 |
5.11.0.0R3
Software Development Kit |
|
 |
|
5.11.0.0R3
Software Development Kit |
|
|
Data Structures | |
| struct | mbedtls_x509_crl |
| struct | mbedtls_x509_crl_entry |
| struct | mbedtls_x509_crt |
| struct | mbedtls_x509_crt_profile |
| struct | mbedtls_x509_crt_verify_chain |
| struct | mbedtls_x509_crt_verify_chain_item |
| struct | mbedtls_x509_time |
| struct | mbedtls_x509write_cert |
Macros | |
| #define | MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 |
Functions | |
| int | mbedtls_dhm_parse_dhm (mbedtls_dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen) |
| This function parses DHM parameters in PEM or DER format. | |
| int | mbedtls_dhm_parse_dhmfile (mbedtls_dhm_context *dhm, const char *path) |
| This function loads and parses DHM parameters from a file. | |
| int | mbedtls_x509_dn_gets (char *buf, size_t size, const mbedtls_x509_name *dn) |
| Store the certificate DN in printable form into buf; no more than size characters will be written. | |
| int | mbedtls_x509_self_test (int verbose) |
| Checkup routine. | |
| int | mbedtls_x509_serial_gets (char *buf, size_t size, const mbedtls_x509_buf *serial) |
| Store the certificate serial in printable form into buf; no more than size characters will be written. | |
| int | mbedtls_x509_time_is_future (const mbedtls_x509_time *from) |
| Check a given mbedtls_x509_time against the system time and tell if it's in the future. | |
| int | mbedtls_x509_time_is_past (const mbedtls_x509_time *to) |
| Check a given mbedtls_x509_time against the system time and tell if it's in the past. | |
Structures for parsing X.509 certificates, CRLs and CSRs | |
| typedef mbedtls_asn1_buf | mbedtls_x509_buf |
| typedef mbedtls_asn1_bitstring | mbedtls_x509_bitstring |
| typedef mbedtls_asn1_named_data | mbedtls_x509_name |
| typedef mbedtls_asn1_sequence | mbedtls_x509_sequence |
| typedef struct mbedtls_x509_time | mbedtls_x509_time |
Structures and functions for parsing CRLs | |
| typedef struct mbedtls_x509_crl_entry | mbedtls_x509_crl_entry |
| typedef struct mbedtls_x509_crl | mbedtls_x509_crl |
| int | mbedtls_x509_crl_parse_der (mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen) |
| Parse a DER-encoded CRL and append it to the chained list. | |
| int | mbedtls_x509_crl_parse (mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen) |
| Parse one or more CRLs and append them to the chained list. | |
| int | mbedtls_x509_crl_parse_file (mbedtls_x509_crl *chain, const char *path) |
| Load one or more CRLs and append them to the chained list. | |
| int | mbedtls_x509_crl_info (char *buf, size_t size, const char *prefix, const mbedtls_x509_crl *crl) |
| Returns an informational string about the CRL. | |
| void | mbedtls_x509_crl_init (mbedtls_x509_crl *crl) |
| Initialize a CRL (chain) | |
| void | mbedtls_x509_crl_free (mbedtls_x509_crl *crl) |
| Unallocate all CRL data. | |
Structures and functions for parsing and writing X.509 certificates | |
| typedef struct mbedtls_x509_crt | mbedtls_x509_crt |
| typedef struct mbedtls_x509_crt_profile | mbedtls_x509_crt_profile |
| typedef struct mbedtls_x509write_cert | mbedtls_x509write_cert |
| const mbedtls_x509_crt_profile | mbedtls_x509_crt_profile_default |
| const mbedtls_x509_crt_profile | mbedtls_x509_crt_profile_next |
| const mbedtls_x509_crt_profile | mbedtls_x509_crt_profile_suiteb |
| int | mbedtls_x509_crt_parse_der (mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen) |
| Parse a single DER formatted certificate and add it to the chained list. | |
| int | mbedtls_x509_crt_parse (mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen) |
| Parse one DER-encoded or one or more concatenated PEM-encoded certificates and add them to the chained list. | |
| int | mbedtls_x509_crt_parse_file (mbedtls_x509_crt *chain, const char *path) |
| Load one or more certificates and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned. | |
| int | mbedtls_x509_crt_parse_path (mbedtls_x509_crt *chain, const char *path) |
| Load one or more certificate files from a path and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned. | |
| int | mbedtls_x509_crt_info (char *buf, size_t size, const char *prefix, const mbedtls_x509_crt *crt) |
| Returns an informational string about the certificate. | |
| int | mbedtls_x509_crt_verify_info (char *buf, size_t size, const char *prefix, uint32_t flags) |
| Returns an informational string about the verification status of a certificate. | |
| int | mbedtls_x509_crt_verify (mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy) |
| Verify the certificate signature. | |
