Detailed Description
X.509 generic defines and structures.
Copyright (C) 2006-2015, ARM Limited, All Rights Reserved SPDX-License-Identifier: Apache-2.0
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
This file is part of mbed TLS (https://tls.mbed.org)
Definition in file x509.h.
Include dependency graph for x509.h:
This graph shows which files directly or indirectly include this file:
Go to the source code of this file.
Data Structures | |
| struct | mbedtls_x509_time |
| Container for date and time (precision in seconds). More... | |
Macros | |
| #define | MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 |
| Maximum number of intermediate CAs in a verification chain. More... | |
| #define | MBEDTLS_X509_KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */ |
| #define | MBEDTLS_X509_KU_NON_REPUDIATION (0x40) /* bit 1 */ |
| #define | MBEDTLS_X509_KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */ |
| #define | MBEDTLS_X509_KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */ |
| #define | MBEDTLS_X509_KU_KEY_AGREEMENT (0x08) /* bit 4 */ |
| #define | MBEDTLS_X509_KU_KEY_CERT_SIGN (0x04) /* bit 5 */ |
| #define | MBEDTLS_X509_KU_CRL_SIGN (0x02) /* bit 6 */ |
| #define | MBEDTLS_X509_KU_ENCIPHER_ONLY (0x01) /* bit 7 */ |
| #define | MBEDTLS_X509_KU_DECIPHER_ONLY (0x8000) /* bit 8 */ |
| #define | MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */ |
| #define | MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */ |
| #define | MBEDTLS_X509_NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */ |
| #define | MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */ |
| #define | MBEDTLS_X509_NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */ |
| #define | MBEDTLS_X509_NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */ |
| #define | MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */ |
| #define | MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */ |
| #define | MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER (1 << 0) |
| #define | MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER (1 << 1) |
| #define | MBEDTLS_X509_EXT_KEY_USAGE (1 << 2) |
| #define | MBEDTLS_X509_EXT_CERTIFICATE_POLICIES (1 << 3) |
| #define | MBEDTLS_X509_EXT_POLICY_MAPPINGS (1 << 4) |
| #define | MBEDTLS_X509_EXT_SUBJECT_ALT_NAME (1 << 5) /* Supported (DNS) */ |
| #define | MBEDTLS_X509_EXT_ISSUER_ALT_NAME (1 << 6) |
| #define | MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS (1 << 7) |
| #define | MBEDTLS_X509_EXT_BASIC_CONSTRAINTS (1 << 8) /* Supported */ |
| #define | MBEDTLS_X509_EXT_NAME_CONSTRAINTS (1 << 9) |
| #define | MBEDTLS_X509_EXT_POLICY_CONSTRAINTS (1 << 10) |
| #define | MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE (1 << 11) |
| #define | MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS (1 << 12) |
| #define | MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY (1 << 13) |
| #define | MBEDTLS_X509_EXT_FRESHEST_CRL (1 << 14) |
| #define | MBEDTLS_X509_EXT_NS_CERT_TYPE (1 << 16) /* Parsed (and then ?) */ |
| #define | MBEDTLS_X509_FORMAT_DER 1 |
| #define | MBEDTLS_X509_FORMAT_PEM 2 |
| #define | MBEDTLS_X509_MAX_DN_NAME_SIZE 256 |
| Maximum value size of a DN entry. More... | |
| #define | MBEDTLS_X509_SAFE_SNPRINTF |
X509 Error codes | |
| #define | MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE -0x2080 |
| Unavailable feature, e.g. More... | |
| #define | MBEDTLS_ERR_X509_UNKNOWN_OID -0x2100 |
| Requested OID is unknown. More... | |
| #define | MBEDTLS_ERR_X509_INVALID_FORMAT -0x2180 |
| The CRT/CRL/CSR format is invalid, e.g. More... | |
| #define | MBEDTLS_ERR_X509_INVALID_VERSION -0x2200 |
| The CRT/CRL/CSR version element is invalid. More... | |
| #define | MBEDTLS_ERR_X509_INVALID_SERIAL -0x2280 |
| The serial tag or value is invalid. More... | |
| #define | MBEDTLS_ERR_X509_INVALID_ALG -0x2300 |
| The algorithm tag or value is invalid. More... | |
| #define | MBEDTLS_ERR_X509_INVALID_NAME -0x2380 |
| The name tag or value is invalid. More... | |
