Improve error string about X.509 name mismatch
The name is actually checked against either SAN or CN, so mentioning only one
in the error string might wrongfully suggest the other was ignored.
OTOH, keep the same error code for both, as the distinction between both types
is a rather low-level detail (and anyway changing the error code returned in
some cases would be an API change so is not an option at this point).
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 6dc5ad3..9573438 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1470,7 +1470,7 @@
static const struct x509_crt_verify_string x509_crt_verify_strings[] = {
{ MBEDTLS_X509_BADCERT_EXPIRED, "The certificate validity has expired" },
{ MBEDTLS_X509_BADCERT_REVOKED, "The certificate has been revoked (is on a CRL)" },
- { MBEDTLS_X509_BADCERT_CN_MISMATCH, "The certificate Common Name (CN) does not match with the expected CN" },
+ { MBEDTLS_X509_BADCERT_CN_MISMATCH, "The certificate Common Name (CN) or subjectAltName (SAN) does not match with the expected name" },
{ MBEDTLS_X509_BADCERT_NOT_TRUSTED, "The certificate is not correctly signed by the trusted CA" },
{ MBEDTLS_X509_BADCRL_NOT_TRUSTED, "The CRL is not correctly signed by the trusted CA" },
{ MBEDTLS_X509_BADCRL_EXPIRED, "The CRL is expired" },
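Review bot: The flag is still named MBEDTLS_X509_BADCERT_CN_MISMATCH, so the documentation comment where that macro is defined should be updated alongside this string to say the flag covers a subjectAltName mismatch as well as a CN mismatch. Otherwise the header and the text shown to the user disagree. This diff touches only library/x509_crt.c, so that comment, and any test expectation that matches the old string literally, needs checking. On wording in the added line, "CN or SAN does not match with the expected name" can be read as only one of the two having been tested. Something like "The certificate name (CN or SAN) does not match the expected name" is shorter, drops the awkward "match with", and fits better with the neighbouring entries in the table.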