Age | Commit message (Collapse) | Author | Files | Lines |
|
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
|
|
Fix typo 'unsupoported' -> 'unsupported'
|
|
mbedtls_x509_name allocates memory, which must be freed if there is a
subsequent error.
Credit to OSS-Fuzz (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53811).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
|
|
This fixes a use-after-free in PKCS#7 parsing when the signer data is
malformed.
Credit to OSS-Fuzz (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53798).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
|
|
Signed-off-by: David Horstmann <david.horstmann@arm.com>
|
|
|
|
Adding unit test for mbedtls_x509write_csr_set_extension()
|
|
The already existing "x509_csr_check()" function is extended in order
to support/test also CSR's extensions. The test is performed by
adding an extended key usage.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
|
|
|
|
`x509_info_subject_alt_name`: Render HardwareModuleName as hex
|
|
Windows tests are failing pkcs7 verification due to differnt line
endings. Therefore, add make instuctions for building the data
files with Windows EOF instead. As a result, regenerate other data
files so that verification works.
Add these CRLF EOF files to the exception in check_files to ignore
the line endings.
Signed-off-by: Nick Child <nick.child@ibm.com>
|
|
cert_write - add a way to set extended key usages - rebase
|
|
Various responses to feedback regarding the
pkcs7_verify_signed_data/hash functions. Mainly, merge these two
functions into one to reduce redudant logic [1]. As a result, an
identified bug about skipping over a signer is patched [2].
Additionally, add a conditional in the verify logic that checks if
the given x509 validity period is expired [3]. During testing of this
conditional, it turned out that all of the testing data was expired.
So, rebuild all of the pkcs7 testing data to refresh timestamps.
[1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r999652525
[2] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r997090215
[3] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r967238206
Signed-off-by: Nick Child <nick.child@ibm.com>
|
|
PSA with RSA requires PK_WRITE and PK_PARSE
|
|
Signed-off-by: Raef Coles <raef.coles@arm.com>
|
|
And remove now-unnecessary modification to check_files.py
Signed-off-by: Raef Coles <raef.coles@arm.com>
|
|
Signed-off-by: Raef Coles <raef.coles@arm.com>
|
|
Add more interop tests, and use real data for the negative tests
Signed-off-by: Raef Coles <raef.coles@arm.com>
|
|
dh.optlen.der is the result of converting dh.optlen.pem from PEM to DER.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
|
|
Signed-off-by: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com>
|
|
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
|
|
Fixes include removing PEM dependency for greater
coverage when PEM config is not set and defining
test dependencies at the appropriate level.
Signed-off-by: Nick Child <nick.child@ibm.com>
|
|
Also, text files don't need to be generated by the Makefile.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
|
|
This commit adds the static test data generated by
commands from Makefile.
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
|
|
OpenSSL provides APIs to generate only the signted data
format PKCS7 i.e. without content type OID. This patch
adds support to parse the data correctly even if formatted
only as signed data
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
|
|
PKCS7 signing format is used by OpenPOWER Key Management, which is
using mbedtls as its crypto library.
This patch adds the limited support of pkcs7 parser and verification
to the mbedtls. The limitations are:
* Only signed data is supported.
* CRLs are not currently handled.
* Single signer is supported.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Eric Richter <erichte@linux.ibm.com>
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
|
|
Test certs were originally generated with an old version of Mbed TLS
that used printableString where we now use utf8string (e.g., in the
organizationName). Otherwise the certs are identical.
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
|
|
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
|
|
Functions which are not covered by script, changes made to use radix
16.
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
|
|
Use escape mechanism defined in RFC 1779 when parsing commas and other
special characters in X509 DN values. Resolves failures when generating
a certificate with a CSR containing a comma in subject value.
Fixes #769.
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
|
|
Signed-off-by: Shaun Case <warmsocks@gmail.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
|
|
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
|
|
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
|
|
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
|
|
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
|
|
Reverting some deleted tests and changing the deprecated algo
Deleting deprecated headers from /alt-dummy dir
Corrections to the comments
Removal of deleted functions from compat-2.x.h
Corrections to tests/data_files/Makefile
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
|
|
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
|
|
An SSL client can be configured to insist on a minimum size for the
Diffie-Hellman (DHM) parameters sent by the server. Add several test
cases where the server sends parameters with exactly the minimum
size (must be accepted) or parameters that are one bit too short (must
be rejected). Make sure that there are test cases both where the
boundary is byte-aligned and where it isn't.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
|
|
Mark basic constraints critical as appropriate.
|
|
Signed-off-by: Darren Krahn <dkrahn@google.com>
|
|
Add missing tag check to signature check on certificate load
|
|
Add missing tag check for algorithm parameters when comparing the
signature in the description part of the cert against the actual
signature whilst loading a certificate. This was found by a
certificate (created by fuzzing) that openssl would not verify, but
mbedtls would.
Regression test added (one of the client certs modified accordingly)
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
|
|
Add a non-regression test for ssl_context_info to ensure the base64
decoder doesn't stop processing when it encounters a 0xFF character.
Signed-off-by: David Brown <david.brown@linaro.org>
|
|
gilles-peskine-arm/cert-gen-cleanup-202008-development
Minor cleanups in certificate generation
|
|
The toplevel directory is actually just ../..: the makefile commands
are executed in the subdirectory. $(PWD) earlier was wrong because it
comes from the shell, not from make. Looking up $(MAKEFILE_LIST) is
wrong because it indicates where the makefile is (make -f), not which
directory to work in (make -C).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
|
|
Per RFC 5280 4.2.1.9 if the 'cA' field is set to true, the extension
must be marked critical.
Signed-off-by: Darren Krahn <dkrahn@google.com>
|
|
Always revoke certificate on CRL
|
|
Add support for password protected key files to ssl_server2 and ssl_client2
|
|
They are used to generate cert_md*.crt.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
|
|
It wasn't working when invoking programs/x509/cert_write or
programs/x509/cert_req due to relying on the current directory rather
than the location of the makefile.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
|