sandbox
/
mbedtls
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Fork of
mbedtls
by 
Christopher Haster
Embed:
(wiki syntax)
Show/hide line numbers
x509_crt.h
00001 /** 00002 * \file mbedtls_x509_crt.h 00003 * 00004 * \brief X.509 certificate parsing and writing 00005 * 00006 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00007 * SPDX-License-Identifier: Apache-2.0 00008 * 00009 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00010 * not use this file except in compliance with the License. 00011 * You may obtain a copy of the License at 00012 * 00013 * http://www.apache.org/licenses/LICENSE-2.0 00014 * 00015 * Unless required by applicable law or agreed to in writing, software 00016 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00017 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00018 * See the License for the specific language governing permissions and 00019 * limitations under the License. 00020 * 00021 * This file is part of mbed TLS (https://tls.mbed.org) 00022 */ 00023 #ifndef MBEDTLS_X509_CRT_H 00024 #define MBEDTLS_X509_CRT_H 00025 00026 #if !defined(MBEDTLS_CONFIG_FILE) 00027 #include "config.h" 00028 #else 00029 #include MBEDTLS_CONFIG_FILE 00030 #endif 00031 00032 #include "x509.h" 00033 #include "x509_crl.h" 00034 00035 /** 00036 * \addtogroup x509_module 00037 * \{ 00038 */ 00039 00040 #ifdef __cplusplus 00041 extern "C" { 00042 #endif 00043 00044 /** 00045 * \name Structures and functions for parsing and writing X.509 certificates 00046 * \{ 00047 */ 00048 00049 /** 00050 * Container for an X.509 certificate. The certificate may be chained. 00051 */ 00052 typedef struct mbedtls_x509_crt 00053 { 00054 mbedtls_x509_buf raw; /**< The raw certificate data (DER). */ 00055 mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */ 00056 00057 int version; /**< The X.509 version. (1=v1, 2=v2, 3=v3) */ 00058 mbedtls_x509_buf serial; /**< Unique id for certificate issued by a specific CA. */ 00059 mbedtls_x509_buf sig_oid; /**< Signature algorithm, e.g. sha1RSA */ 00060 00061 mbedtls_x509_buf issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */ 00062 mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). Used for quick comparison. */ 00063 00064 mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */ 00065 mbedtls_x509_name subject; /**< The parsed subject data (named information object). */ 00066 00067 mbedtls_x509_time valid_from; /**< Start time of certificate validity. */ 00068 mbedtls_x509_time valid_to; /**< End time of certificate validity. */ 00069 00070 mbedtls_pk_context pk; /**< Container for the public key context. */ 00071 00072 mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */ 00073 mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */ 00074 mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */ 00075 mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */ 00076 00077 int ext_types; /**< Bit string containing detected and parsed extensions */ 00078 int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */ 00079 int max_pathlen; /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */ 00080 00081 unsigned int key_usage; /**< Optional key usage extension value: See the values in x509.h */ 00082 00083 mbedtls_x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */ 00084 00085 unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */ 00086 00087 mbedtls_x509_buf sig; /**< Signature: hash of the tbs part signed with the private key. */ 00088 mbedtls_md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ 00089 mbedtls_pk_type_t sig_pk; /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ 00090 void *sig_opts; /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */ 00091 00092 struct mbedtls_x509_crt *next; /**< Next certificate in the CA-chain. */ 00093 } 00094 mbedtls_x509_crt; 00095 00096 /** 00097 * Build flag from an algorithm/curve identifier (pk, md, ecp) 00098 * Since 0 is always XXX_NONE, ignore it. 00099 */ 00100 #define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( id - 1 ) ) 00101 00102 /** 00103 * Security profile for certificate verification. 00104 * 00105 * All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG(). 