TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 70824f2c9ea28a0c044f14d967ce21899f41441d / . / programs / x509 / cert_app.c
blob: 38fbd51bf4e8735576dabdbb91d73cabb3cf976a [file] [log] [blame]
Gilles Peskine70824f22020-02-26 19:05:33 +0100[diff] [blame^]1/*
2 * Certificate reading application
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
22#if !defined(MBEDTLS_CONFIG_FILE)
23#include "mbedtls/config.h"
24#else
25#include MBEDTLS_CONFIG_FILE
26#endif
27
28#if defined(MBEDTLS_PLATFORM_C)
29#include "mbedtls/platform.h"
30#else
31#include <stdio.h>
32#include <stdlib.h>
33#define mbedtls_time time
34#define mbedtls_time_t time_t
35#define mbedtls_fprintf fprintf
36#define mbedtls_printf printf
37#define mbedtls_exit exit
38#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
39#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
40#endif /* MBEDTLS_PLATFORM_C */
41
42#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
43 !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
44 !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \
45 !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
46 !defined(MBEDTLS_CTR_DRBG_C)
47int main( void )
48{
49 mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
50 "MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or "
51 "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
52 "MBEDTLS_X509_CRT_PARSE_C and/or MBEDTLS_FS_IO and/or "
53 "MBEDTLS_CTR_DRBG_C not defined.\n");
54 return( 0 );
55}
56#else
57
58#include "mbedtls/entropy.h"
59#include "mbedtls/ctr_drbg.h"
60#include "mbedtls/net_sockets.h"
61#include "mbedtls/ssl.h"
62#include "mbedtls/x509.h"
63#include "mbedtls/debug.h"
64
65#include <stdio.h>
66#include <stdlib.h>
67#include <string.h>
68
69#define MODE_NONE 0
70#define MODE_FILE 1
71#define MODE_SSL 2
72
73#define DFL_MODE MODE_NONE
74#define DFL_FILENAME "cert.crt"
75#define DFL_CA_FILE ""
76#define DFL_CRL_FILE ""
77#define DFL_CA_PATH ""
78#define DFL_SERVER_NAME "localhost"
79#define DFL_SERVER_PORT "4433"
80#define DFL_DEBUG_LEVEL 0
81#define DFL_PERMISSIVE 0
82
83#define USAGE_IO \
84 " ca_file=%%s The single file containing the top-level CA(s) you fully trust\n" \
85 " default: \"\" (none)\n" \
86 " crl_file=%%s The single CRL file you want to use\n" \
87 " default: \"\" (none)\n" \
88 " ca_path=%%s The path containing the top-level CA(s) you fully trust\n" \
89 " default: \"\" (none) (overrides ca_file)\n"
90
91#define USAGE \
92 "\n usage: cert_app param=<>...\n" \
93 "\n acceptable parameters:\n" \
94 " mode=file|ssl default: none\n" \
95 " filename=%%s default: cert.crt\n" \
96 USAGE_IO \
97 " server_name=%%s default: localhost\n" \
98 " server_port=%%d default: 4433\n" \
99 " debug_level=%%d default: 0 (disabled)\n" \
100 " permissive=%%d default: 0 (disabled)\n" \
101 "\n"
102
103#if defined(MBEDTLS_CHECK_PARAMS)
104#define mbedtls_exit exit
105void mbedtls_param_failed( const char *failure_condition,
106 const char *file,
107 int line )
108{
109 mbedtls_printf( "%s:%i: Input param failed - %s\n",
110 file, line, failure_condition );
111 mbedtls_exit( MBEDTLS_EXIT_FAILURE );
112}
113#endif
114
115/*
116 * global options
117 */
118struct options
119{
120 int mode; /* the mode to run the application in */
121 const char *filename; /* filename of the certificate file */
122 const char *ca_file; /* the file with the CA certificate(s) */
123 const char *crl_file; /* the file with the CRL to use */
124 const char *ca_path; /* the path with the CA certificate(s) reside */
125 const char *server_name; /* hostname of the server (client only) */
126 const char *server_port; /* port on which the ssl service runs */
127 int debug_level; /* level of debugging */
128 int permissive; /* permissive parsing */
129} opt;
130
131static void my_debug( void *ctx, int level,
132 const char *file, int line,
133 const char *str )
134{
135 ((void) level);
136
137 mbedtls_fprintf( (FILE *) ctx, "%s:%04d: %s", file, line, str );
138 fflush( (FILE *) ctx );
139}
140
141static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags )
142{
143 char buf[1024];
144 ((void) data);
145
146 mbedtls_printf( "\nVerify requested for (Depth %d):\n", depth );
147 mbedtls_x509_crt_info( buf, sizeof( buf ) - 1, "", crt );
148 mbedtls_printf( "%s", buf );
149
150 if ( ( *flags ) == 0 )
151 mbedtls_printf( " This certificate has no flags\n" );
152 else
153 {
154 mbedtls_x509_crt_verify_info( buf, sizeof( buf ), " ! ", *flags );
155 mbedtls_printf( "%s\n", buf );
156 }
157
158 return( 0 );
159}
160
161int main( int argc, char *argv[] )
162{
163 int ret = 1;
164 int exit_code = MBEDTLS_EXIT_FAILURE;
165 mbedtls_net_context server_fd;
166 unsigned char buf[1024];
167 mbedtls_entropy_context entropy;
168 mbedtls_ctr_drbg_context ctr_drbg;
169 mbedtls_ssl_context ssl;
170 mbedtls_ssl_config conf;
171 mbedtls_x509_crt cacert;
172 mbedtls_x509_crl cacrl;
173 int i, j;
174 uint32_t flags;
175 int verify = 0;
176 char *p, *q;
177 const char *pers = "cert_app";
178
179 /*
180 * Set to sane values
181 */
182 mbedtls_net_init( &server_fd );
183 mbedtls_ctr_drbg_init( &ctr_drbg );
184 mbedtls_ssl_init( &ssl );
185 mbedtls_ssl_config_init( &conf );
186 mbedtls_x509_crt_init( &cacert );
187#if defined(MBEDTLS_X509_CRL_PARSE_C)
188 mbedtls_x509_crl_init( &cacrl );
189#else
190 /* Zeroize structure as CRL parsing is not supported and we have to pass
191 it to the verify function */
192 memset( &cacrl, 0, sizeof(mbedtls_x509_crl) );
193#endif
194
195 if( argc == 0 )
196 {
197 usage:
198 mbedtls_printf( USAGE );
199 goto exit;
200 }
201
202 opt.mode = DFL_MODE;
203 opt.filename = DFL_FILENAME;
204 opt.ca_file = DFL_CA_FILE;
205 opt.crl_file = DFL_CRL_FILE;
206 opt.ca_path = DFL_CA_PATH;
207 opt.server_name = DFL_SERVER_NAME;
208 opt.server_port = DFL_SERVER_PORT;
209 opt.debug_level = DFL_DEBUG_LEVEL;
210 opt.permissive = DFL_PERMISSIVE;
211
212 for( i = 1; i < argc; i++ )
213 {
214 p = argv[i];
215 if( ( q = strchr( p, '=' ) ) == NULL )
216 goto usage;
217 *q++ = '\0';
218
219 for( j = 0; p + j < q; j++ )
220 {
221 if( argv[i][j] >= 'A' && argv[i][j] <= 'Z' )
222 argv[i][j] |= 0x20;
223 }
224
225 if( strcmp( p, "mode" ) == 0 )
226 {
227 if( strcmp( q, "file" ) == 0 )
228 opt.mode = MODE_FILE;
229 else if( strcmp( q, "ssl" ) == 0 )
230 opt.mode = MODE_SSL;
231 else
232 goto usage;
233 }
234 else if( strcmp( p, "filename" ) == 0 )
235 opt.filename = q;
236 else if( strcmp( p, "ca_file" ) == 0 )
237 opt.ca_file = q;
238 else if( strcmp( p, "crl_file" ) == 0 )
239 opt.crl_file = q;
240 else if( strcmp( p, "ca_path" ) == 0 )
241 opt.ca_path = q;
242 else if( strcmp( p, "server_name" ) == 0 )
243 opt.server_name = q;
244 else if( strcmp( p, "server_port" ) == 0 )
245 opt.server_port = q;
246 else if( strcmp( p, "debug_level" ) == 0 )
247 {
248 opt.debug_level = atoi( q );
