]> git.zerfleddert.de Git - proxmark3-svn/blob - common/mbedtls/x509_crt.h
emv/sc fixes and modifications: (#780)
[proxmark3-svn] / common / mbedtls / x509_crt.h
1 /**
2 * \file x509_crt.h
3 *
4 * \brief X.509 certificate parsing and writing
5 */
6 /*
7 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
8 * SPDX-License-Identifier: GPL-2.0
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, write to the Free Software Foundation, Inc.,
22 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 *
24 * This file is part of mbed TLS (https://tls.mbed.org)
25 */
26 #ifndef MBEDTLS_X509_CRT_H
27 #define MBEDTLS_X509_CRT_H
28
29 #if !defined(MBEDTLS_CONFIG_FILE)
30 #include "config.h"
31 #else
32 #include MBEDTLS_CONFIG_FILE
33 #endif
34
35 #include "x509.h"
36 #include "x509_crl.h"
37
38 /**
39 * \addtogroup x509_module
40 * \{
41 */
42
43 #ifdef __cplusplus
44 extern "C" {
45 #endif
46
47 /**
48 * \name Structures and functions for parsing and writing X.509 certificates
49 * \{
50 */
51
52 /**
53 * Container for an X.509 certificate. The certificate may be chained.
54 */
55 typedef struct mbedtls_x509_crt
56 {
57 mbedtls_x509_buf raw; /**< The raw certificate data (DER). */
58 mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */
59
60 int version; /**< The X.509 version. (1=v1, 2=v2, 3=v3) */
61 mbedtls_x509_buf serial; /**< Unique id for certificate issued by a specific CA. */
62 mbedtls_x509_buf sig_oid; /**< Signature algorithm, e.g. sha1RSA */
63
64 mbedtls_x509_buf issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */
65 mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). Used for quick comparison. */
66
67 mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */
68 mbedtls_x509_name subject; /**< The parsed subject data (named information object). */
69
70 mbedtls_x509_time valid_from; /**< Start time of certificate validity. */
71 mbedtls_x509_time valid_to; /**< End time of certificate validity. */
72
73 mbedtls_pk_context pk; /**< Container for the public key context. */
74
75 mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */
76 mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
77 mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */
78 mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */
79
80 int ext_types; /**< Bit string containing detected and parsed extensions */
81 int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
82 int max_pathlen; /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */
83
84 unsigned int key_usage; /**< Optional key usage extension value: See the values in x509.h */
85
86 mbedtls_x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */
87
88 unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */
89
90 mbedtls_x509_buf sig; /**< Signature: hash of the tbs part signed with the private key. */
91 mbedtls_md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
92 mbedtls_pk_type_t sig_pk; /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
93 void *sig_opts; /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
94
95 struct mbedtls_x509_crt *next; /**< Next certificate in the CA-chain. */
96 }
97 mbedtls_x509_crt;
98
99 /**
100 * Build flag from an algorithm/curve identifier (pk, md, ecp)
101 * Since 0 is always XXX_NONE, ignore it.
102 */
103 #define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( id - 1 ) )
104
105 /**
106 * Security profile for certificate verification.
107 *
108 * All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG().
109 */
110 typedef struct mbedtls_x509_crt_profile
111 {
112 uint32_t allowed_mds; /**< MDs for signatures */
113 uint32_t allowed_pks; /**< PK algs for signatures */
114 uint32_t allowed_curves; /**< Elliptic curves for ECDSA */
115 uint32_t rsa_min_bitlen; /**< Minimum size for RSA keys */
116 }
117 mbedtls_x509_crt_profile;
118
119 #define MBEDTLS_X509_CRT_VERSION_1 0
120 #define MBEDTLS_X509_CRT_VERSION_2 1
121 #define MBEDTLS_X509_CRT_VERSION_3 2
122
123 #define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32
124 #define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15
125
126 #if !defined( MBEDTLS_X509_MAX_FILE_PATH_LEN )
127 #define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
128 #endif
129
130 /**
131 * Container for writing a certificate (CRT)
132 */
133 typedef struct mbedtls_x509write_cert
134 {
135 int version;
136 mbedtls_mpi serial;
137 mbedtls_pk_context *subject_key;
138 mbedtls_pk_context *issuer_key;
139 mbedtls_asn1_named_data *subject;
140 mbedtls_asn1_named_data *issuer;
141 mbedtls_md_type_t md_alg;
142 char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
143 char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
144 mbedtls_asn1_named_data *extensions;
145 }
146 mbedtls_x509write_cert;
147
148 #if defined(MBEDTLS_X509_CRT_PARSE_C)
149 /**
150 * Default security profile. Should provide a good balance between security
151 * and compatibility with current deployments.
