added KConfig option to allow loading CA certs with unsupported extensions

Close https://github.com/espressif/esp-idf/pull/4445
2024-10-05 20:47:46 -04:00 · 2019-12-05 17:30:17 +13:00 · 2019-12-05 17:30:17 +13:00 · 4ee78f8496
commit 4ee78f8496
parent 8e28226935
2 changed files with 31 additions and 0 deletions
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@ -601,4 +601,16 @@ menu "mbedTLS"

            # end of Elliptic Curve options

+    menuconfig MBEDTLS_SECURITY_RISKS
+        bool "Show configurations with potential security risks"
+        default n
+
+    config MBEDTLS_ALLOW_UNSUPPORTED_CRITICAL_EXT
+        bool "X.509 CRT parsing with unsupported critical extensions"
+        depends on MBEDTLS_SECURITY_RISKS
+        default n
+        help
+            Allow the X.509 certificate parser to load certificates
+            with unsupported critical extensions
+
 endmenu  # mbedTLS
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@ -2214,6 +2214,25 @@
 */
 #define MBEDTLS_X509_CRT_WRITE_C

+/**
+ * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+ *
+  * Alow the X509 parser to not break-off when parsing an X509 certificate
+ * and encountering an unknown critical extension.
+ *
+ * Module:  library/x509_crt.c
+ *
+ * Requires: MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This module is supports loading of certificates with extensions that
+ * may not be supported by mbedtls.
+ */
+#ifdef CONFIG_MBEDTLS_ALLOW_UNSUPPORTED_CRITICAL_EXT
+#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+#else
+#undef MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+#endif
+
 /**
 * \def MBEDTLS_X509_CSR_WRITE_C
 *