X509_module
Description
Data Structures |
|
| struct | mbedtls_x509_crl_entry |
|
Certificate revocation list entry.
|
|
| struct | mbedtls_x509_crl |
|
Certificate revocation list structure.
|
|
| struct | mbedtls_x509_csr |
|
Certificate Signing Request (CSR) structure.
|
|
| struct | mbedtls_x509write_csr |
|
Container for writing a CSR.
|
|
| struct | mbedtls_x509_crt |
|
Container for an X.509 certificate.
|
|
| struct | mbedtls_x509_san_other_name |
|
From RFC 5280 section 4.2.1.6: OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY DEFINED BY type-id }.
|
|
| struct | mbedtls_x509_subject_alternative_name |
|
A structure for holding the parsed Subject Alternative Name, according to type.
|
|
| struct | mbedtls_x509_crt_profile |
|
Security profile for certificate verification.
|
|
| struct | mbedtls_x509write_cert |
|
Container for writing a certificate (CRT)
|
|
| struct | mbedtls_x509_crt_verify_chain_item |
|
Item in a verification chain: cert and flags for it.
|
|
| struct | mbedtls_x509_crt_verify_chain |
Verification chain as built by
mbedtls_crt_verify_chain()
|
|
| struct | mbedtls_x509_time |
|
Container for date and time (precision in seconds).
|
|
Functions |
|
| int | mbedtls_x509_dn_gets (char *buf, size_t size, const mbedtls_x509_name *dn) |
|
Store the certificate DN in printable form into buf; no more than size characters will be written.
|
|
| int | mbedtls_x509_serial_gets (char *buf, size_t size, const mbedtls_x509_buf *serial) |
|
Store the certificate serial in printable form into buf; no more than size characters will be written.
|
|
| int | mbedtls_x509_time_is_past (const mbedtls_x509_time *to) |
|
Check a given
mbedtls_x509_time
against the system time and tell if it's in the past.
|
|
| int | mbedtls_x509_time_is_future (const mbedtls_x509_time *from) |
|
Check a given
mbedtls_x509_time
against the system time and tell if it's in the future.
|
|
Macros |
|
| #define | MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 |
|
Maximum number of intermediate CAs in a verification chain.
|
|
Structures and functions for parsing CRLs |
|
| int | mbedtls_x509_crl_parse_der ( mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen) |
|
Parse a DER-encoded CRL and append it to the chained list.
|
|
| int | mbedtls_x509_crl_parse ( mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen) |
|
Parse one or more CRLs and append them to the chained list.
|
|
| int | mbedtls_x509_crl_info (char *buf, size_t size, const char *prefix, const mbedtls_x509_crl *crl) |
|
Returns an informational string about the CRL.
|
|
| void | mbedtls_x509_crl_init ( mbedtls_x509_crl *crl) |
|
Initialize a CRL (chain)
|
|
| void | mbedtls_x509_crl_free ( mbedtls_x509_crl *crl) |
|
Unallocate all CRL data.
|
|
Structures and functions for parsing and writing X.509 certificates |
|
| typedef void | mbedtls_x509_crt_restart_ctx |
| #define | MBEDTLS_X509_ID_FLAG (id) ( 1 << ( (id) - 1 ) ) |
|
Build a flag bit from an algorithm/curve identifier (pk, md, ecp). Since identifier 0 is always XXX_NONE it is not given a bit: the expansion is 1 << ((id) - 1), so the macro must only be used with id >= 1 (id == 0 would be a negative shift count).
|
|
| #define | MBEDTLS_X509_CRT_VERSION_1 0 |
| #define | MBEDTLS_X509_CRT_VERSION_2 1 |
| #define | MBEDTLS_X509_CRT_VERSION_3 2 |
| #define | MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32 |
| #define | MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15 |
| #define | MBEDTLS_X509_MAX_FILE_PATH_LEN 512 |
| #define | MBEDTLS_X509_CRT_ERROR_INFO_LIST |
| #define | MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 ) |
|
Max size of verification chain: end-entity + intermediates + trusted root.
