Rtos API example
X509_module
Data Structures | |
struct | mbedtls_x509_time |
Container for date and time (precision in seconds). More... | |
struct | mbedtls_x509_crl_entry |
Certificate revocation list entry. More... | |
struct | mbedtls_x509_crl |
Certificate revocation list structure. More... | |
struct | mbedtls_x509_crt |
Container for an X.509 certificate. More... | |
struct | mbedtls_x509_crt_profile |
Security profile for certificate verification. More... | |
struct | mbedtls_x509write_cert |
Container for writing a certificate (CRT) More... | |
struct | mbedtls_x509_csr |
Certificate Signing Request (CSR) structure. More... | |
struct | mbedtls_x509write_csr |
Container for writing a CSR. More... | |
Functions | |
int | mbedtls_dhm_parse_dhm (mbedtls_dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen) |
Parse DHM parameters in PEM or DER format. | |
int | mbedtls_dhm_parse_dhmfile (mbedtls_dhm_context *dhm, const char *path) |
Load and parse DHM parameters. | |
Structures for parsing X.509 certificates, CRLs and CSRs | |
typedef mbedtls_asn1_buf | mbedtls_x509_buf |
Type-length-value structure that allows for ASN1 using DER. | |
typedef mbedtls_asn1_bitstring | mbedtls_x509_bitstring |
Container for ASN1 bit strings. | |
typedef mbedtls_asn1_named_data | mbedtls_x509_name |
Container for ASN1 named information objects. | |
typedef mbedtls_asn1_sequence | mbedtls_x509_sequence |
Container for a sequence of ASN.1 items. | |
typedef struct mbedtls_x509_time | mbedtls_x509_time |
Container for date and time (precision in seconds). | |
Structures and functions for parsing CRLs | |
typedef struct mbedtls_x509_crl_entry | mbedtls_x509_crl_entry |
Certificate revocation list entry. | |
typedef struct mbedtls_x509_crl | mbedtls_x509_crl |
Certificate revocation list structure. | |
int | mbedtls_x509_crl_parse_der (mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen) |
Parse a DER-encoded CRL and append it to the chained list. | |
int | mbedtls_x509_crl_parse (mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen) |
Parse one or more CRLs and append them to the chained list. | |
int | mbedtls_x509_crl_parse_file (mbedtls_x509_crl *chain, const char *path) |
Load one or more CRLs and append them to the chained list. | |
int | mbedtls_x509_crl_info (char *buf, size_t size, const char *prefix, const mbedtls_x509_crl *crl) |
Returns an informational string about the CRL. | |
void | mbedtls_x509_crl_init (mbedtls_x509_crl *crl) |
Initialize a CRL (chain) | |
void | mbedtls_x509_crl_free (mbedtls_x509_crl *crl) |
Unallocate all CRL data. | |
Structures and functions for parsing and writing X.509 certificates | |
typedef struct mbedtls_x509_crt | mbedtls_x509_crt |
Container for an X.509 certificate. | |
typedef struct mbedtls_x509write_cert | mbedtls_x509write_cert |
Container for writing a certificate (CRT) | |
const mbedtls_x509_crt_profile | mbedtls_x509_crt_profile_default |
Default security profile. | |
const mbedtls_x509_crt_profile | mbedtls_x509_crt_profile_next |
Expected next default profile. | |
const mbedtls_x509_crt_profile | mbedtls_x509_crt_profile_suiteb |
NSA Suite B profile. | |
int | mbedtls_x509_crt_parse_der (mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen) |
Parse a single DER formatted certificate and add it to the chained list. | |
int | mbedtls_x509_crt_parse (mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen) |
Parse one or more certificates and add them to the chained list. | |
int | mbedtls_x509_crt_parse_file (mbedtls_x509_crt *chain, const char *path) |
Load one or more certificates and add them to the chained list. | |
int | mbedtls_x509_crt_parse_path (mbedtls_x509_crt *chain, const char *path) |
Load one or more certificate files from a path and add them to the chained list. | |
int | mbedtls_x509_crt_info (char *buf, size_t size, const char *prefix, const mbedtls_x509_crt *crt) |
Returns an informational string about the certificate. | |
int | mbedtls_x509_crt_verify_info (char *buf, size_t size, const char *prefix, uint32_t flags) |
Returns an informational string about the verification status of a certificate. | |
int | mbedtls_x509_crt_verify (mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy) |
Verify the certificate signature. | |
int | mbedtls_x509_crt_verify_with_profile (mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy) |
Verify the certificate signature according to profile. | |
int | mbedtls_x509_crt_check_key_usage (const mbedtls_x509_crt *crt, unsigned int usage) |
Check usage of certificate against keyUsage extension. | |
int | mbedtls_x509_crt_check_extended_key_usage (const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len) |
Check usage of certificate against extentedJeyUsage. | |
int | mbedtls_x509_crt_is_revoked (const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl) |
Verify the certificate revocation status. | |
void | mbedtls_x509_crt_init (mbedtls_x509_crt *crt) |
Initialize a certificate (chain) | |
void | mbedtls_x509_crt_free (mbedtls_x509_crt *crt) |
Unallocate all certificate data. | |
Structures and functions for X.509 Certificate Signing Requests (CSR) | |
typedef struct mbedtls_x509_csr | mbedtls_x509_csr |
Certificate Signing Request (CSR) structure. | |
typedef struct mbedtls_x509write_csr | mbedtls_x509write_csr |
Container for writing a CSR. | |
int | mbedtls_x509_csr_parse_der (mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen) |
Load a Certificate Signing Request (CSR) in DER format. | |
int | mbedtls_x509_csr_parse (mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen) |
Load a Certificate Signing Request (CSR), DER or PEM format. | |
int | mbedtls_x509_csr_parse_file (mbedtls_x509_csr *csr, const char *path) |
Load a Certificate Signing Request (CSR) | |
int | mbedtls_x509_csr_info (char *buf, size_t size, const char *prefix, const mbedtls_x509_csr *csr) |
Returns an informational string about the CSR. | |
void | mbedtls_x509_csr_init (mbedtls_x509_csr *csr) |
Initialize a CSR. | |
void | mbedtls_x509_csr_free (mbedtls_x509_csr *csr) |
Unallocate all CSR data. |
Typedef Documentation
typedef mbedtls_asn1_buf mbedtls_x509_buf |
typedef struct mbedtls_x509_crl mbedtls_x509_crl |
Certificate revocation list structure.
Every CRL may have multiple entries.
typedef struct mbedtls_x509_crl_entry mbedtls_x509_crl_entry |
Certificate revocation list entry.
Contains the CA-specific serial numbers and revocation dates.
typedef struct mbedtls_x509_crt mbedtls_x509_crt |
Container for an X.509 certificate.
The certificate may be chained.
typedef struct mbedtls_x509_csr mbedtls_x509_csr |
Certificate Signing Request (CSR) structure.
typedef struct mbedtls_x509_time mbedtls_x509_time |
Container for date and time (precision in seconds).
typedef struct mbedtls_x509write_cert mbedtls_x509write_cert |
Container for writing a certificate (CRT)
typedef struct mbedtls_x509write_csr mbedtls_x509write_csr |
Container for writing a CSR.
Function Documentation
int mbedtls_dhm_parse_dhm | ( | mbedtls_dhm_context * | dhm, |
const unsigned char * | dhmin, | ||
size_t | dhminlen | ||
) |
int mbedtls_dhm_parse_dhmfile | ( | mbedtls_dhm_context * | dhm, |
const char * | path | ||
) |
void mbedtls_x509_crl_free | ( | mbedtls_x509_crl * | crl ) |
Unallocate all CRL data.
- Parameters:
-
crl CRL chain to free
Definition at line 664 of file x509_crl.c.
int mbedtls_x509_crl_info | ( | char * | buf, |
size_t | size, | ||
const char * | prefix, | ||
const mbedtls_x509_crl * | crl | ||
) |
Returns an informational string about the CRL.
- Parameters:
-
buf Buffer to write to size Maximum size of buffer prefix A line prefix crl The X509 CRL to represent
- Returns:
- The length of the string written (not including the terminated nul byte), or a negative error code.
