Mbed TLS is now part of TrustedFirmware.org.

getting data out of the peer certificate

Jun 20, 2016 15:15

In 2.2.1, when mbedtls_ssl_get_verify_result() indicates a failure, I try to show the user what's wrong.

For MBEDTLS_X509_BADCERT_CN_MISMATCH, I haven't found a good and robust way to get the names of the hosts that the certificate is valid for.

As a lesser issue, for MBEDTLS_X509_BADCERT_BAD_MD, currently I'm checking the certificate sig_md field and then printing equivalent text strings, but that's not totally robust when new values could be added that I wouldn't recognize.

Jun 22, 2016 08:24
Paul Bakker

Not sure what you are looking for exactly.

The current way of extracting names from a certificate is to check subject_alt_names and names after parsing the certificate.

You could use the OID module to retrieve the proper information for MD OIDs

Jun 22, 2016 15:38

My goal is that when I get MBEDTLS_X509_BADCERT_CN_MISMATCH, I show the user a message saying that host example.org sent me a certificate that is only good for *.example.com, notexample.org, and somethingelse.net. Should I then be writing code that works something like x509_info_subject_alt_name() and then ...ermm... mbedtls_x509_dn_gets() on the subject field and pick out the "CN=" part?

has a look at oid.h I'm not sure whether I understand what you're saying. I'm hoping to have a string like "SHA256" so that, when I get MBEDTLS_X509_BADCERT_BAD_MD, I can print a message saying something like "the certificate is signed with the unacceptable hash algorithm %s". At present, I work from the currently-defined values for sig_md--but if new ones are added to mbed tls, I won't recognize them.

Jun 22, 2016 18:22
Paul Bakker

I think you'll want to look at mbedtls_oid_get_sig_alg_desc() then

Jun 24, 2016 00:14

Ah, yes. Thanks.