1. Rename the parameters cert and certSz on the function

wolfSSL_UseTrustedCA() to certId and certIdSz.
2. Add better parameter checking to wolfSSL_UseTrustedCA() based on the
ID type.

src/ssl.c

@@ -1963,12 +1963,31 @@ int wolfSSL_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
 #ifdef HAVE_TRUSTED_CA
 
 WOLFSSL_API int wolfSSL_UseTrustedCA(WOLFSSL* ssl, byte type,
-            const byte* cert, word32 certSz)
+            const byte* certId, word32 certIdSz)
 {
     if (ssl == NULL)
         return BAD_FUNC_ARG;
 
-    return TLSX_UseTrustedCA(&ssl->extensions, type, cert, certSz, ssl->heap);
+    if (type == WOLFSSL_TRUSTED_CA_PRE_AGREED) {
+        if (certId != NULL || certIdSz != 0)
+            return BAD_FUNC_ARG;
+    }
+    else if (type == WOLFSSL_TRUSTED_CA_X509_NAME) {
+        if (certId == NULL || certIdSz == 0)
+            return BAD_FUNC_ARG;
+    }
+    #ifndef NO_SHA
+    else if (type == WOLFSSL_TRUSTED_CA_KEY_SHA1 ||
+            type == WOLFSSL_TRUSTED_CA_CERT_SHA1) {
+        if (certId == NULL || certIdSz != SHA_DIGEST_SIZE)
+            return BAD_FUNC_ARG;
+    }
+    #endif
+    else
+        return BAD_FUNC_ARG;
+
+    return TLSX_UseTrustedCA(&ssl->extensions,
+            type, certId, certIdSz, ssl->heap);
 }
 
 #endif /* HAVE_TRUSTED_CA */

wolfssl/ssl.h

@@ -2260,7 +2260,7 @@ enum {
 };
 
 WOLFSSL_API int wolfSSL_UseTrustedCA(WOLFSSL* ssl, unsigned char type,
-            const unsigned char* cert, unsigned int certSz);
+            const unsigned char* certId, unsigned int certIdSz);
 #endif /* HAVE_TRUSTED_CA */
 
 /* Application-Layer Protocol Negotiation */