Greg Steiert / pegasus_dev

Important changes to repositories hosted on mbed.com

Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.

To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.

It is also possible to export all your personal repositories from the account settings page.

Dependents:   blinky_max32630fthr

features/mbedtls/inc/mbedtls/x509_crt.h@0:5c4d7b2438d3, 2016-11-11 (annotated)

Committer:
switches
Date:
Fri Nov 11 20:59:50 2016 +0000
Revision:
0:5c4d7b2438d3
Initial commit

Who changed what in which revision?

UserRevisionLine numberNew contents of line
switches 0:5c4d7b2438d3 1 /**
switches 0:5c4d7b2438d3 2 * \file x509_crt.h
switches 0:5c4d7b2438d3 3 *
switches 0:5c4d7b2438d3 4 * \brief X.509 certificate parsing and writing
switches 0:5c4d7b2438d3 5 *
switches 0:5c4d7b2438d3 6 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
switches 0:5c4d7b2438d3 7 * SPDX-License-Identifier: Apache-2.0
switches 0:5c4d7b2438d3 8 *
switches 0:5c4d7b2438d3 9 * Licensed under the Apache License, Version 2.0 (the "License"); you may
switches 0:5c4d7b2438d3 10 * not use this file except in compliance with the License.
switches 0:5c4d7b2438d3 11 * You may obtain a copy of the License at
switches 0:5c4d7b2438d3 12 *
switches 0:5c4d7b2438d3 13 * http://www.apache.org/licenses/LICENSE-2.0
switches 0:5c4d7b2438d3 14 *
switches 0:5c4d7b2438d3 15 * Unless required by applicable law or agreed to in writing, software
switches 0:5c4d7b2438d3 16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
switches 0:5c4d7b2438d3 17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
switches 0:5c4d7b2438d3 18 * See the License for the specific language governing permissions and
switches 0:5c4d7b2438d3 19 * limitations under the License.
switches 0:5c4d7b2438d3 20 *
switches 0:5c4d7b2438d3 21 * This file is part of mbed TLS (https://tls.mbed.org)
switches 0:5c4d7b2438d3 22 */
switches 0:5c4d7b2438d3 23 #ifndef MBEDTLS_X509_CRT_H
switches 0:5c4d7b2438d3 24 #define MBEDTLS_X509_CRT_H
switches 0:5c4d7b2438d3 25
switches 0:5c4d7b2438d3 26 #if !defined(MBEDTLS_CONFIG_FILE)
switches 0:5c4d7b2438d3 27 #include "config.h"
switches 0:5c4d7b2438d3 28 #else
switches 0:5c4d7b2438d3 29 #include MBEDTLS_CONFIG_FILE
switches 0:5c4d7b2438d3 30 #endif
switches 0:5c4d7b2438d3 31
switches 0:5c4d7b2438d3 32 #include "x509.h"
switches 0:5c4d7b2438d3 33 #include "x509_crl.h"
switches 0:5c4d7b2438d3 34
switches 0:5c4d7b2438d3 35 /**
switches 0:5c4d7b2438d3 36 * \addtogroup x509_module
switches 0:5c4d7b2438d3 37 * \{
switches 0:5c4d7b2438d3 38 */
switches 0:5c4d7b2438d3 39
switches 0:5c4d7b2438d3 40 #ifdef __cplusplus
switches 0:5c4d7b2438d3 41 extern "C" {
switches 0:5c4d7b2438d3 42 #endif
switches 0:5c4d7b2438d3 43
switches 0:5c4d7b2438d3 44 /**
switches 0:5c4d7b2438d3 45 * \name Structures and functions for parsing and writing X.509 certificates
switches 0:5c4d7b2438d3 46 * \{
switches 0:5c4d7b2438d3 47 */
switches 0:5c4d7b2438d3 48
switches 0:5c4d7b2438d3 49 /**
switches 0:5c4d7b2438d3 50 * Container for an X.509 certificate. The certificate may be chained.
switches 0:5c4d7b2438d3 51 */
switches 0:5c4d7b2438d3 52 typedef struct mbedtls_x509_crt
switches 0:5c4d7b2438d3 53 {
switches 0:5c4d7b2438d3 54 mbedtls_x509_buf raw; /**< The raw certificate data (DER). */
switches 0:5c4d7b2438d3 55 mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */
switches 0:5c4d7b2438d3 56
switches 0:5c4d7b2438d3 57 int version; /**< The X.509 version. (1=v1, 2=v2, 3=v3) */
switches 0:5c4d7b2438d3 58 mbedtls_x509_buf serial; /**< Unique id for certificate issued by a specific CA. */
switches 0:5c4d7b2438d3 59 mbedtls_x509_buf sig_oid; /**< Signature algorithm, e.g. sha1RSA */
switches 0:5c4d7b2438d3 60
switches 0:5c4d7b2438d3 61 mbedtls_x509_buf issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */
switches 0:5c4d7b2438d3 62 mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). Used for quick comparison. */
switches 0:5c4d7b2438d3 63
switches 0:5c4d7b2438d3 64 mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */
switches 0:5c4d7b2438d3 65 mbedtls_x509_name subject; /**< The parsed subject data (named information object). */
switches 0:5c4d7b2438d3 66
switches 0:5c4d7b2438d3 67 mbedtls_x509_time valid_from; /**< Start time of certificate validity. */
switches 0:5c4d7b2438d3 68 mbedtls_x509_time valid_to; /**< End time of certificate validity. */
switches 0:5c4d7b2438d3 69
switches 0:5c4d7b2438d3 70 mbedtls_pk_context pk; /**< Container for the public key context. */
switches 0:5c4d7b2438d3 71
switches 0:5c4d7b2438d3 72 mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */
switches 0:5c4d7b2438d3 73 mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
switches 0:5c4d7b2438d3 74 mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */
switches 0:5c4d7b2438d3 75 mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */
switches 0:5c4d7b2438d3 76
switches 0:5c4d7b2438d3 77 int ext_types; /**< Bit string containing detected and parsed extensions */
switches 0:5c4d7b2438d3 78 int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
switches 0:5c4d7b2438d3 79 int max_pathlen; /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */
switches 0:5c4d7b2438d3 80
switches 0:5c4d7b2438d3 81 unsigned int key_usage; /**< Optional key usage extension value: See the values in x509.h */
switches 0:5c4d7b2438d3 82
switches 0:5c4d7b2438d3 83 mbedtls_x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */
switches 0:5c4d7b2438d3 84
switches 0:5c4d7b2438d3 85 unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */
switches 0:5c4d7b2438d3 86
switches 0:5c4d7b2438d3 87 mbedtls_x509_buf sig; /**< Signature: hash of the tbs part signed with the private key. */
switches 0:5c4d7b2438d3 88 mbedtls_md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
switches 0:5c4d7b2438d3 89 mbedtls_pk_type_t sig_pk; /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
switches 0:5c4d7b2438d3 90 void *sig_opts; /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
switches 0:5c4d7b2438d3 91
switches 0:5c4d7b2438d3 92 struct mbedtls_x509_crt *next; /**< Next certificate in the CA-chain. */
switches 0:5c4d7b2438d3 93 }
switches 0:5c4d7b2438d3 94 mbedtls_x509_crt;
switches 0:5c4d7b2438d3 95
switches 0:5c4d7b2438d3 96 /**
switches 0:5c4d7b2438d3 97 * Build flag from an algorithm/curve identifier (pk, md, ecp)
switches 0:5c4d7b2438d3 98 * Since 0 is always XXX_NONE, ignore it.
