From ad72ea02b3b5817bd5f91b6c578252e50cd7bcaf Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 13 Apr 2023 18:13:48 +0200 Subject: [PATCH 1/4] Improve testing of mbedtls_x509_crt_parse_file Check the number of certificates found, as was done in the test of mbedtls_x509_crt_parse_path(). Signed-off-by: Gilles Peskine --- tests/suites/test_suite_x509parse.data | 14 ++++++------ tests/suites/test_suite_x509parse.function | 26 ++++++++++++++++++++++ 2 files changed, 33 insertions(+), 7 deletions(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 685106babb2a..1a6e5f936a9b 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -1896,11 +1896,11 @@ x509parse_crt:"3081b030819aa0030201028204deadbeef300d06092a864886f70d01010b05003 X509 CRT ASN1 (inv extBasicConstraint, pathlen is INT_MAX) depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C -x509parse_crt_file:"data_files/server1_pathlen_int_max.crt":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_INVALID_LENGTH +mbedtls_x509_crt_parse_file:"data_files/server1_pathlen_int_max.crt":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_INVALID_LENGTH:0 X509 CRT ASN1 (pathlen is INT_MAX-1) depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C -x509parse_crt_file:"data_files/server1_pathlen_int_max-1.crt":0 +mbedtls_x509_crt_parse_file:"data_files/server1_pathlen_int_max-1.crt":0:1 X509 CRT ASN1 (TBS, inv extBasicConstraint, pathlen inv length encoding) depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C @@ -2858,23 +2858,23 @@ mbedtls_x509_csr_parse:"3008300602047fffffff":"":MBEDTLS_ERR_X509_UNKNOWN_VERSIO X509 File parse (no issues) depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C -x509parse_crt_file:"data_files/server7_int-ca.crt":0 +mbedtls_x509_crt_parse_file:"data_files/server7_int-ca.crt":0:2 X509 File parse (extra space in one certificate) depends_on:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_RSA_C -x509parse_crt_file:"data_files/server7_pem_space.crt":1 +mbedtls_x509_crt_parse_file:"data_files/server7_pem_space.crt":1:1 X509 File parse (all certificates fail) depends_on:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C -x509parse_crt_file:"data_files/server7_all_space.crt":MBEDTLS_ERR_PEM_INVALID_DATA + MBEDTLS_ERR_BASE64_INVALID_CHARACTER +mbedtls_x509_crt_parse_file:"data_files/server7_all_space.crt":MBEDTLS_ERR_PEM_INVALID_DATA + MBEDTLS_ERR_BASE64_INVALID_CHARACTER:0 X509 File parse (trailing spaces, OK) depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C -x509parse_crt_file:"data_files/server7_trailing_space.crt":0 +mbedtls_x509_crt_parse_file:"data_files/server7_trailing_space.crt":0:2 X509 File parse (Algorithm Params Tag mismatch) depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C -x509parse_crt_file:"data_files/cli-rsa-sha256-badalg.crt.der":MBEDTLS_ERR_X509_SIG_MISMATCH +mbedtls_x509_crt_parse_file:"data_files/cli-rsa-sha256-badalg.crt.der":MBEDTLS_ERR_X509_SIG_MISMATCH:0 X509 Get time (UTC no issues) depends_on:MBEDTLS_X509_USE_C diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 6831b0d4b240..c62ba80d3d43 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -1107,6 +1107,32 @@ exit: } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ +void mbedtls_x509_crt_parse_file(char *crt_path, int ret, int nb_crt) +{ + mbedtls_x509_crt chain, *cur; + int i; + + mbedtls_x509_crt_init(&chain); + USE_PSA_INIT(); + + TEST_EQUAL(mbedtls_x509_crt_parse_file(&chain, crt_path), ret); + + /* Check how many certs we got */ + for (i = 0, cur = &chain; cur != NULL; cur = cur->next) { + if (cur->raw.p != NULL) { + i++; + } + } + + TEST_EQUAL(i, nb_crt); + +exit: + mbedtls_x509_crt_free(&chain); + USE_PSA_DONE(); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ void mbedtls_x509_crt_parse_path(char *crt_path, int ret, int nb_crt) { From a4394d4be1fcde2df4deaa28095839a78267c351 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 13 Apr 2023 18:14:45 +0200 Subject: [PATCH 2/4] Document a known issue with testing of mbedtls_x509_crt_parse_path The parse_path tests are known to fail when compiled for a 32-btt architecture and run via qemu-user on Linux on a 64-bit host. This is due to a known bug in Qemu: https://gitlab.com/qemu-project/qemu/-/issues/263 Document this, and add test cases to parse the files involved to confirm that the problem is only with parse_path. Signed-off-by: Gilles Peskine --- tests/suites/test_suite_x509parse.data | 22 ++++++++++++++++++---- tests/suites/test_suite_x509parse.function | 4 ++-- 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 1a6e5f936a9b..e096d5e7ae1d 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -2428,15 +2428,29 @@ X509 CRL ASN1 (extension not critical explicit, crl-idp.pem