From 20e9fad4c14ca7ff3acd6db219fce7abbf3391bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 8 Aug 2013 18:35:29 +0200 Subject: [PATCH 01/28] Add test files for EC cert & crl validation --- tests/data_files/crl-ec-sha224.pem | 10 ++++++++++ tests/data_files/crl-ec-sha256.pem | 10 ++++++++++ tests/data_files/crl-ec-sha384.pem | 10 ++++++++++ tests/data_files/crl-ec-sha512.pem | 10 ++++++++++ tests/data_files/crl-ec.pem | 10 ++++++++++ tests/data_files/server3.crt | 17 +++++++++++++++++ tests/data_files/server3.key | 8 ++++++++ tests/data_files/server4.crt | 15 +++++++++++++++ tests/data_files/server4.key | 16 ++++++++++++++++ tests/data_files/server5-sha224.crt | 13 +++++++++++++ tests/data_files/server5-sha256.crt | 13 +++++++++++++ tests/data_files/server5-sha384.crt | 13 +++++++++++++ tests/data_files/server5-sha512.crt | 13 +++++++++++++ tests/data_files/server5.crt | 13 +++++++++++++ tests/data_files/server5.key | 8 ++++++++ tests/data_files/server6.crt | 13 +++++++++++++ tests/data_files/server6.key | 8 ++++++++ tests/data_files/server6.pem | 13 +++++++++++++ tests/data_files/test-ca2.crt | Bin 238 -> 778 bytes tests/data_files/test-ca2.key | 8 ++++---- tests/suites/test_suite_debug.data | 2 +- 21 files changed, 218 insertions(+), 5 deletions(-) create mode 100644 tests/data_files/crl-ec-sha224.pem create mode 100644 tests/data_files/crl-ec-sha256.pem create mode 100644 tests/data_files/crl-ec-sha384.pem create mode 100644 tests/data_files/crl-ec-sha512.pem create mode 100644 tests/data_files/crl-ec.pem create mode 100644 tests/data_files/server3.crt create mode 100644 tests/data_files/server3.key create mode 100644 tests/data_files/server4.crt create mode 100644 tests/data_files/server4.key create mode 100644 tests/data_files/server5-sha224.crt create mode 100644 tests/data_files/server5-sha256.crt create mode 100644 tests/data_files/server5-sha384.crt create mode 100644 tests/data_files/server5-sha512.crt create mode 100644 tests/data_files/server5.crt create mode 100644 tests/data_files/server5.key create mode 100644 tests/data_files/server6.crt create mode 100644 tests/data_files/server6.key create mode 100644 tests/data_files/server6.pem diff --git a/tests/data_files/crl-ec-sha224.pem b/tests/data_files/crl-ec-sha224.pem new file mode 100644 index 00000000..bae7063c --- /dev/null +++ b/tests/data_files/crl-ec-sha224.pem @@ -0,0 +1,10 @@ +-----BEGIN X509 CRL----- +MIIBUDCB9wIBATAKBggqhkjOPQQDATA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI +UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDgwOTA4 +MDYzOFoXDTIzMDgwNzA4MDYzOFowFDASAgECFw0xMzA4MDkwODA0MDNaoHIwcDBu +BgNVHSMEZzBlgBS8QO+57pq7NjnhLamiuiy7pr0QcaFCpEAwPjELMAkGA1UEBhMC +TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD +IENBggkArUJ5dp5y9uEwCgYIKoZIzj0EAwEDSAAwRQIge0CLFC7Ba9urAcQjRg2y +MlaoNZjFTLfgORXoVIr7qB0CIQD875hm+aual5qW62hMfHcb7W3BoU+vV1D42YyE +sd4POA== +-----END X509 CRL----- diff --git a/tests/data_files/crl-ec-sha256.pem b/tests/data_files/crl-ec-sha256.pem new file mode 100644 index 00000000..cc01f39e --- /dev/null +++ b/tests/data_files/crl-ec-sha256.pem @@ -0,0 +1,10 @@ +-----BEGIN X509 CRL----- +MIIBTjCB9wIBATAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI +UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDgwOTA4 +MDY0NFoXDTIzMDgwNzA4MDY0NFowFDASAgECFw0xMzA4MDkwODA0MDNaoHIwcDBu +BgNVHSMEZzBlgBS8QO+57pq7NjnhLamiuiy7pr0QcaFCpEAwPjELMAkGA1UEBhMC +TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD +IENBggkArUJ5dp5y9uEwCgYIKoZIzj0EAwIDRgAwQwIgZ8GDUEO/f6f6+yCdb6jj +/Sw0bkdVRGinNKBda4J87ksCHySC8j+ijdECxWR6O6Isxl9g47WSf+0tRslvqn0k +D9k= +-----END X509 CRL----- diff --git a/tests/data_files/crl-ec-sha384.pem b/tests/data_files/crl-ec-sha384.pem new file mode 100644 index 00000000..9c74f4d2 --- /dev/null +++ b/tests/data_files/crl-ec-sha384.pem @@ -0,0 +1,10 @@ +-----BEGIN X509 CRL----- +MIIBUDCB9wIBATAKBggqhkjOPQQDAzA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI +UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDgwOTA4 +MDY1MloXDTIzMDgwNzA4MDY1MlowFDASAgECFw0xMzA4MDkwODA0MDNaoHIwcDBu +BgNVHSMEZzBlgBS8QO+57pq7NjnhLamiuiy7pr0QcaFCpEAwPjELMAkGA1UEBhMC +TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD +IENBggkArUJ5dp5y9uEwCgYIKoZIzj0EAwMDSAAwRQIhAJpojagrap1H0VYcCkfs +JK0a304u+NLa4fkL4Qe9dXRaAiB7gx0xZL0ePad7/PiFfsJgIhMrGiRHGTXnK121 +DgSMLw== +-----END X509 CRL----- diff --git a/tests/data_files/crl-ec-sha512.pem b/tests/data_files/crl-ec-sha512.pem new file mode 100644 index 00000000..8d82a8c2 --- /dev/null +++ b/tests/data_files/crl-ec-sha512.pem @@ -0,0 +1,10 @@ +-----BEGIN X509 CRL----- +MIIBUDCB9wIBATAKBggqhkjOPQQDBDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI +UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDgwOTA4 +MDcwMVoXDTIzMDgwNzA4MDcwMVowFDASAgECFw0xMzA4MDkwODA0MDNaoHIwcDBu +BgNVHSMEZzBlgBS8QO+57pq7NjnhLamiuiy7pr0QcaFCpEAwPjELMAkGA1UEBhMC +TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD +IENBggkArUJ5dp5y9uEwCgYIKoZIzj0EAwQDSAAwRQIgYkzK1SMOvmwq2qfkxQ/6 +nWz0QaNSVS589vInbPBrFt8CIQDQFZi4S+L7DN/WUl91o1xS6n9aTGoHOzaQS7Ym +fWUstQ== +-----END X509 CRL----- diff --git a/tests/data_files/crl-ec.pem b/tests/data_files/crl-ec.pem new file mode 100644 index 00000000..5388d7e4 --- /dev/null +++ b/tests/data_files/crl-ec.pem @@ -0,0 +1,10 @@ +-----BEGIN X509 CRL----- +MIIBTTCB9gIBATAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQ +b2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQRcNMTMwODA5MDgw +NjI2WhcNMjMwODA3MDgwNjI2WjAUMBICAQIXDTEzMDgwOTA4MDQwM1qgcjBwMG4G +A1UdIwRnMGWAFLxA77numrs2OeEtqaK6LLumvRBxoUKkQDA+MQswCQYDVQQGEwJO +TDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMg +Q0GCCQCtQnl2nnL24TAJBgcqhkjOPQQBA0cAMEQCIDbClXv2qJc1OgDtaxLWogdO +5x51dupuJ8N+Oa2S1aPJAiBJWFhnRZRvqVRMhkJ5NQquR+crofroBOOrrdmlHvC3 ++g== +-----END X509 CRL----- diff --git a/tests/data_files/server3.crt b/tests/data_files/server3.crt new file mode 100644 index 00000000..ed0d696b --- /dev/null +++ b/tests/data_files/server3.crt @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICojCCAYqgAwIBAgIBDTANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTMwODA5MDkxNzAzWhcNMjMwODA3MDkxNzAzWjA0MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBJMBMGByqGSM49AgEG +CCqGSM49AwEBAzIABH0AoQyUhPABS38y67uEVs4O3RXmKKrBdUR7/L2QPB8EC2p5 +fQcsej6EFasvlTdJ/6OBkjCBjzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTkF2s2sgaJ +OtleQ7bgZH2Hq33eNzBjBgNVHSMEXDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/ +pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQ +b2xhclNTTCBUZXN0IENBggEAMA0GCSqGSIb3DQEBBQUAA4IBAQBjmSIjGKD1eH5W +4bl2MXfNIsTwc2vv/MAAhBzBEbTXd3T37+zAGPGjKncvTB+oufUVRGkoKbfoC6Jm +DYSEUuxtnUZOko/C//XlCEtK0TuS2aLEqF3gJjBJTCfthEdAhJCtmPAQDCzeKsdx +CoOtH0NQx6Xl64oDt2wYSQNWUTGLPfRpdsVEvBHhHYATQijkl2ZH8BDjsYcBicrS +qmCeN+0T1B9vrOQVEZe+fwgzVL38n8lkJZNPIbdovA9WLHwXAEzPv4la3w0qh4Tb +kSb8HtILl4I474QxrFywylyXR/p2znPleRIRgB5HtUp9tLSWkB0bwMlqQlg2EHXu +CAQ1sXmQ +-----END CERTIFICATE----- diff --git a/tests/data_files/server3.key b/tests/data_files/server3.key new file mode 100644 index 00000000..44792583 --- /dev/null +++ b/tests/data_files/server3.key @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBAQ== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MF8CAQEEGItTogpE7AOnjvYuTqm+9OabmsX02XKIAqAKBggqhkjOPQMBAaE0AzIA +BH0AoQyUhPABS38y67uEVs4O3RXmKKrBdUR7/L2QPB8EC2p5fQcsej6EFasvlTdJ +/w== +-----END EC PRIVATE KEY----- diff --git a/tests/data_files/server4.crt b/tests/data_files/server4.crt new file mode 100644 index 00000000..ccebbd87 --- /dev/null +++ b/tests/data_files/server4.crt @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICRDCCAeugAwIBAgIBBDAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD +VQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAeFw0x +MzA4MDkwNzU3NTdaFw0yMzA4MDcwNzU3NTdaMDQxCzAJBgNVBAYTAk5MMREwDwYD +VQQKEwhQb2xhclNTTDESMBAGA1UEAxMJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEB +AQUAA4GNADCBiQKBgQCrySYRCWA2hMyRyGXtO58nVCboGjDXfw+T78yfzrQUFMmG +sMsrjnVriz8TboJla9G5l0BO/KVInrs4X5CBJkAy1TZoJy8QJoYwfDFXQ+x2hH9l +23BF0Mom1frAJl/ju9TzIhqGM2zCFcVHH1ACCxstDp9nqEWN1B0YVW02th8pHwID +AQABo4GdMIGaMAkGA1UdEwQCMAAwHQYDVR0OBBYEFBfZRL1Q6LhG2+zv4wFMS8Yw +taURMG4GA1UdIwRnMGWAFLxA77numrs2OeEtqaK6LLumvRBxoUKkQDA+MQswCQYD +VQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRl +c3QgRUMgQ0GCCQCtQnl2nnL24TAJBgcqhkjOPQQBA0gAMEUCICi0VueSFiU2O5MP +LBPbu0Lsm4kCbWJA34HteefA29wWAiEAne8oWL9ILDpqhuB0wEv5PpKMuXLC2A1e +ATV35ATh3EM= +-----END CERTIFICATE----- diff --git a/tests/data_files/server4.key b/tests/data_files/server4.key new file mode 100644 index 00000000..ba6cf23c --- /dev/null +++ b/tests/data_files/server4.key @@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAKvJJhEJYDaEzJHI +Ze07nydUJugaMNd/D5PvzJ/OtBQUyYawyyuOdWuLPxNugmVr0bmXQE78pUieuzhf +kIEmQDLVNmgnLxAmhjB8MVdD7HaEf2XbcEXQyibV+sAmX+O71PMiGoYzbMIVxUcf +UAILGy0On2eoRY3UHRhVbTa2HykfAgMBAAECgYALAPmFQdp944fPFs0gox8Qv902 +JOdYBnWS/ltXKUBzwNkf3ZdGFPwEhYjmz79ei8eFYeDmrlxQCIrpk4WIIFEgVZZA +DRFZSQDIm6i+KSKWX6dFG/ot6VBzahKX24TUNuPhTrYUb+vkqxifbN/ItXcfcG2Z +HB7AZl2RgRbeJGI/IQJBANJCx2dkCIKsrC21cAuq+fbxtSdzGho4hF1jsDHOjoCh +x53BCivk1tL0kLcmLPbJnH2KvzTV4YrizAoGKFneiokCQQDRJ7pnKabHs9qhF6kl +6m9dxAoGmeZY4RwodcVOqAjHFeMI9eSNLpsxava2RJFQVagCzwuft5lvhqeaxxZ0 +nwxnAkBFcKCCWNsmrPhAMEfM0q6zC6iUWsMoHbo5TY8HI/yUJtnSE8rULEN2cCbL +FeSLrJHuNEBppqlSQQy50sbIx2JhAkEAug8ZZ0RKNUTtrHib5DrUrxkBwjWOEGrQ +3b1GtF4O0OvLd+EmW+Gl9SQuLJ56lnhcaYM91+s/91JWLv4EH+KM6QJADR52KML6 +0IvPiOv8i98U+H5GvYT7pla+F61Y2i/h7M7wpANR8hAwK9IQ2eloeGQ3Fmyedd9l +kHGxNTIgEkw3uQ== +-----END PRIVATE KEY----- diff --git a/tests/data_files/server5-sha224.crt b/tests/data_files/server5-sha224.crt new file mode 100644 index 00000000..1bda4fb3 --- /dev/null +++ b/tests/data_files/server5-sha224.crt @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB7jCCAZWgAwIBAgIBBjAKBggqhkjOPQQDATA+MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN +MTMwODA5MDgwODEyWhcNMjMwODA3MDgwODEyWjA0MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBJMBMGByqGSM49AgEG +CCqGSM49AwEBAzIABMtC4d2X4RMAYgvI5iXxIPDRsQg6hxLc/oT4GLN+4Q8/cEzq +GPgiQ7RFHA3nYBQqaqOBnTCBmjAJBgNVHRMEAjAAMB0GA1UdDgQWBBSiLQC2KLTc +4nHwT3ey8BE7ZGJnQTBuBgNVHSMEZzBlgBS8QO+57pq7NjnhLamiuiy7pr0QcaFC +pEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQ +b2xhcnNzbCBUZXN0IEVDIENBggkArUJ5dp5y9uEwCgYIKoZIzj0EAwEDRwAwRAIg +Xm1nvMzdlO+q5tGATM/IPZxuWSZQqFqwqqdlDEe2OCcCIEbPknZFIjopDpOBMSuU +k+VDnNYzQajkdeM9T5XqaX6B +-----END CERTIFICATE----- diff --git a/tests/data_files/server5-sha256.crt b/tests/data_files/server5-sha256.crt new file mode 100644 index 00000000..43ac60aa --- /dev/null +++ b/tests/data_files/server5-sha256.crt @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB7zCCAZWgAwIBAgIBBzAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN +MTMwODA5MDgwODE3WhcNMjMwODA3MDgwODE3WjA0MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBJMBMGByqGSM49AgEG +CCqGSM49AwEBAzIABMtC4d2X4RMAYgvI5iXxIPDRsQg6hxLc/oT4GLN+4Q8/cEzq +GPgiQ7RFHA3nYBQqaqOBnTCBmjAJBgNVHRMEAjAAMB0GA1UdDgQWBBSiLQC2KLTc +4nHwT3ey8BE7ZGJnQTBuBgNVHSMEZzBlgBS8QO+57pq7NjnhLamiuiy7pr0QcaFC +pEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQ +b2xhcnNzbCBUZXN0IEVDIENBggkArUJ5dp5y9uEwCgYIKoZIzj0EAwIDSAAwRQIh +ALfqO3j3gA18v/MG+s5CJfNGBeeRIttASyiO3FOiZUfeAiBoid6STq5AvS1c9Olm +Vk7wB2zYU9v6sSoR99csMz4TTQ== +-----END CERTIFICATE----- diff --git a/tests/data_files/server5-sha384.crt b/tests/data_files/server5-sha384.crt new file mode 100644 index 00000000..cb727e7c --- /dev/null +++ b/tests/data_files/server5-sha384.crt @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB7zCCAZWgAwIBAgIBCDAKBggqhkjOPQQDAzA+MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN +MTMwODA5MDgwODI1WhcNMjMwODA3MDgwODI1WjA0MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBJMBMGByqGSM49AgEG +CCqGSM49AwEBAzIABMtC4d2X4RMAYgvI5iXxIPDRsQg6hxLc/oT4GLN+4Q8/cEzq +GPgiQ7RFHA3nYBQqaqOBnTCBmjAJBgNVHRMEAjAAMB0GA1UdDgQWBBSiLQC2KLTc +4nHwT3ey8BE7ZGJnQTBuBgNVHSMEZzBlgBS8QO+57pq7NjnhLamiuiy7pr0QcaFC +pEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQ +b2xhcnNzbCBUZXN0IEVDIENBggkArUJ5dp5y9uEwCgYIKoZIzj0EAwMDSAAwRQIh +ANRFz89Cp8ohvDHX94h+pftXR34mhGqzzi3xidVj1Sg8AiBOv+ChIGVXGmM3RFvj +kOaH0pCTLJQEpIAj5jlaCw9tDA== +-----END CERTIFICATE----- diff --git a/tests/data_files/server5-sha512.crt b/tests/data_files/server5-sha512.crt new file mode 100644 index 00000000..44f4041f --- /dev/null +++ b/tests/data_files/server5-sha512.crt @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB7zCCAZWgAwIBAgIBCTAKBggqhkjOPQQDBDA+MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN +MTMwODA5MDgwODMyWhcNMjMwODA3MDgwODMyWjA0MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBJMBMGByqGSM49AgEG +CCqGSM49AwEBAzIABMtC4d2X4RMAYgvI5iXxIPDRsQg6hxLc/oT4GLN+4Q8/cEzq +GPgiQ7RFHA3nYBQqaqOBnTCBmjAJBgNVHRMEAjAAMB0GA1UdDgQWBBSiLQC2KLTc +4nHwT3ey8BE7ZGJnQTBuBgNVHSMEZzBlgBS8QO+57pq7NjnhLamiuiy7pr0QcaFC +pEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQ +b2xhcnNzbCBUZXN0IEVDIENBggkArUJ5dp5y9uEwCgYIKoZIzj0EAwQDSAAwRQIh +AN5rRzdwAbgA4scB15w5W9DPJ6w7Q7QiEnV7PV5IAXX4AiBAFnODGe6Lk7C5YYYU +dANkEzunQUZNP1qh24SgeqBUNg== +-----END CERTIFICATE----- diff --git a/tests/data_files/server5.crt b/tests/data_files/server5.crt new file mode 100644 index 00000000..b42abf2e --- /dev/null +++ b/tests/data_files/server5.crt @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB7TCCAZSgAwIBAgIBAzAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD +VQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAeFw0x +MzA4MDkwNzU3NDBaFw0yMzA4MDcwNzU3NDBaMDQxCzAJBgNVBAYTAk5MMREwDwYD +VQQKEwhQb2xhclNTTDESMBAGA1UEAxMJbG9jYWxob3N0MEkwEwYHKoZIzj0CAQYI +KoZIzj0DAQEDMgAEy0Lh3ZfhEwBiC8jmJfEg8NGxCDqHEtz+hPgYs37hDz9wTOoY ++CJDtEUcDedgFCpqo4GdMIGaMAkGA1UdEwQCMAAwHQYDVR0OBBYEFKItALYotNzi +cfBPd7LwETtkYmdBMG4GA1UdIwRnMGWAFLxA77numrs2OeEtqaK6LLumvRBxoUKk +QDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1Bv +bGFyc3NsIFRlc3QgRUMgQ0GCCQCtQnl2nnL24TAJBgcqhkjOPQQBA0gAMEUCIE/J +rb3TrYL+z1OsZ2rtCmji7hrPj570X4Qkm1Pb5QEvAiEAiq46sM0+1DSAU0u8FcuL +jbRvSP9W7EJjb9QR3zNYbX4= +-----END CERTIFICATE----- diff --git a/tests/data_files/server5.key b/tests/data_files/server5.key new file mode 100644 index 00000000..3bf8b51d --- /dev/null +++ b/tests/data_files/server5.key @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBAQ== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MF8CAQEEGO82j8OXBoUhVyauCA8XZ288l595u7BXWqAKBggqhkjOPQMBAaE0AzIA +BMtC4d2X4RMAYgvI5iXxIPDRsQg6hxLc/oT4GLN+4Q8/cEzqGPgiQ7RFHA3nYBQq +ag== +-----END EC PRIVATE KEY----- diff --git a/tests/data_files/server6.crt b/tests/data_files/server6.crt new file mode 100644 index 00000000..b5f210f9 --- /dev/null +++ b/tests/data_files/server6.crt @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB7TCCAZSgAwIBAgIBAjAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD +VQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAeFw0x +MzA4MDkwNzU3MjZaFw0yMzA4MDcwNzU3MjZaMDQxCzAJBgNVBAYTAk5MMREwDwYD +VQQKEwhQb2xhclNTTDESMBAGA1UEAxMJbG9jYWxob3N0MEkwEwYHKoZIzj0CAQYI +KoZIzj0DAQEDMgAEE2sIbSZOSEinZM3q2MMOy8egM8Y9BAcsuwxO9UpS1B8nT9u1 +1bvjTh5VQAgJAU+Oo4GdMIGaMAkGA1UdEwQCMAAwHQYDVR0OBBYEFDYreWnU1s1J +AG49ALPOQliFaJahMG4GA1UdIwRnMGWAFLxA77numrs2OeEtqaK6LLumvRBxoUKk +QDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1Bv +bGFyc3NsIFRlc3QgRUMgQ0GCCQCtQnl2nnL24TAJBgcqhkjOPQQBA0gAMEUCICDC +Qiv7ypgB4K9x6mf3UvYmdfLHzRkUHyP2FoY/GnFwAiEAr/WVRRw8tPZq3kKaMApQ +OLFV/1jRkCd3i9vpRfdZjsI= +-----END CERTIFICATE----- diff --git a/tests/data_files/server6.key b/tests/data_files/server6.key new file mode 100644 index 00000000..d23c8f2e --- /dev/null +++ b/tests/data_files/server6.key @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBAQ== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MF8CAQEEGD5d3O02N8S/dSjU0RmPK8h2TEH64xPN6qAKBggqhkjOPQMBAaE0AzIA +BBNrCG0mTkhIp2TN6tjDDsvHoDPGPQQHLLsMTvVKUtQfJ0/btdW7404eVUAICQFP +jg== +-----END EC PRIVATE KEY----- diff --git a/tests/data_files/server6.pem b/tests/data_files/server6.pem new file mode 100644 index 00000000..f78cb104 --- /dev/null +++ b/tests/data_files/server6.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB3TCCAZSgAwIBAgIBGDAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD +VQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJTU0wgVGVzdCBFQyBDQTAeFw0x +MzA4MDgxNjQ0MTBaFw0yMzA4MDYxNjQ0MTBaMDQxCzAJBgNVBAYTAk5MMREwDwYD +VQQKEwhQb2xhclNTTDESMBAGA1UEAxMJbG9jYWxob3N0MEkwEwYHKoZIzj0CAQYI +KoZIzj0DAQEDMgAEE2sIbSZOSEinZM3q2MMOy8egM8Y9BAcsuwxO9UpS1B8nT9u1 +1bvjTh5VQAgJAU+Oo4GdMIGaMAkGA1UdEwQCMAAwHQYDVR0OBBYEFDYreWnU1s1J +AG49ALPOQliFaJahMG4GA1UdIwRnMGWAFNCkRpkIZ/H0utlW6GcwC/zvJRZjoUKk +QDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1Bv +bGFyU1NMIFRlc3QgRUMgQ0GCCQClZwiM/hcKsjAJBgcqhkjOPQQBAzgAMDUCGQDq +PIUaCr8u28R7V0G/TEOklXgPawdiY4ICGDzmBegZHs7BcNwENa1fn4JYUdTPqKwl +LA== +-----END CERTIFICATE----- diff --git a/tests/data_files/test-ca2.crt b/tests/data_files/test-ca2.crt index c47c496bffeb66fdd4df15a927c5090af5d72ef2..bfd3eeff641d2022062cdec37477d203c2d76854 100644 GIT binary patch literal 778 zcmcJN%dVn86h-HJMbC}#(O_SPrygL5RagpKU?ymz-~|Mwl&`-&I!-!0>@%vYoJvmi z+Wr205Ve^2f$7R+Cd1&;2kdK{F-$XzA^u81F$5`_gFV8#V6#iwc+VlX(CuWcxjsce z)iR@t2ZNDE(Vk)JU723pf}>;}z$RdLnu@xy9R!?|ptP*eSwwcG+0A za<)!%J`Q43eb`R5h;)x!GJkM#kX90m3KzDI5NA@SW-7gwlJ>HjY%X1B=<9J+)@5^< zY^HQZRs0BbHO!Ees3-(a`}eZ7m!}nQqF-?b^OvR2h1|H?p^B)d9b2Pn|I%|5u1jdb zQTcQXSMGY&vUNs|Ld@cTny`3{wW6buM5 z;eZ;W-cCg)n}L#%zn&1S&MK$s%=7Mq^3!e-ruJuU89DJ4+k;)}i&}4c+#6X2G0Jrm fgxA(vqK$roRYHDAuI-vi7DqGCp3SC${N46%<#PCa literal 238 zcmXqLd~MLUn2D3&i>OJO-tm`02Api{T5TTZY*`o$_zigtxY?LPS(t@cLQ;!M4CKUl z4UG-V4Gjz|O$-bzqr`cQfLsF$C>K+Mr-3lkI3`9m4zRh*jEu}i3@nP~)8?eckey.Q(X)' (190 bits) is\:\nMyFile(0999)\: 21 37 96 9f ab d4 e3 70 62 4a 0e 1a 33 e3 79 ca\nMyFile(0999)\: b9 50 cc e0 0e f8 c3 c3\nMyFile(0999)\: value of 'crt->eckey.Q(Y)' (192 bits) is\:\nMyFile(0999)\: e2 ad ae b7 27 1c 8f 07 65 9d 65 d3 d7 77 dc f2\nMyFile(0999)\: 16 14 36 3a e4 b6 e6 17\nMyFile(0999)\: value of 'crt->eckey.Q(Z)' (1 bits) is\:\nMyFile(0999)\: 01\n" +debug_print_crt:"data_files/test-ca2.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: AD\:42\:79\:76\:9E\:72\:F6\:E1\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: issued on \: 2013-08-09 07\:49\:46\nMyFile(0999)\: expires on \: 2023-08-07 07\:49\:46\nMyFile(0999)\: signed using \: ECDSA with SHA1\nMyFile(0999)\: EC key size \: 256 bits\nMyFile(0999)\: value of 'crt->eckey.Q(X)' (256 bits) is\:\nMyFile(0999)\: 96 b8 b3 2c fb 29 21 7d be 90 db c2 f8 13 a9 26\nMyFile(0999)\: 7c 35 f6 d9 c0 8b 99 ec 52 7b 7c af a3 7e 28 3c\nMyFile(0999)\: value of 'crt->eckey.Q(Y)' (256 bits) is\:\nMyFile(0999)\: 9b 75 a5 54 5a 62 c8 a9 90 ab 8e e6 86 2b 03 9d\nMyFile(0999)\: 39 9b 65 fd b0 69 f0 a3 a9 2d 9e 14 0e e8 d5 fe\nMyFile(0999)\: value of 'crt->eckey.Q(Z)' (1 bits) is\:\nMyFile(0999)\: 01\n" Debug print mpi #1 debug_print_mpi:16:"01020304050607":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (49 bits) is\:\nMyFile(0999)\: 01 02 03 04 05 06 07\n" From e7f64a8e71443e35685f3c50f62129e92f4c0042 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 9 Aug 2013 10:59:25 +0200 Subject: [PATCH 02/28] Add missing depends to some x509parse tests --- tests/suites/test_suite_x509parse.data | 64 +++++++++++++------------- 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 16d96983..0fff08f2 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -290,132 +290,132 @@ X509 Time Expired #5 depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO x509_time_expired:"data_files/test-ca.crt":"valid_from":1 -X509 Time Expired #6:POLARSSL_FS_IO +X509 Time Expired #6 depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO x509_time_expired:"data_files/test-ca.crt":"valid_to":0 X509 Certificate verification #1 (Revoked Cert, Expired CRL) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED | BADCRL_EXPIRED:"NULL" X509 Certificate verification #2 (Revoked Cert, Expired CRL) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Server 1":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED | BADCRL_EXPIRED:"NULL" X509 Certificate verification #3 (Revoked Cert, Expired CRL, CN Mismatch) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Wrong CN":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED | BADCRL_EXPIRED | BADCERT_CN_MISMATCH:"NULL" X509 Certificate verification #4 (Valid Cert, Expired CRL) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/server2.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCRL_EXPIRED:"NULL" X509 Certificate verification #5 (Revoked Cert) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED:"NULL" X509 Certificate verification #6 (Revoked Cert) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Server 1":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED:"NULL" X509 Certificate verification #7 (Revoked Cert, CN Mismatch) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Wrong CN":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED | BADCERT_CN_MISMATCH:"NULL" X509 Certificate verification #8 (Valid Cert) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/server2.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL" X509 Certificate verification #9 (Not trusted Cert) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL" X509 Certificate verification #10 (Not trusted Cert, Expired CRL) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL" X509 Certificate verification #12 (Valid Cert MD4 Digest) -depends_on:POLARSSL_MD4_C:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_MD4_C:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_md4.