RetroArch
Classes | Macros | Functions
X509_module

Classes

struct  mbedtls_x509_time
 
struct  mbedtls_x509_crl_entry
 
struct  mbedtls_x509_crl
 
struct  mbedtls_x509_crt
 
struct  mbedtls_x509_crt_profile
 
struct  mbedtls_x509write_cert
 
struct  mbedtls_x509_csr
 
struct  mbedtls_x509write_csr
 

Macros

#define MBEDTLS_X509_MAX_INTERMEDIATE_CA   8
 

Functions

int mbedtls_dhm_parse_dhm (mbedtls_dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen)
 Parse DHM parameters in PEM or DER format. More...
 
int mbedtls_dhm_parse_dhmfile (mbedtls_dhm_context *dhm, const char *path)
 Load and parse DHM parameters. More...
 

X509 Error codes

#define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE   -0x2080
 
#define MBEDTLS_ERR_X509_UNKNOWN_OID   -0x2100
 
#define MBEDTLS_ERR_X509_INVALID_FORMAT   -0x2180
 
#define MBEDTLS_ERR_X509_INVALID_VERSION   -0x2200
 
#define MBEDTLS_ERR_X509_INVALID_SERIAL   -0x2280
 
#define MBEDTLS_ERR_X509_INVALID_ALG   -0x2300
 
#define MBEDTLS_ERR_X509_INVALID_NAME   -0x2380
 
#define MBEDTLS_ERR_X509_INVALID_DATE   -0x2400
 
#define MBEDTLS_ERR_X509_INVALID_SIGNATURE   -0x2480
 
#define MBEDTLS_ERR_X509_INVALID_EXTENSIONS   -0x2500
 
#define MBEDTLS_ERR_X509_UNKNOWN_VERSION   -0x2580
 
#define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG   -0x2600
 
#define MBEDTLS_ERR_X509_SIG_MISMATCH   -0x2680
 
#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED   -0x2700
 
#define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT   -0x2780
 
#define MBEDTLS_ERR_X509_BAD_INPUT_DATA   -0x2800
 
#define MBEDTLS_ERR_X509_ALLOC_FAILED   -0x2880
 
#define MBEDTLS_ERR_X509_FILE_IO_ERROR   -0x2900
 
#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL   -0x2980
 

X509 Verify codes

#define MBEDTLS_X509_BADCERT_EXPIRED   0x01
 
#define MBEDTLS_X509_BADCERT_REVOKED   0x02
 
#define MBEDTLS_X509_BADCERT_CN_MISMATCH   0x04
 
#define MBEDTLS_X509_BADCERT_NOT_TRUSTED   0x08
 
#define MBEDTLS_X509_BADCRL_NOT_TRUSTED   0x10
 
#define MBEDTLS_X509_BADCRL_EXPIRED   0x20
 
#define MBEDTLS_X509_BADCERT_MISSING   0x40
 
#define MBEDTLS_X509_BADCERT_SKIP_VERIFY   0x80
 
#define MBEDTLS_X509_BADCERT_OTHER   0x0100
 
#define MBEDTLS_X509_BADCERT_FUTURE   0x0200
 
#define MBEDTLS_X509_BADCRL_FUTURE   0x0400
 
#define MBEDTLS_X509_BADCERT_KEY_USAGE   0x0800
 
#define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE   0x1000
 
#define MBEDTLS_X509_BADCERT_NS_CERT_TYPE   0x2000
 
#define MBEDTLS_X509_BADCERT_BAD_MD   0x4000
 
#define MBEDTLS_X509_BADCERT_BAD_PK   0x8000
 
#define MBEDTLS_X509_BADCERT_BAD_KEY   0x010000
 
#define MBEDTLS_X509_BADCRL_BAD_MD   0x020000
 
#define MBEDTLS_X509_BADCRL_BAD_PK   0x040000
 
#define MBEDTLS_X509_BADCRL_BAD_KEY   0x080000
 

Structures for parsing X.509 certificates, CRLs and CSRs

typedef mbedtls_asn1_buf mbedtls_x509_buf
 
typedef mbedtls_asn1_bitstring mbedtls_x509_bitstring
 
typedef mbedtls_asn1_named_data mbedtls_x509_name
 
typedef mbedtls_asn1_sequence mbedtls_x509_sequence
 
typedef struct mbedtls_x509_time mbedtls_x509_time
 

Structures and functions for parsing CRLs

typedef struct mbedtls_x509_crl_entry mbedtls_x509_crl_entry
 
typedef struct mbedtls_x509_crl mbedtls_x509_crl
 
int mbedtls_x509_crl_parse_der (mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen)
 Parse a DER-encoded CRL and append it to the chained list. More...
 
int mbedtls_x509_crl_parse (mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen)
 Parse one or more CRLs and append them to the chained list. More...
 
