Commit graph

300 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard f346bab139 Start parsing RSASSA-PSS parameters 2014-06-02 16:10:29 +02:00
Manuel Pégourié-Gonnard 59a75d5b9d Basic parsing of certs signed with RSASSA-PSS 2014-06-02 16:10:29 +02:00
Paul Bakker 1ebc0c592c Fix typos 2014-05-22 15:47:58 +02:00
Paul Bakker 4cdb4d9bb7 X509 time-related tests depend on POLARSSL_HAVE_TIME 2014-05-22 14:22:59 +02:00
Manuel Pégourié-Gonnard 3d41370645 Fix hash dependencies in X.509 tests 2014-04-29 15:29:41 +02:00
Manuel Pégourié-Gonnard edc81ff8c2 Fix some more curve depends in X.509 tests 2014-04-29 15:10:40 +02:00
Manuel Pégourié-Gonnard ec4d27398a Fix curve dependencies in *keyusage tests 2014-04-29 15:06:41 +02:00
Paul Bakker b6487dade9 Fixed result for test case in test_suite_x509parse 2014-04-17 16:04:33 +02:00
Manuel Pégourié-Gonnard add05d7125 Fix some dependency declarations in X.509 tests 2014-04-11 11:12:40 +02:00
Manuel Pégourié-Gonnard 7afb8a0dca Add x509_crt_check_extended_key_usage() 2014-04-11 11:09:00 +02:00
Manuel Pégourié-Gonnard 99d4f19111 Add keyUsage checking for CAs 2014-04-09 15:50:58 +02:00
Manuel Pégourié-Gonnard 603116c570 Add x509_crt_check_key_usage() 2014-04-09 15:50:57 +02:00
Manuel Pégourié-Gonnard 7afdb88216 Test and fix x509_oid functions 2014-04-04 16:34:30 +02:00
Manuel Pégourié-Gonnard 7b30cfc5b0 x509_crt_info() list output cosmectics 2014-04-04 14:01:39 +02:00
Manuel Pégourié-Gonnard f6f4ab40d3 Print extended key usage in x509_crt_info() 2014-04-04 14:01:39 +02:00
Manuel Pégourié-Gonnard 65c2ddc318 Print key_usage in x509_crt_info() 2014-04-04 14:01:39 +02:00
Manuel Pégourié-Gonnard bce2b30855 Print subject alt name in x509_crt_info() 2014-04-04 14:01:39 +02:00
Manuel Pégourié-Gonnard 919f8f5829 Print NS Cert Type in x509_crt_info() 2014-04-04 14:01:39 +02:00
Manuel Pégourié-Gonnard b28487db1f Start printing extensions in x509_crt_info() 2014-04-04 14:01:39 +02:00
Manuel Pégourié-Gonnard c7a88a960d Fix more depend issues on specific curves 2014-03-13 19:25:06 +01:00
Manuel Pégourié-Gonnard 9533765b25 Reject certs and CRLs from the future 2014-03-13 19:25:06 +01:00
Manuel Pégourié-Gonnard 6304f786e0 Add x509_time_future() 2014-03-13 19:25:06 +01:00
Manuel Pégourié-Gonnard c9093085ed Revert "Merged RSA-PSS support in Certificate, CSR and CRL"
This reverts commit ab50d8d30c, reversing
changes made to e31b1d992a.
2014-02-12 09:39:59 +01:00
Manuel Pégourié-Gonnard 41cae8e1f9 Parse CSRs signed with RSASSA-PSS 2014-01-25 12:48:58 +01:00
Manuel Pégourié-Gonnard d4fd57dda4 Add tests for parsing CSRs 2014-01-25 12:48:58 +01:00
Manuel Pégourié-Gonnard 5eeb32b552 Parse CRLs signed with RSASSA-PSS 2014-01-25 12:48:58 +01:00
Manuel Pégourié-Gonnard ce7c6fd433 Fix dependencies 2014-01-25 12:48:58 +01:00
Manuel Pégourié-Gonnard 3c1e8b539c Finish parsing RSASSA-PSS parameters 2014-01-25 12:48:58 +01:00
Manuel Pégourié-Gonnard d9fd87be33 Start parsing RSASSA-PSS parameters 2014-01-25 12:48:58 +01:00
Manuel Pégourié-Gonnard b1d4eb16e4 Basic parsing of certs signed with RSASSA-PSS 2014-01-25 12:48:58 +01:00
Paul Bakker 474c2ce05f Fixed dependencies for some tests 2013-12-19 16:40:30 +01:00
Paul Bakker c680405135 Removed test for empty data_files/dir0
dir0 is not in git (empty directories cannot be added to git)
2013-12-02 15:26:02 +01:00
Manuel Pégourié-Gonnard fbae2a1f53 Add tests for x509_crt_parse_path() 2013-11-28 18:07:39 +01:00
Manuel Pégourié-Gonnard 420edcaf1d Clean up config-suite-b.h thanks to new certs 2013-09-25 11:52:38 +02:00
Manuel Pégourié-Gonnard cc648d19dc Adapt test cases to new certs and file names 2013-09-24 21:25:54 +02:00
