Mbed TLS v4.0.0
 All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
x509_crt.h
Go to the documentation of this file.
1 
6 /*
7  * Copyright The Mbed TLS Contributors
8  * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
9  */
10 #ifndef MBEDTLS_X509_CRT_H
11 #define MBEDTLS_X509_CRT_H
12 #include "mbedtls/private_access.h"
13 
14 #include "mbedtls/build_info.h"
15 
16 #include "mbedtls/x509.h"
17 #include "mbedtls/x509_crl.h"
18 #include "mbedtls/private/bignum.h"
19 
25 #ifdef __cplusplus
26 extern "C" {
27 #endif
28 
41 typedef struct mbedtls_x509_crt {
42  int MBEDTLS_PRIVATE(own_buffer);
44  mbedtls_x509_buf raw;
45  mbedtls_x509_buf tbs;
47  int version;
48  mbedtls_x509_buf serial;
49  mbedtls_x509_buf sig_oid;
51  mbedtls_x509_buf issuer_raw;
52  mbedtls_x509_buf subject_raw;
54  mbedtls_x509_name issuer;
55  mbedtls_x509_name subject;
57  mbedtls_x509_time valid_from;
58  mbedtls_x509_time valid_to;
60  mbedtls_x509_buf pk_raw;
61  mbedtls_pk_context pk;
63  mbedtls_x509_buf issuer_id;
64  mbedtls_x509_buf subject_id;
65  mbedtls_x509_buf v3_ext;
66  mbedtls_x509_sequence subject_alt_names;
67  mbedtls_x509_buf subject_key_id;
68  mbedtls_x509_authority authority_key_id;
70  mbedtls_x509_sequence certificate_policies;
72  int MBEDTLS_PRIVATE(ext_types);
73  int MBEDTLS_PRIVATE(ca_istrue);
74  int MBEDTLS_PRIVATE(max_pathlen);
76  unsigned int MBEDTLS_PRIVATE(key_usage);
78  mbedtls_x509_sequence ext_key_usage;
80  unsigned char MBEDTLS_PRIVATE(ns_cert_type);
82  mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
83  mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md);
84  mbedtls_pk_sigalg_t MBEDTLS_PRIVATE(sig_pk);
89  struct mbedtls_x509_crt *next;
90 }
91 mbedtls_x509_crt;
92 
97 #define MBEDTLS_X509_ID_FLAG(id) (1 << ((id) - 1))
98 
124 typedef struct mbedtls_x509_crt_profile {
125  uint32_t allowed_mds;
126  uint32_t allowed_pks;
129  uint32_t allowed_curves;
130  uint32_t rsa_min_bitlen;
131 }
132 mbedtls_x509_crt_profile;
133 
134 #define MBEDTLS_X509_CRT_VERSION_1 0
135 #define MBEDTLS_X509_CRT_VERSION_2 1
136 #define MBEDTLS_X509_CRT_VERSION_3 2
137 
138 #define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 20
139 #define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15
140 
141 #if !defined(MBEDTLS_X509_MAX_FILE_PATH_LEN)
142 #define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
143 #endif
144 
145 /* This macro unfolds to the concatenation of macro invocations
146  * X509_CRT_ERROR_INFO( error code,
147  * error code as string,
148  * human readable description )
149  * where X509_CRT_ERROR_INFO is defined by the user.
