Merge branch 'mbedtls-1.3' into development

* mbedtls-1.3:
  Make results of (ext)KeyUsage accessible
  Use x509_crt_verify_info() in programs
  Add x509_crt_verify_info()

Conflicts:
	ChangeLog
	include/mbedtls/x509_crt.h
	include/polarssl/ssl.h
	include/polarssl/x509.h
	library/ssl_srv.c
	library/ssl_tls.c
	library/x509_crt.c
	programs/ssl/ssl_client1.c
	programs/ssl/ssl_client2.c
	programs/ssl/ssl_mail_client.c
	programs/ssl/ssl_server2.c
	programs/test/ssl_cert_test.c
	programs/x509/cert_app.c
	tests/ssl-opt.sh
	tests/suites/test_suite_x509parse.function
diff --git a/ChangeLog b/ChangeLog
index b6d5adc..57db9f4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -70,12 +70,12 @@
 = mbed TLS 1.3 branch
 
 Security
-   * With authmode set to MBEDTLS_SSL_VERIFY_OPTIONAL, verification of keyUsage and
+   * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and
      extendedKeyUsage on the leaf certificate was lost (results not accessible
      via ssl_get_verify_results()).
 
 Features
-   * Add mbedtls_x509_crt_verify_info() to display certificate verification results.
+   * Add x509_crt_verify_info() to display certificate verification results.
    * Add support for reading DH parameters with privateValueLength included
      (contributed by Daniel Kahn Gillmor).
    * Add support for bit strings in X.509 names (request by Fredrik Axelsson).
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 880099b..938910c 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -217,6 +217,21 @@
                           int flags );
 
 /**
+ * \brief          Returns an informational string about the
+ *                 verification status of a certificate.
+ *
+ * \param buf      Buffer to write to
+ * \param size     Maximum size of buffer
+ * \param prefix   A line prefix
+ * \param flags    Verification flags created by x509_crt_verify()
+ *
+ * \return         The amount of data written to the buffer, or -1 in
+ *                 case of an error.
+ */
+int x509_crt_verify_info( char *buf, size_t size, const char *prefix,
+                          int flags );
+
+/**
  * \brief          Verify the certificate signature
  *
  *                 The verify callback is a user-supplied callback that
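Review bot: The prototype added here uses the unprefixed 1.3 name `x509_crt_verify_info` inside `include/mbedtls/x509_crt.h`, while the ChangeLog line this merge replaces shows the development branch already calling the function `mbedtls_x509_crt_verify_info()`. This looks like a conflict resolution that kept the 1.3 side, and unless an unprefixed definition exists the prototype has nothing to link against. If the prefixed declaration is the one ending just above the hunk (not visible here), this block should be dropped; otherwise declare it as `int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix, int flags );`. The same leftover appears in the tests/suites/test_suite_x509parse.data hunk, which adds seven cases using `BADCERT_*`/`BADCRL_*` names next to context that uses `MBEDTLS_BADCERT_EXPIRED`, and repeats at least one existing case title. Separately, the `\return` text should say whether a too-small `buf` is reported as the -1 error and whether the output is always NUL-terminated, because callers print this string to report certificate verification failures.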
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 09c4e42..1a4f0f0 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -283,6 +283,27 @@
 X509 Verify Information: two issues, with prefix
 x509_verify_info:MBEDTLS_BADCERT_EXPIRED | MBEDTLS_X509_BADCRL_EXPIRED:"  ! ":"  ! The certificate validity has expired\n  ! The CRL is expired\n"
 
+X509 Verify Information: empty
+x509_verify_info:0:"":""
+
+X509 Verify Information: one issue
+x509_verify_info:BADCERT_MISSING:"":"Certificate was missing\n"
+
+X509 Verify Information: two issues
+x509_verify_info:BADCERT_EXPIRED | BADCRL_EXPIRED:"":"The certificate validity has expired\nThe CRL is expired\n"
+
+X509 Verify Information: two issues, one unknown
+x509_verify_info:BADCERT_OTHER | 0x8000:"":"Other reason (can be used by verify callback)\nUnknown reason (this should not happen)\n"
+
+X509 Verify Information: empty, with prefix
+x509_verify_info:0:"  ! ":""
+
+X509 Verify Information: one issue, with prefix
+x509_verify_info:BADCERT_MISSING:"  ! ":"  ! Certificate was missing\n"
+
+X509 Verify Information: two issues, with prefix
+x509_verify_info:BADCERT_EXPIRED | BADCRL_EXPIRED:"  ! ":"  ! The certificate validity has expired\n  ! The CRL is expired\n"
+
 X509 Get Distinguished Name #1
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C
 mbedtls_x509_dn_gets:"data_files/server1.crt":"subject":"C=NL, O=PolarSSL, CN=PolarSSL Server 1"
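Review bot: None of the added `x509_verify_info` cases reaches the error return that the header documents ("-1 in case of an error"); every case expects a fully formatted string. The data format here carries only flags, prefix and expected output, so the buffer size appears to be fixed inside the test function, which is outside this hunk. A case that runs the function with a buffer shorter than one message, and asserts both the return value and that nothing is written past `size`, would pin the bounded-write behaviour; it would likely need a size argument added to the test function.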