search

Mbed-TLS / mbedtls

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
https://www.trustedfirmware.org/projects/mbed-tls/
Other
5.55k stars 2.6k forks source link

Deprecate mbedtls_asn1_write_algorithm_identifier #7963

Open gilles-peskine-arm opened 1 year ago

gilles-peskine-arm commented 1 year ago

After https://github.com/Mbed-TLS/mbedtls/pull/7788, we are no longer using mbedtls_asn1_write_algorithm_identifier, only mbedtls_asn1_write_algorithm_identifier_ext. I think this makes sense in general: the behavior of mbedtls_asn1_write_algorithm_identifier is specific to RSA-only code and can't be used by code that supports ECC (or DSA). So I think we should deprecate mbedtls_asn1_write_algorithm_identifier.

Note that this means that mbedtls_asn1_write_algorithm_identifier_ext should be tested independently of mbedtls_asn1_write_algorithm_identifier. This should have been the case anyway, but it currently isn't.

Note: I'm not sure if the interface of mbedtls_asn1_write_algorithm_identifier_ext really makes sense. We could just require the caller to write the null parameter before calling writing the function, just like the caller has to write any other parameter before calling the function. As I write, we can still change that because mbedtls_asn1_write_algorithm_identifier_ext was added after the last release, but we have to do it before the 3.5 release or else we're stuck until 4.0.

gilles-peskine-arm commented 3 months ago

Now that we've released the last 3.x minor release, all that's left is to remove mbedtls_asn1_write_algorithm_identifier. We need to adapt the tests to test mbedtls_asn1_write_algorithm_identifier_ext.

Changing the interface of mbedtls_asn1_write_algorithm_identifier_ext as described in the issue is an optional improvement which we may do at the same time we adjust the tests.