[zephyr] Added framework as a flattened directory

Previously done in 2c824b4

Signed-off-by: Flavio Ceolin <[email protected]>

Author: ceolin

framework/CMakeLists.txt

@@ -0,0 +1 @@
+# This file is intentionally left blank. It soon won't be.

framework/CONTRIBUTING.md

@@ -0,0 +1,26 @@
+Contributing
+============
+We gratefully accept bug reports and contributions from the community. All PRs are reviewed by the project team / community, and may need some modifications to
+be accepted.
+
+Most contributions in this repository will be associated with [Mbed TLS](https://github.com/Mbed-TLS/mbedtls/blob/development/CONTRIBUTING.md) or TF-PSA-Crypto. Please consult their respective contribution guidelines for more information.
+
+What can I contribute here?
+---------------------------
+
+This repository is intended to contain files that are shared between multiple maintained branches of Mbed TLS and TF-PSA-Crypto. The exact policies are not yet written down. Please contribute in this repository if you wish to update one of the files that are present here.
+
+License and Copyright
+---------------------
+
+Unless specifically indicated otherwise in a file, Mbed TLS framework files are provided under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license. See the [LICENSE](LICENSE) file for the full text of these licenses. This means that users may choose which of these licenses they take the code under.
+
+Contributors must accept that their contributions are made under both the Apache-2.0 AND [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) licenses.
+
+All new files should include the standard SPDX license identifier where possible, i.e. "SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later".
+
+The copyright on contributions is retained by the original authors of the code. Where possible for new files, this should be noted in a comment at the top of the file in the form: "Copyright The Mbed TLS Contributors".
+
+When contributing code to us, the committer and all authors are required to make the submission under the terms of the [Developer Certificate of Origin](dco.txt), confirming that the code submitted can (legally) become part of the project, and is submitted under both the Apache-2.0 AND GPL-2.0-or-later licenses.
+
+This is done by including the standard Git `Signed-off-by:` line in every commit message. If more than one person contributed to the commit, they should also add their own `Signed-off-by:` line.

framework/LICENSE

@@ -0,0 +1,24 @@
+# Mbed TLS framework
+
+This repository contains a version-independent build and test framework for [TF-PSA-Crypto](https://github.com/Mbed-TLS/TF-PSA-Crypto) and [Mbed TLS](https://github.com/Mbed-TLS/mbedtls-framework).
+
+You need this repository as a Git submodule in a branch of one of the above repositories if:
+
+* You want to build, test or contribute to Mbed TLS 3.6.0 or above, and you are working from a snapshot of a Git commit on a development branch.
+* You want to build, test or contribute to TF-PSA-Crypto, and you are working from a snapshot of a Git commit on a development branch.
+
+You do not need this repository if:
+
+* You are working with Mbed TLS 2.28.
+* You want to build a release of Mbed TLS and run its unit tests.
+
+Contributing
+------------
+
+We gratefully accept bug reports and contributions from the community. Please see the [contributing guidelines](CONTRIBUTING.md) for details on how to do this.
+
+License
+-------
+
+Unless specifically indicated otherwise in a file, Mbed TLS framework files are provided under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license. See the [LICENSE](LICENSE) file for the full text of these licenses, and [the 'License and Copyright' section in the contributing guidelines](CONTRIBUTING.md#License-and-Copyright) for more information.
+

framework/README.md

@@ -0,0 +1,8 @@
+cli-rsa.csr
+server2-rsa.csr
+test-ca.csr
+
+mpi_write
+hmac_drbg_seed
+ctr_drbg_seed
+entropy_seed

