mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-22 17:45:38 +01:00
Clarify documentation about missing CRLs
Also tune up some working while at it.
This commit is contained in:
parent
214a84889c
commit
eeef947040
@ -271,9 +271,14 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
|
||||
* \note Same as \c mbedtls_x509_crt_verify_with_profile() with the
|
||||
* default security profile.
|
||||
*
|
||||
* \param crt a certificate to be verified
|
||||
* \param trust_ca the trusted CA chain
|
||||
* \param ca_crl the CRL chain for trusted CA's
|
||||
* \note It is your responsibility to provide up-to-date CRLs for
|
||||
* all trusted CAs. If no CRL is provided for the CA that was
|
||||
* used to sign the certificate, CRL verification is skipped
|
||||
* silently, that is *without* setting any flag.
|
||||
*
|
||||
* \param crt a certificate (chain) to be verified
|
||||
* \param trust_ca the list of trusted CAs
|
||||
* \param ca_crl the list of CRLs for trusted CAs (see note above)
|
||||
* \param cn expected Common Name (can be set to
|
||||
* NULL if the CN must not be verified)
|
||||
* \param flags result of the verification
|
||||
@ -304,9 +309,9 @@ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
|
||||
* for ECDSA) apply to all certificates: trusted root,
|
||||
* intermediate CAs if any, and end entity certificate.
|
||||
*
|
||||
* \param crt a certificate to be verified
|
||||
* \param trust_ca the trusted CA chain
|
||||
* \param ca_crl the CRL chain for trusted CA's
|
||||
* \param crt a certificate (chain) to be verified
|
||||
* \param trust_ca the list of trusted CAs
|
||||
* \param ca_crl the list of CRLs for trusted CAs
|
||||
* \param profile security profile for verification
|
||||
* \param cn expected Common Name (can be set to
|
||||
* NULL if the CN must not be verified)
|
||||
|
@ -1600,7 +1600,8 @@ int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509
|
||||
}
|
||||
|
||||
/*
|
||||
* Check that the given certificate is valid according to the CRL.
|
||||
* Check that the given certificate is not revoked according to the CRL.
|
||||
* Skip validation is no CRL for the given CA is present.
|
||||
*/
|
||||
static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
|
||||
mbedtls_x509_crl *crl_list,
|
||||
@ -1613,12 +1614,6 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
|
||||
if( ca == NULL )
|
||||
return( flags );
|
||||
|
||||
/*
|
||||
* TODO: What happens if no CRL is present?
|
||||
* Suggestion: Revocation state should be unknown if no CRL is present.
|
||||
* For backwards compatibility this is not yet implemented.
|
||||
*/
|
||||
|
||||
while( crl_list != NULL )
|
||||
{
|
||||
if( crl_list->version == 0 ||
|
||||
|
Loading…
Reference in New Issue
Block a user