mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-02-11 18:40:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
31,077 Commits 170 Branches 263 Tags
Commit Graph

227 Commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
0e7aaae1fd
Merge pull request #9017 from valeriosetti/issue9010 
Improve generate_test_keys.py
 2024-05-07 11:59:54 +00:00
Valerio Setti
8284f3dcbc test: automatically generate test_certs.h and test_keys.h 
Ensure that when tests are built also test_certs.h and
test_keys.h are generated.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2024-04-29 17:14:50 +02:00
Valerio Setti
270dcd15d9 tests: update Makefile to generate tests/src/test_keys.h 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2024-04-29 17:14:50 +02:00
Gilles Peskine
014a63b2cf Convert recent RSA key files in PEM format from PKCS8 to PKCS1 
Like `openssl rsa`, `openssl genrsa` changed its output format from PKCS8 to
PKCS1 in OpenSSL 3.0. Note that the makefile instructions assume older
OpenSSL. Convert the files that were generated with OpenSSL 3.x and hence
were not in the intended format. The files are converted, not regenerated,
so the key material is the same.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2024-04-26 11:51:08 +02:00
Gilles Peskine
0652b62d5e Fix rsa_pkcs1_*_clear.der to actually be PKCS#1 files 
With OpenSSL 3.0.2 (which I used to generate the previous set of "pkcs1" DER
files), the output of `openssl rsa -outform DER` is actually a
PKCS#8-encoded key, despite what the documentation says. This is a change
from OpenSSL 1.x, where the output is a PKCS#1-encoded key. OpenSSL 3.0.8
documents the output as PKCS#8.

Change to `openssl pkey`, which seems more reliable. The documentation
states that the output is PKCS#8, but the output is actually consistently
PKCS#1 at least from 1.0.2g to 3.3.0.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2024-04-25 16:32:38 +02:00
Gilles Peskine
9c3ebe30b8 Add some test RSA keys of sizes 768 and up 
These are sufficiently large for PKCS#1v1.5 signature with SHA-512 or
SHA3-512. Cover some non-word-aligned sizes.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2024-04-24 16:21:59 +02:00
Gilles Peskine
b612f9fe7c Cleartext RSA keys: also make DER formats available 
We can use DER keys in builds without PEM, so it's good to have them around.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2024-04-24 16:21:19 +02:00
Ronald Cron
9785cf1821 Add RSA key certificates 
Add RSA key certificates using SHA256
instead of SHA1 for the signature
algorithm. Those are needed for some
TLS 1.3 compatibility tests with OpenSSL 3
to avoid having to enable in OpenSSL 3
the support for the deprecated SHA-1 based
signature algorithms.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-04-02 14:28:35 +02:00
Ryan Everett
791fc2e24c Merge remote-tracking branch 'upstream/development' into pkcs5_aes_new 
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
 2024-02-08 14:26:29 +00:00
Ryan Everett
d00a138075 Change test data for pkparse aes 
Test data generated using openSSL with:
openssl pkcs8 -topk8 -v2 $ENC -v2prf hmacWithSHA384 -inform PEM
-in $IN -outform PEM -out $OUT -passout "pass:PolarSSLTest"

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
 2024-01-11 17:23:15 +00:00
Gilles Peskine
885bcfc9d0
Merge pull request #7649 from yuhaoth/pr/add-command-for-server9-bad-saltlen 
Add command for server9-bad-saltlen
 2023-11-20 14:07:19 +00:00
Pengyu Lv
2151ba55f6 test_suite_x509write: use plaintext key file 
Some test cases are using encrypted key file, thus have
dependency on low-level block cipher modules (e.g. AES).
This commit adds unencrypted key file so that we could
get rid of those dependencies.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-10-31 18:12:04 +08:00
Jerry Yu
6f21dd5694 move script to tests/scripts 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-10-24 15:45:41 +08:00
Jerry Yu
2f3f968033 fix wrong typo and indent issue 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-10-18 15:07:10 +08:00
Jerry Yu
ca3790d653 Add server9-bad-saltlen generate command 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-10-18 15:07:09 +08:00
Gilles Peskine
3cea3efc25
Merge pull request #8025 from AgathiyanB/accept-numericoid-hexstring-x509 
Accept numericoid hexstring x509
 2023-09-13 08:54:33 +00:00
Gilles Peskine
2e38a0d603 More spelling corrections 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-12 19:19:31 +02:00
Agathiyan Bragadeesh
a0ba8aab2e Add test for non ascii x509 subject name 
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
 2023-08-22 10:39:56 +01:00
Agathiyan Bragadeesh
dba8a641fe Add and update tests for x509write and x509parse 
Due to change in handling non-ascii characters, existing tests had to be
updated to handle the new implementation. New tests and certificates
are added to test the escaping functionality in edge cases.

Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
 2023-08-22 10:39:52 +01:00
Gilles Peskine
d686c2a822
Merge pull request #7971 from AgathiyanB/fix-data-files-makefile 
Fix server1.crt.der in tests/data_files/Makefile
 2023-08-21 14:43:07 +00:00
Gilles Peskine
dbd13c3689
Merge pull request #7662 from lpy4105/issue/renew_cert_2027-01-01 
Updating crt/crl files due to expiry before 2027-01-01
 2023-08-17 15:38:35 +00:00
Gilles Peskine
d370f93898
Merge pull request #7898 from AndrzejKurek/csr-rfc822-dn 
OPC UA - add support for RFC822 and DirectoryName SubjectAltNames when generating CSR's
 2023-08-16 09:19:46 +00:00
Gilles Peskine
a79256472c
Merge pull request #7788 from marekjansta/fix-x509-ec-algorithm-identifier 
Fixed x509 certificate generation to conform to RFCs when using ECC key
 2023-08-07 19:14:54 +00:00
Agathiyan Bragadeesh
8dc913899d Fix server1.crt.der in makefile 
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
 2023-07-24 10:44:00 +01:00
Andrzej Kurek
34ccd8d0b6 Test x509 csr SAN DN and RFC822 generation 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2023-07-07 08:18:43 -04:00
Jerry Yu
4d31022d90 Add missed intermediate file 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-07-06 10:16:14 +08:00
Jerry Yu
c5b2e284fa Remove workaround code 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-07-06 10:16:10 +08:00
Jerry Yu
2ef2e78837 Add commands for test_certs.h 
And update target file

