10#ifndef MBEDTLS_X509_CRT_H
11#define MBEDTLS_X509_CRT_H
98#define MBEDTLS_X509_ID_FLAG(id) (1 << ((id) - 1))
135#define MBEDTLS_X509_CRT_VERSION_1 0
136#define MBEDTLS_X509_CRT_VERSION_2 1
137#define MBEDTLS_X509_CRT_VERSION_3 2
139#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 20
140#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15
142#if !defined(MBEDTLS_X509_MAX_FILE_PATH_LEN)
143#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
152#define MBEDTLS_X509_CRT_ERROR_INFO_LIST \
153 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_EXPIRED, \
154 "MBEDTLS_X509_BADCERT_EXPIRED", \
155 "The certificate validity has expired") \
156 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_REVOKED, \
157 "MBEDTLS_X509_BADCERT_REVOKED", \
158 "The certificate has been revoked (is on a CRL)") \
159 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_CN_MISMATCH, \
160 "MBEDTLS_X509_BADCERT_CN_MISMATCH", \
161 "The certificate Common Name (CN) does not match with the expected CN") \
162 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_NOT_TRUSTED, \
163 "MBEDTLS_X509_BADCERT_NOT_TRUSTED", \
164 "The certificate is not correctly signed by the trusted CA") \
165 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_NOT_TRUSTED, \
166 "MBEDTLS_X509_BADCRL_NOT_TRUSTED", \
167 "The CRL is not correctly signed by the trusted CA") \
168 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_EXPIRED, \
169 "MBEDTLS_X509_BADCRL_EXPIRED", \
170 "The CRL is expired") \
171 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_MISSING, \
172 "MBEDTLS_X509_BADCERT_MISSING", \
173 "Certificate was missing") \
174 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_SKIP_VERIFY, \
175 "MBEDTLS_X509_BADCERT_SKIP_VERIFY", \
176 "Certificate verification was skipped") \
177 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_OTHER, \
178 "MBEDTLS_X509_BADCERT_OTHER", \
179 "Other reason (can be used by verify callback)") \
180 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_FUTURE, \
181 "MBEDTLS_X509_BADCERT_FUTURE", \
182 "The certificate validity starts in the future") \
183 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_FUTURE, \
184 "MBEDTLS_X509_BADCRL_FUTURE", \
185 "The CRL is from the future") \
186 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_KEY_USAGE, \
187 "MBEDTLS_X509_BADCERT_KEY_USAGE", \
188 "Usage does not match the keyUsage extension") \
189 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_EXT_KEY_USAGE, \
190 "MBEDTLS_X509_BADCERT_EXT_KEY_USAGE", \
191 "Usage does not match the extendedKeyUsage extension") \
192 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_NS_CERT_TYPE, \
193 "MBEDTLS_X509_BADCERT_NS_CERT_TYPE", \
194 "Usage does not match the nsCertType extension") \
195 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_BAD_MD, \
196 "MBEDTLS_X509_BADCERT_BAD_MD", \
197 "The certificate is signed with an unacceptable hash.") \
198 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_BAD_PK, \
199 "MBEDTLS_X509_BADCERT_BAD_PK", \
200 "The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA).") \
201 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_BAD_KEY, \
202 "MBEDTLS_X509_BADCERT_BAD_KEY", \
203 "The certificate is signed with an unacceptable key (eg bad curve, RSA too short).") \
204 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_BAD_MD, \
205 "MBEDTLS_X509_BADCRL_BAD_MD", \
206 "The CRL is signed with an unacceptable hash.") \
207 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_BAD_PK, \
208 "MBEDTLS_X509_BADCRL_BAD_PK", \
209 "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA).") \
210 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_BAD_KEY, \
211 "MBEDTLS_X509_BADCRL_BAD_KEY", \
212 "The CRL is signed with an unacceptable key (eg bad curve, RSA too short).")
258#define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE (MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2)
267#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
276#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
296 x509_crt_rs_find_parent,
310#if defined(MBEDTLS_X509_CRT_PARSE_C)
369 const unsigned char *buf,
406 const unsigned char *p,
407 const unsigned char *end);
454 const unsigned char *buf,
492 const unsigned char *buf,
531#if defined(MBEDTLS_FS_IO)
568#if !defined(MBEDTLS_X509_REMOVE_INFO)
673 const char *cn, uint32_t *flags,
715 const char *cn, uint32_t *flags,
749 const char *cn, uint32_t *flags,
788#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
815 const char *cn, uint32_t *flags,
859 const char *usage_oid,
862#if defined(MBEDTLS_X509_CRL_PARSE_C)
889#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
916 return ctx->MBEDTLS_PRIVATE(ext_types) & ext_type;
933#if defined(MBEDTLS_X509_CRT_WRITE_C)
951#if defined(MBEDTLS_BIGNUM_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
987 unsigned char *serial,
size_t serial_len);
1004 const char *not_after);
1019 const char *issuer_name);
1034 const char *subject_name);
1075 const char *oid,
size_t oid_len,
1077 const unsigned char *val,
size_t val_len);
1091 int is_ca,
int max_pathlen);
1093#if defined(MBEDTLS_MD_CAN_SHA1)
1127 unsigned int key_usage);
1152 unsigned char ns_cert_type);
1179 int (*f_rng)(
void *,
unsigned char *,
size_t),
1182#if defined(MBEDTLS_PEM_WRITE_C)
1197 int (*f_rng)(
void *,
unsigned char *,
size_t),
Multi-precision integer library.
int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the end of the provided chained list.
int mbedtls_x509_crt_parse_der_nocopy(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the end of the provided chained list....
void mbedtls_x509_crt_init(mbedtls_x509_crt *crt)
Initialize a certificate (chain)
int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse one DER-encoded or one or more concatenated PEM-encoded certificates and add them to the chaine...
int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx)
Set the subjectKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_subject_key(...
int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt, unsigned int usage)
Check usage of certificate against keyUsage extension.
int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl)
Verify the certificate revocation status.
void mbedtls_x509write_crt_set_subject_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the subject public key for the certificate.
