takashi kadono
/
Nucleo446_SSD1331
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Embed:
(wiki syntax)
Show/hide line numbers
x509_crt.h
Go to the documentation of this file.
00001 /** 00002 * \file x509_crt.h 00003 * 00004 * \brief X.509 certificate parsing and writing 00005 */ 00006 /* 00007 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00008 * SPDX-License-Identifier: Apache-2.0 00009 * 00010 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00011 * not use this file except in compliance with the License. 00012 * You may obtain a copy of the License at 00013 * 00014 * http://www.apache.org/licenses/LICENSE-2.0 00015 * 00016 * Unless required by applicable law or agreed to in writing, software 00017 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00018 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00019 * See the License for the specific language governing permissions and 00020 * limitations under the License. 00021 * 00022 * This file is part of mbed TLS (https://tls.mbed.org) 00023 */ 00024 #ifndef MBEDTLS_X509_CRT_H 00025 #define MBEDTLS_X509_CRT_H 00026 00027 #if !defined(MBEDTLS_CONFIG_FILE) 00028 #include "config.h" 00029 #else 00030 #include MBEDTLS_CONFIG_FILE 00031 #endif 00032 00033 #include "x509.h" 00034 #include "x509_crl.h" 00035 00036 /** 00037 * \addtogroup x509_module 00038 * \{ 00039 */ 00040 00041 #ifdef __cplusplus 00042 extern "C" { 00043 #endif 00044 00045 /** 00046 * \name Structures and functions for parsing and writing X.509 certificates 00047 * \{ 00048 */ 00049 00050 /** 00051 * Container for an X.509 certificate. The certificate may be chained. 00052 */ 00053 typedef struct mbedtls_x509_crt 00054 { 00055 mbedtls_x509_buf raw; /**< The raw certificate data (DER). */ 00056 mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */ 00057 00058 int version; /**< The X.509 version. (1=v1, 2=v2, 3=v3) */ 00059 mbedtls_x509_buf serial; /**< Unique id for certificate issued by a specific CA. */ 00060 mbedtls_x509_buf sig_oid; /**< Signature algorithm, e.g. sha1RSA */ 00061 00062 mbedtls_x509_buf issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */ 00063 mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). Used for quick comparison. */ 00064 00065 mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */ 00066 mbedtls_x509_name subject; /**< The parsed subject data (named information object). */ 00067 00068 mbedtls_x509_time valid_from; /**< Start time of certificate validity. */ 00069 mbedtls_x509_time valid_to; /**< End time of certificate validity. */ 00070 00071 mbedtls_pk_context pk; /**< Container for the public key context. */ 00072 00073 mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */ 00074 mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */ 00075 mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */ 00076 mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */ 00077 00078 int ext_types; /**< Bit string containing detected and parsed extensions */ 00079 int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */ 00080 int max_pathlen; /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */ 00081 00082 unsigned int key_usage; /**< Optional key usage extension value: See the values in x509.h */ 00083 00084 mbedtls_x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */ 00085 00086 unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */ 00087 00088 mbedtls_x509_buf sig; /**< Signature: hash of the tbs part signed with the private key. */ 00089 mbedtls_md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ 00090 mbedtls_pk_type_t sig_pk; /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ 00091 void *sig_opts; /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */ 00092 00093 struct mbedtls_x509_crt *next; /**< Next certificate in the CA-chain. */ 00094 } 00095 mbedtls_x509_crt; 00096 00097 /** 00098 * Build flag from an algorithm/curve identifier (pk, md, ecp) 00099 * Since 0 is always XXX_NONE, ignore it. 00100 */ 00101 #define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( id - 1 ) ) 00102 00103 /** 00104 * Security profile for certificate verification. 00105 * 00106 * All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG(). 