mbed TLS v2.7.17
x509_crt.h
Go to the documentation of this file.
1 
6 /*
7  * Copyright The Mbed TLS Contributors
8  * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
9  *
10  * This file is provided under the Apache License 2.0, or the
11  * GNU General Public License v2.0 or later.
12  *
13  * **********
14  * Apache License 2.0:
15  *
16  * Licensed under the Apache License, Version 2.0 (the "License"); you may
17  * not use this file except in compliance with the License.
18  * You may obtain a copy of the License at
19  *
20  * http://www.apache.org/licenses/LICENSE-2.0
21  *
22  * Unless required by applicable law or agreed to in writing, software
23  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
24  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
25  * See the License for the specific language governing permissions and
26  * limitations under the License.
27  *
28  * **********
29  *
30  * **********
31  * GNU General Public License v2.0 or later:
32  *
33  * This program is free software; you can redistribute it and/or modify
34  * it under the terms of the GNU General Public License as published by
35  * the Free Software Foundation; either version 2 of the License, or
36  * (at your option) any later version.
37  *
38  * This program is distributed in the hope that it will be useful,
39  * but WITHOUT ANY WARRANTY; without even the implied warranty of
40  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
41  * GNU General Public License for more details.
42  *
43  * You should have received a copy of the GNU General Public License along
44  * with this program; if not, write to the Free Software Foundation, Inc.,
45  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
46  *
47  * **********
48  */
49 #ifndef MBEDTLS_X509_CRT_H
50 #define MBEDTLS_X509_CRT_H
51 
52 #if !defined(MBEDTLS_CONFIG_FILE)
53 #include "config.h"
54 #else
55 #include MBEDTLS_CONFIG_FILE
56 #endif
57 
58 #include "x509.h"
59 #include "x509_crl.h"
60 
66 #ifdef __cplusplus
67 extern "C" {
68 #endif
69 
78 typedef struct mbedtls_x509_crt
79 {
83  int version;
103  int ext_types;
104  int ca_istrue;
107  unsigned int key_usage;
111  unsigned char ns_cert_type;
116  void *sig_opts;
119 }
121 
126 #define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( ( id ) - 1 ) )
127 
133 typedef struct
134 {
135  uint32_t allowed_mds;
136  uint32_t allowed_pks;
137  uint32_t allowed_curves;
138  uint32_t rsa_min_bitlen;
139 }
141 
142 #define MBEDTLS_X509_CRT_VERSION_1 0
143 #define MBEDTLS_X509_CRT_VERSION_2 1
144 #define MBEDTLS_X509_CRT_VERSION_3 2
145 
146 #define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32
147 #define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15
148 
149 #if !defined( MBEDTLS_X509_MAX_FILE_PATH_LEN )
150 #define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
151 #endif
152 
157 {
158  int version;
168 }
170 
171 #if defined(MBEDTLS_X509_CRT_PARSE_C)
172 
177 
183 
188 
199 int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *buf,
200  size_t buflen );
201 
232 int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen );
233 
234 #if defined(MBEDTLS_FS_IO)
235 
248 int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path );
249 
263 int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path );
264 #endif /* MBEDTLS_FS_IO */
265 
278 int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
279  const mbedtls_x509_crt *crt );
280 
293 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
294  uint32_t flags );
295 
355  mbedtls_x509_crt *trust_ca,
356  mbedtls_x509_crl *ca_crl,
357  const char *cn, uint32_t *flags,
358  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
359  void *p_vrfy );
360 
389  mbedtls_x509_crt *trust_ca,
390  mbedtls_x509_crl *ca_crl,
391  const mbedtls_x509_crt_profile *profile,
392  const char *cn, uint32_t *flags,
393  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
394  void *p_vrfy );
395 
396 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
397 
419  unsigned int usage );
420 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */
421 
422 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
423 
437  const char *usage_oid,
438  size_t usage_len );
439 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
440 
441 #if defined(MBEDTLS_X509_CRL_PARSE_C)
442 
452 #endif /* MBEDTLS_X509_CRL_PARSE_C */
453 
460 
467 #endif /* MBEDTLS_X509_CRT_PARSE_C */
468 
469 /* \} name */
470 /* \} addtogroup x509_module */
471 
472 #if defined(MBEDTLS_X509_CRT_WRITE_C)
473 
479 
489 
499 
514 int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before,
515  const char *not_after );
516 
530  const char *issuer_name );
531 
545  const char *subject_name );
546 
554 
562 
571 
586  const char *oid, size_t oid_len,
587  int critical,
588  const unsigned char *val, size_t val_len );
589 
602  int is_ca, int max_pathlen );
603 
604 #if defined(MBEDTLS_SHA1_C)
605 
615 
626 #endif /* MBEDTLS_SHA1_C */
627 
638  unsigned int key_usage );
639 
650  unsigned char ns_cert_type );
651 
658 
679 int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
680  int (*f_rng)(void *, unsigned char *, size_t),
681  void *p_rng );
682 
683 #if defined(MBEDTLS_PEM_WRITE_C)
684 
700 int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
701  int (*f_rng)(void *, unsigned char *, size_t),
702  void *p_rng );
703 #endif /* MBEDTLS_PEM_WRITE_C */
704 #endif /* MBEDTLS_X509_CRT_WRITE_C */
705 
706 #ifdef __cplusplus
707 }
708 #endif
709 
710 #endif /* mbedtls_x509_crt.h */
int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *ctx)
Set the authorityKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_issuer_key...
int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify the certificate signature.
