Mbed TLS v2.28.5
x509_crt.h
Go to the documentation of this file.
1 
6 /*
7  * Copyright The Mbed TLS Contributors
8  * SPDX-License-Identifier: Apache-2.0
9  *
10  * Licensed under the Apache License, Version 2.0 (the "License"); you may
11  * not use this file except in compliance with the License.
12  * You may obtain a copy of the License at
13  *
14  * http://www.apache.org/licenses/LICENSE-2.0
15  *
16  * Unless required by applicable law or agreed to in writing, software
17  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19  * See the License for the specific language governing permissions and
20  * limitations under the License.
21  */
22 #ifndef MBEDTLS_X509_CRT_H
23 #define MBEDTLS_X509_CRT_H
24 
25 #if !defined(MBEDTLS_CONFIG_FILE)
26 #include "mbedtls/config.h"
27 #else
28 #include MBEDTLS_CONFIG_FILE
29 #endif
30 
31 #include "mbedtls/x509.h"
32 #include "mbedtls/x509_crl.h"
33 #include "mbedtls/bignum.h"
34 
40 #ifdef __cplusplus
41 extern "C" {
42 #endif
43 
52 typedef struct mbedtls_x509_crt {
53  int own_buffer;
58  int version;
81  int ext_types;
82  int ca_istrue;
85  unsigned int key_usage;
89  unsigned char ns_cert_type;
94  void *sig_opts;
97 }
99 
113  union {
120  struct {
123  }
125  }
126  value;
127 }
129 
134  int type;
135  union {
138  }
139  san;
140 }
142 
147 #define MBEDTLS_X509_ID_FLAG(id) (1 << ((id) - 1))
148 
154 typedef struct mbedtls_x509_crt_profile {
155  uint32_t allowed_mds;
156  uint32_t allowed_pks;
159  uint32_t allowed_curves;
160  uint32_t rsa_min_bitlen;
161 }
163 
164 #define MBEDTLS_X509_CRT_VERSION_1 0
165 #define MBEDTLS_X509_CRT_VERSION_2 1
166 #define MBEDTLS_X509_CRT_VERSION_3 2
167 
168 #define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32
169 #define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15
170 
171 #if !defined(MBEDTLS_X509_MAX_FILE_PATH_LEN)
172 #define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
173 #endif
174 
178 typedef struct mbedtls_x509write_cert {
179  int version;
189 }
191 
195 typedef struct {
197  uint32_t flags;
199 
203 #define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE (MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2)
204 
208 typedef struct {
210  unsigned len;
211 
212 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
213  /* This stores the list of potential trusted signers obtained from
214  * the CA callback used for the CRT verification, if configured.
215  * We must track it somewhere because the callback passes its
216  * ownership to the caller. */
217  mbedtls_x509_crt *trust_ca_cb_result;
218 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
220 
221 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
222 
226 typedef struct {
227  /* for check_signature() */
229 
230  /* for find_parent_in() */
231  mbedtls_x509_crt *parent; /* non-null iff parent_in in progress */
232  mbedtls_x509_crt *fallback_parent;
233  int fallback_signature_is_good;
234 
235  /* for find_parent() */
236  int parent_is_trusted; /* -1 if find_parent is not in progress */
237 
238  /* for verify_chain() */
239  enum {
240  x509_crt_rs_none,
241  x509_crt_rs_find_parent,
242  } in_progress; /* none if no operation is in progress */
243  int self_cnt;
245 
247 
248 #else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
249 
250 /* Now we can declare functions that take a pointer to that */
252 
253 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
254 
255 #if defined(MBEDTLS_X509_CRT_PARSE_C)
256 
270 
276 
281 
307  const unsigned char *buf,
308  size_t buflen);
309 
340 typedef int (*mbedtls_x509_crt_ext_cb_t)(void *p_ctx,
341  mbedtls_x509_crt const *crt,
342  mbedtls_x509_buf const *oid,
343  int critical,
344  const unsigned char *p,
345  const unsigned char *end);
346 
392  const unsigned char *buf,
393  size_t buflen,
394  int make_copy,
396  void *p_ctx);
397 
430  const unsigned char *buf,
431  size_t buflen);
432 
467 int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen);
468 
469 #if defined(MBEDTLS_FS_IO)
470 
487 int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path);
488 
502 int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path);
503 
504 #endif /* MBEDTLS_FS_IO */
505 
546 int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
547  const mbedtls_x509_crt *crt);
548 
561 int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix,
562  uint32_t flags);
563 
631  mbedtls_x509_crt *trust_ca,
632  mbedtls_x509_crl *ca_crl,
633  const char *cn, uint32_t *flags,
634  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
635  void *p_vrfy);
636 
672  mbedtls_x509_crt *trust_ca,
673  mbedtls_x509_crl *ca_crl,
674  const mbedtls_x509_crt_profile *profile,
675  const char *cn, uint32_t *flags,
676  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
677  void *p_vrfy);
678 
706  mbedtls_x509_crt *trust_ca,
707  mbedtls_x509_crl *ca_crl,
708  const mbedtls_x509_crt_profile *profile,
709  const char *cn, uint32_t *flags,
710  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
711  void *p_vrfy,
