mbed TLS v2.3.0
|
The X.509 module provides X.509 support for reading, writing and verification of certificates. More...
Data Structures | |
struct | mbedtls_x509_time |
Container for date and time (precision in seconds). More... | |
struct | mbedtls_x509_crl_entry |
Certificate revocation list entry. More... | |
struct | mbedtls_x509_crl |
Certificate revocation list structure. More... | |
struct | mbedtls_x509_crt |
Container for an X.509 certificate. More... | |
struct | mbedtls_x509_crt_profile |
Security profile for certificate verification. More... | |
struct | mbedtls_x509write_cert |
Container for writing a certificate (CRT) More... | |
struct | mbedtls_x509_csr |
Certificate Signing Request (CSR) structure. More... | |
struct | mbedtls_x509write_csr |
Container for writing a CSR. More... | |
Macros | |
#define | MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 |
Maximum number of intermediate CAs in a verification chain. More... | |
Functions | |
int | mbedtls_dhm_parse_dhm (mbedtls_dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen) |
Parse DHM parameters in PEM or DER format. More... | |
int | mbedtls_dhm_parse_dhmfile (mbedtls_dhm_context *dhm, const char *path) |
Load and parse DHM parameters. More... | |
X509 Error codes | |
#define | MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE -0x2080 |
Unavailable feature, e.g. More... | |
#define | MBEDTLS_ERR_X509_UNKNOWN_OID -0x2100 |
Requested OID is unknown. More... | |
#define | MBEDTLS_ERR_X509_INVALID_FORMAT -0x2180 |
The CRT/CRL/CSR format is invalid, e.g. More... | |
#define | MBEDTLS_ERR_X509_INVALID_VERSION -0x2200 |
The CRT/CRL/CSR version element is invalid. More... | |
#define | MBEDTLS_ERR_X509_INVALID_SERIAL -0x2280 |
The serial tag or value is invalid. More... | |
#define | MBEDTLS_ERR_X509_INVALID_ALG -0x2300 |
The algorithm tag or value is invalid. More... | |
#define | MBEDTLS_ERR_X509_INVALID_NAME -0x2380 |
The name tag or value is invalid. More... | |
#define | MBEDTLS_ERR_X509_INVALID_DATE -0x2400 |
The date tag or value is invalid. More... | |
#define | MBEDTLS_ERR_X509_INVALID_SIGNATURE -0x2480 |
The signature tag or value invalid. More... | |
#define | MBEDTLS_ERR_X509_INVALID_EXTENSIONS -0x2500 |
The extension tag or value is invalid. More... | |
#define | MBEDTLS_ERR_X509_UNKNOWN_VERSION -0x2580 |
CRT/CRL/CSR has an unsupported version number. More... | |
#define | MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG -0x2600 |
Signature algorithm (oid) is unsupported. More... | |
#define | MBEDTLS_ERR_X509_SIG_MISMATCH -0x2680 |
Signature algorithms do not match. More... | |
#define | MBEDTLS_ERR_X509_CERT_VERIFY_FAILED -0x2700 |
Certificate verification failed, e.g. More... | |
#define | MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT -0x2780 |
Format not recognized as DER or PEM. More... | |
#define | MBEDTLS_ERR_X509_BAD_INPUT_DATA -0x2800 |
Input invalid. More... | |
#define | MBEDTLS_ERR_X509_ALLOC_FAILED -0x2880 |
Allocation of memory failed. More... | |
#define | MBEDTLS_ERR_X509_FILE_IO_ERROR -0x2900 |
Read/write of file failed. More... | |
#define | MBEDTLS_ERR_X509_BUFFER_TOO_SMALL -0x2980 |
Destination buffer is too small. More... | |
X509 Verify codes | |
#define | MBEDTLS_X509_BADCERT_EXPIRED 0x01 |
The certificate validity has expired. More... | |
#define | MBEDTLS_X509_BADCERT_REVOKED 0x02 |
The certificate has been revoked (is on a CRL). More... | |
#define | MBEDTLS_X509_BADCERT_CN_MISMATCH 0x04 |
The certificate Common Name (CN) does not match with the expected CN. More... | |
#define | MBEDTLS_X509_BADCERT_NOT_TRUSTED 0x08 |
The certificate is not correctly signed by the trusted CA. More... | |
#define | MBEDTLS_X509_BADCRL_NOT_TRUSTED 0x10 |
The CRL is not correctly signed by the trusted CA. More... | |
