Fix missing check for RSA key length on EE certs

- also adapt tests to use lesser requirement for compatibility with old
  testing material
Manuel Pégourié-Gonnard 2015-10-23 14:08:48 +02:00
parent 7980096899
commit 65eefc8707
6 changed files with 54 additions and 15 deletions


@ -1385,6 +1385,10 @@ void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
/**
* \brief Set the X.509 security profile used for verification
*
* \note The restrictions are enforced for all certificates in the
* chain. However, signatures in the handshake are not covered
* by this setting but by \b mbedtls_ssl_conf_sig_hashes().
*
* \param conf SSL configuration
* \param profile Profile to use
*/
@ -1546,16 +1550,14 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
* On client: this affects the list of curves offered for any
* use. The server can override our preference order.
*
* Both sides: limits the set of curves used by peer to the
* listed curves for any use ECDHE and the end-entity
* certificate.
* Both sides: limits the set of curves accepted for use in
* ECDHE and in the peer's end-entity certificate.
*
* \note This has no influence on which curve are allowed inside the
* \note This has no influence on which curves are allowed inside the
* certificate chains, see \c mbedtls_ssl_conf_cert_profile()
* for that. For example, if the peer's certificate chain is
* EE -> CA_int -> CA_root, then the allowed curves for EE are
* controlled by \c mbedtls_ssl_conf_curves() but for CA_int
* and CA_root it's \c mbedtls_ssl_conf_cert_profile().
* for that. For the end-entity certificate however, the key
* will be accepted only if it is allowed both by this list
* and by the cert profile.
*
* \note This list should be ordered by decreasing preference
* (preferred curve first).
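Review bot: The rewritten note in the second hunk (the lines starting `for that. For the end-entity certificate however, the key`) says "the key" without qualification, but a curve list can only constrain an EC key, so read literally it suggests an RSA end-entity key is also filtered by this setting. Going by the commit title, the RSA size check on the end-entity certificate presumably comes from the cert profile alone, which should be confirmed against the verification code, since that code is not in this section. I would word the note as `For the end-entity certificate however, an EC key is accepted only if its curve is allowed both by this list and by the cert profile; other key types are checked against the cert profile only.` Separately, the note added in the first hunk marks the function name with `\b` where the neighbouring notes use `\c`; `\c mbedtls_ssl_conf_sig_hashes()` would match. Both doc comments begin and end outside their hunks.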


@ -301,8 +301,8 @@ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
* security profile.
*
* \note The restrictions on keys (RSA minimum size, allowed curves
* for ECDSA) only applys to (intermediate) CAs, not to the
* end-entity certificate.
* for ECDSA) apply to all certificates: trusted root,
* intermediate CAs if any, and end entity certificate.
*
* \param crt a certificate to be verified
* \param trust_ca the trusted CA chain