From 8e5bdfbbcf86e1867b5af22f5f7d23461fa54022 Mon Sep 17 00:00:00 2001 From: Nicholas Wilson Date: Wed, 9 Sep 2015 19:03:34 +0100 Subject: [PATCH 01/16] Improve programs/cert_write with a way to set extended key usages Signed-off-by: Dave Rodgman --- include/mbedtls/x509_crt.h | 13 ++++++++ library/x509write_crt.c | 34 +++++++++++++++++++++ programs/x509/cert_write.c | 62 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 109 insertions(+) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 1ddc997c6a..0a5d1f5278 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -1144,6 +1144,19 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, unsigned int key_usage ); +/** + * \brief Set the Extended Key Usage Extension + * (e.g. MBEDTLS_OID_SERVER_AUTH) + * + * \param ctx CRT context to use + * \param exts extended key usage extensions to set, a sequence of + * MBEDTLS_ASN1_OID objects + * + * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + */ +int mbedtls_x509write_crt_set_ext_key_usage( mbedtls_x509write_cert *ctx, + const mbedtls_asn1_sequence *exts ); + /** * \brief Set the Netscape Cert Type flags * (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL) diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 986e1fe128..c48c32b237 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -296,6 +296,40 @@ int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, return( 0 ); } +int mbedtls_x509write_crt_set_ext_key_usage( mbedtls_x509write_cert *ctx, + const mbedtls_asn1_sequence *exts ) +{ + unsigned char buf[256]; + unsigned char *c = buf + sizeof(buf); + int ret; + size_t len = 0; + + if( exts == NULL ) + return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); + + while( exts != NULL ) + { + if( exts->buf.tag != MBEDTLS_ASN1_OID ) + return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( &c, buf, exts->buf.p, exts->buf.len ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, exts->buf.len ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_OID ) ); + exts = exts->next; + } + + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); + + ret = mbedtls_x509write_crt_set_extension( ctx, + MBEDTLS_OID_EXTENDED_KEY_USAGE, + MBEDTLS_OID_SIZE( MBEDTLS_OID_EXTENDED_KEY_USAGE ), + 1, c, len ); + if( ret != 0 ) + return( ret ); + + return( 0 ); +} + int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx, unsigned char ns_cert_type ) { diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index 793982d5a8..da0a624a06 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -1,3 +1,4 @@ + /* * Certificate generation and signing * @@ -47,6 +48,7 @@ int main( void ) #include "mbedtls/x509_crt.h" #include "mbedtls/x509_csr.h" +#include "mbedtls/oid.h" #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" #include "mbedtls/md.h" @@ -56,6 +58,9 @@ int main( void ) #include #include +#define SET_OID(x, oid) \ + do { x.len = MBEDTLS_OID_SIZE(oid); x.p = (unsigned char*)oid; } while( 0 ) + #if defined(MBEDTLS_X509_CSR_PARSE_C) #define USAGE_CSR \ " request_file=%%s default: (empty)\n" \ @@ -81,6 +86,7 @@ int main( void ) #define DFL_IS_CA 0 #define DFL_MAX_PATHLEN -1 #define DFL_KEY_USAGE 0 +#define DFL_EXT_KEY_USAGE 0 #define DFL_NS_CERT_TYPE 0 #define DFL_VERSION 3 #define DFL_AUTH_IDENT 1 @@ -138,6 +144,14 @@ int main( void ) " key_cert_sign\n" \ " crl_sign\n" \ " (Considered for v3 only)\n"\ + " ext_key_usage=%%s default: (empty)\n" \ + " Comma-separated-list of values:\n" \ + " serverAuth\n" \ + " clientAuth\n" \ + " codeSigning\n" \ + " emailProtection\n" \ + " timeStamping\n" \ + " OCSPSigning\n" \ " ns_cert_type=%%s default: (empty)\n" \ " Comma-separated-list of values:\n" \ " ssl_client\n" \ @@ -176,6 +190,7 @@ struct options int version; /* CRT version */ mbedtls_md_type_t md; /* Hash used for signing */ unsigned char key_usage; /* key usage flags */ + mbedtls_asn1_sequence *ext_key_usage; /* extended key usages */ unsigned char ns_cert_type; /* NS cert type */ } opt; @@ -227,6 +242,7 @@ int main( int argc, char *argv[] ) #endif mbedtls_x509write_cert crt; mbedtls_mpi serial; + mbedtls_asn1_sequence *ext_key_usage; mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; const char *pers = "crt example app"; @@ -269,6 +285,7 @@ int main( int argc, char *argv[] ) opt.is_ca = DFL_IS_CA; opt.max_pathlen = DFL_MAX_PATHLEN; opt.key_usage = DFL_KEY_USAGE; + opt.ext_key_usage = DFL_EXT_KEY_USAGE; opt.ns_cert_type = DFL_NS_CERT_TYPE; opt.version = DFL_VERSION - 1; opt.md = DFL_DIGEST; @@ -426,6 +443,35 @@ int main( int argc, char *argv[] ) q = r; } } + else if( strcmp( p, "ext_key_usage" ) == 0 ) + { + while( q != NULL ) + { + if( ( r = strchr( q, ',' ) ) != NULL ) + *r++ = '\0'; + + ext_key_usage = mbedtls_calloc( 1, sizeof(mbedtls_asn1_sequence) ); + ext_key_usage->next = opt.ext_key_usage; + ext_key_usage->buf.tag = MBEDTLS_ASN1_OID; + if( strcmp( q, "serverAuth" ) == 0 ) + SET_OID( ext_key_usage->buf, MBEDTLS_OID_SERVER_AUTH ); + else if( strcmp( q, "clientAuth" ) == 0 ) + SET_OID( ext_key_usage->buf, MBEDTLS_OID_CLIENT_AUTH ); + else if( strcmp( q, "codeSigning" ) == 0 ) + SET_OID( ext_key_usage->buf, MBEDTLS_OID_CODE_SIGNING ); + else if( strcmp( q, "emailProtection" ) == 0 ) + SET_OID( ext_key_usage->buf, MBEDTLS_OID_EMAIL_PROTECTION ); + else if( strcmp( q, "timeStamping" ) == 0 ) + SET_OID( ext_key_usage->buf, MBEDTLS_OID_TIME_STAMPING ); + else if( strcmp( q, "OCSPSigning" ) == 0 ) + SET_OID( ext_key_usage->buf, MBEDTLS_OID_OCSP_SIGNING ); + else + goto usage; + opt.ext_key_usage = ext_key_usage; + + q = r; + } + } else if( strcmp( p, "ns_cert_type" ) == 0 ) { while( q != NULL ) @@ -744,6 +790,22 @@ int main( int argc, char *argv[] ) mbedtls_printf( " ok\n" ); } + if( opt.ext_key_usage ) + { + mbedtls_printf( " . Adding the Extended Key Usage extension ..." ); + fflush( stdout ); + + ret = mbedtls_x509write_crt_set_ext_key_usage( &crt, opt.ext_key_usage ); + if( ret != 0 ) + { + mbedtls_strerror( ret, buf, 1024 ); + mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ext_key_usage returned -0x%02x - %s\n\n", -ret, buf ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + } + if( opt.version == MBEDTLS_X509_CRT_VERSION_3 && opt.ns_cert_type != 0 ) { From 99a96b1c2228ff21d9cd4503cfe23a877e6d01d9 Mon Sep 17 00:00:00 2001 From: Nicholas Wilson Date: Thu, 10 Sep 2015 18:28:01 +0100 Subject: [PATCH 02/16] Improve programs/cert_write with a way to set the signature digest This is useful for generating SHA-1 and MD5 certificates for test purposes. I guess RSA-PSS could be added too, but I don't need that now. Signed-off-by: Dave Rodgman --- programs/x509/cert_write.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index da0a624a06..e0d88b207d 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -85,6 +85,7 @@ int main( void ) #define DFL_SELFSIGN 0 #define DFL_IS_CA 0 #define DFL_MAX_PATHLEN -1 +#define DFL_SIG_ALG MBEDTLS_MD_SHA256 #define DFL_KEY_USAGE 0 #define DFL_EXT_KEY_USAGE 0 #define DFL_NS_CERT_TYPE 0 @@ -134,6 +135,7 @@ int main( void ) " basic_constraints=%%d default: 1\n" \ " Possible values: 0, 1\n" \ " (Considered for v3 only)\n"\ + " sig_alg=%%s default: SHA-256\n" \ " key_usage=%%s default: (empty)\n" \ " Comma-separated-list of values:\n" \ " digital_signature\n" \ @@ -189,6 +191,7 @@ struct options int basic_constraints; /* add basic constraints ext to CRT */ int version; /* CRT version */ mbedtls_md_type_t md; /* Hash used for signing */ + mbedtls_md_type_t sig_alg; /* MD to use generating signature */ unsigned char key_usage; /* key usage flags */ mbedtls_asn1_sequence *ext_key_usage; /* extended key usages */ unsigned char ns_cert_type; /* NS cert type */ @@ -284,6 +287,7 @@ int main( int argc, char *argv[] ) opt.selfsign = DFL_SELFSIGN; opt.is_ca = DFL_IS_CA; opt.max_pathlen = DFL_MAX_PATHLEN; + opt.sig_alg = DFL_SIG_ALG; opt.key_usage = DFL_KEY_USAGE; opt.ext_key_usage = DFL_EXT_KEY_USAGE; opt.ns_cert_type = DFL_NS_CERT_TYPE; @@ -413,6 +417,17 @@ int main( int argc, char *argv[] ) goto usage; } } + else if( strcmp( p, "sig_alg") == 0 ) + { + if( strcmp( q, "SHA-1" ) == 0 ) + opt.sig_alg = MBEDTLS_MD_SHA1; + else if( strcmp( q, "SHA-256" ) == 0 ) + opt.sig_alg = MBEDTLS_MD_SHA256; + else if( strcmp( q, "MD5" ) == 0 ) + opt.sig_alg = MBEDTLS_MD_MD5; + else + goto usage; + } else if( strcmp( p, "key_usage" ) == 0 ) { while( q != NULL ) @@ -732,6 +747,8 @@ int main( int argc, char *argv[] ) mbedtls_printf( " ok\n" ); } + mbedtls_x509write_crt_set_md_alg( &crt, opt.sig_alg ); + #if defined(MBEDTLS_SHA1_C) if( opt.version == MBEDTLS_X509_CRT_VERSION_3 && opt.subject_identifier != 0 ) From ca841d32db0bbd433bca1d41c922fdcff7472d00 Mon Sep 17 00:00:00 2001 From: Nicholas Wilson Date: Fri, 13 Nov 2015 14:22:36 +0000 Subject: [PATCH 03/16] Add test for mbedtls_x509write_crt_set_ext_key_usage, and fix reversed order Signed-off-by: Dave Rodgman --- library/x509write_crt.c | 14 +++--- tests/data_files/server1.key_ext_usage.crt | 20 +++++++++ tests/data_files/server1.key_ext_usages.crt | 21 +++++++++ tests/suites/test_suite_x509write.data | 50 ++++++++++++--------- tests/suites/test_suite_x509write.function | 19 ++++++++ 5 files changed, 98 insertions(+), 26 deletions(-) create mode 100644 tests/data_files/server1.key_ext_usage.crt create mode 100644 tests/data_files/server1.key_ext_usages.crt diff --git a/library/x509write_crt.c b/library/x509write_crt.c index c48c32b237..d0aaa9f1b5 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -303,18 +303,22 @@ int mbedtls_x509write_crt_set_ext_key_usage( mbedtls_x509write_cert *ctx, unsigned char *c = buf + sizeof(buf); int ret; size_t len = 0; + const mbedtls_asn1_sequence *last_ext = 0, *ext; + /* We need at least one extension: SEQUENCE SIZE (1..MAX) OF KeyPurposeId */ if( exts == NULL ) return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); - while( exts != NULL ) + /* Iterate over exts backwards, so we write them out in the requested order */ + while( last_ext != exts ) { - if( exts->buf.tag != MBEDTLS_ASN1_OID ) + for( ext = exts; ext->next != last_ext; ext = ext->next ) {} + if( ext->buf.tag != MBEDTLS_ASN1_OID ) return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( &c, buf, exts->buf.p, exts->buf.len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, exts->buf.len ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( &c, buf, ext->buf.p, ext->buf.len ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, ext->buf.len ) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_OID ) ); - exts = exts->next; + last_ext = ext; } MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); diff --git a/tests/data_files/server1.key_ext_usage.crt b/tests/data_files/server1.key_ext_usage.crt new file mode 100644 index 0000000000..4e7f21482b --- /dev/null +++ b/tests/data_files/server1.key_ext_usage.