| int | mbedtls_x509_crt_verify_with_profile (mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy) |
| Verify the certificate signature according to profile. | |
| int | mbedtls_x509_crt_verify_restartable (mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy, mbedtls_x509_crt_restart_ctx *rs_ctx) |
Restartable version of mbedtls_crt_verify_with_profile() | |
| int | mbedtls_x509_crt_check_key_usage (const mbedtls_x509_crt *crt, unsigned int usage) |
| Check usage of certificate against keyUsage extension. | |
| int | mbedtls_x509_crt_check_extended_key_usage (const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len) |
| Check usage of certificate against extendedKeyUsage. | |
| int | mbedtls_x509_crt_is_revoked (const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl) |
| Verify the certificate revocation status. | |
| void | mbedtls_x509_crt_init (mbedtls_x509_crt *crt) |
| Initialize a certificate (chain) | |
| void | mbedtls_x509_crt_free (mbedtls_x509_crt *crt) |
| Unallocate all certificate data. | |
| void | mbedtls_x509write_crt_init (mbedtls_x509write_cert *ctx) |
| Initialize a CRT writing context. | |
| void | mbedtls_x509write_crt_set_version (mbedtls_x509write_cert *ctx, int version) |
| Set the verion for a Certificate Default: MBEDTLS_X509_CRT_VERSION_3. | |
| int | mbedtls_x509write_crt_set_serial (mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial) |
| Set the serial number for a Certificate. | |
| int | mbedtls_x509write_crt_set_validity (mbedtls_x509write_cert *ctx, const char *not_before, const char *not_after) |
| Set the validity period for a Certificate Timestamps should be in string format for UTC timezone i.e. "YYYYMMDDhhmmss" e.g. "20131231235959" for December 31st 2013 at 23:59:59. | |
| int | mbedtls_x509write_crt_set_issuer_name (mbedtls_x509write_cert *ctx, const char *issuer_name) |
| Set the issuer name for a Certificate Issuer names should contain a comma-separated list of OID types and values: e.g. "C=UK,O=ARM,CN=mbed TLS CA". | |
| int | mbedtls_x509write_crt_set_subject_name (mbedtls_x509write_cert *ctx, const char *subject_name) |
| Set the subject name for a Certificate Subject names should contain a comma-separated list of OID types and values: e.g. "C=UK,O=ARM,CN=mbed TLS Server 1". | |
| void | mbedtls_x509write_crt_set_subject_key (mbedtls_x509write_cert *ctx, mbedtls_pk_context *key) |
| Set the subject public key for the certificate. | |
| void | mbedtls_x509write_crt_set_issuer_key (mbedtls_x509write_cert *ctx, mbedtls_pk_context *key) |
| Set the issuer key used for signing the certificate. | |
| void | mbedtls_x509write_crt_set_md_alg (mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg) |
| Set the MD algorithm to use for the signature (e.g. MBEDTLS_MD_SHA1) | |
| int | mbedtls_x509write_crt_set_extension (mbedtls_x509write_cert *ctx, const char *oid, size_t oid_len, int critical, const unsigned char *val, size_t val_len) |
| Generic function to add to or replace an extension in the CRT. | |
| int | mbedtls_x509write_crt_set_basic_constraints (mbedtls_x509write_cert *ctx, int is_ca, int max_pathlen) |
| Set the basicConstraints extension for a CRT. | |
| int | mbedtls_x509write_crt_set_subject_key_identifier (mbedtls_x509write_cert *ctx) |
| Set the subjectKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_subject_key() has been called before. | |
| int | mbedtls_x509write_crt_set_authority_key_identifier (mbedtls_x509write_cert *ctx) |
| Set the authorityKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_issuer_key() has been called before. | |
| int | mbedtls_x509write_crt_set_key_usage (mbedtls_x509write_cert *ctx, unsigned int key_usage) |
| Set the Key Usage Extension flags (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN) | |
| int | mbedtls_x509write_crt_set_ns_cert_type (mbedtls_x509write_cert *ctx, unsigned char ns_cert_type) |
| Set the Netscape Cert Type flags (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL) | |
| void | mbedtls_x509write_crt_free (mbedtls_x509write_cert *ctx) |
| Free the contents of a CRT write context. | |
| int | mbedtls_x509write_crt_der (mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng) |
| Write a built up certificate to a X509 DER structure Note: data is written at the end of the buffer! Use the return value to determine where you should start using the buffer. | |
| int | mbedtls_x509write_crt_pem (mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng) |
| Write a built up certificate to a X509 PEM string. | |
| #define | MBEDTLS_X509_ID_FLAG(id) |
| #define | MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 ) |
X509 Error codes | |
