
CI Plus certificates parsing / verification

Apr 25, 2014 13:27


Do you have any plan to support the almost specific CI Plus certificate format and signature, as described on page 100 of the CI Plus specification V1.3.1 (http://www.ci-plus.com)?

Best regards,


Apr 25, 2014 14:01
Paul Bakker

If I read the specification correctly,

CI Plus uses regular X.509 certificates, so these are already supported by PolarSSL.

The only things currently not supported would be the 3 extensions: Scrambler capabilities, CI Plus info and CICAM brand identifier.

These are easy to add by any developer, or by us for a potential client.

All the rest is standard and already supported.

Apr 25, 2014 14:24

It seems to have some other differences:

It fails with error 0x2368, coming from function x509_get_alg_null(..) (called at line 595 of x509_crt.c), because there are parameters in the algorithm identifier.

And then if I patch the file, I get a 0x262E, because of an unknown OID.
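The two failures described in this post come from the same structure: the DER `AlgorithmIdentifier` (a SEQUENCE of an OID and optional parameters). A strict parser first rejects any parameters that are not NULL, and once that check is relaxed, the OID still has to be in the parser's table. The following added example (not PolarSSL code; the `KNOWN_SIG_OIDS` table, the two DER samples and the `Asn1Error` reasons are constructed for illustration) parses such an identifier from scratch and shows why loosening only the parameters check moves the failure to the OID lookup:

```python
"""Minimal DER parsing of an X.509 AlgorithmIdentifier.

Added example, not PolarSSL/Mbed TLS code. The OID table and the
sample encodings are constructed for illustration only.
"""


# Constructed lookup table: deliberately small, so that an RSASSA-PSS
# identifier is "unknown" to this parser even though its OID is real.
KNOWN_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

# Constructed sample: sha256WithRSAEncryption with NULL parameters.
ALG_SHA256_RSA = bytes.fromhex("300d06092a864886f70d01010b0500")

# Constructed sample: id-RSASSA-PSS (1.2.840.113549.1.1.10) carrying a
# non-NULL parameters SEQUENCE ([2] saltLength = 32).
ALG_PSS_WITH_PARAMS = bytes.fromhex("301006092a864886f70d01010aa203020120")


class Asn1Error(ValueError):
    """Raised with a short reason string, standing in for a numeric error code."""


def read_tlv(data, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at data[pos:]."""
    if pos + 2 > len(data):
        raise Asn1Error("out of data")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(data):
            raise Asn1Error("bad length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(data):
        raise Asn1Error("length exceeds data")
    return tag, data[pos:end], end


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes to dotted-decimal form."""
    if not value:
        raise Asn1Error("empty OID")
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc, pending = 0, False
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise Asn1Error("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def parse_algorithm_identifier(der):
    """Parse AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }.

    Returns the OID, its name if known, and whether parameters are
    "absent", "null" or "present" (anything other than an empty NULL).
    """
    tag, seq, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise Asn1Error("expected a single SEQUENCE")
    tag, oid_bytes, pos = read_tlv(seq)
    if tag != 0x06:
        raise Asn1Error("expected OID")
    oid = decode_oid(oid_bytes)
    if pos == len(seq):
        params = "absent"
    else:
        ptag, pval, pend = read_tlv(seq, pos)
        if pend != len(seq):
            raise Asn1Error("trailing data after parameters")
        params = "null" if (ptag == 0x05 and not pval) else "present"
    return {"oid": oid, "name": KNOWN_SIG_OIDS.get(oid), "params": params}


def strict_alg_null(der):
    """Strict behaviour: parameters must be NULL or absent, then the OID must be known."""
    info = parse_algorithm_identifier(der)
    if info["params"] == "present":
        raise Asn1Error("parameters not NULL")
    if info["name"] is None:
        raise Asn1Error("unknown OID")
    return info["name"]


def lenient_alg(der):
    """Same check with the parameters test removed: the OID lookup is now what fails."""
    info = parse_algorithm_identifier(der)
    if info["name"] is None:
        raise Asn1Error("unknown OID")
    return info["name"]


if __name__ == "__main__":
    for label, der in (("sha256-rsa", ALG_SHA256_RSA), ("pss", ALG_PSS_WITH_PARAMS)):
        for check in (strict_alg_null, lenient_alg):
            try:
                print(label, check.__name__, "->", check(der))
            except Asn1Error as e:
                print(label, check.__name__, "-> error:", e)
```

Run stand-alone, the strict check accepts the sha256WithRSAEncryption sample and rejects the PSS sample for its parameters; the lenient check then rejects the same PSS sample for its OID, which is the sequence of errors the post reports. A defender reviewing a parser patch that relaxes the parameters check should confirm that every OID the relaxed path now accepts is actually in the table, otherwise the failure simply moves rather than disappearing.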

Apr 25, 2014 15:08
Paul Bakker

If you can provide a few test certificates, we might be able to have a look at it for you.

Apr 25, 2014 15:21

I can provide test certificates; where can I send them?

Apr 25, 2014 15:33
Paul Bakker

'paul @ (this site)' will work.

Jun 19, 2014 15:53
Manuel Pégourié-Gonnard

Quick update on this... The test certificates you provided (thanks!) are mostly parsed and verified correctly with our development version (to be released soon), except for the following points:

  • you need to uncomment POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION in config.h, or parsing of the client cert will fail. This allows parsing to complete, but some unrecognised extensions are ignored.

  • the interpretation of two-digit years differs in CI+ and PKIX, leading to your certificate being considered expired.

We'll be working on improving support for CI+. Please check with Paul for specific requests.