File x509.h

X.509 generic defines and structures.

X509 Error codes

MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE: Unavailable feature, e.g. RSA hashing/encryption combination.

MBEDTLS_ERR_X509_UNKNOWN_OID: Requested OID is unknown.

MBEDTLS_ERR_X509_INVALID_FORMAT: The CRT/CRL/CSR format is invalid, e.g. different type expected.

MBEDTLS_ERR_X509_INVALID_VERSION: The CRT/CRL/CSR version element is invalid.

MBEDTLS_ERR_X509_INVALID_SERIAL: The serial tag or value is invalid.

MBEDTLS_ERR_X509_INVALID_ALG: The algorithm tag or value is invalid.

MBEDTLS_ERR_X509_INVALID_NAME: The name tag or value is invalid.

MBEDTLS_ERR_X509_INVALID_DATE: The date tag or value is invalid.

MBEDTLS_ERR_X509_INVALID_SIGNATURE: The signature tag or value invalid.

MBEDTLS_ERR_X509_INVALID_EXTENSIONS: The extension tag or value is invalid.

MBEDTLS_ERR_X509_UNKNOWN_VERSION: CRT/CRL/CSR has an unsupported version number.

MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG: Signature algorithm (oid) is unsupported.

MBEDTLS_ERR_X509_SIG_MISMATCH: Signature algorithms do not match. (see mbedtls_x509_crt sig_oid)

MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: Certificate verification failed, e.g. CRL, CA or signature check failed.

MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT: Format not recognized as DER or PEM.

MBEDTLS_ERR_X509_BAD_INPUT_DATA: Input invalid.

MBEDTLS_ERR_X509_ALLOC_FAILED: Allocation of memory failed.

MBEDTLS_ERR_X509_FILE_IO_ERROR: Read/write of file failed.

MBEDTLS_ERR_X509_BUFFER_TOO_SMALL: Destination buffer is too small.

MBEDTLS_ERR_X509_FATAL_ERROR: A fatal error occurred, eg the chain is too long or the vrfy callback failed.

X509 Verify codes

MBEDTLS_X509_BADCERT_EXPIRED: The certificate validity has expired.

MBEDTLS_X509_BADCERT_REVOKED: The certificate has been revoked (is on a CRL).

MBEDTLS_X509_BADCERT_CN_MISMATCH: The certificate Common Name (CN) does not match with the expected CN.

MBEDTLS_X509_BADCERT_NOT_TRUSTED: The certificate is not correctly signed by the trusted CA.

MBEDTLS_X509_BADCRL_NOT_TRUSTED: The CRL is not correctly signed by the trusted CA.

MBEDTLS_X509_BADCRL_EXPIRED: The CRL is expired.

MBEDTLS_X509_BADCERT_MISSING: Certificate was missing.

MBEDTLS_X509_BADCERT_SKIP_VERIFY: Certificate verification was skipped.

MBEDTLS_X509_BADCERT_OTHER: Other reason (can be used by verify callback)

MBEDTLS_X509_BADCERT_FUTURE: The certificate validity starts in the future.

MBEDTLS_X509_BADCRL_FUTURE: The CRL is from the future

MBEDTLS_X509_BADCERT_KEY_USAGE: Usage does not match the keyUsage extension.

MBEDTLS_X509_BADCERT_EXT_KEY_USAGE: Usage does not match the extendedKeyUsage extension.

MBEDTLS_X509_BADCERT_NS_CERT_TYPE: Usage does not match the nsCertType extension.

MBEDTLS_X509_BADCERT_BAD_MD: The certificate is signed with an unacceptable hash.

MBEDTLS_X509_BADCERT_BAD_PK: The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA).

MBEDTLS_X509_BADCERT_BAD_KEY: The certificate is signed with an unacceptable key (eg bad curve, RSA too short).

MBEDTLS_X509_BADCRL_BAD_MD: The CRL is signed with an unacceptable hash.

MBEDTLS_X509_BADCRL_BAD_PK: The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA).

MBEDTLS_X509_BADCRL_BAD_KEY: The CRL is signed with an unacceptable key (eg bad curve, RSA too short).

Structures for parsing X.509 certificates, CRLs and CSRs

typedef mbedtls_asn1_buf mbedtls_x509_buf: Type-length-value structure that allows for ASN1 using DER.

typedef mbedtls_asn1_bitstring mbedtls_x509_bitstring: Container for ASN1 bit strings.

typedef mbedtls_asn1_named_data mbedtls_x509_name: Container for ASN1 named information objects. It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.).

typedef mbedtls_asn1_sequence mbedtls_x509_sequence: Container for a sequence of ASN.1 items

typedef struct mbedtls_x509_time mbedtls_x509_time: Container for date and time (precision in seconds).

Defines

MBEDTLS_X509_MAX_INTERMEDIATE_CA

Maximum number of intermediate CAs in a verification chain. That is, maximum length of the chain, excluding the end-entity certificate and the trusted root certificate.

Set this to a low value to prevent an adversary from making you waste resources verifying an overlong certificate chain.

MBEDTLS_X509_SAN_OTHER_NAME

MBEDTLS_X509_SAN_RFC822_NAME

MBEDTLS_X509_SAN_DNS_NAME

MBEDTLS_X509_SAN_X400_ADDRESS_NAME

MBEDTLS_X509_SAN_DIRECTORY_NAME

MBEDTLS_X509_SAN_EDI_PARTY_NAME

MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER

MBEDTLS_X509_SAN_IP_ADDRESS

MBEDTLS_X509_SAN_REGISTERED_ID

MBEDTLS_X509_KU_DIGITAL_SIGNATURE

MBEDTLS_X509_KU_NON_REPUDIATION

MBEDTLS_X509_KU_KEY_ENCIPHERMENT

MBEDTLS_X509_KU_DATA_ENCIPHERMENT

MBEDTLS_X509_KU_KEY_AGREEMENT

MBEDTLS_X509_KU_KEY_CERT_SIGN

MBEDTLS_X509_KU_CRL_SIGN

MBEDTLS_X509_KU_ENCIPHER_ONLY

MBEDTLS_X509_KU_DECIPHER_ONLY

MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT

MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER

MBEDTLS_X509_NS_CERT_TYPE_EMAIL

MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING

MBEDTLS_X509_NS_CERT_TYPE_RESERVED

MBEDTLS_X509_NS_CERT_TYPE_SSL_CA

MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA

MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA

MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER

MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER

MBEDTLS_X509_EXT_KEY_USAGE

MBEDTLS_X509_EXT_CERTIFICATE_POLICIES

MBEDTLS_X509_EXT_POLICY_MAPPINGS

MBEDTLS_X509_EXT_SUBJECT_ALT_NAME

MBEDTLS_X509_EXT_ISSUER_ALT_NAME

MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS

MBEDTLS_X509_EXT_BASIC_CONSTRAINTS

MBEDTLS_X509_EXT_NAME_CONSTRAINTS

MBEDTLS_X509_EXT_POLICY_CONSTRAINTS

MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE

MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS

MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY

MBEDTLS_X509_EXT_FRESHEST_CRL

MBEDTLS_X509_EXT_NS_CERT_TYPE

MBEDTLS_X509_FORMAT_DER

MBEDTLS_X509_FORMAT_PEM

MBEDTLS_X509_MAX_DN_NAME_SIZE: Maximum value size of a DN entry

MBEDTLS_X509_SAFE_SNPRINTF

Functions

int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn)

Store the certificate DN in printable form into buf; no more than size characters will be written.

Parameters:

buf – Buffer to write to
size – Maximum size of buffer
dn – The X509 name to represent

Returns:

The length of the string written (not including the terminated nul byte), or a negative error code.

int mbedtls_x509_serial_gets(char *buf, size_t size, const mbedtls_x509_buf *serial)

Store the certificate serial in printable form into buf; no more than size characters will be written.

Parameters:

buf – Buffer to write to
size – Maximum size of buffer
serial – The X509 serial to represent

Returns:

The length of the string written (not including the terminated nul byte), or a negative error code.

int mbedtls_x509_time_is_past(const mbedtls_x509_time *to)

Check a given mbedtls_x509_time against the system time and tell if it’s in the past.

Note

Intended usage is “if( is_past( valid_to ) ) ERROR”. Hence the return value of 1 if on internal errors.

Parameters:: to – mbedtls_x509_time to check
Returns:: 1 if the given time is in the past or an error occurred, 0 otherwise.

int mbedtls_x509_time_is_future(const mbedtls_x509_time *from)

Check a given mbedtls_x509_time against the system time and tell if it’s in the future.

Note

Intended usage is “if( is_future( valid_from ) ) ERROR”. Hence the return value of 1 if on internal errors.

Parameters:: from – mbedtls_x509_time to check
Returns:: 1 if the given time is in the future or an error occurred, 0 otherwise.

int mbedtls_x509_self_test(int verbose)

Checkup routine.

Returns:: 0 if successful, or 1 if the test failed

int mbedtls_x509_get_name(unsigned char **p, const unsigned char *end, mbedtls_x509_name *cur)

int mbedtls_x509_get_alg_null(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *alg)

int mbedtls_x509_get_alg(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *alg, mbedtls_x509_buf *params)

int mbedtls_x509_get_rsassa_pss_params(const mbedtls_x509_buf *params, mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md, int *salt_len)

int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig)

int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params, mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg, void **sig_opts)

int mbedtls_x509_get_time(unsigned char **p, const unsigned char *end, mbedtls_x509_time *t)

int mbedtls_x509_get_serial(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *serial)

int mbedtls_x509_get_ext(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *ext, int tag)

int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *sig_oid, mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg, const void *sig_opts)

int mbedtls_x509_key_size_helper(char *buf, size_t buf_size, const char *name)

int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name)

int mbedtls_x509_set_extension(mbedtls_asn1_named_data **head, const char *oid, size_t oid_len, int critical, const unsigned char *val, size_t val_len)

int mbedtls_x509_write_extensions(unsigned char **p, unsigned char *start, mbedtls_asn1_named_data *first)

int mbedtls_x509_write_names(unsigned char **p, unsigned char *start, mbedtls_asn1_named_data *first)

int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start, const char *oid, size_t oid_len, unsigned char *sig, size_t size, mbedtls_pk_type_t pk_alg)

struct mbedtls_x509_time

#include <x509.h>

Container for date and time (precision in seconds).

Public Members

int year

int mon

int day: Date.

int hour

int min

int sec: Time.