#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN
int mbedtls_x509write_crt_set_ext_key_usage(mbedtls_x509write_cert *ctx, const mbedtls_asn1_sequence *exts)
Set the Extended Key Usage Extension (e.g. MBEDTLS_OID_SERVER_AUTH)
int mbedtls_x509write_crt_set_subject_name(mbedtls_x509write_cert *ctx, const char *subject_name)
Set the subject name for a Certificate Subject names should contain a comma-separated list of OID typ...
int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Write a built up certificate to a X509 PEM string.
void mbedtls_x509_crt_restart_ctx
int mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy, mbedtls_x509_crt_restart_ctx *rs_ctx)
Restartable version of mbedtls_crt_verify_with_profile()
void mbedtls_x509write_crt_set_issuer_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the issuer key used for signing the certificate.
int(* mbedtls_x509_crt_ext_cb_t)(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid, int critical, const unsigned char *p, const unsigned char *end)
The type of certificate extension callbacks.
static int mbedtls_x509_crt_has_ext_type(const mbedtls_x509_crt *ctx, int ext_type)
Query certificate for given extension type.
#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN
int mbedtls_x509write_crt_set_issuer_name(mbedtls_x509write_cert *ctx, const char *issuer_name)
Set the issuer name for a Certificate Issuer names should contain a comma-separated list of OID types...
#define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE
int mbedtls_x509write_crt_set_serial_raw(mbedtls_x509write_cert *ctx, unsigned char *serial, size_t serial_len)
Set the serial number for a Certificate.
int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path)
Load one or more certificate files from a path and add them to the chained list. Parses permissively....
int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx, const char *oid, size_t oid_len, int critical, const unsigned char *val, size_t val_len)
Generic function to add to or replace an extension in the CRT.
int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx, unsigned int key_usage)
Set the Key Usage Extension flags (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_...
int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx, unsigned char ns_cert_type)
Set the Netscape Cert Type flags (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TY...
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_none
int(* mbedtls_x509_crt_ca_cb_t)(void *p_ctx, mbedtls_x509_crt const *child, mbedtls_x509_crt **candidate_cas)
The type of trusted certificate callbacks.
int mbedtls_x509write_crt_set_subject_alternative_name(mbedtls_x509write_cert *ctx, const mbedtls_x509_san_list *san_list)
Set Subject Alternative Name.
int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *ctx)
Set the authorityKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_issuer_key...
int mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen, int make_copy, mbedtls_x509_crt_ext_cb_t cb, void *p_ctx)
Parse a single DER formatted certificate and add it to the end of the provided chained list.
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next
int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify a chain of certificates.
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default
void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)
Initialize a CRT writing context.
int MBEDTLS_DEPRECATED mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial)
Set the serial number for a Certificate.
void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version)
Set the version for a Certificate Default: MBEDTLS_X509_CRT_VERSION_3.
void mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx)
Free the contents of a CRT write context.
void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
Unallocate all certificate data.
int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix, const mbedtls_x509_crt *crt)
Returns an informational string about the certificate.
void mbedtls_x509write_crt_set_md_alg(mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg)
Set the MD algorithm to use for the signature (e.g. MBEDTLS_MD_SHA1)
int mbedtls_x509write_crt_set_validity(mbedtls_x509write_cert *ctx, const char *not_before, const char *not_after)
Set the validity period for a Certificate Timestamps should be in string format for UTC timezone i....
int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len)
Check usage of certificate against extendedKeyUsage.
int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path)
Load one or more certificates and add them to the chained list. Parses permissively....
int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Write a built up certificate to a X509 DER structure Note: data is written at the end of the buffer!...
int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx, int is_ca, int max_pathlen)
Set the basicConstraints extension for a CRT.
int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix, uint32_t flags)
Returns an informational string about the verification status of a certificate.
int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify a chain of certificates with respect to a configurable security profile.
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb
int mbedtls_x509_crt_get_ca_istrue(const mbedtls_x509_crt *crt)
Access the ca_istrue field.
Build-time configuration info.
mbedtls_md_type_t
Supported message digests.
mbedtls_pk_type_t
Public key types.
void mbedtls_pk_restart_ctx
Macro wrapper for struct's members.
#define MBEDTLS_PRIVATE(member)
mbedtls_x509_time valid_to
mbedtls_x509_sequence subject_alt_names
mbedtls_x509_authority authority_key_id
mbedtls_x509_buf subject_key_id
mbedtls_x509_buf issuer_id
mbedtls_x509_name subject
mbedtls_x509_sequence certificate_policies
mbedtls_x509_time valid_from
mbedtls_x509_buf subject_raw
mbedtls_x509_sequence ext_key_usage
struct mbedtls_x509_crt * next
mbedtls_x509_buf subject_id
mbedtls_x509_buf issuer_raw
X.509 generic defines and structures.
X.509 certificate revocation list parsing.