author | Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> | 2022-12-30 10:13:41 +0100 |
---|---|---|
committer | Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> | 2022-12-30 10:13:41 +0100 |
commit | 4511ca063afa82ee0023c0594e72da2d6f3c3725 (patch) | |
tree | 9646c6ccb83e145fa56f061a0a6ee9733f51622a | |
parent | 6ea0a8d88349f1d132ebb0477c0010b70f5949b3 (diff) | |
Use PSS-signed CRL for PSS tests
Otherwise, in builds without PKCS1_V15, tests that are supposed to
accept the certificate will fail, because once the cert is OK they will
move on to checking the CRL and will choke on its non-PSS signature.
Tests that are supposed to reject the cert due to an invalid signature
from the CA will not check the CRL because they don't recognize the CA
as valid, so they have no reason to check the CA's CRL. This was hiding
the problem until the recent commit that added a test where the cert is
supposed to be accepted.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
-rw-r--r-- | tests/suites/test_suite_x509parse.data | 4 | ||||
-rw-r--r-- | tests/suites/test_suite_x509parse.function | 4 |
2 files changed, 4 insertions, 4 deletions
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index ee204f8..914dffa 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -833,11 +833,11 @@ x509_verify:"data_files/server9-defaults.crt":"data_files/test-ca.crt":"data_fil
 X509 CRT verification #68 (RSASSA-PSS, wrong salt_len, !USE_PSA)
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_USE_PSA_CRYPTO
-x509_verify:"data_files/server9-bad-saltlen.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
+x509_verify:"data_files/server9-bad-saltlen.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
 X509 CRT verification #68 (RSASSA-PSS, wrong salt_len, USE_PSA)
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO
-x509_verify:"data_files/server9-bad-saltlen.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"data_files/server9-bad-saltlen.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL"
 X509 CRT verification #69 (RSASSA-PSS, wrong mgf_hash)
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index dc36b81..388d45e 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
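Review bot: The USE_PSA variant of case #68 expects `0:0` for `server9-bad-saltlen.crt`, while the !USE_PSA variant with the same inputs expects MBEDTLS_ERR_X509_CERT_VERIFY_FAILED with MBEDTLS_X509_BADCERT_NOT_TRUSTED, and nothing beside the case says that accepting a certificate with a wrong PSS salt length is deliberate. With this change that accepting path is the one that goes on to verify the new PSS-signed CRL, so the expectation deserves a one-line explanation. If the data-file format allows comment lines, something like `# USE_PSA: salt length is not checked on verify, so the cert is accepted (known limitation)` above the case would do, with the wording adjusted to the real reason, which is only inferred here. Anyone reading the suite as a statement of what the verifier rejects would otherwise take the `0:0` for a test bug.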
@@ -665,8 +665,8 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file,
 res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, profile, cn_name, &flags, f_vrfy, NULL );
- TEST_ASSERT( res == ( result ) );
- TEST_ASSERT( flags == (uint32_t)( flags_result ) );
+ TEST_EQUAL( res, result );
+ TEST_EQUAL( flags, (uint32_t) flags_result );
 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
 /* CRLs aren't supported with CA callbacks, so skip the CA callback
|