mbed TLS v2.2.0
|
The X.509 module provides X.509 support which includes:
x509parse_crt()
and x509parse_crtfile()
).x509parse_crl()
andx509parse_crlfile()
).x509parse_key()
and x509parse_keyfile()
).x509parse_verify()
)mbedtls_x509write_crt_der()
and mbedtls_x509write_csr_der()
).This module can be used to build a certificate authority (CA) chain and verify its signature. It is also used to generate Certificate Signing Requests and X509 certificates just as a CA would do.
Data Structures | |
struct | mbedtls_x509_time |
Container for date and time (precision in seconds). More... | |
struct | mbedtls_x509_crl_entry |
Certificate revocation list entry. More... | |
struct | mbedtls_x509_crl |
Certificate revocation list structure. More... | |
struct | mbedtls_x509_crt |
Container for an X.509 certificate. More... | |
struct | mbedtls_x509_crt_profile |
Security profile for certificate verification. More... | |
struct | mbedtls_x509write_cert |
Container for writing a certificate (CRT) More... | |
struct | mbedtls_x509_csr |
Certificate Signing Request (CSR) structure. More... | |
struct | mbedtls_x509write_csr |
Container for writing a CSR. More... | |
Macros | |
#define | MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 |
Maximum number of intermediate CAs in a verification chain. More... | |
X509 Error codes | |
#define | MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE -0x2080 |
Unavailable feature, e.g. More... | |
#define | MBEDTLS_ERR_X509_UNKNOWN_OID -0x2100 |
Requested OID is unknown. More... | |
#define | MBEDTLS_ERR_X509_INVALID_FORMAT -0x2180 |
The CRT/CRL/CSR format is invalid, e.g. More... | |
#define | MBEDTLS_ERR_X509_INVALID_VERSION -0x2200 |
The CRT/CRL/CSR version element is invalid. More... | |
#define | MBEDTLS_ERR_X509_INVALID_SERIAL -0x2280 |
The serial tag or value is invalid. More... | |
#define | MBEDTLS_ERR_X509_INVALID_ALG -0x2300 |
The algorithm tag or value is invalid. More... | |
#define | MBEDTLS_ERR_X509_INVALID_NAME -0x2380 |
The name tag or value is invalid. More... | |
#define | MBEDTLS_ERR_X509_INVALID_DATE -0x2400 |
The date tag or value is invalid. More... | |
#define | MBEDTLS_ERR_X509_INVALID_SIGNATURE -0x2480 |
The signature tag or value invalid. More... | |
#define | MBEDTLS_ERR_X509_INVALID_EXTENSIONS -0x2500 |
The extension tag or value is invalid. More... | |
#define | MBEDTLS_ERR_X509_UNKNOWN_VERSION -0x2580 |
CRT/CRL/CSR has an unsupported version number. More... | |
#define | MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG -0x2600 |
Signature algorithm (oid) is unsupported. More... | |
#define | MBEDTLS_ERR_X509_SIG_MISMATCH -0x2680 |
Signature algorithms do not match. More... | |
#define | MBEDTLS_ERR_X509_CERT_VERIFY_FAILED -0x2700 |
Certificate verification failed, e.g. More... | |
#define | MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT -0x2780 |
Format not recognized as DER or PEM. More... | |
#define | MBEDTLS_ERR_X509_BAD_INPUT_DATA -0x2800 |
Input invalid. More... | |
#define | MBEDTLS_ERR_X509_ALLOC_FAILED -0x2880 |
Allocation of memory failed. More... | |
#define | MBEDTLS_ERR_X509_FILE_IO_ERROR -0x2900 |
Read/write of file failed. More... | |
#define | MBEDTLS_ERR_X509_BUFFER_TOO_SMALL -0x2980 |
Destination buffer is too small. More... | |
X509 Verify codes | |
#define | MBEDTLS_X509_BADCERT_EXPIRED 0x01 |
The certificate validity has expired. More... | |
