Commit Graph

151 Commits

Author SHA1 Message Date
John Safranek 61ac7315e2 a certificate was named in an automake include that isn't actually in the tree, a similar named certificate is actually used 2018-07-31 17:25:35 -07:00
Sean Parkinson 6d3e145571 Changes to build with X25519 and Ed25519 only
Allows configurations without RSA, DH and ECC but with Curve25519
algorithms to work with SSL/TLS using X25519 key exchange and Ed25519
certificates.
Fix Ed25519 code to call wc_Sha512Free().
Add certificates to test.h and fix examples to use them.
2018-07-23 10:20:18 +10:00
John Safranek 0240cc7795 add missing certificates to the automake include 2018-07-12 17:06:02 -07:00
John Safranek adb3cc5a5a Subject Alt Name Matching
1. Added certificates for localhost where the CN and SAN match and differ.
2. Change subject name matching so the CN is checked if the SAN list doesn't exit, and only check the SAN list if present.
3. Added a test case for the CN/SAN mismatch.
4. Old matching behavior restored with build option WOLFSSL_ALLOW_NO_CN_IN_SAN.
5. Add test case for a correct certificate.

Note: The test for the garbage certificate should fail. If you enable the old behavior, that test case will start succeeding, causing the test to fail.
2018-07-02 13:39:11 -07:00
toddouska 0c74e778dc Merge pull request #1633 from dgarske/bench_3072
Benchmark support for 3072-bit RSA and DH
2018-06-27 07:17:53 -07:00
Jacob Barthelmeh 8c9e0cd427 add options for OCSP test and combine certs 2018-06-22 15:58:27 -06:00
David Garske ed1c56a4fc Benchmark support for 3072-bit RSA and DH when USE_CERT_BUFFERS_3072 is defined. 2018-06-22 09:30:33 -07:00
Jacob Barthelmeh 518c987c61 update CA for ocsp test 2018-06-21 12:13:33 -06:00
toddouska 15348d4936 Merge pull request #1612 from dgarske/fixmatchdomainname
Fixes for `MatchDomainName` to properly detect failures
2018-06-13 13:13:52 -07:00
David Garske 61056829c5 Added success test cases for domain name match (SNI) in common name and alternate name. 2018-06-13 09:26:54 -07:00
David Garske 8fa1592542 Fix to use SHA256 for the self-signed test certificates. 2018-06-12 16:12:29 -07:00
David Garske 1f16b36402 Fixes for MatchDomainName to properly detect failures:
* Fix `MatchDomainName` to also check for remaining len on success check.
* Enhanced `DNS_entry` to include actual ASN.1 length and use it thoughout (was using XSTRLEN).

