mbed TLS v2.28.1
x509_crt.h
Go to the documentation of this file.
1 
6 /*
7  * Copyright The Mbed TLS Contributors
8  * SPDX-License-Identifier: Apache-2.0
9  *
10  * Licensed under the Apache License, Version 2.0 (the "License"); you may
11  * not use this file except in compliance with the License.
12  * You may obtain a copy of the License at
13  *
14  * http://www.apache.org/licenses/LICENSE-2.0
15  *
16  * Unless required by applicable law or agreed to in writing, software
17  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19  * See the License for the specific language governing permissions and
20  * limitations under the License.
21  */
22 #ifndef MBEDTLS_X509_CRT_H
23 #define MBEDTLS_X509_CRT_H
24 
25 #if !defined(MBEDTLS_CONFIG_FILE)
26 #include "mbedtls/config.h"
27 #else
28 #include MBEDTLS_CONFIG_FILE
29 #endif
30 
31 #include "mbedtls/x509.h"
32 #include "mbedtls/x509_crl.h"
33 #include "mbedtls/bignum.h"
34 
40 #ifdef __cplusplus
41 extern "C" {
42 #endif
43 
52 typedef struct mbedtls_x509_crt
53 {
54  int own_buffer;
59  int version;
82  int ext_types;
83  int ca_istrue;
86  unsigned int key_usage;
90  unsigned char ns_cert_type;
95  void *sig_opts;
98 }
100 
108 {
115  union
116  {
123  struct
124  {
127  }
129  }
131 }
133 
138 {
139  int type;
140  union {
143  }
144  san;
145 }
147 
152 #define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( (id) - 1 ) )
153 
160 {
161  uint32_t allowed_mds;
162  uint32_t allowed_pks;
165  uint32_t allowed_curves;
166  uint32_t rsa_min_bitlen;
167 }
169 
170 #define MBEDTLS_X509_CRT_VERSION_1 0
171 #define MBEDTLS_X509_CRT_VERSION_2 1
172 #define MBEDTLS_X509_CRT_VERSION_3 2
173 
174 #define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32
175 #define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15
176 
177 #if !defined( MBEDTLS_X509_MAX_FILE_PATH_LEN )
178 #define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
179 #endif
180 
185 {
186  int version;
196 }
198 
202 typedef struct {
204  uint32_t flags;
206 
210 #define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 )
211 
215 typedef struct
216 {
218  unsigned len;
219 
220 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
221  /* This stores the list of potential trusted signers obtained from
222  * the CA callback used for the CRT verification, if configured.
223  * We must track it somewhere because the callback passes its
224  * ownership to the caller. */
225  mbedtls_x509_crt *trust_ca_cb_result;
226 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
228 
229 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
230 
234 typedef struct
235 {
236  /* for check_signature() */
238 
239  /* for find_parent_in() */
240  mbedtls_x509_crt *parent; /* non-null iff parent_in in progress */
241  mbedtls_x509_crt *fallback_parent;
242  int fallback_signature_is_good;
243 
244  /* for find_parent() */
245  int parent_is_trusted; /* -1 if find_parent is not in progress */
246 
247  /* for verify_chain() */
248  enum {
249  x509_crt_rs_none,
250  x509_crt_rs_find_parent,
251  } in_progress; /* none if no operation is in progress */
252  int self_cnt;
254 
256 
257 #else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
258 
259 /* Now we can declare functions that take a pointer to that */
261 
262 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
263 
264 #if defined(MBEDTLS_X509_CRT_PARSE_C)
279 
285 
290 
312  const unsigned char *buf,
313  size_t buflen );
314 
345 typedef int (*mbedtls_x509_crt_ext_cb_t)( void *p_ctx,
346  mbedtls_x509_crt const *crt,
347  mbedtls_x509_buf const *oid,
348  int critical,
349  const unsigned char *p,
350  const unsigned char *end );
351 
393  const unsigned char *buf,
394  size_t buflen,
395  int make_copy,
397  void *p_ctx );
398 
427  const unsigned char *buf,
428  size_t buflen );
429 
460 int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen );
461 
462 #if defined(MBEDTLS_FS_IO)
476 int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path );
477 
491 int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path );
492 
493 #endif /* MBEDTLS_FS_IO */
535 int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
536  const mbedtls_x509_crt *crt );
537 
550 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
551  uint32_t flags );
552 
620  mbedtls_x509_crt *trust_ca,
621  mbedtls_x509_crl *ca_crl,
622  const char *cn, uint32_t *flags,
623  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
624  void *p_vrfy );
625 
661  mbedtls_x509_crt *trust_ca,
662  mbedtls_x509_crl *ca_crl,
663  const mbedtls_x509_crt_profile *profile,
664  const char *cn, uint32_t *flags,
665  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
666  void *p_vrfy );
667 
695  mbedtls_x509_crt *trust_ca,
696  mbedtls_x509_crl *ca_crl,
697  const mbedtls_x509_crt_profile *profile,
698  const char *cn, uint32_t *flags,
699  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
700  void *p_vrfy,
702 
733 typedef int (*mbedtls_x509_crt_ca_cb_t)( void *p_ctx,
734  mbedtls_x509_crt const *child,
735  mbedtls_x509_crt **candidate_cas );
736 
737 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
760 int mbedtls_x509_crt_verify_with_ca_cb( mbedtls_x509_crt *crt,
761  mbedtls_x509_crt_ca_cb_t f_ca_cb,
762  void *p_ca_cb,
763  const mbedtls_x509_crt_profile *profile,
764  const char *cn, uint32_t *flags,