| #define | MBEDTLS_ERR_X509_INVALID_DATE -0x2400 |
| The date tag or value is invalid. More... | |
| #define | MBEDTLS_ERR_X509_INVALID_SIGNATURE -0x2480 |
| The signature tag or value invalid. More... | |
| #define | MBEDTLS_ERR_X509_INVALID_EXTENSIONS -0x2500 |
| The extension tag or value is invalid. More... | |
| #define | MBEDTLS_ERR_X509_UNKNOWN_VERSION -0x2580 |
| CRT/CRL/CSR has an unsupported version number. More... | |
| #define | MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG -0x2600 |
| Signature algorithm (oid) is unsupported. More... | |
| #define | MBEDTLS_ERR_X509_SIG_MISMATCH -0x2680 |
| Signature algorithms do not match. More... | |
| #define | MBEDTLS_ERR_X509_CERT_VERIFY_FAILED -0x2700 |
| Certificate verification failed, e.g. More... | |
| #define | MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT -0x2780 |
| Format not recognized as DER or PEM. More... | |
| #define | MBEDTLS_ERR_X509_BAD_INPUT_DATA -0x2800 |
| Input invalid. More... | |
| #define | MBEDTLS_ERR_X509_ALLOC_FAILED -0x2880 |
| Allocation of memory failed. More... | |
| #define | MBEDTLS_ERR_X509_FILE_IO_ERROR -0x2900 |
| Read/write of file failed. More... | |
| #define | MBEDTLS_ERR_X509_BUFFER_TOO_SMALL -0x2980 |
| Destination buffer is too small. More... | |
X509 Verify codes | |
| #define | MBEDTLS_X509_BADCERT_EXPIRED 0x01 |
| The certificate validity has expired. More... | |
| #define | MBEDTLS_X509_BADCERT_REVOKED 0x02 |
| The certificate has been revoked (is on a CRL). More... | |
| #define | MBEDTLS_X509_BADCERT_CN_MISMATCH 0x04 |
| The certificate Common Name (CN) does not match with the expected CN. More... | |
| #define | MBEDTLS_X509_BADCERT_NOT_TRUSTED 0x08 |
| The certificate is not correctly signed by the trusted CA. More... | |
| #define | MBEDTLS_X509_BADCRL_NOT_TRUSTED 0x10 |
| The CRL is not correctly signed by the trusted CA. More... | |
| #define | MBEDTLS_X509_BADCRL_EXPIRED 0x20 |
| The CRL is expired. More... | |
| #define | MBEDTLS_X509_BADCERT_MISSING 0x40 |
| Certificate was missing. More... | |
| #define | MBEDTLS_X509_BADCERT_SKIP_VERIFY 0x80 |
| Certificate verification was skipped. More... | |
| #define | MBEDTLS_X509_BADCERT_OTHER 0x0100 |
| Other reason (can be used by verify callback) More... | |
| #define | MBEDTLS_X509_BADCERT_FUTURE 0x0200 |
| The certificate validity starts in the future. More... | |
| #define | MBEDTLS_X509_BADCRL_FUTURE 0x0400 |
| The CRL is from the future. More... | |
| #define | MBEDTLS_X509_BADCERT_KEY_USAGE 0x0800 |
| Usage does not match the keyUsage extension. More... | |
| #define | MBEDTLS_X509_BADCERT_EXT_KEY_USAGE 0x1000 |
| Usage does not match the extendedKeyUsage extension. More... | |
| #define | MBEDTLS_X509_BADCERT_NS_CERT_TYPE 0x2000 |
| Usage does not match the nsCertType extension. More... | |
| #define | MBEDTLS_X509_BADCERT_BAD_MD 0x4000 |
| The certificate is signed with an unacceptable hash. More... | |
| #define | MBEDTLS_X509_BADCERT_BAD_PK 0x8000 |
| The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA). More... | |
| #define | MBEDTLS_X509_BADCERT_BAD_KEY 0x010000 |
| The certificate is signed with an unacceptable key (eg bad curve, RSA too short). More... | |
| #define | MBEDTLS_X509_BADCRL_BAD_MD 0x020000 |
| The CRL is signed with an unacceptable hash. More... | |
| #define | MBEDTLS_X509_BADCRL_BAD_PK 0x040000 |
| The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA). More... | |
| #define | MBEDTLS_X509_BADCRL_BAD_KEY 0x080000 |
| The CRL is signed with an unacceptable key (eg bad curve, RSA too short). More... | |
Typedefs | |
Structures for parsing X.509 certificates, CRLs and CSRs | |
| typedef mbedtls_asn1_buf | mbedtls_x509_buf |
| Type-length-value structure that allows for ASN1 using DER. More... | |
| typedef mbedtls_asn1_bitstring | mbedtls_x509_bitstring |
| Container for ASN1 bit strings. More... | |
| typedef mbedtls_asn1_named_data | mbedtls_x509_name |
| Container for ASN1 named information objects. More... | |