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-07-06 10:13:46 +08:00
Pengyu Lv
b687c03183 Fix the command for server9-sha*.crt 
The new command could generate
parse_input/server9-sha*.crt correctly.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-07-04 17:30:21 +08:00
Pengyu Lv
49c56e651d Add target for parse_input/cert_example_multi_nocn.crt 
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-07-04 17:30:21 +08:00
Pengyu Lv
19e949e644 Fix typo and long line format 
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-07-04 17:30:21 +08:00
Jerry Yu
59f392cd4d upgrade server9-bad-saltlen.crt 
Upgrade scripts
```python
import subprocess
from asn1crypto import pem, x509,core

output_filename="server9-bad-saltlen.crt"
tmp_filename="server9-bad-saltlen.crt.tmp"
tmp1_filename="server9-bad-saltlen.crt.tmp1"

subprocess.check_call(rf''' openssl x509 -req -extfile server5.crt.openssl.v3_ext \
        -passin "pass:PolarSSLTest" -CA test-ca.crt -CAkey test-ca.key \
        -set_serial 24 -days 3650 \
        -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:max \
        -sigopt rsa_mgf1_md:sha256 -sha256 \
        -in server9.csr -out {output_filename}
''',shell=True)

with open(output_filename,'rb') as f:
    _,_,der_bytes=pem.unarmor(f.read())
    target_certificate=x509.Certificate.load(der_bytes)

with open(tmp_filename,'wb') as f:
    f.write(target_certificate['tbs_certificate'].dump())

subprocess.check_call(rf'openssl dgst -sign test-ca.key -passin "pass:PolarSSLTest" \
                        -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 \
                        -sigopt rsa_mgf1_md:sha256 -out {tmp1_filename} {tmp_filename}',
                        shell=True)

with open(tmp1_filename,'rb') as f:
    signature_value= core.OctetBitString(f.read())

with open(output_filename,'wb') as f:
    target_certificate['signature_value']=signature_value
    f.write(pem.armor('CERTIFICATE',target_certificate.dump()))
```

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-07-04 17:30:21 +08:00
Pengyu Lv
8c40c573b2 Add server9-bad-{mgfhash,saltlen}.crt 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-07-04 17:30:21 +08:00
Pengyu Lv
b5ac935e44 Add rules to generate server9*.crt 
Except for server9-bad-saltlen.crt and
server9-bad-mgfhash.crt.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-07-04 17:30:21 +08:00
Jerry Yu
4ca9520582 Update server1-nospace.crt 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-07-04 17:30:21 +08:00
Jerry Yu
0efdfcbfd3 Update v1 crt files 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-07-04 17:30:21 +08:00
Pengyu Lv
e025cb2096 Add rules to generate cert_example_multi_nocn.crt 
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-07-04 17:30:21 +08:00
Pengyu Lv
1ca5c0eae9 Add rules to generate server5.[e]ku-*.crt 
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-07-04 17:30:21 +08:00
Pengyu Lv
0063599e6f Add rules to generate server2.ku-*.crt 
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-07-04 17:30:21 +08:00
Pengyu Lv
55ee7f8e13 Add rule for server2-badsign.crt 
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-07-04 17:30:21 +08:00
Jerry Yu
0f381fd02f Update test-ca2.ku-*.crt 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-07-04 17:30:21 +08:00
Pengyu Lv
5a1dbf3d6e Fix the rule for server5-ss-forgeca.crt 
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-07-04 17:30:21 +08:00
Jerry Yu
affc294dfe Add the rule and update server6-ss-child.crt 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-07-04 17:30:21 +08:00
Jerry Yu
4d69b29076 Update server5-selfsigned.crt 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-07-04 17:30:21 +08:00
Andrzej Kurek
78ecf41f22 Change spaces to a tab in a makefile recipe 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2023-06-30 08:42:05 -04:00
Andrzej Kurek
03478d2b90
Merge branch 'development' into issue/7816/add-commands-for-files-in-parse_input 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2023-06-30 14:38:05 +02:00
Pengyu Lv
18730ddbcf fix fragile way to refer to server1.req.sha256 
The original varible $< is fragile especially
when there are multiple rules for the same
target.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-06-30 00:23:13 +08:00
Pengyu Lv
ab266491f0 Make parse_input targets depend on files in parse_input if possible 
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-06-29 13:06:55 +08:00
Pengyu Lv
7d7c208647 fix the command of server5-sha%.crt 
This makes the rule could generate
parse_input/server5-sha*.crt correctly.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-06-29 10:36:44 +08:00
Pengyu Lv
a0350f7304 fix wrong dependency file path 
This commit is generated by below script
```
for i in `ls parse_input`; do
    if [ -f $i ]; then
        continue
    fi
    # Add parse_input/ prefix when $i is a dependency.
    sed -i "/:\(.*[^\/]\)$i/,/^$/s/$i/parse_input\/$i/g" Makefile
done
```

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-06-29 10:36:34 +08:00