| #define | MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE -0x2080 |
| #define | MBEDTLS_ERR_X509_UNKNOWN_OID -0x2100 |
| #define | MBEDTLS_ERR_X509_INVALID_FORMAT -0x2180 |
| #define | MBEDTLS_ERR_X509_INVALID_VERSION -0x2200 |
| #define | MBEDTLS_ERR_X509_INVALID_SERIAL -0x2280 |
| #define | MBEDTLS_ERR_X509_INVALID_ALG -0x2300 |
| #define | MBEDTLS_ERR_X509_INVALID_NAME -0x2380 |
| #define | MBEDTLS_ERR_X509_INVALID_DATE -0x2400 |
| #define | MBEDTLS_ERR_X509_INVALID_SIGNATURE -0x2480 |
| #define | MBEDTLS_ERR_X509_INVALID_EXTENSIONS -0x2500 |
| #define | MBEDTLS_ERR_X509_UNKNOWN_VERSION -0x2580 |
| #define | MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG -0x2600 |
| #define | MBEDTLS_ERR_X509_SIG_MISMATCH -0x2680 |
| #define | MBEDTLS_ERR_X509_CERT_VERIFY_FAILED -0x2700 |
| #define | MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT -0x2780 |
| #define | MBEDTLS_ERR_X509_BAD_INPUT_DATA -0x2800 |
| #define | MBEDTLS_ERR_X509_ALLOC_FAILED -0x2880 |
| #define | MBEDTLS_ERR_X509_FILE_IO_ERROR -0x2900 |
| #define | MBEDTLS_ERR_X509_BUFFER_TOO_SMALL -0x2980 |
| #define | MBEDTLS_ERR_X509_FATAL_ERROR -0x3000 |
X509 Verify codes | |
| #define | MBEDTLS_X509_BADCERT_EXPIRED 0x01 |
| #define | MBEDTLS_X509_BADCERT_REVOKED 0x02 |
| #define | MBEDTLS_X509_BADCERT_CN_MISMATCH 0x04 |
| #define | MBEDTLS_X509_BADCERT_NOT_TRUSTED 0x08 |
| #define | MBEDTLS_X509_BADCRL_NOT_TRUSTED 0x10 |
| #define | MBEDTLS_X509_BADCRL_EXPIRED 0x20 |
| #define | MBEDTLS_X509_BADCERT_MISSING 0x40 |
| #define | MBEDTLS_X509_BADCERT_SKIP_VERIFY 0x80 |
| #define | MBEDTLS_X509_BADCERT_OTHER 0x0100 |
| #define | MBEDTLS_X509_BADCERT_FUTURE 0x0200 |
| #define | MBEDTLS_X509_BADCRL_FUTURE 0x0400 |
| #define | MBEDTLS_X509_BADCERT_KEY_USAGE 0x0800 |
| #define | MBEDTLS_X509_BADCERT_EXT_KEY_USAGE 0x1000 |
| #define | MBEDTLS_X509_BADCERT_NS_CERT_TYPE 0x2000 |
| #define | MBEDTLS_X509_BADCERT_BAD_MD 0x4000 |
| #define | MBEDTLS_X509_BADCERT_BAD_PK 0x8000 |
| #define | MBEDTLS_X509_BADCERT_BAD_KEY 0x010000 |
| #define | MBEDTLS_X509_BADCRL_BAD_MD 0x020000 |
| #define | MBEDTLS_X509_BADCRL_BAD_PK 0x040000 |
| #define | MBEDTLS_X509_BADCRL_BAD_KEY 0x080000 |
| #define | MBEDTLS_X509_MAX_DN_NAME_SIZE 256 |
| #define MBEDTLS_ERR_X509_ALLOC_FAILED -0x2880 |
Allocation of memory failed.
| #define MBEDTLS_ERR_X509_BAD_INPUT_DATA -0x2800 |
Input invalid.
| #define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL -0x2980 |
Destination buffer is too small.
| #define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT -0x2780 |
Format not recognized as DER or PEM.
| #define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED -0x2700 |
Certificate verification failed, e.g. CRL, CA or signature check failed.
| #define MBEDTLS_ERR_X509_FATAL_ERROR -0x3000 |
A fatal error occurred, eg the chain is too long or the vrfy callback failed.
| #define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE -0x2080 |
Unavailable feature, e.g. RSA hashing/encryption combination.
| #define MBEDTLS_ERR_X509_FILE_IO_ERROR -0x2900 |
Read/write of file failed.
| #define MBEDTLS_ERR_X509_INVALID_ALG -0x2300 |
The algorithm tag or value is invalid.
| #define MBEDTLS_ERR_X509_INVALID_DATE -0x2400 |
The date tag or value is invalid.
| #define MBEDTLS_ERR_X509_INVALID_EXTENSIONS -0x2500 |
The extension tag or value is invalid.
| #define MBEDTLS_ERR_X509_INVALID_FORMAT -0x2180 |
The CRT/CRL/CSR format is invalid, e.g. different type expected.
| #define MBEDTLS_ERR_X509_INVALID_NAME -0x2380 |
The name tag or value is invalid.
| #define MBEDTLS_ERR_X509_INVALID_SERIAL -0x2280 |
The serial tag or value is invalid.
| #define MBEDTLS_ERR_X509_INVALID_SIGNATURE -0x2480 |
The signature tag or value invalid.
| #define MBEDTLS_ERR_X509_INVALID_VERSION -0x2200 |
The CRT/CRL/CSR version element is invalid.
| #define MBEDTLS_ERR_X509_SIG_MISMATCH -0x2680 |
Signature algorithms do not match. (see mbedtls_x509_crt sig_oid)
| #define MBEDTLS_ERR_X509_UNKNOWN_OID -0x2100 |
Requested OID is unknown.
| #define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG -0x2600 |
Signature algorithm (oid) is unsupported.
| #define MBEDTLS_ERR_X509_UNKNOWN_VERSION -0x2580 |
CRT/CRL/CSR has an unsupported version number.
| #define MBEDTLS_X509_BADCERT_BAD_KEY 0x010000 |
The certificate is signed with an unacceptable key (eg bad curve, RSA too short).
| #define MBEDTLS_X509_BADCERT_BAD_MD 0x4000 |
The certificate is signed with an unacceptable hash.
| #define MBEDTLS_X509_BADCERT_BAD_PK 0x8000 |
The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA).
| #define MBEDTLS_X509_BADCERT_CN_MISMATCH 0x04 |
The certificate Common Name (CN) does not match with the expected CN.