|
|
X509 Error codes |
|
| #define | MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE -0x2080 |
|
Unavailable feature, e.g. an unsupported RSA hashing/encryption combination.
|
|
| #define | MBEDTLS_ERR_X509_UNKNOWN_OID -0x2100 |
|
Requested OID is unknown.
|
|
| #define | MBEDTLS_ERR_X509_INVALID_FORMAT -0x2180 |
|
The CRT/CRL/CSR format is invalid, e.g. a different ASN.1 type was expected.
|
|
| #define | MBEDTLS_ERR_X509_INVALID_VERSION -0x2200 |
|
The CRT/CRL/CSR version element is invalid.
|
|
| #define | MBEDTLS_ERR_X509_INVALID_SERIAL -0x2280 |
|
The serial tag or value is invalid.
|
|
| #define | MBEDTLS_ERR_X509_INVALID_ALG -0x2300 |
|
The algorithm tag or value is invalid.
|
|
| #define | MBEDTLS_ERR_X509_INVALID_NAME -0x2380 |
|
The name tag or value is invalid.
|
|
| #define | MBEDTLS_ERR_X509_INVALID_DATE -0x2400 |
|
The date tag or value is invalid.
|
|
| #define | MBEDTLS_ERR_X509_INVALID_SIGNATURE -0x2480 |
|
The signature tag or value is invalid.
|
|
| #define | MBEDTLS_ERR_X509_INVALID_EXTENSIONS -0x2500 |
|
The extension tag or value is invalid.
|
|
| #define | MBEDTLS_ERR_X509_UNKNOWN_VERSION -0x2580 |
|
CRT/CRL/CSR has an unsupported version number.
|
|
| #define | MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG -0x2600 |
|
Signature algorithm (oid) is unsupported.
|
|
| #define | MBEDTLS_ERR_X509_SIG_MISMATCH -0x2680 |
|
Signature algorithms do not match.
|
|
| #define | MBEDTLS_ERR_X509_CERT_VERIFY_FAILED -0x2700 |
|
Certificate verification failed, e.g. the CRL, CA or signature check failed.
|
|
| #define | MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT -0x2780 |
|
Format not recognized as DER or PEM.
|
|
| #define | MBEDTLS_ERR_X509_BAD_INPUT_DATA -0x2800 |
|
Input invalid.
|
|
| #define | MBEDTLS_ERR_X509_ALLOC_FAILED -0x2880 |
|
Allocation of memory failed.
|
|
| #define | MBEDTLS_ERR_X509_FILE_IO_ERROR -0x2900 |
|
Read/write of file failed.
|
|
| #define | MBEDTLS_ERR_X509_BUFFER_TOO_SMALL -0x2980 |
|
Destination buffer is too small.
|
|
| #define | MBEDTLS_ERR_X509_FATAL_ERROR -0x3000 |
|
A fatal error occurred, e.g. the chain is too long or the verify callback failed.
|
|
X509 Verify codes |
|
| #define | MBEDTLS_X509_BADCERT_EXPIRED 0x01 |
|
The certificate validity has expired.
|
|
| #define | MBEDTLS_X509_BADCERT_REVOKED 0x02 |
|
The certificate has been revoked (is on a CRL).
|
|
| #define | MBEDTLS_X509_BADCERT_CN_MISMATCH 0x04 |
|
The certificate Common Name (CN) does not match the expected CN.
|
|
| #define | MBEDTLS_X509_BADCERT_NOT_TRUSTED 0x08 |
|
The certificate is not correctly signed by the trusted CA.
|
|
| #define | MBEDTLS_X509_BADCRL_NOT_TRUSTED 0x10 |
|
The CRL is not correctly signed by the trusted CA.
|
|
| #define | MBEDTLS_X509_BADCRL_EXPIRED 0x20 |
|
The CRL is expired.
|
|
| #define | MBEDTLS_X509_BADCERT_MISSING 0x40 |
|
Certificate was missing.
|
|
| #define | MBEDTLS_X509_BADCERT_SKIP_VERIFY 0x80 |
|
Certificate verification was skipped; the certificate has not been validated and must not be treated as trusted.
