joey shelton / LED_Demo

Dependencies:   MAX44000 PWM_Tone_Library nexpaq_mdk

Fork of LED_Demo by Maxim nexpaq

Embed: (wiki syntax)

« Back to documentation index

Show/hide line numbers x509_crt.h Source File

x509_crt.h

Go to the documentation of this file.
00001 /**
00002  * \file x509_crt.h
00003  *
00004  * \brief X.509 certificate parsing and writing
00005  *
00006  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
00007  *  SPDX-License-Identifier: Apache-2.0
00008  *
00009  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
00010  *  not use this file except in compliance with the License.
00011  *  You may obtain a copy of the License at
00012  *
00013  *  http://www.apache.org/licenses/LICENSE-2.0
00014  *
00015  *  Unless required by applicable law or agreed to in writing, software
00016  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
00017  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
00018  *  See the License for the specific language governing permissions and
00019  *  limitations under the License.
00020  *
00021  *  This file is part of mbed TLS (https://tls.mbed.org)
00022  */
00023 #ifndef MBEDTLS_X509_CRT_H
00024 #define MBEDTLS_X509_CRT_H
00025 
00026 #if !defined(MBEDTLS_CONFIG_FILE)
00027 #include "config.h"
00028 #else
00029 #include MBEDTLS_CONFIG_FILE
00030 #endif
00031 
00032 #include "x509.h"
00033 #include "x509_crl.h"
00034 
00035 /**
00036  * \addtogroup x509_module
00037  * \{
00038  */
00039 
00040 #ifdef __cplusplus
00041 extern "C" {
00042 #endif
00043 
00044 /**
00045  * \name Structures and functions for parsing and writing X.509 certificates
00046  * \{
00047  */
00048 
00049 /**
00050  * Container for an X.509 certificate. The certificate may be chained.
00051  */
00052 typedef struct mbedtls_x509_crt
00053 {
00054     mbedtls_x509_buf raw;               /**< The raw certificate data (DER). */
00055     mbedtls_x509_buf tbs;               /**< The raw certificate body (DER). The part that is To Be Signed. */
00056 
00057     int version;                /**< The X.509 version. (1=v1, 2=v2, 3=v3) */
00058     mbedtls_x509_buf serial;            /**< Unique id for certificate issued by a specific CA. */
00059     mbedtls_x509_buf sig_oid;           /**< Signature algorithm, e.g. sha1RSA */
00060 
00061     mbedtls_x509_buf issuer_raw;        /**< The raw issuer data (DER). Used for quick comparison. */
00062     mbedtls_x509_buf subject_raw;       /**< The raw subject data (DER). Used for quick comparison. */
00063 
00064     mbedtls_x509_name issuer;           /**< The parsed issuer data (named information object). */
00065     mbedtls_x509_name subject;          /**< The parsed subject data (named information object). */
00066 
00067     mbedtls_x509_time valid_from;       /**< Start time of certificate validity. */
00068     mbedtls_x509_time valid_to;         /**< End time of certificate validity. */
00069 
00070     mbedtls_pk_context pk;              /**< Container for the public key context. */
00071 
00072     mbedtls_x509_buf issuer_id;         /**< Optional X.509 v2/v3 issuer unique identifier. */
00073     mbedtls_x509_buf subject_id;        /**< Optional X.509 v2/v3 subject unique identifier. */
00074     mbedtls_x509_buf v3_ext;            /**< Optional X.509 v3 extensions.  */
00075     mbedtls_x509_sequence subject_alt_names;    /**< Optional list of Subject Alternative Names (Only dNSName supported). */
00076 
00077     int ext_types;              /**< Bit string containing detected and parsed extensions */
00078     int ca_istrue;              /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
00079     int max_pathlen;            /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */
00080 
00081     unsigned int key_usage;     /**< Optional key usage extension value: See the values in x509.h */
00082 
00083     mbedtls_x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */
00084 
00085     unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */
00086 
00087     mbedtls_x509_buf sig;               /**< Signature: hash of the tbs part signed with the private key. */
00088     mbedtls_md_type_t sig_md;           /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
00089     mbedtls_pk_type_t sig_pk;           /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
00090     void *sig_opts;             /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
00091 
00092     struct mbedtls_x509_crt *next;     /**< Next certificate in the CA-chain. */
00093 }
00094 mbedtls_x509_crt;
00095 
00096 /**
00097  * Build flag from an algorithm/curve identifier (pk, md, ecp)
00098  * Since 0 is always XXX_NONE, ignore it.
