Mbed TLS v2.28.8
Loading...
Searching...
No Matches
x509_crt.h
Go to the documentation of this file.
1
6/*
7 * Copyright The Mbed TLS Contributors
8 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
9 */
10#ifndef MBEDTLS_X509_CRT_H
11#define MBEDTLS_X509_CRT_H
12
13#if !defined(MBEDTLS_CONFIG_FILE)
14#include "mbedtls/config.h"
15#else
16#include MBEDTLS_CONFIG_FILE
17#endif
18
19#include "mbedtls/x509.h"
20#include "mbedtls/x509_crl.h"
21#include "mbedtls/bignum.h"
22
28#ifdef __cplusplus
29extern "C" {
30#endif
31
87
117
130
135#define MBEDTLS_X509_ID_FLAG(id) (1 << ((id) - 1))
136
143 uint32_t allowed_mds;
144 uint32_t allowed_pks;
147 uint32_t allowed_curves;
148 uint32_t rsa_min_bitlen;
149}
151
152#define MBEDTLS_X509_CRT_VERSION_1 0
153#define MBEDTLS_X509_CRT_VERSION_2 1
154#define MBEDTLS_X509_CRT_VERSION_3 2
155
156#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32
157#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15
158
159#if !defined(MBEDTLS_X509_MAX_FILE_PATH_LEN)
160#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
161#endif
162
179
187
191#define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE (MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2)
192
196typedef struct {
198 unsigned len;
199
200#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
201 /* This stores the list of potential trusted signers obtained from
202 * the CA callback used for the CRT verification, if configured.
203 * We must track it somewhere because the callback passes its
204 * ownership to the caller. */
205 mbedtls_x509_crt *trust_ca_cb_result;
206#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
208
209#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
210
214typedef struct {
215 /* for check_signature() */
217
218 /* for find_parent_in() */
219 mbedtls_x509_crt *parent; /* non-null iff parent_in in progress */
220 mbedtls_x509_crt *fallback_parent;
221 int fallback_signature_is_good;
222
223 /* for find_parent() */
224 int parent_is_trusted; /* -1 if find_parent is not in progress */
225
226 /* for verify_chain() */
227 enum {
228 x509_crt_rs_none,
229 x509_crt_rs_find_parent,
230 } in_progress; /* none if no operation is in progress */
231 int self_cnt;
233
235
236#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
237
238/* Now we can declare functions that take a pointer to that */
240
241#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
242
243#if defined(MBEDTLS_X509_CRT_PARSE_C)
258
264
269
295 const unsigned char *buf,
296 size_t buflen);
297
328typedef int (*mbedtls_x509_crt_ext_cb_t)(void *p_ctx,
329 mbedtls_x509_crt const *crt,
330 mbedtls_x509_buf const *oid,
331 int critical,
332 const unsigned char *p,
333 const unsigned char *end);
334
380 const unsigned char *buf,
381 size_t buflen,
382 int make_copy,
384 void *p_ctx);
385
418 const unsigned char *buf,
419 size_t buflen);
420
455int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen);
456
457#if defined(MBEDTLS_FS_IO)
475int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path);
476
490int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path);
491
492#endif /* MBEDTLS_FS_IO */
534int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
535 const mbedtls_x509_crt *crt);
536
549int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix,
550 uint32_t flags);
551
619 mbedtls_x509_crt *trust_ca,
620 mbedtls_x509_crl *ca_crl,
621 const char *cn, uint32_t *flags,
622 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
623 void *p_vrfy);
624
660 mbedtls_x509_crt *trust_ca,
661 mbedtls_x509_crl *ca_crl,
662 const mbedtls_x509_crt_profile *profile,
663 const char *cn, uint32_t *flags,
664 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
665 void *p_vrfy);
666
694 mbedtls_x509_crt *trust_ca,
695 mbedtls_x509_crl *ca_crl,
696 const mbedtls_x509_crt_profile *profile,
697 const char *cn, uint32_t *flags,
698 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
699 void *p_vrfy,
701
732typedef int (*mbedtls_x509_crt_ca_cb_t)(void *p_ctx,
733 mbedtls_x509_crt const *child,
734 mbedtls_x509_crt **candidate_cas);
735
736#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
759int mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt *crt,
761 void *p_ca_cb,
762 const mbedtls_x509_crt_profile *profile,
763 const char *cn, uint32_t *flags,
764 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
765 void *p_vrfy);
766
767#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
768
769#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
792 unsigned int usage);
793#endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */
794
795#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
810 const char *usage_oid,
811 size_t usage_len);
812#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
813
814#if defined(MBEDTLS_X509_CRL_PARSE_C)
825#endif /* MBEDTLS_X509_CRL_PARSE_C */
826
833
840
841#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
845void mbedtls_x509_crt_restart_init(mbedtls_x509_crt_restart_ctx *ctx);
846
850void mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx *ctx);
851#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
