Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 1 | /* |
| 2 | * SSL certificate functionality tests |
| 3 | * |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 4 | * Copyright (C) 2006-2011, Brainspark B.V. |
Paul Bakker | b96f154 | 2010-07-18 20:36:00 +0000 | [diff] [blame] | 5 | * |
| 6 | * This file is part of PolarSSL (http://www.polarssl.org) |
Paul Bakker | 84f12b7 | 2010-07-18 10:13:04 +0000 | [diff] [blame] | 7 | * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org> |
Paul Bakker | b96f154 | 2010-07-18 20:36:00 +0000 | [diff] [blame] | 8 | * |
Paul Bakker | 77b385e | 2009-07-28 17:23:11 +0000 | [diff] [blame] | 9 | * All rights reserved. |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 10 | * |
| 11 | * This program is free software; you can redistribute it and/or modify |
| 12 | * it under the terms of the GNU General Public License as published by |
| 13 | * the Free Software Foundation; either version 2 of the License, or |
| 14 | * (at your option) any later version. |
| 15 | * |
| 16 | * This program is distributed in the hope that it will be useful, |
| 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 19 | * GNU General Public License for more details. |
| 20 | * |
| 21 | * You should have received a copy of the GNU General Public License along |
| 22 | * with this program; if not, write to the Free Software Foundation, Inc., |
| 23 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
| 24 | */ |
| 25 | |
Manuel Pégourié-Gonnard | abd6e02 | 2013-09-20 13:30:43 +0200 | [diff] [blame] | 26 | #include "polarssl/config.h" |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 27 | |
| 28 | #include <string.h> |
| 29 | #include <stdio.h> |
| 30 | |
Manuel Pégourié-Gonnard | 7831b0c | 2013-09-20 12:29:56 +0200 | [diff] [blame] | 31 | #if !defined(POLARSSL_RSA_C) || !defined(POLARSSL_X509_CRT_PARSE_C) || \ |
Manuel Pégourié-Gonnard | cbf3ef3 | 2013-09-23 12:20:02 +0200 | [diff] [blame^] | 32 | !defined(POLARSSL_FS_IO) || !defined(POLARSSL_X509_CRL_PARSE_C) |
Manuel Pégourié-Gonnard | 7831b0c | 2013-09-20 12:29:56 +0200 | [diff] [blame] | 33 | int main( int argc, char *argv[] ) |
| 34 | { |
| 35 | ((void) argc); |
| 36 | ((void) argv); |
| 37 | |
| 38 | printf("POLARSSL_RSA_C and/or POLARSSL_X509_CRT_PARSE_C " |
Manuel Pégourié-Gonnard | cbf3ef3 | 2013-09-23 12:20:02 +0200 | [diff] [blame^] | 39 | "POLARSSL_FS_IO and/or POLARSSL_X509_CRL_PARSE_C " |
Manuel Pégourié-Gonnard | 7831b0c | 2013-09-20 12:29:56 +0200 | [diff] [blame] | 40 | "not defined.\n"); |
| 41 | return( 0 ); |
| 42 | } |
| 43 | #else |
| 44 | |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 45 | #include "polarssl/certs.h" |
Paul Bakker | 36713e8 | 2013-09-17 13:25:29 +0200 | [diff] [blame] | 46 | #include "polarssl/x509_crt.h" |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 47 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 48 | #if defined _MSC_VER && !defined snprintf |
| 49 | #define snprintf _snprintf |
| 50 | #endif |
| 51 | |
Manuel Pégourié-Gonnard | 7831b0c | 2013-09-20 12:29:56 +0200 | [diff] [blame] | 52 | |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 53 | #define MAX_CLIENT_CERTS 8 |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 54 | |
Paul Bakker | ef3f8c7 | 2013-06-24 13:01:08 +0200 | [diff] [blame] | 55 | const char *client_certificates[MAX_CLIENT_CERTS] = |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 56 | { |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 57 | "client1.crt", |
| 58 | "client2.crt", |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 59 | "server1.crt", |
| 60 | "server2.crt", |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 61 | "cert_sha224.crt", |
| 62 | "cert_sha256.crt", |
| 63 | "cert_sha384.crt", |