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL" X509 Certificate verification #13 (Valid Cert MD5 Digest) -depends_on:POLARSSL_MD5_C:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_MD5_C:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_md5.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL" X509 Certificate verification #14 (Valid Cert SHA1 Digest) -depends_on:POLARSSL_SHA1_C:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_SHA1_C:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL" X509 Certificate verification #15 (Valid Cert SHA224 Digest) -depends_on:POLARSSL_SHA256_C:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_SHA256_C:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_sha224.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL" X509 Certificate verification #16 (Valid Cert SHA256 Digest) -depends_on:POLARSSL_SHA256_C:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_SHA256_C:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_sha256.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL" X509 Certificate verification #17 (Valid Cert SHA384 Digest) -depends_on:POLARSSL_SHA512_C:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_SHA512_C:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_sha384.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL" X509 Certificate verification #18 (Valid Cert SHA512 Digest) -depends_on:POLARSSL_SHA512_C:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_SHA512_C:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL" X509 Certificate verification #19 (Valid Cert, denying callback) -depends_on:POLARSSL_SHA512_C:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_SHA512_C:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_OTHER:"verify_none" X509 Certificate verification #20 (Not trusted Cert, allowing callback) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":0:0:"verify_all" X509 Certificate verification #21 (domain matching wildcard certificate) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.com":0:0:"NULL" X509 Certificate verification #22 (domain not matching wildcard certificate) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.net":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_CN_MISMATCH:"NULL" X509 Certificate verification #23 (domain not matching wildcard certificate) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.com":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_CN_MISMATCH:"NULL" X509 Certificate verification #24 (domain matching CN of multi certificate) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.com":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_CN_MISMATCH:"NULL" X509 Certificate verification #25 (domain matching multi certificate) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.net":0:0:"NULL" X509 Certificate verification #26 (domain not matching multi certificate) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_CN_MISMATCH:"NULL" X509 Certificate verification #27 (domain not matching multi certificate) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"xample.net":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_CN_MISMATCH:"NULL" X509 Certificate verification #27 (domain not matching multi certificate) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"bexample.net":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_CN_MISMATCH:"NULL" X509 Certificate verification #28 (domain not matching wildcard in multi certificate) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.org":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_CN_MISMATCH:"NULL" X509 Certificate verification #29 (domain matching wildcard in multi certificate) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.org":0:0:"NULL" X509 Certificate verification #30 (domain matching multi certificate without CN) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.shotokan-braunschweig.de":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL" X509 Certificate verification #31 (domain not matching multi certificate without CN) -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_CN_MISMATCH + BADCERT_NOT_TRUSTED:"NULL" X509 Parse Selftest From 6009c3ae5e912168f470018734d083480ac68d91 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 9 Aug 2013 11:27:14 +0200 Subject: [PATCH 03/28] Add tests for EC cert and crl validation --- tests/suites/test_suite_x509parse.data | 32 ++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 0fff08f2..259ab50f 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -418,6 +418,38 @@ X509 Certificate verification #31 (domain not matching multi certificate without depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_CN_MISMATCH + BADCERT_NOT_TRUSTED:"NULL" +X509 Certificate verification #33 (Valid, EC cert, RSA CA) +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP192R1_ENABLED +x509_verify:"data_files/server3.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0:0:NULL + +X509 Certificate verification #33 (Valid, RSA cert, EC CA) +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C:POLARSSL_ECP_C:POLARSSL_SHA1_C:POLARSSL_ECP_DP_SECP256R1_ENABLED +x509_verify:"data_files/server4.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":NULL:0:0:NULL + +X509 Certificate verification #34 (Valid, EC cert, EC CA) +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C:POLARSSL_SHA1_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED +x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":NULL:0:0:NULL + +X509 Certificate verification #35 (Revoked, EC CA) +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C:POLARSSL_SHA1_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED +x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":NULL:POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED:NULL + +X509 Certificate verification #36 (Valid, EC CA, SHA224 Digest) +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C:POLARSSL_SHA256_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED +x509_verify:"data_files/server5-sha224.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":NULL:0:0:NULL + +X509 Certificate verification #37 (Valid, EC CA, SHA256 Digest) +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C:POLARSSL_SHA256_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED +x509_verify:"data_files/server5-sha256.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":NULL:0:0:NULL + +X509 Certificate verification #38 (Valid, EC CA, SHA384 Digest) +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C:POLARSSL_SHA512_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED +x509_verify:"data_files/server5-sha384.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":NULL:0:0:NULL + +X509 Certificate verification #39 (Valid, EC CA, SHA512 Digest) +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C:POLARSSL_SHA512_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED +x509_verify:"data_files/server5-sha512.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":NULL:0:0:NULL + X509 Parse Selftest depends_on:POLARSSL_MD5_C:POLARSSL_PEM_C:POLARSSL_SELF_TEST x509_selftest: From b4d69c41f8d1e01bc9a4472d166f575dcd8cce2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 9 Aug 2013 12:30:45 +0200 Subject: [PATCH 04/28] Prepare for EC cert & crl validation --- library/x509parse.c | 82 +++++++++++++++++++++++++++++++-------------- 1 file changed, 56 insertions(+), 26 deletions(-) diff --git a/library/x509parse.c b/library/x509parse.c index 08dc4d0b..12962b21 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -3344,19 +3344,29 @@ static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca, md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash ); - /* EC NOT IMPLEMENTED YET */ - if( ca->pk.type != POLARSSL_PK_RSA ) - return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); - - if( !rsa_pkcs1_verify( pk_rsa( ca->pk ), RSA_PUBLIC, crl_list->sig_md, - 0, hash, crl_list->sig.p ) == 0 ) +#if defined(POLARSSL_RSA_C) + if( ca->pk.type == POLARSSL_PK_RSA ) { - /* - * CRL is not trusted - */ - flags |= BADCRL_NOT_TRUSTED; - break; + if( !rsa_pkcs1_verify( pk_rsa( ca->pk ), RSA_PUBLIC, + crl_list->sig_md, 0, hash, crl_list->sig.p ) == 0 ) + { + /* + * CRL is not trusted + */ + flags |= BADCRL_NOT_TRUSTED; + break; + } } + else +#endif /* POLARSSL_RSA_C */ +#if defined(POLARSSL_ECDSA_C) + if( ca->pk.type == POLARSSL_PK_ECKEY ) { + /* EC NOT IMPLEMENTED YET */ + return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); + } + else +#endif /* POLARSSL_ECDSA_C */ + return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); /* * Check for validity of CRL (Do not drop out) @@ -3467,16 +3477,26 @@ static int x509parse_verify_top( md( md_info, child->tbs.p, child->tbs.len, hash ); - /* EC NOT IMPLEMENTED YET */ - if( trust_ca->pk.type != POLARSSL_PK_RSA ) - return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); - - if( rsa_pkcs1_verify( pk_rsa( trust_ca->pk ), RSA_PUBLIC, child->sig_md, - 0, hash, child->sig.p ) != 0 ) +#if defined(POLARSSL_RSA_C) + if( trust_ca->pk.type == POLARSSL_PK_RSA ) { - trust_ca = trust_ca->next; - continue; + if( rsa_pkcs1_verify( pk_rsa( trust_ca->pk ), RSA_PUBLIC, + child->sig_md, 0, hash, child->sig.p ) != 0 ) + { + trust_ca = trust_ca->next; + continue; + } } + else +#endif /* POLARSSL_RSA_C */ +#if defined(POLARSSL_ECDSA_C) + if( trust_ca->pk.type == POLARSSL_PK_ECKEY ) { + /* EC NOT IMPLEMENTED YET */ + return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); + } + else +#endif /* POLARSSL_ECDSA_C */ + return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); /* * Top of chain is signed by a trusted CA @@ -3547,15 +3567,25 @@ static int x509parse_verify_child( { md( md_info, child->tbs.p, child->tbs.len, hash ); - /* EC NOT IMPLEMENTED YET */ - if( parent->pk.type != POLARSSL_PK_RSA ) - return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); - - if( rsa_pkcs1_verify( pk_rsa( parent->pk ), RSA_PUBLIC, child->sig_md, - 0, hash, child->sig.p ) != 0 ) +#if defined(POLARSSL_RSA_C) + if( parent->pk.type == POLARSSL_PK_RSA ) { - *flags |= BADCERT_NOT_TRUSTED; + if( rsa_pkcs1_verify( pk_rsa( parent->pk ), RSA_PUBLIC, + child->sig_md, 0, hash, child->sig.p ) != 0 ) + { + *flags |= BADCERT_NOT_TRUSTED; + } } + else +#endif /* POLARSSL_RSA_C */ +#if defined(POLARSSL_ECDSA_C) + if( parent->pk.type == POLARSSL_PK_ECKEY ) { + /* EC NOT IMPLEMENTED YET */ + return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); + } + else +#endif /* POLARSSL_ECDSA_C */ + return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); } /* Check trusted CA's CRL for the given crt */ From 211a64c79f496de1a82083f517230e7fd1b009fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 9 Aug 2013 15:04:26 +0200 Subject: [PATCH 05/28] Add eckey to ecdsa conversion in the PK layer --- include/polarssl/ecdsa.h | 2 ++ include/polarssl/pk.h | 31 +++++++++++++++++++++++++++++++ library/pk.c | 36 ++++++++++++++++++++++++++++++++++++ 3 files changed, 69 insertions(+) diff --git a/include/polarssl/ecdsa.h b/include/polarssl/ecdsa.h index d61e82c2..15b90e66 100644 --- a/include/polarssl/ecdsa.h +++ b/include/polarssl/ecdsa.h @@ -31,6 +31,8 @@ /** * \brief ECDSA context structure + * + * \note Purposefully begins with the same members as struct ecp_keypair. */ typedef struct { diff --git a/include/polarssl/pk.h b/include/polarssl/pk.h index df3fc44d..2f700851 100644 --- a/include/polarssl/pk.h +++ b/include/polarssl/pk.h @@ -33,6 +33,10 @@ #include "rsa.h" #endif +#if defined(POLARSSL_ECDSA_C) +#include "ecdsa.h" +#endif + #define POLARSSL_ERR_PK_MALLOC_FAILED -0x2F80 /**< Memory alloation failed. */ #define POLARSSL_ERR_PK_TYPE_MISMATCH -0x2F00 /**< Type mismatch, eg attempt to use a RSA key as EC, or to modify key type */ @@ -107,6 +111,33 @@ void pk_free( pk_context *ctx ); */ int pk_set_type( pk_context *ctx, pk_type_t type ); +#if defined(POLARSSL_ECDSA_C) +/** + * \brief Convert a generic EC key into an ECDSA context + * + * \param ctx Context to convert + * + * \return 0 on success, or + * POLARSSL_ERR_PK_MALLOC_FAILED or + * POLARSSL_ERR_PK_TYPE_MISMATCH. + */ +int pk_ec_to_ecdsa( pk_context *ctx ); + +/** + * \brief Tell if a PK context can be used for ECDSA + * + * \param ctx Context to check + * + * \return 0 if context cannot be used for ECDSA, + * 1 otherwise + */ +static inline int pk_can_ecdsa( pk_context ctx ) +{ + return( ctx.type == POLARSSL_PK_ECKEY || + ctx.type == POLARSSL_PK_ECDSA ); +} +#endif /* POLARSSL_ECDSA_C */ + #if defined(POLARSSL_RSA_C) /** * \brief Wrap a RSA context in a PK context diff --git a/library/pk.c b/library/pk.c index 3755fbcf..c5583c36 100644 --- a/library/pk.c +++ b/library/pk.c @@ -132,6 +132,42 @@ int pk_set_type( pk_context *ctx, pk_type_t type ) return( 0 ); } +#if defined(POLARSSL_ECDSA_C) +/* + * Convert generic EC context to ECDSA + */ +int pk_ec_to_ecdsa( pk_context *ctx ) +{ + ecp_keypair *eckey; + ecdsa_context *ecdsa; + + if( ctx->type == POLARSSL_PK_ECDSA ) + return( 0 ); + + if( ctx->type != POLARSSL_PK_ECKEY ) + return( POLARSSL_ERR_PK_TYPE_MISMATCH ); + + eckey = (ecp_keypair *) ctx->data; + + if( ( ecdsa = polarssl_malloc( sizeof( ecdsa_context ) ) ) == NULL ) + return( POLARSSL_ERR_PK_MALLOC_FAILED ); + + ecdsa_init( ecdsa ); + + /* struct ecdsa_context begins the same as struct ecp_keypair */ + memcpy( ecdsa, eckey, sizeof( ecp_keypair ) ); + + if( ! ctx->dont_free ) + polarssl_free( eckey ); + + ctx->dont_free = 0; + ctx->type = POLARSSL_PK_ECDSA; + ctx->data = ecdsa; + + return( 0 ); +} +#endif /* POLARSSL_ECDSA_C */ + #if defined(POLARSSL_RSA_C) /* * Wrap an RSA context in a PK context From 96d5912088e60d1e822106fac10e70b778a6b1b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 9 Aug 2013 15:12:46 +0200 Subject: [PATCH 06/28] Implement EC cert and crl verification --- library/x509parse.c | 45 ++++++++++++++++++++++++++++++++++++--------- 1 file changed, 36 insertions(+), 9 deletions(-) diff --git a/library/x509parse.c b/library/x509parse.c index 12962b21..a44cf11c 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -3305,6 +3305,7 @@ int x509parse_revoked( const x509_cert *crt, const x509_crl *crl ) static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca, x509_crl *crl_list) { + int ret; int flags = 0; unsigned char hash[POLARSSL_MD_MAX_SIZE]; const md_info_t *md_info; @@ -3360,9 +3361,20 @@ static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca, else #endif /* POLARSSL_RSA_C */ #if defined(POLARSSL_ECDSA_C) - if( ca->pk.type == POLARSSL_PK_ECKEY ) { - /* EC NOT IMPLEMENTED YET */ - return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); + if( pk_can_ecdsa( ca->pk ) ) { + if( ( ret = pk_ec_to_ecdsa( &ca->pk ) ) != 0 ) + return( ret ); + + if( ecdsa_read_signature( (ecdsa_context *) ca->pk.data, + hash, md_info->size, + crl_list->sig.p, crl_list->sig.len ) != 0 ) + { + /* + * CRL is not trusted + */ + flags |= BADCRL_NOT_TRUSTED; + break; + } } else #endif /* POLARSSL_ECDSA_C */ @@ -3490,9 +3502,17 @@ static int x509parse_verify_top( else #endif /* POLARSSL_RSA_C */ #if defined(POLARSSL_ECDSA_C) - if( trust_ca->pk.type == POLARSSL_PK_ECKEY ) { - /* EC NOT IMPLEMENTED YET */ - return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); + if( pk_can_ecdsa( trust_ca->pk ) ) { + if( ( ret = pk_ec_to_ecdsa( &trust_ca->pk ) ) != 0 ) + return( ret ); + + if( ecdsa_read_signature( (ecdsa_context *) trust_ca->pk.data, + hash, md_info->size, + child->sig.p, child->sig.len ) != 0 ) + { + trust_ca = trust_ca->next; + continue; + } } else #endif /* POLARSSL_ECDSA_C */ @@ -3579,9 +3599,16 @@ static int x509parse_verify_child( else #endif /* POLARSSL_RSA_C */ #if defined(POLARSSL_ECDSA_C) - if( parent->pk.type == POLARSSL_PK_ECKEY ) { - /* EC NOT IMPLEMENTED YET */ - return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); + if( pk_can_ecdsa( parent->pk ) ) { + if( ( ret = pk_ec_to_ecdsa( &parent->pk ) ) != 0 ) + return( ret ); + + if( ecdsa_read_signature( (ecdsa_context *) parent->pk.data, + hash, md_info->size, + child->sig.p, child->sig.len ) != 0 ) + { + *flags |= BADCERT_NOT_TRUSTED; + } } else #endif /* POLARSSL_ECDSA_C */ From 6d29ff209bb54093d7adf780653aefbb2029af1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Sat, 10 Aug 2013 09:44:43 +0200 Subject: [PATCH 07/28] Add cert_info tests for EC and mixed certificates --- tests/suites/test_suite_x509parse.data | 50 ++++++++++++++++++++------ 1 file changed, 39 insertions(+), 11 deletions(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 259ab50f..a85a3e8b 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -1,47 +1,75 @@ X509 Certificate information #1 -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C x509_cert_info:"data_files/server1.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2011-02-12 14\:44\:06\nexpires on \: 2021-02-12 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\n" X509 Certificate information #2 -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C x509_cert_info:"data_files/server2.crt":"cert. version \: 3\nserial number \: 02\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2011-02-12 14\:44\:06\nexpires on \: 2021-02-12 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\n" X509 Certificate information #3 -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C x509_cert_info:"data_files/test-ca.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2011-02-12 14\:44\:00\nexpires on \: 2021-02-12 14\:44\:00\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\n" X509 Certificate information MD2 Digest -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C x509_cert_info:"data_files/cert_md2.crt":"cert. version \: 3\nserial number \: 09\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD2\nissued on \: 2009-07-12 10\:56\:59\nexpires on \: 2011-07-12 10\:56\:59\nsigned using \: RSA with MD2\nRSA key size \: 2048 bits\n" X509 Certificate information MD4 Digest -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C x509_cert_info:"data_files/cert_md4.crt":"cert. version \: 3\nserial number \: 05\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD4\nissued on \: 2011-02-12 14\:44\:07\nexpires on \: 2021-02-12 14\:44\:07\nsigned using \: RSA with MD4\nRSA key size \: 2048 bits\n" X509 Certificate information MD5 Digest -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C x509_cert_info:"data_files/cert_md5.crt":"cert. version \: 3\nserial number \: 06\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD5\nissued on \: 2011-02-12 14\:44\:07\nexpires on \: 2021-02-12 14\:44\:07\nsigned using \: RSA with MD5\nRSA key size \: 2048 bits\n" X509 Certificate information SHA1 Digest -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C x509_cert_info:"data_files/cert_sha1.crt":"cert. version \: 3\nserial number \: 07\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA1\nissued on \: 2011-02-12 14\:44\:07\nexpires on \: 2021-02-12 14\:44\:07\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\n" X509 Certificate information SHA224 Digest -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C x509_cert_info:"data_files/cert_sha224.crt":"cert. version \: 3\nserial number \: 08\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA224\nissued on \: 2011-02-12 14\:44\:07\nexpires on \: 2021-02-12 14\:44\:07\nsigned using \: RSA with SHA-224\nRSA key size \: 2048 bits\n" X509 Certificate information SHA256 Digest -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C x509_cert_info:"data_files/cert_sha256.crt":"cert. version \: 3\nserial number \: 09\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA256\nissued on \: 2011-02-12 14\:44\:07\nexpires on \: 2021-02-12 14\:44\:07\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n" X509 Certificate information SHA384 Digest -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C x509_cert_info:"data_files/cert_sha384.crt":"cert. version \: 3\nserial number \: 0A\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA384\nissued on \: 2011-02-12 14\:44\:07\nexpires on \: 2021-02-12 14\:44\:07\nsigned using \: RSA with SHA-384\nRSA key size \: 2048 bits\n" X509 Certificate information SHA512 Digest -depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C x509_cert_info:"data_files/cert_sha512.crt":"cert. version \: 3\nserial number \: 0B\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA512\nissued on \: 2011-02-12 14\:44\:07\nexpires on \: 2021-02-12 14\:44\:07\nsigned using \: RSA with SHA-512\nRSA key size \: 2048 bits\n" +X509 Certificate information EC, SHA1 Digest +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C +x509_cert_info:"data_files/server5.crt":"cert. version \: 3\nserial number \: 03\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 07\:57\:40\nexpires on \: 2023-08-07 07\:57\:40\nsigned using \: ECDSA with SHA1\nEC key size \: 192 bits\n" + +X509 Certificate information EC, SHA224 Digest +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C +x509_cert_info:"data_files/server5-sha224.crt":"cert. version \: 3\nserial number \: 06\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 08\:08\:12\nexpires on \: 2023-08-07 08\:08\:12\nsigned using \: ECDSA with SHA224\nEC key size \: 192 bits\n" + +X509 Certificate information EC, SHA256 Digest +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C +x509_cert_info:"data_files/server5-sha256.crt":"cert. version \: 3\nserial number \: 07\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 08\:08\:17\nexpires on \: 2023-08-07 08\:08\:17\nsigned using \: ECDSA with SHA256\nEC key size \: 192 bits\n" + +X509 Certificate information EC, SHA384 Digest +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C +x509_cert_info:"data_files/server5-sha384.crt":"cert. version \: 3\nserial number \: 08\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 08\:08\:25\nexpires on \: 2023-08-07 08\:08\:25\nsigned using \: ECDSA with SHA384\nEC key size \: 192 bits\n" + +X509 Certificate information EC, SHA512 Digest +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C +x509_cert_info:"data_files/server5-sha512.crt":"cert. version \: 3\nserial number \: 09\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 08\:08\:32\nexpires on \: 2023-08-07 08\:08\:32\nsigned using \: ECDSA with SHA512\nEC key size \: 192 bits\n" + +X509 Certificate information RSA signed by EC +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C +x509_cert_info:"data_files/server4.crt":"cert. version \: 3\nserial number \: 04\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 07\:57\:57\nexpires on \: 2023-08-07 07\:57\:57\nsigned using \: ECDSA with SHA1\nRSA key size \: 1024 bits\n" + +X509 Certificate information EC signed by RSA +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C +x509_cert_info:"data_files/server3.crt":"cert. version \: 3\nserial number \: 0D\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 09\:17\:03\nexpires on \: 2023-08-07 09\:17\:03\nsigned using \: RSA with SHA1\nEC key size \: 192 bits\n" + X509 CRL information #1 depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO x509_crl_info:"data_files/crl_expired.