ssl_cert_test.c 7.03 KB
Newer Older
1 2 3
/*
 *  SSL certificate functionality tests
 *
4
 *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5
 *  SPDX-License-Identifier: Apache-2.0
6
 *
7 8 9
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
10
 *
11
 *  http://www.apache.org/licenses/LICENSE-2.0
12
 *
13 14 15 16 17
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
18
 *
19
 *  This file is part of mbed TLS (https://tls.mbed.org)
20 21
 */

22
#if !defined(MBEDTLS_CONFIG_FILE)
23
#include "mbedtls/config.h"
24
#else
25
#include MBEDTLS_CONFIG_FILE
26
#endif
27

28
#if defined(MBEDTLS_PLATFORM_C)
29
#include "mbedtls/platform.h"
30
#else
Rich Evans's avatar
Rich Evans committed
31
#include <stdio.h>
32 33
#define mbedtls_snprintf   snprintf
#define mbedtls_printf     printf
34 35
#endif

36 37
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_X509_CRT_PARSE_C) && \
    defined(MBEDTLS_FS_IO) && defined(MBEDTLS_X509_CRL_PARSE_C)
38 39
#include "mbedtls/certs.h"
#include "mbedtls/x509_crt.h"
Rich Evans's avatar
Rich Evans committed
40

41
#include <stdio.h>
Rich Evans's avatar
Rich Evans committed
42 43 44 45
#include <string.h>
#endif

#define MAX_CLIENT_CERTS    8
46

47 48
#if !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
    !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_X509_CRL_PARSE_C)
Rich Evans's avatar
Rich Evans committed
49
int main( void )
50
{
51 52
    mbedtls_printf("MBEDTLS_RSA_C and/or MBEDTLS_X509_CRT_PARSE_C "
           "MBEDTLS_FS_IO and/or MBEDTLS_X509_CRL_PARSE_C "
53 54 55 56
           "not defined.\n");
    return( 0 );
}
#else
57
const char *client_certificates[MAX_CLIENT_CERTS] =
58
{
59 60
    "client1.crt",
    "client2.crt",
61 62
    "server1.crt",
    "server2.crt",
63 64 65 66
    "cert_sha224.crt",
    "cert_sha256.crt",
    "cert_sha384.crt",
    "cert_sha512.crt"
67 68
};

69
const char *client_private_keys[MAX_CLIENT_CERTS] =
70
{
71 72
    "client1.key",
    "client2.key",
73 74
    "server1.key",
    "server2.key",
75 76 77 78
    "cert_digest.key",
    "cert_digest.key",
    "cert_digest.key",
    "cert_digest.key"
79 80
};

Rich Evans's avatar
Rich Evans committed
81
int main( void )
82 83
{
    int ret, i;
84 85
    mbedtls_x509_crt cacert;
    mbedtls_x509_crl crl;
86 87
    char buf[10240];

88 89
    mbedtls_x509_crt_init( &cacert );
    mbedtls_x509_crl_init( &crl );
90 91 92 93

    /*
     * 1.1. Load the trusted CA
     */
94
    mbedtls_printf( "\n  . Loading the CA root certificate ..." );
95 96 97 98
    fflush( stdout );

    /*
     * Alternatively, you may load the CA certificates from a .pem or
99
     * .crt file by calling mbedtls_x509_crt_parse_file( &cacert, "myca.crt" ).
100
     */
101
    ret = mbedtls_x509_crt_parse_file( &cacert, "ssl/test-ca/test-ca.crt" );
102 103
    if( ret != 0 )
    {
104
        mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse_file returned %d\n\n", ret );
105 106 107
        goto exit;
    }

108
    mbedtls_printf( " ok\n" );
109

110 111
    mbedtls_x509_crt_info( buf, 1024, "CRT: ", &cacert );
    mbedtls_printf("%s\n", buf );
112

113 114 115
    /*
     * 1.2. Load the CRL
     */
116
    mbedtls_printf( "  . Loading the CRL ..." );
117 118
    fflush( stdout );

119
    ret = mbedtls_x509_crl_parse_file( &crl, "ssl/test-ca/crl.pem" );
120 121
    if( ret != 0 )
    {
122
        mbedtls_printf( " failed\n  !  mbedtls_x509_crl_parse_file returned %d\n\n", ret );
123 124 125
        goto exit;
    }

126
    mbedtls_printf( " ok\n" );
127

128 129
    mbedtls_x509_crl_info( buf, 1024, "CRL: ", &crl );
    mbedtls_printf("%s\n", buf );
130