int mbedtls_x509_crl_parse_file (mbedtls_x509_crl *chain, const char *path)
 Load one or more CRLs and append them to the chained list. More...
 
int mbedtls_x509_crl_info (char *buf, size_t size, const char *prefix, const mbedtls_x509_crl *crl)
 Returns an informational string about the CRL. More...
 
void mbedtls_x509_crl_init (mbedtls_x509_crl *crl)
 Initialize a CRL (chain) More...
 
void mbedtls_x509_crl_free (mbedtls_x509_crl *crl)
 Unallocate all CRL data. More...
 

Structures and functions for parsing and writing X.509 certificates

typedef struct mbedtls_x509_crt mbedtls_x509_crt
 
typedef struct mbedtls_x509write_cert mbedtls_x509write_cert
 
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default
 
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next
 
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb
 
int mbedtls_x509_crt_parse_der (mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
 Parse a single DER formatted certificate and add it to the chained list. More...
 
int mbedtls_x509_crt_parse (mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
 Parse one or more certificates and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned. More...
 
int mbedtls_x509_crt_parse_file (mbedtls_x509_crt *chain, const char *path)
 Load one or more certificates and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned. More...
 
int mbedtls_x509_crt_parse_path (mbedtls_x509_crt *chain, const char *path)
 Load one or more certificate files from a path and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned. More...
 
int mbedtls_x509_crt_info (char *buf, size_t size, const char *prefix, const mbedtls_x509_crt *crt)
 Returns an informational string about the certificate. More...
 
int mbedtls_x509_crt_verify_info (char *buf, size_t size, const char *prefix, uint32_t flags)
 Returns an informational string about the verification status of a certificate. More...
 
int mbedtls_x509_crt_verify (mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
 Verify the certificate signature. More...
 
int mbedtls_x509_crt_verify_with_profile (mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
 Verify the certificate signature according to profile. More...
 
int mbedtls_x509_crt_check_key_usage (const mbedtls_x509_crt *crt, unsigned int usage)
 Check usage of certificate against keyUsage extension. More...
 
int mbedtls_x509_crt_check_extended_key_usage (const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len)
 Check usage of certificate against extentedJeyUsage. More...
 
int mbedtls_x509_crt_is_revoked (const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl)
 Verify the certificate revocation status. More...
 
void mbedtls_x509_crt_init (mbedtls_x509_crt *crt)
 Initialize a certificate (chain) More...
 
void mbedtls_x509_crt_free (mbedtls_x509_crt *crt)
 Unallocate all certificate data. More...
 
#define MBEDTLS_X509_ID_FLAG(id)   ( 1 << ( id - 1 ) )
 
#define MBEDTLS_X509_CRT_VERSION_1   0
 
#define MBEDTLS_X509_CRT_VERSION_2   1
 
#define MBEDTLS_X509_CRT_VERSION_3   2
 
#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN   32
 
#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN   15
 
#define MBEDTLS_X509_MAX_FILE_PATH_LEN   512
 

Structures and functions for X.509 Certificate Signing Requests (CSR)

typedef struct mbedtls_x509_csr mbedtls_x509_csr
 
typedef struct mbedtls_x509write_csr mbedtls_x509write_csr
 
int mbedtls_x509_csr_parse_der (mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen)
 Load a Certificate Signing Request (CSR) in DER format. More...
 
