mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-25 02:55:35 +00:00
15f1088ef6
As we're about to change the chain construction logic, we want to make sure
the callback will still be called exactly when it should, and not on the
(upcoming) ignored certs in the chain.
backport of 560fea3
575 lines
14 KiB
Plaintext
575 lines
14 KiB
Plaintext
/* BEGIN_HEADER */
|
|
#include "polarssl/x509_crt.h"
|
|
#include "polarssl/x509_crl.h"
|
|
#include "polarssl/x509_csr.h"
|
|
#include "polarssl/pem.h"
|
|
#include "polarssl/oid.h"
|
|
#include "polarssl/base64.h"
|
|
|
|
int verify_none( void *data, x509_crt *crt, int certificate_depth, int *flags )
|
|
{
|
|
((void) data);
|
|
((void) crt);
|
|
((void) certificate_depth);
|
|
*flags |= BADCERT_OTHER;
|
|
|
|
return 0;
|
|
}
|
|
|
|
int verify_all( void *data, x509_crt *crt, int certificate_depth, int *flags )
|
|
{
|
|
((void) data);
|
|
((void) crt);
|
|
((void) certificate_depth);
|
|
*flags = 0;
|
|
|
|
return 0;
|
|
}
|
|
|
|
#if defined(POLARSSL_X509_CRT_PARSE_C)
|
|
typedef struct {
|
|
char buf[512];
|
|
char *p;
|
|
} verify_print_context;
|
|
|
|
void verify_print_init( verify_print_context *ctx )
|
|
{
|
|
memset( ctx, 0, sizeof( verify_print_context ) );
|
|
ctx->p = ctx->buf;
|
|
}
|
|
|
|
#if defined(_MSC_VER) && !defined snprintf
|
|
#define snprintf _snprintf
|
|
#endif
|
|
|
|
#define SAFE_SNPRINTF \
|
|
do \
|
|
{ \
|
|
if( ret < 0 || (size_t) ret > n ) \
|
|
{ \
|
|
p[n - 1] = '\0'; \
|
|
return( -1 ); \
|
|
} \
|
|
\
|
|
n -= (unsigned int) ret; \
|
|
p += (unsigned int) ret; \
|
|
} while( 0 )
|
|
|
|
int verify_print( void *data, x509_crt *crt, int certificate_depth, int *flags )
|
|
{
|
|
int ret;
|
|
verify_print_context *ctx = (verify_print_context *) data;
|
|
char *p = ctx->p;
|
|
size_t n = ctx->buf + sizeof( ctx->buf ) - ctx->p;
|
|
((void) flags);
|
|
|
|
ret = polarssl_snprintf( p, n, "depth %d - serial ", certificate_depth );
|
|
SAFE_SNPRINTF;
|
|
|
|
ret = x509_serial_gets( p, n, &crt->serial );
|
|
SAFE_SNPRINTF;
|
|
|
|
ret = polarssl_snprintf( p, n, " - subject " );
|
|
SAFE_SNPRINTF;
|
|
|
|
ret = x509_dn_gets( p, n, &crt->subject );
|
|
SAFE_SNPRINTF;
|
|
|
|
ret = polarssl_snprintf( p, n, "\n" );
|
|
SAFE_SNPRINTF;
|
|
|
|
ctx->p = p;
|
|
|
|
return( 0 );
|
|
}
|
|
#endif /* POLARSSL_X509_CRT_PARSE_C */
|
|
/* END_HEADER */
|
|
|
|
/* BEGIN_DEPENDENCIES
|
|
* depends_on:POLARSSL_BIGNUM_C
|
|
* END_DEPENDENCIES
|
|
*/
|
|
|
|
/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_PARSE_C */
|
|
void x509_cert_info( char *crt_file, char *result_str )
|
|
{
|
|
x509_crt crt;
|
|
char buf[2000];
|
|
int res;
|
|
|
|
x509_crt_init( &crt );
|
|
memset( buf, 0, 2000 );
|
|
|
|
TEST_ASSERT( x509_crt_parse_file( &crt, crt_file ) == 0 );
|
|
res = x509_crt_info( buf, 2000, "", &crt );
|
|
|
|
TEST_ASSERT( res != -1 );
|
|
TEST_ASSERT( res != -2 );
|
|
|
|
TEST_ASSERT( strcmp( buf, result_str ) == 0 );
|
|
|
|
exit:
|
|
x509_crt_free( &crt );