switches 0:5c4d7b2438d3 99 */
switches 0:5c4d7b2438d3 100 #define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( id - 1 ) )
switches 0:5c4d7b2438d3 101
switches 0:5c4d7b2438d3 102 /**
switches 0:5c4d7b2438d3 103 * Security profile for certificate verification.
switches 0:5c4d7b2438d3 104 *
switches 0:5c4d7b2438d3 105 * All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG().
switches 0:5c4d7b2438d3 106 */
switches 0:5c4d7b2438d3 107 typedef struct
switches 0:5c4d7b2438d3 108 {
switches 0:5c4d7b2438d3 109 uint32_t allowed_mds; /**< MDs for signatures */
switches 0:5c4d7b2438d3 110 uint32_t allowed_pks; /**< PK algs for signatures */
switches 0:5c4d7b2438d3 111 uint32_t allowed_curves; /**< Elliptic curves for ECDSA */
switches 0:5c4d7b2438d3 112 uint32_t rsa_min_bitlen; /**< Minimum size for RSA keys */
switches 0:5c4d7b2438d3 113 }
switches 0:5c4d7b2438d3 114 mbedtls_x509_crt_profile;
switches 0:5c4d7b2438d3 115
switches 0:5c4d7b2438d3 116 #define MBEDTLS_X509_CRT_VERSION_1 0
switches 0:5c4d7b2438d3 117 #define MBEDTLS_X509_CRT_VERSION_2 1
switches 0:5c4d7b2438d3 118 #define MBEDTLS_X509_CRT_VERSION_3 2
switches 0:5c4d7b2438d3 119
switches 0:5c4d7b2438d3 120 #define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32
switches 0:5c4d7b2438d3 121 #define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15
switches 0:5c4d7b2438d3 122
switches 0:5c4d7b2438d3 123 #if !defined( MBEDTLS_X509_MAX_FILE_PATH_LEN )
switches 0:5c4d7b2438d3 124 #define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
switches 0:5c4d7b2438d3 125 #endif
switches 0:5c4d7b2438d3 126
switches 0:5c4d7b2438d3 127 /**
switches 0:5c4d7b2438d3 128 * Container for writing a certificate (CRT)
switches 0:5c4d7b2438d3 129 */
switches 0:5c4d7b2438d3 130 typedef struct mbedtls_x509write_cert
switches 0:5c4d7b2438d3 131 {
switches 0:5c4d7b2438d3 132 int version;
switches 0:5c4d7b2438d3 133 mbedtls_mpi serial;
switches 0:5c4d7b2438d3 134 mbedtls_pk_context *subject_key;
switches 0:5c4d7b2438d3 135 mbedtls_pk_context *issuer_key;
switches 0:5c4d7b2438d3 136 mbedtls_asn1_named_data *subject;
switches 0:5c4d7b2438d3 137 mbedtls_asn1_named_data *issuer;
switches 0:5c4d7b2438d3 138 mbedtls_md_type_t md_alg;
switches 0:5c4d7b2438d3 139 char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
switches 0:5c4d7b2438d3 140 char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
switches 0:5c4d7b2438d3 141 mbedtls_asn1_named_data *extensions;
switches 0:5c4d7b2438d3 142 }
switches 0:5c4d7b2438d3 143 mbedtls_x509write_cert;
switches 0:5c4d7b2438d3 144
switches 0:5c4d7b2438d3 145 #if defined(MBEDTLS_X509_CRT_PARSE_C)
switches 0:5c4d7b2438d3 146 /**
switches 0:5c4d7b2438d3 147 * Default security profile. Should provide a good balance between security
switches 0:5c4d7b2438d3 148 * and compatibility with current deployments.
switches 0:5c4d7b2438d3 149 */
switches 0:5c4d7b2438d3 150 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default;
switches 0:5c4d7b2438d3 151
switches 0:5c4d7b2438d3 152 /**
switches 0:5c4d7b2438d3 153 * Expected next default profile. Recommended for new deployments.
switches 0:5c4d7b2438d3 154 * Currently targets a 128-bit security level, except for RSA-2048.