249 if( opt.debug_level < 0 || opt.debug_level > 65535 )
250 goto usage;
251 }
252 else if( strcmp( p, "permissive" ) == 0 )
253 {
254 opt.permissive = atoi( q );
255 if( opt.permissive < 0 || opt.permissive > 1 )
256 goto usage;
257 }
258 else
259 goto usage;
260 }
261
262 /*
263 * 1.1. Load the trusted CA
264 */
265 mbedtls_printf( " . Loading the CA root certificate ..." );
266 fflush( stdout );
267
268 if( strlen( opt.ca_path ) )
269 {
270 if( ( ret = mbedtls_x509_crt_parse_path( &cacert, opt.ca_path ) ) < 0 )
271 {
272 mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_path returned -0x%x\n\n", -ret );
273 goto exit;
274 }
275
276 verify = 1;
277 }
278 else if( strlen( opt.ca_file ) )
279 {
280 if( ( ret = mbedtls_x509_crt_parse_file( &cacert, opt.ca_file ) ) < 0 )
281 {
282 mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file returned -0x%x\n\n", -ret );
283 goto exit;
284 }
285
286 verify = 1;
287 }
288
289 mbedtls_printf( " ok (%d skipped)\n", ret );
290
291#if defined(MBEDTLS_X509_CRL_PARSE_C)
292 if( strlen( opt.crl_file ) )
293 {
294 if( ( ret = mbedtls_x509_crl_parse_file( &cacrl, opt.crl_file ) ) != 0 )
295 {
296 mbedtls_printf( " failed\n ! mbedtls_x509_crl_parse returned -0x%x\n\n", -ret );
297 goto exit;
298 }
299
300 verify = 1;
301 }
302#endif
303
304 if( opt.mode == MODE_FILE )
305 {
306 mbedtls_x509_crt crt;
307 mbedtls_x509_crt *cur = &crt;
308 mbedtls_x509_crt_init( &crt );
309
310 /*
311 * 1.1. Load the certificate(s)
312 */
313 mbedtls_printf( "\n . Loading the certificate(s) ..." );
314 fflush( stdout );
315
316 ret = mbedtls_x509_crt_parse_file( &crt, opt.filename );
317
318 if( ret < 0 )
319 {
320 mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file returned %d\n\n", ret );
321 mbedtls_x509_crt_free( &crt );
322 goto exit;
323 }
324
325 if( opt.permissive == 0 && ret > 0 )
326 {
327 mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse failed to parse %d certificates\n\n", ret );
328 mbedtls_x509_crt_free( &crt );
329 goto exit;
330 }
331
332 mbedtls_printf( " ok\n" );
333
334 /*
335 * 1.2 Print the certificate(s)
336 */
337 while( cur != NULL )
338 {
339 mbedtls_printf( " . Peer certificate information ...\n" );
340 ret = mbedtls_x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ",
341 cur );
342 if( ret == -1 )
343 {
344 mbedtls_printf( " failed\n ! mbedtls_x509_crt_info returned %d\n\n", ret );
345 mbedtls_x509_crt_free( &crt );
346 goto exit;
347 }
348
349 mbedtls_printf( "%s\n", buf );
350
351 cur = cur->next;
352 }
353
354 /*
355 * 1.3 Verify the certificate
356 */
357 if( verify )
358 {
359 mbedtls_printf( " . Verifying X.509 certificate..." );
360
361 if( ( ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl, NULL, &flags,
362 my_verify, NULL ) ) != 0 )
363 {
364 char vrfy_buf[512];
365
366 mbedtls_printf( " failed\n" );
367
368 mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
369
370 mbedtls_printf( "%s\n", vrfy_buf );
371 }
372 else
373 mbedtls_printf( " ok\n" );
374 }
375
376 mbedtls_x509_crt_free( &crt );
377 }
378 else if( opt.mode == MODE_SSL )
379 {
380 /*
381 * 1. Initialize the RNG and the session data
382 */
383 mbedtls_printf( "\n . Seeding the random number generator..." );
384 fflush( stdout );
385
386 mbedtls_entropy_init( &entropy );
387 if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
388 (const unsigned char *) pers,
389 strlen( pers ) ) ) != 0 )
390 {
