cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-11-03 20:22:59 -05:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4671 from mpg/x509-crt-profile-public

Browse Source 
Make the fields of mbedtls_x509_crt_profile public
This commit is contained in:
Dave Rodgman 2021-06-23 16:06:12 +01:00 committed by GitHub
commit cb17fc34cf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 41 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
include/mbedtls/x509_crt.h
View File

@ -156,13 +156,33 @@ mbedtls_x509_subject_alternative_name;
* Security profile for certificate verification.
*
* All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG().
*
* The fields of this structure are part of the public API and can be
* manipulated directly by applications. Future versions of the library may
* add extra fields or reorder existing fields.
*
* You can create custom profiles by starting from a copy of
* an existing profile, such as mbedtls_x509_crt_profile_default or
* mbedtls_x509_ctr_profile_none and then tune it to your needs.
*
* For example to allow SHA-224 in addition to the default:
*
* mbedtls_x509_crt_profile my_profile = mbedtls_x509_crt_profile_default;
* my_profile.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 );
*
* Or to allow only RSA-3072+ with SHA-256:
*
* mbedtls_x509_crt_profile my_profile = mbedtls_x509_crt_profile_none;
* my_profile.allowed_mds = MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 );
* my_profile.allowed_pks = MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_RSA );
* my_profile.rsa_min_bitlen = 3072;
*/
typedef struct mbedtls_x509_crt_profile
{
uint32_t MBEDTLS_PRIVATE(allowed_mds); /**< MDs for signatures */
uint32_t MBEDTLS_PRIVATE(allowed_pks); /**< PK algs for signatures */
uint32_t MBEDTLS_PRIVATE(allowed_curves); /**< Elliptic curves for ECDSA */
uint32_t MBEDTLS_PRIVATE(rsa_min_bitlen); /**< Minimum size for RSA keys */
uint32_t allowed_mds; /**< MDs for signatures */
uint32_t allowed_pks; /**< PK algs for signatures */
uint32_t allowed_curves; /**< Elliptic curves for ECDSA */
uint32_t rsa_min_bitlen; /**< Minimum size for RSA keys */
}
mbedtls_x509_crt_profile;
@ -356,6 +376,12 @@ extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next;
*/
extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb;
/**
* Empty profile that allows nothing. Useful as a basis for constructing
* custom profiles.
*/
extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_none;
/**
* \brief Parse a single DER formatted certificate and add it
* to the end of the provided chained list.

11
library/x509_crt.c
View File

@ -166,6 +166,17 @@ const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb =
0,
};
/*
* Empty / all-forbidden profile
*/
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_none =
{
0,
0,
0,
(uint32_t) -1,
};
/*
* Check md_alg against profile
* Return 0 if md_alg is acceptable for this profile, -1 otherwise