X.509 generic defines and structures. More...

#include "mbedtls/private_access.h"
#include "mbedtls/build_info.h"
#include "mbedtls/asn1.h"
#include "mbedtls/pk.h"

Include dependency graph for x509.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures
struct	mbedtls_x509_authority

struct	mbedtls_x509_time

struct	mbedtls_x509_san_other_name

struct	mbedtls_x509_subject_alternative_name

struct	mbedtls_x509_san_list

Macros
#define	MBEDTLS_X509_SAN_OTHER_NAME 0

#define	MBEDTLS_X509_SAN_RFC822_NAME 1

#define	MBEDTLS_X509_SAN_DNS_NAME 2

#define	MBEDTLS_X509_SAN_X400_ADDRESS_NAME 3

#define	MBEDTLS_X509_SAN_DIRECTORY_NAME 4

#define	MBEDTLS_X509_SAN_EDI_PARTY_NAME 5

#define	MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER 6

#define	MBEDTLS_X509_SAN_IP_ADDRESS 7

#define	MBEDTLS_X509_SAN_REGISTERED_ID 8

#define	MBEDTLS_X509_KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */

#define	MBEDTLS_X509_KU_NON_REPUDIATION (0x40) /* bit 1 */

#define	MBEDTLS_X509_KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */

#define	MBEDTLS_X509_KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */

#define	MBEDTLS_X509_KU_KEY_AGREEMENT (0x08) /* bit 4 */

#define	MBEDTLS_X509_KU_KEY_CERT_SIGN (0x04) /* bit 5 */

#define	MBEDTLS_X509_KU_CRL_SIGN (0x02) /* bit 6 */

#define	MBEDTLS_X509_KU_ENCIPHER_ONLY (0x01) /* bit 7 */

#define	MBEDTLS_X509_KU_DECIPHER_ONLY (0x8000) /* bit 8 */

#define	MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */

#define	MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */

#define	MBEDTLS_X509_NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */

#define	MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */

#define	MBEDTLS_X509_NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */

#define	MBEDTLS_X509_NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */

#define	MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */

#define	MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */

#define	MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER (1 << 0)

#define	MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER (1 << 1)

#define	MBEDTLS_X509_EXT_KEY_USAGE (1 << 2)

#define	MBEDTLS_X509_EXT_CERTIFICATE_POLICIES (1 << 3)

#define	MBEDTLS_X509_EXT_POLICY_MAPPINGS (1 << 4)

#define	MBEDTLS_X509_EXT_SUBJECT_ALT_NAME (1 << 5) /* Supported (DNS) */

#define	MBEDTLS_X509_EXT_ISSUER_ALT_NAME (1 << 6)

#define	MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS (1 << 7)

#define	MBEDTLS_X509_EXT_BASIC_CONSTRAINTS (1 << 8) /* Supported */

#define	MBEDTLS_X509_EXT_NAME_CONSTRAINTS (1 << 9)

#define	MBEDTLS_X509_EXT_POLICY_CONSTRAINTS (1 << 10)

#define	MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE (1 << 11)

#define	MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS (1 << 12)

#define	MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY (1 << 13)

#define	MBEDTLS_X509_EXT_FRESHEST_CRL (1 << 14)

#define	MBEDTLS_X509_EXT_NS_CERT_TYPE (1 << 16)

#define	MBEDTLS_X509_FORMAT_DER 1

#define	MBEDTLS_X509_FORMAT_PEM 2

#define	MBEDTLS_X509_MAX_DN_NAME_SIZE 256

#define	MBEDTLS_X509_SAFE_SNPRINTF

X509 Error codes
#define	MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE -0x2080

