Add tests for verify_restartable()
For selection of test cases, see comments added in the commit. It makes the most sense to test with chains using ECC only, so for the chain of length 2 we use server10 -> int-ca3 -> int-ca2 and trust int-ca2 directly. Note: server10.crt was created by copying server10_int3_int-ca2.crt and manually truncating it to remove the intermediates. That base can now be used to create derived certs (without or with a chain) in a programmatic way.
This commit is contained in:
parent
bc3f44ae9c
commit
d19a41d9aa
@ -2069,6 +2069,16 @@ static int x509_crt_check_ee_locally_trusted(
|
||||
* - EE, Ci1, ..., Ciq cannot be continued with a trusted root
|
||||
* -> return that chain with NOT_TRUSTED set on Ciq
|
||||
*
|
||||
* Tests for (aspects of) this function should include at least:
|
||||
* - trusted EE
|
||||
* - EE -> trusted root
|
||||
* - EE -> intermedate CA -> trusted root
|
||||
* - if relevant: EE untrusted
|
||||
* - if relevant: EE -> intermediate, untrusted
|
||||
* with the aspect under test checked at each relevant level (EE, int, root).
|
||||
* For some aspects longer chains are required, but usually length 2 is
|
||||
* enough (but length 1 is not in general).
|
||||
*
|
||||
* Arguments:
|
||||
* - [in] crt: the cert list EE, C1, ..., Cn
|
||||
* - [in] trust_ca: the trusted list R1, ..., Rp
|
||||
|
@ -104,7 +104,7 @@ server7-future.crt: server7.csr $(test_ca_int_rsa1)
|
||||
$(FAKETIME) -f +3653d $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA $(test_ca_int_rsa1) -CAkey test-int-ca.key -set_serial 16 -days 3653 -sha256 -in server7.csr | cat - $(test_ca_int_rsa1) > $@
|
||||
all_final += server7-future.crt
|
||||
server7-badsign.crt: server7.crt $(test_ca_int_rsa1)
|
||||
{ head -n-2 server7.crt; tail -n-2 server7.crt | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; cat test-int-ca.crt; } > server7-badsign.crt
|
||||
{ head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; cat $(test_ca_int_rsa1); } > $@
|
||||
all_final += server7-badsign.crt
|
||||
server7_int-ca-exp.crt: server7.crt test-int-ca-exp.crt
|
||||
cat server7.crt test-int-ca-exp.crt > $@
|
||||
@ -119,7 +119,18 @@ server5-ss-forgeca.crt: server5.key
|
||||
$(FAKETIME) '2015-09-01 14:08:43' $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/CN=mbed TLS Test intermediate CA 3" -set_serial 77 -config $(test_ca_config_file) -extensions noext_ca -days 3650 -sha256 -key $< -out $@
|
||||
all_final += server5-ss-forgeca.crt
|
||||
|
||||
|
||||
server10-badsign.crt: server10.crt
|
||||
{ head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@
|
||||
all_final += server10-badsign.crt
|
||||
server10-bs_int3.pem: server10-badsign.crt test-int-ca3.crt
|
||||
cat server10-badsign.crt test-int-ca3.crt > $@
|
||||
all_final += server10-bs_int3.pem
|
||||
test-int-ca3-badsign.crt: test-int-ca3.crt
|
||||
{ head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@
|
||||
all_final += test-int-ca3-badsign.crt
|
||||
server10_int3-bs.pem: server10.crt test-int-ca3-badsign.crt
|
||||
cat server10.crt test-int-ca3-badsign.crt > $@
|
||||
all_final += server10-bs_int3-bs.pem
|
||||
|
||||
|
||||
################################################################
|
||||
|
@ -21,6 +21,7 @@ Two intermediate CAs are signed by them:
|
||||
|
||||
A third intermediate CA is signed by test-int-ca2.crt:
|
||||
- test-int-ca3.crt "C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3"
|
||||
uses an EC key with NIST P-256, signed by test-int-ca2
|
||||
|
||||
Finally, other CAs for specific purposes:
|
||||
- enco-ca-prstr.pem: has its CN encoded as a printable string, but child cert
|
||||
|
10
tests/data_files/server10-badsign.crt
Normal file
10
tests/data_files/server10-badsign.crt
Normal file
@ -0,0 +1,10 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBWjCCAQCgAwIBAgIBSzAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G
|
||||
A1UEChMIbWJlZCBUTFMxKDAmBgNVBAMTH21iZWQgVExTIFRlc3QgaW50ZXJtZWRp
|
||||
YXRlIENBIDMwHhcNMTUwOTAxMTM0NzU1WhcNMjUwODI5MTM0NzU1WjAUMRIwEAYD
|
||||
VQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXq
|
||||
oZyychmoCRxzrd4Vu96m47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeY
|
||||
Bmskr22rlKjyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM49BAMCA0gAMEUCIQDLc+Io
|
||||
rg8VxEbCgVv8iH+kOIEn9MjhpvKzvwUoV+6rjQIgZU/RXAyc1a+H2+soGfNEIOBQ
|
||||
AzO3pJx7WJAApZuBX10=
|
||||
-----END CERTIFICATE-----
|
22
tests/data_files/server10-bs_int3.pem
Normal file
22
tests/data_files/server10-bs_int3.pem
Normal file
@ -0,0 +1,22 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBWjCCAQCgAwIBAgIBSzAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G
|
||||
A1UEChMIbWJlZCBUTFMxKDAmBgNVBAMTH21iZWQgVExTIFRlc3QgaW50ZXJtZWRp
|
||||
YXRlIENBIDMwHhcNMTUwOTAxMTM0NzU1WhcNMjUwODI5MTM0NzU1WjAUMRIwEAYD
|
||||
VQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXq
|
||||
oZyychmoCRxzrd4Vu96m47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeY
|
||||
Bmskr22rlKjyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM49BAMCA0gAMEUCIQDLc+Io
|
||||
rg8VxEbCgVv8iH+kOIEn9MjhpvKzvwUoV+6rjQIgZU/RXAyc1a+H2+soGfNEIOBQ
|
||||
AzO3pJx7WJAApZuBX10=
|
||||
-----END CERTIFICATE-----
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBtDCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
|
||||
A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
|
||||
YXRlIEVDIENBMB4XDTE1MDkwMTE0MDg0M1oXDTI1MDgyOTE0MDg0M1owSjELMAkG
|
||||
A1UEBhMCVUsxETAPBgNVBAoTCG1iZWQgVExTMSgwJgYDVQQDEx9tYmVkIFRMUyBU
|
||||
ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
|
||||
732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9
|
||||
2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNo
|
||||
ADBlAjAJRxbGRas3NBmk9MnGWXg7PT1xnRELHRWWIvfLdVQt06l1/xFg3ZuPdQdt
|
||||
Qh7CK80CMQD7wa1o1a8qyDKBfLN636uKmKGga0E+vYXBeFCy9oARBangGCB0B2vt
|
||||
pz590JvGWfM=
|
||||
-----END CERTIFICATE-----
|
10
tests/data_files/server10.crt
Normal file
10
tests/data_files/server10.crt
Normal file
@ -0,0 +1,10 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBWjCCAQCgAwIBAgIBSzAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G
|
||||
A1UEChMIbWJlZCBUTFMxKDAmBgNVBAMTH21iZWQgVExTIFRlc3QgaW50ZXJtZWRp
|
||||
YXRlIENBIDMwHhcNMTUwOTAxMTM0NzU1WhcNMjUwODI5MTM0NzU1WjAUMRIwEAYD
|
||||
VQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXq
|
||||
oZyychmoCRxzrd4Vu96m47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeY
|
||||
Bmskr22rlKjyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM49BAMCA0gAMEUCIQDLc+Io
|
||||
rg8VxEbCgVv8iH+kOIEn9MjhpvKzvwUoV+6rjQIgZU/RXAyc1a+H2+soGfNEIOBQ
|
||||
AzO3pJx7WJAApZuBX1Q=
|
||||
-----END CERTIFICATE-----
|
22
tests/data_files/server10_int3-bs.pem
Normal file
22
tests/data_files/server10_int3-bs.pem
Normal file
@ -0,0 +1,22 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBWjCCAQCgAwIBAgIBSzAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G
|
||||
A1UEChMIbWJlZCBUTFMxKDAmBgNVBAMTH21iZWQgVExTIFRlc3QgaW50ZXJtZWRp
|
||||
YXRlIENBIDMwHhcNMTUwOTAxMTM0NzU1WhcNMjUwODI5MTM0NzU1WjAUMRIwEAYD
|
||||
VQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXq
|
||||
oZyychmoCRxzrd4Vu96m47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeY
|
||||
Bmskr22rlKjyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM49BAMCA0gAMEUCIQDLc+Io
|
||||
rg8VxEbCgVv8iH+kOIEn9MjhpvKzvwUoV+6rjQIgZU/RXAyc1a+H2+soGfNEIOBQ
|
||||
AzO3pJx7WJAApZuBX1Q=
|
||||
-----END CERTIFICATE-----
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBtDCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
|
||||
A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
|
||||
YXRlIEVDIENBMB4XDTE1MDkwMTE0MDg0M1oXDTI1MDgyOTE0MDg0M1owSjELMAkG
|
||||
A1UEBhMCVUsxETAPBgNVBAoTCG1iZWQgVExTMSgwJgYDVQQDEx9tYmVkIFRMUyBU
|
||||
ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
|
||||
732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9
|
||||
2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNo
|
||||
ADBlAjAJRxbGRas3NBmk9MnGWXg7PT1xnRELHRWWIvfLdVQt06l1/xFg3ZuPdQdt
|
||||
Qh7CK80CMQD7wa1o1a8qyDKBfLN636uKmKGga0E+vYXBeFCy9oARBangGCB0B2vt
|
||||
pz590JvGWf0=
|
||||
-----END CERTIFICATE-----
|
12
tests/data_files/test-int-ca3-badsign.crt
Normal file
12
