X.509 module#

The X.509 module provides X.509 support for reading, writing and verification of certificates.

In summary:

  • X.509 certificate (CRT) reading (see mbedtls_x509_crt_parse(), mbedtls_x509_crt_parse_der(), mbedtls_x509_crt_parse_file()).

  • X.509 certificate revocation list (CRL) reading (see mbedtls_x509_crl_parse(), mbedtls_x509_crl_parse_der(), and mbedtls_x509_crl_parse_file()).

  • X.509 certificate signature verification (see mbedtls_x509_crt_verify() and mbedtls_x509_crt_verify_with_profile().

  • X.509 certificate writing and certificate request writing (see mbedtls_x509write_crt_der() and mbedtls_x509write_csr_der()).

This module can be used to build a certificate authority (CA) chain and verify its signature. It is also used to generate Certificate Signing Requests and X.509 certificates just as a CA would do.

Modules#

mbedtls_x509_crl_entry

mbedtls_x509_crl

mbedtls_x509_csr

mbedtls_x509write_csr

mbedtls_x509_authority

mbedtls_x509_time

mbedtls_x509_san_other_name

mbedtls_x509_subject_alternative_name

mbedtls_x509_san_list

mbedtls_x509_crt

mbedtls_x509_crt_profile

mbedtls_x509write_cert

mbedtls_x509_crt_verify_chain_item

mbedtls_x509_crt_verify_chain

Structures for parsing X.509 certificates, CRLs and CSRs#

Type-length-value structure that allows for ASN1 using DER.

Container for ASN1 bit strings.

Container for ASN1 named information objects.

Container for a sequence of ASN.1 items.

Structures and functions for parsing and writing X.509 certificates#

typedef int(*
mbedtls_x509_crt_ext_cb_t)(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid, int critical, const unsigned char *p, const unsigned char *end)

The type of certificate extension callbacks.

typedef int(*
mbedtls_x509_crt_ca_cb_t)(void *p_ctx, mbedtls_x509_crt const *child, mbedtls_x509_crt **candidate_cas)

The type of trusted certificate callbacks.

Expected next default profile.

Empty profile that allows nothing.

int
mbedtls_x509write_crt_set_subject_alternative_name(mbedtls_x509write_cert *ctx, const mbedtls_x509_san_list *san_list)

Set Subject Alternative Name.

int
mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)

Parse a single DER formatted certificate and add it to the end of the provided chained list.

int
mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen, int make_copy, mbedtls_x509_crt_ext_cb_t cb, void *p_ctx)

Parse a single DER formatted certificate and add it to the end of the provided chained list.

int
mbedtls_x509_crt_parse_der_nocopy(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)

Parse a single DER formatted certificate and add it to the end of the provided chained list.

int
mbedtls_x509_crt_parse(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)

Parse one DER-encoded or one or more concatenated PEM-encoded certificates and add them to the chained list.

int
mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix, const mbedtls_x509_crt *crt)

Returns an informational string about the certificate.

int
mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix, uint32_t flags)

Returns an informational string about the verification status of a certificate.

int
mbedtls_x509_crt_verify(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)

Verify a chain of certificates.

int
mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)

Verify a chain of certificates with respect to a configurable security profile.

int
mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy, mbedtls_x509_crt_restart_ctx *rs_ctx)

Restartable version of mbedtls_crt_verify_with_profile()

int
mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt, unsigned int usage)

Check usage of certificate against keyUsage extension.

int
mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len)

Check usage of certificate against extendedKeyUsage.

int
mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl)

Verify the certificate revocation status.

void
mbedtls_x509_crt_init(mbedtls_x509_crt *crt)

Initialize a certificate (chain)

void
mbedtls_x509_crt_free(mbedtls_x509_crt *crt)

Unallocate all certificate data.

int
mbedtls_x509_crt_has_ext_type(const mbedtls_x509_crt *ctx, int ext_type)

Query certificate for given extension type.

#define

Build flag from an algorithm/curve identifier (pk, md, ecp) Since 0 is always XXX_NONE, ignore it.

#define
MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE (MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2)

Max size of verification chain: end-entity + intermediates + trusted root.

Structures and functions for parsing CRLs#

int
mbedtls_x509_crl_parse_der(mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen)

Parse a DER-encoded CRL and append it to the chained list.

int
mbedtls_x509_crl_parse(mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen)

Parse one or more CRLs and append them to the chained list.

int
mbedtls_x509_crl_info(char *buf, size_t size, const char *prefix, const mbedtls_x509_crl *crl)

Returns an informational string about the CRL.

void
mbedtls_x509_crl_init(mbedtls_x509_crl *crl)

Initialize a CRL (chain)

void
mbedtls_x509_crl_free(mbedtls_x509_crl *crl)

Unallocate all CRL data.

Structures and functions for X.509 Certificate Signing Requests (CSR)#

int
mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen)

Load a Certificate Signing Request (CSR) in DER format.

int
mbedtls_x509_csr_parse(mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen)

Load a Certificate Signing Request (CSR), DER or PEM format.

int
mbedtls_x509_csr_info(char *buf, size_t size, const char *prefix, const mbedtls_x509_csr *csr)

Returns an informational string about the CSR.

void
mbedtls_x509_csr_init(mbedtls_x509_csr *csr)

Initialize a CSR.

void
mbedtls_x509_csr_free(mbedtls_x509_csr *csr)

Unallocate all CSR data.

X509 Error codes#

#define

Unavailable feature, e.g.

#define

Requested OID is unknown.

#define

The CRT/CRL/CSR format is invalid, e.g.

#define

The CRT/CRL/CSR version element is invalid.

#define

The serial tag or value is invalid.

#define

The algorithm tag or value is invalid.

#define

The name tag or value is invalid.

#define

The date tag or value is invalid.

#define

The signature tag or value invalid.

#define

The extension tag or value is invalid.

#define

CRT/CRL/CSR has an unsupported version number.

#define

Signature algorithm (oid) is unsupported.

#define

Signature algorithms do not match.

#define

Certificate verification failed, e.g.

#define

Format not recognized as DER or PEM.

#define

Input invalid.

#define

Allocation of memory failed.

#define

Read/write of file failed.

#define

Destination buffer is too small.

#define

A fatal error occurred, eg the chain is too long or the vrfy callback failed.

X509 Verify codes#

#define

The certificate validity has expired.

#define

The certificate has been revoked (is on a CRL).

#define

The certificate Common Name (CN) does not match with the expected CN.

#define

The certificate is not correctly signed by the trusted CA.

#define

The CRL is not correctly signed by the trusted CA.

#define

The CRL is expired.

#define

Certificate was missing.

#define

Certificate verification was skipped.

#define

Other reason (can be used by verify callback)

#define

The certificate validity starts in the future.

#define

The CRL is from the future.

#define

Usage does not match the keyUsage extension.

#define

Usage does not match the extendedKeyUsage extension.

#define

Usage does not match the nsCertType extension.

#define

The certificate is signed with an unacceptable hash.

#define

The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA).

#define

The certificate is signed with an unacceptable key (eg bad curve, RSA too short).

#define

The CRL is signed with an unacceptable hash.

#define

The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA).

#define

The CRL is signed with an unacceptable key (eg bad curve, RSA too short).

