Merge branch 'mbedtls-1.3' into development
* mbedtls-1.3:
  Make results of (ext)KeyUsage accessible
  Use x509_crt_verify_info() in programs
  Add x509_crt_verify_info()

Conflicts:
	ChangeLog
	include/mbedtls/x509_crt.h
	include/polarssl/ssl.h
	include/polarssl/x509.h
	library/ssl_srv.c
	library/ssl_tls.c
	library/x509_crt.c
	programs/ssl/ssl_client1.c
	programs/ssl/ssl_client2.c
	programs/ssl/ssl_mail_client.c
	programs/ssl/ssl_server2.c
	programs/test/ssl_cert_test.c
	programs/x509/cert_app.c
	tests/ssl-opt.sh
	tests/suites/test_suite_x509parse.function
commit
e75fa70b36
3 changed files with 38 additions and 2 deletions
@ -70,12 +70,12 @@ Changes
|
|||
= mbed TLS 1.3 branch
|
||||
|
||||
Security
|
||||
* With authmode set to MBEDTLS_SSL_VERIFY_OPTIONAL, verification of keyUsage and
|
||||
* With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and
|
||||
extendedKeyUsage on the leaf certificate was lost (results not accessible
|
||||
via ssl_get_verify_results()).
|
||||
|
||||
Features
|
||||
* Add mbedtls_x509_crt_verify_info() to display certificate verification results.
|
||||
* Add x509_crt_verify_info() to display certificate verification results.
|
||||
* Add support for reading DH parameters with privateValueLength included
|
||||
(contributed by Daniel Kahn Gillmor).
|
||||
* Add support for bit strings in X.509 names (request by Fredrik Axelsson).
|
||||
|
|
|
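--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -216,6 +216,21 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
 int flags );
 
+/**
+* \brief Returns an informational string about the
+* verification status of a certificate.
+*
+* \param buf Buffer to write to
+* \param size Maximum size of buffer
+* \param prefix A line prefix
+* \param flags Verification flags created by x509_crt_verify()
+*
+* \return The amount of data written to the buffer, or -1 in
+* case of an error.
+*/
+int x509_crt_verify_info( char *buf, size_t size, const char *prefix,
+int flags );
+
 /**
 * \brief Verify the certificate signature
 *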
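Review bot: Nothing in this commit defines the unprefixed `x509_crt_verify_info` that the hunk declares (the diffstat lists three files and none of them is a library source), so unless the legacy name is defined or aliased elsewhere, callers will compile against this header and then fail to link. If the declaration is meant as the 1.3-compatibility name for `mbedtls_x509_crt_verify_info`, say so above it, e.g. `/* Legacy (1.3) name for mbedtls_x509_crt_verify_info(); same contract. */`, and point `\param flags` at whichever verify function this header actually exposes — `* \param flags Verification flags created by mbedtls_x509_crt_verify()` if only the prefixed one exists here. The contract also leaves open whether `buf` is NUL-terminated when -1 is returned; a one-line note either way keeps callers from printing an unterminated buffer on the error path.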
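--- a/<path not shown on page: x509parse test-suite .data file>
+++ b/<path not shown on page: x509parse test-suite .data file>
@@ -283,6 +283,27 @@ x509_verify_info:MBEDTLS_BADCERT_MISSING:" ! ":" ! Certificate was missing\n"
 X509 Verify Information: two issues, with prefix
 x509_verify_info:MBEDTLS_BADCERT_EXPIRED | MBEDTLS_X509_BADCRL_EXPIRED:" ! ":" ! The certificate validity has expired\n ! The CRL is expired\n"
 
+X509 Verify Information: empty
+x509_verify_info:0:"":""
+
+X509 Verify Information: one issue
+x509_verify_info:BADCERT_MISSING:"":"Certificate was missing\n"
+
+X509 Verify Information: two issues
+x509_verify_info:BADCERT_EXPIRED | BADCRL_EXPIRED:"":"The certificate validity has expired\nThe CRL is expired\n"
+
+X509 Verify Information: two issues, one unknown
+x509_verify_info:BADCERT_OTHER | 0x8000:"":"Other reason (can be used by verify callback)\nUnknown reason (this should not happen)\n"
+
+X509 Verify Information: empty, with prefix
+x509_verify_info:0:" ! ":""
+
+X509 Verify Information: one issue, with prefix
+x509_verify_info:BADCERT_MISSING:" ! ":" ! Certificate was missing\n"
+
+X509 Verify Information: two issues, with prefix
+x509_verify_info:BADCERT_EXPIRED | BADCRL_EXPIRED:" ! ":" ! The certificate validity has expired\n ! The CRL is expired\n"
+
 X509 Get Distinguished Name #1
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C
 mbedtls_x509_dn_gets:"data_files/server1.crt":"subject":"C=NL, O=PolarSSL, CN=PolarSSL Server 1"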
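Review bot: The added cases reuse the exact names of the prefixed cases already in the file — `X509 Verify Information: two issues, with prefix` appears as context at the top of the hunk and again among the additions — so the suite now contains pairs of cases that cannot be told apart in its output, and `x509_verify_info:0:"":""` is presumably identical to the prefixed "empty" case, which lies outside the hunk. Suffix the legacy set so a failure can be attributed, e.g. `X509 Verify Information: one issue (1.3 names)`. The unprefixed flag names (`BADCERT_MISSING`, `BADCRL_EXPIRED`, `BADCERT_OTHER`) are resolved when the suite is compiled, so these cases only build if the compatibility definitions are visible to the suite's .function file, and nothing in this commit shows where they come from. The `BADCERT_OTHER | 0x8000` case is worth keeping as written: it pins that an unrecognised flag bit is reported as `Unknown reason` rather than silently dropped.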