File x509_crl.h

X.509 certificate revocation list parsing.

Structures and functions for parsing CRLs

typedef struct mbedtls_x509_crl_entry mbedtls_x509_crl_entry

Certificate revocation list entry. Contains the CA-specific serial numbers and revocation dates.

Some fields of this structure are publicly readable. Do not modify them except via Mbed TLS library functions: the effect of modifying those fields or the data that those fields points to is unspecified.

typedef struct mbedtls_x509_crl mbedtls_x509_crl: Certificate revocation list structure. Every CRL may have multiple entries.

int mbedtls_x509_crl_parse_der(mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen)

Parse a DER-encoded CRL and append it to the chained list.

Note

If MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto subsystem must have been initialized by calling psa_crypto_init() before calling this function.

Parameters

chain – points to the start of the chain
buf – buffer holding the CRL data in DER format
buflen – size of the buffer (including the terminating null byte for PEM data)

Returns

0 if successful, or a specific X509 or PEM error code

int mbedtls_x509_crl_parse(mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen)

Parse one or more CRLs and append them to the chained list.

Note

Multiple CRLs are accepted only if using PEM format

Note

If MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto subsystem must have been initialized by calling psa_crypto_init() before calling this function.

Parameters

chain – points to the start of the chain
buf – buffer holding the CRL data in PEM or DER format
buflen – size of the buffer (including the terminating null byte for PEM data)

Returns

0 if successful, or a specific X509 or PEM error code

int mbedtls_x509_crl_parse_file(mbedtls_x509_crl *chain, const char *path)

Load one or more CRLs and append them to the chained list.

Note

Multiple CRLs are accepted only if using PEM format

Note

If MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto subsystem must have been initialized by calling psa_crypto_init() before calling this function.

Parameters

chain – points to the start of the chain
path – filename to read the CRLs from (in PEM or DER encoding)

Returns

0 if successful, or a specific X509 or PEM error code

void mbedtls_x509_crl_init(mbedtls_x509_crl *crl)

Initialize a CRL (chain)

Parameters: crl – CRL chain to initialize

void mbedtls_x509_crl_free(mbedtls_x509_crl *crl)

Unallocate all CRL data.

Parameters: crl – CRL chain to free

struct mbedtls_x509_crl_entry

#include <x509_crl.h>

Certificate revocation list entry. Contains the CA-specific serial numbers and revocation dates.

Some fields of this structure are publicly readable. Do not modify them except via Mbed TLS library functions: the effect of modifying those fields or the data that those fields points to is unspecified.

Public Members

mbedtls_x509_buf raw: Direct access to the whole entry inside the containing buffer.

mbedtls_x509_buf serial: The serial number of the revoked certificate.

mbedtls_x509_time revocation_date: The revocation date of this entry.

mbedtls_x509_buf entry_ext

Direct access to the list of CRL entry extensions (an ASN.1 constructed sequence).

If there are no extensions, entry_ext.len == 0 and entry_ext.p == NULL.

struct mbedtls_x509_crl_entry *next: Next element in the linked list of entries. NULL indicates the end of the list. Do not modify this field directly.

struct mbedtls_x509_crl

#include <x509_crl.h>

Certificate revocation list structure. Every CRL may have multiple entries.

Public Members

mbedtls_x509_buf raw: The raw certificate data (DER).

mbedtls_x509_buf tbs: The raw certificate body (DER). The part that is To Be Signed.

int version: CRL version (1=v1, 2=v2)

mbedtls_x509_buf sig_oid: CRL signature type identifier

mbedtls_x509_buf issuer_raw: The raw issuer data (DER).

mbedtls_x509_name issuer: The parsed issuer data (named information object).

mbedtls_x509_time this_update

mbedtls_x509_time next_update

mbedtls_x509_crl_entry entry: The CRL entries containing the certificate revocation times for this CA.

mbedtls_x509_buf crl_ext

mbedtls_x509_buf private_sig_oid2

mbedtls_x509_buf private_sig

mbedtls_md_type_t private_sig_md: Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256

mbedtls_pk_type_t private_sig_pk: Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA

void *private_sig_opts: Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS

struct mbedtls_x509_crl *next: Next element in the linked list of CRL. NULL indicates the end of the list. Do not modify this field directly.