Functions#

void
mbedtls_x509write_csr_init(mbedtls_x509write_csr *ctx)

Initialize a CSR context.

int
mbedtls_x509write_csr_set_subject_name(mbedtls_x509write_csr *ctx, const char *subject_name)

Set the subject name for a CSR Subject names should contain a comma-separated list of OID types and values: e.g.

void
mbedtls_x509write_csr_set_key(mbedtls_x509write_csr *ctx, mbedtls_pk_context *key)

Set the key for a CSR (public key will be included, private key used to sign the CSR when writing it)

void
mbedtls_x509write_csr_set_md_alg(mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg)

Set the MD algorithm to use for the signature (e.g.

int
mbedtls_x509write_csr_set_key_usage(mbedtls_x509write_csr *ctx, unsigned char key_usage)

Set the Key Usage Extension flags (e.g.

int
mbedtls_x509write_csr_set_subject_alternative_name(mbedtls_x509write_csr *ctx, const mbedtls_x509_san_list *san_list)

Set Subject Alternative Name.

int
mbedtls_x509write_csr_set_ns_cert_type(mbedtls_x509write_csr *ctx, unsigned char ns_cert_type)

Set the Netscape Cert Type flags (e.g.

int
mbedtls_x509write_csr_set_extension(mbedtls_x509write_csr *ctx, const char *oid, size_t oid_len, int critical, const unsigned char *val, size_t val_len)

Generic function to add to or replace an extension in the CSR.

void
mbedtls_x509write_csr_free(mbedtls_x509write_csr *ctx)

Free the contents of a CSR context.

int
mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)

Write a CSR (Certificate Signing Request) to a DER structure Note: data is written at the end of the buffer! Use the return value to determine where you should start using the buffer.

int
mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)

Write a CSR (Certificate Signing Request) to a PEM string.

int
mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn)

Store the certificate DN in printable form into buf; no more than size characters will be written.

mbedtls_x509_dn_get_next(mbedtls_x509_name *dn)

Return the next relative DN in an X509 name.

int
mbedtls_x509_serial_gets(char *buf, size_t size, const mbedtls_x509_buf *serial)

Store the certificate serial in printable form into buf; no more than size characters will be written.

int
mbedtls_x509_time_cmp(const mbedtls_x509_time *t1, const mbedtls_x509_time *t2)

Compare pair of mbedtls_x509_time.

int
mbedtls_x509_time_is_past(const mbedtls_x509_time *to)

Check a given mbedtls_x509_time against the system time and tell if it's in the past.

int
mbedtls_x509_time_is_future(const mbedtls_x509_time *from)

Check a given mbedtls_x509_time against the system time and tell if it's in the future.

int
mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, mbedtls_x509_subject_alternative_name *san)

This function parses an item in the SubjectAlternativeNames extension.

void
mbedtls_x509_free_subject_alt_name(mbedtls_x509_subject_alternative_name *san)

Unallocate all data related to subject alternative name.

void
mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)

Initialize a CRT writing context.

void
mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version)

Set the version for a Certificate Default: MBEDTLS_X509_CRT_VERSION_3.

int MBEDTLS_DEPRECATED
mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial)

Set the serial number for a Certificate.

int
mbedtls_x509write_crt_set_serial_raw(mbedtls_x509write_cert *ctx, unsigned char *serial, size_t serial_len)

Set the serial number for a Certificate.

int
mbedtls_x509write_crt_set_validity(mbedtls_x509write_cert *ctx, const char *not_before, const char *not_after)

Set the validity period for a Certificate Timestamps should be in string format for UTC timezone i.e.

int
mbedtls_x509write_crt_set_issuer_name(mbedtls_x509write_cert *ctx, const char *issuer_name)

Set the issuer name for a Certificate Issuer names should contain a comma-separated list of OID types and values: e.g.

int
mbedtls_x509write_crt_set_subject_name(mbedtls_x509write_cert *ctx, const char *subject_name)

Set the subject name for a Certificate Subject names should contain a comma-separated list of OID types and values: e.g.

void
mbedtls_x509write_crt_set_subject_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)

Set the subject public key for the certificate.

void
mbedtls_x509write_crt_set_issuer_key(mbedtls_x509write_cert *ctx, mbedtls_pk_context *key)

Set the issuer key used for signing the certificate.

void
mbedtls_x509write_crt_set_md_alg(mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg)

Set the MD algorithm to use for the signature (e.g.

int
mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx, const char *oid, size_t oid_len, int critical, const unsigned char *val, size_t val_len)

Generic function to add to or replace an extension in the CRT.

int
mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx, int is_ca, int max_pathlen)

Set the basicConstraints extension for a CRT.

int
mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx, unsigned int key_usage)

Set the Key Usage Extension flags (e.g.

int
mbedtls_x509write_crt_set_ext_key_usage(mbedtls_x509write_cert *ctx, const mbedtls_asn1_sequence *exts)

Set the Extended Key Usage Extension (e.g.

int
mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx, unsigned char ns_cert_type)

Set the Netscape Cert Type flags (e.g.

void
mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx)

Free the contents of a CRT write context.

int
mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)

Write a built up certificate to a X509 DER structure Note: data is written at the end of the buffer! Use the return value to determine where you should start using the buffer.

int
mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)

Write a built up certificate to a X509 PEM string.

Macros#

#define

Maximum number of intermediate CAs in a verification chain.

Structures for parsing X.509 certificates, CRLs and CSRs Documentation#

mbedtls_x509_buf#

typedef mbedtls_asn1_buf mbedtls_x509_buf

Type-length-value structure that allows for ASN1 using DER.


Definition at line 228 of file util/third_party/mbedtls/include/mbedtls/x509.h

mbedtls_x509_bitstring#

typedef mbedtls_asn1_bitstring mbedtls_x509_bitstring

Container for ASN1 bit strings.


Definition at line 233 of file util/third_party/mbedtls/include/mbedtls/x509.h

mbedtls_x509_name#

typedef mbedtls_asn1_named_data mbedtls_x509_name

Container for ASN1 named information objects.

It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.).


Definition at line 239 of file util/third_party/mbedtls/include/mbedtls/x509.h

mbedtls_x509_sequence#

typedef mbedtls_asn1_sequence mbedtls_x509_sequence

Container for a sequence of ASN.1 items.


Definition at line 244 of file util/third_party/mbedtls/include/mbedtls/x509.h

Structures and functions for parsing and writing X.509 certificates Documentation#

mbedtls_x509_crt_restart_ctx#

typedef void mbedtls_x509_crt_restart_ctx

Definition at line 318 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509_crt_ext_cb_t#

typedef int(* mbedtls_x509_crt_ext_cb_t) (void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid, int critical, const unsigned char *p, const unsigned char *end) )(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid, int critical, const unsigned char *p, const unsigned char *end)

The type of certificate extension callbacks.

Parameters
N/Ap_ctx

An opaque context passed to the callback.

N/Acrt

The certificate being parsed.

N/Aoid

The OID of the extension.

N/Acritical

Whether the extension is critical.

N/Ap

Pointer to the start of the extension value (the content of the OCTET STRING).

N/Aend

End of extension value.

            Callbacks of this type are passed to and used by the
            mbedtls_x509_crt_parse_der_with_ext_cb() routine when
            it encounters either an unsupported extension or a
            "certificate policies" extension containing any
            unsupported certificate policies.
            Future versions of the library may invoke the callback
            in other cases, if and when the need arises.

Note

Returns

  • 0 on success.

  • A negative error code on failure.


Definition at line 414 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509_crt_ca_cb_t#

typedef int(* mbedtls_x509_crt_ca_cb_t) (void *p_ctx, mbedtls_x509_crt const *child, mbedtls_x509_crt **candidate_cas) )(void *p_ctx, mbedtls_x509_crt const *child, mbedtls_x509_crt **candidate_cas)

The type of trusted certificate callbacks.

Parameters
N/Ap_ctx

An opaque context passed to the callback.

N/Achild

The certificate for which to search a potential signer. This will point to a readable certificate.

N/Acandidate_cas

The address at which to store the address of the first entry in the generated linked list of candidate signers. This will not be NULL.

                 Callbacks of this type are passed to and used by the CRT
                 verification routine mbedtls_x509_crt_verify_with_ca_cb()
                 when looking for trusted signers of a given certificate.

                 On success, the callback returns a list of trusted
                 certificates to be considered as potential signers
                 for the input certificate.

Note

  • The callback must only return a non-zero value on a fatal error. If, in contrast, the search for a potential signer completes without a single candidate, the callback must return 0 and set *candidate_cas to NULL.

Returns

  • 0 on success. In this case, *candidate_cas points to a heap-allocated linked list of instances of mbedtls_x509_crt, and ownership of this list is passed to the caller.

  • A negative error code on failure.


Definition at line 796 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509_crt_profile_default#

const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default

Default security profile.

Should provide a good balance between security and compatibility with current deployments.

This profile permits:

  • SHA2 hashes with at least 256 bits: SHA-256, SHA-384, SHA-512.

  • Elliptic curves with 255 bits and above except secp256k1.

  • RSA with 2048 bits and above.

New minor versions of Mbed TLS may extend this profile, for example if new algorithms are added to the library. New minor versions of Mbed TLS will not reduce this profile unless serious security concerns require it.


Definition at line 336 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509_crt_profile_next#

const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next

Expected next default profile.

Recommended for new deployments. Currently targets a 128-bit security level, except for allowing RSA-2048. This profile may change at any time.


