From f58e5cc4f4d0729a8762e98ebcd17028b6aba059 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 24 Jul 2020 10:31:37 +0200 Subject: [PATCH] Improve documentation of cn in x509_crt_verify() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Mention explicitly that only DNS names are supported so far, and while at it explain where the name is searched. Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/x509_crt.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index ab0d0cdbcd..d24204db3f 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -585,8 +585,11 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix, * \param crt The certificate chain to be verified. * \param trust_ca The list of trusted CAs. * \param ca_crl The list of CRLs for trusted CAs. - * \param cn The expected Common Name. This may be \c NULL if the - * CN need not be verified. + * \param cn The expected Common Name. This will be checked to be + * present in the certificate's subjectAltNames extension or, + * if this extension is absent, as a CN component in its + * Subject name. Currently only DNS names are supported. This + * may be \c NULL if the CN need not be verified. * \param flags The address at which to store the result of the verification. * If the verification couldn't be completed, the flag value is * set to (uint32_t) -1.