From da0afcc2fb5eab22b30d761ef86330858ba35f89 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 5 Jan 2023 16:46:59 +0100 Subject: [PATCH 01/17] x509: remove direct dependency from BIGNUM_C Signed-off-by: Valerio Setti --- include/mbedtls/x509_crt.h | 32 +++++++++- library/x509write_crt.c | 70 +++++++++++++++++++--- programs/x509/cert_write.c | 13 ++++ tests/suites/test_suite_x509write.function | 7 +++ 4 files changed, 113 insertions(+), 9 deletions(-) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 661f8aa7b8..f552345f44 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -197,7 +197,7 @@ mbedtls_x509_crt_profile; #define MBEDTLS_X509_CRT_VERSION_2 1 #define MBEDTLS_X509_CRT_VERSION_3 2 -#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32 +#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 20 #define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15 #if !defined(MBEDTLS_X509_MAX_FILE_PATH_LEN) @@ -277,7 +277,8 @@ mbedtls_x509_crt_profile; */ typedef struct mbedtls_x509write_cert { int MBEDTLS_PRIVATE(version); - mbedtls_mpi MBEDTLS_PRIVATE(serial); + unsigned char MBEDTLS_PRIVATE(serial)[MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN]; + size_t MBEDTLS_PRIVATE(serial_len); mbedtls_pk_context *MBEDTLS_PRIVATE(subject_key); mbedtls_pk_context *MBEDTLS_PRIVATE(issuer_key); mbedtls_asn1_named_data *MBEDTLS_PRIVATE(subject); @@ -986,15 +987,42 @@ void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx); */ void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version); +#if defined(MBEDTLS_BIGNUM_C) /** * \brief Set the serial number for a Certificate. * + * \deprecated This function is deprecated and will be removed in a + * future version of the library. Please use + * mbedtls_x509write_crt_set_serial_new() instead. + * + * \note Even though the MBEDTLS_BIGNUM_C guard looks redundant since + * X509 depends on PK and PK depends on BIGNUM, this emphasizes + * a direct dependency between X509 and BIGNUM which is going + * to be deprecated in the future. + * * \param ctx CRT context to use * \param serial serial number to set * * \return 0 if successful */ int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial); +#endif + +/** + * \brief Set the serial number for a Certificate. + * + * \param ctx CRT context to use + * \param serial_buff Input buffer containing the serial number in big + * endian format + * \param serial_buff_len Length of the previous input buffer buffer + * + * \return 0 if successful, or + * MBEDTLS_ERR_X509_BAD_INPUT_DATA if the provided input buffer: + * - is too big (longer than MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) + * - contains invalid chars + */ +int mbedtls_x509write_crt_set_serial_new(mbedtls_x509write_cert *ctx, + char *serial_buff, size_t serial_buff_len); /** * \brief Set the validity period for a Certificate diff --git a/library/x509write_crt.c b/library/x509write_crt.c index febd0e6f3f..53c2ac4ec9 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -52,14 +52,11 @@ void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx) { memset(ctx, 0, sizeof(mbedtls_x509write_cert)); - mbedtls_mpi_init(&ctx->serial); ctx->version = MBEDTLS_X509_CRT_VERSION_3; } void mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx) { - mbedtls_mpi_free(&ctx->serial); - mbedtls_asn1_free_named_data_list(&ctx->subject); mbedtls_asn1_free_named_data_list(&ctx->issuer); mbedtls_asn1_free_named_data_list(&ctx->extensions); @@ -103,15 +100,65 @@ int mbedtls_x509write_crt_set_issuer_name(mbedtls_x509write_cert *ctx, return mbedtls_x509_string_to_names(&ctx->issuer, issuer_name); } +#if defined(MBEDTLS_BIGNUM_C) int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + int ret; + unsigned char tmp[MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN]; + size_t tmp_len; - if ((ret = mbedtls_mpi_copy(&ctx->serial, serial)) != 0) { + /* Ensure that the MPI value fits into the buffer */ + tmp_len = mbedtls_mpi_size(serial); + if (tmp_len > MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) { + return MBEDTLS_ERR_X509_BAD_INPUT_DATA; + } + + ctx->serial_len = tmp_len; + + ret = mbedtls_mpi_write_binary(serial, tmp, + MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN); + if (ret < 0) { return ret; } + /* Reverse the string since "tmp" is in big endian format */ + for (int i = 0; i < MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN; i++) { + ctx->serial[i] = tmp[MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN - 1 - i]; + } + + return 0; +} +#endif + +int mbedtls_x509write_crt_set_serial_new(mbedtls_x509write_cert *ctx, + char *serial_buff, size_t serial_buff_len) +{ + int i, j; + char c; + unsigned char val; + + if (serial_buff_len > MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) { + return MBEDTLS_ERR_X509_BAD_INPUT_DATA; + } + + /* Store data in little endian format */ + for (i = 0, j = serial_buff_len - 1; j == 0; i++, j--) { + c = serial_buff[j]; + if (c >= 0x30 && c <= 0x39) { + val = c - 0x30; + } else if (c >= 0x41 && c <= 0x46) { + val = c - 0x37; + } else if (c >= 0x61 && c <= 0x66) { + val = c - 0x57; + } else { + return MBEDTLS_ERR_X509_BAD_INPUT_DATA; + } + + ctx->serial[i] = val; + } + ctx->serial_len = i; + return 0; } @@ -510,9 +557,18 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, /* * Serial ::= INTEGER + * + * Written data is: + * - [ctx->serial_len] bytes for the raw serial buffer + * - 1 byte for the length + * - 1 byte for the TAG */ - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_mpi(&c, buf, - &ctx->serial)); + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(&c, buf, + ctx->serial, ctx->serial_len)); + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, + ctx->serial_len)); + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf, + MBEDTLS_ASN1_INTEGER)); /* * Version ::= INTEGER { v1(0), v2(1), v3(2) } diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index 3e134dd6ad..363ed8d8d2 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -514,12 +514,14 @@ usage: mbedtls_printf(" . Reading serial number..."); fflush(stdout); +#if defined(MBEDTLS_BIGNUM_C) if ((ret = mbedtls_mpi_read_string(&serial, 10, opt.serial)) != 0) { mbedtls_strerror(ret, buf, sizeof(buf)); mbedtls_printf(" failed\n ! mbedtls_mpi_read_string " "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf); goto exit; } +#endif mbedtls_printf(" ok\n"); @@ -661,6 +663,7 @@ usage: mbedtls_x509write_crt_set_version(&crt, opt.version); mbedtls_x509write_crt_set_md_alg(&crt, opt.md); +#if defined(MBEDTLS_BIGNUM_C) ret = mbedtls_x509write_crt_set_serial(&crt, &serial); if (ret != 0) { mbedtls_strerror(ret, buf, sizeof(buf)); @@ -668,6 +671,16 @@ usage: "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf); goto exit; } +#else + ret = mbedtls_x509write_crt_set_serial_new(&crt, opt.serial, + strlen(opt.serial)); + if (ret != 0) { + mbedtls_strerror(ret, buf, sizeof(buf)); + mbedtls_printf(" failed\n ! mbedtls_x509write_crt_set_serial_new " + "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf); + goto exit; + } +#endif ret = mbedtls_x509write_crt_set_validity(&crt, opt.not_before, opt.not_after); if (ret != 0) { diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index a21ad475a8..2bf8024abe 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -384,13 +384,20 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, TEST_ASSERT(mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_OPAQUE); } +#if !defined(MBEDTLS_BIGNUM_C) TEST_ASSERT(mbedtls_test_read_mpi(&serial, serial_str) == 0); +#endif if (ver != -1) { mbedtls_x509write_crt_set_version(&crt, ver); } +#if !defined(MBEDTLS_BIGNUM_C) TEST_ASSERT(mbedtls_x509write_crt_set_serial(&crt, &serial) == 0); +#else + TEST_ASSERT(mbedtls_x509write_crt_set_serial_new(&crt, serial_str, + strlen(serial_str)) == 0); +#endif TEST_ASSERT(mbedtls_x509write_crt_set_validity(&crt, not_before, not_after) == 0); mbedtls_x509write_crt_set_md_alg(&crt, md_type); From 903b6aa87d868f21c3fa5aa100020907a2fa7ba9 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 5 Jan 2023 17:06:14 +0100 Subject: [PATCH 02/17] Changelog: list changes in x509write_crt module Signed-off-by: Valerio Setti --- ...rove_x509_cert_writing_serial_number_management.txt | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt diff --git a/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt b/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt new file mode 100644 index 0000000000..64d1b279a4 --- /dev/null +++ b/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt @@ -0,0 +1,10 @@ +Bugfix + * mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers + whose binary representation is longer than 20 bytes. This was already + forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being + enforced also at code level. + +New deprecations + * mbedtls_x509write_crt_set_serial() is now being deprecated in favor of + mbedtls_x509write_crt_set_serial_new(). The goal here is to remove any + direct dependency of X509 from BIGNUM_C. From 5d164c4e2308dfd8185293c0a1996e2e12525b36 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 9 Jan 2023 12:19:40 +0100 Subject: [PATCH 03/17] fix: add missing deprecation guards Signed-off-by: Valerio Setti --- include/mbedtls/x509_crt.h | 7 ++++--- library/x509write_crt.c | 4 ++-- programs/x509/cert_write.c | 2 +- tests/suites/test_suite_x509write.function | 7 ++----- 4 files changed, 9 insertions(+), 11 deletions(-) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index f552345f44..810873c51d 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -987,7 +987,7 @@ void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx); */ void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version); -#if defined(MBEDTLS_BIGNUM_C) +#if defined(MBEDTLS_BIGNUM_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) /** * \brief Set the serial number for a Certificate. * @@ -1005,8 +1005,9 @@ void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version) * * \return 0 if successful */ -int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial); -#endif +int MBEDTLS_DEPRECATED mbedtls_x509write_crt_set_serial( + mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial); +#endif // MBEDTLS_BIGNUM_C && !MBEDTLS_DEPRECATED_REMOVED /** * \brief Set the serial number for a Certificate. diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 53c2ac4ec9..718b6f0748 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -100,7 +100,7 @@ int mbedtls_x509write_crt_set_issuer_name(mbedtls_x509write_cert *ctx, return mbedtls_x509_string_to_names(&ctx->issuer, issuer_name); } -#if defined(MBEDTLS_BIGNUM_C) +#if defined(MBEDTLS_BIGNUM_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial) { @@ -129,7 +129,7 @@ int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, return 0; } -#endif +#endif // MBEDTLS_BIGNUM_C && !MBEDTLS_DEPRECATED_REMOVED int mbedtls_x509write_crt_set_serial_new(mbedtls_x509write_cert *ctx, char *serial_buff, size_t serial_buff_len) diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index 363ed8d8d2..ec4d325270 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -663,7 +663,7 @@ usage: mbedtls_x509write_crt_set_version(&crt, opt.version); mbedtls_x509write_crt_set_md_alg(&crt, opt.md); -#if defined(MBEDTLS_BIGNUM_C) +#if defined(MBEDTLS_BIGNUM_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) ret = mbedtls_x509write_crt_set_serial(&crt, &serial); if (ret != 0) { mbedtls_strerror(ret, buf, sizeof(buf)); diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 2bf8024abe..e09c4c5dc3 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -384,15 +384,12 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, TEST_ASSERT(mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_OPAQUE); } -#if !defined(MBEDTLS_BIGNUM_C) - TEST_ASSERT(mbedtls_test_read_mpi(&serial, serial_str) == 0); -#endif - if (ver != -1) { mbedtls_x509write_crt_set_version(&crt, ver); } -#if !defined(MBEDTLS_BIGNUM_C) +#if defined(MBEDTLS_BIGNUM_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) + TEST_ASSERT(mbedtls_test_read_mpi(&serial, serial_str) == 0); TEST_ASSERT(mbedtls_x509write_crt_set_serial(&crt, &serial) == 0); #else TEST_ASSERT(mbedtls_x509write_crt_set_serial_new(&crt, serial_str, From 41b5fb653607543482717b5663e97d0612cb4437 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 9 Jan 2023 12:20:45 +0100 Subject: [PATCH 04/17] test: ensure X509 has no dependency on BIGNUM when built without MBEDTLS_DEPRECATED_REMOVED Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 6b11346d11..0cfb9bd964 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1767,6 +1767,9 @@ component_test_full_no_deprecated () { msg "test: make, full_no_deprecated config" # ~ 5s make test + + msg "test: ensure that X509 has no direct dependency on BIGNUM_C" + not grep mbedtls_mpi library/libmbedx509.a } component_test_full_no_deprecated_deprecated_warning () { From acf12fb744442f1ba03378ae4245b9ec3840634a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 9 Jan 2023 17:19:26 +0100 Subject: [PATCH 05/17] x509: fix endianness and input data format for x509write_crt_set_serial_new Signed-off-by: Valerio Setti --- include/mbedtls/x509_crt.h | 12 +++---- library/x509write_crt.c | 32 +++++-------------- programs/x509/cert_write.c | 64 +++++++++++++++++++++++++------------- 3 files changed, 55 insertions(+), 53 deletions(-) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 810873c51d..f88e8cc2c9 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -1013,17 +1013,17 @@ int MBEDTLS_DEPRECATED mbedtls_x509write_crt_set_serial( * \brief Set the serial number for a Certificate. * * \param ctx CRT context to use - * \param serial_buff Input buffer containing the serial number in big - * endian format + * \param serial_buff A raw array of bytes containing the serial number + * in big endian format * \param serial_buff_len Length of the previous input buffer buffer * * \return 0 if successful, or - * MBEDTLS_ERR_X509_BAD_INPUT_DATA if the provided input buffer: - * - is too big (longer than MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) - * - contains invalid chars + * MBEDTLS_ERR_X509_BAD_INPUT_DATA if the provided input buffer + * is too big (longer than MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) */ int mbedtls_x509write_crt_set_serial_new(mbedtls_x509write_cert *ctx, - char *serial_buff, size_t serial_buff_len); + unsigned char *serial_buff, + size_t serial_buff_len); /** * \brief Set the validity period for a Certificate diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 718b6f0748..da9ef6c12c 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -122,42 +122,24 @@ int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, return ret; } - /* Reverse the string since "tmp" is in big endian format */ - for (int i = 0; i < MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN; i++) { - ctx->serial[i] = tmp[MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN - 1 - i]; - } + /* Copy data to the internal structure skipping leading zeros */ + memcpy(ctx->serial, &tmp[MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN - tmp_len], + tmp_len); return 0; } #endif // MBEDTLS_BIGNUM_C && !MBEDTLS_DEPRECATED_REMOVED int mbedtls_x509write_crt_set_serial_new(mbedtls_x509write_cert *ctx, - char *serial_buff, size_t serial_buff_len) + unsigned char *serial_buff, + size_t serial_buff_len) { - int i, j; - char c; - unsigned char val; - if (serial_buff_len > MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) { return MBEDTLS_ERR_X509_BAD_INPUT_DATA; } - /* Store data in little endian format */ - for (i = 0, j = serial_buff_len - 1; j == 0; i++, j--) { - c = serial_buff[j]; - if (c >= 0x30 && c <= 0x39) { - val = c - 0x30; - } else if (c >= 0x41 && c <= 0x46) { - val = c - 0x37; - } else if (c >= 0x61 && c <= 0x66) { - val = c - 0x57; - } else { - return MBEDTLS_ERR_X509_BAD_INPUT_DATA; - } - - ctx->serial[i] = val; - } - ctx->serial_len = i; + ctx->serial_len = serial_buff_len; + memcpy(ctx->serial, serial_buff, serial_buff_len); return 0; } diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index ec4d325270..05d7677c78 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -235,6 +235,42 @@ int write_certificate(mbedtls_x509write_cert *crt, const char *output_file, return 0; } +/* + * Convert the input "in_buff" string to a raw byte array "out_buff". The amount + * of converted data is returned on "written_data". + */ +static int parse_serial(const char *in_buff, size_t in_buff_len, + unsigned char *out_buff, size_t out_buff_len, + size_t *written_data) +{ + char c; + unsigned char val; + int i; + + if (out_buff_len < in_buff_len) { + return -1; + } + + *written_data = 0; + + for (i = 0; i < (int) in_buff_len; i++, (*written_data)++) { + c = in_buff[i]; + if (c >= 0x30 && c <= 0x39) { + val = c - 0x30; + } else if (c >= 0x41 && c <= 0x46) { + val = c - 0x37; + } else if (c >= 0x61 && c <= 0x66) { + val = c - 0x57; + } else { + return -1; + } + + out_buff[i] = val; + } + + return 0; +} + int main(int argc, char *argv[]) { int ret = 1; @@ -252,7 +288,8 @@ int main(int argc, char *argv[]) mbedtls_x509_csr csr; #endif mbedtls_x509write_cert crt; - mbedtls_mpi serial; + unsigned char serial[MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN]; + size_t serial_len; mbedtls_asn1_sequence *ext_key_usage; mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; @@ -264,7 +301,6 @@ int main(int argc, char *argv[]) mbedtls_x509write_crt_init(&crt); mbedtls_pk_init(&loaded_issuer_key); mbedtls_pk_init(&loaded_subject_key); - mbedtls_mpi_init(&serial); mbedtls_ctr_drbg_init(&ctr_drbg); mbedtls_entropy_init(&entropy); #if defined(MBEDTLS_X509_CSR_PARSE_C) @@ -514,15 +550,6 @@ usage: mbedtls_printf(" . Reading serial number..."); fflush(stdout); -#if defined(MBEDTLS_BIGNUM_C) - if ((ret = mbedtls_mpi_read_string(&serial, 10, opt.serial)) != 0) { - mbedtls_strerror(ret, buf, sizeof(buf)); - mbedtls_printf(" failed\n ! mbedtls_mpi_read_string " - "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf); - goto exit; - } -#endif - mbedtls_printf(" ok\n"); // Parse issuer certificate if present @@ -663,24 +690,18 @@ usage: mbedtls_x509write_crt_set_version(&crt, opt.version); mbedtls_x509write_crt_set_md_alg(&crt, opt.md); -#if defined(MBEDTLS_BIGNUM_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) - ret = mbedtls_x509write_crt_set_serial(&crt, &serial); - if (ret != 0) { - mbedtls_strerror(ret, buf, sizeof(buf)); - mbedtls_printf(" failed\n ! mbedtls_x509write_crt_set_serial " - "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf); + if (parse_serial(opt.serial, strlen(opt.serial), + serial, sizeof(serial), &serial_len) < 0) { + mbedtls_printf(" failed\n ! Unable to parse serial\n\n"); goto exit; } -#else - ret = mbedtls_x509write_crt_set_serial_new(&crt, opt.serial, - strlen(opt.serial)); + ret = mbedtls_x509write_crt_set_serial_new(&crt, serial, serial_len); if (ret != 0) { mbedtls_strerror(ret, buf, sizeof(buf)); mbedtls_printf(" failed\n ! mbedtls_x509write_crt_set_serial_new " "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf); goto exit; } -#endif ret = mbedtls_x509write_crt_set_validity(&crt, opt.not_before, opt.not_after); if (ret != 0) { @@ -820,7 +841,6 @@ exit: mbedtls_x509write_crt_free(&crt); mbedtls_pk_free(&loaded_subject_key); mbedtls_pk_free(&loaded_issuer_key); - mbedtls_mpi_free(&serial); mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_entropy_free(&entropy); From aad8dbd38d7078574997f2b516e6fd246e9f5588 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 9 Jan 2023 17:20:25 +0100 Subject: [PATCH 06/17] test: fix tests for x509write_crt_set_serial(_new) Signed-off-by: Valerio Setti --- tests/suites/test_suite_x509write.data | 49 ++++++++++---------- tests/suites/test_suite_x509write.function | 52 ++++++++++++++++++---- 2 files changed, 69 insertions(+), 32 deletions(-) diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index c55c9d1ed7..6cfbf24471 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -60,95 +60,95 @@ x509_csr_check_opaque:"data_files/server5.key":MBEDTLS_MD_SHA256:MBEDTLS_X509_KU Certificate write check Server1 SHA1 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.crt":0:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.crt":0:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, not before 1970 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"19700210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"19700210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, not after 2050 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, not before 1970, not after 2050 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"19700210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"19700210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, not before 2050, not after 2059 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20500210144406":"20590210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20500210144406":"20590210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, key_usage depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"data_files/server1.key_usage.crt":0:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"data_files/server1.key_usage.crt":0:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, one ext_key_usage depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:"serverAuth":0:0:1:-1:"data_files/server1.key_ext_usage.crt":0:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:"serverAuth":0:0:1:-1:"data_files/server1.key_ext_usage.crt":0:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, two ext_key_usages depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:"codeSigning,timeStamping":0:0:1:-1:"data_files/server1.key_ext_usages.crt":0:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:"codeSigning,timeStamping":0:0:1:-1:"data_files/server1.key_ext_usages.crt":0:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, ns_cert_type depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":0:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":0:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, version 1 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, CA depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.ca.crt":0:1:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.ca.crt":0:1:"data_files/test-ca.crt" Certificate write check Server1 SHA1, RSA_ALT depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"data_files/server1.noauthid.crt":1:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"data_files/server1.noauthid.crt":1:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, RSA_ALT, key_usage depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, RSA_ALT, ns_cert_type depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0:-1:"data_files/server1.cert_type_noauthid.crt":1:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0:-1:"data_files/server1.cert_type_noauthid.crt":1:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, RSA_ALT, version 1 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, RSA_ALT, CA depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"data_files/server1.ca_noauthid.crt":1:1:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"data_files/server1.ca_noauthid.crt":1:1:"data_files/test-ca.crt" Certificate write check Server1 SHA1, Opaque depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.crt":2:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.crt":2:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, Opaque, key_usage depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"data_files/server1.key_usage.crt":2:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"data_files/server1.key_usage.crt":2:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, Opaque, ns_cert_type depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":2:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":2:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, Opaque, version 1 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":2:0:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":2:0:"data_files/test-ca.crt" Certificate write check Server1 SHA1, Opaque, CA depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.ca.crt":2:1:"data_files/test-ca.crt" +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.ca.crt":2:1:"data_files/test-ca.crt" Certificate write check Server5 ECDSA depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED -x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"data_files/server5.crt":0:0:"data_files/test-ca2.crt" +x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"data_files/server5.crt":0:0:"data_files/test-ca2.crt" Certificate write check Server5 ECDSA, Opaque depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_USE_PSA_CRYPTO -x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"":2:0:"data_files/test-ca2.crt" +x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"":2:0:"data_files/test-ca2.crt" X509 String to Names #1 mbedtls_x509_string_to_names:"C=NL,O=Offspark\, Inc., OU=PolarSSL":"C=NL, O=Offspark\, Inc., OU=PolarSSL":0 @@ -167,3 +167,6 @@ mbedtls_x509_string_to_names:"C=NL, O=Offspark\a Inc., OU=PolarSSL":"":MBEDTLS_E X509 String to Names #6 (Escape at end) mbedtls_x509_string_to_names:"C=NL, O=Offspark\":"":MBEDTLS_ERR_X509_INVALID_NAME + +Check max serial length +x509_set_serial_check: \ No newline at end of file diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index e09c4c5dc3..c9a38d6532 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -300,7 +300,7 @@ exit: void x509_crt_check(char *subject_key_file, char *subject_pwd, char *subject_name, char *issuer_key_file, char *issuer_pwd, char *issuer_name, - char *serial_str, char *not_before, char *not_after, + data_t *serial_arg, char *not_before, char *not_after, int md_type, int key_usage, int set_key_usage, char *ext_key_usage, int cert_type, int set_cert_type, int auth_ident, @@ -315,7 +315,9 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, unsigned char check_buf[5000]; unsigned char *p, *end; unsigned char tag, sz; - mbedtls_mpi serial; +#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C) + mbedtls_mpi serial_mpi; +#endif int ret, before_tag, after_tag; size_t olen = 0, pem_len = 0, buf_index = 0; int der_len = -1; @@ -327,7 +329,9 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, mbedtls_pk_type_t issuer_key_type; memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info)); - mbedtls_mpi_init(&serial); +#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C) + mbedtls_mpi_init(&serial_mpi); +#endif USE_PSA_INIT(); @@ -388,12 +392,14 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, mbedtls_x509write_crt_set_version(&crt, ver); } -#if defined(MBEDTLS_BIGNUM_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) - TEST_ASSERT(mbedtls_test_read_mpi(&serial, serial_str) == 0); - TEST_ASSERT(mbedtls_x509write_crt_set_serial(&crt, &serial) == 0); +#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C) + /* Try to set an invalid */ + TEST_ASSERT(mbedtls_mpi_read_binary(&serial_mpi, serial_arg->x, + serial_arg->len) == 0); + TEST_ASSERT(mbedtls_x509write_crt_set_serial(&crt, &serial_mpi) == 0); #else - TEST_ASSERT(mbedtls_x509write_crt_set_serial_new(&crt, serial_str, - strlen(serial_str)) == 0); + TEST_ASSERT(mbedtls_x509write_crt_set_serial_new(&crt, serial_arg->x, + serial_arg->len) == 0); #endif TEST_ASSERT(mbedtls_x509write_crt_set_validity(&crt, not_before, not_after) == 0); @@ -553,7 +559,9 @@ exit: mbedtls_pk_free(&issuer_key_alt); mbedtls_pk_free(&subject_key); mbedtls_pk_free(&issuer_key); - mbedtls_mpi_free(&serial); +#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C) + mbedtls_mpi_free(&serial_mpi); +#endif #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_destroy_key(key_id); #endif @@ -561,6 +569,32 @@ exit: } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_WRITE_C */ +void x509_set_serial_check() +{ + mbedtls_x509write_cert ctx; + uint8_t invalid_serial[MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN + 1]; + + memset(invalid_serial, 0x01, sizeof(invalid_serial)); + +#if defined(MBEDTLS_BIGNUM_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) + mbedtls_mpi serial_mpi; + + mbedtls_mpi_init(&serial_mpi); + TEST_EQUAL(mbedtls_mpi_read_binary(&serial_mpi, invalid_serial, + sizeof(invalid_serial)), 0); + TEST_EQUAL(mbedtls_x509write_crt_set_serial(&ctx, &serial_mpi), + MBEDTLS_ERR_X509_BAD_INPUT_DATA); + mbedtls_mpi_free(&serial_mpi); +#endif + + TEST_EQUAL(mbedtls_x509write_crt_set_serial_new(&ctx, invalid_serial, + sizeof(invalid_serial)), + MBEDTLS_ERR_X509_BAD_INPUT_DATA); + +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_X509_CREATE_C:MBEDTLS_X509_USE_C */ void mbedtls_x509_string_to_names(char *name, char *parsed_name, int result ) From ea19d2db733198e4cfbbbf36da372290eb6db11b Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 9 Jan 2023 17:21:17 +0100 Subject: [PATCH 07/17] changelog: fixed typos Signed-off-by: Valerio Setti --- .../improve_x509_cert_writing_serial_number_management.txt | 2 +- tests/suites/test_suite_x509write.data | 2 +- tests/suites/test_suite_x509write.function | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt b/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt index 64d1b279a4..17286b007f 100644 --- a/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt +++ b/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt @@ -7,4 +7,4 @@ Bugfix New deprecations * mbedtls_x509write_crt_set_serial() is now being deprecated in favor of mbedtls_x509write_crt_set_serial_new(). The goal here is to remove any - direct dependency of X509 from BIGNUM_C. + direct dependency of X509 on BIGNUM_C. diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index 6cfbf24471..a986436cd2 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -169,4 +169,4 @@ X509 String to Names #6 (Escape at end) mbedtls_x509_string_to_names:"C=NL, O=Offspark\":"":MBEDTLS_ERR_X509_INVALID_NAME Check max serial length -x509_set_serial_check: \ No newline at end of file +x509_set_serial_check: diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index c9a38d6532..d321bd3867 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -577,7 +577,7 @@ void x509_set_serial_check() memset(invalid_serial, 0x01, sizeof(invalid_serial)); -#if