391 mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
392 goto ssl_exit;
393 }
394
395 mbedtls_printf( " ok\n" );
396
397#if defined(MBEDTLS_DEBUG_C)
398 mbedtls_debug_set_threshold( opt.debug_level );
399#endif
400
401 /*
402 * 2. Start the connection
403 */
404 mbedtls_printf( " . SSL connection to tcp/%s/%s...", opt.server_name,
405 opt.server_port );
406 fflush( stdout );
407
408 if( ( ret = mbedtls_net_connect( &server_fd, opt.server_name,
409 opt.server_port, MBEDTLS_NET_PROTO_TCP ) ) != 0 )
410 {
411 mbedtls_printf( " failed\n ! mbedtls_net_connect returned %d\n\n", ret );
412 goto ssl_exit;
413 }
414
415 /*
416 * 3. Setup stuff
417 */
418 if( ( ret = mbedtls_ssl_config_defaults( &conf,
419 MBEDTLS_SSL_IS_CLIENT,
420 MBEDTLS_SSL_TRANSPORT_STREAM,
421 MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
422 {
423 mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
424 goto exit;
425 }
426
427 if( verify )
428 {
429 mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED );
430 mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
431 mbedtls_ssl_conf_verify( &conf, my_verify, NULL );
432 }
433 else
434 mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE );
435
436 mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
437 mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
438
439 if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
440 {
441 mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
442 goto ssl_exit;
443 }
444
445 if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
446 {
447 mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
448 goto ssl_exit;
449 }
450
451 mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
452
453 /*
454 * 4. Handshake
455 */
456 while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
457 {
458 if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
459 {
460 mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned %d\n\n", ret );
461 goto ssl_exit;
462 }
463 }
464
465 mbedtls_printf( " ok\n" );
466
467 /*
468 * 5. Print the certificate
469 */
470#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
471 mbedtls_printf( " . Peer certificate information ... skipped\n" );
472#else
473 mbedtls_printf( " . Peer certificate information ...\n" );
474 ret = mbedtls_x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ",
475 mbedtls_ssl_get_peer_cert( &ssl ) );
476 if( ret == -1 )
477 {
478 mbedtls_printf( " failed\n ! mbedtls_x509_crt_info returned %d\n\n", ret );
479 goto ssl_exit;
480 }
481
482 mbedtls_printf( "%s\n", buf );
483#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
484
485 mbedtls_ssl_close_notify( &ssl );
486
487ssl_exit:
488 mbedtls_ssl_free( &ssl );
489 mbedtls_ssl_config_free( &conf );
490 }
491 else
492 goto usage;
493
494 exit_code = MBEDTLS_EXIT_SUCCESS;
495
496exit:
497
498 mbedtls_net_free( &server_fd );
499 mbedtls_x509_crt_free( &cacert );
500#if defined(MBEDTLS_X509_CRL_PARSE_C)
501 mbedtls_x509_crl_free( &cacrl );
502#endif
503 mbedtls_ctr_drbg_free( &ctr_drbg );
504 mbedtls_entropy_free( &entropy );
505
506#if defined(_WIN32)
507 mbedtls_printf( " + Press Enter to exit this program.\n" );
508 fflush( stdout ); getchar();
509#endif
510
511 return( exit_code );
512}
513#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_SSL_TLS_C &&
514 MBEDTLS_SSL_CLI_C && MBEDTLS_NET_C && MBEDTLS_RSA_C &&
515 MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_FS_IO && MBEDTLS_CTR_DRBG_C */