00106 */ 00107 typedef struct 00108 { 00109 uint32_t allowed_mds; /**< MDs for signatures */ 00110 uint32_t allowed_pks; /**< PK algs for signatures */ 00111 uint32_t allowed_curves; /**< Elliptic curves for ECDSA */ 00112 uint32_t rsa_min_bitlen; /**< Minimum size for RSA keys */ 00113 } 00114 mbedtls_x509_crt_profile; 00115 00116 #define MBEDTLS_X509_CRT_VERSION_1 0 00117 #define MBEDTLS_X509_CRT_VERSION_2 1 00118 #define MBEDTLS_X509_CRT_VERSION_3 2 00119 00120 #define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32 00121 #define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15 00122 00123 /** 00124 * Container for writing a certificate (CRT) 00125 */ 00126 typedef struct mbedtls_x509write_cert 00127 { 00128 int version; 00129 mbedtls_mpi serial; 00130 mbedtls_pk_context *subject_key; 00131 mbedtls_pk_context *issuer_key; 00132 mbedtls_asn1_named_data *subject; 00133 mbedtls_asn1_named_data *issuer; 00134 mbedtls_md_type_t md_alg; 00135 char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1]; 00136 char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1]; 00137 mbedtls_asn1_named_data *extensions; 00138 } 00139 mbedtls_x509write_cert; 00140 00141 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00142 /** 00143 * Default security profile. Should provide a good balance between security 00144 * and compatibility with current deployments. 00145 */ 00146 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default; 00147 00148 /** 00149 * Expected next default profile. Recommended for new deployments. 00150 * Currently targets a 128-bit security level, except for RSA-2048. 00151 */ 00152 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next; 00153 00154 /** 00155 * NSA Suite B profile. 00156 */ 00157 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb; 00158 00159 /** 00160 * \brief Parse a single DER formatted certificate and add it 00161 * to the chained list. 00162 * 00163 * \param chain points to the start of the chain 00164 * \param buf buffer holding the certificate DER data 00165 * \param buflen size of the buffer 00166 * 00167 * \return 0 if successful, or a specific X509 or PEM error code 00168 */ 00169 int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *buf, 00170 size_t buflen ); 00171 00172 /** 00173 * \brief Parse one or more certificates and add them 00174 * to the chained list. Parses permissively. If some 00175 * certificates can be parsed, the result is the number 00176 * of failed certificates it encountered. If none complete 00177 * correctly, the first error is returned. 00178 * 00179 * \param chain points to the start of the chain 00180 * \param buf buffer holding the certificate data in PEM or DER format 00181 * \param buflen size of the buffer 00182 * (including the terminating null byte for PEM data) 00183 * 00184 * \return 0 if all certificates parsed successfully, a positive number 00185 * if partly successful or a specific X509 or PEM error code 00186 */ 00187 int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen ); 00188 00189 #if defined(MBEDTLS_FS_IO) 00190 /** 00191 * \brief Load one or more certificates and add them 00192 * to the chained list. Parses permissively. If some 00193 * certificates can be parsed, the result is the number 00194 * of failed certificates it encountered. If none complete 00195 * correctly, the first error is returned. 00196 * 00197 * \param chain points to the start of the chain 00198 * \param path filename to read the certificates from 00199 * 00200 * \return 0 if all certificates parsed successfully, a positive number 00201 * if partly successful or a specific X509 or PEM error code 00202 */ 00203 int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path ); 00204 00205 /** 00206 * \brief Load one or more certificate files from a path and add them 00207 * to the chained list. Parses permissively. If some 00208 * certificates can be parsed, the result is the number 00209 * of failed certificates it encountered. If none complete 00210 * correctly, the first error is returned. 00211 * 00212 * \param chain points to the start of the chain 00213 * \param path directory / folder to read the certificate files from 00214 * 00215 * \return 0 if all certificates parsed successfully, a positive number 00216 * if partly successful or a specific X509 or PEM error code 00217 */ 00218 int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path ); 00219 #endif /* MBEDTLS_FS_IO */ 00220 00221 /** 00222 * \brief Returns an informational string about the 00223 * certificate. 00224 * 00225 * \param buf Buffer to write to 00226 * \param size Maximum size of buffer 00227 * \param prefix A line prefix 00228 * \param crt The X509 certificate to represent 00229 * 00230 * \return The length of the string written (not including the 00231 * terminated nul byte), or a negative error code. 00232 */ 00233 int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix, 00234 const mbedtls_x509_crt *crt ); 00235 00236 /** 00237 * \brief Returns an informational string about the 00238 * verification status of a certificate. 00239 * 00240 * \param buf Buffer to write to 00241 * \param size Maximum size of buffer 00242 * \param prefix A line prefix 00243 * \param flags Verification flags created by mbedtls_x509_crt_verify() 00244 * 00245 * \return The length of the string written (not including the 00246 * terminated nul byte), or a negative error code. 00247 */ 00248 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix, 00249 uint32_t flags ); 00250 00251 /** 00252 * \brief Verify the certificate signature 00253 * 00254 * The verify callback is a user-supplied callback that 00255 * can clear / modify / add flags for a certificate. If set, 00256 * the verification callback is called for each 00257 * certificate in the chain (from the trust-ca down to the 00258 * presented crt). The parameters for the callback are: 00259 * (void *parameter, mbedtls_x509_crt *crt, int certificate_depth, 00260 * int *flags). With the flags representing current flags for 00261 * that specific certificate and the certificate depth from 00262 * the bottom (Peer cert depth = 0). 00263 * 00264 * All flags left after returning from the callback 00265 * are also returned to the application. The function should 00266 * return 0 for anything but a fatal error. 00267 * 00268 * \note In case verification failed, the results can be displayed 00269 * using \c mbedtls_x509_crt_verify_info() 00270 * 00271 * \note Same as \c mbedtls_x509_crt_verify_with_profile() with the 00272 * default security profile. 00273 * 00274 * \param crt a certificate to be verified 00275 * \param trust_ca the trusted CA chain 00276 * \param ca_crl the CRL chain for trusted CA's 00277 * \param cn expected Common Name (can be set to 00278 * NULL if the CN must not be verified) 00279 * \param flags result of the verification 00280 * \param f_vrfy verification function 00281 * \param p_vrfy verification parameter 00282 * 00283 * \return 0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED 00284 * in which case *flags will have one or more 00285 * MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags 00286 * set, 00287 * or another error in case of a fatal error encountered 00288 * during the verification process. 00289 */ 00290 int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, 00291 mbedtls_x509_crt *trust_ca, 00292 mbedtls_x509_crl *ca_crl, 00293 const char *cn, uint32_t *flags, 00294 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 00295 void *p_vrfy ); 00296 00297 /** 00298 * \brief Verify the certificate signature according to profile 00299 * 00300 * \note Same as \c mbedtls_x509_crt_verify(), but with explicit 00301 * security profile. 00302 * 00303 * \note The restrictions on keys (RSA minimum size, allowed curves 00304 * for ECDSA) apply to all certificates: trusted root, 00305 * intermediate CAs if any, and end entity certificate. 00306 * 00307 * \param crt a certificate to be verified 00308 * \param trust_ca the trusted CA chain 00309 * \param ca_crl the CRL chain for trusted CA's 00310 * \param profile security profile for verification 00311 * \param cn expected Common Name (can be set to 00312 * NULL if the CN must not be verified) 00313 * \param flags result of the verification 00314 * \param f_vrfy verification function 00315 * \param p_vrfy verification parameter 00316 * 00317 * \return 0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED 00318 * in which case *flags will have one or more 00319 * MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags 00320 * set, 00321 * or another error in case of a fatal error encountered 00322 * during the verification process. 00323 */ 00324 int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt, 00325 mbedtls_x509_crt *trust_ca, 00326 mbedtls_x509_crl *ca_crl, 00327 const mbedtls_x509_crt_profile *profile, 00328 const char *cn, uint32_t *flags, 00329 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 00330 void *p_vrfy ); 00331 00332 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) 00333 /** 00334 * \brief Check usage of certificate against keyUsage extension. 00335 * 00336 * \param crt Leaf certificate used. 00337 * \param usage Intended usage(s) (eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT 00338 * before using the certificate to perform an RSA key 00339 * exchange). 00340 * 00341 * \note Except for decipherOnly and encipherOnly, a bit set in the 00342 * usage argument means this bit MUST be set in the 00343 * certificate. For decipherOnly and encipherOnly, it means 00344 * that bit MAY be set. 00345 * 00346 * \return 0 is these uses of the certificate are allowed, 00347 * MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension 00348 * is present but does not match the usage argument. 00349 * 00350 * \note You should only call this function on leaf certificates, on 00351 * (intermediate) CAs the keyUsage extension is automatically 00352 * checked by \c mbedtls_x509_crt_verify(). 00353 */ 00354 int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, 00355 unsigned int usage ); 00356 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */ 00357 00358 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 00359 /** 00360 * \brief Check usage of certificate against extentedJeyUsage. 00361 * 00362 * \param crt Leaf certificate used. 00363 * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or MBEDTLS_OID_CLIENT_AUTH). 00364 * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()). 00365 * 00366 * \return 0 if this use of the certificate is allowed, 00367 * MBEDTLS_ERR_X509_BAD_INPUT_DATA if not. 00368 * 00369 * \note Usually only makes sense on leaf certificates. 00370 */ 00371 int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt, 00372 const char *usage_oid, 00373 size_t usage_len ); 00374 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) */ 00375 00376 #if defined(MBEDTLS_X509_CRL_PARSE_C) 00377 /** 00378 * \brief Verify the certificate revocation status 00379 * 00380 * \param crt a certificate to be verified 00381 * \param crl the CRL to verify against 00382 * 00383 * \return 1 if the certificate is revoked, 0 otherwise 00384 * 00385 */ 00386 int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl ); 00387 #endif /* MBEDTLS_X509_CRL_PARSE_C */ 00388 00389 /** 00390 * \brief Initialize a certificate (chain) 00391 * 00392 * \param crt Certificate chain to initialize 00393 */ 00394 void mbedtls_x509_crt_init( mbedtls_x509_crt *crt ); 00395 00396 /** 00397 * \brief Unallocate all certificate data 00398 * 00399 * \param crt Certificate chain to free 00400 */ 00401 void mbedtls_x509_crt_free( mbedtls_x509_crt *crt ); 00402 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 00403 00404 /* \} name */ 00405 /* \} addtogroup x509_module */ 00406 00407 #if defined(MBEDTLS_X509_CRT_WRITE_C) 00408 /** 00409 * \brief Initialize a CRT writing context 00410 * 00411 * \param ctx CRT context to initialize 00412 */ 00413 void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx ); 00414 00415 /** 00416 * \brief Set the verion for a Certificate 00417 * Default: MBEDTLS_X509_CRT_VERSION_3 00418 * 00419 * \param ctx CRT context to use 00420 * \param version version to set (MBEDTLS_X509_CRT_VERSION_1, MBEDTLS_X509_CRT_VERSION_2 or 00421 * MBEDTLS_X509_CRT_VERSION_3) 00422 */ 00423 void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version ); 00424 00425 /** 00426 * \brief Set the serial number for a Certificate. 00427 * 00428 * \param ctx CRT context to use 00429 * \param serial serial number to set 00430 * 00431 * \return 0 if successful 00432 */ 00433 int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial ); 00434 00435 /** 00436 * \brief Set the validity period for a Certificate 00437 * Timestamps should be in string format for UTC timezone 00438 * i.e. "YYYYMMDDhhmmss" 00439 * e.g. "20131231235959" for December 31st 2013 00440 * at 23:59:59 00441 * 00442 * \param ctx CRT context to use 00443 * \param not_before not_before timestamp 00444 * \param not_after not_after timestamp 00445 * 00446 * \return 0 if timestamp was parsed successfully, or 00447 * a specific error code 00448 */ 00449 int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before, 00450 const char *not_after ); 00451 00452 /** 00453 * \brief Set the issuer name for a Certificate 00454 * Issuer names should contain a comma-separated list 00455 * of OID types and values: 00456 * e.g. "C=UK,O=ARM,CN=mbed TLS CA" 00457 * 00458 * \param ctx CRT context to use 00459 * \param issuer_name issuer name to set 00460 * 00461 * \return 0 if issuer name was parsed successfully, or 00462 * a specific error code 00463 */ 00464 int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *ctx, 00465 const char *issuer_name ); 00466 00467 /** 00468 * \brief Set the subject name for a Certificate 00469 * Subject names should contain a comma-separated list 00470 * of OID types and values: 00471 * e.g. "C=UK,O=ARM,CN=mbed TLS Server 1" 00472 * 00473 * \param ctx CRT context to use 00474 * \param subject_name subject name to set 00475 * 00476 * \return 0 if subject name was parsed successfully, or 00477 * a specific error code 00478 */ 00479 int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *ctx, 00480 const char *subject_name ); 00481 00482 /** 00483 * \brief Set the subject public key for the certificate 00484 * 00485 * \param ctx CRT context to use 00486 * \param key public key to include 00487 */ 00488 void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key ); 00489 00490 /** 00491 * \brief Set the issuer key used for signing the certificate 00492 * 00493 * \param ctx CRT context to use 00494 * \param key private key to sign with 00495 */ 00496 void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key ); 00497 00498 /** 00499 * \brief Set the MD algorithm to use for the signature 00500 * (e.g. MBEDTLS_MD_SHA1) 00501 * 00502 * \param ctx CRT context to use 00503 * \param md_alg MD algorithm to use 00504 */ 00505 void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg ); 00506 00507 /** 00508 * \brief Generic function to add to or replace an extension in the 00509 * CRT 00510 * 