Add SSL configuration API for trusted CA callbacks

This commit is contained in:
Hanno Becker 2019-03-27 11:01:30 +00:00
parent 902451db8b
commit 8bf74f37dc
2 changed files with 62 additions and 0 deletions

View file

@ -2071,6 +2071,63 @@ void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
mbedtls_x509_crt *ca_chain,
mbedtls_x509_crl *ca_crl );
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
/**
* \brief Set the trusted certificate callback.
*
* This API allows to register the set of trusted certificates
* through a callback, instead of a linked list as configured
* by mbedtls_ssl_conf_ca_chain().
*
* This is useful for example in contexts where a large number
* of CAs are used, and the inefficiency of maintaining them
* in a linked list cannot be tolerated. It is also useful when
* the set of trusted CAs needs to be modified frequently.
*
* See the documentation of `mbedtls_x509_crt_ca_cb_t` for
* more information.
*
* \param conf The SSL configuration to register the callback with.
* \param f_ca_cb The trusted certificate callback to use when verifying
* certificate chains.
* \param p_ca_cb The context to be passed to \p f_ca_cb (for example,
* a reference to a trusted CA database).
*
* \note This API is incompatible with mbedtls_ssl_conf_ca_chain():
* Any call to this function overwrites the values set through
* earlier calls to mbedtls_ssl_conf_ca_chain() or
* mbedtls_ssl_conf_ca_cb().
*
* \note This API is incompatible with CA indication in
* CertificateRequest messages: A server-side SSL context which
* is bound to an SSL configuration that uses a CA callback
* configured via mbedtls_ssl_conf_ca_cb(), and which requires
* client authentication, will send an empty CA list in the
* corresponding CertificateRequest message.
*
* \note This API is incompatible with mbedtls_ssl_set_hs_ca_chain():
* If an SSL context is bound to an SSL configuration which uses
* CA callbacks configured via mbedtls_ssl_conf_ca_cb(), then
* calls to mbedtls_ssl_set_hs_ca_chain() have no effect.
*
* \note The use of this API disables the use of restartable ECC
* during X.509 CRT signature verification (but doesn't affect
* other uses).
*
* \warning This API is incompatible with the use of CRLs. Any call to
* mbedtls_ssl_conf_ca_cb() unsets CRLs configured through
* earlier calls to mbedtls_ssl_conf_ca_chain().
*
* \warning In multi-threaded environments, the callback \p f_ca_cb
* must be thread-safe, and it is the user's responsibility
* to guaranteee this (for example through a mutex
* contained in the callback context pointed to by \p p_ca_cb).
*/
void mbedtls_ssl_conf_ca_cb( mbedtls_ssl_config *conf,
mbedtls_x509_crt_ca_cb_t f_ca_cb,
void *p_ca_cb );
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
/**
* \brief Set own certificate chain and private key
*

View file

@ -2818,6 +2818,11 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
if( ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED )
{
/* NOTE: If trusted certificates are provisioned
* via a CA callback (configured through
* `mbedtls_ssl_conf_ca_cb()`, then the
* CertificateRequest is currently left empty. */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ssl->handshake->sni_ca_chain != NULL )
crt = ssl->handshake->sni_ca_chain;