mbedtls/tests
Hanno Becker 2f472140f9 Always return a high-level error code from X.509 module
Some functions within the X.509 module return an ASN.1 low level
error code where instead this error code should be wrapped by a
high-level X.509 error code as in the bulk of the module.

Specifically, the following functions are affected:
- mbedtls_x509_get_ext()
- x509_get_version()
- x509_get_uid()

This commit modifies these functions to always return an
X.509 high level error code.

Care has to be taken when adapting `mbetls_x509_get_ext()`:
Currently, the callers `mbedtls_x509_crt_ext()` treat the
return code `MBEDTLS_ERR_ASN1_UNEXPECTED_TAG` specially to
gracefully detect and continue if the extension structure is not
present. Wrapping the ASN.1 error with
`MBEDTLS_ERR_X509_INVALID_EXTENSIONS` and adapting the check
accordingly would mean that an unexpected tag somewhere
down the extension parsing would be ignored by the caller.

The way out of this is the following: Luckily, the extension
structure is always the last field in the surrounding structure,
so if there is some data remaining, it must be an Extension
structure, so we don't need to deal with a tag mismatch gracefully
in the first place.

We may therefore wrap the return code from the initial call to
`mbedtls_asn1_get_tag()` in `mbedtls_x509_get_ext()` by
`MBEDTLS_ERR_X509_INVALID_EXTENSIONS` and simply remove
the special treatment of `MBEDTLS_ERR_ASN1_UNEXPECTED_TAG`
in the callers `x509_crl_get_ext()` and `x509_crt_get_ext()`.

This renders `mbedtls_x509_get_ext()` unsuitable if it ever
happened that an Extension structure is optional and does not
occur at the end of its surrounding structure, but for CRTs
and CRLs, it's fine.

The following tests need to be adapted:
- "TBSCertificate v3, issuerID wrong tag"
  The issuerID is optional, so if we look for its presence
  but find a different tag, we silently continue and try
  parsing the subjectID, and then the extensions. The tag '00'
  used in this test doesn't match either of these, and the
  previous code would hence return LENGTH_MISMATCH after
  unsucessfully trying issuerID, subjectID and Extensions.
  With the new code, any data remaining after issuerID and
  subjectID _must_ be Extension data, so we fail with
  UNEXPECTED_TAG when trying to parse the Extension data.
- "TBSCertificate v3, UIDs, invalid length"
  The test hardcodes the expectation of
  MBEDTLS_ERR_ASN1_INVALID_LENGTH, which needs to be
  wrapped in MBEDTLS_ERR_X509_INVALID_FORMAT now.

Fixes #2431.
2019-06-04 14:01:10 +01:00
..
.jenkins Add Jenkinsfile for PR job 2018-10-19 15:25:10 +01:00
data_files Add MD[245] test CRTs to tree 2019-06-03 16:19:46 +01:00
git-scripts Add doxygen.sh script to git hooks 2018-06-27 17:41:00 +03:00
scripts list-symbols.sh: if the build fails, print the build transcript 2019-05-22 19:07:36 +02:00
suites Always return a high-level error code from X.509 module 2019-06-04 14:01:10 +01:00
.gitignore Move some ignore patterns to subdirectories 2015-01-28 15:33:23 +00:00
CMakeLists.txt Merge remote-tracking branch 'origin/pr/2293' into mbedtls-2.16 2019-03-05 16:31:02 +00:00
compat.sh Adjust DES exclude lists in test scripts 2019-03-01 10:30:11 +01:00
Descriptions.txt Add selftest program to the list of tests 2014-04-04 16:33:01 +02:00
Makefile Add a facility to skip running some test suites 2018-12-14 18:29:28 +01:00
ssl-opt.sh Merge remote-tracking branch 'origin/pr/2436' into mbedtls-2.16 2019-03-05 16:26:34 +00:00