|
|
| #define | MBEDTLS_X509_BADCERT_OTHER 0x0100 |
|
Other reason (can be used by verify callback)
|
|
| #define | MBEDTLS_X509_BADCERT_FUTURE 0x0200 |
|
The certificate validity starts in the future.
|
|
| #define | MBEDTLS_X509_BADCRL_FUTURE 0x0400 |
|
The CRL is from the future.
|
|
| #define | MBEDTLS_X509_BADCERT_KEY_USAGE 0x0800 |
|
Usage does not match the keyUsage extension.
|
|
| #define | MBEDTLS_X509_BADCERT_EXT_KEY_USAGE 0x1000 |
|
Usage does not match the extendedKeyUsage extension.
|
|
| #define | MBEDTLS_X509_BADCERT_NS_CERT_TYPE 0x2000 |
|
Usage does not match the nsCertType extension.
|
|
| #define | MBEDTLS_X509_BADCERT_BAD_MD 0x4000 |
|
The certificate is signed with an unacceptable hash.
|
|
| #define | MBEDTLS_X509_BADCERT_BAD_PK 0x8000 |
|
The certificate is signed with an unacceptable PK algorithm (e.g. RSA vs ECDSA).
|
|
| #define | MBEDTLS_X509_BADCERT_BAD_KEY 0x010000 |
|
The certificate is signed with an unacceptable key (e.g. bad curve, RSA key too short).
|
|
| #define | MBEDTLS_X509_BADCRL_BAD_MD 0x020000 |
|
The CRL is signed with an unacceptable hash.
|
|
| #define | MBEDTLS_X509_BADCRL_BAD_PK 0x040000 |
|
The CRL is signed with an unacceptable PK algorithm (e.g. RSA vs ECDSA).
|
|
| #define | MBEDTLS_X509_BADCRL_BAD_KEY 0x080000 |
|
The CRL is signed with an unacceptable key (e.g. bad curve, RSA key too short).
|
|
Structures for parsing X.509 certificates, CRLs and CSRs |
|
| typedef mbedtls_asn1_buf | mbedtls_x509_buf |
|
Type-length-value structure that allows for ASN1 using DER.
|
|
| typedef mbedtls_asn1_bitstring | mbedtls_x509_bitstring |
|
Container for ASN1 bit strings.
|
|
| typedef mbedtls_asn1_named_data | mbedtls_x509_name |
|
Container for ASN1 named information objects.
|
|
| typedef mbedtls_asn1_sequence | mbedtls_x509_sequence |
|
Container for a sequence of ASN.1 items.
|
|
Function Documentation
◆ mbedtls_x509_crl_parse_der()
| int mbedtls_x509_crl_parse_der | ( | mbedtls_x509_crl * |
chain,
|
| const unsigned char * |
buf,
|
||
| size_t |
buflen
|
||
| ) |
Parse a DER-encoded CRL and append it to the chained list.
- Parameters
-
chain: points to the start of the chain. buf: buffer holding the CRL data in DER format. buflen: size of the buffer in bytes (DER input is binary and carries no terminating null byte; the "including the terminating null byte" rule applies only to PEM input passed to mbedtls_x509_crl_parse()).
- Returns
- 0 if successful, or a specific X509 or PEM error code
◆ mbedtls_x509_crl_parse()
| int mbedtls_x509_crl_parse | ( | mbedtls_x509_crl * |
chain,
|
| const unsigned char * |
buf,
|
||
| size_t |
buflen
|
||
| ) |
Parse one or more CRLs and append them to the chained list.
- Note
Multiple CRLs are accepted only when using PEM format; a DER buffer is parsed as a single CRL.
- Parameters
-
chain: points to the start of the chain. buf: buffer holding the CRL data in PEM or DER format. buflen: size of the buffer; for PEM data the buffer must be null-terminated and buflen must include that terminating null byte.
- Returns
- 0 if successful, or a specific X509 or PEM error code
◆ mbedtls_x509_crl_info()
| int mbedtls_x509_crl_info | ( | char * |
buf,
|
| size_t |
size,
|
||
| const char * |
prefix,
|
||
| const mbedtls_x509_crl * |
crl
|
||
| ) |
Returns an informational string about the CRL.
