commit 9505164ef4d70806b836cbb889c9cc190fd35ada
author Manuel Pégourié-Gonnard <mpg@elzevir.fr> Mon Jun 15 10:39:46 2015 +0200
committer Manuel Pégourié-Gonnard <mpg@elzevir.fr> Wed Jun 17 14:27:38 2015 +0200
tree d31f110689bc6c360405bc17f86f3e356085874d
parent bc7bbbc85a3ae244ae2994591150df73777fb00a

Create cert profile API (unimplemented yet)

include/mbedtls/x509_crt.h

diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 8aabfde..7acee57 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -94,6 +94,20 @@
 }
 mbedtls_x509_crt;
 
+/*
+ * Security profile for certificate verification
+ *
+ * All lists are terminated by the respective _NONE value.
+ */
+typedef struct
+{
+    const mbedtls_md_type_t *allowed_mds;   /**< MDs for signatures         */
+    const mbedtls_pk_type_t *allowed_pks;   /**< PK algs for signatures     */
+    size_t rsa_min_bitlen;                  /**< Minimum size for RSA keys  */
+    const mbedtls_ecp_group *allowed_curves;/**< Elliptic curves for ECDSA  */
+}
+mbedtls_x509_crt_profile;
+
 #define MBEDTLS_X509_CRT_VERSION_1              0
 #define MBEDTLS_X509_CRT_VERSION_2              1
 #define MBEDTLS_X509_CRT_VERSION_3              2
@@ -232,6 +246,9 @@
  * \note           In case verification failed, the results can be displayed
  *                 using \c mbedtls_x509_crt_verify_info()
  *
+ * \note           Same as \c mbedtls_x509_crt_verify_with_profile() with the
+ *                 default security profile.
+ *
  * \param crt      a certificate to be verified
  * \param trust_ca the trusted CA chain
  * \param ca_crl   the CRL chain for trusted CA's
@@ -255,6 +272,37 @@
                      int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
                      void *p_vrfy );
 
+/**
+ * \brief          Verify the certificate signature according to profile
+ *
+ * \note           Same as \c mbedtls_x509_crt_verify(), but with explicit
+ *                 security profile.
+ *
+ * \param crt      a certificate to be verified
+ * \param trust_ca the trusted CA chain
+ * \param ca_crl   the CRL chain for trusted CA's
+ * \param profile  security profile for verification
+ * \param cn       expected Common Name (can be set to
+ *                 NULL if the CN must not be verified)
+ * \param flags    result of the verification
+ * \param f_vrfy   verification function
+ * \param p_vrfy   verification parameter
+ *
+ * \return         0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
+ *                 in which case *flags will have one or more
+ *                 MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags
+ *                 set,
+ *                 or another error in case of a fatal error encountered
+ *                 during the verification process.
+ */
+int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
+                     mbedtls_x509_crt *trust_ca,
+                     mbedtls_x509_crl *ca_crl,
+                     const mbedtls_x509_crt_profile *profile,
+                     const char *cn, uint32_t *flags,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy );
+
 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
 /**
  * \brief          Check usage of certificate against keyUsage extension.