00099  */
00100 #define MBEDTLS_X509_ID_FLAG( id )   ( 1 << ( id - 1 ) )
00101 
00102 /**
00103  * Security profile for certificate verification.
00104  *
00105  * All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG().
00106  */
00107 typedef struct
00108 {
00109     uint32_t allowed_mds;       /**< MDs for signatures         */
00110     uint32_t allowed_pks;       /**< PK algs for signatures     */
00111     uint32_t allowed_curves;    /**< Elliptic curves for ECDSA  */
00112     uint32_t rsa_min_bitlen;    /**< Minimum size for RSA keys  */
00113 }
00114 mbedtls_x509_crt_profile;
00115 
00116 #define MBEDTLS_X509_CRT_VERSION_1              0
00117 #define MBEDTLS_X509_CRT_VERSION_2              1
00118 #define MBEDTLS_X509_CRT_VERSION_3              2
00119 
00120 #define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32
00121 #define MBEDTLS_X509_RFC5280_UTC_TIME_LEN   15
00122 
00123 /**
00124  * Container for writing a certificate (CRT)
00125  */
00126 typedef struct mbedtls_x509write_cert
00127 {
00128     int version;
00129     mbedtls_mpi serial;
00130     mbedtls_pk_context *subject_key;
00131     mbedtls_pk_context *issuer_key;
00132     mbedtls_asn1_named_data *subject;
00133     mbedtls_asn1_named_data *issuer;
00134     mbedtls_md_type_t md_alg;
00135     char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
00136     char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
00137     mbedtls_asn1_named_data *extensions;
00138 }
00139 mbedtls_x509write_cert;
00140 
00141 #if defined(MBEDTLS_X509_CRT_PARSE_C)
00142 /**
00143  * Default security profile. Should provide a good balance between security
00144  * and compatibility with current deployments.
00145  */
00146 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default;
00147 
00148 /**
00149  * Expected next default profile. Recommended for new deployments.
00150  * Currently targets a 128-bit security level, except for RSA-2048.
00151  */
00152 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next;
00153 
00154 /**
00155  * NSA Suite B profile.
00156  */
00157 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb;
00158 
00159 /**
00160  * \brief          Parse a single DER formatted certificate and add it
00161  *                 to the chained list.
00162  *
00163  * \param chain    points to the start of the chain
00164  * \param buf      buffer holding the certificate DER data
00165  * \param buflen   size of the buffer
00166  *
00167  * \return         0 if successful, or a specific X509 or PEM error code
00168  */
00169 int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *buf,
00170                         size_t buflen );
00171 
00172 /**
00173  * \brief          Parse one or more certificates and add them
00174  *                 to the chained list. Parses permissively. If some
00175  *                 certificates can be parsed, the result is the number
00176  *                 of failed certificates it encountered. If none complete
00177  *                 correctly, the first error is returned.
00178  *
00179  * \param chain    points to the start of the chain
00180  * \param buf      buffer holding the certificate data in PEM or DER format
00181  * \param buflen   size of the buffer
00182  *                 (including the terminating null byte for PEM data)
00183  *
00184  * \return         0 if all certificates parsed successfully, a positive number
00185  *                 if partly successful or a specific X509 or PEM error code
00186  */
00187 int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen );
00188 
00189 #if defined(MBEDTLS_FS_IO)
00190 /**
00191  * \brief          Load one or more certificates and add them
00192  *                 to the chained list. Parses permissively. If some
00193  *                 certificates can be parsed, the result is the number
00194  *                 of failed certificates it encountered. If none complete
00195  *                 correctly, the first error is returned.