defined(MBEDTLS_BIGNUM_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) +#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C) mbedtls_mpi serial_mpi; mbedtls_mpi_init(&serial_mpi); From 746def5adeb3aa1a41d144dff1c77e57eb434937 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 10 Jan 2023 11:46:34 +0100 Subject: [PATCH 08/17] x509: renaming of buffer variables in new serial setting function Signed-off-by: Valerio Setti --- include/mbedtls/x509_crt.h | 11 +++++------ library/x509write_crt.c | 9 ++++----- 2 files changed, 9 insertions(+), 11 deletions(-) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index f88e8cc2c9..56cc56be0d 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -1012,18 +1012,17 @@ int MBEDTLS_DEPRECATED mbedtls_x509write_crt_set_serial( /** * \brief Set the serial number for a Certificate. * - * \param ctx CRT context to use - * \param serial_buff A raw array of bytes containing the serial number - * in big endian format - * \param serial_buff_len Length of the previous input buffer buffer + * \param ctx CRT context to use + * \param serial A raw array of bytes containing the serial number in big + * endian format + * \param serial_len Length of the previous input buffer buffer * * \return 0 if successful, or * MBEDTLS_ERR_X509_BAD_INPUT_DATA if the provided input buffer * is too big (longer than MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) */ int mbedtls_x509write_crt_set_serial_new(mbedtls_x509write_cert *ctx, - unsigned char *serial_buff, - size_t serial_buff_len); + unsigned char *serial, size_t serial_len); /** * \brief Set the validity period for a Certificate diff --git a/library/x509write_crt.c b/library/x509write_crt.c index da9ef6c12c..5cd1e30d4b 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -131,15 +131,14 @@ int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, #endif // MBEDTLS_BIGNUM_C && !MBEDTLS_DEPRECATED_REMOVED int mbedtls_x509write_crt_set_serial_new(mbedtls_x509write_cert *ctx, - unsigned char *serial_buff, - size_t serial_buff_len) + unsigned char *serial, size_t serial_len) { - if (serial_buff_len > MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) { + if (serial_len > MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) { return MBEDTLS_ERR_X509_BAD_INPUT_DATA; } - ctx->serial_len = serial_buff_len; - memcpy(ctx->serial, serial_buff, serial_buff_len); + ctx->serial_len = serial_len; + memcpy(ctx->serial, serial, serial_len); return 0; } From b8dc18f3b63e2886a891ba7345ab4e877c43f0c5 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 10 Jan 2023 14:55:31 +0100 Subject: [PATCH 09/17] test: fix: remove invalid comment Signed-off-by: Valerio Setti --- tests/suites/test_suite_x509write.function | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index d321bd3867..5d68e16098 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -393,7 +393,6 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, } #if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C) - /* Try to set an invalid */ TEST_ASSERT(mbedtls_mpi_read_binary(&serial_mpi, serial_arg->x, serial_arg->len) == 0); TEST_ASSERT(mbedtls_x509write_crt_set_serial(&crt, &serial_mpi) == 0); From 4752aac11d21b7e0ec284d588f70a4d814f38ed6 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 10 Jan 2023 16:00:15 +0100 Subject: [PATCH 10/17] x509: enhancement and fixes - enhance mbedtls_x509write_crt_set_serial(): avoid use of useless temporary buffer - fix mbedtls_x509write_crt_der(): add an extra 0x00 byte at the beginning of serial if the MSb of serial is 1, as required from ASN.1 Signed-off-by: Valerio Setti --- library/x509write_crt.c | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 5cd1e30d4b..4725c5fe77 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -105,7 +105,6 @@ int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial) { int ret; - unsigned char tmp[MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN]; size_t tmp_len; /* Ensure that the MPI value fits into the buffer */ @@ -116,16 +115,11 @@ int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, ctx->serial_len = tmp_len; - ret = mbedtls_mpi_write_binary(serial, tmp, - MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN); + ret = mbedtls_mpi_write_binary(serial, ctx->serial, tmp_len); if (ret < 0) { return ret; } - /* Copy data to the internal structure skipping leading zeros */ - memcpy(ctx->serial, &tmp[MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN - tmp_len], - tmp_len); - return 0; } #endif // MBEDTLS_BIGNUM_C && !MBEDTLS_DEPRECATED_REMOVED @@ -540,14 +534,25 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, * Serial ::= INTEGER * * Written data is: - * - [ctx->serial_len] bytes for the raw serial buffer + * - "ctx->serial_len" bytes for the raw serial buffer + * - if MSb of "serial" is 1, then prepend an extra 0x00 byte * - 1 byte for the length * - 1 byte for the TAG */ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(&c, buf, ctx->serial, ctx->serial_len)); - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, - ctx->serial_len)); + if (*c & 0x80) { + if (c - buf < 1) { + return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; + } + *(c--) = 0x0; + len++; + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, + ctx->serial_len + 1)); + } else { + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, + ctx->serial_len)); + } MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_INTEGER)); From 791bbe629d1e525c7d98f2be771ef1f480e74007 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 11 Jan 2023 10:40:18 +0100 Subject: [PATCH 11/17] programs: improved cert_write serial management Now it can accept serial both as decimal and hex number (only one format at a time, of course, not simultaneously). Signed-off-by: Valerio Setti --- ..._cert_writing_serial_number_management.txt | 9 ++ programs/x509/cert_write.c | 95 +++++++++++++------ 2 files changed, 77 insertions(+), 27 deletions(-) diff --git a/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt b/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt index 17286b007f..29f16972c4 100644 --- a/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt +++ b/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt @@ -8,3 +8,12 @@ New deprecations * mbedtls_x509write_crt_set_serial() is now being deprecated in favor of mbedtls_x509write_crt_set_serial_new(). The goal here is to remove any direct dependency of X509 on BIGNUM_C. + +Changes + * programs/x509/cert_write: + - now it accepts the serial number in 2 different formats: decimal and + hex. They cannot be used simultaneously + - "serial" is used for the decimal format and it's limted in size to + unsigned long long int + - "serial_hex" is used for the hex format; max length here is + MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN*2 diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index 05d7677c78..d44c6f022d 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -43,10 +43,12 @@ int main(void) #include "mbedtls/ctr_drbg.h" #include "mbedtls/md.h" #include "mbedtls/error.h" +#include "test/helpers.h" #include #include #include +#include #define SET_OID(x, oid) \ do { x.len = MBEDTLS_OID_SIZE(oid); x.p = (unsigned char *) oid; } while (0) @@ -75,6 +77,7 @@ int main(void) #define DFL_NOT_BEFORE "20010101000000" #define DFL_NOT_AFTER "20301231235959" #define DFL_SERIAL "1" +#define DFL_SERIAL_HEX "1" #define DFL_SELFSIGN 0 #define DFL_IS_CA 0 #define DFL_MAX_PATHLEN -1 @@ -110,6 +113,13 @@ int main(void) " issuer_pwd=%%s default: (empty)\n" \ " output_file=%%s default: cert.crt\n" \ " serial=%%s default: 