Clarify documentation about missing CRLs

Also tune up some working while at it.
This commit is contained in:
Manuel Pégourié-Gonnard 2016-02-22 11:36:55 +01:00 committed by Simon Butcher
parent a6062607f1
commit e66dd1dcef
2 changed files with 13 additions and 13 deletions

View File

@ -271,9 +271,14 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
* \note Same as \c mbedtls_x509_crt_verify_with_profile() with the * \note Same as \c mbedtls_x509_crt_verify_with_profile() with the
* default security profile. * default security profile.
* *
* \param crt a certificate to be verified * \note It is your responsibility to provide up-to-date CRLs for
* \param trust_ca the trusted CA chain * all trusted CAs. If no CRL is provided for the CA that was
* \param ca_crl the CRL chain for trusted CA's * used to sign the certificate, CRL verification is skipped
* silently, that is *without* setting any flag.
*
* \param crt a certificate (chain) to be verified
* \param trust_ca the list of trusted CAs
* \param ca_crl the list of CRLs for trusted CAs (see note above)
* \param cn expected Common Name (can be set to * \param cn expected Common Name (can be set to
* NULL if the CN must not be verified) * NULL if the CN must not be verified)
* \param flags result of the verification * \param flags result of the verification
@ -304,9 +309,9 @@ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
* for ECDSA) apply to all certificates: trusted root, * for ECDSA) apply to all certificates: trusted root,
* intermediate CAs if any, and end entity certificate. * intermediate CAs if any, and end entity certificate.
* *
* \param crt a certificate to be verified * \param crt a certificate (chain) to be verified
* \param trust_ca the trusted CA chain * \param trust_ca the list of trusted CAs
* \param ca_crl the CRL chain for trusted CA's * \param ca_crl the list of CRLs for trusted CAs
* \param profile security profile for verification * \param profile security profile for verification
* \param cn expected Common Name (can be set to * \param cn expected Common Name (can be set to
* NULL if the CN must not be verified) * NULL if the CN must not be verified)

View File

@ -1600,7 +1600,8 @@ int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509
} }
/* /*
* Check that the given certificate is valid according to the CRL. * Check that the given certificate is not revoked according to the CRL.
* Skip validation is no CRL for the given CA is present.
*/ */
static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
mbedtls_x509_crl *crl_list, mbedtls_x509_crl *crl_list,
@ -1613,12 +1614,6 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
if( ca == NULL ) if( ca == NULL )
return( flags ); return( flags );
/*
* TODO: What happens if no CRL is present?
* Suggestion: Revocation state should be unknown if no CRL is present.
* For backwards compatibility this is not yet implemented.
*/
while( crl_list != NULL ) while( crl_list != NULL )
{ {
if( crl_list->version == 0 || if( crl_list->version == 0 ||