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRL_PARSE_C */
|
|
void x509_crl_info( char *crl_file, char *result_str )
|
|
{
|
|
x509_crl crl;
|
|
char buf[2000];
|
|
int res;
|
|
|
|
x509_crl_init( &crl );
|
|
memset( buf, 0, 2000 );
|
|
|
|
TEST_ASSERT( x509_crl_parse_file( &crl, crl_file ) == 0 );
|
|
res = x509_crl_info( buf, 2000, "", &crl );
|
|
|
|
TEST_ASSERT( res != -1 );
|
|
TEST_ASSERT( res != -2 );
|
|
|
|
TEST_ASSERT( strcmp( buf, result_str ) == 0 );
|
|
|
|
exit:
|
|
x509_crl_free( &crl );
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CSR_PARSE_C */
|
|
void x509_csr_info( char *csr_file, char *result_str )
|
|
{
|
|
x509_csr csr;
|
|
char buf[2000];
|
|
int res;
|
|
|
|
x509_csr_init( &csr );
|
|
memset( buf, 0, 2000 );
|
|
|
|
TEST_ASSERT( x509_csr_parse_file( &csr, csr_file ) == 0 );
|
|
res = x509_csr_info( buf, 2000, "", &csr );
|
|
|
|
TEST_ASSERT( res != -1 );
|
|
TEST_ASSERT( res != -2 );
|
|
|
|
TEST_ASSERT( strcmp( buf, result_str ) == 0 );
|
|
|
|
exit:
|
|
x509_csr_free( &csr );
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE depends_on:POLARSSL_X509_CRT_PARSE_C */
|
|
void x509_verify_info( int flags, char *prefix, char *result_str )
|
|
{
|
|
char buf[2000];
|
|
int res;
|
|
|
|
memset( buf, 0, sizeof( buf ) );
|
|
|
|
res = x509_crt_verify_info( buf, sizeof( buf ), prefix, flags );
|
|
|
|
TEST_ASSERT( res >= 0 );
|
|
|
|
TEST_ASSERT( strcmp( buf, result_str ) == 0 );
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_PARSE_C:POLARSSL_X509_CRL_PARSE_C */
|
|
void x509_verify( char *crt_file, char *ca_file, char *crl_file,
|
|
char *cn_name_str, int result, int flags_result,
|
|
char *verify_callback )
|
|
{
|
|
x509_crt crt;
|
|
x509_crt ca;
|
|
x509_crl crl;
|
|
int flags = 0;
|
|
int res;
|
|
int (*f_vrfy)(void *, x509_crt *, int, int *) = NULL;
|
|
char * cn_name = NULL;
|
|
|
|
x509_crt_init( &crt );
|
|
x509_crt_init( &ca );
|
|
x509_crl_init( &crl );
|
|
|
|
if( strcmp( cn_name_str, "NULL" ) != 0 )
|
|
cn_name = cn_name_str;
|
|
|
|
if( strcmp( verify_callback, "NULL" ) == 0 )
|
|
f_vrfy = NULL;
|
|
else if( strcmp( verify_callback, "verify_none" ) == 0 )
|
|
f_vrfy = verify_none;
|
|
else if( strcmp( verify_callback, "verify_all" ) == 0 )
|
|
f_vrfy = verify_all;
|
|
else
|
|
TEST_ASSERT( "No known verify callback selected" == 0 );
|
|
|
|
TEST_ASSERT( x509_crt_parse_file( &crt, crt_file ) == 0 );
|
|
TEST_ASSERT( x509_crt_parse_file( &ca, ca_file ) == 0 );
|
|
TEST_ASSERT( x509_crl_parse_file( &crl, crl_file ) == 0 );
|
|
|
|
res = x509_crt_verify( &crt, &ca, &crl, cn_name, &flags, f_vrfy, NULL );
|
|
|
|
TEST_ASSERT( res == ( result ) );
|
|
TEST_ASSERT( flags == ( flags_result ) );
|
|
|
|
exit:
|
|
x509_crt_free( &crt );
|
|
x509_crt_free( &ca );
|
|
x509_crl_free( &crl );
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_PARSE_C */
|
|
void x509_verify_callback( char *crt_file, char *ca_file,
|
|
int exp_ret, char *exp_vrfy_out )
|
|
{
|
|
int ret;
|
|
x509_crt crt;
|
|
