- Added verification callback in certificate verification chain in order to allow external blacklisting
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 898c521..e130567 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -101,66 +101,73 @@
x509_time_expired:"data_files/test-ca.crt":valid_to:0
X509 Certificate verification #1 (Revoked Cert, Expired CRL)
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":NULL:BADCERT_REVOKED | BADCRL_EXPIRED
+x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":NULL:POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED | BADCRL_EXPIRED:NULL
X509 Certificate verification #2 (Revoked Cert, Expired CRL)
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Server 1":BADCERT_REVOKED | BADCRL_EXPIRED
+x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Server 1":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED | BADCRL_EXPIRED:NULL
X509 Certificate verification #3 (Revoked Cert, Expired CRL, CN Mismatch)
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Wrong CN":BADCERT_REVOKED | BADCRL_EXPIRED | BADCERT_CN_MISMATCH
+x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Wrong CN":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED | BADCRL_EXPIRED | BADCERT_CN_MISMATCH:NULL
X509 Certificate verification #4 (Valid Cert, Expired CRL)
-x509_verify:"data_files/server2.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":NULL:BADCRL_EXPIRED
+x509_verify:"data_files/server2.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":NULL:POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCRL_EXPIRED:NULL
X509 Certificate verification #5 (Revoked Cert)
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:BADCERT_REVOKED
+x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED:NULL
X509 Certificate verification #6 (Revoked Cert)
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Server 1":BADCERT_REVOKED
+x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Server 1":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED:NULL
X509 Certificate verification #7 (Revoked Cert, CN Mismatch)
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Wrong CN":BADCERT_REVOKED | BADCERT_CN_MISMATCH
+x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Wrong CN":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED | BADCERT_CN_MISMATCH:NULL
X509 Certificate verification #8 (Valid Cert)
-x509_verify:"data_files/server2.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0
+x509_verify:"data_files/server2.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0:0:NULL
X509 Certificate verification #9 (Not trusted Cert)
-x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl.pem":NULL:BADCERT_NOT_TRUSTED
+x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl.pem":NULL:POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:NULL
X509 Certificate verification #10 (Not trusted Cert, Expired CRL)
-x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":NULL:BADCERT_NOT_TRUSTED
+x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":NULL:POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:NULL
X509 Certificate verification #11 (Valid Cert MD2 Digest)
depends_on:POLARSSL_MD2_C
-x509_verify:"data_files/cert_md2.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0
+x509_verify:"data_files/cert_md2.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0:0:NULL
X509 Certificate verification #12 (Valid Cert MD4 Digest)
depends_on:POLARSSL_MD4_C
-x509_verify:"data_files/cert_md4.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0
+x509_verify:"data_files/cert_md4.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0:0:NULL
X509 Certificate verification #13 (Valid Cert MD5 Digest)
depends_on:POLARSSL_MD5_C
-x509_verify:"data_files/cert_md5.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0
+x509_verify:"data_files/cert_md5.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0:0:NULL
X509 Certificate verification #14 (Valid Cert SHA1 Digest)
depends_on:POLARSSL_SHA1_C
-x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0
+x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0:0:NULL
X509 Certificate verification #15 (Valid Cert SHA224 Digest)
depends_on:POLARSSL_SHA2_C
-x509_verify:"data_files/cert_sha224.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0
+x509_verify:"data_files/cert_sha224.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0:0:NULL
X509 Certificate verification #16 (Valid Cert SHA256 Digest)
depends_on:POLARSSL_SHA2_C
-x509_verify:"data_files/cert_sha256.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0
+x509_verify:"data_files/cert_sha256.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0:0:NULL
X509 Certificate verification #17 (Valid Cert SHA384 Digest)
depends_on:POLARSSL_SHA4_C
-x509_verify:"data_files/cert_sha384.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0
+x509_verify:"data_files/cert_sha384.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0:0:NULL
X509 Certificate verification #18 (Valid Cert SHA512 Digest)
depends_on:POLARSSL_SHA4_C
-x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0
+x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0:0:NULL
+
+X509 Certificate verification #19 (Valid Cert, denying callback)
+depends_on:POLARSSL_SHA4_C
+x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:POLARSSL_ERR_X509_CERT_VERIFY_FAILED:0:&verify_none
+
+X509 Certificate verification #20 (Not trusted Cert, allowing callback)
+x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":NULL:POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:&verify_all
X509 Parse Selftest
depends_on:POLARSSL_MD5_C
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index b56b893..fe9a733 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -1,5 +1,17 @@
BEGIN_HEADER
+#include <polarssl/config.h>
#include <polarssl/x509.h>
+
+int verify_none( void *data, x509_cert *crt, int certificate_depth, int preverify_ok )
+{
+ return 1;
+}
+
+int verify_all( void *data, x509_cert *crt, int certificate_depth, int preverify_ok )
+{
+ return 0;
+}
+
END_HEADER
BEGIN_CASE
@@ -43,7 +55,7 @@
END_CASE
BEGIN_CASE
-x509_verify:crt_file:ca_file:crl_file:cn_name:result
+x509_verify:crt_file:ca_file:crl_file:cn_name:result:flags:verify_callback
{
x509_cert crt;
x509_cert ca;
@@ -59,16 +71,10 @@
TEST_ASSERT( x509parse_crtfile( &ca, {ca_file} ) == 0 );
TEST_ASSERT( x509parse_crlfile( &crl, {crl_file} ) == 0 );
- res = x509parse_verify( &crt, &ca, &crl, {cn_name}, &flags );
+ res = x509parse_verify( &crt, &ca, &crl, {cn_name}, &flags, {verify_callback}, NULL );
- if( res == 0 )
- {
- TEST_ASSERT( res == ( {result} ) );
- }
- else
- {
- TEST_ASSERT( flags == ( {result} ) );
- }
+ TEST_ASSERT( res == ( {result} ) );
+ TEST_ASSERT( flags == ( {flags} ) );
}
END_CASE