mbed TLS v2.2.0
Data Structures | Macros
X.509 module

Detailed Description

The X.509 module provides X.509 support which includes:

This module can be used to build a certificate authority (CA) chain and verify its signature. It is also used to generate Certificate Signing Requests and X509 certificates just as a CA would do.

Data Structures

struct  mbedtls_x509_time
 Container for date and time (precision in seconds). More...
 
struct  mbedtls_x509_crl_entry
 Certificate revocation list entry. More...
 
struct  mbedtls_x509_crl
 Certificate revocation list structure. More...
 
struct  mbedtls_x509_crt
 Container for an X.509 certificate. More...
 
struct  mbedtls_x509_crt_profile
 Security profile for certificate verification. More...
 
struct  mbedtls_x509write_cert
 Container for writing a certificate (CRT) More...
 
struct  mbedtls_x509_csr
 Certificate Signing Request (CSR) structure. More...
 
struct  mbedtls_x509write_csr
 Container for writing a CSR. More...
 

Macros

#define MBEDTLS_X509_MAX_INTERMEDIATE_CA   8
 Maximum number of intermediate CAs in a verification chain. More...
 

X509 Error codes

#define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE   -0x2080
 Unavailable feature, e.g. More...
 
#define MBEDTLS_ERR_X509_UNKNOWN_OID   -0x2100
 Requested OID is unknown. More...
 
#define MBEDTLS_ERR_X509_INVALID_FORMAT   -0x2180
 The CRT/CRL/CSR format is invalid, e.g. More...
 
#define MBEDTLS_ERR_X509_INVALID_VERSION   -0x2200
 The CRT/CRL/CSR version element is invalid. More...
 
#define MBEDTLS_ERR_X509_INVALID_SERIAL   -0x2280
 The serial tag or value is invalid. More...
 
#define MBEDTLS_ERR_X509_INVALID_ALG   -0x2300
 The algorithm tag or value is invalid. More...
 
#define MBEDTLS_ERR_X509_INVALID_NAME   -0x2380
 The name tag or value is invalid. More...
 
#define MBEDTLS_ERR_X509_INVALID_DATE   -0x2400
 The date tag or value is invalid. More...
 
#define MBEDTLS_ERR_X509_INVALID_SIGNATURE   -0x2480
 The signature tag or value invalid. More...
 
#define MBEDTLS_ERR_X509_INVALID_EXTENSIONS   -0x2500
 The extension tag or value is invalid. More...
 
#define MBEDTLS_ERR_X509_UNKNOWN_VERSION   -0x2580
 CRT/CRL/CSR has an unsupported version number. More...
 
#define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG   -0x2600
 Signature algorithm (oid) is unsupported. More...
 
#define MBEDTLS_ERR_X509_SIG_MISMATCH   -0x2680
 Signature algorithms do not match. More...
 
#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED   -0x2700
 Certificate verification failed, e.g. More...
 
#define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT   -0x2780
 Format not recognized as DER or PEM. More...
 
#define MBEDTLS_ERR_X509_BAD_INPUT_DATA   -0x2800
 Input invalid. More...
 
#define MBEDTLS_ERR_X509_ALLOC_FAILED   -0x2880
 Allocation of memory failed. More...
 
#define MBEDTLS_ERR_X509_FILE_IO_ERROR   -0x2900
 Read/write of file failed. More...
 
#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL   -0x2980
 Destination buffer is too small. More...
 

X509 Verify codes

#define MBEDTLS_X509_BADCERT_EXPIRED   0x01
 The certificate validity has expired. More...
 
#define MBEDTLS_X509_BADCERT_REVOKED   0x02
 The certificate has been revoked (is on a CRL). More...
 
#define MBEDTLS_X509_BADCERT_CN_MISMATCH   0x04
 The certificate Common Name (CN) does not match with the expected CN. More...
 
#define MBEDTLS_X509_BADCERT_NOT_TRUSTED   0x08
 The certificate is not correctly signed by the trusted CA. More...
 
#define MBEDTLS_X509_BADCRL_NOT_TRUSTED   0x10
 The CRL is not correctly signed by the trusted CA. More...
 
#define MBEDTLS_X509_BADCRL_EXPIRED   0x20
 The CRL is expired. More...
 
#define MBEDTLS_X509_BADCERT_MISSING   0x40
 Certificate was missing. More...
 
#define MBEDTLS_X509_BADCERT_SKIP_VERIFY   0x80
 Certificate verification was skipped. More...
 
#define MBEDTLS_X509_BADCERT_OTHER   0x0100
 Other reason (can be used by verify callback) More...
 
