mbed TLS v2.6.0
x509_crt.h
Go to the documentation of this file.
1 
25 #ifndef MBEDTLS_X509_CRT_H
26 #define MBEDTLS_X509_CRT_H
27 
28 #if !defined(MBEDTLS_CONFIG_FILE)
29 #include "config.h"
30 #else
31 #include MBEDTLS_CONFIG_FILE
32 #endif
33 
34 #include "x509.h"
35 #include "x509_crl.h"
36 
42 #ifdef __cplusplus
43 extern "C" {
44 #endif
45 
54 typedef struct mbedtls_x509_crt
55 {
59  int version;
79  int ext_types;
80  int ca_istrue;
83  unsigned int key_usage;
87  unsigned char ns_cert_type;
92  void *sig_opts;
95 }
97 
102 #define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( id - 1 ) )
103 
109 typedef struct
110 {
111  uint32_t allowed_mds;
112  uint32_t allowed_pks;
113  uint32_t allowed_curves;
114  uint32_t rsa_min_bitlen;
115 }
117 
118 #define MBEDTLS_X509_CRT_VERSION_1 0
119 #define MBEDTLS_X509_CRT_VERSION_2 1
120 #define MBEDTLS_X509_CRT_VERSION_3 2
121 
122 #define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32
123 #define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15
124 
125 #if !defined( MBEDTLS_X509_MAX_FILE_PATH_LEN )
126 #define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
127 #endif
128 
133 {
134  int version;
144 }
146 
147 #if defined(MBEDTLS_X509_CRT_PARSE_C)
148 
153 
159 
164 
175 int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *buf,
176  size_t buflen );
177 
193 int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen );
194 
195 #if defined(MBEDTLS_FS_IO)
196 
209 int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path );
210 
224 int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path );
225 #endif /* MBEDTLS_FS_IO */
226 
239 int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
240  const mbedtls_x509_crt *crt );
241 
254 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
255  uint32_t flags );
256 
309  mbedtls_x509_crt *trust_ca,
310  mbedtls_x509_crl *ca_crl,
311  const char *cn, uint32_t *flags,
312  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
313  void *p_vrfy );
314 
343  mbedtls_x509_crt *trust_ca,
344  mbedtls_x509_crl *ca_crl,
345  const mbedtls_x509_crt_profile *profile,
346  const char *cn, uint32_t *flags,
347  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
348  void *p_vrfy );
349 
350 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
351 
373  unsigned int usage );
374 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */
375 
376 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
377 
390  const char *usage_oid,
391  size_t usage_len );
392 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) */
393 
394 #if defined(MBEDTLS_X509_CRL_PARSE_C)
395 
405 #endif /* MBEDTLS_X509_CRL_PARSE_C */
406 
413 
420 #endif /* MBEDTLS_X509_CRT_PARSE_C */
421 
422 /* \} name */
423 /* \} addtogroup x509_module */
424 
425 #if defined(MBEDTLS_X509_CRT_WRITE_C)
426 
432 
442 
452 
467 int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before,
468  const char *not_after );
469 
483  const char *issuer_name );
484 
498  const char *subject_name );
499 
507 
515 
524 
539  const char *oid, size_t oid_len,
540  int critical,
541  const unsigned char *val, size_t val_len );
542 
555  int is_ca, int max_pathlen );
556 
557 #if defined(MBEDTLS_SHA1_C)
558 
568 
579 #endif /* MBEDTLS_SHA1_C */
580 
591  unsigned int key_usage );
592 
603  unsigned char ns_cert_type );
604 
611 
632 int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
633  int (*f_rng)(void *, unsigned char *, size_t),
634  void *p_rng );
635 
636 #if defined(MBEDTLS_PEM_WRITE_C)
637 
653 int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
654  int (*f_rng)(void *, unsigned char *, size_t),
655  void *p_rng );
656 #endif /* MBEDTLS_PEM_WRITE_C */
657 #endif /* MBEDTLS_X509_CRT_WRITE_C */
658 
659 #ifdef __cplusplus
660 }
661 #endif
662 
663 #endif /* mbedtls_x509_crt.h */
int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *ctx)
Set the authorityKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_issuer_key...
int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify the certificate signature.