152 */
153 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default;
154
155 /**
156 * Expected next default profile. Recommended for new deployments.
157 * Currently targets a 128-bit security level, except for RSA-2048.
158 */
159 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next;
160
161 /**
162 * NSA Suite B profile.
163 */
164 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb;
165
166 /**
167 * \brief Parse a single DER formatted certificate and add it
168 * to the chained list.
169 *
170 * \param chain points to the start of the chain
171 * \param buf buffer holding the certificate DER data
172 * \param buflen size of the buffer
173 *
174 * \return 0 if successful, or a specific X509 or PEM error code
175 */
176 int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *buf,
177 size_t buflen );
178
179 /**
180 * \brief Parse one or more certificates and add them
181 * to the chained list. Parses permissively. If some
182 * certificates can be parsed, the result is the number
183 * of failed certificates it encountered. If none complete
184 * correctly, the first error is returned.
185 *
186 * \param chain points to the start of the chain
187 * \param buf buffer holding the certificate data in PEM or DER format
188 * \param buflen size of the buffer
189 * (including the terminating null byte for PEM data)
190 *
191 * \return 0 if all certificates parsed successfully, a positive number
192 * if partly successful or a specific X509 or PEM error code
193 */
194 int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen );
195
196 #if defined(MBEDTLS_FS_IO)
197 /**
198 * \brief Load one or more certificates and add them
199 * to the chained list. Parses permissively. If some
200 * certificates can be parsed, the result is the number
201 * of failed certificates it encountered. If none complete
202 * correctly, the first error is returned.
203 *
204 * \param chain points to the start of the chain
205 * \param path filename to read the certificates from
206 *
207 * \return 0 if all certificates parsed successfully, a positive number
208 * if partly successful or a specific X509 or PEM error code
209 */
210 int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path );
211
212 /**
213 * \brief Load one or more certificate files from a path and add them
214 * to the chained list. Parses permissively. If some
215 * certificates can be parsed, the result is the number
216 * of failed certificates it encountered. If none complete
217 * correctly, the first error is returned.
218 *
219 * \param chain points to the start of the chain
220 * \param path directory / folder to read the certificate files from
221 *
222 * \return 0 if all certificates parsed successfully, a positive number
223 * if partly successful or a specific X509 or PEM error code
224 */
225 int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path );
226 #endif /* MBEDTLS_FS_IO */
227
228 /**
229 * \brief Returns an informational string about the
230 * certificate.
231 *
232 * \param buf Buffer to write to
233 * \param size Maximum size of buffer
234 * \param prefix A line prefix
235 * \param crt The X509 certificate to represent
236 *
237 * \return The length of the string written (not including the
238 * terminated nul byte), or a negative error code.
239 */
240 int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
241 const mbedtls_x509_crt *crt );
242
243 /**
244 * \brief Returns an informational string about the
245 * verification status of a certificate.
246 *
247 * \param buf Buffer to write to
248 * \param size Maximum size of buffer
249 * \param prefix A line prefix
250 * \param flags Verification flags created by mbedtls_x509_crt_verify()
251 *
252 * \return The length of the string written (not including the
253 * terminated nul byte), or a negative error code.
254 */
255 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
256 uint32_t flags );
257
258 /**
259 * \brief Verify the certificate signature
260 *
261 * The verify callback is a user-supplied callback that
262 * can clear / modify / add flags for a certificate. If set,
263 * the verification callback is called for each
264 * certificate in the chain (from the trust-ca down to the
265 * presented crt). The parameters for the callback are:
266 * (void *parameter, mbedtls_x509_crt *crt, int certificate_depth,
267 * int *flags). With the flags representing current flags for
268 * that specific certificate and the certificate depth from
269 * the bottom (Peer cert depth = 0).
270 *
271 * All flags left after returning from the callback
272 * are also returned to the application. The function should
273 * return 0 for anything (including invalid certificates)
274 * other than fatal error, as a non-zero return code
275 * immediately aborts the verification process. For fatal
276 * errors, a specific error code should be used (different
277 * from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not
278 * be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR
279 * can be used if no better code is available.
280 *
281 * \note In case verification failed, the results can be displayed
282 * using \c mbedtls_x509_crt_verify_info()
283 *
284 * \note Same as \c mbedtls_x509_crt_verify_with_profile() with the
285 * default security profile.
286 *
287 * \note It is your responsibility to provide up-to-date CRLs for
288 * all trusted CAs. If no CRL is provided for the CA that was
289 * used to sign the certificate, CRL verification is skipped
290 * silently, that is *without* setting any flag.
291 *
292 * \note The \c trust_ca list can contain two types of certificates:
293 * (1) those of trusted root CAs, so that certificates
294 * chaining up to those CAs will be trusted, and (2)
295 * self-signed end-entity certificates to be trusted (for
296 * specific peers you know) - in that case, the self-signed
297 * certificate doesn't need to have the CA bit set.
298 *
299 * \param crt a certificate (chain) to be verified
300 * \param trust_ca the list of trusted CAs (see note above)
301 * \param ca_crl the list of CRLs for trusted CAs (see note above)
302 * \param cn expected Common Name (can be set to
303 * NULL if the CN must not be verified)
304 * \param flags result of the verification
305 * \param f_vrfy verification function
306 * \param p_vrfy verification parameter
307 *
308 * \return 0 (and flags set to 0) if the chain was verified and valid,
309 * MBEDTLS_ERR_X509_CERT_VERIFY_FAILED if the chain was verified
310 * but found to be invalid, in which case *flags will have one
311 * or more MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX
312 * flags set, or another error (and flags set to 0xffffffff)
313 * in case of a fatal error encountered during the
314 * verification process.
315 */
316 int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
317 mbedtls_x509_crt *trust_ca,
318 mbedtls_x509_crl *ca_crl,
319 const char *cn, uint32_t *flags,
320 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
321 void *p_vrfy );
322
323 /**
324 * \brief Verify the certificate signature according to profile
325 *
326 * \note Same as \c mbedtls_x509_crt_verify(), but with explicit
327 * security profile.
328 *
329 * \note The restrictions on keys (RSA minimum size, allowed curves
330 * for ECDSA) apply to all certificates: trusted root,
331 * intermediate CAs if any, and end entity certificate.
332 *
333 * \param crt a certificate (chain) to be verified
334 * \param trust_ca the list of trusted CAs
335 * \param ca_crl the list of CRLs for trusted CAs
336 * \param profile security profile for verification
337 * \param cn expected Common Name (can be set to
338 * NULL if the CN must not be verified)
339 * \param flags result of the verification
340 * \param f_vrfy verification function
341 * \param p_vrfy verification parameter
342 *
343 * \return 0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
344 * in which case *flags will have one or more
345 * MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags
346 * set,
347 * or another error in case of a fatal error encountered
348 * during the verification process.
349 */
350 int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
351 mbedtls_x509_crt *trust_ca,
352 mbedtls_x509_crl *ca_crl,
353 const mbedtls_x509_crt_profile *profile,
354 const char *cn, uint32_t *flags,
355 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
356 void *p_vrfy );
357
358 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
359 /**
360 * \brief Check usage of certificate against keyUsage extension.
361 *
362 * \param crt Leaf certificate used.
363 * \param usage Intended usage(s) (eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT
364 * before using the certificate to perform an RSA key
365 * exchange).
366 *
367 * \note Except for decipherOnly and encipherOnly, a bit set in the
368 * usage argument means this bit MUST be set in the
369 * certificate. For decipherOnly and encipherOnly, it means
370 * that bit MAY be set.
371 *
372 * \return 0 is these uses of the certificate are allowed,
373 * MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension
374 * is present but does not match the usage argument.
375 *
376 * \note You should only call this function on leaf certificates, on
377 * (intermediate) CAs the keyUsage extension is automatically
378 * checked by \c mbedtls_x509_crt_verify().
379 */
380 int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
381 unsigned int usage );
382 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */
383
384 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
385 /**
386 * \brief Check usage of certificate against extendedKeyUsage.
387 *
388 * \param crt Leaf certificate used.
389 * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or
390 * MBEDTLS_OID_CLIENT_AUTH).
391 * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()).
392 *
393 * \return 0 if this use of the certificate is allowed,
394 * MBEDTLS_ERR_X509_BAD_INPUT_DATA if not.
395 *
396 * \note Usually only makes sense on leaf certificates.
397 */
398 int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
399 const char *usage_oid,
400 size_t usage_len );
401 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
402
403 #if defined(MBEDTLS_X509_CRL_PARSE_C)
404 /**
405 * \brief Verify the certificate revocation status
406 *
407 * \param crt a certificate to be verified
408 * \param crl the CRL to verify against
409 *
410 * \return 1 if the certificate is revoked, 0 otherwise
411 *
412 */
413 int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl );
414 #endif /* MBEDTLS_X509_CRL_PARSE_C */
415
416 /**
417 * \brief Initialize a certificate (chain)
418 *
419 * \param crt Certificate chain to initialize
420 */
421 void mbedtls_x509_crt_init( mbedtls_x509_crt *crt );
422
423 /**
424 * \brief Unallocate all certificate data
425 *
426 * \param crt Certificate chain to free
427 */
428 void mbedtls_x509_crt_free( mbedtls_x509_crt *crt );
429 #endif /* MBEDTLS_X509_CRT_PARSE_C */
430
431 /* \} name */
432 /* \} addtogroup x509_module */
433
434 #if defined(MBEDTLS_X509_CRT_WRITE_C)
435 /**
436 * \brief Initialize a CRT writing context
437 *
438 * \param ctx CRT context to initialize
439 */
440 void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx );
441
442 /**
443 * \brief Set the verion for a Certificate
444 * Default: MBEDTLS_X509_CRT_VERSION_3
445 *
446 * \param ctx CRT context to use
447 * \param version version to set (MBEDTLS_X509_CRT_VERSION_1, MBEDTLS_X509_CRT_VERSION_2 or
448 * MBEDTLS_X509_CRT_VERSION_3)
449 */
450 void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version );
451
452 /**
453 * \brief Set the serial number for a Certificate.
454 *
455 * \param ctx CRT context to use
456 * \param serial serial number to set
457 *
458 * \return 0 if successful
459 */
460 int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial );
461
462 /**
463 * \brief Set the validity period for a Certificate
464 * Timestamps should be in string format for UTC timezone
465 * i.e. "YYYYMMDDhhmmss"
466 * e.g. "20131231235959" for December 31st 2013
467 * at 23:59:59
468 *
469 * \param ctx CRT context to use
470 * \param not_before not_before timestamp
471 * \param not_after not_after timestamp
472 *
473 * \return 0 if timestamp was parsed successfully, or
474 * a specific error code
475 */
476 int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before,
477 const char *not_after );
478
479 /**
480 * \brief Set the issuer name for a Certificate
481 * Issuer names should contain a comma-separated list
482 * of OID types and values:
483 * e.g. "C=UK,O=ARM,CN=mbed TLS CA"
484 *
485 * \param ctx CRT context to use
486 * \param issuer_name issuer name to set
487 *
488 * \return 0 if issuer name was parsed successfully, or
489 * a specific error code
490 */
491 int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *ctx,
492 const char *issuer_name );
493
494 /**
495 * \brief Set the subject name for a Certificate
496 * Subject names should contain a comma-separated list
497 * of OID types and values:
498 * e.g. "C=UK,O=ARM,CN=mbed TLS Server 1"
499 *
500 * \param ctx CRT context to use
501 * \param subject_name subject name to set
502 *
503 * \return 0 if subject name was parsed successfully, or
504 * a specific error code
505 */
506 int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *ctx,
507 const char *subject_name );
508
509 /**
510 * \brief Set the subject public key for the certificate
511 *
512 * \param ctx CRT context to use
513 * \param key public key to include
514 */
515 void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key );
516
517 /**
518 * \brief Set the issuer key used for signing the certificate
519 *
520 * \param ctx CRT context to use
521 * \param key private key to sign with
522 */
523 void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key );
524
525 /**
526 * \brief Set the MD algorithm to use for the signature
527 * (e.g. MBEDTLS_MD_SHA1)
528 *
529 * \param ctx CRT context to use
530 * \param md_alg MD algorithm to use
531 */
532 void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg );
533
534 /**
535 * \brief Generic function to add to or replace an extension in the
536 * CRT
537 *
538 * \param ctx CRT context to use
539 * \param oid OID of the extension
540 * \param oid_len length of the OID
541 * \param critical if the extension is critical (per the RFC's definition)
542 * \param val value of the extension OCTET STRING
543 * \param val_len length of the value data
544 *
545 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
546 */
547 int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx,
548 const char *oid, size_t oid_len,
549 int critical,
550 const unsigned char *val, size_t val_len );
551
552 /**
553 * \brief Set the basicConstraints extension for a CRT
554 *
555 * \param ctx CRT context to use
556 * \param is_ca is this a CA certificate
557 * \param max_pathlen maximum length of certificate chains below this
558 * certificate (only for CA certificates, -1 is
559 * inlimited)
560 *
561 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
562 */
563 int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx,
564 int is_ca, int max_pathlen );
565
566 #if defined(MBEDTLS_SHA1_C)
567 /**
568 * \brief Set the subjectKeyIdentifier extension for a CRT
569 * Requires that mbedtls_x509write_crt_set_subject_key() has been
570 * called before
571 *
572 * \param ctx CRT context to use
573 *
574 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
575 */
576 int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx );
577
578 /**
579 * \brief Set the authorityKeyIdentifier extension for a CRT
580 * Requires that mbedtls_x509write_crt_set_issuer_key() has been
581 * called before
582 *
583 * \param ctx CRT context to use
584 *
585 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
586 */
587 int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx );
588 #endif /* MBEDTLS_SHA1_C */
589
590 /**
591 * \brief Set the Key Usage Extension flags
592 * (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN)
593 *
594 * \param ctx CRT context to use
595 * \param key_usage key usage flags to set
596 *
597 * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
598 */
599 int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
600 unsigned int key_usage );
601
602 /**
603 * \brief Set the Netscape Cert Type flags
604 * (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)
605 *
606 * \param ctx CRT context to use
607 * \param ns_cert_type Netscape Cert Type flags to set
608 *
609 * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
610 */
611 int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx,
612 unsigned char ns_cert_type );
613
614 /**
615 * \brief Free the contents of a CRT write context
616 *
617 * \param ctx CRT context to free
618 */
619 void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx );
620
621 /**
622 * \brief Write a built up certificate to a X509 DER structure
623 * Note: data is written at the end of the buffer! Use the
624 * return value to determine where you should start
625 * using the buffer
626 *
627 * \param ctx certificate to write away
628 * \param buf buffer to write to
629 * \param size size of the buffer
630 * \param f_rng RNG function (for signature, see note)
631 * \param p_rng RNG parameter
632 *
633 * \return length of data written if successful, or a specific
634 * error code
635 *
636 * \note f_rng may be NULL if RSA is used for signature and the
637 * signature is made offline (otherwise f_rng is desirable
638 * for countermeasures against timing attacks).
639 * ECDSA signatures always require a non-NULL f_rng.
640 */
641 int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
642 int (*f_rng)(void *, unsigned char *, size_t),
643 void *p_rng );
644
645 #if defined(MBEDTLS_PEM_WRITE_C)
646 /**
647 * \brief Write a built up certificate to a X509 PEM string
648 *
649 * \param ctx certificate to write away
650 * \param buf buffer to write to
651 * \param size size of the buffer
652 * \param f_rng RNG function (for signature, see note)
653 * \param p_rng RNG parameter
654 *
655 * \return 0 if successful, or a specific error code
656 *
657 * \note f_rng may be NULL if RSA is used for signature and the
658 * signature is made offline (otherwise f_rng is desirable
659 * for countermeasures against timing attacks).
660 * ECDSA signatures always require a non-NULL f_rng.
661 */
662 int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
663 int (*f_rng)(void *, unsigned char *, size_t),
664 void *p_rng );
665 #endif /* MBEDTLS_PEM_WRITE_C */
666 #endif /* MBEDTLS_X509_CRT_WRITE_C */
667
668 #ifdef __cplusplus
669 }
670 #endif
671
672 #endif /* mbedtls_x509_crt.h */
Impressum, Datenschutz