#define | MBEDTLS_X509_BADCERT_REVOKED 0x02 |
The certificate has been revoked (is on a CRL). More... | |
#define | MBEDTLS_X509_BADCERT_CN_MISMATCH 0x04 |
The certificate Common Name (CN) does not match with the expected CN. More... | |
#define | MBEDTLS_X509_BADCERT_NOT_TRUSTED 0x08 |
The certificate is not correctly signed by the trusted CA. More... | |
#define | MBEDTLS_X509_BADCRL_NOT_TRUSTED 0x10 |
The CRL is not correctly signed by the trusted CA. More... | |
#define | MBEDTLS_X509_BADCRL_EXPIRED 0x20 |
The CRL is expired. More... | |
#define | MBEDTLS_X509_BADCERT_MISSING 0x40 |
Certificate was missing. More... | |
#define | MBEDTLS_X509_BADCERT_SKIP_VERIFY 0x80 |
Certificate verification was skipped. More... | |
#define | MBEDTLS_X509_BADCERT_OTHER 0x0100 |
Other reason (can be used by verify callback) More... | |
#define | MBEDTLS_X509_BADCERT_FUTURE 0x0200 |
The certificate validity starts in the future. More... | |
#define | MBEDTLS_X509_BADCRL_FUTURE 0x0400 |
The CRL is from the future. More... | |
#define | MBEDTLS_X509_BADCERT_KEY_USAGE 0x0800 |
Usage does not match the keyUsage extension. More... | |
#define | MBEDTLS_X509_BADCERT_EXT_KEY_USAGE 0x1000 |
Usage does not match the extendedKeyUsage extension. More... | |
#define | MBEDTLS_X509_BADCERT_NS_CERT_TYPE 0x2000 |
Usage does not match the nsCertType extension. More... | |
#define | MBEDTLS_X509_BADCERT_BAD_MD 0x4000 |
The certificate is signed with an unacceptable hash. More... | |
#define | MBEDTLS_X509_BADCERT_BAD_PK 0x8000 |
The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA). More... | |
#define | MBEDTLS_X509_BADCERT_BAD_KEY 0x010000 |
The certificate is signed with an unacceptable key (eg bad curve, RSA too short). More... | |
#define | MBEDTLS_X509_BADCRL_BAD_MD 0x020000 |
The CRL is signed with an unacceptable hash. More... | |
#define | MBEDTLS_X509_BADCRL_BAD_PK 0x040000 |
The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA). More... | |
#define | MBEDTLS_X509_BADCRL_BAD_KEY 0x080000 |
The CRL is signed with an unacceptable key (eg bad curve, RSA too short). More... | |
Structures for parsing X.509 certificates, CRLs and CSRs | |
typedef mbedtls_asn1_buf | mbedtls_x509_buf |
Type-length-value structure that allows for ASN1 using DER. More... | |
typedef mbedtls_asn1_bitstring | mbedtls_x509_bitstring |
Container for ASN1 bit strings. More... | |
typedef mbedtls_asn1_named_data | mbedtls_x509_name |
Container for ASN1 named information objects. More... | |
typedef mbedtls_asn1_sequence | mbedtls_x509_sequence |
Container for a sequence of ASN.1 items. More... | |
typedef struct mbedtls_x509_time | mbedtls_x509_time |
Container for date and time (precision in seconds). More... | |
Structures and functions for parsing CRLs | |
typedef struct mbedtls_x509_crl_entry | mbedtls_x509_crl_entry |
Certificate revocation list entry. More... | |
typedef struct mbedtls_x509_crl | mbedtls_x509_crl |
Certificate revocation list structure. More... | |
int | mbedtls_x509_crl_parse_der (mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen) |
Parse a DER-encoded CRL and append it to the chained list. More... | |
int | mbedtls_x509_crl_parse (mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen) |
Parse one or more CRLs and append them to the chained list. More... | |
int | mbedtls_x509_crl_info (char *buf, size_t size, const char *prefix, const mbedtls_x509_crl *crl) |