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDVzCCAj+gAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/ +uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD +d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf +CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr +lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w +bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB +o2UwYzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf +BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zAWBgNVHSUBAf8EDDAKBggr +BgEFBQcDATANBgkqhkiG9w0BAQUFAAOCAQEAloyGLaLVS/Ce+q08AkCcqn+/ymu3 +l25lMU99gW7MPccDuNoy83ZveJ654/ZEcswR0sc3T/BPShf0Hx8Ze3p0VvLjcRK8 +HME4GCRONnkuXhi784jkoxCU4N6NczcnDF8YOXdrCuosyS48dSrCpj/ouPxhFg2O +tjDkoZZqA0G0oWXn0d7nzSELLXatsUh52vsrlpu2UhnmCHjv8OOZYPa0agUUFmzm +gJ3Of7uK1w+WwBUyQbkQJvPpIT2MwMs8SBZZOZH/jluSn+4GfULAuRDbWaTj8VsN +g7WVjskm5kRQaGwi7ez4ajAJUzHQExUwt62ciFSETn6EYtw4f2EsyIgNXA== +-----END CERTIFICATE----- diff --git a/tests/data_files/server1.key_ext_usages.crt b/tests/data_files/server1.key_ext_usages.crt new file mode 100644 index 0000000000..491364349f --- /dev/null +++ b/tests/data_files/server1.key_ext_usages.crt @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDYTCCAkmgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/ +uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD +d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf +CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr +lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w +bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB +o28wbTAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf +BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zAgBgNVHSUBAf8EFjAUBggr +BgEFBQcDAwYIKwYBBQUHAwgwDQYJKoZIhvcNAQEFBQADggEBAAy0NlGQTgb9VSq9 +cAcetc1dQlnkMLGg9iBYSvwZ3n1AAd484zmfj062mavixlEKyiGfh8qYZDLLi4Ne +oXVuaBiz7X0XRhnj4Lsm+s4dO8rTzktvmbXE3J1ahW16hqZEj+mjbckyr5GfZZOq +aoX2DqxPwO0Glg5X879vWZQ7iUUrI38cMX869xLgBJRl1zC1KyWeeXG3QduT1LZY +sJI/OxpkA/vDP6rFDD3YjgUmQ9vpil2YD9gyb6eMVuTbChZh/7T9T4/zgkc1KIFt +LLpXRUQQDGI/7TTwoT26M7xryoj0S2RlxW/VJz5KrBRaQYyaMDmE7scePqIaFNc+ +siqNj9s= +-----END CERTIFICATE----- diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index 1844e5cf68..8411557d58 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -56,87 +56,95 @@ x509_csr_check_opaque:"data_files/server5.key":MBEDTLS_MD_SHA256:MBEDTLS_X509_KU Certificate write check Server1 SHA1 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:0:0:1:-1:"data_files/server1.crt":0:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.crt":0:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, not before 1970 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"19700210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:0:0:1:-1:"":0:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"19700210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, not after 2050 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:0:0:1:-1:"":0:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, not before 1970, not after 2050 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"19700210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:0:0:1:-1:"":0:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"19700210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, not before 2050, not after 2059 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20500210144406":"20590210144406":MBEDTLS_MD_SHA1:0:0:0:0:1:-1:"":0:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20500210144406":"20590210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, key_usage depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:1:-1:"data_files/server1.key_usage.crt":0:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"data_files/server1.key_usage.crt":0:0:"data_files/test-ca.crt" + +Certificate write check Server1 SHA1, one ext_key_usage +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:"serverAuth":0:0:1:-1:"data_files/server1.key_ext_usage.crt":0:0:"data_files/test-ca.crt" + +Certificate write check Server1 SHA1, two ext_key_usages +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:"codeSigning,timeStamping":0:0:1:-1:"data_files/server1.key_ext_usages.crt":0:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, ns_cert_type depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":0:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":0:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, version 1 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, CA depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:0:0:1:-1:"data_files/server1.ca.crt":0:1:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.ca.crt":0:1:"data_files/test-ca.crt" Certificate write check Server1 SHA1, RSA_ALT depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:0:0:0:-1:"data_files/server1.noauthid.crt":1:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"data_files/server1.noauthid.crt":1:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, RSA_ALT, key_usage depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, RSA_ALT, ns_cert_type depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0:-1:"data_files/server1.cert_type_noauthid.crt":1:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0:-1:"data_files/server1.cert_type_noauthid.crt":1:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, RSA_ALT, version 1 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, RSA_ALT, CA depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:0:0:0:-1:"data_files/server1.ca_noauthid.crt":1:1:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"data_files/server1.ca_noauthid.crt":1:1:"data_files/test-ca.crt" Certificate write check Server1 SHA1, Opaque depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:0:0:1:-1:"data_files/server1.crt":2:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.crt":2:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, Opaque, key_usage depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:1:-1:"data_files/server1.key_usage.crt":2:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"data_files/server1.key_usage.crt":2:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, Opaque, ns_cert_type depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":2:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":2:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, Opaque, version 1 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":2:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":2:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, Opaque, CA depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:0:0:1:-1:"data_files/server1.ca.crt":2:1:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.ca.crt":2:1:"data_files/test-ca.crt" Certificate write check Server5 ECDSA depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED -x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:0:0:1:-1:"data_files/server5.crt":0:0:"data_files/test-ca2.crt" +x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"data_files/server5.crt":0:0:"data_files/test-ca2.crt" Certificate write check Server5 ECDSA, Opaque depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_USE_PSA_CRYPTO -x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:0:0:1:-1:"":2:0:"data_files/test-ca2.crt" +x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"":2:0:"data_files/test-ca2.crt" X509 String to Names #1 mbedtls_x509_string_to_names:"C=NL,O=Offspark\, Inc., OU=PolarSSL":"C=NL, O=Offspark\, Inc., OU=PolarSSL":0 diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 9cb3dd4eb2..324223252b 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -238,6 +238,7 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, char *issuer_pwd, char *issuer_name, char *serial_str, char *not_before, char *not_after, int md_type, int key_usage, int set_key_usage, + char *ext_key_usage, int cert_type, int set_cert_type, int auth_ident, int ver, char *cert_check_file, int pk_wrap, int is_ca, char *cert_verify_file ) @@ -346,6 +347,24 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, TEST_ASSERT( mbedtls_x509write_crt_set_key_usage( &crt, key_usage ) == 0 ); if( set_cert_type != 0 ) TEST_ASSERT( mbedtls_x509write_crt_set_ns_cert_type( &crt, cert_type ) == 0 ); + if( strcmp( ext_key_usage, "NULL" ) != 0 ) + { + mbedtls_asn1_sequence exts[2] = { }; +#define SET_OID(x, oid) \ + do { x.len = MBEDTLS_OID_SIZE(oid); x.p = (unsigned char*)oid; \ + x.tag = MBEDTLS_ASN1_OID; } while( 0 ) + if( strcmp( ext_key_usage, "serverAuth" ) == 0 ) + { + SET_OID( exts[0].buf, MBEDTLS_OID_SERVER_AUTH ); + } + else if( strcmp( ext_key_usage, "codeSigning,timeStamping" ) == 0 ) + { + SET_OID( exts[0].buf, MBEDTLS_OID_CODE_SIGNING ); + exts[0].next = &exts[1]; + SET_OID( exts[1].buf, MBEDTLS_OID_TIME_STAMPING ); + } + TEST_ASSERT( mbedtls_x509write_crt_set_ext_key_usage( &crt, exts ) == 0 ); + } } ret = mbedtls_x509write_crt_pem( &crt, buf, sizeof( buf ), From abdb0df91d841d9a2ea759a7ebb23fdfc4f491f0 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 22 Jul 2022 15:45:30 +0100 Subject: [PATCH 04/16] Fix test fails due to changes in cert generation Test certs were originally generated with an old version of Mbed TLS that used printableString where we now use utf8string (e.g., in the organizationName). Otherwise the certs are identical. Signed-off-by: Dave Rodgman --- tests/data_files/server1.key_ext_usage.crt | 16 ++++++++-------- tests/data_files/server1.key_ext_usages.crt | 18 +++++++++--------- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/tests/data_files/server1.key_ext_usage.crt b/tests/data_files/server1.key_ext_usage.crt index 4e7f21482b..bbe2c356f6 100644 --- a/tests/data_files/server1.key_ext_usage.crt +++ b/tests/data_files/server1.key_ext_usage.crt @@ -1,8 +1,8 @@ -----BEGIN CERTIFICATE----- MIIDVzCCAj+gAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER -MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN +A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/ uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf @@ -11,10 +11,10 @@ lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB o2UwYzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zAWBgNVHSUBAf8EDDAKBggr -BgEFBQcDATANBgkqhkiG9w0BAQUFAAOCAQEAloyGLaLVS/Ce+q08AkCcqn+/ymu3 -l25lMU99gW7MPccDuNoy83ZveJ654/ZEcswR0sc3T/BPShf0Hx8Ze3p0VvLjcRK8 -HME4GCRONnkuXhi784jkoxCU4N6NczcnDF8YOXdrCuosyS48dSrCpj/ouPxhFg2O -tjDkoZZqA0G0oWXn0d7nzSELLXatsUh52vsrlpu2UhnmCHjv8OOZYPa0agUUFmzm -gJ3Of7uK1w+WwBUyQbkQJvPpIT2MwMs8SBZZOZH/jluSn+4GfULAuRDbWaTj8VsN -g7WVjskm5kRQaGwi7ez4ajAJUzHQExUwt62ciFSETn6EYtw4f2EsyIgNXA== +BgEFBQcDATANBgkqhkiG9w0BAQUFAAOCAQEAegtCN4EObE69RjW1hKUEQ/InrIsf +poKIgJCh3sck+FYKjcsMhRPBztnZaqjvkLnmCcq0Yv7uUDThHsNuu+NbeVr4flZL +gUoSSdHXYrJ8qDYez6oGoxttoZ33sqD3LQfzWZhDoTyjGUHTiWaA6KidCsWzkhKY +aNXF7O8dHO7k06I2UWt7SKbBm1dPj8OM4285kkQ7KCpG27ABtHePkp9aG66O/ktD +GbZs0AaYpeVnB9v1vSp6xInDCWydDFbmEE0mzAQr285UU07QEpnU1W/2qZHfLxnQ +GiDpR5pxoKXkskj2VuHPZPqbIkv9v2+bjeyXHDRSL7Rj087xhD5uXKb9fw== -----END CERTIFICATE----- diff --git a/tests/data_files/server1.key_ext_usages.crt b/tests/data_files/server1.key_ext_usages.crt index 491364349f..0c3d963eb2 100644 --- a/tests/data_files/server1.key_ext_usages.crt +++ b/tests/data_files/server1.key_ext_usages.crt @@ -1,8 +1,8 @@ -----BEGIN CERTIFICATE----- MIIDYTCCAkmgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER -MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN +A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/ uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf @@ -11,11 +11,11 @@ lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB o28wbTAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zAgBgNVHSUBAf8EFjAUBggr -BgEFBQcDAwYIKwYBBQUHAwgwDQYJKoZIhvcNAQEFBQADggEBAAy0NlGQTgb9VSq9 -cAcetc1dQlnkMLGg9iBYSvwZ3n1AAd484zmfj062mavixlEKyiGfh8qYZDLLi4Ne -oXVuaBiz7X0XRhnj4Lsm+s4dO8rTzktvmbXE3J1ahW16hqZEj+mjbckyr5GfZZOq -aoX2DqxPwO0Glg5X879vWZQ7iUUrI38cMX869xLgBJRl1zC1KyWeeXG3QduT1LZY -sJI/OxpkA/vDP6rFDD3YjgUmQ9vpil2YD9gyb6eMVuTbChZh/7T9T4/zgkc1KIFt -LLpXRUQQDGI/7TTwoT26M7xryoj0S2RlxW/VJz5KrBRaQYyaMDmE7scePqIaFNc+ -siqNj9s= +BgEFBQcDAwYIKwYBBQUHAwgwDQYJKoZIhvcNAQEFBQADggEBADIT9M10vT5yzMSR +GaaImXjyTRIBK683Vxnq5jqAJ75KzNUC52aiCOfd9/hAMkq3Pj+r6tIsH+jsl5PL +E4iv8GVDlbjA57icTD30XbolL4YPUvZYclxVopfRhTiDa5KJ1lYkUwWAE/Glj66Q +WO7Hihl+GYXap2e7dBZ7hGHdv6J1gRfA1OW6iB23Wl4xb0Y1CGc16yJZwuFbtbwM +w8z8a0XNd2UQTYesYlIvVpVcx2atgkbZwehPWGNCLGngz60fultj7JdLuUHi+r0z +DtjbSPsHDZDAer6ZxjaA4hkcnppacFttC+deD8bQ8+2JjHF6Gb/MBnaYIbOZOBgC +8CPIBjk= -----END CERTIFICATE----- From ec9f6b4de1e50289588b9794c5e0cad89dc4d471 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 27 Jul 2022 14:34:58 +0100 Subject: [PATCH 05/16] Fix minor compile errors Signed-off-by: Dave Rodgman --- programs/x509/cert_write.c | 2 +- tests/suites/test_suite_x509write.function | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index e0d88b207d..bffc4ab863 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -816,7 +816,7 @@ int main( int argc, char *argv[] ) if( ret != 0 ) { mbedtls_strerror( ret, buf, 1024 ); - mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ext_key_usage returned -0x%02x - %s\n\n", -ret, buf ); + mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ext_key_usage returned -0x%02x - %s\n\n", (unsigned int) -ret, buf ); goto exit; } diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 324223252b..5781fe0d8f 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -349,7 +349,8 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, TEST_ASSERT( mbedtls_x509write_crt_set_ns_cert_type( &crt, cert_type ) == 0 ); if( strcmp( ext_key_usage, "NULL" ) != 0 ) { - mbedtls_asn1_sequence exts[2] = { }; + mbedtls_asn1_sequence exts[2]; + memset(exts, 0, sizeof(exts)); #define SET_OID(x, oid) \ do { x.len = MBEDTLS_OID_SIZE(oid); x.p = (unsigned char*)oid; \ x.tag = MBEDTLS_ASN1_OID; } while( 0 ) From 5f3f0d06e6734e78390a4e58a1c5af139a13c6e1 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 11 Aug 2022 14:38:26 +0100 Subject: [PATCH 06/16] Address minor review comments Signed-off-by: Dave Rodgman --- library/x509write_crt.c | 11 +++++------ programs/x509/cert_write.c | 3 +-- tests/suites/test_suite_x509write.function | 21 +++++++++++++-------- 3 files changed, 19 insertions(+), 16 deletions(-) diff --git a/library/x509write_crt.c b/library/x509write_crt.c index d0aaa9f1b5..21e36b5987 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -303,7 +303,10 @@ int mbedtls_x509write_crt_set_ext_key_usage( mbedtls_x509write_cert *ctx, unsigned char *c = buf + sizeof(buf); int ret; size_t len = 0; - const mbedtls_asn1_sequence *last_ext = 0, *ext; + const mbedtls_asn1_sequence *last_ext = NULL; + mbedtls_asn1_sequence *ext; + + memset( buf, 0, sizeof(buf) ); /* We need at least one extension: SEQUENCE SIZE (1..MAX) OF KeyPurposeId */ if( exts == NULL ) @@ -324,14 +327,10 @@ int mbedtls_x509write_crt_set_ext_key_usage( mbedtls_x509write_cert *ctx, MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); - ret = mbedtls_x509write_crt_set_extension( ctx, + return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_EXTENDED_KEY_USAGE, MBEDTLS_OID_SIZE( MBEDTLS_OID_EXTENDED_KEY_USAGE ), 1, c, len ); - if( ret != 0 ) - return( ret ); - - return( 0 ); } int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx, diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index bffc4ab863..dbdc4eebf1 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -1,4 +1,3 @@ - /* * Certificate generation and signing * @@ -832,7 +831,7 @@ int main( int argc, char *argv[] ) ret = mbedtls_x509write_crt_set_ns_cert_type( &crt, opt.ns_cert_type ); if( ret != 0 ) { - mbedtls_strerror( ret, buf, 1024 ); + mbedtls_strerror( ret, buf, sizeof(buf) ); mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ns_cert_type " "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf ); goto exit; diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 5781fe0d8f..2e59658649 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -350,19 +350,24 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, if( strcmp( ext_key_usage, "NULL" ) != 0 ) { mbedtls_asn1_sequence exts[2]; - memset(exts, 0, sizeof(exts)); -#define SET_OID(x, oid) \ - do { x.len = MBEDTLS_OID_SIZE(oid); x.p = (unsigned char*)oid; \ - x.tag = MBEDTLS_ASN1_OID; } while( 0 ) + memset( exts, 0, sizeof(exts) ); + +#define SET_OID(x, oid) \ + do { \ + x.len = MBEDTLS_OID_SIZE(oid); \ + x.p = (unsigned char*)oid; \ + x.tag = MBEDTLS_ASN1_OID; \ + } while( 0 ) + if( strcmp( ext_key_usage, "serverAuth" ) == 0 ) { - SET_OID( exts[0].buf, MBEDTLS_OID_SERVER_AUTH ); + SET_OID( exts[0].buf, MBEDTLS_OID_SERVER_AUTH ); } else if( strcmp( ext_key_usage, "codeSigning,timeStamping" ) == 0 ) { - SET_OID( exts[0].buf, MBEDTLS_OID_CODE_SIGNING ); - exts[0].next = &exts[1]; - SET_OID( exts[1].buf, MBEDTLS_OID_TIME_STAMPING ); + SET_OID( exts[0].buf, MBEDTLS_OID_CODE_SIGNING ); + exts[0].next = &exts[1]; + SET_OID( exts[1].buf, MBEDTLS_OID_TIME_STAMPING ); } TEST_ASSERT( mbedtls_x509write_crt_set_ext_key_usage( &crt, exts ) == 0 ); } From e2b772d1b6849345852308bbfa9c017f0f2f32c0 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 11 Aug 2022 16:04:13 +0100 Subject: [PATCH 07/16] Fix whitespace, missing const Signed-off-by: Dave Rodgman --- library/x509write_crt.c | 2 +- tests/suites/test_suite_x509write.function | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 21e36b5987..b5f7af5cf6 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -304,7 +304,7 @@ int mbedtls_x509write_crt_set_ext_key_usage( mbedtls_x509write_cert *ctx, int ret; size_t len = 0; const