#define | MBEDTLS_X509_BADCRL_EXPIRED 0x20 |
The CRL is expired. More... | |
#define | MBEDTLS_X509_BADCERT_MISSING 0x40 |
Certificate was missing. More... | |
#define | MBEDTLS_X509_BADCERT_SKIP_VERIFY 0x80 |
Certificate verification was skipped. More... | |
#define | MBEDTLS_X509_BADCERT_OTHER 0x0100 |
Other reason (can be used by verify callback) More... | |
#define | MBEDTLS_X509_BADCERT_FUTURE 0x0200 |
The certificate validity starts in the future. More... | |
#define | MBEDTLS_X509_BADCRL_FUTURE 0x0400 |
The CRL is from the future. More... | |
#define | MBEDTLS_X509_BADCERT_KEY_USAGE 0x0800 |
Usage does not match the keyUsage extension. More... | |
#define | MBEDTLS_X509_BADCERT_EXT_KEY_USAGE 0x1000 |
Usage does not match the extendedKeyUsage extension. More... | |
#define | MBEDTLS_X509_BADCERT_NS_CERT_TYPE 0x2000 |
Usage does not match the nsCertType extension. More... | |
#define | MBEDTLS_X509_BADCERT_BAD_MD 0x4000 |
The certificate is signed with an unacceptable hash. More... | |
#define | MBEDTLS_X509_BADCERT_BAD_PK 0x8000 |
The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA). More... | |
#define | MBEDTLS_X509_BADCERT_BAD_KEY 0x010000 |
The certificate is signed with an unacceptable key (eg bad curve, RSA too short). More... | |
#define | MBEDTLS_X509_BADCRL_BAD_MD 0x020000 |
The CRL is signed with an unacceptable hash. More... | |
#define | MBEDTLS_X509_BADCRL_BAD_PK 0x040000 |
The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA). More... | |
#define | MBEDTLS_X509_BADCRL_BAD_KEY 0x080000 |
The CRL is signed with an unacceptable key (eg bad curve, RSA too short). More... | |
Structures for parsing X.509 certificates, CRLs and CSRs | |
typedef mbedtls_asn1_buf | mbedtls_x509_buf |
Type-length-value structure that allows for ASN1 using DER. More... | |
typedef mbedtls_asn1_bitstring | mbedtls_x509_bitstring |
Container for ASN1 bit strings. More... | |
typedef mbedtls_asn1_named_data | mbedtls_x509_name |
Container for ASN1 named information objects. More... | |
typedef mbedtls_asn1_sequence | mbedtls_x509_sequence |
Container for a sequence of ASN.1 items. More... | |
typedef struct mbedtls_x509_time | mbedtls_x509_time |
Container for date and time (precision in seconds). More... | |
Structures and functions for parsing CRLs | |
typedef struct mbedtls_x509_crl_entry | mbedtls_x509_crl_entry |
Certificate revocation list entry. More... | |
typedef struct mbedtls_x509_crl | mbedtls_x509_crl |
Certificate revocation list structure. More... | |
int | mbedtls_x509_crl_parse_der (mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen) |
Parse a DER-encoded CRL and append it to the chained list. More... | |
int | mbedtls_x509_crl_parse (mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen) |
Parse one or more CRLs and append them to the chained list. More... | |
int | mbedtls_x509_crl_parse_file (mbedtls_x509_crl *chain, const char *path) |
Load one or more CRLs and append them to the chained list. More... | |
int | mbedtls_x509_crl_info (char *buf, size_t size, const char *prefix, const mbedtls_x509_crl *crl) |
Returns an informational string about the CRL. More... | |
void | mbedtls_x509_crl_init (mbedtls_x509_crl *crl) |
Initialize a CRL (chain) More... | |
void | mbedtls_x509_crl_free (mbedtls_x509_crl *crl) |
Unallocate all CRL data. More... | |
Structures and functions for parsing and writing X.509 certificates | |
typedef struct mbedtls_x509_crt | mbedtls_x509_crt |
Container for an X.509 certificate. More... | |
typedef struct mbedtls_x509write_cert | mbedtls_x509write_cert |
Container for writing a certificate (CRT) More... | |
const mbedtls_x509_crt_profile | mbedtls_x509_crt_profile_default |
Default security profile. More... | |
const mbedtls_x509_crt_profile | mbedtls_x509_crt_profile_next |