Definition at line 343 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509_crt_profile_suiteb#

const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb

NSA Suite B profile.


Definition at line 348 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509_crt_profile_none#

const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_none

Empty profile that allows nothing.

Useful as a basis for constructing custom profiles.


Definition at line 354 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509write_crt_set_subject_alternative_name#

int mbedtls_x509write_crt_set_subject_alternative_name (mbedtls_x509write_cert * ctx, const mbedtls_x509_san_list * san_list)

Set Subject Alternative Name.

Parameters
N/Actx

Certificate context to use

N/Asan_list

List of SAN values

Returns

  • 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED

Note

  • "dnsName", "uniformResourceIdentifier", "IP address", "otherName", and "DirectoryName", as defined in RFC 5280, are supported.


Definition at line 256 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509_crt_parse_der#

int mbedtls_x509_crt_parse_der (mbedtls_x509_crt * chain, const unsigned char * buf, size_t buflen)

Parse a single DER formatted certificate and add it to the end of the provided chained list.

Parameters
N/Achain

The pointer to the start of the CRT chain to attach to. When parsing the first CRT in a chain, this should point to an instance of mbedtls_x509_crt initialized through mbedtls_x509_crt_init().

N/Abuf

The buffer holding the DER encoded certificate.

N/Abuflen

The size in Bytes of buf.

Note

  • If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto subsystem must have been initialized by calling psa_crypto_init() before calling this function.

Note

  • This function makes an internal copy of the CRT buffer buf. In particular, buf may be destroyed or reused after this call returns. To avoid duplicating the CRT buffer (at the cost of stricter lifetime constraints), use mbedtls_x509_crt_parse_der_nocopy() instead.

Returns

  • 0 if successful.

  • A negative error code on failure.


Definition at line 380 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509_crt_parse_der_with_ext_cb#

int mbedtls_x509_crt_parse_der_with_ext_cb (mbedtls_x509_crt * chain, const unsigned char * buf, size_t buflen, int make_copy, mbedtls_x509_crt_ext_cb_t cb, void * p_ctx)

Parse a single DER formatted certificate and add it to the end of the provided chained list.

Parameters
N/Achain

The pointer to the start of the CRT chain to attach to. When parsing the first CRT in a chain, this should point to an instance of mbedtls_x509_crt initialized through mbedtls_x509_crt_init().

N/Abuf

The buffer holding the DER encoded certificate.

N/Abuflen

The size in Bytes of buf.

N/Amake_copy

When not zero this function makes an internal copy of the CRT buffer buf. In particular, buf may be destroyed or reused after this call returns. When zero this function avoids duplicating the CRT buffer by taking temporary ownership thereof until the CRT is destroyed (like mbedtls_x509_crt_parse_der_nocopy())

N/Acb

A callback invoked for every unsupported certificate extension.

N/Ap_ctx

An opaque context passed to the callback.

Note

  • If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto subsystem must have been initialized by calling psa_crypto_init() before calling this function.

Note

  • This call is functionally equivalent to mbedtls_x509_crt_parse_der(), and/or mbedtls_x509_crt_parse_der_nocopy() but it calls the callback with every unsupported certificate extension and additionally the "certificate policies" extension if it contains any unsupported certificate policies. The callback must return a negative error code if it does not know how to handle such an extension. When the callback fails to parse a critical extension mbedtls_x509_crt_parse_der_with_ext_cb() also fails. When the callback fails to parse a non critical extension mbedtls_x509_crt_parse_der_with_ext_cb() simply skips the extension and continues parsing. Future versions of the library may invoke the callback in other cases, if and when the need arises.

Returns

  • 0 if successful.

  • A negative error code on failure.


Definition at line 465 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509_crt_parse_der_nocopy#

int mbedtls_x509_crt_parse_der_nocopy (mbedtls_x509_crt * chain, const unsigned char * buf, size_t buflen)

Parse a single DER formatted certificate and add it to the end of the provided chained list.

Parameters
N/Achain

The pointer to the start of the CRT chain to attach to. When parsing the first CRT in a chain, this should point to an instance of mbedtls_x509_crt initialized through mbedtls_x509_crt_init().

N/Abuf

The address of the readable buffer holding the DER encoded certificate to use. On success, this buffer must be retained and not be changed for the lifetime of the CRT chain chain, that is, until chain is destroyed through a call to mbedtls_x509_crt_free().

N/Abuflen

The size in Bytes of buf.

This is a variant of mbedtls_x509_crt_parse_der() which takes temporary ownership of the CRT buffer until the CRT is destroyed.

Note

  • If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto subsystem must have been initialized by calling psa_crypto_init() before calling this function.

Note

  • This call is functionally equivalent to mbedtls_x509_crt_parse_der(), but it avoids creating a copy of the input buffer at the cost of stronger lifetime constraints. This is useful in constrained environments where duplication of the CRT cannot be tolerated.

Returns

  • 0 if successful.

  • A negative error code on failure.


Definition at line 503 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509_crt_parse#

int mbedtls_x509_crt_parse (mbedtls_x509_crt * chain, const unsigned char * buf, size_t buflen)

Parse one DER-encoded or one or more concatenated PEM-encoded certificates and add them to the chained list.

Parameters
N/Achain

The chain to which to add the parsed certificates.

N/Abuf

The buffer holding the certificate data in PEM or DER format. For certificates in PEM encoding, this may be a concatenation of multiple certificates; for DER encoding, the buffer must comprise exactly one certificate.

N/Abuflen

The size of buf, including the terminating NULL byte in case of PEM encoded data.

For CRTs in PEM encoding, the function parses permissively: if at least one certificate can be parsed, the function returns the number of certificates for which parsing failed (hence 0 if all certificates were parsed successfully). If no certificate could be parsed, the function returns the first (negative) error encountered during parsing.

PEM encoded certificates may be interleaved by other data such as human readable descriptions of their content, as long as the certificates are enclosed in the PEM specific '--—{BEGIN/END} CERTIFICATE--—' delimiters.

Note

  • If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto subsystem must have been initialized by calling psa_crypto_init() before calling this function.

Returns

  • 0 if all certificates were parsed successfully.

  • The (positive) number of certificates that couldn't be parsed if parsing was partly successful (see above).

  • A negative X509 or PEM error code otherwise.


Definition at line 541 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509_crt_info#

int mbedtls_x509_crt_info (char * buf, size_t size, const char * prefix, const mbedtls_x509_crt * crt)

Returns an informational string about the certificate.

Parameters
N/Abuf

Buffer to write to

N/Asize

Maximum size of buffer

N/Aprefix

A line prefix

N/Acrt

The X509 certificate to represent

Returns

  • The length of the string written (not including the terminated nul byte), or a negative error code.


Definition at line 593 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509_crt_verify_info#

int mbedtls_x509_crt_verify_info (char * buf, size_t size, const char * prefix, uint32_t flags)

Returns an informational string about the verification status of a certificate.

Parameters
N/Abuf

Buffer to write to

N/Asize

Maximum size of buffer

N/Aprefix

A line prefix

N/Aflags

Verification flags created by mbedtls_x509_crt_verify()

Returns

  • The length of the string written (not including the terminated nul byte), or a negative error code.


Definition at line 608 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509_crt_verify#

int mbedtls_x509_crt_verify (mbedtls_x509_crt * crt, mbedtls_x509_crt * trust_ca, mbedtls_x509_crl * ca_crl, const char * cn, uint32_t * flags, int(*)(void *, mbedtls_x509_crt *, int, uint32_t *) f_vrfy, void * p_vrfy)

Verify a chain of certificates.

Parameters
N/Acrt

The certificate chain to be verified.

N/Atrust_ca

The list of trusted CAs.

N/Aca_crl

The list of CRLs for trusted CAs.

N/Acn

The expected Common Name. This will be checked to be present in the certificate's subjectAltNames extension or, if this extension is absent, as a CN component in its Subject name. DNS names and IP addresses are fully supported, while the URI subtype is partially supported: only exact matching, without any normalization procedures described in 7.4 of RFC5280, will result in a positive URI verification. This may be NULL if the CN need not be verified.

N/Aflags

The address at which to store the result of the verification. If the verification couldn't be completed, the flag value is set to (uint32_t) -1.

N/Af_vrfy

The verification callback to use. See the documentation of mbedtls_x509_crt_verify() for more information.