Paul Bakker c27c4e2efb Support faulty X509 v1 certificates with extensions
(POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3)
2013-09-23 15:01:36 +02:00
Manuel Pégourié-Gonnard 387a211fad Fix some dependencies in tests 2013-09-20 10:58:59 +02:00
Paul Bakker 5187656211 Renamed X509 / X509WRITE error codes to generic (non-cert-specific) 2013-09-17 14:36:05 +02:00
Paul Bakker cff6842b39 POLARSSL_PEM_C split into POLARSSL_PEM_PARSE_C and POLARSSL_PEM_WRITE_C 2013-09-16 13:36:18 +02:00
Paul Bakker 428b9ba3b7 Moved POLARSSL_FS_IO check to .function from .data 2013-09-15 15:20:37 +02:00
Paul Bakker e827ce013f Fix for parse commit 2013-09-15 15:08:31 +02:00
Paul Bakker 1a7550ac67 Moved PK key parsing from X509 module to PK module 2013-09-15 13:47:30 +02:00
Manuel Pégourié-Gonnard 92cb1d3a91 Make CBC an option, step 3: individual ciphers 2013-09-13 17:25:43 +02:00
Manuel Pégourié-Gonnard 989ed38de2 Make CBC an option, step 2: cipher layer 2013-09-13 15:48:40 +02:00
Paul Bakker a5943858d8 x509_verify() now case insensitive for cn (RFC 6125 6.4) 2013-09-09 17:21:45 +02:00
Paul Bakker 48377d9834 Configuration option to enable/disable POLARSSL_PKCS1_V15 operations 2013-08-30 13:41:14 +02:00
Manuel Pégourié-Gonnard df0142bd17 Fix some dependencies in tests 2013-08-27 22:21:21 +02:00
Manuel Pégourié-Gonnard b4e9ca9650 Add some more x509_verify tests
- trust chain of depth 0
- invalid signature
- trust chain of depth 2
- multiple trusted CA's
2013-08-20 20:46:03 +02:00
Manuel Pégourié-Gonnard 05b9dce20b Add tests for crl_info with EC CA 2013-08-20 20:26:29 +02:00
Manuel Pégourié-Gonnard 6d29ff209b Add cert_info tests for EC and mixed certificates 2013-08-20 20:26:29 +02:00
Manuel Pégourié-Gonnard 6009c3ae5e Add tests for EC cert and crl validation 2013-08-20 20:26:28 +02:00
Manuel Pégourié-Gonnard e7f64a8e71 Add missing depends to some x509parse tests 2013-08-20 20:26:28 +02:00
Paul Bakker 5a8a62ce1c Fixed some x509parse tests after merge of new test framework 2013-08-20 14:27:21 +02:00
Paul Bakker 898edb7744 Merged the revamped test framework into development 2013-08-20 14:23:02 +02:00
Paul Bakker 68a4fce8aa Added missing dependencies on functions and tests 2013-08-20 12:42:31 +02:00
Manuel Pégourié-Gonnard b03de8bcbe Add test for EC keys with all curves.
(Made possible by the OID fix.)
2013-08-16 14:00:52 +02:00
Manuel Pégourié-Gonnard 06dab806ce Fix memory error in asn1_get_bitstring_null()
When *len is 0, **p would be read, which is out of bounds.
2013-08-16 14:00:52 +02:00
Paul Bakker dbd443dca6 Adapted .function files and .data files to new test framework
Changes include:
 - Integers marked with '#' in the .function files.
 - Strings should have "" in .data files.
 - String comparison instead of preprocessor-like replace for e.g. '=='
 - Params and variables cannot have the same name in .function files
2013-08-16 13:51:37 +02:00
Manuel Pégourié-Gonnard 4f47538ad8 Fix some 'depends' in tests 2013-07-17 15:59:44 +02:00
Manuel Pégourié-Gonnard a2d4e644ac Some more EC pubkey parsing refactoring
Fix a bug in pk_rsa() and pk_ec() along the way
2013-07-17 15:59:43 +02:00
Manuel Pégourié-Gonnard a3c86c334c Certificates with EC key and/or sig parsed 2013-07-17 15:59:42 +02:00
Manuel Pégourié-Gonnard 72ef0b775d Add test certificate signed with ECDSA 2013-07-17 15:59:41 +02:00
Manuel Pégourié-Gonnard 244569f4b1 Use generic x509_get_pubkey() for RSA functions 2013-07-17 15:59:40 +02:00
Manuel Pégourié-Gonnard 2b9252cd8f Add tests for x509parse_key_ec()
Test files were generated as follows:

