mbed TLS v2.2.0
x509_crt.h
23 #ifndef MBEDTLS_X509_CRT_H
24 #define MBEDTLS_X509_CRT_H
25 
26 #if !defined(MBEDTLS_CONFIG_FILE)
27 #include "config.h"
28 #else
29 #include MBEDTLS_CONFIG_FILE
30 #endif
31 
32 #include "x509.h"
33 #include "x509_crl.h"
34 
40 #ifdef __cplusplus
41 extern "C" {
42 #endif
43 
/**
 * Container for an X.509 certificate.
 *
 * NOTE(review): this rendered listing shows only a few of the members;
 * the full definition also holds the raw/tbs DER buffers, serial, issuer,
 * subject, validity times, the public key context and the signature
 * fields (see the member descriptions further down the page).
 */
52 typedef struct mbedtls_x509_crt
53 {
57  int version;                /**< The X.509 version. */
77  int ext_types;              /**< Bit string containing detected and parsed extensions. */
78  int ca_istrue;              /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
81  unsigned int key_usage;     /**< Optional key usage extension value: see the values in x509.h. */
85  unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: see the values in x509.h. */
90  void *sig_opts;             /**< Signature options to be passed to mbedtls_pk_verify_ext(). */
93 }
95 
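/**
 * \brief   Build the single-bit flag for algorithm/curve identifier \p id,
 *          as used in the allowed_mds / allowed_pks / allowed_curves
 *          bitmasks of a certificate verification profile.
 *
 * \param id  A 1-based identifier (e.g. an mbedtls_md_type_t or
 *            mbedtls_pk_type_t value). It must be >= 1: an \p id of 0
 *            would shift by -1, which is undefined behaviour, and it must
 *            be small enough that the shift stays within the width of int.
 *
 * The macro argument is parenthesised so that an expression argument
 * (e.g. one containing `|` or `?:`) expands as the caller intended.
 */
#define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( (id) - 1 ) )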
101 
/**
 * Security profile for certificate verification.
 *
 * The allowed_* members are bitmasks; presumably each bit is built with
 * MBEDTLS_X509_ID_FLAG() from the corresponding MD / PK / curve
 * identifier — confirm against the profile definitions below.
 * NOTE(review): a certificate using an algorithm or key size outside the
 * profile is expected to fail mbedtls_x509_crt_verify_with_profile();
 * prefer the stricter profiles unless compatibility requires otherwise.
 */
107 typedef struct
108 {
109  uint32_t allowed_mds;     /**< MDs for signatures. */
110  uint32_t allowed_pks;     /**< PK algs for signatures. */
111  uint32_t allowed_curves;  /**< Elliptic curves for ECDSA. */
112  uint32_t rsa_min_bitlen;  /**< Minimum size for RSA keys. */
113 }
115 
116 #define MBEDTLS_X509_CRT_VERSION_1 0
117 #define MBEDTLS_X509_CRT_VERSION_2 1
118 #define MBEDTLS_X509_CRT_VERSION_3 2
119 
120 #define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32
121 #define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15
122 
127 {
128  int version;
138 }
140 
141 #if defined(MBEDTLS_X509_CRT_PARSE_C)
142 
146 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default;
147 
152 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next;
153 
157 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb;
158 
169 int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *buf,
170  size_t buflen );
171 
187 int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen );
188 
189 #if defined(MBEDTLS_FS_IO)
190 
203 int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path );
204 
218 int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path );
219 #endif /* MBEDTLS_FS_IO */
220 
233 int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
234  const mbedtls_x509_crt *crt );
235 
248 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
249  uint32_t flags );
250 
/**
 * \brief  Verify a certificate chain against a set of trusted CAs
 *         (and, optionally, their revocation lists) without an explicit
 *         profile — presumably mbedtls_x509_crt_profile_default is used;
 *         confirm against the implementation.
 *
 * \param crt       The certificate chain to be verified.
 * \param trust_ca  The list of trusted CA certificates.
 * \param ca_crl    The revocation lists for the trusted CAs.
 * \param cn        The expected Common Name / hostname of the leaf
 *                  certificate. NOTE(review): a TLS client should always
 *                  pass the name it intended to connect to; whether NULL
 *                  skips the name check is not visible here — confirm.
 * \param flags     Receives the verification result bitmask; it appears
 *                  to be the same value mbedtls_x509_crt_verify_info()
 *                  renders as text.
 * \param f_vrfy    Optional per-certificate callback. From the signature
 *                  it receives p_vrfy, the certificate, an int (presumably
 *                  the depth in the chain) and a pointer to that
 *                  certificate's flags — confirm.
 * \param p_vrfy    Opaque context handed to \p f_vrfy.
 *
 * \return Expected to be 0 only when the chain verifies. Callers should
 *         treat any non-zero return as a failed verification and consult
 *         *flags for the reason rather than ignoring the result.
 */
290 int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
291  mbedtls_x509_crt *trust_ca,
292  mbedtls_x509_crl *ca_crl,
293  const char *cn, uint32_t *flags,
294  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
295  void *p_vrfy );
296 
/**
 * \brief  Verify a certificate chain against trusted CAs using an explicit
 *         security profile that restricts the acceptable signature hashes,
 *         public-key algorithms, curves and minimum RSA key size.
 *
 * \param crt       The certificate chain to be verified.
 * \param trust_ca  The list of trusted CA certificates.
 * \param ca_crl    The revocation lists for the trusted CAs.
 * \param profile   The security profile to enforce (see
 *                  mbedtls_x509_crt_profile_default / _next / _suiteb).
 * \param cn        The expected Common Name / hostname of the leaf
 *                  certificate — see mbedtls_x509_crt_verify().
 * \param flags     Receives the verification result bitmask.
 * \param f_vrfy    Optional per-certificate callback, same contract as in
 *                  mbedtls_x509_crt_verify().
 * \param p_vrfy    Opaque context handed to \p f_vrfy.
 *
 * \return Expected to be 0 only when the chain verifies; treat any non-zero
 *         return as failure and consult *flags for the reason.
 *
 * NOTE(review): this is the variant to use when the default profile is
 * too permissive for the deployment — confirm the profile contents before
 * relying on them.
 */
324 int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
325  mbedtls_x509_crt *trust_ca,
326  mbedtls_x509_crl *ca_crl,
327  const mbedtls_x509_crt_profile *profile,
328  const char *cn, uint32_t *flags,
329  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
330  void *p_vrfy );
331 
332 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
333 
354 int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
355  unsigned int usage );
356 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
357 
358 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
359 
371 int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
372  const char *usage_oid,
373  size_t usage_len );
374 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
375 
376 #if defined(MBEDTLS_X509_CRL_PARSE_C)
377 
386 int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl );
387 #endif /* MBEDTLS_X509_CRL_PARSE_C */
388 
394 void mbedtls_x509_crt_init( mbedtls_x509_crt *crt );
395 
401 void mbedtls_x509_crt_free( mbedtls_x509_crt *crt );
402 #endif /* MBEDTLS_X509_CRT_PARSE_C */
403 
404 /* \} name */
405 /* \} addtogroup x509_module */
406 
407 #if defined(MBEDTLS_X509_CRT_WRITE_C)
408 
413 void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx );
414 
423 void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version );
424 
433 int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial );
434 
449 int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before,
450  const char *not_after );
451 
464 int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *ctx,
465  const char *issuer_name );
466 
479 int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *ctx,
480  const char *subject_name );
481 
488 void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key );
489 
496 void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key );
497 
505 void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg );
506 
520 int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx,
521  const char *oid, size_t oid_len,
522  int critical,
523  const unsigned char *val, size_t val_len );
524 
536 int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx,
537  int is_ca, int max_pathlen );
538 
539 #if defined(MBEDTLS_SHA1_C)
540 
549 int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx );
550 
560 int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx );
561 #endif /* MBEDTLS_SHA1_C */
562 
572 int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
573  unsigned int key_usage );
574 
584 int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx,
585  unsigned char ns_cert_type );
586 
592 void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx );
593 
614 int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
615  int (*f_rng)(void *, unsigned char *, size_t),
616  void *p_rng );
617 
618 #if defined(MBEDTLS_PEM_WRITE_C)
619 
635 int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
636  int (*f_rng)(void *, unsigned char *, size_t),
637  void *p_rng );
638 #endif /* MBEDTLS_PEM_WRITE_C */
639 #endif /* MBEDTLS_X509_CRT_WRITE_C */
640 
641 #ifdef __cplusplus
642 }
643 #endif
644 
645 #endif /* mbedtls_x509_crt.h */
Public key container.
Definition: pk.h:126
mbedtls_x509_sequence subject_alt_names
Optional list of Subject Alternative Names (Only dNSName supported).
Definition: x509_crt.h:75
int ext_types
Bit string containing detected and parsed extensions.
Definition: x509_crt.h:77
uint32_t allowed_curves
Elliptic curves for ECDSA.
Definition: x509_crt.h:111
Certificate revocation list structure.
Definition: x509_crl.h:69
mbedtls_pk_type_t
Public key types.
Definition: pk.h:74
Compatibility names (set of defines)
char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN+1]
Definition: x509_crt.h:136
struct mbedtls_x509_crt * next
Next certificate in the CA-chain.
Definition: x509_crt.h:92
Container for a sequence of ASN.1 items.
Definition: asn1.h:140
mbedtls_x509_name issuer
The parsed issuer data (named information object).
Definition: x509_crt.h:64
mbedtls_x509_buf subject_id
Optional X.509 v2/v3 subject unique identifier.
Definition: x509_crt.h:73
struct mbedtls_x509write_cert mbedtls_x509write_cert
Container for writing a certificate (CRT)
mbedtls_x509_buf tbs
The raw certificate body (DER).
Definition: x509_crt.h:55
Container for a sequence or list of 'named' ASN.1 data items.
Definition: asn1.h:150
mbedtls_x509_buf subject_raw
The raw subject data (DER).
Definition: x509_crt.h:62
mbedtls_x509_buf sig_oid
Signature algorithm, e.g.
Definition: x509_crt.h:59
mbedtls_x509_buf issuer_raw
The raw issuer data (DER).
Definition: x509_crt.h:61
mbedtls_x509_name subject
The parsed subject data (named information object).
Definition: x509_crt.h:65
mbedtls_x509_time valid_to
End time of certificate validity.
Definition: x509_crt.h:68
unsigned char ns_cert_type
Optional Netscape certificate type extension value: See the values in x509.h.
Definition: x509_crt.h:85
Type-length-value structure that allows for ASN1 using DER.
Definition: asn1.h:118
Container for date and time (precision in seconds).
Definition: x509.h:206
Container for writing a certificate (CRT)
Definition: x509_crt.h:126
mbedtls_x509_buf serial
Unique id for certificate issued by a specific CA.
Definition: x509_crt.h:58
uint32_t rsa_min_bitlen
Minimum size for RSA keys.
Definition: x509_crt.h:112
mbedtls_x509_time valid_from
Start time of certificate validity.
Definition: x509_crt.h:67
mbedtls_x509_buf raw
The raw certificate data (DER).
Definition: x509_crt.h:54
#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN
Definition: x509_crt.h:121
mbedtls_pk_context * subject_key
Definition: x509_crt.h:130
mbedtls_pk_type_t sig_pk
Internal representation of the Public Key algorithm of the signature algorithm, e.g.
Definition: x509_crt.h:89
X.509 generic defines and structures.
mbedtls_asn1_named_data * subject
Definition: x509_crt.h:132
mbedtls_pk_context * issuer_key
Definition: x509_crt.h:131
void * sig_opts
Signature options to be passed to mbedtls_pk_verify_ext(), e.g.
Definition: x509_crt.h:90
char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN+1]
Definition: x509_crt.h:135
mbedtls_md_type_t md_alg
Definition: x509_crt.h:134
mbedtls_x509_buf issuer_id
Optional X.509 v2/v3 issuer unique identifier.
Definition: x509_crt.h:72
MPI structure.
Definition: bignum.h:143
X.509 certificate revocation list parsing.
Container for an X.509 certificate.
Definition: x509_crt.h:52
struct mbedtls_x509_crt mbedtls_x509_crt
Container for an X.509 certificate.
mbedtls_x509_sequence ext_key_usage
Optional list of extended key usage OIDs.
Definition: x509_crt.h:83
int max_pathlen
Optional Basic Constraint extension value: The maximum path length to the root certificate.
Definition: x509_crt.h:79
Security profile for certificate verification.
Definition: x509_crt.h:107
mbedtls_asn1_named_data * extensions
Definition: x509_crt.h:137
unsigned int key_usage
Optional key usage extension value: See the values in x509.h.
Definition: x509_crt.h:81
uint32_t allowed_pks
PK algs for signatures.
Definition: x509_crt.h:110
uint32_t allowed_mds
MDs for signatures.
Definition: x509_crt.h:109
mbedtls_pk_context pk
Container for the public key context.
Definition: x509_crt.h:70
mbedtls_x509_buf sig
Signature: hash of the tbs part signed with the private key.
Definition: x509_crt.h:87
mbedtls_md_type_t
Definition: md.h:39
mbedtls_asn1_named_data * issuer
Definition: x509_crt.h:133
mbedtls_mpi serial
Definition: x509_crt.h:129
mbedtls_x509_buf v3_ext
Optional X.509 v3 extensions.
Definition: x509_crt.h:74
int ca_istrue
Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise...
Definition: x509_crt.h:78
int version
The X.509 version.
Definition: x509_crt.h:57
mbedtls_md_type_t sig_md
Internal representation of the MD algorithm of the signature algorithm, e.g.
Definition: x509_crt.h:88