mbedtls_asn1_sequence *last_ext = NULL; - mbedtls_asn1_sequence *ext; + const mbedtls_asn1_sequence *ext; memset( buf, 0, sizeof(buf) ); diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 2e59658649..8e246ec411 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -357,7 +357,8 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, x.len = MBEDTLS_OID_SIZE(oid); \ x.p = (unsigned char*)oid; \ x.tag = MBEDTLS_ASN1_OID; \ - } while( 0 ) + } \ + while( 0 ) if( strcmp( ext_key_usage, "serverAuth" ) == 0 ) { From 2ee7bbd10a123db3b45f6e524756e1a77ce62af3 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 11 Aug 2022 16:23:17 +0100 Subject: [PATCH 08/16] Replace some constant values with sizeof Signed-off-by: Dave Rodgman --- programs/x509/cert_write.c | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index dbdc4eebf1..0f0703f4b2 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -262,7 +262,7 @@ int main( int argc, char *argv[] ) mbedtls_x509_csr_init( &csr ); #endif mbedtls_x509_crt_init( &issuer_crt ); - memset( buf, 0, 1024 ); + memset( buf, 0, sizeof(buf) ); if( argc == 0 ) { @@ -532,7 +532,7 @@ int main( int argc, char *argv[] ) (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { - mbedtls_strerror( ret, buf, 1024 ); + mbedtls_strerror( ret, buf, sizeof(buf) ); mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d - %s\n", ret, buf ); goto exit; @@ -547,7 +547,7 @@ int main( int argc, char *argv[] ) if( ( ret = mbedtls_mpi_read_string( &serial, 10, opt.serial ) ) != 0 ) { - mbedtls_strerror( ret, buf, 1024 ); + mbedtls_strerror( ret, buf, sizeof(buf) ); mbedtls_printf( " failed\n ! mbedtls_mpi_read_string " "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf ); goto exit; @@ -567,7 +567,7 @@ int main( int argc, char *argv[] ) if( ( ret = mbedtls_x509_crt_parse_file( &issuer_crt, opt.issuer_crt ) ) != 0 ) { - mbedtls_strerror( ret, buf, 1024 ); + mbedtls_strerror( ret, buf, sizeof(buf) ); mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file " "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf ); goto exit; @@ -577,7 +577,7 @@ int main( int argc, char *argv[] ) &issuer_crt.subject ); if( ret < 0 ) { - mbedtls_strerror( ret, buf, 1024 ); + mbedtls_strerror( ret, buf, sizeof(buf) ); mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets " "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf ); goto exit; @@ -601,7 +601,7 @@ int main( int argc, char *argv[] ) if( ( ret = mbedtls_x509_csr_parse_file( &csr, opt.request_file ) ) != 0 ) { - mbedtls_strerror( ret, buf, 1024 ); + mbedtls_strerror( ret, buf, sizeof(buf) ); mbedtls_printf( " failed\n ! mbedtls_x509_csr_parse_file " "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf ); goto exit; @@ -611,7 +611,7 @@ int main( int argc, char *argv[] ) &csr.subject ); if( ret < 0 ) { - mbedtls_strerror( ret, buf, 1024 ); + mbedtls_strerror( ret, buf, sizeof(buf) ); mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets " "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf ); goto exit; @@ -636,7 +636,7 @@ int main( int argc, char *argv[] ) opt.subject_pwd, mbedtls_ctr_drbg_random, &ctr_drbg ); if( ret != 0 ) { - mbedtls_strerror( ret, buf, 1024 ); + mbedtls_strerror( ret, buf, sizeof(buf) ); mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile " "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf ); goto exit; @@ -652,7 +652,7 @@ int main( int argc, char *argv[] ) opt.issuer_pwd, mbedtls_ctr_drbg_random, &ctr_drbg ); if( ret != 0 ) { - mbedtls_strerror( ret, buf, 1024 ); + mbedtls_strerror( ret, buf, sizeof(buf) ); mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile " "returned -x%02x - %s\n\n", (unsigned int) -ret, buf ); goto exit; @@ -687,7 +687,7 @@ int main( int argc, char *argv[] ) */ if( ( ret = mbedtls_x509write_crt_set_subject_name( &crt, opt.subject_name ) ) != 0 ) { - mbedtls_strerror( ret, buf, 1024 ); + mbedtls_strerror( ret, buf, sizeof(buf) ); mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_name " "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf ); goto exit; @@ -695,7 +695,7 @@ int main( int argc, char *argv[] ) if( ( ret = mbedtls_x509write_crt_set_issuer_name( &crt, opt.issuer_name ) ) != 0 ) { - mbedtls_strerror( ret, buf, 1024 ); + mbedtls_strerror( ret, buf, sizeof(buf) ); mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_issuer_name " "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf ); goto exit; @@ -710,7 +710,7 @@ int main( int argc, char *argv[] ) ret = mbedtls_x509write_crt_set_serial( &crt, &serial ); if( ret != 0 ) { - mbedtls_strerror( ret, buf, 1024 ); + mbedtls_strerror( ret, buf, sizeof(buf) ); mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_serial " "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf ); goto exit; @@ -719,7 +719,7 @@ int main( int argc, char *argv[] ) ret = mbedtls_x509write_crt_set_validity( &crt, opt.not_before, opt.not_after ); if( ret != 0 ) { - mbedtls_strerror( ret, buf, 1024 ); + mbedtls_strerror( ret, buf, sizeof(buf) ); mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_validity " "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf ); goto exit; @@ -737,7 +737,7 @@ int main( int argc, char *argv[] ) opt.max_pathlen ); if( ret != 0 ) { - mbedtls_strerror( ret, buf, 1024 ); + mbedtls_strerror( ret, buf, sizeof(buf) ); mbedtls_printf( " failed\n ! x509write_crt_set_basic_contraints " "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf ); goto exit; @@ -758,7 +758,7 @@ int main( int argc, char *argv[] ) ret = mbedtls_x509write_crt_set_subject_key_identifier( &crt ); if( ret != 0 ) { - mbedtls_strerror( ret, buf, 1024 ); + mbedtls_strerror( ret, buf, sizeof(buf) ); mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject" "_key_identifier returned -0x%04x - %s\n\n", (unsigned int) -ret, buf ); @@ -777,7 +777,7 @@ int main( int argc, char *argv[] ) ret = mbedtls_x509write_crt_set_authority_key_identifier( &crt ); if( ret != 0 ) { - mbedtls_strerror( ret, buf, 1024 ); + mbedtls_strerror( ret, buf, sizeof(buf) ); mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_authority_" "key_identifier returned -0x%04x - %s\n\n", (unsigned int) -ret, buf ); @@ -797,7 +797,7 @@ int main( int argc, char *argv[] ) ret = mbedtls_x509write_crt_set_key_usage( &crt, opt.key_usage ); if( ret != 0 ) { - mbedtls_strerror( ret, buf, 1024 ); + mbedtls_strerror( ret, buf, sizeof(buf) ); mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_key_usage " "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf ); goto exit; @@ -814,7 +814,7 @@ int main( int argc, char *argv[] ) ret = mbedtls_x509write_crt_set_ext_key_usage( &crt, opt.ext_key_usage ); if( ret != 0 ) { - mbedtls_strerror( ret, buf, 1024 ); + mbedtls_strerror( ret, buf, sizeof(buf) ); mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ext_key_usage returned -0x%02x - %s\n\n", (unsigned int) -ret, buf ); goto exit; } @@ -849,7 +849,7 @@ int main( int argc, char *argv[] ) if( ( ret = write_certificate( &crt, opt.output_file, mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 ) { - mbedtls_strerror( ret, buf, 1024 ); + mbedtls_strerror( ret, buf, sizeof(buf) ); mbedtls_printf( " failed\n ! write_certificate -0x%04x - %s\n\n", (unsigned int) -ret, buf ); goto exit; From 18b02d35d625967d6a3ce8cc034289cc75d6b04a Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 15 Aug 2022 11:01:54 +0100 Subject: [PATCH 09/16] Remove redundant sig_alg argument Signed-off-by: Dave Rodgman --- programs/x509/cert_write.c | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index 0f0703f4b2..d1c716b8a4 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -134,7 +134,6 @@ int main( void ) " basic_constraints=%%d default: 1\n" \ " Possible values: 0, 1\n" \ " (Considered for v3 only)\n"\ - " sig_alg=%%s default: SHA-256\n" \ " key_usage=%%s default: (empty)\n" \ " Comma-separated-list of values:\n" \ " digital_signature\n" \ @@ -190,7 +189,6 @@ struct options int basic_constraints; /* add basic constraints ext to CRT */ int version; /* CRT version */ mbedtls_md_type_t md; /* Hash used for signing */ - mbedtls_md_type_t sig_alg; /* MD to use generating signature */ unsigned char key_usage; /* key usage flags */ mbedtls_asn1_sequence *ext_key_usage; /* extended key usages */ unsigned char ns_cert_type; /* NS cert type */ @@ -286,7 +284,6 @@ int main( int argc, char *argv[] ) opt.selfsign = DFL_SELFSIGN; opt.is_ca = DFL_IS_CA; opt.max_pathlen = DFL_MAX_PATHLEN; - opt.sig_alg = DFL_SIG_ALG; opt.key_usage = DFL_KEY_USAGE; opt.ext_key_usage = DFL_EXT_KEY_USAGE; opt.ns_cert_type = DFL_NS_CERT_TYPE; @@ -416,17 +413,6 @@ int main( int argc, char *argv[] ) goto usage; } } - else if( strcmp( p, "sig_alg") == 0 ) - { - if( strcmp( q, "SHA-1" ) == 0 ) - opt.sig_alg = MBEDTLS_MD_SHA1; - else if( strcmp( q, "SHA-256" ) == 0 ) - opt.sig_alg = MBEDTLS_MD_SHA256; - else if( strcmp( q, "MD5" ) == 0 ) - opt.sig_alg = MBEDTLS_MD_MD5; - else - goto usage; - } else if( strcmp( p, "key_usage" ) == 0 ) { while( q != NULL ) @@ -746,8 +732,6 @@ int main( int argc, char *argv[] ) mbedtls_printf( " ok\n" ); } - mbedtls_x509write_crt_set_md_alg( &crt, opt.sig_alg ); - #if defined(MBEDTLS_SHA1_C) if( opt.version == MBEDTLS_X509_CRT_VERSION_3 && opt.subject_identifier != 0 ) From 64937856e07a7fc611bfd48ce30e8abd0e727406 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 15 Aug 2022 14:12:25 +0100 Subject: [PATCH 10/16] Correct order of extended key usage attributes Signed-off-by: Dave Rodgman --- programs/x509/cert_write.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index d1c716b8a4..2f51e19c87 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -445,13 +445,14 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "ext_key_usage" ) == 0 ) { + mbedtls_asn1_sequence **tail = &opt.ext_key_usage; + while( q != NULL ) { if( ( r = strchr( q, ',' ) ) != NULL ) *r++ = '\0'; ext_key_usage = mbedtls_calloc( 1, sizeof(mbedtls_asn1_sequence) ); - ext_key_usage->next = opt.ext_key_usage; ext_key_usage->buf.tag = MBEDTLS_ASN1_OID; if( strcmp( q, "serverAuth" ) == 0 ) SET_OID( ext_key_usage->buf, MBEDTLS_OID_SERVER_AUTH ); @@ -467,7 +468,9 @@ int main( int argc, char *argv[] ) SET_OID( ext_key_usage->buf, MBEDTLS_OID_OCSP_SIGNING ); else goto usage; - opt.ext_key_usage = ext_key_usage; + + *tail = ext_key_usage; + tail = &ext_key_usage->next; q = r; } From c5e0a8a890fbf5db7451759b64b4729b113adf11 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 15 Aug 2022 14:24:22 +0100 Subject: [PATCH 11/16] Add missing error message Signed-off-by: Dave Rodgman --- programs/x509/cert_write.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index 2f51e19c87..0118abd208 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -467,7 +467,10 @@ int main( int argc, char *argv[] ) else if( strcmp( q, "OCSPSigning" ) == 0 ) SET_OID( ext_key_usage->buf, MBEDTLS_OID_OCSP_SIGNING ); else + { + mbedtls_printf( "Invalid argument for option %s\n", p ); goto usage; + } *tail = ext_key_usage; tail = &ext_key_usage->next; From 1577c548d18bdff22cd7bf127a57969d82402e3b Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 9 Sep 2022 10:22:15 +0100 Subject: [PATCH 12/16] Use NULL instead of 0 Signed-off-by: Dave Rodgman --- programs/x509/cert_write.