N/Ap_vrfy

The context to be passed to f_vrfy.

            The verify callback is a user-supplied callback that
            can clear / modify / add flags for a certificate. If set,
            the verification callback is called for each
            certificate in the chain (from the trust-ca down to the
            presented crt). The parameters for the callback are:
            (void *parameter, mbedtls_x509_crt *crt, int certificate_depth,
            int *flags). With the flags representing current flags for
            that specific certificate and the certificate depth from
            the bottom (Peer cert depth = 0).

            All flags left after returning from the callback
            are also returned to the application. The function should
            return 0 for anything (including invalid certificates)
            other than fatal error, as a non-zero return code
            immediately aborts the verification process. For fatal
            errors, a specific error code should be used (different
            from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not
            be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR
            can be used if no better code is available.

Note

  • In case verification failed, the results can be displayed using mbedtls_x509_crt_verify_info()

  • Same as mbedtls_x509_crt_verify_with_profile() with the default security profile.

  • It is your responsibility to provide up-to-date CRLs for all trusted CAs. If no CRL is provided for the CA that was used to sign the certificate, CRL verification is skipped silently, that is without setting any flag.

  • The trust_ca list can contain two types of certificates: (1) those of trusted root CAs, so that certificates chaining up to those CAs will be trusted, and (2) self-signed end-entity certificates to be trusted (for specific peers you know) - in that case, the self-signed certificate doesn't need to have the CA bit set.

Returns

  • 0 if the chain is valid with respect to the passed CN, CAs, CRLs and security profile.

  • MBEDTLS_ERR_X509_CERT_VERIFY_FAILED in case the certificate chain verification failed. In this case, *flags will have one or more MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags set.

  • Another negative error code in case of a fatal error encountered during the verification process.


Definition at line 682 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509_crt_verify_with_profile#

int mbedtls_x509_crt_verify_with_profile (mbedtls_x509_crt * crt, mbedtls_x509_crt * trust_ca, mbedtls_x509_crl * ca_crl, const mbedtls_x509_crt_profile * profile, const char * cn, uint32_t * flags, int(*)(void *, mbedtls_x509_crt *, int, uint32_t *) f_vrfy, void * p_vrfy)

Verify a chain of certificates with respect to a configurable security profile.

Parameters
N/Acrt

The certificate chain to be verified.

N/Atrust_ca

The list of trusted CAs.

N/Aca_crl

The list of CRLs for trusted CAs.

N/Aprofile

The security profile to use for the verification.

N/Acn

The expected Common Name. This may be NULL if the CN need not be verified.

N/Aflags

The address at which to store the result of the verification. If the verification couldn't be completed, the flag value is set to (uint32_t) -1.

N/Af_vrfy

The verification callback to use. See the documentation of mbedtls_x509_crt_verify() for more information.

N/Ap_vrfy

The context to be passed to f_vrfy.

Note

  • Same as mbedtls_x509_crt_verify(), but with explicit security profile.

  • The restrictions on keys (RSA minimum size, allowed curves for ECDSA) apply to all certificates: trusted root, intermediate CAs if any, and end entity certificate.

Returns

  • 0 if the chain is valid with respect to the passed CN, CAs, CRLs and security profile.

  • MBEDTLS_ERR_X509_CERT_VERIFY_FAILED in case the certificate chain verification failed. In this case, *flags will have one or more MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags set.

  • Another negative error code in case of a fatal error encountered during the verification process.


Definition at line 723 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509_crt_verify_restartable#

int mbedtls_x509_crt_verify_restartable (mbedtls_x509_crt * crt, mbedtls_x509_crt * trust_ca, mbedtls_x509_crl * ca_crl, const mbedtls_x509_crt_profile * profile, const char * cn, uint32_t * flags, int(*)(void *, mbedtls_x509_crt *, int, uint32_t *) f_vrfy, void * p_vrfy, mbedtls_x509_crt_restart_ctx * rs_ctx)

Restartable version of mbedtls_crt_verify_with_profile()

Parameters
N/Acrt

The certificate chain to be verified.

N/Atrust_ca

The list of trusted CAs.

N/Aca_crl

The list of CRLs for trusted CAs.

N/Aprofile

The security profile to use for the verification.

N/Acn

The expected Common Name. This may be NULL if the CN need not be verified.

N/Aflags

The address at which to store the result of the verification. If the verification couldn't be completed, the flag value is set to (uint32_t) -1.

N/Af_vrfy

The verification callback to use. See the documentation of mbedtls_x509_crt_verify() for more information.

N/Ap_vrfy

The context to be passed to f_vrfy.

N/Ars_ctx

The restart context to use. This may be set to NULL to disable restartable ECC.

Note

  • Performs the same job as mbedtls_crt_verify_with_profile() but can return early and restart according to the limit set with mbedtls_ecp_set_max_ops() to reduce blocking.

Returns

  • See mbedtls_crt_verify_with_profile(), or

  • #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of operations was reached: see mbedtls_ecp_set_max_ops().


Definition at line 757 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509_crt_check_key_usage#

int mbedtls_x509_crt_check_key_usage (const mbedtls_x509_crt * crt, unsigned int usage)

Check usage of certificate against keyUsage extension.

Parameters
N/Acrt

Leaf certificate used.

N/Ausage

Intended usage(s) (eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT before using the certificate to perform an RSA key exchange).

Note

  • Except for decipherOnly and encipherOnly, a bit set in the usage argument means this bit MUST be set in the certificate. For decipherOnly and encipherOnly, it means that bit MAY be set.

Returns

  • 0 is these uses of the certificate are allowed, MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension is present but does not match the usage argument.

Note

  • You should only call this function on leaf certificates, on (intermediate) CAs the keyUsage extension is automatically checked by mbedtls_x509_crt_verify().


Definition at line 854 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509_crt_check_extended_key_usage#

int mbedtls_x509_crt_check_extended_key_usage (const mbedtls_x509_crt * crt, const char * usage_oid, size_t usage_len)

Check usage of certificate against extendedKeyUsage.

Parameters
N/Acrt

Leaf certificate used.

N/Ausage_oid

Intended usage (eg MBEDTLS_OID_SERVER_AUTH or MBEDTLS_OID_CLIENT_AUTH).

N/Ausage_len

Length of usage_oid (eg given by MBEDTLS_OID_SIZE()).

Returns

  • 0 if this use of the certificate is allowed, MBEDTLS_ERR_X509_BAD_INPUT_DATA if not.

Note

  • Usually only makes sense on leaf certificates.


Definition at line 870 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509_crt_is_revoked#

int mbedtls_x509_crt_is_revoked (const mbedtls_x509_crt * crt, const mbedtls_x509_crl * crl)

Verify the certificate revocation status.

Parameters
N/Acrt

a certificate to be verified

N/Acrl

the CRL to verify against

Returns

  • 1 if the certificate is revoked, 0 otherwise


Definition at line 884 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509_crt_init#

void mbedtls_x509_crt_init (mbedtls_x509_crt * crt)

Initialize a certificate (chain)

Parameters
N/Acrt

Certificate chain to initialize


Definition at line 892 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509_crt_free#

void mbedtls_x509_crt_free (mbedtls_x509_crt * crt)

Unallocate all certificate data.

Parameters
N/Acrt

Certificate chain to free


Definition at line 899 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509_crt_has_ext_type#

static int mbedtls_x509_crt_has_ext_type (const mbedtls_x509_crt * ctx, int ext_type)

Query certificate for given extension type.

Parameters
[in]ctx

Certificate context to be queried, must not be NULL

N/Aext_type

Extension type being queried for, must be a valid extension type. Must be one of the MBEDTLS_X509_EXT_XXX values

Returns

  • 0 if the given extension type is not present, non-zero otherwise


Definition at line 925 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

MBEDTLS_X509_ID_FLAG#

#define MBEDTLS_X509_ID_FLAG
Value:
(id)

Build flag from an algorithm/curve identifier (pk, md, ecp) Since 0 is always XXX_NONE, ignore it.


Definition at line 110 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

MBEDTLS_X509_CRT_VERSION_1#

#define MBEDTLS_X509_CRT_VERSION_1
Value:
0

Definition at line 147 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

MBEDTLS_X509_CRT_VERSION_2#

#define MBEDTLS_X509_CRT_VERSION_2
Value:
1

Definition at line 148 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

MBEDTLS_X509_CRT_VERSION_3#

#define MBEDTLS_X509_CRT_VERSION_3
Value:
2

Definition at line 149 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN#

#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN
Value:
20

Definition at line 151 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

MBEDTLS_X509_RFC5280_UTC_TIME_LEN#

#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN
Value:
15

Definition at line 152 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

MBEDTLS_X509_MAX_FILE_PATH_LEN#

#define MBEDTLS_X509_MAX_FILE_PATH_LEN
Value:
512

Definition at line 155 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

MBEDTLS_X509_CRT_ERROR_INFO_LIST#

#define MBEDTLS_X509_CRT_ERROR_INFO_LIST

Definition at line 164 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE#

#define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE
Value:
(MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2)

Max size of verification chain: end-entity + intermediates + trusted root.


Definition at line 270 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

Structures and functions for parsing CRLs Documentation#

mbedtls_x509_crl_parse_der#

int mbedtls_x509_crl_parse_der (mbedtls_x509_crl * chain, const unsigned char * buf, size_t buflen)

Parse a DER-encoded CRL and append it to the chained list.

Parameters
N/Achain

points to the start of the chain

N/Abuf

buffer holding the CRL data in DER format

N/Abuflen

size of the buffer (including the terminating null byte for PEM data)

Note

  • If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto subsystem must have been initialized by calling psa_crypto_init() before calling this function.

Returns

  • 0 if successful, or a specific X509 or PEM error code


Definition at line 121 of file util/third_party/mbedtls/include/mbedtls/x509_crl.h

mbedtls_x509_crl_parse#

int mbedtls_x509_crl_parse (mbedtls_x509_crl * chain, const unsigned char * buf, size_t buflen)

Parse one or more CRLs and append them to the chained list.

Parameters
N/Achain

points to the start of the chain

N/Abuf

buffer holding the CRL data in PEM or DER format

N/Abuflen

size of the buffer (including the terminating null byte for PEM data)

Note

  • Multiple CRLs are accepted only if using PEM format

  • If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto subsystem must have been initialized by calling psa_crypto_init() before calling this function.

Returns

  • 0 if successful, or a specific X509 or PEM error code


Definition at line 139 of file util/third_party/mbedtls/include/mbedtls/x509_crl.h

mbedtls_x509_crl_info#

int mbedtls_x509_crl_info (char * buf, size_t size, const char * prefix, const mbedtls_x509_crl * crl)

Returns an informational string about the CRL.

Parameters
N/Abuf

Buffer to write to

N/Asize

Maximum size of buffer

N/Aprefix

A line prefix

N/Acrl

The X509 CRL to represent

Returns

  • The length of the string written (not including the terminated nul byte), or a negative error code.


Definition at line 171 of file util/third_party/mbedtls/include/mbedtls/x509_crl.h

mbedtls_x509_crl_init#

void mbedtls_x509_crl_init (mbedtls_x509_crl * crl)

Initialize a CRL (chain)

Parameters
N/Acrl

CRL chain to initialize


Definition at line 180 of file util/third_party/mbedtls/include/mbedtls/x509_crl.h

mbedtls_x509_crl_free#

void mbedtls_x509_crl_free (mbedtls_x509_crl * crl)

Unallocate all CRL data.

Parameters
N/Acrl

CRL chain to free


Definition at line 187 of file util/third_party/mbedtls/include/mbedtls/x509_crl.h

Structures and functions for X.509 Certificate Signing Requests (CSR) Documentation#

mbedtls_x509_csr_parse_der#

int mbedtls_x509_csr_parse_der (mbedtls_x509_csr * csr, const unsigned char * buf, size_t buflen)

Load a Certificate Signing Request (CSR) in DER format.

Parameters
N/Acsr

CSR context to fill

N/Abuf

buffer holding the CRL data

N/Abuflen

size of the buffer

Note

  • CSR attributes (if any) are currently silently ignored.

  • If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto subsystem must have been initialized by calling psa_crypto_init() before calling this function.

Returns

  • 0 if successful, or a specific X509 error code


Definition at line 102 of file util/third_party/mbedtls/include/mbedtls/x509_csr.h

mbedtls_x509_csr_parse#

int mbedtls_x509_csr_parse (mbedtls_x509_csr * csr, const unsigned char * buf, size_t buflen)

Load a Certificate Signing Request (CSR), DER or PEM format.

Parameters
N/Acsr

CSR context to fill

N/Abuf

buffer holding the CRL data

N/Abuflen

size of the buffer (including the terminating null byte for PEM data)

Note

  • See notes for mbedtls_x509_csr_parse_der()

  • If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto subsystem must have been initialized by calling psa_crypto_init() before calling this function.

Returns

  • 0 if successful, or a specific X509 or PEM error code


Definition at line 121 of file util/third_party/mbedtls/include/mbedtls/x509_csr.h

mbedtls_x509_csr_info#

int mbedtls_x509_csr_info (char * buf, size_t size, const char * prefix, const mbedtls_x509_csr * csr)

Returns an informational string about the CSR.

Parameters
N/Abuf

Buffer to write to

N/Asize

Maximum size of buffer

N/Aprefix

A line prefix

N/Acsr

The X509 CSR to represent

Returns

  • The length of the string written (not including the terminated nul byte), or a negative error code.


Definition at line 150 of file util/third_party/mbedtls/include/mbedtls/x509_csr.h

mbedtls_x509_csr_init#

void mbedtls_x509_csr_init (mbedtls_x509_csr * csr)

Initialize a CSR.

Parameters
N/Acsr

CSR to initialize


Definition at line 159 of file util/third_party/mbedtls/include/mbedtls/x509_csr.h

mbedtls_x509_csr_free#

void mbedtls_x509_csr_free (mbedtls_x509_csr * csr)

Unallocate all CSR data.

Parameters
N/Acsr

CSR to free


Definition at line 166 of file util/third_party/mbedtls/include/mbedtls/x509_csr.h

X509 Error codes Documentation#

MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE#

#define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE
Value:
-0x2080

Unavailable feature, e.g.

RSA hashing/encryption combination.


Definition at line 57 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_ERR_X509_UNKNOWN_OID#

#define MBEDTLS_ERR_X509_UNKNOWN_OID
Value:
-0x2100

Requested OID is unknown.


Definition at line 59 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_ERR_X509_INVALID_FORMAT#

#define MBEDTLS_ERR_X509_INVALID_FORMAT
Value:
-0x2180

The CRT/CRL/CSR format is invalid, e.g.

different type expected.


Definition at line 61 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_ERR_X509_INVALID_VERSION#

#define MBEDTLS_ERR_X509_INVALID_VERSION
Value:
-0x2200

The CRT/CRL/CSR version element is invalid.


Definition at line 63 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_ERR_X509_INVALID_SERIAL#

#define MBEDTLS_ERR_X509_INVALID_SERIAL
Value:
-0x2280

The serial tag or value is invalid.


Definition at line 65 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_ERR_X509_INVALID_ALG#

#define MBEDTLS_ERR_X509_INVALID_ALG
Value:
-0x2300

The algorithm tag or value is invalid.


Definition at line 67 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_ERR_X509_INVALID_NAME#

#define MBEDTLS_ERR_X509_INVALID_NAME
Value:
-0x2380

The name tag or value is invalid.


Definition at line 69 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_ERR_X509_INVALID_DATE#

#define MBEDTLS_ERR_X509_INVALID_DATE
Value:
-0x2400

The date tag or value is invalid.


Definition at line 71 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_ERR_X509_INVALID_SIGNATURE#

#define MBEDTLS_ERR_X509_INVALID_SIGNATURE
Value:
-0x2480

The signature tag or value invalid.


Definition at line 73 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_ERR_X509_INVALID_EXTENSIONS#

#define MBEDTLS_ERR_X509_INVALID_EXTENSIONS
Value:
-0x2500

The extension tag or value is invalid.


Definition at line 75 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_ERR_X509_UNKNOWN_VERSION#

#define MBEDTLS_ERR_X509_UNKNOWN_VERSION
Value:
-0x2580

CRT/CRL/CSR has an unsupported version number.


Definition at line 77 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG#

#define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG
Value:
-0x2600

Signature algorithm (oid) is unsupported.


Definition at line 79 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_ERR_X509_SIG_MISMATCH#

#define MBEDTLS_ERR_X509_SIG_MISMATCH
Value:
-0x2680

Signature algorithms do not match.