openssl ecparam -name prime192v1 -genkey > key.pem

openssl ec -in key.pem -pubout -outform PEM > pub.pem
openssl ec -in key.pem -pubout -outform DER > pub.der

openssl ec -in key.pem -outform pem > prv.sec1.pem
openssl ec -in key.pem -outform der > prv.sec1.der
openssl ec -in key.pem -des -passout pass:polar -outform pem > prv.sec1.pw.pem

openssl pkcs8 -topk8 -in key.pem -nocrypt -outform pem > prv.pk8.pem
openssl pkcs8 -topk8 -in key.pem -nocrypt -outform der > prv.pk8.der
openssl pkcs8 -topk8 -in key.pem -passout pass:polar -outform der \
    > prv.pk8.pw.der
openssl pkcs8 -topk8 -in key.pem -passout pass:polar -outform pem \
    > prv.pk8.pw.pem
2013-07-08 17:32:26 +02:00
Manuel Pégourié-Gonnard 1bc6931f8c Add test for x509parse_public_keyfile_ec 2013-07-08 15:31:19 +02:00
Manuel Pégourié-Gonnard ba4878aa64 Rename x509parse_key & co with _rsa suffix 2013-07-08 15:31:18 +02:00
Paul Bakker 9e36f0475f SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly
The SHA4 name was not clear with regards to the new SHA-3 standard. So
SHA2 and SHA4 have been renamed to better represent what they are:
SHA256 and SHA512 modules.
2013-06-30 14:34:05 +02:00
Paul Bakker f8d018a274 Made asn1_get_alg() and asn1_get_alg_null() as generic functions
A generic function for retrieving the AlgorithmIdentifier structure with
its parameters and adapted X509, PKCS#5 and PKCS#12 to use them.
2013-06-29 18:35:40 +02:00
Paul Bakker f67edd9db8 Made x509parse PKCS#12 and PKCS#5 tests dependent on defines
(cherry picked from commit db7ea6f162)
2013-06-25 15:06:53 +02:00
Paul Bakker 38b50d73a1 Moved PKCS#12 PBE functions to cipher / md layer where possible
The 3-key and 2-key Triple DES PBE functions have been replaced with a
single pkcs12_pbe() function that handles both situations (and more).

