Add pre-defined profiles for cert verification

This commit is contained in:
Manuel Pégourié-Gonnard 2015-06-15 14:34:59 +02:00
parent 9505164ef4
commit 88db5da117
4 changed files with 144 additions and 5 deletions

View file

@ -94,8 +94,8 @@ typedef struct mbedtls_x509_crt
}
mbedtls_x509_crt;
/*
* Security profile for certificate verification
/**
* Security profile for certificate verification.
*
* All lists are terminated by the respective _NONE value.
*/
@ -103,8 +103,9 @@ typedef struct
{
const mbedtls_md_type_t *allowed_mds; /**< MDs for signatures */
const mbedtls_pk_type_t *allowed_pks; /**< PK algs for signatures */
size_t rsa_min_bitlen; /**< Minimum size for RSA keys */
const mbedtls_ecp_group *allowed_curves;/**< Elliptic curves for ECDSA */
const mbedtls_ecp_group_id *allowed_curves; /**< Elliptic curves */
size_t rsa_min_bitlen; /**< Minimum size for RSA keys
(must be non-zero) */
}
mbedtls_x509_crt_profile;
@ -134,6 +135,23 @@ typedef struct mbedtls_x509write_cert
mbedtls_x509write_cert;
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/**
* Default security profile. Should provide a good balance between security
* and compatibility with current deployments.
*/
extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default;
/**
* Expected next default profile. Recommended for new deployments.
* Currently targets a 128-bit security level, except for RSA-2048.
*/
extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next;
/**
* NSA Suite B profile.
*/
extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb;
/**
* \brief Parse a single DER formatted certificate and add it
* to the chained list.

View file

@ -124,6 +124,8 @@ typedef enum
*
* Curves are listed in order: largest curves first, and for a given size,
* fastest curves first. This provides the default order for the SSL module.
*
* Reminder: update profiles in x509_crt.c when adding a new curves!
*/
static const mbedtls_ecp_curve_info ecp_supported_curves[] =
{

View file

@ -54,6 +54,9 @@ static void mbedtls_zeroize( void *v, size_t n ) {
volatile unsigned char *p = v; while( n-- ) *p++ = 0;
}
/*
* Reminder: update profiles in x509_crt.c when adding a new hash!
*/
static const int supported_digests[] = {
#if defined(MBEDTLS_SHA512_C)

View file

@ -81,6 +81,122 @@ static void mbedtls_zeroize( void *v, size_t n ) {
volatile unsigned char *p = v; while( n-- ) *p++ = 0;
}
/*
* Default profile
*/
static const mbedtls_md_type_t x509_prof_default_mds[] =
{
MBEDTLS_MD_SHA1,
MBEDTLS_MD_RIPEMD160,
MBEDTLS_MD_SHA224,
MBEDTLS_MD_SHA256,
MBEDTLS_MD_SHA384,
MBEDTLS_MD_SHA512,
MBEDTLS_MD_NONE
};
static const mbedtls_pk_type_t x509_prof_default_pks[] =
{
MBEDTLS_PK_RSA,
MBEDTLS_PK_ECDSA,
MBEDTLS_PK_NONE
};
#if defined(MBEDTLS_ECP_C)
static const mbedtls_ecp_group_id x509_prof_default_curves[] =
{
MBEDTLS_ECP_DP_SECP192R1,
MBEDTLS_ECP_DP_SECP224R1,
MBEDTLS_ECP_DP_SECP256R1,
MBEDTLS_ECP_DP_SECP384R1,
MBEDTLS_ECP_DP_SECP521R1,
MBEDTLS_ECP_DP_BP256R1,
MBEDTLS_ECP_DP_BP384R1,
MBEDTLS_ECP_DP_BP512R1,
MBEDTLS_ECP_DP_SECP192K1,
MBEDTLS_ECP_DP_SECP224K1,
MBEDTLS_ECP_DP_SECP256K1,
};
#else
static const mbedtls_ecp_group_id *x509_prof_default_curves = NULL;
#endif
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
{
x509_prof_default_mds,
x509_prof_default_pks,
x509_prof_default_curves,
2048,
};
/*
* Next-default profile
*/
static const mbedtls_md_type_t x509_prof_next_mds[] =
{
MBEDTLS_MD_SHA256,
MBEDTLS_MD_SHA384,
MBEDTLS_MD_SHA512,
MBEDTLS_MD_NONE
};
#if defined(MBEDTLS_ECP_C)
static const mbedtls_ecp_group_id x509_prof_next_curves[] =
{
MBEDTLS_ECP_DP_SECP256R1,
MBEDTLS_ECP_DP_SECP384R1,
MBEDTLS_ECP_DP_SECP521R1,
MBEDTLS_ECP_DP_BP256R1,
MBEDTLS_ECP_DP_BP384R1,
MBEDTLS_ECP_DP_BP512R1,
MBEDTLS_ECP_DP_SECP256K1,
};
#else
static const mbedtls_ecp_group_id *x509_prof_next_curves = NULL;
#endif
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next =
{
x509_prof_next_mds,
x509_prof_default_pks,
x509_prof_next_curves,
2048,
};
/*
* NSA Suite B Profile
*/
static const mbedtls_md_type_t x509_prof_suiteb_mds[] =
{
MBEDTLS_MD_SHA256,
MBEDTLS_MD_SHA384,
MBEDTLS_MD_NONE
};
static const mbedtls_pk_type_t x509_prof_suiteb_pks[] =
{
MBEDTLS_PK_ECDSA,
MBEDTLS_PK_NONE
};
#if defined(MBEDTLS_ECP_C)
static const mbedtls_ecp_group_id x509_prof_suiteb_curves[] =
{
MBEDTLS_ECP_DP_SECP256R1,
MBEDTLS_ECP_DP_SECP384R1,
};
#else
static const mbedtls_ecp_group_id *x509_prof_suiteb_curves = NULL;
#endif
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb =
{
x509_prof_suiteb_mds,
x509_prof_suiteb_pks,
x509_prof_suiteb_curves,
2048,
};
/*
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
*/
@ -1995,7 +2111,7 @@ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
void *p_vrfy )
{
return( mbedtls_x509_crt_verify_with_profile( crt, trust_ca, ca_crl,
NULL /* WIP */, cn, flags, f_vrfy, p_vrfy ) );
&mbedtls_x509_crt_profile_default, cn, flags, f_vrfy, p_vrfy ) );
}