150  * See x509_crt.c for an example of how to use this. */
151 #define MBEDTLS_X509_CRT_ERROR_INFO_LIST \
152  X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_EXPIRED, \
153  "MBEDTLS_X509_BADCERT_EXPIRED", \
154  "The certificate validity has expired") \
155  X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_REVOKED, \
156  "MBEDTLS_X509_BADCERT_REVOKED", \
157  "The certificate has been revoked (is on a CRL)") \
158  X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_CN_MISMATCH, \
159  "MBEDTLS_X509_BADCERT_CN_MISMATCH", \
160  "The certificate Common Name (CN) does not match with the expected CN") \
161  X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_NOT_TRUSTED, \
162  "MBEDTLS_X509_BADCERT_NOT_TRUSTED", \
163  "The certificate is not correctly signed by the trusted CA") \
164  X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_NOT_TRUSTED, \
165  "MBEDTLS_X509_BADCRL_NOT_TRUSTED", \
166  "The CRL is not correctly signed by the trusted CA") \
167  X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_EXPIRED, \
168  "MBEDTLS_X509_BADCRL_EXPIRED", \
169  "The CRL is expired") \
170  X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_MISSING, \
171  "MBEDTLS_X509_BADCERT_MISSING", \
172  "Certificate was missing") \
173  X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_SKIP_VERIFY, \
174  "MBEDTLS_X509_BADCERT_SKIP_VERIFY", \
175  "Certificate verification was skipped") \
176  X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_OTHER, \
177  "MBEDTLS_X509_BADCERT_OTHER", \
178  "Other reason (can be used by verify callback)") \
179  X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_FUTURE, \
180  "MBEDTLS_X509_BADCERT_FUTURE", \
181  "The certificate validity starts in the future") \
182  X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_FUTURE, \
183  "MBEDTLS_X509_BADCRL_FUTURE", \
184  "The CRL is from the future") \
185  X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_KEY_USAGE, \
186  "MBEDTLS_X509_BADCERT_KEY_USAGE", \
187  "Usage does not match the keyUsage extension") \
188  X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_EXT_KEY_USAGE, \
189  "MBEDTLS_X509_BADCERT_EXT_KEY_USAGE", \
190  "Usage does not match the extendedKeyUsage extension") \
191  X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_NS_CERT_TYPE, \
192  "MBEDTLS_X509_BADCERT_NS_CERT_TYPE", \
193  "Usage does not match the nsCertType extension") \
194  X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_BAD_MD, \
195  "MBEDTLS_X509_BADCERT_BAD_MD", \
196  "The certificate is signed with an unacceptable hash.") \
197  X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_BAD_PK, \
198  "MBEDTLS_X509_BADCERT_BAD_PK", \
199  "The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA).") \
200  X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_BAD_KEY, \
201  "MBEDTLS_X509_BADCERT_BAD_KEY", \
202  "The certificate is signed with an unacceptable key (eg bad curve, RSA too short).") \
203  X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_BAD_MD, \
204  "MBEDTLS_X509_BADCRL_BAD_MD", \
205  "The CRL is signed with an unacceptable hash.") \
206  X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_BAD_PK, \
207  "MBEDTLS_X509_BADCRL_BAD_PK", \
208  "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA).") \
209  X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_BAD_KEY, \
210  "MBEDTLS_X509_BADCRL_BAD_KEY", \
211  "The CRL is signed with an unacceptable key (eg bad curve, RSA too short).")
212 
216 typedef struct mbedtls_x509write_cert {
217  int MBEDTLS_PRIVATE(version);
218  unsigned char MBEDTLS_PRIVATE(serial)[MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN];
219  size_t MBEDTLS_PRIVATE(serial_len);
220  mbedtls_pk_context *MBEDTLS_PRIVATE(subject_key);
221  mbedtls_pk_context *MBEDTLS_PRIVATE(issuer_key);
222  mbedtls_asn1_named_data *MBEDTLS_PRIVATE(subject);
223  mbedtls_asn1_named_data *MBEDTLS_PRIVATE(issuer);
224  mbedtls_md_type_t MBEDTLS_PRIVATE(md_alg);
225  char MBEDTLS_PRIVATE(not_before)[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
226  char MBEDTLS_PRIVATE(not_after)[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
227  mbedtls_asn1_named_data *MBEDTLS_PRIVATE(extensions);
228 }
229 mbedtls_x509write_cert;
230 
243 int mbedtls_x509write_crt_set_subject_alternative_name(mbedtls_x509write_cert *ctx,
244  const mbedtls_x509_san_list *san_list);
245 
249 typedef struct {
250  mbedtls_x509_crt *MBEDTLS_PRIVATE(crt);
251  uint32_t MBEDTLS_PRIVATE(flags);
252 } mbedtls_x509_crt_verify_chain_item;
253 
257 #define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE (MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2)
258 
262 typedef struct {
263  mbedtls_x509_crt_verify_chain_item MBEDTLS_PRIVATE(items)[MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE];
264  unsigned MBEDTLS_PRIVATE(len);
265 
266 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
267  /* This stores the list of potential trusted signers obtained from
268  * the CA callback used for the CRT verification, if configured.
