x509:
-
diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h
index 34998a3..7a9c2e0 100644
--- a/include/mbedtls/x509_csr.h
+++ b/include/mbedtls/x509_csr.h
@@ -83,6 +83,8 @@
/**
* \brief Load a Certificate Signing Request (CSR) in DER format
*
+ * \note CSR attributes (if any) are currently silently ignored.
+ *
* \param csr CSR context to fill
* \param buf buffer holding the CRL data
* \param buflen size of the buffer
@@ -95,6 +97,8 @@
/**
* \brief Load a Certificate Signing Request (CSR), DER or PEM format
*
+ * \note See notes for \c mbedtls_x509_csr_parse_der()
+ *
* \param csr CSR context to fill
* \param buf buffer holding the CRL data
* \param buflen size of the buffer
@@ -108,6 +112,8 @@
/**
* \brief Load a Certificate Signing Request (CSR)
*
+ * \note See notes for \c mbedtls_x509_csr_parse()
+ *
* \param csr CSR context to fill
* \param path filename to read the CSR from
*
diff --git a/library/x509_csr.c b/library/x509_csr.c
index dbf659b..f8c45f8 100644
--- a/library/x509_csr.c
+++ b/library/x509_csr.c
@@ -207,6 +207,13 @@
/*
* attributes [0] Attributes
+ *
+ * The list of possible attributes is open-ended, though RFC 2985
+ * (PKCS#9) defines a few in section 5.4. We currently don't support any,
+ * so we just ignore them. This is a safe thing to do as the worst thing
+ * that could happen is that we issue a certificate that does not match
+ * the requester's expectations - this cannot cause a violation of our
+ * signature policies.
*/
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 )
@@ -214,7 +221,6 @@
mbedtls_x509_csr_free( csr );
return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
}
- // TODO Parse Attributes / extension requests
p += len;