#define MBEDTLS_X509_BADCERT_FUTURE   0x0200
 The certificate validity starts in the future. More...
 
#define MBEDTLS_X509_BADCRL_FUTURE   0x0400
 The CRL is from the future. More...
 
#define MBEDTLS_X509_BADCERT_KEY_USAGE   0x0800
 Usage does not match the keyUsage extension. More...
 
#define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE   0x1000
 Usage does not match the extendedKeyUsage extension. More...
 
#define MBEDTLS_X509_BADCERT_NS_CERT_TYPE   0x2000
 Usage does not match the nsCertType extension. More...
 
#define MBEDTLS_X509_BADCERT_BAD_MD   0x4000
 The certificate is signed with an unacceptable hash. More...
 
#define MBEDTLS_X509_BADCERT_BAD_PK   0x8000
 The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA). More...
 
#define MBEDTLS_X509_BADCERT_BAD_KEY   0x010000
 The certificate is signed with an unacceptable key (eg bad curve, RSA too short). More...
 
#define MBEDTLS_X509_BADCRL_BAD_MD   0x020000
 The CRL is signed with an unacceptable hash. More...
 
#define MBEDTLS_X509_BADCRL_BAD_PK   0x040000
 The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA). More...
 
#define MBEDTLS_X509_BADCRL_BAD_KEY   0x080000
 The CRL is signed with an unacceptable key (eg bad curve, RSA too short). More...
 

Structures for parsing X.509 certificates, CRLs and CSRs

typedef mbedtls_asn1_buf mbedtls_x509_buf
 Type-length-value structure that allows for ASN1 using DER. More...
 
typedef mbedtls_asn1_bitstring mbedtls_x509_bitstring
 Container for ASN1 bit strings. More...
 
typedef mbedtls_asn1_named_data mbedtls_x509_name
 Container for ASN1 named information objects. More...
 
typedef mbedtls_asn1_sequence mbedtls_x509_sequence
 Container for a sequence of ASN.1 items. More...
 
typedef struct mbedtls_x509_time mbedtls_x509_time
 Container for date and time (precision in seconds). More...
 

Structures and functions for parsing CRLs

typedef struct mbedtls_x509_crl_entry mbedtls_x509_crl_entry
 Certificate revocation list entry. More...
 
typedef struct mbedtls_x509_crl mbedtls_x509_crl
 Certificate revocation list structure. More...
 
int mbedtls_x509_crl_parse_der (mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen)
 Parse a DER-encoded CRL and append it to the chained list. More...
 
int mbedtls_x509_crl_parse (mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen)
 Parse one or more CRLs and append them to the chained list. More...
 
int mbedtls_x509_crl_info (char *buf, size_t size, const char *prefix, const mbedtls_x509_crl *crl)
 Returns an informational string about the CRL. More...
 
void mbedtls_x509_crl_init (mbedtls_x509_crl *crl)
 Initialize a CRL (chain) More...
 
void mbedtls_x509_crl_free (mbedtls_x509_crl *crl)
 Unallocate all CRL data. More...
 

Structures and functions for parsing and writing X.509 certificates

typedef struct mbedtls_x509_crt mbedtls_x509_crt
 Container for an X.509 certificate. More...
 
typedef struct mbedtls_x509write_cert mbedtls_x509write_cert
 Container for writing a certificate (CRT) More...
 
#define MBEDTLS_X509_ID_FLAG(id)    ( 1 << ( id - 1 ) )
 Build flag from an algorithm/curve identifier (pk, md, ecp) Since 0 is always XXX_NONE, ignore it. More...
 
#define MBEDTLS_X509_CRT_VERSION_1   0
 
#define MBEDTLS_X509_CRT_VERSION_2   1
 
#define MBEDTLS_X509_CRT_VERSION_3   2
 
#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN   32
 
#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN   15
 

Structures and functions for X.509 Certificate Signing Requests (CSR)

typedef struct mbedtls_x509_csr mbedtls_x509_csr
 Certificate Signing Request (CSR) structure. More...
 
typedef struct mbedtls_x509write_csr mbedtls_x509write_csr
 Container for writing a CSR. More...
 

Macro Definition Documentation

#define MBEDTLS_ERR_X509_ALLOC_FAILED   -0x2880

Allocation of memory failed.

Definition at line 76 of file x509.h.

#define MBEDTLS_ERR_X509_BAD_INPUT_DATA   -0x2800

Input invalid.

Definition at line 75 of file x509.h.

#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL   -0x2980

Destination buffer is too small.