Returns an informational string about the CRL. More... | |
void | mbedtls_x509_crl_init (mbedtls_x509_crl *crl) |
Initialize a CRL (chain) More... | |
void | mbedtls_x509_crl_free (mbedtls_x509_crl *crl) |
Unallocate all CRL data. More... | |
Structures and functions for parsing and writing X.509 certificates | |
typedef struct mbedtls_x509_crt | mbedtls_x509_crt |
Container for an X.509 certificate. More... | |
typedef struct mbedtls_x509write_cert | mbedtls_x509write_cert |
Container for writing a certificate (CRT) More... | |
#define | MBEDTLS_X509_ID_FLAG(id) ( 1 << ( id - 1 ) ) |
Build flag from an algorithm/curve identifier (pk, md, ecp) Since 0 is always XXX_NONE, ignore it. More... | |
#define | MBEDTLS_X509_CRT_VERSION_1 0 |
#define | MBEDTLS_X509_CRT_VERSION_2 1 |
#define | MBEDTLS_X509_CRT_VERSION_3 2 |
#define | MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32 |
#define | MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15 |
Structures and functions for X.509 Certificate Signing Requests (CSR) | |
typedef struct mbedtls_x509_csr | mbedtls_x509_csr |
Certificate Signing Request (CSR) structure. More... | |
typedef struct mbedtls_x509write_csr | mbedtls_x509write_csr |
Container for writing a CSR. More... | |
#define MBEDTLS_ERR_X509_ALLOC_FAILED -0x2880 |
#define MBEDTLS_ERR_X509_BAD_INPUT_DATA -0x2800 |
#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL -0x2980 |
#define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT -0x2780 |
#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED -0x2700 |
#define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE -0x2080 |
#define MBEDTLS_ERR_X509_FILE_IO_ERROR -0x2900 |
#define MBEDTLS_ERR_X509_INVALID_ALG -0x2300 |
#define MBEDTLS_ERR_X509_INVALID_DATE -0x2400 |
#define MBEDTLS_ERR_X509_INVALID_EXTENSIONS -0x2500 |
#define MBEDTLS_ERR_X509_INVALID_FORMAT -0x2180 |
#define MBEDTLS_ERR_X509_INVALID_NAME -0x2380 |
#define MBEDTLS_ERR_X509_INVALID_SERIAL -0x2280 |
#define MBEDTLS_ERR_X509_INVALID_SIGNATURE -0x2480 |
#define MBEDTLS_ERR_X509_INVALID_VERSION -0x2200 |
#define MBEDTLS_ERR_X509_SIG_MISMATCH -0x2680 |
Signature algorithms do not match.
(see mbedtls_x509_crt
sig_oid)
#define MBEDTLS_ERR_X509_UNKNOWN_OID -0x2100 |
#define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG -0x2600 |
#define MBEDTLS_ERR_X509_UNKNOWN_VERSION -0x2580 |
#define MBEDTLS_X509_BADCERT_BAD_KEY 0x010000 |
#define MBEDTLS_X509_BADCERT_BAD_MD 0x4000 |
#define MBEDTLS_X509_BADCERT_BAD_PK 0x8000 |
#define MBEDTLS_X509_BADCERT_CN_MISMATCH 0x04 |
#define MBEDTLS_X509_BADCERT_EXPIRED 0x01 |
#define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE 0x1000 |
#define MBEDTLS_X509_BADCERT_FUTURE 0x0200 |
#define MBEDTLS_X509_BADCERT_KEY_USAGE 0x0800 |
#define MBEDTLS_X509_BADCERT_MISSING 0x40 |
#define MBEDTLS_X509_BADCERT_NOT_TRUSTED 0x08 |
#define MBEDTLS_X509_BADCERT_NS_CERT_TYPE 0x2000 |
#define MBEDTLS_X509_BADCERT_OTHER 0x0100 |
#define MBEDTLS_X509_BADCERT_REVOKED 0x02 |
#define MBEDTLS_X509_BADCERT_SKIP_VERIFY 0x80 |
#define MBEDTLS_X509_BADCRL_BAD_KEY 0x080000 |
#define MBEDTLS_X509_BADCRL_BAD_MD 0x020000 |
#define MBEDTLS_X509_BADCRL_BAD_PK 0x040000 |
#define MBEDTLS_X509_BADCRL_FUTURE 0x0400 |
#define MBEDTLS_X509_BADCRL_NOT_TRUSTED 0x10 |
#define MBEDTLS_X509_CRT_VERSION_1 0 |
Definition at line 116 of file x509_crt.h.
