Mbed TLS v3.6.0
|
Data Structures | |
struct | mbedtls_x509_authority |
struct | mbedtls_x509_time |
struct | mbedtls_x509_san_other_name |
struct | mbedtls_x509_subject_alternative_name |
struct | mbedtls_x509_san_list |
struct | mbedtls_x509_crl_entry |
struct | mbedtls_x509_crl |
struct | mbedtls_x509_crt |
struct | mbedtls_x509_crt_profile |
struct | mbedtls_x509write_cert |
struct | mbedtls_x509_crt_verify_chain_item |
struct | mbedtls_x509_crt_verify_chain |
struct | mbedtls_x509_csr |
struct | mbedtls_x509write_csr |
Macros | |
#define | MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 |
Functions | |
void | mbedtls_x509write_crt_init (mbedtls_x509write_cert *ctx) |
Initialize a CRT writing context. | |
void | mbedtls_x509write_crt_set_version (mbedtls_x509write_cert *ctx, int version) |
Set the version for a Certificate Default: MBEDTLS_X509_CRT_VERSION_3. | |
int MBEDTLS_DEPRECATED | mbedtls_x509write_crt_set_serial (mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial) |
Set the serial number for a Certificate. | |
int | mbedtls_x509write_crt_set_serial_raw (mbedtls_x509write_cert *ctx, unsigned char *serial, size_t serial_len) |
Set the serial number for a Certificate. | |
int | mbedtls_x509write_crt_set_validity (mbedtls_x509write_cert *ctx, const char *not_before, const char *not_after) |
Set the validity period for a Certificate Timestamps should be in string format for UTC timezone i.e. "YYYYMMDDhhmmss" e.g. "20131231235959" for December 31st 2013 at 23:59:59. | |
int | mbedtls_x509write_crt_set_issuer_name (mbedtls_x509write_cert *ctx, const char *issuer_name) |
Set the issuer name for a Certificate Issuer names should contain a comma-separated list of OID types and values: e.g. "C=UK,O=ARM,CN=Mbed TLS CA". | |
int | mbedtls_x509write_crt_set_subject_name (mbedtls_x509write_cert *ctx, const char *subject_name) |
Set the subject name for a Certificate Subject names should contain a comma-separated list of OID types and values: e.g. "C=UK,O=ARM,CN=Mbed TLS Server 1". | |
void | mbedtls_x509write_crt_set_subject_key (mbedtls_x509write_cert *ctx, mbedtls_pk_context *key) |
Set the subject public key for the certificate. | |
void | mbedtls_x509write_crt_set_issuer_key (mbedtls_x509write_cert *ctx, mbedtls_pk_context *key) |
Set the issuer key used for signing the certificate. | |
void | mbedtls_x509write_crt_set_md_alg (mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg) |
Set the MD algorithm to use for the signature (e.g. MBEDTLS_MD_SHA1) | |
int | mbedtls_x509write_crt_set_extension (mbedtls_x509write_cert *ctx, const char *oid, size_t oid_len, int critical, const unsigned char *val, size_t val_len) |
Generic function to add to or replace an extension in the CRT. | |
int | mbedtls_x509write_crt_set_basic_constraints (mbedtls_x509write_cert *ctx, int is_ca, int max_pathlen) |
Set the basicConstraints extension for a CRT. | |
int | mbedtls_x509write_crt_set_subject_key_identifier (mbedtls_x509write_cert *ctx) |
Set the subjectKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_subject_key() has been called before. | |
int | mbedtls_x509write_crt_set_authority_key_identifier (mbedtls_x509write_cert *ctx) |
Set the authorityKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_issuer_key() has been called before. | |
int | mbedtls_x509write_crt_set_key_usage (mbedtls_x509write_cert *ctx, unsigned int key_usage) |
Set the Key Usage Extension flags (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN) | |
int | mbedtls_x509write_crt_set_ext_key_usage (mbedtls_x509write_cert *ctx, const mbedtls_asn1_sequence *exts) |
Set the Extended Key Usage Extension (e.g. MBEDTLS_OID_SERVER_AUTH) | |
int | mbedtls_x509write_crt_set_ns_cert_type (mbedtls_x509write_cert *ctx, unsigned char ns_cert_type) |
Set the Netscape Cert Type flags (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL) | |
void | mbedtls_x509write_crt_free (mbedtls_x509write_cert *ctx) |
Free the contents of a CRT write context. | |
int | mbedtls_x509write_crt_der (mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng) |
Write a built up certificate to a X509 DER structure Note: data is written at the end of the buffer! Use the return value to determine where you should start using the buffer. | |
int | mbedtls_x509write_crt_pem (mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng) |
Write a built up certificate to a X509 PEM string. | |
void | mbedtls_x509write_csr_init (mbedtls_x509write_csr *ctx) |
Initialize a CSR context. | |
int | mbedtls_x509write_csr_set_subject_name (mbedtls_x509write_csr *ctx, const char *subject_name) |
Set the subject name for a CSR Subject names should contain a comma-separated list of OID types and values: e.g. "C=UK,O=ARM,CN=Mbed TLS Server 1". | |
void | mbedtls_x509write_csr_set_key (mbedtls_x509write_csr *ctx, mbedtls_pk_context *key) |
Set the key for a CSR (public key will be included, private key used to sign the CSR when writing it) | |
void | mbedtls_x509write_csr_set_md_alg (mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg) |
Set the MD algorithm to use for the signature (e.g. MBEDTLS_MD_SHA1) | |
int | mbedtls_x509write_csr_set_key_usage (mbedtls_x509write_csr *ctx, unsigned char key_usage) |
Set the Key Usage Extension flags (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN) | |
int | mbedtls_x509write_csr_set_subject_alternative_name (mbedtls_x509write_csr *ctx, const mbedtls_x509_san_list *san_list) |
Set Subject Alternative Name. | |
int | mbedtls_x509write_csr_set_ns_cert_type (mbedtls_x509write_csr *ctx, unsigned char ns_cert_type) |
Set the Netscape Cert Type flags (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL) | |
int | mbedtls_x509write_csr_set_extension (mbedtls_x509write_csr *ctx, const char *oid, size_t oid_len, int critical, const unsigned char *val, size_t val_len) |
Generic function to add to or replace an extension in the CSR. | |
void | mbedtls_x509write_csr_free (mbedtls_x509write_csr *ctx) |
Free the contents of a CSR context. | |
int | mbedtls_x509write_csr_der (mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng) |
Write a CSR (Certificate Signing Request) to a DER structure Note: data is written at the end of the buffer! Use the return value to determine where you should start using the buffer. | |
int | mbedtls_x509write_csr_pem (mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng) |
Write a CSR (Certificate Signing Request) to a PEM string. | |
Structures for parsing X.509 certificates, CRLs and CSRs | |
typedef mbedtls_asn1_buf | mbedtls_x509_buf |
typedef mbedtls_asn1_bitstring | mbedtls_x509_bitstring |
typedef mbedtls_asn1_named_data | mbedtls_x509_name |
typedef mbedtls_asn1_sequence | mbedtls_x509_sequence |
typedef struct mbedtls_x509_authority | mbedtls_x509_authority |
typedef struct mbedtls_x509_time | mbedtls_x509_time |
typedef struct mbedtls_x509_san_other_name | mbedtls_x509_san_other_name |
typedef struct mbedtls_x509_subject_alternative_name | mbedtls_x509_subject_alternative_name |
typedef struct mbedtls_x509_san_list | mbedtls_x509_san_list |
Structures and functions for parsing CRLs | |
typedef struct mbedtls_x509_crl_entry | mbedtls_x509_crl_entry |
typedef struct mbedtls_x509_crl | mbedtls_x509_crl |
int | mbedtls_x509_crl_parse_der (mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen) |
Parse a DER-encoded CRL and append it to the chained list. | |
int | mbedtls_x509_crl_parse (mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen) |
Parse one or more CRLs and append them to the chained list. | |
int | mbedtls_x509_crl_parse_file (mbedtls_x509_crl *chain, const char *path) |
Load one or more CRLs and append them to the chained list. | |
int | mbedtls_x509_crl_info (char *buf, size_t size, const char *prefix, const mbedtls_x509_crl *crl) |
Returns an informational string about the CRL. | |
void | mbedtls_x509_crl_init (mbedtls_x509_crl *crl) |
Initialize a CRL (chain) | |
void | mbedtls_x509_crl_free (mbedtls_x509_crl *crl) |
Unallocate all CRL data. | |
Structures and functions for parsing and writing X.509 certificates | |
typedef struct mbedtls_x509_crt | mbedtls_x509_crt |
typedef struct mbedtls_x509_crt_profile | mbedtls_x509_crt_profile |
typedef struct mbedtls_x509write_cert | mbedtls_x509write_cert |
typedef void | mbedtls_x509_crt_restart_ctx |
typedef int(* | mbedtls_x509_crt_ext_cb_t) (void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid, int critical, const unsigned char *p, const unsigned char *end) |
The type of certificate extension callbacks. | |
typedef int(* | mbedtls_x509_crt_ca_cb_t) (void *p_ctx, mbedtls_x509_crt const *child, mbedtls_x509_crt **candidate_cas) |
The type of trusted certificate callbacks. | |
const mbedtls_x509_crt_profile | mbedtls_x509_crt_profile_default |
const mbedtls_x509_crt_profile | mbedtls_x509_crt_profile_next |
const mbedtls_x509_crt_profile | mbedtls_x509_crt_profile_suiteb |
const mbedtls_x509_crt_profile | mbedtls_x509_crt_profile_none |
int | mbedtls_x509write_crt_set_subject_alternative_name (mbedtls_x509write_cert *ctx, const mbedtls_x509_san_list *san_list) |
Set Subject Alternative Name. | |
int | mbedtls_x509_crt_parse_der (mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen) |
Parse a single DER formatted certificate and add it to the end of the provided chained list. | |
int | mbedtls_x509_crt_parse_der_with_ext_cb (mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen, int make_copy, mbedtls_x509_crt_ext_cb_t cb, void *p_ctx) |
Parse a single DER formatted certificate and add it to the end of the provided chained list. | |
int | mbedtls_x509_crt_parse_der_nocopy (mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen) |
Parse a single DER formatted certificate and add it to the end of the provided chained list. This is a variant of mbedtls_x509_crt_parse_der() which takes temporary ownership of the CRT buffer until the CRT is destroyed. | |
int | mbedtls_x509_crt_parse (mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen) |
Parse one DER-encoded or one or more concatenated PEM-encoded certificates and add them to the chained list. | |
int | mbedtls_x509_crt_parse_file (mbedtls_x509_crt *chain, const char *path) |
Load one or more certificates and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned. | |
int | mbedtls_x509_crt_parse_path (mbedtls_x509_crt *chain, const char *path) |
Load one or more certificate files from a path and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned. | |
int | mbedtls_x509_crt_info (char *buf, size_t size, const char *prefix, const mbedtls_x509_crt *crt) |
Returns an informational string about the certificate. | |
int | mbedtls_x509_crt_verify_info (char *buf, size_t size, const char *prefix, uint32_t flags) |
Returns an informational string about the verification status of a certificate. | |
int | mbedtls_x509_crt_verify (mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy) |
Verify a chain of certificates. | |
int | mbedtls_x509_crt_verify_with_profile (mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy) |
Verify a chain of certificates with respect to a configurable security profile. | |
int | mbedtls_x509_crt_verify_restartable (mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy, mbedtls_x509_crt_restart_ctx *rs_ctx) |
Restartable version of mbedtls_crt_verify_with_profile() | |
int | mbedtls_x509_crt_check_key_usage (const mbedtls_x509_crt *crt, unsigned int usage) |
Check usage of certificate against keyUsage extension. | |
int | mbedtls_x509_crt_check_extended_key_usage (const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len) |
Check usage of certificate against extendedKeyUsage. | |
int | mbedtls_x509_crt_is_revoked (const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl) |
Verify the certificate revocation status. | |
void | mbedtls_x509_crt_init (mbedtls_x509_crt *crt) |
Initialize a certificate (chain) | |
void | mbedtls_x509_crt_free (mbedtls_x509_crt *crt) |
Unallocate all certificate data. | |
static int | mbedtls_x509_crt_has_ext_type (const mbedtls_x509_crt *ctx, int ext_type) |
Query certificate for given extension type. | |
int | mbedtls_x509_crt_get_ca_istrue (const mbedtls_x509_crt *crt) |
Access the ca_istrue field. | |
#define | MBEDTLS_X509_ID_FLAG(id) (1 << ((id) - 1)) |
#define | MBEDTLS_X509_CRT_VERSION_1 0 |
#define | MBEDTLS_X509_CRT_VERSION_2 1 |
#define | MBEDTLS_X509_CRT_VERSION_3 2 |
#define | MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 20 |
#define | MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15 |
#define | MBEDTLS_X509_MAX_FILE_PATH_LEN 512 |
#define | MBEDTLS_X509_CRT_ERROR_INFO_LIST |
#define | MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE (MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2) |
Structures and functions for X.509 Certificate Signing Requests (CSR) | |
typedef struct mbedtls_x509_csr | mbedtls_x509_csr |
typedef struct mbedtls_x509write_csr | mbedtls_x509write_csr |
typedef int(* | mbedtls_x509_csr_ext_cb_t) (void *p_ctx, mbedtls_x509_csr const *csr, mbedtls_x509_buf const *oid, int critical, const unsigned char *p, const unsigned char *end) |
The type of certificate extension callbacks. | |
int | mbedtls_x509_csr_parse_der (mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen) |
Load a Certificate Signing Request (CSR) in DER format. | |
int | mbedtls_x509_csr_parse_der_with_ext_cb (mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen, mbedtls_x509_csr_ext_cb_t cb, void *p_ctx) |
Load a Certificate Signing Request (CSR) in DER format. | |
int | mbedtls_x509_csr_parse (mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen) |
Load a Certificate Signing Request (CSR), DER or PEM format. | |
int | mbedtls_x509_csr_parse_file (mbedtls_x509_csr *csr, const char *path) |
Load a Certificate Signing Request (CSR) | |
int | mbedtls_x509_csr_info (char *buf, size_t size, const char *prefix, const mbedtls_x509_csr *csr) |
Returns an informational string about the CSR. | |
void | mbedtls_x509_csr_init (mbedtls_x509_csr *csr) |
Initialize a CSR. | |
void | mbedtls_x509_csr_free (mbedtls_x509_csr *csr) |
Unallocate all CSR data. | |
X509 Error codes | |
#define | MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE -0x2080 |
#define | MBEDTLS_ERR_X509_UNKNOWN_OID -0x2100 |
#define | MBEDTLS_ERR_X509_INVALID_FORMAT -0x2180 |
#define | MBEDTLS_ERR_X509_INVALID_VERSION -0x2200 |
#define | MBEDTLS_ERR_X509_INVALID_SERIAL -0x2280 |
#define | MBEDTLS_ERR_X509_INVALID_ALG -0x2300 |
#define | MBEDTLS_ERR_X509_INVALID_NAME -0x2380 |
#define | MBEDTLS_ERR_X509_INVALID_DATE -0x2400 |
#define | MBEDTLS_ERR_X509_INVALID_SIGNATURE -0x2480 |
#define | MBEDTLS_ERR_X509_INVALID_EXTENSIONS -0x2500 |
#define | MBEDTLS_ERR_X509_UNKNOWN_VERSION -0x2580 |
#define | MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG -0x2600 |
#define | MBEDTLS_ERR_X509_SIG_MISMATCH -0x2680 |
#define | MBEDTLS_ERR_X509_CERT_VERIFY_FAILED -0x2700 |
#define | MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT -0x2780 |
#define | MBEDTLS_ERR_X509_BAD_INPUT_DATA -0x2800 |
#define | MBEDTLS_ERR_X509_ALLOC_FAILED -0x2880 |
#define | MBEDTLS_ERR_X509_FILE_IO_ERROR -0x2900 |
#define | MBEDTLS_ERR_X509_BUFFER_TOO_SMALL -0x2980 |
#define | MBEDTLS_ERR_X509_FATAL_ERROR -0x3000 |
X509 Verify codes | |
#define | MBEDTLS_X509_BADCERT_EXPIRED 0x01 |
#define | MBEDTLS_X509_BADCERT_REVOKED 0x02 |
#define | MBEDTLS_X509_BADCERT_CN_MISMATCH 0x04 |
#define | MBEDTLS_X509_BADCERT_NOT_TRUSTED 0x08 |
#define | MBEDTLS_X509_BADCRL_NOT_TRUSTED 0x10 |
#define | MBEDTLS_X509_BADCRL_EXPIRED 0x20 |
#define | MBEDTLS_X509_BADCERT_MISSING 0x40 |
#define | MBEDTLS_X509_BADCERT_SKIP_VERIFY 0x80 |
#define | MBEDTLS_X509_BADCERT_OTHER 0x0100 |
#define | MBEDTLS_X509_BADCERT_FUTURE 0x0200 |
#define | MBEDTLS_X509_BADCRL_FUTURE 0x0400 |
#define | MBEDTLS_X509_BADCERT_KEY_USAGE 0x0800 |
#define | MBEDTLS_X509_BADCERT_EXT_KEY_USAGE 0x1000 |
#define | MBEDTLS_X509_BADCERT_NS_CERT_TYPE 0x2000 |
#define | MBEDTLS_X509_BADCERT_BAD_MD 0x4000 |
#define | MBEDTLS_X509_BADCERT_BAD_PK 0x8000 |
#define | MBEDTLS_X509_BADCERT_BAD_KEY 0x010000 |
#define | MBEDTLS_X509_BADCRL_BAD_MD 0x020000 |
#define | MBEDTLS_X509_BADCRL_BAD_PK 0x040000 |
#define | MBEDTLS_X509_BADCRL_BAD_KEY 0x080000 |
The X.509 module provides X.509 support for reading, writing and verification of certificates. In summary:
mbedtls_x509_crt_parse()
, mbedtls_x509_crt_parse_der()
, mbedtls_x509_crt_parse_file()
).mbedtls_x509_crl_parse()
, mbedtls_x509_crl_parse_der()
, and mbedtls_x509_crl_parse_file()
).mbedtls_x509_crt_verify()
and mbedtls_x509_crt_verify_with_profile()
.mbedtls_x509write_crt_der()
and mbedtls_x509write_csr_der()
).This module can be used to build a certificate authority (CA) chain and verify its signature. It is also used to generate Certificate Signing Requests and X.509 certificates just as a CA would do.
#define MBEDTLS_ERR_X509_ALLOC_FAILED -0x2880 |
#define MBEDTLS_ERR_X509_BAD_INPUT_DATA -0x2800 |
#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL -0x2980 |
#define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT -0x2780 |
#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED -0x2700 |
#define MBEDTLS_ERR_X509_FATAL_ERROR -0x3000 |
#define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE -0x2080 |
#define MBEDTLS_ERR_X509_FILE_IO_ERROR -0x2900 |
#define MBEDTLS_ERR_X509_INVALID_ALG -0x2300 |
#define MBEDTLS_ERR_X509_INVALID_DATE -0x2400 |
#define MBEDTLS_ERR_X509_INVALID_EXTENSIONS -0x2500 |
#define MBEDTLS_ERR_X509_INVALID_FORMAT -0x2180 |
#define MBEDTLS_ERR_X509_INVALID_NAME -0x2380 |
#define MBEDTLS_ERR_X509_INVALID_SERIAL -0x2280 |
#define MBEDTLS_ERR_X509_INVALID_SIGNATURE -0x2480 |
#define MBEDTLS_ERR_X509_INVALID_VERSION -0x2200 |
#define MBEDTLS_ERR_X509_SIG_MISMATCH -0x2680 |
Signature algorithms do not match. (see mbedtls_x509_crt
sig_oid)
#define MBEDTLS_ERR_X509_UNKNOWN_OID -0x2100 |
#define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG -0x2600 |
#define MBEDTLS_ERR_X509_UNKNOWN_VERSION -0x2580 |
#define MBEDTLS_X509_BADCERT_BAD_KEY 0x010000 |
#define MBEDTLS_X509_BADCERT_BAD_MD 0x4000 |
#define MBEDTLS_X509_BADCERT_BAD_PK 0x8000 |
#define MBEDTLS_X509_BADCERT_CN_MISMATCH 0x04 |
#define MBEDTLS_X509_BADCERT_EXPIRED 0x01 |
#define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE 0x1000 |
#define MBEDTLS_X509_BADCERT_FUTURE 0x0200 |
#define MBEDTLS_X509_BADCERT_KEY_USAGE 0x0800 |
#define MBEDTLS_X509_BADCERT_MISSING 0x40 |
#define MBEDTLS_X509_BADCERT_NOT_TRUSTED 0x08 |
#define MBEDTLS_X509_BADCERT_NS_CERT_TYPE 0x2000 |
#define MBEDTLS_X509_BADCERT_OTHER 0x0100 |
#define MBEDTLS_X509_BADCERT_REVOKED 0x02 |
#define MBEDTLS_X509_BADCERT_SKIP_VERIFY 0x80 |
#define MBEDTLS_X509_BADCRL_BAD_KEY 0x080000 |
#define MBEDTLS_X509_BADCRL_BAD_MD 0x020000 |
#define MBEDTLS_X509_BADCRL_BAD_PK 0x040000 |
#define MBEDTLS_X509_BADCRL_FUTURE 0x0400 |
#define MBEDTLS_X509_BADCRL_NOT_TRUSTED 0x10 |
#define MBEDTLS_X509_CRT_ERROR_INFO_LIST |
Definition at line 152 of file x509_crt.h.
#define MBEDTLS_X509_CRT_VERSION_1 0 |
Definition at line 135 of file x509_crt.h.
#define MBEDTLS_X509_CRT_VERSION_2 1 |
Definition at line 136 of file x509_crt.h.
#define MBEDTLS_X509_CRT_VERSION_3 2 |
Definition at line 137 of file x509_crt.h.
#define MBEDTLS_X509_ID_FLAG | ( | id | ) | (1 << ((id) - 1)) |
Build flag from an algorithm/curve identifier (pk, md, ecp) Since 0 is always XXX_NONE, ignore it.
Definition at line 98 of file x509_crt.h.
#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 |
Definition at line 143 of file x509_crt.h.
#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 |
Maximum number of intermediate CAs in a verification chain. That is, maximum length of the chain, excluding the end-entity certificate and the trusted root certificate.
Set this to a low value to prevent an adversary from making you waste resources verifying an overlong certificate chain.
#define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE (MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2) |
Max size of verification chain: end-entity + intermediates + trusted root
Definition at line 258 of file x509_crt.h.
#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 20 |
Definition at line 139 of file x509_crt.h.
#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15 |
Definition at line 140 of file x509_crt.h.
typedef struct mbedtls_x509_authority mbedtls_x509_authority |
typedef mbedtls_asn1_buf mbedtls_x509_buf |
typedef struct mbedtls_x509_crl mbedtls_x509_crl |
Certificate revocation list structure. Every CRL may have multiple entries.
typedef struct mbedtls_x509_crl_entry mbedtls_x509_crl_entry |
Certificate revocation list entry. Contains the CA-specific serial numbers and revocation dates.
Some fields of this structure are publicly readable. Do not modify them except via Mbed TLS library functions: the effect of modifying those fields or the data that those fields points to is unspecified.
typedef struct mbedtls_x509_crt mbedtls_x509_crt |
Container for an X.509 certificate. The certificate may be chained.
Some fields of this structure are publicly readable. Do not modify them except via Mbed TLS library functions: the effect of modifying those fields or the data that those fields points to is unspecified.
typedef int(* mbedtls_x509_crt_ca_cb_t) (void *p_ctx, mbedtls_x509_crt const *child, mbedtls_x509_crt **candidate_cas) |
The type of trusted certificate callbacks.
Callbacks of this type are passed to and used by the CRT verification routine mbedtls_x509_crt_verify_with_ca_cb() when looking for trusted signers of a given certificate. On success, the callback returns a list of trusted certificates to be considered as potential signers for the input certificate.
p_ctx | An opaque context passed to the callback. |
child | The certificate for which to search a potential signer. This will point to a readable certificate. |
candidate_cas | The address at which to store the address of the first entry in the generated linked list of candidate signers. This will not be NULL . |
0
and set *candidate_cas
to NULL
.0
on success. In this case, *candidate_cas
points to a heap-allocated linked list of instances of mbedtls_x509_crt, and ownership of this list is passed to the caller. Definition at line 784 of file x509_crt.h.
typedef int(* mbedtls_x509_crt_ext_cb_t) (void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid, int critical, const unsigned char *p, const unsigned char *end) |
The type of certificate extension callbacks.
Callbacks of this type are passed to and used by the mbedtls_x509_crt_parse_der_with_ext_cb() routine when it encounters either an unsupported extension or a "certificate policies" extension containing any unsupported certificate policies. Future versions of the library may invoke the callback in other cases, if and when the need arises.
p_ctx | An opaque context passed to the callback. |
crt | The certificate being parsed. |
oid | The OID of the extension. |
critical | Whether the extension is critical. |
p | Pointer to the start of the extension value (the content of the OCTET STRING). |
end | End of extension value. |
0
on success. Definition at line 402 of file x509_crt.h.
typedef struct mbedtls_x509_crt_profile mbedtls_x509_crt_profile |
Security profile for certificate verification.
All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG().
The fields of this structure are part of the public API and can be manipulated directly by applications. Future versions of the library may add extra fields or reorder existing fields.
You can create custom profiles by starting from a copy of an existing profile, such as mbedtls_x509_crt_profile_default or mbedtls_x509_ctr_profile_none and then tune it to your needs.
For example to allow SHA-224 in addition to the default:
mbedtls_x509_crt_profile my_profile = mbedtls_x509_crt_profile_default; my_profile.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 );
Or to allow only RSA-3072+ with SHA-256:
mbedtls_x509_crt_profile my_profile = mbedtls_x509_crt_profile_none; my_profile.allowed_mds = MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ); my_profile.allowed_pks = MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_RSA ); my_profile.rsa_min_bitlen = 3072;
typedef void mbedtls_x509_crt_restart_ctx |
Definition at line 306 of file x509_crt.h.
typedef struct mbedtls_x509_csr mbedtls_x509_csr |
Certificate Signing Request (CSR) structure.
Some fields of this structure are publicly readable. Do not modify them except via Mbed TLS library functions: the effect of modifying those fields or the data that those fields point to is unspecified.
typedef int(* mbedtls_x509_csr_ext_cb_t) (void *p_ctx, mbedtls_x509_csr const *csr, mbedtls_x509_buf const *oid, int critical, const unsigned char *p, const unsigned char *end) |
The type of certificate extension callbacks.
Callbacks of this type are passed to and used by the mbedtls_x509_csr_parse_der_with_ext_cb() routine when it encounters either an unsupported extension. Future versions of the library may invoke the callback in other cases, if and when the need arises.
p_ctx | An opaque context passed to the callback. |
csr | The CSR being parsed. |
oid | The OID of the extension. |
critical | Whether the extension is critical. |
p | Pointer to the start of the extension value (the content of the OCTET STRING). |
end | End of extension value. |
0
on success. Definition at line 123 of file x509_csr.h.
typedef struct mbedtls_x509_san_list mbedtls_x509_san_list |
typedef struct mbedtls_x509_san_other_name mbedtls_x509_san_other_name |
From RFC 5280 section 4.2.1.6: OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY DEFINED BY type-id }
Future versions of the library may add new fields to this structure or to its embedded union and structure.
A structure for holding the parsed Subject Alternative Name, according to type.
Future versions of the library may add new fields to this structure or to its embedded union and structure.
typedef struct mbedtls_x509_time mbedtls_x509_time |
Container for date and time (precision in seconds).
typedef struct mbedtls_x509write_cert mbedtls_x509write_cert |
Container for writing a certificate (CRT)
typedef struct mbedtls_x509write_csr mbedtls_x509write_csr |
Container for writing a CSR
void mbedtls_x509_crl_free | ( | mbedtls_x509_crl * | crl | ) |
Unallocate all CRL data.
crl | CRL chain to free |
int mbedtls_x509_crl_info | ( | char * | buf, |
size_t | size, | ||
const char * | prefix, | ||
const mbedtls_x509_crl * | crl | ||
) |
Returns an informational string about the CRL.
buf | Buffer to write to |
size | Maximum size of buffer |
prefix | A line prefix |
crl | The X509 CRL to represent |
void mbedtls_x509_crl_init | ( | mbedtls_x509_crl * | crl | ) |
Initialize a CRL (chain)
crl | CRL chain to initialize |
int mbedtls_x509_crl_parse | ( | mbedtls_x509_crl * | chain, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Parse one or more CRLs and append them to the chained list.
chain | points to the start of the chain |
buf | buffer holding the CRL data in PEM or DER format |
buflen | size of the buffer (including the terminating null byte for PEM data) |
int mbedtls_x509_crl_parse_der | ( | mbedtls_x509_crl * | chain, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Parse a DER-encoded CRL and append it to the chained list.
chain | points to the start of the chain |
buf | buffer holding the CRL data in DER format |
buflen | size of the buffer (including the terminating null byte for PEM data) |
int mbedtls_x509_crl_parse_file | ( | mbedtls_x509_crl * | chain, |
const char * | path | ||
) |
Load one or more CRLs and append them to the chained list.
chain | points to the start of the chain |
path | filename to read the CRLs from (in PEM or DER encoding) |
int mbedtls_x509_crt_check_extended_key_usage | ( | const mbedtls_x509_crt * | crt, |
const char * | usage_oid, | ||
size_t | usage_len | ||
) |
Check usage of certificate against extendedKeyUsage.
crt | Leaf certificate used. |
usage_oid | Intended usage (eg MBEDTLS_OID_SERVER_AUTH or MBEDTLS_OID_CLIENT_AUTH). |
usage_len | Length of usage_oid (eg given by MBEDTLS_OID_SIZE()). |
int mbedtls_x509_crt_check_key_usage | ( | const mbedtls_x509_crt * | crt, |
unsigned int | usage | ||
) |
Check usage of certificate against keyUsage extension.
crt | Leaf certificate used. |
usage | Intended usage(s) (eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT before using the certificate to perform an RSA key exchange). |
mbedtls_x509_crt_verify()
. void mbedtls_x509_crt_free | ( | mbedtls_x509_crt * | crt | ) |
Unallocate all certificate data.
crt | Certificate chain to free |
int mbedtls_x509_crt_get_ca_istrue | ( | const mbedtls_x509_crt * | crt | ) |
Access the ca_istrue field.
[in] | crt | Certificate to be queried, must not be NULL |
1
if this a CA certificate 0
otherwise.
|
inlinestatic |
Query certificate for given extension type.
[in] | ctx | Certificate context to be queried, must not be NULL |
ext_type | Extension type being queried for, must be a valid extension type. Must be one of the MBEDTLS_X509_EXT_XXX values |
Definition at line 913 of file x509_crt.h.
int mbedtls_x509_crt_info | ( | char * | buf, |
size_t | size, | ||
const char * | prefix, | ||
const mbedtls_x509_crt * | crt | ||
) |
Returns an informational string about the certificate.
buf | Buffer to write to |
size | Maximum size of buffer |
prefix | A line prefix |
crt | The X509 certificate to represent |
void mbedtls_x509_crt_init | ( | mbedtls_x509_crt * | crt | ) |
Initialize a certificate (chain)
crt | Certificate chain to initialize |
int mbedtls_x509_crt_is_revoked | ( | const mbedtls_x509_crt * | crt, |
const mbedtls_x509_crl * | crl | ||
) |
Verify the certificate revocation status.
crt | a certificate to be verified |
crl | the CRL to verify against |
int mbedtls_x509_crt_parse | ( | mbedtls_x509_crt * | chain, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Parse one DER-encoded or one or more concatenated PEM-encoded certificates and add them to the chained list.
For CRTs in PEM encoding, the function parses permissively: if at least one certificate can be parsed, the function returns the number of certificates for which parsing failed (hence 0
if all certificates were parsed successfully). If no certificate could be parsed, the function returns the first (negative) error encountered during parsing.
PEM encoded certificates may be interleaved by other data such as human readable descriptions of their content, as long as the certificates are enclosed in the PEM specific '--—{BEGIN/END} CERTIFICATE--—' delimiters.
chain | The chain to which to add the parsed certificates. |
buf | The buffer holding the certificate data in PEM or DER format. For certificates in PEM encoding, this may be a concatenation of multiple certificates; for DER encoding, the buffer must comprise exactly one certificate. |
buflen | The size of buf , including the terminating NULL byte in case of PEM encoded data. |
0
if all certificates were parsed successfully. int mbedtls_x509_crt_parse_der | ( | mbedtls_x509_crt * | chain, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Parse a single DER formatted certificate and add it to the end of the provided chained list.
chain | The pointer to the start of the CRT chain to attach to. When parsing the first CRT in a chain, this should point to an instance of mbedtls_x509_crt initialized through mbedtls_x509_crt_init(). |
buf | The buffer holding the DER encoded certificate. |
buflen | The size in Bytes of buf . |
buf
. In particular, buf
may be destroyed or reused after this call returns. To avoid duplicating the CRT buffer (at the cost of stricter lifetime constraints), use mbedtls_x509_crt_parse_der_nocopy() instead.0
if successful. int mbedtls_x509_crt_parse_der_nocopy | ( | mbedtls_x509_crt * | chain, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Parse a single DER formatted certificate and add it to the end of the provided chained list. This is a variant of mbedtls_x509_crt_parse_der() which takes temporary ownership of the CRT buffer until the CRT is destroyed.
chain | The pointer to the start of the CRT chain to attach to. When parsing the first CRT in a chain, this should point to an instance of mbedtls_x509_crt initialized through mbedtls_x509_crt_init(). |
buf | The address of the readable buffer holding the DER encoded certificate to use. On success, this buffer must be retained and not be changed for the lifetime of the CRT chain chain , that is, until chain is destroyed through a call to mbedtls_x509_crt_free(). |
buflen | The size in Bytes of buf . |
0
if successful. int mbedtls_x509_crt_parse_der_with_ext_cb | ( | mbedtls_x509_crt * | chain, |
const unsigned char * | buf, | ||
size_t | buflen, | ||
int | make_copy, | ||
mbedtls_x509_crt_ext_cb_t | cb, | ||
void * | p_ctx | ||
) |
Parse a single DER formatted certificate and add it to the end of the provided chained list.
chain | The pointer to the start of the CRT chain to attach to. When parsing the first CRT in a chain, this should point to an instance of mbedtls_x509_crt initialized through mbedtls_x509_crt_init(). |
buf | The buffer holding the DER encoded certificate. |
buflen | The size in Bytes of buf . |
make_copy | When not zero this function makes an internal copy of the CRT buffer buf . In particular, buf may be destroyed or reused after this call returns. When zero this function avoids duplicating the CRT buffer by taking temporary ownership thereof until the CRT is destroyed (like mbedtls_x509_crt_parse_der_nocopy()) |
cb | A callback invoked for every unsupported certificate extension. |
p_ctx | An opaque context passed to the callback. |
0
if successful. int mbedtls_x509_crt_parse_file | ( | mbedtls_x509_crt * | chain, |
const char * | path | ||
) |
Load one or more certificates and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.
chain | points to the start of the chain |
path | filename to read the certificates from |
int mbedtls_x509_crt_parse_path | ( | mbedtls_x509_crt * | chain, |
const char * | path | ||
) |
Load one or more certificate files from a path and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.
chain | points to the start of the chain |
path | directory / folder to read the certificate files from |
int mbedtls_x509_crt_verify | ( | mbedtls_x509_crt * | crt, |
mbedtls_x509_crt * | trust_ca, | ||
mbedtls_x509_crl * | ca_crl, | ||
const char * | cn, | ||
uint32_t * | flags, | ||
int(*)(void *, mbedtls_x509_crt *, int, uint32_t *) | f_vrfy, | ||
void * | p_vrfy | ||
) |
Verify a chain of certificates.
The verify callback is a user-supplied callback that can clear / modify / add flags for a certificate. If set, the verification callback is called for each certificate in the chain (from the trust-ca down to the presented crt). The parameters for the callback are: (void *parameter, mbedtls_x509_crt *crt, int certificate_depth, int *flags). With the flags representing current flags for that specific certificate and the certificate depth from the bottom (Peer cert depth = 0). All flags left after returning from the callback are also returned to the application. The function should return 0 for anything (including invalid certificates) other than fatal error, as a non-zero return code immediately aborts the verification process. For fatal errors, a specific error code should be used (different from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR can be used if no better code is available.
mbedtls_x509_crt_verify_info()
mbedtls_x509_crt_verify_with_profile()
with the default security profile.trust_ca
list can contain two types of certificates: (1) those of trusted root CAs, so that certificates chaining up to those CAs will be trusted, and (2) self-signed end-entity certificates to be trusted (for specific peers you know) - in that case, the self-signed certificate doesn't need to have the CA bit set.crt | The certificate chain to be verified. |
trust_ca | The list of trusted CAs. |
ca_crl | The list of CRLs for trusted CAs. |
cn | The expected Common Name. This will be checked to be present in the certificate's subjectAltNames extension or, if this extension is absent, as a CN component in its Subject name. DNS names and IP addresses are fully supported, while the URI subtype is partially supported: only exact matching, without any normalization procedures described in 7.4 of RFC5280, will result in a positive URI verification. This may be NULL if the CN need not be verified. |
flags | The address at which to store the result of the verification. If the verification couldn't be completed, the flag value is set to (uint32_t) -1. |
f_vrfy | The verification callback to use. See the documentation of mbedtls_x509_crt_verify() for more information. |
p_vrfy | The context to be passed to f_vrfy . |
0
if the chain is valid with respect to the passed CN, CAs, CRLs and security profile. *flags
will have one or more MBEDTLS_X509_BADCERT_XXX
or MBEDTLS_X509_BADCRL_XXX
flags set. int mbedtls_x509_crt_verify_info | ( | char * | buf, |
size_t | size, | ||
const char * | prefix, | ||
uint32_t | flags | ||
) |
Returns an informational string about the verification status of a certificate.
buf | Buffer to write to |
size | Maximum size of buffer |
prefix | A line prefix |
flags | Verification flags created by mbedtls_x509_crt_verify() |
int mbedtls_x509_crt_verify_restartable | ( | mbedtls_x509_crt * | crt, |
mbedtls_x509_crt * | trust_ca, | ||
mbedtls_x509_crl * | ca_crl, | ||
const mbedtls_x509_crt_profile * | profile, | ||
const char * | cn, | ||
uint32_t * | flags, | ||
int(*)(void *, mbedtls_x509_crt *, int, uint32_t *) | f_vrfy, | ||
void * | p_vrfy, | ||
mbedtls_x509_crt_restart_ctx * | rs_ctx | ||
) |
Restartable version of mbedtls_crt_verify_with_profile()
mbedtls_crt_verify_with_profile()
but can return early and restart according to the limit set with mbedtls_ecp_set_max_ops()
to reduce blocking.crt | The certificate chain to be verified. |
trust_ca | The list of trusted CAs. |
ca_crl | The list of CRLs for trusted CAs. |
profile | The security profile to use for the verification. |
cn | The expected Common Name. This may be NULL if the CN need not be verified. |
flags | The address at which to store the result of the verification. If the verification couldn't be completed, the flag value is set to (uint32_t) -1. |
f_vrfy | The verification callback to use. See the documentation of mbedtls_x509_crt_verify() for more information. |
p_vrfy | The context to be passed to f_vrfy . |
rs_ctx | The restart context to use. This may be set to NULL to disable restartable ECC. |
mbedtls_crt_verify_with_profile()
, or mbedtls_ecp_set_max_ops()
. int mbedtls_x509_crt_verify_with_profile | ( | mbedtls_x509_crt * | crt, |
mbedtls_x509_crt * | trust_ca, | ||
mbedtls_x509_crl * | ca_crl, | ||
const mbedtls_x509_crt_profile * | profile, | ||
const char * | cn, | ||
uint32_t * | flags, | ||
int(*)(void *, mbedtls_x509_crt *, int, uint32_t *) | f_vrfy, | ||
void * | p_vrfy | ||
) |
Verify a chain of certificates with respect to a configurable security profile.
mbedtls_x509_crt_verify()
, but with explicit security profile.crt | The certificate chain to be verified. |
trust_ca | The list of trusted CAs. |
ca_crl | The list of CRLs for trusted CAs. |
profile | The security profile to use for the verification. |
cn | The expected Common Name. This may be NULL if the CN need not be verified. |
flags | The address at which to store the result of the verification. If the verification couldn't be completed, the flag value is set to (uint32_t) -1. |
f_vrfy | The verification callback to use. See the documentation of mbedtls_x509_crt_verify() for more information. |
p_vrfy | The context to be passed to f_vrfy . |
0
if the chain is valid with respect to the passed CN, CAs, CRLs and security profile. *flags
will have one or more MBEDTLS_X509_BADCERT_XXX
or MBEDTLS_X509_BADCRL_XXX
flags set. void mbedtls_x509_csr_free | ( | mbedtls_x509_csr * | csr | ) |
Unallocate all CSR data.
csr | CSR to free |
int mbedtls_x509_csr_info | ( | char * | buf, |
size_t | size, | ||
const char * | prefix, | ||
const mbedtls_x509_csr * | csr | ||
) |
Returns an informational string about the CSR.
buf | Buffer to write to |
size | Maximum size of buffer |
prefix | A line prefix |
csr | The X509 CSR to represent |
void mbedtls_x509_csr_init | ( | mbedtls_x509_csr * | csr | ) |
Initialize a CSR.
csr | CSR to initialize |
int mbedtls_x509_csr_parse | ( | mbedtls_x509_csr * | csr, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Load a Certificate Signing Request (CSR), DER or PEM format.
mbedtls_x509_csr_parse_der()
csr | CSR context to fill |
buf | buffer holding the CRL data |
buflen | size of the buffer (including the terminating null byte for PEM data) |
int mbedtls_x509_csr_parse_der | ( | mbedtls_x509_csr * | csr, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Load a Certificate Signing Request (CSR) in DER format.
csr | CSR context to fill |
buf | buffer holding the CRL data |
buflen | size of the buffer |
int mbedtls_x509_csr_parse_der_with_ext_cb | ( | mbedtls_x509_csr * | csr, |
const unsigned char * | buf, | ||
size_t | buflen, | ||
mbedtls_x509_csr_ext_cb_t | cb, | ||
void * | p_ctx | ||
) |
Load a Certificate Signing Request (CSR) in DER format.
csr | CSR context to fill |
buf | buffer holding the CRL data |
buflen | size of the buffer |
cb | A callback invoked for every unsupported certificate extension. |
p_ctx | An opaque context passed to the callback. |
int mbedtls_x509_csr_parse_file | ( | mbedtls_x509_csr * | csr, |
const char * | path | ||
) |
Load a Certificate Signing Request (CSR)
mbedtls_x509_csr_parse()
csr | CSR context to fill |
path | filename to read the CSR from |
int mbedtls_x509write_crt_der | ( | mbedtls_x509write_cert * | ctx, |
unsigned char * | buf, | ||
size_t | size, | ||
int(*)(void *, unsigned char *, size_t) | f_rng, | ||
void * | p_rng | ||
) |
Write a built up certificate to a X509 DER structure Note: data is written at the end of the buffer! Use the return value to determine where you should start using the buffer.
ctx | certificate to write away |
buf | buffer to write to |
size | size of the buffer |
f_rng | RNG function. This must not be NULL . |
p_rng | RNG parameter |
f_rng
is used for the signature operation. void mbedtls_x509write_crt_free | ( | mbedtls_x509write_cert * | ctx | ) |
Free the contents of a CRT write context.
ctx | CRT context to free |
void mbedtls_x509write_crt_init | ( | mbedtls_x509write_cert * | ctx | ) |
Initialize a CRT writing context.
ctx | CRT context to initialize |
int mbedtls_x509write_crt_pem | ( | mbedtls_x509write_cert * | ctx, |
unsigned char * | buf, | ||
size_t | size, | ||
int(*)(void *, unsigned char *, size_t) | f_rng, | ||
void * | p_rng | ||
) |
Write a built up certificate to a X509 PEM string.
ctx | certificate to write away |
buf | buffer to write to |
size | size of the buffer |
f_rng | RNG function. This must not be NULL . |
p_rng | RNG parameter |
f_rng
is used for the signature operation. int mbedtls_x509write_crt_set_authority_key_identifier | ( | mbedtls_x509write_cert * | ctx | ) |
Set the authorityKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_issuer_key() has been called before.
ctx | CRT context to use |
int mbedtls_x509write_crt_set_basic_constraints | ( | mbedtls_x509write_cert * | ctx, |
int | is_ca, | ||
int | max_pathlen | ||
) |
Set the basicConstraints extension for a CRT.
ctx | CRT context to use |
is_ca | is this a CA certificate |
max_pathlen | maximum length of certificate chains below this certificate (only for CA certificates, -1 is unlimited) |
int mbedtls_x509write_crt_set_ext_key_usage | ( | mbedtls_x509write_cert * | ctx, |
const mbedtls_asn1_sequence * | exts | ||
) |
Set the Extended Key Usage Extension (e.g. MBEDTLS_OID_SERVER_AUTH)
ctx | CRT context to use |
exts | extended key usage extensions to set, a sequence of MBEDTLS_ASN1_OID objects |
int mbedtls_x509write_crt_set_extension | ( | mbedtls_x509write_cert * | ctx, |
const char * | oid, | ||
size_t | oid_len, | ||
int | critical, | ||
const unsigned char * | val, | ||
size_t | val_len | ||
) |
Generic function to add to or replace an extension in the CRT.
ctx | CRT context to use |
oid | OID of the extension |
oid_len | length of the OID |
critical | if the extension is critical (per the RFC's definition) |
val | value of the extension OCTET STRING |
val_len | length of the value data |
void mbedtls_x509write_crt_set_issuer_key | ( | mbedtls_x509write_cert * | ctx, |
mbedtls_pk_context * | key | ||
) |
Set the issuer key used for signing the certificate.
ctx | CRT context to use |
key | private key to sign with |
int mbedtls_x509write_crt_set_issuer_name | ( | mbedtls_x509write_cert * | ctx, |
const char * | issuer_name | ||
) |
Set the issuer name for a Certificate Issuer names should contain a comma-separated list of OID types and values: e.g. "C=UK,O=ARM,CN=Mbed TLS CA".
ctx | CRT context to use |
issuer_name | issuer name to set |
int mbedtls_x509write_crt_set_key_usage | ( | mbedtls_x509write_cert * | ctx, |
unsigned int | key_usage | ||
) |
Set the Key Usage Extension flags (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN)
ctx | CRT context to use |
key_usage | key usage flags to set |
void mbedtls_x509write_crt_set_md_alg | ( | mbedtls_x509write_cert * | ctx, |
mbedtls_md_type_t | md_alg | ||
) |
Set the MD algorithm to use for the signature (e.g. MBEDTLS_MD_SHA1)
ctx | CRT context to use |
md_alg | MD algorithm to use |
int mbedtls_x509write_crt_set_ns_cert_type | ( | mbedtls_x509write_cert * | ctx, |
unsigned char | ns_cert_type | ||
) |
Set the Netscape Cert Type flags (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)
ctx | CRT context to use |
ns_cert_type | Netscape Cert Type flags to set |
int MBEDTLS_DEPRECATED mbedtls_x509write_crt_set_serial | ( | mbedtls_x509write_cert * | ctx, |
const mbedtls_mpi * | serial | ||
) |
Set the serial number for a Certificate.
ctx | CRT context to use |
serial | serial number to set |
int mbedtls_x509write_crt_set_serial_raw | ( | mbedtls_x509write_cert * | ctx, |
unsigned char * | serial, | ||
size_t | serial_len | ||
) |
Set the serial number for a Certificate.
ctx | CRT context to use |
serial | A raw array of bytes containing the serial number in big endian format |
serial_len | Length of valid bytes (expressed in bytes) in serial input buffer |
int mbedtls_x509write_crt_set_subject_alternative_name | ( | mbedtls_x509write_cert * | ctx, |
const mbedtls_x509_san_list * | san_list | ||
) |
Set Subject Alternative Name.
ctx | Certificate context to use |
san_list | List of SAN values |
void mbedtls_x509write_crt_set_subject_key | ( | mbedtls_x509write_cert * | ctx, |
mbedtls_pk_context * | key | ||
) |
Set the subject public key for the certificate.
ctx | CRT context to use |
key | public key to include |
int mbedtls_x509write_crt_set_subject_key_identifier | ( | mbedtls_x509write_cert * | ctx | ) |
Set the subjectKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_subject_key() has been called before.
ctx | CRT context to use |
int mbedtls_x509write_crt_set_subject_name | ( | mbedtls_x509write_cert * | ctx, |
const char * | subject_name | ||
) |
Set the subject name for a Certificate Subject names should contain a comma-separated list of OID types and values: e.g. "C=UK,O=ARM,CN=Mbed TLS Server 1".
ctx | CRT context to use |
subject_name | subject name to set |
int mbedtls_x509write_crt_set_validity | ( | mbedtls_x509write_cert * | ctx, |
const char * | not_before, | ||
const char * | not_after | ||
) |
Set the validity period for a Certificate Timestamps should be in string format for UTC timezone i.e. "YYYYMMDDhhmmss" e.g. "20131231235959" for December 31st 2013 at 23:59:59.
ctx | CRT context to use |
not_before | not_before timestamp |
not_after | not_after timestamp |
void mbedtls_x509write_crt_set_version | ( | mbedtls_x509write_cert * | ctx, |
int | version | ||
) |
Set the version for a Certificate Default: MBEDTLS_X509_CRT_VERSION_3.
ctx | CRT context to use |
version | version to set (MBEDTLS_X509_CRT_VERSION_1, MBEDTLS_X509_CRT_VERSION_2 or MBEDTLS_X509_CRT_VERSION_3) |
int mbedtls_x509write_csr_der | ( | mbedtls_x509write_csr * | ctx, |
unsigned char * | buf, | ||
size_t | size, | ||
int(*)(void *, unsigned char *, size_t) | f_rng, | ||
void * | p_rng | ||
) |
Write a CSR (Certificate Signing Request) to a DER structure Note: data is written at the end of the buffer! Use the return value to determine where you should start using the buffer.
ctx | CSR to write away |
buf | buffer to write to |
size | size of the buffer |
f_rng | RNG function. This must not be NULL . |
p_rng | RNG parameter |
f_rng
is used for the signature operation. void mbedtls_x509write_csr_free | ( | mbedtls_x509write_csr * | ctx | ) |
Free the contents of a CSR context.
ctx | CSR context to free |
void mbedtls_x509write_csr_init | ( | mbedtls_x509write_csr * | ctx | ) |
Initialize a CSR context.
ctx | CSR context to initialize |
int mbedtls_x509write_csr_pem | ( | mbedtls_x509write_csr * | ctx, |
unsigned char * | buf, | ||
size_t | size, | ||
int(*)(void *, unsigned char *, size_t) | f_rng, | ||
void * | p_rng | ||
) |
Write a CSR (Certificate Signing Request) to a PEM string.
ctx | CSR to write away |
buf | buffer to write to |
size | size of the buffer |
f_rng | RNG function. This must not be NULL . |
p_rng | RNG parameter |
f_rng
is used for the signature operation. int mbedtls_x509write_csr_set_extension | ( | mbedtls_x509write_csr * | ctx, |
const char * | oid, | ||
size_t | oid_len, | ||
int | critical, | ||
const unsigned char * | val, | ||
size_t | val_len | ||
) |
Generic function to add to or replace an extension in the CSR.
ctx | CSR context to use |
oid | OID of the extension |
oid_len | length of the OID |
critical | Set to 1 to mark the extension as critical, 0 otherwise. |
val | value of the extension OCTET STRING |
val_len | length of the value data |
void mbedtls_x509write_csr_set_key | ( | mbedtls_x509write_csr * | ctx, |
mbedtls_pk_context * | key | ||
) |
Set the key for a CSR (public key will be included, private key used to sign the CSR when writing it)
ctx | CSR context to use |
key | Asymmetric key to include |
int mbedtls_x509write_csr_set_key_usage | ( | mbedtls_x509write_csr * | ctx, |
unsigned char | key_usage | ||
) |
Set the Key Usage Extension flags (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN)
ctx | CSR context to use |
key_usage | key usage flags to set |
decipherOnly
flag from the Key Usage extension is represented by bit 8 (i.e. 0x8000
), which cannot typically be represented in an unsigned char. Therefore, the flag decipherOnly
(i.e. MBEDTLS_X509_KU_DECIPHER_ONLY) cannot be set using this function. void mbedtls_x509write_csr_set_md_alg | ( | mbedtls_x509write_csr * | ctx, |
mbedtls_md_type_t | md_alg | ||
) |
Set the MD algorithm to use for the signature (e.g. MBEDTLS_MD_SHA1)
ctx | CSR context to use |
md_alg | MD algorithm to use |
int mbedtls_x509write_csr_set_ns_cert_type | ( | mbedtls_x509write_csr * | ctx, |
unsigned char | ns_cert_type | ||
) |
Set the Netscape Cert Type flags (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)
ctx | CSR context to use |
ns_cert_type | Netscape Cert Type flags to set |
int mbedtls_x509write_csr_set_subject_alternative_name | ( | mbedtls_x509write_csr * | ctx, |
const mbedtls_x509_san_list * | san_list | ||
) |
Set Subject Alternative Name.
ctx | CSR context to use |
san_list | List of SAN values |
int mbedtls_x509write_csr_set_subject_name | ( | mbedtls_x509write_csr * | ctx, |
const char * | subject_name | ||
) |
Set the subject name for a CSR Subject names should contain a comma-separated list of OID types and values: e.g. "C=UK,O=ARM,CN=Mbed TLS Server 1".
ctx | CSR context to use |
subject_name | subject name to set |
|
extern |
Default security profile. Should provide a good balance between security and compatibility with current deployments.
This profile permits:
New minor versions of Mbed TLS may extend this profile, for example if new algorithms are added to the library. New minor versions of Mbed TLS will not reduce this profile unless serious security concerns require it.
|
extern |
Expected next default profile. Recommended for new deployments. Currently targets a 128-bit security level, except for allowing RSA-2048. This profile may change at any time.
|
extern |
Empty profile that allows nothing. Useful as a basis for constructing custom profiles.
|
extern |
NSA Suite B profile.