From d95ea27e8c41d2741b6c4d4b48fbfabdb37c87f0 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Thu, 3 Jul 2025 13:21:38 +0100 Subject: [PATCH 01/12] Create new enum mbedtls_pk_sigalg_t Signed-off-by: Ben Taylor --- library/ssl_tls12_client.c | 2 +- library/ssl_tls13_generic.c | 2 +- library/x509_crt.c | 4 ++-- tests/suites/test_suite_x509write.function | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 2129da122d..e2134c594b 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -2082,7 +2082,7 @@ start_processing: #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) if (pk_alg == MBEDTLS_PK_RSASSA_PSS) { - ret = mbedtls_pk_verify_new(pk_alg, peer_pk, + ret = mbedtls_pk_verify_new((mbedtls_pk_sigalg_t)pk_alg, peer_pk, md_alg, hash, hashlen, p, sig_len); } else diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 15731ca150..3ee157a8e8 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -300,7 +300,7 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len); - if ((ret = mbedtls_pk_verify_new(sig_alg, + if ((ret = mbedtls_pk_verify_new((mbedtls_pk_sigalg_t)sig_alg, &ssl->session_negotiate->peer_cert->pk, md_alg, verify_hash, verify_hash_len, p, signature_len)) == 0) { diff --git a/library/x509_crt.c b/library/x509_crt.c index 7b65b698a3..1b05e017ef 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -2061,7 +2061,7 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, flags |= MBEDTLS_X509_BADCERT_BAD_KEY; } - if (mbedtls_pk_verify_new(crl_list->sig_pk, &ca->pk, + if (mbedtls_pk_verify_new((mbedtls_pk_sigalg_t)crl_list->sig_pk, &ca->pk, crl_list->sig_md, hash, hash_length, crl_list->sig.p, crl_list->sig.len) != 0) { flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; @@ -2135,7 +2135,7 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child, (void) rs_ctx; #endif - return mbedtls_pk_verify_new(child->sig_pk, &parent->pk, + return mbedtls_pk_verify_new((mbedtls_pk_sigalg_t)child->sig_pk, &parent->pk, child->sig_md, hash, hash_len, child->sig.p, child->sig.len); } diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index c2ab27b01d..74cca8c5ae 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -40,7 +40,7 @@ static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen) goto cleanup; } - if (mbedtls_pk_verify_new(csr.sig_pk, &csr.pk, + if (mbedtls_pk_verify_new((mbedtls_pk_sigalg_t)csr.sig_pk, &csr.pk, csr.sig_md, hash, mbedtls_md_get_size_from_type(csr.sig_md), csr.sig.p, csr.sig.len) != 0) { ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED; From adf5d537b29c5594467a6871108bbc4b73ba13dc Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Fri, 4 Jul 2025 08:50:40 +0100 Subject: [PATCH 02/12] Fix code style Signed-off-by: Ben Taylor --- library/ssl_tls12_client.c | 2 +- library/ssl_tls13_generic.c | 5 +++-- library/x509_crt.c | 4 ++-- tests/suites/test_suite_x509write.function | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index e2134c594b..5488eb04ce 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -2082,7 +2082,7 @@ start_processing: #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) if (pk_alg == MBEDTLS_PK_RSASSA_PSS) { - ret = mbedtls_pk_verify_new((mbedtls_pk_sigalg_t)pk_alg, peer_pk, + ret = mbedtls_pk_verify_new((mbedtls_pk_sigalg_t) pk_alg, peer_pk, md_alg, hash, hashlen, p, sig_len); } else diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 3ee157a8e8..7e2daefa74 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -300,7 +300,7 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len); - if ((ret = mbedtls_pk_verify_new((mbedtls_pk_sigalg_t)sig_alg, + if ((ret = mbedtls_pk_verify_new((mbedtls_pk_sigalg_t) sig_alg, &ssl->session_negotiate->peer_cert->pk, md_alg, verify_hash, verify_hash_len, p, signature_len)) == 0) { @@ -1144,7 +1144,8 @@ static int ssl_tls13_prepare_finished_message(mbedtls_ssl_context *ssl) ssl->handshake->state_local.finished_out.digest, sizeof(ssl->handshake->state_local.finished_out. digest), - &ssl->handshake->state_local.finished_out.digest_len, + &ssl->handshake->state_local.finished_out. + digest_len, ssl->conf->endpoint); if (ret != 0) { diff --git a/library/x509_crt.c b/library/x509_crt.c index 1b05e017ef..c2d86176ed 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -2061,7 +2061,7 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, flags |= MBEDTLS_X509_BADCERT_BAD_KEY; } - if (mbedtls_pk_verify_new((mbedtls_pk_sigalg_t)crl_list->sig_pk, &ca->pk, + if (mbedtls_pk_verify_new((mbedtls_pk_sigalg_t) crl_list->sig_pk, &ca->pk, crl_list->sig_md, hash, hash_length, crl_list->sig.p, crl_list->sig.len) != 0) { flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; @@ -2135,7 +2135,7 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child, (void) rs_ctx; #endif - return mbedtls_pk_verify_new((mbedtls_pk_sigalg_t)child->sig_pk, &parent->pk, + return mbedtls_pk_verify_new((mbedtls_pk_sigalg_t) child->sig_pk, &parent->pk, child->sig_md, hash, hash_len, child->sig.p, child->sig.len); } diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 74cca8c5ae..087088ead9 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -40,7 +40,7 @@ static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen) goto cleanup; } - if (mbedtls_pk_verify_new((mbedtls_pk_sigalg_t)csr.sig_pk, &csr.pk, + if (mbedtls_pk_verify_new((mbedtls_pk_sigalg_t) csr.sig_pk, &csr.pk, csr.sig_md, hash, mbedtls_md_get_size_from_type(csr.sig_md), csr.sig.p, csr.sig.len) != 0) { ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED; From 500e497c059f6949acb992b1788177f6881b326d Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Mon, 7 Jul 2025 07:56:50 +0100 Subject: [PATCH 03/12] Fix code style issues Signed-off-by: Ben Taylor --- library/x509_crt.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/library/x509_crt.c b/library/x509_crt.c index c2d86176ed..ac36a0f1e7 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -1663,25 +1663,25 @@ cleanup: #if !defined(MBEDTLS_X509_REMOVE_INFO) #define PRINT_ITEM(i) \ - do { \ - ret = mbedtls_snprintf(p, n, "%s" i, sep); \ - MBEDTLS_X509_SAFE_SNPRINTF; \ - sep = ", "; \ - } while (0) + do { \ + ret = mbedtls_snprintf(p, n, "%s" i, sep); \ + MBEDTLS_X509_SAFE_SNPRINTF; \ + sep = ", "; \ + } while (0) #define CERT_TYPE(type, name) \ - do { \ - if (ns_cert_type & (type)) { \ - PRINT_ITEM(name); \ - } \ - } while (0) + do { \ + if (ns_cert_type & (type)) { \ + PRINT_ITEM(name); \ + } \ + } while (0) #define KEY_USAGE(code, name) \ - do { \ - if (key_usage & (code)) { \ - PRINT_ITEM(name); \ - } \ - } while (0) + do { \ + if (key_usage & (code)) { \ + PRINT_ITEM(name); \ + } \ + } while (0) static int x509_info_ext_key_usage(char **buf, size_t *size, const mbedtls_x509_sequence *extended_key_usage) From b2eecc621d31b066ac08e92dfaaa094483bfba3a Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Mon, 7 Jul 2025 14:18:37 +0100 Subject: [PATCH 04/12] switch to mbedtls_pk_sigalg_t Signed-off-by: Ben Taylor --- include/mbedtls/x509_crl.h | 2 +- include/mbedtls/x509_crt.h | 2 +- include/mbedtls/x509_csr.h | 2 +- library/x509.c | 10 +++++----- library/x509_create.c | 4 ++-- library/x509_crt.c | 8 ++++---- library/x509_internal.h | 6 +++--- library/x509write_crt.c | 2 +- library/x509write_csr.c | 2 +- 9 files changed, 19 insertions(+), 19 deletions(-) diff --git a/include/mbedtls/x509_crl.h b/include/mbedtls/x509_crl.h index e59d16502d..095cb5d9a5 100644 --- a/include/mbedtls/x509_crl.h +++ b/include/mbedtls/x509_crl.h @@ -82,7 +82,7 @@ typedef struct mbedtls_x509_crl { mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid2); mbedtls_x509_buf MBEDTLS_PRIVATE(sig); mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ - mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ + mbedtls_pk_sigalg_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ /** Next element in the linked list of CRL. * \p NULL indicates the end of the list. diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index a3f07892f6..bf418a6851 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -81,7 +81,7 @@ typedef struct mbedtls_x509_crt { mbedtls_x509_buf MBEDTLS_PRIVATE(sig); /**< Signature: hash of the tbs part signed with the private key. */ mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ - mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ + mbedtls_pk_sigalg_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ /** Next certificate in the linked list that constitutes the CA chain. * \p NULL indicates the end of the list. diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h index bed1c953e5..b11539440c 100644 --- a/include/mbedtls/x509_csr.h +++ b/include/mbedtls/x509_csr.h @@ -55,7 +55,7 @@ typedef struct mbedtls_x509_csr { mbedtls_x509_buf sig_oid; mbedtls_x509_buf MBEDTLS_PRIVATE(sig); mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ - mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ + mbedtls_pk_sigalg_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ } mbedtls_x509_csr; diff --git a/library/x509.c b/library/x509.c index 03ca1b72e6..14f9ba59b3 100644 --- a/library/x509.c +++ b/library/x509.c @@ -717,16 +717,16 @@ int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x5 * Get signature algorithm from alg OID and optional parameters */ int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params, - mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg) + mbedtls_md_type_t *md_alg, mbedtls_pk_sigalg_t *pk_alg) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if ((ret = mbedtls_x509_oid_get_sig_alg(sig_oid, md_alg, pk_alg)) != 0) { + if ((ret = mbedtls_x509_oid_get_sig_alg(sig_oid, md_alg, (mbedtls_pk_type_t*)pk_alg)) != 0) { return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG, ret); } #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) - if (*pk_alg == MBEDTLS_PK_RSASSA_PSS) { + if (*pk_alg == MBEDTLS_PK_SIGALG_RSA_PSS) { mbedtls_md_type_t mgf1_hash_id; int expected_salt_len; @@ -1039,7 +1039,7 @@ int mbedtls_x509_serial_gets(char *buf, size_t size, const mbedtls_x509_buf *ser * Helper for writing signature algorithms */ int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *sig_oid, - mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg) + mbedtls_pk_sigalg_t pk_alg, mbedtls_md_type_t md_alg) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; char *p = buf; @@ -1055,7 +1055,7 @@ int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *si MBEDTLS_X509_SAFE_SNPRINTF; #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) - if (pk_alg == MBEDTLS_PK_RSASSA_PSS) { + if (pk_alg == MBEDTLS_PK_SIGALG_RSA_PSS) { const char *name = md_type_to_string(md_alg); if (name != NULL) { ret = mbedtls_snprintf(p, n, " (%s)", name); diff --git a/library/x509_create.c b/library/x509_create.c index 09ac69d00b..370eb9b2e1 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -646,7 +646,7 @@ int mbedtls_x509_write_names(unsigned char **p, unsigned char *start, int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start, const char *oid, size_t oid_len, unsigned char *sig, size_t size, - mbedtls_pk_type_t pk_alg) + mbedtls_pk_sigalg_t pk_alg) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int write_null_par; @@ -672,7 +672,7 @@ int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start, // Write OID // - if (pk_alg == MBEDTLS_PK_ECDSA) { + if (pk_alg == MBEDTLS_PK_SIGALG_ECDSA) { /* * The AlgorithmIdentifier's parameters field must be absent for DSA/ECDSA signature * algorithms, see https://www.rfc-editor.org/rfc/rfc5480#page-17 and diff --git a/library/x509_crt.c b/library/x509_crt.c index ac36a0f1e7..ded1317b0e 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -188,9 +188,9 @@ static int x509_profile_check_md_alg(const mbedtls_x509_crt_profile *profile, * Return 0 if pk_alg is acceptable for this profile, -1 otherwise */ static int x509_profile_check_pk_alg(const mbedtls_x509_crt_profile *profile, - mbedtls_pk_type_t pk_alg) + mbedtls_pk_sigalg_t pk_alg) { - if (pk_alg == MBEDTLS_PK_NONE) { + if (pk_alg == MBEDTLS_PK_SIGALG_NONE) { return -1; } @@ -2121,7 +2121,7 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child, } /* Skip expensive computation on obvious mismatch */ - if (!mbedtls_pk_can_do(&parent->pk, child->sig_pk)) { + if (!mbedtls_pk_can_do(&parent->pk, (mbedtls_pk_type_t) child->sig_pk)) { return -1; } @@ -3057,7 +3057,7 @@ static int x509_crt_verify_restartable_ca_cb(mbedtls_x509_crt *crt, /* Check the type and size of the key */ pk_type = mbedtls_pk_get_type(&crt->pk); - if (x509_profile_check_pk_alg(profile, pk_type) != 0) { + if (x509_profile_check_pk_alg(profile, (mbedtls_pk_sigalg_t)pk_type) != 0) { ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK; } diff --git a/library/x509_internal.h b/library/x509_internal.h index 8160270be1..b44b957f9b 100644 --- a/library/x509_internal.h +++ b/library/x509_internal.h @@ -35,7 +35,7 @@ int mbedtls_x509_get_rsassa_pss_params(const mbedtls_x509_buf *params, #endif int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig); int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params, - mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg); + mbedtls_md_type_t *md_alg, mbedtls_pk_sigalg_t *pk_alg); int mbedtls_x509_get_time(unsigned char **p, const unsigned char *end, mbedtls_x509_time *t); int mbedtls_x509_get_serial(unsigned char **p, const unsigned char *end, @@ -44,7 +44,7 @@ int mbedtls_x509_get_ext(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *ext, int tag); #if !defined(MBEDTLS_X509_REMOVE_INFO) int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *sig_oid, - mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg); + mbedtls_pk_sigalg_t pk_alg, mbedtls_md_type_t md_alg); #endif int mbedtls_x509_key_size_helper(char *buf, size_t buf_size, const char *name); int mbedtls_x509_set_extension(mbedtls_asn1_named_data **head, const char *oid, size_t oid_len, @@ -57,7 +57,7 @@ int mbedtls_x509_write_names(unsigned char **p, unsigned char *start, int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start, const char *oid, size_t oid_len, unsigned char *sig, size_t size, - mbedtls_pk_type_t pk_alg); + mbedtls_pk_sigalg_t pk_alg); int mbedtls_x509_get_ns_cert_type(unsigned char **p, const unsigned char *end, unsigned char *ns_cert_type); diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 09c2328b1a..93cdd2c151 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -587,7 +587,7 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, c2 = buf + size; MBEDTLS_ASN1_CHK_ADD(sig_and_oid_len, mbedtls_x509_write_sig(&c2, c, sig_oid, sig_oid_len, - sig, sig_len, pk_alg)); + sig, sig_len, (mbedtls_pk_sigalg_t)pk_alg)); /* * Memory layout after this step: diff --git a/library/x509write_csr.c b/library/x509write_csr.c index 88adf794f7..9040d63ed4 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -249,7 +249,7 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx, c2 = buf + size; MBEDTLS_ASN1_CHK_ADD(sig_and_oid_len, mbedtls_x509_write_sig(&c2, buf + len, sig_oid, sig_oid_len, - sig, sig_len, pk_alg)); + sig, sig_len, (mbedtls_pk_sigalg_t)pk_alg)); /* * Compact the space between the CSR data and signature by moving the From 1c118a564dce57e63e43feee688ecd1e5ea62120 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Tue, 5 Aug 2025 10:40:08 +0100 Subject: [PATCH 05/12] reverted enum in pk_verify_new Signed-off-by: Ben Taylor --- library/ssl_tls12_client.c | 2 +- library/ssl_tls13_generic.c | 2 +- library/x509_crt.c | 4 ++-- tests/suites/test_suite_x509write.function | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 5488eb04ce..2129da122d 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -2082,7 +2082,7 @@ start_processing: #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) if (pk_alg == MBEDTLS_PK_RSASSA_PSS) { - ret = mbedtls_pk_verify_new((mbedtls_pk_sigalg_t) pk_alg, peer_pk, + ret = mbedtls_pk_verify_new(pk_alg, peer_pk, md_alg, hash, hashlen, p, sig_len); } else diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 7e2daefa74..e88c00a564 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -300,7 +300,7 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len); - if ((ret = mbedtls_pk_verify_new((mbedtls_pk_sigalg_t) sig_alg, + if ((ret = mbedtls_pk_verify_new(sig_alg, &ssl->session_negotiate->peer_cert->pk, md_alg, verify_hash, verify_hash_len, p, signature_len)) == 0) { diff --git a/library/x509_crt.c b/library/x509_crt.c index ded1317b0e..ed85d06636 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -2061,7 +2061,7 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, flags |= MBEDTLS_X509_BADCERT_BAD_KEY; } - if (mbedtls_pk_verify_new((mbedtls_pk_sigalg_t) crl_list->sig_pk, &ca->pk, + if (mbedtls_pk_verify_new((mbedtls_pk_type_t) crl_list->sig_pk, &ca->pk, crl_list->sig_md, hash, hash_length, crl_list->sig.p, crl_list->sig.len) != 0) { flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; @@ -2135,7 +2135,7 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child, (void) rs_ctx; #endif - return mbedtls_pk_verify_new((mbedtls_pk_sigalg_t) child->sig_pk, &parent->pk, + return mbedtls_pk_verify_new((mbedtls_pk_type_t) child->sig_pk, &parent->pk, child->sig_md, hash, hash_len, child->sig.p, child->sig.len); } diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 087088ead9..cb372014cd 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -40,7 +40,7 @@ static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen) goto cleanup; } - if (mbedtls_pk_verify_new((mbedtls_pk_sigalg_t) csr.sig_pk, &csr.pk, + if (mbedtls_pk_verify_new((mbedtls_pk_type_t) csr.sig_pk, &csr.pk, csr.sig_md, hash, mbedtls_md_get_size_from_type(csr.sig_md), csr.sig.p, csr.sig.len) != 0) { ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED; From 8e832b6594e9985a559cec9e2babe977f3bfaf89 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Tue, 5 Aug 2025 13:30:05 +0100 Subject: [PATCH 06/12] Add sigalg types to x509_crt.c Signed-off-by: Ben Taylor --- library/x509_crt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/x509_crt.c b/library/x509_crt.c index ed85d06636..dca46792a0 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -2126,7 +2126,7 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child, } #if defined(MBEDTLS_ECP_RESTARTABLE) - if (rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_ECDSA) { + if (rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_SIGALG_ECDSA) { return mbedtls_pk_verify_restartable(&parent->pk, child->sig_md, hash, hash_len, child->sig.p, child->sig.len, &rs_ctx->pk); From 7573321f61ff6e6b29f6b9907473406a19104919 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Tue, 5 Aug 2025 14:14:18 +0100 Subject: [PATCH 07/12] Fix style issues Signed-off-by: Ben Taylor --- library/x509.c | 2 +- library/x509_crt.c | 32 ++++++++++++++++---------------- library/x509write_crt.c | 3 ++- library/x509write_csr.c | 2 +- 4 files changed, 20 insertions(+), 19 deletions(-) diff --git a/library/x509.c b/library/x509.c index 14f9ba59b3..b8f2847437 100644 --- a/library/x509.c +++ b/library/x509.c @@ -721,7 +721,7 @@ int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509 { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if ((ret = mbedtls_x509_oid_get_sig_alg(sig_oid, md_alg, (mbedtls_pk_type_t*)pk_alg)) != 0) { + if ((ret = mbedtls_x509_oid_get_sig_alg(sig_oid, md_alg, (mbedtls_pk_type_t *) pk_alg)) != 0) { return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG, ret); } diff --git a/library/x509_crt.c b/library/x509_crt.c index dca46792a0..dde6513927 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -1663,25 +1663,25 @@ cleanup: #if !defined(MBEDTLS_X509_REMOVE_INFO) #define PRINT_ITEM(i) \ - do { \ - ret = mbedtls_snprintf(p, n, "%s" i, sep); \ - MBEDTLS_X509_SAFE_SNPRINTF; \ - sep = ", "; \ - } while (0) + do { \ + ret = mbedtls_snprintf(p, n, "%s" i, sep); \ + MBEDTLS_X509_SAFE_SNPRINTF; \ + sep = ", "; \ + } while (0) #define CERT_TYPE(type, name) \ - do { \ - if (ns_cert_type & (type)) { \ - PRINT_ITEM(name); \ - } \ - } while (0) + do { \ + if (ns_cert_type & (type)) { \ + PRINT_ITEM(name); \ + } \ + } while (0) #define KEY_USAGE(code, name) \ - do { \ - if (key_usage & (code)) { \ - PRINT_ITEM(name); \ - } \ - } while (0) + do { \ + if (key_usage & (code)) { \ + PRINT_ITEM(name); \ + } \ + } while (0) static int x509_info_ext_key_usage(char **buf, size_t *size, const mbedtls_x509_sequence *extended_key_usage) @@ -3057,7 +3057,7 @@ static int x509_crt_verify_restartable_ca_cb(mbedtls_x509_crt *crt, /* Check the type and size of the key */ pk_type = mbedtls_pk_get_type(&crt->pk); - if (x509_profile_check_pk_alg(profile, (mbedtls_pk_sigalg_t)pk_type) != 0) { + if (x509_profile_check_pk_alg(profile, (mbedtls_pk_sigalg_t) pk_type) != 0) { ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK; } diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 93cdd2c151..e1d5758f7c 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -587,7 +587,8 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, c2 = buf + size; MBEDTLS_ASN1_CHK_ADD(sig_and_oid_len, mbedtls_x509_write_sig(&c2, c, sig_oid, sig_oid_len, - sig, sig_len, (mbedtls_pk_sigalg_t)pk_alg)); + sig, sig_len, + (mbedtls_pk_sigalg_t) pk_alg)); /* * Memory layout after this step: diff --git a/library/x509write_csr.c b/library/x509write_csr.c index 9040d63ed4..5b2a17b0bc 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -249,7 +249,7 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx, c2 = buf + size; MBEDTLS_ASN1_CHK_ADD(sig_and_oid_len, mbedtls_x509_write_sig(&c2, buf + len, sig_oid, sig_oid_len, - sig, sig_len, (mbedtls_pk_sigalg_t)pk_alg)); + sig, sig_len, (mbedtls_pk_sigalg_t) pk_alg)); /* * Compact the space between the CSR data and signature by moving the From df6a6eacedcc9f6af094a4a1e5eeb22e379e97b2 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Wed, 6 Aug 2025 08:08:10 +0100 Subject: [PATCH 08/12] Add ChangeLog Signed-off-by: Ben Taylor --- ChangeLog.d/remove_mbedtls_pk_type.txt | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 ChangeLog.d/remove_mbedtls_pk_type.txt diff --git a/ChangeLog.d/remove_mbedtls_pk_type.txt b/ChangeLog.d/remove_mbedtls_pk_type.txt new file mode 100644 index 0000000000..0ad38e0a50 --- /dev/null +++ b/ChangeLog.d/remove_mbedtls_pk_type.txt @@ -0,0 +1,4 @@ + +Removals + * Remove mbedtls_pk_type_t from the public interface and replace it with + mbedtls_pk_sigalg_t. From 563d360a9bcdac46d2e2f7b5fe4786ad87eaacd9 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Wed, 6 Aug 2025 08:22:25 +0100 Subject: [PATCH 09/12] Fix ChangeLog format Signed-off-by: Ben Taylor --- ChangeLog.d/remove_mbedtls_pk_type.