Public key container.
Definition: pk.h:128
int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Write a built up certificate to a X509 DER structure Note: data is written at the end of the buffer! ...
int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify the certificate signature according to profile.
mbedtls_x509_sequence subject_alt_names
Optional list of Subject Alternative Names (Only dNSName supported).
Definition: x509_crt.h:77
int ext_types
Bit string containing detected and parsed extensions.
Definition: x509_crt.h:79
uint32_t allowed_curves
Elliptic curves for ECDSA.
Definition: x509_crt.h:113
Certificate revocation list structure.
Definition: x509_crl.h:71
int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the chained list.
int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx, const char *oid, size_t oid_len, int critical, const unsigned char *val, size_t val_len)
Generic function to add to or replace an extension in the CRT.
int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx, unsigned char ns_cert_type)
Set the Netscape Cert Type flags (e.g.
mbedtls_pk_type_t
Public key types.
Definition: pk.h:76
int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl)
Verify the certificate revocation status.
Configuration options (set of defines)
char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN+1]
Definition: x509_crt.h:142
int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Write a built up certificate to a X509 PEM string.
struct mbedtls_x509_crt * next
Next certificate in the CA-chain.
Definition: x509_crt.h:94
Container for a sequence of ASN.1 items.
Definition: asn1.h:142
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default
Default security profile.
int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt, unsigned int usage)
Check usage of certificate against keyUsage extension.
mbedtls_x509_name issuer
The parsed issuer data (named information object).
Definition: x509_crt.h:66
void mbedtls_x509write_crt_set_subject_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the subject public key for the certificate.
int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx, unsigned int key_usage)
Set the Key Usage Extension flags (e.g.
void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)
Initialize a CRT writing context.
mbedtls_x509_buf subject_id
Optional X.509 v2/v3 subject unique identifier.
Definition: x509_crt.h:75
struct mbedtls_x509write_cert mbedtls_x509write_cert
Container for writing a certificate (CRT)
void mbedtls_x509write_crt_set_md_alg(mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg)
Set the MD algorithm to use for the signature (e.g.
mbedtls_x509_buf tbs
The raw certificate body (DER).
Definition: x509_crt.h:57
Container for a sequence or list of 'named' ASN.1 data items.
Definition: asn1.h:152
mbedtls_x509_buf subject_raw
The raw subject data (DER).
Definition: x509_crt.h:64
void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
Unallocate all certificate data.
mbedtls_x509_buf sig_oid
Signature algorithm, e.g.
Definition: x509_crt.h:61
mbedtls_x509_buf issuer_raw
The raw issuer data (DER).
Definition: x509_crt.h:63
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb
NSA Suite B profile.
int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx, int is_ca, int max_pathlen)
Set the basicConstraints extension for a CRT.
mbedtls_x509_name subject
The parsed subject data (named information object).
Definition: x509_crt.h:67
mbedtls_x509_time valid_to
End time of certificate validity.
Definition: x509_crt.h:70
int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse one or more certificates and add them to the chained list.
unsigned char ns_cert_type
Optional Netscape certificate type extension value: See the values in x509.h.
Definition: x509_crt.h:87
Type-length-value structure that allows for ASN1 using DER.
Definition: asn1.h:120
Container for date and time (precision in seconds).
Definition: x509.h:209
int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path)
Load one or more certificate files from a path and add them to the chained list.
Container for writing a certificate (CRT)
Definition: x509_crt.h:132
int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx)
Set the subjectKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_subject_key(...
int mbedtls_x509write_crt_set_subject_name(mbedtls_x509write_cert *ctx, const char *subject_name)
Set the subject name for a Certificate Subject names should contain a comma-separated list of OID typ...
mbedtls_x509_buf serial
Unique id for certificate issued by a specific CA.