| #define MBEDTLS_X509_BADCERT_EXPIRED 0x01 |
The certificate validity has expired.
| #define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE 0x1000 |
Usage does not match the extendedKeyUsage extension.
| #define MBEDTLS_X509_BADCERT_FUTURE 0x0200 |
The certificate validity starts in the future.
| #define MBEDTLS_X509_BADCERT_KEY_USAGE 0x0800 |
Usage does not match the keyUsage extension.
| #define MBEDTLS_X509_BADCERT_MISSING 0x40 |
Certificate was missing.
| #define MBEDTLS_X509_BADCERT_NOT_TRUSTED 0x08 |
The certificate is not correctly signed by the trusted CA.
| #define MBEDTLS_X509_BADCERT_NS_CERT_TYPE 0x2000 |
Usage does not match the nsCertType extension.
| #define MBEDTLS_X509_BADCERT_OTHER 0x0100 |
Other reason (can be used by verify callback)
| #define MBEDTLS_X509_BADCERT_REVOKED 0x02 |
The certificate has been revoked (is on a CRL).
| #define MBEDTLS_X509_BADCERT_SKIP_VERIFY 0x80 |
Certificate verification was skipped.
| #define MBEDTLS_X509_BADCRL_BAD_KEY 0x080000 |
The CRL is signed with an unacceptable key (eg bad curve, RSA too short).
| #define MBEDTLS_X509_BADCRL_BAD_MD 0x020000 |
The CRL is signed with an unacceptable hash.
| #define MBEDTLS_X509_BADCRL_BAD_PK 0x040000 |
The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA).
| #define MBEDTLS_X509_BADCRL_EXPIRED 0x20 |
The CRL is expired.
| #define MBEDTLS_X509_BADCRL_FUTURE 0x0400 |
The CRL is from the future
| #define MBEDTLS_X509_BADCRL_NOT_TRUSTED 0x10 |
The CRL is not correctly signed by the trusted CA.
| #define MBEDTLS_X509_ID_FLAG | ( | id | ) |
Build flag from an algorithm/curve identifier (pk, md, ecp) Since 0 is always XXX_NONE, ignore it.
| #define MBEDTLS_X509_MAX_DN_NAME_SIZE 256 |
Maximum value size of a DN entry
| #define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 |
Maximum number of intermediate CAs in a verification chain. That is, maximum length of the chain, excluding the end-entity certificate and the trusted root certificate.
Set this to a low value to prevent an adversary from making you waste resources verifying an overlong certificate chain.
| #define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 ) |
Max size of verification chain: end-entity + intermediates + trusted root
Container for ASN1 bit strings.
| typedef mbedtls_asn1_buf mbedtls_x509_buf |
Type-length-value structure that allows for ASN1 using DER.
| typedef struct mbedtls_x509_crl mbedtls_x509_crl |
Certificate revocation list structure. Every CRL may have multiple entries.
| typedef struct mbedtls_x509_crl_entry mbedtls_x509_crl_entry |
Certificate revocation list entry. Contains the CA-specific serial numbers and revocation dates.
| typedef struct mbedtls_x509_crt mbedtls_x509_crt |
Container for an X.509 certificate. The certificate may be chained.
| typedef struct mbedtls_x509_crt_profile mbedtls_x509_crt_profile |
Security profile for certificate verification.
All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG().
Container for ASN1 named information objects. It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.).
Container for a sequence of ASN.1 items
| typedef struct mbedtls_x509_time mbedtls_x509_time |
Container for date and time (precision in seconds).
| typedef struct mbedtls_x509write_cert mbedtls_x509write_cert |
Container for writing a certificate (CRT)
| int mbedtls_dhm_parse_dhm | ( | mbedtls_dhm_context * | dhm, |
| const unsigned char * | dhmin, | ||
| size_t | dhminlen ) |
This function parses DHM parameters in PEM or DER format.
| dhm | The DHM context to import the DHM parameters into. This must be initialized. |
| dhmin | The input buffer. This must be a readable buffer of length dhminlen Bytes. |
| dhminlen | The size of the input buffer dhmin, including the terminating NULL Byte for PEM data. |
0 on success. MBEDTLS_ERR_DHM_XXX or MBEDTLS_ERR_PEM_XXX error code on failure. | int mbedtls_dhm_parse_dhmfile | ( | mbedtls_dhm_context * | dhm, |
| const char * | path ) |
This function loads and parses DHM parameters from a file.
| dhm | The DHM context to load the parameters to. This must be initialized. |
| path | The filename to read the DHM parameters from. This must not be NULL. |
0 on success. MBEDTLS_ERR_DHM_XXX or MBEDTLS_ERR_PEM_XXX error code on failure. | void mbedtls_x509_crl_free | ( | mbedtls_x509_crl * | crl | ) |
Unallocate all CRL data.
| crl | CRL chain to free |
| int mbedtls_x509_crl_info | ( | char * | buf, |
| size_t | size, | ||
| const char * | prefix, | ||
| const mbedtls_x509_crl * | crl ) |
Returns an informational string about the CRL.
