Merge pull request #8010 from marekjansta/fix-x509-ec-algorithm-identifier-2.28

Backport 2.28: Fixed x509 certificate generation to conform to RFCs when using ECC key
2025-11-20 01:02:18 +03:00 · 2023-08-07 19:14:52 +00:00
parent 1484a53429 0a6743b2de
commit b438348774
12 changed files with 101 additions and 17 deletions
--- a/include/mbedtls/asn1write.h
+++ b/include/mbedtls/asn1write.h
@@ -158,6 +158,27 @@ int mbedtls_asn1_write_algorithm_identifier(unsigned char **p,
                                            const char *oid, size_t oid_len,
                                            size_t par_len);

+/**
+ * \brief           Write an AlgorithmIdentifier sequence in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param oid       The OID of the algorithm to write.
+ * \param oid_len   The length of the algorithm's OID.
+ * \param par_len   The length of the parameters, which must be already written.
+ * \param has_par   If there are any parameters. If 0, par_len must be 0. If 1
+ *                  and \p par_len is 0, NULL parameters are added.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_algorithm_identifier_ext(unsigned char **p,
+                                                unsigned char *start,
+                                                const char *oid, size_t oid_len,
+                                                size_t par_len, int has_par);
+
 /**
 * \brief           Write a boolean tag (#MBEDTLS_ASN1_BOOLEAN) and value
 *                  in ASN.1 format.
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -361,7 +361,8 @@ int mbedtls_x509_write_names(unsigned char **p, unsigned char *start,
                             mbedtls_asn1_named_data *first);
 int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start,
                           const char *oid, size_t oid_len,
-                           unsigned char *sig, size_t size);
+                           unsigned char *sig, size_t size,
+                           mbedtls_pk_type_t pk_alg);

 #define MBEDTLS_X509_SAFE_SNPRINTF                          \
    do {                                                    \