In addition this allows for some PASSWORD_MISMATCH checking
(cherry picked from commit 14a222cef2)
2013-06-25 15:06:53 +02:00
Paul Bakker a4232a7ccb x509parse_crt() and x509parse_crt_der() return X509 password related codes
POLARSSL_ERR_X509_PASSWORD_MISMATCH is returned instead of
POLARSSL_ERR_PEM_PASSWORD_MISMATCH and
POLARSSL_ERR_X509_PASSWORD_REQUIRED instead of
POLARSSL_ERR_PEM_PASSWORD_REQUIRED

Rationale: For PKCS#8 encrypted keys the same are returned
(cherry picked from commit b495d3a2c7)
2013-06-25 15:06:53 +02:00
Paul Bakker 28144decef PKCS#5 v2 PBES2 support and use in PKCS#8 encrypted certificates
The error code POLARSSL_ERR_X509_PASSWORD_MISMATCH is now properly
returned in case of an encryption failure in the padding. The
POLARSSL_ERR_X509_PASSWORD_REQUIRED error code is only returned for PEM
formatted private keys as for DER formatted ones it is impossible to
distinguish if a DER blob is PKCS#8 encrypted or not.
(cherry picked from commit 1fd4321ba2)

Conflicts:
	include/polarssl/error.h
	scripts/generate_errors.pl
2013-06-25 15:06:52 +02:00
Paul Bakker f1f21fe825 Parsing of PKCS#8 encrypted private key files added and PKCS#12 basis
PKCS#8 encrypted key file support has been added to x509parse_key() with
support for some PCKS#12 PBE functions (pbeWithSHAAnd128BitRC4,
pbeWithSHAAnd3-KeyTripleDES-CBC and pbeWithSHAAnd2-KeyTripleDES-CBC)
(cherry picked from commit cf6e95d9a8)

Conflicts:
	scripts/generate_errors.pl
2013-06-25 15:06:51 +02:00
Paul Bakker e2f5040876 Internally split up x509parse_key()
Split up x509parse_key() into a (PEM) handler function and specific
DER parser functions for the PKCS#1 (x509parse_key_pkcs1_der()) and
unencrypted PKCS#8 (x509parse_key_pkcs8_unencrypted_der()) private
key formats.
(cherry picked from commit 65a1909dc6)

Conflicts:
	library/x509parse.c
2013-06-25 15:06:50 +02:00
Paul Bakker c70b982056 OID functionality moved to a separate module.
A new OID module has been created that contains the main OID searching
functionality based on type-dependent arrays. A base type is used to
contain the basic values (oid_descriptor_t) and that type is extended to
contain type specific information (like a pk_alg_t).

As a result the rsa sign and verify function prototypes have changed. They
now expect a md_type_t identifier instead of the removed RSA_SIG_XXX
defines.

All OID definitions have been moved to oid.h
All OID matching code is in the OID module.

The RSA PKCS#1 functions cleaned up as a result and adapted to use the
MD layer.

The SSL layer cleanup up as a result and adapted to use the MD layer.

The X509 parser cleaned up and matches OIDs in certificates with new
module and adapted to use the MD layer.

The X509 writer cleaned up and adapted to use the MD layer.

