From 2abbac74dc89f5367eabed0bc03ad3e42499d206 Mon Sep 17 00:00:00 2001
From: Minos Galanakis
Date: Thu, 18 Jan 2024 17:05:21 +0000
Subject: [PATCH 1/5] x509: Added `mbedtls_x509_crt_get_ca_istrue()` API accessor.
Signed-off-by: Minos Galanakis
---
 include/mbedtls/x509_crt.h | 12 ++++++++++++
 library/x509_crt.c | 8 ++++++++
 2 files changed, 20 insertions(+)
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 3f1a1e761..fc1d0bc7b 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -916,6 +916,18 @@ static inline int mbedtls_x509_crt_has_ext_type(const mbedtls_x509_crt *ctx,
 return ctx->MBEDTLS_PRIVATE(ext_types) & ext_type;
 }
 
+/**
+ * \brief Access the ca_istrue field
+ *
+ * \param[in] crt Certificate to be queried, must not be \c NULL
+ *
+ * \return \c 1 if this a CA certificate \c 0 otherwise.
+ * \return MBEDTLS_ERR_X509_INVALID_EXTENSIONS if the certificate does not support
+ * the Optional Basic Constraint extension.
+ *
+ */
+int mbedtls_x509_crt_get_ca_istrue(const mbedtls_x509_crt *crt);
+
 /** \} name Structures and functions for parsing and writing X.509 certificates */
 #if defined(MBEDTLS_X509_CRT_WRITE_C)
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 7f0160a00..2fd56fbd7 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -3290,4 +3290,12 @@ void mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx *ctx)
 }
 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
 
+int mbedtls_x509_crt_get_ca_istrue(const mbedtls_x509_crt *crt)
+{
+ if ((crt->ext_types & MBEDTLS_X509_EXT_BASIC_CONSTRAINTS) != 0) {
+ return crt->MBEDTLS_PRIVATE(ca_istrue);
+ }
+ return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
+}
+
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
From a83ada4eba4f32f012a638a52890559f6d634970 Mon Sep 17 00:00:00 2001
From: Minos Galanakis
Date: Fri, 19 Jan 2024 10:59:07 +0000
Subject: [PATCH 2/5] tests: Added test for `mbedtls_x509_crt_get_ca_istrue()`
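Review bot: The error return shares the value space with the boolean result, so a caller that writes `if (mbedtls_x509_crt_get_ca_istrue(crt))` treats a certificate without Basic Constraints, for which the non-zero MBEDTLS_ERR_X509_INVALID_EXTENSIONS comes back, as a CA; the \return documentation should say so. Suggest `* \return \c 1 if this is a CA certificate, \c 0 otherwise.` plus a note such as `* \note The error code is non-zero; compare the result with \c 1 rather than testing it for truth.` The "if this a" wording survives as context in the patch 4 hunk of this same file, and since X.509 names the extension "Basic Constraints", `the Optional Basic Constraint extension` would read better as `the Basic Constraints extension`.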
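Review bot: The new function mixes direct and wrapped field access on adjacent lines, `crt->ext_types` in the condition and `crt->MBEDTLS_PRIVATE(ca_istrue)` in the return; the bare form presumably relies on the library being compiled with private access allowed, which the wrapped form makes explicit. The inline accessor `mbedtls_x509_crt_has_ext_type()` shown as context in the header hunk already performs this bit test, so the condition can become `if (mbedtls_x509_crt_has_ext_type(crt, MBEDTLS_X509_EXT_BASIC_CONSTRAINTS)) {`, keeping the ext_types test in one place. No NULL check is made on `crt`, which matches the header's "must not be NULL" contract.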
Signed-off-by: Minos Galanakis
---
 tests/suites/test_suite_x509parse.data | 8 ++++++++
 tests/suites/test_suite_x509parse.function | 15 +++++++++++++++
 2 files changed, 23 insertions(+)
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 2b0920d80..7519d82d2 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -3155,6 +3155,14 @@ X509 File parse (conforms to RFC 5480 / RFC 5758 - AlgorithmIdentifier's paramet
 depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
 x509parse_crt_file:"data_files/parse_input/server5.crt":0
 
+X509 File parse & read the ca_istrue field (Not Set)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1
+mbedtls_x509_get_ca_istrue:"data_files/parse_input/server1.crt":0
+
+X509 File parse & read the ca_istrue field (Set)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1
+mbedtls_x509_get_ca_istrue:"data_files/test-ca.crt":1
+
 X509 Get time (UTC no issues)
 depends_on:MBEDTLS_X509_USE_C
 x509_get_time:MBEDTLS_ASN1_UTC_TIME:"500101000000Z":0:1950:1:1:0:0:0
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 66477e0d1..f3ae0f4d0 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -1083,6 +1083,21 @@ exit:
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_FS_IO */
+void mbedtls_x509_get_ca_istrue(char *crt_file, int result)
+{
+ mbedtls_x509_crt crt;
+ mbedtls_x509_crt_init(&crt);
+ USE_PSA_INIT();
+
+ TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0);
+ TEST_EQUAL(mbedtls_x509_crt_get_ca_istrue(&crt), result);
+exit:
+ mbedtls_x509_crt_free(&crt);
+ USE_PSA_DONE();
+}
+/* END_CASE */
+
 /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */
 void x509parse_crt(data_t *buf, char *result_str, int result)
 {
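Review bot: The test function is named `mbedtls_x509_get_ca_istrue`, which places a test-suite entry point in the library's `mbedtls_` namespace and reads like a library API one token away from `mbedtls_x509_crt_get_ca_istrue`; the neighbouring cases in this hunk (`x509parse_crt`) and in the .data hunk (`x509parse_crt_file`, `x509_get_time`) use suite-local names. Suggest `void x509parse_crt_get_ca_istrue(char *crt_file, int result)` with the matching rename of the three .data entries in this patch and in patch 5. The `int result` parameter also carries the negative error code expected by the patch 5 case, which is fine for TEST_EQUAL but worth a one-line comment above the second TEST_EQUAL, e.g. `/* result is 0, 1 or MBEDTLS_ERR_X509_INVALID_EXTENSIONS */`.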
From 79ee110446e9ac37c3fdef5cd3c3c72bbce8b2cd Mon Sep 17 00:00:00 2001
From: Minos Galanakis
Date: Wed, 14 Feb 2024 21:34:21 +0000
Subject: [PATCH 3/5] Added changelog
Signed-off-by: Minos Galanakis
---
 ChangeLog.d/x509-add-ca_istrue.txt | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 ChangeLog.d/x509-add-ca_istrue.txt
diff --git a/ChangeLog.d/x509-add-ca_istrue.txt b/ChangeLog.d/x509-add-ca_istrue.txt
new file mode 100644
index 000000000..4594c2296
--- /dev/null
+++ b/ChangeLog.d/x509-add-ca_istrue.txt
@@ -0,0 +1,4 @@
+Features
+ * Add new accessor to expose the `MBEDTLS_PRIVATE(ca_istrue)` member of
+ `mbedtls_x509_crt` structure. This requires setting
+ MBEDTLS_X509_EXT_BASIC_CONSTRAINTS.
From 87b4f6d86c17fa4f6f08ff1df71b78001b85e883 Mon Sep 17 00:00:00 2001
From: Minos Galanakis
Date: Tue, 5 Mar 2024 11:05:51 +0000
Subject: [PATCH 4/5] x509: Reworded documentation bits.
Signed-off-by: Minos Galanakis
---
 ChangeLog.d/x509-add-ca_istrue.txt | 3 ++-
 include/mbedtls/x509_crt.h | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/ChangeLog.d/x509-add-ca_istrue.txt b/ChangeLog.d/x509-add-ca_istrue.txt
index 4594c2296..c950dbc08 100644
--- a/ChangeLog.d/x509-add-ca_istrue.txt
+++ b/ChangeLog.d/x509-add-ca_istrue.txt
@@ -1,4 +1,5 @@
 Features
 * Add new accessor to expose the `MBEDTLS_PRIVATE(ca_istrue)` member of
 `mbedtls_x509_crt` structure. This requires setting
- MBEDTLS_X509_EXT_BASIC_CONSTRAINTS.
+ the MBEDTLS_X509_EXT_BASIC_CONSTRAINTS bit in the certificate's
+ ext_types field.
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index fc1d0bc7b..1ce0d2361 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -922,7 +922,7 @@ static inline int mbedtls_x509_crt_has_ext_type(const mbedtls_x509_crt *ctx,
 * \param[in] crt Certificate to be queried, must not be \c NULL
 *
 * \return \c 1 if this a CA certificate \c 0 otherwise.
- * \return MBEDTLS_ERR_X509_INVALID_EXTENSIONS if the certificate does not support
+ * \return MBEDTLS_ERR_X509_INVALID_EXTENSIONS if the certificate does not contain
 * the Optional Basic Constraint extension.
 *
 */
From 581e63637acec0e4b5e14ef909124ce0a2f2a947 Mon Sep 17 00:00:00 2001
From: Minos Galanakis
Date: Tue, 5 Mar 2024 11:46:22 +0000
Subject: [PATCH 5/5] test_suite_x509parse: Added test-case for legacy certificate
Signed-off-by: Minos Galanakis
---
 tests/suites/test_suite_x509parse.data | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 7519d82d2..754660c56 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -3163,6 +3163,10 @@ X509 File parse & read the ca_istrue field (Set)
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1
 mbedtls_x509_get_ca_istrue:"data_files/test-ca.crt":1
 
+X509 File parse & read the ca_istrue field (Legacy Certificate)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256
+mbedtls_x509_get_ca_istrue:"data_files/server1-v1.crt":MBEDTLS_ERR_X509_INVALID_EXTENSIONS
+
 X509 Get time (UTC no issues)
 depends_on:MBEDTLS_X509_USE_C
 x509_get_time:MBEDTLS_ASN1_UTC_TIME:"500101000000Z":0:1950:1:1:0:0:0