#define	MBEDTLS_ERR_X509_UNKNOWN_OID -0x2100

#define	MBEDTLS_ERR_X509_INVALID_FORMAT -0x2180

#define	MBEDTLS_ERR_X509_INVALID_VERSION -0x2200

#define	MBEDTLS_ERR_X509_INVALID_SERIAL -0x2280

#define	MBEDTLS_ERR_X509_INVALID_ALG -0x2300

#define	MBEDTLS_ERR_X509_INVALID_NAME -0x2380

#define	MBEDTLS_ERR_X509_INVALID_DATE -0x2400

#define	MBEDTLS_ERR_X509_INVALID_SIGNATURE -0x2480

#define	MBEDTLS_ERR_X509_INVALID_EXTENSIONS -0x2500

#define	MBEDTLS_ERR_X509_UNKNOWN_VERSION -0x2580

#define	MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG -0x2600

#define	MBEDTLS_ERR_X509_SIG_MISMATCH -0x2680

#define	MBEDTLS_ERR_X509_CERT_VERIFY_FAILED -0x2700

#define	MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT -0x2780

#define	MBEDTLS_ERR_X509_BAD_INPUT_DATA -0x2800

#define	MBEDTLS_ERR_X509_ALLOC_FAILED PSA_ERROR_INSUFFICIENT_MEMORY

#define	MBEDTLS_ERR_X509_FILE_IO_ERROR -0x2900

#define	MBEDTLS_ERR_X509_BUFFER_TOO_SMALL PSA_ERROR_BUFFER_TOO_SMALL

#define	MBEDTLS_ERR_X509_FATAL_ERROR -0x3000

X509 Verify codes
#define	MBEDTLS_X509_BADCERT_EXPIRED 0x01

#define	MBEDTLS_X509_BADCERT_REVOKED 0x02

#define	MBEDTLS_X509_BADCERT_CN_MISMATCH 0x04

#define	MBEDTLS_X509_BADCERT_NOT_TRUSTED 0x08

#define	MBEDTLS_X509_BADCRL_NOT_TRUSTED 0x10

#define	MBEDTLS_X509_BADCRL_EXPIRED 0x20

#define	MBEDTLS_X509_BADCERT_MISSING 0x40

#define	MBEDTLS_X509_BADCERT_SKIP_VERIFY 0x80

#define	MBEDTLS_X509_BADCERT_OTHER 0x0100

#define	MBEDTLS_X509_BADCERT_FUTURE 0x0200

#define	MBEDTLS_X509_BADCRL_FUTURE 0x0400

#define	MBEDTLS_X509_BADCERT_KEY_USAGE 0x0800

#define	MBEDTLS_X509_BADCERT_EXT_KEY_USAGE 0x1000

#define	MBEDTLS_X509_BADCERT_NS_CERT_TYPE 0x2000

#define	MBEDTLS_X509_BADCERT_BAD_MD 0x4000

#define	MBEDTLS_X509_BADCERT_BAD_PK 0x8000

#define	MBEDTLS_X509_BADCERT_BAD_KEY 0x010000

#define	MBEDTLS_X509_BADCRL_BAD_MD 0x020000

#define	MBEDTLS_X509_BADCRL_BAD_PK 0x040000

#define	MBEDTLS_X509_BADCRL_BAD_KEY 0x080000

Typedefs
Structures for parsing X.509 certificates, CRLs and CSRs
typedef mbedtls_asn1_buf	mbedtls_x509_buf

typedef mbedtls_asn1_bitstring	mbedtls_x509_bitstring

typedef mbedtls_asn1_named_data	mbedtls_x509_name

typedef mbedtls_asn1_sequence	mbedtls_x509_sequence

typedef struct mbedtls_x509_authority	mbedtls_x509_authority

typedef struct mbedtls_x509_time	mbedtls_x509_time

typedef struct mbedtls_x509_san_other_name	mbedtls_x509_san_other_name

typedef struct mbedtls_x509_subject_alternative_name	mbedtls_x509_subject_alternative_name

typedef struct mbedtls_x509_san_list	mbedtls_x509_san_list

Functions
int	mbedtls_x509_dn_gets (char buf, size_t size, const mbedtls_x509_name dn)
	Store the certificate DN in printable form into buf; no more than size characters will be written. More...

int	mbedtls_x509_string_to_names (mbedtls_asn1_named_data *head, const char name)
	Convert the certificate DN string `name` into a linked list of mbedtls_x509_name (equivalent to mbedtls_asn1_named_data). More...

static mbedtls_x509_name *	mbedtls_x509_dn_get_next (mbedtls_x509_name *dn)
	Return the next relative DN in an X509 name. More...