Definition at line 581 of file x509_crl.c.
void mbedtls_x509_crl_init | ( | mbedtls_x509_crl * | crl ) |
Initialize a CRL (chain)
- Parameters:
-
crl CRL chain to initialize
Definition at line 656 of file x509_crl.c.
int mbedtls_x509_crl_parse | ( | mbedtls_x509_crl * | chain, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Parse one or more CRLs and append them to the chained list.
- Note:
- Mutliple CRLs are accepted only if using PEM format
- Parameters:
-
chain points to the start of the chain buf buffer holding the CRL data in PEM or DER format buflen size of the buffer (including the terminating null byte for PEM data)
- Returns:
- 0 if successful, or a specific X509 or PEM error code
Definition at line 490 of file x509_crl.c.
int mbedtls_x509_crl_parse_der | ( | mbedtls_x509_crl * | chain, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Parse a DER-encoded CRL and append it to the chained list.
- Parameters:
-
chain points to the start of the chain buf buffer holding the CRL data in DER format buflen size of the buffer (including the terminating null byte for PEM data)
- Returns:
- 0 if successful, or a specific X509 or PEM error code
Definition at line 255 of file x509_crl.c.
int mbedtls_x509_crl_parse_file | ( | mbedtls_x509_crl * | chain, |
const char * | path | ||
) |
Load one or more CRLs and append them to the chained list.
- Note:
- Mutliple CRLs are accepted only if using PEM format
- Parameters:
-
chain points to the start of the chain path filename to read the CRLs from (in PEM or DER encoding)
- Returns:
- 0 if successful, or a specific X509 or PEM error code
Definition at line 555 of file x509_crl.c.
int mbedtls_x509_crt_check_extended_key_usage | ( | const mbedtls_x509_crt * | crt, |
const char * | usage_oid, | ||
size_t | usage_len | ||
) |
Check usage of certificate against extentedJeyUsage.
- Parameters:
-
crt Leaf certificate used. usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or MBEDTLS_OID_CLIENT_AUTH). usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()).
- Returns:
- 0 if this use of the certificate is allowed, MBEDTLS_ERR_X509_BAD_INPUT_DATA if not.
- Note:
- Usually only makes sense on leaf certificates.
Definition at line 1577 of file x509_crt.c.
int mbedtls_x509_crt_check_key_usage | ( | const mbedtls_x509_crt * | crt, |
unsigned int | usage | ||
) |
Check usage of certificate against keyUsage extension.
- Parameters:
-
crt Leaf certificate used. usage Intended usage(s) (eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT before using the certificate to perform an RSA key exchange).
- Note:
- Except for decipherOnly and encipherOnly, a bit set in the usage argument means this bit MUST be set in the certificate. For decipherOnly and encipherOnly, it means that bit MAY be set.
- Returns:
- 0 is these uses of the certificate are allowed, MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension is present but does not match the usage argument.
- Note:
- You should only call this function on leaf certificates, on (intermediate) CAs the keyUsage extension is automatically checked by
mbedtls_x509_crt_verify()
.
Definition at line 1552 of file x509_crt.c.
void mbedtls_x509_crt_free | ( | mbedtls_x509_crt * | crt ) |
Unallocate all certificate data.
- Parameters:
-
crt Certificate chain to free
Definition at line 2346 of file x509_crt.c.
int mbedtls_x509_crt_info | ( | char * | buf, |
size_t | size, | ||
const char * | prefix, | ||
const mbedtls_x509_crt * | crt | ||
) |
Returns an informational string about the certificate.
- Parameters:
-
buf Buffer to write to size Maximum size of buffer prefix A line prefix crt The X509 certificate to represent
- Returns:
- The length of the string written (not including the terminated nul byte), or a negative error code.
Definition at line 1362 of file x509_crt.c.
void mbedtls_x509_crt_init | ( | mbedtls_x509_crt * | crt ) |
Initialize a certificate (chain)
- Parameters:
-
crt Certificate chain to initialize
Definition at line 2338 of file x509_crt.c.
int mbedtls_x509_crt_is_revoked | ( | const mbedtls_x509_crt * | crt, |
const mbedtls_x509_crl * | crl | ||
) |
Verify the certificate revocation status.
- Parameters:
-
crt a certificate to be verified crl the CRL to verify against
- Returns:
- 1 if the certificate is revoked, 0 otherwise
Definition at line 1612 of file x509_crt.c.
int mbedtls_x509_crt_parse | ( | mbedtls_x509_crt * | chain, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Parse one or more certificates and add them to the chained list.
Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.
- Parameters:
-
chain points to the start of the chain buf buffer holding the certificate data in PEM or DER format buflen size of the buffer (including the terminating null byte for PEM data)
- Returns:
- 0 if all certificates parsed successfully, a positive number if partly successful or a specific X509 or PEM error code
Definition at line 972 of file x509_crt.c.
int mbedtls_x509_crt_parse_der | ( | mbedtls_x509_crt * | chain, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Parse a single DER formatted certificate and add it to the chained list.
- Parameters:
-
chain points to the start of the chain buf buffer holding the certificate DER data buflen size of the buffer
- Returns:
- 0 if successful, or a specific X509 or PEM error code
Definition at line 921 of file x509_crt.c.
int mbedtls_x509_crt_parse_file | ( | mbedtls_x509_crt * | chain, |
const char * | path | ||
) |
Load one or more certificates and add them to the chained list.
Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.
- Parameters:
-
chain points to the start of the chain path filename to read the certificates from
- Returns:
- 0 if all certificates parsed successfully, a positive number if partly successful or a specific X509 or PEM error code
Definition at line 1087 of file x509_crt.c.
int mbedtls_x509_crt_parse_path | ( | mbedtls_x509_crt * | chain, |
const char * | path | ||
) |
Load one or more certificate files from a path and add them to the chained list.
Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.
- Parameters:
-
chain points to the start of the chain path directory / folder to read the certificate files from
- Returns:
- 0 if all certificates parsed successfully, a positive number if partly successful or a specific X509 or PEM error code
Definition at line 1104 of file x509_crt.c.
int mbedtls_x509_crt_verify | ( | mbedtls_x509_crt * | crt, |
mbedtls_x509_crt * | trust_ca, | ||
mbedtls_x509_crl * | ca_crl, | ||
const char * | cn, | ||
uint32_t * | flags, | ||
int(*)(void *, mbedtls_x509_crt *, int, uint32_t *) | f_vrfy, | ||
void * | p_vrfy | ||
) |
Verify the certificate signature.
The verify callback is a user-supplied callback that can clear / modify / add flags for a certificate. If set, the verification callback is called for each certificate in the chain (from the trust-ca down to the presented crt). The parameters for the callback are: (void *parameter, mbedtls_x509_crt *crt, int certificate_depth, int *flags). With the flags representing current flags for that specific certificate and the certificate depth from the bottom (Peer cert depth = 0).
All flags left after returning from the callback are also returned to the application. The function should return 0 for anything (including invalid certificates) other than fatal error, as a non-zero return code immediately aborts the verification process. For fatal errors, a specific error code should be used (different from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR can be used if no better code is available.
- Note:
- In case verification failed, the results can be displayed using
mbedtls_x509_crt_verify_info()
-
Same as
mbedtls_x509_crt_verify_with_profile()
with the default security profile. - It is your responsibility to provide up-to-date CRLs for all trusted CAs. If no CRL is provided for the CA that was used to sign the certificate, CRL verification is skipped silently, that is *without* setting any flag.
- Parameters:
-
crt a certificate (chain) to be verified trust_ca the list of trusted CAs ca_crl the list of CRLs for trusted CAs (see note above) cn expected Common Name (can be set to NULL if the CN must not be verified) flags result of the verification f_vrfy verification function p_vrfy verification parameter
- Returns:
- 0 (and flags set to 0) if the chain was verified and valid, MBEDTLS_ERR_X509_CERT_VERIFY_FAILED if the chain was verified but found to be invalid, in which case *flags will have one or more MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags set, or another error (and flags set to 0xffffffff) in case of a fatal error encountered during the verification process.