00511 * \param ctx CRT context to use 00512 * \param oid OID of the extension 00513 * \param oid_len length of the OID 00514 * \param critical if the extension is critical (per the RFC's definition) 00515 * \param val value of the extension OCTET STRING 00516 * \param val_len length of the value data 00517 * 00518 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 00519 */ 00520 int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx, 00521 const char *oid, size_t oid_len, 00522 int critical, 00523 const unsigned char *val, size_t val_len ); 00524 00525 /** 00526 * \brief Set the basicConstraints extension for a CRT 00527 * 00528 * \param ctx CRT context to use 00529 * \param is_ca is this a CA certificate 00530 * \param max_pathlen maximum length of certificate chains below this 00531 * certificate (only for CA certificates, -1 is 00532 * inlimited) 00533 * 00534 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 00535 */ 00536 int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx, 00537 int is_ca, int max_pathlen ); 00538 00539 #if defined(MBEDTLS_SHA1_C) 00540 /** 00541 * \brief Set the subjectKeyIdentifier extension for a CRT 00542 * Requires that mbedtls_x509write_crt_set_subject_key() has been 00543 * called before 00544 * 00545 * \param ctx CRT context to use 00546 * 00547 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 00548 */ 00549 int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx ); 00550 00551 /** 00552 * \brief Set the authorityKeyIdentifier extension for a CRT 00553 * Requires that mbedtls_x509write_crt_set_issuer_key() has been 00554 * called before 00555 * 00556 * \param ctx CRT context to use 00557 * 00558 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 00559 */ 00560 int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx ); 00561 #endif /* MBEDTLS_SHA1_C */ 00562 00563 /** 00564 * \brief Set the Key Usage Extension flags 00565 * (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN) 00566 * 00567 * \param ctx CRT context to use 00568 * \param key_usage key usage flags to set 00569 * 00570 * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED 00571 */ 00572 int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, 00573 unsigned int key_usage ); 00574 00575 /** 00576 * \brief Set the Netscape Cert Type flags 00577 * (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL) 00578 * 00579 * \param ctx CRT context to use 00580 * \param ns_cert_type Netscape Cert Type flags to set 00581 * 00582 * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED 00583 */ 00584 int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx, 00585 unsigned char ns_cert_type ); 00586 00587 /** 00588 * \brief Free the contents of a CRT write context 00589 * 00590 * \param ctx CRT context to free 00591 */ 00592 void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx ); 00593 00594 /** 00595 * \brief Write a built up certificate to a X509 DER structure 00596 * Note: data is written at the end of the buffer! Use the 00597 * return value to determine where you should start 00598 * using the buffer 00599 * 00600 * \param ctx certificate to write away 00601 * \param buf buffer to write to 00602 * \param size size of the buffer 00603 * \param f_rng RNG function (for signature, see note) 00604 * \param p_rng RNG parameter 00605 * 00606 * \return length of data written if successful, or a specific 00607 * error code 00608 * 00609 * \note f_rng may be NULL if RSA is used for signature and the 00610 * signature is made offline (otherwise f_rng is desirable 00611 * for countermeasures against timing attacks). 00612 * ECDSA signatures always require a non-NULL f_rng. 00613 */ 00614 int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, 00615 int (*f_rng)(void *, unsigned char *, size_t), 00616 void *p_rng ); 00617 00618 #if defined(MBEDTLS_PEM_WRITE_C) 00619 /** 00620 * \brief Write a built up certificate to a X509 PEM string 00621 * 00622 * \param ctx certificate to write away 00623 * \param buf buffer to write to 00624 * \param size size of the buffer 00625 * \param f_rng RNG function (for signature, see note) 00626 * \param p_rng RNG parameter 00627 * 00628 * \return 0 if successful, or a specific error code 00629 * 00630 * \note f_rng may be NULL if RSA is used for signature and the 00631 * signature is made offline (otherwise f_rng is desirable 00632 * for countermeasures against timing attacks). 00633 * ECDSA signatures always require a non-NULL f_rng. 00634 */ 00635 int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, 00636 int (*f_rng)(void *, unsigned char *, size_t), 00637 void *p_rng ); 00638 #endif /* MBEDTLS_PEM_WRITE_C */ 00639 #endif /* MBEDTLS_X509_CRT_WRITE_C */ 00640 00641 #ifdef __cplusplus 00642 } 00643 #endif 00644 00645 #endif /* mbedtls_x509_crt.h */
Generated on Tue Jul 12 2022 12:52:50 by
1.7.2