BA
/
BaBoRo1
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Embed:
(wiki syntax)
Show/hide line numbers
x509_crt.h
Go to the documentation of this file.
00001 /** 00002 * \file x509_crt.h 00003 * 00004 * \brief X.509 certificate parsing and writing 00005 */ 00006 /* 00007 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00008 * SPDX-License-Identifier: Apache-2.0 00009 * 00010 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00011 * not use this file except in compliance with the License. 00012 * You may obtain a copy of the License at 00013 * 00014 * http://www.apache.org/licenses/LICENSE-2.0 00015 * 00016 * Unless required by applicable law or agreed to in writing, software 00017 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00018 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00019 * See the License for the specific language governing permissions and 00020 * limitations under the License. 00021 * 00022 * This file is part of mbed TLS (https://tls.mbed.org) 00023 */ 00024 #ifndef MBEDTLS_X509_CRT_H 00025 #define MBEDTLS_X509_CRT_H 00026 00027 #if !defined(MBEDTLS_CONFIG_FILE) 00028 #include "config.h" 00029 #else 00030 #include MBEDTLS_CONFIG_FILE 00031 #endif 00032 00033 #include "x509.h" 00034 #include "x509_crl.h" 00035 00036 /** 00037 * \addtogroup x509_module 00038 * \{ 00039 */ 00040 00041 #ifdef __cplusplus 00042 extern "C" { 00043 #endif 00044 00045 /** 00046 * \name Structures and functions for parsing and writing X.509 certificates 00047 * \{ 00048 */ 00049 00050 /** 00051 * Container for an X.509 certificate. The certificate may be chained. 00052 */ 00053 typedef struct mbedtls_x509_crt 00054 { 00055 mbedtls_x509_buf raw; /**< The raw certificate data (DER). */ 00056 mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */ 00057 00058 int version; /**< The X.509 version. (1=v1, 2=v2, 3=v3) */ 00059 mbedtls_x509_buf serial; /**< Unique id for certificate issued by a specific CA. */ 00060 mbedtls_x509_buf sig_oid; /**< Signature algorithm, e.g. sha1RSA */ 00061 00062 mbedtls_x509_buf issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */ 00063 mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). Used for quick comparison. */ 00064 00065 mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */ 00066 mbedtls_x509_name subject; /**< The parsed subject data (named information object). */ 00067 00068 mbedtls_x509_time valid_from; /**< Start time of certificate validity. */ 00069 mbedtls_x509_time valid_to; /**< End time of certificate validity. */ 00070 00071 mbedtls_pk_context pk; /**< Container for the public key context. */ 00072 00073 mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */ 00074 mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */ 00075 mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */ 00076 mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */ 00077 00078 int ext_types; /**< Bit string containing detected and parsed extensions */ 00079 int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */ 00080 int max_pathlen; /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */ 00081 00082 unsigned int key_usage; /**< Optional key usage extension value: See the values in x509.h */ 00083 00084 mbedtls_x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */ 00085 00086 unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */ 00087 00088 mbedtls_x509_buf sig; /**< Signature: hash of the tbs part signed with the private key. */ 00089 mbedtls_md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ 00090 mbedtls_pk_type_t sig_pk; /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ 00091 void *sig_opts; /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */ 00092 00093 struct mbedtls_x509_crt *next; /**< Next certificate in the CA-chain. */ 00094 } 00095 mbedtls_x509_crt; 00096 00097 /** 00098 * Build flag from an algorithm/curve identifier (pk, md, ecp) 00099 * Since 0 is always XXX_NONE, ignore it. 00100 */ 00101 #define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( id - 1 ) ) 00102 00103 /** 00104 * Security profile for certificate verification. 00105 * 00106 * All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG(). 00107 */ 00108 typedef struct 00109 { 00110 uint32_t allowed_mds; /**< MDs for signatures */ 00111 uint32_t allowed_pks; /**< PK algs for signatures */ 00112 uint32_t allowed_curves; /**< Elliptic curves for ECDSA */ 00113 uint32_t rsa_min_bitlen; /**< Minimum size for RSA keys */ 00114 } 00115 mbedtls_x509_crt_profile; 00116 00117 #define MBEDTLS_X509_CRT_VERSION_1 0 00118 #define MBEDTLS_X509_CRT_VERSION_2 1 00119 #define MBEDTLS_X509_CRT_VERSION_3 2 00120 00121 #define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32 00122 #define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15 00123 00124 #if !defined( MBEDTLS_X509_MAX_FILE_PATH_LEN ) 00125 #define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 00126 #endif 00127 00128 /** 00129 * Container for writing a certificate (CRT) 00130 */ 00131 typedef struct mbedtls_x509write_cert 00132 { 00133 int version; 00134 mbedtls_mpi serial; 00135 mbedtls_pk_context *subject_key; 00136 mbedtls_pk_context *issuer_key; 00137 mbedtls_asn1_named_data *subject; 00138 mbedtls_asn1_named_data *issuer; 00139 mbedtls_md_type_t md_alg; 00140 char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1]; 00141 char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1]; 00142 mbedtls_asn1_named_data *extensions; 00143 } 00144 mbedtls_x509write_cert; 00145 00146 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00147 /** 00148 * Default security profile. Should provide a good balance between security 00149 * and compatibility with current deployments. 