852#endif /* MBEDTLS_X509_CRT_PARSE_C */
853
856#if defined(MBEDTLS_X509_CRT_WRITE_C)
863
873
883
899 const char *not_after);
900
914 const char *issuer_name);
915
929 const char *subject_name);
930
938
946
955
970 const char *oid, size_t oid_len,
971 int critical,
972 const unsigned char *val, size_t val_len);
973
986 int is_ca, int max_pathlen);
987
988#if defined(MBEDTLS_SHA1_C)
999
1010#endif /* MBEDTLS_SHA1_C */
1011
1022 unsigned int key_usage);
1023
1034 unsigned char ns_cert_type);
1035
1042
1063int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
1064 int (*f_rng)(void *, unsigned char *, size_t),
1065 void *p_rng);
1066
1067#if defined(MBEDTLS_PEM_WRITE_C)
1084int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
1085 int (*f_rng)(void *, unsigned char *, size_t),
1086 void *p_rng);
1087#endif /* MBEDTLS_PEM_WRITE_C */
1088#endif /* MBEDTLS_X509_CRT_WRITE_C */
1089
1092#ifdef __cplusplus
1093}
1094#endif
1095
1096#endif /* mbedtls_x509_crt.h */
Multi-precision integer library.
Configuration options (set of defines)
int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the end of the provided chained list.
int mbedtls_x509_crt_parse_der_nocopy(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the end of the provided chained list....
void mbedtls_x509_crt_init(mbedtls_x509_crt *crt)
Initialize a certificate (chain)
int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse one DER-encoded or one or more concatenated PEM-encoded certificates and add them to the chaine...
int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx)
Set the subjectKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_subject_key(...
int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt, unsigned int usage)
Check usage of certificate against keyUsage extension.
int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl)
Verify the certificate revocation status.
void mbedtls_x509write_crt_set_subject_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the subject public key for the certificate.
int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, mbedtls_x509_subject_alternative_name *san)
This function parses an item in the SubjectAlternativeNames extension.
int mbedtls_x509write_crt_set_subject_name(mbedtls_x509write_cert *ctx, const char *subject_name)
Set the subject name for a Certificate Subject names should contain a comma-separated list of OID typ...
int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Write a built up certificate to a X509 PEM string.
void mbedtls_x509_crt_restart_ctx
Definition x509_crt.h:239
int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial)
Set the serial number for a Certificate.
int mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy, mbedtls_x509_crt_restart_ctx *rs_ctx)
Restartable version of mbedtls_crt_verify_with_profile()
void mbedtls_x509write_crt_set_issuer_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the issuer key used for signing the certificate.
int(* mbedtls_x509_crt_ext_cb_t)(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid, int critical, const unsigned char *p, const unsigned char *end)
The type of certificate extension callbacks.
Definition x509_crt.h:328
#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN
Definition x509_crt.h:157
int mbedtls_x509write_crt_set_issuer_name(mbedtls_x509write_cert *ctx, const char *issuer_name)
Set the issuer name for a Certificate Issuer names should contain a comma-separated list of OID types...
#define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE
Definition x509_crt.h:191
int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path)
Load one or more certificate files from a path and add them to the chained list. Parses permissively....
int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx, const char *oid, size_t oid_len, int critical, const unsigned char *val, size_t val_len)
Generic function to add to or replace an extension in the CRT.
int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx, unsigned int key_usage)
Set the Key Usage Extension flags (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_...
int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx, unsigned char ns_cert_type)
Set the Netscape Cert Type flags (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TY...
int(* mbedtls_x509_crt_ca_cb_t)(void *p_ctx, mbedtls_x509_crt const *child, mbedtls_x509_crt **candidate_cas)
The type of trusted certificate callbacks.
Definition x509_crt.h:732
int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *ctx)
Set the authorityKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_issuer_key...
struct mbedtls_x509_san_other_name mbedtls_x509_san_other_name
int mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen, int make_copy, mbedtls_x509_crt_ext_cb_t cb, void *p_ctx)
Parse a single DER formatted certificate and add it to the end of the provided chained list.
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next
struct mbedtls_x509_crt mbedtls_x509_crt
struct mbedtls_x509_crt_profile mbedtls_x509_crt_profile
int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify a chain of certificates.