269  * We must track it somewhere because the callback passes its
270  * ownership to the caller. */
271  mbedtls_x509_crt *MBEDTLS_PRIVATE(trust_ca_cb_result);
272 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
273 } mbedtls_x509_crt_verify_chain;
274 
275 #if defined(MBEDTLS_ECP_RESTARTABLE)
276 
280 typedef struct {
281  /* for check_signature() */
282  mbedtls_pk_restart_ctx MBEDTLS_PRIVATE(pk);
283 
284  /* for find_parent_in() */
285  mbedtls_x509_crt *MBEDTLS_PRIVATE(parent); /* non-null iff parent_in in progress */
286  mbedtls_x509_crt *MBEDTLS_PRIVATE(fallback_parent);
287  int MBEDTLS_PRIVATE(fallback_signature_is_good);
288 
289  /* for find_parent() */
290  int MBEDTLS_PRIVATE(parent_is_trusted); /* -1 if find_parent is not in progress */
291 
292  /* for verify_chain() */
293  enum {
294  x509_crt_rs_none,
295  x509_crt_rs_find_parent,
296  } MBEDTLS_PRIVATE(in_progress); /* none if no operation is in progress */
297  int MBEDTLS_PRIVATE(self_cnt);
298  mbedtls_x509_crt_verify_chain MBEDTLS_PRIVATE(ver_chain);
299 
300 } mbedtls_x509_crt_restart_ctx;
301 
302 #else /* MBEDTLS_ECP_RESTARTABLE */
303 
304 /* Now we can declare functions that take a pointer to that */
305 typedef void mbedtls_x509_crt_restart_ctx;
306 
307 #endif /* MBEDTLS_ECP_RESTARTABLE */
308 
309 #if defined(MBEDTLS_X509_CRT_PARSE_C)
310 
323 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default;
324 
330 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next;
331 
335 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb;
336 
341 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_none;
342 
366 int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain,
367  const unsigned char *buf,
368  size_t buflen);
369 
400 typedef int (*mbedtls_x509_crt_ext_cb_t)(void *p_ctx,
401  mbedtls_x509_crt const *crt,
402  mbedtls_x509_buf const *oid,
403  int critical,
404  const unsigned char *p,
405  const unsigned char *end);
406 
450 int mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt *chain,
451  const unsigned char *buf,
452  size_t buflen,
453  int make_copy,
454  mbedtls_x509_crt_ext_cb_t cb,
455  void *p_ctx);
456 
487 int mbedtls_x509_crt_parse_der_nocopy(mbedtls_x509_crt *chain,
488  const unsigned char *buf,
489  size_t buflen);
490 
524 int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen);
525 
526 #if defined(MBEDTLS_FS_IO)
527 
543 int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path);
544 
558 int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path);
559 
560 #endif /* MBEDTLS_FS_IO */
561 
562 #if !defined(MBEDTLS_X509_REMOVE_INFO)
563 
575 int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
576  const mbedtls_x509_crt *crt);
577 
590 int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix,
591  uint32_t flags);
592 #endif /* !MBEDTLS_X509_REMOVE_INFO */
593 
664 int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt,
665  mbedtls_x509_crt *trust_ca,
666  mbedtls_x509_crl *ca_crl,
667  const char *cn, uint32_t *flags,
668  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
669  void *p_vrfy);
670 
705 int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt,
706  mbedtls_x509_crt *trust_ca,
707  mbedtls_x509_crl *ca_crl,
708  const mbedtls_x509_crt_profile *profile,
709  const char *cn, uint32_t *flags,
710  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
711  void *p_vrfy);
712 
739 int mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt *crt,
740  mbedtls_x509_crt *trust_ca,
741  mbedtls_x509_crl *ca_crl,
742  const mbedtls_x509_crt_profile *profile,
743  const char *cn, uint32_t *flags,
744  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
745  void *p_vrfy,
746  mbedtls_x509_crt_restart_ctx *rs_ctx);
747 
778 typedef int (*mbedtls_x509_crt_ca_cb_t)(void *p_ctx,
779  mbedtls_x509_crt const *child,
780  mbedtls_x509_crt **candidate_cas);
781 