int	mbedtls_x509_serial_gets (char buf, size_t size, const mbedtls_x509_buf serial)
	Store the certificate serial in printable form into buf; no more than size characters will be written. More...

int	mbedtls_x509_time_cmp (const mbedtls_x509_time t1, const mbedtls_x509_time t2)
	Compare pair of mbedtls_x509_time. More...

int	mbedtls_x509_time_gmtime (mbedtls_time_t tt, mbedtls_x509_time *now)
	Fill mbedtls_x509_time with provided mbedtls_time_t. More...

int	mbedtls_x509_time_is_past (const mbedtls_x509_time *to)
	Check a given mbedtls_x509_time against the system time and tell if it's in the past. More...

int	mbedtls_x509_time_is_future (const mbedtls_x509_time *from)
	Check a given mbedtls_x509_time against the system time and tell if it's in the future. More...

int	mbedtls_x509_parse_subject_alt_name (const mbedtls_x509_buf san_buf, mbedtls_x509_subject_alternative_name san)
	This function parses an item in the SubjectAlternativeNames extension. Please note that this function might allocate additional memory for a subject alternative name, thus mbedtls_x509_free_subject_alt_name has to be called to dispose of this additional memory afterwards. More...

void	mbedtls_x509_free_subject_alt_name (mbedtls_x509_subject_alternative_name *san)
	Unallocate all data related to subject alternative name. More...

size_t	mbedtls_x509_crt_parse_cn_inet_pton (const char cn, void dst)
	This function parses a CN string as an IP address. More...

Detailed Description

X.509 generic defines and structures.

Definition in file x509.h.

Macro Definition Documentation

#define MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER (1 << 0)

Definition at line 167 of file x509.h.

#define MBEDTLS_X509_EXT_BASIC_CONSTRAINTS (1 << 8) /* Supported */

Definition at line 175 of file x509.h.

#define MBEDTLS_X509_EXT_CERTIFICATE_POLICIES (1 << 3)

Definition at line 170 of file x509.h.

#define MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS (1 << 12)

Definition at line 179 of file x509.h.

#define MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE (1 << 11)

Definition at line 178 of file x509.h.

#define MBEDTLS_X509_EXT_FRESHEST_CRL (1 << 14)

Definition at line 181 of file x509.h.

#define MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY (1 << 13)

Definition at line 180 of file x509.h.

#define MBEDTLS_X509_EXT_ISSUER_ALT_NAME (1 << 6)

Definition at line 173 of file x509.h.

#define MBEDTLS_X509_EXT_KEY_USAGE (1 << 2)

Definition at line 169 of file x509.h.

#define MBEDTLS_X509_EXT_NAME_CONSTRAINTS (1 << 9)

Definition at line 176 of file x509.h.

#define MBEDTLS_X509_EXT_NS_CERT_TYPE (1 << 16)

Definition at line 182 of file x509.h.

#define MBEDTLS_X509_EXT_POLICY_CONSTRAINTS (1 << 10)

Definition at line 177 of file x509.h.

#define MBEDTLS_X509_EXT_POLICY_MAPPINGS (1 << 4)

Definition at line 171 of file x509.h.

#define MBEDTLS_X509_EXT_SUBJECT_ALT_NAME (1 << 5) /* Supported (DNS) */

Definition at line 172 of file x509.h.

#define MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS (1 << 7)

Definition at line 174 of file x509.h.

#define MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER (1 << 1)

Definition at line 168 of file x509.h.

#define MBEDTLS_X509_FORMAT_DER 1

Definition at line 188 of file x509.h.

#define MBEDTLS_X509_FORMAT_PEM 2

Definition at line 189 of file x509.h.

#define MBEDTLS_X509_KU_CRL_SIGN (0x02) /* bit 6 */

Definition at line 143 of file x509.h.

#define MBEDTLS_X509_KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */

Definition at line 140 of file x509.h.

#define MBEDTLS_X509_KU_DECIPHER_ONLY (0x8000) /* bit 8 */

Definition at line 145 of file x509.h.