- Parameters
-
buf: buffer to write to. size: maximum size of the buffer. prefix: a line prefix. crl: the X509 CRL to represent.
- Returns
The length of the string written (not including the terminating nul byte), or a negative error code.
◆ mbedtls_x509_crl_init()
| void mbedtls_x509_crl_init | ( | mbedtls_x509_crl * |
crl
|
) |
Initialize a CRL (chain)
- Parameters
-
crlCRL chain to initialize
◆ mbedtls_x509_crl_free()
| void mbedtls_x509_crl_free | ( | mbedtls_x509_crl * |
crl
|
) |
Unallocate all CRL data.
- Parameters
-
crlCRL chain to free
◆ mbedtls_x509_dn_gets()
| int mbedtls_x509_dn_gets | ( | char * |
buf,
|
| size_t |
size,
|
||
| const mbedtls_x509_name * |
dn
|
||
| ) |
Store the certificate DN in printable form into buf; no more than size characters will be written.
- Parameters
-
buf: buffer to write to. size: maximum size of the buffer. dn: the X509 name to represent.
- Returns
The length of the string written (not including the terminating nul byte), or a negative error code.
◆ mbedtls_x509_serial_gets()
| int mbedtls_x509_serial_gets | ( | char * |
buf,
|
| size_t |
size,
|
||
| const mbedtls_x509_buf * |
serial
|
||
| ) |
Store the certificate serial in printable form into buf; no more than size characters will be written.
- Parameters
-
buf: buffer to write to. size: maximum size of the buffer. serial: the X509 serial to represent.
- Returns
The length of the string written (not including the terminating nul byte), or a negative error code.
◆ mbedtls_x509_time_is_past()
| int mbedtls_x509_time_is_past | ( | const mbedtls_x509_time * |
to
|
) |
Check a given mbedtls_x509_time against the system time and tell if it's in the past.
- Note
Intended usage is "if( is_past( valid_to ) ) ERROR". The function therefore fails closed: it returns 1 on internal errors as well, so an unreadable system time or an invalid date is treated as "expired" rather than as "still valid".
- Parameters
-
to: the mbedtls_x509_time to check.
- Returns
- 1 if the given time is in the past or an error occurred, 0 otherwise.
◆ mbedtls_x509_time_is_future()
| int mbedtls_x509_time_is_future | ( | const mbedtls_x509_time * |
from
|
) |
Check a given mbedtls_x509_time against the system time and tell if it's in the future.
- Note
Intended usage is "if( is_future( valid_from ) ) ERROR". The function therefore fails closed: it returns 1 on internal errors as well, so an unreadable system time or an invalid date is treated as "not yet valid" rather than as "valid".
- Parameters
-
from: the mbedtls_x509_time to check.
- Returns
- 1 if the given time is in the future or an error occurred, 0 otherwise.
Macro Definition Documentation
◆ MBEDTLS_X509_ID_FLAG
| #define MBEDTLS_X509_ID_FLAG | ( |
id
|
) | ( 1 << ( (id) - 1 ) ) |
Build a flag bit from an algorithm/curve identifier (pk, md, ecp). Since identifier 0 is always XXX_NONE it is not given a bit: the expansion is 1 << ((id) - 1), so the macro must only be used with id >= 1 (id == 0 would be a negative shift count).
◆ MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE
| #define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 ) |
Max size of verification chain: end-entity + intermediates + trusted root.
◆ MBEDTLS_X509_MAX_INTERMEDIATE_CA
| #define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 |
Maximum number of intermediate CAs in a verification chain.
That is, the maximum length of the chain, excluding the end-entity certificate and the trusted root certificate.
Keep this value low: an adversary controlling the peer's certificate chain can otherwise make the verifier spend resources (signature checks, memory) on an overlong chain before it is rejected; exceeding the limit yields MBEDTLS_ERR_X509_FATAL_ERROR.
◆ MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE
| #define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE -0x2080 |
Unavailable feature, e.g. an unsupported RSA hashing/encryption combination.