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index 0118abd208..5a13f4e78b 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -86,7 +86,7 @@ int main( void ) #define DFL_MAX_PATHLEN -1 #define DFL_SIG_ALG MBEDTLS_MD_SHA256 #define DFL_KEY_USAGE 0 -#define DFL_EXT_KEY_USAGE 0 +#define DFL_EXT_KEY_USAGE NULL #define DFL_NS_CERT_TYPE 0 #define DFL_VERSION 3 #define DFL_AUTH_IDENT 1 From 66e05505b627c5a34799ff53f99540024d391d92 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 27 Oct 2022 16:29:38 +0100 Subject: [PATCH 13/16] Support generating DER format certificates Signed-off-by: Dave Rodgman --- programs/x509/cert_write.c | 41 +++++++++++++++++++++++++++++++++----- 1 file changed, 36 insertions(+), 5 deletions(-) diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index 5a13f4e78b..1f4b1a09a6 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -69,6 +69,9 @@ int main( void ) #define USAGE_CSR "" #endif /* MBEDTLS_X509_CSR_PARSE_C */ +#define FORMAT_PEM 0 +#define FORMAT_DER 1 + #define DFL_ISSUER_CRT "" #define DFL_REQUEST_FILE "" #define DFL_SUBJECT_KEY "subject.key" @@ -93,6 +96,7 @@ int main( void ) #define DFL_SUBJ_IDENT 1 #define DFL_CONSTRAINTS 1 #define DFL_DIGEST MBEDTLS_MD_SHA256 +#define DFL_FORMAT FORMAT_PEM #define USAGE \ "\n usage: cert_write param=<>...\n" \ @@ -161,6 +165,7 @@ int main( void ) " ssl_ca\n" \ " email_ca\n" \ " object_signing_ca\n" \ + " format=pem|der default: pem\n" \ "\n" @@ -192,6 +197,7 @@ struct options unsigned char key_usage; /* key usage flags */ mbedtls_asn1_sequence *ext_key_usage; /* extended key usages */ unsigned char ns_cert_type; /* NS cert type */ + int format; /* format */ } opt; int write_certificate( mbedtls_x509write_cert *crt, const char *output_file, @@ -201,19 +207,33 @@ int write_certificate( mbedtls_x509write_cert *crt, const char *output_file, int ret; FILE *f; unsigned char output_buf[4096]; + unsigned char *output_start; size_t len = 0; memset( output_buf, 0, 4096 ); - if( ( ret = mbedtls_x509write_crt_pem( crt, output_buf, 4096, - f_rng, p_rng ) ) < 0 ) - return( ret ); + if ( opt.format == FORMAT_DER ) + { + ret = mbedtls_x509write_crt_der( crt, output_buf, 4096, + f_rng, p_rng ); + if( ret < 0 ) + return( ret ); - len = strlen( (char *) output_buf ); + len = ret; + output_start = output_buf + 4096 - len; + } else { + ret = mbedtls_x509write_crt_pem( crt, output_buf, 4096, + f_rng, p_rng ); + if( ret < 0 ) + return( ret ); + + len = strlen( (char *) output_buf ); + output_start = output_buf; + } if( ( f = fopen( output_file, "w" ) ) == NULL ) return( -1 ); - if( fwrite( output_buf, 1, len, f ) != len ) + if( fwrite( output_start, 1, len, f ) != len ) { fclose( f ); return( -1 ); @@ -292,6 +312,7 @@ int main( int argc, char *argv[] ) opt.subject_identifier = DFL_SUBJ_IDENT; opt.authority_identifier = DFL_AUTH_IDENT; opt.basic_constraints = DFL_CONSTRAINTS; + opt.format = DFL_FORMAT; for( i = 1; i < argc; i++ ) { @@ -508,6 +529,16 @@ int main( int argc, char *argv[] ) q = r; } } + else if( strcmp( p, "format" ) == 0 ) + { + if ( strcmp(q, "der" ) == 0 ) opt.format = FORMAT_DER; + else if ( strcmp(q, "pem" ) == 0 ) opt.format = FORMAT_PEM; + else + { + mbedtls_printf( "Invalid argument for option %s\n", p ); + goto usage; + } + } else goto usage; } From 169ae4f528244653eb6629351c4eeab4932ac30c Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 28 Oct 2022 11:24:29 +0100 Subject: [PATCH 14/16] Add Changelog entry Signed-off-by: Dave Rodgman --- ChangeLog.d/cert_write-set-extended-key-usages.txt | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 ChangeLog.d/cert_write-set-extended-key-usages.txt diff --git a/ChangeLog.d/cert_write-set-extended-key-usages.txt b/ChangeLog.d/cert_write-set-extended-key-usages.txt new file mode 100644 index 0000000000..5843d9e70c --- /dev/null +++ b/ChangeLog.d/cert_write-set-extended-key-usages.txt @@ -0,0 +1,4 @@ +Features + * cert_write: support for setting extended key usage attributes. + * cert_write: support for writing certificate files in either PEM + or DER format. From d7dfc0922efc8211a511710482418240b18eb07f Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 28 Oct 2022 11:38:05 +0100 Subject: [PATCH 15/16] Update Changelog Signed-off-by: Dave Rodgman --- ChangeLog.d/cert_write-set-extended-key-usages.txt | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ChangeLog.d/cert_write-set-extended-key-usages.txt b/ChangeLog.d/cert_write-set-extended-key-usages.txt index 5843d9e70c..02bc8013c2 100644 --- a/ChangeLog.d/cert_write-set-extended-key-usages.txt +++ b/ChangeLog.d/cert_write-set-extended-key-usages.txt @@ -1,4 +1,6 @@ Features - * cert_write: support for setting extended key usage attributes. + * cert_write: support for setting extended key usage attributes. A + corresponding new public API call has been added in the library, + mbedtls_x509write_crt_set_ext_key_usage. * cert_write: support for writing certificate files in either PEM or DER format. From b3166f4b2f9577aeb04afba02062d61d6b1c1334 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 28 Oct 2022 11:39:04 +0100 Subject: [PATCH 16/16] Update Changelog Signed-off-by: Dave Rodgman --- ChangeLog.d/cert_write-set-extended-key-usages.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog.d/cert_write-set-extended-key-usages.txt b/ChangeLog.d/cert_write-set-extended-key-usages.txt index 02bc8013c2..18b7b040d1 100644 --- a/ChangeLog.d/cert_write-set-extended-key-usages.txt +++ b/ChangeLog.d/cert_write-set-extended-key-usages.txt @@ -1,6 +1,6 @@ Features * cert_write: support for setting extended key usage attributes. A corresponding new public API call has been added in the library, - mbedtls_x509write_crt_set_ext_key_usage. + mbedtls_x509write_crt_set_ext_key_usage(). * cert_write: support for writing certificate files in either PEM or DER format.