Fix missing check for RSA key length on EE certs
- also adapt tests to use lesser requirement for compatibility with old testing material
This commit is contained in:
parent
7980096899
commit
65eefc8707
6 changed files with 54 additions and 15 deletions
|
@ -1385,6 +1385,10 @@ void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
|
|||
/**
|
||||
* \brief Set the X.509 security profile used for verification
|
||||
*
|
||||
* \note The restrictions are enforced for all certificates in the
|
||||
* chain. However, signatures in the handshake are not covered
|
||||
* by this setting but by \b mbedtls_ssl_conf_sig_hashes().
|
||||
*
|
||||
* \param conf SSL configuration
|
||||
* \param profile Profile to use
|
||||
*/
|
||||
|
@ -1546,16 +1550,14 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
|
|||
* On client: this affects the list of curves offered for any
|
||||
* use. The server can override our preference order.
|
||||
*
|
||||
* Both sides: limits the set of curves used by peer to the
|
||||
* listed curves for any use ECDHE and the end-entity
|
||||
* certificate.
|
||||
* Both sides: limits the set of curves accepted for use in
|
||||
* ECDHE and in the peer's end-entity certificate.
|
||||
*
|
||||
* \note This has no influence on which curve are allowed inside the
|
||||
* \note This has no influence on which curves are allowed inside the
|
||||
* certificate chains, see \c mbedtls_ssl_conf_cert_profile()
|
||||
* for that. For example, if the peer's certificate chain is
|
||||
* EE -> CA_int -> CA_root, then the allowed curves for EE are
|
||||
* controlled by \c mbedtls_ssl_conf_curves() but for CA_int
|
||||
* and CA_root it's \c mbedtls_ssl_conf_cert_profile().
|
||||
* for that. For the end-entity certificate however, the key
|
||||
* will be accepted only if it is allowed both by this list
|
||||
* and by the cert profile.
|
||||
*
|
||||
* \note This list should be ordered by decreasing preference
|
||||
* (preferred curve first).
|
||||
|
|
|
@ -301,8 +301,8 @@ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
|
|||
* security profile.
|
||||
*
|
||||
* \note The restrictions on keys (RSA minimum size, allowed curves
|
||||
* for ECDSA) only applys to (intermediate) CAs, not to the
|
||||
* end-entity certificate.
|
||||
* for ECDSA) apply to all certificates: trusted root,
|
||||
* intermediate CAs if any, and end entity certificate.
|
||||
*
|
||||
* \param crt a certificate to be verified
|
||||
* \param trust_ca the trusted CA chain
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue