mbed TLS v2.7.6
x509_crt.h
Go to the documentation of this file.
1 
6 /*
7  * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
8  * SPDX-License-Identifier: Apache-2.0
9  *
10  * Licensed under the Apache License, Version 2.0 (the "License"); you may
11  * not use this file except in compliance with the License.
12  * You may obtain a copy of the License at
13  *
14  * http://www.apache.org/licenses/LICENSE-2.0
15  *
16  * Unless required by applicable law or agreed to in writing, software
17  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19  * See the License for the specific language governing permissions and
20  * limitations under the License.
21  *
22  * This file is part of mbed TLS (https://tls.mbed.org)
23  */
24 #ifndef MBEDTLS_X509_CRT_H
25 #define MBEDTLS_X509_CRT_H
26 
27 #if !defined(MBEDTLS_CONFIG_FILE)
28 #include "config.h"
29 #else
30 #include MBEDTLS_CONFIG_FILE
31 #endif
32 
33 #include "x509.h"
34 #include "x509_crl.h"
35 
41 #ifdef __cplusplus
42 extern "C" {
43 #endif
44 
53 typedef struct mbedtls_x509_crt
54 {
58  int version;
78  int ext_types;
79  int ca_istrue;
82  unsigned int key_usage;
86  unsigned char ns_cert_type;
91  void *sig_opts;
94 }
96 
101 #define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( id - 1 ) )
102 
108 typedef struct
109 {
110  uint32_t allowed_mds;
111  uint32_t allowed_pks;
112  uint32_t allowed_curves;
113  uint32_t rsa_min_bitlen;
114 }
116 
117 #define MBEDTLS_X509_CRT_VERSION_1 0
118 #define MBEDTLS_X509_CRT_VERSION_2 1
119 #define MBEDTLS_X509_CRT_VERSION_3 2
120 
121 #define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32
122 #define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15
123 
124 #if !defined( MBEDTLS_X509_MAX_FILE_PATH_LEN )
125 #define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
126 #endif
127 
132 {
133  int version;
140  char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
143 }
145 
146 #if defined(MBEDTLS_X509_CRT_PARSE_C)
147 
152 
158 
163 
174 int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *buf,
175  size_t buflen );
176 
192 int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen );
193 
194 #if defined(MBEDTLS_FS_IO)
195 
208 int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path );
209 
223 int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path );
224 #endif /* MBEDTLS_FS_IO */
225 
238 int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
239  const mbedtls_x509_crt *crt );
240 
253 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
254  uint32_t flags );
255 
315  mbedtls_x509_crt *trust_ca,
316  mbedtls_x509_crl *ca_crl,
317  const char *cn, uint32_t *flags,
318  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
319  void *p_vrfy );
320 
349  mbedtls_x509_crt *trust_ca,
350  mbedtls_x509_crl *ca_crl,
351  const mbedtls_x509_crt_profile *profile,
352  const char *cn, uint32_t *flags,
353  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
354  void *p_vrfy );
355 
356 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
357 
379  unsigned int usage );
380 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */
381 
382 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
383 
397  const char *usage_oid,
398  size_t usage_len );
399 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
400 
401 #if defined(MBEDTLS_X509_CRL_PARSE_C)
402 
412 #endif /* MBEDTLS_X509_CRL_PARSE_C */
413 
420 
427 #endif /* MBEDTLS_X509_CRT_PARSE_C */
428 
429 /* \} name */
430 /* \} addtogroup x509_module */
431 
432 #if defined(MBEDTLS_X509_CRT_WRITE_C)
433 
439 
449 
459 
474 int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before,
475  const char *not_after );
476 
490  const char *issuer_name );
491 
505  const char *subject_name );
506 
514 
522 
531 
546  const char *oid, size_t oid_len,
547  int critical,
548  const unsigned char *val, size_t val_len );
549 
562  int is_ca, int max_pathlen );
563 
564 #if defined(MBEDTLS_SHA1_C)
565 
575 
586 #endif /* MBEDTLS_SHA1_C */
587 
598  unsigned int key_usage );
599 
610  unsigned char ns_cert_type );
611 
618 
639 int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
640  int (*f_rng)(void *, unsigned char *, size_t),
641  void *p_rng );
642 
643 #if defined(MBEDTLS_PEM_WRITE_C)
644 
660 int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
661  int (*f_rng)(void *, unsigned char *, size_t),
662  void *p_rng );
663 #endif /* MBEDTLS_PEM_WRITE_C */
664 #endif /* MBEDTLS_X509_CRT_WRITE_C */
665 
666 #ifdef __cplusplus
667 }
668 #endif
669 
670 #endif /* mbedtls_x509_crt.h */
int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *ctx)
Set the authorityKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_issuer_key...
int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify the certificate signature.
Public key container.