switches 0:5c4d7b2438d3 155 */
switches 0:5c4d7b2438d3 156 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next;
switches 0:5c4d7b2438d3 157
switches 0:5c4d7b2438d3 158 /**
switches 0:5c4d7b2438d3 159 * NSA Suite B profile.
switches 0:5c4d7b2438d3 160 */
switches 0:5c4d7b2438d3 161 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb;
switches 0:5c4d7b2438d3 162
switches 0:5c4d7b2438d3 163 /**
switches 0:5c4d7b2438d3 164 * \brief Parse a single DER formatted certificate and add it
switches 0:5c4d7b2438d3 165 * to the chained list.
switches 0:5c4d7b2438d3 166 *
switches 0:5c4d7b2438d3 167 * \param chain points to the start of the chain
switches 0:5c4d7b2438d3 168 * \param buf buffer holding the certificate DER data
switches 0:5c4d7b2438d3 169 * \param buflen size of the buffer
switches 0:5c4d7b2438d3 170 *
switches 0:5c4d7b2438d3 171 * \return 0 if successful, or a specific X509 or PEM error code
switches 0:5c4d7b2438d3 172 */
switches 0:5c4d7b2438d3 173 int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *buf,
switches 0:5c4d7b2438d3 174 size_t buflen );
switches 0:5c4d7b2438d3 175
switches 0:5c4d7b2438d3 176 /**
switches 0:5c4d7b2438d3 177 * \brief Parse one or more certificates and add them
switches 0:5c4d7b2438d3 178 * to the chained list. Parses permissively. If some
switches 0:5c4d7b2438d3 179 * certificates can be parsed, the result is the number
switches 0:5c4d7b2438d3 180 * of failed certificates it encountered. If none complete
switches 0:5c4d7b2438d3 181 * correctly, the first error is returned.
switches 0:5c4d7b2438d3 182 *
switches 0:5c4d7b2438d3 183 * \param chain points to the start of the chain
switches 0:5c4d7b2438d3 184 * \param buf buffer holding the certificate data in PEM or DER format
switches 0:5c4d7b2438d3 185 * \param buflen size of the buffer
switches 0:5c4d7b2438d3 186 * (including the terminating null byte for PEM data)
switches 0:5c4d7b2438d3 187 *
switches 0:5c4d7b2438d3 188 * \return 0 if all certificates parsed successfully, a positive number
switches 0:5c4d7b2438d3 189 * if partly successful or a specific X509 or PEM error code
switches 0:5c4d7b2438d3 190 */
switches 0:5c4d7b2438d3 191 int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen );
switches 0:5c4d7b2438d3 192
switches 0:5c4d7b2438d3 193 #if defined(MBEDTLS_FS_IO)
switches 0:5c4d7b2438d3 194 /**
switches 0:5c4d7b2438d3 195 * \brief Load one or more certificates and add them
switches 0:5c4d7b2438d3 196 * to the chained list. Parses permissively. If some
switches 0:5c4d7b2438d3 197 * certificates can be parsed, the result is the number
switches 0:5c4d7b2438d3 198 * of failed certificates it encountered. If none complete
switches 0:5c4d7b2438d3 199 * correctly, the first error is returned.
switches 0:5c4d7b2438d3 200 *
switches 0:5c4d7b2438d3 201 * \param chain points to the start of the chain
switches 0:5c4d7b2438d3 202 * \param path filename to read the certificates from
switches 0:5c4d7b2438d3 203 *
switches 0:5c4d7b2438d3 204 * \return 0 if all certificates parsed successfully, a positive number
switches 0:5c4d7b2438d3 205 * if partly successful or a specific X509 or PEM error code
switches 0:5c4d7b2438d3 206 */
switches 0:5c4d7b2438d3 207 int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path );
switches 0:5c4d7b2438d3 208
switches 0:5c4d7b2438d3 209 /**
switches 0:5c4d7b2438d3 210 * \brief Load one or more certificate files from a path and add them
switches 0:5c4d7b2438d3 211 * to the chained list. Parses permissively. If some
switches 0:5c4d7b2438d3 212 * certificates can be parsed, the result is the number
switches 0:5c4d7b2438d3 213 * of failed certificates it encountered. If none complete
switches 0:5c4d7b2438d3 214 * correctly, the first error is returned.
switches 0:5c4d7b2438d3 215 *
switches 0:5c4d7b2438d3 216 * \param chain points to the start of the chain
switches 0:5c4d7b2438d3 217 * \param path directory / folder to read the certificate files from
switches 0:5c4d7b2438d3 218 *
switches 0:5c4d7b2438d3 219 * \return 0 if all certificates parsed successfully, a positive number
switches 0:5c4d7b2438d3 220 * if partly successful or a specific X509 or PEM error code
switches 0:5c4d7b2438d3 221 */
switches 0:5c4d7b2438d3 222 int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path );
switches 0:5c4d7b2438d3 223 #endif /* MBEDTLS_FS_IO */
switches 0:5c4d7b2438d3 224
switches 0:5c4d7b2438d3 225 /**
switches 0:5c4d7b2438d3 226 * \brief Returns an informational string about the
switches 0:5c4d7b2438d3 227 * certificate.
switches 0:5c4d7b2438d3 228 *
switches 0:5c4d7b2438d3 229 * \param buf Buffer to write to
switches 0:5c4d7b2438d3 230 * \param size Maximum size of buffer
switches 0:5c4d7b2438d3 231 * \param prefix A line prefix
switches 0:5c4d7b2438d3 232 * \param crt The X509 certificate to represent
switches 0:5c4d7b2438d3 233 *
switches 0:5c4d7b2438d3 234 * \return The length of the string written (not including the
switches 0:5c4d7b2438d3 235 * terminated nul byte), or a negative error code.
switches 0:5c4d7b2438d3 236 */
switches 0:5c4d7b2438d3 237 int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
switches 0:5c4d7b2438d3 238 const mbedtls_x509_crt *crt );
switches 0:5c4d7b2438d3 239
switches 0:5c4d7b2438d3 240 /**
switches 0:5c4d7b2438d3 241 * \brief Returns an informational string about the
switches 0:5c4d7b2438d3 242 * verification status of a certificate.
