mbed TLS v2.7.16
x509_crt.h
Go to the documentation of this file.
1 
6 /*
7  * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
8  * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
9  *
10  * This file is provided under the Apache License 2.0, or the
11  * GNU General Public License v2.0 or later.
12  *
13  * **********
14  * Apache License 2.0:
15  *
16  * Licensed under the Apache License, Version 2.0 (the "License"); you may
17  * not use this file except in compliance with the License.
18  * You may obtain a copy of the License at
19  *
20  * http://www.apache.org/licenses/LICENSE-2.0
21  *
22  * Unless required by applicable law or agreed to in writing, software
23  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
24  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
25  * See the License for the specific language governing permissions and
26  * limitations under the License.
27  *
28  * **********
29  *
30  * **********
31  * GNU General Public License v2.0 or later:
32  *
33  * This program is free software; you can redistribute it and/or modify
34  * it under the terms of the GNU General Public License as published by
35  * the Free Software Foundation; either version 2 of the License, or
36  * (at your option) any later version.
37  *
38  * This program is distributed in the hope that it will be useful,
39  * but WITHOUT ANY WARRANTY; without even the implied warranty of
40  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
41  * GNU General Public License for more details.
42  *
43  * You should have received a copy of the GNU General Public License along
44  * with this program; if not, write to the Free Software Foundation, Inc.,
45  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
46  *
47  * **********
48  *
49  * This file is part of mbed TLS (https://tls.mbed.org)
50  */
51 #ifndef MBEDTLS_X509_CRT_H
52 #define MBEDTLS_X509_CRT_H
53 
54 #if !defined(MBEDTLS_CONFIG_FILE)
55 #include "config.h"
56 #else
57 #include MBEDTLS_CONFIG_FILE
58 #endif
59 
60 #include "x509.h"
61 #include "x509_crl.h"
62 
68 #ifdef __cplusplus
69 extern "C" {
70 #endif
71 
80 typedef struct mbedtls_x509_crt
81 {
85  int version;
105  int ext_types;
106  int ca_istrue;
109  unsigned int key_usage;
113  unsigned char ns_cert_type;
118  void *sig_opts;
121 }
123 
128 #define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( ( id ) - 1 ) )
129 
135 typedef struct
136 {
137  uint32_t allowed_mds;
138  uint32_t allowed_pks;
139  uint32_t allowed_curves;
140  uint32_t rsa_min_bitlen;
141 }
143 
144 #define MBEDTLS_X509_CRT_VERSION_1 0
145 #define MBEDTLS_X509_CRT_VERSION_2 1
146 #define MBEDTLS_X509_CRT_VERSION_3 2
147 
148 #define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32
149 #define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15
150 
151 #if !defined( MBEDTLS_X509_MAX_FILE_PATH_LEN )
152 #define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
153 #endif
154 
159 {
160  int version;
170 }
172 
173 #if defined(MBEDTLS_X509_CRT_PARSE_C)
174 
179 
185 
190 
201 int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *buf,
202  size_t buflen );
203 
234 int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen );
235 
236 #if defined(MBEDTLS_FS_IO)
237 
250 int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path );
251 
265 int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path );
266 #endif /* MBEDTLS_FS_IO */
267 
280 int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
281  const mbedtls_x509_crt *crt );
282 
295 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
296  uint32_t flags );
297 
357  mbedtls_x509_crt *trust_ca,
358  mbedtls_x509_crl *ca_crl,
359  const char *cn, uint32_t *flags,
360  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
361  void *p_vrfy );
362 
391  mbedtls_x509_crt *trust_ca,
392  mbedtls_x509_crl *ca_crl,
393  const mbedtls_x509_crt_profile *profile,
394  const char *cn, uint32_t *flags,
395  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
396  void *p_vrfy );
397 
398 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
399 
421  unsigned int usage );
422 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */
423 
424 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
425 
439  const char *usage_oid,
440  size_t usage_len );
441 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
442 
443 #if defined(MBEDTLS_X509_CRL_PARSE_C)
444 
454 #endif /* MBEDTLS_X509_CRL_PARSE_C */
455 
462 
469 #endif /* MBEDTLS_X509_CRT_PARSE_C */
470 
471 /* \} name */
472 /* \} addtogroup x509_module */
473 
474 #if defined(MBEDTLS_X509_CRT_WRITE_C)
475 
481 
491 
501 
516 int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before,
517  const char *not_after );
518 
532  const char *issuer_name );
533 
547  const char *subject_name );
548 
556 
564 
573 
588  const char *oid, size_t oid_len,
589  int critical,
590  const unsigned char *val, size_t val_len );
591 
604  int is_ca, int max_pathlen );
605 
606 #if defined(MBEDTLS_SHA1_C)
607 
617 
628 #endif /* MBEDTLS_SHA1_C */
629 
640  unsigned int key_usage );
641 
652  unsigned char ns_cert_type );
653 
660 
681 int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
682  int (*f_rng)(void *, unsigned char *, size_t),
683  void *p_rng );
684 
685 #if defined(MBEDTLS_PEM_WRITE_C)
686 
702 int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
703  int (*f_rng)(void *, unsigned char *, size_t),
704  void *p_rng );
705 #endif /* MBEDTLS_PEM_WRITE_C */
706 #endif /* MBEDTLS_X509_CRT_WRITE_C */
707 
708 #ifdef __cplusplus
709 }
710 #endif
711 
712 #endif /* mbedtls_x509_crt.h */
int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *ctx)
Set the authorityKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_issuer_key...
int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify the certificate signature.
