mbed TLS v2.24.0
x509_crt.h
Go to the documentation of this file.
1 
6 /*
7  * Copyright The Mbed TLS Contributors
8  * SPDX-License-Identifier: Apache-2.0
9  *
10  * Licensed under the Apache License, Version 2.0 (the "License"); you may
11  * not use this file except in compliance with the License.
12  * You may obtain a copy of the License at
13  *
14  * http://www.apache.org/licenses/LICENSE-2.0
15  *
16  * Unless required by applicable law or agreed to in writing, software
17  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19  * See the License for the specific language governing permissions and
20  * limitations under the License.
21  */
22 #ifndef MBEDTLS_X509_CRT_H
23 #define MBEDTLS_X509_CRT_H
24 
25 #if !defined(MBEDTLS_CONFIG_FILE)
26 #include "mbedtls/config.h"
27 #else
28 #include MBEDTLS_CONFIG_FILE
29 #endif
30 
31 #include "mbedtls/x509.h"
32 #include "mbedtls/x509_crl.h"
33 #include "mbedtls/bignum.h"
34 
40 #ifdef __cplusplus
41 extern "C" {
42 #endif
43 
52 typedef struct mbedtls_x509_crt
53 {
54  int own_buffer;
59  int version;
82  int ext_types;
83  int ca_istrue;
86  unsigned int key_usage;
90  unsigned char ns_cert_type;
95  void *sig_opts;
98 }
100 
108 {
115  union
116  {
123  struct
124  {
127  }
129  }
130  value;
131 }
133 
138 {
139  int type;
140  union {
143  }
144  san;
145 }
147 
152 #define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( (id) - 1 ) )
153 
160 {
161  uint32_t allowed_mds;
162  uint32_t allowed_pks;
163  uint32_t allowed_curves;
164  uint32_t rsa_min_bitlen;
165 }
167 
168 #define MBEDTLS_X509_CRT_VERSION_1 0
169 #define MBEDTLS_X509_CRT_VERSION_2 1
170 #define MBEDTLS_X509_CRT_VERSION_3 2
171 
172 #define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32
173 #define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15
174 
175 #if !defined( MBEDTLS_X509_MAX_FILE_PATH_LEN )
176 #define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
177 #endif
178 
183 {
184  int version;
194 }
196 
200 typedef struct {
202  uint32_t flags;
204 
208 #define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 )
209 
213 typedef struct
214 {
216  unsigned len;
217 
218 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
219  /* This stores the list of potential trusted signers obtained from
220  * the CA callback used for the CRT verification, if configured.
221  * We must track it somewhere because the callback passes its
222  * ownership to the caller. */
224 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
226 
227 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
228 
232 typedef struct
233 {
234  /* for check_signature() */
236 
237  /* for find_parent_in() */
238  mbedtls_x509_crt *parent; /* non-null iff parent_in in progress */
241 
242  /* for find_parent() */
243  int parent_is_trusted; /* -1 if find_parent is not in progress */
244 
245  /* for verify_chain() */
246  enum {
249  } in_progress; /* none if no operation is in progress */
250  int self_cnt;
252 
254 
255 #else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
256 
257 /* Now we can declare functions that take a pointer to that */
258 typedef void mbedtls_x509_crt_restart_ctx;
259 
260 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
261 
262 #if defined(MBEDTLS_X509_CRT_PARSE_C)
263 
268 
274 
279 
301  const unsigned char *buf,
302  size_t buflen );
303 
334 typedef int (*mbedtls_x509_crt_ext_cb_t)( void *p_ctx,
335  mbedtls_x509_crt const *crt,
336  mbedtls_x509_buf const *oid,
337  int critical,
338  const unsigned char *p,
339  const unsigned char *end );
340 
382  const unsigned char *buf,
383  size_t buflen,
384  int make_copy,
386  void *p_ctx );
387 
416  const unsigned char *buf,
417  size_t buflen );
418 
449 int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen );
450 
451 #if defined(MBEDTLS_FS_IO)
452 
465 int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path );
466 
480 int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path );
481 
482 #endif /* MBEDTLS_FS_IO */
483 
524 int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
525  const mbedtls_x509_crt *crt );
526 
539 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
540  uint32_t flags );
541 
609  mbedtls_x509_crt *trust_ca,
610  mbedtls_x509_crl *ca_crl,
611  const char *cn, uint32_t *flags,
612  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
613  void *p_vrfy );
614 
650  mbedtls_x509_crt *trust_ca,
651  mbedtls_x509_crl *ca_crl,
652  const mbedtls_x509_crt_profile *profile,
653  const char *cn, uint32_t *flags,
654  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
655  void *p_vrfy );
656 
684  mbedtls_x509_crt *trust_ca,
685  mbedtls_x509_crl *ca_crl,
686  const mbedtls_x509_crt_profile *profile,
687  const char *cn, uint32_t *flags,
688  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
689  void *p_vrfy,
690  mbedtls_x509_crt_restart_ctx *rs_ctx );
691 
722 typedef int (*mbedtls_x509_crt_ca_cb_t)( void *p_ctx,
723  mbedtls_x509_crt const *child,
724  mbedtls_x509_crt **candidate_cas );
725 
726 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
727 
750  mbedtls_x509_crt_ca_cb_t f_ca_cb,
751  void *p_ca_cb,
752  const mbedtls_x509_crt_profile *profile,
753  const char *cn, uint32_t *flags,
754  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
755  void *p_vrfy );
756 
757 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
758 
759 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
760 
782  unsigned int usage );
783 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */
784 
785 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
786 
800  const char *usage_oid,
801  size_t usage_len );
802 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
803 
804 #if defined(MBEDTLS_X509_CRL_PARSE_C)
805 
815 #endif /* MBEDTLS_X509_CRL_PARSE_C */
816 
823 
830 
831 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
832 
835 void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx *ctx );
836 
840 void mbedtls_x509_crt_restart_free( mbedtls_x509_crt_restart_ctx *ctx );
841 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
842 #endif /* MBEDTLS_X509_CRT_PARSE_C */
843 
844 /* \} name */
845 /* \} addtogroup x509_module */
846 
847 #if defined(MBEDTLS_X509_CRT_WRITE_C)
848 
854 
864 
874 
889 int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before,
890  const char *not_after );
891 
905  const char *issuer_name );
906 
920  const char *subject_name );
921 
929 
937 
946 
961  const char *oid, size_t oid_len,
962  int critical,
963  const unsigned char *val, size_t val_len );
964 
977  int is_ca, int max_pathlen );
978 
979 #if defined(MBEDTLS_SHA1_C)
980 
990 
1001 #endif /* MBEDTLS_SHA1_C */
1002 
1013  unsigned int key_usage );
1014 
1025  unsigned char ns_cert_type );
1026 
1033 
1054 int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
1055  int (*f_rng)(void *, unsigned char *, size_t),
1056  void *p_rng );
1057 
1058 #if defined(MBEDTLS_PEM_WRITE_C)
1059 
1075 int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
1076  int (*f_rng)(void *, unsigned char *, size_t),
1077  void *p_rng );
1078 #endif /* MBEDTLS_PEM_WRITE_C */
1079 #endif /* MBEDTLS_X509_CRT_WRITE_C */
1080 
1081 #ifdef __cplusplus
1082 }
1083 #endif
1084 
1085 #endif /* mbedtls_x509_crt.h */
int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *ctx)
Set the authorityKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_issuer_key...
int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify a chain of certificates.
Public key container.
Definition: pk.h:185
int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Write a built up certificate to a X509 DER structure Note: data is written at the end of the buffer! ...
int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify a chain of certificates with respect to a configurable security profile.
mbedtls_x509_sequence subject_alt_names
Definition: x509_crt.h:78
mbedtls_x509_buf oid
Definition: x509_crt.h:125
int mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy, mbedtls_x509_crt_restart_ctx *rs_ctx)
Restartable version of mbedtls_crt_verify_with_profile()
struct mbedtls_x509_san_other_name::@6::@7 hardware_module_name
struct mbedtls_x509_san_other_name mbedtls_x509_san_other_name
mbedtls_x509_buf pk_raw
Definition: x509_crt.h:72
int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the end of the provided chained list...
int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx, const char *oid, size_t oid_len, int critical, const unsigned char *val, size_t val_len)
Generic function to add to or replace an extension in the CRT.
int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx, unsigned char ns_cert_type)
Set the Netscape Cert Type flags (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TY...
mbedtls_pk_type_t
Public key types.
Definition: pk.h:80
int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl)
Verify the certificate revocation status.
Configuration options (set of defines)
char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN+1]
Definition: x509_crt.h:192
void mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx *ctx)
Free the components of a restart context.
int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Write a built up certificate to a X509 PEM string.
mbedtls_x509_sequence certificate_policies
Definition: x509_crt.h:80
struct mbedtls_x509_crt * next
Definition: x509_crt.h:97
mbedtls_x509_crt * fallback_parent
Definition: x509_crt.h:239
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default
int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt, unsigned int usage)
Check usage of certificate against keyUsage extension.
mbedtls_x509_name issuer
Definition: x509_crt.h:66
mbedtls_pk_restart_ctx pk
Definition: x509_crt.h:235
void mbedtls_x509write_crt_set_subject_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the subject public key for the certificate.
int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx, unsigned int key_usage)
Set the Key Usage Extension flags (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_...
void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)
Initialize a CRT writing context.
mbedtls_x509_buf subject_id
Definition: x509_crt.h:76
struct mbedtls_x509write_cert mbedtls_x509write_cert
void mbedtls_x509write_crt_set_md_alg(mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg)
Set the MD algorithm to use for the signature (e.g. MBEDTLS_MD_SHA1)
mbedtls_x509_buf tbs
Definition: x509_crt.h:57
Multi-precision integer library.
mbedtls_x509_buf subject_raw
Definition: x509_crt.h:64
void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
Unallocate all certificate data.
mbedtls_x509_buf sig_oid
Definition: x509_crt.h:61
mbedtls_x509_buf issuer_raw
Definition: x509_crt.h:63
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb
mbedtls_x509_san_other_name other_name
Definition: x509_crt.h:141
int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx, int is_ca, int max_pathlen)
Set the basicConstraints extension for a CRT.
mbedtls_x509_crt * parent
Definition: x509_crt.h:238
mbedtls_x509_name subject
Definition: x509_crt.h:67
mbedtls_x509_time valid_to
Definition: x509_crt.h:70
int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse one DER-encoded or one or more concatenated PEM-encoded certificates and add them to the chaine...
struct mbedtls_x509_crt_profile mbedtls_x509_crt_profile
unsigned char ns_cert_type
Definition: x509_crt.h:90
int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path)
Load one or more certificate files from a path and add them to the chained list. Parses permissively...
int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx)
Set the subjectKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_subject_key(...
int mbedtls_x509write_crt_set_subject_name(mbedtls_x509write_cert *ctx, const char *subject_name)
Set the subject name for a Certificate Subject names should contain a comma-separated list of OID typ...
mbedtls_x509_buf serial
Definition: x509_crt.h:60
void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version)
Set the verion for a Certificate Default: MBEDTLS_X509_CRT_VERSION_3.
mbedtls_x509_time valid_from
Definition: x509_crt.h:69
mbedtls_x509_buf raw
Definition: x509_crt.h:56
int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len)
Check usage of certificate against extendedKeyUsage.
int mbedtls_x509write_crt_set_validity(mbedtls_x509write_cert *ctx, const char *not_before, const char *not_after)
Set the validity period for a Certificate Timestamps should be in string format for UTC timezone i...
mbedtls_x509_crt_verify_chain ver_chain
Definition: x509_crt.h:251
#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN
Definition: x509_crt.h:173
#define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE
Definition: x509_crt.h:208
void mbedtls_x509write_crt_set_issuer_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the issuer key used for signing the certificate.
mbedtls_x509_buf val
Definition: x509_crt.h:126
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next
mbedtls_pk_context * subject_key
Definition: x509_crt.h:186
mbedtls_pk_type_t sig_pk
Definition: x509_crt.h:94
X.509 generic defines and structures.
int mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt *crt, mbedtls_x509_crt_ca_cb_t f_ca_cb, void *p_ca_cb, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Version of mbedtls_x509_crt_verify_with_profile() which uses a callback to acquire the list of truste...
int mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen, int make_copy, mbedtls_x509_crt_ext_cb_t cb, void *p_ctx)
Parse a single DER formatted certificate and add it to the end of the provided chained list...
void mbedtls_x509_crt_restart_init(mbedtls_x509_crt_restart_ctx *ctx)
Initialize a restart context.
int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix, const mbedtls_x509_crt *crt)
Returns an informational string about the certificate.
int mbedtls_x509write_crt_set_issuer_name(mbedtls_x509write_cert *ctx, const char *issuer_name)
Set the issuer name for a Certificate Issuer names should contain a comma-separated list of OID types...
mbedtls_asn1_named_data * subject
Definition: x509_crt.h:188
int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, mbedtls_x509_subject_alternative_name *san)
This function parses an item in the SubjectAlternativeNames extension.
int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path)
Load one or more certificates and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.
mbedtls_pk_context * issuer_key
Definition: x509_crt.h:187
void * sig_opts
Definition: x509_crt.h:95
char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN+1]
Definition: x509_crt.h:191
mbedtls_md_type_t md_alg
Definition: x509_crt.h:190
mbedtls_x509_buf issuer_id
Definition: x509_crt.h:75
int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial)
Set the serial number for a Certificate.
MPI structure.
Definition: bignum.h:184
X.509 certificate revocation list parsing.
void mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx)
Free the contents of a CRT write context.
struct mbedtls_x509_crt mbedtls_x509_crt
mbedtls_x509_sequence ext_key_usage
Definition: x509_crt.h:88
int(* mbedtls_x509_crt_ext_cb_t)(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid, int critical, const unsigned char *p, const unsigned char *end)
The type of certificate extension callbacks.
Definition: x509_crt.h:334
mbedtls_x509_crt * trust_ca_cb_result
Definition: x509_crt.h:223
int mbedtls_x509_crt_parse_der_nocopy(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the end of the provided chained list...
Context for resuming operations.
Definition: pk.h:195
void mbedtls_x509_crt_init(mbedtls_x509_crt *crt)
Initialize a certificate (chain)
mbedtls_asn1_named_data * extensions
Definition: x509_crt.h:193
unsigned int key_usage
Definition: x509_crt.h:86
mbedtls_x509_buf type_id
Definition: x509_crt.h:114
mbedtls_pk_context pk
Definition: x509_crt.h:73
Context for resuming X.509 verify operations.
Definition: x509_crt.h:232
mbedtls_x509_buf sig
Definition: x509_crt.h:92
mbedtls_md_type_t
Supported message digests.
Definition: md.h:56
int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix, uint32_t flags)
Returns an informational string about the verification status of a certificate.
struct mbedtls_x509_subject_alternative_name mbedtls_x509_subject_alternative_name
mbedtls_asn1_named_data * issuer
Definition: x509_crt.h:189
mbedtls_mpi serial
Definition: x509_crt.h:185
union mbedtls_x509_san_other_name::@6 value
mbedtls_x509_buf v3_ext
Definition: x509_crt.h:77
mbedtls_md_type_t sig_md
Definition: x509_crt.h:93
int(* mbedtls_x509_crt_ca_cb_t)(void *p_ctx, mbedtls_x509_crt const *child, mbedtls_x509_crt **candidate_cas)
The type of trusted certificate callbacks.
Definition: x509_crt.h:722
union mbedtls_x509_subject_alternative_name::@8 san