switches 0:5c4d7b2438d3 243 *
switches 0:5c4d7b2438d3 244 * \param buf Buffer to write to
switches 0:5c4d7b2438d3 245 * \param size Maximum size of buffer
switches 0:5c4d7b2438d3 246 * \param prefix A line prefix
switches 0:5c4d7b2438d3 247 * \param flags Verification flags created by mbedtls_x509_crt_verify()
switches 0:5c4d7b2438d3 248 *
switches 0:5c4d7b2438d3 249 * \return The length of the string written (not including the
switches 0:5c4d7b2438d3 250 * terminated nul byte), or a negative error code.
switches 0:5c4d7b2438d3 251 */
switches 0:5c4d7b2438d3 252 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
switches 0:5c4d7b2438d3 253 uint32_t flags );
switches 0:5c4d7b2438d3 254
switches 0:5c4d7b2438d3 255 /**
switches 0:5c4d7b2438d3 256 * \brief Verify the certificate signature
switches 0:5c4d7b2438d3 257 *
switches 0:5c4d7b2438d3 258 * The verify callback is a user-supplied callback that
switches 0:5c4d7b2438d3 259 * can clear / modify / add flags for a certificate. If set,
switches 0:5c4d7b2438d3 260 * the verification callback is called for each
switches 0:5c4d7b2438d3 261 * certificate in the chain (from the trust-ca down to the
switches 0:5c4d7b2438d3 262 * presented crt). The parameters for the callback are:
switches 0:5c4d7b2438d3 263 * (void *parameter, mbedtls_x509_crt *crt, int certificate_depth,
switches 0:5c4d7b2438d3 264 * int *flags). With the flags representing current flags for
switches 0:5c4d7b2438d3 265 * that specific certificate and the certificate depth from
switches 0:5c4d7b2438d3 266 * the bottom (Peer cert depth = 0).
switches 0:5c4d7b2438d3 267 *
switches 0:5c4d7b2438d3 268 * All flags left after returning from the callback
switches 0:5c4d7b2438d3 269 * are also returned to the application. The function should
switches 0:5c4d7b2438d3 270 * return 0 for anything but a fatal error.
switches 0:5c4d7b2438d3 271 *
switches 0:5c4d7b2438d3 272 * \note In case verification failed, the results can be displayed
switches 0:5c4d7b2438d3 273 * using \c mbedtls_x509_crt_verify_info()
switches 0:5c4d7b2438d3 274 *
switches 0:5c4d7b2438d3 275 * \note Same as \c mbedtls_x509_crt_verify_with_profile() with the
switches 0:5c4d7b2438d3 276 * default security profile.
switches 0:5c4d7b2438d3 277 *
switches 0:5c4d7b2438d3 278 * \note It is your responsibility to provide up-to-date CRLs for
switches 0:5c4d7b2438d3 279 * all trusted CAs. If no CRL is provided for the CA that was
switches 0:5c4d7b2438d3 280 * used to sign the certificate, CRL verification is skipped
switches 0:5c4d7b2438d3 281 * silently, that is *without* setting any flag.
switches 0:5c4d7b2438d3 282 *
switches 0:5c4d7b2438d3 283 * \param crt a certificate (chain) to be verified
switches 0:5c4d7b2438d3 284 * \param trust_ca the list of trusted CAs
switches 0:5c4d7b2438d3 285 * \param ca_crl the list of CRLs for trusted CAs (see note above)
switches 0:5c4d7b2438d3 286 * \param cn expected Common Name (can be set to
switches 0:5c4d7b2438d3 287 * NULL if the CN must not be verified)
switches 0:5c4d7b2438d3 288 * \param flags result of the verification
switches 0:5c4d7b2438d3 289 * \param f_vrfy verification function
switches 0:5c4d7b2438d3 290 * \param p_vrfy verification parameter
switches 0:5c4d7b2438d3 291 *
switches 0:5c4d7b2438d3 292 * \return 0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
switches 0:5c4d7b2438d3 293 * in which case *flags will have one or more
switches 0:5c4d7b2438d3 294 * MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags
switches 0:5c4d7b2438d3 295 * set,
switches 0:5c4d7b2438d3 296 * or another error in case of a fatal error encountered
switches 0:5c4d7b2438d3 297 * during the verification process.
switches 0:5c4d7b2438d3 298 */
switches 0:5c4d7b2438d3 299 int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
switches 0:5c4d7b2438d3 300 mbedtls_x509_crt *trust_ca,
switches 0:5c4d7b2438d3 301 mbedtls_x509_crl *ca_crl,
switches 0:5c4d7b2438d3 302 const char *cn, uint32_t *flags,
switches 0:5c4d7b2438d3 303 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
switches 0:5c4d7b2438d3 304 void *p_vrfy );
switches 0:5c4d7b2438d3 305
switches 0:5c4d7b2438d3 306 /**
switches 0:5c4d7b2438d3 307 * \brief Verify the certificate signature according to profile
switches 0:5c4d7b2438d3 308 *
switches 0:5c4d7b2438d3 309 * \note Same as \c mbedtls_x509_crt_verify(), but with explicit
switches 0:5c4d7b2438d3 310 * security profile.
switches 0:5c4d7b2438d3 311 *
switches 0:5c4d7b2438d3 312 * \note The restrictions on keys (RSA minimum size, allowed curves
switches 0:5c4d7b2438d3 313 * for ECDSA) apply to all certificates: trusted root,
switches 0:5c4d7b2438d3 314 * intermediate CAs if any, and end entity certificate.
