From 4ee78f84968bbff345c8f7ce73bc97976aa1aac1 Mon Sep 17 00:00:00 2001
From: Ryan Kurte
Date: Thu, 5 Dec 2019 17:30:17 +1300
Subject: [PATCH] added KConfig option to allow loading CA certs with unsupported extensions

Close https://github.com/espressif/esp-idf/pull/4445
---
 components/mbedtls/Kconfig | 12 ++++++++++++
 .../mbedtls/port/include/mbedtls/esp_config.h | 19 +++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig
index f9dd804731..3aaa3dead6 100644
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -601,4 +601,16 @@ menu "mbedTLS"
 # end of Elliptic Curve options
+ menuconfig MBEDTLS_SECURITY_RISKS
+ bool "Show configurations with potential security risks"
+ default n
+
+ config MBEDTLS_ALLOW_UNSUPPORTED_CRITICAL_EXT
+ bool "X.509 CRT parsing with unsupported critical extensions"
+ depends on MBEDTLS_SECURITY_RISKS
+ default n
+ help
+ Allow the X.509 certificate parser to load certificates
+ with unsupported critical extensions
+
 endmenu # mbedTLS
diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h
index d971ab8db4..f702ae1d59 100644
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
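Review bot: The help text of MBEDTLS_ALLOW_UNSUPPORTED_CRITICAL_EXT says what the option permits but not why it lives under "Show configurations with potential security risks", so someone enabling it to get one awkward CA bundle loaded sees no hint of the consequence. Per the esp_config.h side of this same patch, the parser then no longer stops on a certificate carrying a critical extension it does not understand, which means whatever restriction that extension encoded (name or policy constraints are the usual examples) is simply not enforced; RFC 5280 §4.2 requires such certificates to be rejected, which is presumably why mbedTLS fails by default. Nothing in the hunk limits the effect to CA certificates, despite the commit subject, so I would assume it applies to every certificate the parser loads unless the mbedTLS implementation says otherwise. I would extend the help text with: `Certificates with a critical extension mbedTLS does not recognise are then accepted without that extension being enforced (RFC 5280 requires rejecting them). This applies to every certificate parsed, not only CA certificates; enable only when you control the issuing CA.`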
@@ -2214,6 +2214,25 @@
  */
 #define MBEDTLS_X509_CRT_WRITE_C
+/**
+ * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+ *
+ * Alow the X509 parser to not break-off when parsing an X509 certificate
+ * and encountering an unknown critical extension.
+ *
+ * Module: library/x509_crt.c
+ *
+ * Requires: MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This module is supports loading of certificates with extensions that
+ * may not be supported by mbedtls.
+ */
+#ifdef CONFIG_MBEDTLS_ALLOW_UNSUPPORTED_CRITICAL_EXT
+#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+#else
+#undef MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+#endif
+
 /** + * \def MBEDTLS_X509_CSR_WRITE_C *
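Review bot: The new Doxygen block for MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION has a typo and a sentence that describes an option as if it were a module: `Alow` on the fourth added line, and `This module is supports loading of certificates with extensions that` further down. I would change those two lines to ` * Allow the X509 parser to not break off when parsing an X509 certificate` and ` * This option allows loading of certificates with critical extensions that`. On the Kconfig side this option is deliberately hidden behind a "security risks" menu, but a reader of esp_config.h alone gets no such warning, so the block should carry one, e.g. ` * \warning Depending on your PKI use, enabling this can be a security risk!` (the wording upstream mbedTLS uses for this define, if I recall correctly). The `#ifdef CONFIG_... / #else #undef` shape itself looks fine and keeps the macro off unless the Kconfig symbol is set.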