mbed TLS v2.2.0
x509.h File Reference

Detailed Description

X.509 generic defines and structures.

Copyright (C) 2006-2015, ARM Limited, All Rights Reserved SPDX-License-Identifier: Apache-2.0

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

This file is part of mbed TLS (https://tls.mbed.org)

Definition in file x509.h.

#include <config-sl-crypto-all-acceleration.h>
#include "asn1.h"
#include "pk.h"

Data Structures

struct  mbedtls_x509_time
 Container for date and time (precision in seconds). More...
 

Macros

#define MBEDTLS_X509_MAX_INTERMEDIATE_CA   8
 Maximum number of intermediate CAs in a verification chain. More...
 
#define MBEDTLS_X509_KU_DIGITAL_SIGNATURE   (0x80) /* bit 0 */
 
#define MBEDTLS_X509_KU_NON_REPUDIATION   (0x40) /* bit 1 */
 
#define MBEDTLS_X509_KU_KEY_ENCIPHERMENT   (0x20) /* bit 2 */
 
#define MBEDTLS_X509_KU_DATA_ENCIPHERMENT   (0x10) /* bit 3 */
 
#define MBEDTLS_X509_KU_KEY_AGREEMENT   (0x08) /* bit 4 */
 
#define MBEDTLS_X509_KU_KEY_CERT_SIGN   (0x04) /* bit 5 */
 
#define MBEDTLS_X509_KU_CRL_SIGN   (0x02) /* bit 6 */
 
#define MBEDTLS_X509_KU_ENCIPHER_ONLY   (0x01) /* bit 7 */
 
#define MBEDTLS_X509_KU_DECIPHER_ONLY   (0x8000) /* bit 8 */
 
#define MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT   (0x80) /* bit 0 */
 
#define MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER   (0x40) /* bit 1 */
 
#define MBEDTLS_X509_NS_CERT_TYPE_EMAIL   (0x20) /* bit 2 */
 
#define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING   (0x10) /* bit 3 */
 
#define MBEDTLS_X509_NS_CERT_TYPE_RESERVED   (0x08) /* bit 4 */
 
#define MBEDTLS_X509_NS_CERT_TYPE_SSL_CA   (0x04) /* bit 5 */
 
#define MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA   (0x02) /* bit 6 */
 
#define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA   (0x01) /* bit 7 */
 
#define MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER   (1 << 0)
 
#define MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER   (1 << 1)
 
#define MBEDTLS_X509_EXT_KEY_USAGE   (1 << 2)
 
#define MBEDTLS_X509_EXT_CERTIFICATE_POLICIES   (1 << 3)
 
#define MBEDTLS_X509_EXT_POLICY_MAPPINGS   (1 << 4)
 
#define MBEDTLS_X509_EXT_SUBJECT_ALT_NAME   (1 << 5) /* Supported (DNS) */
 
#define MBEDTLS_X509_EXT_ISSUER_ALT_NAME   (1 << 6)
 
#define MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS   (1 << 7)
 
#define MBEDTLS_X509_EXT_BASIC_CONSTRAINTS   (1 << 8) /* Supported */
 
#define MBEDTLS_X509_EXT_NAME_CONSTRAINTS   (1 << 9)
 
#define MBEDTLS_X509_EXT_POLICY_CONSTRAINTS   (1 << 10)
 
#define MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE   (1 << 11)
 
#define MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS   (1 << 12)
 
#define MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY   (1 << 13)
 
#define MBEDTLS_X509_EXT_FRESHEST_CRL   (1 << 14)
 
#define MBEDTLS_X509_EXT_NS_CERT_TYPE   (1 << 16) /* Parsed (and then ?) */
 
#define MBEDTLS_X509_FORMAT_DER   1
 
#define MBEDTLS_X509_FORMAT_PEM   2
 
#define MBEDTLS_X509_MAX_DN_NAME_SIZE   256
 Maximum value size of a DN entry. More...
 
#define MBEDTLS_X509_SAFE_SNPRINTF
 
X509 Error codes
#define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE   -0x2080
 Unavailable feature, e.g. More...
 
#define MBEDTLS_ERR_X509_UNKNOWN_OID   -0x2100
 Requested OID is unknown. More...
 