x509_crt ca;
|
|
int flags = 0;
|
|
verify_print_context vrfy_ctx;
|
|
|
|
x509_crt_init( &crt );
|
|
x509_crt_init( &ca );
|
|
verify_print_init( &vrfy_ctx );
|
|
|
|
TEST_ASSERT( x509_crt_parse_file( &crt, crt_file ) == 0 );
|
|
TEST_ASSERT( x509_crt_parse_file( &ca, ca_file ) == 0 );
|
|
|
|
ret = x509_crt_verify( &crt, &ca, NULL, NULL, &flags,
|
|
verify_print, &vrfy_ctx );
|
|
|
|
TEST_ASSERT( ret == exp_ret );
|
|
TEST_ASSERT( strcmp( vrfy_ctx.buf, exp_vrfy_out ) == 0 );
|
|
|
|
exit:
|
|
x509_crt_free( &crt );
|
|
x509_crt_free( &ca );
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_C */
|
|
void x509_dn_gets( char *crt_file, char *entity, char *result_str )
|
|
{
|
|
x509_crt crt;
|
|
char buf[2000];
|
|
int res = 0;
|
|
|
|
x509_crt_init( &crt );
|
|
memset( buf, 0, 2000 );
|
|
|
|
TEST_ASSERT( x509_crt_parse_file( &crt, crt_file ) == 0 );
|
|
if( strcmp( entity, "subject" ) == 0 )
|
|
res = x509_dn_gets( buf, 2000, &crt.subject );
|
|
else if( strcmp( entity, "issuer" ) == 0 )
|
|
res = x509_dn_gets( buf, 2000, &crt.issuer );
|
|
else
|
|
TEST_ASSERT( "Unknown entity" == 0 );
|
|
|
|
TEST_ASSERT( res != -1 );
|
|
TEST_ASSERT( res != -2 );
|
|
|
|
TEST_ASSERT( strcmp( buf, result_str ) == 0 );
|
|
|
|
exit:
|
|
x509_crt_free( &crt );
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_C */
|
|
void x509_time_expired( char *crt_file, char *entity, int result )
|
|
{
|
|
x509_crt crt;
|
|
|
|
x509_crt_init( &crt );
|
|
|
|
TEST_ASSERT( x509_crt_parse_file( &crt, crt_file ) == 0 );
|
|
|
|
if( strcmp( entity, "valid_from" ) == 0 )
|
|
TEST_ASSERT( x509_time_expired( &crt.valid_from ) == result );
|
|
else if( strcmp( entity, "valid_to" ) == 0 )
|
|
TEST_ASSERT( x509_time_expired( &crt.valid_to ) == result );
|
|
else
|
|
TEST_ASSERT( "Unknown entity" == 0 );
|
|
|
|
exit:
|
|
x509_crt_free( &crt );
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_C */
|
|
void x509_time_future( char *crt_file, char *entity, int result )
|
|
{
|
|
x509_crt crt;
|
|
|
|
x509_crt_init( &crt );
|
|
|
|
TEST_ASSERT( x509_crt_parse_file( &crt, crt_file ) == 0 );
|
|
|
|
if( strcmp( entity, "valid_from" ) == 0 )
|
|
TEST_ASSERT( x509_time_future( &crt.valid_from ) == result );
|
|
else if( strcmp( entity, "valid_to" ) == 0 )
|
|
TEST_ASSERT( x509_time_future( &crt.valid_to ) == result );
|
|
else
|
|
TEST_ASSERT( "Unknown entity" == 0 );
|
|
|
|
exit:
|
|
x509_crt_free( &crt );
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE depends_on:POLARSSL_X509_CRT_PARSE_C:POLARSSL_FS_IO */
|
|
void x509parse_crt_file( char *crt_file, int result )
|
|
{
|
|
x509_crt crt;
|
|
|
|
x509_crt_init( &crt );
|
|
|
|
TEST_ASSERT( x509_crt_parse_file( &crt, crt_file ) == result );
|
|
|
|
exit:
|
|
x509_crt_free( &crt );
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE depends_on:POLARSSL_X509_CRT_PARSE_C */
|
|
void x509parse_crt( char *crt_data, char *result_str, int result )
|
|
{
|
|
x509_crt crt;
|
|
unsigned char buf[2000];
|
|
