X.509 module#

mbedtls_x509_buf#

typedef mbedtls_asn1_buf mbedtls_x509_buf

Type-length-value structure that allows for ASN1 using DER.

mbedtls_x509_bitstring#

typedef mbedtls_asn1_bitstring mbedtls_x509_bitstring

Container for ASN1 bit strings.

mbedtls_x509_name#

typedef mbedtls_asn1_named_data mbedtls_x509_name

Container for ASN1 named information objects.

It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.).

mbedtls_x509_sequence#

typedef mbedtls_asn1_sequence mbedtls_x509_sequence

Container for a sequence of ASN.1 items.

mbedtls_x509_crt_restart_ctx#

typedef void mbedtls_x509_crt_restart_ctx

mbedtls_x509_crt_has_ext_type#

static int mbedtls_x509_crt_has_ext_type (const mbedtls_x509_crt * ctx, int ext_type)

Query certificate for given extension type.

Returns

• 0 if the given extension type is not present, non-zero otherwise

MBEDTLS_X509_ID_FLAG#

#define MBEDTLS_X509_ID_FLAG

(id)

Build flag from an algorithm/curve identifier (pk, md, ecp) Since 0 is always XXX_NONE, ignore it.

MBEDTLS_X509_CRT_VERSION_1#

#define MBEDTLS_X509_CRT_VERSION_1

0

MBEDTLS_X509_CRT_VERSION_2#

#define MBEDTLS_X509_CRT_VERSION_2

1

MBEDTLS_X509_CRT_VERSION_3#

#define MBEDTLS_X509_CRT_VERSION_3

2

MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN#

#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN

32

MBEDTLS_X509_RFC5280_UTC_TIME_LEN#

#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN

15

MBEDTLS_X509_MAX_FILE_PATH_LEN#

#define MBEDTLS_X509_MAX_FILE_PATH_LEN

512

MBEDTLS_X509_CRT_ERROR_INFO_LIST#

#define MBEDTLS_X509_CRT_ERROR_INFO_LIST

MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE#

#define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE

( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 )

Max size of verification chain: end-entity + intermediates + trusted root.

mbedtls_x509_crl_parse_der#

int mbedtls_x509_crl_parse_der (mbedtls_x509_crl * chain, const unsigned char * buf, size_t buflen)

Parse a DER-encoded CRL and append it to the chained list.

Returns

• 0 if successful, or a specific X509 or PEM error code

mbedtls_x509_crl_parse#

int mbedtls_x509_crl_parse (mbedtls_x509_crl * chain, const unsigned char * buf, size_t buflen)

Parse one or more CRLs and append them to the chained list.

Note

• Multiple CRLs are accepted only if using PEM format

Returns

• 0 if successful, or a specific X509 or PEM error code

mbedtls_x509_crl_info#

int mbedtls_x509_crl_info (char * buf, size_t size, const char * prefix, const mbedtls_x509_crl * crl)

Returns an informational string about the CRL.

Returns

• The length of the string written (not including the terminated nul byte), or a negative error code.

mbedtls_x509_crl_init#

void mbedtls_x509_crl_init (mbedtls_x509_crl * crl)

Initialize a CRL (chain)

mbedtls_x509_crl_free#

void mbedtls_x509_crl_free (mbedtls_x509_crl * crl)

Unallocate all CRL data.

MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE#

#define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE

-0x2080

Unavailable feature, e.g.

RSA hashing/encryption combination.

MBEDTLS_ERR_X509_UNKNOWN_OID#

#define MBEDTLS_ERR_X509_UNKNOWN_OID

-0x2100

Requested OID is unknown.

MBEDTLS_ERR_X509_INVALID_FORMAT#

#define MBEDTLS_ERR_X509_INVALID_FORMAT

-0x2180

The CRT/CRL/CSR format is invalid, e.g.

different type expected.

MBEDTLS_ERR_X509_INVALID_VERSION#

#define MBEDTLS_ERR_X509_INVALID_VERSION

-0x2200

The CRT/CRL/CSR version element is invalid.

MBEDTLS_ERR_X509_INVALID_SERIAL#

#define MBEDTLS_ERR_X509_INVALID_SERIAL

-0x2280

The serial tag or value is invalid.