int mbedtls_x509_csr_parse (mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen)
 Load a Certificate Signing Request (CSR), DER or PEM format. More...
 
int mbedtls_x509_csr_parse_file (mbedtls_x509_csr *csr, const char *path)
 Load a Certificate Signing Request (CSR) More...
 
int mbedtls_x509_csr_info (char *buf, size_t size, const char *prefix, const mbedtls_x509_csr *csr)
 Returns an informational string about the CSR. More...
 
void mbedtls_x509_csr_init (mbedtls_x509_csr *csr)
 Initialize a CSR. More...
 
void mbedtls_x509_csr_free (mbedtls_x509_csr *csr)
 Unallocate all CSR data. More...
 

Detailed Description

Macro Definition Documentation

◆ MBEDTLS_ERR_X509_ALLOC_FAILED

#define MBEDTLS_ERR_X509_ALLOC_FAILED   -0x2880

Allocation of memory failed.

◆ MBEDTLS_ERR_X509_BAD_INPUT_DATA

#define MBEDTLS_ERR_X509_BAD_INPUT_DATA   -0x2800

Input invalid.

◆ MBEDTLS_ERR_X509_BUFFER_TOO_SMALL

#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL   -0x2980

Destination buffer is too small.

◆ MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT

#define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT   -0x2780

Format not recognized as DER or PEM.

◆ MBEDTLS_ERR_X509_CERT_VERIFY_FAILED

#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED   -0x2700

Certificate verification failed, e.g. CRL, CA or signature check failed.

◆ MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE

#define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE   -0x2080

Unavailable feature, e.g. RSA hashing/encryption combination.

◆ MBEDTLS_ERR_X509_FILE_IO_ERROR

#define MBEDTLS_ERR_X509_FILE_IO_ERROR   -0x2900

Read/write of file failed.

◆ MBEDTLS_ERR_X509_INVALID_ALG

#define MBEDTLS_ERR_X509_INVALID_ALG   -0x2300

The algorithm tag or value is invalid.

◆ MBEDTLS_ERR_X509_INVALID_DATE

#define MBEDTLS_ERR_X509_INVALID_DATE   -0x2400

The date tag or value is invalid.

◆ MBEDTLS_ERR_X509_INVALID_EXTENSIONS

#define MBEDTLS_ERR_X509_INVALID_EXTENSIONS   -0x2500

The extension tag or value is invalid.

◆ MBEDTLS_ERR_X509_INVALID_FORMAT

#define MBEDTLS_ERR_X509_INVALID_FORMAT   -0x2180

The CRT/CRL/CSR format is invalid, e.g. different type expected.

◆ MBEDTLS_ERR_X509_INVALID_NAME

#define MBEDTLS_ERR_X509_INVALID_NAME   -0x2380

The name tag or value is invalid.

◆ MBEDTLS_ERR_X509_INVALID_SERIAL

#define MBEDTLS_ERR_X509_INVALID_SERIAL   -0x2280

The serial tag or value is invalid.

◆ MBEDTLS_ERR_X509_INVALID_SIGNATURE

#define MBEDTLS_ERR_X509_INVALID_SIGNATURE   -0x2480

The signature tag or value invalid.

◆ MBEDTLS_ERR_X509_INVALID_VERSION

#define MBEDTLS_ERR_X509_INVALID_VERSION   -0x2200

The CRT/CRL/CSR version element is invalid.

◆ MBEDTLS_ERR_X509_SIG_MISMATCH

#define MBEDTLS_ERR_X509_SIG_MISMATCH   -0x2680

Signature algorithms do not match. (see mbedtls_x509_crt sig_oid)

◆ MBEDTLS_ERR_X509_UNKNOWN_OID

#define MBEDTLS_ERR_X509_UNKNOWN_OID   -0x2100

Requested OID is unknown.

