Create cert profile API (unimplemented yet)
diff --git a/library/x509_crt.c b/library/x509_crt.c
index a26715a..e3d7cc7 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1401,6 +1401,12 @@
{ MBEDTLS_X509_BADCERT_KEY_USAGE, "Usage does not match the keyUsage extension" },
{ MBEDTLS_X509_BADCERT_EXT_KEY_USAGE, "Usage does not match the extendedKeyUsage extension" },
{ MBEDTLS_X509_BADCERT_NS_CERT_TYPE, "Usage does not match the nsCertType extension" },
+ { MBEDTLS_X509_BADCERT_BAD_MD, "The certificate is signed with an unacceptable hash." },
+ { MBEDTLS_X509_BADCERT_BAD_PK, "The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA)." },
+ { MBEDTLS_X509_BADCERT_BAD_KEY, "The certificate is signed with an unacceptable key (eg bad curve, RSA too short)." },
+ { MBEDTLS_X509_BADCRL_BAD_MD, "The CRL is signed with an unacceptable hash." },
+ { MBEDTLS_X509_BADCRL_BAD_PK, "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA)." },
+ { MBEDTLS_X509_BADCRL_BAD_KEY, "The CRL is signed with an unacceptable key (eg bad curve, RSA too short)." },
{ 0, NULL }
};
@@ -1502,7 +1508,8 @@
* Check that the given certificate is valid according to the CRL.
*/
static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
- mbedtls_x509_crl *crl_list)
+ mbedtls_x509_crl *crl_list,
+ const mbedtls_x509_crt_profile *profile )
{
int flags = 0;
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
@@ -1554,6 +1561,8 @@
mbedtls_md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash );
+ (void) profile; /* WIP:TODO: check profile */
+
if( mbedtls_pk_verify_ext( crl_list->sig_pk, crl_list->sig_opts, &ca->pk,
crl_list->sig_md, hash, mbedtls_md_get_size( md_info ),
crl_list->sig.p, crl_list->sig.len ) != 0 )
@@ -1764,7 +1773,9 @@
static int x509_crt_verify_top(
mbedtls_x509_crt *child, mbedtls_x509_crt *trust_ca,
- mbedtls_x509_crl *ca_crl, int path_cnt, uint32_t *flags,
+ mbedtls_x509_crl *ca_crl,
+ const mbedtls_x509_crt_profile *profile,
+ int path_cnt, uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy )
{
@@ -1796,6 +1807,8 @@
else
mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash );
+ (void) profile; /* WIP:TODO: check profile */
+
for( /* trust_ca */ ; trust_ca != NULL; trust_ca = trust_ca->next )
{
if( x509_crt_check_parent( child, trust_ca, 1, path_cnt == 0 ) != 0 )
@@ -1846,7 +1859,7 @@
{
#if defined(MBEDTLS_X509_CRL_PARSE_C)
/* Check trusted CA's CRL for the chain's top crt */
- *flags |= x509_crt_verifycrl( child, trust_ca, ca_crl );
+ *flags |= x509_crt_verifycrl( child, trust_ca, ca_crl, profile );
#else
((void) ca_crl);
#endif
@@ -1880,8 +1893,10 @@
}
static int x509_crt_verify_child(
- mbedtls_x509_crt *child, mbedtls_x509_crt *parent, mbedtls_x509_crt *trust_ca,
- mbedtls_x509_crl *ca_crl, int path_cnt, uint32_t *flags,
+ mbedtls_x509_crt *child, mbedtls_x509_crt *parent,
+ mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl,
+ const mbedtls_x509_crt_profile *profile,
+ int path_cnt, uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy )
{
@@ -1891,6 +1906,8 @@
mbedtls_x509_crt *grandparent;
const mbedtls_md_info_t *md_info;
+ (void) profile; /* WIP */
+
/* path_cnt is 0 for the first intermediate CA */
if( 1 + path_cnt > MBEDTLS_X509_MAX_INTERMEDIATE_CA )
{
@@ -1914,6 +1931,8 @@
}
else
{
+ (void) profile; /* WIP:TODO: check profile */
+
mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash );
if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent->pk,
@@ -1926,7 +1945,7 @@
#if defined(MBEDTLS_X509_CRL_PARSE_C)
/* Check trusted CA's CRL for the given crt */
- *flags |= x509_crt_verifycrl(child, parent, ca_crl);
+ *flags |= x509_crt_verifycrl(child, parent, ca_crl, profile );
#endif
/* Look for a grandparent upwards the chain */
@@ -1942,14 +1961,14 @@
/* Is our parent part of the chain or at the top? */
if( grandparent != NULL )
{
- ret = x509_crt_verify_child( parent, grandparent, trust_ca, ca_crl,
+ ret = x509_crt_verify_child( parent, grandparent, trust_ca, ca_crl, profile,
path_cnt + 1, &parent_flags, f_vrfy, p_vrfy );
if( ret != 0 )
return( ret );
}
else
{
- ret = x509_crt_verify_top( parent, trust_ca, ca_crl,
+ ret = x509_crt_verify_top( parent, trust_ca, ca_crl, profile,
path_cnt + 1, &parent_flags, f_vrfy, p_vrfy );
if( ret != 0 )
return( ret );
@@ -1975,6 +1994,22 @@
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy )
{
+ return( mbedtls_x509_crt_verify_with_profile( crt, trust_ca, ca_crl,
+ NULL /* WIP */, cn, flags, f_vrfy, p_vrfy ) );
+}
+
+
+/*
+ * Verify the certificate validity, with profile
+ */
+int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
+ mbedtls_x509_crt *trust_ca,
+ mbedtls_x509_crl *ca_crl,
+ const mbedtls_x509_crt_profile *profile,
+ const char *cn, uint32_t *flags,
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+ void *p_vrfy )
+{
size_t cn_len;
int ret;
int pathlen = 0;
@@ -2044,14 +2079,14 @@
/* Are we part of the chain or at the top? */
if( parent != NULL )
{
- ret = x509_crt_verify_child( crt, parent, trust_ca, ca_crl,
+ ret = x509_crt_verify_child( crt, parent, trust_ca, ca_crl, profile,
pathlen, flags, f_vrfy, p_vrfy );
if( ret != 0 )
return( ret );
}
else
{
- ret = x509_crt_verify_top( crt, trust_ca, ca_crl,
+ ret = x509_crt_verify_top( crt, trust_ca, ca_crl, profile,
pathlen, flags, f_vrfy, p_vrfy );
if( ret != 0 )
return( ret );