BA
/
SerialCom
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Fork of
OmniWheels
by 
Gustav Atmel
Embed:
(wiki syntax)
Show/hide line numbers
x509_crt.h
Go to the documentation of this file.
00001 /** 00002 * \file x509_crt.h 00003 * 00004 * \brief X.509 certificate parsing and writing 00005 */ 00006 /* 00007 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00008 * SPDX-License-Identifier: Apache-2.0 00009 * 00010 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00011 * not use this file except in compliance with the License. 00012 * You may obtain a copy of the License at 00013 * 00014 * http://www.apache.org/licenses/LICENSE-2.0 00015 * 00016 * Unless required by applicable law or agreed to in writing, software 00017 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00018 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00019 * See the License for the specific language governing permissions and 00020 * limitations under the License. 00021 * 00022 * This file is part of mbed TLS (https://tls.mbed.org) 00023 */ 00024 #ifndef MBEDTLS_X509_CRT_H 00025 #define MBEDTLS_X509_CRT_H 00026 00027 #if !defined(MBEDTLS_CONFIG_FILE) 00028 #include "config.h" 00029 #else 00030 #include MBEDTLS_CONFIG_FILE 00031 #endif 00032 00033 #include "x509.h" 00034 #include "x509_crl.h" 00035 00036 /** 00037 * \addtogroup x509_module 00038 * \{ 00039 */ 00040 00041 #ifdef __cplusplus 00042 extern "C" { 00043 #endif 00044 00045 /** 00046 * \name Structures and functions for parsing and writing X.509 certificates 00047 * \{ 00048 */ 00049 00050 /** 00051 * Container for an X.509 certificate. The certificate may be chained. 00052 */ 00053 typedef struct mbedtls_x509_crt 00054 { 00055 mbedtls_x509_buf raw; /**< The raw certificate data (DER). */ 00056 mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */ 00057 00058 int version; /**< The X.509 version. (1=v1, 2=v2, 3=v3) */ 00059 mbedtls_x509_buf serial; /**< Unique id for certificate issued by a specific CA. */ 00060 mbedtls_x509_buf sig_oid; /**< Signature algorithm, e.g. sha1RSA */ 00061 00062 mbedtls_x509_buf issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */ 00063 mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). Used for quick comparison. */ 00064 00065 mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */ 00066 mbedtls_x509_name subject; /**< The parsed subject data (named information object). */ 00067 00068 mbedtls_x509_time valid_from; /**< Start time of certificate validity. */ 00069 mbedtls_x509_time valid_to; /**< End time of certificate validity. */ 00070 00071 mbedtls_pk_context pk; /**< Container for the public key context. */ 00072 00073 mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */ 00074 mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */ 00075 mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */ 00076 mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */ 00077 00078 int ext_types; /**< Bit string containing detected and parsed extensions */ 00079 int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */ 00080 int max_pathlen; /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */ 00081 00082 unsigned int key_usage; /**< Optional key usage extension value: See the values in x509.h */ 00083 00084 mbedtls_x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */ 00085 00086 unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */ 00087 00088 mbedtls_x509_buf sig; /**< Signature: hash of the tbs part signed with the private key. */ 00089 mbedtls_md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ 00090 mbedtls_pk_type_t sig_pk; /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ 00091 void *sig_opts; /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */ 00092 00093 struct mbedtls_x509_crt *next; /**< Next certificate in the CA-chain. */ 00094 } 00095 mbedtls_x509_crt; 00096 00097 /** 00098 * Build flag from an algorithm/curve identifier (pk, md, ecp) 00099 * Since 0 is always XXX_NONE, ignore it. 00100 */ 00101 #define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( id - 1 ) ) 00102 00103 /** 00104 * Security profile for certificate verification. 00105 * 00106 * All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG(). 00107 */ 00108 typedef struct 00109 { 00110 uint32_t allowed_mds; /**< MDs for signatures */ 00111 uint32_t allowed_pks; /**< PK algs for signatures */ 00112 uint32_t allowed_curves; /**< Elliptic curves for ECDSA */ 00113 uint32_t rsa_min_bitlen; /**< Minimum size for RSA keys */ 00114 } 00115 mbedtls_x509_crt_profile; 00116 00117 #define MBEDTLS_X509_CRT_VERSION_1 0 00118 #define MBEDTLS_X509_CRT_VERSION_2 1 00119 #define MBEDTLS_X509_CRT_VERSION_3 2 00120 00121 #define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32 00122 #define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15 00123 00124 #if !defined( MBEDTLS_X509_MAX_FILE_PATH_LEN ) 00125 #define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 00126 #endif 00127 00128 /** 00129 * Container for writing a certificate (CRT) 00130 */ 00131 typedef struct mbedtls_x509write_cert 00132 { 00133 int version; 00134 mbedtls_mpi serial; 00135 mbedtls_pk_context *subject_key; 00136 mbedtls_pk_context *issuer_key; 00137 mbedtls_asn1_named_data *subject; 00138 mbedtls_asn1_named_data *issuer; 00139 mbedtls_md_type_t md_alg; 00140 char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1]; 00141 char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1]; 00142 mbedtls_asn1_named_data *extensions; 00143 } 00144 mbedtls_x509write_cert; 00145 00146 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00147 /** 00148 * Default security profile. Should provide a good balance between security 00149 * and compatibility with current deployments. 00150 */ 00151 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default; 00152 00153 /** 00154 * Expected next default profile. Recommended for new deployments. 00155 * Currently targets a 128-bit security level, except for RSA-2048. 00156 */ 00157 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next; 00158 00159 /** 00160 * NSA Suite B profile. 00161 */ 00162 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb; 00163 00164 /** 00165 * \brief Parse a single DER formatted certificate and add it 00166 * to the chained list. 00167 * 00168 * \param chain points to the start of the chain 00169 * \param buf buffer holding the certificate DER data 00170 * \param buflen size of the buffer 00171 * 00172 * \return 0 if successful, or a specific X509 or PEM error code 00173 */ 00174 int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *buf, 00175 size_t buflen ); 00176 00177 /** 00178 * \brief Parse one or more certificates and add them 00179 * to the chained list. Parses permissively. If some 00180 * certificates can be parsed, the result is the number 00181 * of failed certificates it encountered. If none complete 00182 * correctly, the first error is returned. 00183 * 00184 * \param chain points to the start of the chain 00185 * \param buf buffer holding the certificate data in PEM or DER format 00186 * \param buflen size of the buffer 00187 * (including the terminating null byte for PEM data) 00188 * 00189 * \return 0 if all certificates parsed successfully, a positive number 00190 * if partly successful or a specific X509 or PEM error code 00191 */ 00192 int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen ); 00193 00194 #if defined(MBEDTLS_FS_IO) 00195 /** 00196 * \brief Load one or more certificates and add them 00197 * to the chained list. Parses permissively. If some 00198 * certificates can be parsed, the result is the number 00199 * of failed certificates it encountered. If none complete 00200 * correctly, the first error is returned. 00201 * 00202 * \param chain points to the start of the chain 00203 * \param path filename to read the certificates from 00204 * 00205 * \return 0 if all certificates parsed successfully, a positive number 00206 * if partly successful or a specific X509 or PEM error code 00207 */ 00208 int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path ); 00209 00210 /** 00211 * \brief Load one or more certificate files from a path and add them 00212 * to the chained list. Parses permissively. If some 00213 * certificates can be parsed, the result is the number 00214 * of failed certificates it encountered. If none complete 00215 * correctly, the first error is returned. 00216 * 00217 * \param chain points to the start of the chain 00218 * \param path directory / folder to read the certificate files from 00219 * 00220 * \return 0 if all certificates parsed successfully, a positive number 00221 * if partly successful or a specific X509 or PEM error code 00222 */ 00223 int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path ); 00224 #endif /* MBEDTLS_FS_IO */ 00225 00226 /** 00227 * \brief Returns an informational string about the 00228 * certificate. 00229 * 00230 * \param buf Buffer to write to 00231 * \param size Maximum size of buffer 00232 * \param prefix A line prefix 00233 * \param crt The X509 certificate to represent 00234 * 00235 * \return The length of the string written (not including the 00236 * terminated nul byte), or a negative error code. 00237 */ 00238 int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix, 00239 const mbedtls_x509_crt *crt ); 00240 00241 /** 00242 * \brief Returns an informational string about the 00243 * verification status of a certificate. 00244 * 00245 * \param buf Buffer to write to 00246 * \param size Maximum size of buffer 00247 * \param prefix A line prefix 00248 * \param flags Verification flags created by mbedtls_x509_crt_verify() 00249 * 00250 * \return The length of the string written (not including the 00251 * terminated nul byte), or a negative error code. 00252 */ 00253 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix, 00254 uint32_t flags ); 00255 00256 /** 00257 * \brief Verify the certificate signature 00258 * 00259 * The verify callback is a user-supplied callback that 00260 * can clear / modify / add flags for a certificate. If set, 00261 * the verification callback is called for each 00262 * certificate in the chain (from the trust-ca down to the 00263 * presented crt). The parameters for the callback are: 00264 * (void *parameter, mbedtls_x509_crt *crt, int certificate_depth, 00265 * int *flags). With the flags representing current flags for 00266 * that specific certificate and the certificate depth from 00267 * the bottom (Peer cert depth = 0). 00268 * 00269 * All flags left after returning from the callback 00270 * are also returned to the application. The function should 00271 * return 0 for anything (including invalid certificates) 00272 * other than fatal error, as a non-zero return code 00273 * immediately aborts the verification process. For fatal 00274 * errors, a specific error code should be used (different 00275 * from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not 00276 * be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR 00277 * can be used if no better code is available. 00278 * 00279 * \note In case verification failed, the results can be displayed 00280 * using \c mbedtls_x509_crt_verify_info() 00281 * 00282 * \note Same as \c mbedtls_x509_crt_verify_with_profile() with the 00283 * default security profile. 00284 * 00285 * \note It is your responsibility to provide up-to-date CRLs for 00286 * all trusted CAs. If no CRL is provided for the CA that was 00287 * used to sign the certificate, CRL verification is skipped 00288 * silently, that is *without* setting any flag. 00289 * 00290 * \param crt a certificate (chain) to be verified 00291 * \param trust_ca the list of trusted CAs 00292 * \param ca_crl the list of CRLs for trusted CAs (see note above) 00293 * \param cn expected Common Name (can be set to 00294 * NULL if the CN must not be verified) 00295 * \param flags result of the verification 00296 * \param f_vrfy verification function 00297 * \param p_vrfy verification parameter 00298 * 00299 * \return 0 (and flags set to 0) if the chain was verified and valid, 00300 * MBEDTLS_ERR_X509_CERT_VERIFY_FAILED if the chain was verified 00301 * but found to be invalid, in which case *flags will have one 00302 * or more MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX 00303 * flags set, or another error (and flags set to 0xffffffff) 00304 * in case of a fatal error encountered during the 00305 * verification process. 00306 */ 00307 int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, 00308 mbedtls_x509_crt *trust_ca, 00309 mbedtls_x509_crl *ca_crl, 00310 const char *cn, uint32_t *flags, 00311 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 00312 void *p_vrfy ); 00313 00314 /** 00315 * \brief Verify the certificate signature according to profile 00316 * 00317 * \note Same as \c mbedtls_x509_crt_verify(), but with explicit 00318 * security profile. 00319 * 00320 * \note The restrictions on keys (RSA minimum size, allowed curves 00321 * for ECDSA) apply to all certificates: trusted root, 00322 * intermediate CAs if any, and end entity certificate. 00323 * 00324 * \param crt a certificate (chain) to be verified 00325 * \param trust_ca the list of trusted CAs 00326 * \param ca_crl the list of CRLs for trusted CAs 00327 * \param profile security profile for verification 00328 * \param cn expected Common Name (can be set to 00329 * NULL if the CN must not be verified) 00330 * \param flags result of the verification 00331 * \param f_vrfy verification function 00332 * \param p_vrfy verification parameter 00333 * 00334 * \return 0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED 00335 * in which case *flags will have one or more 00336 * MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags 00337 * set, 00338 * or another error in case of a fatal error encountered 00339 * during the verification process. 00340 */ 00341 int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt, 00342 mbedtls_x509_crt *trust_ca, 00343 mbedtls_x509_crl *ca_crl, 00344 const mbedtls_x509_crt_profile *profile, 00345 const char *cn, uint32_t *flags, 00346 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 00347 void *p_vrfy ); 00348 00349 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) 00350 /** 00351 * \brief Check usage of certificate against keyUsage extension. 00352 * 00353 * \param crt Leaf certificate used. 00354 * \param usage Intended usage(s) (eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT 00355 * before using the certificate to perform an RSA key 00356 * exchange). 00357 * 00358 * \note Except for decipherOnly and encipherOnly, a bit set in the 00359 * usage argument means this bit MUST be set in the 00360 * certificate. For decipherOnly and encipherOnly, it means 00361 * that bit MAY be set. 00362 * 00363 * \return 0 is these uses of the certificate are allowed, 00364 * MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension 00365 * is present but does not match the usage argument. 00366 * 00367 * \note You should only call this function on leaf certificates, on 00368 * (intermediate) CAs the keyUsage extension is automatically 00369 * checked by \c mbedtls_x509_crt_verify(). 00370 */ 00371 int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, 00372 unsigned int usage ); 00373 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */ 00374 00375 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 00376 /** 00377 * \brief Check usage of certificate against extendedKeyUsage. 00378 * 00379 * \param crt Leaf certificate used. 00380 * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or 00381 * MBEDTLS_OID_CLIENT_AUTH). 00382 * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()). 00383 * 00384 * \return 0 if this use of the certificate is allowed, 00385 * MBEDTLS_ERR_X509_BAD_INPUT_DATA if not. 00386 * 00387 * \note Usually only makes sense on leaf certificates. 00388 */ 00389 int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt, 00390 const char *usage_oid, 00391 size_t usage_len ); 00392 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ 00393 00394 #if defined(MBEDTLS_X509_CRL_PARSE_C) 00395 /** 00396 * \brief Verify the certificate revocation status 00397 * 00398 * \param crt a certificate to be verified 00399 * \param crl the CRL to verify against 00400 * 00401 * \return 1 if the certificate is revoked, 0 otherwise 00402 * 00403 */ 00404 int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl ); 00405 #endif /* MBEDTLS_X509_CRL_PARSE_C */ 00406 00407 /** 00408 * \brief Initialize a certificate (chain) 00409 * 00410 * \param crt Certificate chain to initialize 00411 */ 00412 void mbedtls_x509_crt_init( mbedtls_x509_crt *crt ); 00413 00414 /** 00415 * \brief Unallocate all certificate data 00416 * 00417 * \param crt Certificate chain to free 00418 */ 00419 void mbedtls_x509_crt_free( mbedtls_x509_crt *crt ); 00420 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 00421 00422 /* \} name */ 00423 /* \} addtogroup x509_module */ 00424 00425 #if defined(MBEDTLS_X509_CRT_WRITE_C) 00426 /** 00427 * \brief Initialize a CRT writing context 00428 * 00429 * \param ctx CRT context to initialize 00430 */ 00431 void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx ); 00432 00433 /** 00434 * \brief Set the verion for a Certificate 00435 * Default: MBEDTLS_X509_CRT_VERSION_3 00436 * 00437 * \param ctx CRT context to use 00438 * \param version version to set (MBEDTLS_X509_CRT_VERSION_1, MBEDTLS_X509_CRT_VERSION_2 or 00439 * MBEDTLS_X509_CRT_VERSION_3) 00440 */ 00441 void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version ); 00442 00443 /** 00444 * \brief Set the serial number for a Certificate. 00445 * 00446 * \param ctx CRT context to use 00447 * \param serial serial number to set 00448 * 00449 * \return 0 if successful 00450 */ 00451 int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial ); 00452 00453 /** 00454 * \brief Set the validity period for a Certificate 00455 * Timestamps should be in string format for UTC timezone 00456 * i.e. "YYYYMMDDhhmmss" 00457 * e.g. "20131231235959" for December 31st 2013 00458 * at 23:59:59 00459 * 00460 * \param ctx CRT context to use 00461 * \param not_before not_before timestamp 00462 * \param not_after not_after timestamp 00463 * 00464 * \return 0 if timestamp was parsed successfully, or 00465 * a specific error code 00466 */ 00467 int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before, 00468 const char *not_after ); 00469 00470 /** 00471 * \brief Set the issuer name for a Certificate 00472 * Issuer names should contain a comma-separated list 00473 * of OID types and values: 00474 * e.g. "C=UK,O=ARM,CN=mbed TLS CA" 00475 * 00476 * \param ctx CRT context to use 00477 * \param issuer_name issuer name to set 00478 * 00479 * \return 0 if issuer name was parsed successfully, or 00480 * a specific error code 00481 */ 00482 int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *ctx, 00483 const char *issuer_name ); 00484 00485 /** 00486 * \brief Set the subject name for a Certificate 00487 * Subject names should contain a comma-separated list 00488 * of OID types and values: 00489 * e.g. "C=UK,O=ARM,CN=mbed TLS Server 1" 00490 * 00491 * \param ctx CRT context to use 00492 * \param subject_name subject name to set 00493 * 00494 * \return 0 if subject name was parsed successfully, or 00495 * a specific error code 00496 */ 00497 int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *ctx, 00498 const char *subject_name ); 00499 00500 /** 00501 * \brief Set the subject public key for the certificate 00502 * 00503 * \param ctx CRT context to use 00504 * \param key public key to include 00505 */ 00506 void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key ); 00507 00508 /** 00509 * \brief Set the issuer key used for signing the certificate 00510 * 00511 * \param ctx CRT context to use 00512 * \param key private key to sign with 00513 */ 00514 void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key ); 00515 00516 /** 00517 * \brief Set the MD algorithm to use for the signature 00518 * (e.g. MBEDTLS_MD_SHA1) 00519 * 00520 * \param ctx CRT context to use 00521 * \param md_alg MD