#define MBEDTLS_ERR_X509_INVALID_FORMAT   -0x2180
 The CRT/CRL/CSR format is invalid, e.g. More...
 
#define MBEDTLS_ERR_X509_INVALID_VERSION   -0x2200
 The CRT/CRL/CSR version element is invalid. More...
 
#define MBEDTLS_ERR_X509_INVALID_SERIAL   -0x2280
 The serial tag or value is invalid. More...
 
#define MBEDTLS_ERR_X509_INVALID_ALG   -0x2300
 The algorithm tag or value is invalid. More...
 
#define MBEDTLS_ERR_X509_INVALID_NAME   -0x2380
 The name tag or value is invalid. More...
 
#define MBEDTLS_ERR_X509_INVALID_DATE   -0x2400
 The date tag or value is invalid. More...
 
#define MBEDTLS_ERR_X509_INVALID_SIGNATURE   -0x2480
 The signature tag or value is invalid. More...
 
#define MBEDTLS_ERR_X509_INVALID_EXTENSIONS   -0x2500
 The extension tag or value is invalid. More...
 
#define MBEDTLS_ERR_X509_UNKNOWN_VERSION   -0x2580
 CRT/CRL/CSR has an unsupported version number. More...
 
#define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG   -0x2600
 Signature algorithm (oid) is unsupported. More...
 
#define MBEDTLS_ERR_X509_SIG_MISMATCH   -0x2680
 Signature algorithms do not match. More...
 
#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED   -0x2700
 Certificate verification failed, e.g. More...
 
#define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT   -0x2780
 Format not recognized as DER or PEM. More...
 
#define MBEDTLS_ERR_X509_BAD_INPUT_DATA   -0x2800
 Input invalid. More...
 
#define MBEDTLS_ERR_X509_ALLOC_FAILED   -0x2880
 Allocation of memory failed. More...
 
#define MBEDTLS_ERR_X509_FILE_IO_ERROR   -0x2900
 Read/write of file failed. More...
 
#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL   -0x2980
 Destination buffer is too small. More...
 
X509 Verify codes
#define MBEDTLS_X509_BADCERT_EXPIRED   0x01
 The certificate validity has expired. More...
 
#define MBEDTLS_X509_BADCERT_REVOKED   0x02
 The certificate has been revoked (is on a CRL). More...
 
#define MBEDTLS_X509_BADCERT_CN_MISMATCH   0x04
 The certificate Common Name (CN) does not match with the expected CN. More...
 
#define MBEDTLS_X509_BADCERT_NOT_TRUSTED   0x08
 The certificate is not correctly signed by the trusted CA. More...
 
#define MBEDTLS_X509_BADCRL_NOT_TRUSTED   0x10
 The CRL is not correctly signed by the trusted CA. More...
 
#define MBEDTLS_X509_BADCRL_EXPIRED   0x20
 The CRL is expired. More...
 
#define MBEDTLS_X509_BADCERT_MISSING   0x40
 Certificate was missing. More...
 
#define MBEDTLS_X509_BADCERT_SKIP_VERIFY   0x80
 Certificate verification was skipped. More...
 
#define MBEDTLS_X509_BADCERT_OTHER   0x0100
 Other reason (can be used by verify callback) More...
 
#define MBEDTLS_X509_BADCERT_FUTURE   0x0200
 The certificate validity starts in the future. More...
 
#define MBEDTLS_X509_BADCRL_FUTURE   0x0400
 The CRL is from the future. More...
 
#define MBEDTLS_X509_BADCERT_KEY_USAGE   0x0800
 Usage does not match the keyUsage extension. More...
 
#define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE   0x1000
 Usage does not match the extendedKeyUsage extension. More...
 
#define MBEDTLS_X509_BADCERT_NS_CERT_TYPE   0x2000
 Usage does not match the nsCertType extension. More...
 
#define MBEDTLS_X509_BADCERT_BAD_MD   0x4000
 The certificate is signed with an unacceptable hash. More...
 
#define MBEDTLS_X509_BADCERT_BAD_PK   0x8000
 The certificate is signed with an unacceptable PK alg (e.g. RSA vs ECDSA). More...
 
#define MBEDTLS_X509_BADCERT_BAD_KEY   0x010000
 The certificate is signed with an unacceptable key (e.g. bad curve, RSA too short). More...
 
#define MBEDTLS_X509_BADCRL_BAD_MD   0x020000
 The CRL is signed with an unacceptable hash. More...
 
#define MBEDTLS_X509_BADCRL_BAD_PK   0x040000
 The CRL is signed with an unacceptable PK alg (e.g. RSA vs ECDSA). More...
 
#define MBEDTLS_X509_BADCRL_BAD_KEY   0x080000
 The CRL is signed with an unacceptable key (e.g. bad curve, RSA too short). More...
 

Typedefs

Structures for parsing X.509 certificates, CRLs and CSRs
typedef mbedtls_asn1_buf mbedtls_x509_buf
 Type-length-value structure that allows for ASN1 using DER. More...
 
typedef mbedtls_asn1_bitstring mbedtls_x509_bitstring
 Container for ASN1 bit strings. More...
 
typedef mbedtls_asn1_named_data mbedtls_x509_name
 Container for ASN1 named information objects. More...
 
typedef mbedtls_asn1_sequence mbedtls_x509_sequence
 Container for a sequence of ASN.1 items. More...
 
typedef struct mbedtls_x509_time mbedtls_x509_time
 Container for date and time (precision in seconds). More...
 

Functions

int mbedtls_x509_dn_gets (char *buf, size_t size, const mbedtls_x509_name *dn)
 Store the certificate DN in printable form into buf; no more than size characters will be written. More...
 
int mbedtls_x509_serial_gets (char *buf, size_t size, const mbedtls_x509_buf *serial)
 Store the certificate serial in printable form into buf; no more than size characters will be written. More...
 
int mbedtls_x509_time_is_past (const mbedtls_x509_time *time)
 Check a given mbedtls_x509_time against the system time and tell if it's in the past. More...
 
int mbedtls_x509_time_is_future (const mbedtls_x509_time *time)
 Check a given mbedtls_x509_time against the system time and tell if it's in the future. More...
 
int mbedtls_x509_self_test (int verbose)
 Checkup routine. More...
 
int mbedtls_x509_get_name (unsigned char **p, const unsigned char *end, mbedtls_x509_name *cur)
 
int mbedtls_x509_get_alg_null (unsigned char **p, const unsigned char *end, mbedtls_x509_buf *alg)
 
int mbedtls_x509_get_alg (unsigned char **p, const unsigned char *end, mbedtls_x509_buf *alg, mbedtls_x509_buf *params)
 
int mbedtls_x509_get_sig (unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig)
 
int mbedtls_x509_get_sig_alg (const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params, mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg, void **sig_opts)
 
int mbedtls_x509_get_time (unsigned char **p, const unsigned char *end, mbedtls_x509_time *time)
 
int mbedtls_x509_get_serial (unsigned char **p, const unsigned char *end, mbedtls_x509_buf *serial)
 
int mbedtls_x509_get_ext (unsigned char **p, const unsigned char *end, mbedtls_x509_buf *ext, int tag)
 
int mbedtls_x509_sig_alg_gets (char *buf, size_t size, const mbedtls_x509_buf *sig_oid, mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg, const void *sig_opts)
 
int mbedtls_x509_key_size_helper (char *buf, size_t buf_size, const char *name)
 
int mbedtls_x509_string_to_names (mbedtls_asn1_named_data **head, const char *name)
 
int mbedtls_x509_set_extension (mbedtls_asn1_named_data **head, const char *oid, size_t oid_len, int critical, const unsigned char *val, size_t val_len)
 
int mbedtls_x509_write_extensions (unsigned char **p, unsigned char *start, mbedtls_asn1_named_data *first)
 
int mbedtls_x509_write_names (unsigned char **p, unsigned char *start, mbedtls_asn1_named_data *first)
 
int mbedtls_x509_write_sig (unsigned char **p, unsigned char *start, const char *oid, size_t oid_len, unsigned char *sig, size_t size)
 

Macro Definition Documentation

#define MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER   (1 << 0)

Definition at line 144 of file x509.h.

#define MBEDTLS_X509_EXT_BASIC_CONSTRAINTS   (1 << 8) /* Supported */

Definition at line 152 of file x509.h.

#define MBEDTLS_X509_EXT_CERTIFICATE_POLICIES   (1 << 3)

Definition at line 147 of file x509.h.