MBEDTLS_ERR_X509_INVALID_ALG#

#define MBEDTLS_ERR_X509_INVALID_ALG

-0x2300

The algorithm tag or value is invalid.

MBEDTLS_ERR_X509_INVALID_NAME#

#define MBEDTLS_ERR_X509_INVALID_NAME

-0x2380

The name tag or value is invalid.

MBEDTLS_ERR_X509_INVALID_DATE#

#define MBEDTLS_ERR_X509_INVALID_DATE

-0x2400

The date tag or value is invalid.

MBEDTLS_ERR_X509_INVALID_SIGNATURE#

#define MBEDTLS_ERR_X509_INVALID_SIGNATURE

-0x2480

The signature tag or value invalid.

MBEDTLS_ERR_X509_INVALID_EXTENSIONS#

#define MBEDTLS_ERR_X509_INVALID_EXTENSIONS

-0x2500

The extension tag or value is invalid.

MBEDTLS_ERR_X509_UNKNOWN_VERSION#

#define MBEDTLS_ERR_X509_UNKNOWN_VERSION

-0x2580

CRT/CRL/CSR has an unsupported version number.

MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG#

#define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG

-0x2600

Signature algorithm (oid) is unsupported.

MBEDTLS_ERR_X509_SIG_MISMATCH#

#define MBEDTLS_ERR_X509_SIG_MISMATCH

-0x2680

Signature algorithms do not match.

(see mbedtls_x509_crt sig_oid)

MBEDTLS_ERR_X509_CERT_VERIFY_FAILED#

#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED

-0x2700

Certificate verification failed, e.g.

CRL, CA or signature check failed.

MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT#

#define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT

-0x2780

Format not recognized as DER or PEM.

MBEDTLS_ERR_X509_BAD_INPUT_DATA#

#define MBEDTLS_ERR_X509_BAD_INPUT_DATA

-0x2800

Input invalid.

MBEDTLS_ERR_X509_ALLOC_FAILED#

#define MBEDTLS_ERR_X509_ALLOC_FAILED

-0x2880

Allocation of memory failed.

MBEDTLS_ERR_X509_FILE_IO_ERROR#

#define MBEDTLS_ERR_X509_FILE_IO_ERROR

-0x2900

Read/write of file failed.

MBEDTLS_ERR_X509_BUFFER_TOO_SMALL#

#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL

-0x2980

Destination buffer is too small.

MBEDTLS_ERR_X509_FATAL_ERROR#

#define MBEDTLS_ERR_X509_FATAL_ERROR

-0x3000

A fatal error occurred, eg the chain is too long or the vrfy callback failed.

MBEDTLS_X509_BADCERT_EXPIRED#

#define MBEDTLS_X509_BADCERT_EXPIRED

0x01

The certificate validity has expired.

MBEDTLS_X509_BADCERT_REVOKED#

#define MBEDTLS_X509_BADCERT_REVOKED

0x02

The certificate has been revoked (is on a CRL).

MBEDTLS_X509_BADCERT_CN_MISMATCH#

#define MBEDTLS_X509_BADCERT_CN_MISMATCH

0x04

The certificate Common Name (CN) does not match with the expected CN.

MBEDTLS_X509_BADCERT_NOT_TRUSTED#

#define MBEDTLS_X509_BADCERT_NOT_TRUSTED

0x08

The certificate is not correctly signed by the trusted CA.

MBEDTLS_X509_BADCRL_NOT_TRUSTED#

#define MBEDTLS_X509_BADCRL_NOT_TRUSTED

0x10

The CRL is not correctly signed by the trusted CA.

MBEDTLS_X509_BADCRL_EXPIRED#

#define MBEDTLS_X509_BADCRL_EXPIRED

0x20

The CRL is expired.

MBEDTLS_X509_BADCERT_MISSING#

#define MBEDTLS_X509_BADCERT_MISSING

0x40

Certificate was missing.

MBEDTLS_X509_BADCERT_SKIP_VERIFY#

#define MBEDTLS_X509_BADCERT_SKIP_VERIFY

0x80

Certificate verification was skipped.

