mbed TLS v2.28.0
x509_crt.h
Go to the documentation of this file.
1 
6 /*
7  * Copyright The Mbed TLS Contributors
8  * SPDX-License-Identifier: Apache-2.0
9  *
10  * Licensed under the Apache License, Version 2.0 (the "License"); you may
11  * not use this file except in compliance with the License.
12  * You may obtain a copy of the License at
13  *
14  * http://www.apache.org/licenses/LICENSE-2.0
15  *
16  * Unless required by applicable law or agreed to in writing, software
17  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19  * See the License for the specific language governing permissions and
20  * limitations under the License.
21  */
22 #ifndef MBEDTLS_X509_CRT_H
23 #define MBEDTLS_X509_CRT_H
24 
25 #if !defined(MBEDTLS_CONFIG_FILE)
26 #include "mbedtls/config.h"
27 #else
28 #include MBEDTLS_CONFIG_FILE
29 #endif
30 
31 #include "mbedtls/x509.h"
32 #include "mbedtls/x509_crl.h"
33 #include "mbedtls/bignum.h"
34 
40 #ifdef __cplusplus
41 extern "C" {
42 #endif
43 
52 typedef struct mbedtls_x509_crt
53 {
54  int own_buffer;
59  int version;
82  int ext_types;
83  int ca_istrue;
86  unsigned int key_usage;
90  unsigned char ns_cert_type;
95  void *sig_opts;
98 }
100 
108 {
115  union
116  {
123  struct
124  {
127  }
129  }
130  value;
131 }
133 
138 {
139  int type;
140  union {
143  }
144  san;
145 }
147 
152 #define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( (id) - 1 ) )
153 
160 {
161  uint32_t allowed_mds;
162  uint32_t allowed_pks;
163  uint32_t allowed_curves;
164  uint32_t rsa_min_bitlen;
165 }
167 
168 #define MBEDTLS_X509_CRT_VERSION_1 0
169 #define MBEDTLS_X509_CRT_VERSION_2 1
170 #define MBEDTLS_X509_CRT_VERSION_3 2
171 
172 #define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32
173 #define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15
174 
175 #if !defined( MBEDTLS_X509_MAX_FILE_PATH_LEN )
176 #define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
177 #endif
178 
183 {
184  int version;
194 }
196 
200 typedef struct {
202  uint32_t flags;
204 
208 #define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 )
209 
213 typedef struct
214 {
216  unsigned len;
217 
218 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
219  /* This stores the list of potential trusted signers obtained from
220  * the CA callback used for the CRT verification, if configured.
221  * We must track it somewhere because the callback passes its
222  * ownership to the caller. */
223  mbedtls_x509_crt *trust_ca_cb_result;
224 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
226 
227 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
228 
232 typedef struct
233 {
234  /* for check_signature() */
236 
237  /* for find_parent_in() */
238  mbedtls_x509_crt *parent; /* non-null iff parent_in in progress */
239  mbedtls_x509_crt *fallback_parent;
240  int fallback_signature_is_good;
241 
242  /* for find_parent() */
243  int parent_is_trusted; /* -1 if find_parent is not in progress */
244 
245  /* for verify_chain() */
246  enum {
247  x509_crt_rs_none,
248  x509_crt_rs_find_parent,
249  } in_progress; /* none if no operation is in progress */
250  int self_cnt;
252 
254 
255 #else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
256 
257 /* Now we can declare functions that take a pointer to that */
259 
260 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
261 
262 #if defined(MBEDTLS_X509_CRT_PARSE_C)
263 
277 
283 
288 
310  const unsigned char *buf,
311  size_t buflen );
312 
343 typedef int (*mbedtls_x509_crt_ext_cb_t)( void *p_ctx,
344  mbedtls_x509_crt const *crt,
345  mbedtls_x509_buf const *oid,
346  int critical,
347  const unsigned char *p,
348  const unsigned char *end );
349 
391  const unsigned char *buf,
392  size_t buflen,
393  int make_copy,
395  void *p_ctx );
396 
425  const unsigned char *buf,
426  size_t buflen );
427 
458 int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen );
459 
460 #if defined(MBEDTLS_FS_IO)
461 
474 int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path );
475 
489 int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path );
490 
491 #endif /* MBEDTLS_FS_IO */
492 
533 int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
534  const mbedtls_x509_crt *crt );
535 
548 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
549  uint32_t flags );
550 
618  mbedtls_x509_crt *trust_ca,
619  mbedtls_x509_crl *ca_crl,
620  const char *cn, uint32_t *flags,
621  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
622  void *p_vrfy );
623 
659  mbedtls_x509_crt *trust_ca,
660  mbedtls_x509_crl *ca_crl,
661  const mbedtls_x509_crt_profile *profile,
662  const char *cn, uint32_t *flags,
663  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
664  void *p_vrfy );
665 
693  mbedtls_x509_crt *trust_ca,
694  mbedtls_x509_crl *ca_crl,
695  const mbedtls_x509_crt_profile *profile,
696  const char *cn, uint32_t *flags,
697  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
698  void *p_vrfy,
700 
731 typedef int (*mbedtls_x509_crt_ca_cb_t)( void *p_ctx,
732  mbedtls_x509_crt const *child,
733  mbedtls_x509_crt **candidate_cas );
734 
735 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
736 
758 int mbedtls_x509_crt_verify_with_ca_cb( mbedtls_x509_crt *crt,
759  mbedtls_x509_crt_ca_cb_t f_ca_cb,
760  void *p_ca_cb,
761  const mbedtls_x509_crt_profile *profile,
762  const char *cn, uint32_t *flags,