| buf | Buffer to write to |
| size | Maximum size of buffer |
| prefix | A line prefix |
| crl | The X509 CRL to represent |
| void mbedtls_x509_crl_init | ( | mbedtls_x509_crl * | crl | ) |
Initialize a CRL (chain)
| crl | CRL chain to initialize |
| int mbedtls_x509_crl_parse | ( | mbedtls_x509_crl * | chain, |
| const unsigned char * | buf, | ||
| size_t | buflen ) |
Parse one or more CRLs and append them to the chained list.
| chain | points to the start of the chain |
| buf | buffer holding the CRL data in PEM or DER format |
| buflen | size of the buffer (including the terminating null byte for PEM data) |
| int mbedtls_x509_crl_parse_der | ( | mbedtls_x509_crl * | chain, |
| const unsigned char * | buf, | ||
| size_t | buflen ) |
Parse a DER-encoded CRL and append it to the chained list.
| chain | points to the start of the chain |
| buf | buffer holding the CRL data in DER format |
| buflen | size of the buffer (including the terminating null byte for PEM data) |
| int mbedtls_x509_crl_parse_file | ( | mbedtls_x509_crl * | chain, |
| const char * | path ) |
Load one or more CRLs and append them to the chained list.
| chain | points to the start of the chain |
| path | filename to read the CRLs from (in PEM or DER encoding) |
| int mbedtls_x509_crt_check_extended_key_usage | ( | const mbedtls_x509_crt * | crt, |
| const char * | usage_oid, | ||
| size_t | usage_len ) |
Check usage of certificate against extendedKeyUsage.
| crt | Leaf certificate used. |
| usage_oid | Intended usage (eg MBEDTLS_OID_SERVER_AUTH or MBEDTLS_OID_CLIENT_AUTH). |
| usage_len | Length of usage_oid (eg given by MBEDTLS_OID_SIZE()). |
| int mbedtls_x509_crt_check_key_usage | ( | const mbedtls_x509_crt * | crt, |
| unsigned int | usage ) |
Check usage of certificate against keyUsage extension.
| crt | Leaf certificate used. |
| usage | Intended usage(s) (eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT before using the certificate to perform an RSA key exchange). |
mbedtls_x509_crt_verify(). | void mbedtls_x509_crt_free | ( | mbedtls_x509_crt * | crt | ) |
Unallocate all certificate data.
| crt | Certificate chain to free |
| int mbedtls_x509_crt_info | ( | char * | buf, |
| size_t | size, | ||
| const char * | prefix, | ||
| const mbedtls_x509_crt * | crt ) |
Returns an informational string about the certificate.
| buf | Buffer to write to |
| size | Maximum size of buffer |
| prefix | A line prefix |
| crt | The X509 certificate to represent |
| void mbedtls_x509_crt_init | ( | mbedtls_x509_crt * | crt | ) |
Initialize a certificate (chain)
| crt | Certificate chain to initialize |
| int mbedtls_x509_crt_is_revoked | ( | const mbedtls_x509_crt * | crt, |
| const mbedtls_x509_crl * | crl ) |
Verify the certificate revocation status.
| crt | a certificate to be verified |
| crl | the CRL to verify against |
| int mbedtls_x509_crt_parse | ( | mbedtls_x509_crt * | chain, |
| const unsigned char * | buf, | ||
| size_t | buflen ) |
Parse one DER-encoded or one or more concatenated PEM-encoded certificates and add them to the chained list.
For CRTs in PEM encoding, the function parses permissively: if at least one certificate can be parsed, the function returns the number of certificates for which parsing failed (hence 0 if all certificates were parsed successfully). If no certificate could be parsed, the function returns the first (negative) error encountered during parsing.
PEM encoded certificates may be interleaved by other data such as human readable descriptions of their content, as long as the certificates are enclosed in the PEM specific '--—{BEGIN/END} CERTIFICATE--—' delimiters.
| chain | The chain to which to add the parsed certificates. |
| buf | The buffer holding the certificate data in PEM or DER format. For certificates in PEM encoding, this may be a concatenation of multiple certificates; for DER encoding, the buffer must comprise exactly one certificate. |
| buflen | The size of buf, including the terminating NULL byte in case of PEM encoded data. |
0 if all certificates were parsed successfully. | int mbedtls_x509_crt_parse_der | ( | mbedtls_x509_crt * | chain, |
| const unsigned char * | buf, | ||
| size_t | buflen ) |
Parse a single DER formatted certificate and add it to the chained list.
| chain | points to the start of the chain |
| buf | buffer holding the certificate DER data |
| buflen | size of the buffer |
| int mbedtls_x509_crt_parse_file | ( | mbedtls_x509_crt * | chain, |
| const char * | path ) |
Load one or more certificates and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.
| chain | points to the start of the chain |
| path | filename to read the certificates from |
| int mbedtls_x509_crt_parse_path | ( | mbedtls_x509_crt * | chain, |
| const char * | path ) |
Load one or more certificate files from a path and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.
| chain | points to the start of the chain |
| path | directory / folder to read the certificate files from |
| int mbedtls_x509_crt_verify | ( | mbedtls_x509_crt * | crt, |
| mbedtls_x509_crt * | trust_ca, | ||
| mbedtls_x509_crl * | ca_crl, | ||
| const char * | cn, | ||
| uint32_t * | flags, | ||
| int(* | f_vrfy )(void *, mbedtls_x509_crt *, int, uint32_t *), | ||
| void * | p_vrfy ) |
Verify the certificate signature.
The verify callback is a user-supplied callback that
can clear / modify / add flags for a certificate. If set,
the verification callback is called for each
certificate in the chain (from the trust-ca down to the
presented crt). The parameters for the callback are:
(void *parameter, mbedtls_x509_crt *crt, int certificate_depth,
int *flags). With the flags representing current flags for
that specific certificate and the certificate depth from
the bottom (Peer cert depth = 0).
All flags left after returning from the callback
are also returned to the application. The function should
return 0 for anything (including invalid certificates)
other than fatal error, as a non-zero return code
immediately aborts the verification process. For fatal
errors, a specific error code should be used (different
from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not
be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR
can be used if no better code is available.
mbedtls_x509_crt_verify_info() mbedtls_x509_crt_verify_with_profile() with the default security profile.trust_ca list can contain two types of certificates: (1) those of trusted root CAs, so that certificates chaining up to those CAs will be trusted, and (2) self-signed end-entity certificates to be trusted (for specific peers you know) - in that case, the self-signed certificate doesn't need to have the CA bit set.| crt | a certificate (chain) to be verified |
| trust_ca | the list of trusted CAs (see note above) |
| ca_crl | the list of CRLs for trusted CAs (see note above) |
| cn | expected Common Name (can be set to NULL if the CN must not be verified) |
| flags | result of the verification |
| f_vrfy | verification function |
| p_vrfy | verification parameter |
| int mbedtls_x509_crt_verify_info | ( | char * | buf, |
| size_t | size, | ||
| const char * | prefix, | ||
| uint32_t | flags ) |
Returns an informational string about the verification status of a certificate.
| buf | Buffer to write to |
| size | Maximum size of buffer |
| prefix | A line prefix |
| flags | Verification flags created by mbedtls_x509_crt_verify() |
| int mbedtls_x509_crt_verify_restartable | ( | mbedtls_x509_crt * | crt, |
| mbedtls_x509_crt * | trust_ca, | ||
| mbedtls_x509_crl * | ca_crl, | ||
| const mbedtls_x509_crt_profile * | profile, | ||
| const char * | cn, | ||
| uint32_t * | flags, | ||
| int(* | f_vrfy )(void *, mbedtls_x509_crt *, int, uint32_t *), | ||
| void * | p_vrfy, | ||
| mbedtls_x509_crt_restart_ctx * | rs_ctx ) |
Restartable version of mbedtls_crt_verify_with_profile()
mbedtls_crt_verify_with_profile() but can return early and restart according to the limit set with mbedtls_ecp_set_max_ops() to reduce blocking.| crt | a certificate (chain) to be verified |
| trust_ca | the list of trusted CAs |
| ca_crl | the list of CRLs for trusted CAs |
| profile | security profile for verification |
| cn | expected Common Name (can be set to NULL if the CN must not be verified) |
| flags | result of the verification |
| f_vrfy | verification function |
| p_vrfy | verification parameter |
| rs_ctx | restart context (NULL to disable restart) |
mbedtls_crt_verify_with_profile(), or mbedtls_ecp_set_max_ops(). | int mbedtls_x509_crt_verify_with_profile | ( | mbedtls_x509_crt * | crt, |
| mbedtls_x509_crt * | trust_ca, | ||
| mbedtls_x509_crl * | ca_crl, | ||
| const mbedtls_x509_crt_profile * | profile, | ||
| const char * | cn, | ||
| uint32_t * | flags, | ||
| int(* | f_vrfy )(void *, mbedtls_x509_crt *, int, uint32_t *), | ||
| void * | p_vrfy ) |
Verify the certificate signature according to profile.
mbedtls_x509_crt_verify(), but with explicit security profile.| crt | a certificate (chain) to be verified |
| trust_ca | the list of trusted CAs |
| ca_crl | the list of CRLs for trusted CAs |
| profile | security profile for verification |
| cn | expected Common Name (can be set to NULL if the CN must not be verified) |
| flags | result of the verification |
| f_vrfy | verification function |
| p_vrfy | verification parameter |
| int mbedtls_x509_dn_gets | ( | char * | buf, |
| size_t | size, | ||
| const mbedtls_x509_name * | dn ) |
Store the certificate DN in printable form into buf; no more than size characters will be written.
| buf | Buffer to write to |
| size | Maximum size of buffer |
| dn | The X509 name to represent |
| int mbedtls_x509_self_test | ( | int | verbose | ) |
Checkup routine.
| int mbedtls_x509_serial_gets | ( | char * | buf, |
| size_t | size, | ||
| const mbedtls_x509_buf * | serial ) |
Store the certificate serial in printable form into buf; no more than size characters will be written.
| buf | Buffer to write to |
| size | Maximum size of buffer |
| serial | The X509 serial to represent |
| int mbedtls_x509_time_is_future | ( | const mbedtls_x509_time * | from | ) |
Check a given mbedtls_x509_time against the system time and tell if it's in the future.
| from | mbedtls_x509_time to check |
| int mbedtls_x509_time_is_past | ( | const mbedtls_x509_time * | to | ) |
Check a given mbedtls_x509_time against the system time and tell if it's in the past.
| to | mbedtls_x509_time to check |
| int mbedtls_x509write_crt_der | ( | mbedtls_x509write_cert * | ctx, |
| unsigned char * | buf, | ||
| size_t | size, | ||
| int(* | f_rng )(void *, unsigned char *, size_t), | ||
| void * | p_rng ) |
Write a built up certificate to a X509 DER structure Note: data is written at the end of the buffer! Use the return value to determine where you should start using the buffer.
