/* * Checkup routine */ int mbedtls_x509_self_test( int verbose ) { #if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_SHA256_C) int ret; uint32_t flags; mbedtls_x509_crt cacert; mbedtls_x509_crt clicert; if( verbose != 0 ) mbedtls_printf( " X.509 certificate load: " ); mbedtls_x509_crt_init( &clicert ); ret = mbedtls_x509_crt_parse( &clicert, (const unsigned char *) mbedtls_test_cli_crt, mbedtls_test_cli_crt_len ); if( ret != 0 ) { if( verbose != 0 ) mbedtls_printf( "failed\n" ); return( ret ); } mbedtls_x509_crt_init( &cacert ); ret = mbedtls_x509_crt_parse( &cacert, (const unsigned char *) mbedtls_test_ca_crt, mbedtls_test_ca_crt_len ); if( ret != 0 ) { if( verbose != 0 ) mbedtls_printf( "failed\n" ); return( ret ); } if( verbose != 0 ) mbedtls_printf( "passed\n X.509 signature verify: "); ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL, NULL, &flags, NULL, NULL ); if( ret != 0 ) { if( verbose != 0 ) mbedtls_printf( "failed\n" ); return( ret ); } if( verbose != 0 ) mbedtls_printf( "passed\n\n"); mbedtls_x509_crt_free( &cacert ); mbedtls_x509_crt_free( &clicert ); return( 0 ); #else ((void) verbose); return( 0 ); #endif /* MBEDTLS_CERTS_C && MBEDTLS_SHA1_C */ }
result_t X509Cert::verify(X509Cert_base *cert, bool &retVal, AsyncEvent *ac) { int32_t ret; uint32_t flags; ret = mbedtls_x509_crt_verify(&(((X509Cert *)cert)->m_crt), &m_crt, NULL, NULL, &flags, NULL, NULL); if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) { retVal = false; return 0; } else if (ret != 0) return CHECK_ERROR(_ssl::setError(ret)); retVal = true; return 0; }
int main( void ) { int ret, i; mbedtls_x509_crt cacert; mbedtls_x509_crl crl; char buf[10240]; mbedtls_x509_crt_init( &cacert ); mbedtls_x509_crl_init( &crl ); /* * 1.1. Load the trusted CA */ mbedtls_printf( "\n . Loading the CA root certificate ..." ); fflush( stdout ); /* * Alternatively, you may load the CA certificates from a .pem or * .crt file by calling mbedtls_x509_crt_parse_file( &cacert, "myca.crt" ). */ ret = mbedtls_x509_crt_parse_file( &cacert, "ssl/test-ca/test-ca.crt" ); if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file returned %d\n\n", ret ); goto exit; } mbedtls_printf( " ok\n" ); mbedtls_x509_crt_info( buf, 1024, "CRT: ", &cacert ); mbedtls_printf("%s\n", buf ); /* * 1.2. Load the CRL */ mbedtls_printf( " . Loading the CRL ..." ); fflush( stdout ); ret = mbedtls_x509_crl_parse_file( &crl, "ssl/test-ca/crl.pem" ); if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_x509_crl_parse_file returned %d\n\n", ret ); goto exit; } mbedtls_printf( " ok\n" ); mbedtls_x509_crl_info( buf, 1024, "CRL: ", &crl ); mbedtls_printf("%s\n", buf ); for( i = 0; i < MAX_CLIENT_CERTS; i++ ) { /* * 1.3. Load own certificate */ char name[512]; uint32_t flags; mbedtls_x509_crt clicert; mbedtls_pk_context pk; mbedtls_x509_crt_init( &clicert ); mbedtls_pk_init( &pk ); mbedtls_snprintf(name, 512, "ssl/test-ca/%s", client_certificates[i]); mbedtls_printf( " . Loading the client certificate %s...", name ); fflush( stdout ); ret = mbedtls_x509_crt_parse_file( &clicert, name ); if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file returned %d\n\n", ret ); goto exit; } mbedtls_printf( " ok\n" ); /* * 1.4. Verify certificate validity with CA certificate */ mbedtls_printf( " . Verify the client certificate with CA certificate..." ); fflush( stdout ); ret = mbedtls_x509_crt_verify( &clicert, &cacert, &crl, NULL, &flags, NULL, NULL ); if( ret != 0 ) { if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ) { char vrfy_buf[512]; mbedtls_printf( " failed\n" ); mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags ); mbedtls_printf( "%s\n", vrfy_buf ); } else { mbedtls_printf( " failed\n ! mbedtls_x509_crt_verify returned %d\n\n", ret ); goto exit; } } mbedtls_printf( " ok\n" ); /* * 1.5. Load own private key */ mbedtls_snprintf(name, 