782 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
783 
805 int mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt *crt,
806  mbedtls_x509_crt_ca_cb_t f_ca_cb,
807  void *p_ca_cb,
808  const mbedtls_x509_crt_profile *profile,
809  const char *cn, uint32_t *flags,
810  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
811  void *p_vrfy);
812 
813 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
814 
836 int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt,
837  unsigned int usage);
838 
852 int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt,
853  const char *usage_oid,
854  size_t usage_len);
855 
856 #if defined(MBEDTLS_X509_CRL_PARSE_C)
857 
866 int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl);
867 #endif /* MBEDTLS_X509_CRL_PARSE_C */
868 
874 void mbedtls_x509_crt_init(mbedtls_x509_crt *crt);
875 
881 void mbedtls_x509_crt_free(mbedtls_x509_crt *crt);
882 
883 #if defined(MBEDTLS_ECP_RESTARTABLE)
884 
887 void mbedtls_x509_crt_restart_init(mbedtls_x509_crt_restart_ctx *ctx);
888 
892 void mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx *ctx);
893 #endif /* MBEDTLS_ECP_RESTARTABLE */
894 #endif /* MBEDTLS_X509_CRT_PARSE_C */
895 
907 static inline int mbedtls_x509_crt_has_ext_type(const mbedtls_x509_crt *ctx,
908  int ext_type)
909 {
910  return ctx->MBEDTLS_PRIVATE(ext_types) & ext_type;
911 }
912 
923 int mbedtls_x509_crt_get_ca_istrue(const mbedtls_x509_crt *crt);
924 
927 #if defined(MBEDTLS_X509_CRT_WRITE_C)
928 
933 void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx);
934 
943 void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version);
944 
958 int mbedtls_x509write_crt_set_serial_raw(mbedtls_x509write_cert *ctx,
959  const unsigned char *serial, size_t serial_len);
960 
975 int mbedtls_x509write_crt_set_validity(mbedtls_x509write_cert *ctx, const char *not_before,
976  const char *not_after);
977 
990 int mbedtls_x509write_crt_set_issuer_name(mbedtls_x509write_cert *ctx,
991  const char *issuer_name);
992 
1005 int mbedtls_x509write_crt_set_subject_name(mbedtls_x509write_cert *ctx,
1006  const char *subject_name);
1007 
1014 void mbedtls_x509write_crt_set_subject_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key);
1015 
1022 void mbedtls_x509write_crt_set_issuer_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key);
1023 
1031 void mbedtls_x509write_crt_set_md_alg(mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg);
1032 
1046 int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx,
1047  const char *oid, size_t oid_len,
1048  int critical,
1049  const unsigned char *val, size_t val_len);
1050 
1062 int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx,
1063  int is_ca, int max_pathlen);
1064 
1065 #if defined(PSA_WANT_ALG_SHA_1)
1066 
1075 int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx);
1076 
1086 int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *ctx);
1087 #endif /* PSA_WANT_ALG_SHA_1 */
1088 
1098 int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx,
1099  unsigned int key_usage);
1100 
1111 int mbedtls_x509write_crt_set_ext_key_usage(mbedtls_x509write_cert *ctx,
1112  const mbedtls_asn1_sequence *exts);
1113 
1123 int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx,
1124  unsigned char ns_cert_type);
1125 
1131 void mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx);
1132 
1146 int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size);
1147 
1148 #if defined(MBEDTLS_PEM_WRITE_C)
1149 
1159 int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size);
1160 #endif /* MBEDTLS_PEM_WRITE_C */
1161 #endif /* MBEDTLS_X509_CRT_WRITE_C */
1162 
1165 #ifdef __cplusplus
1166 }
1167 #endif
1168 
1169 #endif /* mbedtls_x509_crt.h */
mbedtls_x509_san_list
Definition: x509.h:296
mbedtls_x509_crt_verify
int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify a chain of certificates.
mbedtls_pk_context
Public key container.
