The X.509 module provides X.509 support which includes:
More...
|
typedef struct _x509_crt | x509_crt |
| Container for an X.509 certificate. More...
|
|
typedef struct _x509write_cert | x509write_cert |
| Container for writing a certificate (CRT) More...
|
|
int | x509_crt_parse_der (x509_crt *chain, const unsigned char *buf, size_t buflen) |
| Parse a single DER formatted certificate and add it to the chained list. More...
|
|
int | x509_crt_parse (x509_crt *chain, const unsigned char *buf, size_t buflen) |
| Parse one or more certificates and add them to the chained list. More...
|
|
int | x509_crt_parse_file (x509_crt *chain, const char *path) |
| Load one or more certificates and add them to the chained list. More...
|
|
int | x509_crt_parse_path (x509_crt *chain, const char *path) |
| Load one or more certificate files from a path and add them to the chained list. More...
|
|
int | x509_crt_info (char *buf, size_t size, const char *prefix, const x509_crt *crt) |
| Returns an informational string about the certificate. More...
|
|
int | x509_crt_verify (x509_crt *crt, x509_crt *trust_ca, x509_crl *ca_crl, const char *cn, int *flags, int(*f_vrfy)(void *, x509_crt *, int, int *), void *p_vrfy) |
| Verify the certificate signature. More...
|
|
int | x509_crt_check_key_usage (const x509_crt *crt, int usage) |
| Check usage of certificate against keyUsage extension. More...
|
|
int | x509_crt_check_extended_key_usage (const x509_crt *crt, const char *usage_oid, size_t usage_len) |
| Check usage of certificate against extentedJeyUsage. More...
|
|
int | x509_crt_revoked (const x509_crt *crt, const x509_crl *crl) |
| Verify the certificate revocation status. More...
|
|
void | x509_crt_init (x509_crt *crt) |
| Initialize a certificate (chain) More...
|
|
void | x509_crt_free (x509_crt *crt) |
| Unallocate all certificate data. More...
|
|
#define | X509_CRT_VERSION_1 0 |
|
#define | X509_CRT_VERSION_2 1 |
|
#define | X509_CRT_VERSION_3 2 |
|
#define | X509_RFC5280_MAX_SERIAL_LEN 32 |
|
#define | X509_RFC5280_UTC_TIME_LEN 15 |
|
The X.509 module provides X.509 support which includes:
This module can be used to build a certificate authority (CA) chain and verify its signature. It is also used to generate Certificate Signing Requests and X509 certificates just as a CA would do.
#define BADCERT_CN_MISMATCH 0x04 |
The certificate Common Name (CN) does not match with the expected CN.
Definition at line 78 of file x509.h.
#define BADCERT_EXPIRED 0x01 |
The certificate validity has expired.
Definition at line 76 of file x509.h.
#define BADCERT_FUTURE 0x0200 |
The certificate validity starts in the future.
Definition at line 85 of file x509.h.
#define BADCERT_MISSING 0x40 |
Certificate was missing.
Definition at line 82 of file x509.h.
#define BADCERT_NOT_TRUSTED 0x08 |
The certificate is not correctly signed by the trusted CA.
Definition at line 79 of file x509.h.
#define BADCERT_OTHER 0x0100 |
Other reason (can be used by verify callback)
Definition at line 84 of file x509.h.
#define BADCERT_REVOKED 0x02 |
The certificate has been revoked (is on a CRL).
Definition at line 77 of file x509.h.
#define BADCERT_SKIP_VERIFY 0x80 |
Certificate verification was skipped.
Definition at line 83 of file x509.h.
#define BADCRL_EXPIRED 0x20 |
CRL is expired.
Definition at line 81 of file x509.h.
#define BADCRL_FUTURE 0x0400 |
The CRL is from the future.
Definition at line 86 of file x509.h.
#define BADCRL_NOT_TRUSTED 0x10 |
CRL is not correctly signed by the trusted CA.
Definition at line 80 of file x509.h.
#define POLARSSL_ERR_X509_BAD_INPUT_DATA -0x2800 |
Input invalid.
Definition at line 67 of file x509.h.
#define POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT -0x2780 |
Format not recognized as DER or PEM.
Definition at line 66 of file x509.h.
#define POLARSSL_ERR_X509_CERT_VERIFY_FAILED -0x2700 |
Certificate verification failed, e.g.
CRL, CA or signature check failed.
Definition at line 65 of file x509.h.
#define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE -0x2080 |
Unavailable feature, e.g.
RSA hashing/encryption combination.
Definition at line 52 of file x509.h.
#define POLARSSL_ERR_X509_FILE_IO_ERROR -0x2900 |
Read/write of file failed.
Definition at line 69 of file x509.h.
#define POLARSSL_ERR_X509_INVALID_ALG -0x2300 |
The algorithm tag or value is invalid.
Definition at line 57 of file x509.h.
#define POLARSSL_ERR_X509_INVALID_DATE -0x2400 |
The date tag or value is invalid.
Definition at line 59 of file x509.h.
#define POLARSSL_ERR_X509_INVALID_EXTENSIONS -0x2500 |
The extension tag or value is invalid.
Definition at line 61 of file x509.h.