byte 129) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C x509parse_crl:"308201b330819c020101300d06092a864886f70d01010b0500303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c2054657374204341170d3138303331343037333134385a170d3238303331343037333134385aa02d302b30290603551d1c010100041f301da01ba0198617687474703a2f2f706b692e6578616d706c652e636f6d2f300d06092a864886f70d01010b05000382010100b3fbe9d586eaf4b8ff60cf8edae06a85135db78f78198498719725b5b403c0b803c2c150f52faae7306d6a7871885dc2e9dc83a164bac7263776474ef642b660040b35a1410ac291ac8f6f18ab85e7fd6e22bd1af1c41ca95cf2448f6e2b42a018493dfc03c6b6aa1b9e3fe7b76af2182fb2121db4166bf0167d6f379c5a58adee5082423434d97be2909f5e7488053f996646db10dd49782626da53ad8eada01813c031b2bacdb0203bc017aac1735951a11d013ee4d1d5f7143ccbebf2371e66a1bec6e1febe69148f50784eef8adbb66664c96196d7e0c0bcdc807f447b54e058f37642a3337995bfbcd332208bd6016936705c82263eabd7affdba92fae3":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2018-03-14 07\:31\:48\nnext update \: 2028-03-14 07\:31\:48\nRevoked certificates\:\nsigned using \: RSA with SHA-256\n":0 -X509 CRT parse path #2 (one cert) +X509 CRT parse file dir3/Readme +mbedtls_x509_crt_parse_file:"data_files/dir3/Readme":MBEDTLS_ERR_X509_INVALID_FORMAT:0 + +X509 CRT parse file dir3/test-ca.crt +depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C +mbedtls_x509_crt_parse_file:"data_files/dir3/test-ca.crt":0:1 + +X509 CRT parse file dir3/test-ca2.crt +depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED +mbedtls_x509_crt_parse_file:"data_files/dir3/test-ca2.crt":0:1 + +# The parse_path tests are known to fail when compiled for a 32-btt architecture +# and run via qemu-user on Linux on a 64-bit host. This is due to a known +# bug in Qemu: https://gitlab.com/qemu-project/qemu/-/issues/263 +X509 CRT parse path #1 (one cert) depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C mbedtls_x509_crt_parse_path:"data_files/dir1":0:1 -X509 CRT parse path #3 (two certs) -depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED +X509 CRT parse path #2 (two certs) +depends_ondepends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED mbedtls_x509_crt_parse_path:"data_files/dir2":0:2 -X509 CRT parse path #4 (two certs, one non-cert) +X509 CRT parse path #3 (two certs, one non-cert) depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED mbedtls_x509_crt_parse_path:"data_files/dir3":1:2 diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index c62ba80d3d43..ff56dd209ecb 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -1142,7 +1142,7 @@ void mbedtls_x509_crt_parse_path(char *crt_path, int ret, int nb_crt) mbedtls_x509_crt_init(&chain); USE_PSA_INIT(); - TEST_ASSERT(mbedtls_x509_crt_parse_path(&chain, crt_path) == ret); + TEST_EQUAL(mbedtls_x509_crt_parse_path(&chain, crt_path), ret); /* Check how many certs we got */ for (i = 0, cur = &chain; cur != NULL; cur = cur->next) { @@ -1151,7 +1151,7 @@ void mbedtls_x509_crt_parse_path(char *crt_path, int ret, int nb_crt) } } - TEST_ASSERT(i == nb_crt); + TEST_EQUAL(i, nb_crt); exit: mbedtls_x509_crt_free(&chain); From 25c9f4bb8cb8d6b6e7798d48320eb0fe0726395e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 18 Apr 2023 22:31:38 +0200 Subject: [PATCH 3/4] typo Signed-off-by: Gilles Peskine --- tests/suites/test_suite_x509parse.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index e096d5e7ae1d..680ad328f6b4 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -2439,7 +2439,7 @@ X509 CRT parse file dir3/test-ca2.crt depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED mbedtls_x509_crt_parse_file:"data_files/dir3/test-ca2.crt":0:1 -# The parse_path tests are known to fail when compiled for a 32-btt architecture +# The parse_path tests are known to fail when compiled for a 32-bit architecture # and run via qemu-user on Linux on a 64-bit host. This is due to a known # bug in Qemu: https://gitlab.com/qemu-project/qemu/-/issues/263 X509 CRT parse path #1 (one cert) From 4ac90508f80f75fe0560f59a7d953ebdcb8d162d Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 21 Apr 2023 21:19:46 +0200 Subject: [PATCH 4/4] Fix pastapasta Signed-off-by: Gilles Peskine --- tests/suites/test_suite_x509parse.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 680ad328f6b4..913f7bdc9283 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -2447,7 +2447,7 @@ depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C mbedtls_x509_crt_parse_path:"data_files/dir1":0:1 X509 CRT parse path #2 (two certs) -depends_ondepends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED +depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED mbedtls_x509_crt_parse_path:"data_files/dir2":0:2 X509 CRT parse path #3 (two certs, one non-cert)