Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for trusted CA callbacks #2532

Merged
merged 29 commits into from
Apr 16, 2019
Merged

Add support for trusted CA callbacks #2532

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
29 commits
Select commit Hold shift + click to select a range
288dedc
Add compile-time option to enable X.509 CA callbacks
Mar 27, 2019
5c8df78
Add X.509 CRT verification API using trusted CA callbacks
Mar 27, 2019
902451d
Improve documentation of old X.509 CRT verification functions
Mar 27, 2019
8bf74f3
Add SSL configuration API for trusted CA callbacks
Mar 27, 2019
03cd120
Test for ca list callback
Mar 27, 2019
912ed33
Change callback name to ca_callback
Mar 27, 2019
557426a
Add a failure testcase for ca callback
Mar 27, 2019
1b4a2ba
Add possibility to use ca_callbacks in ssl programs
Mar 27, 2019
5adaad9
Add X.509 CA callback to SSL configuration and implement setter API
Mar 27, 2019
afd0b0a
Make use of CA callback if present when verifying peer CRT chain
Mar 27, 2019
3116fb3
Add prototype for CRT verification with static and dynamic CA list
Mar 28, 2019
f53893b
Implement X.509 CRT verification using CA callback
Mar 28, 2019
e15dae7
Declare CA callback type even if feature is disabled
Mar 28, 2019
cbb5903
Minor fixes to CA callback tests
Mar 28, 2019
0350d56
Only run X.509 CRT verification tests with CA callback tests if !CRL
Mar 28, 2019
746aaf3
Add ssl-opt.sh tests for trusted CA callbacks
Mar 28, 2019
fa738d1
Update query_config.c
Mar 28, 2019
3f932bb
Remove trailing whitespace in test_suite_x509parse.function
Mar 28, 2019
fed5d9d
Update version_features.c
Mar 28, 2019
1bac87c
Correct placement of usage macro in ssl_client2
Mar 29, 2019
d6d100b
Fix ssl_client2 and ssl_server2 if !PLATFORM_C
Mar 30, 2019
31d9db6
Change the verify function naming
Apr 1, 2019
f49fedc
Change docs according to review comments
Apr 1, 2019
2ee67a6
Remove mbedtls_ from the static function name
Apr 1, 2019
f7a7f9e
Address review comments regarding ssl_client2 and ssl tests
Apr 1, 2019
dfd22c4
Address comments for x509 tests
Apr 1, 2019
9822c0d
Fix name to function call
Apr 1, 2019
d7ecbd6
Fix style issues and a typo
yanesca Apr 5, 2019
846ae7a
Document and test flags in x509_verify
yanesca Apr 5, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
4 changes: 4 additions & 0 deletions tests/suites/test_suite_x509parse.data
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -827,6 +827,10 @@ X509 Certificate verification #97 (next profile Valid Cert SHA256 Digest)
depends_on:MBEDTLS_SHA256_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECDSA_C:MBEDTLS_SHA1_C
x509_verify:"data_files/cert_sha256.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"next":"NULL"

X509 Certificate verification with ca callback: failure
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
x509_verify_ca_cb_failure:"data_files/server1.crt":"data_files/test-ca.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n"
mpg marked this conversation as resolved.
Show resolved Hide resolved

X509 Certificate verification callback: bad name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
x509_verify_callback:"data_files/server5.crt":"data_files/test-ca2.crt":"globalhost":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 1 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 0 - serial 09 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000004\n"
Expand Down
36 changes: 36 additions & 0 deletions tests/suites/test_suite_x509parse.function
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,15 @@ int verify_all( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32
}

#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
int ca_callback_fail( void *data, mbedtls_x509_crt *child, mbedtls_x509_crt **candidates)
{
((void) data);
((void) child);
((void) candidates);

return -1;
}

int ca_callback( void *data, mbedtls_x509_crt *child, mbedtls_x509_crt **candidates)
{
mbedtls_x509_crt *ca = (mbedtls_x509_crt *) data;
Expand Down Expand Up @@ -408,6 +417,33 @@ exit:
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C:MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
void x509_verify_ca_cb_failure( char *crt_file, char *ca_file, char *name,
int exp_ret, char *exp_vrfy_out )
{
int ret;
mbedtls_x509_crt crt;
mbedtls_x509_crt ca;
uint32_t flags = 0;

mbedtls_x509_crt_init( &crt );
mbedtls_x509_crt_init( &ca );

TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 );
TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 );

if( strcmp( name, "NULL" ) == 0 )
name = NULL;

ret = mbedtls_x509_crt_verify_with_cb( &crt, ca_callback_fail, &ca, &compat_profile, name, &flags, verify_all, NULL );

TEST_ASSERT( ret == exp_ret );
exit:
mbedtls_x509_crt_free( &crt );
mbedtls_x509_crt_free( &ca );
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
void x509_verify_callback( char *crt_file, char *ca_file, char *name,
int exp_ret, char *exp_vrfy_out )
Expand Down