From f501cb57a54b4f1fb18f087904534a2ef7cde1bf Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 11 Oct 2018 11:36:29 +0100 Subject: [PATCH 1/3] Clarify documentation of mbedtls_x509_crt_profile MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit fixes #1992: The documentation of mbedtls_x509_crt_profile previously stated that the bitfield `allowed_pks` defined which signature algorithms shall be allowed in CRT chains. In actual fact, however, the field also applies to guard the public key of the end entity certificate. This commit changes the documentation to state that `allowed_pks` applies to the public keys of all CRTs in the provided chain. Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/x509_crt.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 4cc4e13b0..c6e20cf55 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -159,7 +159,9 @@ mbedtls_x509_subject_alternative_name; typedef struct mbedtls_x509_crt_profile { uint32_t allowed_mds; /**< MDs for signatures */ - uint32_t allowed_pks; /**< PK algs for signatures */ + uint32_t allowed_pks; /**< PK algs for public keys; + * this applies to any CRT + * in the provided chain. */ uint32_t allowed_curves; /**< Elliptic curves for ECDSA */ uint32_t rsa_min_bitlen; /**< Minimum size for RSA keys */ } From c61543dc71559e5a3df42e36d8fe3a18860dddc9 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 11 Oct 2018 11:40:09 +0100 Subject: [PATCH 2/3] Adapt ChangeLog MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- ChangeLog.d/doc-x509-profile-pk.txt | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 ChangeLog.d/doc-x509-profile-pk.txt diff --git a/ChangeLog.d/doc-x509-profile-pk.txt b/ChangeLog.d/doc-x509-profile-pk.txt new file mode 100644 index 000000000..35625fe12 --- /dev/null +++ b/ChangeLog.d/doc-x509-profile-pk.txt @@ -0,0 +1,5 @@ +Bugfix + * Fix incorrect documentation of mbedtls_x509_crt_profile. The previous + documentation stated that the `allowed_pks` field applies to signatures + only, but in fact it does apply to the public key type of the end entity + certificate, too. Fixes #1992. From 2b28e4ecee62960412b255eb288f45d90130c2aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 25 Apr 2022 10:12:01 +0200 Subject: [PATCH 3/3] Clarify wording of documentation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/x509_crt.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index c6e20cf55..4435f02e8 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -160,7 +160,7 @@ typedef struct mbedtls_x509_crt_profile { uint32_t allowed_mds; /**< MDs for signatures */ uint32_t allowed_pks; /**< PK algs for public keys; - * this applies to any CRT + * this applies to all certificates * in the provided chain. */ uint32_t allowed_curves; /**< Elliptic curves for ECDSA */ uint32_t rsa_min_bitlen; /**< Minimum size for RSA keys */