◆ MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG

#define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG   -0x2600

Signature algorithm (oid) is unsupported.

◆ MBEDTLS_ERR_X509_UNKNOWN_VERSION

#define MBEDTLS_ERR_X509_UNKNOWN_VERSION   -0x2580

CRT/CRL/CSR has an unsupported version number.

◆ MBEDTLS_X509_BADCERT_BAD_KEY

#define MBEDTLS_X509_BADCERT_BAD_KEY   0x010000

The certificate is signed with an unacceptable key (eg bad curve, RSA too short).

◆ MBEDTLS_X509_BADCERT_BAD_MD

#define MBEDTLS_X509_BADCERT_BAD_MD   0x4000

The certificate is signed with an unacceptable hash.

◆ MBEDTLS_X509_BADCERT_BAD_PK

#define MBEDTLS_X509_BADCERT_BAD_PK   0x8000

The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA).

◆ MBEDTLS_X509_BADCERT_CN_MISMATCH

#define MBEDTLS_X509_BADCERT_CN_MISMATCH   0x04

The certificate Common Name (CN) does not match with the expected CN.

◆ MBEDTLS_X509_BADCERT_EXPIRED

#define MBEDTLS_X509_BADCERT_EXPIRED   0x01

The certificate validity has expired.

◆ MBEDTLS_X509_BADCERT_EXT_KEY_USAGE

#define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE   0x1000

Usage does not match the extendedKeyUsage extension.

◆ MBEDTLS_X509_BADCERT_FUTURE

#define MBEDTLS_X509_BADCERT_FUTURE   0x0200

The certificate validity starts in the future.

◆ MBEDTLS_X509_BADCERT_KEY_USAGE

#define MBEDTLS_X509_BADCERT_KEY_USAGE   0x0800

Usage does not match the keyUsage extension.

◆ MBEDTLS_X509_BADCERT_MISSING

#define MBEDTLS_X509_BADCERT_MISSING   0x40

Certificate was missing.

◆ MBEDTLS_X509_BADCERT_NOT_TRUSTED

#define MBEDTLS_X509_BADCERT_NOT_TRUSTED   0x08

The certificate is not correctly signed by the trusted CA.

◆ MBEDTLS_X509_BADCERT_NS_CERT_TYPE

#define MBEDTLS_X509_BADCERT_NS_CERT_TYPE   0x2000

Usage does not match the nsCertType extension.

◆ MBEDTLS_X509_BADCERT_OTHER

#define MBEDTLS_X509_BADCERT_OTHER   0x0100

Other reason (can be used by verify callback)

◆ MBEDTLS_X509_BADCERT_REVOKED

#define MBEDTLS_X509_BADCERT_REVOKED   0x02

The certificate has been revoked (is on a CRL).

◆ MBEDTLS_X509_BADCERT_SKIP_VERIFY

#define MBEDTLS_X509_BADCERT_SKIP_VERIFY   0x80

Certificate verification was skipped.

◆ MBEDTLS_X509_BADCRL_BAD_KEY

#define MBEDTLS_X509_BADCRL_BAD_KEY   0x080000

The CRL is signed with an unacceptable key (eg bad curve, RSA too short).

◆ MBEDTLS_X509_BADCRL_BAD_MD

#define MBEDTLS_X509_BADCRL_BAD_MD   0x020000

The CRL is signed with an unacceptable hash.

◆ MBEDTLS_X509_BADCRL_BAD_PK

#define MBEDTLS_X509_BADCRL_BAD_PK   0x040000

The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA).

◆ MBEDTLS_X509_BADCRL_EXPIRED

#define MBEDTLS_X509_BADCRL_EXPIRED   0x20

The CRL is expired.

◆ MBEDTLS_X509_BADCRL_FUTURE

#define MBEDTLS_X509_BADCRL_FUTURE   0x0400

The CRL is from the future

◆ MBEDTLS_X509_BADCRL_NOT_TRUSTED

#define MBEDTLS_X509_BADCRL_NOT_TRUSTED   0x10

The CRL is not correctly signed by the trusted CA.