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-20 10\:24\:19\nnext update \: 2011-02-20 11\:24\:19\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA1\n" From 05b9dce20ba37de414f6c463165050ce62b26036 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Sat, 10 Aug 2013 10:19:03 +0200 Subject: [PATCH 08/28] Add tests for crl_info with EC CA --- tests/suites/test_suite_x509parse.data | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index a85a3e8b..72105108 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -106,6 +106,26 @@ X509 CRL Information SHA512 Digest depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO x509_crl_info:"data_files/crl_sha512.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-512\n" +X509 CRL Information EC, SHA1 Digest +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO +x509_crl_info:"data_files/crl-ec.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-08-09 08\:06\:26\nnext update \: 2023-08-07 08\:06\:26\nRevoked certificates\:\nserial number\: 02 revocation date\: 2013-08-09 08\:04\:03\nsigned using \: ECDSA with SHA1\n" + +X509 CRL Information EC, SHA224 Digest +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO +x509_crl_info:"data_files/crl-ec-sha224.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-08-09 08\:06\:38\nnext update \: 2023-08-07 08\:06\:38\nRevoked certificates\:\nserial number\: 02 revocation date\: 2013-08-09 08\:04\:03\nsigned using \: ECDSA with SHA224\n" + +X509 CRL Information EC, SHA256 Digest +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO +x509_crl_info:"data_files/crl-ec-sha256.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-08-09 08\:06\:44\nnext update \: 2023-08-07 08\:06\:44\nRevoked certificates\:\nserial number\: 02 revocation date\: 2013-08-09 08\:04\:03\nsigned using \: ECDSA with SHA256\n" + +X509 CRL Information EC, SHA384 Digest +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO +x509_crl_info:"data_files/crl-ec-sha384.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-08-09 08\:06\:52\nnext update \: 2023-08-07 08\:06\:52\nRevoked certificates\:\nserial number\: 02 revocation date\: 2013-08-09 08\:04\:03\nsigned using \: ECDSA with SHA384\n" + +X509 CRL Information EC, SHA512 Digest +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO +x509_crl_info:"data_files/crl-ec-sha512.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-08-09 08\:07\:01\nnext update \: 2023-08-07 08\:07\:01\nRevoked certificates\:\nserial number\: 02 revocation date\: 2013-08-09 08\:04\:03\nsigned using \: ECDSA with SHA512\n" + X509 Parse RSA Key #1 (No password when required) depends_on:POLARSSL_MD5_C:POLARSSL_PEM_C:POLARSSL_FS_IO x509parse_keyfile_rsa:"data_files/test-ca.key":"NULL":POLARSSL_ERR_X509_PASSWORD_REQUIRED From b4e9ca96504b541205e57af8488cbff63f9f8013 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Sat, 10 Aug 2013 10:52:01 +0200 Subject: [PATCH 09/28] Add some more x509_verify tests - trust chain of depth 0 - invalid signature - trust chain of depth 2 - multiple trusted CA's --- tests/data_files/server2-badsign.crt | 20 ++++++ tests/data_files/server3.key | 3 - tests/data_files/server5-badsign.crt | 13 ++++ tests/data_files/server5.key | 3 - tests/data_files/server6.key | 3 - tests/data_files/server7.crt | 14 ++++ tests/data_files/server7.key | 5 ++ tests/data_files/server7_int-ca.crt | 29 ++++++++ tests/data_files/server8.crt | 13 ++++ tests/data_files/server8.key | 8 +++ tests/data_files/server8_int-ca2.crt | 30 ++++++++ tests/data_files/test-ca2.key | 3 - tests/data_files/test-ca_cat12.crt | 94 ++++++++++++++++++++++++++ tests/data_files/test-ca_cat21.crt | 94 ++++++++++++++++++++++++++ tests/data_files/test-int-ca.crt | 15 ++++ tests/data_files/test-int-ca.key | 16 +++++ tests/data_files/test-int-ca2.crt | 17 +++++ tests/data_files/test-int-ca2.key | 5 ++ tests/suites/test_suite_x509parse.data | 68 ++++++++++++++++--- 19 files changed, 431 insertions(+), 22 deletions(-) create mode 100644 tests/data_files/server2-badsign.crt create mode 100644 tests/data_files/server5-badsign.crt create mode 100644 tests/data_files/server7.crt create mode 100644 tests/data_files/server7.key create mode 100644 tests/data_files/server7_int-ca.crt create mode 100644 tests/data_files/server8.crt create mode 100644 tests/data_files/server8.key create mode 100644 tests/data_files/server8_int-ca2.crt create mode 100644 tests/data_files/test-ca_cat12.crt create mode 100644 tests/data_files/test-ca_cat21.crt create mode 100644 tests/data_files/test-int-ca.crt create mode 100644 tests/data_files/test-int-ca.key create mode 100644 tests/data_files/test-int-ca2.crt create mode 100644 tests/data_files/test-int-ca2.key diff --git a/tests/data_files/server2-badsign.crt b/tests/data_files/server2-badsign.crt new file mode 100644 index 00000000..7e32d3b9 --- /dev/null +++ b/tests/data_files/server2-badsign.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN +owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz +NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM +tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P +hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya +HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD +VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw +FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJxnXClY +oHkbp70cqBrsGXLybA74czbO5RdLEgFs7rHVS9r+c293luS/KdliLScZqAzYVylw +UfRWvKMoWhHYKp3dEIS4xTXk6/5zXxhv9Rw8SGc8qn6vITHk1S1mPevtekgasY5Y +iWQuM3h4YVlRH3HHEMAD1TnAexfXHHDFQGe+Bd1iAbz1/sH9H8l4StwX6egvTK3M +wXRwkKkvjKaEDA9ATbZx0mI8LGsxSuCqe9r9dyjmttd47J1p1Rulz3CLzaRcVIuS +RRQfaD8neM9c1S/iJ/amTVqJxA1KOdOS5780WhPfSArA+g4qAmSjelc3p4wWpha8 +zhuYwjVuX6JHG08= +-----END CERTIFICATE----- diff --git a/tests/data_files/server3.key b/tests/data_files/server3.key index 44792583..fecf44db 100644 --- a/tests/data_files/server3.key +++ b/tests/data_files/server3.key @@ -1,6 +1,3 @@ ------BEGIN EC PARAMETERS----- -BggqhkjOPQMBAQ== ------END EC PARAMETERS----- -----BEGIN EC PRIVATE KEY----- MF8CAQEEGItTogpE7AOnjvYuTqm+9OabmsX02XKIAqAKBggqhkjOPQMBAaE0AzIA BH0AoQyUhPABS38y67uEVs4O3RXmKKrBdUR7/L2QPB8EC2p5fQcsej6EFasvlTdJ diff --git a/tests/data_files/server5-badsign.crt b/tests/data_files/server5-badsign.crt new file mode 100644 index 00000000..8e602435 --- /dev/null +++ b/tests/data_files/server5-badsign.crt @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB7TCCAZSgAwIBAgIBAzAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD +VQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAeFw0x +MzA4MDkwNzU3NDBaFw0yMzA4MDcwNzU3NDBaMDQxCzAJBgNVBAYTAk5MMREwDwYD +VQQKEwhQb2xhclNTTDESMBAGA1UEAxMJbG9jYWxob3N0MEkwEwYHKoZIzj0CAQYI +KoZIzj0DAQEDMgAEy0Lh3ZfhEwBiC8jmJfEg8NGxCDqHEtz+hPgYs37hDz9wTOoY ++CJDtEUcDedgFCpqo4GdMIGaMAkGA1UdEwQCMAAwHQYDVR0OBBYEFKItALYotNzi +cfBPd7LwETtkYmdBMG4GA1UdIwRnMGWAFLxA77numrs2OeEtqaK6LLumvRBxoUKk +QDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1Bv +bGFyc3NsIFRlc3QgRUMgQ0GCCQCtQnl2nnL24TAJBgcqhkjOPQQBA0gAMEUCIE/J +rb3TrYL+z1OsZ2rtCmji7hrPj570X4Qkm1Pb5QEvAiEAiq46sM0+1DSAU0u8FcuL +jbRvSP9W7EJjb9QR3zNYbf4= +-----END CERTIFICATE----- diff --git a/tests/data_files/server5.key b/tests/data_files/server5.key index 3bf8b51d..844bb449 100644 --- a/tests/data_files/server5.key +++ b/tests/data_files/server5.key @@ -1,6 +1,3 @@ ------BEGIN EC PARAMETERS----- -BggqhkjOPQMBAQ== ------END EC PARAMETERS----- -----BEGIN EC PRIVATE KEY----- MF8CAQEEGO82j8OXBoUhVyauCA8XZ288l595u7BXWqAKBggqhkjOPQMBAaE0AzIA BMtC4d2X4RMAYgvI5iXxIPDRsQg6hxLc/oT4GLN+4Q8/cEzqGPgiQ7RFHA3nYBQq diff --git a/tests/data_files/server6.key b/tests/data_files/server6.key index d23c8f2e..9b582dc4 100644 --- a/tests/data_files/server6.key +++ b/tests/data_files/server6.key @@ -1,6 +1,3 @@ ------BEGIN EC PARAMETERS----- -BggqhkjOPQMBAQ== ------END EC PARAMETERS----- -----BEGIN EC PRIVATE KEY----- MF8CAQEEGD5d3O02N8S/dSjU0RmPK8h2TEH64xPN6qAKBggqhkjOPQMBAaE0AzIA BBNrCG0mTkhIp2TN6tjDDsvHoDPGPQQHLLsMTvVKUtQfJ0/btdW7404eVUAICQFP diff --git a/tests/data_files/server7.crt b/tests/data_files/server7.crt new file mode 100644 index 00000000..5040bec9 --- /dev/null +++ b/tests/data_files/server7.crt @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICMTCCAZqgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJt +ZWRpYXRlIENBMB4XDTEzMDgxMDA5Mzc1OVoXDTIzMDgwODA5Mzc1OVowNDELMAkG +A1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3Qw +STATBgcqhkjOPQIBBggqhkjOPQMBAQMyAATLQuHdl+ETAGILyOYl8SDw0bEIOocS +3P6E+BizfuEPP3BM6hj4IkO0RRwN52AUKmqjgZUwgZIwCQYDVR0TBAIwADAdBgNV +HQ4EFgQUoi0Atii03OJx8E93svARO2RiZ0EwZgYDVR0jBF8wXYAUSWP5COj9AlpE +9UEpjc+8T9LAHryhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNT +TDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIBDzANBgkqhkiG9w0BAQUF +AAOBgQDXdaDKbre+goT5vJ8GHr3APTsHed40sS/UvbGtjC4XsZ+liUMhAZn85nWd +95FifmASBWG7R8eyU+nOL1yDQNxIcN1nqzX+UNUnXI5P2gNLF+lllr9T9zYmFo4s +Qg4vVTIZIidwJtB60ZwboTx1au0bDPGDF1oniyLPBJdwcY4jsA== +-----END CERTIFICATE----- diff --git a/tests/data_files/server7.key b/tests/data_files/server7.key new file mode 100644 index 00000000..844bb449 --- /dev/null +++ b/tests/data_files/server7.key @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MF8CAQEEGO82j8OXBoUhVyauCA8XZ288l595u7BXWqAKBggqhkjOPQMBAaE0AzIA +BMtC4d2X4RMAYgvI5iXxIPDRsQg6hxLc/oT4GLN+4Q8/cEzqGPgiQ7RFHA3nYBQq +ag== +-----END EC PRIVATE KEY----- diff --git a/tests/data_files/server7_int-ca.crt b/tests/data_files/server7_int-ca.crt new file mode 100644 index 00000000..75c9dc61 --- /dev/null +++ b/tests/data_files/server7_int-ca.crt @@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIICMTCCAZqgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJt +ZWRpYXRlIENBMB4XDTEzMDgxMDA5Mzc1OVoXDTIzMDgwODA5Mzc1OVowNDELMAkG +A1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3Qw +STATBgcqhkjOPQIBBggqhkjOPQMBAQMyAATLQuHdl+ETAGILyOYl8SDw0bEIOocS +3P6E+BizfuEPP3BM6hj4IkO0RRwN52AUKmqjgZUwgZIwCQYDVR0TBAIwADAdBgNV +HQ4EFgQUoi0Atii03OJx8E93svARO2RiZ0EwZgYDVR0jBF8wXYAUSWP5COj9AlpE +9UEpjc+8T9LAHryhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNT +TDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIBDzANBgkqhkiG9w0BAQUF +AAOBgQDXdaDKbre+goT5vJ8GHr3APTsHed40sS/UvbGtjC4XsZ+liUMhAZn85nWd +95FifmASBWG7R8eyU+nOL1yDQNxIcN1nqzX+UNUnXI5P2gNLF+lllr9T9zYmFo4s +Qg4vVTIZIidwJtB60ZwboTx1au0bDPGDF1oniyLPBJdwcY4jsA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICWjCCAgKgAwIBAgIBDzAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD +VQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAeFw0x +MzA4MTAwOTA4NTFaFw0yMzA4MTAwOTA4NTFaMEgxCzAJBgNVBAYTAk5MMREwDwYD +VQQKEwhQb2xhclNTTDEmMCQGA1UEAxMdUG9sYXJTU0wgVGVzdCBJbnRlcm1lZGlh +dGUgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN/CgAVAhMzUJ7kFpAjx +7vwq2Vs4qmy6nuwOJ7UNBHXaWKSBUUP9KhExuTGMeNvYZmLiwfrd7p22Cgj1VFwp +V/5FEuEk4C7pXSZxqn2bXTaD1ivOVu9I0yKmA3+95f34V72fiqQ2U/SssGhI0EX4 +pSMEEbX8NOR31MCFut8ACzQ1AgMBAAGjgaAwgZ0wHQYDVR0OBBYEFElj+Qjo/QJa +RPVBKY3PvE/SwB68MG4GA1UdIwRnMGWAFLxA77numrs2OeEtqaK6LLumvRBxoUKk +QDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1Bv +bGFyc3NsIFRlc3QgRUMgQ0GCCQCtQnl2nnL24TAMBgNVHRMEBTADAQH/MAkGByqG +SM49BAEDRwAwRAIgfIwD+A0rcrrJWKLR1g88ImIx5765D0ZAixZy9Q1j8EgCIFPo +AAs001kkpocmMwGv3Mz8bYCK+0GwSteAoWtZmTz0 +-----END CERTIFICATE----- diff --git a/tests/data_files/server8.crt b/tests/data_files/server8.crt new file mode 100644 index 00000000..53300608 --- /dev/null +++ b/tests/data_files/server8.crt @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB4TCCAZmgAwIBAgIBAzAJBgcqhkjOPQQBMEsxCzAJBgNVBAYTAk5MMREwDwYD +VQQKEwhQb2xhclNTTDEpMCcGA1UEAxMgUG9sYXJTU0wgVGVzdCBJbnRlcm1lZGlh +dGUgRUMgQ0EwHhcNMTMwODEwMTA0ODQyWhcNMjMwODEwMTA0ODQyWjA0MQswCQYD +VQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBJ +MBMGByqGSM49AgEGCCqGSM49AwEBAzIABH0AoQyUhPABS38y67uEVs4O3RXmKKrB +dUR7/L2QPB8EC2p5fQcsej6EFasvlTdJ/6OBlTCBkjAdBgNVHQ4EFgQU5BdrNrIG +iTrZXkO24GR9h6t93jcwYwYDVR0jBFwwWoAUsdlE7s/zeovBx8go2LphSL+Nu9mh +P6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQ +UG9sYXJTU0wgVGVzdCBDQYIBETAMBgNVHRMEBTADAQH/MAkGByqGSM49BAEDNwAw +NAIYPH5MSjau/MPc+rjSbYt+Q9rlv4idlJ84AhhWuxV7gaFzJzCs7acgX6WbfOAB +SAnWzz4= +-----END CERTIFICATE----- diff --git a/tests/data_files/server8.key b/tests/data_files/server8.key new file mode 100644 index 00000000..44792583 --- /dev/null +++ b/tests/data_files/server8.key @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBAQ== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MF8CAQEEGItTogpE7AOnjvYuTqm+9OabmsX02XKIAqAKBggqhkjOPQMBAaE0AzIA +BH0AoQyUhPABS38y67uEVs4O3RXmKKrBdUR7/L2QPB8EC2p5fQcsej6EFasvlTdJ +/w== +-----END EC PRIVATE KEY----- diff --git a/tests/data_files/server8_int-ca2.crt b/tests/data_files/server8_int-ca2.crt new file mode 100644 index 00000000..e43e6b8c --- /dev/null +++ b/tests/data_files/server8_int-ca2.crt @@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIB4TCCAZmgAwIBAgIBAzAJBgcqhkjOPQQBMEsxCzAJBgNVBAYTAk5MMREwDwYD +VQQKEwhQb2xhclNTTDEpMCcGA1UEAxMgUG9sYXJTU0wgVGVzdCBJbnRlcm1lZGlh +dGUgRUMgQ0EwHhcNMTMwODEwMTA0ODQyWhcNMjMwODEwMTA0ODQyWjA0MQswCQYD +VQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBJ +MBMGByqGSM49AgEGCCqGSM49AwEBAzIABH0AoQyUhPABS38y67uEVs4O3RXmKKrB +dUR7/L2QPB8EC2p5fQcsej6EFasvlTdJ/6OBlTCBkjAdBgNVHQ4EFgQU5BdrNrIG +iTrZXkO24GR9h6t93jcwYwYDVR0jBFwwWoAUsdlE7s/zeovBx8go2LphSL+Nu9mh +P6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQ +UG9sYXJTU0wgVGVzdCBDQYIBETAMBgNVHRMEBTADAQH/MAkGByqGSM49BAEDNwAw +NAIYPH5MSjau/MPc+rjSbYt+Q9rlv4idlJ84AhhWuxV7gaFzJzCs7acgX6WbfOAB +SAnWzz4= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICvDCCAaSgAwIBAgIBETANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTMwODEwMTA0NzM5WhcNMjMwODEwMTA0NzM5WjBLMQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp +YXRlIEVDIENBMEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEF/Nw4VH9gt/WUMJt +dKRsyselY6ngTpfw1XDtlLMT2XewBCAgIHDQoeQlVIkxsdRGo4GVMIGSMB0GA1Ud +DgQWBBSx2UTuz/N6i8HHyCjYumFIv4272TBjBgNVHSMEXDBagBS0WuSls97SUva5 +1aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NM +MRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAwGA1UdEwQFMAMBAf8wDQYJ +KoZIhvcNAQEFBQADggEBABKWcjM5s2rqe3Ha3MR8rj5Ki6sXnda6mDFga4sWrkzR +aK8FOzHNtGgZvua7mQ3slvxa1b4rdl0ZiCzs16FxeIPrdilo2EqzKKZNbTNx8hGu +f593cXnjRijU4O4ysqNdPfrmUrJHl+gME6C5eLJsrdlhYXa8zog+eOUn/94EFq6I +QW/7hcaAN8mr1ZPCml+dWNynkYd7TqtqIkukB6pqZU9SkSIX6iNaRZXhSjge/+iB +XkJS7NXqwQZ3ktUhHYrkqSuVkdL61hrkB20T3NaPaYGPj/PcnCfk9nOmTmWlqHhl +FZM816w2/AT6G98zJgU0iAG53ANVO1k+FgbUFjrqRDQ= +-----END CERTIFICATE----- diff --git a/tests/data_files/test-ca2.key b/tests/data_files/test-ca2.key index 5d765cc6..4f6fa672 100644 --- a/tests/data_files/test-ca2.key +++ b/tests/data_files/test-ca2.key @@ -1,6 +1,3 @@ ------BEGIN EC PARAMETERS----- -BggqhkjOPQMBBw== ------END EC PARAMETERS----- -----BEGIN EC PRIVATE KEY----- MHcCAQEEIBgsCX6wjouYFLrghn4s8iRrt9krCKiFHZYtzY8J7+p3oAoGCCqGSM49 AwEHoUQDQgAElrizLPspIX2+kNvC+BOpJnw19tnAi5nsUnt8r6N+KDybdaVUWmLI diff --git a/tests/data_files/test-ca_cat12.crt b/tests/data_files/test-ca_cat12.crt new file mode 100644 index 00000000..18aa919b --- /dev/null +++ b/tests/data_files/test-ca_cat12.crt @@ -0,0 +1,94 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=NL, O=PolarSSL, CN=PolarSSL Test CA + Validity + Not Before: Feb 12 14:44:00 2011 GMT + Not After : Feb 12 14:44:00 2021 GMT + Subject: C=NL, O=PolarSSL, CN=PolarSSL Test CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:c0:df:37:fc:17:bb:e0:96:9d:3f:86:de:96:32: + 7d:44:a5:16:a0:cd:21:f1:99:d4:ec:ea:cb:7c:18: + 58:08:94:a5:ec:9b:c5:8b:df:1a:1e:99:38:99:87: + 1e:7b:c0:8d:39:df:38:5d:70:78:07:d3:9e:d9:93: + e8:b9:72:51:c5:ce:a3:30:52:a9:f2:e7:40:70:14: + cb:44:a2:72:0b:c2:e5:40:f9:3e:e5:a6:0e:b3:f9: + ec:4a:63:c0:b8:29:00:74:9c:57:3b:a8:a5:04:90: + 71:f1:bd:83:d9:3f:d6:a5:e2:3c:2a:8f:ef:27:60: + c3:c6:9f:cb:ba:ec:60:7d:b7:e6:84:32:be:4f:fb: + 58:26:22:03:5b:d4:b4:d5:fb:f5:e3:96:2e:70:c0: + e4:2e:bd:fc:2e:ee:e2:41:55:c0:34:2e:7d:24:72: + 69:cb:47:b1:14:40:83:7d:67:f4:86:f6:31:ab:f1: + 79:a4:b2:b5:2e:12:f9:84:17:f0:62:6f:27:3e:13: + 58:b1:54:0d:21:9a:73:37:a1:30:cf:6f:92:dc:f6: + e9:fc:ac:db:2e:28:d1:7e:02:4b:23:a0:15:f2:38: + 65:64:09:ea:0c:6e:8e:1b:17:a0:71:c8:b3:9b:c9: + ab:e9:c3:f2:cf:87:96:8f:80:02:32:9e:99:58:6f: + a2:d5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF + X509v3 Authority Key Identifier: + keyid:B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF + DirName:/C=NL/O=PolarSSL/CN=PolarSSL Test CA + serial:00 + + Signature Algorithm: sha1WithRSAEncryption + b8:fd:54:d8:00:54:90:8b:25:b0:27:dd:95:cd:a2:f7:84:07: + 1d:87:89:4a:c4:78:11:d8:07:b5:d7:22:50:8e:48:eb:62:7a: + 32:89:be:63:47:53:ff:b6:be:f1:2e:8c:54:c0:99:3f:a0:b9: + 37:23:72:5f:0d:46:59:8f:d8:47:cd:97:4c:9f:07:0c:12:62: + 09:3a:24:e4:36:d9:e9:2c:da:38:d0:73:75:61:d7:c1:6c:26: + 8b:9b:e0:d5:dc:67:ed:8c:6b:33:d7:74:22:3c:4c:db:b5:8d: + 2a:ce:2c:0d:08:59:05:09:05:a6:39:9f:b3:67:1b:e2:83:e5: + e1:8f:53:f6:67:93:c7:f9:6f:76:44:58:12:e8:3a:d4:97:e7: + e9:c0:3e:a8:7a:72:3d:87:53:1f:e5:2c:84:84:e7:9a:9e:7f: + 66:d9:1f:9b:f5:13:48:b0:4d:14:d1:de:b2:24:d9:78:7d:f5: + 35:cc:58:19:d1:d2:99:ef:4d:73:f8:1f:89:d4:5a:d0:52:ce: + 09:f5:b1:46:51:6a:00:8e:3b:cc:6f:63:01:00:99:ed:9d:a6: + 08:60:cd:32:18:d0:73:e0:58:71:d9:e5:d2:53:d7:8d:d0:ca: + e9:5d:2a:0a:0d:5d:55:ec:21:50:17:16:e6:06:4a:cd:5e:de: + f7:e0:e9:54 +-----BEGIN CERTIFICATE----- +MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx +mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny +50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n +YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL +R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu +KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj +gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH +/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV +BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz +dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ +SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H +DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF +pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf +m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ +7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEjCCAbmgAwIBAgIJAK1CeXaecvbhMAkGByqGSM49BAEwPjELMAkGA1UEBhMC +TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD +IENBMB4XDTEzMDgwOTA3NDk0NloXDTIzMDgwNzA3NDk0NlowPjELMAkGA1UEBhMC +TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD +IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElrizLPspIX2+kNvC+BOpJnw1 +9tnAi5nsUnt8r6N+KDybdaVUWmLIqZCrjuaGKwOdOZtl/bBp8KOpLZ4UDujV/qOB +oDCBnTAdBgNVHQ4EFgQUvEDvue6auzY54S2porosu6a9EHEwbgYDVR0jBGcwZYAU +vEDvue6auzY54S2porosu6a9EHGhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQK +EwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAK1CeXae +cvbhMAwGA1UdEwQFMAMBAf8wCQYHKoZIzj0EAQNIADBFAiBs5rd9NzQs/wQZVS6D +rjpOpzFteqBkqe6YgKWkG5kDVwIhAKr4Lr4v+MU1G5D5oSZXYxvUPBa4yARcD7QM +espQnlFX +-----END CERTIFICATE----- diff --git a/tests/data_files/test-ca_cat21.crt b/tests/data_files/test-ca_cat21.crt new file mode 100644 index 00000000..18a2c0d0 --- /dev/null +++ b/tests/data_files/test-ca_cat21.crt @@ -0,0 +1,94 @@ +-----BEGIN CERTIFICATE----- +MIICEjCCAbmgAwIBAgIJAK1CeXaecvbhMAkGByqGSM49BAEwPjELMAkGA1UEBhMC +TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD +IENBMB4XDTEzMDgwOTA3NDk0NloXDTIzMDgwNzA3NDk0NlowPjELMAkGA1UEBhMC +TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD +IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElrizLPspIX2+kNvC+BOpJnw1 +9tnAi5nsUnt8r6N+KDybdaVUWmLIqZCrjuaGKwOdOZtl/bBp8KOpLZ4UDujV/qOB +oDCBnTAdBgNVHQ4EFgQUvEDvue6auzY54S2porosu6a9EHEwbgYDVR0jBGcwZYAU +vEDvue6auzY54S2porosu6a9EHGhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQK +EwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAK1CeXae +cvbhMAwGA1UdEwQFMAMBAf8wCQYHKoZIzj0EAQNIADBFAiBs5rd9NzQs/wQZVS6D +rjpOpzFteqBkqe6YgKWkG5kDVwIhAKr4Lr4v+MU1G5D5oSZXYxvUPBa4yARcD7QM +espQnlFX +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=NL, O=PolarSSL, CN=PolarSSL Test CA + Validity + Not Before: Feb 12 14:44:00 2011 GMT + Not After : Feb 12 14:44:00 2021 GMT + Subject: C=NL, O=PolarSSL, CN=PolarSSL Test CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:c0:df:37:fc:17:bb:e0:96:9d:3f:86:de:96:32: + 7d:44:a5:16:a0:cd:21:f1:99:d4:ec:ea:cb:7c:18: + 58:08:94:a5:ec:9b:c5:8b:df:1a:1e:99:38:99:87: + 1e:7b:c0:8d:39:df:38:5d:70:78:07:d3:9e:d9:93: + e8:b9:72:51:c5:ce:a3:30:52:a9:f2:e7:40:70:14: + cb:44:a2:72:0b:c2:e5:40:f9:3e:e5:a6:0e:b3:f9: + ec:4a:63:c0:b8:29:00:74:9c:57:3b:a8:a5:04:90: + 71:f1:bd:83:d9:3f:d6:a5:e2:3c:2a:8f:ef:27:60: + c3:c6:9f:cb:ba:ec:60:7d:b7:e6:84:32:be:4f:fb: + 58:26:22:03:5b:d4:b4:d5:fb:f5:e3:96:2e:70:c0: + e4:2e:bd:fc:2e:ee:e2:41:55:c0:34:2e:7d:24:72: + 69:cb:47:b1:14:40:83:7d:67:f4:86:f6:31:ab:f1: + 79:a4:b2:b5:2e:12:f9:84:17:f0:62:6f:27:3e:13: + 58:b1:54:0d:21:9a:73:37:a1:30:cf:6f:92:dc:f6: + e9:fc:ac:db:2e:28:d1:7e:02:4b:23:a0:15:f2:38: + 65:64:09:ea:0c:6e:8e:1b:17:a0:71:c8:b3:9b:c9: + ab:e9:c3:f2:cf:87:96:8f:80:02:32:9e:99:58:6f: + a2:d5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF + X509v3 Authority Key Identifier: + keyid:B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF + DirName:/C=NL/O=PolarSSL/CN=PolarSSL Test CA + serial:00 + + Signature Algorithm: sha1WithRSAEncryption + b8:fd:54:d8:00:54:90:8b:25:b0:27:dd:95:cd:a2:f7:84:07: + 1d:87:89:4a:c4:78:11:d8:07:b5:d7:22:50:8e:48:eb:62:7a: + 32:89:be:63:47:53:ff:b6:be:f1:2e:8c:54:c0:99:3f:a0:b9: + 37:23:72:5f:0d:46:59:8f:d8:47:cd:97:4c:9f:07:0c:12:62: + 09:3a:24:e4:36:d9:e9:2c:da:38:d0:73:75:61:d7:c1:6c:26: + 8b:9b:e0:d5:dc:67:ed:8c:6b:33:d7:74:22:3c:4c:db:b5:8d: + 2a:ce:2c:0d:08:59:05:09:05:a6:39:9f:b3:67:1b:e2:83:e5: + e1:8f:53:f6:67:93:c7:f9:6f:76:44:58:12:e8:3a:d4:97:e7: + e9:c0:3e:a8:7a:72:3d:87:53:1f:e5:2c:84:84:e7:9a:9e:7f: + 66:d9:1f:9b:f5:13:48:b0:4d:14:d1:de:b2:24:d9:78:7d:f5: + 35:cc:58:19:d1:d2:99:ef:4d:73:f8:1f:89:d4:5a:d0:52:ce: + 09:f5:b1:46:51:6a:00:8e:3b:cc:6f:63:01:00:99:ed:9d:a6: + 08:60:cd:32:18:d0:73:e0:58:71:d9:e5:d2:53:d7:8d:d0:ca: + e9:5d:2a:0a:0d:5d:55:ec:21:50:17:16:e6:06:4a:cd:5e:de: + f7:e0:e9:54 +-----BEGIN CERTIFICATE----- +MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx +mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny +50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n +YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL +R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu +KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj +gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH +/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV +BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz +dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ +SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H +DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF +pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf +m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ +7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA== +-----END CERTIFICATE----- diff --git a/tests/data_files/test-int-ca.crt b/tests/data_files/test-int-ca.crt new file mode 100644 index 00000000..1bb5a991 --- /dev/null +++ b/tests/data_files/test-int-ca.crt @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICWjCCAgKgAwIBAgIBDzAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD +VQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAeFw0x +MzA4MTAwOTA4NTFaFw0yMzA4MTAwOTA4NTFaMEgxCzAJBgNVBAYTAk5MMREwDwYD +VQQKEwhQb2xhclNTTDEmMCQGA1UEAxMdUG9sYXJTU0wgVGVzdCBJbnRlcm1lZGlh +dGUgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN/CgAVAhMzUJ7kFpAjx +7vwq2Vs4qmy6nuwOJ7UNBHXaWKSBUUP9KhExuTGMeNvYZmLiwfrd7p22Cgj1VFwp +V/5FEuEk4C7pXSZxqn2bXTaD1ivOVu9I0yKmA3+95f34V72fiqQ2U/SssGhI0EX4 +pSMEEbX8NOR31MCFut8ACzQ1AgMBAAGjgaAwgZ0wHQYDVR0OBBYEFElj+Qjo/QJa +RPVBKY3PvE/SwB68MG4GA1UdIwRnMGWAFLxA77numrs2OeEtqaK6LLumvRBxoUKk +QDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1Bv +bGFyc3NsIFRlc3QgRUMgQ0GCCQCtQnl2nnL24TAMBgNVHRMEBTADAQH/MAkGByqG +SM49BAEDRwAwRAIgfIwD+A0rcrrJWKLR1g88ImIx5765D0ZAixZy9Q1j8EgCIFPo +AAs001kkpocmMwGv3Mz8bYCK+0GwSteAoWtZmTz0 +-----END CERTIFICATE----- diff --git a/tests/data_files/test-int-ca.key b/tests/data_files/test-int-ca.key new file mode 100644 index 00000000..9d0e234c --- /dev/null +++ b/tests/data_files/test-int-ca.key @@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAN/CgAVAhMzUJ7kF +pAjx7vwq2Vs4qmy6nuwOJ7UNBHXaWKSBUUP9KhExuTGMeNvYZmLiwfrd7p22Cgj1 +VFwpV/5FEuEk4C7pXSZxqn2bXTaD1ivOVu9I0yKmA3+95f34V72fiqQ2U/SssGhI +0EX4pSMEEbX8NOR31MCFut8ACzQ1AgMBAAECgYB+yAibcTQNjoO3TN/lhZcgX/Lp +wdCmbJMRMvACoI6PbBjflLoD6NTGC0NgNLRh9FoG226HgunpiDRlYQPceDx3MP5p +1bcUInatOdAMbYoYw+O+y+/w9qDQWiWOskkdaiktFlaZFC9jaI37jr5ChCsH+3v3 +bjnX/8YWYeBZHZEowQJBAPvvhioS4b2RcrkLSUI7pJx3Dlj4m/crlK0v0un1ikNg +ahplDMZoTFhvagUGDKXE4Uqj3Iz9c4QKsZozcwBio4UCQQDjXpyXHscDqo6iXaAz +8McsxXQs1ITs3R9F6SwPbhmF1W7WiMgR5udEHnBkagyFzl2LpwJdFUW3BFHOpPhe +63TxAkEAorlQ9PgBKoo5iV/Kz6bqac1UTQ823e0eOMZ8+nSH+4DYx3ehSr2vIifE +WL5RiPijc6xnFgHWjODDWhAFJaiQaQJBAL1weu++iPqZBLZrY6tjFdBLw/wGJapk +okXRfRBuH33O0saUuH2R8WZkJijD4yMpSe+tet6rdqaCRtbxxK7xZ0ECQFxKE1Zb +nzECNNfhXkswM4X5ieCZAGvh8P0WvmyvPUGkgQIcsQb+exw2FCvsdetqdVHQqzNl +LKLwwuNT9u4/XCo= +-----END PRIVATE KEY----- diff --git a/tests/data_files/test-int-ca2.crt b/tests/data_files/test-int-ca2.crt new file mode 100644 index 00000000..8fed9179 --- /dev/null +++ b/tests/data_files/test-int-ca2.crt @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICvDCCAaSgAwIBAgIBETANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTMwODEwMTA0NzM5WhcNMjMwODEwMTA0NzM5WjBLMQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp +YXRlIEVDIENBMEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEF/Nw4VH9gt/WUMJt +dKRsyselY6ngTpfw1XDtlLMT2XewBCAgIHDQoeQlVIkxsdRGo4GVMIGSMB0GA1Ud +DgQWBBSx2UTuz/N6i8HHyCjYumFIv4272TBjBgNVHSMEXDBagBS0WuSls97SUva5 +1aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NM +MRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAwGA1UdEwQFMAMBAf8wDQYJ +KoZIhvcNAQEFBQADggEBABKWcjM5s2rqe3Ha3MR8rj5Ki6sXnda6mDFga4sWrkzR +aK8FOzHNtGgZvua7mQ3slvxa1b4rdl0ZiCzs16FxeIPrdilo2EqzKKZNbTNx8hGu +f593cXnjRijU4O4ysqNdPfrmUrJHl+gME6C5eLJsrdlhYXa8zog+eOUn/94EFq6I +QW/7hcaAN8mr1ZPCml+dWNynkYd7TqtqIkukB6pqZU9SkSIX6iNaRZXhSjge/+iB +XkJS7NXqwQZ3ktUhHYrkqSuVkdL61hrkB20T3NaPaYGPj/PcnCfk9nOmTmWlqHhl +FZM816w2/AT6G98zJgU0iAG53ANVO1k+FgbUFjrqRDQ= +-----END CERTIFICATE----- diff --git a/tests/data_files/test-int-ca2.key b/tests/data_files/test-int-ca2.key new file mode 100644 index 00000000..ef3798c2 --- /dev/null +++ b/tests/data_files/test-int-ca2.key @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MF8CAQEEGFgy1xMAKfxIVYM/GIkSort30RcWwJOv3aAKBggqhkjOPQMBAaE0AzIA +BBfzcOFR/YLf1lDCbXSkbMrHpWOp4E6X8NVw7ZSzE9l3sAQgICBw0KHkJVSJMbHU +Rg== +-----END EC PRIVATE KEY----- diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 72105108..a4a5257b 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -414,7 +414,7 @@ X509 Certificate verification #19 (Valid Cert, denying callback) depends_on:POLARSSL_SHA512_C:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_OTHER:"verify_none" -X509 Certificate verification #20 (Not trusted Cert, allowing callback) +X509 Certificate verification #19 (Not trusted Cert, allowing callback) depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":0:0:"verify_all" @@ -466,37 +466,85 @@ X509 Certificate verification #31 (domain not matching multi certificate without depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_SHA1_C:POLARSSL_RSA_C x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_CN_MISMATCH + BADCERT_NOT_TRUSTED:"NULL" -X509 Certificate verification #33 (Valid, EC cert, RSA CA) +X509 Certificate verification #32 (Valid, EC cert, RSA CA) depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP192R1_ENABLED -x509_verify:"data_files/server3.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0:0:NULL +x509_verify:"data_files/server3.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL" X509 Certificate verification #33 (Valid, RSA cert, EC CA) depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C:POLARSSL_ECP_C:POLARSSL_SHA1_C:POLARSSL_ECP_DP_SECP256R1_ENABLED -x509_verify:"data_files/server4.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":NULL:0:0:NULL +x509_verify:"data_files/server4.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":"NULL":0:0:"NULL" X509 Certificate verification #34 (Valid, EC cert, EC CA) depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C:POLARSSL_SHA1_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED -x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":NULL:0:0:NULL +x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":"NULL":0:0:"NULL" X509 Certificate verification #35 (Revoked, EC CA) depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C:POLARSSL_SHA1_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED -x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":NULL:POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED:NULL +x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED:"NULL" X509 Certificate verification #36 (Valid, EC CA, SHA224 Digest) depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C:POLARSSL_SHA256_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED -x509_verify:"data_files/server5-sha224.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":NULL:0:0:NULL +x509_verify:"data_files/server5-sha224.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":"NULL":0:0:"NULL" X509 Certificate verification #37 (Valid, EC CA, SHA256 Digest) depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C:POLARSSL_SHA256_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED -x509_verify:"data_files/server5-sha256.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":NULL:0:0:NULL +x509_verify:"data_files/server5-sha256.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":"NULL":0:0:"NULL" X509 Certificate verification #38 (Valid, EC CA, SHA384 Digest) depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C:POLARSSL_SHA512_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED -x509_verify:"data_files/server5-sha384.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":NULL:0:0:NULL +x509_verify:"data_files/server5-sha384.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":"NULL":0:0:"NULL" X509 Certificate verification #39 (Valid, EC CA, SHA512 Digest) depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C:POLARSSL_SHA512_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED -x509_verify:"data_files/server5-sha512.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":NULL:0:0:NULL +x509_verify:"data_files/server5-sha512.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":"NULL":0:0:"NULL" + +X509 Certificate verification #40 (Valid, depth 0, RSA, CA) +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C +x509_verify:"data_files/test-ca.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL" + +X509 Certificate verification #41 (Valid, depth 0, EC, CA) +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C +x509_verify:"data_files/test-ca2.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":"NULL":0:0:"NULL" + +X509 Certificate verification #42 (Depth 0, not CA, RSA) +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C +x509_verify:"data_files/server2.crt":"data_files/server2.crt":"data_files/crl.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL" + +X509 Certificate verification #43 (Depth 0, not CA, EC) +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECDSA_C +x509_verify:"data_files/server5.crt":"data_files/server5.crt":"data_files/crl-ec.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL" + +X509 Certificate verification #44 (Corrupted signature, EC) +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED +x509_verify:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL" + +X509 Certificate verification #45 (Corrupted signature, RSA) +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_RSA_C +x509_verify:"data_files/server2-badsign.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL" + +X509 Certificate verification #46 (Valid, depth 2, EC-RSA-EC) +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED +x509_verify:"data_files/server7_int-ca.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":"NULL":0:0:"NULL" + +X509 Certificate verification #47 (Untrusted, depth 2, EC-RSA-EC) +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED +x509_verify:"data_files/server7_int-ca.crt":"data_files/test-ca.crt":"data_files/crl-ec.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL" + +X509 Certificate verification #48 (Missing intermediate CA, EC-RSA-EC) +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED +x509_verify:"data_files/server7.crt":"data_files/test-ca.crt":"data_files/crl-ec.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL" + +X509 Certificate verification #49 (Valid, depth 2, RSA-EC-RSA) +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP192R1_ENABLED +x509_verify:"data_files/server8_int-ca2.crt":"data_files/test-ca.crt":"data_files/crl-ec.pem":"NULL":0:0:"NULL" + +X509 Certificate verification #50 (Valid, multiple CAs) +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP192R1_ENABLED +x509_verify:"data_files/server2.crt":"data_files/test-ca_cat12.crt":"data_files/crl.pem":"NULL":0:0:"NULL" + +X509 Certificate verification #51 (Valid, multiple CAs, reverse order) +depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP192R1_ENABLED +x509_verify:"data_files/server2.crt":"data_files/test-ca_cat21.crt":"data_files/crl.pem":"NULL":0:0:"NULL" X509 Parse Selftest depends_on:POLARSSL_MD5_C:POLARSSL_PEM_C:POLARSSL_SELF_TEST From f84b4d64987b6b4aebbab19b5670261e61228909 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 12 Aug 2013 10:39:28 +0200 Subject: [PATCH 10/28] Check sig_pk for signature verification --- library/x509parse.c | 54 +++++++++++++++++++++------------------------ 1 file changed, 25 insertions(+), 29 deletions(-) diff --git a/library/x509parse.c b/library/x509parse.c index a44cf11c..b6864036 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -3305,7 +3305,6 @@ int x509parse_revoked( const x509_cert *crt, const x509_crl *crl ) static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca, x509_crl *crl_list) { - int ret; int flags = 0; unsigned char hash[POLARSSL_MD_MAX_SIZE]; const md_info_t *md_info; @@ -3346,14 +3345,12 @@ static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca, md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash ); #if defined(POLARSSL_RSA_C) - if( ca->pk.type == POLARSSL_PK_RSA ) + if( crl_list->sig_pk == POLARSSL_PK_RSA ) { - if( !rsa_pkcs1_verify( pk_rsa( ca->pk ), RSA_PUBLIC, - crl_list->sig_md, 0, hash, crl_list->sig.p ) == 0 ) + if( ca->pk.type != POLARSSL_PK_RSA || + rsa_pkcs1_verify( pk_rsa( ca->pk ), RSA_PUBLIC, + crl_list->sig_md, 0, hash, crl_list->sig.p ) != 0 ) { - /* - * CRL is not trusted - */ flags |= BADCRL_NOT_TRUSTED; break; } @@ -3361,17 +3358,14 @@ static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca, else #endif /* POLARSSL_RSA_C */ #if defined(POLARSSL_ECDSA_C) - if( pk_can_ecdsa( ca->pk ) ) { - if( ( ret = pk_ec_to_ecdsa( &ca->pk ) ) != 0 ) - return( ret ); - - if( ecdsa_read_signature( (ecdsa_context *) ca->pk.data, + if( crl_list->sig_pk == POLARSSL_PK_ECDSA ) + { + if( ! pk_can_ecdsa( ca->pk ) || + pk_ec_to_ecdsa( &ca->pk ) != 0 || + ecdsa_read_signature( (ecdsa_context *) ca->pk.data, hash, md_info->size, crl_list->sig.p, crl_list->sig.len ) != 0 ) { - /* - * CRL is not trusted - */ flags |= BADCRL_NOT_TRUSTED; break; } @@ -3490,9 +3484,10 @@ static int x509parse_verify_top( md( md_info, child->tbs.p, child->tbs.len, hash ); #if defined(POLARSSL_RSA_C) - if( trust_ca->pk.type == POLARSSL_PK_RSA ) + if( child->sig_pk == POLARSSL_PK_RSA ) { - if( rsa_pkcs1_verify( pk_rsa( trust_ca->pk ), RSA_PUBLIC, + if( trust_ca->pk.type != POLARSSL_PK_RSA || + rsa_pkcs1_verify( pk_rsa( trust_ca->pk ), RSA_PUBLIC, child->sig_md, 0, hash, child->sig.p ) != 0 ) { trust_ca = trust_ca->next; @@ -3502,11 +3497,11 @@ static int x509parse_verify_top( else #endif /* POLARSSL_RSA_C */ #if defined(POLARSSL_ECDSA_C) - if( pk_can_ecdsa( trust_ca->pk ) ) { - if( ( ret = pk_ec_to_ecdsa( &trust_ca->pk ) ) != 0 ) - return( ret ); - - if( ecdsa_read_signature( (ecdsa_context *) trust_ca->pk.data, + if( child->sig_pk == POLARSSL_PK_ECDSA ) + { + if( ! pk_can_ecdsa( trust_ca->pk ) || + pk_ec_to_ecdsa( &trust_ca->pk ) != 0 || + ecdsa_read_signature( (ecdsa_context *) trust_ca->pk.data, hash, md_info->size, child->sig.p, child->sig.len ) != 0 ) { @@ -3588,9 +3583,10 @@ static int x509parse_verify_child( md( md_info, child->tbs.p, child->tbs.len, hash ); #if defined(POLARSSL_RSA_C) - if( parent->pk.type == POLARSSL_PK_RSA ) + if( child->sig_pk == POLARSSL_PK_RSA ) { - if( rsa_pkcs1_verify( pk_rsa( parent->pk ), RSA_PUBLIC, + if( parent->pk.type != POLARSSL_PK_RSA || + rsa_pkcs1_verify( pk_rsa( parent->pk ), RSA_PUBLIC, child->sig_md, 0, hash, child->sig.p ) != 0 ) { *flags |= BADCERT_NOT_TRUSTED; @@ -3599,11 +3595,11 @@ static int x509parse_verify_child( else #endif /* POLARSSL_RSA_C */ #if defined(POLARSSL_ECDSA_C) - if( pk_can_ecdsa( parent->pk ) ) { - if( ( ret = pk_ec_to_ecdsa( &parent->pk ) ) != 0 ) - return( ret ); - - if( ecdsa_read_signature( (ecdsa_context *) parent->pk.data, + if( child->sig_pk == POLARSSL_PK_ECDSA ) + { + if( ! pk_can_ecdsa( parent->pk ) || + pk_ec_to_ecdsa( &parent->pk ) != 0 || + ecdsa_read_signature( (ecdsa_context *) parent->pk.data, hash, md_info->size, child->sig.p, child->sig.len ) != 0 ) { From cc0a9d040d5a1bafec31209e8ed0d424dd7c84b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 12 Aug 2013 11:34:35 +0200 Subject: [PATCH 11/28] Fix const-correctness of rsa_*_verify() --- include/polarssl/rsa.h | 6 +++--- library/rsa.c | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/include/polarssl/rsa.h b/include/polarssl/rsa.h index 7daa05a4..a513a773 100644 --- a/include/polarssl/rsa.h +++ b/include/polarssl/rsa.h @@ -451,7 +451,7 @@ int rsa_pkcs1_verify( rsa_context *ctx, md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, - unsigned char *sig ); + const unsigned char *sig ); /** * \brief Perform a PKCS#1 v1.5 verification (RSASSA-PKCS1-v1_5-VERIFY) @@ -474,7 +474,7 @@ int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx, md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, - unsigned char *sig ); + const unsigned char *sig ); /** * \brief Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY) @@ -504,7 +504,7 @@ int rsa_rsassa_pss_verify( rsa_context *ctx, md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, - unsigned char *sig ); + const unsigned char *sig ); /** * \brief Free the components of an RSA key diff --git a/library/rsa.c b/library/rsa.c index 146b4a3d..8a9b0f42 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -953,7 +953,7 @@ int rsa_rsassa_pss_verify( rsa_context *ctx, md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, - unsigned char *sig ) + const unsigned char *sig ) { int ret; size_t siglen; @@ -1063,7 +1063,7 @@ int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx, md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, - unsigned char *sig ) + const unsigned char *sig ) { int ret; size_t len, siglen, asn1_len; @@ -1177,7 +1177,7 @@ int rsa_pkcs1_verify( rsa_context *ctx, md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, - unsigned char *sig ) + const unsigned char *sig ) { switch( ctx->padding ) { From f499993cb289964ab052b702951b1e248d7a875b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 12 Aug 2013 17:02:59 +0200 Subject: [PATCH 12/28] Add ecdsa_from_keypair() Also fix bug/limitation in mpi_copy: would segfault if src just initialised and not set to a value yet. (This case occurs when copying a context which contains only the public part of the key, eg.) --- include/polarssl/ecdsa.h | 10 ++++++++++ library/bignum.c | 6 ++++++ library/ecdsa.c | 14 ++++++++++++++ 3 files changed, 30 insertions(+) diff --git a/include/polarssl/ecdsa.h b/include/polarssl/ecdsa.h index 15b90e66..47382e58 100644 --- a/include/polarssl/ecdsa.h +++ b/include/polarssl/ecdsa.h @@ -142,6 +142,16 @@ int ecdsa_read_signature( ecdsa_context *ctx, int ecdsa_genkey( ecdsa_context *ctx, ecp_group_id gid, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); +/** + * \brief Set an ECDSA context from an EC key pair + * + * \param ctx ECDSA context to set + * \param key EC key to use + * + * \return 0 on success, or a POLARSSL_ERR_ECP code. + */ +int ecdsa_from_keypair( ecdsa_context *ctx, const ecp_keypair *key ); + /** * \brief Initialize context * diff --git a/library/bignum.c b/library/bignum.c index cc4b1f36..b0bbf8f9 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -130,6 +130,12 @@ int mpi_copy( mpi *X, const mpi *Y ) if( X == Y ) return( 0 ); + if( Y->p == NULL ) + { + mpi_free( X ); + return( 0 ); + } + for( i = Y->n - 1; i > 0; i-- ) if( Y->p[i] != 0 ) break; diff --git a/library/ecdsa.c b/library/ecdsa.c index 6746233b..bdb35675 100644 --- a/library/ecdsa.c +++ b/library/ecdsa.c @@ -283,6 +283,20 @@ int ecdsa_genkey( ecdsa_context *ctx, ecp_group_id gid, ecp_gen_keypair( &ctx->grp, &ctx->d, &ctx->Q, f_rng, p_rng ) ); } +/* + * Set context from an ecp_keypair + */ +int ecdsa_from_keypair( ecdsa_context *ctx, const ecp_keypair *key ) +{ + int ret = ecp_group_copy( &ctx->grp, &key->grp ) || + mpi_copy( &ctx->d, &key->d ) || + ecp_copy( &ctx->Q, &key->Q ); + + if( ret != 0 ) + ecdsa_free( ctx ); + + return( ret ); +} /* * Initialize context From d73b3c13bed9d9ff32a29ad6cdd1d8275c265ce2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 