Public key container.
Definition: pk.h:153
int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Write a built up certificate to a X509 DER structure Note: data is written at the end of the buffer! ...
int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify the certificate signature according to profile.
mbedtls_x509_sequence subject_alt_names
Definition: x509_crt.h:101
int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the chained list.
int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx, const char *oid, size_t oid_len, int critical, const unsigned char *val, size_t val_len)
Generic function to add to or replace an extension in the CRT.
int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx, unsigned char ns_cert_type)
Set the Netscape Cert Type flags (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TY...
mbedtls_pk_type_t
Public key types.
Definition: pk.h:101
int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl)
Verify the certificate revocation status.
Configuration options (set of defines)
char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN+1]
Definition: x509_crt.h:166
int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Write a built up certificate to a X509 PEM string.
struct mbedtls_x509_crt * next
Definition: x509_crt.h:118
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default
int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt, unsigned int usage)
Check usage of certificate against keyUsage extension.
mbedtls_x509_name issuer
Definition: x509_crt.h:90
void mbedtls_x509write_crt_set_subject_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the subject public key for the certificate.
int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx, unsigned int key_usage)
Set the Key Usage Extension flags (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_...
void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)
Initialize a CRT writing context.
mbedtls_x509_buf subject_id
Definition: x509_crt.h:99
struct mbedtls_x509write_cert mbedtls_x509write_cert
void mbedtls_x509write_crt_set_md_alg(mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg)
Set the MD algorithm to use for the signature (e.g. MBEDTLS_MD_SHA1)
mbedtls_x509_buf tbs
Definition: x509_crt.h:81
mbedtls_x509_buf subject_raw
Definition: x509_crt.h:88
void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
Unallocate all certificate data.
mbedtls_x509_buf sig_oid
Definition: x509_crt.h:85
mbedtls_x509_buf issuer_raw
Definition: x509_crt.h:87
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb
int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx, int is_ca, int max_pathlen)
Set the basicConstraints extension for a CRT.
mbedtls_x509_name subject
Definition: x509_crt.h:91
mbedtls_x509_time valid_to
Definition: x509_crt.h:94
int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse one DER-encoded or one or more concatenated PEM-encoded certificates and add them to the chaine...
unsigned char ns_cert_type
Definition: x509_crt.h:111
int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path)
Load one or more certificate files from a path and add them to the chained list. Parses permissively...
int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx)
Set the subjectKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_subject_key(...
int mbedtls_x509write_crt_set_subject_name(mbedtls_x509write_cert *ctx, const char *subject_name)
Set the subject name for a Certificate Subject names should contain a comma-separated list of OID typ...
mbedtls_x509_buf serial
Definition: x509_crt.h:84
void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version)
Set the verion for a Certificate Default: MBEDTLS_X509_CRT_VERSION_3.
mbedtls_x509_time valid_from
Definition: x509_crt.h:93
mbedtls_x509_buf raw
Definition: x509_crt.h:80
int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len)
Check usage of certificate against extendedKeyUsage.
int mbedtls_x509write_crt_set_validity(mbedtls_x509write_cert *ctx, const char *not_before, const char *not_after)
Set the validity period for a Certificate Timestamps should be in string format for UTC timezone i...
#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN
Definition: x509_crt.h:147
void mbedtls_x509write_crt_set_issuer_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the issuer key used for signing the certificate.
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next
mbedtls_pk_context * subject_key
Definition: x509_crt.h:160
mbedtls_pk_type_t sig_pk
Definition: x509_crt.h:115
X.509 generic defines and structures.
int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix, const mbedtls_x509_crt *crt)
Returns an informational string about the certificate.
int mbedtls_x509write_crt_set_issuer_name(mbedtls_x509write_cert *ctx, const char *issuer_name)
Set the issuer name for a Certificate Issuer names should contain a comma-separated list of OID types...
mbedtls_asn1_named_data * subject
Definition: x509_crt.h:162
int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path)
Load one or more certificates and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.
mbedtls_pk_context * issuer_key
Definition: x509_crt.h:161
void * sig_opts
Definition: x509_crt.h:116
char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN+1]
Definition: x509_crt.h:165
mbedtls_md_type_t md_alg
Definition: x509_crt.h:164
mbedtls_x509_buf issuer_id
Definition: x509_crt.h:98
int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial)
Set the serial number for a Certificate.
MPI structure.
Definition: bignum.h:205
X.509 certificate revocation list parsing.
void mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx)
Free the contents of a CRT write context.
struct mbedtls_x509_crt mbedtls_x509_crt
mbedtls_x509_sequence ext_key_usage
Definition: x509_crt.h:109
void mbedtls_x509_crt_init(mbedtls_x509_crt *crt)
Initialize a certificate (chain)
mbedtls_asn1_named_data * extensions
Definition: x509_crt.h:167
unsigned int key_usage
Definition: x509_crt.h:107
mbedtls_pk_context pk
Definition: x509_crt.h:96
mbedtls_x509_buf sig
Definition: x509_crt.h:113
mbedtls_md_type_t
Enumeration of supported message digests.
Definition: md.h:81
int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix, uint32_t flags)
Returns an informational string about the verification status of a certificate.
mbedtls_asn1_named_data * issuer
Definition: x509_crt.h:163
mbedtls_mpi serial
Definition: x509_crt.h:159
mbedtls_x509_buf v3_ext
Definition: x509_crt.h:100
mbedtls_md_type_t sig_md
Definition: x509_crt.h:114