algorithm to use 00522 */ 00523 void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg ); 00524 00525 /** 00526 * \brief Generic function to add to or replace an extension in the 00527 * CRT 00528 * 00529 * \param ctx CRT context to use 00530 * \param oid OID of the extension 00531 * \param oid_len length of the OID 00532 * \param critical if the extension is critical (per the RFC's definition) 00533 * \param val value of the extension OCTET STRING 00534 * \param val_len length of the value data 00535 * 00536 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 00537 */ 00538 int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx, 00539 const char *oid, size_t oid_len, 00540 int critical, 00541 const unsigned char *val, size_t val_len ); 00542 00543 /** 00544 * \brief Set the basicConstraints extension for a CRT 00545 * 00546 * \param ctx CRT context to use 00547 * \param is_ca is this a CA certificate 00548 * \param max_pathlen maximum length of certificate chains below this 00549 * certificate (only for CA certificates, -1 is 00550 * inlimited) 00551 * 00552 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 00553 */ 00554 int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx, 00555 int is_ca, int max_pathlen ); 00556 00557 #if defined(MBEDTLS_SHA1_C) 00558 /** 00559 * \brief Set the subjectKeyIdentifier extension for a CRT 00560 * Requires that mbedtls_x509write_crt_set_subject_key() has been 00561 * called before 00562 * 00563 * \param ctx CRT context to use 00564 * 00565 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 00566 */ 00567 int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx ); 00568 00569 /** 00570 * \brief Set the authorityKeyIdentifier extension for a CRT 00571 * Requires that mbedtls_x509write_crt_set_issuer_key() has been 00572 * called before 00573 * 00574 * \param ctx CRT context to use 00575 * 00576 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 00577 */ 00578 int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx ); 00579 #endif /* MBEDTLS_SHA1_C */ 00580 00581 /** 00582 * \brief Set the Key Usage Extension flags 00583 * (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN) 00584 * 00585 * \param ctx CRT context to use 00586 * \param key_usage key usage flags to set 00587 * 00588 * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED 00589 */ 00590 int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, 00591 unsigned int key_usage ); 00592 00593 /** 00594 * \brief Set the Netscape Cert Type flags 00595 * (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL) 00596 * 00597 * \param ctx CRT context to use 00598 * \param ns_cert_type Netscape Cert Type flags to set 00599 * 00600 * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED 00601 */ 00602 int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx, 00603 unsigned char ns_cert_type ); 00604 00605 /** 00606 * \brief Free the contents of a CRT write context 00607 * 00608 * \param ctx CRT context to free 00609 */ 00610 void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx ); 00611 00612 /** 00613 * \brief Write a built up certificate to a X509 DER structure 00614 * Note: data is written at the end of the buffer! Use the 00615 * return value to determine where you should start 00616 * using the buffer 00617 * 00618 * \param ctx certificate to write away 00619 * \param buf buffer to write to 00620 * \param size size of the buffer 00621 * \param f_rng RNG function (for signature, see note) 00622 * \param p_rng RNG parameter 00623 * 00624 * \return length of data written if successful, or a specific 00625 * error code 00626 * 00627 * \note f_rng may be NULL if RSA is used for signature and the 00628 * signature is made offline (otherwise f_rng is desirable 00629 * for countermeasures against timing attacks). 00630 * ECDSA signatures always require a non-NULL f_rng. 00631 */ 00632 int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, 00633 int (*f_rng)(void *, unsigned char *, size_t), 00634 void *p_rng ); 00635 00636 #if defined(MBEDTLS_PEM_WRITE_C) 00637 /** 00638 * \brief Write a built up certificate to a X509 PEM string 00639 * 00640 * \param ctx certificate to write away 00641 * \param buf buffer to write to 00642 * \param size size of the buffer 00643 * \param f_rng RNG function (for signature, see note) 00644 * \param p_rng RNG parameter 00645 * 00646 * \return 0 if successful, or a specific error code 00647 * 00648 * \note f_rng may be NULL if RSA is used for signature and the 00649 * signature is made offline (otherwise f_rng is desirable 00650 * for countermeasures against timing attacks). 00651 * ECDSA signatures always require a non-NULL f_rng. 00652 */ 00653 int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, 00654 int (*f_rng)(void *, unsigned char *, size_t), 00655 void *p_rng ); 00656 #endif /* MBEDTLS_PEM_WRITE_C */ 00657 #endif /* MBEDTLS_X509_CRT_WRITE_C */ 00658 00659 #ifdef __cplusplus 00660 } 00661 #endif 00662 00663 #endif /* mbedtls_x509_crt.h */
Generated on Fri Jul 22 2022 04:54:05 by
1.7.2