765  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
766  void *p_vrfy );
767 
768 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
769 
770 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
793  unsigned int usage );
794 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */
795 
796 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
811  const char *usage_oid,
812  size_t usage_len );
813 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
814 
815 #if defined(MBEDTLS_X509_CRL_PARSE_C)
826 #endif /* MBEDTLS_X509_CRL_PARSE_C */
827 
834 
841 
842 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
846 void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx *ctx );
847 
851 void mbedtls_x509_crt_restart_free( mbedtls_x509_crt_restart_ctx *ctx );
852 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
853 #endif /* MBEDTLS_X509_CRT_PARSE_C */
854 
857 #if defined(MBEDTLS_X509_CRT_WRITE_C)
864 
874 
884 
900  const char *not_after );
901 
915  const char *issuer_name );
916 
930  const char *subject_name );
931 
939 
947 
956 
971  const char *oid, size_t oid_len,
972  int critical,
973  const unsigned char *val, size_t val_len );
974 
987  int is_ca, int max_pathlen );
988 
989 #if defined(MBEDTLS_SHA1_C)
1000 
1011 #endif /* MBEDTLS_SHA1_C */
1012 
1023  unsigned int key_usage );
1024 
1035  unsigned char ns_cert_type );
1036 
1043 
1064 int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
1065  int (*f_rng)(void *, unsigned char *, size_t),
1066  void *p_rng );
1067 
1068 #if defined(MBEDTLS_PEM_WRITE_C)
1085 int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
1086  int (*f_rng)(void *, unsigned char *, size_t),
1087  void *p_rng );
1088 #endif /* MBEDTLS_PEM_WRITE_C */
1089 #endif /* MBEDTLS_X509_CRT_WRITE_C */
1090 
1093 #ifdef __cplusplus
1094 }
1095 #endif
1096 
1097 #endif /* mbedtls_x509_crt.h */
Multi-precision integer library.
Configuration options (set of defines)
int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the end of the provided chained list.
int mbedtls_x509_crt_parse_der_nocopy(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the end of the provided chained list....
void mbedtls_x509_crt_init(mbedtls_x509_crt *crt)
Initialize a certificate (chain)
int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse one DER-encoded or one or more concatenated PEM-encoded certificates and add them to the chaine...
int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx)
Set the subjectKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_subject_key(...
int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt, unsigned int usage)
Check usage of certificate against keyUsage extension.
int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl)
Verify the certificate revocation status.
void mbedtls_x509write_crt_set_subject_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the subject public key for the certificate.
int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, mbedtls_x509_subject_alternative_name *san)
This function parses an item in the SubjectAlternativeNames extension.
int mbedtls_x509write_crt_set_subject_name(mbedtls_x509write_cert *ctx, const char *subject_name)
Set the subject name for a Certificate Subject names should contain a comma-separated list of OID typ...
int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Write a built up certificate to a X509 PEM string.
void mbedtls_x509_crt_restart_ctx
Definition: x509_crt.h:260
int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial)
Set the serial number for a Certificate.
int mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy, mbedtls_x509_crt_restart_ctx *rs_ctx)
Restartable version of mbedtls_crt_verify_with_profile()
void mbedtls_x509write_crt_set_issuer_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the issuer key used for signing the certificate.
int(* mbedtls_x509_crt_ext_cb_t)(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid, int critical, const unsigned char *p, const unsigned char *end)
The type of certificate extension callbacks.
Definition: x509_crt.h:345
#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN
Definition: x509_crt.h:175
int mbedtls_x509write_crt_set_issuer_name(mbedtls_x509write_cert *ctx, const char *issuer_name)
Set the issuer name for a Certificate Issuer names should contain a comma-separated list of OID types...
#define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE
Definition: x509_crt.h:210
int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path)
Load one or more certificate files from a path and add them to the chained list. Parses permissively....
int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx, const char *oid, size_t oid_len, int critical, const unsigned char *val, size_t val_len)
Generic function to add to or replace an extension in the CRT.
int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx, unsigned int key_usage)
Set the Key Usage Extension flags (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_...
int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx, unsigned char ns_cert_type)
Set the Netscape Cert Type flags (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TY...
int(* mbedtls_x509_crt_ca_cb_t)(void *p_ctx, mbedtls_x509_crt const *child, mbedtls_x509_crt **candidate_cas)
The type of trusted certificate callbacks.