◆ MBEDTLS_X509_CRT_VERSION_1

#define MBEDTLS_X509_CRT_VERSION_1   0

◆ MBEDTLS_X509_CRT_VERSION_2

#define MBEDTLS_X509_CRT_VERSION_2   1

◆ MBEDTLS_X509_CRT_VERSION_3

#define MBEDTLS_X509_CRT_VERSION_3   2

◆ MBEDTLS_X509_ID_FLAG

#define MBEDTLS_X509_ID_FLAG (   id)    ( 1 << ( id - 1 ) )

Build flag from an algorithm/curve identifier (pk, md, ecp) Since 0 is always XXX_NONE, ignore it.

◆ MBEDTLS_X509_MAX_FILE_PATH_LEN

#define MBEDTLS_X509_MAX_FILE_PATH_LEN   512

◆ MBEDTLS_X509_MAX_INTERMEDIATE_CA

#define MBEDTLS_X509_MAX_INTERMEDIATE_CA   8

Maximum number of intermediate CAs in a verification chain. That is, maximum length of the chain, excluding the end-entity certificate and the trusted root certificate.

Set this to a low value to prevent an adversary from making you waste resources verifying an overlong certificate chain.

◆ MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN

#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN   32

◆ MBEDTLS_X509_RFC5280_UTC_TIME_LEN

#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN   15

Typedef Documentation

◆ mbedtls_x509_bitstring

Container for ASN1 bit strings.

◆ mbedtls_x509_buf

Type-length-value structure that allows for ASN1 using DER.

◆ mbedtls_x509_crl

Certificate revocation list structure. Every CRL may have multiple entries.

◆ mbedtls_x509_crl_entry

Certificate revocation list entry. Contains the CA-specific serial numbers and revocation dates.

◆ mbedtls_x509_crt

Container for an X.509 certificate. The certificate may be chained.

◆ mbedtls_x509_csr

Certificate Signing Request (CSR) structure.

◆ mbedtls_x509_name

Container for ASN1 named information objects. It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.).

◆ mbedtls_x509_sequence

Container for a sequence of ASN.1 items

◆ mbedtls_x509_time

Container for date and time (precision in seconds).

◆ mbedtls_x509write_cert

Container for writing a certificate (CRT)

◆ mbedtls_x509write_csr

Container for writing a CSR

Function Documentation

◆ mbedtls_dhm_parse_dhm()

int mbedtls_dhm_parse_dhm ( mbedtls_dhm_context dhm,
const unsigned char *  dhmin,
size_t  dhminlen 
)

Parse DHM parameters in PEM or DER format.

Parameters
dhmDHM context to be initialized
dhmininput buffer
dhminlensize of the buffer (including the terminating null byte for PEM data)
Returns
0 if successful, or a specific DHM or PEM error code
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mbedtls_dhm_parse_dhmfile()

int mbedtls_dhm_parse_dhmfile ( mbedtls_dhm_context dhm,
const char *  path 
)

Load and parse DHM parameters.

Parameters
dhmDHM context to be initialized
pathfilename to read the DHM Parameters from
Returns
0 if successful, or a specific DHM or PEM error code
Here is the call graph for this function:

◆ mbedtls_x509_crl_free()

void mbedtls_x509_crl_free ( mbedtls_x509_crl crl)

Unallocate all CRL data.

Parameters
crlCRL chain to free
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mbedtls_x509_crl_info()

int mbedtls_x509_crl_info ( char *  buf,
size_t  size,
const char *  prefix,
const mbedtls_x509_crl crl 
)

Returns an informational string about the CRL.

