Merge branch 'mbedtls-1.3' into development

* mbedtls-1.3:
  Make results of (ext)KeyUsage accessible
  Use x509_crt_verify_info() in programs
  Add x509_crt_verify_info()

Conflicts:
	ChangeLog
	include/mbedtls/x509_crt.h
	include/polarssl/ssl.h
	include/polarssl/x509.h
	library/ssl_srv.c
	library/ssl_tls.c
	library/x509_crt.c
	programs/ssl/ssl_client1.c
	programs/ssl/ssl_client2.c
	programs/ssl/ssl_mail_client.c
	programs/ssl/ssl_server2.c
	programs/test/ssl_cert_test.c
	programs/x509/cert_app.c
	tests/ssl-opt.sh
	tests/suites/test_suite_x509parse.function
This commit is contained in:
Manuel Pégourié-Gonnard 2015-04-20 11:51:34 +01:00
commit e75fa70b36
3 changed files with 38 additions and 2 deletions

View file

@ -70,12 +70,12 @@ Changes
= mbed TLS 1.3 branch
Security
* With authmode set to MBEDTLS_SSL_VERIFY_OPTIONAL, verification of keyUsage and
* With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and
extendedKeyUsage on the leaf certificate was lost (results not accessible
via ssl_get_verify_results()).
Features
* Add mbedtls_x509_crt_verify_info() to display certificate verification results.
* Add x509_crt_verify_info() to display certificate verification results.
* Add support for reading DH parameters with privateValueLength included
(contributed by Daniel Kahn Gillmor).
* Add support for bit strings in X.509 names (request by Fredrik Axelsson).

View file

@ -216,6 +216,21 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
int flags );
/**
* \brief Returns an informational string about the
* verification status of a certificate.
*
* \param buf Buffer to write to
* \param size Maximum size of buffer
* \param prefix A line prefix
* \param flags Verification flags created by x509_crt_verify()
*
* \return The amount of data written to the buffer, or -1 in
* case of an error.
*/
int x509_crt_verify_info( char *buf, size_t size, const char *prefix,
int flags );
/**
* \brief Verify the certificate signature
*

View file

@ -283,6 +283,27 @@ x509_verify_info:MBEDTLS_BADCERT_MISSING:" ! ":" ! Certificate was missing\n"
X509 Verify Information: two issues, with prefix
x509_verify_info:MBEDTLS_BADCERT_EXPIRED | MBEDTLS_X509_BADCRL_EXPIRED:" ! ":" ! The certificate validity has expired\n ! The CRL is expired\n"
X509 Verify Information: empty
x509_verify_info:0:"":""
X509 Verify Information: one issue
x509_verify_info:BADCERT_MISSING:"":"Certificate was missing\n"
X509 Verify Information: two issues
x509_verify_info:BADCERT_EXPIRED | BADCRL_EXPIRED:"":"The certificate validity has expired\nThe CRL is expired\n"
X509 Verify Information: two issues, one unknown
x509_verify_info:BADCERT_OTHER | 0x8000:"":"Other reason (can be used by verify callback)\nUnknown reason (this should not happen)\n"
X509 Verify Information: empty, with prefix
x509_verify_info:0:" ! ":""
X509 Verify Information: one issue, with prefix
x509_verify_info:BADCERT_MISSING:" ! ":" ! Certificate was missing\n"
X509 Verify Information: two issues, with prefix
x509_verify_info:BADCERT_EXPIRED | BADCRL_EXPIRED:" ! ":" ! The certificate validity has expired\n ! The CRL is expired\n"
X509 Get Distinguished Name #1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C
mbedtls_x509_dn_gets:"data_files/server1.crt":"subject":"C=NL, O=PolarSSL, CN=PolarSSL Server 1"