Definition at line 78 of file x509.h.

#define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT   -0x2780

Format not recognized as DER or PEM.

Definition at line 74 of file x509.h.

#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED   -0x2700

Certificate verification failed, e.g.

CRL, CA or signature check failed.

Definition at line 73 of file x509.h.

#define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE   -0x2080

Unavailable feature, e.g.

RSA hashing/encryption combination.

Definition at line 60 of file x509.h.

#define MBEDTLS_ERR_X509_FILE_IO_ERROR   -0x2900

Read/write of file failed.

Definition at line 77 of file x509.h.

#define MBEDTLS_ERR_X509_INVALID_ALG   -0x2300

The algorithm tag or value is invalid.

Definition at line 65 of file x509.h.

#define MBEDTLS_ERR_X509_INVALID_DATE   -0x2400

The date tag or value is invalid.

Definition at line 67 of file x509.h.

#define MBEDTLS_ERR_X509_INVALID_EXTENSIONS   -0x2500

The extension tag or value is invalid.

Definition at line 69 of file x509.h.

#define MBEDTLS_ERR_X509_INVALID_FORMAT   -0x2180

The CRT/CRL/CSR format is invalid, e.g.

different type expected.

Definition at line 62 of file x509.h.

#define MBEDTLS_ERR_X509_INVALID_NAME   -0x2380

The name tag or value is invalid.

Definition at line 66 of file x509.h.

#define MBEDTLS_ERR_X509_INVALID_SERIAL   -0x2280

The serial tag or value is invalid.

Definition at line 64 of file x509.h.

#define MBEDTLS_ERR_X509_INVALID_SIGNATURE   -0x2480

The signature tag or value invalid.

Definition at line 68 of file x509.h.

#define MBEDTLS_ERR_X509_INVALID_VERSION   -0x2200

The CRT/CRL/CSR version element is invalid.

Definition at line 63 of file x509.h.

#define MBEDTLS_ERR_X509_SIG_MISMATCH   -0x2680

Signature algorithms do not match.

(see mbedtls_x509_crt sig_oid)

Definition at line 72 of file x509.h.

#define MBEDTLS_ERR_X509_UNKNOWN_OID   -0x2100

Requested OID is unknown.

Definition at line 61 of file x509.h.

#define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG   -0x2600

Signature algorithm (oid) is unsupported.

Definition at line 71 of file x509.h.

#define MBEDTLS_ERR_X509_UNKNOWN_VERSION   -0x2580

CRT/CRL/CSR has an unsupported version number.

Definition at line 70 of file x509.h.

#define MBEDTLS_X509_BADCERT_BAD_KEY   0x010000

The certificate is signed with an unacceptable key (eg bad curve, RSA too short).

Definition at line 102 of file x509.h.

#define MBEDTLS_X509_BADCERT_BAD_MD   0x4000

The certificate is signed with an unacceptable hash.

Definition at line 100 of file x509.h.

#define MBEDTLS_X509_BADCERT_BAD_PK   0x8000

The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA).

Definition at line 101 of file x509.h.

#define MBEDTLS_X509_BADCERT_CN_MISMATCH   0x04

The certificate Common Name (CN) does not match with the expected CN.

Definition at line 88 of file x509.h.

#define MBEDTLS_X509_BADCERT_EXPIRED   0x01

The certificate validity has expired.

Definition at line 86 of file x509.h.

#define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE   0x1000

Usage does not match the extendedKeyUsage extension.

Definition at line 98 of file x509.h.

#define MBEDTLS_X509_BADCERT_FUTURE   0x0200

The certificate validity starts in the future.

Definition at line 95 of file x509.h.

#define MBEDTLS_X509_BADCERT_KEY_USAGE   0x0800

Usage does not match the keyUsage extension.

Definition at line 97 of file x509.h.

#define MBEDTLS_X509_BADCERT_MISSING   0x40

Certificate was missing.

Definition at line 92 of file x509.h.

#define MBEDTLS_X509_BADCERT_NOT_TRUSTED   0x08

The certificate is not correctly signed by the trusted CA.

Definition at line 89 of file x509.h.

#define MBEDTLS_X509_BADCERT_NS_CERT_TYPE   0x2000

Usage does not match the nsCertType extension.

Definition at line 99 of file x509.h.

#define MBEDTLS_X509_BADCERT_OTHER   0x0100

Other reason (can be used by verify callback)

Definition at line 94 of file x509.h.

#define MBEDTLS_X509_BADCERT_REVOKED   0x02

The certificate has been revoked (is on a CRL).