00196  *
00197  * \param chain    points to the start of the chain
00198  * \param path     filename to read the certificates from
00199  *
00200  * \return         0 if all certificates parsed successfully, a positive number
00201  *                 if partly successful or a specific X509 or PEM error code
00202  */
00203 int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path );
00204 
00205 /**
00206  * \brief          Load one or more certificate files from a path and add them
00207  *                 to the chained list. Parses permissively. If some
00208  *                 certificates can be parsed, the result is the number
00209  *                 of failed certificates it encountered. If none complete
00210  *                 correctly, the first error is returned.
00211  *
00212  * \param chain    points to the start of the chain
00213  * \param path     directory / folder to read the certificate files from
00214  *
00215  * \return         0 if all certificates parsed successfully, a positive number
00216  *                 if partly successful or a specific X509 or PEM error code
00217  */
00218 int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path );
00219 #endif /* MBEDTLS_FS_IO */
00220 
00221 /**
00222  * \brief          Returns an informational string about the
00223  *                 certificate.
00224  *
00225  * \param buf      Buffer to write to
00226  * \param size     Maximum size of buffer
00227  * \param prefix   A line prefix
00228  * \param crt      The X509 certificate to represent
00229  *
00230  * \return         The length of the string written (not including the
00231  *                 terminated nul byte), or a negative error code.
00232  */
00233 int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
00234                    const mbedtls_x509_crt *crt );
00235 
00236 /**
00237  * \brief          Returns an informational string about the
00238  *                 verification status of a certificate.
00239  *
00240  * \param buf      Buffer to write to
00241  * \param size     Maximum size of buffer
00242  * \param prefix   A line prefix
00243  * \param flags    Verification flags created by mbedtls_x509_crt_verify()
00244  *
00245  * \return         The length of the string written (not including the
00246  *                 terminated nul byte), or a negative error code.
00247  */
00248 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
00249                           uint32_t flags );
00250 
00251 /**
00252  * \brief          Verify the certificate signature
00253  *
00254  *                 The verify callback is a user-supplied callback that
00255  *                 can clear / modify / add flags for a certificate. If set,
00256  *                 the verification callback is called for each
00257  *                 certificate in the chain (from the trust-ca down to the
00258  *                 presented crt). The parameters for the callback are:
00259  *                 (void *parameter, mbedtls_x509_crt *crt, int certificate_depth,
00260  *                 int *flags). With the flags representing current flags for
00261  *                 that specific certificate and the certificate depth from
00262  *                 the bottom (Peer cert depth = 0).
00263  *
00264  *                 All flags left after returning from the callback
00265  *                 are also returned to the application. The function should
00266  *                 return 0 for anything but a fatal error.
00267  *
00268  * \note           In case verification failed, the results can be displayed
00269  *                 using \c mbedtls_x509_crt_verify_info()
00270  *
00271  * \note           Same as \c mbedtls_x509_crt_verify_with_profile() with the
00272  *                 default security profile.
00273  *
00274  * \note           It is your responsibility to provide up-to-date CRLs for
00275  *                 all trusted CAs. If no CRL is provided for the CA that was
00276  *                 used to sign the certificate, CRL verification is skipped
00277  *                 silently, that is *without* setting any flag.
00278  *
00279  * \param crt      a certificate (chain) to be verified
00280  * \param trust_ca the list of trusted CAs
00281  * \param ca_crl   the list of CRLs for trusted CAs (see note above)
00282  * \param cn       expected Common Name (can be set to
00283  *                 NULL if the CN must not be verified)
00284  * \param flags    result of the verification
00285  * \param f_vrfy   verification function
00286  * \param p_vrfy   verification parameter
00287  *
00288  * \return         0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
00289  *                 in which case *flags will have one or more
00290  *                 MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags
00291  *                 set,
00292  *                 or another error in case of a fatal error encountered
00293  *                 during the verification process.
00294  */
00295 int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
00296                      mbedtls_x509_crt *trust_ca,
00297                      mbedtls_x509_crl *ca_crl,
00298                      const char *cn, uint32_t *flags,
00299                      int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
00300                      void *p_vrfy );
00301 
00302 /**
00303  * \brief          Verify the certificate signature according to profile
00304  *
00305  * \note           Same as \c mbedtls_x509_crt_verify(), but with explicit
00306  *                 security profile.
