Join GitHub today
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.Sign up
Add support for trusted CA callbacks #2532
This PR adds a new compile-time option
So far, users configure trusted CAs and CRLs statically through the following API:
void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf, mbedtls_x509_crt *ca_chain, mbedtls_x509_crl *ca_crl );
This has the following disadvantages:
Approach: CA callbacks
This PR suggests adding an API to allow the user to register a callback which takes a child certificate and returns a list of potential trusted signers.
typedef int (*mbedtls_x509_ca_cb_t)( void* ctx, mbedtls_x509_crt *child, mbedtls_x509_crt **candidates );
The intended semantics is that
No CRT verification checks are offloaded to the callback, and no assumptions are made on the list of certificates returned. For example, it is functionally correct to always return list of all trusted certificates, but the intended use of the callback is that it searches through an efficient presentation of the database
New X.509 API for CRT verification using CA callbacks
The callback type
int mbedtls_x509_crt_verify_with_cb( mbedtls_x509_crt *crt, mbedtls_x509_crt_ca_cb_t f_ca_cb, void *p_ca_cb, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy );
This is almost equivalent to the existing API
int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy ); int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const char *cn, uint32_t *flags, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy );
but replaces the linked list
New SSL API for handshakes using CA callbacks
The following new API allows to make use of CA callbacks in TLS handshakes:
void mbedtls_ssl_conf_ca_cb( mbedtls_ssl_config *conf, mbedtls_x509_crt_ca_cb_t f_ca_cb, void *p_ca_cb );
It should be used in place of the existing API
The new SSL API
Please see the documentation for more information.
Unfortunately the CI for both the pr-head and pr-merge jobs are failing at the same point:
The PR looks good to me overall, except that I agree with Jarno that the name of the new public function X.509 should be more explicit as there are now 2 callbacks, and in the future there might be more of them (CRL callback? OCSP callback?). As names of public APIs are long-term and can't easily be fixed after the first release, I'm going to consider this one a blocker and request the public name to be fixed before I approve the PR.
The rest of my feedback is minor and doesn't block merging or this PR. Feel free to fix some low-hanging fruits (eg typos) depending on your available time and ignore the rest for now - we can still fix it later if we really care.