00150 */ 00151 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default; 00152 00153 /** 00154 * Expected next default profile. Recommended for new deployments. 00155 * Currently targets a 128-bit security level, except for RSA-2048. 00156 */ 00157 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next; 00158 00159 /** 00160 * NSA Suite B profile. 00161 */ 00162 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb; 00163 00164 /** 00165 * \brief Parse a single DER formatted certificate and add it 00166 * to the chained list. 00167 * 00168 * \param chain points to the start of the chain 00169 * \param buf buffer holding the certificate DER data 00170 * \param buflen size of the buffer 00171 * 00172 * \return 0 if successful, or a specific X509 or PEM error code 00173 */ 00174 int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *buf, 00175 size_t buflen ); 00176 00177 /** 00178 * \brief Parse one or more certificates and add them 00179 * to the chained list. Parses permissively. If some 00180 * certificates can be parsed, the result is the number 00181 * of failed certificates it encountered. If none complete 00182 * correctly, the first error is returned. 00183 * 00184 * \param chain points to the start of the chain 00185 * \param buf buffer holding the certificate data in PEM or DER format 00186 * \param buflen size of the buffer 00187 * (including the terminating null byte for PEM data) 00188 * 00189 * \return 0 if all certificates parsed successfully, a positive number 00190 * if partly successful or a specific X509 or PEM error code 00191 */ 00192 int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen ); 00193 00194 #if defined(MBEDTLS_FS_IO) 00195 /** 00196 * \brief Load one or more certificates and add them 00197 * to the chained list. Parses permissively. If some 00198 * certificates can be parsed, the result is the number 00199 * of failed certificates it encountered. If none complete 00200 * correctly, the first error is returned. 00201 * 00202 * \param chain points to the start of the chain 00203 * \param path filename to read the certificates from 00204 * 00205 * \return 0 if all certificates parsed successfully, a positive number 00206 * if partly successful or a specific X509 or PEM error code 00207 */ 00208 int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path ); 00209 00210 /** 00211 * \brief Load one or more certificate files from a path and add them 00212 * to the chained list. Parses permissively. If some 00213 * certificates can be parsed, the result is the number 00214 * of failed certificates it encountered. If none complete 00215 * correctly, the first error is returned. 00216 * 00217 * \param chain points to the start of the chain 00218 * \param path directory / folder to read the certificate files from 00219 * 00220 * \return 0 if all certificates parsed successfully, a positive number 00221 * if partly successful or a specific X509 or PEM error code 00222 */ 00223 int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path ); 00224 #endif /* MBEDTLS_FS_IO */ 00225 00226 /** 00227 * \brief Returns an informational string about the 00228 * certificate. 00229 * 00230 * \param buf Buffer to write to 00231 * \param size Maximum size of buffer 00232 * \param prefix A line prefix 00233 * \param crt The X509 certificate to represent 00234 * 00235 * \return The length of the string written (not including the 00236 * terminated nul byte), or a negative error code. 00237 */ 00238 int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix, 00239 const mbedtls_x509_crt *crt ); 00240 00241 /** 00242 * \brief Returns an informational string about the 00243 * verification status of a certificate. 00244 * 00245 * \param buf Buffer to write to 00246 * \param size Maximum size of buffer 00247 * \param prefix A line prefix 00248 * \param flags Verification flags created by mbedtls_x509_crt_verify() 00249 * 00250 * \return The length of the string written (not including the 00251 * terminated nul byte), or a negative error code. 00252 */ 00253 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix, 00254 uint32_t flags ); 00255 00256 /** 00257 * \brief Verify the certificate signature 00258 * 00259 * The verify callback is a user-supplied callback that 00260 * can clear / modify / add flags for a certificate. If set, 00261 * the verification callback is called for each 00262 * certificate in the chain (from the trust-ca down to the 00263 * presented crt). The parameters for the callback are: 00264 * (void *parameter, mbedtls_x509_crt *crt, int certificate_depth, 00265 * int *flags). With the flags representing current flags for 00266 * that specific certificate and the certificate depth from 00267 * the bottom (Peer cert depth = 0). 