Add test for limit on intermediate certificates
Inspired by test code provided by Nicholas Wilson in PR #351.
The test will fail if someone sets MAX_INTERMEDIATE_CA to a value larger than
18 (default is 8), which is hopefully unlikely and can easily be fixed by
running long.sh again with a larger value if it ever happens.
Current behaviour is suboptimal as flags are not set, but currently the goal
is only to document/test existing behaviour.
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 4a5da03..a1a861e 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -1172,6 +1172,18 @@
depends_on:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_SHA256_C:POLARSSL_ECDSA_C:POLARSSL_ECP_DP_SECP384R1_ENABLED
x509_crt_parse_path:"data_files/dir3":1:2
+X509 CRT verify long chain (max intermediate CA, trusted)
+depends_on:POLARSSL_SHA256_C:POLARSSL_ECDSA_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
+x509_crt_verify_max:"data_files/dir-maxpath/00.crt":"data_files/dir-maxpath":POLARSSL_X509_MAX_INTERMEDIATE_CA:0:0
+
+X509 CRT verify long chain (max intermediate CA, untrusted)
+depends_on:POLARSSL_SHA256_C:POLARSSL_ECDSA_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP384R1_ENABLED
+x509_crt_verify_max:"data_files/test-ca2.crt":"data_files/dir-maxpath":POLARSSL_X509_MAX_INTERMEDIATE_CA-1:POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED
+
+X509 CRT verify long chain (max intermediate CA + 1)
+depends_on:POLARSSL_SHA256_C:POLARSSL_ECDSA_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
+x509_crt_verify_max:"data_files/dir-maxpath/00.crt":"data_files/dir-maxpath":POLARSSL_X509_MAX_INTERMEDIATE_CA+1:POLARSSL_ERR_X509_CERT_VERIFY_FAILED:0
+
X509 CRT verify chain #1 (zero pathlen intermediate)
depends_on:POLARSSL_SHA256_C:POLARSSL_RSA_C
x509_crt_verify_chain:"data_files/dir4/cert14.crt data_files/dir4/cert13.crt data_files/dir4/cert12.crt":"data_files/dir4/cert11.crt":BADCERT_NOT_TRUSTED
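Review bot: The second new case is titled "max intermediate CA, untrusted" but passes `POLARSSL_X509_MAX_INTERMEDIATE_CA-1`, and nothing in the hunk says why the count is one lower than in the trusted case. If the offset is deliberate (presumably the chain's own root is not the trust anchor here and so counts toward the depth limit), the title should say so, for example `X509 CRT verify long chain (max intermediate CA - 1, untrusted root)`. Without that, a later reader may "correct" the value to the bare macro and change which failure path the case actually exercises.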
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 4ae3c9f..b84cf64 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -492,6 +492,45 @@
/* END_CASE */
/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_PARSE_C */
+void x509_crt_verify_max( char *ca_file, char *chain_dir, int nb_int,
+ int ret_chk, int flags_chk )
+{
+ char file_buf[128];
+ int ret;
+ uint32_t flags;
+ x509_crt trusted, chain;
+
+ /*
+ * We expect chain_dir to contain certificates 00.crt, 01.crt, etc.
+ * with NN.crt signed by NN-1.crt
+ */
+
+ x509_crt_init( &trusted );
+ x509_crt_init( &chain );
+
+ /* Load trusted root */
+ TEST_ASSERT( x509_crt_parse_file( &trusted, ca_file ) == 0 );
+
+ /* Load a chain with nb_int intermediates (from 01 to nb_int),
+ * plus one "end-entity" cert (nb_int + 1) */
+ ret = snprintf( file_buf, sizeof file_buf, "%s/c%02d.pem", chain_dir,
+ nb_int + 1 );
+ TEST_ASSERT( ret > 0 && (size_t) ret < sizeof file_buf );
+ TEST_ASSERT( x509_crt_parse_file( &chain, file_buf ) == 0 );
+
+ /* Try to verify that chain */
+ ret = x509_crt_verify( &chain, &trusted, NULL, NULL, &flags,
+ NULL, NULL );
+ TEST_ASSERT( ret == ret_chk );
+ TEST_ASSERT( flags == (uint32_t) flags_chk );
+
+exit:
+ x509_crt_free( &chain );
+ x509_crt_free( &trusted );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_PARSE_C */
void x509_crt_verify_chain( char *chain_paths, char *trusted_ca, int flags_result )
{
char* act;
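Review bot: `flags` is declared without an initialiser in x509_crt_verify_max and then compared with `flags_chk`, so the last assertion is only meaningful if x509_crt_verify() writes `*flags` on every return path, which this hunk does not show. Declaring it as `uint32_t flags = 0xFFFFFFFF;` keeps the comparison well defined and shows that the checked value really came from the call. That matters most for the max+1 case, which expects 0 alongside a verify failure. Separately, the block comment describes `NN.crt` files while the code opens `c%02d.pem`. The comment should also state what the bundle files hold, e.g. `/* cNN.pem is expected to hold NN.crt followed by its issuers */`, with the wording confirmed against long.sh.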