| 64 | "cert_sha512.crt" |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 65 | }; |
| 66 | |
Paul Bakker | ef3f8c7 | 2013-06-24 13:01:08 +0200 | [diff] [blame] | 67 | const char *client_private_keys[MAX_CLIENT_CERTS] = |
Paul Bakker | a1d3e5f | 2009-03-28 17:30:26 +0000 | [diff] [blame] | 68 | { |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 69 | "client1.key", |
| 70 | "client2.key", |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 71 | "server1.key", |
| 72 | "server2.key", |
Paul Bakker | f17ed28 | 2011-02-09 17:10:48 +0000 | [diff] [blame] | 73 | "cert_digest.key", |
| 74 | "cert_digest.key", |
| 75 | "cert_digest.key", |
| 76 | "cert_digest.key" |
Paul Bakker | a1d3e5f | 2009-03-28 17:30:26 +0000 | [diff] [blame] | 77 | }; |
| 78 | |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 79 | int main( int argc, char *argv[] ) |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 80 | { |
| 81 | int ret, i; |
Paul Bakker | c559c7a | 2013-09-18 14:13:26 +0200 | [diff] [blame] | 82 | x509_crt cacert; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 83 | x509_crl crl; |
| 84 | char buf[10240]; |
| 85 | |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 86 | ((void) argc); |
| 87 | ((void) argv); |
| 88 | |
Paul Bakker | 369d2eb | 2013-09-18 11:58:25 +0200 | [diff] [blame] | 89 | x509_crt_init( &cacert ); |
| 90 | x509_crl_init( &crl ); |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 91 | |
| 92 | /* |
| 93 | * 1.1. Load the trusted CA |
| 94 | */ |
| 95 | printf( "\n . Loading the CA root certificate ..." ); |
| 96 | fflush( stdout ); |
| 97 | |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 98 | /* |
| 99 | * Alternatively, you may load the CA certificates from a .pem or |
Paul Bakker | ddf26b4 | 2013-09-18 13:46:23 +0200 | [diff] [blame] | 100 | * .crt file by calling x509_crt_parse_file( &cacert, "myca.crt" ). |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 101 | */ |
Paul Bakker | ddf26b4 | 2013-09-18 13:46:23 +0200 | [diff] [blame] | 102 | ret = x509_crt_parse_file( &cacert, "ssl/test-ca/test-ca.crt" ); |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 103 | if( ret != 0 ) |
| 104 | { |
Paul Bakker | ddf26b4 | 2013-09-18 13:46:23 +0200 | [diff] [blame] | 105 | printf( " failed\n ! x509_crt_parse_file returned %d\n\n", ret ); |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 106 | goto exit; |
| 107 | } |
| 108 | |
| 109 | printf( " ok\n" ); |
| 110 | |
Paul Bakker | ddf26b4 | 2013-09-18 13:46:23 +0200 | [diff] [blame] | 111 | x509_crt_info( buf, 1024, "CRT: ", &cacert ); |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 112 | printf("%s\n", buf ); |
| 113 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 114 | /* |
| 115 | * 1.2. Load the CRL |
| 116 | */ |
| 117 | printf( " . Loading the CRL ..." ); |
| 118 | fflush( stdout ); |
| 119 | |
Paul Bakker | ddf26b4 | 2013-09-18 13:46:23 +0200 | [diff] [blame] | 120 | ret = x509_crl_parse_file( &crl, "ssl/test-ca/crl.pem" ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 121 | if( ret != 0 ) |
| 122 | { |
Paul Bakker | ddf26b4 | 2013-09-18 13:46:23 +0200 | [diff] [blame] | 123 | printf( " failed\n ! x509_crl_parse_file returned %d\n\n", ret ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 124 | goto exit; |
| 125 | } |
| 126 | |
| 127 | printf( " ok\n" ); |
| 128 | |
Paul Bakker | ddf26b4 | 2013-09-18 13:46:23 +0200 | [diff] [blame] | 129 | x509_crl_info( buf, 1024, "CRL: ", &crl ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 130 | printf("%s\n", buf ); |
| 131 | |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 132 | for( i = 0; i < MAX_CLIENT_CERTS; i++ ) |
| 133 | { |
| 134 | /* |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 135 | * 1.3. Load own certificate |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 136 | */ |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 137 | char name[512]; |
