Clarify documentation for directly-trusted certs

The fact that self-signed end-entity certs can be explicitly trusted by putting them in the CA list even if they don't have the CA bit was not documented though it's intentional, and tested by "Certificate verification #73 (selfsigned trusted without CA bit)" in test_suite_x509parse.data It is unclear to me whether the restriction that explicitly trusted end-entity certs must be self-signed is a good one. However, it seems intentional as it is tested in tests #42 and #43, so I'm not touching it for now.
2017-06-21 09:35:44 +02:00 · 2017-06-21 09:35:44 +02:00 · a4a206e834
commit a4a206e834
parent 602544e659
2 changed files with 12 additions and 1 deletions
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -1586,6 +1586,10 @@ void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
 /**
 * \brief          Set the data required to verify peer certificate
 *
+ * \note           See \c mbedtls_x509_verify() for notes regarding the
+ *                 parameters ca_chain (maps to trust_ca for that function)
+ *                 and ca_crl.
+ *
 * \param conf     SSL configuration
 * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs)
 * \param ca_crl   trusted CA CRLs
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@ -286,8 +286,15 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
 *                 used to sign the certificate, CRL verification is skipped
 *                 silently, that is *without* setting any flag.
 *
+ * \note           The \c trust_ca list can contain two type of certificates:
+ *                 (1) those of trusted root CAs, so that certificates
+ *                 chaining up to those CAs will be trusted, and (2)
+ *                 self-signed end-entity certificates to be trusted (for
+ *                 specific peers you know) - in that case, the self-signed
+ *                 certificate doens't need to have the CA bit set.
+ *
 * \param crt      a certificate (chain) to be verified
- * \param trust_ca the list of trusted CAs
+ * \param trust_ca the list of trusted CAs (see note above)
 * \param ca_crl   the list of CRLs for trusted CAs (see note above)
 * \param cn       expected Common Name (can be set to
 *                 NULL if the CN must not be verified)