
								
								Add test case for dh params with privateValueLength  
							
							
							
						 
						
							2015-04-15 13:50:29 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								e6c8366b46 
								
							 
						 
						
							
							
								
								Fix bug in pk_parse_key()  
							
							
							
						 
						
							2015-04-15 11:21:24 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Paul Bakker 
							
						 
						
							
							
							
							
								
							
							
								6152b0267c 
								
							 
						 
						
							
							
								
								Fixed typos  
							
							
							
						 
						
							2015-04-14 15:00:09 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								39ead3ef2f 
								
							 
						 
						
							
							
								
								Add test certificate for bitstring in DN  
							
							
							
						 
						
							2015-03-27 13:11:33 +01:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								57a5d60abb 
								
							 
						 
						
							
							
								
								Add tests for concatenated CRLs  
							
							
							
						 
						
							2014-11-19 16:08:34 +01:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								4be3449dbc 
								
							 
						 
						
							
							
								
								Add Readme about X.509 test files  
							
							
							
						 
						
							2014-11-19 14:03:59 +01:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								9c911da68f 
								
							 
						 
						
							
							
								
								Add tests for X.509 name encoding mismatch  
							
							
							
						 
						
							2014-10-17 12:42:31 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								64938c63f0 
								
							 
						 
						
							
							
								
								Accept spaces at end of line/buffer in base64  
							
							
							
						 
						
							2014-10-15 23:53:33 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								da1b4de0e4 
								
							 
						 
						
							
							
								
								Increase MPI_MAX_BYTES to allow RSA 8192  
							
							
							
						 
						
							2014-10-15 22:06:46 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Paul Bakker 
							
						 
						
							
							
							
							
								
							
							
								5a5fa92bfe 
								
							 
						 
						
							
							
								
								x509_crt_parse() did not increase total_failed on PEM error  
							
							... 
							
							
							
							Result was that PEM errors in files with multiple certificates were not
detectable by the user. 
							
						 
						
							2014-10-03 15:47:13 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								192253aaa9 
								
							 
						 
						
							
							
								
								Fix buffer size in pk_write_*_pem()  
							
							
							
						 
						
							2014-08-14 11:34:35 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								d249b7ab9a 
								
							 
						 
						
							
							
								
								Restore ability to trust non-CA selfsigned EE cert  
							
							
							
						 
						
							2014-06-25 11:26:13 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								c4eff16516 
								
							 
						 
						
							
							
								
								Restore ability to use v1 CA if trusted locally  
							
							
							
						 
						
							2014-06-25 11:26:12 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								5873b00b7f 
								
							 
						 
						
							
							
								
								Add pathological RSASSA-PSS test certificates  
							
							... 
							
							
							
							Certificates announcing different PSS options than the ones actually used for
the signature. Makes sure the options are correctly passed to the verification
function. 
							
						 
						
							2014-06-07 11:21:52 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								eacccb7fb9 
								
							 
						 
						
							
							
								
								Add RSASSA-PSS certificate with all defaults  
							
							
							
						 
						
							2014-06-05 18:00:08 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								53882023e7 
								
							 
						 
						
							
							
								
								Also verify CRLs signed with RSASSA-PSS  
							
							
							
						 
						
							2014-06-05 17:59:55 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								920e1cd5e2 
								
							 
						 
						
							
							
								
								Add basic PSS cert verification  
							
							... 
							
							
							
							Still todo:
- handle MGF-hash != sign-hash
- check effective salt len == announced salt len
- add support in the PK layer so that we don't have to bypass it here 
							
						 
						
							2014-06-04 12:09:08 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								39868ee301 
								
							 
						 
						
							
							
								
								Parse CSRs signed with RSASSA-PSS  
							
							
							
						 
						
							2014-06-02 16:10:30 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								2a8d7fd76e 
								
							 
						 
						
							
							
								
								Add tests for parsing CSRs  
							
							
							
						 
						
							2014-06-02 16:10:29 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								8e42ff6bde 
								
							 
						 
						
							
							
								
								Parse CRLs signed with RSASSA-PSS  
							
							
							
						 
						
							2014-06-02 16:10:29 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								e76b750b69 
								
							 
						 
						
							
							
								
								Finish parsing RSASSA-PSS parameters  
							
							
							
						 
						
							2014-06-02 16:10:29 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								59a75d5b9d 
								
							 
						 
						
							
							
								
								Basic parsing of certs signed with RSASSA-PSS  
							
							
							
						 
						
							2014-06-02 16:10:29 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								7afb8a0dca 
								
							 
						 
						
							
							
								
								Add x509_crt_check_extended_key_usage()  
							
							
							
						 
						
							2014-04-11 11:09:00 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								99d4f19111 
								
							 
						 
						
							
							
								
								Add keyUsage checking for CAs  
							
							
							
						 
						
							2014-04-09 15:50:58 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								7f2a07d7b2 
								
							 
						 
						
							
							
								
								Check keyUsage in SSL client and server  
							
							
							
						 
						
							2014-04-09 15:50:57 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								3fec220a33 
								
							 
						 
						
							
							
								
								Add test for dhm_parse_dhmfile  
							
							
							
						 
						
							2014-04-04 16:42:44 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								6c1a73e061 
								
							 
						 
						
							
							
								
								Improve x509xrite_csr testing: extensions, version  
							
							
							
						 
						
							2014-04-04 16:33:01 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								c5ce83a3b8 
								
							 
						 
						
							
							
								
								Improve x509xrite_csr testing: extensions, ECDSA  
							
							
							
						 
						
							2014-04-04 16:33:01 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								6c33a16dae 
								
							 
						 
						
							
							
								
								Add previously forgotten test files... oops!  
							
							
							
						 
						
							2014-04-04 16:23:29 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								f6f4ab40d3 
								
							 
						 
						
							
							
								
								Print extended key usage in x509_crt_info()  
							
							
							
						 
						
							2014-04-04 14:01:39 +02:00 
							
								 
							
						 
					 
				
					
						
							
							
								Manuel Pégourié-Gonnard 
							
						 
						
							
							
							
							
								
							
							
								76b8ab73cd 
								
							 
						 
						
							
							
								
								ssl-opt.sh: address some robustness issues  
							
							
							
						 
						
							2014-03-26 14:21:34 +01:00