mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-23 02:35:38 +01:00
Add prototype for CRT verification with static and dynamic CA list
So far, there were the following CRT verification functions: - `mbedtls_x509_crt_verify()` -- no profile, no restartable ECC - `mbedtls_x509_crt_verify_with_profile()` -- profile, no restartable ECC - `mbedtls_x509_crt_verify_restartable()` -- profile, restartable ECC all publicly declared and offering increasing functionality. On the implementation-side, - `mbedtls_x509_crt_verify()` resolves to a call to `mbedtls_x509_crt_verify_with_profile()` setting the profile to `NULL`, and - `mbedtls_x509_crt_verify_with_profile()` resolves to a call to ``mbedtls_x509_crt_verify_restartable()` setting the ECC restart context to NULL. This commit adds two more functions to this zoo: - `mbedtls_x509_crt_verify_with_cb()` - `x509_crt_verify_restartable_cb()` Here, `mbedtls_x509_crt_verify_with_cb()` is similar to `mbedtls_x509_crt_verify_with_profile()` but uses a CA callback instead of a static CA list, and no restart context. `x509_crt_verify_restartable_cb()` is similar to `mbedtls_x509_crt_verify_restartable()` but allows to either use a static list of trusted CAs _or_ a trusted CA callback. On the implementation-side, - the body of `mbedtls_x509_crt_verify_restartable()` is moved to `x509_crt_verify_restartable_cb()`, and the new version of `mbedtls_x509_crt_verify_restartable()` just resolves to `x509_crt_verify_restartable_cb()` with the trusted CA callback set to NULL. - The new function `mbedtls_x509_crt_verify_with_cb()` forward to `x509_crt_verify_restartable_cb()` with the restart context set to `NULL`. There's no change to the implementation yet, and in particular, `mbedtls_x509_crt_verify_with_cb()` isn't yet usable.
This commit is contained in:
parent
afd0b0a1a7
commit
3116fb362c
@ -2309,6 +2309,8 @@ static int x509_crt_verify_chain(
|
||||
mbedtls_x509_crt *crt,
|
||||
mbedtls_x509_crt *trust_ca,
|
||||
mbedtls_x509_crl *ca_crl,
|
||||
mbedtls_x509_crt_ca_cb_t f_ca_cb,
|
||||
void *p_ca_cb,
|
||||
const mbedtls_x509_crt_profile *profile,
|
||||
mbedtls_x509_crt_verify_chain *ver_chain,
|
||||
mbedtls_x509_crt_restart_ctx *rs_ctx )
|
||||
@ -2539,36 +2541,6 @@ static int x509_crt_merge_flags_with_cb(
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* Verify the certificate validity (default profile, not restartable)
|
||||
*/
|
||||
int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
|
||||
mbedtls_x509_crt *trust_ca,
|
||||
mbedtls_x509_crl *ca_crl,
|
||||
const char *cn, uint32_t *flags,
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||
void *p_vrfy )
|
||||
{
|
||||
return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl,
|
||||
&mbedtls_x509_crt_profile_default, cn, flags,
|
||||
f_vrfy, p_vrfy, NULL ) );
|
||||
}
|
||||
|
||||
/*
|
||||
* Verify the certificate validity (user-chosen profile, not restartable)
|
||||
*/
|
||||
int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
|
||||
mbedtls_x509_crt *trust_ca,
|
||||
mbedtls_x509_crl *ca_crl,
|
||||
const mbedtls_x509_crt_profile *profile,
|
||||
const char *cn, uint32_t *flags,
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||
void *p_vrfy )
|
||||
{
|
||||
return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl,
|
||||
profile, cn, flags, f_vrfy, p_vrfy, NULL ) );
|
||||
}
|
||||
|
||||
/*
|
||||
* Verify the certificate validity, with profile, restartable version
|
||||
*
|
||||
@ -2578,10 +2550,19 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
|
||||
* as that isn't done as part of chain building/verification currently
|
||||
* - builds and verifies the chain
|
||||
* - then calls the callback and merges the flags
|
||||
*
|
||||
* The parameters pairs `trust_ca`, `ca_crl` and `f_ca_cb`, `p_ca_cb`
|
||||
* are mutually exclusive: If `f_ca_cb != NULL`, it will be used by the
|
||||
* verification routine to search for trusted signers, and CRLs will
|
||||
* be disabled. Otherwise, `trust_ca` will be used as the static list
|
||||
* of trusted signers, and `ca_crl` will be use as the static list
|
||||
* of CRLs.
