Clarify documentation about missing CRLs

Also tune up some working while at it.
This commit is contained in:
Manuel Pégourié-Gonnard 2016-02-22 11:36:55 +01:00 committed by Simon Butcher
parent 214a84889c
commit eeef947040
2 changed files with 13 additions and 13 deletions

View file

@ -271,9 +271,14 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
* \note Same as \c mbedtls_x509_crt_verify_with_profile() with the
* default security profile.
*
* \param crt a certificate to be verified
* \param trust_ca the trusted CA chain
* \param ca_crl the CRL chain for trusted CA's
* \note It is your responsibility to provide up-to-date CRLs for
* all trusted CAs. If no CRL is provided for the CA that was
* used to sign the certificate, CRL verification is skipped
* silently, that is *without* setting any flag.
*
* \param crt a certificate (chain) to be verified
* \param trust_ca the list of trusted CAs
* \param ca_crl the list of CRLs for trusted CAs (see note above)
* \param cn expected Common Name (can be set to
* NULL if the CN must not be verified)
* \param flags result of the verification
@ -304,9 +309,9 @@ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
* for ECDSA) apply to all certificates: trusted root,
* intermediate CAs if any, and end entity certificate.
*
* \param crt a certificate to be verified
* \param trust_ca the trusted CA chain
* \param ca_crl the CRL chain for trusted CA's
* \param crt a certificate (chain) to be verified
* \param trust_ca the list of trusted CAs
* \param ca_crl the list of CRLs for trusted CAs
* \param profile security profile for verification
* \param cn expected Common Name (can be set to
* NULL if the CN must not be verified)

View file

@ -1600,7 +1600,8 @@ int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509
}
/*
* Check that the given certificate is valid according to the CRL.
* Check that the given certificate is not revoked according to the CRL.
* Skip validation is no CRL for the given CA is present.
*/
static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
mbedtls_x509_crl *crl_list,
@ -1613,12 +1614,6 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
if( ca == NULL )
return( flags );
/*
* TODO: What happens if no CRL is present?
* Suggestion: Revocation state should be unknown if no CRL is present.
* For backwards compatibility this is not yet implemented.
*/
while( crl_list != NULL )
{
if( crl_list->version == 0 ||