| ctx | certificate to write away |
| buf | buffer to write to |
| size | size of the buffer |
| f_rng | RNG function (for signature, see note) |
| p_rng | RNG parameter |
| void mbedtls_x509write_crt_free | ( | mbedtls_x509write_cert * | ctx | ) |
Free the contents of a CRT write context.
| ctx | CRT context to free |
| void mbedtls_x509write_crt_init | ( | mbedtls_x509write_cert * | ctx | ) |
Initialize a CRT writing context.
| ctx | CRT context to initialize |
| int mbedtls_x509write_crt_pem | ( | mbedtls_x509write_cert * | ctx, |
| unsigned char * | buf, | ||
| size_t | size, | ||
| int(* | f_rng )(void *, unsigned char *, size_t), | ||
| void * | p_rng ) |
Write a built up certificate to a X509 PEM string.
| ctx | certificate to write away |
| buf | buffer to write to |
| size | size of the buffer |
| f_rng | RNG function (for signature, see note) |
| p_rng | RNG parameter |
| int mbedtls_x509write_crt_set_authority_key_identifier | ( | mbedtls_x509write_cert * | ctx | ) |
Set the authorityKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_issuer_key() has been called before.
| ctx | CRT context to use |
| int mbedtls_x509write_crt_set_basic_constraints | ( | mbedtls_x509write_cert * | ctx, |
| int | is_ca, | ||
| int | max_pathlen ) |
Set the basicConstraints extension for a CRT.
| ctx | CRT context to use |
| is_ca | is this a CA certificate |
| max_pathlen | maximum length of certificate chains below this certificate (only for CA certificates, -1 is inlimited) |
| int mbedtls_x509write_crt_set_extension | ( | mbedtls_x509write_cert * | ctx, |
| const char * | oid, | ||
| size_t | oid_len, | ||
| int | critical, | ||
| const unsigned char * | val, | ||
| size_t | val_len ) |
Generic function to add to or replace an extension in the CRT.
| ctx | CRT context to use |
| oid | OID of the extension |
| oid_len | length of the OID |
| critical | if the extension is critical (per the RFC's definition) |
| val | value of the extension OCTET STRING |
| val_len | length of the value data |
| void mbedtls_x509write_crt_set_issuer_key | ( | mbedtls_x509write_cert * | ctx, |
| mbedtls_pk_context * | key ) |
Set the issuer key used for signing the certificate.
| ctx | CRT context to use |
| key | private key to sign with |
| int mbedtls_x509write_crt_set_issuer_name | ( | mbedtls_x509write_cert * | ctx, |
| const char * | issuer_name ) |
Set the issuer name for a Certificate Issuer names should contain a comma-separated list of OID types and values: e.g. "C=UK,O=ARM,CN=mbed TLS CA".
| ctx | CRT context to use |
| issuer_name | issuer name to set |
| int mbedtls_x509write_crt_set_key_usage | ( | mbedtls_x509write_cert * | ctx, |
| unsigned int | key_usage ) |
Set the Key Usage Extension flags (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN)
| ctx | CRT context to use |
| key_usage | key usage flags to set |
| void mbedtls_x509write_crt_set_md_alg | ( | mbedtls_x509write_cert * | ctx, |
| mbedtls_md_type_t | md_alg ) |
Set the MD algorithm to use for the signature (e.g. MBEDTLS_MD_SHA1)
| ctx | CRT context to use |
| md_alg | MD algorithm to use |
| int mbedtls_x509write_crt_set_ns_cert_type | ( | mbedtls_x509write_cert * | ctx, |
| unsigned char | ns_cert_type ) |
Set the Netscape Cert Type flags (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)
| ctx | CRT context to use |
| ns_cert_type | Netscape Cert Type flags to set |
| int mbedtls_x509write_crt_set_serial | ( | mbedtls_x509write_cert * | ctx, |
| const mbedtls_mpi * | serial ) |
Set the serial number for a Certificate.
| ctx | CRT context to use |
| serial | serial number to set |
| void mbedtls_x509write_crt_set_subject_key | ( | mbedtls_x509write_cert * | ctx, |
| mbedtls_pk_context * | key ) |
Set the subject public key for the certificate.
| ctx | CRT context to use |
| key | public key to include |
| int mbedtls_x509write_crt_set_subject_key_identifier | ( | mbedtls_x509write_cert * | ctx | ) |
Set the subjectKeyIdentifier extension for a CRT Requires that mbedtls_x509write_crt_set_subject_key() has been called before.
| ctx | CRT context to use |
| int mbedtls_x509write_crt_set_subject_name | ( | mbedtls_x509write_cert * | ctx, |
| const char * | subject_name ) |
Set the subject name for a Certificate Subject names should contain a comma-separated list of OID types and values: e.g. "C=UK,O=ARM,CN=mbed TLS Server 1".
| ctx | CRT context to use |
| subject_name | subject name to set |
| int mbedtls_x509write_crt_set_validity | ( | mbedtls_x509write_cert * | ctx, |
| const char * | not_before, | ||
| const char * | not_after ) |
Set the validity period for a Certificate Timestamps should be in string format for UTC timezone i.e. "YYYYMMDDhhmmss" e.g. "20131231235959" for December 31st 2013 at 23:59:59.
