From 2b9fb88281187667a848582a3f30c1607bc64991 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Thu, 11 Oct 2018 11:36:29 +0100
Subject: [PATCH 1/3] Clarify documentation of mbedtls_x509_crt_profile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This commit fixes #1992: The documentation of mbedtls_x509_crt_profile previously stated that the bitfield `allowed_pks` defined which signature algorithms shall be allowed in CRT chains. In actual fact, however, the field also applies to guard the public key of the end entity certificate. This commit changes the documentation to state that `allowed_pks` applies to the public keys of all CRTs in the provided chain.
Signed-off-by: Manuel Pégourié-Gonnard
---
 include/mbedtls/x509_crt.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 51883dc86..551c624d6 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -190,7 +190,9 @@ mbedtls_x509_subject_alternative_name;
 typedef struct mbedtls_x509_crt_profile
 {
 uint32_t allowed_mds; /**< MDs for signatures */
- uint32_t allowed_pks; /**< PK algs for signatures */
+ uint32_t allowed_pks; /**< PK algs for public keys;
+ * this applies to any CRT
+ * in the provided chain. */
 uint32_t allowed_curves; /**< Elliptic curves for ECDSA */
 uint32_t rsa_min_bitlen; /**< Minimum size for RSA keys */
 }
From 002a7b20eca0b0830b0e77c98ceaf388ee11de65 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Thu, 11 Oct 2018 11:40:09 +0100
Subject: [PATCH 2/3] Adapt ChangeLog
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Manuel Pégourié-Gonnard
---
 ChangeLog.d/doc-x509-profile-pk.txt | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 ChangeLog.d/doc-x509-profile-pk.txt
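Review bot: The new comment on `allowed_pks` in patch 1/3 describes only public keys and no longer mentions signatures, although the commit message says the field "also" guards public keys, which suggests it still restricts the signature algorithms as before; a caller building a restrictive profile from this header would then miss half of what the bitfield controls. If that reading is right, the comment should name both, e.g. `/**< PK algs for public keys and for signatures; this applies to all certificates in the provided chain. */`. The hunk of patch 3/3 carries the same wording forward, and the ChangeLog entry in patch 2/3 speaks of the end entity certificate only while the header says every certificate in the chain, so the two texts should be aligned. The typedef's closing name lies outside the hunk.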
diff --git a/ChangeLog.d/doc-x509-profile-pk.txt b/ChangeLog.d/doc-x509-profile-pk.txt
new file mode 100644
index 000000000..35625fe12
--- /dev/null
+++ b/ChangeLog.d/doc-x509-profile-pk.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * Fix incorrect documentation of mbedtls_x509_crt_profile. The previous
+ documentation stated that the `allowed_pks` field applies to signatures
+ only, but in fact it does apply to the public key type of the end entity
+ certificate, too. Fixes #1992.
From 8ba99e736ab2d3bcd8005a460c238edd285855d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Mon, 25 Apr 2022 10:12:01 +0200
Subject: [PATCH 3/3] Clarify wording of documentation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Manuel Pégourié-Gonnard
---
 include/mbedtls/x509_crt.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 551c624d6..51ce25713 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -191,7 +191,7 @@ typedef struct mbedtls_x509_crt_profile
 {
 uint32_t allowed_mds; /**< MDs for signatures */
 uint32_t allowed_pks; /**< PK algs for public keys;
- * this applies to any CRT
+ * this applies to all certificates
 * in the provided chain. */
 uint32_t allowed_curves; /**< Elliptic curves for ECDSA */
 uint32_t rsa_min_bitlen; /**< Minimum size for RSA keys */