00307  *
00308  * \note           The restrictions on keys (RSA minimum size, allowed curves
00309  *                 for ECDSA) apply to all certificates: trusted root,
00310  *                 intermediate CAs if any, and end entity certificate.
00311  *
00312  * \param crt      a certificate (chain) to be verified
00313  * \param trust_ca the list of trusted CAs
00314  * \param ca_crl   the list of CRLs for trusted CAs
00315  * \param profile  security profile for verification
00316  * \param cn       expected Common Name (can be set to
00317  *                 NULL if the CN must not be verified)
00318  * \param flags    result of the verification
00319  * \param f_vrfy   verification function
00320  * \param p_vrfy   verification parameter
00321  *
00322  * \return         0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
00323  *                 in which case *flags will have one or more
00324  *                 MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags
00325  *                 set,
00326  *                 or another error in case of a fatal error encountered
00327  *                 during the verification process.
00328  */
00329 int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
00330                      mbedtls_x509_crt *trust_ca,
00331                      mbedtls_x509_crl *ca_crl,
00332                      const mbedtls_x509_crt_profile *profile,
00333                      const char *cn, uint32_t *flags,
00334                      int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
00335                      void *p_vrfy );
00336 
00337 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
00338 /**
00339  * \brief          Check usage of certificate against keyUsage extension.
00340  *
00341  * \param crt      Leaf certificate used.
00342  * \param usage    Intended usage(s) (eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT
00343  *                 before using the certificate to perform an RSA key
00344  *                 exchange).
00345  *
00346  * \note           Except for decipherOnly and encipherOnly, a bit set in the
00347  *                 usage argument means this bit MUST be set in the
00348  *                 certificate. For decipherOnly and encipherOnly, it means
00349  *                 that bit MAY be set.
00350  *
00351  * \return         0 is these uses of the certificate are allowed,
00352  *                 MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension
00353  *                 is present but does not match the usage argument.
00354  *
00355  * \note           You should only call this function on leaf certificates, on
00356  *                 (intermediate) CAs the keyUsage extension is automatically
00357  *                 checked by \c mbedtls_x509_crt_verify().
00358  */
00359 int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
00360                                       unsigned int usage );
00361 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */
00362 
00363 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
00364 /**
00365  * \brief          Check usage of certificate against extentedJeyUsage.
00366  *
00367  * \param crt      Leaf certificate used.
00368  * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or MBEDTLS_OID_CLIENT_AUTH).
00369  * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()).
00370  *
00371  * \return         0 if this use of the certificate is allowed,
00372  *                 MBEDTLS_ERR_X509_BAD_INPUT_DATA if not.
00373  *
00374  * \note           Usually only makes sense on leaf certificates.
00375  */
00376 int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
00377                                        const char *usage_oid,
00378                                        size_t usage_len );
00379 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) */
00380 
00381 #if defined(MBEDTLS_X509_CRL_PARSE_C)
00382 /**
00383  * \brief          Verify the certificate revocation status
00384  *
00385  * \param crt      a certificate to be verified
00386  * \param crl      the CRL to verify against
00387  *
00388  * \return         1 if the certificate is revoked, 0 otherwise
00389  *
00390  */
00391 int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl );
00392 #endif /* MBEDTLS_X509_CRL_PARSE_C */
00393 
00394 /**
00395  * \brief          Initialize a certificate (chain)
00396  *
00397  * \param crt      Certificate chain to initialize
00398  */
00399 void mbedtls_x509_crt_init( mbedtls_x509_crt *crt );
00400 
00401 /**
00402  * \brief          Unallocate all certificate data
00403  *
00404  * \param crt      Certificate chain to free
00405  */
00406 void mbedtls_x509_crt_free( mbedtls_x509_crt *crt );
00407 #endif /* MBEDTLS_X509_CRT_PARSE_C */
00408 
00409 /* \} name */
00410 /* \} addtogroup x509_module */
00411 
00412 #if defined(MBEDTLS_X509_CRT_WRITE_C)
00413 /**
00414  * \brief           Initialize a CRT writing context
00415  *
00416  * \param ctx       CRT context to initialize
00417  */
00418 void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx );
00419 
00420 /**
00421  * \brief           Set the verion for a Certificate
00422  *                  Default: MBEDTLS_X509_CRT_VERSION_3
00423  *
00424  * \param ctx       CRT context to use
00425  * \param version   version to set (MBEDTLS_X509_CRT_VERSION_1, MBEDTLS_X509_CRT_VERSION_2 or
00426  *                                  MBEDTLS_X509_CRT_VERSION_3)
00427  */
00428 void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version );
00429 
00430 /**
00431  * \brief           Set the serial number for a Certificate.