switches 0:5c4d7b2438d3 315 *
switches 0:5c4d7b2438d3 316 * \param crt a certificate (chain) to be verified
switches 0:5c4d7b2438d3 317 * \param trust_ca the list of trusted CAs
switches 0:5c4d7b2438d3 318 * \param ca_crl the list of CRLs for trusted CAs
switches 0:5c4d7b2438d3 319 * \param profile security profile for verification
switches 0:5c4d7b2438d3 320 * \param cn expected Common Name (can be set to
switches 0:5c4d7b2438d3 321 * NULL if the CN must not be verified)
switches 0:5c4d7b2438d3 322 * \param flags result of the verification
switches 0:5c4d7b2438d3 323 * \param f_vrfy verification function
switches 0:5c4d7b2438d3 324 * \param p_vrfy verification parameter
switches 0:5c4d7b2438d3 325 *
switches 0:5c4d7b2438d3 326 * \return 0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
switches 0:5c4d7b2438d3 327 * in which case *flags will have one or more
switches 0:5c4d7b2438d3 328 * MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags
switches 0:5c4d7b2438d3 329 * set,
switches 0:5c4d7b2438d3 330 * or another error in case of a fatal error encountered
switches 0:5c4d7b2438d3 331 * during the verification process.
switches 0:5c4d7b2438d3 332 */
switches 0:5c4d7b2438d3 333 int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
switches 0:5c4d7b2438d3 334 mbedtls_x509_crt *trust_ca,
switches 0:5c4d7b2438d3 335 mbedtls_x509_crl *ca_crl,
switches 0:5c4d7b2438d3 336 const mbedtls_x509_crt_profile *profile,
switches 0:5c4d7b2438d3 337 const char *cn, uint32_t *flags,
switches 0:5c4d7b2438d3 338 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
switches 0:5c4d7b2438d3 339 void *p_vrfy );
switches 0:5c4d7b2438d3 340
switches 0:5c4d7b2438d3 341 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
switches 0:5c4d7b2438d3 342 /**
switches 0:5c4d7b2438d3 343 * \brief Check usage of certificate against keyUsage extension.
switches 0:5c4d7b2438d3 344 *
switches 0:5c4d7b2438d3 345 * \param crt Leaf certificate used.
switches 0:5c4d7b2438d3 346 * \param usage Intended usage(s) (eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT
switches 0:5c4d7b2438d3 347 * before using the certificate to perform an RSA key
switches 0:5c4d7b2438d3 348 * exchange).
switches 0:5c4d7b2438d3 349 *
switches 0:5c4d7b2438d3 350 * \note Except for decipherOnly and encipherOnly, a bit set in the
switches 0:5c4d7b2438d3 351 * usage argument means this bit MUST be set in the
switches 0:5c4d7b2438d3 352 * certificate. For decipherOnly and encipherOnly, it means
switches 0:5c4d7b2438d3 353 * that bit MAY be set.
switches 0:5c4d7b2438d3 354 *
switches 0:5c4d7b2438d3 355 * \return 0 is these uses of the certificate are allowed,
switches 0:5c4d7b2438d3 356 * MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension
switches 0:5c4d7b2438d3 357 * is present but does not match the usage argument.
switches 0:5c4d7b2438d3 358 *
switches 0:5c4d7b2438d3 359 * \note You should only call this function on leaf certificates, on
switches 0:5c4d7b2438d3 360 * (intermediate) CAs the keyUsage extension is automatically
switches 0:5c4d7b2438d3 361 * checked by \c mbedtls_x509_crt_verify().
switches 0:5c4d7b2438d3 362 */
switches 0:5c4d7b2438d3 363 int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
switches 0:5c4d7b2438d3 364 unsigned int usage );
switches 0:5c4d7b2438d3 365 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */
switches 0:5c4d7b2438d3 366
switches 0:5c4d7b2438d3 367 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
switches 0:5c4d7b2438d3 368 /**
switches 0:5c4d7b2438d3 369 * \brief Check usage of certificate against extentedJeyUsage.
switches 0:5c4d7b2438d3 370 *
switches 0:5c4d7b2438d3 371 * \param crt Leaf certificate used.
switches 0:5c4d7b2438d3 372 * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or MBEDTLS_OID_CLIENT_AUTH).
switches 0:5c4d7b2438d3 373 * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()).
switches 0:5c4d7b2438d3 374 *
switches 0:5c4d7b2438d3 375 * \return 0 if this use of the certificate is allowed,
switches 0:5c4d7b2438d3 376 * MBEDTLS_ERR_X509_BAD_INPUT_DATA if not.
switches 0:5c4d7b2438d3 377 *
switches 0:5c4d7b2438d3 378 * \note Usually only makes sense on leaf certificates.
switches 0:5c4d7b2438d3 379 */
switches 0:5c4d7b2438d3 380 int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
switches 0:5c4d7b2438d3 381 const char *usage_oid,
switches 0:5c4d7b2438d3 382 size_t usage_len );
switches 0:5c4d7b2438d3 383 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) */
switches 0:5c4d7b2438d3 384
switches 0:5c4d7b2438d3 385 #if defined(MBEDTLS_X509_CRL_PARSE_C)
switches 0:5c4d7b2438d3 386 /**
switches 0:5c4d7b2438d3 387 * \brief Verify the certificate revocation status
switches 0:5c4d7b2438d3 388 *
switches 0:5c4d7b2438d3 389 * \param crt a certificate to be verified
switches 0:5c4d7b2438d3 390 * \param crl the CRL to verify against
switches 0:5c4d7b2438d3 391 *
switches 0:5c4d7b2438d3 392 * \return 1 if the certificate is revoked, 0 otherwise
switches 0:5c4d7b2438d3 393 *
switches 0:5c4d7b2438d3 394 */
switches 0:5c4d7b2438d3 395 int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl );
switches 0:5c4d7b2438d3 396 #endif /* MBEDTLS_X509_CRL_PARSE_C */
switches 0:5c4d7b2438d3 397
switches 0:5c4d7b2438d3 398 /**
switches 0:5c4d7b2438d3 399 * \brief Initialize a certificate (chain)
switches 0:5c4d7b2438d3 400 *
switches 0:5c4d7b2438d3 401 * \param crt Certificate chain to initialize
switches 0:5c4d7b2438d3 402 */
switches 0:5c4d7b2438d3 403 void mbedtls_x509_crt_init( mbedtls_x509_crt *crt );
switches 0:5c4d7b2438d3 404
switches 0:5c4d7b2438d3 405 /**
switches 0:5c4d7b2438d3 406 * \brief Unallocate all certificate data
switches 0:5c4d7b2438d3 407 *
switches 0:5c4d7b2438d3 408 * \param crt Certificate chain to free
switches 0:5c4d7b2438d3 409 */
switches 0:5c4d7b2438d3 410 void mbedtls_x509_crt_free( mbedtls_x509_crt *crt );
switches 0:5c4d7b2438d3 411 #endif /* MBEDTLS_X509_CRT_PARSE_C */
switches 0:5c4d7b2438d3 412
switches 0:5c4d7b2438d3 413 /* \} name */
switches 0:5c4d7b2438d3 414 /* \} addtogroup x509_module */
switches 0:5c4d7b2438d3 415
switches 0:5c4d7b2438d3 416 #if defined(MBEDTLS_X509_CRT_WRITE_C)
switches 0:5c4d7b2438d3 417 /**
switches 0:5c4d7b2438d3 418 * \brief Initialize a CRT writing context
switches 0:5c4d7b2438d3 419 *
switches 0:5c4d7b2438d3 420 * \param ctx CRT context to initialize
switches 0:5c4d7b2438d3 421 */
switches 0:5c4d7b2438d3 422 void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx );
switches 0:5c4d7b2438d3 423
switches 0:5c4d7b2438d3 424 /**
switches 0:5c4d7b2438d3 425 * \brief Set the verion for a Certificate
switches 0:5c4d7b2438d3 426 * Default: MBEDTLS_X509_CRT_VERSION_3
switches 0:5c4d7b2438d3 427 *
switches 0:5c4d7b2438d3 428 * \param ctx CRT context to use
switches 0:5c4d7b2438d3 429 * \param version version to set (MBEDTLS_X509_CRT_VERSION_1, MBEDTLS_X509_CRT_VERSION_2 or
switches 0:5c4d7b2438d3 430 * MBEDTLS_X509_CRT_VERSION_3)
switches 0:5c4d7b2438d3 431 */
switches 0:5c4d7b2438d3 432 void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version );
switches 0:5c4d7b2438d3 433
switches 0:5c4d7b2438d3 434 /**
switches 0:5c4d7b2438d3 435 * \brief Set the serial number for a Certificate.
switches 0:5c4d7b2438d3 436 *
switches 0:5c4d7b2438d3 437 * \param ctx CRT context to use
switches 0:5c4d7b2438d3 438 * \param serial serial number to set
switches 0:5c4d7b2438d3 439 *
switches 0:5c4d7b2438d3 440 * \return 0 if successful
switches 0:5c4d7b2438d3 441 */
switches 0:5c4d7b2438d3 442 int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial );
switches 0:5c4d7b2438d3 443
switches 0:5c4d7b2438d3 444 /**
switches 0:5c4d7b2438d3 445 * \brief Set the validity period for a Certificate
switches 0:5c4d7b2438d3 446 * Timestamps should be in string format for UTC timezone
switches 0:5c4d7b2438d3 447 * i.e. "YYYYMMDDhhmmss"
switches 0:5c4d7b2438d3 448 * e.g. "20131231235959" for December 31st 2013
switches 0:5c4d7b2438d3 449 * at 23:59:59
switches 0:5c4d7b2438d3 450 *
switches 0:5c4d7b2438d3 451 * \param ctx CRT context to use
switches 0:5c4d7b2438d3 452 * \param not_before not_before timestamp
switches 0:5c4d7b2438d3 453 * \param not_after not_after timestamp
switches 0:5c4d7b2438d3 454 *
switches 0:5c4d7b2438d3 455 * \return 0 if timestamp was parsed successfully, or
switches 0:5c4d7b2438d3 456 * a specific error code
switches 0:5c4d7b2438d3 457 */
switches 0:5c4d7b2438d3 458 int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before,
switches 0:5c4d7b2438d3 459 const char *not_after );
switches 0:5c4d7b2438d3 460
switches 0:5c4d7b2438d3 461 /**
switches 0:5c4d7b2438d3 462 * \brief Set the issuer name for a Certificate
switches 0:5c4d7b2438d3 463 * Issuer names should contain a comma-separated list
switches 0:5c4d7b2438d3 464 * of OID types and values:
switches 0:5c4d7b2438d3 465 * e.g. "C=UK,O=ARM,CN=mbed TLS CA"
switches 0:5c4d7b2438d3 466 *
switches 0:5c4d7b2438d3 467 * \param ctx CRT context to use
switches 0:5c4d7b2438d3 468 * \param issuer_name issuer name to set
switches 0:5c4d7b2438d3 469 *
switches 0:5c4d7b2438d3 470 * \return 0 if issuer name was parsed successfully, or
switches 0:5c4d7b2438d3 471 * a specific error code
switches 0:5c4d7b2438d3 472 */
switches 0:5c4d7b2438d3 473 int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *ctx,
