mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-27 15:04:17 +01:00
Clarify documentation about missing CRLs
Also tune up some working while at it.
This commit is contained in:
parent
a6062607f1
commit
e66dd1dcef
@ -271,9 +271,14 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
|
|||||||
* \note Same as \c mbedtls_x509_crt_verify_with_profile() with the
|
* \note Same as \c mbedtls_x509_crt_verify_with_profile() with the
|
||||||
* default security profile.
|
* default security profile.
|
||||||
*
|
*
|
||||||
* \param crt a certificate to be verified
|
* \note It is your responsibility to provide up-to-date CRLs for
|
||||||
* \param trust_ca the trusted CA chain
|
* all trusted CAs. If no CRL is provided for the CA that was
|
||||||
* \param ca_crl the CRL chain for trusted CA's
|
* used to sign the certificate, CRL verification is skipped
|
||||||
|
* silently, that is *without* setting any flag.
|
||||||
|
*
|
||||||
|
* \param crt a certificate (chain) to be verified
|
||||||
|
* \param trust_ca the list of trusted CAs
|
||||||
|
* \param ca_crl the list of CRLs for trusted CAs (see note above)
|
||||||
* \param cn expected Common Name (can be set to
|
* \param cn expected Common Name (can be set to
|
||||||
* NULL if the CN must not be verified)
|
* NULL if the CN must not be verified)
|
||||||
* \param flags result of the verification
|
* \param flags result of the verification
|
||||||
@ -304,9 +309,9 @@ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
|
|||||||
* for ECDSA) apply to all certificates: trusted root,
|
* for ECDSA) apply to all certificates: trusted root,
|
||||||
* intermediate CAs if any, and end entity certificate.
|
* intermediate CAs if any, and end entity certificate.
|
||||||
*
|
*
|
||||||
* \param crt a certificate to be verified
|
* \param crt a certificate (chain) to be verified
|
||||||
* \param trust_ca the trusted CA chain
|
* \param trust_ca the list of trusted CAs
|
||||||
* \param ca_crl the CRL chain for trusted CA's
|
* \param ca_crl the list of CRLs for trusted CAs
|
||||||
* \param profile security profile for verification
|
* \param profile security profile for verification
|
||||||
* \param cn expected Common Name (can be set to
|
* \param cn expected Common Name (can be set to
|
||||||
* NULL if the CN must not be verified)
|
* NULL if the CN must not be verified)
|
||||||
|
@ -1600,7 +1600,8 @@ int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Check that the given certificate is valid according to the CRL.
|
* Check that the given certificate is not revoked according to the CRL.
|
||||||
|
* Skip validation is no CRL for the given CA is present.
|
||||||
*/
|
*/
|
||||||
static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
|
static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
|
||||||
mbedtls_x509_crl *crl_list,
|
mbedtls_x509_crl *crl_list,
|
||||||
@ -1613,12 +1614,6 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
|
|||||||
if( ca == NULL )
|
if( ca == NULL )
|
||||||
return( flags );
|
return( flags );
|
||||||
|
|
||||||
/*
|
|
||||||
* TODO: What happens if no CRL is present?
|
|
||||||
* Suggestion: Revocation state should be unknown if no CRL is present.
|
|
||||||
* For backwards compatibility this is not yet implemented.
|
|
||||||
*/
|
|
||||||
|
|
||||||
while( crl_list != NULL )
|
while( crl_list != NULL )
|
||||||
{
|
{
|
||||||
if( crl_list->version == 0 ||
|
if( crl_list->version == 0 ||
|
||||||
|
Loading…
Reference in New Issue
Block a user