commit 199eab97e7af6848ea7ee8e671d170ee4603855a
author Andrzej Kurek <andrzej.kurek@arm.com> Wed May 10 09:57:19 2023 -0400
committer Andrzej Kurek <andrzej.kurek@arm.com> Wed May 10 09:57:19 2023 -0400
tree 0eaf8acd82b00ac418cf96bab3479619907a43d2
parent 8d42cfddd65f5d379c21e910e546cf9d7d1b212f

Add partial support for URI SubjectAltNames

Only exact matching without normalization is supported.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>

include/mbedtls/x509_crt.h

diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index e1b4aa2..6675bf8 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -641,8 +641,12 @@
  * \param cn       The expected Common Name. This will be checked to be
  *                 present in the certificate's subjectAltNames extension or,
  *                 if this extension is absent, as a CN component in its
- *                 Subject name. DNS names and IP addresses are supported. This
- *                 may be \c NULL if the CN need not be verified.
+ *                 Subject name. DNS names and IP addresses are fully
+ *                 supported, while the URI subtype is partially supported:
+ *                 only exact matching, without any normalization procedures
+ *                 described in 7.4 of RFC5280, will result in a positive
+ *                 URI verification.
+ *                 This may be \c NULL if the CN need not be verified.
  * \param flags    The address at which to store the result of the verification.
  *                 If the verification couldn't be completed, the flag value is
  *                 set to (uint32_t) -1.