763  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
764  void *p_vrfy );
765 
766 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
767 
768 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
769 
791  unsigned int usage );
792 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */
793 
794 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
795 
809  const char *usage_oid,
810  size_t usage_len );
811 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
812 
813 #if defined(MBEDTLS_X509_CRL_PARSE_C)
814 
824 #endif /* MBEDTLS_X509_CRL_PARSE_C */
825 
832 
839 
840 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
841 
844 void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx *ctx );
845 
849 void mbedtls_x509_crt_restart_free( mbedtls_x509_crt_restart_ctx *ctx );
850 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
851 #endif /* MBEDTLS_X509_CRT_PARSE_C */
852 
853 /* \} name */
854 /* \} addtogroup x509_module */
855 
856 #if defined(MBEDTLS_X509_CRT_WRITE_C)
857 
863 
873 
883 
898 int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before,
899  const char *not_after );
900 
914  const char *issuer_name );
915 
929  const char *subject_name );
930 
938 
946 
955 
970  const char *oid, size_t oid_len,
971  int critical,
972  const unsigned char *val, size_t val_len );
973 
986  int is_ca, int max_pathlen );
987 
988 #if defined(MBEDTLS_SHA1_C)
989 
999 
1010 #endif /* MBEDTLS_SHA1_C */
1011 
1022  unsigned int key_usage );
1023 
1034  unsigned char ns_cert_type );
1035 
1042 
1063 int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
1064  int (*f_rng)(void *, unsigned char *, size_t),
1065  void *p_rng );
1066 
1067 #if defined(MBEDTLS_PEM_WRITE_C)
1068 
1084 int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
1085  int (*f_rng)(void *, unsigned char *, size_t),
1086  void *p_rng );
1087 #endif /* MBEDTLS_PEM_WRITE_C */
1088 #endif /* MBEDTLS_X509_CRT_WRITE_C */
1089 
1090 #ifdef __cplusplus
1091 }
1092 #endif
1093 
1094 #endif /* mbedtls_x509_crt.h */
int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *ctx)
Set the authorityKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_issuer_key...
int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify a chain of certificates.
Public key container.
Definition: pk.h:200
int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Write a built up certificate to a X509 DER structure Note: data is written at the end of the buffer! ...
int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify a chain of certificates with respect to a configurable security profile.
mbedtls_x509_sequence subject_alt_names
Definition: x509_crt.h:78
mbedtls_x509_buf oid
Definition: x509_crt.h:125
int mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy, mbedtls_x509_crt_restart_ctx *rs_ctx)
Restartable version of mbedtls_crt_verify_with_profile()
struct mbedtls_x509_san_other_name::@1::@2 hardware_module_name
struct mbedtls_x509_san_other_name mbedtls_x509_san_other_name
mbedtls_x509_buf pk_raw
Definition: x509_crt.h:72
int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the end of the provided chained list...
int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx, const char *oid, size_t oid_len, int critical, const unsigned char *val, size_t val_len)
Generic function to add to or replace an extension in the CRT.
int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx, unsigned char ns_cert_type)
Set the Netscape Cert Type flags (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TY...
mbedtls_pk_type_t
Public key types.
Definition: pk.h:95
int(* mbedtls_x509_crt_ca_cb_t)(void *p_ctx, mbedtls_x509_crt const *child, mbedtls_x509_crt **candidate_cas)
The type of trusted certificate callbacks.
Definition: x509_crt.h:731
int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl)
Verify the certificate revocation status.
Configuration options (set of defines)
char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN+1]
Definition: x509_crt.h:192
int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Write a built up certificate to a X509 PEM string.
mbedtls_x509_sequence certificate_policies
Definition: x509_crt.h:80
struct mbedtls_x509_crt * next
Definition: x509_crt.h:97
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default
int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt, unsigned int usage)
Check usage of certificate against keyUsage extension.
mbedtls_x509_name issuer
Definition: x509_crt.h:66
void mbedtls_x509write_crt_set_subject_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the subject public key for the certificate.
int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx, unsigned int key_usage)
Set the Key Usage Extension flags (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_...
void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)
Initialize a CRT writing context.
mbedtls_x509_buf subject_id
Definition: x509_crt.h:76
struct mbedtls_x509write_cert mbedtls_x509write_cert
void mbedtls_x509write_crt_set_md_alg(mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg)
Set the MD algorithm to use for the signature (e.g. MBEDTLS_MD_SHA1)
mbedtls_x509_buf tbs
Definition: x509_crt.h:57
Multi-precision integer library.
mbedtls_x509_buf subject_raw
Definition: x509_crt.h:64
void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
Unallocate all certificate data.
