Security profile for certificate verification.

All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG().

The fields of this structure are part of the public API and can be manipulated directly by applications. Future versions of the library may add extra fields or reorder existing fields.

You can create custom profiles by starting from a copy of an existing profile, such as mbedtls_x509_crt_profile_default or mbedtls_x509_ctr_profile_none and then tune it to your needs.

For example to allow SHA-224 in addition to the default:

mbedtls_x509_crt_profile my_profile = mbedtls_x509_crt_profile_default; my_profile.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 );

Or to allow only RSA-3072+ with SHA-256:

mbedtls_x509_crt_profile my_profile = mbedtls_x509_crt_profile_none; my_profile.allowed_mds = MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ); my_profile.allowed_pks = MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_RSA ); my_profile.rsa_min_bitlen = 3072;

Public Attributes#

uint32_t
allowed_mds

MDs for signatures

uint32_t
allowed_pks

PK algs for public keys; this applies to all certificates in the provided chain.

uint32_t
allowed_curves

Elliptic curves for ECDSA

uint32_t
rsa_min_bitlen

Minimum size for RSA keys

Public Attribute Documentation#

allowed_mds#

uint32_t mbedtls_x509_crt_profile::allowed_mds

MDs for signatures


Definition at line 138 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

allowed_pks#

uint32_t mbedtls_x509_crt_profile::allowed_pks

PK algs for public keys; this applies to all certificates in the provided chain.


Definition at line 139 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

allowed_curves#

uint32_t mbedtls_x509_crt_profile::allowed_curves

Elliptic curves for ECDSA


Definition at line 142 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

rsa_min_bitlen#

uint32_t mbedtls_x509_crt_profile::rsa_min_bitlen

Minimum size for RSA keys


Definition at line 143 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h