|
||||
*/
|
||||
int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
|
||||
static int mbedtls_x509_crt_verify_restartable_cb( mbedtls_x509_crt *crt,
|
||||
mbedtls_x509_crt *trust_ca,
|
||||
mbedtls_x509_crl *ca_crl,
|
||||
mbedtls_x509_crt_ca_cb_t f_ca_cb,
|
||||
void *p_ca_cb,
|
||||
const mbedtls_x509_crt_profile *profile,
|
||||
const char *cn, uint32_t *flags,
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||
@ -2617,7 +2598,8 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
|
||||
ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
|
||||
|
||||
/* Check the chain */
|
||||
ret = x509_crt_verify_chain( crt, trust_ca, ca_crl, profile,
|
||||
ret = x509_crt_verify_chain( crt, trust_ca, ca_crl,
|
||||
f_ca_cb, p_ca_cb, profile,
|
||||
&ver_chain, rs_ctx );
|
||||
|
||||
if( ret != 0 )
|
||||
@ -2653,6 +2635,77 @@ exit:
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Verify the certificate validity (default profile, not restartable)
|
||||
*/
|
||||
int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
|
||||
mbedtls_x509_crt *trust_ca,
|
||||
mbedtls_x509_crl *ca_crl,
|
||||
const char *cn, uint32_t *flags,
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||
void *p_vrfy )
|
||||
{
|
||||
return( mbedtls_x509_crt_verify_restartable_cb( crt, trust_ca, ca_crl,
|
||||
NULL, NULL,
|
||||
&mbedtls_x509_crt_profile_default,
|
||||
cn, flags,
|
||||
f_vrfy, p_vrfy, NULL ) );
|
||||
}
|
||||
|
||||
/*
|
||||
* Verify the certificate validity (user-chosen profile, not restartable)
|
||||
*/
|
||||
int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
|
||||
mbedtls_x509_crt *trust_ca,
|
||||
mbedtls_x509_crl *ca_crl,
|
||||
const mbedtls_x509_crt_profile *profile,
|
||||
const char *cn, uint32_t *flags,
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||
void *p_vrfy )
|
||||
{
|
||||
return( mbedtls_x509_crt_verify_restartable_cb( crt, trust_ca, ca_crl,
|
||||
NULL, NULL,
|
||||
profile, cn, flags,
|
||||
f_vrfy, p_vrfy, NULL ) );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
|
||||
/*
|
||||
* Verify the certificate validity (user-chosen profile, CA callback,
|
||||
* not restartable).
|
||||
*/
|
||||
int mbedtls_x509_crt_verify_with_cb( mbedtls_x509_crt *crt,
|
||||
mbedtls_x509_crt_ca_cb_t f_ca_cb,
|
||||
void *p_ca_cb,
|
||||
const mbedtls_x509_crt_profile *profile,
|
||||
const char *cn, uint32_t *flags,
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||
void *p_vrfy )
|
||||
{
|
||||
return( mbedtls_x509_crt_verify_restartable_cb( crt, NULL, NULL,
|
||||
f_ca_cb, p_ca_cb,
|
||||
profile, cn, flags,
|
||||
f_vrfy, p_vrfy, NULL ) );
|
||||
}
|
||||
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
|
||||
|
||||
int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
|
||||
mbedtls_x509_crt *trust_ca,
|
||||
mbedtls_x509_crl *ca_crl,
|
||||
const mbedtls_x509_crt_profile *profile,
|
||||
const char *cn, uint32_t *flags,
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||
void *p_vrfy,
|
||||
mbedtls_x509_crt_restart_ctx *rs_ctx )
|
||||
{
|
||||
return( mbedtls_x509_crt_verify_restartable_cb( crt, trust_ca, ca_crl,
|
||||
NULL, NULL,
|
||||
profile, cn, flags,
|
||||
f_vrfy, p_vrfy, rs_ctx ) );
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Initialize a certificate chain
|
||||
*/
|
||||
|
Loading…
Reference in New Issue
Block a user