Public key container.
Definition: pk.h:155
int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Write a built up certificate to a X509 DER structure Note: data is written at the end of the buffer! ...
int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify the certificate signature according to profile.
mbedtls_x509_sequence subject_alt_names
Definition: x509_crt.h:103
int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the chained list.
int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx, const char *oid, size_t oid_len, int critical, const unsigned char *val, size_t val_len)
Generic function to add to or replace an extension in the CRT.
int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx, unsigned char ns_cert_type)
Set the Netscape Cert Type flags (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TY...
mbedtls_pk_type_t
Public key types.
Definition: pk.h:103
int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl)
Verify the certificate revocation status.
Configuration options (set of defines)
char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN+1]
Definition: x509_crt.h:168
int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Write a built up certificate to a X509 PEM string.
struct mbedtls_x509_crt * next
Definition: x509_crt.h:120
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default
int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt, unsigned int usage)
Check usage of certificate against keyUsage extension.
mbedtls_x509_name issuer
Definition: x509_crt.h:92
void mbedtls_x509write_crt_set_subject_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the subject public key for the certificate.
int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx, unsigned int key_usage)
Set the Key Usage Extension flags (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_...
void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)
Initialize a CRT writing context.
mbedtls_x509_buf subject_id
Definition: x509_crt.h:101
struct mbedtls_x509write_cert mbedtls_x509write_cert
void mbedtls_x509write_crt_set_md_alg(mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg)
Set the MD algorithm to use for the signature (e.g. MBEDTLS_MD_SHA1)
mbedtls_x509_buf tbs
Definition: x509_crt.h:83
mbedtls_x509_buf subject_raw
Definition: x509_crt.h:90
void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
Unallocate all certificate data.
mbedtls_x509_buf sig_oid
Definition: x509_crt.h:87
mbedtls_x509_buf issuer_raw
Definition: x509_crt.h:89
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb
int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx, int is_ca, int max_pathlen)
Set the basicConstraints extension for a CRT.
mbedtls_x509_name subject
Definition: x509_crt.h:93
mbedtls_x509_time valid_to
Definition: x509_crt.h:96
int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse one DER-encoded or one or more concatenated PEM-encoded certificates and add them to the chaine...
unsigned char ns_cert_type
Definition: x509_crt.h:113
int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path)
Load one or more certificate files from a path and add them to the chained list. Parses permissively...
int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx)
Set the subjectKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_subject_key(...
int mbedtls_x509write_crt_set_subject_name(mbedtls_x509write_cert *ctx, const char *subject_name)
Set the subject name for a Certificate Subject names should contain a comma-separated list of OID typ...
mbedtls_x509_buf serial
Definition: x509_crt.h:86
void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version)
Set the verion for a Certificate Default: MBEDTLS_X509_CRT_VERSION_3.
mbedtls_x509_time valid_from
Definition: x509_crt.h:95
mbedtls_x509_buf raw
Definition: x509_crt.h:82
int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len)
Check usage of certificate against extendedKeyUsage.
int mbedtls_x509write_crt_set_validity(mbedtls_x509write_cert *ctx, const char *not_before, const char *not_after)
Set the validity period for a Certificate Timestamps should be in string format for UTC timezone i...
#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN
Definition: x509_crt.h:149
void mbedtls_x509write_crt_set_issuer_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the issuer key used for signing the certificate.
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next
mbedtls_pk_context * subject_key
Definition: x509_crt.h:162
mbedtls_pk_type_t sig_pk
Definition: x509_crt.h:117
X.509 generic defines and structures.
int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix, const mbedtls_x509_crt *crt)
Returns an informational string about the certificate.
int mbedtls_x509write_crt_set_issuer_name(mbedtls_x509write_cert *ctx, const char *issuer_name)
Set the issuer name for a Certificate Issuer names should contain a comma-separated list of OID types...
mbedtls_asn1_named_data * subject
Definition: x509_crt.h:164
int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path)
Load one or more certificates and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.
mbedtls_pk_context * issuer_key
Definition: x509_crt.h:163
void * sig_opts
Definition: x509_crt.h:118
char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN+1]
Definition: x509_crt.h:167
mbedtls_md_type_t md_alg
Definition: x509_crt.h:166
mbedtls_x509_buf issuer_id
Definition: x509_crt.h:100
int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial)
Set the serial number for a Certificate.
MPI structure.
Definition: bignum.h:207
X.509 certificate revocation list parsing.
void mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx)
Free the contents of a CRT write context.
struct mbedtls_x509_crt mbedtls_x509_crt
mbedtls_x509_sequence ext_key_usage
Definition: x509_crt.h:111
void mbedtls_x509_crt_init(mbedtls_x509_crt *crt)
Initialize a certificate (chain)
mbedtls_asn1_named_data * extensions
Definition: x509_crt.h:169
unsigned int key_usage
Definition: x509_crt.h:109
mbedtls_pk_context pk
Definition: x509_crt.h:98
mbedtls_x509_buf sig
Definition: x509_crt.h:115
mbedtls_md_type_t
Enumeration of supported message digests.
Definition: md.h:83
int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix, uint32_t flags)
Returns an informational string about the verification status of a certificate.
mbedtls_asn1_named_data * issuer
Definition: x509_crt.h:165
mbedtls_mpi serial
Definition: x509_crt.h:161
mbedtls_x509_buf v3_ext
Definition: x509_crt.h:102
mbedtls_md_type_t sig_md
Definition: x509_crt.h:116