unsigned char output[2000];
|
|
int data_len, res;
|
|
|
|
x509_crt_init( &crt );
|
|
memset( buf, 0, 2000 );
|
|
memset( output, 0, 2000 );
|
|
|
|
data_len = unhexify( buf, crt_data );
|
|
|
|
TEST_ASSERT( x509_crt_parse( &crt, buf, data_len ) == ( result ) );
|
|
if( ( result ) == 0 )
|
|
{
|
|
res = x509_crt_info( (char *) output, 2000, "", &crt );
|
|
|
|
TEST_ASSERT( res != -1 );
|
|
TEST_ASSERT( res != -2 );
|
|
|
|
TEST_ASSERT( strcmp( (char *) output, result_str ) == 0 );
|
|
}
|
|
|
|
exit:
|
|
x509_crt_free( &crt );
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE depends_on:POLARSSL_X509_CRL_PARSE_C */
|
|
void x509parse_crl( char *crl_data, char *result_str, int result )
|
|
{
|
|
x509_crl crl;
|
|
unsigned char buf[2000];
|
|
unsigned char output[2000];
|
|
int data_len, res;
|
|
|
|
x509_crl_init( &crl );
|
|
memset( buf, 0, 2000 );
|
|
memset( output, 0, 2000 );
|
|
|
|
data_len = unhexify( buf, crl_data );
|
|
|
|
TEST_ASSERT( x509_crl_parse( &crl, buf, data_len ) == ( result ) );
|
|
if( ( result ) == 0 )
|
|
{
|
|
res = x509_crl_info( (char *) output, 2000, "", &crl );
|
|
|
|
TEST_ASSERT( res != -1 );
|
|
TEST_ASSERT( res != -2 );
|
|
|
|
TEST_ASSERT( strcmp( (char *) output, result_str ) == 0 );
|
|
}
|
|
|
|
exit:
|
|
x509_crl_free( &crl );
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE depends_on:POLARSSL_X509_CSR_PARSE_C */
|
|
void x509_csr_parse( char *csr_der_hex, char *ref_out, int ref_ret )
|
|
{
|
|
x509_csr csr;
|
|
unsigned char *csr_der = NULL;
|
|
char my_out[1000];
|
|
size_t csr_der_len;
|
|
int my_ret;
|
|
|
|
x509_csr_init( &csr );
|
|
memset( my_out, 0, sizeof( my_out ) );
|
|
csr_der = unhexify_alloc( csr_der_hex, &csr_der_len );
|
|
|
|
my_ret = x509_csr_parse_der( &csr, csr_der, csr_der_len );
|
|
TEST_ASSERT( my_ret == ref_ret );
|
|
|
|
if( ref_ret == 0 )
|
|
{
|
|
size_t my_out_len = x509_csr_info( my_out, sizeof( my_out ), "", &csr );
|
|
TEST_ASSERT( my_out_len == strlen( ref_out ) );
|
|
TEST_ASSERT( strcmp( my_out, ref_out ) == 0 );
|
|
}
|
|
|
|
exit:
|
|
x509_csr_free( &csr );
|
|
polarssl_free( csr_der );
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_PARSE_C */
|
|
void x509_crt_parse_path( char *crt_path, int ret, int nb_crt )
|
|
{
|
|
x509_crt chain, *cur;
|
|
int i;
|
|
|
|
x509_crt_init( &chain );
|
|
|
|
TEST_ASSERT( x509_crt_parse_path( &chain, crt_path ) == ret );
|
|
|
|
/* Check how many certs we got */
|
|
for( i = 0, cur = &chain; cur != NULL; cur = cur->next )
|
|
if( cur->raw.p != NULL )
|
|
i++;
|
|
|
|
TEST_ASSERT( i == nb_crt );
|
|
|
|
exit:
|
|
x509_crt_free( &chain );
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE depends_on:POLARSSL_X509_USE_C */
|
|
void x509_oid_desc( char *oid_str, char *ref_desc )
|
|
{
|
|
x509_buf oid;
|
|
const char *desc = NULL;
|
|
unsigned char buf[20];
|
|
int ret;
|
|
|
|
memset( buf, 0, sizeof buf );
|
|
|
|
oid.tag = ASN1_OID;
|
|
oid.len = unhexify( buf, oid_str );
|
|
oid.p = buf;
|
|
|
|
