Add tests for profile enforcement

Now all checks related to profile are covered in: - verify_with_profile() - verify_child() - verify_top() (that's 10 lines that were previously not covered) Leaving aside profile enforcement in CRLs for now, as the focus is on preparing to refactor cert verification.
2026-03-24 03:52:58 +00:00 · 2017-05-23 11:29:29 +02:00
parent 9832ceaa2a
commit 6622fed524
2 changed files with 46 additions and 0 deletions
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -28,6 +28,24 @@ const mbedtls_x509_crt_profile compat_profile =
    1024,
 };

+const mbedtls_x509_crt_profile profile_rsa3072 =
+{
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_RSA ),
+    0,
+    3072,
+};
+
+const mbedtls_x509_crt_profile profile_sha512 =
+{
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
+    0xFFFFFFF, /* Any PK alg    */
+    0xFFFFFFF, /* Any curve     */
+    1024,
+};
+
 int verify_none( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags )
 {
    ((void) data);
@@ -569,6 +587,10 @@ void mbedtls_x509_crt_verify_chain(  char *chain_paths, char *trusted_ca,
        profile = &mbedtls_x509_crt_profile_next;
    else if( strcmp(profile_name, "suiteb") == 0 )
        profile = &mbedtls_x509_crt_profile_suiteb;
+    else if( strcmp(profile_name, "rsa3072") == 0 )
+        profile = &profile_rsa3072;
+    else if( strcmp(profile_name, "sha512") == 0 )
+        profile = &profile_sha512;

    res = mbedtls_x509_crt_verify_with_profile( &chain, &trusted, NULL, profile,
            NULL, &flags, NULL, NULL );