Definition: x509_crt.h:60
void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version)
Set the verion for a Certificate Default: MBEDTLS_X509_CRT_VERSION_3.
uint32_t rsa_min_bitlen
Minimum size for RSA keys.
Definition: x509_crt.h:114
mbedtls_x509_time valid_from
Start time of certificate validity.
Definition: x509_crt.h:69
mbedtls_x509_buf raw
The raw certificate data (DER).
Definition: x509_crt.h:56
int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len)
Check usage of certificate against extentedJeyUsage.
int mbedtls_x509write_crt_set_validity(mbedtls_x509write_cert *ctx, const char *not_before, const char *not_after)
Set the validity period for a Certificate Timestamps should be in string format for UTC timezone i...
#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN
Definition: x509_crt.h:123
void mbedtls_x509write_crt_set_issuer_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the issuer key used for signing the certificate.
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next
Expected next default profile.
mbedtls_pk_context * subject_key
Definition: x509_crt.h:136
mbedtls_pk_type_t sig_pk
Internal representation of the Public Key algorithm of the signature algorithm, e.g.
Definition: x509_crt.h:91
X.509 generic defines and structures.
int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix, const mbedtls_x509_crt *crt)
Returns an informational string about the certificate.
int mbedtls_x509write_crt_set_issuer_name(mbedtls_x509write_cert *ctx, const char *issuer_name)
Set the issuer name for a Certificate Issuer names should contain a comma-separated list of OID types...
mbedtls_asn1_named_data * subject
Definition: x509_crt.h:138
int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path)
Load one or more certificates and add them to the chained list.
mbedtls_pk_context * issuer_key
Definition: x509_crt.h:137
void * sig_opts
Signature options to be passed to mbedtls_pk_verify_ext(), e.g.
Definition: x509_crt.h:92
char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN+1]
Definition: x509_crt.h:141
mbedtls_md_type_t md_alg
Definition: x509_crt.h:140
mbedtls_x509_buf issuer_id
Optional X.509 v2/v3 issuer unique identifier.
Definition: x509_crt.h:74
int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial)
Set the serial number for a Certificate.
MPI structure.
Definition: bignum.h:181
X.509 certificate revocation list parsing.
void mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx)
Free the contents of a CRT write context.
Container for an X.509 certificate.
Definition: x509_crt.h:54
struct mbedtls_x509_crt mbedtls_x509_crt
Container for an X.509 certificate.
mbedtls_x509_sequence ext_key_usage
Optional list of extended key usage OIDs.
Definition: x509_crt.h:85
int max_pathlen
Optional Basic Constraint extension value: The maximum path length to the root certificate.
Definition: x509_crt.h:81
Security profile for certificate verification.
Definition: x509_crt.h:109
void mbedtls_x509_crt_init(mbedtls_x509_crt *crt)
Initialize a certificate (chain)
mbedtls_asn1_named_data * extensions
Definition: x509_crt.h:143
unsigned int key_usage
Optional key usage extension value: See the values in x509.h.
Definition: x509_crt.h:83
uint32_t allowed_pks
PK algs for signatures.
Definition: x509_crt.h:112
uint32_t allowed_mds
MDs for signatures.
Definition: x509_crt.h:111
mbedtls_pk_context pk
Container for the public key context.
Definition: x509_crt.h:72
mbedtls_x509_buf sig
Signature: hash of the tbs part signed with the private key.
Definition: x509_crt.h:89
mbedtls_md_type_t
Definition: md.h:41
int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix, uint32_t flags)
Returns an informational string about the verification status of a certificate.
mbedtls_asn1_named_data * issuer
Definition: x509_crt.h:139
mbedtls_mpi serial
Definition: x509_crt.h:135
mbedtls_x509_buf v3_ext
Optional X.509 v3 extensions.
Definition: x509_crt.h:76
int ca_istrue
Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise...
Definition: x509_crt.h:80
int version
The X.509 version.
Definition: x509_crt.h:59
mbedtls_md_type_t sig_md
Internal representation of the MD algorithm of the signature algorithm, e.g.
Definition: x509_crt.h:90