Merge pull request #242 from valeriosetti/issue568-framework

valeriosetti · web-flow · commit f58263d00f28 · 2025-12-02T17:18:40.000+01:00
[framework] Remove support for secp192[k|r]1 curves
diff --git a/data_files/Makefile b/data_files/Makefile
@@ -469,6 +469,17 @@ server5-selfsigned.crt: server5.key
         -out $@
 all_final += server5-selfsigned.crt
 
+# Create a certificate which is almost identical to "server3.crt", i.e.
+# it contains a public EC key and it is signed with RSA. The main difference
+# compared to "server3.crt" is that in this case we use a secp256r1 key ("server5.key")
+# instead of secp192r1 one that is used in "server3.crt".
+parse_input/server5-rsa-signed.crt server5-rsa-signed.crt: server5.key
+	$(MBEDTLS_CERT_WRITE) subject_key=$< subject_name="C=NL,O=PolarSSL,CN=localhost" serial=13 \
+		issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) \
+		not_before=20251201101530 not_after=20351201101530 \
+		md=SHA256 version=3 output_file=$@
+all_final += server5-rsa-signed.crt
+
 parse_input/server5-othername.crt.der: server5.key
 	$(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions othername_san -days 3650 -sha256 -key $< -outform der -out $@
 
@@ -625,6 +636,18 @@ server10_int3_spurious_int-ca2.crt: server10.crt test-int-ca3.crt $(test_ca_int_
 	cat $^ > $@
 all_final += server10_int3_spurious_int-ca2.crt
 
+# server11 *
+
+# This is basically identical to "server5-rsa-signed.crt" but using a secp256k1
+# key instead of secp256r1 one in order not to fall in the list of allowed curves
+# for suite-b profile.
+server11-rsa-signed.crt: server11.key
+	$(MBEDTLS_CERT_WRITE) subject_key=$< subject_name="C=NL,O=PolarSSL,CN=localhost" serial=13 \
+		issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) \
+		not_before=20251201101530 not_after=20351201101530 \
+		md=SHA1 version=3 output_file=$@
+all_final += server11-rsa-signed.crt
+
 rsa_pkcs1_2048_public.pem: server8.key
 	$(OPENSSL)  rsa -in $< -outform PEM -RSAPublicKey_out -out $@
 all_final += rsa_pkcs1_2048_public.pem
diff --git a/data_files/parse_input/server5-rsa-signed.crt b/data_files/parse_input/server5-rsa-signed.crt
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICbDCCAVSgAwIBAgIBDTANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MjUxMjAxMTAxNTMwWhcNMzUxMjAxMTAxNTMwWjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
+2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jTTBLMAkGA1UdEwQCMAAwHQYD
+VR0OBBYEFFBhpY/UB9nXggEM5WV/jGNGpxO+MB8GA1UdIwQYMBaAFLRa5KWz3tJS
+9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBCwUAA4IBAQBFbdhHbGhpR2TXjHDMqRTx
+epceYFPm0bL8h/gWUMsZ196DgrInm4u42txiWX6Ckekv/yeEOUEx90faACLmGGfk
+1QwWWVGShgUcl5d6DljtgTTx6jHiH3tHbcG8Rmmfmh+DKZ/4wjQ80FgbW7gEUyis
+xizhFI8+gYH6aT4fdYicyIzysul/0FF3c9nzn+Mt+VRzaPIAYgIujkQAiJO4/QB8
+2wuET09K9uWeHseXbjQ8O7yPnIpimX7G3TrUwBKb0QEE9IoDTbHjnxM0nxWkPSht
+wCZFuTfCcnjBi5ps+KJE2iJeK4D5zjS42VX08/ysFViejtY4vUMz3SXrulGg7NKE
+-----END CERTIFICATE-----
diff --git a/data_files/server11-rsa-signed.crt b/data_files/server11-rsa-signed.crt
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICaTCCAVGgAwIBAgIBDTANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MjUxMjAxMTAxNTMwWhcNMzUxMjAxMTAxNTMwWjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBWMBAGByqGSM49AgEG
+BSuBBAAKA0IABITn/L3s9+4MXRDenn1V/4T4B0igjlPW52BKcl5ZNS5jMqDOOUjl
+zXShWMqz2Izhsa29cxsTOZN8eT4p8BedD6ujTTBLMAkGA1UdEwQCMAAwHQYDVR0O
+BBYEFE8fs/ywDn6xlnYK1tDkG/lCZ0ZmMB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnV
+ppUP6z68x/3/MA0GCSqGSIb3DQEBBQUAA4IBAQAC/yhdzzdYHCSmvg+Hp9UjWR4l
+7g2g+AjeecH3zPNwzXXoFTMQh9oVNlwJf0Kohit24GTfkOu9jgDFm2Os5HQudLJj
+QBxdN5D/hCa7ZMT5ing8CFYPoMovlJBqFwtVVVNs+zTGwnij3el+96fTm/qXg2+L
+DjulIeKmxylY8RZxbEZfOpaC/krWvYlVrX2OWE0/FsTFJQDYLIJF1mJi90+lbIKN
+vn68o5WLRahn9Om20AE3ZLshBsMtprkXo7IR/P8bPzGaaC/WZ13A7rI6ZSsRGKKr
+sWZ0fOLEXylcbzaEhkNEPcKUQTFs9JzcvS5Z0sP8bB8nAtQgRzwFhW9rqFyc
+-----END CERTIFICATE-----
diff --git a/data_files/server11.key b/data_files/server11.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHQCAQEEIDzXde5ZiqF4VOJ4mFFJyzLOPz0RHkeJdF9quDdy67oGoAcGBSuBBAAK
+oUQDQgAEhOf8vez37gxdEN6efVX/hPgHSKCOU9bnYEpyXlk1LmMyoM45SOXNdKFY
+yrPYjOGxrb1zGxM5k3x5PinwF50Pqw==
+-----END EC PRIVATE KEY-----
diff --git a/data_files/server5-rsa-signed.crt b/data_files/server5-rsa-signed.crt
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICbDCCAVSgAwIBAgIBDTANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MjUxMjAxMTAxNTMwWhcNMzUxMjAxMTAxNTMwWjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
+2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jTTBLMAkGA1UdEwQCMAAwHQYD
+VR0OBBYEFFBhpY/UB9nXggEM5WV/jGNGpxO+MB8GA1UdIwQYMBaAFLRa5KWz3tJS
+9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBCwUAA4IBAQBFbdhHbGhpR2TXjHDMqRTx
+epceYFPm0bL8h/gWUMsZ196DgrInm4u42txiWX6Ckekv/yeEOUEx90faACLmGGfk
+1QwWWVGShgUcl5d6DljtgTTx6jHiH3tHbcG8Rmmfmh+DKZ/4wjQ80FgbW7gEUyis
+xizhFI8+gYH6aT4fdYicyIzysul/0FF3c9nzn+Mt+VRzaPIAYgIujkQAiJO4/QB8
+2wuET09K9uWeHseXbjQ8O7yPnIpimX7G3TrUwBKb0QEE9IoDTbHjnxM0nxWkPSht
+wCZFuTfCcnjBi5ps+KJE2iJeK4D5zjS42VX08/ysFViejtY4vUMz3SXrulGg7NKE
+-----END CERTIFICATE-----