switches 0:5c4d7b2438d3 474 const char *issuer_name );
switches 0:5c4d7b2438d3 475
switches 0:5c4d7b2438d3 476 /**
switches 0:5c4d7b2438d3 477 * \brief Set the subject name for a Certificate
switches 0:5c4d7b2438d3 478 * Subject names should contain a comma-separated list
switches 0:5c4d7b2438d3 479 * of OID types and values:
switches 0:5c4d7b2438d3 480 * e.g. "C=UK,O=ARM,CN=mbed TLS Server 1"
switches 0:5c4d7b2438d3 481 *
switches 0:5c4d7b2438d3 482 * \param ctx CRT context to use
switches 0:5c4d7b2438d3 483 * \param subject_name subject name to set
switches 0:5c4d7b2438d3 484 *
switches 0:5c4d7b2438d3 485 * \return 0 if subject name was parsed successfully, or
switches 0:5c4d7b2438d3 486 * a specific error code
switches 0:5c4d7b2438d3 487 */
switches 0:5c4d7b2438d3 488 int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *ctx,
switches 0:5c4d7b2438d3 489 const char *subject_name );
switches 0:5c4d7b2438d3 490
switches 0:5c4d7b2438d3 491 /**
switches 0:5c4d7b2438d3 492 * \brief Set the subject public key for the certificate
switches 0:5c4d7b2438d3 493 *
switches 0:5c4d7b2438d3 494 * \param ctx CRT context to use
switches 0:5c4d7b2438d3 495 * \param key public key to include
switches 0:5c4d7b2438d3 496 */
switches 0:5c4d7b2438d3 497 void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key );
switches 0:5c4d7b2438d3 498
switches 0:5c4d7b2438d3 499 /**
switches 0:5c4d7b2438d3 500 * \brief Set the issuer key used for signing the certificate
switches 0:5c4d7b2438d3 501 *
switches 0:5c4d7b2438d3 502 * \param ctx CRT context to use
switches 0:5c4d7b2438d3 503 * \param key private key to sign with
switches 0:5c4d7b2438d3 504 */
switches 0:5c4d7b2438d3 505 void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key );
switches 0:5c4d7b2438d3 506
switches 0:5c4d7b2438d3 507 /**
switches 0:5c4d7b2438d3 508 * \brief Set the MD algorithm to use for the signature
switches 0:5c4d7b2438d3 509 * (e.g. MBEDTLS_MD_SHA1)
switches 0:5c4d7b2438d3 510 *
switches 0:5c4d7b2438d3 511 * \param ctx CRT context to use
switches 0:5c4d7b2438d3 512 * \param md_alg MD algorithm to use
switches 0:5c4d7b2438d3 513 */
switches 0:5c4d7b2438d3 514 void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg );
switches 0:5c4d7b2438d3 515
switches 0:5c4d7b2438d3 516 /**
switches 0:5c4d7b2438d3 517 * \brief Generic function to add to or replace an extension in the
switches 0:5c4d7b2438d3 518 * CRT
switches 0:5c4d7b2438d3 519 *
switches 0:5c4d7b2438d3 520 * \param ctx CRT context to use
switches 0:5c4d7b2438d3 521 * \param oid OID of the extension
switches 0:5c4d7b2438d3 522 * \param oid_len length of the OID
switches 0:5c4d7b2438d3 523 * \param critical if the extension is critical (per the RFC's definition)
switches 0:5c4d7b2438d3 524 * \param val value of the extension OCTET STRING
switches 0:5c4d7b2438d3 525 * \param val_len length of the value data
switches 0:5c4d7b2438d3 526 *
switches 0:5c4d7b2438d3 527 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
switches 0:5c4d7b2438d3 528 */
switches 0:5c4d7b2438d3 529 int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx,
switches 0:5c4d7b2438d3 530 const char *oid, size_t oid_len,
switches 0:5c4d7b2438d3 531 int critical,
switches 0:5c4d7b2438d3 532 const unsigned char *val, size_t val_len );
switches 0:5c4d7b2438d3 533
switches 0:5c4d7b2438d3 534 /**
switches 0:5c4d7b2438d3 535 * \brief Set the basicConstraints extension for a CRT
switches 0:5c4d7b2438d3 536 *
switches 0:5c4d7b2438d3 537 * \param ctx CRT context to use
switches 0:5c4d7b2438d3 538 * \param is_ca is this a CA certificate
switches 0:5c4d7b2438d3 539 * \param max_pathlen maximum length of certificate chains below this
switches 0:5c4d7b2438d3 540 * certificate (only for CA certificates, -1 is
switches 0:5c4d7b2438d3 541 * inlimited)
switches 0:5c4d7b2438d3 542 *
switches 0:5c4d7b2438d3 543 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
switches 0:5c4d7b2438d3 544 */
switches 0:5c4d7b2438d3 545 int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx,
switches 0:5c4d7b2438d3 546 int is_ca, int max_pathlen );
switches 0:5c4d7b2438d3 547
switches 0:5c4d7b2438d3 548 #if defined(MBEDTLS_SHA1_C)
switches 0:5c4d7b2438d3 549 /**
switches 0:5c4d7b2438d3 550 * \brief Set the subjectKeyIdentifier extension for a CRT
switches 0:5c4d7b2438d3 551 * Requires that mbedtls_x509write_crt_set_subject_key() has been
switches 0:5c4d7b2438d3 552 * called before
switches 0:5c4d7b2438d3 553 *
switches 0:5c4d7b2438d3 554 * \param ctx CRT context to use
switches 0:5c4d7b2438d3 555 *
switches 0:5c4d7b2438d3 556 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
switches 0:5c4d7b2438d3 557 */
switches 0:5c4d7b2438d3 558 int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx );
switches 0:5c4d7b2438d3 559
switches 0:5c4d7b2438d3 560 /**
switches 0:5c4d7b2438d3 561 * \brief Set the authorityKeyIdentifier extension for a CRT
switches 0:5c4d7b2438d3 562 * Requires that mbedtls_x509write_crt_set_issuer_key() has been
switches 0:5c4d7b2438d3 563 * called before
switches 0:5c4d7b2438d3 564 *
switches 0:5c4d7b2438d3 565 * \param ctx CRT context to use
