mirror of
https://github.com/yuzu-emu/mbedtls
synced 2024-11-24 13:38:24 +00:00
Clarify documentation for directly-trusted certs
The fact that self-signed end-entity certs can be explicitly trusted by putting them in the CA list even if they don't have the CA bit was not documented though it's intentional, and tested by "Certificate verification #73 (selfsigned trusted without CA bit)" in test_suite_x509parse.data It is unclear to me whether the restriction that explicitly trusted end-entity certs must be self-signed is a good one. However, it seems intentional as it is tested in tests #42 and #43, so I'm not touching it for now.
This commit is contained in:
parent
602544e659
commit
a4a206e834
2 changed files with 12 additions and 1 deletions
|
@ -1586,6 +1586,10 @@ void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
|
|||
/**
|
||||
* \brief Set the data required to verify peer certificate
|
||||
*
|
||||
* \note See \c mbedtls_x509_verify() for notes regarding the
|
||||
* parameters ca_chain (maps to trust_ca for that function)
|
||||
* and ca_crl.
|
||||
*
|
||||
* \param conf SSL configuration
|
||||
* \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs)
|
||||
* \param ca_crl trusted CA CRLs
|
||||
|
|
|
@ -286,8 +286,15 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
|
|||
* used to sign the certificate, CRL verification is skipped
|
||||
* silently, that is *without* setting any flag.
|
||||
*
|
||||
* \note The \c trust_ca list can contain two type of certificates:
|
||||
* (1) those of trusted root CAs, so that certificates
|
||||
* chaining up to those CAs will be trusted, and (2)
|
||||
* self-signed end-entity certificates to be trusted (for
|
||||
* specific peers you know) - in that case, the self-signed
|
||||
* certificate doens't need to have the CA bit set.
|
||||
*
|
||||
* \param crt a certificate (chain) to be verified
|
||||
* \param trust_ca the list of trusted CAs
|
||||
* \param trust_ca the list of trusted CAs (see note above)
|
||||
* \param ca_crl the list of CRLs for trusted CAs (see note above)
|
||||
* \param cn expected Common Name (can be set to
|
||||
* NULL if the CN must not be verified)
|
||||
|
|
Loading…
Reference in a new issue