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default
void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)
Initialize a CRT writing context.
void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version)
Set the version for a Certificate Default: MBEDTLS_X509_CRT_VERSION_3.
void mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx)
Free the contents of a CRT write context.
void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
Unallocate all certificate data.
int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix, const mbedtls_x509_crt *crt)
Returns an informational string about the certificate.
void mbedtls_x509write_crt_set_md_alg(mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg)
Set the MD algorithm to use for the signature (e.g. MBEDTLS_MD_SHA1)
int mbedtls_x509write_crt_set_validity(mbedtls_x509write_cert *ctx, const char *not_before, const char *not_after)
Set the validity period for a Certificate Timestamps should be in string format for UTC timezone i....
struct mbedtls_x509_subject_alternative_name mbedtls_x509_subject_alternative_name
int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len)
Check usage of certificate against extendedKeyUsage.
int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path)
Load one or more certificates and add them to the chained list. Parses permissively....
int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Write a built up certificate to a X509 DER structure Note: data is written at the end of the buffer!...
int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx, int is_ca, int max_pathlen)
Set the basicConstraints extension for a CRT.
struct mbedtls_x509write_cert mbedtls_x509write_cert
int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix, uint32_t flags)
Returns an informational string about the verification status of a certificate.
int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify a chain of certificates with respect to a configurable security profile.
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb
mbedtls_md_type_t
Supported message digests.
Definition md.h:50
mbedtls_pk_type_t
Public key types.
Definition pk.h:83
void mbedtls_pk_restart_ctx
Definition pk.h:200
MPI structure.
Definition bignum.h:196
Public key container.
Definition pk.h:185
mbedtls_x509_time valid_to
Definition x509_crt.h:57
mbedtls_x509_buf sig_oid
Definition x509_crt.h:48
mbedtls_x509_sequence subject_alt_names
Definition x509_crt.h:65
unsigned int key_usage
Definition x509_crt.h:73
mbedtls_x509_buf tbs
Definition x509_crt.h:44
mbedtls_x509_buf raw
Definition x509_crt.h:43
mbedtls_x509_buf serial
Definition x509_crt.h:47
mbedtls_md_type_t sig_md
Definition x509_crt.h:80
mbedtls_pk_context pk
Definition x509_crt.h:60
mbedtls_pk_type_t sig_pk
Definition x509_crt.h:81
void * sig_opts
Definition x509_crt.h:82
mbedtls_x509_buf v3_ext
Definition x509_crt.h:64
mbedtls_x509_buf issuer_id
Definition x509_crt.h:62
mbedtls_x509_name subject
Definition x509_crt.h:54
mbedtls_x509_sequence certificate_policies
Definition x509_crt.h:67
mbedtls_x509_buf pk_raw
Definition x509_crt.h:59
mbedtls_x509_time valid_from
Definition x509_crt.h:56
mbedtls_x509_buf subject_raw
Definition x509_crt.h:51
mbedtls_x509_sequence ext_key_usage
Definition x509_crt.h:75
struct mbedtls_x509_crt * next
Definition x509_crt.h:84
mbedtls_x509_buf subject_id
Definition x509_crt.h:63
unsigned char ns_cert_type
Definition x509_crt.h:77
mbedtls_x509_name issuer
Definition x509_crt.h:53
mbedtls_x509_buf sig
Definition x509_crt.h:79
mbedtls_x509_buf issuer_raw
Definition x509_crt.h:50
mbedtls_x509_buf oid
Definition x509_crt.h:109
union mbedtls_x509_san_other_name::@043167274155330232301377265235375254114162047151 value
mbedtls_x509_buf val
Definition x509_crt.h:110
struct mbedtls_x509_san_other_name::@043167274155330232301377265235375254114162047151::@213206214177242077347125166105121133227234213324 hardware_module_name
mbedtls_x509_buf type_id
Definition x509_crt.h:100
mbedtls_x509_san_other_name other_name
Definition x509_crt.h:124
union mbedtls_x509_subject_alternative_name::@331046356164357350362012225117357277021116273247 san
mbedtls_md_type_t md_alg
Definition x509_crt.h:173
mbedtls_pk_context * issuer_key
Definition x509_crt.h:170
mbedtls_asn1_named_data * issuer
Definition x509_crt.h:172
char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN+1]
Definition x509_crt.h:175
mbedtls_asn1_named_data * subject
Definition x509_crt.h:171
mbedtls_pk_context * subject_key
Definition x509_crt.h:169
mbedtls_asn1_named_data * extensions
Definition x509_crt.h:176
char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN+1]
Definition x509_crt.h:174
X.509 generic defines and structures.
X.509 certificate revocation list parsing.