10 #ifndef MBEDTLS_X509_CRT_H
11 #define MBEDTLS_X509_CRT_H
98 #define MBEDTLS_X509_ID_FLAG(id) (1 << ((id) - 1))
135 #define MBEDTLS_X509_CRT_VERSION_1 0
136 #define MBEDTLS_X509_CRT_VERSION_2 1
137 #define MBEDTLS_X509_CRT_VERSION_3 2
139 #define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 20
140 #define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15
142 #if !defined(MBEDTLS_X509_MAX_FILE_PATH_LEN)
143 #define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
152 #define MBEDTLS_X509_CRT_ERROR_INFO_LIST \
153 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_EXPIRED, \
154 "MBEDTLS_X509_BADCERT_EXPIRED", \
155 "The certificate validity has expired") \
156 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_REVOKED, \
157 "MBEDTLS_X509_BADCERT_REVOKED", \
158 "The certificate has been revoked (is on a CRL)") \
159 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_CN_MISMATCH, \
160 "MBEDTLS_X509_BADCERT_CN_MISMATCH", \
161 "The certificate Common Name (CN) does not match with the expected CN") \
162 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_NOT_TRUSTED, \
163 "MBEDTLS_X509_BADCERT_NOT_TRUSTED", \
164 "The certificate is not correctly signed by the trusted CA") \
165 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_NOT_TRUSTED, \
166 "MBEDTLS_X509_BADCRL_NOT_TRUSTED", \
167 "The CRL is not correctly signed by the trusted CA") \
168 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_EXPIRED, \
169 "MBEDTLS_X509_BADCRL_EXPIRED", \
170 "The CRL is expired") \
171 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_MISSING, \
172 "MBEDTLS_X509_BADCERT_MISSING", \
173 "Certificate was missing") \
174 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_SKIP_VERIFY, \
175 "MBEDTLS_X509_BADCERT_SKIP_VERIFY", \
176 "Certificate verification was skipped") \
177 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_OTHER, \
178 "MBEDTLS_X509_BADCERT_OTHER", \
179 "Other reason (can be used by verify callback)") \
180 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_FUTURE, \
181 "MBEDTLS_X509_BADCERT_FUTURE", \
182 "The certificate validity starts in the future") \
183 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_FUTURE, \
184 "MBEDTLS_X509_BADCRL_FUTURE", \
185 "The CRL is from the future") \
186 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_KEY_USAGE, \
187 "MBEDTLS_X509_BADCERT_KEY_USAGE", \
188 "Usage does not match the keyUsage extension") \
189 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_EXT_KEY_USAGE, \
190 "MBEDTLS_X509_BADCERT_EXT_KEY_USAGE", \
191 "Usage does not match the extendedKeyUsage extension") \
192 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_NS_CERT_TYPE, \
193 "MBEDTLS_X509_BADCERT_NS_CERT_TYPE", \
194 "Usage does not match the nsCertType extension") \
195 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_BAD_MD, \
196 "MBEDTLS_X509_BADCERT_BAD_MD", \
197 "The certificate is signed with an unacceptable hash.") \
198 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_BAD_PK, \
199 "MBEDTLS_X509_BADCERT_BAD_PK", \
200 "The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA).") \
201 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_BAD_KEY, \
202 "MBEDTLS_X509_BADCERT_BAD_KEY", \
203 "The certificate is signed with an unacceptable key (eg bad curve, RSA too short).") \
204 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_BAD_MD, \
205 "MBEDTLS_X509_BADCRL_BAD_MD", \
206 "The CRL is signed with an unacceptable hash.") \
207 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_BAD_PK, \
208 "MBEDTLS_X509_BADCRL_BAD_PK", \
209 "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA).") \
210 X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_BAD_KEY, \
211 "MBEDTLS_X509_BADCRL_BAD_KEY", \
212 "The CRL is signed with an unacceptable key (eg bad curve, RSA too short).")
258 #define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE (MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2)
267 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
276 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
310 #if defined(MBEDTLS_X509_CRT_PARSE_C)
369 const unsigned char *buf,
406 const unsigned char *p,
407 const unsigned char *end);
454 const unsigned char *buf,
492 const unsigned char *buf,
531 #if defined(MBEDTLS_FS_IO)
568 #if !defined(MBEDTLS_X509_REMOVE_INFO)
581 int mbedtls_x509_crt_info(
char *buf,
size_t size,
const char *prefix,
596 int mbedtls_x509_crt_verify_info(
char *buf,
size_t size,
const char *prefix,
673 const char *cn, uint32_t *flags,
715 const char *cn, uint32_t *flags,
749 const char *cn, uint32_t *flags,
752 mbedtls_x509_crt_restart_ctx *rs_ctx);
788 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
815 const char *cn, uint32_t *flags,
859 const char *usage_oid,
862 #if defined(MBEDTLS_X509_CRL_PARSE_C)
889 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
916 return ctx->MBEDTLS_PRIVATE(ext_types) & ext_type;
933 #if defined(MBEDTLS_X509_CRT_WRITE_C)
951 #if defined(MBEDTLS_BIGNUM_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
969 int MBEDTLS_DEPRECATED mbedtls_x509write_crt_set_serial(
971 #endif // MBEDTLS_BIGNUM_C && !MBEDTLS_DEPRECATED_REMOVED
987 unsigned char *serial,
size_t serial_len);
1004 const char *not_after);
1019 const char *issuer_name);
1034 const char *subject_name);
1075 const char *oid,
size_t oid_len,
1077 const unsigned char *val,
size_t val_len);
1091 int is_ca,
int max_pathlen);
1093 #if defined(MBEDTLS_MD_CAN_SHA1)
1127 unsigned int key_usage);
1152 unsigned char ns_cert_type);
1179 int (*f_rng)(
void *,
unsigned char *,
size_t),
1182 #if defined(MBEDTLS_PEM_WRITE_C)
1197 int (*f_rng)(
void *,
unsigned char *,
size_t),
int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify a chain of certificates.
int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx, const char *oid, size_t oid_len, int critical, const unsigned char *val, size_t val_len)
Generic function to add to or replace an extension in the CRT.
int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify a chain of certificates with respect to a configurable security profile.
mbedtls_x509_sequence subject_alt_names
void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version)
Set the version for a Certificate Default: MBEDTLS_X509_CRT_VERSION_3.
int mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy, mbedtls_x509_crt_restart_ctx *rs_ctx)
Restartable version of mbedtls_crt_verify_with_profile()
int mbedtls_x509write_crt_set_subject_name(mbedtls_x509write_cert *ctx, const char *subject_name)
Set the subject name for a Certificate Subject names should contain a comma-separated list of OID typ...
int mbedtls_x509write_crt_set_subject_alternative_name(mbedtls_x509write_cert *ctx, const mbedtls_x509_san_list *san_list)
Set Subject Alternative Name.
int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the end of the provided chained list...
#define MBEDTLS_PRIVATE(member)
mbedtls_pk_type_t
Public key types.
int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl)
Verify the certificate revocation status.
void mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx *ctx)
Free the components of a restart context.
mbedtls_x509_sequence certificate_policies
struct mbedtls_x509_crt * next
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default
int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt, unsigned int usage)
Check usage of certificate against keyUsage extension.
mbedtls_x509_buf subject_id
struct mbedtls_x509write_cert mbedtls_x509write_cert
Multi-precision integer library.
mbedtls_x509_buf subject_raw
void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
Unallocate all certificate data.
mbedtls_x509_buf issuer_raw
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb
mbedtls_x509_name subject
mbedtls_x509_time valid_to
int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse one DER-encoded or one or more concatenated PEM-encoded certificates and add them to the chaine...
void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)
Initialize a CRT writing context.