Expected next default profile. More... | |
const mbedtls_x509_crt_profile | mbedtls_x509_crt_profile_suiteb |
NSA Suite B profile. More... | |
int | mbedtls_x509_crt_parse_der (mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen) |
Parse a single DER formatted certificate and add it to the chained list. More... | |
int | mbedtls_x509_crt_parse (mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen) |
Parse one or more certificates and add them to the chained list. More... | |
int | mbedtls_x509_crt_parse_file (mbedtls_x509_crt *chain, const char *path) |
Load one or more certificates and add them to the chained list. More... | |
int | mbedtls_x509_crt_parse_path (mbedtls_x509_crt *chain, const char *path) |
Load one or more certificate files from a path and add them to the chained list. More... | |
int | mbedtls_x509_crt_info (char *buf, size_t size, const char *prefix, const mbedtls_x509_crt *crt) |
Returns an informational string about the certificate. More... | |
int | mbedtls_x509_crt_verify_info (char *buf, size_t size, const char *prefix, uint32_t flags) |
Returns an informational string about the verification status of a certificate. More... | |
int | mbedtls_x509_crt_verify (mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy) |
Verify the certificate signature. More... | |
int | mbedtls_x509_crt_verify_with_profile (mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy) |
Verify the certificate signature according to profile. More... | |
int | mbedtls_x509_crt_check_key_usage (const mbedtls_x509_crt *crt, unsigned int usage) |
Check usage of certificate against keyUsage extension. More... | |
int | mbedtls_x509_crt_check_extended_key_usage (const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len) |
Check usage of certificate against extentedJeyUsage. More... | |
int | mbedtls_x509_crt_is_revoked (const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl) |
Verify the certificate revocation status. More... | |
void | mbedtls_x509_crt_init (mbedtls_x509_crt *crt) |
Initialize a certificate (chain) More... | |
void | mbedtls_x509_crt_free (mbedtls_x509_crt *crt) |
Unallocate all certificate data. More... | |
#define | MBEDTLS_X509_ID_FLAG(id) ( 1 << ( id - 1 ) ) |
Build flag from an algorithm/curve identifier (pk, md, ecp) Since 0 is always XXX_NONE, ignore it. More... | |
#define | MBEDTLS_X509_CRT_VERSION_1 0 |
#define | MBEDTLS_X509_CRT_VERSION_2 1 |
#define | MBEDTLS_X509_CRT_VERSION_3 2 |
#define | MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32 |
#define | MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15 |
Structures and functions for X.509 Certificate Signing Requests (CSR) | |
typedef struct mbedtls_x509_csr | mbedtls_x509_csr |
Certificate Signing Request (CSR) structure. More... | |
typedef struct mbedtls_x509write_csr | mbedtls_x509write_csr |
Container for writing a CSR. More... | |
int | mbedtls_x509_csr_parse_der (mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen) |
Load a Certificate Signing Request (CSR) in DER format. More... | |
int | mbedtls_x509_csr_parse (mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen) |
Load a Certificate Signing Request (CSR), DER or PEM format. More... | |
int | mbedtls_x509_csr_parse_file (mbedtls_x509_csr *csr, const char *path) |
Load a Certificate Signing Request (CSR) More... | |
int | mbedtls_x509_csr_info (char *buf, size_t size, const char *prefix, const mbedtls_x509_csr *csr) |
Returns an informational string about the CSR. More... | |
void | mbedtls_x509_csr_init (mbedtls_x509_csr *csr) |
Initialize a CSR. More... | |
void | mbedtls_x509_csr_free (mbedtls_x509_csr *csr) |
Unallocate all CSR data. More... | |
The X.509 module provides X.509 support for reading, writing and verification of certificates.