Apps and tests modified accordingly
2013-04-07 22:00:46 +02:00
Paul Bakker 915275ba78 - Revamped x509_verify() and the SSL f_vrfy callback implementations 2012-09-28 07:10:55 +00:00
Paul Bakker 1a0f552030 - Fixed test for 'trust extension' change 2012-09-25 21:53:55 +00:00
Paul Bakker 9195662a4c - Added test for no-subject certificates with altSubjectNames 2012-08-23 10:46:54 +00:00
Paul Bakker 4d2c1243b1 - Changed certificate verify behaviour to comply with RFC 6125 section 6.3 to not match CN if subjectAltName extension is present. 2012-05-10 14:12:46 +00:00
Paul Bakker 57b12982b3 - Multi-domain certificates support wildcards as well 2012-02-11 17:38:38 +00:00
Paul Bakker a8cd239d6b - Added support for wildcard certificates
- Added support for multi-domain certificates through the X509 Subject Alternative Name extension
2012-02-11 16:09:32 +00:00
Paul Bakker fae618fa8b - Updated tests to reflect recent changes 2011-10-12 11:53:52 +00:00
Paul Bakker 36f1b197ca - Added test for PKCS#8 wrapped private and public keys 2011-07-13 11:32:29 +00:00
Paul Bakker 9d781407bc - A error_strerror function() has been added to translate between error codes and their description.
- The error codes have been remapped and combining error codes is now done with a PLUS instead of an OR as error codes used are negative.
 - Descriptions to all error codes have been added.
 - Generation script for error.c has been created to automatically generate error.c from the available error definitions in the headers.
2011-05-09 16:17:09 +00:00
Paul Bakker 335db3f121 - Functions requiring File System functions can now be disables by undefining POLARSSL_FS_IO 2011-04-25 15:28:35 +00:00
Paul Bakker 1be81a4e5f - Removed test for MD2 certificate as OpenSSL does not support it anymore 2011-04-23 14:46:28 +00:00
Paul Bakker 400ff6f0fd - Corrected parsing of UTCTime dates before 1990 and after 1950
- Support more exotic OID's when parsing certificates
 - Support more exotic name representations when parsing certificates
 - Replaced the expired test certificates
2011-02-20 10:40:16 +00:00
Paul Bakker 96743fc5f5 - Parsing of PEM files moved to separate module (Fixes ticket #13). Also possible to remove PEM support for systems only using DER encoding
- Parsing PEM private keys encrypted with DES and AES are now supported (Fixes ticket #5)
 - Added tests for encrypted keyfiles
2011-02-12 14:30:57 +00:00
Paul Bakker 76fd75a3de - Improved certificate validation and validation against the available CRLs 2011-01-16 21:12:10 +00:00
Paul Bakker b63b0afc05 - Added verification callback in certificate verification chain in order to allow external blacklisting 2011-01-13 17:54:59 +00:00
Paul Bakker 9120018f3d - Added support for GeneralizedTime in X509 certificates 2010-02-18 21:26:15 +00:00
Paul Bakker 46b8071641 - Added 'depends_on' for tests dependent on specific hash algorithms 2009-10-03 20:01:39 +00:00
Paul Bakker c6ce838d8f - Better handling of extension parsing 2009-07-27 21:34:45 +00:00
Paul Bakker e4ff413890 - Added extra coverage tests 2009-07-27 20:22:10 +00:00
Paul Bakker 345fb49cb7 - Added extra coverage and regression tests 2009-07-20 21:26:07 +00:00
Paul Bakker 6b0fa4f33b - Added extra regression and coverage tests for ASN parsing of CRL and Key data 2009-07-20 20:35:41 +00:00
Paul Bakker c26a189189 - Added extra X509 regression and coverage tests 2009-07-19 20:30:14 +00:00
Paul Bakker b2c38f54b4 - Added a lot of ASN1 Certificate parsing tests 2009-07-19 19:36:15 +00:00
Paul Bakker 4d6b31a999 - Added extra certificates and tests 2009-07-12 11:11:06 +00:00
Paul Bakker 37940d9ff6 - Added test coverage for X509parse
- Fixed segfault in rsa_check_privkey() and rsa_check_pubkey() and added test
2009-07-10 22:38:58 +00:00