diff --git a/ChangeLog.d/doc-x509-profile-pk.txt b/ChangeLog.d/doc-x509-profile-pk.txt new file mode 100644 index 000000000..35625fe12 --- /dev/null +++ b/ChangeLog.d/doc-x509-profile-pk.txt @@ -0,0 +1,5 @@ +Bugfix + * Fix incorrect documentation of mbedtls_x509_crt_profile. The previous + documentation stated that the `allowed_pks` field applies to signatures + only, but in fact it does apply to the public key type of the end entity + certificate, too. Fixes #1992. diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 51883dc86..51ce25713 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -190,7 +190,9 @@ mbedtls_x509_subject_alternative_name; typedef struct mbedtls_x509_crt_profile { uint32_t allowed_mds; /**< MDs for signatures */ - uint32_t allowed_pks; /**< PK algs for signatures */ + uint32_t allowed_pks; /**< PK algs for public keys; + * this applies to all certificates + * in the provided chain. */ uint32_t allowed_curves; /**< Elliptic curves for ECDSA */ uint32_t rsa_min_bitlen; /**< Minimum size for RSA keys */ }