Parameters
bufBuffer to write to
sizeMaximum size of buffer
prefixA line prefix
crlThe X509 CRL to represent
Returns
The length of the string written (not including the terminated nul byte), or a negative error code.
Here is the call graph for this function:

◆ mbedtls_x509_crl_init()

void mbedtls_x509_crl_init ( mbedtls_x509_crl crl)

Initialize a CRL (chain)

Parameters
crlCRL chain to initialize
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mbedtls_x509_crl_parse()

int mbedtls_x509_crl_parse ( mbedtls_x509_crl chain,
const unsigned char *  buf,
size_t  buflen 
)

Parse one or more CRLs and append them to the chained list.

Note
Mutliple CRLs are accepted only if using PEM format
Parameters
chainpoints to the start of the chain
bufbuffer holding the CRL data in PEM or DER format
buflensize of the buffer (including the terminating null byte for PEM data)
Returns
0 if successful, or a specific X509 or PEM error code
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mbedtls_x509_crl_parse_der()

int mbedtls_x509_crl_parse_der ( mbedtls_x509_crl chain,
const unsigned char *  buf,
size_t  buflen 
)

Parse a DER-encoded CRL and append it to the chained list.

Parameters
chainpoints to the start of the chain
bufbuffer holding the CRL data in DER format
buflensize of the buffer (including the terminating null byte for PEM data)
Returns
0 if successful, or a specific X509 or PEM error code
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mbedtls_x509_crl_parse_file()

int mbedtls_x509_crl_parse_file ( mbedtls_x509_crl chain,
const char *  path 
)

Load one or more CRLs and append them to the chained list.

Note
Mutliple CRLs are accepted only if using PEM format
Parameters
chainpoints to the start of the chain
pathfilename to read the CRLs from (in PEM or DER encoding)
Returns
0 if successful, or a specific X509 or PEM error code
Here is the call graph for this function:

◆ mbedtls_x509_crt_check_extended_key_usage()

int mbedtls_x509_crt_check_extended_key_usage ( const mbedtls_x509_crt crt,
const char *  usage_oid,
size_t  usage_len 
)

Check usage of certificate against extentedJeyUsage.

Parameters
crtLeaf certificate used.
usage_oidIntended usage (eg MBEDTLS_OID_SERVER_AUTH or MBEDTLS_OID_CLIENT_AUTH).
usage_lenLength of usage_oid (eg given by MBEDTLS_OID_SIZE()).
Returns
0 if this use of the certificate is allowed, MBEDTLS_ERR_X509_BAD_INPUT_DATA if not.
Note
Usually only makes sense on leaf certificates.
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mbedtls_x509_crt_check_key_usage()

int mbedtls_x509_crt_check_key_usage ( const mbedtls_x509_crt crt,
unsigned int  usage 
)

Check usage of certificate against keyUsage extension.

Parameters
crtLeaf certificate used.
usageIntended usage(s) (eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT before using the certificate to perform an RSA key exchange).
Note
Except for decipherOnly and encipherOnly, a bit set in the usage argument means this bit MUST be set in the certificate. For decipherOnly and encipherOnly, it means that bit MAY be set.
Returns
0 is these uses of the certificate are allowed, MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension is present but does not match the usage argument.
Note
You should only call this function on leaf certificates, on (intermediate) CAs the keyUsage extension is automatically checked by mbedtls_x509_crt_verify().
Here is the caller graph for this function:

◆ mbedtls_x509_crt_free()

void mbedtls_x509_crt_free ( mbedtls_x509_crt crt)

Unallocate all certificate data.

Parameters
crtCertificate chain to free
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mbedtls_x509_crt_info()

int mbedtls_x509_crt_info ( char *  buf,
size_t  size,
const char *  prefix,
const mbedtls_x509_crt crt 
)

Returns an informational string about the certificate.

Parameters
bufBuffer to write to
sizeMaximum size of buffer
prefixA line prefix
crtThe X509 certificate to represent
Returns
The length of the string written (not including the terminated nul byte), or a negative error code.
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mbedtls_x509_crt_init()

void mbedtls_x509_crt_init ( mbedtls_x509_crt crt)

Initialize a certificate (chain)

Parameters
crtCertificate chain to initialize
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mbedtls_x509_crt_is_revoked()

int mbedtls_x509_crt_is_revoked ( const mbedtls_x509_crt crt,
const mbedtls_x509_crl crl 
)

Verify the certificate revocation status.