In summary:
mbedtls_x509_crt_parse()
, mbedtls_x509_crt_parse_der()
, mbedtls_x509_crt_parse_file()
).mbedtls_x509_crl_parse()
, mbedtls_x509_crl_parse_der()
, and mbedtls_x509_crl_parse_file()
).mbedtls_x509_crt_verify()
and mbedtls_x509_crt_verify_with_profile()
.mbedtls_x509write_crt_der()
and mbedtls_x509write_csr_der()
).This module can be used to build a certificate authority (CA) chain and verify its signature. It is also used to generate Certificate Signing Requests and X.509 certificates just as a CA would do.
#define MBEDTLS_ERR_X509_ALLOC_FAILED -0x2880 |
#define MBEDTLS_ERR_X509_BAD_INPUT_DATA -0x2800 |
#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL -0x2980 |
#define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT -0x2780 |
#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED -0x2700 |
#define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE -0x2080 |
#define MBEDTLS_ERR_X509_FILE_IO_ERROR -0x2900 |
#define MBEDTLS_ERR_X509_INVALID_ALG -0x2300 |
#define MBEDTLS_ERR_X509_INVALID_DATE -0x2400 |
#define MBEDTLS_ERR_X509_INVALID_EXTENSIONS -0x2500 |
#define MBEDTLS_ERR_X509_INVALID_FORMAT -0x2180 |
#define MBEDTLS_ERR_X509_INVALID_NAME -0x2380 |
#define MBEDTLS_ERR_X509_INVALID_SERIAL -0x2280 |
#define MBEDTLS_ERR_X509_INVALID_SIGNATURE -0x2480 |
#define MBEDTLS_ERR_X509_INVALID_VERSION -0x2200 |
#define MBEDTLS_ERR_X509_SIG_MISMATCH -0x2680 |
Signature algorithms do not match.
(see mbedtls_x509_crt
sig_oid)
#define MBEDTLS_ERR_X509_UNKNOWN_OID -0x2100 |
#define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG -0x2600 |
#define MBEDTLS_ERR_X509_UNKNOWN_VERSION -0x2580 |
#define MBEDTLS_X509_BADCERT_BAD_KEY 0x010000 |
#define MBEDTLS_X509_BADCERT_BAD_MD 0x4000 |
#define MBEDTLS_X509_BADCERT_BAD_PK 0x8000 |
#define MBEDTLS_X509_BADCERT_CN_MISMATCH 0x04 |
#define MBEDTLS_X509_BADCERT_EXPIRED 0x01 |
#define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE 0x1000 |
#define MBEDTLS_X509_BADCERT_FUTURE 0x0200 |
#define MBEDTLS_X509_BADCERT_KEY_USAGE 0x0800 |
#define MBEDTLS_X509_BADCERT_MISSING 0x40 |
#define MBEDTLS_X509_BADCERT_NOT_TRUSTED 0x08 |
#define MBEDTLS_X509_BADCERT_NS_CERT_TYPE 0x2000 |
#define MBEDTLS_X509_BADCERT_OTHER 0x0100 |
#define MBEDTLS_X509_BADCERT_REVOKED 0x02 |
#define MBEDTLS_X509_BADCERT_SKIP_VERIFY 0x80 |
#define MBEDTLS_X509_BADCRL_BAD_KEY 0x080000 |
#define MBEDTLS_X509_BADCRL_BAD_MD 0x020000 |
#define MBEDTLS_X509_BADCRL_BAD_PK 0x040000 |
#define MBEDTLS_X509_BADCRL_FUTURE 0x0400 |
#define MBEDTLS_X509_BADCRL_NOT_TRUSTED 0x10 |
#define MBEDTLS_X509_CRT_VERSION_1 0 |
Definition at line 116 of file x509_crt.h.