512, "ssl/test-ca/%s", client_private_keys[i]); mbedtls_printf( " . Loading the client private key %s...", name ); fflush( stdout ); ret = mbedtls_pk_parse_keyfile( &pk, name, NULL ); if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile returned %d\n\n", ret ); goto exit; } mbedtls_printf( " ok\n" ); /* * 1.6. Verify certificate validity with private key */ mbedtls_printf( " . Verify the client certificate with private key..." ); fflush( stdout ); /* EC NOT IMPLEMENTED YET */ if( ! mbedtls_pk_can_do( &clicert.pk, MBEDTLS_PK_RSA ) ) { mbedtls_printf( " failed\n ! certificate's key is not RSA\n\n" ); ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE; goto exit; } ret = mbedtls_mpi_cmp_mpi(&mbedtls_pk_rsa( pk )->N, &mbedtls_pk_rsa( clicert.pk )->N); if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_mpi_cmp_mpi for N returned %d\n\n", ret ); goto exit; } ret = mbedtls_mpi_cmp_mpi(&mbedtls_pk_rsa( pk )->E, &mbedtls_pk_rsa( clicert.pk )->E); if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_mpi_cmp_mpi for E returned %d\n\n", ret ); goto exit; } ret = mbedtls_rsa_check_privkey( mbedtls_pk_rsa( pk ) ); if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_rsa_check_privkey returned %d\n\n", ret ); goto exit; } mbedtls_printf( " ok\n" ); mbedtls_x509_crt_free( &clicert ); mbedtls_pk_free( &pk ); } exit: mbedtls_x509_crt_free( &cacert ); mbedtls_x509_crl_free( &crl ); #if defined(_WIN32) mbedtls_printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif return( ret ); }
mbedtls_x509_crt *load_cert_file( const char *ca_file, const char *certfile ) { int ret = 0; unsigned char buf[1024]; mbedtls_net_context server_fd; mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; mbedtls_ssl_context ssl; mbedtls_ssl_config conf; mbedtls_x509_crt cacert; mbedtls_x509_crt *cur; mbedtls_x509_crt *cert; mbedtls_pk_context pkey; int i; uint32_t flags; int verify = 0; char *p, *q; /* * Set to sane values */ cert = (mbedtls_x509_crt *)mbedtls_calloc(1, sizeof(*cert)); cur = cert; mbedtls_x509_crt_init( cert ); mbedtls_ctr_drbg_init( &ctr_drbg ); mbedtls_x509_crt_init( &cacert ); /* Zeroize structure as CRL parsing is not supported and we have to pass it to the verify function */ mbedtls_pk_init( &pkey ); /* * 1.1. Load the trusted CA */ mbedtls_printf( " . Loading the CA root certificate ..." ); fflush( stdout ); ret = mbedtls_x509_crt_parse_file( &cacert, ca_file ); if( ret < 0 ) { fprintf(stderr, " failed\n ! mbedtls_x509_crt_parse returned -0x%x\n\n", -ret ); return NULL; } mbedtls_printf( " ok (%d skipped)\n", ret ); /* * 1.1. Load the certificate(s) */ printf( "\n . Loading the certificate at: %s ...", certfile); ret = mbedtls_x509_crt_parse_file( cert, certfile ); if( ret < 0 ) { char errorbuf[256]; mbedtls_strerror( ret, errorbuf, sizeof(errorbuf)); printf( " failed\n ! mbedtls_x509_crt_parse_file returned %d: %s\n\n", ret, errorbuf ); mbedtls_x509_crt_free( cert ); goto exit; } printf( " ok\n" ); /* * 1.2 Print the certificate(s) */ while( cur != NULL ) { printf( " . Peer certificate information ...\n" ); ret = mbedtls_x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ", cur ); if( ret == -1 ) { printf( " failed\n ! mbedtls_x509_crt_info returned %d\n\n", ret ); goto exit; } printf( "%s\n", buf ); cur = cur->next; } ret = 0; /* * 1.3 Verify the certificate */ printf( " . Verifying X.509 certificate..." ); if( ( ret = mbedtls_x509_crt_verify( cert, &cacert, NULL, NULL, &flags, my_verify, NULL ) ) != 0 ) { char vrfy_buf[512]; printf( " failed\n" ); mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags ); printf( "%s\n", vrfy_buf ); goto exit; } else printf( " ok\n" ); exit: //mbedtls_net_free( &server_fd ); mbedtls_x509_crt_free( &cacert ); mbedtls_pk_free( &pkey ); mbedtls_ctr_drbg_free( &ctr_drbg ); mbedtls_entropy_free( &entropy ); if( ret < 0 ) { mbedtls_x509_crt_free( cert ); mbedtls_free(cert); return NULL; } return cert; }