X509_module

Container for ASN1 bit strings.

Definition at line 192 of file x509.h.

Type-length-value structure that allows for ASN1 using DER.

Definition at line 187 of file x509.h.

Certificate revocation list structure.

Every CRL may have multiple entries.

Certificate revocation list entry.

Contains the CA-specific serial numbers and revocation dates.

Container for an X.509 certificate.

The certificate may be chained.

Certificate Signing Request (CSR) structure.

Container for ASN1 named information objects.

It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.).

Definition at line 198 of file x509.h.

Container for a sequence of ASN.1 items.

Definition at line 203 of file x509.h.

Container for date and time (precision in seconds).

Container for writing a certificate (CRT)

Container for writing a CSR.

Parse DHM parameters in PEM or DER format.

Parameters:

dhm	DHM context to be initialized
dhmin	input buffer
dhminlen	size of the buffer (including the terminating null byte for PEM data)

Returns:

0 if successful, or a specific DHM or PEM error code

Definition at line 412 of file dhm.c.

Load and parse DHM parameters.

Parameters:

dhm	DHM context to be initialized
path	filename to read the DHM Parameters from

Returns:

0 if successful, or a specific DHM or PEM error code

Definition at line 559 of file dhm.c.

Unallocate all CRL data.

Parameters:

crl	CRL chain to free

Definition at line 662 of file x509_crl.c.

Returns an informational string about the CRL.

Parameters:

buf	Buffer to write to
size	Maximum size of buffer
prefix	A line prefix
crl	The X509 CRL to represent

Returns:

The length of the string written (not including the terminated nul byte), or a negative error code.

Definition at line 579 of file x509_crl.c.

Initialize a CRL (chain)

Parameters:

crl	CRL chain to initialize

Definition at line 654 of file x509_crl.c.

Parse one or more CRLs and append them to the chained list.

Note:

Mutliple CRLs are accepted only if using PEM format

Parameters:

chain	points to the start of the chain
buf	buffer holding the CRL data in PEM or DER format
buflen	size of the buffer (including the terminating null byte for PEM data)

Returns:

0 if successful, or a specific X509 or PEM error code

Definition at line 490 of file x509_crl.c.

Parse a DER-encoded CRL and append it to the chained list.

Parameters:

chain	points to the start of the chain
buf	buffer holding the CRL data in DER format (including the terminating null byte for PEM data)

Returns:

0 if successful, or a specific X509 or PEM error code

Definition at line 255 of file x509_crl.c.

Load one or more CRLs and append them to the chained list.

Note:

Mutliple CRLs are accepted only if using PEM format

Parameters:

chain	points to the start of the chain
path	filename to read the CRLs from (in PEM or DER encoding)

Returns:

0 if successful, or a specific X509 or PEM error code

Definition at line 553 of file x509_crl.c.

Check usage of certificate against extentedJeyUsage.

Parameters:

crt	Leaf certificate used.
usage_oid	Intended usage (eg MBEDTLS_OID_SERVER_AUTH or MBEDTLS_OID_CLIENT_AUTH).
usage_len	Length of usage_oid (eg given by MBEDTLS_OID_SIZE()).

Returns:

0 if this use of the certificate is allowed, MBEDTLS_ERR_X509_BAD_INPUT_DATA if not.

Note:

Usually only makes sense on leaf certificates.

Definition at line 1548 of file x509_crt.c.

Check usage of certificate against keyUsage extension.

Parameters:

crt	Leaf certificate used.
usage	Intended usage(s) (eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT before using the certificate to perform an RSA key exchange).

Note:

Except for decipherOnly and encipherOnly, a bit set in the usage argument means this bit MUST be set in the certificate. For decipherOnly and encipherOnly, it means that bit MAY be set.

Returns:

0 is these uses of the certificate are allowed, MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension is present but does not match the usage argument.

Note:

You should only call this function on leaf certificates, on (intermediate) CAs the keyUsage extension is automatically checked by mbedtls_x509_crt_verify().

Definition at line 1523 of file x509_crt.c.

Unallocate all certificate data.

Parameters:

crt	Certificate chain to free

Definition at line 2303 of file x509_crt.c.

Returns an informational string about the certificate.

Parameters:

buf	Buffer to write to
size	Maximum size of buffer
prefix	A line prefix
crt	The X509 certificate to represent

Returns:

The length of the string written (not including the terminated nul byte), or a negative error code.

Definition at line 1341 of file x509_crt.c.

Initialize a certificate (chain)

Parameters:

crt	Certificate chain to initialize

Definition at line 2295 of file x509_crt.c.

Verify the certificate revocation status.

Parameters:

crt	a certificate to be verified
crl	the CRL to verify against

Returns:

1 if the certificate is revoked, 0 otherwise

Definition at line 1583 of file x509_crt.c.

Parse one or more certificates and add them to the chained list.

Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.

Parameters:

chain	points to the start of the chain
buf	buffer holding the certificate data in PEM or DER format
buflen	size of the buffer (including the terminating null byte for PEM data)

Returns:

0 if all certificates parsed successfully, a positive number if partly successful or a specific X509 or PEM error code

Definition at line 966 of file x509_crt.c.

Parse a single DER formatted certificate and add it to the chained list.

Parameters:

chain	points to the start of the chain
buf	buffer holding the certificate DER data
buflen	size of the buffer

Returns:

0 if successful, or a specific X509 or PEM error code

Definition at line 915 of file x509_crt.c.

Load one or more certificates and add them to the chained list.

Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.

Parameters:

chain	points to the start of the chain
path	filename to read the certificates from

Returns:

0 if all certificates parsed successfully, a positive number if partly successful or a specific X509 or PEM error code

Definition at line 1077 of file x509_crt.c.

Load one or more certificate files from a path and add them to the chained list.

Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.

Parameters:

chain	points to the start of the chain
path	directory / folder to read the certificate files from

Returns:

0 if all certificates parsed successfully, a positive number if partly successful or a specific X509 or PEM error code

Definition at line 1094 of file x509_crt.c.

Verify the certificate signature.

The verify callback is a user-supplied callback that can clear / modify / add flags for a certificate. If set, the verification callback is called for each certificate in the chain (from the trust-ca down to the presented crt). The parameters for the callback are: (void *parameter, mbedtls_x509_crt *crt, int certificate_depth, int *flags). With the flags representing current flags for that specific certificate and the certificate depth from the bottom (Peer cert depth = 0).

All flags left after returning from the callback are also returned to the application. The function should return 0 for anything but a fatal error.

Note:

In case verification failed, the results can be displayed using mbedtls_x509_crt_verify_info()

Same as mbedtls_x509_crt_verify_with_profile() with the default security profile.

Parameters:

crt	a certificate to be verified
trust_ca	the trusted CA chain
ca_crl	the CRL chain for trusted CA's
cn	expected Common Name (can be set to NULL if the CN must not be verified)
flags	result of the verification
f_vrfy	verification function
p_vrfy	verification parameter

Returns:

0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED in which case *flags will have one or more MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags set, or another error in case of a fatal error encountered during the verification process.

Definition at line 2141 of file x509_crt.c.

Returns an informational string about the verification status of a certificate.

Parameters:

buf	Buffer to write to
size	Maximum size of buffer
prefix	A line prefix
flags	Verification flags created by mbedtls_x509_crt_verify()

Returns:

The length of the string written (not including the terminated nul byte), or a negative error code.

Definition at line 1494 of file x509_crt.c.

Verify the certificate signature according to profile.

Note:

Same as mbedtls_x509_crt_verify(), but with explicit security profile.

The restrictions on keys (RSA minimum size, allowed curves for ECDSA) apply to all certificates: trusted root, intermediate CAs if any, and end entity certificate.

Parameters:

crt	a certificate to be verified
trust_ca	the trusted CA chain
ca_crl	the CRL chain for trusted CA's
profile	security profile for verification
cn	expected Common Name (can be set to NULL if the CN must not be verified)
flags	result of the verification
f_vrfy	verification function
p_vrfy	verification parameter

Returns:

0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED in which case *flags will have one or more MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags set, or another error in case of a fatal error encountered during the verification process.

Definition at line 2156 of file x509_crt.c.

Unallocate all CSR data.

Parameters:

csr	CSR to free

Definition at line 385 of file x509_csr.c.

Returns an informational string about the CSR.

Parameters:

buf	Buffer to write to
size	Maximum size of buffer
prefix	A line prefix
csr	The X509 CSR to represent

Returns:

The length of the string written (not including the terminated nul byte), or a negative error code.

Definition at line 334 of file x509_csr.c.

Initialize a CSR.

Parameters:

csr	CSR to initialize

Definition at line 377 of file x509_csr.c.

Load a Certificate Signing Request (CSR), DER or PEM format.

Parameters:

csr	CSR context to fill
buf	buffer holding the CRL data
buflen	size of the buffer (including the terminating null byte for PEM data)

Returns:

0 if successful, or a specific X509 or PEM error code

Definition at line 260 of file x509_csr.c.

Load a Certificate Signing Request (CSR) in DER format.

Parameters:

csr	CSR context to fill
buf	buffer holding the CRL data
buflen	size of the buffer

Returns:

0 if successful, or a specific X509 error code

Definition at line 94 of file x509_csr.c.

Load a Certificate Signing Request (CSR)

Parameters:

csr	CSR context to fill
path	filename to read the CSR from

Returns:

0 if successful, or a specific X509 or PEM error code

Definition at line 311 of file x509_csr.c.

Default security profile.

Should provide a good balance between security and compatibility with current deployments.

Definition at line 86 of file x509_crt.c.

Expected next default profile.

Recommended for new deployments. Currently targets a 128-bit security level, except for RSA-2048.

Definition at line 103 of file x509_crt.c.

NSA Suite B profile.

Definition at line 128 of file x509_crt.c.