#define MBEDTLS_X509_CRT_VERSION_2 1 |
Definition at line 117 of file x509_crt.h.
#define MBEDTLS_X509_CRT_VERSION_3 2 |
Definition at line 118 of file x509_crt.h.
#define MBEDTLS_X509_ID_FLAG | ( | id | ) | ( 1 << ( id - 1 ) ) |
Build flag from an algorithm/curve identifier (pk, md, ecp) Since 0 is always XXX_NONE, ignore it.
Definition at line 100 of file x509_crt.h.
#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 |
Maximum number of intermediate CAs in a verification chain.
That is, maximum length of the chain, excluding the end-entity certificate and the trusted root certificate.
Set this to a low value to prevent an adversary from making you waste resources verifying an overlong certificate chain.
#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32 |
Definition at line 120 of file x509_crt.h.
#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15 |
Definition at line 121 of file x509_crt.h.
typedef mbedtls_asn1_buf mbedtls_x509_buf |
typedef struct mbedtls_x509_crl mbedtls_x509_crl |
Certificate revocation list structure.
Every CRL may have multiple entries.
typedef struct mbedtls_x509_crl_entry mbedtls_x509_crl_entry |
Certificate revocation list entry.
Contains the CA-specific serial numbers and revocation dates.
typedef struct mbedtls_x509_crt mbedtls_x509_crt |
Container for an X.509 certificate.
The certificate may be chained.
typedef struct mbedtls_x509_csr mbedtls_x509_csr |
Certificate Signing Request (CSR) structure.
typedef struct mbedtls_x509_time mbedtls_x509_time |
Container for date and time (precision in seconds).
typedef struct mbedtls_x509write_cert mbedtls_x509write_cert |
Container for writing a certificate (CRT)
typedef struct mbedtls_x509write_csr mbedtls_x509write_csr |
Container for writing a CSR.
int mbedtls_dhm_parse_dhm | ( | mbedtls_dhm_context * | dhm, |
const unsigned char * | dhmin, | ||
size_t | dhminlen | ||
) |
Parse DHM parameters in PEM or DER format.
dhm | DHM context to be initialized |
dhmin | input buffer |
dhminlen | size of the buffer (including the terminating null byte for PEM data) |
int mbedtls_dhm_parse_dhmfile | ( | mbedtls_dhm_context * | dhm, |
const char * | path | ||
) |
Load and parse DHM parameters.
dhm | DHM context to be initialized |
path | filename to read the DHM Parameters from |
void mbedtls_x509_crl_free | ( | mbedtls_x509_crl * | crl | ) |
Unallocate all CRL data.
crl | CRL chain to free |
int mbedtls_x509_crl_info | ( | char * | buf, |
size_t | size, | ||
const char * | prefix, | ||
const mbedtls_x509_crl * | crl | ||
) |
Returns an informational string about the CRL.
buf | Buffer to write to |
size | Maximum size of buffer |
prefix | A line prefix |
crl | The X509 CRL to represent |
void mbedtls_x509_crl_init | ( | mbedtls_x509_crl * | crl | ) |
Initialize a CRL (chain)
crl | CRL chain to initialize |
int mbedtls_x509_crl_parse | ( | mbedtls_x509_crl * | chain, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Parse one or more CRLs and append them to the chained list.