| typedef mbedtls_asn1_sequence | mbedtls_x509_sequence |
| Container for a sequence of ASN.1 items. More... | |
| typedef struct mbedtls_x509_time | mbedtls_x509_time |
| Container for date and time (precision in seconds). More... | |
Functions | |
| int | mbedtls_x509_dn_gets (char *buf, size_t size, const mbedtls_x509_name *dn) |
| Store the certificate DN in printable form into buf; no more than size characters will be written. More... | |
| int | mbedtls_x509_serial_gets (char *buf, size_t size, const mbedtls_x509_buf *serial) |
| Store the certificate serial in printable form into buf; no more than size characters will be written. More... | |
| int | mbedtls_x509_time_is_past (const mbedtls_x509_time *time) |
| Check a given mbedtls_x509_time against the system time and tell if it's in the past. More... | |
| int | mbedtls_x509_time_is_future (const mbedtls_x509_time *time) |
| Check a given mbedtls_x509_time against the system time and tell if it's in the future. More... | |
| int | mbedtls_x509_self_test (int verbose) |
| Checkup routine. More... | |
| int | mbedtls_x509_get_name (unsigned char **p, const unsigned char *end, mbedtls_x509_name *cur) |
| int | mbedtls_x509_get_alg_null (unsigned char **p, const unsigned char *end, mbedtls_x509_buf *alg) |
| int | mbedtls_x509_get_alg (unsigned char **p, const unsigned char *end, mbedtls_x509_buf *alg, mbedtls_x509_buf *params) |
| int | mbedtls_x509_get_sig (unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig) |
| int | mbedtls_x509_get_sig_alg (const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params, mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg, void **sig_opts) |
| int | mbedtls_x509_get_time (unsigned char **p, const unsigned char *end, mbedtls_x509_time *time) |
| int | mbedtls_x509_get_serial (unsigned char **p, const unsigned char *end, mbedtls_x509_buf *serial) |
| int | mbedtls_x509_get_ext (unsigned char **p, const unsigned char *end, mbedtls_x509_buf *ext, int tag) |
| int | mbedtls_x509_sig_alg_gets (char *buf, size_t size, const mbedtls_x509_buf *sig_oid, mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg, const void *sig_opts) |
| int | mbedtls_x509_key_size_helper (char *buf, size_t buf_size, const char *name) |
| int | mbedtls_x509_string_to_names (mbedtls_asn1_named_data **head, const char *name) |
| int | mbedtls_x509_set_extension (mbedtls_asn1_named_data **head, const char *oid, size_t oid_len, int critical, const unsigned char *val, size_t val_len) |
| int | mbedtls_x509_write_extensions (unsigned char **p, unsigned char *start, mbedtls_asn1_named_data *first) |
| int | mbedtls_x509_write_names (unsigned char **p, unsigned char *start, mbedtls_asn1_named_data *first) |
| int | mbedtls_x509_write_sig (unsigned char **p, unsigned char *start, const char *oid, size_t oid_len, unsigned char *sig, size_t size) |
Macro Definition Documentation
| #define MBEDTLS_X509_EXT_BASIC_CONSTRAINTS (1 << 8) /* Supported */ |
| #define MBEDTLS_X509_EXT_NS_CERT_TYPE (1 << 16) /* Parsed (and then ?) */ |
| #define MBEDTLS_X509_EXT_SUBJECT_ALT_NAME (1 << 5) /* Supported (DNS) */ |
| #define MBEDTLS_X509_MAX_DN_NAME_SIZE 256 |
| #define MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */ |
| #define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */ |
| #define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */ |
| #define MBEDTLS_X509_NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */ |
| #define MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */ |
| #define MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */ |
| #define MBEDTLS_X509_SAFE_SNPRINTF |
Value:
do { \
if( ret < 0 || (size_t) ret >= n ) \
return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL ); \
\
n -= (size_t) ret; \
p += (size_t) ret; \
} while( 0 )
Function Documentation
| int mbedtls_x509_dn_gets | ( | char * | buf, |
| size_t | size, | ||
| const mbedtls_x509_name * | dn | ||
| ) |
Store the certificate DN in printable form into buf; no more than size characters will be written.