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/ChangeLog.d/remove_mbedtls_pk_type.txt b/ChangeLog.d/remove_mbedtls_pk_type.txt index 0ad38e0a50..4b33d1e110 100644 --- a/ChangeLog.d/remove_mbedtls_pk_type.txt +++ b/ChangeLog.d/remove_mbedtls_pk_type.txt @@ -1,4 +1,3 @@ - Removals * Remove mbedtls_pk_type_t from the public interface and replace it with mbedtls_pk_sigalg_t. From 6816fd781e89e3fa83a7d5ba363edb74d9fb4de8 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Wed, 6 Aug 2025 13:50:24 +0100 Subject: [PATCH 10/12] Adjust for change in mbedtls_pk_verify_new function prototype Signed-off-by: Ben Taylor --- library/ssl_tls12_client.c | 2 +- library/ssl_tls13_generic.c | 2 +- library/x509_crt.c | 4 ++-- tests/suites/test_suite_x509write.function | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 2129da122d..5488eb04ce 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -2082,7 +2082,7 @@ start_processing: #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) if (pk_alg == MBEDTLS_PK_RSASSA_PSS) { - ret = mbedtls_pk_verify_new(pk_alg, peer_pk, + ret = mbedtls_pk_verify_new((mbedtls_pk_sigalg_t) pk_alg, peer_pk, md_alg, hash, hashlen, p, sig_len); } else diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index e88c00a564..7e2daefa74 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -300,7 +300,7 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len); - if ((ret = mbedtls_pk_verify_new(sig_alg, + if ((ret = mbedtls_pk_verify_new((mbedtls_pk_sigalg_t) sig_alg, &ssl->session_negotiate->peer_cert->pk, md_alg, verify_hash, verify_hash_len, p, signature_len)) == 0) { diff --git a/library/x509_crt.c b/library/x509_crt.c index dde6513927..9ac9658009 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -2061,7 +2061,7 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, flags |= MBEDTLS_X509_BADCERT_BAD_KEY; } - if (mbedtls_pk_verify_new((mbedtls_pk_type_t) crl_list->sig_pk, &ca->pk, + if (mbedtls_pk_verify_new(crl_list->sig_pk, &ca->pk, crl_list->sig_md, hash, hash_length, crl_list->sig.p, crl_list->sig.len) != 0) { flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; @@ -2135,7 +2135,7 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child, (void) rs_ctx; #endif - return mbedtls_pk_verify_new((mbedtls_pk_type_t) child->sig_pk, &parent->pk, + return mbedtls_pk_verify_new(child->sig_pk, &parent->pk, child->sig_md, hash, hash_len, child->sig.p, child->sig.len); } diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index cb372014cd..c2ab27b01d 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -40,7 +40,7 @@ static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen) goto cleanup; } - if (mbedtls_pk_verify_new((mbedtls_pk_type_t) csr.sig_pk, &csr.pk, + if (mbedtls_pk_verify_new(csr.sig_pk, &csr.pk, csr.sig_md, hash, mbedtls_md_get_size_from_type(csr.sig_md), csr.sig.p, csr.sig.len) != 0) { ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED; From 8b3b7e5cacdde75f9a650d2739d7183f6cd4526f Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Wed, 6 Aug 2025 15:23:33 +0100 Subject: [PATCH 11/12] Update further type mismatches Signed-off-by: Ben Taylor --- library/ssl_tls12_client.c | 2 +- library/ssl_tls13_generic.c | 2 +- library/x509_crt.c | 4 ++-- tests/suites/test_suite_x509write.function | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 5488eb04ce..2129da122d 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -2082,7 +2082,7 @@ start_processing: #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) if (pk_alg == MBEDTLS_PK_RSASSA_PSS) { - ret = mbedtls_pk_verify_new((mbedtls_pk_sigalg_t) pk_alg, peer_pk, + ret = mbedtls_pk_verify_new(pk_alg, peer_pk, md_alg, hash, hashlen, p, sig_len); } else diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 7e2daefa74..e88c00a564 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -300,7 +300,7 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len); - if ((ret = mbedtls_pk_verify_new((mbedtls_pk_sigalg_t) sig_alg, + if ((ret = mbedtls_pk_verify_new(sig_alg, &ssl->session_negotiate->peer_cert->pk, md_alg, verify_hash, verify_hash_len, p, signature_len)) == 0) { diff --git a/library/x509_crt.c b/library/x509_crt.c index 9ac9658009..e6b9252859 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -2061,7 +2061,7 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, flags |= MBEDTLS_X509_BADCERT_BAD_KEY; } - if (mbedtls_pk_verify_new(crl_list->sig_pk, &ca->pk, + if (mbedtls_pk_verify_ext(crl_list->sig_pk, &ca->pk, crl_list->sig_md, hash, hash_length, crl_list->sig.p, crl_list->sig.len) != 0) { flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; @@ -2135,7 +2135,7 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child, (void) rs_ctx; #endif - return mbedtls_pk_verify_new(child->sig_pk, &parent->pk, + return mbedtls_pk_verify_ext(child->sig_pk, &parent->pk, child->sig_md, hash, hash_len, child->sig.p, child->sig.len); } diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index c2ab27b01d..000c09a950 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -40,7 +40,7 @@ static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen) goto cleanup; } - if (mbedtls_pk_verify_new(csr.sig_pk, &csr.pk, + if (mbedtls_pk_verify_ext(csr.sig_pk, &csr.pk, csr.sig_md, hash, mbedtls_md_get_size_from_type(csr.sig_md), csr.sig.p, csr.sig.len) != 0) { ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED; From 8dfed9fc15527c44f4dc22988300565dcf626ada Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Wed, 6 Aug 2025 15:46:21 +0100 Subject: [PATCH 12/12] Remove pointer cast in mbedtls_x509_oid_get_sig_alg Signed-off-by: Ben Taylor --- library/x509.c | 2 +- library/x509_oid.c | 34 +++++++++++++++++----------------- library/x509_oid.h | 4 ++-- library/x509write_crt.c | 2 +- library/x509write_csr.c | 2 +- 5 files changed, 22 insertions(+), 22 deletions(-) diff --git a/library/x509.c b/library/x509.c index b8f2847437..1adff8fafc 100644 --- a/library/x509.c +++ b/library/x509.c @@ -721,7 +721,7 @@ int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509 { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if ((ret = mbedtls_x509_oid_get_sig_alg(sig_oid, md_alg, (mbedtls_pk_type_t *) pk_alg)) != 0) { + if ((ret = mbedtls_x509_oid_get_sig_alg(sig_oid, md_alg, pk_alg)) != 0) { return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG, ret); } diff --git a/library/x509_oid.c b/library/x509_oid.c index d69fd513ba..cc0063bcd3 100644 --- a/library/x509_oid.c +++ b/library/x509_oid.c @@ -381,7 +381,7 @@ FN_OID_GET_ATTR1(mbedtls_x509_oid_get_certificate_policies, typedef struct { mbedtls_x509_oid_descriptor_t descriptor; mbedtls_md_type_t md_alg; - mbedtls_pk_type_t pk_alg; + mbedtls_pk_sigalg_t pk_alg; } oid_sig_alg_t; static const oid_sig_alg_t oid_sig_alg[] = @@ -390,47 +390,47 @@ static const oid_sig_alg_t oid_sig_alg[] = #if defined(PSA_WANT_ALG_MD5) { OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_MD5, "md5WithRSAEncryption", "RSA with MD5"), - MBEDTLS_MD_MD5, MBEDTLS_PK_RSA, + MBEDTLS_MD_MD5, MBEDTLS_PK_SIGALG_RSA_PKCS1V15, }, #endif /* PSA_WANT_ALG_MD5 */ #if defined(PSA_WANT_ALG_SHA_1) { OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA1, "sha-1WithRSAEncryption", "RSA with SHA1"), - MBEDTLS_MD_SHA1, MBEDTLS_PK_RSA, + MBEDTLS_MD_SHA1, MBEDTLS_PK_SIGALG_RSA_PKCS1V15, }, #endif /* PSA_WANT_ALG_SHA_1 */ #if defined(PSA_WANT_ALG_SHA_224) { OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA224, "sha224WithRSAEncryption", "RSA with SHA-224"), - MBEDTLS_MD_SHA224, MBEDTLS_PK_RSA, + MBEDTLS_MD_SHA224, MBEDTLS_PK_SIGALG_RSA_PKCS1V15, }, #endif /* PSA_WANT_ALG_SHA_224 */ #if defined(PSA_WANT_ALG_SHA_256) { OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA256, "sha256WithRSAEncryption", "RSA with SHA-256"), - MBEDTLS_MD_SHA256, MBEDTLS_PK_RSA, + MBEDTLS_MD_SHA256, MBEDTLS_PK_SIGALG_RSA_PKCS1V15, }, #endif /* PSA_WANT_ALG_SHA_256 */ #if defined(PSA_WANT_ALG_SHA_384) { OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA384, "sha384WithRSAEncryption", "RSA with SHA-384"), - MBEDTLS_MD_SHA384, MBEDTLS_PK_RSA, + MBEDTLS_MD_SHA384, MBEDTLS_PK_SIGALG_RSA_PKCS1V15, }, #endif /* PSA_WANT_ALG_SHA_384 */ #if defined(PSA_WANT_ALG_SHA_512) { OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA512, "sha512WithRSAEncryption", "RSA with