| ctx | CRT context to use |
| not_before | not_before timestamp |
| not_after | not_after timestamp |
| void mbedtls_x509write_crt_set_version | ( | mbedtls_x509write_cert * | ctx, |
| int | version ) |
Set the verion for a Certificate Default: MBEDTLS_X509_CRT_VERSION_3.
| ctx | CRT context to use |
| version | version to set (MBEDTLS_X509_CRT_VERSION_1, MBEDTLS_X509_CRT_VERSION_2 or MBEDTLS_X509_CRT_VERSION_3) |
| uint32_t mbedtls_x509_crt_profile::allowed_curves |
Elliptic curves for ECDSA
| uint32_t mbedtls_x509_crt_profile::allowed_mds |
MDs for signatures
| uint32_t mbedtls_x509_crt_profile::allowed_pks |
PK algs for signatures
| int mbedtls_x509_crt::ca_istrue |
Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise.
| int mbedtls_x509_time::day |
Date.
| mbedtls_x509_crl_entry mbedtls_x509_crl::entry |
The CRL entries containing the certificate revocation times for this CA.
| mbedtls_x509_sequence mbedtls_x509_crt::ext_key_usage |
Optional list of extended key usage OIDs.
| int mbedtls_x509_crt::ext_types |
Bit string containing detected and parsed extensions
| mbedtls_x509_name mbedtls_x509_crl::issuer |
The parsed issuer data (named information object).
| mbedtls_x509_name mbedtls_x509_crt::issuer |
The parsed issuer data (named information object).
| mbedtls_x509_buf mbedtls_x509_crt::issuer_id |
Optional X.509 v2/v3 issuer unique identifier.
| mbedtls_x509_buf mbedtls_x509_crl::issuer_raw |
The raw issuer data (DER).
| mbedtls_x509_buf mbedtls_x509_crt::issuer_raw |
The raw issuer data (DER). Used for quick comparison.
| unsigned int mbedtls_x509_crt::key_usage |
Optional key usage extension value: See the values in x509.h
| int mbedtls_x509_crt::max_pathlen |
Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+
|
extern |
Default security profile. Should provide a good balance between security and compatibility with current deployments.
|
extern |
Expected next default profile. Recommended for new deployments. Currently targets a 128-bit security level, except for RSA-2048.
|
extern |
NSA Suite B profile.
| struct mbedtls_x509_crt* mbedtls_x509_crt::next |
Next certificate in the CA-chain.
| unsigned char mbedtls_x509_crt::ns_cert_type |
Optional Netscape certificate type extension value: See the values in x509.h
| mbedtls_pk_context mbedtls_x509_crt::pk |
Container for the public key context.
| mbedtls_x509_buf mbedtls_x509_crl::raw |
The raw certificate data (DER).
| mbedtls_x509_buf mbedtls_x509_crt::raw |
The raw certificate data (DER).
| uint32_t mbedtls_x509_crt_profile::rsa_min_bitlen |
Minimum size for RSA keys
| int mbedtls_x509_time::sec |
Time.
| mbedtls_x509_buf mbedtls_x509_crt::serial |
Unique id for certificate issued by a specific CA.
| mbedtls_x509_buf mbedtls_x509_crt::sig |
Signature: hash of the tbs part signed with the private key.
| mbedtls_md_type_t mbedtls_x509_crl::sig_md |
Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256
| mbedtls_md_type_t mbedtls_x509_crt::sig_md |
Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256
| mbedtls_x509_buf mbedtls_x509_crl::sig_oid |
CRL signature type identifier
| mbedtls_x509_buf mbedtls_x509_crt::sig_oid |
Signature algorithm, e.g. sha1RSA
| void* mbedtls_x509_crl::sig_opts |
Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS
| void* mbedtls_x509_crt::sig_opts |
Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS
| mbedtls_pk_type_t mbedtls_x509_crl::sig_pk |
Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA
| mbedtls_pk_type_t mbedtls_x509_crt::sig_pk |
Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA
| mbedtls_x509_name mbedtls_x509_crt::subject |
The parsed subject data (named information object).
| mbedtls_x509_sequence mbedtls_x509_crt::subject_alt_names |
Optional list of Subject Alternative Names (Only dNSName supported).
| mbedtls_x509_buf mbedtls_x509_crt::subject_id |
Optional X.509 v2/v3 subject unique identifier.
| mbedtls_x509_buf mbedtls_x509_crt::subject_raw |
The raw subject data (DER). Used for quick comparison.
| mbedtls_x509_buf mbedtls_x509_crl::tbs |
The raw certificate body (DER). The part that is To Be Signed.
| mbedtls_x509_buf mbedtls_x509_crt::tbs |
The raw certificate body (DER). The part that is To Be Signed.
| mbedtls_x509_buf mbedtls_x509_crt::v3_ext |
Optional X.509 v3 extensions.
| mbedtls_x509_time mbedtls_x509_crt::valid_from |
Start time of certificate validity.
| mbedtls_x509_time mbedtls_x509_crt::valid_to |
End time of certificate validity.
| int mbedtls_x509_crl::version |
CRL version (1=v1, 2=v2)
| int mbedtls_x509_crt::version |
The X.509 version. (1=v1, 2=v2, 3=v3)