◆ MBEDTLS_ERR_X509_UNKNOWN_OID
| #define MBEDTLS_ERR_X509_UNKNOWN_OID -0x2100 |
Requested OID is unknown.
◆ MBEDTLS_ERR_X509_INVALID_FORMAT
| #define MBEDTLS_ERR_X509_INVALID_FORMAT -0x2180 |
The CRT/CRL/CSR format is invalid, e.g. a different ASN.1 type was expected.
◆ MBEDTLS_ERR_X509_INVALID_VERSION
| #define MBEDTLS_ERR_X509_INVALID_VERSION -0x2200 |
The CRT/CRL/CSR version element is invalid.
◆ MBEDTLS_ERR_X509_INVALID_SERIAL
| #define MBEDTLS_ERR_X509_INVALID_SERIAL -0x2280 |
The serial tag or value is invalid.
◆ MBEDTLS_ERR_X509_INVALID_ALG
| #define MBEDTLS_ERR_X509_INVALID_ALG -0x2300 |
The algorithm tag or value is invalid.
◆ MBEDTLS_ERR_X509_INVALID_NAME
| #define MBEDTLS_ERR_X509_INVALID_NAME -0x2380 |
The name tag or value is invalid.
◆ MBEDTLS_ERR_X509_INVALID_DATE
| #define MBEDTLS_ERR_X509_INVALID_DATE -0x2400 |
The date tag or value is invalid.
◆ MBEDTLS_ERR_X509_INVALID_SIGNATURE
| #define MBEDTLS_ERR_X509_INVALID_SIGNATURE -0x2480 |
The signature tag or value is invalid.
◆ MBEDTLS_ERR_X509_INVALID_EXTENSIONS
| #define MBEDTLS_ERR_X509_INVALID_EXTENSIONS -0x2500 |
The extension tag or value is invalid.
◆ MBEDTLS_ERR_X509_UNKNOWN_VERSION
| #define MBEDTLS_ERR_X509_UNKNOWN_VERSION -0x2580 |
CRT/CRL/CSR has an unsupported version number.
◆ MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG
| #define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG -0x2600 |
Signature algorithm (oid) is unsupported.
◆ MBEDTLS_ERR_X509_SIG_MISMATCH
| #define MBEDTLS_ERR_X509_SIG_MISMATCH -0x2680 |
Signature algorithms do not match.
(see
mbedtls_x509_crt
sig_oid)
◆ MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
| #define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED -0x2700 |
Certificate verification failed, e.g. the CRL, CA or signature check failed.
◆ MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT
| #define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT -0x2780 |
Format not recognized as DER or PEM.
◆ MBEDTLS_ERR_X509_BAD_INPUT_DATA
| #define MBEDTLS_ERR_X509_BAD_INPUT_DATA -0x2800 |
Input invalid.
◆ MBEDTLS_ERR_X509_ALLOC_FAILED
| #define MBEDTLS_ERR_X509_ALLOC_FAILED -0x2880 |
Allocation of memory failed.
◆ MBEDTLS_ERR_X509_FILE_IO_ERROR
| #define MBEDTLS_ERR_X509_FILE_IO_ERROR -0x2900 |
Read/write of file failed.
◆ MBEDTLS_ERR_X509_BUFFER_TOO_SMALL
| #define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL -0x2980 |
Destination buffer is too small.
◆ MBEDTLS_ERR_X509_FATAL_ERROR
| #define MBEDTLS_ERR_X509_FATAL_ERROR -0x3000 |
A fatal error occurred, e.g. the chain is too long or the verify callback failed.
◆ MBEDTLS_X509_BADCERT_EXPIRED
| #define MBEDTLS_X509_BADCERT_EXPIRED 0x01 |
The certificate validity has expired.
◆ MBEDTLS_X509_BADCERT_REVOKED
| #define MBEDTLS_X509_BADCERT_REVOKED 0x02 |
The certificate has been revoked (is on a CRL).