Added additional tests for matching on domain name:
* Check for bad common name with embedded null (CN=localhost\0h, Alt=None) - Note: Trouble creating cert with this criteria
* Check for bad alternate name with embedded null (CN=www.nomatch.com, Alt=localhost\0h)
* Check for bad common name (CN=www.nomatch.com, Alt=None)
* Check for bad alternate name (CN=www.nomatch.com, Alt=www.nomatch.com)
* Check for good wildcard common name (CN=*localhost, Alt=None)
* Check for good wildcard alternate name (CN=www.nomatch.com, Alt=*localhost)
2018-06-12 14:15:34 -07:00
Sean Parkinson 5547a7b4bd Fix private-only keys and make them script generated 2018-06-08 17:38:11 +10:00
John Safranek f1588e0ad9 Fix Cert Includes
1. Added files that were missing from the certs directory include.am files.
2. Fixed the duplicate items in the certs directory's include.am files.
3. Reorganized the certs directory include.am files to be a tree.
2018-05-31 17:38:47 -07:00
John Safranek 8a61b7303a Remove execute bit from a few files. 2018-05-31 10:14:47 -07:00
toddouska 999663fae1 Merge pull request #1498 from JacobBarthelmeh/Certs
update before/after dates with certificates
2018-05-30 10:09:49 -07:00
Jacob Barthelmeh 1a7d208a60 add crl2.pem to renew certs script 2018-05-29 16:57:30 -06:00
David Garske a5c2e8b912 Added test for common name with invalid domain fails as expected when set with wolfSSL_check_domain_name. 2018-05-24 14:39:35 -07:00
toddouska 453daee965 Merge pull request #1523 from SparkiDev/ed25519_key
Allow Ed25519 private-only keys to work in TLS
2018-05-24 09:56:17 -07:00
Sean Parkinson 9358edf5dd Fixes from code review
Include new private key files in release.
Set messages field to NULL after free.
2018-05-24 08:43:28 +10:00
Sean Parkinson 58f523beba Allow Ed25519 private-only keys to work in TLS
Change Ed25519 in TLS 1.2 to keep a copy of all the messages for
certificate verification - interop with OpenSSL.
2018-05-24 08:43:28 +10:00
Jacob Barthelmeh 63a0e872c5 add test for fail case when parsing relative URI path 2018-05-14 14:27:02 -06:00
Jacob Barthelmeh bb979980ca add test case for parsing URI from certificate 2018-05-08 16:24:41 -06:00
David Garske 89a4c98670 * Added support for expected fail test cases with example client/server and suites unit test.
* Added test for certificate with bad alt name containing a null character mid byte stream.
* Fix for issue with suites unit test where last arg in file doesn't conain data for a param, causing it to skip test.
* Fix for last test in tests/test.conf not being run for `TLSv1.2 RSA 3072-bit DH 3072-bit`.
* Moved the `tls-cert-fail.test` tests into the new expected failure suite test (`./tests/test-fails.conf`). Now it explicilty checks RSA and ECC for the no signer and no sig tests.
2018-05-03 09:40:51 -07:00
Jacob Barthelmeh e895bacbba update before/after dates with certificates 2018-04-13 09:31:32 -06:00
Jacob Barthelmeh 607bd96317 add ocsp cert renew and test-pathlen to script 2018-03-14 16:35:16 -06:00
Jacob Barthelmeh e41f5de556 default generate ed25519 cert with renew and add ecc crls to script 2018-03-09 14:09:34 -07:00
Jacob Barthelmeh d9738563af add ed25519 certificate generation to renewcerts.sh 2018-03-09 10:43:36 -07:00
Jacob Barthelmeh f6b5427f2b bad sig certificate renew script 2018-03-09 09:50:52 -07:00
Jacob Barthelmeh 849e1eb10d updating renewcerts script 2018-03-09 00:35:14 -07:00
Jacob Barthelmeh f223f8fdfd update certificate after dates 2018-03-02 14:31:08 -07:00
John Safranek 7b1f6967c8 added another CA to the wolfssl website ca file 2018-03-01 11:57:12 -08:00
toddouska 9a4fe0fe4e Merge pull request #1353 from dgarske/asn_strict
Added RFC 5280 "must" checks
2018-02-14 10:01:58 -08:00
Jacob Barthelmeh 62b8c0c3fd add test case for order of certificates with PKCS12 parse 2018-02-07 16:52:39 -07:00
David Garske c2a0de93b8 Fix to resolve wolfCrypt test for `cert_test nameConstraints test. Fixed ASN check to properly determine if certificate is CA type. 2018-02-07 12:48:33 -08:00
David Garske d7ae1df778 Fix to add keyUsage keyAgreement for the ECC server certificate. Resolves issue with openssl test using "ECDH-ECDSA" cipher suite. 2017-10-20 11:26:15 -07:00
David Garske 024c8725ad Testing improvements for cert gen and TLS cert validation:
* Fixes to support certificate generation (`WOLFSSL_CERT_GEN`) without RSA enabled.
* Added new ECC CA for 384-bit tests.
* Created new server cert chain (ECC CA for 256-bit that signs server-ecc.pem)
* Created new `./certs/ecc/genecc.sh` script for generating all ECC CA's, generated server cert req (CSR), signing with CA and the required CRL.
* Moved the wolfCrypt ECC CA / ECC cert gen test into `ecc_test` as `ecc_test_cert_gen`.
* Refactor duplicate code that saves DER to disk, converts DER to PEM and saves PEM to disk into SaveDerAndPem function.
* Changed `ecc_test_make_pub` and `ecc_test_key_gen` to use XMALLOC for temp buffers (uses heap instead of stack).
* Cleanup to combine all certificate subject information into global `certDefaultName`.
* Updated cert request info to use wolfSSL instead of Yassl.
* Cleanup to combine keyUsage into `certKeyUsage` and `certKeyUsage2`.
* Re-number error codes in rsa_test.
* Moved the certext_test after the ecc_test, since it uses a file generated in `ecc_test_cert_gen`.
2017-10-19 16:17:51 -07:00
Sean Parkinson f724206e37 Add test for 3072-bit RSA and DH and fix modexp 2017-10-17 08:36:39 +10:00
Sean Parkinson 90f8f67982 Single Precision maths for RSA (and DH)
Single Precision ECC implementation
2017-10-17 08:36:39 +10:00
Chris Conlon af00787f80 update root certs for ocsp scripts 2017-08-14 12:58:36 -06:00
Chris Conlon 667b8431cc Merge pull request #683 from moisesguimaraes/wolfssl-py
wolfssl python wrapper
2017-07-19 09:22:02 -07:00
Moisés Guimarães 54177c14b4 imports certs from ./certs 2017-07-03 12:31:47 -03:00
Jacob Barthelmeh b0f87fdcf7 update .am files for make dist 2017-06-22 14:14:45 -06:00
Moisés Guimarães a9d5dcae58 updates ocsp tests; adds check for OCSP response signed by issuer. 2017-06-21 14:12:12 -07:00
Sean Parkinson 13c4fe6cc4 Add test 2017-06-14 09:44:26 +10:00
Sean Parkinson 1db52f0c04 Fix to use different PEM header for EDDSA keys
Include new cert and key files in distribution
Fix compile issue when only doing TLS13.
2017-06-08 09:26:49 +10:00
Sean Parkinson 613d30bcae ED25519 TLS support 2017-06-08 09:26:49 +10:00
Sean Parkinson ff4fcf21d6 Add test for private key only ecc key 2017-05-15 10:04:42 +10:00
Sean Parkinson 4d77e80d04 Fix loading of CRLs and certs.
Change function wolfSSL_X509_LOOKUP_load_file to load multiple CRLs and
certificates from a file.
Change CRL loading to have a flag to not verify CRL signature - only do
this when using wolfSSL_X509_LOOKUP_load_file() as the certificate is
not always available.
Add test case for loading multiple CRLs in one file without certificate.
2017-05-15 10:04:42 +10:00
Jacob Barthelmeh 4c8fdf99c5 add digsigku to renewcerts script and update the not after date 2017-05-02 18:08:10 -06:00