chain | points to the start of the chain |
buf | buffer holding the CRL data in PEM or DER format |
buflen | size of the buffer (including the terminating null byte for PEM data) |
int mbedtls_x509_crl_parse_der | ( | mbedtls_x509_crl * | chain, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Parse a DER-encoded CRL and append it to the chained list.
chain | points to the start of the chain |
buf | buffer holding the CRL data in DER format |
buflen | size of the buffer (including the terminating null byte for PEM data) |
int mbedtls_x509_crl_parse_file | ( | mbedtls_x509_crl * | chain, |
const char * | path | ||
) |
Load one or more CRLs and append them to the chained list.
chain | points to the start of the chain |
path | filename to read the CRLs from (in PEM or DER encoding) |
int mbedtls_x509_crt_check_extended_key_usage | ( | const mbedtls_x509_crt * | crt, |
const char * | usage_oid, | ||
size_t | usage_len | ||
) |
Check usage of certificate against extentedJeyUsage.
crt | Leaf certificate used. |
usage_oid | Intended usage (eg MBEDTLS_OID_SERVER_AUTH or MBEDTLS_OID_CLIENT_AUTH). |
usage_len | Length of usage_oid (eg given by MBEDTLS_OID_SIZE()). |
int mbedtls_x509_crt_check_key_usage | ( | const mbedtls_x509_crt * | crt, |
unsigned int | usage | ||
) |
Check usage of certificate against keyUsage extension.
crt | Leaf certificate used. |
usage | Intended usage(s) (eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT before using the certificate to perform an RSA key exchange). |
mbedtls_x509_crt_verify()
. void mbedtls_x509_crt_free | ( | mbedtls_x509_crt * | crt | ) |
Unallocate all certificate data.
crt | Certificate chain to free |
int mbedtls_x509_crt_info | ( | char * | buf, |
size_t | size, | ||
const char * | prefix, | ||
const mbedtls_x509_crt * | crt | ||
) |
Returns an informational string about the certificate.
buf | Buffer to write to |
size | Maximum size of buffer |
prefix | A line prefix |
crt | The X509 certificate to represent |
void mbedtls_x509_crt_init | ( | mbedtls_x509_crt * | crt | ) |
Initialize a certificate (chain)
crt | Certificate chain to initialize |
int mbedtls_x509_crt_is_revoked | ( | const mbedtls_x509_crt * | crt, |
const mbedtls_x509_crl * | crl | ||
) |
Verify the certificate revocation status.
crt | a certificate to be verified |
crl | the CRL to verify against |
int mbedtls_x509_crt_parse | ( | mbedtls_x509_crt * | chain, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Parse one or more certificates and add them to the chained list.
Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.
chain | points to the start of the chain |
buf | buffer holding the certificate data in PEM or DER format |
buflen | size of the buffer (including the terminating null byte for PEM data) |
int mbedtls_x509_crt_parse_der | ( | mbedtls_x509_crt * | chain, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Parse a single DER formatted certificate and add it to the chained list.
chain | points to the start of the chain |
buf | buffer holding the certificate DER data |
buflen | size of the buffer |
int mbedtls_x509_crt_parse_file | ( | mbedtls_x509_crt * | chain, |
const char * | path | ||
) |
Load one or more certificates and add them to the chained list.
Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.
chain | points to the start of the chain |
path | filename to read the certificates from |
int mbedtls_x509_crt_parse_path | ( | mbedtls_x509_crt * | chain, |
const char * | path | ||
) |
Load one or more certificate files from a path and add them to the chained list.
Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.
chain | points to the start of the chain |
path | directory / folder to read the certificate files from |
int mbedtls_x509_crt_verify | ( | mbedtls_x509_crt * | crt, |
mbedtls_x509_crt * | trust_ca, | ||
mbedtls_x509_crl * | ca_crl, | ||
const char * | cn, | ||
uint32_t * | flags, | ||
int(*)(void *, mbedtls_x509_crt *, int, uint32_t *) | f_vrfy, | ||
void * | p_vrfy | ||
) |
Verify the certificate signature.