Parameters
crta certificate to be verified
crlthe CRL to verify against
Returns
1 if the certificate is revoked, 0 otherwise
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mbedtls_x509_crt_parse()

int mbedtls_x509_crt_parse ( mbedtls_x509_crt chain,
const unsigned char *  buf,
size_t  buflen 
)

Parse one or more certificates and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.

Parameters
chainpoints to the start of the chain
bufbuffer holding the certificate data in PEM or DER format
buflensize of the buffer (including the terminating null byte for PEM data)
Returns
0 if all certificates parsed successfully, a positive number if partly successful or a specific X509 or PEM error code
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mbedtls_x509_crt_parse_der()

int mbedtls_x509_crt_parse_der ( mbedtls_x509_crt chain,
const unsigned char *  buf,
size_t  buflen 
)

Parse a single DER formatted certificate and add it to the chained list.

Parameters
chainpoints to the start of the chain
bufbuffer holding the certificate DER data
buflensize of the buffer
Returns
0 if successful, or a specific X509 or PEM error code
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mbedtls_x509_crt_parse_file()

int mbedtls_x509_crt_parse_file ( mbedtls_x509_crt chain,
const char *  path 
)

Load one or more certificates and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.

Parameters
chainpoints to the start of the chain
pathfilename to read the certificates from
Returns
0 if all certificates parsed successfully, a positive number if partly successful or a specific X509 or PEM error code
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mbedtls_x509_crt_parse_path()

int mbedtls_x509_crt_parse_path ( mbedtls_x509_crt chain,
const char *  path 
)

Load one or more certificate files from a path and add them to the chained list. Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.

Parameters
chainpoints to the start of the chain
pathdirectory / folder to read the certificate files from
Returns
0 if all certificates parsed successfully, a positive number if partly successful or a specific X509 or PEM error code
Here is the call graph for this function:

◆ mbedtls_x509_crt_verify()

int mbedtls_x509_crt_verify ( mbedtls_x509_crt crt,
mbedtls_x509_crt trust_ca,
mbedtls_x509_crl ca_crl,
const char *  cn,
uint32_t flags,
int(*)(void *, mbedtls_x509_crt *, int, uint32_t *)  f_vrfy,
void p_vrfy 
)

Verify the certificate signature.

            The verify callback is a user-supplied callback that
            can clear / modify / add flags for a certificate. If set,
            the verification callback is called for each
            certificate in the chain (from the trust-ca down to the
            presented crt). The parameters for the callback are:
            (void *parameter, mbedtls_x509_crt *crt, int certificate_depth,
            int *flags). With the flags representing current flags for
            that specific certificate and the certificate depth from
            the bottom (Peer cert depth = 0).

            All flags left after returning from the callback
            are also returned to the application. The function should
            return 0 for anything but a fatal error.
Note
In case verification failed, the results can be displayed using mbedtls_x509_crt_verify_info()
Same as mbedtls_x509_crt_verify_with_profile() with the default security profile.
It is your responsibility to provide up-to-date CRLs for all trusted CAs. If no CRL is provided for the CA that was used to sign the certificate, CRL verification is skipped silently, that is without setting any flag.
Parameters
crta certificate (chain) to be verified
trust_cathe list of trusted CAs
ca_crlthe list of CRLs for trusted CAs (see note above)
cnexpected Common Name (can be set to NULL if the CN must not be verified)
flagsresult of the verification
f_vrfyverification function
p_vrfyverification parameter
Returns
0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED in which case *flags will have one or more MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags set, or another error in case of a fatal error encountered during the verification process.
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mbedtls_x509_crt_verify_info()

int mbedtls_x509_crt_verify_info ( char *  buf,
size_t  size,
const char *  prefix,
uint32_t  flags 
)

Returns an informational string about the verification status of a certificate.

