diff --git a/ChangeLog b/ChangeLog
index b6d5adc81..57db9f440 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -70,12 +70,12 @@ Changes
 = mbed TLS 1.3 branch
 
 Security
-   * With authmode set to MBEDTLS_SSL_VERIFY_OPTIONAL, verification of keyUsage and
+   * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and
     extendedKeyUsage on the leaf certificate was lost (results not accessible
     via ssl_get_verify_results()).
 
 Features
-   * Add mbedtls_x509_crt_verify_info() to display certificate verification results.
+   * Add x509_crt_verify_info() to display certificate verification results.
    * Add support for reading DH parameters with privateValueLength included
      (contributed by Daniel Kahn Gillmor).
    * Add support for bit strings in X.509 names (request by Fredrik Axelsson).
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 880099b53..938910ca6 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -216,6 +216,21 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
                           int flags );
 
+/**
+ * \brief          Returns an informational string about the
+ *                 verification status of a certificate.
+ *
+ * \param buf      Buffer to write to
+ * \param size     Maximum size of buffer
+ * \param prefix   A line prefix
+ * \param flags    Verification flags created by x509_crt_verify()
+ *
+ * \return         The amount of data written to the buffer, or -1 in
+ *                 case of an error.
+ */
+int x509_crt_verify_info( char *buf, size_t size, const char *prefix,
+                          int flags );
+
 /**
  * \brief          Verify the certificate signature
  *
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 09c4e4263..1a4f0f02b 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
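Review bot: The new x509_crt_verify_info() prototype in the x509_crt.h hunk duplicates mbedtls_x509_crt_verify_info(), declared three lines above it with an identical signature, and no definition for the unprefixed name appears in this diff, so callers get either a link error or a second implementation of the flag-to-message table that can drift from the first. The `\param flags` line points readers at x509_crt_verify(), which does not match the naming used elsewhere in this header (the hunk header and the context lines show mbedtls_x509_crt_info and mbedtls_x509_crt_verify_info), so the Doxygen cross-reference is unlikely to resolve. The ChangeLog hunk in the same commit strips the mbedtls_ prefix from two entries, which looks like a merge applied in the wrong direction rather than an intentional compatibility layer — worth confirming before this lands. If a compatibility alias for the 1.3 naming really is intended, keep a single implementation and say so in the comment, e.g. `/** \deprecated Alias for mbedtls_x509_crt_verify_info(); kept for 1.3 source compatibility. */`; otherwise drop the declaration.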
@@ -283,6 +283,27 @@ x509_verify_info:MBEDTLS_BADCERT_MISSING:" ! ":" ! Certificate was missing\n"
 X509 Verify Information: two issues, with prefix
 x509_verify_info:MBEDTLS_BADCERT_EXPIRED | MBEDTLS_X509_BADCRL_EXPIRED:" ! ":" ! The certificate validity has expired\n ! The CRL is expired\n"
 
+X509 Verify Information: empty
+x509_verify_info:0:"":""
+
+X509 Verify Information: one issue
+x509_verify_info:BADCERT_MISSING:"":"Certificate was missing\n"
+
+X509 Verify Information: two issues
+x509_verify_info:BADCERT_EXPIRED | BADCRL_EXPIRED:"":"The certificate validity has expired\nThe CRL is expired\n"
+
+X509 Verify Information: two issues, one unknown
+x509_verify_info:BADCERT_OTHER | 0x8000:"":"Other reason (can be used by verify callback)\nUnknown reason (this should not happen)\n"
+
+X509 Verify Information: empty, with prefix
+x509_verify_info:0:" ! ":""
+
+X509 Verify Information: one issue, with prefix
+x509_verify_info:BADCERT_MISSING:" ! ":" ! Certificate was missing\n"
+
+X509 Verify Information: two issues, with prefix
+x509_verify_info:BADCERT_EXPIRED | BADCRL_EXPIRED:" ! ":" ! The certificate validity has expired\n ! The CRL is expired\n"
+
 X509 Get Distinguished Name #1
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C
 mbedtls_x509_dn_gets:"data_files/server1.crt":"subject":"C=NL, O=PolarSSL, CN=PolarSSL Server 1"
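Review bot: The seven added cases repeat existing x509_verify_info cases under the same titles — "two issues, with prefix" is visible in the context line just above and "one issue, with prefix" in the hunk header — with only the flag names changed from MBEDTLS_BADCERT_*/MBEDTLS_X509_BADCRL_* to BADCERT_*/BADCRL_*, so the suite gains duplicate titles and no new coverage. Those unprefixed names (BADCERT_MISSING, BADCERT_EXPIRED, BADCRL_EXPIRED, BADCERT_OTHER) have to be resolvable by the suite's expression mapping, which this diff does not touch; if they are not defined, the whole generated suite fails to build rather than just these cases, which is easy to misread as a test-infrastructure problem. Either drop the block, or if the intent is to exercise both namings across the rename, make that explicit in each title, e.g. `X509 Verify Information: one issue (1.3 flag names)`, so a failure points at the right constant set.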