00432  *
00433  * \param ctx       CRT context to use
00434  * \param serial    serial number to set
00435  *
00436  * \return          0 if successful
00437  */
00438 int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial );
00439 
00440 /**
00441  * \brief           Set the validity period for a Certificate
00442  *                  Timestamps should be in string format for UTC timezone
00443  *                  i.e. "YYYYMMDDhhmmss"
00444  *                  e.g. "20131231235959" for December 31st 2013
00445  *                       at 23:59:59
00446  *
00447  * \param ctx       CRT context to use
00448  * \param not_before    not_before timestamp
00449  * \param not_after     not_after timestamp
00450  *
00451  * \return          0 if timestamp was parsed successfully, or
00452  *                  a specific error code
00453  */
00454 int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before,
00455                                 const char *not_after );
00456 
00457 /**
00458  * \brief           Set the issuer name for a Certificate
00459  *                  Issuer names should contain a comma-separated list
00460  *                  of OID types and values:
00461  *                  e.g. "C=UK,O=ARM,CN=mbed TLS CA"
00462  *
00463  * \param ctx           CRT context to use
00464  * \param issuer_name   issuer name to set
00465  *
00466  * \return          0 if issuer name was parsed successfully, or
00467  *                  a specific error code
00468  */
00469 int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *ctx,
00470                                    const char *issuer_name );
00471 
00472 /**
00473  * \brief           Set the subject name for a Certificate
00474  *                  Subject names should contain a comma-separated list
00475  *                  of OID types and values:
00476  *                  e.g. "C=UK,O=ARM,CN=mbed TLS Server 1"
00477  *
00478  * \param ctx           CRT context to use
00479  * \param subject_name  subject name to set
00480  *
00481  * \return          0 if subject name was parsed successfully, or
00482  *                  a specific error code
00483  */
00484 int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *ctx,
00485                                     const char *subject_name );
00486 
00487 /**
00488  * \brief           Set the subject public key for the certificate
00489  *
00490  * \param ctx       CRT context to use
00491  * \param key       public key to include
00492  */
00493 void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key );
00494 
00495 /**
00496  * \brief           Set the issuer key used for signing the certificate
00497  *
00498  * \param ctx       CRT context to use
00499  * \param key       private key to sign with
00500  */
00501 void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key );
00502 
00503 /**
00504  * \brief           Set the MD algorithm to use for the signature
00505  *                  (e.g. MBEDTLS_MD_SHA1)
00506  *
00507  * \param ctx       CRT context to use
00508  * \param md_alg    MD algorithm to use
00509  */
00510 void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg );
00511 
00512 /**
00513  * \brief           Generic function to add to or replace an extension in the
00514  *                  CRT
00515  *
00516  * \param ctx       CRT context to use
00517  * \param oid       OID of the extension
00518  * \param oid_len   length of the OID
00519  * \param critical  if the extension is critical (per the RFC's definition)
00520  * \param val       value of the extension OCTET STRING
00521  * \param val_len   length of the value data
00522  *
00523  * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
00524  */
00525 int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx,
00526                                  const char *oid, size_t oid_len,
00527                                  int critical,
00528                                  const unsigned char *val, size_t val_len );
00529 
00530 /**
00531  * \brief           Set the basicConstraints extension for a CRT
00532  *
00533  * \param ctx       CRT context to use
00534  * \param is_ca     is this a CA certificate
00535  * \param max_pathlen   maximum length of certificate chains below this
00536  *                      certificate (only for CA certificates, -1 is
00537  *                      inlimited)
00538  *
00539  * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
00540  */
00541 int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx,