◆ MBEDTLS_X509_BADCERT_CN_MISMATCH
| #define MBEDTLS_X509_BADCERT_CN_MISMATCH 0x04 |
The certificate Common Name (CN) does not match the expected CN.
◆ MBEDTLS_X509_BADCERT_NOT_TRUSTED
| #define MBEDTLS_X509_BADCERT_NOT_TRUSTED 0x08 |
The certificate is not correctly signed by the trusted CA.
◆ MBEDTLS_X509_BADCRL_NOT_TRUSTED
| #define MBEDTLS_X509_BADCRL_NOT_TRUSTED 0x10 |
The CRL is not correctly signed by the trusted CA.
◆ MBEDTLS_X509_BADCRL_EXPIRED
| #define MBEDTLS_X509_BADCRL_EXPIRED 0x20 |
The CRL is expired.
◆ MBEDTLS_X509_BADCERT_MISSING
| #define MBEDTLS_X509_BADCERT_MISSING 0x40 |
Certificate was missing.
◆ MBEDTLS_X509_BADCERT_SKIP_VERIFY
| #define MBEDTLS_X509_BADCERT_SKIP_VERIFY 0x80 |
Certificate verification was skipped; the certificate has not been validated and must not be treated as trusted.
◆ MBEDTLS_X509_BADCERT_OTHER
| #define MBEDTLS_X509_BADCERT_OTHER 0x0100 |
Other reason (can be used by verify callback)
◆ MBEDTLS_X509_BADCERT_FUTURE
| #define MBEDTLS_X509_BADCERT_FUTURE 0x0200 |
The certificate validity starts in the future.
◆ MBEDTLS_X509_BADCRL_FUTURE
| #define MBEDTLS_X509_BADCRL_FUTURE 0x0400 |
The CRL is from the future.
◆ MBEDTLS_X509_BADCERT_KEY_USAGE
| #define MBEDTLS_X509_BADCERT_KEY_USAGE 0x0800 |
Usage does not match the keyUsage extension.
◆ MBEDTLS_X509_BADCERT_EXT_KEY_USAGE
| #define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE 0x1000 |
Usage does not match the extendedKeyUsage extension.
◆ MBEDTLS_X509_BADCERT_NS_CERT_TYPE
| #define MBEDTLS_X509_BADCERT_NS_CERT_TYPE 0x2000 |
Usage does not match the nsCertType extension.
◆ MBEDTLS_X509_BADCERT_BAD_MD
| #define MBEDTLS_X509_BADCERT_BAD_MD 0x4000 |
The certificate is signed with an unacceptable hash.
◆ MBEDTLS_X509_BADCERT_BAD_PK
| #define MBEDTLS_X509_BADCERT_BAD_PK 0x8000 |
The certificate is signed with an unacceptable PK algorithm (e.g. RSA vs ECDSA).
◆ MBEDTLS_X509_BADCERT_BAD_KEY
| #define MBEDTLS_X509_BADCERT_BAD_KEY 0x010000 |
The certificate is signed with an unacceptable key (e.g. bad curve, RSA key too short).
◆ MBEDTLS_X509_BADCRL_BAD_MD
| #define MBEDTLS_X509_BADCRL_BAD_MD 0x020000 |
The CRL is signed with an unacceptable hash.
◆ MBEDTLS_X509_BADCRL_BAD_PK
| #define MBEDTLS_X509_BADCRL_BAD_PK 0x040000 |
The CRL is signed with an unacceptable PK algorithm (e.g. RSA vs ECDSA).
◆ MBEDTLS_X509_BADCRL_BAD_KEY
| #define MBEDTLS_X509_BADCRL_BAD_KEY 0x080000 |
The CRL is signed with an unacceptable key (e.g. bad curve, RSA key too short).
Typedef Documentation
◆ mbedtls_x509_buf
| typedef mbedtls_asn1_buf mbedtls_x509_buf |
Type-length-value structure that allows for ASN1 using DER.
◆ mbedtls_x509_bitstring
Container for ASN1 bit strings.
◆ mbedtls_x509_name
Container for ASN1 named information objects.
It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.).
◆ mbedtls_x509_sequence
Container for a sequence of ASN.1 items.