Definition at line 2178 of file x509_crt.c.
int mbedtls_x509_crt_verify_info | ( | char * | buf, |
size_t | size, | ||
const char * | prefix, | ||
uint32_t | flags | ||
) |
Returns an informational string about the verification status of a certificate.
- Parameters:
-
buf Buffer to write to size Maximum size of buffer prefix A line prefix flags Verification flags created by mbedtls_x509_crt_verify()
- Returns:
- The length of the string written (not including the terminated nul byte), or a negative error code.
Definition at line 1523 of file x509_crt.c.
int mbedtls_x509_crt_verify_with_profile | ( | mbedtls_x509_crt * | crt, |
mbedtls_x509_crt * | trust_ca, | ||
mbedtls_x509_crl * | ca_crl, | ||
const mbedtls_x509_crt_profile * | profile, | ||
const char * | cn, | ||
uint32_t * | flags, | ||
int(*)(void *, mbedtls_x509_crt *, int, uint32_t *) | f_vrfy, | ||
void * | p_vrfy | ||
) |
Verify the certificate signature according to profile.
- Note:
- Same as
mbedtls_x509_crt_verify()
, but with explicit security profile. - The restrictions on keys (RSA minimum size, allowed curves for ECDSA) apply to all certificates: trusted root, intermediate CAs if any, and end entity certificate.
- Parameters:
-
crt a certificate (chain) to be verified trust_ca the list of trusted CAs ca_crl the list of CRLs for trusted CAs profile security profile for verification cn expected Common Name (can be set to NULL if the CN must not be verified) flags result of the verification f_vrfy verification function p_vrfy verification parameter
- Returns:
- 0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED in which case *flags will have one or more MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags set, or another error in case of a fatal error encountered during the verification process.
Definition at line 2193 of file x509_crt.c.
void mbedtls_x509_csr_free | ( | mbedtls_x509_csr * | csr ) |
int mbedtls_x509_csr_info | ( | char * | buf, |
size_t | size, | ||
const char * | prefix, | ||
const mbedtls_x509_csr * | csr | ||
) |
Returns an informational string about the CSR.
- Parameters:
-
buf Buffer to write to size Maximum size of buffer prefix A line prefix csr The X509 CSR to represent
- Returns:
- The length of the string written (not including the terminated nul byte), or a negative error code.
Definition at line 340 of file x509_csr.c.
void mbedtls_x509_csr_init | ( | mbedtls_x509_csr * | csr ) |
int mbedtls_x509_csr_parse | ( | mbedtls_x509_csr * | csr, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Load a Certificate Signing Request (CSR), DER or PEM format.
- Note:
- See notes for
mbedtls_x509_csr_parse_der()
- Parameters:
-
csr CSR context to fill buf buffer holding the CRL data buflen size of the buffer (including the terminating null byte for PEM data)
- Returns:
- 0 if successful, or a specific X509 or PEM error code
Definition at line 266 of file x509_csr.c.
int mbedtls_x509_csr_parse_der | ( | mbedtls_x509_csr * | csr, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Load a Certificate Signing Request (CSR) in DER format.
- Note:
- CSR attributes (if any) are currently silently ignored.
- Parameters:
-
csr CSR context to fill buf buffer holding the CRL data buflen size of the buffer
- Returns:
- 0 if successful, or a specific X509 error code
Definition at line 94 of file x509_csr.c.
int mbedtls_x509_csr_parse_file | ( | mbedtls_x509_csr * | csr, |
const char * | path | ||
) |
Load a Certificate Signing Request (CSR)
- Note:
- See notes for
mbedtls_x509_csr_parse()
- Parameters:
-
csr CSR context to fill path filename to read the CSR from
- Returns:
- 0 if successful, or a specific X509 or PEM error code
Definition at line 317 of file x509_csr.c.
Variable Documentation
Default security profile.
Should provide a good balance between security and compatibility with current deployments.
Definition at line 86 of file x509_crt.c.
Expected next default profile.
Recommended for new deployments. Currently targets a 128-bit security level, except for RSA-2048.
Definition at line 105 of file x509_crt.c.
NSA Suite B profile.
Definition at line 130 of file x509_crt.c.
Generated on Sun Jul 17 2022 08:25:38 by 1.7.2