Definition: x509_crt.h:733
int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *ctx)
Set the authorityKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_issuer_key...
struct mbedtls_x509_san_other_name mbedtls_x509_san_other_name
int mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen, int make_copy, mbedtls_x509_crt_ext_cb_t cb, void *p_ctx)
Parse a single DER formatted certificate and add it to the end of the provided chained list.
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next
struct mbedtls_x509_crt mbedtls_x509_crt
struct mbedtls_x509_crt_profile mbedtls_x509_crt_profile
int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify a chain of certificates.
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default
void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)
Initialize a CRT writing context.
void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version)
Set the version for a Certificate Default: MBEDTLS_X509_CRT_VERSION_3.
void mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx)
Free the contents of a CRT write context.
void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
Unallocate all certificate data.
int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix, const mbedtls_x509_crt *crt)
Returns an informational string about the certificate.
void mbedtls_x509write_crt_set_md_alg(mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg)
Set the MD algorithm to use for the signature (e.g. MBEDTLS_MD_SHA1)
int mbedtls_x509write_crt_set_validity(mbedtls_x509write_cert *ctx, const char *not_before, const char *not_after)
Set the validity period for a Certificate Timestamps should be in string format for UTC timezone i....
struct mbedtls_x509_subject_alternative_name mbedtls_x509_subject_alternative_name
int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len)
Check usage of certificate against extendedKeyUsage.
int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path)
Load one or more certificates and add them to the chained list. Parses permissively....
int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Write a built up certificate to a X509 DER structure Note: data is written at the end of the buffer!...
int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx, int is_ca, int max_pathlen)
Set the basicConstraints extension for a CRT.
struct mbedtls_x509write_cert mbedtls_x509write_cert
int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix, uint32_t flags)
Returns an informational string about the verification status of a certificate.
int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify a chain of certificates with respect to a configurable security profile.
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb
mbedtls_md_type_t
Supported message digests.
Definition: md.h:62
mbedtls_pk_type_t
Public key types.
Definition: pk.h:95
void mbedtls_pk_restart_ctx
Definition: pk.h:217
MPI structure.
Definition: bignum.h:193
Public key container.
Definition: pk.h:201
mbedtls_x509_time valid_to
Definition: x509_crt.h:70
mbedtls_x509_buf sig_oid
Definition: x509_crt.h:61
mbedtls_x509_sequence subject_alt_names
Definition: x509_crt.h:78
unsigned int key_usage
Definition: x509_crt.h:86
mbedtls_x509_buf tbs
Definition: x509_crt.h:57
mbedtls_x509_buf raw
Definition: x509_crt.h:56
mbedtls_x509_buf serial
Definition: x509_crt.h:60
mbedtls_md_type_t sig_md
Definition: x509_crt.h:93
mbedtls_pk_context pk
Definition: x509_crt.h:73
mbedtls_pk_type_t sig_pk
Definition: x509_crt.h:94
void * sig_opts
Definition: x509_crt.h:95
mbedtls_x509_buf v3_ext
Definition: x509_crt.h:77
mbedtls_x509_buf issuer_id
Definition: x509_crt.h:75
mbedtls_x509_name subject
Definition: x509_crt.h:67
mbedtls_x509_sequence certificate_policies
Definition: x509_crt.h:80
mbedtls_x509_buf pk_raw
Definition: x509_crt.h:72
mbedtls_x509_time valid_from
Definition: x509_crt.h:69
mbedtls_x509_buf subject_raw
Definition: x509_crt.h:64
mbedtls_x509_sequence ext_key_usage
Definition: x509_crt.h:88
struct mbedtls_x509_crt * next
Definition: x509_crt.h:97
mbedtls_x509_buf subject_id
Definition: x509_crt.h:76
unsigned char ns_cert_type
Definition: x509_crt.h:90
mbedtls_x509_name issuer
Definition: x509_crt.h:66
mbedtls_x509_buf sig
Definition: x509_crt.h:92
mbedtls_x509_buf issuer_raw
Definition: x509_crt.h:63
mbedtls_x509_buf oid
Definition: x509_crt.h:125
mbedtls_x509_buf val
Definition: x509_crt.h:126
struct mbedtls_x509_san_other_name::@1::@2 hardware_module_name
union mbedtls_x509_san_other_name::@1 value
mbedtls_x509_buf type_id
Definition: x509_crt.h:114
union mbedtls_x509_subject_alternative_name::@3 san
mbedtls_x509_san_other_name other_name
Definition: x509_crt.h:141
mbedtls_md_type_t md_alg
Definition: x509_crt.h:192
mbedtls_pk_context * issuer_key
Definition: x509_crt.h:189
mbedtls_asn1_named_data * issuer
Definition: x509_crt.h:191
char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN+1]
Definition: x509_crt.h:194
mbedtls_asn1_named_data * subject
Definition: x509_crt.h:190
mbedtls_mpi serial
Definition: x509_crt.h:187
mbedtls_pk_context * subject_key
Definition: x509_crt.h:188
mbedtls_asn1_named_data * extensions
Definition: x509_crt.h:195
char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN+1]
Definition: x509_crt.h:193
X.509 generic defines and structures.
X.509 certificate revocation list parsing.