00107 */ 00108 typedef struct mbedtls_x509_crt_profile 00109 { 00110 uint32_t allowed_mds; /**< MDs for signatures */ 00111 uint32_t allowed_pks; /**< PK algs for signatures */ 00112 uint32_t allowed_curves; /**< Elliptic curves for ECDSA */ 00113 uint32_t rsa_min_bitlen; /**< Minimum size for RSA keys */ 00114 } 00115 mbedtls_x509_crt_profile; 00116 00117 #define MBEDTLS_X509_CRT_VERSION_1 0 00118 #define MBEDTLS_X509_CRT_VERSION_2 1 00119 #define MBEDTLS_X509_CRT_VERSION_3 2 00120 00121 #define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32 00122 #define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15 00123 00124 #if !defined( MBEDTLS_X509_MAX_FILE_PATH_LEN ) 00125 #define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 00126 #endif 00127 00128 /** 00129 * Container for writing a certificate (CRT) 00130 */ 00131 typedef struct mbedtls_x509write_cert 00132 { 00133 int version; 00134 mbedtls_mpi serial; 00135 mbedtls_pk_context *subject_key; 00136 mbedtls_pk_context *issuer_key; 00137 mbedtls_asn1_named_data *subject; 00138 mbedtls_asn1_named_data *issuer; 00139 mbedtls_md_type_t md_alg; 00140 char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1]; 00141 char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1]; 00142 mbedtls_asn1_named_data *extensions; 00143 } 00144 mbedtls_x509write_cert; 00145 00146 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00147 /** 00148 * Default security profile. Should provide a good balance between security 00149 * and compatibility with current deployments. 00150 */ 00151 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default; 00152 00153 /** 00154 * Expected next default profile. Recommended for new deployments. 00155 * Currently targets a 128-bit security level, except for RSA-2048. 00156 */ 00157 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next; 00158 00159 /** 00160 * NSA Suite B profile. 00161 */ 00162 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb; 00163 00164 /** 00165 * \brief Parse a single DER formatted certificate and add it 00166 * to the chained list. 00167 * 00168 * \param chain points to the start of the chain 00169 * \param buf buffer holding the certificate DER data 00170 * \param buflen size of the buffer 00171 * 00172 * \return 0 if successful, or a specific X509 or PEM error code 00173 */ 00174 int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *buf, 00175 size_t buflen ); 00176 00177 /** 00178 * \brief Parse one or more certificates and add them 00179 * to the chained list. Parses permissively. If some 00180 * certificates can be parsed, the result is the number 00181 * of failed certificates it encountered. If none complete 00182 * correctly, the first error is returned. 00183 * 00184 * \param chain points to the start of the chain 00185 * \param buf buffer holding the certificate data in PEM or DER format 00186 * \param buflen size of the buffer 00187 * (including the terminating null byte for PEM data) 00188 * 00189 * \return 0 if all certificates parsed successfully, a positive number 00190 * if partly successful or a specific X509 or PEM error code 00191 */ 00192 int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen ); 00193 00194 #if defined(MBEDTLS_FS_IO) 00195 /** 00196 * \brief Load one or more certificates and add them 00197 * to the chained list. Parses permissively. If some 00198 * certificates can be parsed, the result is the number 00199 * of failed certificates it encountered. If none complete 00200 * correctly, the first error is returned. 00201 * 00202 * \param chain points to the start of the chain 00203 * \param path filename to read the certificates from 00204 * 00205 * \return 0 if all certificates parsed successfully, a positive number 00206 * if partly successful or a specific X509 or PEM error code 00207 */ 00208 int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path ); 00209 00210 /** 00211 * \brief Load one or more certificate files from a path and add them 00212 * to the chained list. Parses permissively. If some 00213 * certificates can be parsed, the result is the number 00214 * of failed certificates it encountered. If none complete 00215 * correctly, the first error is returned. 