From 979aa49d1cee5374dc607c0d869df4047c8d5b6e Mon Sep 17 00:00:00 2001
From: Thomas Daubney
Date: Thu, 21 Apr 2022 11:53:55 +0100
Subject: [PATCH 1/6] Add accessor for x509 certificate extension types
Add accessor for x509 certificate extension types
Signed-off-by: Thomas Daubney
---
 include/mbedtls/x509_crt.h | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 51883dc86b..0b0120b70b 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -1137,6 +1137,23 @@ int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
 int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx, unsigned char ns_cert_type );
+/**
+ * \brief Query certificate for given extension type
+ *
+ * \param[in] ctx Certificate context to be queried, must not be \c NULL
+ * \param ext_type Extension type being queried for, must be a valid
+ * extension type. Must be one of the MBEDTLS_X509_EXT_XXX
+ * values
+ *
+ * \return 0 if the given extension type is not present,
+ * non-zero otherwise
+ */
+static inline int mbedtls_x509_crt_has_ext_type( const mbedtls_x509_crt *ctx,
+ int ext_type )
+{
+ return ctx->MBEDTLS_PRIVATE(ext_types) & ext_type;
+}
+
 /**
 * \brief Free the contents of a CRT write context
 *
From bd5466ab7e11a2f40b685c7fc76e3b78d051714b Mon Sep 17 00:00:00 2001
From: Thomas Daubney
Date: Tue, 31 May 2022 14:16:42 +0100
Subject: [PATCH 2/6] Add test for accessor
Add test logic for accessor.
Signed-off-by: Thomas Daubney
---
 tests/suites/test_suite_x509parse.function | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index fea02f362c..6ed5ea121f 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
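Review bot: The accessor returns the raw value of `ctx->MBEDTLS_PRIVATE(ext_types) & ext_type`, while the \param text only says \p ext_type must be one of the MBEDTLS_X509_EXT_XXX values, so a caller that passes an OR of several values gets a non-zero result as soon as any one of them is present and nothing in the header says which reading is intended. A note on the doc comment would pin this down: `\note If \p ext_type is a bitwise OR of several MBEDTLS_X509_EXT_XXX values, the result is non-zero if at least one of them is present; compare the result with \p ext_type to require all of them.` It is also worth stating that the non-zero value is the matching bit rather than 1, so callers should test the result with `!= 0` instead of comparing it to a boolean. The same function and comment are re-added unchanged by the `@@ -955,6 +955,23 @@` hunk of the fifth patch, so the note applies there too.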
@@ -400,6 +400,22 @@ int parse_crt_ext_cb( void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf
 * END_DEPENDENCIES
 */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_WRITE_C */
+void x509_accessor_ext_types( int ext_type, int has_ext_type )
+{
+ mbedtls_x509_crt crt;
+ int expected_result = ext_type & has_ext_type;
+
+ mbedtls_x509_crt_init( &crt );
+
+ crt.ext_types = ext_type;
+
+ TEST_ASSERT( mbedtls_x509_crt_has_ext_type( &crt, has_ext_type ) == expected_result );
+
+ mbedtls_x509_crt_free( &crt );
+}
+/* END_CASE */
+
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
 void x509_parse_san( char * crt_file, char * result_str )
 {
From 3ff4fc6997d046d1ef8b6bbb4d4d53a6eaf1a308 Mon Sep 17 00:00:00 2001
From: Thomas Daubney
Date: Tue, 31 May 2022 14:17:24 +0100
Subject: [PATCH 3/6] Add test data
Add two test cases for accessor test. One test where desired ext type is presentent and the other of when the ext type is not present.
Signed-off-by: Thomas Daubney
---
 tests/suites/test_suite_x509parse.data | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index e21b450b95..dd7485310d 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
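Review bot: `mbedtls_x509_crt_free( &crt )` sits before the closing brace, so when `TEST_ASSERT` fails it jumps past the free; the suite's convention is to put cleanup under an exit label, i.e. end the function with `exit:`, `    mbedtls_x509_crt_free( &crt );`, `}`. Only `crt.ext_types` is written here, so nothing leaks today, but the exit-label form keeps the test correct if it is later extended to parse a real certificate into the context. The parameter names also read backwards: `ext_type` is the set stored in the context and `has_ext_type` is the single type queried, the opposite of the accessor's own `ext_type` parameter, so names such as `ext_types_set` and `queried_ext_type` would make `expected_result = ext_type & has_ext_type` easier to follow.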
@@ -2791,3 +2791,11 @@ x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.c
 X509 CRT verify restart: one int, int badsign, max_ops=500
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
 x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:25:100
+
+X509 ext types accessor: ext type present
+depends_on:MBEDTLS_X509_CRT_WRITE_C
+x509_accessor_ext_types:MBEDTLS_X509_EXT_KEY_USAGE:MBEDTLS_X509_EXT_KEY_USAGE
+
+X509 ext types accessor: ext type not present
+depends_on:MBEDTLS_X509_CRT_WRITE_C
+x509_accessor_ext_types:MBEDTLS_X509_EXT_KEY_USAGE:MBEDTLS_X509_EXT_SUBJECT_ALT_NAME
From 3d3cfc5553923eab92618adc8172e28ef3f5f69c Mon Sep 17 00:00:00 2001
From: Thomas Daubney
Date: Tue, 31 May 2022 14:34:35 +0100
Subject: [PATCH 4/6] Add Changelog entry
Add Changelog entry for changes made in this PR.
Signed-off-by: Thomas Daubney
---
 ChangeLog.d/x509_ext_types_accessor.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 ChangeLog.d/x509_ext_types_accessor.txt
diff --git a/ChangeLog.d/x509_ext_types_accessor.txt b/ChangeLog.d/x509_ext_types_accessor.txt
new file mode 100644
index 0000000000..13a31521ff
--- /dev/null
+++ b/ChangeLog.d/x509_ext_types_accessor.txt
@@ -0,0 +1,3 @@
+Features
+ * Add the function mbedtls_x509_crt_has_ext_type() to access the ext types
+ field within mbedtls_x509_crt context, as requested in #5585.
From a5f39e0ec28db56878488d4ed094e2a8ec798d77 Mon Sep 17 00:00:00 2001
From: Thomas Daubney
Date: Mon, 6 Jun 2022 15:42:32 +0100
Subject: [PATCH 5/6] Move accessor definition
Move the definition of the accessor so that it is not defined within the MBEDTLS_X509_CRT_WRITE_C guards. Thus remove the dependency from the test and test cases.
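Review bot: Both new data cases store exactly one type in the context and query exactly one type, so the suite never pins what the accessor returns for an empty `ext_types` or for a context with several types set, which is precisely where the bitwise-AND in the accessor matters. Two further cases would close that gap, each with the same depends_on line as the existing ones: `x509_accessor_ext_types:0:MBEDTLS_X509_EXT_KEY_USAGE` and `x509_accessor_ext_types:MBEDTLS_X509_EXT_KEY_USAGE|MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:MBEDTLS_X509_EXT_SUBJECT_ALT_NAME`, assuming the .data argument parser accepts an OR expression as an integer argument. The expected value in the test function is derived as `ext_type & has_ext_type`, so neither case needs a change to the .function file.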
Signed-off-by: Thomas Daubney
---
 include/mbedtls/x509_crt.h | 34 +++++++++++-----------
 tests/suites/test_suite_x509parse.data | 2 --
 tests/suites/test_suite_x509parse.function | 2 +-
 3 files changed, 18 insertions(+), 20 deletions(-)
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 0b0120b70b..5ce14438b0 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -955,6 +955,23 @@ void mbedtls_x509_crt_restart_free( mbedtls_x509_crt_restart_ctx *ctx );
 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
+/**
+ * \brief Query certificate for given extension type
+ *
+ * \param[in] ctx Certificate context to be queried, must not be \c NULL
+ * \param ext_type Extension type being queried for, must be a valid
+ * extension type. Must be one of the MBEDTLS_X509_EXT_XXX
+ * values
+ *
+ * \return 0 if the given extension type is not present,
+ * non-zero otherwise
+ */
+static inline int mbedtls_x509_crt_has_ext_type( const mbedtls_x509_crt *ctx,
+ int ext_type )
+{
+ return ctx->MBEDTLS_PRIVATE(ext_types) & ext_type;
+}
+
 /** \} name Structures and functions for parsing and writing X.509 certificates */
 #if defined(MBEDTLS_X509_CRT_WRITE_C)
@@ -1137,23 +1154,6 @@ int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
 int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx, unsigned char ns_cert_type );
-/**
- * \brief Query certificate for given extension type
- *
- * \param[in] ctx Certificate context to be queried, must not be \c NULL
- * \param ext_type Extension type being queried for, must be a valid
- * extension type. Must be one of the MBEDTLS_X509_EXT_XXX
- * values
- *
- * \return 0 if the given extension type is not present,
- * non-zero otherwise
- */
-static inline int mbedtls_x509_crt_has_ext_type( const mbedtls_x509_crt *ctx,
- int ext_type )
-{
- return ctx->MBEDTLS_PRIVATE(ext_types) & ext_type;
-}
-
 /**
 * \brief Free the contents of a CRT write context
 *
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index dd7485310d..28bf7337fc 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -2793,9 +2793,7 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_S
 x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:25:100
 X509 ext types accessor: ext type present
-depends_on:MBEDTLS_X509_CRT_WRITE_C
 x509_accessor_ext_types:MBEDTLS_X509_EXT_KEY_USAGE:MBEDTLS_X509_EXT_KEY_USAGE
 X509 ext types accessor: ext type not present
-depends_on:MBEDTLS_X509_CRT_WRITE_C
 x509_accessor_ext_types:MBEDTLS_X509_EXT_KEY_USAGE:MBEDTLS_X509_EXT_SUBJECT_ALT_NAME
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 6ed5ea121f..29057b7d38 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -400,7 +400,7 @@ int parse_crt_ext_cb( void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf
 * END_DEPENDENCIES
 */
-/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_WRITE_C */
+/* BEGIN_CASE */
 void x509_accessor_ext_types( int ext_type, int has_ext_type )
 {
 mbedtls_x509_crt crt;
From 5c9c2ce86dba43be01326619e66706de58d7245a Mon Sep 17 00:00:00 2001
From: Thomas Daubney
Date: Mon, 6 Jun 2022 16:36:43 +0100
Subject: [PATCH 6/6] Add correct test dependencies
Functions called within the test mean that MBEDTLS_X509_CRT_PARSE_C is a test dependency and so is declared in this commit.
Signed-off-by: Thomas Daubney
---
 tests/suites/test_suite_x509parse.data | 2 ++
 tests/suites/test_suite_x509parse.function | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 28bf7337fc..d04b7d84b3 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -2793,7 +2793,9 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_S
 x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:25:100
 X509 ext types accessor: ext type present
+depends_on:MBEDTLS_X509_CRT_PARSE_C
 x509_accessor_ext_types:MBEDTLS_X509_EXT_KEY_USAGE:MBEDTLS_X509_EXT_KEY_USAGE
 X509 ext types accessor: ext type not present
+depends_on:MBEDTLS_X509_CRT_PARSE_C
 x509_accessor_ext_types:MBEDTLS_X509_EXT_KEY_USAGE:MBEDTLS_X509_EXT_SUBJECT_ALT_NAME
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 29057b7d38..fbc6545fb0 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -400,7 +400,7 @@ int parse_crt_ext_cb( void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf
 * END_DEPENDENCIES
 */
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */
 void x509_accessor_ext_types( int ext_type, int has_ext_type )
 {
 mbedtls_x509_crt crt;