Definition: pk.h:142
mbedtls_x509write_crt_set_extension
int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx, const char *oid, size_t oid_len, int critical, const unsigned char *val, size_t val_len)
Generic function to add to or replace an extension in the CRT.
mbedtls_x509_crt_verify_with_profile
int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify a chain of certificates with respect to a configurable security profile.
mbedtls_x509_crt::subject_alt_names
mbedtls_x509_sequence subject_alt_names
Definition: x509_crt.h:66
mbedtls_x509write_crt_der
int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size)
Write a built up certificate to a X509 DER structure Note: data is written at the end of the buffer! ...
mbedtls_x509write_crt_set_version
void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version)
Set the version for a Certificate Default: MBEDTLS_X509_CRT_VERSION_3.
mbedtls_x509_crt_verify_restartable
int mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy, mbedtls_x509_crt_restart_ctx *rs_ctx)
Restartable version of mbedtls_crt_verify_with_profile()
mbedtls_x509write_crt_set_subject_name
int mbedtls_x509write_crt_set_subject_name(mbedtls_x509write_cert *ctx, const char *subject_name)
Set the subject name for a Certificate Subject names should contain a comma-separated list of OID typ...
mbedtls_x509_crt_profile::allowed_curves
uint32_t allowed_curves
Definition: x509_crt.h:129
mbedtls_x509_crl
Definition: x509_crl.h:64
mbedtls_x509write_crt_set_subject_alternative_name
int mbedtls_x509write_crt_set_subject_alternative_name(mbedtls_x509write_cert *ctx, const mbedtls_x509_san_list *san_list)
Set Subject Alternative Name.
mbedtls_x509_crt::pk_raw
mbedtls_x509_buf pk_raw
Definition: x509_crt.h:60
mbedtls_x509_crt_parse_der
int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the end of the provided chained list...
mbedtls_x509_crt_is_revoked
int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl)
Verify the certificate revocation status.
mbedtls_x509_crt_restart_free
void mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx *ctx)
Free the components of a restart context.
mbedtls_x509_crt::certificate_policies
mbedtls_x509_sequence certificate_policies
Definition: x509_crt.h:70
mbedtls_x509_crt::next
struct mbedtls_x509_crt * next
Definition: x509_crt.h:89
mbedtls_asn1_sequence
Definition: asn1.h:157
mbedtls_x509_crt_profile_default
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default
mbedtls_x509_crt_check_key_usage
int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt, unsigned int usage)
Check usage of certificate against keyUsage extension.
mbedtls_x509_crt::issuer
mbedtls_x509_name issuer
Definition: x509_crt.h:54
mbedtls_x509_crt_verify_chain
Definition: x509_crt.h:262
mbedtls_x509_crt_restart_ctx::x509_crt_rs_none
Definition: x509_crt.h:294
mbedtls_x509_crt::subject_id
mbedtls_x509_buf subject_id
Definition: x509_crt.h:64
mbedtls_x509write_cert
struct mbedtls_x509write_cert mbedtls_x509write_cert
mbedtls_x509_crt::tbs
mbedtls_x509_buf tbs
Definition: x509_crt.h:45
mbedtls_asn1_named_data
Definition: asn1.h:174
mbedtls_x509_crt::subject_raw
mbedtls_x509_buf subject_raw
Definition: x509_crt.h:52
mbedtls_x509_crt_free
void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
Unallocate all certificate data.
mbedtls_x509_crt::sig_oid
mbedtls_x509_buf sig_oid
Definition: x509_crt.h:49
mbedtls_x509_crt::issuer_raw
mbedtls_x509_buf issuer_raw
Definition: x509_crt.h:51
mbedtls_x509_crt_profile_suiteb
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb
mbedtls_x509_crt::subject
mbedtls_x509_name subject
Definition: x509_crt.h:55
mbedtls_x509_crt::valid_to
mbedtls_x509_time valid_to
Definition: x509_crt.h:58
mbedtls_x509_crt_parse
int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse one DER-encoded or one or more concatenated PEM-encoded certificates and add them to the chaine...
mbedtls_x509write_crt_init
void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)
Initialize a CRT writing context.
mbedtls_x509_crt_profile
struct mbedtls_x509_crt_profile mbedtls_x509_crt_profile
mbedtls_x509_crt_has_ext_type
static int mbedtls_x509_crt_has_ext_type(const mbedtls_x509_crt *ctx, int ext_type)
Query certificate for given extension type.
