Hi,
I'm currently working on adding mbedTLS 3.x support for Privoxy [0].
Everything seems to be working but I ifdef'ed out the following code in [1] that worked with mbedTLS 2.28.8:
/* * Check if key and issuer certificate match */ if (!mbedtls_pk_can_do(&issuer_cert.pk, MBEDTLS_PK_RSA) || mbedtls_mpi_cmp_mpi(&mbedtls_pk_rsa(issuer_cert.pk)->N, &mbedtls_pk_rsa(*issuer_key)->N) != 0 || mbedtls_mpi_cmp_mpi(&mbedtls_pk_rsa(issuer_cert.pk)->E, &mbedtls_pk_rsa(*issuer_key)->E) != 0) { log_error(LOG_LEVEL_ERROR, "Issuer key doesn't match issuer certificate"); ret = -1; goto exit; }
As N and E are private now it no longer compiles.
Is there a way to implement the check with mbedTLS 3.x?
My impression is that the sanity check is overly cautious and we don't have equivalent code for OpenSSL and wolfSSL but I'm curious.
Thanks, Fabian
[0] https://www.privoxy.org/ [1] https://www.privoxy.org/gitweb/?p=privoxy.git;a=blob;f=ssl.c;h=e8007cd9adad65ea10c5f98d385dc75fa8eab51f;hb=HEAD#l1547