File x509_crl.h

X.509 certificate revocation list parsing.

Structures and functions for parsing CRLs

typedef struct mbedtls_x509_crl_entry mbedtls_x509_crl_entry

Certificate revocation list entry. Contains the CA-specific serial numbers and revocation dates.

Some fields of this structure are publicly readable. Do not modify them except via Mbed TLS library functions: the effect of modifying those fields or the data that those fields points to is unspecified.

typedef struct mbedtls_x509_crl mbedtls_x509_crl: Certificate revocation list structure. Every CRL may have multiple entries.

int mbedtls_x509_crl_parse_der(mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen)

Parse a DER-encoded CRL and append it to the chained list.

Note

The PSA crypto subsystem must have been initialized by calling psa_crypto_init() before calling this function.

Parameters:

chain – points to the start of the chain
buf – buffer holding the CRL data in DER format
buflen – size of the buffer (including the terminating null byte for PEM data)

Returns:

0 if successful, or a specific X509 or PEM error code

int mbedtls_x509_crl_parse(mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen)

Parse one or more CRLs and append them to the chained list.

Note

Multiple CRLs are accepted only if using PEM format

Note

The PSA crypto subsystem must have been initialized by calling psa_crypto_init() before calling this function.

Parameters:

chain – points to the start of the chain
buf – buffer holding the CRL data in PEM or DER format
buflen – size of the buffer (including the terminating null byte for PEM data)

Returns:

0 if successful, or a specific X509 or PEM error code

int mbedtls_x509_crl_parse_file(mbedtls_x509_crl *chain, const char *path)

Load one or more CRLs and append them to the chained list.

Note

Multiple CRLs are accepted only if using PEM format

Note

The PSA crypto subsystem must have been initialized by calling psa_crypto_init() before calling this function.

Parameters:

chain – points to the start of the chain
path – filename to read the CRLs from (in PEM or DER encoding)

Returns:

0 if successful, or a specific X509 or PEM error code

void mbedtls_x509_crl_init(mbedtls_x509_crl *crl)

Initialize a CRL (chain)

Parameters:: crl – CRL chain to initialize

void mbedtls_x509_crl_free(mbedtls_x509_crl *crl)

Unallocate all CRL data.

Parameters:: crl – CRL chain to free

struct mbedtls_x509_crl_entry

#include <x509_crl.h>

Certificate revocation list entry. Contains the CA-specific serial numbers and revocation dates.

Some fields of this structure are publicly readable. Do not modify them except via Mbed TLS library functions: the effect of modifying those fields or the data that those fields points to is unspecified.

Public Members

mbedtls_x509_buf raw: Direct access to the whole entry inside the containing buffer.

mbedtls_x509_buf serial: The serial number of the revoked certificate.

mbedtls_x509_time revocation_date: The revocation date of this entry.

mbedtls_x509_buf entry_ext

Direct access to the list of CRL entry extensions (an ASN.1 constructed sequence).

If there are no extensions, entry_ext.len == 0 and entry_ext.p == NULL.

struct mbedtls_x509_crl_entry *next: Next element in the linked list of entries. NULL indicates the end of the list. Do not modify this field directly.

struct mbedtls_x509_crl

#include <x509_crl.h>

Certificate revocation list structure. Every CRL may have multiple entries.

Public Members

mbedtls_x509_buf raw: The raw certificate data (DER).

mbedtls_x509_buf tbs: The raw certificate body (DER). The part that is To Be Signed.

int version: CRL version (1=v1, 2=v2)

mbedtls_x509_buf sig_oid: CRL signature type identifier

mbedtls_x509_buf issuer_raw: The raw issuer data (DER).

mbedtls_x509_name issuer: The parsed issuer data (named information object).

mbedtls_x509_time this_update

mbedtls_x509_time next_update

mbedtls_x509_crl_entry entry: The CRL entries containing the certificate revocation times for this CA.

mbedtls_x509_buf crl_ext

mbedtls_x509_buf private_sig_oid2

mbedtls_x509_buf private_sig

mbedtls_md_type_t private_sig_md: Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256

mbedtls_pk_type_t private_sig_pk: Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA

void *private_sig_opts: Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS

struct mbedtls_x509_crl *next: Next element in the linked list of CRL. NULL indicates the end of the list. Do not modify this field directly.