File x509_crt.h
X.509 certificate parsing and writing.
-
struct mbedtls_x509_crt
- #include <x509_crt.h>
Container for an X.509 certificate. The certificate may be chained.
Some fields of this structure are publicly readable. Do not modify them except via Mbed TLS library functions: the effect of modifying those fields or the data that those fields points to is unspecified.
Public Members
-
int private_own_buffer
Indicates if
rawis owned by the structure or not.
-
mbedtls_x509_buf raw
The raw certificate data (DER).
-
mbedtls_x509_buf tbs
The raw certificate body (DER). The part that is To Be Signed.
-
int version
The X.509 version. (1=v1, 2=v2, 3=v3)
-
mbedtls_x509_buf serial
Unique id for certificate issued by a specific CA.
-
mbedtls_x509_buf sig_oid
Signature algorithm, e.g. sha1RSA
-
mbedtls_x509_buf issuer_raw
The raw issuer data (DER). Used for quick comparison.
-
mbedtls_x509_buf subject_raw
The raw subject data (DER). Used for quick comparison.
-
mbedtls_x509_name issuer
The parsed issuer data (named information object).
-
mbedtls_x509_name subject
The parsed subject data (named information object).
-
mbedtls_x509_time valid_from
Start time of certificate validity.
-
mbedtls_x509_time valid_to
End time of certificate validity.
-
mbedtls_x509_buf pk_raw
-
mbedtls_pk_context pk
Container for the public key context.
-
mbedtls_x509_buf issuer_id
Optional X.509 v2/v3 issuer unique identifier.
-
mbedtls_x509_buf subject_id
Optional X.509 v2/v3 subject unique identifier.
-
mbedtls_x509_buf v3_ext
Optional X.509 v3 extensions.
-
mbedtls_x509_sequence subject_alt_names
Optional list of raw entries of Subject Alternative Names extension. These can be later parsed by mbedtls_x509_parse_subject_alt_name.
-
mbedtls_x509_buf subject_key_id
Optional X.509 v3 extension subject key identifier.
-
mbedtls_x509_authority authority_key_id
Optional X.509 v3 extension authority key identifier.
-
mbedtls_x509_sequence certificate_policies
Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed).
-
int private_ext_types
Bit string containing detected and parsed extensions
-
int private_ca_istrue
Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise.
-
int private_max_pathlen
Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 ‘meaning’, so 1+
-
unsigned int private_key_usage
Optional key usage extension value: See the values in x509.h
-
mbedtls_x509_sequence ext_key_usage
Optional list of extended key usage OIDs.
-
unsigned char private_ns_cert_type
Optional Netscape certificate type extension value: See the values in x509.h
-
mbedtls_x509_buf private_sig
Signature: hash of the tbs part signed with the private key.
-
mbedtls_md_type_t private_sig_md
Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256
-
mbedtls_pk_sigalg_t private_sig_pk
Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA
-
size_t number
-
void *ptr
-
union mbedtls_x509_crt private_unused
-
struct mbedtls_x509_crt *next
Next certificate in the linked list that constitutes the CA chain.
NULLindicates the end of the list. Do not modify this field directly.
-
int private_own_buffer
-
struct mbedtls_x509_crt_profile
- #include <x509_crt.h>
Security profile for certificate verification.
All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG().
The fields of this structure are part of the public API and can be manipulated directly by applications. Future versions of the library may add extra fields or reorder existing fields.
You can create custom profiles by starting from a copy of an existing profile, such as mbedtls_x509_crt_profile_default or mbedtls_x509_ctr_profile_none and then tune it to your needs.
For example to allow SHA-224 in addition to the default:
mbedtls_x509_crt_profile my_profile = mbedtls_x509_crt_profile_default; my_profile.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 );
Or to allow only RSA-3072+ with SHA-256:
mbedtls_x509_crt_profile my_profile = mbedtls_x509_crt_profile_none; my_profile.allowed_mds = MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ); my_profile.allowed_pks = MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_RSA ); my_profile.rsa_min_bitlen = 3072;
-
struct mbedtls_x509write_cert
- #include <x509_crt.h>
Container for writing a certificate (CRT)
Public Members
-
int private_version
-
unsigned char private_serial[MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN]
-
size_t private_serial_len
-
mbedtls_pk_context *private_subject_key
-
mbedtls_pk_context *private_issuer_key
-
mbedtls_asn1_named_data *private_subject
-
mbedtls_asn1_named_data *private_issuer
-
mbedtls_md_type_t private_md_alg
-
char private_not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1]
-
char private_not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1]
-
mbedtls_asn1_named_data *private_extensions
-
int private_version
-
struct mbedtls_x509_crt_verify_chain_item
- #include <x509_crt.h>
Item in a verification chain: cert and flags for it
-
struct mbedtls_x509_crt_verify_chain
- #include <x509_crt.h>
Verification chain as built by
mbedtls_crt_verify_chain()Public Members
-
mbedtls_x509_crt_verify_chain_item private_items[MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE]
-
unsigned private_len
-
mbedtls_x509_crt *private_trust_ca_cb_result
-
mbedtls_x509_crt_verify_chain_item private_items[MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE]
-
struct mbedtls_x509_crt_restart_ctx
- #include <x509_crt.h>
Context for resuming X.509 verify operations.
Public Members
-
mbedtls_pk_restart_ctx private_pk
-
mbedtls_x509_crt *private_parent
-
mbedtls_x509_crt *private_fallback_parent
-
int private_fallback_signature_is_good
-
int private_parent_is_trusted
-
enum mbedtls_x509_crt_restart_ctx private_in_progress
-
int private_self_cnt
-
mbedtls_x509_crt_verify_chain private_ver_chain
-
mbedtls_pk_restart_ctx private_pk