Arcola / mbedtls

Important changes to repositories hosted on mbed.com

Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.

To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.

It is also possible to export all your personal repositories from the account settings page.

Fork of mbedtls by Mark Radbourne

Diff: tests/suites/test_suite_x509parse.function

Revision:
2:bbdeda018a3c
Parent:
1:9ebc941037d5
diff -r 9ebc941037d5 -r bbdeda018a3c tests/suites/test_suite_x509parse.function
--- a/tests/suites/test_suite_x509parse.function	Fri Sep 29 18:41:59 2017 +0100
+++ b/tests/suites/test_suite_x509parse.function	Fri Sep 29 19:50:30 2017 +0100
@@ -7,6 +7,14 @@
 #include "mbedtls/oid.h"
 #include "mbedtls/base64.h"
 
+#if MBEDTLS_X509_MAX_INTERMEDIATE_CA > 19
+#error "The value of MBEDTLS_X509_MAX_INTERMEDIATE_C is larger \
+than the current threshold 19. To test larger values, please \
+adapt the script tests/data_files/dir-max/long.sh."
+#endif
+
+/* Profile for backward compatibility. Allows SHA-1, unlike the default
+   profile. */
 const mbedtls_x509_crt_profile compat_profile =
 {
     MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
@@ -221,6 +229,7 @@
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C */
 void x509_verify( char *crt_file, char *ca_file, char *crl_file,
                   char *cn_name_str, int result, int flags_result,
+                  char *profile_str,
                   char *verify_callback )
 {
     mbedtls_x509_crt   crt;
@@ -230,6 +239,7 @@
     int         res;
     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) = NULL;
     char *      cn_name = NULL;
+    const mbedtls_x509_crt_profile *profile;
 
     mbedtls_x509_crt_init( &crt );
     mbedtls_x509_crt_init( &ca );
@@ -238,6 +248,13 @@
     if( strcmp( cn_name_str, "NULL" ) != 0 )
         cn_name = cn_name_str;
 
+    if( strcmp( profile_str, "default" ) == 0 )
+        profile = &mbedtls_x509_crt_profile_default;
+    else if( strcmp( profile_str, "compat" ) == 0 )
+        profile = &compat_profile;
+    else
+        TEST_ASSERT( "Unknown algorithm profile" == 0 );
+
     if( strcmp( verify_callback, "NULL" ) == 0 )
         f_vrfy = NULL;
     else if( strcmp( verify_callback, "verify_none" ) == 0 )
@@ -251,7 +268,7 @@
     TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 );
     TEST_ASSERT( mbedtls_x509_crl_parse_file( &crl, crl_file ) == 0 );
 
-    res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, &compat_profile, cn_name, &flags, f_vrfy, NULL );
+    res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, profile, cn_name, &flags, f_vrfy, NULL );
 
     TEST_ASSERT( res == ( result ) );
     TEST_ASSERT( flags == (uint32_t)( flags_result ) );
@@ -280,8 +297,10 @@
     TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 );
     TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 );
 
-    ret = mbedtls_x509_crt_verify( &crt, &ca, NULL, NULL, &flags,
-                                   verify_print, &vrfy_ctx );
+    ret = mbedtls_x509_crt_verify_with_profile( &crt, &ca, NULL,
+                                                &compat_profile,
+                                                NULL, &flags,
+                                                verify_print, &vrfy_ctx );
 
     TEST_ASSERT( ret == exp_ret );
     TEST_ASSERT( strcmp( vrfy_ctx.buf, exp_vrfy_out ) == 0 );
@@ -488,6 +507,45 @@
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
+void mbedtls_x509_crt_verify_max( char *ca_file, char *chain_dir, int nb_int,
+                                  int ret_chk, int flags_chk )
+{
+    char file_buf[128];
+    int ret;
+    uint32_t flags;
+    mbedtls_x509_crt trusted, chain;
+
+    /*
+     * We expect chain_dir to contain certificates 00.crt, 01.crt, etc.
+     * with NN.crt signed by NN-1.crt
+     */
+
+    mbedtls_x509_crt_init( &trusted );
+    mbedtls_x509_crt_init( &chain );
+
+    /* Load trusted root */
+    TEST_ASSERT( mbedtls_x509_crt_parse_file( &trusted, ca_file ) == 0 );
+
+    /* Load a chain with nb_int intermediates (from 01 to nb_int),
+     * plus one "end-entity" cert (nb_int + 1) */
+    ret = mbedtls_snprintf( file_buf, sizeof file_buf, "%s/c%02d.pem", chain_dir,
+                                                            nb_int + 1 );
+    TEST_ASSERT( ret > 0 && (size_t) ret < sizeof file_buf );
+    TEST_ASSERT( mbedtls_x509_crt_parse_file( &chain, file_buf ) == 0 );
+
+    /* Try to verify that chain */
+    ret = mbedtls_x509_crt_verify( &chain, &trusted, NULL, NULL, &flags,
+                                   NULL, NULL );
+    TEST_ASSERT( ret == ret_chk );
+    TEST_ASSERT( flags == (uint32_t) flags_chk );
+
+exit:
+    mbedtls_x509_crt_free( &chain );
+    mbedtls_x509_crt_free( &trusted );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
 void mbedtls_x509_crt_verify_chain(  char *chain_paths, char *trusted_ca, int flags_result )
 {
     char* act;