00268 * 00269 * All flags left after returning from the callback 00270 * are also returned to the application. The function should 00271 * return 0 for anything (including invalid certificates) 00272 * other than fatal error, as a non-zero return code 00273 * immediately aborts the verification process. For fatal 00274 * errors, a specific error code should be used (different 00275 * from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not 00276 * be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR 00277 * can be used if no better code is available. 00278 * 00279 * \note In case verification failed, the results can be displayed 00280 * using \c mbedtls_x509_crt_verify_info() 00281 * 00282 * \note Same as \c mbedtls_x509_crt_verify_with_profile() with the 00283 * default security profile. 00284 * 00285 * \note It is your responsibility to provide up-to-date CRLs for 00286 * all trusted CAs. If no CRL is provided for the CA that was 00287 * used to sign the certificate, CRL verification is skipped 00288 * silently, that is *without* setting any flag. 00289 * 00290 * \param crt a certificate (chain) to be verified 00291 * \param trust_ca the list of trusted CAs 00292 * \param ca_crl the list of CRLs for trusted CAs (see note above) 00293 * \param cn expected Common Name (can be set to 00294 * NULL if the CN must not be verified) 00295 * \param flags result of the verification 00296 * \param f_vrfy verification function 00297 * \param p_vrfy verification parameter 00298 * 00299 * \return 0 (and flags set to 0) if the chain was verified and valid, 00300 * MBEDTLS_ERR_X509_CERT_VERIFY_FAILED if the chain was verified 00301 * but found to be invalid, in which case *flags will have one 00302 * or more MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX 00303 * flags set, or another error (and flags set to 0xffffffff) 00304 * in case of a fatal error encountered during the 00305 * verification process. 00306 */ 00307 int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, 00308 mbedtls_x509_crt *trust_ca, 00309 mbedtls_x509_crl *ca_crl, 00310 const char *cn, uint32_t *flags, 00311 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 00312 void *p_vrfy ); 00313 00314 /** 00315 * \brief Verify the certificate signature according to profile 00316 * 00317 * \note Same as \c mbedtls_x509_crt_verify(), but with explicit 00318 * security profile. 00319 * 00320 * \note The restrictions on keys (RSA minimum size, allowed curves 00321 * for ECDSA) apply to all certificates: trusted root, 00322 * intermediate CAs if any, and end entity certificate. 00323 * 00324 * \param crt a certificate (chain) to be verified 00325 * \param trust_ca the list of trusted CAs 00326 * \param ca_crl the list of CRLs for trusted CAs 00327 * \param profile security profile for verification 00328 * \param cn expected Common Name (can be set to 00329 * NULL if the CN must not be verified) 00330 * \param flags result of the verification 00331 * \param f_vrfy verification function 00332 * \param p_vrfy verification parameter 00333 * 00334 * \return 0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED 00335 * in which case *flags will have one or more 00336 * MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags 00337 * set, 00338 * or another error in case of a fatal error encountered 00339 * during the verification process. 00340 */ 00341 int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt, 00342 mbedtls_x509_crt *trust_ca, 00343 mbedtls_x509_crl *ca_crl, 00344 const mbedtls_x509_crt_profile *profile, 00345 const char *cn, uint32_t *flags, 00346 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 00347 void *p_vrfy ); 00348 00349 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) 00350 /** 00351 * \brief Check usage of certificate against keyUsage extension. 00352 * 00353 * \param crt Leaf certificate used. 00354 * \param usage Intended usage(s) (eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT 00355 * before using the certificate to perform an RSA key 00356 * exchange). 00357 * 00358 * \note Except for decipherOnly and encipherOnly, a bit set in the 00359 * usage argument means this bit MUST be set in the 00360 * certificate. For decipherOnly and encipherOnly, it means 00361 * that bit MAY be set. 00362 * 00363 * \return 0 is these uses of the certificate are allowed, 00364 * MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension 00365 * is present but does not match the usage argument. 00366 * 00367 * \note You should only call this function on leaf certificates, on 00368 * (intermediate) CAs the keyUsage extension is automatically 00369 * checked by \c mbedtls_x509_crt_verify(). 