eden-emu/mbedtls
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #4671 from mpg/x509-crt-profile-public

Browse source 
Make the fields of mbedtls_x509_crt_profile public
This commit is contained in:
Dave Rodgman 2021-06-23 16:06:12 +01:00 committed by GitHub
commit cb17fc34cf
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 41 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

34
include/mbedtls/x509_crt.h
View file

@ -156,13 +156,33 @@ mbedtls_x509_subject_alternative_name;
* Security profile for certificate verification. * Security profile for certificate verification.
* *
* All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG(). * All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG().
*
* The fields of this structure are part of the public API and can be
* manipulated directly by applications. Future versions of the library may
* add extra fields or reorder existing fields.
*
* You can create custom profiles by starting from a copy of
* an existing profile, such as mbedtls_x509_crt_profile_default or
* mbedtls_x509_ctr_profile_none and then tune it to your needs.
*
* For example to allow SHA-224 in addition to the default:
*
* mbedtls_x509_crt_profile my_profile = mbedtls_x509_crt_profile_default;
* my_profile.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 );
*
* Or to allow only RSA-3072+ with SHA-256:
*
* mbedtls_x509_crt_profile my_profile = mbedtls_x509_crt_profile_none;
* my_profile.allowed_mds = MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 );
* my_profile.allowed_pks = MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_RSA );
* my_profile.rsa_min_bitlen = 3072;
*/ */
typedef struct mbedtls_x509_crt_profile typedef struct mbedtls_x509_crt_profile
{ {
uint32_t MBEDTLS_PRIVATE(allowed_mds); /**< MDs for signatures */ uint32_t allowed_mds; /**< MDs for signatures */
uint32_t MBEDTLS_PRIVATE(allowed_pks); /**< PK algs for signatures */ uint32_t allowed_pks; /**< PK algs for signatures */
uint32_t MBEDTLS_PRIVATE(allowed_curves); /**< Elliptic curves for ECDSA */ uint32_t allowed_curves; /**< Elliptic curves for ECDSA */
uint32_t MBEDTLS_PRIVATE(rsa_min_bitlen); /**< Minimum size for RSA keys */ uint32_t rsa_min_bitlen; /**< Minimum size for RSA keys */
} }
mbedtls_x509_crt_profile; mbedtls_x509_crt_profile;
@ -356,6 +376,12 @@ extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next;
*/ */
extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb; extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb;
/**
* Empty profile that allows nothing. Useful as a basis for constructing
* custom profiles.
*/
extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_none;
/** /**
* \brief Parse a single DER formatted certificate and add it * \brief Parse a single DER formatted certificate and add it
* to the end of the provided chained list. * to the end of the provided chained list.

11
library/x509_crt.c
View file

@ -166,6 +166,17 @@ const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb =
0, 0,
}; };
/*
* Empty / all-forbidden profile
*/
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_none =
{
0,
0,
0,
(uint32_t) -1,
};
/* /*
* Check md_alg against profile * Check md_alg against profile
* Return 0 if md_alg is acceptable for this profile, -1 otherwise * Return 0 if md_alg is acceptable for this profile, -1 otherwise