12 Aug 2013 17:06:05 +0200 Subject: [PATCH 13/28] PK: use wrappers and function pointers for verify --- include/polarssl/pk.h | 28 ++++++++-- include/polarssl/pk_wrap.h | 47 ++++++++++++++++ library/CMakeLists.txt | 1 + library/Makefile | 2 +- library/pk.c | 14 +++++ library/pk_wrap.c | 106 +++++++++++++++++++++++++++++++++++++ library/x509parse.c | 30 +++++------ 7 files changed, 205 insertions(+), 23 deletions(-) create mode 100644 include/polarssl/pk_wrap.h create mode 100644 library/pk_wrap.c diff --git a/include/polarssl/pk.h b/include/polarssl/pk.h index 2f700851..f06ec68a 100644 --- a/include/polarssl/pk.h +++ b/include/polarssl/pk.h @@ -24,6 +24,7 @@ * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ + #ifndef POLARSSL_PK_H #define POLARSSL_PK_H @@ -33,6 +34,10 @@ #include "rsa.h" #endif +#if defined(POLARSSL_ECP_C) +#include "ecp.h" +#endif + #if defined(POLARSSL_ECDSA_C) #include "ecdsa.h" #endif @@ -76,14 +81,29 @@ typedef enum { POLARSSL_PK_ECDSA, } pk_type_t; +/** + * \brief Public key info + */ +typedef struct +{ + /** Public key type */ + pk_type_t type; + + /** Verify signature */ + int (*verify_func)( void *ctx, + const unsigned char *hash, const md_info_t *md_info, + const unsigned char *sig, size_t sig_len ); +} pk_info_t; + /** * \brief Public key container */ typedef struct { - pk_type_t type; /**< Public key type */ - void * data; /**< Public key data */ - int dont_free; /**< True if data must not be freed */ + const pk_info_t * info; /**< Public key informations */ + pk_type_t type; /**< Public key type (temporary) */ + void * data; /**< Public key data */ + int dont_free; /**< True if data must not be freed */ } pk_context; /** @@ -157,4 +177,4 @@ int pk_wrap_rsa( pk_context *ctx, const rsa_context *rsa); } #endif -#endif /* pk.h */ +#endif /* POLARSSL_PK_H */ diff --git a/include/polarssl/pk_wrap.h b/include/polarssl/pk_wrap.h new file mode 100644 index 00000000..7d2c3dd8 --- /dev/null +++ b/include/polarssl/pk_wrap.h @@ -0,0 +1,47 @@ +/** + * \file pk.h + * + * \brief Public Key abstraction layer: wrapper functions + * + * Copyright (C) 2006-2013, Brainspark B.V. + * + * This file is part of PolarSSL (http://www.polarssl.org) + * Lead Maintainer: Paul Bakker + * + * All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifndef POLARSSL_PK_WRAP_H +#define POLARSSL_PK_WRAP_H + +#include "config.h" + +#include "pk.h" + +#if defined(POLARSSL_RSA_C) +extern const pk_info_t rsa_info; +#endif + +#if defined(POLARSSL_ECP_C) +extern const pk_info_t eckey_info; +#endif + +#if defined(POLARSSL_ECDSA_C) +extern const pk_info_t ecdsa_info; +#endif + +#endif /* POLARSSL_PK_WRAP_H */ diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 3fa76a97..9eea7dc0 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -40,6 +40,7 @@ set(src pkcs11.c pkcs12.c pk.c + pk_wrap.c rsa.c sha1.c sha256.c diff --git a/library/Makefile b/library/Makefile index 48c3bdcb..044e2b7a 100644 --- a/library/Makefile +++ b/library/Makefile @@ -49,7 +49,7 @@ OBJS= aes.o arc4.o asn1parse.o \ oid.o \ padlock.o pbkdf2.o pem.o \ pkcs5.o pkcs11.o pkcs12.o \ - pk.o \ + pk.o pk_wrap.o \ rsa.o sha1.o sha256.o \ sha512.o ssl_cache.o ssl_cli.o \ ssl_srv.o ssl_ciphersuites.o \ diff --git a/library/pk.c b/library/pk.c index c5583c36..12104905 100644 --- a/library/pk.c +++ b/library/pk.c @@ -26,6 +26,7 @@ #include "polarssl/config.h" #include "polarssl/pk.h" +#include "polarssl/pk_wrap.h" #if defined(POLARSSL_RSA_C) #include "polarssl/rsa.h" @@ -54,6 +55,7 @@ void pk_init( pk_context *ctx ) if( ctx == NULL ) return; + ctx->info = NULL; ctx->type = POLARSSL_PK_NONE; ctx->data = NULL; ctx->dont_free = 0; @@ -89,6 +91,7 @@ void pk_free( pk_context *ctx ) if( ! ctx->dont_free ) polarssl_free( ctx->data ); + ctx->info = NULL; ctx->type = POLARSSL_PK_NONE; ctx->data = NULL; } @@ -99,6 +102,7 @@ void pk_free( pk_context *ctx ) int pk_set_type( pk_context *ctx, pk_type_t type ) { size_t size; + const pk_info_t *info; if( ctx->type == type ) return( 0 ); @@ -108,17 +112,26 @@ int pk_set_type( pk_context *ctx, pk_type_t type ) #if defined(POLARSSL_RSA_C) if( type == POLARSSL_PK_RSA ) + { size = sizeof( rsa_context ); + info = &rsa_info; + } else #endif #if defined(POLARSSL_ECP_C) if( type == POLARSSL_PK_ECKEY || type == POLARSSL_PK_ECKEY_DH ) + { size = sizeof( ecp_keypair ); + info = &eckey_info; + } else #endif #if defined(POLARSSL_ECDSA_C) if( type == POLARSSL_PK_ECDSA ) + { size = sizeof( ecdsa_context ); + info = &ecdsa_info; + } else #endif return( POLARSSL_ERR_PK_TYPE_MISMATCH ); @@ -128,6 +141,7 @@ int pk_set_type( pk_context *ctx, pk_type_t type ) memset( ctx->data, 0, size ); ctx->type = type; + ctx->info = info; return( 0 ); } diff --git a/library/pk_wrap.c b/library/pk_wrap.c new file mode 100644 index 00000000..fe47b388 --- /dev/null +++ b/library/pk_wrap.c @@ -0,0 +1,106 @@ +/* + * Public Key abstraction layer: wrapper functions + * + * Copyright (C) 2006-2013, Brainspark B.V. + * + * This file is part of PolarSSL (http://www.polarssl.org) + * Lead Maintainer: Paul Bakker + * + * All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include "polarssl/config.h" + +#include "polarssl/pk_wrap.h" + +#if defined(POLARSSL_RSA_C) +#include "polarssl/rsa.h" +#endif + +#if defined(POLARSSL_ECP_C) +#include "polarssl/ecp.h" +#endif + +#if defined(POLARSSL_ECDSA_C) +#include "polarssl/ecdsa.h" +#endif + +#if defined(POLARSSL_RSA_C) +static int rsa_verify_wrap( void *ctx, + const unsigned char *hash, const md_info_t *md_info, + const unsigned char *sig, size_t sig_len ) +{ + ((void) sig_len); + + return( rsa_pkcs1_verify( (rsa_context *) ctx, + RSA_PUBLIC, md_info->type, 0, hash, sig ) ); +} + +const pk_info_t rsa_info = { + POLARSSL_PK_RSA, + rsa_verify_wrap, +}; +#endif /* POLARSSL_RSA_C */ + +#if defined(POLARSSL_ECDSA_C) +int ecdsa_verify_wrap( void *ctx, + const unsigned char *hash, const md_info_t *md_info, + const unsigned char *sig, size_t sig_len ) +{ + return( ecdsa_read_signature( (ecdsa_context *) ctx, + hash, md_info->size, sig, sig_len ) ); +} + +const pk_info_t ecdsa_info = { + POLARSSL_PK_ECDSA, + ecdsa_verify_wrap, +}; +#endif /* POLARSSL_ECDSA_C */ + +#if defined(POLARSSL_ECP_C) +static int eckey_verify_wrap( void *ctx, + const unsigned char *hash, const md_info_t *md_info, + const unsigned char *sig, size_t sig_len ) +{ +#if !defined(POLARSSL_ECDSA_C) + ((void) ctx); + ((void) hash); + ((void) md_info); + ((void) sig); + ((void) sig_len); + + return( POLARSSL_ERR_PK_TYPE_MISMATCH ); +#else + int ret; + ecdsa_context ecdsa; + + ecdsa_init( &ecdsa ); + + ret = ecdsa_from_keypair( &ecdsa, ctx ) || + ecdsa_verify_wrap( &ecdsa, hash, md_info, sig, sig_len ); + + ecdsa_free( &ecdsa ); + + return( ret ); +#endif /* POLARSSL_ECDSA_C */ +} + +const pk_info_t eckey_info = { + POLARSSL_PK_ECKEY, + eckey_verify_wrap, +}; +#endif /* POLARSSL_ECP_C */ diff --git a/library/x509parse.c b/library/x509parse.c index b6864036..15823bd9 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -3348,8 +3348,8 @@ static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca, if( crl_list->sig_pk == POLARSSL_PK_RSA ) { if( ca->pk.type != POLARSSL_PK_RSA || - rsa_pkcs1_verify( pk_rsa( ca->pk ), RSA_PUBLIC, - crl_list->sig_md, 0, hash, crl_list->sig.p ) != 0 ) + ca->pk.info->verify_func( ca->pk.data, + hash, md_info, crl_list->sig.p, crl_list->sig.len ) != 0 ) { flags |= BADCRL_NOT_TRUSTED; break; @@ -3361,10 +3361,8 @@ static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca, if( crl_list->sig_pk == POLARSSL_PK_ECDSA ) { if( ! pk_can_ecdsa( ca->pk ) || - pk_ec_to_ecdsa( &ca->pk ) != 0 || - ecdsa_read_signature( (ecdsa_context *) ca->pk.data, - hash, md_info->size, - crl_list->sig.p, crl_list->sig.len ) != 0 ) + ca->pk.info->verify_func( ca->pk.data, + hash, md_info, crl_list->sig.p, crl_list->sig.len ) != 0 ) { flags |= BADCRL_NOT_TRUSTED; break; @@ -3487,8 +3485,8 @@ static int x509parse_verify_top( if( child->sig_pk == POLARSSL_PK_RSA ) { if( trust_ca->pk.type != POLARSSL_PK_RSA || - rsa_pkcs1_verify( pk_rsa( trust_ca->pk ), RSA_PUBLIC, - child->sig_md, 0, hash, child->sig.p ) != 0 ) + trust_ca->pk.info->verify_func( trust_ca->pk.data, + hash, md_info, child->sig.p, child->sig.len ) != 0 ) { trust_ca = trust_ca->next; continue; @@ -3500,10 +3498,8 @@ static int x509parse_verify_top( if( child->sig_pk == POLARSSL_PK_ECDSA ) { if( ! pk_can_ecdsa( trust_ca->pk ) || - pk_ec_to_ecdsa( &trust_ca->pk ) != 0 || - ecdsa_read_signature( (ecdsa_context *) trust_ca->pk.data, - hash, md_info->size, - child->sig.p, child->sig.len ) != 0 ) + trust_ca->pk.info->verify_func( trust_ca->pk.data, + hash, md_info, child->sig.p, child->sig.len ) != 0 ) { trust_ca = trust_ca->next; continue; @@ -3586,8 +3582,8 @@ static int x509parse_verify_child( if( child->sig_pk == POLARSSL_PK_RSA ) { if( parent->pk.type != POLARSSL_PK_RSA || - rsa_pkcs1_verify( pk_rsa( parent->pk ), RSA_PUBLIC, - child->sig_md, 0, hash, child->sig.p ) != 0 ) + parent->pk.info->verify_func( parent->pk.data, + hash, md_info, child->sig.p, child->sig.len ) != 0 ) { *flags |= BADCERT_NOT_TRUSTED; } @@ -3598,10 +3594,8 @@ static int x509parse_verify_child( if( child->sig_pk == POLARSSL_PK_ECDSA ) { if( ! pk_can_ecdsa( parent->pk ) || - pk_ec_to_ecdsa( &parent->pk ) != 0 || - ecdsa_read_signature( (ecdsa_context *) parent->pk.data, - hash, md_info->size, - child->sig.p, child->sig.len ) != 0 ) + parent->pk.info->verify_func( parent->pk.data, + hash, md_info, child->sig.p, child->sig.len ) != 0 ) { *flags |= BADCERT_NOT_TRUSTED; } From f18c3e03789ff1f92c81680fe8dc6516f58506fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 12 Aug 2013 18:41:18 +0200 Subject: [PATCH 14/28] Add a PK can_do() method and simplify code --- include/polarssl/pk.h | 30 ++------------- library/pk.c | 36 ----------------- library/pk_wrap.c | 20 ++++++++++ library/x509parse.c | 89 ++++++++----------------------------------- 4 files changed, 38 insertions(+), 137 deletions(-) diff --git a/include/polarssl/pk.h b/include/polarssl/pk.h index f06ec68a..a2d166f3 100644 --- a/include/polarssl/pk.h +++ b/include/polarssl/pk.h @@ -89,6 +89,9 @@ typedef struct /** Public key type */ pk_type_t type; + /** Tell if the context implements this type (eg ECKEY can do ECDSA) */ + int (*can_do)( pk_type_t type ); + /** Verify signature */ int (*verify_func)( void *ctx, const unsigned char *hash, const md_info_t *md_info, @@ -131,33 +134,6 @@ void pk_free( pk_context *ctx ); */ int pk_set_type( pk_context *ctx, pk_type_t type ); -#if defined(POLARSSL_ECDSA_C) -/** - * \brief Convert a generic EC key into an ECDSA context - * - * \param ctx Context to convert - * - * \return 0 on success, or - * POLARSSL_ERR_PK_MALLOC_FAILED or - * POLARSSL_ERR_PK_TYPE_MISMATCH. - */ -int pk_ec_to_ecdsa( pk_context *ctx ); - -/** - * \brief Tell if a PK context can be used for ECDSA - * - * \param ctx Context to check - * - * \return 0 if context cannot be used for ECDSA, - * 1 otherwise - */ -static inline int pk_can_ecdsa( pk_context ctx ) -{ - return( ctx.type == POLARSSL_PK_ECKEY || - ctx.type == POLARSSL_PK_ECDSA ); -} -#endif /* POLARSSL_ECDSA_C */ - #if defined(POLARSSL_RSA_C) /** * \brief Wrap a RSA context in a PK context diff --git a/library/pk.c b/library/pk.c index 12104905..6cfc16bb 100644 --- a/library/pk.c +++ b/library/pk.c @@ -146,42 +146,6 @@ int pk_set_type( pk_context *ctx, pk_type_t type ) return( 0 ); } -#if defined(POLARSSL_ECDSA_C) -/* - * Convert generic EC context to ECDSA - */ -int pk_ec_to_ecdsa( pk_context *ctx ) -{ - ecp_keypair *eckey; - ecdsa_context *ecdsa; - - if( ctx->type == POLARSSL_PK_ECDSA ) - return( 0 ); - - if( ctx->type != POLARSSL_PK_ECKEY ) - return( POLARSSL_ERR_PK_TYPE_MISMATCH ); - - eckey = (ecp_keypair *) ctx->data; - - if( ( ecdsa = polarssl_malloc( sizeof( ecdsa_context ) ) ) == NULL ) - return( POLARSSL_ERR_PK_MALLOC_FAILED ); - - ecdsa_init( ecdsa ); - - /* struct ecdsa_context begins the same as struct ecp_keypair */ - memcpy( ecdsa, eckey, sizeof( ecp_keypair ) ); - - if( ! ctx->dont_free ) - polarssl_free( eckey ); - - ctx->dont_free = 0; - ctx->type = POLARSSL_PK_ECDSA; - ctx->data = ecdsa; - - return( 0 ); -} -#endif /* POLARSSL_ECDSA_C */ - #if defined(POLARSSL_RSA_C) /* * Wrap an RSA context in a PK context diff --git a/library/pk_wrap.c b/library/pk_wrap.c index fe47b388..f7b0833e 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -40,6 +40,11 @@ #endif #if defined(POLARSSL_RSA_C) +static int rsa_can_do( pk_type_t type ) +{ + return( type == POLARSSL_PK_RSA ); +} + static int rsa_verify_wrap( void *ctx, const unsigned char *hash, const md_info_t *md_info, const unsigned char *sig, size_t sig_len ) @@ -52,11 +57,17 @@ static int rsa_verify_wrap( void *ctx, const pk_info_t rsa_info = { POLARSSL_PK_RSA, + rsa_can_do, rsa_verify_wrap, }; #endif /* POLARSSL_RSA_C */ #if defined(POLARSSL_ECDSA_C) +int ecdsa_can_do( pk_type_t type ) +{ + return( type == POLARSSL_PK_ECDSA ); +} + int ecdsa_verify_wrap( void *ctx, const unsigned char *hash, const md_info_t *md_info, const unsigned char *sig, size_t sig_len ) @@ -67,11 +78,19 @@ int ecdsa_verify_wrap( void *ctx, const pk_info_t ecdsa_info = { POLARSSL_PK_ECDSA, + ecdsa_can_do, ecdsa_verify_wrap, }; #endif /* POLARSSL_ECDSA_C */ #if defined(POLARSSL_ECP_C) +static int eckey_can_do( pk_type_t type ) +{ + return( type == POLARSSL_PK_ECKEY || + type == POLARSSL_PK_ECKEY_DH || + type == POLARSSL_PK_ECDSA ); +} + static int eckey_verify_wrap( void *ctx, const unsigned char *hash, const md_info_t *md_info, const unsigned char *sig, size_t sig_len ) @@ -101,6 +120,7 @@ static int eckey_verify_wrap( void *ctx, const pk_info_t eckey_info = { POLARSSL_PK_ECKEY, + eckey_can_do, eckey_verify_wrap, }; #endif /* POLARSSL_ECP_C */ diff --git a/library/x509parse.c b/library/x509parse.c index 15823bd9..31b1fa06 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -3344,33 +3344,13 @@ static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca, md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash ); -#if defined(POLARSSL_RSA_C) - if( crl_list->sig_pk == POLARSSL_PK_RSA ) + if( ca->pk.info->can_do( crl_list->sig_pk ) == 0 || + ca->pk.info->verify_func( ca->pk.data, hash, md_info, + crl_list->sig.p, crl_list->sig.len ) != 0 ) { - if( ca->pk.type != POLARSSL_PK_RSA || - ca->pk.info->verify_func( ca->pk.data, - hash, md_info, crl_list->sig.p, crl_list->sig.len ) != 0 ) - { - flags |= BADCRL_NOT_TRUSTED; - break; - } + flags |= BADCRL_NOT_TRUSTED; + break; } - else -#endif /* POLARSSL_RSA_C */ -#if defined(POLARSSL_ECDSA_C) - if( crl_list->sig_pk == POLARSSL_PK_ECDSA ) - { - if( ! pk_can_ecdsa( ca->pk ) || - ca->pk.info->verify_func( ca->pk.data, - hash, md_info, crl_list->sig.p, crl_list->sig.len ) != 0 ) - { - flags |= BADCRL_NOT_TRUSTED; - break; - } - } - else -#endif /* POLARSSL_ECDSA_C */ - return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); /* * Check for validity of CRL (Do not drop out) @@ -3457,7 +3437,7 @@ static int x509parse_verify_top( */ if( child->subject_raw.len == trust_ca->subject_raw.len && memcmp( child->subject_raw.p, trust_ca->subject_raw.p, - child->issuer_raw.len ) == 0 ) + child->issuer_raw.len ) == 0 ) { check_path_cnt--; } @@ -3481,33 +3461,13 @@ static int x509parse_verify_top( md( md_info, child->tbs.p, child->tbs.len, hash ); -#if defined(POLARSSL_RSA_C) - if( child->sig_pk == POLARSSL_PK_RSA ) + if( trust_ca->pk.info->can_do( child->sig_pk ) == 0 || + trust_ca->pk.info->verify_func( trust_ca->pk.data, hash, md_info, + child->sig.p, child->sig.len ) != 0 ) { - if( trust_ca->pk.type != POLARSSL_PK_RSA || - trust_ca->pk.info->verify_func( trust_ca->pk.data, - hash, md_info, child->sig.p, child->sig.len ) != 0 ) - { - trust_ca = trust_ca->next; - continue; - } + trust_ca = trust_ca->next; + continue; } - else -#endif /* POLARSSL_RSA_C */ -#if defined(POLARSSL_ECDSA_C) - if( child->sig_pk == POLARSSL_PK_ECDSA ) - { - if( ! pk_can_ecdsa( trust_ca->pk ) || - trust_ca->pk.info->verify_func( trust_ca->pk.data, - hash, md_info, child->sig.p, child->sig.len ) != 0 ) - { - trust_ca = trust_ca->next; - continue; - } - } - else -#endif /* POLARSSL_ECDSA_C */ - return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); /* * Top of chain is signed by a trusted CA @@ -3578,31 +3538,12 @@ static int x509parse_verify_child( { md( md_info, child->tbs.p, child->tbs.len, hash ); -#if defined(POLARSSL_RSA_C) - if( child->sig_pk == POLARSSL_PK_RSA ) + if( parent->pk.info->can_do( child->sig_pk ) == 0 || + parent->pk.info->verify_func( parent->pk.data, hash, md_info, + child->sig.p, child->sig.len ) != 0 ) { - if( parent->pk.type != POLARSSL_PK_RSA || - parent->pk.info->verify_func( parent->pk.data, - hash, md_info, child->sig.p, child->sig.len ) != 0 ) - { - *flags |= BADCERT_NOT_TRUSTED; - } + *flags |= BADCERT_NOT_TRUSTED; } - else -#endif /* POLARSSL_RSA_C */ -#if defined(POLARSSL_ECDSA_C) - if( child->sig_pk == POLARSSL_PK_ECDSA ) - { - if( ! pk_can_ecdsa( parent->pk ) || - parent->pk.info->verify_func( parent->pk.data, - hash, md_info, child->sig.p, child->sig.len ) != 0 ) - { - *flags |= BADCERT_NOT_TRUSTED; - } - } - else -#endif /* POLARSSL_ECDSA_C */ - return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); } /* Check trusted CA's CRL for the given crt */ From 835eb59c6a6e2453e18c326dc437f375e1904c9a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 12 Aug 2013 18:51:26 +0200 Subject: [PATCH 15/28] PK: fix support for ECKEY_DH --- include/polarssl/pk_wrap.h | 1 + library/pk.c | 7 ++++++- library/pk_wrap.c | 31 +++++++++++++++++++++++++++++++ 3 files changed, 38 insertions(+), 1 deletion(-) diff --git a/include/polarssl/pk_wrap.h b/include/polarssl/pk_wrap.h index 7d2c3dd8..a24fbd1d 100644 --- a/include/polarssl/pk_wrap.h +++ b/include/polarssl/pk_wrap.h @@ -38,6 +38,7 @@ extern const pk_info_t rsa_info; #if defined(POLARSSL_ECP_C) extern const pk_info_t eckey_info; +extern const pk_info_t eckeydh_info; #endif #if defined(POLARSSL_ECDSA_C) diff --git a/library/pk.c b/library/pk.c index 6cfc16bb..c83d02bd 100644 --- a/library/pk.c +++ b/library/pk.c @@ -119,11 +119,16 @@ int pk_set_type( pk_context *ctx, pk_type_t type ) else #endif #if defined(POLARSSL_ECP_C) - if( type == POLARSSL_PK_ECKEY || type == POLARSSL_PK_ECKEY_DH ) + if( type == POLARSSL_PK_ECKEY ) { size = sizeof( ecp_keypair ); info = &eckey_info; } + else if( type == POLARSSL_PK_ECKEY_DH ) + { + size = sizeof( ecp_keypair ); + info = &eckeydh_info; + } else #endif #if defined(POLARSSL_ECDSA_C) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index f7b0833e..9a897960 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -84,6 +84,9 @@ const pk_info_t ecdsa_info = { #endif /* POLARSSL_ECDSA_C */ #if defined(POLARSSL_ECP_C) +/* + * Generic EC key + */ static int eckey_can_do( pk_type_t type ) { return( type == POLARSSL_PK_ECKEY || @@ -123,4 +126,32 @@ const pk_info_t eckey_info = { eckey_can_do, eckey_verify_wrap, }; + +/* + * EC key resticted to ECDH + */ +static int eckeydh_can_do( pk_type_t type ) +{ + return( type == POLARSSL_PK_ECKEY || + type == POLARSSL_PK_ECKEY_DH ); +} + +static int eckeydh_verify_wrap( void *ctx, + const unsigned char *hash, const md_info_t *md_info, + const unsigned char *sig, size_t sig_len ) +{ + ((void) ctx); + ((void) hash); + ((void) md_info); + ((void) sig); + ((void) sig_len); + + return( POLARSSL_ERR_PK_TYPE_MISMATCH ); +} + +const pk_info_t eckeydh_info = { + POLARSSL_PK_ECKEY_DH, + eckeydh_can_do, + eckeydh_verify_wrap, +}; #endif /* POLARSSL_ECP_C */ From f8c948a674b5bdfbd5b6ce79ef736e697b241d86 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 12 Aug 2013 19:45:32 +0200 Subject: [PATCH 16/28] Add name and get_size() members in PK --- include/polarssl/pk.h | 6 ++++++ library/pk_wrap.c | 23 +++++++++++++++++++++++ library/x509parse.c | 43 +++++++++++++++++++++++++++++-------------- 3 files changed, 58 insertions(+), 14 deletions(-) diff --git a/include/polarssl/pk.h b/include/polarssl/pk.h index a2d166f3..43b9f093 100644 --- a/include/polarssl/pk.h +++ b/include/polarssl/pk.h @@ -89,6 +89,12 @@ typedef struct /** Public key type */ pk_type_t type; + /** Type name */ + const char *name; + + /** Get key size in bits */ + size_t (*get_size)( void * ); + /** Tell if the context implements this type (eg ECKEY can do ECDSA) */ int (*can_do)( pk_type_t type ); diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 9a897960..f8985912 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -45,6 +45,11 @@ static int rsa_can_do( pk_type_t type ) return( type == POLARSSL_PK_RSA ); } +static size_t rsa_get_size( void * ctx ) +{ + return( mpi_size( &((rsa_context *) ctx)->N ) * 8 ); +} + static int rsa_verify_wrap( void *ctx, const unsigned char *hash, const md_info_t *md_info, const unsigned char *sig, size_t sig_len ) @@ -57,6 +62,8 @@ static int rsa_verify_wrap( void *ctx, const pk_info_t rsa_info = { POLARSSL_PK_RSA, + "RSA", + rsa_get_size, rsa_can_do, rsa_verify_wrap, }; @@ -68,6 +75,11 @@ int ecdsa_can_do( pk_type_t type ) return( type == POLARSSL_PK_ECDSA ); } +static size_t ecdsa_get_size( void *ctx ) +{ + return( ((ecdsa_context *) ctx)->grp.pbits ); +} + int ecdsa_verify_wrap( void *ctx, const unsigned char *hash, const md_info_t *md_info, const unsigned char *sig, size_t sig_len ) @@ -78,6 +90,8 @@ int ecdsa_verify_wrap( void *ctx, const pk_info_t ecdsa_info = { POLARSSL_PK_ECDSA, + "ECDSA", + ecdsa_get_size, ecdsa_can_do, ecdsa_verify_wrap, }; @@ -94,6 +108,11 @@ static int eckey_can_do( pk_type_t type ) type == POLARSSL_PK_ECDSA ); } +static