Symbols ![]()
loading...
Files ![]()
loading...
mbedtls_x509_crt_verify() function
Verify the certificate signature The verify callback is a user-supplied callback that can clear / modify / add flags for a certificate. If set, the verification callback is called for each certificate in the chain (from the trust-ca down to the presented crt). The parameters for the callback are: (void *parameter, mbedtls_x509_crt *crt, int certificate_depth, int *flags). With the flags representing current flags for that specific certificate and the certificate depth from the bottom (Peer cert depth = 0). All flags left after returning from the callback are also returned to the application. The function should return 0 for anything (including invalid certificates) other than fatal error, as a non-zero return code immediately aborts the verification process. For fatal errors, a specific error code should be used (different from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR can be used if no better code is available.
Syntax
int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl,
const char *cn,
uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy );
Implemented in ![]()
x509_crt.c:2497
Return value
0 (and flags set to 0) if the chain was verified and valid, MBEDTLS_ERR_X509_CERT_VERIFY_FAILED if the chain was verified but found to be invalid, in which case *flags will have one or more MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags set, or another error (and flags set to 0xffffffff) in case of a fatal error encountered during the verification process.
Notes
In case verification failed, the results can be displayed using \c mbedtls_x509_crt_verify_info() Same as \c mbedtls_x509_crt_verify_with_profile() with the default security profile. It is your responsibility to provide up-to-date CRLs for all trusted CAs. If no CRL is provided for the CA that was used to sign the certificate, CRL verification is skipped silently, that is *without* setting any flag. The \c trust_ca list can contain two types of certificates: (1) those of trusted root CAs, so that certificates chaining up to those CAs will be trusted, and (2) self-signed end-entity certificates to be trusted (for specific peers you know) - in that case, the self-signed certificate doesn't need to have the CA bit set.
Related Functions
Found 21 other functions taking a ![]()
mbedtls_x509_crt
argument:
Function
Description
Unallocate all certificate data
Initialize a certificate (chain)
Parse one DER-encoded or one or more concatenated PEM-encoded certificates and add them to the chained list. For CRTs in PEM encoding, the function parses permissively: if at least one certificate can be parsed, the function returns the number of certificates for which parsing failed (hence \c 0 if all certificates were parsed successfully). If no certificate could be parsed, the function returns the first (negative) error encountered during parsing. PEM encoded certificates may be interleaved by other data such as human readable descriptions of their content, as long as the certificates are enclosed in the PEM specific '-----{BEGIN/END} CERTIFICATE-----' delimiters.
Set the data required to verify peer certificate
Parse a single DER formatted certificate and add it to the chained list.
Set own certificate chain and private key
Restartable version of \c mbedtls_crt_verify_with_profile()
Returns an informational string about the certificate.
Verify the certificate signature according to profile
Print a X.509 certificate structure to the debug output. This function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro, which supplies the ssl context, file and line number parameters. \attention This function is intended for INTERNAL usage within the library only.