struct mbedtls_x509_crt_profile mbedtls_x509_crt_profile
static int mbedtls_x509_crt_has_ext_type(const mbedtls_x509_crt *ctx, int ext_type)
Query certificate for given extension type.
int mbedtls_x509write_crt_set_validity(mbedtls_x509write_cert *ctx, const char *not_before, const char *not_after)
Set the validity period for a Certificate Timestamps should be in string format for UTC timezone i...
int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path)
Load one or more certificate files from a path and add them to the chained list. Parses permissively...
mbedtls_x509_authority authority_key_id
int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx, unsigned char ns_cert_type)
Set the Netscape Cert Type flags (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TY...
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_none
int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *ctx)
Set the authorityKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_issuer_key...
mbedtls_x509_time valid_from
int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len)
Check usage of certificate against extendedKeyUsage.
void mbedtls_x509write_crt_set_md_alg(mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg)
Set the MD algorithm to use for the signature (e.g. MBEDTLS_MD_SHA1)
Macro wrapper for struct's members.
#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN
#define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE
void mbedtls_x509write_crt_set_issuer_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the issuer key used for signing the certificate.
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next
X.509 generic defines and structures.
int mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt *crt, mbedtls_x509_crt_ca_cb_t f_ca_cb, void *p_ca_cb, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Version of mbedtls_x509_crt_verify_with_profile() which uses a callback to acquire the list of truste...
int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx, unsigned int key_usage)
Set the Key Usage Extension flags (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_...
Build-time configuration info.
mbedtls_x509_buf subject_key_id
void mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx)
Free the contents of a CRT write context.
int mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen, int make_copy, mbedtls_x509_crt_ext_cb_t cb, void *p_ctx)
Parse a single DER formatted certificate and add it to the end of the provided chained list...
void mbedtls_x509_crt_restart_init(mbedtls_x509_crt_restart_ctx *ctx)
Initialize a restart context.
int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path)
Load one or more certificates and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.
int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx)
Set the subjectKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_subject_key(...
int mbedtls_x509_crt_get_ca_istrue(const mbedtls_x509_crt *crt)
Access the ca_istrue field.
mbedtls_x509_buf issuer_id
X.509 certificate revocation list parsing.
struct mbedtls_x509_crt mbedtls_x509_crt
mbedtls_x509_sequence ext_key_usage
int(* mbedtls_x509_crt_ext_cb_t)(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid, int critical, const unsigned char *p, const unsigned char *end)
The type of certificate extension callbacks.
int mbedtls_x509write_crt_set_serial_raw(mbedtls_x509write_cert *ctx, unsigned char *serial, size_t serial_len)
Set the serial number for a Certificate.
int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Write a built up certificate to a X509 DER structure Note: data is written at the end of the buffer! ...
int mbedtls_x509_crt_parse_der_nocopy(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the end of the provided chained list...
int mbedtls_x509write_crt_set_issuer_name(mbedtls_x509write_cert *ctx, const char *issuer_name)
Set the issuer name for a Certificate Issuer names should contain a comma-separated list of OID types...
Context for resuming operations.
void mbedtls_x509_crt_init(mbedtls_x509_crt *crt)
Initialize a certificate (chain)
int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx, int is_ca, int max_pathlen)
Set the basicConstraints extension for a CRT.
void mbedtls_x509write_crt_set_subject_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the subject public key for the certificate.
Context for resuming X.509 verify operations.
mbedtls_md_type_t
Supported message digests.
int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Write a built up certificate to a X509 PEM string.
int mbedtls_x509write_crt_set_ext_key_usage(mbedtls_x509write_cert *ctx, const mbedtls_asn1_sequence *exts)
Set the Extended Key Usage Extension (e.g. MBEDTLS_OID_SERVER_AUTH)
#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN
int(* mbedtls_x509_crt_ca_cb_t)(void *p_ctx, mbedtls_x509_crt const *child, mbedtls_x509_crt **candidate_cas)
The type of trusted certificate callbacks.