manually merge 39a183a add x509_crt_verify_info()
diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index bd98628..bdb5749 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -82,17 +82,21 @@
* \name X509 Verify codes
* \{
*/
+/* Reminder: update x509_crt_verify_strings[] in library/x509_crt.c */
#define MBEDTLS_BADCERT_EXPIRED 0x01 /**< The certificate validity has expired. */
#define MBEDTLS_X509_BADCERT_REVOKED 0x02 /**< The certificate has been revoked (is on a CRL). */
#define MBEDTLS_X509_BADCERT_CN_MISMATCH 0x04 /**< The certificate Common Name (CN) does not match with the expected CN. */
#define MBEDTLS_X509_BADCERT_NOT_TRUSTED 0x08 /**< The certificate is not correctly signed by the trusted CA. */
-#define MBEDTLS_X509_BADCRL_NOT_TRUSTED 0x10 /**< CRL is not correctly signed by the trusted CA. */
-#define MBEDTLS_X509_BADCRL_EXPIRED 0x20 /**< CRL is expired. */
+#define MBEDTLS_X509_BADCRL_NOT_TRUSTED 0x10 /**< The CRL is not correctly signed by the trusted CA. */
+#define MBEDTLS_X509_BADCRL_EXPIRED 0x20 /**< The CRL is expired. */
#define MBEDTLS_BADCERT_MISSING 0x40 /**< Certificate was missing. */
#define MBEDTLS_BADCERT_SKIP_VERIFY 0x80 /**< Certificate verification was skipped. */
#define MBEDTLS_BADCERT_OTHER 0x0100 /**< Other reason (can be used by verify callback) */
#define MBEDTLS_X509_BADCERT_FUTURE 0x0200 /**< The certificate validity starts in the future. */
#define MBEDTLS_BADCRL_FUTURE 0x0400 /**< The CRL is from the future */
+#define MBEDTLS_BADCERT_KEY_USAGE 0x0800 /**< Usage does not match the keyUsage extension. */
+#define MBEDTLS_BADCERT_EXT_KEY_USAGE 0x1000 /**< Usage does not match the extendedKeyUsage extension. */
+#define MBEDTLS_BADCERT_NS_CERT_TYPE 0x2000 /**< Usage does not match the nsCertType extension. */
/* \} name */
/* \} addtogroup x509_module */
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 23d7fb9..880099b 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -202,6 +202,21 @@
const mbedtls_x509_crt *crt );
/**
+ * \brief Returns an informational string about the
+ * verification status of a certificate.
+ *
+ * \param buf Buffer to write to
+ * \param size Maximum size of buffer
+ * \param prefix A line prefix
+ * \param flags Verification flags created by mbedtls_x509_crt_verify()
+ *
+ * \return The amount of data written to the buffer, or -1 in
+ * case of an error.
+ */
+int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
+ int flags );
+
+/**
* \brief Verify the certificate signature
*
* The verify callback is a user-supplied callback that
@@ -218,6 +233,9 @@
* are also returned to the application. The function should
* return 0 for anything but a fatal error.
*
+ * \note In case verification failed, the results can be displayed
+ * using \c mbedtls_x509_crt_verify_info()
+ *
* \param crt a certificate to be verified
* \param trust_ca the trusted CA chain
* \param ca_crl the CRL chain for trusted CA's
@@ -228,12 +246,9 @@
* \param p_vrfy verification parameter
*
* \return 0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
- * in which case *flags will have one or more of
- * the following values set:
- * MBEDTLS_BADCERT_EXPIRED --
- * MBEDTLS_X509_BADCERT_REVOKED --
- * MBEDTLS_X509_BADCERT_CN_MISMATCH --
- * MBEDTLS_X509_BADCERT_NOT_TRUSTED
+ * in which case *flags will have one or more
+ * MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags
+ * set,
* or another error in case of a fatal error encountered
* during the verification process.
*/