tests/data_files/test-int-ca3-badsign.crt
Normal file
@ -0,0 +1,12 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBtDCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
|
||||
A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
|
||||
YXRlIEVDIENBMB4XDTE1MDkwMTE0MDg0M1oXDTI1MDgyOTE0MDg0M1owSjELMAkG
|
||||
A1UEBhMCVUsxETAPBgNVBAoTCG1iZWQgVExTMSgwJgYDVQQDEx9tYmVkIFRMUyBU
|
||||
ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
|
||||
732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9
|
||||
2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNo
|
||||
ADBlAjAJRxbGRas3NBmk9MnGWXg7PT1xnRELHRWWIvfLdVQt06l1/xFg3ZuPdQdt
|
||||
Qh7CK80CMQD7wa1o1a8qyDKBfLN636uKmKGga0E+vYXBeFCy9oARBangGCB0B2vt
|
||||
pz590JvGWf0=
|
||||
-----END CERTIFICATE-----
|
@ -1806,3 +1806,26 @@ X509 Get time (UTC invalid character in sec)
|
||||
depends_on:MBEDTLS_X509_USE_C
|
||||
x509_get_time:MBEDTLS_ASN1_UTC_TIME:"0011302359n0Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
|
||||
|
||||
X509 cert verify restart: trusted EE, max_ops=0
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
||||
x509_verify_restart:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":0:0:0:0:0
|
||||
|
||||
X509 cert verify restart: no intermediate, max_ops=0
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
||||
x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:0:0:0
|
||||
|
||||
X509 cert verify restart: no intermediate, badsign, max_ops=0
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
||||
x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0
|
||||
|
||||
X509 cert verify restart: one intermediate, max_ops=0
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
|
||||
x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:0:0:0
|
||||
|
||||
X509 cert verify restart: one intermediate, EE badsign, max_ops=0
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
|
||||
x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0
|
||||
|
||||
X509 cert verify restart: one intermediate, int badsign, max_ops=0
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
|
||||
x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0
|
||||
|
@ -261,6 +261,52 @@ void x509_verify_info( int flags, char *prefix, char *result_str )
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECDSA_C */
|
||||
void x509_verify_restart( char *crt_file, char *ca_file,
|
||||
int result, int flags_result,
|
||||
int max_ops, int min_restart, int max_restart )
|
||||
{
|
||||
int ret, cnt_restart;
|
||||
mbedtls_x509_crt_restart_ctx rs_ctx;
|
||||
mbedtls_x509_crt crt;
|
||||
mbedtls_x509_crt ca;
|
||||
uint32_t flags = 0;
|
||||
|
||||
mbedtls_x509_crt_restart_init( &rs_ctx );
|
||||
mbedtls_x509_crt_init( &crt );
|
||||
mbedtls_x509_crt_init( &ca );
|
||||
|
||||
TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 );
|
||||
TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 );
|
||||
|
||||
mbedtls_ecp_set_max_ops( max_ops );
|
||||
|
||||
cnt_restart = 0;
|
||||
do {
|
||||
ret = mbedtls_x509_crt_verify_restartable( &crt, &ca, NULL,
|
||||
&mbedtls_x509_crt_profile_default, NULL, &flags,
|
||||
NULL, NULL, &rs_ctx );
|
||||
} while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart );
|
||||
|
||||
TEST_ASSERT( ret == result );
|
||||
TEST_ASSERT( flags == (uint32_t) flags_result );
|
||||
|
||||
TEST_ASSERT( cnt_restart >= min_restart );
|
||||
TEST_ASSERT( cnt_restart <= max_restart );
|
||||
|
||||
/* Do we leak memory when aborting? */
|
||||
ret = mbedtls_x509_crt_verify_restartable( &crt, &ca, NULL,
|
||||
&mbedtls_x509_crt_profile_default, NULL, &flags,
|
||||
NULL, NULL, &rs_ctx );
|
||||
TEST_ASSERT( ret == result || ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
|
||||
|
||||
exit:
|
||||
mbedtls_x509_crt_restart_free( &rs_ctx );
|
||||
mbedtls_x509_crt_free( &crt );
|
||||
mbedtls_x509_crt_free( &ca );
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C */
|
||||
void x509_verify( char *crt_file, char *ca_file, char *crl_file,
|
||||
char *cn_name_str, int result, int flags_result,
|
||||
|
Loading…
Reference in New Issue
Block a user