00370 */ 00371 int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, 00372 unsigned int usage ); 00373 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */ 00374 00375 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 00376 /** 00377 * \brief Check usage of certificate against extendedKeyUsage. 00378 * 00379 * \param crt Leaf certificate used. 00380 * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or 00381 * MBEDTLS_OID_CLIENT_AUTH). 00382 * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()). 00383 * 00384 * \return 0 if this use of the certificate is allowed, 00385 * MBEDTLS_ERR_X509_BAD_INPUT_DATA if not. 00386 * 00387 * \note Usually only makes sense on leaf certificates. 00388 */ 00389 int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt, 00390 const char *usage_oid, 00391 size_t usage_len ); 00392 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ 00393 00394 #if defined(MBEDTLS_X509_CRL_PARSE_C) 00395 /** 00396 * \brief Verify the certificate revocation status 00397 * 00398 * \param crt a certificate to be verified 00399 * \param crl the CRL to verify against 00400 * 00401 * \return 1 if the certificate is revoked, 0 otherwise 00402 * 00403 */ 00404 int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl ); 00405 #endif /* MBEDTLS_X509_CRL_PARSE_C */ 00406 00407 /** 00408 * \brief Initialize a certificate (chain) 00409 * 00410 * \param crt Certificate chain to initialize 00411 */ 00412 void mbedtls_x509_crt_init( mbedtls_x509_crt *crt ); 00413 00414 /** 00415 * \brief Unallocate all certificate data 00416 * 00417 * \param crt Certificate chain to free 00418 */ 00419 void mbedtls_x509_crt_free( mbedtls_x509_crt *crt ); 00420 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 00421 00422 /* \} name */ 00423 /* \} addtogroup x509_module */ 00424 00425 #if defined(MBEDTLS_X509_CRT_WRITE_C) 00426 /** 00427 * \brief Initialize a CRT writing context 00428 * 00429 * \param ctx CRT context to initialize 00430 */ 00431 void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx ); 00432 00433 /** 00434 * \brief Set the verion for a Certificate 00435 * Default: MBEDTLS_X509_CRT_VERSION_3 00436 * 00437 * \param ctx CRT context to use 00438 * \param version version to set (MBEDTLS_X509_CRT_VERSION_1, MBEDTLS_X509_CRT_VERSION_2 or 00439 * MBEDTLS_X509_CRT_VERSION_3) 00440 */ 00441 void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version ); 00442 00443 /** 00444 * \brief Set the serial number for a Certificate. 00445 * 00446 * \param ctx CRT context to use 00447 * \param serial serial number to set 00448 * 00449 * \return 0 if successful 00450 */ 00451 int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial ); 00452 00453 /** 00454 * \brief Set the validity period for a Certificate 00455 * Timestamps should be in string format for UTC timezone 00456 * i.e. "YYYYMMDDhhmmss" 00457 * e.g. "20131231235959" for December 31st 2013 00458 * at 23:59:59 00459 * 00460 * \param ctx CRT context to use 00461 * \param not_before not_before timestamp 00462 * \param not_after not_after timestamp 00463 * 00464 * \return 0 if timestamp was parsed successfully, or 00465 * a specific error code 00466 */ 00467 int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before, 00468 const char *not_after ); 00469 00470 /** 00471 * \brief Set the issuer name for a Certificate 00472 * Issuer names should contain a comma-separated list 00473 * of OID types and values: 00474 * e.g. "C=UK,O=ARM,CN=mbed TLS CA" 00475 * 00476 * \param ctx CRT context to use 00477 * \param issuer_name issuer name to set 00478 * 00479 * \return 0 if issuer name was parsed successfully, or 00480 * a specific error code 00481 */ 00482 int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *ctx, 00483 const char *issuer_name ); 00484 00485 /** 00486 * \brief Set the subject name for a Certificate 00487 * Subject names should contain a comma-separated list 00488 * of OID types and values: 00489 * e.g. "C=UK,O=ARM,CN=mbed TLS Server 1" 00490 * 00491 * \param ctx CRT context to use 00492 * \param subject_name subject name to set 00493 * 00494 * \return 0 if subject name was parsed successfully, or 00495 * a specific error code 00496 */ 00497 int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *ctx, 00498 const char *subject_name ); 00499 00500 /** 00501 * \brief Set the subject public key for the certificate 00502 * 00503 * \param ctx CRT context to use 00504 * \param key public key to include 00505 */ 00506 void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key ); 00507 00508 /** 00509 * \brief Set the issuer key used for signing the certificate 00510 * 00511 * \param ctx CRT context to use 00512 * \param key private key to sign with 00513 */ 00514 void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key ); 00515 00516 /** 00517 * \brief Set the MD algorithm to use for the signature 00518 * (e.g. MBEDTLS_MD_SHA1) 00519 * 00520 * \param ctx CRT context to use 00521 * \param md_alg MD algorithm to use 00522 */ 00523 void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg ); 00524 00525 /** 00526 * \brief Generic function to add to or replace an extension in the 00527 * CRT 00528 * 00529 * \param ctx CRT context to use 00530 * \param oid OID of the extension 00531 * \param oid_len length of the OID 00532 * \param critical if the extension is critical (per the RFC's definition) 00533 * \param val value of the extension OCTET STRING 00534 * \param val_len length of the value data 00535 * 00536 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 00537 */ 00538 int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx, 00539 const char *oid, size_t oid_len, 00540 int critical, 00541 const unsigned char *val, size_t val_len ); 00542 00543 /** 00544 * \brief Set the basicConstraints extension for a CRT 00545 * 00546 * \param ctx CRT context to use 00547 * \param is_ca is this a CA certificate 00548 * \param max_pathlen maximum length of certificate chains below this 00549 * certificate (only for CA certificates, -1 is 00550 * inlimited) 00551 * 00552 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 00553 */ 00554 int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx, 00555 int is_ca, int max_pathlen ); 00556 00557 #if defined(MBEDTLS_SHA1_C) 00558 /** 00559 * \brief Set the subjectKeyIdentifier extension for a CRT 00560 * Requires that mbedtls_x509write_crt_set_subject_key() has been 00561 * called before 00562 * 00563 * \param ctx CRT context to use 00564 * 00565 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 00566 */ 00567 int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx ); 00568 00569 /** 00570 * \brief Set the authorityKeyIdentifier extension for a CRT 00571 * Requires that mbedtls_x509write_crt_set_issuer_key() has been 00572 * called before 00573 * 00574 * \param ctx CRT context to use 00575 * 00576 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 00577 */ 00578 int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx ); 00579 #endif /* MBEDTLS_SHA1_C */ 00580 00581 /** 00582 * \brief Set the Key Usage Extension flags 00583 * (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN) 00584 * 00585 * \param ctx CRT context to use 00586 * \param key_usage key usage flags to set 00587 * 00588 * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED 00589 */ 00590 int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, 00591 unsigned int key_usage ); 00592 00593 /** 00594 * \brief Set the Netscape Cert Type flags 00595 * (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL) 00596 * 00597 * \param ctx CRT context to use 00598 * \param ns_cert_type Netscape Cert Type flags to set 00599 * 00600 * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED 00601 */ 00602 int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx, 00603 unsigned char ns_cert_type ); 00604 00605 /** 00606 * \brief Free the contents of a CRT write context 00607 * 00608 * \param ctx CRT context to free 00609 */ 00610 void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx ); 00611 00612 /** 00613 * \brief Write a built up certificate to a X509 DER structure 00614 * Note: data is written at the end of the buffer! Use the 00615 * return value to determine where you should start 00616 * using the buffer 00617 * 00618 * \param ctx certificate to write away 00619 * \param buf buffer to write to 00620 * \param size size of the buffer 00621 * \param f_rng RNG function (for signature, see note) 00622 * \param p_rng RNG parameter 00623 * 00624 * \return length of data written if successful, or a specific 00625 * error code 00626 * 00627 * \note f_rng may be NULL if RSA is used for signature and the 00628 * signature is made offline (otherwise f_rng is desirable 00629 * for countermeasures against timing attacks). 00630 * ECDSA signatures always require a non-NULL f_rng. 00631 */ 00632 int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, 00633 int (*f_rng)(void *, unsigned char *, size_t), 00634 void *p_rng ); 00635 00636 #if defined(MBEDTLS_PEM_WRITE_C) 00637 /** 00638 * \brief Write a built up certificate to a X509 PEM string 00639 * 00640 * \param ctx certificate to write away 00641 * \param buf buffer to write to 00642 * \param size size of the buffer 00643 * \param f_rng RNG function (for signature, see note) 00644 * \param p_rng RNG parameter 00645 * 00646 * \return 0 if successful, or a specific error code 00647 * 00648 * \note f_rng may be NULL if RSA is used for signature and the 00649 * signature is made offline (otherwise f_rng is desirable 00650 * for countermeasures against timing attacks). 00651 * ECDSA signatures always require a non-NULL f_rng. 00652 */ 00653 int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, 00654 int (*f_rng)(void *, unsigned char *, size_t), 00655 void *p_rng ); 00656 #endif /* MBEDTLS_PEM_WRITE_C */ 00657 #endif /* MBEDTLS_X509_CRT_WRITE_C */ 00658 00659 #ifdef __cplusplus 00660 } 00661 #endif 00662 00663 #endif /* mbedtls_x509_crt.h */
Generated on Tue Jul 12 2022 12:22:29 by
1.7.2