00216 * 00217 * \param chain points to the start of the chain 00218 * \param path directory / folder to read the certificate files from 00219 * 00220 * \return 0 if all certificates parsed successfully, a positive number 00221 * if partly successful or a specific X509 or PEM error code 00222 */ 00223 int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path ); 00224 #endif /* MBEDTLS_FS_IO */ 00225 00226 /** 00227 * \brief Returns an informational string about the 00228 * certificate. 00229 * 00230 * \param buf Buffer to write to 00231 * \param size Maximum size of buffer 00232 * \param prefix A line prefix 00233 * \param crt The X509 certificate to represent 00234 * 00235 * \return The length of the string written (not including the 00236 * terminated nul byte), or a negative error code. 00237 */ 00238 int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix, 00239 const mbedtls_x509_crt *crt ); 00240 00241 /** 00242 * \brief Returns an informational string about the 00243 * verification status of a certificate. 00244 * 00245 * \param buf Buffer to write to 00246 * \param size Maximum size of buffer 00247 * \param prefix A line prefix 00248 * \param flags Verification flags created by mbedtls_x509_crt_verify() 00249 * 00250 * \return The length of the string written (not including the 00251 * terminated nul byte), or a negative error code. 00252 */ 00253 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix, 00254 uint32_t flags ); 00255 00256 /** 00257 * \brief Verify the certificate signature 00258 * 00259 * The verify callback is a user-supplied callback that 00260 * can clear / modify / add flags for a certificate. If set, 00261 * the verification callback is called for each 00262 * certificate in the chain (from the trust-ca down to the 00263 * presented crt). The parameters for the callback are: 00264 * (void *parameter, mbedtls_x509_crt *crt, int certificate_depth, 00265 * int *flags). With the flags representing current flags for 00266 * that specific certificate and the certificate depth from 00267 * the bottom (Peer cert depth = 0). 00268 * 00269 * All flags left after returning from the callback 00270 * are also returned to the application. The function should 00271 * return 0 for anything (including invalid certificates) 00272 * other than fatal error, as a non-zero return code 00273 * immediately aborts the verification process. For fatal 00274 * errors, a specific error code should be used (different 00275 * from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not 00276 * be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR 00277 * can be used if no better code is available. 00278 * 00279 * \note In case verification failed, the results can be displayed 00280 * using \c mbedtls_x509_crt_verify_info() 00281 * 00282 * \note Same as \c mbedtls_x509_crt_verify_with_profile() with the 00283 * default security profile. 00284 * 00285 * \note It is your responsibility to provide up-to-date CRLs for 00286 * all trusted CAs. If no CRL is provided for the CA that was 00287 * used to sign the certificate, CRL verification is skipped 00288 * silently, that is *without* setting any flag. 00289 * 00290 * \note The \c trust_ca list can contain two types of certificates: 00291 * (1) those of trusted root CAs, so that certificates 00292 * chaining up to those CAs will be trusted, and (2) 00293 * self-signed end-entity certificates to be trusted (for 00294 * specific peers you know) - in that case, the self-signed 00295 * certificate doesn't need to have the CA bit set. 00296 * 00297 * \param crt a certificate (chain) to be verified 00298 * \param trust_ca the list of trusted CAs (see note above) 00299 * \param ca_crl the list of CRLs for trusted CAs (see note above) 00300 * \param cn expected Common Name (can be set to 00301 * NULL if the CN must not be verified) 00302 * \param flags result of the verification 00303 * \param f_vrfy verification function 00304 * \param p_vrfy verification parameter 00305 * 00306 * \return 0 (and flags set to 0) if the chain was verified and valid, 00307 * MBEDTLS_ERR_X509_CERT_VERIFY_FAILED if the chain was verified 00308 * but found to be invalid, in which case *flags will have one 00309 * or more MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX 00310 * flags set, or another error (and flags set to 0xffffffff) 00311 * in case of a fatal error encountered during the 00312 * verification process. 00313 */ 00314 int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, 00315 mbedtls_x509_crt *trust_ca, 00316 mbedtls_x509_crl *ca_crl, 00317 const char *cn, uint32_t *flags, 00318 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 00319 void *p_vrfy ); 00320 00321 /** 00322 * \brief Verify the certificate signature according to profile 00323 * 00324 * \note Same as \c mbedtls_x509_crt_verify(), but with explicit 00325 * security profile. 00326 * 00327 * \note The restrictions on keys (RSA minimum size, allowed curves 00328 * for ECDSA) apply to all certificates: trusted root, 00329 * intermediate CAs if any, and end entity certificate. 00330 * 00331 * \param crt a certificate (chain) to be verified 00332 * \param trust_ca the list of trusted CAs 00333 * \param ca_crl the list of CRLs for trusted CAs 00334 * \param profile security profile for verification 00335 * \param cn expected Common Name (can be set to 00336 * NULL if the CN must not be verified) 00337 * \param flags result of the verification 00338 * \param f_vrfy verification function 00339 * \param p_vrfy verification parameter 00340 * 00341 * \return 0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED 00342 * in which case *flags will have one or more 00343 * MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags 00344 * set, 00345 * or another error in case of a fatal error encountered 00346 * during the verification process. 00347 */ 00348 int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt, 00349 mbedtls_x509_crt *trust_ca, 00350 mbedtls_x509_crl *ca_crl, 00351 const mbedtls_x509_crt_profile *profile, 00352 const char *cn, uint32_t *flags, 00353 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 00354 void *p_vrfy ); 00355 00356 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) 00357 /** 00358 * \brief Check usage of certificate against keyUsage extension. 00359 * 00360 * \param crt Leaf certificate used. 00361 * \param usage Intended usage(s) (eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT 00362 * before using the certificate to perform an RSA key 00363 * exchange). 00364 * 00365 * \note Except for decipherOnly and encipherOnly, a bit set in the 00366 * usage argument means this bit MUST be set in the 00367 * certificate. For decipherOnly and encipherOnly, it means 00368 * that bit MAY be set. 00369 * 00370 * \return 0 is these uses of the certificate are allowed, 00371 * MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension 00372 * is present but does not match the usage argument. 00373 * 00374 * \note You should only call this function on leaf certificates, on 00375 * (intermediate) CAs the keyUsage extension is automatically 00376 * checked by \c mbedtls_x509_crt_verify(). 00377 */ 00378 int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, 00379 unsigned int usage ); 00380 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */ 00381 00382 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 00383 /** 00384 * \brief Check usage of certificate against extendedKeyUsage. 00385 * 00386 * \param crt Leaf certificate used. 00387 * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or 00388 * MBEDTLS_OID_CLIENT_AUTH). 00389 * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()). 00390 * 00391 * \return 0 if this use of the certificate is allowed, 00392 * MBEDTLS_ERR_X509_BAD_INPUT_DATA if not. 00393 * 00394 * \note Usually only makes sense on leaf certificates. 00395 */ 00396 int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt, 00397 const char *usage_oid, 00398 size_t usage_len ); 00399 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ 00400 00401 #if defined(MBEDTLS_X509_CRL_PARSE_C) 00402 /** 00403 * \brief Verify the certificate revocation status 00404 * 00405 * \param crt a certificate to be verified 00406 * \param crl the CRL to verify against 00407 * 00408 * \return 1 if the certificate is revoked, 0 otherwise 00409 * 00410 */ 00411 int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl ); 00412 #endif /* MBEDTLS_X509_CRL_PARSE_C */ 00413 00414 /** 00415 * \brief Initialize a certificate (chain) 00416 * 00417 * \param crt Certificate chain to initialize 00418 */ 00419 void mbedtls_x509_crt_init( mbedtls_x509_crt *crt ); 00420 00421 /** 00422 * \brief Unallocate all certificate data 00423 * 00424 * \param crt Certificate chain to free 00425 */ 00426 void mbedtls_x509_crt_free( mbedtls_x509_crt *crt ); 00427 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 00428 00429 /* \} name */ 00430 /* \} addtogroup x509_module */ 00431 00432 #if defined(MBEDTLS_X509_CRT_WRITE_C) 00433 /** 00434 * \brief Initialize a CRT writing context 00435 * 00436 * \param ctx CRT context to initialize 00437 */ 00438 void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx ); 00439 00440 /** 00441 * \brief Set the verion for a Certificate 00442 * Default: MBEDTLS_X509_CRT_VERSION_3 00443 * 00444 * \param ctx CRT context to use 00445 * \param version version to set (MBEDTLS_X509_CRT_VERSION_1, MBEDTLS_X509_CRT_VERSION_2 or 00446 * MBEDTLS_X509_CRT_VERSION_3) 00447 */ 00448 void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version ); 00449 00450 /** 00451 * \brief Set the serial number for a Certificate. 00452 * 00453 * \param ctx CRT context to use 00454 * \param serial serial number to set 00455 * 00456 * \return 0 if successful 00457 */ 00458 int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial ); 00459 00460 /** 00461 * \brief Set the validity period for a Certificate 00462 * Timestamps should be in string format for UTC timezone 00463 * i.e. "YYYYMMDDhhmmss" 00464 * e.g. "20131231235959" for December 31st 2013 00465 * at 23:59:59 00466 * 00467 * \param ctx CRT context to use 00468 * \param not_before not_before timestamp 00469 * \param not_after not_after timestamp 00470 * 00471 * \return 0 if timestamp was parsed successfully, or 00472 * a specific error code 00473 */ 00474 int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before, 00475 const char *not_after ); 00476 00477 /** 00478 * \brief Set the issuer name for a Certificate 00479 * Issuer names should contain a comma-separated list 00480 * of OID types and values: 00481 * e.g. "C=UK,O=ARM,CN=mbed TLS CA" 00482 * 00483 * \param ctx CRT context to use 00484 * \param issuer_name issuer name to set 00485 * 00486 * \return 0 if issuer name was parsed successfully, or 00487 * a specific error code 00488 */ 00489 int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *ctx, 00490 const char *issuer_name ); 00491 00492 /** 00493 * \brief Set the subject name for a Certificate 00494 * Subject names should contain a comma-separated list 00495 * of OID types and values: 00496 * e.g. "C=UK,O=ARM,CN=mbed TLS Server 1" 00497 * 00498 * \param ctx CRT context to use 00499 * \param subject_name subject name to set 00500 * 00501 * \return 0 if subject name was parsed successfully, or 00502 * a specific error code 00503 */ 00504 int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *ctx, 00505 const char *subject_name ); 00506 00507 /** 00508 * \brief Set the subject public key for the certificate 00509 * 00510 * \param ctx CRT context to use 00511 * \param key public key to include 00512 */ 00513 void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key ); 00514 00515 /** 00516 * \brief Set the issuer key used for signing the certificate 00517 * 00518 * \param ctx CRT context to use 00519 * \param key private key to sign with 00520 */ 00521 void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key ); 00522 00523 /** 00524 * \brief Set the MD algorithm to use for the signature 00525 * (e.g. MBEDTLS_MD_SHA1) 00526 * 00527 * \param ctx CRT context to use 00528 * \param md_alg MD algorithm to use 00529 */ 00530 void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg ); 00531 00532 /** 00533 * \brief Generic function to add to or replace an extension in the 00534 * CRT 00535 * 00536 * \param ctx CRT context to use 00537 * \param oid OID of the extension 00538 * \param oid_len length of the OID 00539 * \param critical if the extension is critical (per the RFC's definition) 00540 * \param val value of the extension OCTET STRING 00541 * \param val_len length of the value data 00542 * 00543 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 00544 */ 00545 int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx, 00546 const char *oid, size_t oid_len, 00547 int critical, 00548 const unsigned char *val, size_t val_len ); 00549 00550 /** 00551 * \brief Set the basicConstraints extension for a CRT 00552 * 00553 * \param ctx CRT context to use 00554 * \param is_ca is this a CA certificate 00555 * \param max_pathlen maximum length of certificate chains below this 00556 * certificate (only for CA certificates, -1 is 00557 * inlimited) 00558 * 00559 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 00560 */ 00561 int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx, 00562 int is_ca, int max_pathlen ); 00563 00564 #if defined(MBEDTLS_SHA1_C) 00565 /** 00566 * \brief Set the subjectKeyIdentifier extension for a CRT 00567 * Requires that mbedtls_x509write_crt_set_subject_key() has been 00568 * called before 00569 * 00570 * \param ctx CRT context to use 00571 * 00572 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 00573 */ 00574 int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx ); 00575 00576 /** 00577 * \brief Set the authorityKeyIdentifier extension for a CRT 00578 * Requires that mbedtls_x509write_crt_set_issuer_key() has been 00579 * called before 00580 * 00581 * \param ctx CRT context to use 00582 * 00583 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 00584 */ 00585 int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx ); 00586 #endif /* MBEDTLS_SHA1_C */ 00587 00588 /** 00589 * \brief Set the Key Usage Extension flags 00590 * (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN) 00591 * 00592 * \param ctx CRT context to use 00593 * \param key_usage key usage flags to set 00594 * 00595 * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED 00596 */ 00597 int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, 00598 unsigned int key_usage ); 00599 00600 /** 00601 * \brief Set the Netscape Cert Type flags 00602 * (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL) 00603 * 00604 * \param ctx CRT context to use 00605 * \param ns_cert_type Netscape Cert Type flags to set 00606 * 00607 * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED 00608 */ 00609 int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx, 00610 unsigned char ns_cert_type ); 00611 00612 /** 00613 * \brief Free the contents of a CRT write context 00614 * 00615 * \param ctx CRT context to free 00616 */ 00617 void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx ); 00618 00619 /** 00620 * \brief Write a built up certificate to a X509 DER structure 00621 * Note: data is written at the end of the buffer! Use the 00622 * return value to determine where you should start 00623 * using the buffer 00624 * 00625 * \param ctx certificate to write away 00626 * \param buf buffer to write to 00627 * \param size size of the buffer 00628 * \param f_rng RNG function (for signature, see note) 00629 * \param p_rng RNG parameter 00630 * 00631 * \return length of data written if successful, or a specific 00632 * error code 00633 * 00634 * \note f_rng may be NULL if RSA is used for signature and the 00635 * signature is made offline (otherwise f_rng is desirable 00636 * for countermeasures against timing attacks). 00637 * ECDSA signatures always require a non-NULL f_rng. 00638 */ 00639 int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, 00640 int (*f_rng)(void *, unsigned char *, size_t), 00641 void *p_rng ); 00642 00643 #if defined(MBEDTLS_PEM_WRITE_C) 00644 /** 00645 * \brief Write a built up certificate to a X509 PEM string 00646 * 00647 * \param ctx certificate to write away 00648 * \param buf buffer to write to 00649 * \param size size of the buffer 00650 * \param f_rng RNG function (for signature, see note) 00651 * \param p_rng RNG parameter 00652 * 00653 * \return 0 if successful, or a specific error code 00654 * 00655 * \note f_rng may be NULL if RSA is used for signature and the 00656 * signature is made offline (otherwise f_rng is desirable 00657 * for countermeasures against timing attacks). 00658 * ECDSA signatures always require a non-NULL f_rng. 00659 */ 00660 int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, 00661 int (*f_rng)(void *, unsigned char *, size_t), 00662 void *p_rng ); 00663 #endif /* MBEDTLS_PEM_WRITE_C */ 00664 #endif /* MBEDTLS_X509_CRT_WRITE_C */ 00665 00666 #ifdef __cplusplus 00667 } 00668 #endif 00669 00670 #endif /* mbedtls_x509_crt.h */
Generated on Tue Jul 12 2022 13:53:47 by
1.7.2