ret = oid_get_extended_key_usage( &oid, &desc );
|
|
|
|
if( strcmp( ref_desc, "notfound" ) == 0 )
|
|
{
|
|
TEST_ASSERT( ret != 0 );
|
|
TEST_ASSERT( desc == NULL );
|
|
}
|
|
else
|
|
{
|
|
TEST_ASSERT( ret == 0 );
|
|
TEST_ASSERT( desc != NULL );
|
|
TEST_ASSERT( strcmp( desc, ref_desc ) == 0 );
|
|
}
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE depends_on:POLARSSL_X509_USE_C */
|
|
void x509_oid_numstr( char *oid_str, char *numstr, int blen, int ret )
|
|
{
|
|
x509_buf oid;
|
|
unsigned char oid_buf[20];
|
|
char num_buf[100];
|
|
|
|
memset( oid_buf, 0x00, sizeof oid_buf );
|
|
memset( num_buf, 0x2a, sizeof num_buf );
|
|
|
|
oid.tag = ASN1_OID;
|
|
oid.len = unhexify( oid_buf, oid_str );
|
|
oid.p = oid_buf;
|
|
|
|
TEST_ASSERT( (size_t) blen <= sizeof num_buf );
|
|
|
|
TEST_ASSERT( oid_get_numeric_string( num_buf, blen, &oid ) == ret );
|
|
|
|
if( ret >= 0 )
|
|
{
|
|
TEST_ASSERT( num_buf[ret] == 0 );
|
|
TEST_ASSERT( strcmp( num_buf, numstr ) == 0 );
|
|
}
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_PARSE_C:POLARSSL_X509_CHECK_KEY_USAGE */
|
|
void x509_check_key_usage( char *crt_file, int usage, int ret )
|
|
{
|
|
x509_crt crt;
|
|
|
|
x509_crt_init( &crt );
|
|
|
|
TEST_ASSERT( x509_crt_parse_file( &crt, crt_file ) == 0 );
|
|
|
|
TEST_ASSERT( x509_crt_check_key_usage( &crt, usage ) == ret );
|
|
|
|
exit:
|
|
x509_crt_free( &crt );
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_PARSE_C:POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE */
|
|
void x509_check_extended_key_usage( char *crt_file, char *usage_hex, int ret )
|
|
{
|
|
x509_crt crt;
|
|
char oid[50];
|
|
size_t len;
|
|
|
|
x509_crt_init( &crt );
|
|
|
|
len = unhexify( (unsigned char *) oid, usage_hex );
|
|
|
|
TEST_ASSERT( x509_crt_parse_file( &crt, crt_file ) == 0 );
|
|
|
|
TEST_ASSERT( x509_crt_check_extended_key_usage( &crt, oid, len ) == ret );
|
|
|
|
exit:
|
|
x509_crt_free( &crt );
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE depends_on:POLARSSL_X509_CRT_PARSE_C:POLARSSL_X509_RSASSA_PSS_SUPPORT */
|
|
void x509_parse_rsassa_pss_params( char *hex_params, int params_tag,
|
|
int ref_msg_md, int ref_mgf_md,
|
|
int ref_salt_len, int ref_ret )
|
|
{
|
|
int my_ret;
|
|
x509_buf params;
|
|
md_type_t my_msg_md, my_mgf_md;
|
|
int my_salt_len;
|
|
|
|
params.p = unhexify_alloc( hex_params, ¶ms.len );
|
|
params.tag = params_tag;
|
|
|
|
my_ret = x509_get_rsassa_pss_params( ¶ms, &my_msg_md, &my_mgf_md,
|
|
&my_salt_len );
|
|
|
|
TEST_ASSERT( my_ret == ref_ret );
|
|
|
|
if( ref_ret == 0 )
|
|
{
|
|
TEST_ASSERT( my_msg_md == (md_type_t) ref_msg_md );
|
|
TEST_ASSERT( my_mgf_md == (md_type_t) ref_mgf_md );
|
|
TEST_ASSERT( my_salt_len == ref_salt_len );
|
|
}
|
|
|
|
exit:
|
|
polarssl_free( params.p );
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE depends_on:POLARSSL_X509_CRT_PARSE_C:POLARSSL_SELF_TEST */
|
|
void x509_selftest()
|
|
{
|
|
TEST_ASSERT( x509_self_test( 0 ) == 0 );
|
|
}
|
|
/* END_CASE */
|