| 138 | int flags; |
Paul Bakker | c559c7a | 2013-09-18 14:13:26 +0200 | [diff] [blame] | 139 | x509_crt clicert; |
Paul Bakker | 36713e8 | 2013-09-17 13:25:29 +0200 | [diff] [blame] | 140 | pk_context pk; |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 141 | |
Paul Bakker | 369d2eb | 2013-09-18 11:58:25 +0200 | [diff] [blame] | 142 | x509_crt_init( &clicert ); |
Paul Bakker | 36713e8 | 2013-09-17 13:25:29 +0200 | [diff] [blame] | 143 | pk_init( &pk ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 144 | |
| 145 | snprintf(name, 512, "ssl/test-ca/%s", client_certificates[i]); |
| 146 | |
| 147 | printf( " . Loading the client certificate %s...", name ); |
| 148 | fflush( stdout ); |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 149 | |
Paul Bakker | ddf26b4 | 2013-09-18 13:46:23 +0200 | [diff] [blame] | 150 | ret = x509_crt_parse_file( &clicert, name ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 151 | if( ret != 0 ) |
| 152 | { |
Paul Bakker | ddf26b4 | 2013-09-18 13:46:23 +0200 | [diff] [blame] | 153 | printf( " failed\n ! x509_crt_parse_file returned %d\n\n", ret ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 154 | goto exit; |
| 155 | } |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 156 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 157 | printf( " ok\n" ); |
Paul Bakker | a1d3e5f | 2009-03-28 17:30:26 +0000 | [diff] [blame] | 158 | |
| 159 | /* |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 160 | * 1.4. Verify certificate validity with CA certificate |
Paul Bakker | a1d3e5f | 2009-03-28 17:30:26 +0000 | [diff] [blame] | 161 | */ |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 162 | printf( " . Verify the client certificate with CA certificate..." ); |
| 163 | fflush( stdout ); |
| 164 | |
Paul Bakker | ddf26b4 | 2013-09-18 13:46:23 +0200 | [diff] [blame] | 165 | ret = x509_crt_verify( &clicert, &cacert, &crl, NULL, &flags, NULL, |
| 166 | NULL ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 167 | if( ret != 0 ) |
| 168 | { |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 169 | if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED ) |
| 170 | { |
Paul Bakker | 860d36b | 2009-05-03 17:29:56 +0000 | [diff] [blame] | 171 | if( flags & BADCERT_CN_MISMATCH ) |
| 172 | printf( " CN_MISMATCH " ); |
| 173 | if( flags & BADCERT_EXPIRED ) |
| 174 | printf( " EXPIRED " ); |
| 175 | if( flags & BADCERT_REVOKED ) |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 176 | printf( " REVOKED " ); |
Paul Bakker | 860d36b | 2009-05-03 17:29:56 +0000 | [diff] [blame] | 177 | if( flags & BADCERT_NOT_TRUSTED ) |
| 178 | printf( " NOT_TRUSTED " ); |
| 179 | if( flags & BADCRL_NOT_TRUSTED ) |
| 180 | printf( " CRL_NOT_TRUSTED " ); |
| 181 | if( flags & BADCRL_EXPIRED ) |
| 182 | printf( " CRL_EXPIRED " ); |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 183 | } else { |
Paul Bakker | ddf26b4 | 2013-09-18 13:46:23 +0200 | [diff] [blame] | 184 | printf( " failed\n ! x509_crt_verify returned %d\n\n", ret ); |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 185 | goto exit; |
| 186 | } |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 187 | } |
| 188 | |
| 189 | printf( " ok\n" ); |
| 190 | |
| 191 | /* |
| 192 | * 1.5. Load own private key |
| 193 | */ |
| 194 | snprintf(name, 512, "ssl/test-ca/%s", client_private_keys[i]); |
Paul Bakker | a1d3e5f | 2009-03-28 17:30:26 +0000 | [diff] [blame] | 195 | |
| 196 | printf( " . Loading the client private key %s...", name ); |
| 197 | fflush( stdout ); |
| 198 | |
Paul Bakker | 36713e8 | 2013-09-17 13:25:29 +0200 | [diff] [blame] | 199 | ret = pk_parse_keyfile( &pk, name, NULL ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 200 | if( ret != 0 ) |
