espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-07-30 10:47:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'cert/skipping_keyelements_validation' into 'master'

Browse Source 
MbedTLS: Add config option for key elements and key element extension for SSL connection

See merge request espressif/esp-idf!12898

(cherry picked from commit 76bd33e9a4)

38d67725 mbedtls: Add config option key element and key element ext
This commit is contained in:
Mahavir Jain
2021-07-13 07:55:49 +00:00
committed by Kapil Gupta
parent 8807d8a5d8
commit dd12e9f8cd
2 changed files with 24 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
components/mbedtls/Kconfig
View File

@ -563,6 +563,22 @@ menu "mbedTLS"
Client support for RFC 5077 session tickets. See mbedTLS documentation for more details. Client support for RFC 5077 session tickets. See mbedTLS documentation for more details.
Disabling this option will save some code size. Disabling this option will save some code size.
config MBEDTLS_X509_CHECK_KEY_USAGE
bool "Enable verification of the keyUsage extension"
default y
depends on MBEDTLS_TLS_ENABLED
help
Disabling this avoids problems with mis-issued and/or misused (intermediate) CA and leaf certificates.
Depending on your PKI use, disabling this can be a security risk.
config MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
bool "Enable verification of the extendedKeyUsage extension"
default y
depends on MBEDTLS_TLS_ENABLED
help
Disabling this avoids problems with mis-issued and/or misused certificates.
Depending on your PKI use, disabling this can be a security risk.
config MBEDTLS_SERVER_SSL_SESSION_TICKETS config MBEDTLS_SERVER_SSL_SESSION_TICKETS
bool "TLS: Server Support for RFC 5077 SSL session tickets" bool "TLS: Server Support for RFC 5077 SSL session tickets"
default y default y

8
components/mbedtls/port/include/mbedtls/esp_config.h
View File

@ -1193,7 +1193,11 @@
* *
* Comment to skip keyUsage checking for both CA and leaf certificates. * Comment to skip keyUsage checking for both CA and leaf certificates.
*/ */
#ifdef CONFIG_MBEDTLS_X509_CHECK_KEY_USAGE
#define MBEDTLS_X509_CHECK_KEY_USAGE #define MBEDTLS_X509_CHECK_KEY_USAGE
#else
#undef MBEDTLS_X509_CHECK_KEY_USAGE
#endif
/** /**
* \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
@ -1206,7 +1210,11 @@
* *
* Comment to skip extendedKeyUsage checking for certificates. * Comment to skip extendedKeyUsage checking for certificates.
*/ */
#ifdef CONFIG_MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE #define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
#else
#undef MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
#endif
/** /**
* \def MBEDTLS_X509_RSASSA_PSS_SUPPORT * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT