Documentation

Documentation

Includes

config.h

#include "config.h"
#include "config.h"

MBEDTLS_CONFIG_FILE

#include MBEDTLS_CONFIG_FILE
#include MBEDTLS_CONFIG_FILE

asn1.h

#include "asn1.h"
#include "asn1.h"

pk.h

#include "pk.h"
#include "pk.h"

rsa.h

#include "rsa.h"
#include "rsa.h"

Macros

Marco MBEDTLS_X509_H

#define MBEDTLS_X509_H


      

Marco MBEDTLS_X509_MAX_INTERMEDIATE_CA

#define MBEDTLS_X509_MAX_INTERMEDIATE_CA  8
/**
 * Maximum number of intermediate CAs in a verification chain.
 * That is, maximum length of the chain, excluding the end-entity certificate
 * and the trusted root certificate.
 *
 * Set this to a low value to prevent an adversary from making you waste
 * resources verifying an overlong certificate chain.
 */

Marco MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE

#define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE             -8320 /**< Unavailable feature, e.g. RSA hashing/encryption combination. */
/**
 * \name X509 Error codes
 * \{
 */

Marco MBEDTLS_ERR_X509_UNKNOWN_OID

#define MBEDTLS_ERR_X509_UNKNOWN_OID                     -8448 /**< Requested OID is unknown. */


      

Marco MBEDTLS_ERR_X509_INVALID_FORMAT

#define MBEDTLS_ERR_X509_INVALID_FORMAT                  -8576 /**< The CRT/CRL/CSR format is invalid, e.g. different type expected. */


      

Marco MBEDTLS_ERR_X509_INVALID_VERSION

#define MBEDTLS_ERR_X509_INVALID_VERSION                 -8704 /**< The CRT/CRL/CSR version element is invalid. */


      

Marco MBEDTLS_ERR_X509_INVALID_SERIAL

#define MBEDTLS_ERR_X509_INVALID_SERIAL                  -8832 /**< The serial tag or value is invalid. */


      

Marco MBEDTLS_ERR_X509_INVALID_ALG

#define MBEDTLS_ERR_X509_INVALID_ALG                     -8960 /**< The algorithm tag or value is invalid. */


      

Marco MBEDTLS_ERR_X509_INVALID_NAME

#define MBEDTLS_ERR_X509_INVALID_NAME                    -9088 /**< The name tag or value is invalid. */


      

Marco MBEDTLS_ERR_X509_INVALID_DATE

#define MBEDTLS_ERR_X509_INVALID_DATE                    -9216 /**< The date tag or value is invalid. */


      

Marco MBEDTLS_ERR_X509_INVALID_SIGNATURE

#define MBEDTLS_ERR_X509_INVALID_SIGNATURE               -9344 /**< The signature tag or value is invalid. */


      

Marco MBEDTLS_ERR_X509_INVALID_EXTENSIONS

#define MBEDTLS_ERR_X509_INVALID_EXTENSIONS              -9472 /**< The extension tag or value is invalid. */


      

Marco MBEDTLS_ERR_X509_UNKNOWN_VERSION

#define MBEDTLS_ERR_X509_UNKNOWN_VERSION                 -9600 /**< CRT/CRL/CSR has an unsupported version number. */


      

Marco MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG

#define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG                 -9728 /**< Signature algorithm (oid) is unsupported. */


      

Marco MBEDTLS_ERR_X509_SIG_MISMATCH

#define MBEDTLS_ERR_X509_SIG_MISMATCH                    -9856 /**< Signature algorithms do not match. (see \c ::mbedtls_x509_crt sig_oid) */


      

Marco MBEDTLS_ERR_X509_CERT_VERIFY_FAILED

#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED              -9984 /**< Certificate verification failed, e.g. CRL, CA or signature check failed. */


      

Marco MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT

#define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT             -10112 /**< Format not recognized as DER or PEM. */


      

Marco MBEDTLS_ERR_X509_BAD_INPUT_DATA

#define MBEDTLS_ERR_X509_BAD_INPUT_DATA                  -10240 /**< Input invalid. */


      

Marco MBEDTLS_ERR_X509_ALLOC_FAILED

#define MBEDTLS_ERR_X509_ALLOC_FAILED                    -10368 /**< Allocation of memory failed. */


      

Marco MBEDTLS_ERR_X509_FILE_IO_ERROR

#define MBEDTLS_ERR_X509_FILE_IO_ERROR                   -10496 /**< Read/write of file failed. */


      

Marco MBEDTLS_ERR_X509_BUFFER_TOO_SMALL

#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL                -10624 /**< Destination buffer is too small. */


      

Marco MBEDTLS_ERR_X509_FATAL_ERROR

#define MBEDTLS_ERR_X509_FATAL_ERROR                     -12288 /**< A fatal error occurred, e.g. the chain is too long or the vrfy callback failed. */


      

Marco MBEDTLS_X509_BADCERT_EXPIRED

#define MBEDTLS_X509_BADCERT_EXPIRED            1 /**< The certificate validity has expired. */
/* Reminder: update x509_crt_verify_strings[] in library/x509_crt.c */

Marco MBEDTLS_X509_BADCERT_REVOKED

#define MBEDTLS_X509_BADCERT_REVOKED            2 /**< The certificate has been revoked (is on a CRL). */


      

Marco MBEDTLS_X509_BADCERT_CN_MISMATCH

#define MBEDTLS_X509_BADCERT_CN_MISMATCH        4 /**< The certificate Common Name (CN) does not match with the expected CN. */


      

Marco MBEDTLS_X509_BADCERT_NOT_TRUSTED

#define MBEDTLS_X509_BADCERT_NOT_TRUSTED        8 /**< The certificate is not correctly signed by the trusted CA. */


      

Marco MBEDTLS_X509_BADCRL_NOT_TRUSTED

#define MBEDTLS_X509_BADCRL_NOT_TRUSTED         16 /**< The CRL is not correctly signed by the trusted CA. */


      

Marco MBEDTLS_X509_BADCRL_EXPIRED

#define MBEDTLS_X509_BADCRL_EXPIRED             32 /**< The CRL is expired. */


      

Marco MBEDTLS_X509_BADCERT_MISSING

#define MBEDTLS_X509_BADCERT_MISSING            64 /**< Certificate was missing. */


      

Marco MBEDTLS_X509_BADCERT_SKIP_VERIFY

#define MBEDTLS_X509_BADCERT_SKIP_VERIFY        128 /**< Certificate verification was skipped. */


      

Marco MBEDTLS_X509_BADCERT_OTHER

#define MBEDTLS_X509_BADCERT_OTHER            256 /**< Other reason (can be used by verify callback) */


      

Marco MBEDTLS_X509_BADCERT_FUTURE

#define MBEDTLS_X509_BADCERT_FUTURE           512 /**< The certificate validity starts in the future. */


      

Marco MBEDTLS_X509_BADCRL_FUTURE

#define MBEDTLS_X509_BADCRL_FUTURE            1024 /**< The CRL is from the future */


      

Marco MBEDTLS_X509_BADCERT_KEY_USAGE

#define MBEDTLS_X509_BADCERT_KEY_USAGE        2048 /**< Usage does not match the keyUsage extension. */


      

Marco MBEDTLS_X509_BADCERT_EXT_KEY_USAGE

#define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE    4096 /**< Usage does not match the extendedKeyUsage extension. */


      

Marco MBEDTLS_X509_BADCERT_NS_CERT_TYPE

#define MBEDTLS_X509_BADCERT_NS_CERT_TYPE     8192 /**< Usage does not match the nsCertType extension. */


      

Marco MBEDTLS_X509_BADCERT_BAD_MD

#define MBEDTLS_X509_BADCERT_BAD_MD           16384 /**< The certificate is signed with an unacceptable hash. */


      

Marco MBEDTLS_X509_BADCERT_BAD_PK

#define MBEDTLS_X509_BADCERT_BAD_PK           32768 /**< The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA). */


      

Marco MBEDTLS_X509_BADCERT_BAD_KEY

#define MBEDTLS_X509_BADCERT_BAD_KEY        65536 /**< The certificate is signed with an unacceptable key (eg bad curve, RSA too short). */


      

Marco MBEDTLS_X509_BADCRL_BAD_MD

#define MBEDTLS_X509_BADCRL_BAD_MD          131072 /**< The CRL is signed with an unacceptable hash. */


      

Marco MBEDTLS_X509_BADCRL_BAD_PK

#define MBEDTLS_X509_BADCRL_BAD_PK          262144 /**< The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA). */


      

Marco MBEDTLS_X509_BADCRL_BAD_KEY

#define MBEDTLS_X509_BADCRL_BAD_KEY         524288 /**< The CRL is signed with an unacceptable key (eg bad curve, RSA too short). */


      

Marco MBEDTLS_X509_KU_DIGITAL_SIGNATURE

#define MBEDTLS_X509_KU_DIGITAL_SIGNATURE           (128) /* bit 0 */
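/*
 * X.509 v3 Key Usage Extension flags
 * Reminder: update x509_info_key_usage() when adding new flags.
 *
 * The "bit N" comments give the bit position in the ASN.1 BIT STRING, where
 * bit 0 is the most significant bit of the first octet; they are not C bit
 * indices (bit 0 is the value 128, bit 8 is the value 32768).
 */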

Marco MBEDTLS_X509_KU_NON_REPUDIATION

#define MBEDTLS_X509_KU_NON_REPUDIATION             (64) /* bit 1 */


      

Marco MBEDTLS_X509_KU_KEY_ENCIPHERMENT

#define MBEDTLS_X509_KU_KEY_ENCIPHERMENT            (32) /* bit 2 */


      

Marco MBEDTLS_X509_KU_DATA_ENCIPHERMENT

#define MBEDTLS_X509_KU_DATA_ENCIPHERMENT           (16) /* bit 3 */


      

Marco MBEDTLS_X509_KU_KEY_AGREEMENT

#define MBEDTLS_X509_KU_KEY_AGREEMENT               (8) /* bit 4 */


      

Marco MBEDTLS_X509_KU_KEY_CERT_SIGN

#define MBEDTLS_X509_KU_KEY_CERT_SIGN               (4) /* bit 5 */


      

Marco MBEDTLS_X509_KU_CRL_SIGN

#define MBEDTLS_X509_KU_CRL_SIGN                    (2) /* bit 6 */


      

Marco MBEDTLS_X509_KU_ENCIPHER_ONLY

#define MBEDTLS_X509_KU_ENCIPHER_ONLY               (1) /* bit 7 */


      

Marco MBEDTLS_X509_KU_DECIPHER_ONLY

#define MBEDTLS_X509_KU_DECIPHER_ONLY             (32768) /* bit 8 */


      

Marco MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT

#define MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT        (128) /* bit 0 */


      

Marco MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER

#define MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER        (64) /* bit 1 */


      

Marco MBEDTLS_X509_NS_CERT_TYPE_EMAIL

#define MBEDTLS_X509_NS_CERT_TYPE_EMAIL             (32) /* bit 2 */


      

Marco MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING

#define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING    (16) /* bit 3 */


      

Marco MBEDTLS_X509_NS_CERT_TYPE_RESERVED

#define MBEDTLS_X509_NS_CERT_TYPE_RESERVED          (8) /* bit 4 */


      

Marco MBEDTLS_X509_NS_CERT_TYPE_SSL_CA

#define MBEDTLS_X509_NS_CERT_TYPE_SSL_CA            (4) /* bit 5 */


      

Marco MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA

#define MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA          (2) /* bit 6 */


      

Marco MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA

#define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA (1) /* bit 7 */


      

Marco MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER

#define MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER   (1 << 0)
/*
 * X.509 extension types
 *
 * Comments refer to the status for using certificates. Status can be
 * different for writing certificates or reading CRLs or CSRs.
 */

Marco MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER

#define MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER     (1 << 1)


      

Marco MBEDTLS_X509_EXT_KEY_USAGE

#define MBEDTLS_X509_EXT_KEY_USAGE                  (1 << 2)


      

Marco MBEDTLS_X509_EXT_CERTIFICATE_POLICIES

#define MBEDTLS_X509_EXT_CERTIFICATE_POLICIES       (1 << 3)


      

Marco MBEDTLS_X509_EXT_POLICY_MAPPINGS

#define MBEDTLS_X509_EXT_POLICY_MAPPINGS            (1 << 4)


      

Marco MBEDTLS_X509_EXT_SUBJECT_ALT_NAME

#define MBEDTLS_X509_EXT_SUBJECT_ALT_NAME           (1 << 5)   /* Supported (DNS) */


      

Marco MBEDTLS_X509_EXT_ISSUER_ALT_NAME

#define MBEDTLS_X509_EXT_ISSUER_ALT_NAME            (1 << 6)


      

Marco MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS

#define MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS    (1 << 7)


      

Marco MBEDTLS_X509_EXT_BASIC_CONSTRAINTS

#define MBEDTLS_X509_EXT_BASIC_CONSTRAINTS          (1 << 8)   /* Supported */


      

Marco MBEDTLS_X509_EXT_NAME_CONSTRAINTS

#define MBEDTLS_X509_EXT_NAME_CONSTRAINTS           (1 << 9)


      

Marco MBEDTLS_X509_EXT_POLICY_CONSTRAINTS

#define MBEDTLS_X509_EXT_POLICY_CONSTRAINTS         (1 << 10)


      

Marco MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE

#define MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE         (1 << 11)


      

Marco MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS

#define MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS    (1 << 12)


      

Marco MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY

#define MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY         (1 << 13)


      

Marco MBEDTLS_X509_EXT_FRESHEST_CRL

#define MBEDTLS_X509_EXT_FRESHEST_CRL               (1 << 14)


      

Marco MBEDTLS_X509_EXT_NS_CERT_TYPE

#define MBEDTLS_X509_EXT_NS_CERT_TYPE               (1 << 16)


      

Marco MBEDTLS_X509_FORMAT_DER

#define MBEDTLS_X509_FORMAT_DER                1
/*
 * Storage format identifiers
 * Recognized formats: PEM and DER
 */

Marco MBEDTLS_X509_FORMAT_PEM

#define MBEDTLS_X509_FORMAT_PEM                2


      

Marco MBEDTLS_X509_MAX_DN_NAME_SIZE

#define MBEDTLS_X509_MAX_DN_NAME_SIZE        256 /**< Maximum value size of a DN entry */


      

Marco MBEDTLS_X509_SAFE_SNPRINTF

/*
 * Bounds-checking step for code that builds a string through repeated
 * formatting calls.
 *
 * The macro takes no arguments. It reads and updates three variables that
 * must already be declared in the enclosing function:
 *   ret - result of the preceding formatting call (presumably snprintf();
 *         confirm at each call site),
 *   n   - compared against (size_t) ret and reduced by it; presumably the
 *         space left in the output buffer,
 *   p   - advanced by ret; presumably the current write position.
 *
 * If ret is negative, or ret >= n (with snprintf() semantics: the output,
 * including its terminator, did not fit), the macro executes a `return` in
 * the ENCLOSING function with MBEDTLS_ERR_X509_BUFFER_TOO_SMALL. Cleanup
 * code placed after the macro is skipped on that path, so callers must not
 * hold resources that need releasing when they use it.
 *
 * The (size_t) cast of ret in the comparison is only evaluated after
 * ret < 0 has been ruled out by the short-circuit ||, so a negative ret is
 * never compared as a large unsigned value.
 */
#define MBEDTLS_X509_SAFE_SNPRINTF                         \
   do {                                                   \
       if( ret < 0 || (size_t) ret >= n )                 \
           return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL );   \
                                                           \
       n -= (size_t) ret;                                 \
       p += (size_t) ret;                                 \
   } while( 0 )

      

Functions

Func mbedtls_x509_dn_gets

int mbedtls_x509_dn_gets( char *buf, size_t size, const mbedtls_x509_name *dn );
/**
 * \brief          Store the certificate DN in printable form into buf;
 *                 no more than size characters will be written.
 *
 * \param buf      Buffer to write to
 * \param size     Maximum size of buffer
 * \param dn       The X509 name to represent
 *
 * \return         The length of the string written (not including the
 *                 terminating nul byte), or a negative error code.
 */

Func mbedtls_x509_serial_gets

int mbedtls_x509_serial_gets( char *buf, size_t size, const mbedtls_x509_buf *serial );
/**
 * \brief          Store the certificate serial in printable form into buf;
 *                 no more than size characters will be written.
 *
 * \param buf      Buffer to write to
 * \param size     Maximum size of buffer
 * \param serial   The X509 serial to represent
 *
 * \return         The length of the string written (not including the
 *                 terminating nul byte), or a negative error code.
 */

Func mbedtls_x509_time_is_past

int mbedtls_x509_time_is_past( const mbedtls_x509_time *to );
/**
 * \brief          Check a given mbedtls_x509_time against the system time
 *                 and tell if it's in the past.
 *
 * \note           Intended usage is "if( is_past( valid_to ) ) ERROR".
 *                 Hence the return value is 1 on internal errors: a
 *                 failed check is treated the same as an expired time.
 *
 * \param to       mbedtls_x509_time to check
 *
 * \return         1 if the given time is in the past or an error occurred,
 *                 0 otherwise.
 */

Func mbedtls_x509_time_is_future

int mbedtls_x509_time_is_future( const mbedtls_x509_time *from );
/**
 * \brief          Check a given mbedtls_x509_time against the system time
 *                 and tell if it's in the future.
 *
 * \note           Intended usage is "if( is_future( valid_from ) ) ERROR".
 *                 Hence the return value is 1 on internal errors: a
 *                 failed check is treated the same as a time that is
 *                 still in the future.
 *
 * \param from     mbedtls_x509_time to check
 *
 * \return         1 if the given time is in the future or an error occurred,
 *                 0 otherwise.
 */

Func mbedtls_x509_self_test

int mbedtls_x509_self_test( int verbose );
/**
 * \brief          Checkup routine
 *
 * \return         0 if successful, or 1 if the test failed
 */

Func mbedtls_x509_get_name

int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end,
                  mbedtls_x509_name *cur );
/*
 * Internal module functions. You probably do not want to use these unless you
 * know you do.
 */

Func mbedtls_x509_get_alg_null

int mbedtls_x509_get_alg_null( unsigned char **p, const unsigned char *end,
                      mbedtls_x509_buf *alg );


      

Func mbedtls_x509_get_alg

int mbedtls_x509_get_alg( unsigned char **p, const unsigned char *end,
                 mbedtls_x509_buf *alg, mbedtls_x509_buf *params );


      

Func mbedtls_x509_get_rsassa_pss_params

int mbedtls_x509_get_rsassa_pss_params( const mbedtls_x509_buf *params,
                               mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md,
                               int *salt_len );


      

Func mbedtls_x509_get_sig

int mbedtls_x509_get_sig( unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig );


      

Func mbedtls_x509_get_sig_alg

int mbedtls_x509_get_sig_alg( const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
                     mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
                     void **sig_opts );


      

Func mbedtls_x509_get_time

int mbedtls_x509_get_time( unsigned char **p, const unsigned char *end,
                  mbedtls_x509_time *t );


      

Func mbedtls_x509_get_serial

int mbedtls_x509_get_serial( unsigned char **p, const unsigned char *end,
                    mbedtls_x509_buf *serial );


      

Func mbedtls_x509_get_ext

int mbedtls_x509_get_ext( unsigned char **p, const unsigned char *end,
                 mbedtls_x509_buf *ext, int tag );


      

Func mbedtls_x509_sig_alg_gets

int mbedtls_x509_sig_alg_gets( char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
                      mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
                      const void *sig_opts );


      

Func mbedtls_x509_key_size_helper

int mbedtls_x509_key_size_helper( char *buf, size_t buf_size, const char *name );


      

Func mbedtls_x509_string_to_names

int mbedtls_x509_string_to_names( mbedtls_asn1_named_data **head, const char *name );


      

Func mbedtls_x509_set_extension

int mbedtls_x509_set_extension( mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,
                       int critical, const unsigned char *val,
                       size_t val_len );


      

Func mbedtls_x509_write_extensions

int mbedtls_x509_write_extensions( unsigned char **p, unsigned char *start,
                          mbedtls_asn1_named_data *first );


      

Func mbedtls_x509_write_names

int mbedtls_x509_write_names( unsigned char **p, unsigned char *start,
                     mbedtls_asn1_named_data *first );


      

Func mbedtls_x509_write_sig

int mbedtls_x509_write_sig( unsigned char **p, unsigned char *start,
                   const char *oid, size_t oid_len,
                   unsigned char *sig, size_t size );

      

Vars

Consts

Types

Typedefs

Typedef mbedtls_x509_buf

typedef mbedtls_asn1_buf mbedtls_x509_buf;
/**
 * Type-length-value structure that allows for ASN1 using DER.
 */

Typedef mbedtls_x509_bitstring

typedef mbedtls_asn1_bitstring mbedtls_x509_bitstring;
/**
 * Container for ASN1 bit strings.
 */

Typedef mbedtls_x509_name

typedef mbedtls_asn1_named_data mbedtls_x509_name;
/**
 * Container for ASN1 named information objects.
 * It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.).
 */

Typedef mbedtls_x509_sequence

typedef mbedtls_asn1_sequence mbedtls_x509_sequence;
/**
 * Container for a sequence of ASN.1 items
 */

Typedef mbedtls_x509_time;

typedef struct mbedtls_x509_time
{
   int year, mon, day;        /**< Date. */
   int hour, min, sec;        /**< Time. */
}
mbedtls_x509_time;
/** Container for date and time (precision in seconds). */