2012-02-13 23:11:30 +00:00
/**
2016-01-03 16:14:14 +00:00
* \ file x509_crt . h
2012-02-13 23:11:30 +00:00
*
2013-09-16 11:49:26 +00:00
* \ brief X .509 certificate parsing and writing
2018-01-05 15:33:17 +00:00
*/
/*
2015-07-27 09:11:48 +00:00
* Copyright ( C ) 2006 - 2015 , ARM Limited , All Rights Reserved
2015-09-04 12:21:07 +00:00
* SPDX - License - Identifier : Apache - 2.0
2012-02-13 23:11:30 +00:00
*
2015-09-04 12:21:07 +00:00
* Licensed under the Apache License , Version 2.0 ( the " License " ) ; you may
* not use this file except in compliance with the License .
* You may obtain a copy of the License at
2012-02-13 23:11:30 +00:00
*
2015-09-04 12:21:07 +00:00
* http : //www.apache.org/licenses/LICENSE-2.0
2012-02-13 23:11:30 +00:00
*
2015-09-04 12:21:07 +00:00
* Unless required by applicable law or agreed to in writing , software
* distributed under the License is distributed on an " AS IS " BASIS , WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND , either express or implied .
* See the License for the specific language governing permissions and
* limitations under the License .
2012-02-13 23:11:30 +00:00
*
2015-09-04 12:21:07 +00:00
* This file is part of mbed TLS ( https : //tls.mbed.org)
2012-02-13 23:11:30 +00:00
*/
2015-04-08 10:49:31 +00:00
# ifndef MBEDTLS_X509_CRT_H
# define MBEDTLS_X509_CRT_H
2012-02-13 23:11:30 +00:00
2015-04-08 10:49:31 +00:00
# if !defined(MBEDTLS_CONFIG_FILE)
2013-04-19 12:51:29 +00:00
# include "config.h"
2014-04-29 10:39:06 +00:00
# else
2015-04-08 10:49:31 +00:00
# include MBEDTLS_CONFIG_FILE
2014-04-29 10:39:06 +00:00
# endif
2013-04-19 12:51:29 +00:00
2013-08-25 12:47:27 +00:00
# include "x509.h"
2013-09-16 11:49:26 +00:00
# include "x509_crl.h"
2013-08-25 09:47:51 +00:00
/**
* \ addtogroup x509_module
* \ {
*/
2013-06-27 12:29:21 +00:00
# ifdef __cplusplus
extern " C " {
# endif
2013-08-25 09:47:51 +00:00
/**
2013-09-16 11:49:26 +00:00
* \ name Structures and functions for parsing and writing X .509 certificates
2013-08-25 09:47:51 +00:00
* \ {
*/
/**
2013-09-16 11:49:26 +00:00
* Container for an X .509 certificate . The certificate may be chained .
2013-08-25 09:47:51 +00:00
*/
2015-04-08 10:49:31 +00:00
typedef struct mbedtls_x509_crt
2012-02-13 23:11:30 +00:00
{
2015-04-08 10:49:31 +00:00
mbedtls_x509_buf raw ; /**< The raw certificate data (DER). */
mbedtls_x509_buf tbs ; /**< The raw certificate body (DER). The part that is To Be Signed. */
2013-09-16 11:49:26 +00:00
2014-06-19 09:39:46 +00:00
int version ; /**< The X.509 version. (1=v1, 2=v2, 3=v3) */
2015-04-08 10:49:31 +00:00
mbedtls_x509_buf serial ; /**< Unique id for certificate issued by a specific CA. */
mbedtls_x509_buf sig_oid ; /**< Signature algorithm, e.g. sha1RSA */
2013-09-16 11:49:26 +00:00
2015-04-08 10:49:31 +00:00
mbedtls_x509_buf issuer_raw ; /**< The raw issuer data (DER). Used for quick comparison. */
mbedtls_x509_buf subject_raw ; /**< The raw subject data (DER). Used for quick comparison. */
2013-09-16 11:49:26 +00:00
2015-04-08 10:49:31 +00:00
mbedtls_x509_name issuer ; /**< The parsed issuer data (named information object). */
mbedtls_x509_name subject ; /**< The parsed subject data (named information object). */
2013-09-16 11:49:26 +00:00
2015-04-08 10:49:31 +00:00
mbedtls_x509_time valid_from ; /**< Start time of certificate validity. */
mbedtls_x509_time valid_to ; /**< End time of certificate validity. */
2013-09-16 11:49:26 +00:00
2015-04-08 10:49:31 +00:00
mbedtls_pk_context pk ; /**< Container for the public key context. */
2013-09-16 11:49:26 +00:00
2015-04-08 10:49:31 +00:00
mbedtls_x509_buf issuer_id ; /**< Optional X.509 v2/v3 issuer unique identifier. */
mbedtls_x509_buf subject_id ; /**< Optional X.509 v2/v3 subject unique identifier. */
mbedtls_x509_buf v3_ext ; /**< Optional X.509 v3 extensions. */
mbedtls_x509_sequence subject_alt_names ; /**< Optional list of Subject Alternative Names (Only dNSName supported). */
2013-09-16 11:49:26 +00:00
int ext_types ; /**< Bit string containing detected and parsed extensions */
int ca_istrue ; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
int max_pathlen ; /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */
2015-03-27 15:50:00 +00:00
unsigned int key_usage ; /**< Optional key usage extension value: See the values in x509.h */
2013-09-16 11:49:26 +00:00
2015-04-08 10:49:31 +00:00
mbedtls_x509_sequence ext_key_usage ; /**< Optional list of extended key usage OIDs. */
2013-09-16 11:49:26 +00:00
2014-04-01 10:19:09 +00:00
unsigned char ns_cert_type ; /**< Optional Netscape certificate type extension value: See the values in x509.h */
2013-09-16 11:49:26 +00:00
2015-04-08 10:49:31 +00:00
mbedtls_x509_buf sig ; /**< Signature: hash of the tbs part signed with the private key. */
mbedtls_md_type_t sig_md ; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
mbedtls_pk_type_t sig_pk ; /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
void * sig_opts ; /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
2013-09-16 11:49:26 +00:00
2015-04-08 10:49:31 +00:00
struct mbedtls_x509_crt * next ; /**< Next certificate in the CA-chain. */
2012-02-13 23:11:30 +00:00
}
2015-04-08 10:49:31 +00:00
mbedtls_x509_crt ;
2013-08-25 08:18:25 +00:00
2015-06-15 13:33:19 +00:00
/**
* Build flag from an algorithm / curve identifier ( pk , md , ecp )
* Since 0 is always XXX_NONE , ignore it .
*/
# define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( id - 1 ) )
2015-06-15 12:34:59 +00:00
/**
* Security profile for certificate verification .
2015-06-15 08:39:46 +00:00
*
2015-06-15 13:33:19 +00:00
* All lists are bitfields , built by ORing flags from MBEDTLS_X509_ID_FLAG ( ) .
2015-06-15 08:39:46 +00:00
*/
typedef struct
{
2015-06-15 13:33:19 +00:00
uint32_t allowed_mds ; /**< MDs for signatures */
uint32_t allowed_pks ; /**< PK algs for signatures */
uint32_t allowed_curves ; /**< Elliptic curves for ECDSA */
uint32_t rsa_min_bitlen ; /**< Minimum size for RSA keys */
2015-06-15 08:39:46 +00:00
}
mbedtls_x509_crt_profile ;
2015-04-08 10:49:31 +00:00
# define MBEDTLS_X509_CRT_VERSION_1 0
# define MBEDTLS_X509_CRT_VERSION_2 1
# define MBEDTLS_X509_CRT_VERSION_3 2
2013-09-06 07:55:26 +00:00
2015-04-08 10:49:31 +00:00
# define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32
# define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15
2012-02-13 23:11:30 +00:00
2016-09-02 13:06:04 +00:00
# if !defined( MBEDTLS_X509_MAX_FILE_PATH_LEN )
# define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
# endif
2013-08-25 09:47:51 +00:00
/**
2013-09-06 07:55:26 +00:00
* Container for writing a certificate ( CRT )
2013-08-25 09:47:51 +00:00
*/
2015-04-08 10:49:31 +00:00
typedef struct mbedtls_x509write_cert
2013-08-25 08:18:25 +00:00
{
2013-09-06 07:55:26 +00:00
int version ;
2015-04-08 10:49:31 +00:00
mbedtls_mpi serial ;
mbedtls_pk_context * subject_key ;
mbedtls_pk_context * issuer_key ;
mbedtls_asn1_named_data * subject ;
mbedtls_asn1_named_data * issuer ;
mbedtls_md_type_t md_alg ;
char not_before [ MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1 ] ;
char not_after [ MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1 ] ;
mbedtls_asn1_named_data * extensions ;
2013-08-25 08:18:25 +00:00
}
2015-04-08 10:49:31 +00:00
mbedtls_x509write_cert ;
2013-08-25 08:18:25 +00:00
2015-04-08 10:49:31 +00:00
# if defined(MBEDTLS_X509_CRT_PARSE_C)
2015-06-15 12:34:59 +00:00
/**
* Default security profile . Should provide a good balance between security
* and compatibility with current deployments .
*/
extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default ;
/**
* Expected next default profile . Recommended for new deployments .
* Currently targets a 128 - bit security level , except for RSA - 2048.
*/
extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next ;
/**
* NSA Suite B profile .
*/
extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb ;
2013-08-25 09:47:51 +00:00
/**
2013-09-16 11:49:26 +00:00
* \ brief Parse a single DER formatted certificate and add it
* to the chained list .
*
* \ param chain points to the start of the chain
* \ param buf buffer holding the certificate DER data
* \ param buflen size of the buffer
2013-08-25 09:47:51 +00:00
*
2013-09-16 11:49:26 +00:00
* \ return 0 if successful , or a specific X509 or PEM error code
2013-08-25 09:47:51 +00:00
*/
2015-04-08 10:49:31 +00:00
int mbedtls_x509_crt_parse_der ( mbedtls_x509_crt * chain , const unsigned char * buf ,
2013-09-18 11:46:23 +00:00
size_t buflen ) ;
2013-08-25 09:47:51 +00:00
/**
2013-09-16 11:49:26 +00:00
* \ brief Parse one or more certificates and add them
* to the chained list . Parses permissively . If some
* certificates can be parsed , the result is the number
* of failed certificates it encountered . If none complete
* correctly , the first error is returned .
2013-08-25 09:47:51 +00:00
*
2013-09-16 11:49:26 +00:00
* \ param chain points to the start of the chain
2015-05-12 09:20:10 +00:00
* \ param buf buffer holding the certificate data in PEM or DER format
2013-09-16 11:49:26 +00:00
* \ param buflen size of the buffer
2015-05-12 09:20:10 +00:00
* ( including the terminating null byte for PEM data )
2013-08-25 09:47:51 +00:00
*
2013-09-16 11:49:26 +00:00
* \ return 0 if all certificates parsed successfully , a positive number
* if partly successful or a specific X509 or PEM error code
2013-08-25 09:47:51 +00:00
*/
2015-04-08 10:49:31 +00:00
int mbedtls_x509_crt_parse ( mbedtls_x509_crt * chain , const unsigned char * buf , size_t buflen ) ;
2013-08-25 09:47:51 +00:00
2015-04-08 10:49:31 +00:00
# if defined(MBEDTLS_FS_IO)
2013-08-25 09:47:51 +00:00
/**
2013-09-16 11:49:26 +00:00
* \ brief Load one or more certificates and add them
* to the chained list . Parses permissively . If some
* certificates can be parsed , the result is the number
* of failed certificates it encountered . If none complete
* correctly , the first error is returned .
*
* \ param chain points to the start of the chain
* \ param path filename to read the certificates from
2013-08-25 09:47:51 +00:00
*
2013-09-16 11:49:26 +00:00
* \ return 0 if all certificates parsed successfully , a positive number
* if partly successful or a specific X509 or PEM error code
2013-08-25 09:47:51 +00:00
*/
2015-04-08 10:49:31 +00:00
int mbedtls_x509_crt_parse_file ( mbedtls_x509_crt * chain , const char * path ) ;
2013-08-25 09:47:51 +00:00
/**
2013-09-16 11:49:26 +00:00
* \ brief Load one or more certificate files from a path and add them
* to the chained list . Parses permissively . If some
* certificates can be parsed , the result is the number
* of failed certificates it encountered . If none complete
* correctly , the first error is returned .
*
* \ param chain points to the start of the chain
* \ param path directory / folder to read the certificate files from
2013-08-25 09:47:51 +00:00
*
2013-09-16 11:49:26 +00:00
* \ return 0 if all certificates parsed successfully , a positive number
* if partly successful or a specific X509 or PEM error code
2013-08-25 09:47:51 +00:00
*/
2015-04-08 10:49:31 +00:00
int mbedtls_x509_crt_parse_path ( mbedtls_x509_crt * chain , const char * path ) ;
# endif /* MBEDTLS_FS_IO */
2013-08-25 09:47:51 +00:00
2013-08-25 12:47:27 +00:00
/**
2013-09-16 11:49:26 +00:00
* \ brief Returns an informational string about the
* certificate .
2013-08-25 12:47:27 +00:00
*
2013-09-16 11:49:26 +00:00
* \ param buf Buffer to write to
* \ param size Maximum size of buffer
* \ param prefix A line prefix
* \ param crt The X509 certificate to represent
2013-08-26 10:05:14 +00:00
*
2015-06-23 10:10:45 +00:00
* \ return The length of the string written ( not including the
* terminated nul byte ) , or a negative error code .
2013-08-25 12:47:27 +00:00
*/
2015-04-08 10:49:31 +00:00
int mbedtls_x509_crt_info ( char * buf , size_t size , const char * prefix ,
const mbedtls_x509_crt * crt ) ;
2013-08-25 12:47:27 +00:00
2015-04-20 09:38:13 +00:00
/**
* \ brief Returns an informational string about the
* verification status of a certificate .
*
* \ param buf Buffer to write to
* \ param size Maximum size of buffer
* \ param prefix A line prefix
* \ param flags Verification flags created by mbedtls_x509_crt_verify ( )
*
2015-06-23 10:10:45 +00:00
* \ return The length of the string written ( not including the
* terminated nul byte ) , or a negative error code .
2015-04-20 09:38:13 +00:00
*/
int mbedtls_x509_crt_verify_info ( char * buf , size_t size , const char * prefix ,
2015-05-11 17:54:43 +00:00
uint32_t flags ) ;
2015-04-17 14:14:32 +00:00
2013-08-26 11:41:01 +00:00
/**
2013-09-16 11:49:26 +00:00
* \ brief Verify the certificate signature
2013-08-26 11:41:01 +00:00
*
2013-09-16 11:49:26 +00:00
* The verify callback is a user - supplied callback that
* can clear / modify / add flags for a certificate . If set ,
* the verification callback is called for each
* certificate in the chain ( from the trust - ca down to the
* presented crt ) . The parameters for the callback are :
2015-04-08 10:49:31 +00:00
* ( void * parameter , mbedtls_x509_crt * crt , int certificate_depth ,
2013-09-16 11:49:26 +00:00
* int * flags ) . With the flags representing current flags for
* that specific certificate and the certificate depth from
* the bottom ( Peer cert depth = 0 ) .
2013-08-26 11:41:01 +00:00
*
2013-09-16 11:49:26 +00:00
* All flags left after returning from the callback
* are also returned to the application . The function should
2017-06-26 08:11:49 +00:00
* return 0 for anything ( including invalid certificates )
* other than fatal error , as a non - zero return code
* immediately aborts the verification process . For fatal
* errors , a specific error code should be used ( different
* from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not
* be returned at this point ) , or MBEDTLS_ERR_X509_FATAL_ERROR
* can be used if no better code is available .
2013-09-16 11:49:26 +00:00
*
2015-04-20 09:38:13 +00:00
* \ note In case verification failed , the results can be displayed
* using \ c mbedtls_x509_crt_verify_info ( )
*
2015-06-15 08:39:46 +00:00
* \ note Same as \ c mbedtls_x509_crt_verify_with_profile ( ) with the
* default security profile .
*
2016-02-22 10:36:55 +00:00
* \ note It is your responsibility to provide up - to - date CRLs for
* all trusted CAs . If no CRL is provided for the CA that was
* used to sign the certificate , CRL verification is skipped
* silently , that is * without * setting any flag .
*
2017-10-18 12:20:24 +00:00
* \ note The \ c trust_ca list can contain two types of certificates :
2017-06-21 07:35:44 +00:00
* ( 1 ) those of trusted root CAs , so that certificates
* chaining up to those CAs will be trusted , and ( 2 )
* self - signed end - entity certificates to be trusted ( for
* specific peers you know ) - in that case , the self - signed
2017-08-08 16:09:14 +00:00
* certificate doesn ' t need to have the CA bit set .
2017-06-21 07:35:44 +00:00
*
2016-02-22 10:36:55 +00:00
* \ param crt a certificate ( chain ) to be verified
2017-06-21 07:35:44 +00:00
* \ param trust_ca the list of trusted CAs ( see note above )
2016-02-22 10:36:55 +00:00
* \ param ca_crl the list of CRLs for trusted CAs ( see note above )
2013-09-16 11:49:26 +00:00
* \ param cn expected Common Name ( can be set to
* NULL if the CN must not be verified )
* \ param flags result of the verification
* \ param f_vrfy verification function
* \ param p_vrfy verification parameter
*
2017-07-06 13:00:32 +00:00
* \ return 0 ( and flags set to 0 ) if the chain was verified and valid ,
* MBEDTLS_ERR_X509_CERT_VERIFY_FAILED if the chain was verified
* but found to be invalid , in which case * flags will have one
* or more MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX
* flags set , or another error ( and flags set to 0xffffffff )
* in case of a fatal error encountered during the
* verification process .
2013-08-26 11:41:01 +00:00
*/
2015-04-08 10:49:31 +00:00
int mbedtls_x509_crt_verify ( mbedtls_x509_crt * crt ,
mbedtls_x509_crt * trust_ca ,
mbedtls_x509_crl * ca_crl ,
2015-05-11 17:54:43 +00:00
const char * cn , uint32_t * flags ,
int ( * f_vrfy ) ( void * , mbedtls_x509_crt * , int , uint32_t * ) ,
2013-09-18 11:46:23 +00:00
void * p_vrfy ) ;
2013-08-26 11:41:01 +00:00
2015-06-15 08:39:46 +00:00
/**
* \ brief Verify the certificate signature according to profile
*
* \ note Same as \ c mbedtls_x509_crt_verify ( ) , but with explicit
* security profile .
*
2015-06-17 09:49:39 +00:00
* \ note The restrictions on keys ( RSA minimum size , allowed curves
2015-10-23 12:08:48 +00:00
* for ECDSA ) apply to all certificates : trusted root ,
* intermediate CAs if any , and end entity certificate .
2015-06-17 09:49:39 +00:00
*
2016-02-22 10:36:55 +00:00
* \ param crt a certificate ( chain ) to be verified
* \ param trust_ca the list of trusted CAs
* \ param ca_crl the list of CRLs for trusted CAs
2015-06-15 08:39:46 +00:00
* \ param profile security profile for verification
* \ param cn expected Common Name ( can be set to
* NULL if the CN must not be verified )
* \ param flags result of the verification
* \ param f_vrfy verification function
* \ param p_vrfy verification parameter
*
* \ return 0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
* in which case * flags will have one or more
* MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags
* set ,
* or another error in case of a fatal error encountered
* during the verification process .
*/
int mbedtls_x509_crt_verify_with_profile ( mbedtls_x509_crt * crt ,
mbedtls_x509_crt * trust_ca ,
mbedtls_x509_crl * ca_crl ,
const mbedtls_x509_crt_profile * profile ,
const char * cn , uint32_t * flags ,
int ( * f_vrfy ) ( void * , mbedtls_x509_crt * , int , uint32_t * ) ,
void * p_vrfy ) ;
2015-04-08 10:49:31 +00:00
# if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
2014-04-09 07:50:03 +00:00
/**
* \ brief Check usage of certificate against keyUsage extension .
*
* \ param crt Leaf certificate used .
2015-06-23 08:48:44 +00:00
* \ param usage Intended usage ( s ) ( eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT
* before using the certificate to perform an RSA key
* exchange ) .
*
* \ note Except for decipherOnly and encipherOnly , a bit set in the
* usage argument means this bit MUST be set in the
* certificate . For decipherOnly and encipherOnly , it means
* that bit MAY be set .
2014-04-09 07:50:03 +00:00
*
* \ return 0 is these uses of the certificate are allowed ,
2015-04-08 10:49:31 +00:00
* MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension
2015-06-23 08:48:44 +00:00
* is present but does not match the usage argument .
2014-04-09 07:50:03 +00:00
*
* \ note You should only call this function on leaf certificates , on
* ( intermediate ) CAs the keyUsage extension is automatically
2015-04-08 10:49:31 +00:00
* checked by \ c mbedtls_x509_crt_verify ( ) .
2014-04-09 07:50:03 +00:00
*/
2015-06-23 08:48:44 +00:00
int mbedtls_x509_crt_check_key_usage ( const mbedtls_x509_crt * crt ,
unsigned int usage ) ;
2015-04-08 10:49:31 +00:00
# endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */
2014-04-09 07:50:03 +00:00
2015-04-08 10:49:31 +00:00
# if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
2014-04-10 15:53:56 +00:00
/**
2017-11-14 21:40:51 +00:00
* \ brief Check usage of certificate against extendedKeyUsage .
2014-04-10 15:53:56 +00:00
*
2017-11-14 21:40:51 +00:00
* \ param crt Leaf certificate used .
* \ param usage_oid Intended usage ( eg MBEDTLS_OID_SERVER_AUTH or
* MBEDTLS_OID_CLIENT_AUTH ) .
2015-04-08 10:49:31 +00:00
* \ param usage_len Length of usage_oid ( eg given by MBEDTLS_OID_SIZE ( ) ) .
2014-04-10 15:53:56 +00:00
*
2017-11-14 21:40:51 +00:00
* \ return 0 if this use of the certificate is allowed ,
* MBEDTLS_ERR_X509_BAD_INPUT_DATA if not .
2014-04-10 15:53:56 +00:00
*
2017-11-14 21:40:51 +00:00
* \ note Usually only makes sense on leaf certificates .
2014-04-10 15:53:56 +00:00
*/
2015-04-08 10:49:31 +00:00
int mbedtls_x509_crt_check_extended_key_usage ( const mbedtls_x509_crt * crt ,
2017-11-14 21:40:51 +00:00
const char * usage_oid ,
size_t usage_len ) ;
2017-11-14 21:40:02 +00:00
# endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
2014-04-10 15:53:56 +00:00
2015-04-08 10:49:31 +00:00
# if defined(MBEDTLS_X509_CRL_PARSE_C)
2013-08-26 11:41:01 +00:00
/**
2013-09-23 10:20:02 +00:00
* \ brief Verify the certificate revocation status
2013-08-26 11:41:01 +00:00
*
2013-09-16 11:49:26 +00:00
* \ param crt a certificate to be verified
* \ param crl the CRL to verify against
*
* \ return 1 if the certificate is revoked , 0 otherwise
2013-08-26 11:41:01 +00:00
*
*/
2015-06-02 09:38:50 +00:00
int mbedtls_x509_crt_is_revoked ( const mbedtls_x509_crt * crt , const mbedtls_x509_crl * crl ) ;
2015-04-08 10:49:31 +00:00
# endif /* MBEDTLS_X509_CRL_PARSE_C */
2013-08-26 11:41:01 +00:00
2013-09-18 09:58:25 +00:00
/**
* \ brief Initialize a certificate ( chain )
*
* \ param crt Certificate chain to initialize
*/
2015-04-08 10:49:31 +00:00
void mbedtls_x509_crt_init ( mbedtls_x509_crt * crt ) ;
2013-09-18 09:58:25 +00:00
2013-08-25 09:47:51 +00:00
/**
2013-09-16 11:49:26 +00:00
* \ brief Unallocate all certificate data
2013-08-25 09:47:51 +00:00
*
2013-09-16 11:49:26 +00:00
* \ param crt Certificate chain to free
2013-08-25 09:47:51 +00:00
*/
2015-04-08 10:49:31 +00:00
void mbedtls_x509_crt_free ( mbedtls_x509_crt * crt ) ;
# endif /* MBEDTLS_X509_CRT_PARSE_C */
2013-09-16 11:49:26 +00:00
/* \} name */
/* \} addtogroup x509_module */
2013-08-25 08:18:25 +00:00
2015-04-08 10:49:31 +00:00
# if defined(MBEDTLS_X509_CRT_WRITE_C)
2013-09-06 07:55:26 +00:00
/**
* \ brief Initialize a CRT writing context
*
* \ param ctx CRT context to initialize
*/
2015-04-08 10:49:31 +00:00
void mbedtls_x509write_crt_init ( mbedtls_x509write_cert * ctx ) ;
2013-09-06 07:55:26 +00:00
/**
* \ brief Set the verion for a Certificate
2015-04-08 10:49:31 +00:00
* Default : MBEDTLS_X509_CRT_VERSION_3
2013-09-06 07:55:26 +00:00
*
* \ param ctx CRT context to use
2015-04-08 10:49:31 +00:00
* \ param version version to set ( MBEDTLS_X509_CRT_VERSION_1 , MBEDTLS_X509_CRT_VERSION_2 or
* MBEDTLS_X509_CRT_VERSION_3 )
2013-09-06 07:55:26 +00:00
*/
2015-04-08 10:49:31 +00:00
void mbedtls_x509write_crt_set_version ( mbedtls_x509write_cert * ctx , int version ) ;
2013-09-06 07:55:26 +00:00
/**
* \ brief Set the serial number for a Certificate .
*
* \ param ctx CRT context to use
* \ param serial serial number to set
*
* \ return 0 if successful
*/
2015-04-08 10:49:31 +00:00
int mbedtls_x509write_crt_set_serial ( mbedtls_x509write_cert * ctx , const mbedtls_mpi * serial ) ;
2013-09-06 07:55:26 +00:00
/**
* \ brief Set the validity period for a Certificate
* Timestamps should be in string format for UTC timezone
* i . e . " YYYYMMDDhhmmss "
* e . g . " 20131231235959 " for December 31 st 2013
* at 23 : 59 : 59
*
* \ param ctx CRT context to use
* \ param not_before not_before timestamp
* \ param not_after not_after timestamp
*
* \ return 0 if timestamp was parsed successfully , or
* a specific error code
*/
2015-04-08 10:49:31 +00:00
int mbedtls_x509write_crt_set_validity ( mbedtls_x509write_cert * ctx , const char * not_before ,
2013-10-28 20:19:10 +00:00
const char * not_after ) ;
2013-09-06 07:55:26 +00:00
/**
* \ brief Set the issuer name for a Certificate
* Issuer names should contain a comma - separated list
* of OID types and values :
2015-01-22 16:11:05 +00:00
* e . g . " C=UK,O=ARM,CN=mbed TLS CA "
2013-09-06 07:55:26 +00:00
*
* \ param ctx CRT context to use
* \ param issuer_name issuer name to set
*
* \ return 0 if issuer name was parsed successfully , or
* a specific error code
*/
2015-04-08 10:49:31 +00:00
int mbedtls_x509write_crt_set_issuer_name ( mbedtls_x509write_cert * ctx ,
2013-10-28 20:19:10 +00:00
const char * issuer_name ) ;
2013-09-06 07:55:26 +00:00
/**
* \ brief Set the subject name for a Certificate
* Subject names should contain a comma - separated list
* of OID types and values :
2015-01-22 16:11:05 +00:00
* e . g . " C=UK,O=ARM,CN=mbed TLS Server 1 "
2013-09-06 07:55:26 +00:00
*
* \ param ctx CRT context to use
* \ param subject_name subject name to set
*
* \ return 0 if subject name was parsed successfully , or
* a specific error code
*/
2015-04-08 10:49:31 +00:00
int mbedtls_x509write_crt_set_subject_name ( mbedtls_x509write_cert * ctx ,
2013-10-28 20:19:10 +00:00
const char * subject_name ) ;
2013-09-06 07:55:26 +00:00
/**
* \ brief Set the subject public key for the certificate
*
* \ param ctx CRT context to use
2013-09-12 03:21:54 +00:00
* \ param key public key to include
2013-09-06 07:55:26 +00:00
*/
2015-04-08 10:49:31 +00:00
void mbedtls_x509write_crt_set_subject_key ( mbedtls_x509write_cert * ctx , mbedtls_pk_context * key ) ;
2013-09-06 07:55:26 +00:00
/**
* \ brief Set the issuer key used for signing the certificate
*
* \ param ctx CRT context to use
2013-09-12 03:21:54 +00:00
* \ param key private key to sign with
2013-09-06 07:55:26 +00:00
*/
2015-04-08 10:49:31 +00:00
void mbedtls_x509write_crt_set_issuer_key ( mbedtls_x509write_cert * ctx , mbedtls_pk_context * key ) ;
2013-09-06 07:55:26 +00:00
/**
* \ brief Set the MD algorithm to use for the signature
2015-04-08 10:49:31 +00:00
* ( e . g . MBEDTLS_MD_SHA1 )
2013-09-06 07:55:26 +00:00
*
* \ param ctx CRT context to use
2013-12-30 16:57:27 +00:00
* \ param md_alg MD algorithm to use
2013-09-06 07:55:26 +00:00
*/
2015-04-08 10:49:31 +00:00
void mbedtls_x509write_crt_set_md_alg ( mbedtls_x509write_cert * ctx , mbedtls_md_type_t md_alg ) ;
2013-09-06 07:55:26 +00:00
2013-09-06 17:27:21 +00:00
/**
* \ brief Generic function to add to or replace an extension in the
* CRT
*
* \ param ctx CRT context to use
* \ param oid OID of the extension
* \ param oid_len length of the OID
* \ param critical if the extension is critical ( per the RFC ' s definition )
* \ param val value of the extension OCTET STRING
* \ param val_len length of the value data
*
2015-05-28 07:33:39 +00:00
* \ return 0 if successful , or a MBEDTLS_ERR_X509_ALLOC_FAILED
2013-09-06 17:27:21 +00:00
*/
2015-04-08 10:49:31 +00:00
int mbedtls_x509write_crt_set_extension ( mbedtls_x509write_cert * ctx ,
2013-09-06 17:27:21 +00:00
const char * oid , size_t oid_len ,
int critical ,
const unsigned char * val , size_t val_len ) ;
/**
* \ brief Set the basicConstraints extension for a CRT
*
* \ param ctx CRT context to use
* \ param is_ca is this a CA certificate
* \ param max_pathlen maximum length of certificate chains below this
* certificate ( only for CA certificates , - 1 is
* inlimited )
*
2015-05-28 07:33:39 +00:00
* \ return 0 if successful , or a MBEDTLS_ERR_X509_ALLOC_FAILED
2013-09-06 17:27:21 +00:00
*/
2015-04-08 10:49:31 +00:00
int mbedtls_x509write_crt_set_basic_constraints ( mbedtls_x509write_cert * ctx ,
2013-09-06 17:27:21 +00:00
int is_ca , int max_pathlen ) ;
2015-04-08 10:49:31 +00:00
# if defined(MBEDTLS_SHA1_C)
2013-09-06 17:27:21 +00:00
/**
* \ brief Set the subjectKeyIdentifier extension for a CRT
2015-04-08 10:49:31 +00:00
* Requires that mbedtls_x509write_crt_set_subject_key ( ) has been
2013-09-06 17:27:21 +00:00
* called before
*
* \ param ctx CRT context to use
*
2015-05-28 07:33:39 +00:00
* \ return 0 if successful , or a MBEDTLS_ERR_X509_ALLOC_FAILED
2013-09-06 17:27:21 +00:00
*/
2015-04-08 10:49:31 +00:00
int mbedtls_x509write_crt_set_subject_key_identifier ( mbedtls_x509write_cert * ctx ) ;
2013-09-06 17:27:21 +00:00
/**
* \ brief Set the authorityKeyIdentifier extension for a CRT
2015-04-08 10:49:31 +00:00
* Requires that mbedtls_x509write_crt_set_issuer_key ( ) has been
2013-09-06 17:27:21 +00:00
* called before
*
* \ param ctx CRT context to use
*
2015-05-28 07:33:39 +00:00
* \ return 0 if successful , or a MBEDTLS_ERR_X509_ALLOC_FAILED
2013-09-06 17:27:21 +00:00
*/
2015-04-08 10:49:31 +00:00
int mbedtls_x509write_crt_set_authority_key_identifier ( mbedtls_x509write_cert * ctx ) ;
# endif /* MBEDTLS_SHA1_C */
2013-08-25 08:18:25 +00:00
2013-08-25 09:47:51 +00:00
/**
2013-09-09 10:37:54 +00:00
* \ brief Set the Key Usage Extension flags
2015-04-08 10:49:31 +00:00
* ( e . g . MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN )
2013-09-09 10:37:54 +00:00
*
* \ param ctx CRT context to use
* \ param key_usage key usage flags to set
*
2015-05-28 07:33:39 +00:00
* \ return 0 if successful , or MBEDTLS_ERR_X509_ALLOC_FAILED
2013-09-09 10:37:54 +00:00
*/
2015-06-23 09:07:37 +00:00
int mbedtls_x509write_crt_set_key_usage ( mbedtls_x509write_cert * ctx ,
unsigned int key_usage ) ;
2013-09-09 10:37:54 +00:00
/**
* \ brief Set the Netscape Cert Type flags
2015-04-08 10:49:31 +00:00
* ( e . g . MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL )
2013-09-09 10:37:54 +00:00
*
* \ param ctx CRT context to use
* \ param ns_cert_type Netscape Cert Type flags to set
*
2015-05-28 07:33:39 +00:00
* \ return 0 if successful , or MBEDTLS_ERR_X509_ALLOC_FAILED
2013-09-09 10:37:54 +00:00
*/
2015-04-08 10:49:31 +00:00
int mbedtls_x509write_crt_set_ns_cert_type ( mbedtls_x509write_cert * ctx ,
2013-09-09 10:37:54 +00:00
unsigned char ns_cert_type ) ;
2013-09-06 07:55:26 +00:00
/**
* \ brief Free the contents of a CRT write context
*
* \ param ctx CRT context to free
*/
2015-04-08 10:49:31 +00:00
void mbedtls_x509write_crt_free ( mbedtls_x509write_cert * ctx ) ;
2013-09-06 07:55:26 +00:00
/**
* \ brief Write a built up certificate to a X509 DER structure
2013-08-25 09:47:51 +00:00
* Note : data is written at the end of the buffer ! Use the
* return value to determine where you should start
* using the buffer
*
2013-12-30 16:57:27 +00:00
* \ param ctx certificate to write away
2013-08-25 09:47:51 +00:00
* \ param buf buffer to write to
* \ param size size of the buffer
2013-09-12 03:59:05 +00:00
* \ param f_rng RNG function ( for signature , see note )
* \ param p_rng RNG parameter
2013-08-25 09:47:51 +00:00
*
* \ return length of data written if successful , or a specific
* error code
2013-09-12 03:59:05 +00:00
*
* \ note f_rng may be NULL if RSA is used for signature and the
* signature is made offline ( otherwise f_rng is desirable
* for countermeasures against timing attacks ) .
* ECDSA signatures always require a non - NULL f_rng .
2013-08-25 09:47:51 +00:00
*/
2015-04-08 10:49:31 +00:00
int mbedtls_x509write_crt_der ( mbedtls_x509write_cert * ctx , unsigned char * buf , size_t size ,
2013-09-12 03:59:05 +00:00
int ( * f_rng ) ( void * , unsigned char * , size_t ) ,
void * p_rng ) ;
2013-08-25 09:47:51 +00:00
2015-04-08 10:49:31 +00:00
# if defined(MBEDTLS_PEM_WRITE_C)
2013-08-26 15:22:23 +00:00
/**
2013-09-06 07:55:26 +00:00
* \ brief Write a built up certificate to a X509 PEM string
*
2013-12-30 16:57:27 +00:00
* \ param ctx certificate to write away
2013-09-06 07:55:26 +00:00
* \ param buf buffer to write to
* \ param size size of the buffer
2013-09-12 03:59:05 +00:00
* \ param f_rng RNG function ( for signature , see note )
* \ param p_rng RNG parameter
2013-09-06 07:55:26 +00:00
*
2015-05-29 10:53:47 +00:00
* \ return 0 if successful , or a specific error code
2013-09-12 03:59:05 +00:00
*
* \ note f_rng may be NULL if RSA is used for signature and the
* signature is made offline ( otherwise f_rng is desirable
* for countermeasures against timing attacks ) .
* ECDSA signatures always require a non - NULL f_rng .
2013-09-06 07:55:26 +00:00
*/
2015-04-08 10:49:31 +00:00
int mbedtls_x509write_crt_pem ( mbedtls_x509write_cert * ctx , unsigned char * buf , size_t size ,
2013-09-12 03:59:05 +00:00
int ( * f_rng ) ( void * , unsigned char * , size_t ) ,
void * p_rng ) ;
2015-04-08 10:49:31 +00:00
# endif /* MBEDTLS_PEM_WRITE_C */
# endif /* MBEDTLS_X509_CRT_WRITE_C */
2013-08-26 14:54:13 +00:00
2013-06-27 12:29:21 +00:00
# ifdef __cplusplus
}
# endif
2015-04-08 10:49:31 +00:00
# endif /* mbedtls_x509_crt.h */