size_t eckey_get_size( void *ctx ) +{ + return( ((ecp_keypair *) ctx)->grp.pbits ); +} + static int eckey_verify_wrap( void *ctx, const unsigned char *hash, const md_info_t *md_info, const unsigned char *sig, size_t sig_len ) @@ -123,6 +142,8 @@ static int eckey_verify_wrap( void *ctx, const pk_info_t eckey_info = { POLARSSL_PK_ECKEY, + "EC", + eckey_get_size, eckey_can_do, eckey_verify_wrap, }; @@ -151,6 +172,8 @@ static int eckeydh_verify_wrap( void *ctx, const pk_info_t eckeydh_info = { POLARSSL_PK_ECKEY_DH, + "EC_DH", + eckey_get_size, /* Same underlying key structure */ eckeydh_can_do, eckeydh_verify_wrap, }; diff --git a/library/x509parse.c b/library/x509parse.c index 31b1fa06..82483737 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -3021,9 +3021,29 @@ int x509parse_serial_gets( char *buf, size_t size, const x509_buf *serial ) return( (int) ( size - n ) ); } +/* + * Helper for writing "RSA key size", "EC key size", etc + */ +static int x509_key_size_helper( char *buf, size_t size, const char *name ) +{ + char *p = buf; + size_t n = size; + int ret; + + if( strlen( name ) + sizeof( " key size" ) > size ) + return POLARSSL_ERR_DEBUG_BUF_TOO_SMALL; + + ret = snprintf( p, n, "%s key size", name ); + SAFE_SNPRINTF(); + + return( 0 ); +} + /* * Return an informational string about the certificate. */ +#define BEFORE_COLON 14 +#define BC "14" int x509parse_cert_info( char *buf, size_t size, const char *prefix, const x509_cert *crt ) { @@ -3031,6 +3051,7 @@ int x509parse_cert_info( char *buf, size_t size, const char *prefix, size_t n; char *p; const char *desc = NULL; + char key_size_str[BEFORE_COLON]; p = buf; n = size; @@ -3079,20 +3100,14 @@ int x509parse_cert_info( char *buf, size_t size, const char *prefix, ret = snprintf( p, n, desc ); SAFE_SNPRINTF(); -#if defined(POLARSSL_RSA_C) - if( crt->pk.type == POLARSSL_PK_RSA ) - ret = snprintf( p, n, "\n%sRSA key size : %d bits\n", prefix, - (int) pk_rsa( crt->pk )->N.n * (int) sizeof( t_uint ) * 8 ); - else -#endif /* POLARSSL_RSA_C */ -#if defined(POLARSSL_ECP_C) - if( crt->pk.type == POLARSSL_PK_ECKEY || - crt->pk.type == POLARSSL_PK_ECKEY_DH ) - ret = snprintf( p, n, "\n%sEC key size : %d bits\n", prefix, - (int) pk_ec( crt->pk )->grp.pbits ); - else -#endif /* POLARSSL_ECP_C */ - ret = snprintf(p, n, "\n%sPK type looks wrong!", prefix); + if( ( ret = x509_key_size_helper( key_size_str, BEFORE_COLON, + crt->pk.info->name ) ) != 0 ) + { + return( ret ); + } + + ret = snprintf( p, n, "\n%s%-" BC "s: %d bits\n", prefix, key_size_str, + (int) crt->pk.info->get_size( crt->pk.data ) ); SAFE_SNPRINTF(); return( (int) ( size - n ) ); From 3053f5bcb47ee346eadcbba1f07d179776ba6797 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 14 Aug 2013 13:39:57 +0200 Subject: [PATCH 17/28] Get rid of pk_wrap_rsa() --- include/polarssl/pk.h | 16 ------------ include/polarssl/rsa.h | 11 +++++++++ library/pk.c | 21 +--------------- library/rsa.c | 34 +++++++++++++++++++++++++ library/x509parse.c | 56 ++++++++++++++++++++++++++++++++++++------ 5 files changed, 94 insertions(+), 44 deletions(-) diff --git a/include/polarssl/pk.h b/include/polarssl/pk.h index 43b9f093..8626b604 100644 --- a/include/polarssl/pk.h +++ b/include/polarssl/pk.h @@ -112,7 +112,6 @@ typedef struct const pk_info_t * info; /**< Public key informations */ pk_type_t type; /**< Public key type (temporary) */ void * data; /**< Public key data */ - int dont_free; /**< True if data must not be freed */ } pk_context; /** @@ -140,21 +139,6 @@ void pk_free( pk_context *ctx ); */ int pk_set_type( pk_context *ctx, pk_type_t type ); -#if defined(POLARSSL_RSA_C) -/** - * \brief Wrap a RSA context in a PK context - * - * \param ctx PK context to initiliaze - * \param rsa RSA context to use - * - * \note The PK context must be freshly initialized. - * - * \return O on success, - * POLARSSL_ERR_PK_TYPE_MISMATCH if ctx was not empty. - */ -int pk_wrap_rsa( pk_context *ctx, const rsa_context *rsa); -#endif /* POLARSSL_RSA_C */ - #ifdef __cplusplus } #endif diff --git a/include/polarssl/rsa.h b/include/polarssl/rsa.h index a513a773..8e52e7d1 100644 --- a/include/polarssl/rsa.h +++ b/include/polarssl/rsa.h @@ -506,6 +506,17 @@ int rsa_rsassa_pss_verify( rsa_context *ctx, const unsigned char *hash, const unsigned char *sig ); +/** + * \brief Copy the components of an RSA context + * + * \param dst Destination context + * \param src Source context + * + * \return O on success, + * POLARSSL_ERR_MPI_MALLOC_FAILED on memory allocation failure + */ +int rsa_copy( rsa_context *dst, const rsa_context *src ); + /** * \brief Free the components of an RSA key * diff --git a/library/pk.c b/library/pk.c index c83d02bd..19bc79bb 100644 --- a/library/pk.c +++ b/library/pk.c @@ -58,7 +58,6 @@ void pk_init( pk_context *ctx ) ctx->info = NULL; ctx->type = POLARSSL_PK_NONE; ctx->data = NULL; - ctx->dont_free = 0; } /* @@ -88,8 +87,7 @@ void pk_free( pk_context *ctx ) ; /* guard for the else's above */ } - if( ! ctx->dont_free ) - polarssl_free( ctx->data ); + polarssl_free( ctx->data ); ctx->info = NULL; ctx->type = POLARSSL_PK_NONE; @@ -150,20 +148,3 @@ int pk_set_type( pk_context *ctx, pk_type_t type ) return( 0 ); } - -#if defined(POLARSSL_RSA_C) -/* - * Wrap an RSA context in a PK context - */ -int pk_wrap_rsa( pk_context *ctx, const rsa_context *rsa) -{ - if( ctx->type != POLARSSL_PK_NONE ) - return( POLARSSL_ERR_PK_TYPE_MISMATCH ); - - ctx->type = POLARSSL_PK_RSA; - ctx->data = (rsa_context *) rsa; - ctx->dont_free = 1; - - return( 0 ); -} -#endif diff --git a/library/rsa.c b/library/rsa.c index 8a9b0f42..ccdd0481 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -1196,6 +1196,40 @@ int rsa_pkcs1_verify( rsa_context *ctx, } } +/* + * Copy the components of an RSA key + */ +int rsa_copy( rsa_context *dst, const rsa_context *src ) +{ + int ret; + + dst->ver = src->ver; + dst->len = src->len; + + MPI_CHK( mpi_copy( &dst->N, &src->N ) ); + MPI_CHK( mpi_copy( &dst->E, &src->E ) ); + + MPI_CHK( mpi_copy( &dst->D, &src->D ) ); + MPI_CHK( mpi_copy( &dst->P, &src->P ) ); + MPI_CHK( mpi_copy( &dst->Q, &src->Q ) ); + MPI_CHK( mpi_copy( &dst->DP, &src->DP ) ); + MPI_CHK( mpi_copy( &dst->DQ, &src->DQ ) ); + MPI_CHK( mpi_copy( &dst->QP, &src->QP ) ); + + MPI_CHK( mpi_copy( &dst->RN, &src->RN ) ); + MPI_CHK( mpi_copy( &dst->RP, &src->RP ) ); + MPI_CHK( mpi_copy( &dst->RQ, &src->RQ ) ); + + dst->padding = src->padding; + dst->hash_id = src->padding; + +cleanup: + if( ret != 0 ) + rsa_free( dst ); + + return( ret ); +} + /* * Free the components of an RSA key */ diff --git a/library/x509parse.c b/library/x509parse.c index 82483737..a8fcc0bf 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -2138,12 +2138,22 @@ int x509parse_public_keyfile( pk_context *ctx, const char *path ) */ int x509parse_keyfile_rsa( rsa_context *rsa, const char *path, const char *pwd ) { + int ret; pk_context pk; pk_init( &pk ); - pk_wrap_rsa( &pk, rsa ); + pk_set_type( &pk, POLARSSL_PK_RSA ); - return( x509parse_keyfile( &pk, path, pwd ) ); + ret = x509parse_keyfile( &pk, path, pwd ); + + if( ret == 0 ) + rsa_copy( rsa, pk.data ); + else + rsa_free( rsa ); + + pk_free( &pk ); + + return( ret ); } /* @@ -2151,12 +2161,22 @@ int x509parse_keyfile_rsa( rsa_context *rsa, const char *path, const char *pwd ) */ int x509parse_public_keyfile_rsa( rsa_context *rsa, const char *path ) { + int ret; pk_context pk; pk_init( &pk ); - pk_wrap_rsa( &pk, rsa ); + pk_set_type( &pk, POLARSSL_PK_RSA ); - return( x509parse_public_keyfile( &pk, path ) ); + ret = x509parse_public_keyfile( &pk, path ); + + if( ret == 0 ) + rsa_copy( rsa, pk.data ); + else + rsa_free( rsa ); + + pk_free( &pk ); + + return( ret ); } #endif /* POLARSSL_RSA_C */ #endif /* POLARSSL_FS_IO */ @@ -2745,12 +2765,22 @@ int x509parse_key_rsa( rsa_context *rsa, const unsigned char *key, size_t keylen, const unsigned char *pwd, size_t pwdlen ) { + int ret; pk_context pk; pk_init( &pk ); - pk_wrap_rsa( &pk, rsa ); + pk_set_type( &pk, POLARSSL_PK_RSA ); - return( x509parse_key( &pk, key, keylen, pwd, pwdlen ) ); + ret = x509parse_key( &pk, key, keylen, pwd, pwdlen ); + + if( ret == 0 ) + rsa_copy( rsa, pk.data ); + else + rsa_free( rsa ); + + pk_free( &pk ); + + return( ret ); } /* @@ -2759,12 +2789,22 @@ int x509parse_key_rsa( rsa_context *rsa, int x509parse_public_key_rsa( rsa_context *rsa, const unsigned char *key, size_t keylen ) { + int ret; pk_context pk; pk_init( &pk ); - pk_wrap_rsa( &pk, rsa ); + pk_set_type( &pk, POLARSSL_PK_RSA ); - return( x509parse_public_key( &pk, key, keylen ) ); + ret = x509parse_public_key( &pk, key, keylen ); + + if( ret == 0 ) + rsa_copy( rsa, pk.data ); + else + rsa_free( rsa ); + + pk_free( &pk ); + + return( ret ); } #endif /* POLARSSL_RSA_C */ From 765db07dfbb68f9eb0bfdd7d0a5a02386580d3a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 14 Aug 2013 15:00:27 +0200 Subject: [PATCH 18/28] PK: use alloc and free function pointers --- include/polarssl/pk.h | 7 ++++ library/pk.c | 84 ++++++++++++++++--------------------------- library/pk_wrap.c | 64 +++++++++++++++++++++++++++++++++ 3 files changed, 101 insertions(+), 54 deletions(-) diff --git a/include/polarssl/pk.h b/include/polarssl/pk.h index 8626b604..83dc2d07 100644 --- a/include/polarssl/pk.h +++ b/include/polarssl/pk.h @@ -102,6 +102,13 @@ typedef struct int (*verify_func)( void *ctx, const unsigned char *hash, const md_info_t *md_info, const unsigned char *sig, size_t sig_len ); + + /** Allocate a new context */ + void * (*ctx_alloc_func)( void ); + + /** Free the given context */ + void (*ctx_free_func)( void *ctx ); + } pk_info_t; /** diff --git a/library/pk.c b/library/pk.c index 19bc79bb..9f336417 100644 --- a/library/pk.c +++ b/library/pk.c @@ -65,33 +65,39 @@ void pk_init( pk_context *ctx ) */ void pk_free( pk_context *ctx ) { - if( ctx == NULL ) + if( ctx == NULL || ctx->info == NULL) return; -#if defined(POLARSSL_RSA_C) - if( ctx->type == POLARSSL_PK_RSA ) - rsa_free( ctx->data ); - else -#endif -#if defined(POLARSSL_ECP_C) - if( ctx->type == POLARSSL_PK_ECKEY || ctx->type == POLARSSL_PK_ECKEY_DH ) - ecp_keypair_free( ctx->data ); - else -#endif -#if defined(POLARSSL_ECDSA_C) - if( ctx->type == POLARSSL_PK_ECDSA ) - ecdsa_free( ctx->data ); - else -#endif - { - ; /* guard for the else's above */ - } - - polarssl_free( ctx->data ); + ctx->info->ctx_free_func( ctx->data ); + ctx->data = NULL; ctx->info = NULL; ctx->type = POLARSSL_PK_NONE; - ctx->data = NULL; +} + +/* + * Get pk_info structure from type + */ +static const pk_info_t * pk_info_from_type( pk_type_t pk_type ) +{ + switch( pk_type ) { +#if defined(POLARSSL_RSA_C) + case POLARSSL_PK_RSA: + return &rsa_info; +#endif +#if defined(POLARSSL_ECP_C) + case POLARSSL_PK_ECKEY: + return &eckey_info; + case POLARSSL_PK_ECKEY_DH: + return &eckeydh_info; +#endif +#if defined(POLARSSL_ECDSA_C) + case POLARSSL_PK_ECDSA: + return &ecdsa_info; +#endif + default: + return NULL; + } } /* @@ -99,7 +105,6 @@ void pk_free( pk_context *ctx ) */ int pk_set_type( pk_context *ctx, pk_type_t type ) { - size_t size; const pk_info_t *info; if( ctx->type == type ) @@ -108,41 +113,12 @@ int pk_set_type( pk_context *ctx, pk_type_t type ) if( ctx->type != POLARSSL_PK_NONE ) return( POLARSSL_ERR_PK_TYPE_MISMATCH ); -#if defined(POLARSSL_RSA_C) - if( type == POLARSSL_PK_RSA ) - { - size = sizeof( rsa_context ); - info = &rsa_info; - } - else -#endif -#if defined(POLARSSL_ECP_C) - if( type == POLARSSL_PK_ECKEY ) - { - size = sizeof( ecp_keypair ); - info = &eckey_info; - } - else if( type == POLARSSL_PK_ECKEY_DH ) - { - size = sizeof( ecp_keypair ); - info = &eckeydh_info; - } - else -#endif -#if defined(POLARSSL_ECDSA_C) - if( type == POLARSSL_PK_ECDSA ) - { - size = sizeof( ecdsa_context ); - info = &ecdsa_info; - } - else -#endif + if( ( info = pk_info_from_type( type ) ) == NULL ) return( POLARSSL_ERR_PK_TYPE_MISMATCH ); - if( ( ctx->data = polarssl_malloc( size ) ) == NULL ) + if( ( ctx->data = info->ctx_alloc_func() ) == NULL ) return( POLARSSL_ERR_PK_MALLOC_FAILED ); - memset( ctx->data, 0, size ); ctx->type = type; ctx->info = info; diff --git a/library/pk_wrap.c b/library/pk_wrap.c index f8985912..50e8db52 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -39,6 +39,14 @@ #include "polarssl/ecdsa.h" #endif +#if defined(POLARSSL_MEMORY_C) +#include "polarssl/memory.h" +#else +#include +#define polarssl_malloc malloc +#define polarssl_free free +#endif + #if defined(POLARSSL_RSA_C) static int rsa_can_do( pk_type_t type ) { @@ -60,12 +68,30 @@ static int rsa_verify_wrap( void *ctx, RSA_PUBLIC, md_info->type, 0, hash, sig ) ); } +static void *rsa_alloc_wrap( void ) +{ + void *ctx = polarssl_malloc( sizeof( rsa_context ) ); + + if( ctx != NULL ) + rsa_init( (rsa_context *) ctx, 0, 0 ); + + return ctx; +} + +static void rsa_free_wrap( void *ctx ) +{ + rsa_free( (rsa_context *) ctx ); + polarssl_free( ctx ); +} + const pk_info_t rsa_info = { POLARSSL_PK_RSA, "RSA", rsa_get_size, rsa_can_do, rsa_verify_wrap, + rsa_alloc_wrap, + rsa_free_wrap, }; #endif /* POLARSSL_RSA_C */ @@ -88,12 +114,30 @@ int ecdsa_verify_wrap( void *ctx, hash, md_info->size, sig, sig_len ) ); } +static void *ecdsa_alloc_wrap( void ) +{ + void *ctx = polarssl_malloc( sizeof( ecdsa_context ) ); + + if( ctx != NULL ) + ecdsa_init( (ecdsa_context *) ctx ); + + return( ctx ); +} + +static void ecdsa_free_wrap( void *ctx ) +{ + ecdsa_free( (ecdsa_context *) ctx ); + polarssl_free( ctx ); +} + const pk_info_t ecdsa_info = { POLARSSL_PK_ECDSA, "ECDSA", ecdsa_get_size, ecdsa_can_do, ecdsa_verify_wrap, + ecdsa_alloc_wrap, + ecdsa_free_wrap, }; #endif /* POLARSSL_ECDSA_C */ @@ -140,12 +184,30 @@ static int eckey_verify_wrap( void *ctx, #endif /* POLARSSL_ECDSA_C */ } +static void *eckey_alloc_wrap( void ) +{ + void *ctx = polarssl_malloc( sizeof( ecp_keypair ) ); + + if( ctx != NULL ) + ecp_keypair_init( ctx ); + + return( ctx ); +} + +static void eckey_free_wrap( void *ctx ) +{ + ecp_keypair_free( (ecp_keypair *) ctx ); + polarssl_free( ctx ); +} + const pk_info_t eckey_info = { POLARSSL_PK_ECKEY, "EC", eckey_get_size, eckey_can_do, eckey_verify_wrap, + eckey_alloc_wrap, + eckey_free_wrap, }; /* @@ -176,5 +238,7 @@ const pk_info_t eckeydh_info = { eckey_get_size, /* Same underlying key structure */ eckeydh_can_do, eckeydh_verify_wrap, + eckey_alloc_wrap, /* Same underlying key structure */ + eckey_free_wrap, /* Same underlying key structure */ }; #endif /* POLARSSL_ECP_C */ From b3d9187cea02e745b05d4fd686d95f0836d81c08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 14 Aug 2013 15:56:19 +0200 Subject: [PATCH 19/28] PK: add nice interface functions Also fix a const-corectness issue. --- include/polarssl/error.h | 2 +- include/polarssl/pk.h | 38 +++++++++++++++++++++++++++++++++++++- include/polarssl/ssl.h | 2 +- library/error.c | 2 ++ library/pk.c | 36 ++++++++++++++++++++++++++++++++++++ library/pk_wrap.c | 8 ++++---- library/ssl_cli.c | 24 +++++++++++++++--------- library/ssl_srv.c | 7 +++++-- library/x509parse.c | 20 ++++++++++---------- 9 files changed, 111 insertions(+), 28 deletions(-) diff --git a/include/polarssl/error.h b/include/polarssl/error.h index 45a66401..10e68f83 100644 --- a/include/polarssl/error.h +++ b/include/polarssl/error.h @@ -84,7 +84,7 @@ * ECP 4 4 (Started from top) * MD 5 4 * CIPHER 6 5 - * SSL 6 5 (Started from top) + * SSL 6 6 (Started from top) * SSL 7 31 * * Module dependent error code (5 bits 0x.08.-0x.F8.) diff --git a/include/polarssl/pk.h b/include/polarssl/pk.h index 83dc2d07..4f9fdb19 100644 --- a/include/polarssl/pk.h +++ b/include/polarssl/pk.h @@ -93,7 +93,7 @@ typedef struct const char *name; /** Get key size in bits */ - size_t (*get_size)( void * ); + size_t (*get_size)( const void * ); /** Tell if the context implements this type (eg ECKEY can do ECDSA) */ int (*can_do)( pk_type_t type ); @@ -146,6 +146,42 @@ void pk_free( pk_context *ctx ); */ int pk_set_type( pk_context *ctx, pk_type_t type ); +/** + * \brief Get the size in bits of the underlying key + * + * \param ctx Context to use + * + * \return Key size in bits, or 0 on error + */ +size_t pk_get_size( const pk_context *ctx ); + +/** + * \brief Tell if a context can do the operation given by type + * + * \param ctx Context to test + * \param type Target type + * + * \return 0 if context can't do the operations, + * 1 otherwise. + */ +int pk_can_do( pk_context *ctx, pk_type_t type ); + +/** + * \brief Verify signature + * + * \param ctx PK context to use + * \param hash Hash of the message to sign + * \param md_info Information about the hash function used + * \param sig Signature to verify + * \param sig_len Signature length + * + * \return 0 on success (signature is valid), + * or a specific error code. + */ +int pk_verify( pk_context *ctx, + const unsigned char *hash, const md_info_t *md_info, + const unsigned char *sig, size_t sig_len ); + #ifdef __cplusplus } #endif diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index 7a468c46..d5a2fc00 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -110,7 +110,7 @@ #define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION -0x6E80 /**< Handshake protocol not within min/max boundaries */ #define POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET -0x6E00 /**< Processing of the NewSessionTicket handshake message failed. */ #define POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED -0x6D80 /**< Session ticket has expired. */ - +#define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH -0x6D00 /**< Public key type mismatch (eg, asked for RSA key exchange and presented EC key) */ /* * Various constants diff --git a/library/error.c b/library/error.c index 23f4a85d..333a8f85 100644 --- a/library/error.c +++ b/library/error.c @@ -373,6 +373,8 @@ void polarssl_strerror( int ret, char *buf, size_t buflen ) snprintf( buf, buflen, "SSL - Processing of the NewSessionTicket handshake message failed" ); if( use_ret == -(POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED) ) snprintf( buf, buflen, "SSL - Session ticket has expired" ); + if( use_ret == -(POLARSSL_ERR_SSL_PK_TYPE_MISMATCH) ) + snprintf( buf, buflen, "SSL - Public key type mismatch (eg, asked for RSA key exchange and presented EC key)" ); #endif /* POLARSSL_SSL_TLS_C */ #if defined(POLARSSL_X509_PARSE_C) diff --git a/library/pk.c b/library/pk.c index 9f336417..ce3b88a1 100644 --- a/library/pk.c +++ b/library/pk.c @@ -124,3 +124,39 @@ int pk_set_type( pk_context *ctx, pk_type_t type ) return( 0 ); } + +/* + * Tell if a PK can do the operations of the given type + */ +int pk_can_do( pk_context *ctx, pk_type_t type ) +{ + /* null of NONE context can't do anything */ + if( ctx == NULL || ctx->info == NULL ) + return( 0 ); + + return( ctx->info->can_do( type ) ); +} + +/* + * Verify a signature + */ +int pk_verify( pk_context *ctx, + const unsigned char *hash, const md_info_t *md_info, + const unsigned char *sig, size_t sig_len ) +{ + if( ctx == NULL || ctx->info == NULL ) + return( POLARSSL_ERR_PK_TYPE_MISMATCH ); // TODO + + return( ctx->info->verify_func( ctx->data, hash, md_info, sig, sig_len ) ); +} + +/* + * Get key size in bits + */ +size_t pk_get_size( const pk_context *ctx ) +{ + if( ctx == NULL || ctx->info == NULL ) + return( 0 ); + + return( ctx->info->get_size( ctx->data ) ); +} diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 50e8db52..239ff78e 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -53,9 +53,9 @@ static int rsa_can_do( pk_type_t type ) return( type == POLARSSL_PK_RSA ); } -static size_t rsa_get_size( void * ctx ) +static size_t rsa_get_size( const void * ctx ) { - return( mpi_size( &((rsa_context *) ctx)->N ) * 8 ); + return( 8 * ((rsa_context *) ctx)->len ); } static int rsa_verify_wrap( void *ctx, @@ -101,7 +101,7 @@ int ecdsa_can_do( pk_type_t type ) return( type == POLARSSL_PK_ECDSA ); } -static size_t ecdsa_get_size( void *ctx ) +static size_t ecdsa_get_size( const void *ctx ) { return( ((ecdsa_context *) ctx)->grp.pbits ); } @@ -152,7 +152,7 @@ static int eckey_can_do( pk_type_t type ) type == POLARSSL_PK_ECDSA ); } -static size_t eckey_get_size( void *ctx ) +static size_t eckey_get_size( const void *ctx ) { return( ((ecp_keypair *) ctx)->grp.pbits ); } diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 66743481..1c2c395d 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1346,12 +1346,15 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl ) return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); } - /* EC NOT IMPLEMENTED YET */ - if( ssl->session_negotiate->peer_cert->pk.type != POLARSSL_PK_RSA ) - return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); + if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, + POLARSSL_PK_RSA ) ) + { + SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); + return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH ); + } - if( (unsigned int)( end - p ) != - pk_rsa( ssl->session_negotiate->peer_cert->pk )->len ) + if( 8 * (unsigned int)( end - p ) != + pk_get_size( &ssl->session_negotiate->peer_cert->pk ) ) { SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); @@ -1795,12 +1798,15 @@ static int ssl_write_client_key_exchange( ssl_context *ssl ) if( ret != 0 ) return( ret ); - /* EC NOT IMPLEMENTED YET */ - if( ssl->session_negotiate->peer_cert->pk.type != POLARSSL_PK_RSA ) - return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); + if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, + POLARSSL_PK_RSA ) ) + { + SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) ); + return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH ); + } i = 4; - n = pk_rsa( ssl->session_negotiate->peer_cert->pk )->len; + n = pk_get_size( &ssl->session_negotiate->peer_cert->pk ) / 8; if( ssl->minor_ver != SSL_MINOR_VERSION_0 ) { diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 36c4f2f3..0780da51 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2517,10 +2517,13 @@ static int ssl_parse_certificate_verify( ssl_context *ssl ) } /* EC NOT IMPLEMENTED YET */ - if( ssl->session_negotiate->peer_cert->pk.type != POLARSSL_PK_RSA ) + if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, + POLARSSL_PK_RSA ) ) + { return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); + } - n1 = pk_rsa( ssl->session_negotiate->peer_cert->pk )->len; + n1 = pk_get_size( &ssl->session_negotiate->peer_cert->pk ) / 8; n2 = ( ssl->in_msg[4 + n] << 8 ) | ssl->in_msg[5 + n]; if( n + n1 + 6 != ssl->in_hslen || n1 != n2 ) diff --git a/library/x509parse.c b/library/x509parse.c index a8fcc0bf..225f45d1 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -3147,7 +3147,7 @@ int x509parse_cert_info( char *buf, size_t size, const char *prefix, } ret = snprintf( p, n, "\n%s%-" BC "s: %d bits\n", prefix, key_size_str, - (int) crt->pk.info->get_size( crt->pk.data ) ); + (int) pk_get_size( &crt->pk ) ); SAFE_SNPRINTF(); return( (int) ( size - n ) ); @@ -3399,9 +3399,9 @@ static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca, md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash ); - if( ca->pk.info->can_do( crl_list->sig_pk ) == 0 || - ca->pk.info->verify_func( ca->pk.data, hash, md_info, - crl_list->sig.p, crl_list->sig.len ) != 0 ) + if( pk_can_do( &ca->pk, crl_list->sig_pk ) == 0 || + pk_verify( &ca->pk, hash, md_info, + crl_list->sig.p, crl_list->sig.len ) != 0 ) { flags |= BADCRL_NOT_TRUSTED; break; @@ -3516,9 +3516,9 @@ static int x509parse_verify_top( md( md_info, child->tbs.p, child->tbs.len, hash ); - if( trust_ca->pk.info->can_do( child->sig_pk ) == 0 || - trust_ca->pk.info->verify_func( trust_ca->pk.data, hash, md_info, - child->sig.p, child->sig.len ) != 0 ) + if( pk_can_do( &trust_ca->pk, child->sig_pk ) == 0 || + pk_verify( &trust_ca->pk, hash, md_info, + child->sig.p, child->sig.len ) != 0 ) { trust_ca = trust_ca->next; continue; @@ -3593,9 +3593,9 @@ static int x509parse_verify_child( { md( md_info, child->tbs.p, child->tbs.len, hash ); - if( parent->pk.info->can_do( child->sig_pk ) == 0 || - parent->pk.info->verify_func( parent->pk.data, hash, md_info, - child->sig.p, child->sig.len ) != 0 ) + if( pk_can_do( &parent->pk, child->sig_pk ) == 0 || + pk_verify( &parent->pk, hash, md_info, + child->sig.p, child->sig.len ) != 0 ) { *flags |= BADCERT_NOT_TRUSTED; } From c6ac8870d5bb9d0cb60b412c14b9b4e7c5e5dc7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 14 Aug 2013 18:04:18 +0200 Subject: [PATCH 20/28] Nicer interface between PK and debug. Finally get rid of pk_context.type member, too. --- include/polarssl/pk.h | 37 ++++++++++++++- library/debug.c | 53 ++++++++++++++-------- library/pk.c | 23 +++++++--- library/pk_wrap.c | 24 ++++++++++ tests/suites/test_suite_x509parse.function | 4 +- 5 files changed, 113 insertions(+), 28 deletions(-) diff --git a/include/polarssl/pk.h b/include/polarssl/pk.h index 4f9fdb19..778efa70 100644 --- a/include/polarssl/pk.h +++ b/include/polarssl/pk.h @@ -81,6 +81,29 @@ typedef enum { POLARSSL_PK_ECDSA, } pk_type_t; +/** + * \brief Types for interfacing with the debug module + */ +typedef enum +{ + POLARSSL_PK_DEBUG_NONE = 0, + POLARSSL_PK_DEBUG_MPI, + POLARSSL_PK_DEBUG_ECP, +} pk_debug_type; + +/** + * \brief Item to send to the debug module + */ +typedef struct +{ + pk_debug_type type; + char *name; + void *value; +} pk_debug_item; + +/** Maximum number of item send for debugging, plus 1 */ +#define POLARSSL_PK_DEBUG_MAX_ITEMS 3 + /** * \brief Public key info */ @@ -109,6 +132,9 @@ typedef struct /** Free the given context */ void (*ctx_free_func)( void *ctx ); + /** Interface with the debug module */ + void (*debug_func)( const void *ctx, pk_debug_item *items ); + } pk_info_t; /** @@ -117,7 +143,6 @@ typedef struct typedef struct { const pk_info_t * info; /**< Public key informations */ - pk_type_t type; /**< Public key type (temporary) */ void * data; /**< Public key data */ } pk_context; @@ -182,6 +207,16 @@ int pk_verify( pk_context *ctx, const unsigned char *hash, const md_info_t *md_info, const unsigned char *sig, size_t sig_len ); +/** + * \brief Export debug information + * + * \param ctx Context to use + * \param items Place to write debug items + * + * \return 0 on sucess or POLARSSL_ERR_PK_BAD_INPUT_DATA + */ +int pk_debug( const pk_context *ctx, pk_debug_item *items ); + #ifdef __cplusplus } #endif diff --git a/library/debug.c b/library/debug.c index 8e3dd03a..5522fb64 100644 --- a/library/debug.c +++ b/library/debug.c @@ -225,6 +225,39 @@ void debug_print_mpi( const ssl_context *ssl, int level, #endif /* POLARSSL_BIGNUM_C */ #if defined(POLARSSL_X509_PARSE_C) +static void debug_print_pk( const ssl_context *ssl, int level, + const char *file, int line, + const char *text, const pk_context *pk ) +{ + size_t i; + pk_debug_item items[POLARSSL_PK_DEBUG_MAX_ITEMS]; + char name[16]; + + memset( items, 0, sizeof( items ) ); + + if( pk_debug( pk, items ) != 0 ) + { + debug_print_msg( ssl, level, file, line, "invalid PK context" ); + return; + } + + for( i = 0; i < sizeof( items ); i++ ) + { + if( items[i].type == POLARSSL_PK_DEBUG_NONE ) + return; + + snprintf( name, sizeof( name ), "%s%s", text, items[i].name ); + name[sizeof( name ) - 1] = '\0'; + + if( items[i].type == POLARSSL_PK_DEBUG_MPI ) + debug_print_mpi( ssl, level, file, line, name, items[i].value ); + else if( items[i].type == POLARSSL_PK_DEBUG_ECP ) + debug_print_ecp( ssl, level, file, line, name, items[i].value ); + else + debug_print_msg( ssl, level, file, line, "should not happen" ); + } +} + void debug_print_crt( const ssl_context *ssl, int level, const char *file, int line, const char *text, const x509_cert *crt ) @@ -250,25 +283,7 @@ void debug_print_crt( const ssl_context *ssl, int level, str[maxlen] = '\0'; ssl->f_dbg( ssl->p_dbg, level, str ); -#if defined(POLARSSL_RSA_C) - if( crt->pk.type == POLARSSL_PK_RSA ) - { - debug_print_mpi( ssl, level, file, line, - "crt->rsa.N", &pk_rsa( crt->pk )->N ); - debug_print_mpi( ssl, level, file, line, - "crt->rsa.E", &pk_rsa( crt->pk )->E ); - } else -#endif /* POLARSSL_RSA_C */ -#if defined(POLARSSL_ECP_C) - if( crt->pk.type == POLARSSL_PK_ECKEY || - crt->pk.type == POLARSSL_PK_ECKEY_DH ) - { - debug_print_ecp( ssl, level, file, line, - "crt->eckey.Q", &pk_ec( crt->pk )->Q ); - } else -#endif /* POLARSSL_ECP_C */ - debug_print_msg( ssl, level, file, line, - "crt->pk.type is not valid" ); + debug_print_pk( ssl, level, file, line, "crt->", &crt->pk ); crt = crt->next; } diff --git a/library/pk.c b/library/pk.c index ce3b88a1..f3c64cb4 100644 --- a/library/pk.c +++ b/library/pk.c @@ -56,7 +56,6 @@ void pk_init( pk_context *ctx ) return; ctx->info = NULL; - ctx->type = POLARSSL_PK_NONE; ctx->data = NULL; } @@ -72,7 +71,6 @@ void pk_free( pk_context *ctx ) ctx->data = NULL; ctx->info = NULL; - ctx->type = POLARSSL_PK_NONE; } /* @@ -107,11 +105,13 @@ int pk_set_type( pk_context *ctx, pk_type_t type ) { const pk_info_t *info; - if( ctx->type == type ) - return( 0 ); + if( ctx->info != NULL ) + { + if( ctx->info->type == type ) + return 0; - if( ctx->type != POLARSSL_PK_NONE ) return( POLARSSL_ERR_PK_TYPE_MISMATCH ); + } if( ( info = pk_info_from_type( type ) ) == NULL ) return( POLARSSL_ERR_PK_TYPE_MISMATCH ); @@ -119,7 +119,6 @@ int pk_set_type( pk_context *ctx, pk_type_t type ) if( ( ctx->data = info->ctx_alloc_func() ) == NULL ) return( POLARSSL_ERR_PK_MALLOC_FAILED ); - ctx->type = type; ctx->info = info; return( 0 ); @@ -160,3 +159,15 @@ size_t pk_get_size( const pk_context *ctx ) return( ctx->info->get_size( ctx->data ) ); } + +/* + * Export debug information + */ +int pk_debug( const pk_context *ctx, pk_debug_item *items ) +{ + if( ctx == NULL || ctx->info == NULL ) + return( POLARSSL_ERR_PK_TYPE_MISMATCH ); // TODO + + ctx->info->debug_func( ctx->data, items ); + return( 0 ); +} diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 239ff78e..284bd1db 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -84,6 +84,19 @@ static void rsa_free_wrap( void *ctx ) polarssl_free( ctx ); } +static void rsa_debug( const void *ctx, pk_debug_item *items ) +{ + items->type = POLARSSL_PK_DEBUG_MPI; + items->name = "rsa.N"; + items->value = &( ((rsa_context *) ctx)->N ); + + items++; + + items->type = POLARSSL_PK_DEBUG_MPI; + items->name = "rsa.E"; + items->value = &( ((rsa_context *) ctx)->E ); +} + const pk_info_t rsa_info = { POLARSSL_PK_RSA, "RSA", @@ -92,6 +105,7 @@ const pk_info_t rsa_info = { rsa_verify_wrap, rsa_alloc_wrap, rsa_free_wrap, + rsa_debug, }; #endif /* POLARSSL_RSA_C */ @@ -138,6 +152,7 @@ const pk_info_t ecdsa_info = { ecdsa_verify_wrap, ecdsa_alloc_wrap, ecdsa_free_wrap, + NULL, }; #endif /* POLARSSL_ECDSA_C */ @@ -200,6 +215,13 @@ static void eckey_free_wrap( void *ctx ) polarssl_free( ctx ); } +static void eckey_debug( const void *ctx, pk_debug_item *items ) +{ + items->type = POLARSSL_PK_DEBUG_ECP; + items->name = "eckey.Q"; + items->value = &( ((ecp_keypair *) ctx)->Q ); +} + const pk_info_t eckey_info = { POLARSSL_PK_ECKEY, "EC", @@ -208,6 +230,7 @@ const pk_info_t eckey_info = { eckey_verify_wrap, eckey_alloc_wrap, eckey_free_wrap, + eckey_debug, }; /* @@ -240,5 +263,6 @@ const pk_info_t eckeydh_info = { eckeydh_verify_wrap, eckey_alloc_wrap, /* Same underlying key structure */ eckey_free_wrap, /* Same underlying key structure */ + NULL, }; #endif /* POLARSSL_ECP_C */ diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index cec4d8d8..6bda6faa 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -226,7 +226,7 @@ void x509parse_public_keyfile_ec( char *key_file, int result ) if( res == 0 ) { ecp_keypair *eckey; - TEST_ASSERT( ctx.type == POLARSSL_PK_ECKEY ); + TEST_ASSERT( pk_can_do( &ctx, POLARSSL_PK_ECKEY ) ); eckey = (ecp_keypair *) ctx.data; TEST_ASSERT( ecp_check_pubkey( &eckey->grp, &eckey->Q ) == 0 ); } @@ -250,7 +250,7 @@ void x509parse_keyfile_ec( char *key_file, char *password, int result ) if( res == 0 ) { ecp_keypair *eckey; - TEST_ASSERT( ctx.type == POLARSSL_PK_ECKEY ); + TEST_ASSERT( pk_can_do( &ctx, POLARSSL_PK_ECKEY ) ); eckey = (ecp_keypair *) ctx.data; TEST_ASSERT( ecp_check_privkey( &eckey->grp, &eckey->d ) == 0 ); } From 09162ddcaac01844a79fef28ef13cfca80133c8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 14 Aug 2013 18:16:50 +0200 Subject: [PATCH 21/28] PK: reuse some eckey functions for ecdsa Also add some forgotten 'static' while at it. --- include/polarssl/ecp.h | 2 + library/pk_wrap.c | 98 +++++++++++++++++++++--------------------- 2 files changed, 52 insertions(+), 48 deletions(-) diff --git a/include/polarssl/ecp.h b/include/polarssl/ecp.h index 2082bd96..36c61854 100644 --- a/include/polarssl/ecp.h +++ b/include/polarssl/ecp.h @@ -95,6 +95,8 @@ ecp_group; * \brief ECP key pair structure * * A generic key pair that could be used for ECDSA, fixed ECDH, etc. + * + * \note Members purposefully in the same order as struc ecdsa_context. */ typedef struct { diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 284bd1db..e2c9bb12 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -109,53 +109,6 @@ const pk_info_t rsa_info = { }; #endif /* POLARSSL_RSA_C */ -#if defined(POLARSSL_ECDSA_C) -int ecdsa_can_do( pk_type_t type ) -{ - return( type == POLARSSL_PK_ECDSA ); -} - -static size_t ecdsa_get_size( const void *ctx ) -{ - return( ((ecdsa_context *) ctx)->grp.pbits ); -} - -int ecdsa_verify_wrap( void *ctx, - const unsigned char *hash, const md_info_t *md_info, - const unsigned char *sig, size_t sig_len ) -{ - return( ecdsa_read_signature( (ecdsa_context *) ctx, - hash, md_info->size, sig, sig_len ) ); -} - -static void *ecdsa_alloc_wrap( void ) -{ - void *ctx = polarssl_malloc( sizeof( ecdsa_context ) ); - - if( ctx != NULL ) - ecdsa_init( (ecdsa_context *) ctx ); - - return( ctx ); -} - -static void ecdsa_free_wrap( void *ctx ) -{ - ecdsa_free( (ecdsa_context *) ctx ); - polarssl_free( ctx ); -} - -const pk_info_t ecdsa_info = { - POLARSSL_PK_ECDSA, - "ECDSA", - ecdsa_get_size, - ecdsa_can_do, - ecdsa_verify_wrap, - ecdsa_alloc_wrap, - ecdsa_free_wrap, - NULL, -}; -#endif /* POLARSSL_ECDSA_C */ - #if defined(POLARSSL_ECP_C) /* * Generic EC key @@ -172,6 +125,13 @@ static size_t eckey_get_size( const void *ctx ) return( ((ecp_keypair *) ctx)->grp.pbits ); } +#if defined(POLARSSL_ECDSA_C) +/* Forward declaration */ +static int ecdsa_verify_wrap( void *ctx, + const unsigned char *hash, const md_info_t *md_info, + const unsigned char *sig, size_t sig_len ); +#endif + static int eckey_verify_wrap( void *ctx, const unsigned char *hash, const md_info_t *md_info, const unsigned char *sig, size_t sig_len ) @@ -263,6 +223,48 @@ const pk_info_t eckeydh_info = { eckeydh_verify_wrap, eckey_alloc_wrap, /* Same underlying key structure */ eckey_free_wrap, /* Same underlying key structure */ - NULL, + eckey_debug, /* Same underlying key structure */ }; #endif /* POLARSSL_ECP_C */ + +#if defined(POLARSSL_ECDSA_C) +static int ecdsa_can_do( pk_type_t type ) +{ + return( type == POLARSSL_PK_ECDSA ); +} + +static int ecdsa_verify_wrap( void *ctx, + const unsigned char *hash, const md_info_t *md_info, + const unsigned char *sig, size_t sig_len ) +{ + return( ecdsa_read_signature( (ecdsa_context *) ctx, + hash, md_info->size, sig, sig_len ) ); +} + +static void *ecdsa_alloc_wrap( void ) +{ + void *ctx = polarssl_malloc( sizeof( ecdsa_context ) ); + + if( ctx != NULL ) + ecdsa_init( (ecdsa_context *) ctx ); + + return( ctx ); +} + +static void ecdsa_free_wrap( void *ctx ) +{ + ecdsa_free( (ecdsa_context *) ctx ); + polarssl_free( ctx ); +} + +const pk_info_t ecdsa_info = { + POLARSSL_PK_ECDSA, + "ECDSA", + eckey_get_size, /* Compatible key structures */ + ecdsa_can_do, + ecdsa_verify_wrap, + ecdsa_alloc_wrap, + ecdsa_free_wrap, + eckey_debug, /* Compatible key structures */ +}; +#endif /* POLARSSL_ECDSA_C */ From 3fb5c5ee1c275f44f51ece1c497ca6133d6fddd1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 14 Aug 2013 18:26:41 +0200 Subject: [PATCH 22/28] PK: rename members for consistency CIPHER, MD Also add pk_get_name() to remove a direct access to pk_type --- include/polarssl/pk.h | 19 ++++++--- library/pk.c | 47 +++++++++++++--------- library/x509parse.c | 10 ++--- tests/suites/test_suite_x509parse.function | 4 +- 4 files changed, 50 insertions(+), 30 deletions(-) diff --git a/include/polarssl/pk.h b/include/polarssl/pk.h index 778efa70..6a3d4b8a 100644 --- a/include/polarssl/pk.h +++ b/include/polarssl/pk.h @@ -52,7 +52,7 @@ * \warning You must make sure the PK context actually holds an RSA context * before using this macro! */ -#define pk_rsa( pk ) ( (rsa_context *) (pk).data ) +#define pk_rsa( pk ) ( (rsa_context *) (pk).pk_ctx ) #endif /* POLARSSL_RSA_C */ #if defined(POLARSSL_ECP_C) @@ -62,7 +62,7 @@ * \warning You must make sure the PK context actually holds an EC context * before using this macro! */ -#define pk_ec( pk ) ( (ecp_keypair *) (pk).data ) +#define pk_ec( pk ) ( (ecp_keypair *) (pk).pk_ctx ) #endif /* POLARSSL_ECP_C */ @@ -105,7 +105,7 @@ typedef struct #define POLARSSL_PK_DEBUG_MAX_ITEMS 3 /** - * \brief Public key info + * \brief Public key information and operations */ typedef struct { @@ -142,8 +142,8 @@ typedef struct */ typedef struct { - const pk_info_t * info; /**< Public key informations */ - void * data; /**< Public key data */ + const pk_info_t * pk_info; /**< Public key informations */ + void * pk_ctx; /**< Underlying public key context */ } pk_context; /** @@ -217,6 +217,15 @@ int pk_verify( pk_context *ctx, */ int pk_debug( const pk_context *ctx, pk_debug_item *items ); +/** + * \brief Access the type name + * + * \param ctx Context to use + * + * \return Type name on success, or "invalid PK" + */ +const char * pk_get_name( const pk_context *ctx ); + #ifdef __cplusplus } #endif diff --git a/library/pk.c b/library/pk.c index f3c64cb4..d8b4c859 100644 --- a/library/pk.c +++ b/library/pk.c @@ -55,8 +55,8 @@ void pk_init( pk_context *ctx ) if( ctx == NULL ) return; - ctx->info = NULL; - ctx->data = NULL; + ctx->pk_info = NULL; + ctx->pk_ctx = NULL; } /* @@ -64,13 +64,13 @@ void pk_init( pk_context *ctx ) */ void pk_free( pk_context *ctx ) { - if( ctx == NULL || ctx->info == NULL) + if( ctx == NULL || ctx->pk_info == NULL) return; - ctx->info->ctx_free_func( ctx->data ); - ctx->data = NULL; + ctx->pk_info->ctx_free_func( ctx->pk_ctx ); + ctx->pk_ctx = NULL; - ctx->info = NULL; + ctx->pk_info = NULL; } /* @@ -105,9 +105,9 @@ int pk_set_type( pk_context *ctx, pk_type_t type ) { const pk_info_t *info; - if( ctx->info != NULL ) + if( ctx->pk_info != NULL ) { - if( ctx->info->type == type ) + if( ctx->pk_info->type == type ) return 0; return( POLARSSL_ERR_PK_TYPE_MISMATCH ); @@ -116,10 +116,10 @@ int pk_set_type( pk_context *ctx, pk_type_t type ) if( ( info = pk_info_from_type( type ) ) == NULL ) return( POLARSSL_ERR_PK_TYPE_MISMATCH ); - if( ( ctx->data = info->ctx_alloc_func() ) == NULL ) + if( ( ctx->pk_ctx = info->ctx_alloc_func() ) == NULL ) return( POLARSSL_ERR_PK_MALLOC_FAILED ); - ctx->info = info; + ctx->pk_info = info; return( 0 ); } @@ -130,10 +130,10 @@ int pk_set_type( pk_context *ctx, pk_type_t type ) int pk_can_do( pk_context *ctx, pk_type_t type ) { /* null of NONE context can't do anything */ - if( ctx == NULL || ctx->info == NULL ) + if( ctx == NULL || ctx->pk_info == NULL ) return( 0 ); - return( ctx->info->can_do( type ) ); + return( ctx->pk_info->can_do( type ) ); } /* @@ -143,10 +143,10 @@ int pk_verify( pk_context *ctx, const unsigned char *hash, const md_info_t *md_info, const unsigned char *sig, size_t sig_len ) { - if( ctx == NULL || ctx->info == NULL ) + if( ctx == NULL || ctx->pk_info == NULL ) return( POLARSSL_ERR_PK_TYPE_MISMATCH ); // TODO - return( ctx->info->verify_func( ctx->data, hash, md_info, sig, sig_len ) ); + return( ctx->pk_info->verify_func( ctx->pk_ctx, hash, md_info, sig, sig_len ) ); } /* @@ -154,10 +154,10 @@ int pk_verify( pk_context *ctx, */ size_t pk_get_size( const pk_context *ctx ) { - if( ctx == NULL || ctx->info == NULL ) + if( ctx == NULL || ctx->pk_info == NULL ) return( 0 ); - return( ctx->info->get_size( ctx->data ) ); + return( ctx->pk_info->get_size( ctx->pk_ctx ) ); } /* @@ -165,9 +165,20 @@ size_t pk_get_size( const pk_context *ctx ) */ int pk_debug( const pk_context *ctx, pk_debug_item *items ) { - if( ctx == NULL || ctx->info == NULL ) + if( ctx == NULL || ctx->pk_info == NULL ) return( POLARSSL_ERR_PK_TYPE_MISMATCH ); // TODO - ctx->info->debug_func( ctx->data, items ); + ctx->pk_info->debug_func( ctx->pk_ctx, items ); return( 0 ); } + +/* + * Access the PK type name + */ +const char * pk_get_name( const pk_context *ctx ) +{ + if( ctx == NULL || ctx->pk_info == NULL ) + return( "invalid PK" ); + + return( ctx->pk_info->name ); +} diff --git a/library/x509parse.c b/library/x509parse.c index 225f45d1..e080174e 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -2147,7 +2147,7 @@ int x509parse_keyfile_rsa( rsa_context *rsa, const char *path, const char *pwd ) ret = x509parse_keyfile( &pk, path, pwd ); if( ret == 0 ) - rsa_copy( rsa, pk.data ); + rsa_copy( rsa, pk_rsa( pk ) ); else rsa_free( rsa ); @@ -2170,7 +2170,7 @@ int x509parse_public_keyfile_rsa( rsa_context *rsa, const char *path ) ret = x509parse_public_keyfile( &pk, path ); if( ret == 0 ) - rsa_copy( rsa, pk.data ); + rsa_copy( rsa, pk_rsa( pk ) ); else rsa_free( rsa ); @@ -2774,7 +2774,7 @@ int x509parse_key_rsa( rsa_context *rsa, ret = x509parse_key( &pk, key, keylen, pwd, pwdlen ); if( ret == 0 ) - rsa_copy( rsa, pk.data ); + rsa_copy( rsa, pk_rsa( pk ) ); else rsa_free( rsa ); @@ -2798,7 +2798,7 @@ int x509parse_public_key_rsa( rsa_context *rsa, ret = x509parse_public_key( &pk, key, keylen ); if( ret == 0 ) - rsa_copy( rsa, pk.data ); + rsa_copy( rsa, pk_rsa( pk ) ); else rsa_free( rsa ); @@ -3141,7 +3141,7 @@ int x509parse_cert_info( char *buf, size_t size, const char *prefix, SAFE_SNPRINTF(); if( ( ret = x509_key_size_helper( key_size_str, BEFORE_COLON, - crt->pk.info->name ) ) != 0 ) + pk_get_name( &crt->pk ) ) ) != 0 ) { return( ret ); } diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 6bda6faa..ce27a9f3 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -227,7 +227,7 @@ void x509parse_public_keyfile_ec( char *key_file, int result ) { ecp_keypair *eckey; TEST_ASSERT( pk_can_do( &ctx, POLARSSL_PK_ECKEY ) ); - eckey = (ecp_keypair *) ctx.data; + eckey = pk_ec( ctx ); TEST_ASSERT( ecp_check_pubkey( &eckey->grp, &eckey->Q ) == 0 ); } @@ -251,7 +251,7 @@ void x509parse_keyfile_ec( char *key_file, char *password, int result ) { ecp_keypair *eckey; TEST_ASSERT( pk_can_do( &ctx, POLARSSL_PK_ECKEY ) ); - eckey = (ecp_keypair *) ctx.data; + eckey = pk_ec( ctx ); TEST_ASSERT( ecp_check_privkey( &eckey->grp, &eckey->d ) == 0 ); } From 15699380e59253223604ffa5183292dc03321aa5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 14 Aug 2013 19:22:48 +0200 Subject: [PATCH 23/28] Small PK cleanups - better error codes - rm now-useless include --- include/polarssl/error.h | 2 +- include/polarssl/pk.h | 3 ++- library/error.c | 2 ++ library/pk.c | 15 +++------------ 4 files changed, 8 insertions(+), 14 deletions(-) diff --git a/include/polarssl/error.h b/include/polarssl/error.h index 10e68f83..889e4beb 100644 --- a/include/polarssl/error.h +++ b/include/polarssl/error.h @@ -77,7 +77,7 @@ * PEM 1 9 * PKCS#12 1 4 (Started from top) * X509 2 25 - * PK 2 1 (Started from top) + * PK 2 3 (Started from top) * DHM 3 6 * PKCS5 3 4 (Started from top) * RSA 4 9 diff --git a/include/polarssl/pk.h b/include/polarssl/pk.h index 6a3d4b8a..a39fadf7 100644 --- a/include/polarssl/pk.h +++ b/include/polarssl/pk.h @@ -43,7 +43,8 @@ #endif #define POLARSSL_ERR_PK_MALLOC_FAILED -0x2F80 /**< Memory alloation failed. */ -#define POLARSSL_ERR_PK_TYPE_MISMATCH -0x2F00 /**< Type mismatch, eg attempt to use a RSA key as EC, or to modify key type */ +#define POLARSSL_ERR_PK_TYPE_MISMATCH -0x2F00 /**< Type mismatch, eg attempt to use a RSA key as EC, or to modify key type. */ +#define POLARSSL_ERR_PK_BAD_INPUT_DATA -0x2E80 /**< Bad input parameters to function. */ #if defined(POLARSSL_RSA_C) /** diff --git a/library/error.c b/library/error.c index 333a8f85..0ea3c297 100644 --- a/library/error.c +++ b/library/error.c @@ -252,6 +252,8 @@ void polarssl_strerror( int ret, char *buf, size_t buflen ) snprintf( buf, buflen, "PK - Memory alloation failed" ); if( use_ret == -(POLARSSL_ERR_PK_TYPE_MISMATCH) ) snprintf( buf, buflen, "PK - Type mismatch, eg attempt to use a RSA key as EC, or to modify key type" ); + if( use_ret == -(POLARSSL_ERR_PK_BAD_INPUT_DATA) ) + snprintf( buf, buflen, "PK - Bad input parameters to function" ); #endif /* POLARSSL_PK_C */ #if defined(POLARSSL_PKCS12_C) diff --git a/library/pk.c b/library/pk.c index d8b4c859..61544ebd 100644 --- a/library/pk.c +++ b/library/pk.c @@ -38,15 +38,6 @@ #include "polarssl/ecdsa.h" #endif -#if defined(POLARSSL_MEMORY_C) -#include "polarssl/memory.h" -#else -#define polarssl_malloc malloc -#define polarssl_free free -#endif - -#include - /* * Initialise a pk_context */ @@ -114,7 +105,7 @@ int pk_set_type( pk_context *ctx, pk_type_t type ) } if( ( info = pk_info_from_type( type ) ) == NULL ) - return( POLARSSL_ERR_PK_TYPE_MISMATCH ); + return( POLARSSL_ERR_PK_BAD_INPUT_DATA ); if( ( ctx->pk_ctx = info->ctx_alloc_func() ) == NULL ) return( POLARSSL_ERR_PK_MALLOC_FAILED ); @@ -144,7 +135,7 @@ int pk_verify( pk_context *ctx, const unsigned char *sig, size_t sig_len ) { if( ctx == NULL || ctx->pk_info == NULL ) - return( POLARSSL_ERR_PK_TYPE_MISMATCH ); // TODO + return( POLARSSL_ERR_PK_BAD_INPUT_DATA ); return( ctx->pk_info->verify_func( ctx->pk_ctx, hash, md_info, sig, sig_len ) ); } @@ -166,7 +157,7 @@ size_t pk_get_size( const pk_context *ctx ) int pk_debug( const pk_context *ctx, pk_debug_item *items ) { if( ctx == NULL || ctx->pk_info == NULL ) - return( POLARSSL_ERR_PK_TYPE_MISMATCH ); // TODO + return( POLARSSL_ERR_PK_BAD_INPUT_DATA ); ctx->pk_info->debug_func( ctx->pk_ctx, items ); return( 0 ); From ac4cd362973e9cf57c3aaf0857260950757af461 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 14 Aug 2013 20:20:41 +0200 Subject: [PATCH 24/28] PK rsa_verify: check signature length --- library/pk_wrap.