mbedtls/programs/test/ssl_cert_test.c

230 lines
5.9 KiB
C

/*
* SSL certificate functionality tests
*
* Copyright (C) 2006-2009, Paul Bakker <polarssl_maintainer at polarssl.org>
* All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef _CRT_SECURE_NO_DEPRECATE
#define _CRT_SECURE_NO_DEPRECATE 1
#endif
#include <string.h>
#include <stdio.h>
#include "polarssl/certs.h"
#include "polarssl/x509.h"
#if defined _MSC_VER && !defined snprintf
#define snprintf _snprintf
#endif
#define MAX_CLIENT_CERTS 8
char *client_certificates[MAX_CLIENT_CERTS] =
{
"client1.crt",
"client2.crt",
"server1.crt",
"server2.crt",
"cert_sha224.crt",
"cert_sha256.crt",
"cert_sha384.crt",
"cert_sha512.crt"
};
char *client_private_keys[MAX_CLIENT_CERTS] =
{
"client1.key",
"client2.key",
"server1.key",
"server2.key",
"cert_sha224.key",
"cert_sha256.key",
"cert_sha384.key",
"cert_sha512.key"
};
int main( void )
{
int ret, i;
x509_cert cacert;
x509_crl crl;
char buf[10240];
memset( &cacert, 0, sizeof( x509_cert ) );
memset( &crl, 0, sizeof( x509_crl ) );
/*
* 1.1. Load the trusted CA
*/
printf( "\n . Loading the CA root certificate ..." );
fflush( stdout );
/*
* Alternatively, you may load the CA certificates from a .pem or
* .crt file by calling x509parse_crtfile( &cacert, "myca.crt" ).
*/
ret = x509parse_crtfile( &cacert, "ssl/test-ca/test-ca.crt" );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crtfile returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
x509parse_cert_info( buf, 1024, "CRT: ", &cacert );
printf("%s\n", buf );
/*
* 1.2. Load the CRL
*/
printf( " . Loading the CRL ..." );
fflush( stdout );
ret = x509parse_crlfile( &crl, "ssl/test-ca/crl.pem" );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crlfile returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
x509parse_crl_info( buf, 1024, "CRL: ", &crl );
printf("%s\n", buf );
for( i = 0; i < MAX_CLIENT_CERTS; i++ )
{
/*
* 1.3. Load own certificate
*/
char name[512];
int flags;
x509_cert clicert;
rsa_context rsa;
memset( &clicert, 0, sizeof( x509_cert ) );
memset( &rsa, 0, sizeof( rsa_context ) );
snprintf(name, 512, "ssl/test-ca/%s", client_certificates[i]);
printf( " . Loading the client certificate %s...", name );
fflush( stdout );
ret = x509parse_crtfile( &clicert, name );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 1.4. Verify certificate validity with CA certificate
*/
printf( " . Verify the client certificate with CA certificate..." );
fflush( stdout );
ret = x509parse_verify( &clicert, &cacert, &crl, NULL, &flags );
if( ret != 0 )
{
if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED )
{
if( flags & BADCERT_CN_MISMATCH )
printf( " CN_MISMATCH " );
if( flags & BADCERT_EXPIRED )
printf( " EXPIRED " );
if( flags & BADCERT_REVOKED )
printf( " REVOKED " );
if( flags & BADCERT_NOT_TRUSTED )
printf( " NOT_TRUSTED " );
if( flags & BADCRL_NOT_TRUSTED )
printf( " CRL_NOT_TRUSTED " );
if( flags & BADCRL_EXPIRED )
printf( " CRL_EXPIRED " );
} else {
printf( " failed\n ! x509parse_verify returned %d\n\n", ret );
goto exit;
}
}
printf( " ok\n" );
/*
* 1.5. Load own private key
*/
snprintf(name, 512, "ssl/test-ca/%s", client_private_keys[i]);
printf( " . Loading the client private key %s...", name );
fflush( stdout );
ret = x509parse_keyfile( &rsa, name, NULL );
if( ret != 0 )
{
printf( " failed\n ! x509parse_key returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 1.5. Verify certificate validity with private key
*/
printf( " . Verify the client certificate with private key..." );
fflush( stdout );
ret = mpi_cmp_mpi(&rsa.N, &clicert.rsa.N);
if( ret != 0 )
{
printf( " failed\n ! mpi_cmp_mpi for N returned %d\n\n", ret );
goto exit;
}
ret = mpi_cmp_mpi(&rsa.E, &clicert.rsa.E);
if( ret != 0 )
{
printf( " failed\n ! mpi_cmp_mpi for E returned %d\n\n", ret );
goto exit;
}
ret = rsa_check_privkey( &rsa );
if( ret != 0 )
{
printf( " failed\n ! rsa_check_privkey returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
x509_free( &clicert );
rsa_free( &rsa );
}
exit:
x509_free( &cacert );
x509_crl_free( &crl );
#ifdef WIN32
printf( " + Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( ret );
}