713 
744 typedef int (*mbedtls_x509_crt_ca_cb_t)(void *p_ctx,
745  mbedtls_x509_crt const *child,
746  mbedtls_x509_crt **candidate_cas);
747 
748 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
749 
771 int mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt *crt,
772  mbedtls_x509_crt_ca_cb_t f_ca_cb,
773  void *p_ca_cb,
774  const mbedtls_x509_crt_profile *profile,
775  const char *cn, uint32_t *flags,
776  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
777  void *p_vrfy);
778 
779 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
780 
781 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
782 
804  unsigned int usage);
805 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */
806 
807 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
808 
822  const char *usage_oid,
823  size_t usage_len);
824 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
825 
826 #if defined(MBEDTLS_X509_CRL_PARSE_C)
827 
837 #endif /* MBEDTLS_X509_CRL_PARSE_C */
838 
845 
852 
853 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
854 
857 void mbedtls_x509_crt_restart_init(mbedtls_x509_crt_restart_ctx *ctx);
858 
862 void mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx *ctx);
863 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
864 #endif /* MBEDTLS_X509_CRT_PARSE_C */
865 
868 #if defined(MBEDTLS_X509_CRT_WRITE_C)
869 
875 
885 
895 
910 int mbedtls_x509write_crt_set_validity(mbedtls_x509write_cert *ctx, const char *not_before,
911  const char *not_after);
912 
926  const char *issuer_name);
927 
941  const char *subject_name);
942 
950 
958 
967 
982  const char *oid, size_t oid_len,
983  int critical,
984  const unsigned char *val, size_t val_len);
985 
998  int is_ca, int max_pathlen);
999 
1000 #if defined(MBEDTLS_SHA1_C)
1001 
1011 
1022 #endif /* MBEDTLS_SHA1_C */
1023 
1034  unsigned int key_usage);
1035 
1046  unsigned char ns_cert_type);
1047 
1054 
1075 int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
1076  int (*f_rng)(void *, unsigned char *, size_t),
1077  void *p_rng);
1078 
1079 #if defined(MBEDTLS_PEM_WRITE_C)
1080 
1096 int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
1097  int (*f_rng)(void *, unsigned char *, size_t),
1098  void *p_rng);
1099 #endif /* MBEDTLS_PEM_WRITE_C */
1100 #endif /* MBEDTLS_X509_CRT_WRITE_C */
1101 
1104 #ifdef __cplusplus
1105 }
1106 #endif
1107 
1108 #endif /* mbedtls_x509_crt.h */
int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify a chain of certificates.
Public key container.
Definition: pk.h:197
int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx, const char *oid, size_t oid_len, int critical, const unsigned char *val, size_t val_len)
Generic function to add to or replace an extension in the CRT.
int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify a chain of certificates with respect to a configurable security profile.
mbedtls_x509_sequence subject_alt_names
Definition: x509_crt.h:77
mbedtls_x509_buf oid
Definition: x509_crt.h:121
void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version)
Set the version for a Certificate Default: MBEDTLS_X509_CRT_VERSION_3.
int mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy, mbedtls_x509_crt_restart_ctx *rs_ctx)
Restartable version of mbedtls_crt_verify_with_profile()
int mbedtls_x509write_crt_set_subject_name(mbedtls_x509write_cert *ctx, const char *subject_name)
Set the subject name for a Certificate Subject names should contain a comma-separated list of OID typ...
struct mbedtls_x509_san_other_name::@1::@2 hardware_module_name
struct mbedtls_x509_san_other_name mbedtls_x509_san_other_name
int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial)
Set the serial number for a Certificate.
mbedtls_x509_buf pk_raw
Definition: x509_crt.h:71
int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the end of the provided chained list...
mbedtls_pk_type_t
Public key types.
Definition: pk.h:95
int(* mbedtls_x509_crt_ca_cb_t)(void *p_ctx, mbedtls_x509_crt const *child, mbedtls_x509_crt **candidate_cas)
The type of trusted certificate callbacks.
Definition: x509_crt.h:744
int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl)
Verify the certificate revocation status.
Configuration options (set of defines)
char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN+1]
Definition: x509_crt.h:187
mbedtls_x509_sequence certificate_policies
Definition: x509_crt.h:79
struct mbedtls_x509_crt * next
Definition: x509_crt.h:96
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default
int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt, unsigned int usage)
Check usage of certificate against keyUsage extension.
mbedtls_x509_name issuer
Definition: x509_crt.h:65
mbedtls_x509_buf subject_id
Definition: x509_crt.h:75
struct mbedtls_x509write_cert mbedtls_x509write_cert
mbedtls_x509_buf tbs
Definition: x509_crt.h:56
Multi-precision integer library.
mbedtls_x509_buf subject_raw
Definition: x509_crt.h:63
void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
Unallocate all certificate data.