framework/data_files/.gitignore

@@ -0,0 +1,135 @@
+This documents the X.509 CAs, certificates, and CRLS used for testing.
+
+Certification authorities
+-------------------------
+
+There are two main CAs for use as trusted roots:
+- test-ca.crt aka "C=NL, O=PolarSSL, CN=PolarSSL Test CA"
+  uses a RSA-2048 key
+  test-ca-sha1.crt and test-ca-sha256.crt use the same key, signed with
+  different hashes.
+- test-ca2*.crt aka "C=NL, O=PolarSSL, CN=Polarssl Test EC CA"
+  uses an EC key with NIST P-384 (aka secp384r1)
+  variants used to test the keyUsage extension
+The files test-ca_cat12 and test-ca_cat21 contain them concatenated both ways.
+
+Two intermediate CAs are signed by them:
+- test-int-ca.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA"
+  uses RSA-4096, signed by test-ca2
+    - test-int-ca-exp.crt is a copy that is expired
+- test-int-ca2.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA"
+  uses an EC key with NIST P-384, signed by test-ca
+
+A third intermediate CA is signed by test-int-ca2.crt:
+- test-int-ca3.crt "C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3"
+  uses an EC key with NIST P-256, signed by test-int-ca2
+
+Finally, other CAs for specific purposes:
+- enco-ca-prstr.pem: has its CN encoded as a printable string, but child cert
+  enco-cert-utf8str.pem has its issuer's CN encoded as a UTF-8 string.
+- test-ca-v1.crt: v1 "CA", signs
+    server1-v1.crt: v1 "intermediate CA", signs
+        server2-v1*.crt: EE cert (without of with chain in same file)
+- keyUsage.decipherOnly.crt: has the decipherOnly keyUsage bit set
+
+End-entity certificates
+-----------------------
+
+Short information fields:
+
+- name or pattern
+- issuing CA:   1   -> test-ca.crt
+                2   -> test-ca2.crt
+                I1  -> test-int-ca.crt
+                I2  -> test-int-ca2.crt
+                I3  -> test-int-ca3.crt
+                O   -> other
+- key type: R -> RSA, E -> EC
+- C -> there is a CRL revoking this cert (see below)
+- L -> CN=localhost (useful for local test servers)
+- P1, P2 if the file includes parent (resp. parent + grandparent)
+- free-form comments
+
+List of certificates:
+
+- cert_example_multi*.crt: 1/O R: subjectAltName
+- cert_example_wildcard.crt: 1 R: wildcard in subject's CN
+- cert_md*.crt, cert_sha*.crt: 1 R: signature hash
+- cert_v1_with_ext.crt: 1 R: v1 with extensions (illegal)
+- cli2.crt: 2 E: basic
+- cli-rsa.key, cli-rsa-*.crt: RSA key used for test clients, signed by
+  the RSA test CA.
+- enco-cert-utf8str.pem: see enco-ca-prstr.pem above
+- server1*.crt: 1* R C* P1*: misc *(server1-v1 see test-ca-v1.crt above)
+    *CRL for: .cert_type.crt, .crt, .key_usage.crt, .v1.crt
+    P1 only for _ca.crt
+- server2-v1*.crt: O R: see test-ca-v1.crt above
+- server2*.crt: 1 R L: misc
+- server3.crt: 1 E L: EC cert signed by RSA CA
+- server4.crt: 2 R L: RSA cert signed by EC CA
+- server5*.crt: 2* E L: misc *(except -selfsigned and -ss-*)
+    -sha*: hashes
+    .eku*: extendeKeyUsage (cli/srv = www client/server, cs = codesign, etc)
+    .ku*: keyUsage (ds = signatures, ke/ka = key exchange/agreement)
+    .req*: CSR, not certificate
+    -der*: trailing bytes in der (?)
+    -badsign.crt: S5 with corrupted signature
+    -expired.crt: S5 with "not after" date in the past
+    -future.crt: S5 with "not before" date in the future
+    -non-compliant.crt: S5, RFC non-compliant
+      (with forbidden EC algorithm identifier NULL parameter)
+      generated by (before fix):
+        cert_write subject_key=server5.key subject_name="CN=Test EC RFC non-compliant" issuer_crt=test-ca2.crt issuer_key=test-ca2.key
+    -selfsigned.crt: Self-signed cert with S5 key
+    -ss-expired.crt: Self-signed cert with S5 key, expired
+    -ss-forgeca.crt: Copy of test-int-ca3 self-signed with S5 key
+- server6-ss-child.crt: O E: "child" of non-CA server5-selfsigned
+- server6.crt, server6.pem: 2 E L C: revoked
+- server7.crt: I1 E L P1(usually): EC signed by RSA signed by EC
+    -badsign.crt: S7 with corrupted signature + I1
+    -expired.crt: S7 with "not after" date in the past + I1
+    -future.crt: S7 with "not before" date in the future + I1
+    _int-ca-exp.crt: S7 + expired I1
+    _int-ca.crt: S7 + I1
+    _int-ca_ca2.crt: S7 + I1 + 2
+    _all_space.crt: S7 + I1 both with misplaced spaces (invalid PEM)
+    _pem_space.crt: S7 with misplaced space (invalid PEM) + I1
+    _trailing_space.crt: S7 + I1 both with trailing space (valid PEM)
+    _spurious_int-ca.crt: S7 + I2(spurious) + I1
+- server8*.crt: I2 R L: RSA signed by EC signed by RSA (P1 for _int-ca2)
+- server9*.crt: 1 R C* L P1*: signed using RSASSA-PSS
+    *CRL for: 9.crt, -badsign, -with-ca (P1)
+- server10.crt: I3 E L
+    -badsign.crt: S10 with corrupted signature
+    -bs_int3.pem: S10-badsign + I3
+    _int3-bs.pem: S10 + I3-badsign
+    _int3_int-ca2.crt: S10 + I3 + I2
+    _int3_int-ca2_ca.crt: S10 + I3 + I2 + 1
+    _int3_spurious_int-ca2.crt: S10 + I3 + I1(spurious) + I2
+
+Certificate revocation lists
+----------------------------
+
+Signing CA in parentheses (same meaning as certificates).
+
+- crl-ec-sha*.pem: (2) server6.crt
+- crl-future.pem: (2) server6.crt + unknown
+- crl-rsa-pss-*.pem: (1) server9{,badsign,with-ca}.crt + cert_sha384.crt + unknown
+- crl.pem, crl-futureRevocationDate.pem, crl_expired.pem: (1) server1{,.cert_type,.key_usage,.v1}.crt + unknown
+- crl_md*.pem: crl_sha*.pem: (1) same as crl.pem
+- crt_cat_*.pem: (1+2) concatenations in various orders:
+    ec = crl-ec-sha256.pem, ecfut = crl-future.pem
+    rsa = crl.pem, rsabadpem = same with pem error, rsaexp = crl_expired.pem
+
+Note: crl_future would revoke server9 and cert_sha384.crt if signed by CA 1
+      crl-rsa-pss* would revoke server6.crt if signed by CA 2
+
+Generation
+----------
+
+Newer test files have been generated through commands in the Makefile. The
+resulting files are committed to the repository so that the tests can
+run without having to re-do the generation and so that the output is the
+same for everyone (the generation process is randomized).
+
+The origin of older certificates has not been recorded.