mbedtls_x509_buf sig_oid
Definition: x509_crt.h:61
void mbedtls_pk_restart_ctx
Definition: pk.h:217
mbedtls_x509_buf issuer_raw
Definition: x509_crt.h:63
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb
mbedtls_x509_san_other_name other_name
Definition: x509_crt.h:141
int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx, int is_ca, int max_pathlen)
Set the basicConstraints extension for a CRT.
mbedtls_x509_name subject
Definition: x509_crt.h:67
mbedtls_x509_time valid_to
Definition: x509_crt.h:70
int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse one DER-encoded or one or more concatenated PEM-encoded certificates and add them to the chaine...
struct mbedtls_x509_crt_profile mbedtls_x509_crt_profile
unsigned char ns_cert_type
Definition: x509_crt.h:90
int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path)
Load one or more certificate files from a path and add them to the chained list. Parses permissively...
int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx)
Set the subjectKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_subject_key(...
int mbedtls_x509write_crt_set_subject_name(mbedtls_x509write_cert *ctx, const char *subject_name)
Set the subject name for a Certificate Subject names should contain a comma-separated list of OID typ...
mbedtls_x509_buf serial
Definition: x509_crt.h:60
void mbedtls_x509_crt_restart_ctx
Definition: x509_crt.h:258
void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version)
Set the verion for a Certificate Default: MBEDTLS_X509_CRT_VERSION_3.
mbedtls_x509_time valid_from
Definition: x509_crt.h:69
mbedtls_x509_buf raw
Definition: x509_crt.h:56
int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len)
Check usage of certificate against extendedKeyUsage.
int mbedtls_x509write_crt_set_validity(mbedtls_x509write_cert *ctx, const char *not_before, const char *not_after)
Set the validity period for a Certificate Timestamps should be in string format for UTC timezone i...
union mbedtls_x509_subject_alternative_name::@3 san
#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN
Definition: x509_crt.h:173
#define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE
Definition: x509_crt.h:208
void mbedtls_x509write_crt_set_issuer_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the issuer key used for signing the certificate.
mbedtls_x509_buf val
Definition: x509_crt.h:126
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next
mbedtls_pk_context * subject_key
Definition: x509_crt.h:186
mbedtls_pk_type_t sig_pk
Definition: x509_crt.h:94
int(* mbedtls_x509_crt_ext_cb_t)(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid, int critical, const unsigned char *p, const unsigned char *end)
The type of certificate extension callbacks.
Definition: x509_crt.h:343
X.509 generic defines and structures.
int mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen, int make_copy, mbedtls_x509_crt_ext_cb_t cb, void *p_ctx)
Parse a single DER formatted certificate and add it to the end of the provided chained list...
int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix, const mbedtls_x509_crt *crt)
Returns an informational string about the certificate.
int mbedtls_x509write_crt_set_issuer_name(mbedtls_x509write_cert *ctx, const char *issuer_name)
Set the issuer name for a Certificate Issuer names should contain a comma-separated list of OID types...
mbedtls_asn1_named_data * subject
Definition: x509_crt.h:188
int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, mbedtls_x509_subject_alternative_name *san)
This function parses an item in the SubjectAlternativeNames extension.
int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path)
Load one or more certificates and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.
mbedtls_pk_context * issuer_key
Definition: x509_crt.h:187
void * sig_opts
Definition: x509_crt.h:95
char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN+1]
Definition: x509_crt.h:191
mbedtls_md_type_t md_alg
Definition: x509_crt.h:190
mbedtls_x509_buf issuer_id
Definition: x509_crt.h:75
int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial)
Set the serial number for a Certificate.
MPI structure.
Definition: bignum.h:192
X.509 certificate revocation list parsing.
void mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx)
Free the contents of a CRT write context.
struct mbedtls_x509_crt mbedtls_x509_crt
mbedtls_x509_sequence ext_key_usage
Definition: x509_crt.h:88
int mbedtls_x509_crt_parse_der_nocopy(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the end of the provided chained list...
void mbedtls_x509_crt_init(mbedtls_x509_crt *crt)
Initialize a certificate (chain)
mbedtls_asn1_named_data * extensions
Definition: x509_crt.h:193
unsigned int key_usage
Definition: x509_crt.h:86
union mbedtls_x509_san_other_name::@1 value
mbedtls_x509_buf type_id
Definition: x509_crt.h:114
mbedtls_pk_context pk
Definition: x509_crt.h:73
mbedtls_x509_buf sig
Definition: x509_crt.h:92
mbedtls_md_type_t
Supported message digests.
Definition: md.h:62
int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix, uint32_t flags)
Returns an informational string about the verification status of a certificate.
struct mbedtls_x509_subject_alternative_name mbedtls_x509_subject_alternative_name
mbedtls_asn1_named_data * issuer
Definition: x509_crt.h:189
mbedtls_mpi serial
Definition: x509_crt.h:185
mbedtls_x509_buf v3_ext
Definition: x509_crt.h:77
mbedtls_md_type_t sig_md
Definition: x509_crt.h:93