Definition: pk.h:128
int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Write a built up certificate to a X509 DER structure Note: data is written at the end of the buffer! ...
int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify the certificate signature according to profile.
mbedtls_x509_sequence subject_alt_names
Definition: x509_crt.h:76
int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the chained list.
int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx, const char *oid, size_t oid_len, int critical, const unsigned char *val, size_t val_len)
Generic function to add to or replace an extension in the CRT.
int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx, unsigned char ns_cert_type)
Set the Netscape Cert Type flags (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TY...
mbedtls_pk_type_t
Public key types.
Definition: pk.h:76
int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl)
Verify the certificate revocation status.
Configuration options (set of defines)
int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Write a built up certificate to a X509 PEM string.
struct mbedtls_x509_crt * next
Definition: x509_crt.h:93
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default
int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt, unsigned int usage)
Check usage of certificate against keyUsage extension.
mbedtls_x509_name issuer
Definition: x509_crt.h:65
void mbedtls_x509write_crt_set_subject_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the subject public key for the certificate.
int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx, unsigned int key_usage)
Set the Key Usage Extension flags (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_...
void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)
Initialize a CRT writing context.
mbedtls_x509_buf subject_id
Definition: x509_crt.h:74
struct mbedtls_x509write_cert mbedtls_x509write_cert
void mbedtls_x509write_crt_set_md_alg(mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg)
Set the MD algorithm to use for the signature (e.g. MBEDTLS_MD_SHA1)
mbedtls_x509_buf tbs
Definition: x509_crt.h:56
mbedtls_x509_buf subject_raw
Definition: x509_crt.h:63
void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
Unallocate all certificate data.
mbedtls_x509_buf sig_oid
Definition: x509_crt.h:60
mbedtls_x509_buf issuer_raw
Definition: x509_crt.h:62
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb
int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx, int is_ca, int max_pathlen)
Set the basicConstraints extension for a CRT.
mbedtls_x509_name subject
Definition: x509_crt.h:66
mbedtls_x509_time valid_to
Definition: x509_crt.h:69
int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse one or more certificates and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.
unsigned char ns_cert_type
Definition: x509_crt.h:86
int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path)
Load one or more certificate files from a path and add them to the chained list. Parses permissively...
int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx)
Set the subjectKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_subject_key(...
int mbedtls_x509write_crt_set_subject_name(mbedtls_x509write_cert *ctx, const char *subject_name)
Set the subject name for a Certificate Subject names should contain a comma-separated list of OID typ...
mbedtls_x509_buf serial
Definition: x509_crt.h:59
void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version)
Set the verion for a Certificate Default: MBEDTLS_X509_CRT_VERSION_3.
mbedtls_x509_time valid_from
Definition: x509_crt.h:68
mbedtls_x509_buf raw
Definition: x509_crt.h:55
int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len)
Check usage of certificate against extendedKeyUsage.
int mbedtls_x509write_crt_set_validity(mbedtls_x509write_cert *ctx, const char *not_before, const char *not_after)
Set the validity period for a Certificate Timestamps should be in string format for UTC timezone i...
#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN
Definition: x509_crt.h:122
void mbedtls_x509write_crt_set_issuer_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the issuer key used for signing the certificate.
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next
mbedtls_pk_context * subject_key
Definition: x509_crt.h:135
mbedtls_pk_type_t sig_pk
Definition: x509_crt.h:90
X.509 generic defines and structures.
int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix, const mbedtls_x509_crt *crt)
Returns an informational string about the certificate.
int mbedtls_x509write_crt_set_issuer_name(mbedtls_x509write_cert *ctx, const char *issuer_name)
Set the issuer name for a Certificate Issuer names should contain a comma-separated list of OID types...
mbedtls_asn1_named_data * subject
Definition: x509_crt.h:137
int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path)
Load one or more certificates and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.
mbedtls_pk_context * issuer_key
Definition: x509_crt.h:136
void * sig_opts
Definition: x509_crt.h:91
mbedtls_md_type_t md_alg
Definition: x509_crt.h:139
mbedtls_x509_buf issuer_id
Definition: x509_crt.h:73
int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial)
Set the serial number for a Certificate.
MPI structure.
Definition: bignum.h:180
X.509 certificate revocation list parsing.
void mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx)
Free the contents of a CRT write context.
struct mbedtls_x509_crt mbedtls_x509_crt
mbedtls_x509_sequence ext_key_usage
Definition: x509_crt.h:84
void mbedtls_x509_crt_init(mbedtls_x509_crt *crt)
Initialize a certificate (chain)
mbedtls_asn1_named_data * extensions
Definition: x509_crt.h:142
unsigned int key_usage
Definition: x509_crt.h:82
mbedtls_pk_context pk
Definition: x509_crt.h:71
mbedtls_x509_buf sig
Definition: x509_crt.h:88
mbedtls_md_type_t
Enumeration of supported message digests.
Definition: md.h:56
int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix, uint32_t flags)
Returns an informational string about the verification status of a certificate.
mbedtls_asn1_named_data * issuer
Definition: x509_crt.h:138
mbedtls_mpi serial
Definition: x509_crt.h:134
mbedtls_x509_buf v3_ext
Definition: x509_crt.h:75
mbedtls_md_type_t sig_md
Definition: x509_crt.h:89