Parameters
bufBuffer to write to
sizeMaximum size of buffer
prefixA line prefix
flagsVerification flags created by mbedtls_x509_crt_verify()
Returns
The length of the string written (not including the terminated nul byte), or a negative error code.
Here is the caller graph for this function:

◆ mbedtls_x509_crt_verify_with_profile()

int mbedtls_x509_crt_verify_with_profile ( mbedtls_x509_crt crt,
mbedtls_x509_crt trust_ca,
mbedtls_x509_crl ca_crl,
const mbedtls_x509_crt_profile profile,
const char *  cn,
uint32_t flags,
int(*)(void *, mbedtls_x509_crt *, int, uint32_t *)  f_vrfy,
void p_vrfy 
)

Verify the certificate signature according to profile.

Note
Same as mbedtls_x509_crt_verify(), but with explicit security profile.
The restrictions on keys (RSA minimum size, allowed curves for ECDSA) apply to all certificates: trusted root, intermediate CAs if any, and end entity certificate.
Parameters
crta certificate (chain) to be verified
trust_cathe list of trusted CAs
ca_crlthe list of CRLs for trusted CAs
profilesecurity profile for verification
cnexpected Common Name (can be set to NULL if the CN must not be verified)
flagsresult of the verification
f_vrfyverification function
p_vrfyverification parameter
Returns
0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED in which case *flags will have one or more MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags set, or another error in case of a fatal error encountered during the verification process.
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mbedtls_x509_csr_free()

void mbedtls_x509_csr_free ( mbedtls_x509_csr csr)

Unallocate all CSR data.

Parameters
csrCSR to free
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mbedtls_x509_csr_info()

int mbedtls_x509_csr_info ( char *  buf,
size_t  size,
const char *  prefix,
const mbedtls_x509_csr csr 
)

Returns an informational string about the CSR.

Parameters
bufBuffer to write to
sizeMaximum size of buffer
prefixA line prefix
csrThe X509 CSR to represent
Returns
The length of the string written (not including the terminated nul byte), or a negative error code.
Here is the call graph for this function:

◆ mbedtls_x509_csr_init()

void mbedtls_x509_csr_init ( mbedtls_x509_csr csr)

Initialize a CSR.

Parameters
csrCSR to initialize
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mbedtls_x509_csr_parse()

int mbedtls_x509_csr_parse ( mbedtls_x509_csr csr,
const unsigned char *  buf,
size_t  buflen 
)

Load a Certificate Signing Request (CSR), DER or PEM format.

Note
See notes for mbedtls_x509_csr_parse_der()
Parameters
csrCSR context to fill
bufbuffer holding the CRL data
buflensize of the buffer (including the terminating null byte for PEM data)
Returns
0 if successful, or a specific X509 or PEM error code
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mbedtls_x509_csr_parse_der()

int mbedtls_x509_csr_parse_der ( mbedtls_x509_csr csr,
const unsigned char *  buf,
size_t  buflen 
)

Load a Certificate Signing Request (CSR) in DER format.

Note
CSR attributes (if any) are currently silently ignored.
Parameters
csrCSR context to fill
bufbuffer holding the CRL data
buflensize of the buffer
Returns
0 if successful, or a specific X509 error code
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mbedtls_x509_csr_parse_file()

int mbedtls_x509_csr_parse_file ( mbedtls_x509_csr csr,
const char *  path 
)

Load a Certificate Signing Request (CSR)

Note
See notes for mbedtls_x509_csr_parse()
Parameters
csrCSR context to fill
pathfilename to read the CSR from
Returns
0 if successful, or a specific X509 or PEM error code
Here is the call graph for this function:

Variable Documentation

◆ mbedtls_x509_crt_profile_default

const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default

Default security profile. Should provide a good balance between security and compatibility with current deployments.

◆ mbedtls_x509_crt_profile_next

const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next

Expected next default profile. Recommended for new deployments. Currently targets a 128-bit security level, except for RSA-2048.

◆ mbedtls_x509_crt_profile_suiteb

const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb

NSA Suite B profile.