| 201 | { |
Paul Bakker | 36713e8 | 2013-09-17 13:25:29 +0200 | [diff] [blame] | 202 | printf( " failed\n ! pk_parse_keyfile returned %d\n\n", ret ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 203 | goto exit; |
| 204 | } |
Paul Bakker | a1d3e5f | 2009-03-28 17:30:26 +0000 | [diff] [blame] | 205 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 206 | printf( " ok\n" ); |
Paul Bakker | a1d3e5f | 2009-03-28 17:30:26 +0000 | [diff] [blame] | 207 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 208 | /* |
Manuel Pégourié-Gonnard | be50680 | 2013-07-11 13:17:21 +0200 | [diff] [blame] | 209 | * 1.6. Verify certificate validity with private key |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 210 | */ |
| 211 | printf( " . Verify the client certificate with private key..." ); |
| 212 | fflush( stdout ); |
Paul Bakker | a1d3e5f | 2009-03-28 17:30:26 +0000 | [diff] [blame] | 213 | |
Manuel Pégourié-Gonnard | be50680 | 2013-07-11 13:17:21 +0200 | [diff] [blame] | 214 | |
| 215 | /* EC NOT IMPLEMENTED YET */ |
Manuel Pégourié-Gonnard | 7e56de1 | 2013-08-14 21:15:53 +0200 | [diff] [blame] | 216 | if( ! pk_can_do( &clicert.pk, POLARSSL_PK_RSA ) ) |
Manuel Pégourié-Gonnard | be50680 | 2013-07-11 13:17:21 +0200 | [diff] [blame] | 217 | { |
| 218 | printf( " failed\n ! certificate's key is not RSA\n\n" ); |
| 219 | ret = POLARSSL_ERR_X509_FEATURE_UNAVAILABLE; |
| 220 | goto exit; |
| 221 | } |
| 222 | |
Paul Bakker | 36713e8 | 2013-09-17 13:25:29 +0200 | [diff] [blame] | 223 | ret = mpi_cmp_mpi(&pk_rsa( pk )->N, &pk_rsa( clicert.pk )->N); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 224 | if( ret != 0 ) |
| 225 | { |
| 226 | printf( " failed\n ! mpi_cmp_mpi for N returned %d\n\n", ret ); |
| 227 | goto exit; |
| 228 | } |
Paul Bakker | a1d3e5f | 2009-03-28 17:30:26 +0000 | [diff] [blame] | 229 | |
Paul Bakker | 36713e8 | 2013-09-17 13:25:29 +0200 | [diff] [blame] | 230 | ret = mpi_cmp_mpi(&pk_rsa( pk )->E, &pk_rsa( clicert.pk )->E); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 231 | if( ret != 0 ) |
| 232 | { |
| 233 | printf( " failed\n ! mpi_cmp_mpi for E returned %d\n\n", ret ); |
| 234 | goto exit; |
| 235 | } |
Paul Bakker | a1d3e5f | 2009-03-28 17:30:26 +0000 | [diff] [blame] | 236 | |
Paul Bakker | 36713e8 | 2013-09-17 13:25:29 +0200 | [diff] [blame] | 237 | ret = rsa_check_privkey( pk_rsa( pk ) ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 238 | if( ret != 0 ) |
| 239 | { |
| 240 | printf( " failed\n ! rsa_check_privkey returned %d\n\n", ret ); |
| 241 | goto exit; |
| 242 | } |
Paul Bakker | a1d3e5f | 2009-03-28 17:30:26 +0000 | [diff] [blame] | 243 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 244 | printf( " ok\n" ); |
Paul Bakker | a1d3e5f | 2009-03-28 17:30:26 +0000 | [diff] [blame] | 245 | |
Paul Bakker | 36713e8 | 2013-09-17 13:25:29 +0200 | [diff] [blame] | 246 | x509_crt_free( &clicert ); |
| 247 | pk_free( &pk ); |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 248 | } |
| 249 | |
| 250 | exit: |
Paul Bakker | 36713e8 | 2013-09-17 13:25:29 +0200 | [diff] [blame] | 251 | x509_crt_free( &cacert ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 252 | x509_crl_free( &crl ); |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 253 | |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 254 | #if defined(_WIN32) |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 255 | printf( " + Press Enter to exit this program.\n" ); |
| 256 | fflush( stdout ); getchar(); |
| 257 | #endif |
| 258 | |
| 259 | return( ret ); |
| 260 | } |
Manuel Pégourié-Gonnard | cbf3ef3 | 2013-09-23 12:20:02 +0200 | [diff] [blame^] | 261 | #endif /* POLARSSL_RSA_C && POLARSSL_X509_CRT_PARSE_C && POLARSSL_FS_IO && |
| 262 | POLARSSL_X509_CRL_PARSE_C */ |