- use SHA-256 instead of SHA-1 for "server5-rsa-signed.crt". This change is
not applied to "server11.crt" because the goal there is to have as many
features as possible which are _not_ part of suite-b (and SHA-1 is not
part of it).
- move start/end dates forward so that certificates are valid for the
next 10 years.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
This is almost identical to "server5-rsa-signed.crt" in the sense that it
includes an EC public key and it's signed with an RSA one.
The main difference compared to "server5-rsa-signed.crt" is that in this
case we're using a secp256k1 key, instead the companion one uses a
secp256r1. The important thing here is that the "k1" type does not belong
to "suite-b", while "r1" does.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
This is a secp256k1 EC key. The goal is to use it in tests where a key
that does not belong to the "suite-b" list is required.
For example it can be used as counterpart of "server5.key" since this one
is secp256r1 and this curve type belong to "suite-b".
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
This is basically identical to "server3.crt", i.e. it contains an EC public
key and it's signed by a RSA one. The difference is that in this case
we're using a secp256r1 EC key, instead of the secp192r1 that was used
in "server3.crt".
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
The include and exclude lists use different library functions which have
different semantics for wildcards.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Don't insist so much on exact directory and file names. In particular, be
tolerant to new subdirectories of `include` directories.
The resulting list of files is almost the same, except that a few more
Everest files are getting parsed, which is harmless (and perhaps technically
a bug fix).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Update data collected a few weeks before the release to the actual releases.
This fixes `check_names.py` failing on `MBEDTLS_DES_C` in
`tf_psa_crypto_config_check_user.h` when generated files are present in the
source tree.
```
scripts/save_config_history.sh mbedtls-4.0.0 4.0
scripts/save_config_history.sh tf-psa-crypto-1.0.0 1.0
```
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
`scripts/generate_config_checks.py` had to be included conditionally so that
consuming branches could transition from it not existing to it existing. Now
that both TF-PSA-Crypto/development and mbedtls/development have this
script, include it unconditionally.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This is necessary when the tool that consumes the path requires
slash-separated paths, notably when it's CMake. I'm not aware of a potential
consumer that would require a path using backslashes.
FixesMbed-TLS/mbedtls#10502.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This makes it easier to run the script on a machine where the
system-installed uncrustify is a different version.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
We know that using a different version of uncrustify produces different
results. So make that an error rather than a warning.
Also make the error output more helpful if uncrustify is not found.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Now that they aren't public headers any longer, there's no reason to have a
different mechanism.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Discuss why some configurations are undesirable. Document the current
`check_config.h`. Document new generated checks: why and how, but not the
details of what (RTFS).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
- there was already a SEC1 formatted EC file for secp256r1 so
ec_256_prv.sec1.der was useless;
- all other ec_256_[pub|priv] files should be generated starting from
ec_256_prv.pem
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Previously the file format was PEM even though the extension suggests it
should be DER. This commit set the correct format.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Valerio Setti