The verify callback is a user-supplied callback that can clear / modify / add flags for a certificate. If set, the verification callback is called for each certificate in the chain (from the trust-ca down to the presented crt). The parameters for the callback are: (void *parameter, mbedtls_x509_crt *crt, int certificate_depth, int *flags). With the flags representing current flags for that specific certificate and the certificate depth from the bottom (Peer cert depth = 0).
All flags left after returning from the callback are also returned to the application. The function should return 0 for anything but a fatal error.
mbedtls_x509_crt_verify_info()
mbedtls_x509_crt_verify_with_profile()
with the default security profile.crt | a certificate (chain) to be verified |
trust_ca | the list of trusted CAs |
ca_crl | the list of CRLs for trusted CAs (see note above) |
cn | expected Common Name (can be set to NULL if the CN must not be verified) |
flags | result of the verification |
f_vrfy | verification function |
p_vrfy | verification parameter |
int mbedtls_x509_crt_verify_info | ( | char * | buf, |
size_t | size, | ||
const char * | prefix, | ||
uint32_t | flags | ||
) |
Returns an informational string about the verification status of a certificate.
buf | Buffer to write to |
size | Maximum size of buffer |
prefix | A line prefix |
flags | Verification flags created by mbedtls_x509_crt_verify() |
int mbedtls_x509_crt_verify_with_profile | ( | mbedtls_x509_crt * | crt, |
mbedtls_x509_crt * | trust_ca, | ||
mbedtls_x509_crl * | ca_crl, | ||
const mbedtls_x509_crt_profile * | profile, | ||
const char * | cn, | ||
uint32_t * | flags, | ||
int(*)(void *, mbedtls_x509_crt *, int, uint32_t *) | f_vrfy, | ||
void * | p_vrfy | ||
) |
Verify the certificate signature according to profile.
mbedtls_x509_crt_verify()
, but with explicit security profile.crt | a certificate (chain) to be verified |
trust_ca | the list of trusted CAs |
ca_crl | the list of CRLs for trusted CAs |
profile | security profile for verification |
cn | expected Common Name (can be set to NULL if the CN must not be verified) |
flags | result of the verification |
f_vrfy | verification function |
p_vrfy | verification parameter |
void mbedtls_x509_csr_free | ( | mbedtls_x509_csr * | csr | ) |
Unallocate all CSR data.
csr | CSR to free |
int mbedtls_x509_csr_info | ( | char * | buf, |
size_t | size, | ||
const char * | prefix, | ||
const mbedtls_x509_csr * | csr | ||
) |
Returns an informational string about the CSR.
buf | Buffer to write to |
size | Maximum size of buffer |
prefix | A line prefix |
csr | The X509 CSR to represent |
void mbedtls_x509_csr_init | ( | mbedtls_x509_csr * | csr | ) |
Initialize a CSR.
csr | CSR to initialize |
int mbedtls_x509_csr_parse | ( | mbedtls_x509_csr * | csr, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Load a Certificate Signing Request (CSR), DER or PEM format.
mbedtls_x509_csr_parse_der()
csr | CSR context to fill |
buf | buffer holding the CRL data |
buflen | size of the buffer (including the terminating null byte for PEM data) |
int mbedtls_x509_csr_parse_der | ( | mbedtls_x509_csr * | csr, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Load a Certificate Signing Request (CSR) in DER format.
csr | CSR context to fill |
buf | buffer holding the CRL data |
buflen | size of the buffer |
int mbedtls_x509_csr_parse_file | ( | mbedtls_x509_csr * | csr, |
const char * | path | ||
) |
Load a Certificate Signing Request (CSR)
mbedtls_x509_csr_parse()
csr | CSR context to fill |
path | filename to read the CSR from |
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default |
Default security profile.
Should provide a good balance between security and compatibility with current deployments.
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next |
Expected next default profile.
Recommended for new deployments. Currently targets a 128-bit security level, except for RSA-2048.
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb |
NSA Suite B profile.