00542                                          int is_ca, int max_pathlen );
00543 
00544 #if defined(MBEDTLS_SHA1_C)
00545 /**
00546  * \brief           Set the subjectKeyIdentifier extension for a CRT
00547  *                  Requires that mbedtls_x509write_crt_set_subject_key() has been
00548  *                  called before
00549  *
00550  * \param ctx       CRT context to use
00551  *
00552  * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
00553  */
00554 int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx );
00555 
00556 /**
00557  * \brief           Set the authorityKeyIdentifier extension for a CRT
00558  *                  Requires that mbedtls_x509write_crt_set_issuer_key() has been
00559  *                  called before
00560  *
00561  * \param ctx       CRT context to use
00562  *
00563  * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
00564  */
00565 int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx );
00566 #endif /* MBEDTLS_SHA1_C */
00567 
00568 /**
00569  * \brief           Set the Key Usage Extension flags
00570  *                  (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN)
00571  *
00572  * \param ctx       CRT context to use
00573  * \param key_usage key usage flags to set
00574  *
00575  * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
00576  */
00577 int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
00578                                          unsigned int key_usage );
00579 
00580 /**
00581  * \brief           Set the Netscape Cert Type flags
00582  *                  (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)
00583  *
00584  * \param ctx           CRT context to use
00585  * \param ns_cert_type  Netscape Cert Type flags to set
00586  *
00587  * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
00588  */
00589 int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx,
00590                                     unsigned char ns_cert_type );
00591 
00592 /**
00593  * \brief           Free the contents of a CRT write context
00594  *
00595  * \param ctx       CRT context to free
00596  */
00597 void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx );
00598 
00599 /**
00600  * \brief           Write a built up certificate to a X509 DER structure
00601  *                  Note: data is written at the end of the buffer! Use the
00602  *                        return value to determine where you should start
00603  *                        using the buffer
00604  *
00605  * \param ctx       certificate to write away
00606  * \param buf       buffer to write to
00607  * \param size      size of the buffer
00608  * \param f_rng     RNG function (for signature, see note)
00609  * \param p_rng     RNG parameter
00610  *
00611  * \return          length of data written if successful, or a specific
00612  *                  error code
00613  *
00614  * \note            f_rng may be NULL if RSA is used for signature and the
00615  *                  signature is made offline (otherwise f_rng is desirable
00616  *                  for countermeasures against timing attacks).
00617  *                  ECDSA signatures always require a non-NULL f_rng.
00618  */
00619 int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
00620                        int (*f_rng)(void *, unsigned char *, size_t),
00621                        void *p_rng );
00622 
00623 #if defined(MBEDTLS_PEM_WRITE_C)
00624 /**
00625  * \brief           Write a built up certificate to a X509 PEM string
00626  *
00627  * \param ctx       certificate to write away
00628  * \param buf       buffer to write to
00629  * \param size      size of the buffer
00630  * \param f_rng     RNG function (for signature, see note)
00631  * \param p_rng     RNG parameter
00632  *
00633  * \return          0 if successful, or a specific error code
00634  *
00635  * \note            f_rng may be NULL if RSA is used for signature and the
00636  *                  signature is made offline (otherwise f_rng is desirable
00637  *                  for countermeasures against timing attacks).
00638  *                  ECDSA signatures always require a non-NULL f_rng.
00639  */
00640 int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
00641                        int (*f_rng)(void *, unsigned char *, size_t),
00642                        void *p_rng );
00643 #endif /* MBEDTLS_PEM_WRITE_C */
00644 #endif /* MBEDTLS_X509_CRT_WRITE_C */
00645 
00646 #ifdef __cplusplus
00647 }
00648 #endif
00649 
00650 #endif /* mbedtls_x509_crt.h */