Definition: x509_crt.h:907
mbedtls_asn1_buf
Definition: asn1.h:137
mbedtls_x509write_crt_set_validity
int mbedtls_x509write_crt_set_validity(mbedtls_x509write_cert *ctx, const char *not_before, const char *not_after)
Set the validity period for a Certificate Timestamps should be in string format for UTC timezone i...
mbedtls_x509_time
Definition: x509.h:239
mbedtls_x509_crt_parse_path
int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path)
Load one or more certificate files from a path and add them to the chained list. Parses permissively...
mbedtls_x509write_cert
Definition: x509_crt.h:216
mbedtls_x509_crt::authority_key_id
mbedtls_x509_authority authority_key_id
Definition: x509_crt.h:68
mbedtls_x509write_crt_set_ns_cert_type
int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx, unsigned char ns_cert_type)
Set the Netscape Cert Type flags (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TY...
mbedtls_x509write_crt_pem
int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size)
Write a built up certificate to a X509 PEM string.
mbedtls_x509_crt_profile_none
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_none
mbedtls_x509write_crt_set_authority_key_identifier
int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *ctx)
Set the authorityKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_issuer_key...
mbedtls_x509_crt::serial
mbedtls_x509_buf serial
Definition: x509_crt.h:48
mbedtls_x509_authority
Definition: x509.h:230
mbedtls_x509_crt_profile::rsa_min_bitlen
uint32_t rsa_min_bitlen
Definition: x509_crt.h:130
mbedtls_x509_crt::valid_from
mbedtls_x509_time valid_from
Definition: x509_crt.h:57
mbedtls_x509_crt::raw
mbedtls_x509_buf raw
Definition: x509_crt.h:44
mbedtls_x509_crt_check_extended_key_usage
int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len)
Check usage of certificate against extendedKeyUsage.
mbedtls_x509write_crt_set_md_alg
void mbedtls_x509write_crt_set_md_alg(mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg)
Set the MD algorithm to use for the signature (e.g. MBEDTLS_MD_SHA1)
MBEDTLS_X509_RFC5280_UTC_TIME_LEN
#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN
Definition: x509_crt.h:139
MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE
#define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE
Definition: x509_crt.h:257
build_info.h
Build-time configuration info.
mbedtls_x509write_crt_set_issuer_key
void mbedtls_x509write_crt_set_issuer_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the issuer key used for signing the certificate.
mbedtls_x509_crt_profile_next
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next
x509.h
X.509 generic defines and structures.
mbedtls_x509_crt_verify_with_ca_cb
int mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt *crt, mbedtls_x509_crt_ca_cb_t f_ca_cb, void *p_ca_cb, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Version of mbedtls_x509_crt_verify_with_profile() which uses a callback to acquire the list of truste...
mbedtls_x509write_crt_set_key_usage
int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx, unsigned int key_usage)
Set the Key Usage Extension flags (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_...
mbedtls_x509_crt::subject_key_id
mbedtls_x509_buf subject_key_id
Definition: x509_crt.h:67
mbedtls_x509write_crt_free
void mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx)
Free the contents of a CRT write context.
mbedtls_x509_crt_parse_der_with_ext_cb
int mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen, int make_copy, mbedtls_x509_crt_ext_cb_t cb, void *p_ctx)
Parse a single DER formatted certificate and add it to the end of the provided chained list...
mbedtls_x509_crt_restart_init
void mbedtls_x509_crt_restart_init(mbedtls_x509_crt_restart_ctx *ctx)
Initialize a restart context.
mbedtls_x509_crt_parse_file
int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path)
Load one or more certificates and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.
mbedtls_x509write_crt_set_subject_key_identifier
int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx)
Set the subjectKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_subject_key(...
mbedtls_x509_crt_get_ca_istrue
int mbedtls_x509_crt_get_ca_istrue(const mbedtls_x509_crt *crt)
Access the ca_istrue field.
mbedtls_x509_crt_restart_ctx::x509_crt_rs_find_parent
Definition: x509_crt.h:295
mbedtls_x509_crt::issuer_id
mbedtls_x509_buf issuer_id
Definition: x509_crt.h:63
mbedtls_x509_crt_verify_chain_item
Definition: x509_crt.h:249
x509_crl.h
X.509 certificate revocation list parsing.
mbedtls_x509_crt
Definition: x509_crt.h:41
mbedtls_x509_crt
struct mbedtls_x509_crt mbedtls_x509_crt
mbedtls_x509_crt::ext_key_usage
mbedtls_x509_sequence ext_key_usage
Definition: x509_crt.h:78
mbedtls_x509_crt_ext_cb_t
int(* mbedtls_x509_crt_ext_cb_t)(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid, int critical, const unsigned char *p, const unsigned char *end)
The type of certificate extension callbacks.
Definition: x509_crt.h:400
mbedtls_x509_crt_parse_der_nocopy
int mbedtls_x509_crt_parse_der_nocopy(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the end of the provided chained list...
mbedtls_x509_crt_profile
Definition: x509_crt.h:124
mbedtls_x509write_crt_set_issuer_name
int mbedtls_x509write_crt_set_issuer_name(mbedtls_x509write_cert *ctx, const char *issuer_name)
Set the issuer name for a Certificate Issuer names should contain a comma-separated list of OID types...
mbedtls_pk_restart_ctx
Context for resuming operations.
Definition: pk.h:191
mbedtls_x509_crt_init
void mbedtls_x509_crt_init(mbedtls_x509_crt *crt)
Initialize a certificate (chain)
mbedtls_x509_crt_profile::allowed_pks
uint32_t allowed_pks
Definition: x509_crt.h:126
mbedtls_x509write_crt_set_basic_constraints
int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx, int is_ca, int max_pathlen)
Set the basicConstraints extension for a CRT.
mbedtls_x509_crt_profile::allowed_mds
uint32_t allowed_mds
Definition: x509_crt.h:125
mbedtls_x509write_crt_set_subject_key
void mbedtls_x509write_crt_set_subject_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the subject public key for the certificate.
mbedtls_x509_crt::pk
mbedtls_pk_context pk
Definition: x509_crt.h:61
mbedtls_x509_crt_restart_ctx
Context for resuming X.509 verify operations.
Definition: x509_crt.h:280
mbedtls_x509write_crt_set_serial_raw
int mbedtls_x509write_crt_set_serial_raw(mbedtls_x509write_cert *ctx, const unsigned char *serial, size_t serial_len)
Set the serial number for a Certificate.
mbedtls_md_type_t
mbedtls_md_type_t
Supported message digests.
Definition: md.h:50
mbedtls_pk_sigalg_t
mbedtls_pk_sigalg_t
Definition: pk.h:53
mbedtls_x509write_crt_set_ext_key_usage
int mbedtls_x509write_crt_set_ext_key_usage(mbedtls_x509write_cert *ctx, const mbedtls_asn1_sequence *exts)
Set the Extended Key Usage Extension (e.g. MBEDTLS_OID_SERVER_AUTH)
MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN
#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN
Definition: x509_crt.h:138
mbedtls_x509_crt::v3_ext
mbedtls_x509_buf v3_ext
Definition: x509_crt.h:65
mbedtls_x509_crt::version
int version
Definition: x509_crt.h:47
mbedtls_x509_crt_ca_cb_t
int(* mbedtls_x509_crt_ca_cb_t)(void *p_ctx, mbedtls_x509_crt const *child, mbedtls_x509_crt **candidate_cas)
The type of trusted certificate callbacks.
Definition: x509_crt.h:778
Generated on Thu Feb 5 2026 15:22:17 for Mbed TLS v4.0.0 by   doxygen 1.8.6