Add partial support for URI SubjectAltNames

Only exact matching without normalization is supported. Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2026-05-09 03:04:24 +02:00 · 2023-05-10 09:57:19 -04:00
parent 8d42cfddd6
commit 199eab97e7
4 changed files with 59 additions and 5 deletions
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -641,8 +641,12 @@ int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix,
 * \param cn       The expected Common Name. This will be checked to be
 *                 present in the certificate's subjectAltNames extension or,
 *                 if this extension is absent, as a CN component in its
- *                 Subject name. DNS names and IP addresses are supported. This
- *                 may be \c NULL if the CN need not be verified.
+ *                 Subject name. DNS names and IP addresses are fully
+ *                 supported, while the URI subtype is partially supported:
+ *                 only exact matching, without any normalization procedures
+ *                 described in 7.4 of RFC5280, will result in a positive
+ *                 URI verification.
+ *                 This may be \c NULL if the CN need not be verified.
 * \param flags    The address at which to store the result of the verification.
 *                 If the verification couldn't be completed, the flag value is
 *                 set to (uint32_t) -1.