#define MBEDTLS_X509_CRT_VERSION_2 1 |
Definition at line 117 of file x509_crt.h.
#define MBEDTLS_X509_CRT_VERSION_3 2 |
Definition at line 118 of file x509_crt.h.
#define MBEDTLS_X509_ID_FLAG | ( | id | ) | ( 1 << ( id - 1 ) ) |
Build flag from an algorithm/curve identifier (pk, md, ecp) Since 0 is always XXX_NONE, ignore it.
Definition at line 100 of file x509_crt.h.
#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 |
Maximum number of intermediate CAs in a verification chain.
That is, maximum length of the chain, excluding the end-entity certificate and the trusted root certificate.
Set this to a low value to prevent an adversary from making you waste resources verifying an overlong certificate chain.
#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32 |
Definition at line 120 of file x509_crt.h.
#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15 |
Definition at line 121 of file x509_crt.h.
typedef mbedtls_asn1_buf mbedtls_x509_buf |
typedef struct mbedtls_x509_crl mbedtls_x509_crl |
Certificate revocation list structure.
Every CRL may have multiple entries.
typedef struct mbedtls_x509_crl_entry mbedtls_x509_crl_entry |
Certificate revocation list entry.
Contains the CA-specific serial numbers and revocation dates.
typedef struct mbedtls_x509_crt mbedtls_x509_crt |
Container for an X.509 certificate.
The certificate may be chained.
typedef struct mbedtls_x509_csr mbedtls_x509_csr |
Certificate Signing Request (CSR) structure.
typedef struct mbedtls_x509_time mbedtls_x509_time |
Container for date and time (precision in seconds).
typedef struct mbedtls_x509write_cert mbedtls_x509write_cert |
Container for writing a certificate (CRT)
typedef struct mbedtls_x509write_csr mbedtls_x509write_csr |
Container for writing a CSR.
void mbedtls_x509_crl_free | ( | mbedtls_x509_crl * | crl | ) |
Unallocate all CRL data.
crl | CRL chain to free |
int mbedtls_x509_crl_info | ( | char * | buf, |
size_t | size, | ||
const char * | prefix, | ||
const mbedtls_x509_crl * | crl | ||
) |
Returns an informational string about the CRL.
buf | Buffer to write to |
size | Maximum size of buffer |
prefix | A line prefix |
crl | The X509 CRL to represent |
void mbedtls_x509_crl_init | ( | mbedtls_x509_crl * | crl | ) |
Initialize a CRL (chain)
crl | CRL chain to initialize |
int mbedtls_x509_crl_parse | ( | mbedtls_x509_crl * | chain, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Parse one or more CRLs and append them to the chained list.
chain | points to the start of the chain |
buf | buffer holding the CRL data in PEM or DER format |
buflen | size of the buffer (including the terminating null byte for PEM data) |
int mbedtls_x509_crl_parse_der | ( | mbedtls_x509_crl * | chain, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Parse a DER-encoded CRL and append it to the chained list.
chain | points to the start of the chain |
buf | buffer holding the CRL data in DER format (including the terminating null byte for PEM data) |
buflen | size of the buffer |