#define MBEDTLS_X509_KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */

Definition at line 137 of file x509.h.

#define MBEDTLS_X509_KU_ENCIPHER_ONLY (0x01) /* bit 7 */

Definition at line 144 of file x509.h.

#define MBEDTLS_X509_KU_KEY_AGREEMENT (0x08) /* bit 4 */

Definition at line 141 of file x509.h.

#define MBEDTLS_X509_KU_KEY_CERT_SIGN (0x04) /* bit 5 */

Definition at line 142 of file x509.h.

#define MBEDTLS_X509_KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */

Definition at line 139 of file x509.h.

#define MBEDTLS_X509_KU_NON_REPUDIATION (0x40) /* bit 1 */

Definition at line 138 of file x509.h.

#define MBEDTLS_X509_MAX_DN_NAME_SIZE 256

Maximum value size of a DN entry

Definition at line 191 of file x509.h.

#define MBEDTLS_X509_NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */

Definition at line 154 of file x509.h.

#define MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */

Definition at line 158 of file x509.h.

#define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */

Definition at line 155 of file x509.h.

#define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */

Definition at line 159 of file x509.h.

#define MBEDTLS_X509_NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */

Definition at line 156 of file x509.h.

#define MBEDTLS_X509_NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */

Definition at line 157 of file x509.h.

#define MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */

Definition at line 152 of file x509.h.

#define MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */

Definition at line 153 of file x509.h.

#define MBEDTLS_X509_SAFE_SNPRINTF

Value:

do {                                                    \
        if (ret < 0 || (size_t) ret >= n)                  \
        return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;    \
                                                          \
        n -= (size_t) ret;                                  \
        p += (size_t) ret;                                  \
    } while (0)

Definition at line 480 of file x509.h.

#define MBEDTLS_X509_SAN_DIRECTORY_NAME 4

Definition at line 127 of file x509.h.

#define MBEDTLS_X509_SAN_DNS_NAME 2

Definition at line 125 of file x509.h.

#define MBEDTLS_X509_SAN_EDI_PARTY_NAME 5

Definition at line 128 of file x509.h.

#define MBEDTLS_X509_SAN_IP_ADDRESS 7

Definition at line 130 of file x509.h.

#define MBEDTLS_X509_SAN_OTHER_NAME 0

Definition at line 123 of file x509.h.

#define MBEDTLS_X509_SAN_REGISTERED_ID 8

Definition at line 131 of file x509.h.

#define MBEDTLS_X509_SAN_RFC822_NAME 1

Definition at line 124 of file x509.h.

#define MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER 6

Definition at line 129 of file x509.h.

#define MBEDTLS_X509_SAN_X400_ADDRESS_NAME 3

Definition at line 126 of file x509.h.

Function Documentation

size_t mbedtls_x509_crt_parse_cn_inet_pton	(	const char *	cn,
		void *	dst
	)

This function parses a CN string as an IP address.

Parameters

cn	The CN string to parse. CN string MUST be null-terminated.
dst	The target buffer to populate with the binary IP address. The buffer MUST be 16 bytes to save IPv6, and should be 4-byte aligned if the result will be used as struct in_addr. e.g. uint32_t dst[4]

Note: cn is parsed as an IPv6 address if string contains ':', else cn is parsed as an IPv4 address.

Returns: Length of binary IP address; num bytes written to target.; 0 on failure to parse CN string as an IP address.

static mbedtls_x509_name* mbedtls_x509_dn_get_next ( mbedtls_x509_name * dn )

inlinestatic

Return the next relative DN in an X509 name.

Note: Intended use is to compare function result to dn->next in order to detect boundaries of multi-valued RDNs.

Parameters

dn	Current node in the X509 name

Returns: Pointer to the first attribute-value pair of the next RDN in sequence, or NULL if end is reached.

Definition at line 347 of file x509.h.

References mbedtls_asn1_named_data::next.

int mbedtls_x509_dn_gets	(	char *	buf,
		size_t	size,
		const mbedtls_x509_name *	dn
	)

Store the certificate DN in printable form into buf; no more than size characters will be written.

