Create cert profile API (unimplemented yet)

Manuel Pégourié-Gonnard 2015-06-15 10:39:46 +02:00
parent bc7bbbc85a
commit 9505164ef4
4 changed files with 101 additions and 11 deletions


@ -97,6 +97,13 @@
#define MBEDTLS_X509_BADCERT_KEY_USAGE 0x0800 /**< Usage does not match the keyUsage extension. */
#define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE 0x1000 /**< Usage does not match the extendedKeyUsage extension. */
#define MBEDTLS_X509_BADCERT_NS_CERT_TYPE 0x2000 /**< Usage does not match the nsCertType extension. */
#define MBEDTLS_X509_BADCERT_BAD_MD 0x4000 /**< The certificate is signed with an unacceptable hash. */
#define MBEDTLS_X509_BADCERT_BAD_PK 0x8000 /**< The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA). */
#define MBEDTLS_X509_BADCERT_BAD_KEY 0x010000 /**< The certificate is signed with an unacceptable key (eg bad curve, RSA too short). */
#define MBEDTLS_X509_BADCRL_BAD_MD 0x020000 /**< The CRL is signed with an unacceptable hash. */
#define MBEDTLS_X509_BADCRL_BAD_PK 0x040000 /**< The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA). */
#define MBEDTLS_X509_BADCRL_BAD_KEY 0x080000 /**< The CRL is signed with an unacceptable key (eg bad curve, RSA too short). */
/* \} name */
/* \} addtogroup x509_module */
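Review bot: Four of the six new flags (0x010000 through 0x080000) no longer fit in 16 bits, so any caller that keeps the verification result in a 16-bit or narrow `int` variable would silently lose the bits that report a rejected key or a rejected CRL hash, PK algorithm or key. The callback prototype elsewhere in this commit already takes `uint32_t *`, so I would state the requirement next to the definitions, e.g. `/* Flags above 0xFFFF: verification results must be held in a uint32_t. */`. It is also worth confirming that mbedtls_x509_crt_verify_info() has a message for each new bit; its table is not part of this section.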


@ -94,6 +94,20 @@ typedef struct mbedtls_x509_crt
}
mbedtls_x509_crt;
/*
* Security profile for certificate verification
*
* All lists are terminated by the respective _NONE value.
*/
typedef struct
{
const mbedtls_md_type_t *allowed_mds; /**< MDs for signatures */
const mbedtls_pk_type_t *allowed_pks; /**< PK algs for signatures */
size_t rsa_min_bitlen; /**< Minimum size for RSA keys */
const mbedtls_ecp_group *allowed_curves;/**< Elliptic curves for ECDSA */
}
mbedtls_x509_crt_profile;
#define MBEDTLS_X509_CRT_VERSION_1 0
#define MBEDTLS_X509_CRT_VERSION_2 1
#define MBEDTLS_X509_CRT_VERSION_3 2
@ -232,6 +246,9 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
* \note In case verification failed, the results can be displayed
* using \c mbedtls_x509_crt_verify_info()
*
* \note Same as \c mbedtls_x509_crt_verify_with_profile() with the
* default security profile.
*
* \param crt a certificate to be verified
* \param trust_ca the trusted CA chain
* \param ca_crl the CRL chain for trusted CA's
@ -255,6 +272,37 @@ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy );
/**
* \brief Verify the certificate signature according to profile
*
* \note Same as \c mbedtls_x509_crt_verify(), but with explicit
* security profile.
*
* \param crt a certificate to be verified
* \param trust_ca the trusted CA chain
* \param ca_crl the CRL chain for trusted CA's
* \param profile security profile for verification
* \param cn expected Common Name (can be set to
* NULL if the CN must not be verified)
* \param flags result of the verification
* \param f_vrfy verification function
* \param p_vrfy verification parameter
*
* \return 0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
* in which case *flags will have one or more
* MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags
* set,
* or another error in case of a fatal error encountered
* during the verification process.
*/
int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl,
const mbedtls_x509_crt_profile *profile,
const char *cn, uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy );
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
/**
* \brief Check usage of certificate against keyUsage extension.
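Review bot: In the new mbedtls_x509_crt_profile struct, `allowed_curves` is declared as `const mbedtls_ecp_group *`, which contradicts the comment that every list is terminated by its _NONE value: a group structure has no NONE sentinel, whereas the curve identifier enum does. I would declare it as `const mbedtls_ecp_group_id *allowed_curves; /**< Elliptic curves for ECDSA, ends with MBEDTLS_ECP_DP_NONE */` so the verifier can walk the list to a well-defined terminator instead of reading past its end. The doc comment of mbedtls_x509_crt_verify_with_profile() should also say whether `profile` may be NULL and, since the commit title marks the API as not yet implemented, that the profile is presumably not enforced yet, so callers do not rely on it to reject weak hashes or short RSA keys. The doc comment opened in the last hunk's trailing context continues outside the hunk.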