SHA-512"), - MBEDTLS_MD_SHA512, MBEDTLS_PK_RSA, + MBEDTLS_MD_SHA512, MBEDTLS_PK_SIGALG_RSA_PKCS1V15, }, #endif /* PSA_WANT_ALG_SHA_512 */ #if defined(PSA_WANT_ALG_SHA_1) { OID_DESCRIPTOR(MBEDTLS_OID_RSA_SHA_OBS, "sha-1WithRSAEncryption", "RSA with SHA1"), - MBEDTLS_MD_SHA1, MBEDTLS_PK_RSA, + MBEDTLS_MD_SHA1, MBEDTLS_PK_SIGALG_RSA_PKCS1V15, }, #endif /* PSA_WANT_ALG_SHA_1 */ #endif /* MBEDTLS_RSA_C */ @@ -438,43 +438,43 @@ static const oid_sig_alg_t oid_sig_alg[] = #if defined(PSA_WANT_ALG_SHA_1) { OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA1, "ecdsa-with-SHA1", "ECDSA with SHA1"), - MBEDTLS_MD_SHA1, MBEDTLS_PK_ECDSA, + MBEDTLS_MD_SHA1, MBEDTLS_PK_SIGALG_ECDSA, }, #endif /* PSA_WANT_ALG_SHA_1 */ #if defined(PSA_WANT_ALG_SHA_224) { OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA224, "ecdsa-with-SHA224", "ECDSA with SHA224"), - MBEDTLS_MD_SHA224, MBEDTLS_PK_ECDSA, + MBEDTLS_MD_SHA224, MBEDTLS_PK_SIGALG_ECDSA, }, #endif #if defined(PSA_WANT_ALG_SHA_256) { OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA256, "ecdsa-with-SHA256", "ECDSA with SHA256"), - MBEDTLS_MD_SHA256, MBEDTLS_PK_ECDSA, + MBEDTLS_MD_SHA256, MBEDTLS_PK_SIGALG_ECDSA, }, #endif /* PSA_WANT_ALG_SHA_256 */ #if defined(PSA_WANT_ALG_SHA_384) { OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA384, "ecdsa-with-SHA384", "ECDSA with SHA384"), - MBEDTLS_MD_SHA384, MBEDTLS_PK_ECDSA, + MBEDTLS_MD_SHA384, MBEDTLS_PK_SIGALG_ECDSA, }, #endif /* PSA_WANT_ALG_SHA_384 */ #if defined(PSA_WANT_ALG_SHA_512) { OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA512, "ecdsa-with-SHA512", "ECDSA with SHA512"), - MBEDTLS_MD_SHA512, MBEDTLS_PK_ECDSA, + MBEDTLS_MD_SHA512, MBEDTLS_PK_SIGALG_ECDSA, }, #endif /* PSA_WANT_ALG_SHA_512 */ #endif /* PSA_HAVE_ALG_SOME_ECDSA */ #if defined(MBEDTLS_RSA_C) { OID_DESCRIPTOR(MBEDTLS_OID_RSASSA_PSS, "RSASSA-PSS", "RSASSA-PSS"), - MBEDTLS_MD_NONE, MBEDTLS_PK_RSASSA_PSS, + MBEDTLS_MD_NONE, MBEDTLS_PK_SIGALG_RSA_PSS, }, #endif /* MBEDTLS_RSA_C */ { NULL_OID_DESCRIPTOR, - MBEDTLS_MD_NONE, MBEDTLS_PK_NONE, + MBEDTLS_MD_NONE, MBEDTLS_PK_SIGALG_NONE, }, }; @@ -494,14 +494,14 @@ FN_OID_GET_ATTR2(mbedtls_x509_oid_get_sig_alg, sig_alg, mbedtls_md_type_t, md_alg, - mbedtls_pk_type_t, + mbedtls_pk_sigalg_t, pk_alg) #endif /* MBEDTLS_X509_USE_C */ #if defined(MBEDTLS_X509_CRT_WRITE_C) || defined(MBEDTLS_X509_CSR_WRITE_C) FN_OID_GET_OID_BY_ATTR2(mbedtls_x509_oid_get_oid_by_sig_alg, oid_sig_alg_t, oid_sig_alg, - mbedtls_pk_type_t, + mbedtls_pk_sigalg_t, pk_alg, mbedtls_md_type_t, md_alg) diff --git a/library/x509_oid.h b/library/x509_oid.h index 8d5e1bbff1..0752953aac 100644 --- a/library/x509_oid.h +++ b/library/x509_oid.h @@ -80,7 +80,7 @@ int mbedtls_x509_oid_get_attr_short_name(const mbedtls_asn1_buf *oid, const char * \return 0 if successful, or MBEDTLS_ERR_X509_UNKNOWN_OID */ int mbedtls_x509_oid_get_sig_alg(const mbedtls_asn1_buf *oid, - mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg); + mbedtls_md_type_t *md_alg, mbedtls_pk_sigalg_t *pk_alg); #if !defined(MBEDTLS_X509_REMOVE_INFO) /** @@ -106,7 +106,7 @@ int mbedtls_x509_oid_get_sig_alg_desc(const mbedtls_asn1_buf *oid, const char ** * * \return 0 if successful, or MBEDTLS_ERR_X509_UNKNOWN_OID */ -int mbedtls_x509_oid_get_oid_by_sig_alg(mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg, +int mbedtls_x509_oid_get_oid_by_sig_alg(mbedtls_pk_sigalg_t pk_alg, mbedtls_md_type_t md_alg, const char **oid, size_t *olen); #endif /* MBEDTLS_X509_CRT_WRITE_C || MBEDTLS_X509_CSR_WRITE_C */ diff --git a/library/x509write_crt.c b/library/x509write_crt.c index e1d5758f7c..1f8a006de6 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -416,7 +416,7 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, return MBEDTLS_ERR_X509_INVALID_ALG; } - if ((ret = mbedtls_x509_oid_get_oid_by_sig_alg(pk_alg, ctx->md_alg, + if ((ret = mbedtls_x509_oid_get_oid_by_sig_alg((mbedtls_pk_sigalg_t) pk_alg, ctx->md_alg, &sig_oid, &sig_oid_len)) != 0) { return ret; } diff --git a/library/x509write_csr.c b/library/x509write_csr.c index 5b2a17b0bc..8e37278f95 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -230,7 +230,7 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx, return MBEDTLS_ERR_X509_INVALID_ALG; } - if ((ret = mbedtls_x509_oid_get_oid_by_sig_alg(pk_alg, ctx->md_alg, + if ((ret = mbedtls_x509_oid_get_oid_by_sig_alg((mbedtls_pk_sigalg_t) pk_alg, ctx->md_alg, &sig_oid, &sig_oid_len)) != 0) { return ret; }