Parameters

buf	Buffer to write to
size	Maximum size of buffer
dn	The X509 name to represent

Returns: The length of the string written (not including the terminated nul byte), or a negative error code.

void mbedtls_x509_free_subject_alt_name ( mbedtls_x509_subject_alternative_name * san )

Unallocate all data related to subject alternative name.

Parameters

san	SAN structure - extra memory owned by this structure will be freed

int mbedtls_x509_parse_subject_alt_name	(	const mbedtls_x509_buf *	san_buf,
		mbedtls_x509_subject_alternative_name *	san
	)

This function parses an item in the SubjectAlternativeNames extension. Please note that this function might allocate additional memory for a subject alternative name, thus mbedtls_x509_free_subject_alt_name has to be called to dispose of this additional memory afterwards.

Parameters

san_buf	The buffer holding the raw data item of the subject alternative name.
san	The target structure to populate with the parsed presentation of the subject alternative name encoded in `san_buf`.

Note: Supported GeneralName types, as defined in RFC 5280: "rfc822Name", "dnsName", "directoryName", "uniformResourceIdentifier" and "hardware_module_name" of type "otherName", as defined in RFC 4108.; This function should be called on a single raw data of subject alternative name. For example, after successful certificate parsing, one must iterate on every item in the crt->subject_alt_names sequence, and pass it to this function.

Warning: The target structure contains pointers to the raw data of the parsed certificate, and its lifetime is restricted by the lifetime of the certificate.

Returns: 0 on success; MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE for an unsupported SAN type.; Another negative value for any other failure.

int mbedtls_x509_serial_gets	(	char *	buf,
		size_t	size,
		const mbedtls_x509_buf *	serial
	)

Store the certificate serial in printable form into buf; no more than size characters will be written.

Parameters

buf	Buffer to write to
size	Maximum size of buffer
serial	The X509 serial to represent

Returns: The length of the string written (not including the terminated nul byte), or a negative error code.

int mbedtls_x509_string_to_names	(	mbedtls_asn1_named_data **	head,
		const char *	name
	)

Convert the certificate DN string name into a linked list of mbedtls_x509_name (equivalent to mbedtls_asn1_named_data).

Note: This function allocates a linked list, and places the head pointer in head. This list must later be freed by a call to mbedtls_asn1_free_named_data_list().

Parameters

[out]	head	Address in which to store the pointer to the head of the allocated list of mbedtls_x509_name. Must point to NULL on entry.
[in]	name	The string representation of a DN to convert

Returns: 0 on success, or a negative error code.

int mbedtls_x509_time_cmp	(	const mbedtls_x509_time *	t1,
		const mbedtls_x509_time *	t2
	)

Compare pair of mbedtls_x509_time.

Parameters

t1	mbedtls_x509_time to compare
t2	mbedtls_x509_time to compare

Returns: < 0 if t1 is before t2 0 if t1 equals t2 > 0 if t1 is after t2

int mbedtls_x509_time_gmtime	(	mbedtls_time_t	tt,
		mbedtls_x509_time *	now
	)

Fill mbedtls_x509_time with provided mbedtls_time_t.

Parameters

tt	mbedtls_time_t to convert
now	mbedtls_x509_time to fill with converted mbedtls_time_t

Returns: 0 on success; A non-zero return value on failure.

int mbedtls_x509_time_is_future ( const mbedtls_x509_time * from )

Check a given mbedtls_x509_time against the system time and tell if it's in the future.

Note: Intended usage is "if( is_future( valid_from ) ) ERROR". Hence the return value of 1 if on internal errors.

Parameters

from	mbedtls_x509_time to check

Returns: 1 if the given time is in the future or an error occurred, 0 otherwise.

int mbedtls_x509_time_is_past ( const mbedtls_x509_time * to )

Check a given mbedtls_x509_time against the system time and tell if it's in the past.

Note: Intended usage is "if( is_past( valid_to ) ) ERROR". Hence the return value of 1 if on internal errors.

Parameters

to	mbedtls_x509_time to check

Returns: 1 if the given time is in the past or an error occurred, 0 otherwise.

Data Structures

Macros

Typedefs

Functions

Detailed Description

Macro Definition Documentation

Function Documentation