mbed-tls February 2024

mbed-tls@lists.trustedfirmware.org

10 participants
13 discussions

Handshake is successful if the intermediate CA is revoked.

by singaravelu Balasubramani

I am checking the certificate revocation with below scenario. I have Root CA, Intermediate CA and device certificate is signed by Intermediate CA. I am makeing chain certificate by combining Root CA, Intermediate CA and this chain certificate is my active CA certificate and loaded this and device certificate to the drive. From client, I am creating client certificate which is signed by same intermeidate CA. Making ssl handshake. Handshake is success as expected. Now i am revoking the intermediate CA and creating the crl which is signed by the Root CA. This crl has the serial number of intermediate CA. Now loading the CRL to the drive and setting the crl in "mbedtls_ssl_conf_ca_chain". Now i am establishing the ssl connection with the same client ceritificate and expecting the ssl handshake failure due to intermediate CA revoked. But i get handshake is success. Is my understanding right about intermediate CA revocation? I did little background debug, and my obervation is During handshake , it goes to static int x509_crt_verify_chain function in mbedtls. Its trying to find the parent using x509_crt_find_parent for the client certificate and get intermediate CA. During this time, parent_is_trusted is set as true. after this x509_crt_verifycrl is called with client certificate (child), intermediate CA (parent) and crl(has the intermediate CA serial number-issued by Root CA). During x509_crt_verifycrl check, it check for CRL issuer with ca subject and return 0, as its not matching. now in x509_crt_verify_chain , /* prepare for next iteration */ ., they are marking child_is_trusted = parent_is_trusted and child = parent, parent = NULL; and while loop continues, in loop, x509_crt_verify_chain checks for child_is_trusted is true and return as 0. But its not checking that intermediate CA is revoked or not. /* Stop here for trusted roots (but not for trusted EE certs) */ if( child_is_trusted ) return( 0 );

9 months

Question about mbedtls_x509_parse_subject_alt_name

by Roman Janota

Hello, I would like to parse certificate's SAN fields in my application. In the documentation of the struct mbdetls_x509_crt for its member subject_alt_names the following is stated: "Optional list of raw entries of Subject Alternative Names extension. These can be later parsed by mbedtls_x509_parse_subject_alt_name.". I was using the latest development branch and tried to call the function, however, I found out I can not, because it is defined in the x509_internal.h private header. I later found out that the definition was moved from the public to the private header in the commit 25b282e <https://github.com/Mbed-TLS/mbedtls/commit/25b282ebfe5cb84e73d6194e83dc8d6c…> (partly thanks to the issue #459 <https://github.com/Mbed-TLS/mbedtls/issues/459>). So I switched to the 3.5.2 release and everything worked fine. Why was this change made? Will it be kept so that I'd have to implement my own parsing? Or was it a mistake? Thank you for clarifying, Roman.

9 months, 1 week

SHA-256 mismatch for mbedtls-3.5.2.tar.gz

by Wojtek Porczyk

Hello, list, Release notes for Mbed TLS 3.5.2 [0] have this: The SHA256 hashes for the archives are: 35890edf1a2c7a7e29eac3118d43302c3e1173e0df0ebaf5db56126dabe5bb05 mbedtls-3.5.2.tar.gz 55c1525e7d5de18b84a1d1e5540950b4a3bac70e02889cf309919b2877cba63b mbedtls-3.5.2.zip However, attempting to download mbedtls-3.5.2.tar.gz yields a file with hash: eedecc468b3f8d052ef05a9d42bf63f04c8a1c50d1c5a94c251c681365a2c723 What's going on with those hashes? [0]: https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.5.2 https://web.archive.org/web/20240126105153/https://github.com/Mbed-TLS/mbed… -- pozdrawiam / best regards Wojtek Porczyk Gramine / Invisible Things Lab I do not fear computers, I fear lack of them. -- Isaac Asimov

9 months, 3 weeks

2024

2023

2022

2021

2020

mbed-tls February 2024