Clarify documentation for directly-trusted certs

The fact that self-signed end-entity certs can be explicitly trusted by
putting them in the CA list even if they don't have the CA bit was not
documented though it's intentional, and tested by "Certificate verification #73
(selfsigned trusted without CA bit)" in test_suite_x509parse.data

It is unclear to me whether the restriction that explicitly trusted end-entity
certs must be self-signed is a good one. However, it seems intentional as it is
tested in tests #42 and #43, so I'm not touching it for now.
This commit is contained in:
Manuel Pégourié-Gonnard 2017-06-21 09:35:44 +02:00
parent 602544e659
commit a4a206e834
2 changed files with 12 additions and 1 deletions

View File

@ -1586,6 +1586,10 @@ void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
/**
* \brief Set the data required to verify peer certificate
*
* \note See \c mbedtls_x509_verify() for notes regarding the
* parameters ca_chain (maps to trust_ca for that function)
* and ca_crl.
*
* \param conf SSL configuration
* \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs)
* \param ca_crl trusted CA CRLs

View File

@ -286,8 +286,15 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
* used to sign the certificate, CRL verification is skipped
* silently, that is *without* setting any flag.
*
* \note The \c trust_ca list can contain two type of certificates:
* (1) those of trusted root CAs, so that certificates
* chaining up to those CAs will be trusted, and (2)
* self-signed end-entity certificates to be trusted (for
* specific peers you know) - in that case, the self-signed
* certificate doens't need to have the CA bit set.
*
* \param crt a certificate (chain) to be verified
* \param trust_ca the list of trusted CAs
* \param trust_ca the list of trusted CAs (see note above)
* \param ca_crl the list of CRLs for trusted CAs (see note above)
* \param cn expected Common Name (can be set to
* NULL if the CN must not be verified)