#define MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS   (1 << 12)

Definition at line 156 of file x509.h.

#define MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE   (1 << 11)

Definition at line 155 of file x509.h.

#define MBEDTLS_X509_EXT_FRESHEST_CRL   (1 << 14)

Definition at line 158 of file x509.h.

#define MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY   (1 << 13)

Definition at line 157 of file x509.h.

#define MBEDTLS_X509_EXT_ISSUER_ALT_NAME   (1 << 6)

Definition at line 150 of file x509.h.

#define MBEDTLS_X509_EXT_KEY_USAGE   (1 << 2)

Definition at line 146 of file x509.h.

#define MBEDTLS_X509_EXT_NAME_CONSTRAINTS   (1 << 9)

Definition at line 153 of file x509.h.

#define MBEDTLS_X509_EXT_NS_CERT_TYPE   (1 << 16) /* Parsed (and then ?) */

Definition at line 160 of file x509.h.

#define MBEDTLS_X509_EXT_POLICY_CONSTRAINTS   (1 << 10)

Definition at line 154 of file x509.h.

#define MBEDTLS_X509_EXT_POLICY_MAPPINGS   (1 << 4)

Definition at line 148 of file x509.h.

#define MBEDTLS_X509_EXT_SUBJECT_ALT_NAME   (1 << 5) /* Supported (DNS) */

Definition at line 149 of file x509.h.

#define MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS   (1 << 7)

Definition at line 151 of file x509.h.

#define MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER   (1 << 1)

Definition at line 145 of file x509.h.

#define MBEDTLS_X509_FORMAT_DER   1

Definition at line 166 of file x509.h.

#define MBEDTLS_X509_FORMAT_PEM   2

Definition at line 167 of file x509.h.

#define MBEDTLS_X509_KU_CRL_SIGN   (0x02) /* bit 6 */

Definition at line 120 of file x509.h.

#define MBEDTLS_X509_KU_DATA_ENCIPHERMENT   (0x10) /* bit 3 */

Definition at line 117 of file x509.h.

#define MBEDTLS_X509_KU_DECIPHER_ONLY   (0x8000) /* bit 8 */

Definition at line 122 of file x509.h.

#define MBEDTLS_X509_KU_DIGITAL_SIGNATURE   (0x80) /* bit 0 */

Definition at line 114 of file x509.h.

#define MBEDTLS_X509_KU_ENCIPHER_ONLY   (0x01) /* bit 7 */

Definition at line 121 of file x509.h.

#define MBEDTLS_X509_KU_KEY_AGREEMENT   (0x08) /* bit 4 */

Definition at line 118 of file x509.h.

#define MBEDTLS_X509_KU_KEY_CERT_SIGN   (0x04) /* bit 5 */

Definition at line 119 of file x509.h.

#define MBEDTLS_X509_KU_KEY_ENCIPHERMENT   (0x20) /* bit 2 */

Definition at line 116 of file x509.h.

#define MBEDTLS_X509_KU_NON_REPUDIATION   (0x40) /* bit 1 */

Definition at line 115 of file x509.h.

#define MBEDTLS_X509_MAX_DN_NAME_SIZE   256

Maximum value size of a DN entry.

Definition at line 169 of file x509.h.

#define MBEDTLS_X509_NS_CERT_TYPE_EMAIL   (0x20) /* bit 2 */

Definition at line 131 of file x509.h.

#define MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA   (0x02) /* bit 6 */

Definition at line 135 of file x509.h.

#define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING   (0x10) /* bit 3 */

Definition at line 132 of file x509.h.

#define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA   (0x01) /* bit 7 */

Definition at line 136 of file x509.h.

#define MBEDTLS_X509_NS_CERT_TYPE_RESERVED   (0x08) /* bit 4 */

Definition at line 133 of file x509.h.

#define MBEDTLS_X509_NS_CERT_TYPE_SSL_CA   (0x04) /* bit 5 */

Definition at line 134 of file x509.h.

#define MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT   (0x80) /* bit 0 */

Definition at line 129 of file x509.h.

#define MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER   (0x40) /* bit 1 */

Definition at line 130 of file x509.h.

#define MBEDTLS_X509_SAFE_SNPRINTF
Value:
do { \
if( ret < 0 || (size_t) ret >= n ) \
return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL ); \
\
n -= (size_t) ret; \
p += (size_t) ret; \
} while( 0 )

Definition at line 318 of file x509.h.