switches 0:5c4d7b2438d3 566 *
switches 0:5c4d7b2438d3 567 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
switches 0:5c4d7b2438d3 568 */
switches 0:5c4d7b2438d3 569 int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx );
switches 0:5c4d7b2438d3 570 #endif /* MBEDTLS_SHA1_C */
switches 0:5c4d7b2438d3 571
switches 0:5c4d7b2438d3 572 /**
switches 0:5c4d7b2438d3 573 * \brief Set the Key Usage Extension flags
switches 0:5c4d7b2438d3 574 * (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN)
switches 0:5c4d7b2438d3 575 *
switches 0:5c4d7b2438d3 576 * \param ctx CRT context to use
switches 0:5c4d7b2438d3 577 * \param key_usage key usage flags to set
switches 0:5c4d7b2438d3 578 *
switches 0:5c4d7b2438d3 579 * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
switches 0:5c4d7b2438d3 580 */
switches 0:5c4d7b2438d3 581 int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
switches 0:5c4d7b2438d3 582 unsigned int key_usage );
switches 0:5c4d7b2438d3 583
switches 0:5c4d7b2438d3 584 /**
switches 0:5c4d7b2438d3 585 * \brief Set the Netscape Cert Type flags
switches 0:5c4d7b2438d3 586 * (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)
switches 0:5c4d7b2438d3 587 *
switches 0:5c4d7b2438d3 588 * \param ctx CRT context to use
switches 0:5c4d7b2438d3 589 * \param ns_cert_type Netscape Cert Type flags to set
switches 0:5c4d7b2438d3 590 *
switches 0:5c4d7b2438d3 591 * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
switches 0:5c4d7b2438d3 592 */
switches 0:5c4d7b2438d3 593 int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx,
switches 0:5c4d7b2438d3 594 unsigned char ns_cert_type );
switches 0:5c4d7b2438d3 595
switches 0:5c4d7b2438d3 596 /**
switches 0:5c4d7b2438d3 597 * \brief Free the contents of a CRT write context
switches 0:5c4d7b2438d3 598 *
switches 0:5c4d7b2438d3 599 * \param ctx CRT context to free
switches 0:5c4d7b2438d3 600 */
switches 0:5c4d7b2438d3 601 void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx );
switches 0:5c4d7b2438d3 602
switches 0:5c4d7b2438d3 603 /**
switches 0:5c4d7b2438d3 604 * \brief Write a built up certificate to a X509 DER structure
switches 0:5c4d7b2438d3 605 * Note: data is written at the end of the buffer! Use the
switches 0:5c4d7b2438d3 606 * return value to determine where you should start
switches 0:5c4d7b2438d3 607 * using the buffer
switches 0:5c4d7b2438d3 608 *
switches 0:5c4d7b2438d3 609 * \param ctx certificate to write away
switches 0:5c4d7b2438d3 610 * \param buf buffer to write to
switches 0:5c4d7b2438d3 611 * \param size size of the buffer
switches 0:5c4d7b2438d3 612 * \param f_rng RNG function (for signature, see note)
switches 0:5c4d7b2438d3 613 * \param p_rng RNG parameter
switches 0:5c4d7b2438d3 614 *
switches 0:5c4d7b2438d3 615 * \return length of data written if successful, or a specific
switches 0:5c4d7b2438d3 616 * error code
switches 0:5c4d7b2438d3 617 *
switches 0:5c4d7b2438d3 618 * \note f_rng may be NULL if RSA is used for signature and the
switches 0:5c4d7b2438d3 619 * signature is made offline (otherwise f_rng is desirable
switches 0:5c4d7b2438d3 620 * for countermeasures against timing attacks).
switches 0:5c4d7b2438d3 621 * ECDSA signatures always require a non-NULL f_rng.
switches 0:5c4d7b2438d3 622 */
switches 0:5c4d7b2438d3 623 int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
switches 0:5c4d7b2438d3 624 int (*f_rng)(void *, unsigned char *, size_t),
switches 0:5c4d7b2438d3 625 void *p_rng );
switches 0:5c4d7b2438d3 626
switches 0:5c4d7b2438d3 627 #if defined(MBEDTLS_PEM_WRITE_C)
switches 0:5c4d7b2438d3 628 /**
switches 0:5c4d7b2438d3 629 * \brief Write a built up certificate to a X509 PEM string
switches 0:5c4d7b2438d3 630 *
switches 0:5c4d7b2438d3 631 * \param ctx certificate to write away
switches 0:5c4d7b2438d3 632 * \param buf buffer to write to
switches 0:5c4d7b2438d3 633 * \param size size of the buffer
switches 0:5c4d7b2438d3 634 * \param f_rng RNG function (for signature, see note)
switches 0:5c4d7b2438d3 635 * \param p_rng RNG parameter
switches 0:5c4d7b2438d3 636 *
switches 0:5c4d7b2438d3 637 * \return 0 if successful, or a specific error code
switches 0:5c4d7b2438d3 638 *
switches 0:5c4d7b2438d3 639 * \note f_rng may be NULL if RSA is used for signature and the
switches 0:5c4d7b2438d3 640 * signature is made offline (otherwise f_rng is desirable
switches 0:5c4d7b2438d3 641 * for countermeasures against timing attacks).
switches 0:5c4d7b2438d3 642 * ECDSA signatures always require a non-NULL f_rng.
switches 0:5c4d7b2438d3 643 */
switches 0:5c4d7b2438d3 644 int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
switches 0:5c4d7b2438d3 645 int (*f_rng)(void *, unsigned char *, size_t),
switches 0:5c4d7b2438d3 646 void *p_rng );
switches 0:5c4d7b2438d3 647 #endif /* MBEDTLS_PEM_WRITE_C */
switches 0:5c4d7b2438d3 648 #endif /* MBEDTLS_X509_CRT_WRITE_C */
switches 0:5c4d7b2438d3 649
switches 0:5c4d7b2438d3 650 #ifdef __cplusplus
switches 0:5c4d7b2438d3 651 }
switches 0:5c4d7b2438d3 652 #endif
switches 0:5c4d7b2438d3 653
switches 0:5c4d7b2438d3 654 #endif /* mbedtls_x509_crt.h */