1\n" \ + " In decimal format; it can be used as\n" \ + " alternative to serial_hex, but it's\n" \ + " limited in max length to\n" \ + " unsigned long long int\n" \ + " serial_hex=%%s default: 1\n" \ + " In hex format; it can be used as\n" \ + " alternative to serial\n" \ " not_before=%%s default: 20010101000000\n" \ " not_after=%%s default: 20301231235959\n" \ " is_ca=%%d default: 0 (disabled)\n" \ @@ -159,6 +169,11 @@ int main(void) " format=pem|der default: pem\n" \ "\n" +typedef enum { + SERIAL_FRMT_UNSPEC, + SERIAL_FRMT_DEC, + SERIAL_FRMT_HEX +} serial_format_t; /* * global options @@ -175,7 +190,8 @@ struct options { const char *issuer_name; /* issuer name for certificate */ const char *not_before; /* validity period not before */ const char *not_after; /* validity period not after */ - const char *serial; /* serial number string */ + const char *serial; /* serial number string (decimal) */ + const char *serial_hex; /* serial number string (hex) */ int selfsign; /* selfsign the certificate */ int is_ca; /* is a CA certificate */ int max_pathlen; /* maximum CA path length */ @@ -235,37 +251,39 @@ int write_certificate(mbedtls_x509write_cert *crt, const char *output_file, return 0; } -/* - * Convert the input "in_buff" string to a raw byte array "out_buff". The amount - * of converted data is returned on "written_data". - */ -static int parse_serial(const char *in_buff, size_t in_buff_len, - unsigned char *out_buff, size_t out_buff_len, - size_t *written_data) +int parse_serial_decimal_format(unsigned char *obuf, size_t obufmax, + const char *ibuf, size_t *len) { - char c; + unsigned long long int dec; + unsigned int remaining_bytes = sizeof(dec); + unsigned char *p = obuf; unsigned char val; - int i; + char *end_ptr = NULL; - if (out_buff_len < in_buff_len) { + errno = 0; + dec = strtoull(ibuf, &end_ptr, 10); + + if ((errno != 0) || (end_ptr == ibuf)) { return -1; } - *written_data = 0; + *len = 0; - for (i = 0; i < (int) in_buff_len; i++, (*written_data)++) { - c = in_buff[i]; - if (c >= 0x30 && c <= 0x39) { - val = c - 0x30; - } else if (c >= 0x41 && c <= 0x46) { - val = c - 0x37; - } else if (c >= 0x61 && c <= 0x66) { - val = c - 0x57; - } else { + while (remaining_bytes > 0) { + if (obufmax < (*len + 1)) { return -1; } - out_buff[i] = val; + val = (dec >> ((remaining_bytes - 1) * 8)) & 0xFF; + + /* Skip leading zeros */ + if ((val) != 0) { + *p = val; + (*len)++; + p++; + } + + remaining_bytes--; } return 0; @@ -288,6 +306,7 @@ int main(int argc, char *argv[]) mbedtls_x509_csr csr; #endif mbedtls_x509write_cert crt; + serial_format_t serial_frmt = SERIAL_FRMT_UNSPEC; unsigned char serial[MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN]; size_t serial_len; mbedtls_asn1_sequence *ext_key_usage; @@ -308,6 +327,7 @@ int main(int argc, char *argv[]) #endif mbedtls_x509_crt_init(&issuer_crt); memset(buf, 0, sizeof(buf)); + memset(serial, 0, sizeof(serial)); if (argc == 0) { usage: @@ -327,6 +347,7 @@ usage: opt.not_before = DFL_NOT_BEFORE; opt.not_after = DFL_NOT_AFTER; opt.serial = DFL_SERIAL; + opt.serial_hex = DFL_SERIAL_HEX; opt.selfsign = DFL_SELFSIGN; opt.is_ca = DFL_IS_CA; opt.max_pathlen = DFL_MAX_PATHLEN; @@ -371,7 +392,19 @@ usage: } else if (strcmp(p, "not_after") == 0) { opt.not_after = q; } else if (strcmp(p, "serial") == 0) { + if (serial_frmt != SERIAL_FRMT_UNSPEC) { + mbedtls_printf("Invalid attempt to set the serial more than once\n"); + goto usage; + } + serial_frmt = SERIAL_FRMT_DEC; opt.serial = q; + } else if (strcmp(p, "serial_hex") == 0) { + if (serial_frmt != SERIAL_FRMT_UNSPEC) { + mbedtls_printf("Invalid attempt to set the serial more than once\n"); + goto usage; + } + serial_frmt = SERIAL_FRMT_HEX; + opt.serial_hex = q; } else if (strcmp(p, "authority_identifier") == 0) { opt.authority_identifier = atoi(q); if (opt.authority_identifier != 0 && @@ -550,6 +583,19 @@ usage: mbedtls_printf(" . Reading serial number..."); fflush(stdout); + if (serial_frmt == SERIAL_FRMT_HEX) { + ret = mbedtls_test_unhexify(serial, sizeof(serial), + opt.serial_hex, &serial_len); + } else { // SERIAL_FRMT_DEC || SERIAL_FRMT_UNSPEC + ret = parse_serial_decimal_format(serial, sizeof(serial), + opt.serial, &serial_len); + } + + if (ret != 0) { + mbedtls_printf(" failed\n ! Unable to parse serial\n"); + goto exit; + } + mbedtls_printf(" ok\n"); // Parse issuer certificate if present @@ -690,11 +736,6 @@ usage: mbedtls_x509write_crt_set_version(&crt, opt.version); mbedtls_x509write_crt_set_md_alg(&crt, opt.md); - if (parse_serial(opt.serial, strlen(opt.serial), - serial, sizeof(serial), &serial_len) < 0) { - mbedtls_printf(" failed\n ! Unable to parse serial\n\n"); - goto exit; - } ret = mbedtls_x509write_crt_set_serial_new(&crt, serial, serial_len); if (ret != 0) { mbedtls_strerror(ret, buf, sizeof(buf)); From 856cec45eb4d89fbf8adf71de322b3efce1d1dd9 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 12 Jan 2023 14:56:54 +0100 Subject: [PATCH 12/17] test: x509: add more tests for checking certificate serial - added 2 new certificates: 1 for testing a serial which is full lenght and another one for a serial which starts with 0x80 - added also proper Makefile and openssl configuration file to generate these 2 new certificates Signed-off-by: Valerio Setti --- library/x509write_crt.c | 2 +- tests/data_files/Makefile | 6 +++++ tests/data_files/server1.80serial.crt | 20 +++++++++++++++ tests/data_files/server1.long_serial.crt | 20 +++++++++++++++ .../test-ca.server1.test_serial.opensslconf | 25 +++++++++++++++++++ tests/suites/test_suite_x509write.data | 8 ++++++ 6 files changed, 80 insertions(+), 1 deletion(-) create mode 100644 tests/data_files/server1.80serial.crt create mode 100644 tests/data_files/server1.long_serial.crt create mode 100644 tests/data_files/test-ca.server1.test_serial.opensslconf diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 4725c5fe77..bac849f09e 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -545,7 +545,7 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, if (c - buf < 1) { return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; } - *(c--) = 0x0; + *(--c) = 0x0; len++; MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, ctx->serial_len + 1)); diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 388b0ce413..340d95190c 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -972,6 +972,12 @@ test_ca_server1_config_file = test-ca.server1.opensslconf server1.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa) $(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@ +server1.long_serial.crt: server1.long_serial.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa) + echo "112233445566778899aabbccddeeff0011223344" > test-ca.server1.tmp.serial + $(OPENSSL) ca -in server1.req.sha256 -key PolarSSLTest -config test-ca.server1.test_serial.opensslconf -notext -batch -out $@ +server1.80serial.crt: server1.long_serial.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa) + echo "8011223344" > test-ca.server1.tmp.serial + $(OPENSSL) ca -in server1.req.sha256 -key PolarSSLTest -config test-ca.server1.test_serial.opensslconf -notext -batch -out $@ server1.noauthid.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa) $(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA1 authority_identifier=0 version=3 output_file=$@ server1.crt.der: server1.crt diff --git a/tests/data_files/server1.80serial.crt b/tests/data_files/server1.80serial.crt new file mode 100644 index 0000000000..3ce8570ea2 --- /dev/null +++ b/tests/data_files/server1.80serial.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDRDCCAiygAwIBAgIGAIARIjNEMA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNVBAYT +Ak5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBD +QTAeFw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMDwxCzAJBgNVBAYTAk5M +MREwDwYDVQQKDAhQb2xhclNTTDEaMBgGA1UEAwwRUG9sYXJTU0wgU2VydmVyIDEw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpAh89QGrVVVOL/TbugmUu +FWFeib+46EWQ2+6IFlLT8UNQR5YSWWSHa/0r4Eb5c77dz5LhkVvtZqBviSl5RYDQ +g2rVQUN3Xzl8CQRHgrBXOXDto+wVGR6oMwhHwQVCqf1Mw7Tf3QYfTRBRQGdzEw9A ++G2BJV8KsVPGMH4VOaz5Wu5/kp6mBVvnE5eFtSOS2dQkBtUJJYl1B92mGo8/CRm+ +rWUsZOuVm9z+QV4XptpsW2nMAroULBYknErczdD3Umdz8S2gI/1+9DHKLXDKiQsE +2y6mT3Buns69WIniU1meblqSZeKIPwyUGaPd5eidlRPtKdurcBLcWsprF6tSglSx +AgMBAAGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFB901j8pwXR0RTsFEiw9qL1D +WQKmMB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEB +BQUAA4IBAQBJKeTUCctb/wCxBte2AIiaTfATzukTVtGhKkdy3cY6U2DVSXc+s+jr +Kut8AYnjp1T6bho98RHbbk+hu+0gBWL2ysJd1+slLBUEotUMTkzgA1YdBXy9J/eM +HJ2a0ydFll/m2rXx7RRJWSbcgPZxQLDfollnNVfhcb75O3GsT3YfEIsjLmon7NHr +rJmTp773trg0cNJ6j5dKMA/2SQH5PL1cmcFgNfVZ+etNRIhwpIQYySWJ/468Mcg5 +ZKPY6nubIIj+HPB3Mhy8d9U3gAJvc9iEdzbKjrkJdVROONsyMYge4vnbjyKUr7/m +ZN1O6pZy9Fvgbdhvx4ZHpfgEsa1qfLCH +-----END CERTIFICATE----- diff --git a/tests/data_files/server1.long_serial.crt b/tests/data_files/server1.long_serial.crt new file mode 100644 index 0000000000..1bd6955a4b --- /dev/null +++ b/tests/data_files/server1.long_serial.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDUjCCAjqgAwIBAgIUESIzRFVmd4iZqrvM3e7/ABEiM0QwDQYJKoZIhvcNAQEF +BQAwOzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQ +b2xhclNTTCBUZXN0IENBMB4XDTE5MDIxMDE0NDQwNloXDTI5MDIxMDE0NDQwNlow +PDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRowGAYDVQQDDBFQb2xh +clNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkC +Hz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3P +kuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzD +tN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG +1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQsFiScStzN0PdSZ3Px +LaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p +26twEtxaymsXq1KCVLECAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUH3TW +PynBdHRFOwUSLD2ovUNZAqYwHwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH +/f8wDQYJKoZIhvcNAQEFBQADggEBAC9qt4BC8zKb5o00ZVtTX0XYKWchHKYSrHk2 +r+zfW8pRcSaTGRTtMGkF7vozFrCX4Pr4vCKXOYFKQ/UEpWv5WzW7nB0+Ja0g4gnc +9bLtg51n+IIG93ITGDm5+9YpsX6HsXSBpfY0vo9TwKg3bG1X26WG8j6m+V684hwV +yveRUIrSvvgVJOBSe5rhn/pLmcpbI0nkPBGlqPd10qWc0RYSrSAa3bq/dpoqR7hY +BGbbV1/9IgFhr2r44R17bhqevK3VhK4KOPRT5VMXjTh1iG4L13lIxBIuu+Lw0Pc0 +s+gQTGntA/sZkijC7mw0/q3nsRDKhHHXTDf2gjdUhMvFwYzmKBI= +-----END CERTIFICATE----- diff --git a/tests/data_files/test-ca.server1.test_serial.opensslconf b/tests/data_files/test-ca.server1.test_serial.opensslconf new file mode 100644 index 0000000000..43a520ee29 --- /dev/null +++ b/tests/data_files/test-ca.server1.test_serial.opensslconf @@ -0,0 +1,25 @@ + [ ca ] + default_ca = test-ca + + [ test-ca ] + certificate = test-ca.crt + private_key = test-ca.key + serial = test-ca.server1.tmp.serial + default_md = sha1 + default_startdate = 20190210144406Z + default_enddate = 20290210144406Z + x509_extensions = v3_ca + new_certs_dir = ./ + database = ./test-ca.server1.db + policy = policy_match + unique_subject = no + + [v3_ca] + basicConstraints = CA:false + subjectKeyIdentifier=hash + authorityKeyIdentifier=keyid:always + + [policy_match] + countryName = supplied + organizationName = supplied + commonName = supplied diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index a986436cd2..b5e07f5456 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -142,6 +142,14 @@ Certificate write check Server1 SHA1, Opaque, CA depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.ca.crt":2:1:"data_files/test-ca.crt" +Certificate write check Server1 SHA1, Full length serial +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"112233445566778899aabbccddeeff0011223344":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.long_serial.crt":0:0:"data_files/test-ca.crt" + +Certificate write check Server1 SHA1, Serial starting with 0x80 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"8011223344":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.80serial.crt":0:0:"data_files/test-ca.crt" + Certificate write check Server5 ECDSA depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"data_files/server5.crt":0:0:"data_files/test-ca2.crt" From 48fdbb39402551eb5a9b36a8e753918175728982 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 12 Jan 2023 15:31:35 +0100 Subject: [PATCH 13/17] programs: cert_write: fixed bug in parsing dec serial Signed-off-by: Valerio Setti --- programs/x509/cert_write.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index d44c6f022d..13debceaed 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -277,7 +277,7 @@ int parse_serial_decimal_format(unsigned char *obuf, size_t obufmax, val = (dec >> ((remaining_bytes - 1) * 8)) & 0xFF; /* Skip leading zeros */ - if ((val) != 0) { + if ((val != 0) || (*len != 0)) { *p = val; (*len)++; p++; From af4815c6a48a112661c4465a10c28e4f4a564b30 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 26 Jan 2023 17:43:09 +0100 Subject: [PATCH 14/17] x509: replace/fix name of new function for setting serial Signed-off-by: Valerio Setti --- .../improve_x509_cert_writing_serial_number_management.txt | 2 +- include/mbedtls/x509_crt.h | 4 ++-- library/x509write_crt.c | 2 +- programs/x509/cert_write.c | 4 ++-- tests/suites/test_suite_x509write.function | 4 ++-- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt b/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt index 29f16972c4..1764c2f64e 100644 --- a/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt +++ b/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt @@ -6,7 +6,7 @@ Bugfix New deprecations * mbedtls_x509write_crt_set_serial() is now being deprecated in favor of - mbedtls_x509write_crt_set_serial_new(). The goal here is to remove any + mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any direct dependency of X509 on BIGNUM_C. Changes diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 56cc56be0d..157e3a68c5 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -993,7 +993,7 @@ void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version) * * \deprecated This function is deprecated and will be removed in a * future version of the library. Please use - * mbedtls_x509write_crt_set_serial_new() instead. + * mbedtls_x509write_crt_set_serial_raw() instead. * * \note Even though the MBEDTLS_BIGNUM_C guard looks redundant since * X509 depends on PK and PK depends on BIGNUM, this emphasizes @@ -1021,7 +1021,7 @@ int MBEDTLS_DEPRECATED mbedtls_x509write_crt_set_serial( * MBEDTLS_ERR_X509_BAD_INPUT_DATA if the provided input buffer * is too big (longer than MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) */ -int mbedtls_x509write_crt_set_serial_new(mbedtls_x509write_cert *ctx, +int mbedtls_x509write_crt_set_serial_raw(mbedtls_x509write_cert *ctx, unsigned char *serial, size_t serial_len); /** diff --git a/library/x509write_crt.c b/library/x509write_crt.c index bac849f09e..4f233953c3 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -124,7 +124,7 @@ int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, } #endif // MBEDTLS_BIGNUM_C && !MBEDTLS_DEPRECATED_REMOVED -int mbedtls_x509write_crt_set_serial_new(mbedtls_x509write_cert *ctx, +int mbedtls_x509write_crt_set_serial_raw(mbedtls_x509write_cert *ctx, unsigned char *serial, size_t serial_len) { if (serial_len > MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) { diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index 13debceaed..287dd344ab 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -736,10 +736,10 @@ usage: mbedtls_x509write_crt_set_version(&crt, opt.version); mbedtls_x509write_crt_set_md_alg(&crt, opt.md); - ret = mbedtls_x509write_crt_set_serial_new(&crt, serial, serial_len); + ret = mbedtls_x509write_crt_set_serial_raw(&crt, serial, serial_len); if (ret != 0) { mbedtls_strerror(ret, buf, sizeof(buf)); - mbedtls_printf(" failed\n ! mbedtls_x509write_crt_set_serial_new " + mbedtls_printf(" failed\n ! mbedtls_x509write_crt_set_serial_raw " "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf); goto exit; } diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 5d68e16098..24094ec6a3 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -397,7 +397,7 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, serial_arg->len) == 0); TEST_ASSERT(mbedtls_x509write_crt_set_serial(&crt, &serial_mpi) == 0); #else - TEST_ASSERT(mbedtls_x509write_crt_set_serial_new(&crt, serial_arg->x, + TEST_ASSERT(mbedtls_x509write_crt_set_serial_raw(&crt, serial_arg->x, serial_arg->len) == 0); #endif TEST_ASSERT(mbedtls_x509write_crt_set_validity(&crt, not_before, @@ -587,7 +587,7 @@ void x509_set_serial_check() mbedtls_mpi_free(&serial_mpi); #endif - TEST_EQUAL(mbedtls_x509write_crt_set_serial_new(&ctx, invalid_serial, + TEST_EQUAL(mbedtls_x509write_crt_set_serial_raw(&ctx, invalid_serial, sizeof(invalid_serial)), MBEDTLS_ERR_X509_BAD_INPUT_DATA); From 9b5e1da8f84a25ae6a552008d6b49b10aacf762f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 26 Jan 2023 17:49:10 +0100 Subject: [PATCH 15/17] fixing a typo in comment Signed-off-by: Valerio Setti --- include/mbedtls/x509_crt.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 157e3a68c5..7c3a6257c6 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -1015,7 +1015,8 @@ int MBEDTLS_DEPRECATED mbedtls_x509write_crt_set_serial( * \param ctx CRT context to use * \param serial A raw array of bytes containing the serial number in big * endian format - * \param serial_len Length of the previous input buffer buffer + * \param serial_len Length of valid bytes (expressed in bytes) in \p serial + * input buffer * * \return 0 if successful, or * MBEDTLS_ERR_X509_BAD_INPUT_DATA if the provided input buffer From a87f839113e217cd0551fffad693d38fce91ea4f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 26 Jan 2023 18:00:50 +0100 Subject: [PATCH 16/17] test: improve error handling in x509_set_serial_check() Signed-off-by: Valerio Setti --- tests/suites/test_suite_x509write.function | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 24094ec6a3..c719b9660a 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -584,13 +584,18 @@ void x509_set_serial_check() sizeof(invalid_serial)), 0); TEST_EQUAL(mbedtls_x509write_crt_set_serial(&ctx, &serial_mpi), MBEDTLS_ERR_X509_BAD_INPUT_DATA); - mbedtls_mpi_free(&serial_mpi); #endif TEST_EQUAL(mbedtls_x509write_crt_set_serial_raw(&ctx, invalid_serial, sizeof(invalid_serial)), MBEDTLS_ERR_X509_BAD_INPUT_DATA); +exit: +#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C) + mbedtls_mpi_free(&serial_mpi); +#else + ; +#endif } /* END_CASE */ From 18b9b035ada7a1fd63835bc7d7f1adfb37de44b8 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 27 Jan 2023 11:47:57 +0100 Subject: [PATCH 17/17] test: add test for a full length serial of 0xFF Signed-off-by: Valerio Setti --- tests/data_files/Makefile | 7 +++++-- tests/data_files/server1.long_serial_FF.crt | 20 ++++++++++++++++++++ tests/suites/test_suite_x509write.data | 4 ++++ 3 files changed, 29 insertions(+), 2 deletions(-) create mode 100644 tests/data_files/server1.long_serial_FF.crt diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 340d95190c..9c7a95d10a 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -972,12 +972,15 @@ test_ca_server1_config_file = test-ca.server1.opensslconf server1.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa) $(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@ -server1.long_serial.crt: server1.long_serial.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa) +server1.long_serial.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa) echo "112233445566778899aabbccddeeff0011223344" > test-ca.server1.tmp.serial $(OPENSSL) ca -in server1.req.sha256 -key PolarSSLTest -config test-ca.server1.test_serial.opensslconf -notext -batch -out $@ -server1.80serial.crt: server1.long_serial.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa) +server1.80serial.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa) echo "8011223344" > test-ca.server1.tmp.serial $(OPENSSL) ca -in server1.req.sha256 -key PolarSSLTest -config test-ca.server1.test_serial.opensslconf -notext -batch -out $@ +server1.long_serial_FF.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa) + echo "ffffffffffffffffffffffffffffffff" > test-ca.server1.tmp.serial + $(OPENSSL) ca -in server1.req.sha256 -key PolarSSLTest -config test-ca.server1.test_serial.opensslconf -notext -batch -out $@ server1.noauthid.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa) $(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA1 authority_identifier=0 version=3 output_file=$@ server1.crt.der: server1.crt diff --git a/tests/data_files/server1.long_serial_FF.crt b/tests/data_files/server1.long_serial_FF.crt new file mode 100644 index 0000000000..8094fd7d6d --- /dev/null +++ b/tests/data_files/server1.long_serial_FF.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDTzCCAjegAwIBAgIRAP////////////////////8wDQYJKoZIhvcNAQEFBQAw +OzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xh +clNTTCBUZXN0IENBMB4XDTE5MDIxMDE0NDQwNloXDTI5MDIxMDE0NDQwNlowPDEL +MAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRowGAYDVQQDDBFQb2xhclNT +TCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkCHz1A +atVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3PkuGR +W+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzDtN/d +Bh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG1Qkl +iXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQsFiScStzN0PdSZ3PxLaAj +/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p26tw +EtxaymsXq1KCVLECAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUH3TWPynB +dHRFOwUSLD2ovUNZAqYwHwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8w +DQYJKoZIhvcNAQEFBQADggEBADYfhZU2lWxBamt7m3A4XQj6bZ4BZlabv5IbLI32 +nej6w/6/gsXPI85nfZqpIn6IYwAeDRdJo/eUqYkIdoy5DEP+50pgCGJK5HAoBWVJ +THKeVJn/vPH3Dz/CaCYQoHTmSi+ChfIhPh84UUdfVpv2qNInII4RxFlSAHUkRMbV +BX6imMSD5M508G6vWGUUc6G/sx/s7vtVeGGPyNOQPgwMTes60Mewpu9LKKaSwfqQ +DgEa8WzxPrPEyOUiIp7ClwlXe3JECHIjm445qmENgfY/8tlsyAdYKSkotfiuoUWb +daylD6QVUXn67loYDPZALghpDxmSm21VE7feTWOUbOpe14U= +-----END CERTIFICATE----- diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index b5e07f5456..885ba006e8 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -150,6 +150,10 @@ Certificate write check Server1 SHA1, Serial starting with 0x80 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"8011223344":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.80serial.crt":0:0:"data_files/test-ca.crt" +Certificate write check Server1 SHA1, All 0xFF full length serial +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"ffffffffffffffffffffffffffffffff":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.long_serial_FF.crt":0:0:"data_files/test-ca.crt" + Certificate write check Server5 ECDSA depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"data_files/server5.crt":0:0:"data_files/test-ca2.crt"