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index e2c9bb12..8f615002 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -62,7 +62,8 @@ static int rsa_verify_wrap( void *ctx, const unsigned char *hash, const md_info_t *md_info, const unsigned char *sig, size_t sig_len ) { - ((void) sig_len); + if( sig_len != ((rsa_context *) ctx)->len ) + return( POLARSSL_ERR_RSA_VERIFY_FAILED ); return( rsa_pkcs1_verify( (rsa_context *) ctx, RSA_PUBLIC, md_info->type, 0, hash, sig ) ); From 7e56de1671b43e48102ff33d0a2ad21275259ae2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 14 Aug 2013 21:15:53 +0200 Subject: [PATCH 25/28] Adapt ssl_cert_test to changes in PK --- programs/test/ssl_cert_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/test/ssl_cert_test.c b/programs/test/ssl_cert_test.c index ec824c9e..a77a314a 100644 --- a/programs/test/ssl_cert_test.c +++ b/programs/test/ssl_cert_test.c @@ -213,7 +213,7 @@ int main( int argc, char *argv[] ) /* EC NOT IMPLEMENTED YET */ - if( clicert.pk.type != POLARSSL_PK_RSA ) + if( ! pk_can_do( &clicert.pk, POLARSSL_PK_RSA ) ) { printf( " failed\n ! certificate's key is not RSA\n\n" ); ret = POLARSSL_ERR_X509_FEATURE_UNAVAILABLE; From ab46694558faec41599e8469e5e0b0900af0e365 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 15 Aug 2013 11:30:27 +0200 Subject: [PATCH 26/28] Change pk_set_type to pk_init_ctx for consistency --- include/polarssl/pk.h | 37 +++++++++++++++++++------------- library/pk.c | 18 ++++------------ library/x509parse.c | 49 ++++++++++++++++++++++++++++++++++--------- 3 files changed, 65 insertions(+), 39 deletions(-) diff --git a/include/polarssl/pk.h b/include/polarssl/pk.h index a39fadf7..da13136a 100644 --- a/include/polarssl/pk.h +++ b/include/polarssl/pk.h @@ -147,31 +147,38 @@ typedef struct void * pk_ctx; /**< Underlying public key context */ } pk_context; +/** + * \brief Return information associated with the given PK type + * + * \param type PK type to search for. + * + * \return The PK info associated with the type or NULL if not found. + */ +const pk_info_t *pk_info_from_type( pk_type_t pk_type ); + /** * \brief Initialize a pk_context (as NONE) */ void pk_init( pk_context *ctx ); +/** + * \brief Initialize a PK context with the information given + * and allocates the type-specific PK subcontext. + * + * \param ctx Context to initialize. Must be empty (type NONE). + * \param info Information to use + * + * \return 0 on success, + * POLARSSL_ERR_PK_BAD_INPUT_DATA on invalid input, + * POLARSSL_ERR_PK_MALLOC_FAILED on allocation failure. + */ +int pk_init_ctx( pk_context *ctx, const pk_info_t *info ); + /** * \brief Free a pk_context */ void pk_free( pk_context *ctx ); -/** - * \brief Set a pk_context to a given type - * - * \param ctx Context to initialize - * \param type Type of key - * - * \note Once the type of a key has been set, it cannot be reset. - * If you want to do so, you need to use pk_free() first. - * - * \return O on success, - * POLARSSL_ERR_PK_MALLOC_FAILED on memory allocation fail, - * POLARSSL_ERR_PK_TYPE_MISMATCH on attempts to reset type. - */ -int pk_set_type( pk_context *ctx, pk_type_t type ); - /** * \brief Get the size in bits of the underlying key * diff --git a/library/pk.c b/library/pk.c index 61544ebd..4c16de8d 100644 --- a/library/pk.c +++ b/library/pk.c @@ -67,7 +67,7 @@ void pk_free( pk_context *ctx ) /* * Get pk_info structure from type */ -static const pk_info_t * pk_info_from_type( pk_type_t pk_type ) +const pk_info_t * pk_info_from_type( pk_type_t pk_type ) { switch( pk_type ) { #if defined(POLARSSL_RSA_C) @@ -90,21 +90,11 @@ static const pk_info_t * pk_info_from_type( pk_type_t pk_type ) } /* - * Set a pk_context to a given type + * Initialise context */ -int pk_set_type( pk_context *ctx, pk_type_t type ) +int pk_init_ctx( pk_context *ctx, const pk_info_t *info ) { - const pk_info_t *info; - - if( ctx->pk_info != NULL ) - { - if( ctx->pk_info->type == type ) - return 0; - - return( POLARSSL_ERR_PK_TYPE_MISMATCH ); - } - - if( ( info = pk_info_from_type( type ) ) == NULL ) + if( ctx == NULL || info == NULL || ctx->pk_info != NULL ) return( POLARSSL_ERR_PK_BAD_INPUT_DATA ); if( ( ctx->pk_ctx = info->ctx_alloc_func() ) == NULL ) diff --git a/library/x509parse.c b/library/x509parse.c index e080174e..4da4e751 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -570,6 +570,7 @@ static int x509_get_pubkey( unsigned char **p, size_t len; x509_buf alg_params; pk_type_t pk_alg = POLARSSL_PK_NONE; + const pk_info_t *pk_info; if( ( ret = asn1_get_tag( p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) @@ -589,7 +590,10 @@ static int x509_get_pubkey( unsigned char **p, return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); - if( ( ret = pk_set_type( pk, pk_alg ) ) != 0 ) + if( ( pk_info = pk_info_from_type( pk_alg ) ) == NULL ) + return( POLARSSL_ERR_X509_UNKNOWN_PK_ALG ); + + if( ( ret = pk_init_ctx( pk, pk_info ) ) != 0 ) return( ret ); #if defined(POLARSSL_RSA_C) @@ -2142,10 +2146,12 @@ int x509parse_keyfile_rsa( rsa_context *rsa, const char *path, const char *pwd ) pk_context pk; pk_init( &pk ); - pk_set_type( &pk, POLARSSL_PK_RSA ); ret = x509parse_keyfile( &pk, path, pwd ); + if( ret == 0 && ! pk_can_do( &pk, POLARSSL_PK_RSA ) ) + ret = POLARSSL_ERR_PK_TYPE_MISMATCH; + if( ret == 0 ) rsa_copy( rsa, pk_rsa( pk ) ); else @@ -2165,10 +2171,12 @@ int x509parse_public_keyfile_rsa( rsa_context *rsa, const char *path ) pk_context pk; pk_init( &pk ); - pk_set_type( &pk, POLARSSL_PK_RSA ); ret = x509parse_public_keyfile( &pk, path ); + if( ret == 0 && ! pk_can_do( &pk, POLARSSL_PK_RSA ) ) + ret = POLARSSL_ERR_PK_TYPE_MISMATCH; + if( ret == 0 ) rsa_copy( rsa, pk_rsa( pk ) ); else @@ -2380,6 +2388,7 @@ static int x509parse_key_pkcs8_unencrypted_der( unsigned char *p = (unsigned char *) key; unsigned char *end = p + keylen; pk_type_t pk_alg = POLARSSL_PK_NONE; + const pk_info_t *pk_info; /* * This function parses the PrivatKeyInfo object (PKCS#8 v1.2 = RFC 5208) @@ -2421,7 +2430,10 @@ static int x509parse_key_pkcs8_unencrypted_der( return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + POLARSSL_ERR_ASN1_OUT_OF_DATA ); - if( ( ret = pk_set_type( pk, pk_alg ) ) != 0 ) + if( ( pk_info = pk_info_from_type( pk_alg ) ) == NULL ) + return( POLARSSL_ERR_X509_UNKNOWN_PK_ALG ); + + if( ( ret = pk_init_ctx( pk, pk_info ) ) != 0 ) return( ret ); #if defined(POLARSSL_RSA_C) @@ -2568,6 +2580,7 @@ int x509parse_key( pk_context *pk, const unsigned char *pwd, size_t pwdlen ) { int ret; + const pk_info_t *pk_info; #if defined(POLARSSL_PEM_C) size_t len; @@ -2582,7 +2595,10 @@ int x509parse_key( pk_context *pk, key, pwd, pwdlen, &len ); if( ret == 0 ) { - if( ( ret = pk_set_type( pk, POLARSSL_PK_RSA ) ) != 0 || + if( ( pk_info = pk_info_from_type( POLARSSL_PK_RSA ) ) == NULL ) + return( POLARSSL_ERR_X509_UNKNOWN_PK_ALG ); + + if( ( ret = pk_init_ctx( pk, pk_info ) ) != 0 || ( ret = x509parse_key_pkcs1_der( pk_rsa( *pk ), pem.buf, pem.buflen ) ) != 0 ) { @@ -2607,7 +2623,10 @@ int x509parse_key( pk_context *pk, key, pwd, pwdlen, &len ); if( ret == 0 ) { - if( ( ret = pk_set_type( pk, POLARSSL_PK_ECKEY ) ) != 0 || + if( ( pk_info = pk_info_from_type( POLARSSL_PK_ECKEY ) ) == NULL ) + return( POLARSSL_ERR_X509_UNKNOWN_PK_ALG ); + + if( ( ret = pk_init_ctx( pk, pk_info ) ) != 0 || ( ret = x509parse_key_sec1_der( pk_ec( *pk ), pem.buf, pem.buflen ) ) != 0 ) { @@ -2692,7 +2711,10 @@ int x509parse_key( pk_context *pk, pk_free( pk ); #if defined(POLARSSL_RSA_C) - if( ( ret = pk_set_type( pk, POLARSSL_PK_RSA ) ) == 0 && + if( ( pk_info = pk_info_from_type( POLARSSL_PK_RSA ) ) == NULL ) + return( POLARSSL_ERR_X509_UNKNOWN_PK_ALG ); + + if( ( ret = pk_init_ctx( pk, pk_info ) ) != 0 || ( ret = x509parse_key_pkcs1_der( pk_rsa( *pk ), key, keylen ) ) == 0 ) { return( 0 ); @@ -2702,7 +2724,10 @@ int x509parse_key( pk_context *pk, #endif /* POLARSSL_RSA_C */ #if defined(POLARSSL_ECP_C) - if( ( ret = pk_set_type( pk, POLARSSL_PK_ECKEY ) ) == 0 && + if( ( pk_info = pk_info_from_type( POLARSSL_PK_ECKEY ) ) == NULL ) + return( POLARSSL_ERR_X509_UNKNOWN_PK_ALG ); + + if( ( ret = pk_init_ctx( pk, pk_info ) ) != 0 || ( ret = x509parse_key_sec1_der( pk_ec( *pk ), key, keylen ) ) == 0 ) { return( 0 ); @@ -2769,10 +2794,12 @@ int x509parse_key_rsa( rsa_context *rsa, pk_context pk; pk_init( &pk ); - pk_set_type( &pk, POLARSSL_PK_RSA ); ret = x509parse_key( &pk, key, keylen, pwd, pwdlen ); + if( ret == 0 && ! pk_can_do( &pk, POLARSSL_PK_RSA ) ) + ret = POLARSSL_ERR_PK_TYPE_MISMATCH; + if( ret == 0 ) rsa_copy( rsa, pk_rsa( pk ) ); else @@ -2793,10 +2820,12 @@ int x509parse_public_key_rsa( rsa_context *rsa, pk_context pk; pk_init( &pk ); - pk_set_type( &pk, POLARSSL_PK_RSA ); ret = x509parse_public_key( &pk, key, keylen ); + if( ret == 0 && ! pk_can_do( &pk, POLARSSL_PK_RSA ) ) + ret = POLARSSL_ERR_PK_TYPE_MISMATCH; + if( ret == 0 ) rsa_copy( rsa, pk_rsa( pk ) ); else From f73da02962b2ca1e75c3355cd3c1eebc0943b8d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Sat, 17 Aug 2013 14:36:32 +0200 Subject: [PATCH 27/28] PK: change pk_verify arguments (md_info "optional") --- include/polarssl/pk.h | 13 ++++++++----- library/pk.c | 10 ++++++---- library/pk_wrap.c | 34 +++++++++++++++++++--------------- library/x509parse.c | 6 +++--- 4 files changed, 36 insertions(+), 27 deletions(-) diff --git a/include/polarssl/pk.h b/include/polarssl/pk.h index da13136a..5104bc02 100644 --- a/include/polarssl/pk.h +++ b/include/polarssl/pk.h @@ -30,6 +30,8 @@ #include "config.h" +#include "md.h" + #if defined(POLARSSL_RSA_C) #include "rsa.h" #endif @@ -123,8 +125,8 @@ typedef struct int (*can_do)( pk_type_t type ); /** Verify signature */ - int (*verify_func)( void *ctx, - const unsigned char *hash, const md_info_t *md_info, + int (*verify_func)( void *ctx, md_type_t md_alg, + const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len ); /** Allocate a new context */ @@ -203,16 +205,17 @@ int pk_can_do( pk_context *ctx, pk_type_t type ); * \brief Verify signature * * \param ctx PK context to use + * \param md_alg Hash algorithm used * \param hash Hash of the message to sign - * \param md_info Information about the hash function used + * \param hash_len Hash length * \param sig Signature to verify * \param sig_len Signature length * * \return 0 on success (signature is valid), * or a specific error code. */ -int pk_verify( pk_context *ctx, - const unsigned char *hash, const md_info_t *md_info, +int pk_verify( pk_context *ctx, md_type_t md_alg, + const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len ); /** diff --git a/library/pk.c b/library/pk.c index 4c16de8d..62302b05 100644 --- a/library/pk.c +++ b/library/pk.c @@ -110,7 +110,7 @@ int pk_init_ctx( pk_context *ctx, const pk_info_t *info ) */ int pk_can_do( pk_context *ctx, pk_type_t type ) { - /* null of NONE context can't do anything */ + /* null or NONE context can't do anything */ if( ctx == NULL || ctx->pk_info == NULL ) return( 0 ); @@ -120,14 +120,16 @@ int pk_can_do( pk_context *ctx, pk_type_t type ) /* * Verify a signature */ -int pk_verify( pk_context *ctx, - const unsigned char *hash, const md_info_t *md_info, +int pk_verify( pk_context *ctx, md_type_t md_alg, + const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len ) { if( ctx == NULL || ctx->pk_info == NULL ) return( POLARSSL_ERR_PK_BAD_INPUT_DATA ); - return( ctx->pk_info->verify_func( ctx->pk_ctx, hash, md_info, sig, sig_len ) ); + return( ctx->pk_info->verify_func( ctx->pk_ctx, md_alg, + hash, hash_len, + sig, sig_len ) ); } /* diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 8f615002..beaa3fd4 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -58,15 +58,15 @@ static size_t rsa_get_size( const void * ctx ) return( 8 * ((rsa_context *) ctx)->len ); } -static int rsa_verify_wrap( void *ctx, - const unsigned char *hash, const md_info_t *md_info, +static int rsa_verify_wrap( void *ctx, md_type_t md_alg, + const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len ) { if( sig_len != ((rsa_context *) ctx)->len ) return( POLARSSL_ERR_RSA_VERIFY_FAILED ); return( rsa_pkcs1_verify( (rsa_context *) ctx, - RSA_PUBLIC, md_info->type, 0, hash, sig ) ); + RSA_PUBLIC, md_alg, hash_len, hash, sig ) ); } static void *rsa_alloc_wrap( void ) @@ -128,19 +128,20 @@ static size_t eckey_get_size( const void *ctx ) #if defined(POLARSSL_ECDSA_C) /* Forward declaration */ -static int ecdsa_verify_wrap( void *ctx, - const unsigned char *hash, const md_info_t *md_info, +static int ecdsa_verify_wrap( void *ctx, md_type_t md_alg, + const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len ); #endif -static int eckey_verify_wrap( void *ctx, - const unsigned char *hash, const md_info_t *md_info, +static int eckey_verify_wrap( void *ctx, md_type_t md_alg, + const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len ) { #if !defined(POLARSSL_ECDSA_C) ((void) ctx); + ((void) md_alg); ((void) hash); - ((void) md_info); + ((void) hash_len); ((void) sig); ((void) sig_len); @@ -152,7 +153,7 @@ static int eckey_verify_wrap( void *ctx, ecdsa_init( &ecdsa ); ret = ecdsa_from_keypair( &ecdsa, ctx ) || - ecdsa_verify_wrap( &ecdsa, hash, md_info, sig, sig_len ); + ecdsa_verify_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len ); ecdsa_free( &ecdsa ); @@ -203,13 +204,14 @@ static int eckeydh_can_do( pk_type_t type ) type == POLARSSL_PK_ECKEY_DH ); } -static int eckeydh_verify_wrap( void *ctx, - const unsigned char *hash, const md_info_t *md_info, +static int eckeydh_verify_wrap( void *ctx, md_type_t md_alg, + const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len ) { ((void) ctx); + ((void) md_alg); ((void) hash); - ((void) md_info); + ((void) hash_len); ((void) sig); ((void) sig_len); @@ -234,12 +236,14 @@ static int ecdsa_can_do( pk_type_t type ) return( type == POLARSSL_PK_ECDSA ); } -static int ecdsa_verify_wrap( void *ctx, - const unsigned char *hash, const md_info_t *md_info, +static int ecdsa_verify_wrap( void *ctx, md_type_t md_alg, + const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len ) { + ((void) md_alg); + return( ecdsa_read_signature( (ecdsa_context *) ctx, - hash, md_info->size, sig, sig_len ) ); + hash, hash_len, sig, sig_len ) ); } static void *ecdsa_alloc_wrap( void ) diff --git a/library/x509parse.c b/library/x509parse.c index 4da4e751..bbaca8ea 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -3429,7 +3429,7 @@ static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca, md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash ); if( pk_can_do( &ca->pk, crl_list->sig_pk ) == 0 || - pk_verify( &ca->pk, hash, md_info, + pk_verify( &ca->pk, crl_list->sig_md, hash, md_info->size, crl_list->sig.p, crl_list->sig.len ) != 0 ) { flags |= BADCRL_NOT_TRUSTED; @@ -3546,7 +3546,7 @@ static int x509parse_verify_top( md( md_info, child->tbs.p, child->tbs.len, hash ); if( pk_can_do( &trust_ca->pk, child->sig_pk ) == 0 || - pk_verify( &trust_ca->pk, hash, md_info, + pk_verify( &trust_ca->pk, child->sig_md, hash, md_info->size, child->sig.p, child->sig.len ) != 0 ) { trust_ca = trust_ca->next; @@ -3623,7 +3623,7 @@ static int x509parse_verify_child( md( md_info, child->tbs.p, child->tbs.len, hash ); if( pk_can_do( &parent->pk, child->sig_pk ) == 0 || - pk_verify( &parent->pk, hash, md_info, + pk_verify( &parent->pk, child->sig_md, hash, md_info->size, child->sig.p, child->sig.len ) != 0 ) { *flags |= BADCERT_NOT_TRUSTED; From fff80f8879dbbafc8e0ee7c007f85bf90d8dc3de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Sat, 17 Aug 2013 15:20:06 +0200 Subject: [PATCH 28/28] PK: use NULL for unimplemented operations --- include/polarssl/pk.h | 2 +- library/pk.c | 3 +++ library/pk_wrap.c | 33 ++++++--------------------------- 3 files changed, 10 insertions(+), 28 deletions(-) diff --git a/include/polarssl/pk.h b/include/polarssl/pk.h index 5104bc02..fb0e92ec 100644 --- a/include/polarssl/pk.h +++ b/include/polarssl/pk.h @@ -45,7 +45,7 @@ #endif #define POLARSSL_ERR_PK_MALLOC_FAILED -0x2F80 /**< Memory alloation failed. */ -#define POLARSSL_ERR_PK_TYPE_MISMATCH -0x2F00 /**< Type mismatch, eg attempt to use a RSA key as EC, or to modify key type. */ +#define POLARSSL_ERR_PK_TYPE_MISMATCH -0x2F00 /**< Type mismatch, eg attempt to encrypt with an ECDSA key */ #define POLARSSL_ERR_PK_BAD_INPUT_DATA -0x2E80 /**< Bad input parameters to function. */ #if defined(POLARSSL_RSA_C) diff --git a/library/pk.c b/library/pk.c index 62302b05..3711794e 100644 --- a/library/pk.c +++ b/library/pk.c @@ -127,6 +127,9 @@ int pk_verify( pk_context *ctx, md_type_t md_alg, if( ctx == NULL || ctx->pk_info == NULL ) return( POLARSSL_ERR_PK_BAD_INPUT_DATA ); + if( ctx->pk_info->verify_func == NULL ) + return( POLARSSL_ERR_PK_TYPE_MISMATCH ); + return( ctx->pk_info->verify_func( ctx->pk_ctx, md_alg, hash, hash_len, sig, sig_len ) ); diff --git a/library/pk_wrap.c b/library/pk_wrap.c index beaa3fd4..c2a4c7fc 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -131,22 +131,11 @@ static size_t eckey_get_size( const void *ctx ) static int ecdsa_verify_wrap( void *ctx, md_type_t md_alg, const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len ); -#endif static int eckey_verify_wrap( void *ctx, md_type_t md_alg, const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len ) { -#if !defined(POLARSSL_ECDSA_C) - ((void) ctx); - ((void) md_alg); - ((void) hash); - ((void) hash_len); - ((void) sig); - ((void) sig_len); - - return( POLARSSL_ERR_PK_TYPE_MISMATCH ); -#else int ret; ecdsa_context ecdsa; @@ -158,8 +147,8 @@ static int eckey_verify_wrap( void *ctx, md_type_t md_alg, ecdsa_free( &ecdsa ); return( ret ); -#endif /* POLARSSL_ECDSA_C */ } +#endif /* POLARSSL_ECDSA_C */ static void *eckey_alloc_wrap( void ) { @@ -189,7 +178,11 @@ const pk_info_t eckey_info = { "EC", eckey_get_size, eckey_can_do, +#if defined(POLARSSL_ECDSA_C) eckey_verify_wrap, +#else + NULL, +#endif eckey_alloc_wrap, eckey_free_wrap, eckey_debug, @@ -204,26 +197,12 @@ static int eckeydh_can_do( pk_type_t type ) type == POLARSSL_PK_ECKEY_DH ); } -static int eckeydh_verify_wrap( void *ctx, md_type_t md_alg, - const unsigned char *hash, size_t hash_len, - const unsigned char *sig, size_t sig_len ) -{ - ((void) ctx); - ((void) md_alg); - ((void) hash); - ((void) hash_len); - ((void) sig); - ((void) sig_len); - - return( POLARSSL_ERR_PK_TYPE_MISMATCH ); -} - const pk_info_t eckeydh_info = { POLARSSL_PK_ECKEY_DH, "EC_DH", eckey_get_size, /* Same underlying key structure */ eckeydh_can_do, - eckeydh_verify_wrap, + NULL, eckey_alloc_wrap, /* Same underlying key structure */ eckey_free_wrap, /* Same underlying key structure */ eckey_debug, /* Same underlying key structure */