(see mbedtls_x509_crt sig_oid)


Definition at line 81 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_ERR_X509_CERT_VERIFY_FAILED#

#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
Value:
-0x2700

Certificate verification failed, e.g.

CRL, CA or signature check failed.


Definition at line 83 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT#

#define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT
Value:
-0x2780

Format not recognized as DER or PEM.


Definition at line 85 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_ERR_X509_BAD_INPUT_DATA#

#define MBEDTLS_ERR_X509_BAD_INPUT_DATA
Value:
-0x2800

Input invalid.


Definition at line 87 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_ERR_X509_ALLOC_FAILED#

#define MBEDTLS_ERR_X509_ALLOC_FAILED
Value:
-0x2880

Allocation of memory failed.


Definition at line 89 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_ERR_X509_FILE_IO_ERROR#

#define MBEDTLS_ERR_X509_FILE_IO_ERROR
Value:
-0x2900

Read/write of file failed.


Definition at line 91 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_ERR_X509_BUFFER_TOO_SMALL#

#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL
Value:
-0x2980

Destination buffer is too small.


Definition at line 93 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_ERR_X509_FATAL_ERROR#

#define MBEDTLS_ERR_X509_FATAL_ERROR
Value:
-0x3000

A fatal error occurred, eg the chain is too long or the vrfy callback failed.


Definition at line 95 of file util/third_party/mbedtls/include/mbedtls/x509.h

X509 Verify codes Documentation#

MBEDTLS_X509_BADCERT_EXPIRED#

#define MBEDTLS_X509_BADCERT_EXPIRED
Value:
0x01

The certificate validity has expired.


Definition at line 103 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_X509_BADCERT_REVOKED#

#define MBEDTLS_X509_BADCERT_REVOKED
Value:
0x02

The certificate has been revoked (is on a CRL).


Definition at line 104 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_X509_BADCERT_CN_MISMATCH#

#define MBEDTLS_X509_BADCERT_CN_MISMATCH
Value:
0x04

The certificate Common Name (CN) does not match with the expected CN.


Definition at line 105 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_X509_BADCERT_NOT_TRUSTED#

#define MBEDTLS_X509_BADCERT_NOT_TRUSTED
Value:
0x08

The certificate is not correctly signed by the trusted CA.


Definition at line 106 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_X509_BADCRL_NOT_TRUSTED#

#define MBEDTLS_X509_BADCRL_NOT_TRUSTED
Value:
0x10

The CRL is not correctly signed by the trusted CA.


Definition at line 107 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_X509_BADCRL_EXPIRED#

#define MBEDTLS_X509_BADCRL_EXPIRED
Value:
0x20

The CRL is expired.


Definition at line 108 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_X509_BADCERT_MISSING#

#define MBEDTLS_X509_BADCERT_MISSING
Value:
0x40

Certificate was missing.


Definition at line 109 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_X509_BADCERT_SKIP_VERIFY#

#define MBEDTLS_X509_BADCERT_SKIP_VERIFY
Value:
0x80

Certificate verification was skipped.


Definition at line 110 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_X509_BADCERT_OTHER#

#define MBEDTLS_X509_BADCERT_OTHER
Value:
0x0100

Other reason (can be used by verify callback)


Definition at line 111 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_X509_BADCERT_FUTURE#

#define MBEDTLS_X509_BADCERT_FUTURE
Value:
0x0200

The certificate validity starts in the future.


Definition at line 112 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_X509_BADCRL_FUTURE#

#define MBEDTLS_X509_BADCRL_FUTURE
Value:
0x0400

The CRL is from the future.


Definition at line 113 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_X509_BADCERT_KEY_USAGE#

#define MBEDTLS_X509_BADCERT_KEY_USAGE
Value:
0x0800

Usage does not match the keyUsage extension.


Definition at line 114 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_X509_BADCERT_EXT_KEY_USAGE#

#define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE
Value:
0x1000

Usage does not match the extendedKeyUsage extension.


Definition at line 115 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_X509_BADCERT_NS_CERT_TYPE#

#define MBEDTLS_X509_BADCERT_NS_CERT_TYPE
Value:
0x2000

Usage does not match the nsCertType extension.


Definition at line 116 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_X509_BADCERT_BAD_MD#

#define MBEDTLS_X509_BADCERT_BAD_MD
Value:
0x4000

The certificate is signed with an unacceptable hash.


Definition at line 117 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_X509_BADCERT_BAD_PK#

#define MBEDTLS_X509_BADCERT_BAD_PK
Value:
0x8000

The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA).


Definition at line 118 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_X509_BADCERT_BAD_KEY#

#define MBEDTLS_X509_BADCERT_BAD_KEY
Value:
0x010000

The certificate is signed with an unacceptable key (eg bad curve, RSA too short).


Definition at line 119 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_X509_BADCRL_BAD_MD#

#define MBEDTLS_X509_BADCRL_BAD_MD
Value:
0x020000

The CRL is signed with an unacceptable hash.


Definition at line 120 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_X509_BADCRL_BAD_PK#

#define MBEDTLS_X509_BADCRL_BAD_PK
Value:
0x040000

The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA).


Definition at line 121 of file util/third_party/mbedtls/include/mbedtls/x509.h

MBEDTLS_X509_BADCRL_BAD_KEY#

#define MBEDTLS_X509_BADCRL_BAD_KEY
Value:
0x080000

The CRL is signed with an unacceptable key (eg bad curve, RSA too short).


Definition at line 122 of file util/third_party/mbedtls/include/mbedtls/x509.h

Function Documentation#

mbedtls_x509write_csr_init#

void mbedtls_x509write_csr_init (mbedtls_x509write_csr * ctx)

Initialize a CSR context.

Parameters
N/Actx

CSR context to initialize


Definition at line 177 of file util/third_party/mbedtls/include/mbedtls/x509_csr.h

mbedtls_x509write_csr_set_subject_name#

int mbedtls_x509write_csr_set_subject_name (mbedtls_x509write_csr * ctx, const char * subject_name)

Set the subject name for a CSR Subject names should contain a comma-separated list of OID types and values: e.g.

Parameters
N/Actx

CSR context to use

N/Asubject_name

subject name to set

"C=UK,O=ARM,CN=Mbed TLS Server 1"

Returns

  • 0 if subject name was parsed successfully, or a specific error code


Definition at line 191 of file util/third_party/mbedtls/include/mbedtls/x509_csr.h

mbedtls_x509write_csr_set_key#

void mbedtls_x509write_csr_set_key (mbedtls_x509write_csr * ctx, mbedtls_pk_context * key)

Set the key for a CSR (public key will be included, private key used to sign the CSR when writing it)

Parameters
N/Actx

CSR context to use

N/Akey

Asymmetric key to include


Definition at line 201 of file util/third_party/mbedtls/include/mbedtls/x509_csr.h

mbedtls_x509write_csr_set_md_alg#

void mbedtls_x509write_csr_set_md_alg (mbedtls_x509write_csr * ctx, mbedtls_md_type_t md_alg)

Set the MD algorithm to use for the signature (e.g.

Parameters
N/Actx

CSR context to use

N/Amd_alg

MD algorithm to use

MBEDTLS_MD_SHA1)


Definition at line 210 of file util/third_party/mbedtls/include/mbedtls/x509_csr.h

mbedtls_x509write_csr_set_key_usage#

int mbedtls_x509write_csr_set_key_usage (mbedtls_x509write_csr * ctx, unsigned char key_usage)

Set the Key Usage Extension flags (e.g.

Parameters
N/Actx

CSR context to use

N/Akey_usage

key usage flags to set

MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN)

Returns

  • 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED

Note

  • The decipherOnly flag from the Key Usage extension is represented by bit 8 (i.e. 0x8000), which cannot typically be represented in an unsigned char. Therefore, the flag decipherOnly (i.e. #MBEDTLS_X509_KU_DECIPHER_ONLY) cannot be set using this function.


Definition at line 229 of file util/third_party/mbedtls/include/mbedtls/x509_csr.h

mbedtls_x509write_csr_set_subject_alternative_name#

int mbedtls_x509write_csr_set_subject_alternative_name (mbedtls_x509write_csr * ctx, const mbedtls_x509_san_list * san_list)

Set Subject Alternative Name.

Parameters
N/Actx

CSR context to use

N/Asan_list

List of SAN values

Returns

  • 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED

Note

  • Only "dnsName", "uniformResourceIdentifier" and "otherName", as defined in RFC 5280, are supported.


Definition at line 242 of file util/third_party/mbedtls/include/mbedtls/x509_csr.h

mbedtls_x509write_csr_set_ns_cert_type#

int mbedtls_x509write_csr_set_ns_cert_type (mbedtls_x509write_csr * ctx, unsigned char ns_cert_type)

Set the Netscape Cert Type flags (e.g.

Parameters
N/Actx

CSR context to use

N/Ans_cert_type

Netscape Cert Type flags to set

MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)

Returns

  • 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED


Definition at line 254 of file util/third_party/mbedtls/include/mbedtls/x509_csr.h

mbedtls_x509write_csr_set_extension#

int mbedtls_x509write_csr_set_extension (mbedtls_x509write_csr * ctx, const char * oid, size_t oid_len, int critical, const unsigned char * val, size_t val_len)

Generic function to add to or replace an extension in the CSR.

Parameters
N/Actx

CSR context to use

N/Aoid

OID of the extension

N/Aoid_len

length of the OID

N/Acritical

Set to 1 to mark the extension as critical, 0 otherwise.

N/Aval

value of the extension OCTET STRING

N/Aval_len

length of the value data

Returns

  • 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED


Definition at line 270 of file util/third_party/mbedtls/include/mbedtls/x509_csr.h

mbedtls_x509write_csr_free#

void mbedtls_x509write_csr_free (mbedtls_x509write_csr * ctx)

Free the contents of a CSR context.

Parameters
N/Actx

CSR context to free


Definition at line 280 of file util/third_party/mbedtls/include/mbedtls/x509_csr.h

mbedtls_x509write_csr_der#

int mbedtls_x509write_csr_der (mbedtls_x509write_csr * ctx, unsigned char * buf, size_t size, int(*)(void *, unsigned char *, size_t) f_rng, void * p_rng)

Write a CSR (Certificate Signing Request) to a DER structure Note: data is written at the end of the buffer! Use the return value to determine where you should start using the buffer.

Parameters
N/Actx

CSR to write away

N/Abuf

buffer to write to

N/Asize

size of the buffer

N/Af_rng

RNG function. This must not be NULL.

N/Ap_rng

RNG parameter

Returns

  • length of data written if successful, or a specific error code

Note

  • f_rng is used for the signature operation.


Definition at line 300 of file util/third_party/mbedtls/include/mbedtls/x509_csr.h

mbedtls_x509write_csr_pem#

int mbedtls_x509write_csr_pem (mbedtls_x509write_csr * ctx, unsigned char * buf, size_t size, int(*)(void *, unsigned char *, size_t) f_rng, void * p_rng)

Write a CSR (Certificate Signing Request) to a PEM string.

Parameters
N/Actx

CSR to write away

N/Abuf

buffer to write to

N/Asize

size of the buffer

N/Af_rng

RNG function. This must not be NULL.

N/Ap_rng

RNG parameter

Returns

  • 0 if successful, or a specific error code

Note

  • f_rng is used for the signature operation.


Definition at line 319 of file util/third_party/mbedtls/include/mbedtls/x509_csr.h

mbedtls_x509_dn_gets#

int mbedtls_x509_dn_gets (char * buf, size_t size, const mbedtls_x509_name * dn)

Store the certificate DN in printable form into buf; no more than size characters will be written.

Parameters
N/Abuf

Buffer to write to

N/Asize

Maximum size of buffer

N/Adn

The X509 name to represent

Returns

  • The length of the string written (not including the terminated nul byte), or a negative error code.


Definition at line 334 of file util/third_party/mbedtls/include/mbedtls/x509.h

mbedtls_x509_dn_get_next#

static mbedtls_x509_name * mbedtls_x509_dn_get_next (mbedtls_x509_name * dn)

Return the next relative DN in an X509 name.

Parameters
N/Adn

Current node in the X509 name

Note

  • Intended use is to compare function result to dn->next in order to detect boundaries of multi-valued RDNs.

Returns

  • Pointer to the first attribute-value pair of the next RDN in sequence, or NULL if end is reached.


Definition at line 347 of file util/third_party/mbedtls/include/mbedtls/x509.h

mbedtls_x509_serial_gets#

int mbedtls_x509_serial_gets (char * buf, size_t size, const mbedtls_x509_buf * serial)

Store the certificate serial in printable form into buf; no more than size characters will be written.

Parameters
N/Abuf

Buffer to write to

N/Asize

Maximum size of buffer

N/Aserial

The X509 serial to represent

Returns

  • The length of the string written (not including the terminated nul byte), or a negative error code.


Definition at line 367 of file util/third_party/mbedtls/include/mbedtls/x509.h

mbedtls_x509_time_cmp#

int mbedtls_x509_time_cmp (const mbedtls_x509_time * t1, const mbedtls_x509_time * t2)

Compare pair of mbedtls_x509_time.

Parameters
N/At1

mbedtls_x509_time to compare

N/At2

mbedtls_x509_time to compare

Returns

  • < 0 if t1 is before t2 0 if t1 equals t2 > 0 if t1 is after t2


Definition at line 379 of file util/third_party/mbedtls/include/mbedtls/x509.h

mbedtls_x509_time_is_past#

int mbedtls_x509_time_is_past (const mbedtls_x509_time * to)

Check a given mbedtls_x509_time against the system time and tell if it's in the past.

Parameters
N/Ato

mbedtls_x509_time to check

Note

  • Intended usage is "if( is_past( valid_to ) ) ERROR". Hence the return value of 1 if on internal errors.

Returns

  • 1 if the given time is in the past or an error occurred, 0 otherwise.


Definition at line 406 of file util/third_party/mbedtls/include/mbedtls/x509.h

mbedtls_x509_time_is_future#

int mbedtls_x509_time_is_future (const mbedtls_x509_time * from)

Check a given mbedtls_x509_time against the system time and tell if it's in the future.

Parameters
N/Afrom

mbedtls_x509_time to check

Note

  • Intended usage is "if( is_future( valid_from ) ) ERROR". Hence the return value of 1 if on internal errors.

Returns

  • 1 if the given time is in the future or an error occurred, 0 otherwise.


Definition at line 420 of file util/third_party/mbedtls/include/mbedtls/x509.h

mbedtls_x509_parse_subject_alt_name#

int mbedtls_x509_parse_subject_alt_name (const mbedtls_x509_buf * san_buf, mbedtls_x509_subject_alternative_name * san)

This function parses an item in the SubjectAlternativeNames extension.

Parameters
N/Asan_buf

The buffer holding the raw data item of the subject alternative name.

N/Asan

The target structure to populate with the parsed presentation of the subject alternative name encoded in san_buf.

Please note that this function might allocate additional memory for a subject alternative name, thus mbedtls_x509_free_subject_alt_name has to be called to dispose of this additional memory afterwards.

Note

  • Supported GeneralName types, as defined in RFC 5280: "rfc822Name", "dnsName", "directoryName", "uniformResourceIdentifier" and "hardware_module_name" of type "otherName", as defined in RFC 4108.

  • This function should be called on a single raw data of subject alternative name. For example, after successful certificate parsing, one must iterate on every item in the crt->subject_alt_names sequence, and pass it to this function.

Warnings

  • The target structure contains pointers to the raw data of the parsed certificate, and its lifetime is restricted by the lifetime of the certificate.

Returns


Definition at line 454 of file util/third_party/mbedtls/include/mbedtls/x509.h

mbedtls_x509_free_subject_alt_name#

void mbedtls_x509_free_subject_alt_name (mbedtls_x509_subject_alternative_name * san)

Unallocate all data related to subject alternative name.

Parameters
N/Asan

SAN structure - extra memory owned by this structure will be freed


Definition at line 461 of file util/third_party/mbedtls/include/mbedtls/x509.h

mbedtls_x509write_crt_init#

void mbedtls_x509write_crt_init (mbedtls_x509write_cert * ctx)

Initialize a CRT writing context.

Parameters
N/Actx

CRT context to initialize


Definition at line 939 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509write_crt_set_version#

void mbedtls_x509write_crt_set_version (mbedtls_x509write_cert * ctx, int version)

Set the version for a Certificate Default: MBEDTLS_X509_CRT_VERSION_3.

Parameters
N/Actx

CRT context to use

N/Aversion

version to set (MBEDTLS_X509_CRT_VERSION_1, MBEDTLS_X509_CRT_VERSION_2 or MBEDTLS_X509_CRT_VERSION_3)


Definition at line 949 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509write_crt_set_serial#

int MBEDTLS_DEPRECATED mbedtls_x509write_crt_set_serial (mbedtls_x509write_cert * ctx, const mbedtls_mpi * serial)

Set the serial number for a Certificate.

Parameters
N/Actx

CRT context to use

N/Aserial

serial number to set

Note

  • Even though the MBEDTLS_BIGNUM_C guard looks redundant since X509 depends on PK and PK depends on BIGNUM, this emphasizes a direct dependency between X509 and BIGNUM which is going to be deprecated in the future.

Returns

  • 0 if successful


Definition at line 969 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509write_crt_set_serial_raw#

int mbedtls_x509write_crt_set_serial_raw (mbedtls_x509write_cert * ctx, unsigned char * serial, size_t serial_len)

Set the serial number for a Certificate.

Parameters
N/Actx

CRT context to use

N/Aserial

A raw array of bytes containing the serial number in big endian format

N/Aserial_len

Length of valid bytes (expressed in bytes) in serial input buffer

Returns

  • 0 if successful, or MBEDTLS_ERR_X509_BAD_INPUT_DATA if the provided input buffer is too big (longer than MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN)


Definition at line 986 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509write_crt_set_validity#

int mbedtls_x509write_crt_set_validity (mbedtls_x509write_cert * ctx, const char * not_before, const char * not_after)

Set the validity period for a Certificate Timestamps should be in string format for UTC timezone i.e.

Parameters
N/Actx

CRT context to use

N/Anot_before

not_before timestamp

N/Anot_after

not_after timestamp

"YYYYMMDDhhmmss" e.g. "20131231235959" for December 31st 2013 at 23:59:59

Returns

  • 0 if timestamp was parsed successfully, or a specific error code


Definition at line 1003 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509write_crt_set_issuer_name#

int mbedtls_x509write_crt_set_issuer_name (mbedtls_x509write_cert * ctx, const char * issuer_name)

Set the issuer name for a Certificate Issuer names should contain a comma-separated list of OID types and values: e.g.

Parameters
N/Actx

CRT context to use

N/Aissuer_name

issuer name to set

"C=UK,O=ARM,CN=Mbed TLS CA"

Returns

  • 0 if issuer name was parsed successfully, or a specific error code


Definition at line 1018 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509write_crt_set_subject_name#

int mbedtls_x509write_crt_set_subject_name (mbedtls_x509write_cert * ctx, const char * subject_name)

Set the subject name for a Certificate Subject names should contain a comma-separated list of OID types and values: e.g.

Parameters
N/Actx

CRT context to use

N/Asubject_name

subject name to set

"C=UK,O=ARM,CN=Mbed TLS Server 1"

Returns

  • 0 if subject name was parsed successfully, or a specific error code


Definition at line 1033 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509write_crt_set_subject_key#

void mbedtls_x509write_crt_set_subject_key (mbedtls_x509write_cert * ctx, mbedtls_pk_context * key)

Set the subject public key for the certificate.

Parameters
N/Actx

CRT context to use

N/Akey

public key to include


Definition at line 1042 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509write_crt_set_issuer_key#

void mbedtls_x509write_crt_set_issuer_key (mbedtls_x509write_cert * ctx, mbedtls_pk_context * key)

Set the issuer key used for signing the certificate.

Parameters
N/Actx

CRT context to use

N/Akey

private key to sign with


Definition at line 1050 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509write_crt_set_md_alg#

void mbedtls_x509write_crt_set_md_alg (mbedtls_x509write_cert * ctx, mbedtls_md_type_t md_alg)

Set the MD algorithm to use for the signature (e.g.

Parameters
N/Actx

CRT context to use

N/Amd_alg

MD algorithm to use

MBEDTLS_MD_SHA1)


Definition at line 1059 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509write_crt_set_extension#

int mbedtls_x509write_crt_set_extension (mbedtls_x509write_cert * ctx, const char * oid, size_t oid_len, int critical, const unsigned char * val, size_t val_len)

Generic function to add to or replace an extension in the CRT.

Parameters
N/Actx

CRT context to use

N/Aoid

OID of the extension

N/Aoid_len

length of the OID

N/Acritical

if the extension is critical (per the RFC's definition)

N/Aval

value of the extension OCTET STRING

N/Aval_len

length of the value data

Returns

  • 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED


Definition at line 1074 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509write_crt_set_basic_constraints#

int mbedtls_x509write_crt_set_basic_constraints (mbedtls_x509write_cert * ctx, int is_ca, int max_pathlen)

Set the basicConstraints extension for a CRT.

Parameters
N/Actx

CRT context to use

N/Ais_ca

is this a CA certificate

N/Amax_pathlen

maximum length of certificate chains below this certificate (only for CA certificates, -1 is unlimited)

Returns

  • 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED


Definition at line 1090 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509write_crt_set_key_usage#

int mbedtls_x509write_crt_set_key_usage (mbedtls_x509write_cert * ctx, unsigned int key_usage)

Set the Key Usage Extension flags (e.g.

Parameters
N/Actx

CRT context to use

N/Akey_usage

key usage flags to set

MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN)

Returns

  • 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED


Definition at line 1126 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509write_crt_set_ext_key_usage#

int mbedtls_x509write_crt_set_ext_key_usage (mbedtls_x509write_cert * ctx, const mbedtls_asn1_sequence * exts)

Set the Extended Key Usage Extension (e.g.

Parameters
N/Actx

CRT context to use

N/Aexts

extended key usage extensions to set, a sequence of MBEDTLS_ASN1_OID objects

MBEDTLS_OID_SERVER_AUTH)

Returns

  • 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED


Definition at line 1139 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509write_crt_set_ns_cert_type#

int mbedtls_x509write_crt_set_ns_cert_type (mbedtls_x509write_cert * ctx, unsigned char ns_cert_type)

Set the Netscape Cert Type flags (e.g.

Parameters
N/Actx

CRT context to use

N/Ans_cert_type

Netscape Cert Type flags to set

MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)

Returns

  • 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED


Definition at line 1151 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509write_crt_free#

void mbedtls_x509write_crt_free (mbedtls_x509write_cert * ctx)

Free the contents of a CRT write context.

Parameters
N/Actx

CRT context to free


Definition at line 1159 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509write_crt_der#

int mbedtls_x509write_crt_der (mbedtls_x509write_cert * ctx, unsigned char * buf, size_t size, int(*)(void *, unsigned char *, size_t) f_rng, void * p_rng)

Write a built up certificate to a X509 DER structure Note: data is written at the end of the buffer! Use the return value to determine where you should start using the buffer.

Parameters
N/Actx

certificate to write away

N/Abuf

buffer to write to

N/Asize

size of the buffer

N/Af_rng

RNG function. This must not be NULL.

N/Ap_rng

RNG parameter

Returns

  • length of data written if successful, or a specific error code

Note

  • f_rng is used for the signature operation.


Definition at line 1178 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

mbedtls_x509write_crt_pem#

int mbedtls_x509write_crt_pem (mbedtls_x509write_cert * ctx, unsigned char * buf, size_t size, int(*)(void *, unsigned char *, size_t) f_rng, void * p_rng)

Write a built up certificate to a X509 PEM string.

Parameters
N/Actx

certificate to write away

N/Abuf

buffer to write to

N/Asize

size of the buffer

N/Af_rng

RNG function. This must not be NULL.

N/Ap_rng

RNG parameter

Returns

  • 0 if successful, or a specific error code

Note

  • f_rng is used for the signature operation.


Definition at line 1196 of file util/third_party/mbedtls/include/mbedtls/x509_crt.h

Macro Definition Documentation#

MBEDTLS_X509_MAX_INTERMEDIATE_CA#

#define MBEDTLS_X509_MAX_INTERMEDIATE_CA
Value:
8

Maximum number of intermediate CAs in a verification chain.

That is, maximum length of the chain, excluding the end-entity certificate and the trusted root certificate.

Set this to a low value to prevent an adversary from making you waste resources verifying an overlong certificate chain.


Definition at line 49 of file util/third_party/mbedtls/include/mbedtls/x509.h