- Parameters
-
buf Buffer to write to size Maximum size of buffer dn The X509 name to represent
- Returns
- The length of the string written (not including the terminated nul byte), or a negative error code.
| int mbedtls_x509_get_alg | ( | unsigned char ** | p, |
| const unsigned char * | end, | ||
| mbedtls_x509_buf * | alg, | ||
| mbedtls_x509_buf * | params | ||
| ) |
| int mbedtls_x509_get_alg_null | ( | unsigned char ** | p, |
| const unsigned char * | end, | ||
| mbedtls_x509_buf * | alg | ||
| ) |
| int mbedtls_x509_get_ext | ( | unsigned char ** | p, |
| const unsigned char * | end, | ||
| mbedtls_x509_buf * | ext, | ||
| int | tag | ||
| ) |
| int mbedtls_x509_get_name | ( | unsigned char ** | p, |
| const unsigned char * | end, | ||
| mbedtls_x509_name * | cur | ||
| ) |
| int mbedtls_x509_get_serial | ( | unsigned char ** | p, |
| const unsigned char * | end, | ||
| mbedtls_x509_buf * | serial | ||
| ) |
| int mbedtls_x509_get_sig | ( | unsigned char ** | p, |
| const unsigned char * | end, | ||
| mbedtls_x509_buf * | sig | ||
| ) |
| int mbedtls_x509_get_sig_alg | ( | const mbedtls_x509_buf * | sig_oid, |
| const mbedtls_x509_buf * | sig_params, | ||
| mbedtls_md_type_t * | md_alg, | ||
| mbedtls_pk_type_t * | pk_alg, | ||
| void ** | sig_opts | ||
| ) |
| int mbedtls_x509_get_time | ( | unsigned char ** | p, |
| const unsigned char * | end, | ||
| mbedtls_x509_time * | time | ||
| ) |
| int mbedtls_x509_key_size_helper | ( | char * | buf, |
| size_t | buf_size, | ||
| const char * | name | ||
| ) |
| int mbedtls_x509_self_test | ( | int | verbose | ) |
Checkup routine.
- Returns
- 0 if successful, or 1 if the test failed
| int mbedtls_x509_serial_gets | ( | char * | buf, |
| size_t | size, | ||
| const mbedtls_x509_buf * | serial | ||
| ) |
Store the certificate serial in printable form into buf; no more than size characters will be written.
- Parameters
-
buf Buffer to write to size Maximum size of buffer serial The X509 serial to represent
- Returns
- The length of the string written (not including the terminated nul byte), or a negative error code.
| int mbedtls_x509_set_extension | ( | mbedtls_asn1_named_data ** | head, |
| const char * | oid, | ||
| size_t | oid_len, | ||
| int | critical, | ||
| const unsigned char * | val, | ||
| size_t | val_len | ||
| ) |
| int mbedtls_x509_sig_alg_gets | ( | char * | buf, |
| size_t | size, | ||
| const mbedtls_x509_buf * | sig_oid, | ||
| mbedtls_pk_type_t | pk_alg, | ||
| mbedtls_md_type_t | md_alg, | ||
| const void * | sig_opts | ||
| ) |
| int mbedtls_x509_string_to_names | ( | mbedtls_asn1_named_data ** | head, |
| const char * | name | ||
| ) |
| int mbedtls_x509_time_is_future | ( | const mbedtls_x509_time * | time | ) |
Check a given mbedtls_x509_time against the system time and tell if it's in the future.
- Note
- Intended usage is "if( is_future( valid_from ) ) ERROR". Hence the return value of 1 if on internal errors.
- Parameters
-
time mbedtls_x509_time to check
- Returns
- 1 if the given time is in the future or an error occured, 0 otherwise.
| int mbedtls_x509_time_is_past | ( | const mbedtls_x509_time * | time | ) |
Check a given mbedtls_x509_time against the system time and tell if it's in the past.
- Note
- Intended usage is "if( is_past( valid_to ) ) ERROR". Hence the return value of 1 if on internal errors.
- Parameters
-
time mbedtls_x509_time to check
- Returns
- 1 if the given time is in the past or an error occured, 0 otherwise.
| int mbedtls_x509_write_extensions | ( | unsigned char ** | p, |
| unsigned char * | start, | ||
| mbedtls_asn1_named_data * | first | ||
| ) |
| int mbedtls_x509_write_names | ( | unsigned char ** | p, |
| unsigned char * | start, | ||
| mbedtls_asn1_named_data * | first | ||
| ) |
| int mbedtls_x509_write_sig | ( | unsigned char ** | p, |
| unsigned char * | start, | ||
| const char * | oid, | ||
| size_t | oid_len, | ||
| unsigned char * | sig, | ||
| size_t | size | ||
| ) |
