getting data out of the peer certificate
In 2.2.1, when mbedtls_ssl_get_verify_result() indicates a failure, I try to show the user what's wrong.
For MBEDTLS_X509_BADCERT_CN_MISMATCH, I haven't found a good and robust way to get the names of the hosts that the certificate is valid for.
As a lesser issue, for MBEDTLS_X509_BADCERT_BAD_MD, currently I'm checking the certificate sig_md field and then printing equivalent text strings, but that's not totally robust when new values could be added that I wouldn't recognize.
Not sure what you are looking for exactly.
The current way of extracting names from a certificate is to check
names after parsing the certificate.
You could use the OID module to retrieve the proper information for MD OIDs
My goal is that when I get MBEDTLS_X509_BADCERT_CN_MISMATCH, I show the user a message saying that host example.org sent me a certificate that is only good for *.example.com, notexample.org, and somethingelse.net. Should I then be writing code that works something like x509_info_subject_alt_name() and then ...ermm... mbedtls_x509_dn_gets() on the subject field and pick out the "CN=" part?
has a look at oid.h I'm not sure whether I understand what you're saying. I'm hoping to have a string like "SHA256" so that, when I get MBEDTLS_X509_BADCERT_BAD_MD, I can print a message saying something like "the certificate is signed with the unacceptable hash algorithm %s". At present, I work from the currently-defined values for sig_md--but if new ones are added to mbed tls, I won't recognize them.
I think you'll want to look at
Ah, yes. Thanks.