Function Documentation

int mbedtls_x509_dn_gets ( char *  buf,
size_t  size,
const mbedtls_x509_name dn 
)

Store the certificate DN in printable form into buf; no more than size characters will be written.

Parameters
buf: Buffer to write to
size: Maximum size of the buffer
dn: The X509 name to represent
Returns
The length of the string written (not including the terminating nul byte), or a negative error code.
int mbedtls_x509_get_alg ( unsigned char **  p,
const unsigned char *  end,
mbedtls_x509_buf alg,
mbedtls_x509_buf params 
)
int mbedtls_x509_get_alg_null ( unsigned char **  p,
const unsigned char *  end,
mbedtls_x509_buf alg 
)
int mbedtls_x509_get_ext ( unsigned char **  p,
const unsigned char *  end,
mbedtls_x509_buf ext,
int  tag 
)
int mbedtls_x509_get_name ( unsigned char **  p,
const unsigned char *  end,
mbedtls_x509_name cur 
)
int mbedtls_x509_get_serial ( unsigned char **  p,
const unsigned char *  end,
mbedtls_x509_buf serial 
)
int mbedtls_x509_get_sig ( unsigned char **  p,
const unsigned char *  end,
mbedtls_x509_buf sig 
)
int mbedtls_x509_get_sig_alg ( const mbedtls_x509_buf sig_oid,
const mbedtls_x509_buf sig_params,
mbedtls_md_type_t md_alg,
mbedtls_pk_type_t pk_alg,
void **  sig_opts 
)
int mbedtls_x509_get_time ( unsigned char **  p,
const unsigned char *  end,
mbedtls_x509_time time 
)
int mbedtls_x509_key_size_helper ( char *  buf,
size_t  buf_size,
const char *  name 
)
int mbedtls_x509_self_test ( int  verbose)

Checkup routine.

Returns
0 if successful, or 1 if the test failed
int mbedtls_x509_serial_gets ( char *  buf,
size_t  size,
const mbedtls_x509_buf serial 
)

Store the certificate serial in printable form into buf; no more than size characters will be written.

Parameters
buf: Buffer to write to
size: Maximum size of the buffer
serial: The X509 serial to represent
Returns
The length of the string written (not including the terminating nul byte), or a negative error code.
int mbedtls_x509_set_extension ( mbedtls_asn1_named_data **  head,
const char *  oid,
size_t  oid_len,
int  critical,
const unsigned char *  val,
size_t  val_len 
)
int mbedtls_x509_sig_alg_gets ( char *  buf,
size_t  size,
const mbedtls_x509_buf sig_oid,
mbedtls_pk_type_t  pk_alg,
mbedtls_md_type_t  md_alg,
const void *  sig_opts 
)
int mbedtls_x509_string_to_names ( mbedtls_asn1_named_data **  head,
const char *  name 
)
int mbedtls_x509_time_is_future ( const mbedtls_x509_time time)

Check a given mbedtls_x509_time against the system time and tell if it's in the future.

Note
Intended usage is "if( is_future( valid_from ) ) ERROR". Hence it also returns 1 on internal errors, so that a check that could not be completed is treated as a failure.
Parameters
time: mbedtls_x509_time to check
Returns
1 if the given time is in the future or an error occurred, 0 otherwise.
int mbedtls_x509_time_is_past ( const mbedtls_x509_time time)

Check a given mbedtls_x509_time against the system time and tell if it's in the past.

Note
Intended usage is "if( is_past( valid_to ) ) ERROR". Hence it also returns 1 on internal errors, so that a check that could not be completed is treated as a failure.
Parameters
time: mbedtls_x509_time to check
Returns
1 if the given time is in the past or an error occurred, 0 otherwise.
int mbedtls_x509_write_extensions ( unsigned char **  p,
unsigned char *  start,
mbedtls_asn1_named_data first 
)
int mbedtls_x509_write_names ( unsigned char **  p,
unsigned char *  start,
mbedtls_asn1_named_data first 
)
int mbedtls_x509_write_sig ( unsigned char **  p,
unsigned char *  start,
const char *  oid,
size_t  oid_len,
unsigned char *  sig,
size_t  size 
)