131 132 133
    for( i = 0; i < MAX_CLIENT_CERTS; i++ )
    {
        /*
134
         * 1.3. Load own certificate
135
         */
136
        char    name[512];
137
        uint32_t flags;
138 139
        mbedtls_x509_crt clicert;
        mbedtls_pk_context pk;
140

141 142
        mbedtls_x509_crt_init( &clicert );
        mbedtls_pk_init( &pk );
143

144
        mbedtls_snprintf(name, 512, "ssl/test-ca/%s", client_certificates[i]);
145

146
        mbedtls_printf( "  . Loading the client certificate %s...", name );
147
        fflush( stdout );
148

149
        ret = mbedtls_x509_crt_parse_file( &clicert, name );
150 151
        if( ret != 0 )
        {
152
            mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse_file returned %d\n\n", ret );
153 154
            goto exit;
        }
155

156
        mbedtls_printf( " ok\n" );
157

158 159 160
        /*
         * 1.4. Verify certificate validity with CA certificate
         */
161
        mbedtls_printf( "  . Verify the client certificate with CA certificate..." );
162
        fflush( stdout );
163

164
        ret = mbedtls_x509_crt_verify( &clicert, &cacert, &crl, NULL, &flags, NULL,
165
                               NULL );
166 167
        if( ret != 0 )
        {
168
            if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
169
            {
170 171 172
                 char vrfy_buf[512];

                 mbedtls_printf( " failed\n" );
173
                 mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
174 175 176 177
                 mbedtls_printf( "%s\n", vrfy_buf );
             }
             else
             {
178
                mbedtls_printf( " failed\n  !  mbedtls_x509_crt_verify returned %d\n\n", ret );
179 180
                goto exit;
            }
181
        }
182

183
        mbedtls_printf( " ok\n" );
184 185

        /*
186
         * 1.5. Load own private key
187
         */
188
        mbedtls_snprintf(name, 512, "ssl/test-ca/%s", client_private_keys[i]);
189

190
        mbedtls_printf( "  . Loading the client private key %s...", name );
191 192
        fflush( stdout );

193
        ret = mbedtls_pk_parse_keyfile( &pk, name, NULL );
194 195
        if( ret != 0 )
        {
196
            mbedtls_printf( " failed\n  !  mbedtls_pk_parse_keyfile returned %d\n\n", ret );
197 198 199
            goto exit;
        }

200
        mbedtls_printf( " ok\n" );
201 202

        /*
203
         * 1.6. Verify certificate validity with private key
204
         */
205
        mbedtls_printf( "  . Verify the client certificate with private key..." );
206 207
        fflush( stdout );

208 209

        /* EC NOT IMPLEMENTED YET */
210
        if( ! mbedtls_pk_can_do( &clicert.pk, MBEDTLS_PK_RSA ) )
211
        {
212 213
            mbedtls_printf( " failed\n  !  certificate's key is not RSA\n\n" );
            ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
214 215 216
            goto exit;
        }

217
        ret = mbedtls_mpi_cmp_mpi(&mbedtls_pk_rsa( pk )->N, &mbedtls_pk_rsa( clicert.pk )->N);
218 219
        if( ret != 0 )
        {
220
            mbedtls_printf( " failed\n  !  mbedtls_mpi_cmp_mpi for N returned %d\n\n", ret );
221 222 223
            goto exit;
        }

224
        ret = mbedtls_mpi_cmp_mpi(&mbedtls_pk_rsa( pk )->E, &mbedtls_pk_rsa( clicert.pk )->E);
225 226
        if( ret != 0 )
        {
227
            mbedtls_printf( " failed\n  !  mbedtls_mpi_cmp_mpi for E returned %d\n\n", ret );
228 229 230
            goto exit;
        }

231
        ret = mbedtls_rsa_check_privkey( mbedtls_pk_rsa( pk ) );
232 233
        if( ret != 0 )
        {
234
            mbedtls_printf( " failed\n  !  mbedtls_rsa_check_privkey returned %d\n\n", ret );
235 236 237
            goto exit;
        }

238
        mbedtls_printf( " ok\n" );
239

240 241
        mbedtls_x509_crt_free( &clicert );
        mbedtls_pk_free( &pk );
242 243 244
    }

exit:
245 246
    mbedtls_x509_crt_free( &cacert );
    mbedtls_x509_crl_free( &crl );
247

248
#if defined(_WIN32)
249
    mbedtls_printf( "  + Press Enter to exit this program.\n" );
250 251 252 253 254
    fflush( stdout ); getchar();
#endif

    return( ret );
}
255 256
#endif /* MBEDTLS_RSA_C && MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_FS_IO &&
          MBEDTLS_X509_CRL_PARSE_C */