Profile changes on mbedtls_x509_crt_profile_default #291

Closed
Taowyoo opened this issue Jun 29, 2023 · 1 comment

Taowyoo commented Jun 29, 2023

In mbedtls 3.X, they changed the mbedtls_x509_crt_profile_default.
From https://github.com/Mbed-TLS/mbedtls/blob/981743de6fcdbe672e482b6fd724d31d0a0d2476/library/x509_crt.c#L89-L101 :

/* Default profile. Do not remove items unless there are serious security
 * concerns. */
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
{
    /* Only SHA-2 hashes */
    MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA224) |
    MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) |
    MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) |
    MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
    0xFFFFFFF, /* Any PK alg    */
    0xFFFFFFF, /* Any curve     */
    2048,
};

to https://github.com/Mbed-TLS/mbedtls/blob/1873d3bfc2da771672bd8e7e8f41f57e0af77f33/library/x509_crt.c#L96-L118 :

/* Default profile. Do not remove items unless there are serious security
 * concerns. */
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
{
    /* Hashes from SHA-256 and above. Note that this selection
     * should be aligned with ssl_preset_default_hashes in ssl_tls.c. */
    MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) |
    MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) |
    MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
    0xFFFFFFF, /* Any PK alg    */
#if defined(MBEDTLS_ECP_C)
    /* Curves at or above 128-bit security level. Note that this selection
     * should be aligned with ssl_preset_default_curves in ssl_tls.c. */
    MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256R1) |
    MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP384R1) |
    MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP521R1) |
    MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP256R1) |
    MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP384R1) |
    MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP512R1) |
    0,
#else
    0,
#endif
    2048,
};

In summary:

  • MD method MBEDTLS_MD_SHA224 is no longer supported
  • Only the following curves are allowed now:
    • MBEDTLS_ECP_DP_SECP256R1
    • MBEDTLS_ECP_DP_SECP384R1
    • MBEDTLS_ECP_DP_SECP521R1
    • MBEDTLS_ECP_DP_BP256R1
    • MBEDTLS_ECP_DP_BP384R1
    • MBEDTLS_ECP_DP_BP512R1

We need to determine if we should use the old profile or follow the new profile.
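
Added example, not part of the original issue and not Mbed TLS code: a stand-alone C model of the two default profiles quoted above that reports which certificates in an inventory pass the old default but fail the new one. The numeric ids, type names, helper functions and sample certificates are constructed stand-ins; only the allowed hash and curve sets and the 2048-bit RSA minimum come from the quoted profiles.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in ids: illustrative numbering, not Mbed TLS's enum values. */
enum md { MD_SHA224 = 1, MD_SHA256, MD_SHA384, MD_SHA512 };
enum curve { C_SECP192R1 = 1, C_SECP224R1, C_SECP256R1, C_SECP384R1, C_SECP521R1,
             C_BP256R1, C_BP384R1, C_BP512R1, C_SECP256K1 };
#define ID_FLAG(id) (1u << ((id) - 1))  /* one bit per id, as in the quoted profiles */
#define BAD_MD  1u
#define BAD_KEY 2u
struct profile { uint32_t allowed_mds, allowed_pks, allowed_curves, rsa_min_bitlen; };
/* Signature hash and key of one certificate: curve != 0 means EC, else RSA. */
struct cert { const char *name; enum md md; int curve; unsigned rsa_bits; };

/* The two defaults quoted in the issue, rebuilt with the stand-in ids. */
static const struct profile profile_old = {
    ID_FLAG(MD_SHA224) | ID_FLAG(MD_SHA256) | ID_FLAG(MD_SHA384) | ID_FLAG(MD_SHA512),
    0xFFFFFFF, 0xFFFFFFF, 2048 };
static const struct profile profile_new = {
    ID_FLAG(MD_SHA256) | ID_FLAG(MD_SHA384) | ID_FLAG(MD_SHA512), 0xFFFFFFF,
    ID_FLAG(C_SECP256R1) | ID_FLAG(C_SECP384R1) | ID_FLAG(C_SECP521R1) |
    ID_FLAG(C_BP256R1) | ID_FLAG(C_BP384R1) | ID_FLAG(C_BP512R1), 2048 };

/* Returns 0 when the certificate passes the profile, otherwise BAD_* bits. */
static unsigned check(const struct profile *p, const struct cert *c) {
    unsigned bad = 0;
    if (!(p->allowed_mds & ID_FLAG(c->md))) bad |= BAD_MD;
    if (c->curve ? !(p->allowed_curves & ID_FLAG(c->curve))
                 : c->rsa_bits < p->rsa_min_bitlen) bad |= BAD_KEY;
    return bad;
}

/* Counts certificates accepted by the old default but rejected by the new one. */
static int count_regressions(const struct cert *certs, int n) {
    int hits = 0;
    for (int i = 0; i < n; i++) {
        unsigned now = check(&profile_new, &certs[i]);
        if (check(&profile_old, &certs[i]) != 0 || now == 0) continue;
        printf("%s: newly rejected (%s%s)\n", certs[i].name,
               (now & BAD_MD) ? "hash " : "", (now & BAD_KEY) ? "key" : "");
        hits++;
    }
    return hits;
}

/* Constructed sample inventory. */
static const struct cert sample[] = {
    { "rsa2048-sha256", MD_SHA256, 0, 2048 }, { "rsa2048-sha224", MD_SHA224, 0, 2048 },
    { "p224-sha256", MD_SHA256, C_SECP224R1, 0 }, { "p384-sha384", MD_SHA384, C_SECP384R1, 0 },
    { "rsa1024-sha256", MD_SHA256, 0, 1024 } };
int main(void) { return count_regressions(sample, 5) == 2 ? 0 : 1; }
```

The 1024-bit RSA entry is not counted because both defaults already reject it; only the SHA-224 signature and the secp224r1 key change outcome between the two profiles.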

Taowyoo commented Feb 9, 2024

See #320

Taowyoo closed this as not planned Feb 9, 2024