Document more precisely what goes into the default profile

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-11-22 22:35:43 +01:00 · 2021-06-07 21:24:26 +02:00 · 2021-06-07 21:24:26 +02:00 · 0ecd719edf
commit 0ecd719edf
parent 62da8ac37a
2 changed files with 12 additions and 4 deletions
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@ -263,12 +263,21 @@ typedef void mbedtls_x509_crt_restart_ctx;
 /**
 * Default security profile. Should provide a good balance between security
 * and compatibility with current deployments.
+ *
+ * This profile permits:
+ * - SHA2 hashes.
+ * - All supported elliptic curves.
+ * - RSA with 2048 bits and above.
+ *
+ * New minor versions of Mbed TLS may extend this profile, for example if
+ * new curves are added to the library. New minor versions of Mbed TLS will
+ * not reduce this profile unless serious security concerns require it.
 */
 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default;

 /**
 * Expected next default profile. Recommended for new deployments.
- * Currently targets a 128-bit security level, except for RSA-2048.
+ * Currently targets a 128-bit security level, except for allowing RSA-2048.
 */
 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next;

--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@ -91,9 +91,8 @@ typedef struct {
 */
 #define X509_MAX_VERIFY_CHAIN_SIZE    ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 )

-/*
- * Default profile
- */
+/* Default profile. Do not remove items unless there are serious security
+ * concerns. */
 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
 {
 #if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES)