TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 74243ee87873487cabccb992907dfab7d5678e86^! / . / tests / data_files / Makefile
commit74243ee87873487cabccb992907dfab7d5678e86[log] [tgz]
authorGilles Peskine <Gilles.Peskine@arm.com>Fri Aug 21 15:52:17 2020 +0200
committerGilles Peskine <Gilles.Peskine@arm.com>Fri Aug 21 19:15:51 2020 +0200
tree2dafeaf74b4b3f32e31061ab6075bdf4b523ee3d
parentda118e130dea8b0027220ee0163aac4f259acf06 [diff] [blame]
Regenerate server2-sha256.crt with a PrintableString issuer

server2-sha256.crt had the issuer ON and CN encoded as UTF8String, but the
corresponding CA certificate test-ca_cat12.crt had them encoded as
PrintableString. The strings matched, which is sufficient according to RFC
5280 §7.1 and RFC 4518 §2.1. However, GnuTLS 3.4.10 requires the strings to
have the same encoding, so it did not accept that the
UTF8String "PolarSSL Test CA" certificate was signed by the
PrintableString "PolarSSL Test CA" CA.

Since Mbed TLS 2.14 (specifically ebc1f40aa008f6a2ba42e7436e4596d8f780b612
merged via https://github.com/ARMmbed/mbedtls/pull/1641), server2-sha256.crt
is generated by Mbed TLS's own cert_write program, which emits a
PrintableString. In older versions, this file was generated by OpenSSL,
which started emitting UTF8String at some point.
4f928c0f374558ec352825061a399db7a37ca2fc merged via
https://github.com/ARMmbed/mbedtls/pull/2418 fixed this for the SHA-1
certificate which was used at the time. The present commit applies the same
fix for the SHA-256 certificate that is now in use.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index aeebf67..61edad1 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile

@@ -136,7 +136,7 @@
 	$(MBEDTLS_CERT_WRITE) request_file=server2-rsa.csr issuer_crt=test-ca-sha256.crt issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) serial=4 not_before=20190410141727 not_after=20290410141727 md=SHA1 version=3 output_file=$@
 all_final += server2.crt
 server2-sha256.crt: server2-rsa.csr
-	$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in server2-rsa.csr -out $@
+	$(MBEDTLS_CERT_WRITE) request_file=server2-rsa.csr serial=2 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA256 version=3 output_file=$@
 all_final += server2-sha256.crt
 
 test_ca_int_rsa1 = test-int-ca.crt