Definition at line 87 of file x509.h.

#define MBEDTLS_X509_BADCERT_SKIP_VERIFY   0x80

Certificate verification was skipped.

Definition at line 93 of file x509.h.

#define MBEDTLS_X509_BADCRL_BAD_KEY   0x080000

The CRL is signed with an unacceptable key (eg bad curve, RSA too short).

Definition at line 105 of file x509.h.

#define MBEDTLS_X509_BADCRL_BAD_MD   0x020000

The CRL is signed with an unacceptable hash.

Definition at line 103 of file x509.h.

#define MBEDTLS_X509_BADCRL_BAD_PK   0x040000

The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA).

Definition at line 104 of file x509.h.

#define MBEDTLS_X509_BADCRL_EXPIRED   0x20

The CRL is expired.

Definition at line 91 of file x509.h.

#define MBEDTLS_X509_BADCRL_FUTURE   0x0400

The CRL is from the future.

Definition at line 96 of file x509.h.

#define MBEDTLS_X509_BADCRL_NOT_TRUSTED   0x10

The CRL is not correctly signed by the trusted CA.

Definition at line 90 of file x509.h.

#define MBEDTLS_X509_CRT_VERSION_1   0

Definition at line 116 of file x509_crt.h.

#define MBEDTLS_X509_CRT_VERSION_2   1

Definition at line 117 of file x509_crt.h.

#define MBEDTLS_X509_CRT_VERSION_3   2

Definition at line 118 of file x509_crt.h.

#define MBEDTLS_X509_ID_FLAG (   id)    ( 1 << ( id - 1 ) )

Build flag from an algorithm/curve identifier (pk, md, ecp) Since 0 is always XXX_NONE, ignore it.

Definition at line 100 of file x509_crt.h.

#define MBEDTLS_X509_MAX_INTERMEDIATE_CA   8

Maximum number of intermediate CAs in a verification chain.

That is, maximum length of the chain, excluding the end-entity certificate and the trusted root certificate.

Set this to a low value to prevent an adversary from making you waste resources verifying an overlong certificate chain.

Definition at line 53 of file x509.h.

#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN   32

Definition at line 120 of file x509_crt.h.

#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN   15

Definition at line 121 of file x509_crt.h.

Typedef Documentation

Container for ASN1 bit strings.

Definition at line 192 of file x509.h.

Type-length-value structure that allows for ASN1 using DER.

Definition at line 187 of file x509.h.

Certificate revocation list structure.

Every CRL may have multiple entries.

Certificate revocation list entry.

Contains the CA-specific serial numbers and revocation dates.

Container for an X.509 certificate.

The certificate may be chained.

Certificate Signing Request (CSR) structure.

Container for ASN1 named information objects.

It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.).

Definition at line 198 of file x509.h.

Container for a sequence of ASN.1 items.

Definition at line 203 of file x509.h.

Container for date and time (precision in seconds).

Container for writing a certificate (CRT)

Container for writing a CSR.

Function Documentation

void mbedtls_x509_crl_free ( mbedtls_x509_crl crl)

Unallocate all CRL data.

Parameters
crlCRL chain to free
int mbedtls_x509_crl_info ( char *  buf,
size_t  size,
const char *  prefix,
const mbedtls_x509_crl crl 
)

Returns an informational string about the CRL.

Parameters
bufBuffer to write to
sizeMaximum size of buffer
prefixA line prefix
crlThe X509 CRL to represent
Returns
The length of the string written (not including the terminated nul byte), or a negative error code.
void mbedtls_x509_crl_init ( mbedtls_x509_crl crl)

Initialize a CRL (chain)

Parameters
crlCRL chain to initialize
int mbedtls_x509_crl_parse ( mbedtls_x509_crl chain,
const unsigned char *  buf,
size_t  buflen 
)

Parse one or more CRLs and append them to the chained list.

Note
Mutliple CRLs are accepted only if using PEM format
Parameters
chainpoints to the start of the chain
bufbuffer holding the CRL data in PEM or DER format
buflensize of the buffer (including the terminating null byte for PEM data)
Returns
0 if successful, or a specific X509 or PEM error code
int mbedtls_x509_crl_parse_der ( mbedtls_x509_crl chain,
const unsigned char *  buf,
size_t  buflen 
)

Parse a DER-encoded CRL and append it to the chained list.

Parameters
chainpoints to the start of the chain
bufbuffer holding the CRL data in DER format (including the terminating null byte for PEM data)
buflensize of the buffer
Returns
0 if successful, or a specific X509 or PEM error code