From cc77fe8e52d65fbe596ed73ee824903751c253cf Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Sat, 11 Mar 2023 09:46:13 +0000
Subject: [PATCH 1/3] Fix PKCS #7 tests when MBEDTLS_HAVE_TIME_DATE unset

Ensure that verification of an expired cert still fails, but update the test to handle the different error code.

Signed-off-by: Dave Rodgman
---
 tests/suites/test_suite_pkcs7.data | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data
index 7b32fa4c27..500f3ce1f3 100644
--- a/tests/suites/test_suite_pkcs7.data
+++ b/tests/suites/test_suite_pkcs7.data
@@ -134,10 +134,14 @@ PKCS7 Signed Data Hash Verify Fail with multiple signers #18
 depends_on:MBEDTLS_SHA256_C:MBEDTLS_SHA512_C
 pkcs7_verify:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":MBEDTLS_MD_SHA512:MBEDTLS_ERR_PKCS7_VERIFY_FAIL
 
-PKCS7 Signed Data Verify Fail Expired Cert #19
-depends_on:MBEDTLS_SHA256_C
+PKCS7 Signed Data Verify Fail Expired Cert #19 have DATE_TIME
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_HAVE_TIME_DATE
 pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-expired.crt":"data_files/pkcs7_data.bin":0:MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID
 
+PKCS7 Signed Data Verify Fail Expired Cert #19 no DATE_TIME
+depends_on:MBEDTLS_SHA256_C:!MBEDTLS_HAVE_TIME_DATE
+pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-expired.crt":"data_files/pkcs7_data.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
+
 PKCS7 Parse Failure Invalid ASN1: Add null byte to start #20.0
 depends_on:MBEDTLS_SHA256_C
 pkcs7_asn1_fail:"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"

From 2e8442565a5a67ca935abee573259cf419eaf7fe Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Sat, 11 Mar 2023 10:24:30 +0000
Subject: [PATCH 2/3] Add PKCS #7 test files using expired cert
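Review bot: The new `no DATE_TIME` case is named as an expired-cert failure, but the expected error `MBEDTLS_ERR_RSA_VERIFY_FAILED` is a signature mismatch: `pkcs7_data_cert_signed_sha256.der` is verified against `pkcs7-rsa-expired.crt`, so — assuming that file was signed by a different key, which the RSA error itself suggests — the build without time support never reaches an expiry decision and the case only shows that a wrong key is rejected. The name should say what is actually pinned, e.g. `PKCS7 Signed Data Verify Fail Expired Cert #19 no TIME_DATE (wrong key, expiry unchecked)`. Both new names also spell the option as `DATE_TIME` while the macro is `MBEDTLS_HAVE_TIME_DATE`; the third patch in this series keeps the transposed spelling in its `no DATE_TIME 1` case while using `TIME_DATE` for its own new cases, so settling on `TIME_DATE` here avoids that mismatch.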
Signed-off-by: Dave Rodgman
---
 tests/data_files/Makefile | 9 +++++++++
 tests/data_files/pkcs7-rsa-expired.der | Bin 0 -> 857 bytes
 tests/data_files/pkcs7_data_rsa_expired.der | Bin 0 -> 1302 bytes
 3 files changed, 9 insertions(+)
 create mode 100644 tests/data_files/pkcs7-rsa-expired.der
 create mode 100644 tests/data_files/pkcs7_data_rsa_expired.der

diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index 80bdd25737..e638cafe68 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -1306,6 +1306,11 @@ pkcs7-rsa-expired.crt:
 	$(FAKETIME) -f -3650d $(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert Expired" -sha256 -nodes -days 365 -newkey rsa:2048 -keyout pkcs7-rsa-expired.key -out pkcs7-rsa-expired.crt
 all_final += pkcs7-rsa-expired.crt
 
+# File with an otherwise valid signature signed with an expired cert
+pkcs7_data_rsa_expired.der: pkcs7-rsa-expired.key pkcs7-rsa-expired.crt pkcs7_data.bin
+	$(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -inkey pkcs7-rsa-expired.key -signer pkcs7-rsa-expired.crt -noattr -outform DER -out $@
+all_final += pkcs7_data_rsa_expired.der
+
 # Convert signing certs to DER for testing PEM-free builds
 pkcs7-rsa-sha256-1.der: $(pkcs7_test_cert_1)
 	$(OPENSSL) x509 -in pkcs7-rsa-sha256-1.crt -out $@ -outform DER
@@ -1315,6 +1320,10 @@ pkcs7-rsa-sha256-2.der: $(pkcs7_test_cert_2)
 	$(OPENSSL) x509 -in pkcs7-rsa-sha256-2.crt -out $@ -outform DER
 all_final += pkcs7-rsa-sha256-2.der
 
+pkcs7-rsa-expired.der: pkcs7-rsa-expired.crt
+	$(OPENSSL) x509 -in pkcs7-rsa-expired.crt -out $@ -outform DER
+all_final += pkcs7-rsa-expired.der
+
 # pkcs7 signature file over zero-len data
 pkcs7_zerolendata_detached.der: pkcs7_zerolendata.bin pkcs7-rsa-sha256-1.key pkcs7-rsa-sha256-1.crt
 	$(OPENSSL) smime -sign -md sha256 -nocerts -noattr -in pkcs7_zerolendata.bin -inkey pkcs7-rsa-sha256-1.key -outform DER -binary -signer pkcs7-rsa-sha256-1.crt -out pkcs7_zerolendata_detached.der
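Review bot: The recipe for `pkcs7_data_rsa_expired.der` passes `-out $@` twice, once after `-in pkcs7_data.bin` and again at the end; the last occurrence wins in practice so the output lands in the right place, but the duplicate reads as a copy-paste slip and should be dropped: `$(OPENSSL) smime -sign -binary -in pkcs7_data.bin -md sha256 -inkey pkcs7-rsa-expired.key -signer pkcs7-rsa-expired.crt -noattr -outform DER -out $@`. The rule also lists `pkcs7-rsa-expired.key` as a prerequisite, yet within this hunk the key is only produced as a side effect of the `pkcs7-rsa-expired.crt` recipe's `-keyout`; unless a rule for the `.key` exists elsewhere in the Makefile, a tree where only the `.crt` survives cannot rebuild this target, and a grouped or stamp-based rule for the crt/key pair would make that dependency explicit. Extending the header comment to `# File with an otherwise valid signature signed with an expired cert (expected to verify only when MBEDTLS_HAVE_TIME_DATE is unset)` would record why the fixture exists.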
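Review bot: `pkcs7-rsa-expired.der` is generated and added to `all_final`, but no test case in this series references it — the `.data` hunks verify against `pkcs7-rsa-expired.crt` only — whereas the sibling `pkcs7-rsa-sha256-1.der`/`-2.der` conversions exist, per the comment above them, to cover PEM-free builds. If the DER copy is meant for the same purpose, a case that verifies with the `.der` signer cert under the same dependency the suite uses for the other `.der` certs should accompany it; otherwise the rule is unused output. A one-line comment such as `# DER copy of the expired signer cert, for PEM-free builds` would tie it to the rule group it sits in.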
diff --git a/tests/data_files/pkcs7-rsa-expired.der b/tests/data_files/pkcs7-rsa-expired.der new file mode 100644 index 0000000000000000000000000000000000000000..508ec5c29a04659cc22494dfdda906c5512310fe GIT binary patch literal 857 zcmXqLVh%NEVzOPp%*4pVBx1F7(v4q_f3_dF99xx_C%#{5zFVXLFB_*;n@8JsUPeZ4 zRt5trLv903Hs(+kHen_|A45I^9uS9%hc&?4IoRA#+CUP-XXX(C^A(&^i%Jw+D+)4; zQd11%#CZ*kfY98~(#YJT0`2H@QSIxHI9&>m@daye>@3OxAqN=TpIcbLGd+PtV&(O*cI(R&^{>-{QQtZlBs| zp5!-QHvL&BGr=QTZ+2mjaYC~{-vSZkh|q@WdV6QRs|!DA@XgGPoMBBEFPyX55MuwyF>YOe%pRWKbEjxscdUBOUZlcMAF(WD z?snhznQy0*=jXa6Wy?-^VB}kFoo6vk=0<|5-qvMFzP2ZBX-~P$5@(|MnJ;;h@x!U? z>PCu8%!~|-i-QdU4P=24B+JJl#v)=oT}<&%Nvfsbwq?5{{%r9Q$w@FbkOxUCvq%_- zHDFi34^kk^$oQXy)qojDAqP7!g#d${k%5=_)6w^WcHsfp=HeWAYSwMl`I3I6v6k;v{C@#6<|BMH7C--O5E09~&i%0O zV%zV3EbC77t-ICF!KvuH(UMO?O|`6i7T?`&g-?&lA}7zi^(r#<`I!e3R_-poU_9G5 z)azpX!?-USZ~0DqA1#0Ni+7~r83&ny>Sp0$)%$U)9pg!60FaqLSO5S3 literal 0 HcmV?d00001 
diff --git a/tests/data_files/pkcs7_data_rsa_expired.der b/tests/data_files/pkcs7_data_rsa_expired.der new file mode 100644 index 0000000000000000000000000000000000000000..63af49d6a9d8334faca425e3c7cede1be7cdc6ad GIT binary patch literal 1302 zcmXqLVijWJ)N1o+`_9YA&a|M3mD!+)$PF~Y%8=WD zlZ`o)g-w{r&&QC@fCt3k;$aQ&b`CZ-ls1qA@tJvqzT0`2H@QSI zxHI9&>m@daye>@3OxAqN=TpIcbLGd+PtV&(O*cI(R&^{>-{QQtZlBs|p5!-QHvL&B zGr=QTZ+2mjaYC~{-vSZkh|q@WdV6QRs|!DA@XgGPoMBBEFPyX55MuwyF>YOe%pRWKbEjxscdUBOUZlcMAF(WD?snhznQy0* z=jXa6Wy?-^VB}kFoo6vk=0<|5-qvMFzP2ZBX-~P$5@(|MnJ;;h@x!U?>PCu8%!~|- zi-QdU4P=24B+JJl#v)=oT}<&%Nvfsbwq?5{{%r9Q$w@FbkOxUCvq%_-HDFi34^kk^ z$oQXy)qojDAqP7!g#d${k%5=_)6w^WcHsfp=HeWAYSwMl`I3I6v6k;v{C@#6<|BMH7C--O5E09~&i%0OV%zV3EbC77 zt-ICF!KvuH(UMO?O|`6i7T?`&g-?&lA}7zi^(r#<`I!e3R_-poU_9G5)azpX!?-US zZ~0DqA1#0Ni+7~r83&ny>Sp0$)%$U)9pg#H*u+>1OnQ~TTxbwPNxH_JDUtIvQXT~+ ze3m9ghAFT6(xUf@{ym%6vsEzDPD=LCsk)a=mmVH5+pR4Cyq5g} z>#iR=ek@i^ef;_4%IT}Ly^k+Qn~>D(CSRKnx9z&WSk{stDV2NY^{O+}*Tu0vMM3Q<>y?S9T?{y_Vg35(ApOgYY|fLUw&Ci;P0O`ck@oqmfSIyHMT9L zWO9>&<1%xpfLCQZ>tz+V8a5Ps;jR#q^tSmfT$RXnXuI+IgB!okvN-Q+(J6n1`Sa0B Sv($r)ZeP_5tz=$xa{&OMyW?d5 literal 0 HcmV?d00001 From f8565b3c2b895827e393c103967531e823e078e0 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Sat, 11 Mar 2023 10:26:39 +0000 Subject: [PATCH 3/3] Add more PKCS #7 tests with expired cert Add test which uses an expired cert but is otherwise OK, which passes if and only if MBEDTLS_HAVE_TIME_DATE is not set. Add similar test which verifies against a different data file, which must fail regardless of MBEDTLS_HAVE_TIME_DATE. Signed-off-by: Dave Rodgman --- tests/suites/test_suite_pkcs7.data | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data index 500f3ce1f3..89c223dcbf 100644 --- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data 
@@ -134,14 +134,22 @@ PKCS7 Signed Data Hash Verify Fail with multiple signers #18
 depends_on:MBEDTLS_SHA256_C:MBEDTLS_SHA512_C
 pkcs7_verify:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":MBEDTLS_MD_SHA512:MBEDTLS_ERR_PKCS7_VERIFY_FAIL
 
+PKCS7 Signed Data Verify Pass Expired Cert #19 no TIME_DATE
+depends_on:MBEDTLS_SHA256_C:!MBEDTLS_HAVE_TIME_DATE
+pkcs7_verify:"data_files/pkcs7_data_rsa_expired.der":"data_files/pkcs7-rsa-expired.crt":"data_files/pkcs7_data.bin":0:0
+
 PKCS7 Signed Data Verify Fail Expired Cert #19 have DATE_TIME
 depends_on:MBEDTLS_SHA256_C:MBEDTLS_HAVE_TIME_DATE
 pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-expired.crt":"data_files/pkcs7_data.bin":0:MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID
 
-PKCS7 Signed Data Verify Fail Expired Cert #19 no DATE_TIME
+PKCS7 Signed Data Verify Fail Expired Cert #19 no DATE_TIME 1
 depends_on:MBEDTLS_SHA256_C:!MBEDTLS_HAVE_TIME_DATE
 pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-expired.crt":"data_files/pkcs7_data.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
 
+PKCS7 Signed Data Verify Fail Expired Cert #19 no TIME_DATE 2
+depends_on:MBEDTLS_SHA256_C:!MBEDTLS_HAVE_TIME_DATE
+pkcs7_verify:"data_files/pkcs7_data_rsa_expired.der":"data_files/pkcs7-rsa-expired.crt":"data_files/pkcs7_data_1.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
+
 PKCS7 Parse Failure Invalid ASN1: Add null byte to start #20.0
 depends_on:MBEDTLS_SHA256_C
 pkcs7_asn1_fail:"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"
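Review bot: The new fixture `pkcs7_data_rsa_expired.der` is only exercised with `!MBEDTLS_HAVE_TIME_DATE`; there is no counterpart showing that a correct signature from an expired cert is rejected when date checking is available, which is the property that matters for security. The existing `have DATE_TIME` case uses `pkcs7_data_cert_signed_sha256.der`, which — judging by the `MBEDTLS_ERR_RSA_VERIFY_FAILED` result in the `no DATE_TIME 1` case — was not signed by the expired key, so it shows the date check runs before the signature check but not that an otherwise-valid signature is refused on expiry alone. Add `PKCS7 Signed Data Verify Fail Expired Cert #19 have TIME_DATE valid sig` / `depends_on:MBEDTLS_SHA256_C:MBEDTLS_HAVE_TIME_DATE` / `pkcs7_verify:"data_files/pkcs7_data_rsa_expired.der":"data_files/pkcs7-rsa-expired.crt":"data_files/pkcs7_data.bin":0:MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID`. Separately, the adjacent names `no DATE_TIME 1` and `no TIME_DATE 2` spell the same option two ways; renaming the first to `no TIME_DATE 1` keeps them consistent with the macro.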