PK restartable operations are now implemented using PSA interruptible
ones, so mbedtls_ecp_set_max_ops() can be removed in favor of
psa_interruptible_set_max_ops().
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
For each function in `x509_oid.c`, determine where it is used and only
include it in the build if it is needed by the X.509 code. Define the
corresponding internal tables only when they are consumed by a function.
This makes Mbed TLS completely independent of the compilation option
`MBEDTLS_OID_C`. This option remains present only in sample configs for
crypto, where it must stay until TF-PSA-Crypto no longer relies on this
option.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Some code that parses or writes X.509 needs to know OID values. We provide a
convenient list. Don't remove this list from the public interface of the
library.
For user convenience, expose these values in the same header as before and
with the same name as before: `MBEDTLS_OID_xxx` in `<mbedtls/oid.h>`.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Both PKCS7 and X509 rely on PK module under the hood and the latter can
use PSA to store keys and perform operations. Therefore psa_crypto_init()
must be called before any operation can be done with PKCS7 and X509.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Set also psa_interruptible_set_max_ops() when mbedtls_ecp_set_max_ops()
is set so that the same amount of operations will be used both if legacy
ECDSA_C or PSA is used under the hood to perform the operation.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This commit moves all related mbedtls_oid_get_numeric_string unit tests
from test_suite_oid to test_suite_x509parse.
Signed-off-by: Sam Berry <sam.berry@arm.com>
crl_file is a test argument and can't be null. Besides the code above
already assumes that it's non-null.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The official spelling of the trade mark changed from all-lowercase "mbed"
to normal proper noun capitalization "Mbed" a few years ago. We've been
using the new spelling in new text but still have the old spelling in a
lot of text. This commit updates most occurrences of "mbed TLS":
```
sed -i -e 's/mbed TLS/Mbed TLS/g' $(git ls-files ':!ChangeLog' ':!tests/data_files/**' ':!tests/suites/*.data' ':!programs/x509/*' ':!configs/tfm*')
```
Justification for the omissions:
* `ChangeLog`: historical text.
* `test/data_files/**`, `tests/suites/*.data`, `programs/x509/*`: many
occurrences are significant names in certificates and such. Changing
the spelling would invalidate many signatures and tests.
* `configs/tfm*`: this is an imported file. We'll follow the upstream
updates.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The hardware module name otherName SAN contains 2 OIDs:
OtherName ::= SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id }
HardwareModuleName ::= SEQUENCE {
hwType OBJECT IDENTIFIER,
hwSerialNum OCTET STRING }
The first, type-id, is the one that identifies the otherName as a
HardwareModuleName. The second, hwType, identifies the type of hardware.
This change fixes 2 issues:
1. We were erroneously trying to identify HardwareModuleNames by looking
at hwType, not type-id.
2. We accidentally inverted the check so that we were checking that
hwType did NOT match HardwareModuleName.
This fix ensures that type-id is correctly checked to make sure that it
matches the OID for HardwareModuleName.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Remove custom parsing code in AuthorityKeyIdentifier tests and use
mbedtls_x509_dn_gets() and strcmp() instead.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