MBEDTLS_X509_BADCERT_OTHER#

#define MBEDTLS_X509_BADCERT_OTHER

0x0100

Other reason (can be used by verify callback)

MBEDTLS_X509_BADCERT_FUTURE#

#define MBEDTLS_X509_BADCERT_FUTURE

0x0200

The certificate validity starts in the future.

MBEDTLS_X509_BADCRL_FUTURE#

#define MBEDTLS_X509_BADCRL_FUTURE

0x0400

The CRL is from the future.

MBEDTLS_X509_BADCERT_KEY_USAGE#

#define MBEDTLS_X509_BADCERT_KEY_USAGE

0x0800

Usage does not match the keyUsage extension.

MBEDTLS_X509_BADCERT_EXT_KEY_USAGE#

#define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE

0x1000

Usage does not match the extendedKeyUsage extension.

MBEDTLS_X509_BADCERT_NS_CERT_TYPE#

#define MBEDTLS_X509_BADCERT_NS_CERT_TYPE

0x2000

Usage does not match the nsCertType extension.

MBEDTLS_X509_BADCERT_BAD_MD#

#define MBEDTLS_X509_BADCERT_BAD_MD

0x4000

The certificate is signed with an unacceptable hash.

MBEDTLS_X509_BADCERT_BAD_PK#

#define MBEDTLS_X509_BADCERT_BAD_PK

0x8000

The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA).

MBEDTLS_X509_BADCERT_BAD_KEY#

#define MBEDTLS_X509_BADCERT_BAD_KEY

0x010000

The certificate is signed with an unacceptable key (eg bad curve, RSA too short).

MBEDTLS_X509_BADCRL_BAD_MD#

#define MBEDTLS_X509_BADCRL_BAD_MD

0x020000

The CRL is signed with an unacceptable hash.

MBEDTLS_X509_BADCRL_BAD_PK#

#define MBEDTLS_X509_BADCRL_BAD_PK

0x040000

The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA).

MBEDTLS_X509_BADCRL_BAD_KEY#

#define MBEDTLS_X509_BADCRL_BAD_KEY

0x080000

The CRL is signed with an unacceptable key (eg bad curve, RSA too short).

mbedtls_x509_dn_gets#

int mbedtls_x509_dn_gets (char * buf, size_t size, const mbedtls_x509_name * dn)

Store the certificate DN in printable form into buf; no more than size characters will be written.

Returns

• The length of the string written (not including the terminated nul byte), or a negative error code.

mbedtls_x509_dn_get_next#

static mbedtls_x509_name * mbedtls_x509_dn_get_next (mbedtls_x509_name * dn)

Return the next relative DN in an X509 name.

Note

• Intended use is to compare function result to dn->next in order to detect boundaries of multi-valued RDNs.

Returns

• Pointer to the first attribute-value pair of the next RDN in sequence, or NULL if end is reached.

mbedtls_x509_serial_gets#

int mbedtls_x509_serial_gets (char * buf, size_t size, const mbedtls_x509_buf * serial)

Store the certificate serial in printable form into buf; no more than size characters will be written.

Returns

• The length of the string written (not including the terminated nul byte), or a negative error code.

mbedtls_x509_time_is_past#

int mbedtls_x509_time_is_past (const mbedtls_x509_time * to)

Check a given mbedtls_x509_time against the system time and tell if it's in the past.

Note

• Intended usage is "if( is_past( valid_to ) ) ERROR". Hence the return value of 1 if on internal errors.

Returns

• 1 if the given time is in the past or an error occurred, 0 otherwise.

mbedtls_x509_time_is_future#

int mbedtls_x509_time_is_future (const mbedtls_x509_time * from)

Check a given mbedtls_x509_time against the system time and tell if it's in the future.

Note

• Intended usage is "if( is_future( valid_from ) ) ERROR". Hence the return value of 1 if on internal errors.

Returns

• 1 if the given time is in the future or an error occurred, 0 otherwise.

MBEDTLS_X509_MAX_INTERMEDIATE_CA#

#define MBEDTLS_X509_MAX_INTERMEDIATE_CA

8

Maximum number of intermediate CAs in a verification chain.

That is, maximum length of the chain, excluding the end-entity certificate and the trusted root certificate.

Set this to a low value to prevent an adversary from making you waste resources verifying an overlong certificate chain.