mbedtls_x509_buf sig_oid
Definition: x509_crt.h:60
void mbedtls_pk_restart_ctx
Definition: pk.h:212
mbedtls_x509_buf issuer_raw
Definition: x509_crt.h:62
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb
mbedtls_x509_san_other_name other_name
Definition: x509_crt.h:136
mbedtls_x509_name subject
Definition: x509_crt.h:66
mbedtls_x509_time valid_to
Definition: x509_crt.h:69
int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse one DER-encoded or one or more concatenated PEM-encoded certificates and add them to the chaine...
void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)
Initialize a CRT writing context.
struct mbedtls_x509_crt_profile mbedtls_x509_crt_profile
unsigned char ns_cert_type
Definition: x509_crt.h:89
int mbedtls_x509write_crt_set_validity(mbedtls_x509write_cert *ctx, const char *not_before, const char *not_after)
Set the validity period for a Certificate Timestamps should be in string format for UTC timezone i...
int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path)
Load one or more certificate files from a path and add them to the chained list. Parses permissively...
int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx, unsigned char ns_cert_type)
Set the Netscape Cert Type flags (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TY...
int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *ctx)
Set the authorityKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_issuer_key...
mbedtls_x509_buf serial
Definition: x509_crt.h:59
void mbedtls_x509_crt_restart_ctx
Definition: x509_crt.h:251
mbedtls_x509_time valid_from
Definition: x509_crt.h:68
mbedtls_x509_buf raw
Definition: x509_crt.h:55
int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len)
Check usage of certificate against extendedKeyUsage.
void mbedtls_x509write_crt_set_md_alg(mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg)
Set the MD algorithm to use for the signature (e.g. MBEDTLS_MD_SHA1)
union mbedtls_x509_subject_alternative_name::@3 san
#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN
Definition: x509_crt.h:169
#define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE
Definition: x509_crt.h:203
void mbedtls_x509write_crt_set_issuer_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the issuer key used for signing the certificate.
mbedtls_x509_buf val
Definition: x509_crt.h:122
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next
mbedtls_pk_context * subject_key
Definition: x509_crt.h:181
mbedtls_pk_type_t sig_pk
Definition: x509_crt.h:93
int(* mbedtls_x509_crt_ext_cb_t)(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid, int critical, const unsigned char *p, const unsigned char *end)
The type of certificate extension callbacks.
Definition: x509_crt.h:340
X.509 generic defines and structures.
int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx, unsigned int key_usage)
Set the Key Usage Extension flags (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_...
void mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx)
Free the contents of a CRT write context.
int mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen, int make_copy, mbedtls_x509_crt_ext_cb_t cb, void *p_ctx)
Parse a single DER formatted certificate and add it to the end of the provided chained list...
int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix, const mbedtls_x509_crt *crt)
Returns an informational string about the certificate.
mbedtls_asn1_named_data * subject
Definition: x509_crt.h:183
int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, mbedtls_x509_subject_alternative_name *san)
This function parses an item in the SubjectAlternativeNames extension.
int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path)
Load one or more certificates and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.
mbedtls_pk_context * issuer_key
Definition: x509_crt.h:182
void * sig_opts
Definition: x509_crt.h:94
int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx)
Set the subjectKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_subject_key(...
char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN+1]
Definition: x509_crt.h:186
mbedtls_md_type_t md_alg
Definition: x509_crt.h:185
mbedtls_x509_buf issuer_id
Definition: x509_crt.h:74
MPI structure.
Definition: bignum.h:208
X.509 certificate revocation list parsing.
struct mbedtls_x509_crt mbedtls_x509_crt
mbedtls_x509_sequence ext_key_usage
Definition: x509_crt.h:87
int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Write a built up certificate to a X509 DER structure Note: data is written at the end of the buffer! ...
int mbedtls_x509_crt_parse_der_nocopy(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the end of the provided chained list...
int mbedtls_x509write_crt_set_issuer_name(mbedtls_x509write_cert *ctx, const char *issuer_name)
Set the issuer name for a Certificate Issuer names should contain a comma-separated list of OID types...
void mbedtls_x509_crt_init(mbedtls_x509_crt *crt)
Initialize a certificate (chain)
mbedtls_asn1_named_data * extensions
Definition: x509_crt.h:188
unsigned int key_usage
Definition: x509_crt.h:85
union mbedtls_x509_san_other_name::@1 value
mbedtls_x509_buf type_id
Definition: x509_crt.h:112
int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx, int is_ca, int max_pathlen)
Set the basicConstraints extension for a CRT.
void mbedtls_x509write_crt_set_subject_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)
Set the subject public key for the certificate.
mbedtls_pk_context pk
Definition: x509_crt.h:72
mbedtls_x509_buf sig
Definition: x509_crt.h:91
mbedtls_md_type_t
Supported message digests.
Definition: md.h:62
int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix, uint32_t flags)
Returns an informational string about the verification status of a certificate.
struct mbedtls_x509_subject_alternative_name mbedtls_x509_subject_alternative_name
mbedtls_asn1_named_data * issuer
Definition: x509_crt.h:184
mbedtls_mpi serial
Definition: x509_crt.h:180
int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Write a built up certificate to a X509 PEM string.
mbedtls_x509_buf v3_ext
Definition: x509_crt.h:76
mbedtls_md_type_t sig_md
Definition: x509_crt.h:92