#define POLARSSL_ERR_X509_INVALID_FORMAT -0x2180 |
The CRT/CRL/CSR format is invalid, e.g.
different type expected.
Definition at line 54 of file x509.h.
#define POLARSSL_ERR_X509_INVALID_NAME -0x2380 |
The name tag or value is invalid.
Definition at line 58 of file x509.h.
#define POLARSSL_ERR_X509_INVALID_SERIAL -0x2280 |
The serial tag or value is invalid.
Definition at line 56 of file x509.h.
#define POLARSSL_ERR_X509_INVALID_SIGNATURE -0x2480 |
The signature tag or value invalid.
Definition at line 60 of file x509.h.
#define POLARSSL_ERR_X509_INVALID_VERSION -0x2200 |
The CRT/CRL/CSR version element is invalid.
Definition at line 55 of file x509.h.
#define POLARSSL_ERR_X509_MALLOC_FAILED -0x2880 |
Allocation of memory failed.
Definition at line 68 of file x509.h.
#define POLARSSL_ERR_X509_SIG_MISMATCH -0x2680 |
Signature algorithms do not match.
(see x509_crt
sig_oid)
Definition at line 64 of file x509.h.
#define POLARSSL_ERR_X509_UNKNOWN_OID -0x2100 |
Requested OID is unknown.
Definition at line 53 of file x509.h.
#define POLARSSL_ERR_X509_UNKNOWN_SIG_ALG -0x2600 |
Signature algorithm (oid) is unsupported.
Definition at line 63 of file x509.h.
#define POLARSSL_ERR_X509_UNKNOWN_VERSION -0x2580 |
CRT/CRL/CSR has an unsupported version number.
Definition at line 62 of file x509.h.
#define X509_CRT_VERSION_1 0 |
#define X509_CRT_VERSION_2 1 |
#define X509_CRT_VERSION_3 2 |
#define X509_RFC5280_MAX_SERIAL_LEN 32 |
#define X509_RFC5280_UTC_TIME_LEN 15 |
Container for ASN1 bit strings.
Definition at line 167 of file x509.h.
Type-length-value structure that allows for ASN1 using DER.
Definition at line 162 of file x509.h.
Certificate revocation list structure.
Every CRL may have multiple entries.
Certificate revocation list entry.
Contains the CA-specific serial numbers and revocation dates.
Container for an X.509 certificate.
The certificate may be chained.
Certificate Signing Request (CSR) structure.
Container for ASN1 named information objects.
It allows for Relative Distinguished Names (e.g. cn=polarssl,ou=code,etc.).
Definition at line 173 of file x509.h.
Container for a sequence of ASN.1 items.
Definition at line 178 of file x509.h.
Container for date and time (precision in seconds).
Container for writing a certificate (CRT)
Container for writing a CSR.
int dhm_parse_dhm |
( |
dhm_context * |
dhm, |
|
|
const unsigned char * |
dhmin, |
|
|
size_t |
dhminlen |
|
) |
| |
Parse DHM parameters.
- Parameters
-
dhm | DHM context to be initialized |
dhmin | input buffer |
dhminlen | size of the buffer |
- Returns
- 0 if successful, or a specific DHM or PEM error code
int dhm_parse_dhmfile |
( |
dhm_context * |
dhm, |
|
|
const char * |
path |
|
) |
| |
Load and parse DHM parameters.
- Parameters
-
dhm | DHM context to be initialized |
path | filename to read the DHM Parameters from |
- Returns
- 0 if successful, or a specific DHM or PEM error code
Unallocate all CRL data.
- Parameters
-
int x509_crl_info |
( |
char * |
buf, |
|
|
size_t |
size, |
|
|
const char * |
prefix, |
|
|
const x509_crl * |
crl |
|
) |
| |
Returns an informational string about the CRL.
- Parameters
-
buf | Buffer to write to |
size | Maximum size of buffer |
prefix | A line prefix |
crl | The X509 CRL to represent |
- Returns
- The amount of data written to the buffer, or -1 in case of an error.
Referenced by x509parse_crl_info().
Initialize a CRL (chain)
- Parameters
-
crl | CRL chain to initialize |
int x509_crl_parse |
( |
x509_crl * |
chain, |
|
|
const unsigned char * |
buf, |
|
|
size_t |
buflen |
|
) |
| |
Parse one or more CRLs and add them to the chained list.
- Parameters
-
chain | points to the start of the chain |
buf | buffer holding the CRL data |
buflen | size of the buffer |
- Returns
- 0 if successful, or a specific X509 or PEM error code
Referenced by x509parse_crl().
int x509_crl_parse_file |
( |
x509_crl * |
chain, |
|
|
const char * |
path |
|
) |
| |
Load one or more CRLs and add them to the chained list.
- Parameters
-
chain | points to the start of the chain |
path | filename to read the CRLs from |
- Returns
- 0 if successful, or a specific X509 or PEM error code
Referenced by x509parse_crlfile().
int x509_crt_check_extended_key_usage |
( |
const x509_crt * |
crt, |
|
|
const char * |
usage_oid, |
|
|
size_t |
usage_len |
|
) |
| |
Check usage of certificate against extentedJeyUsage.
- Parameters
-
crt | Leaf certificate used. |
usage_oid | Intended usage (eg OID_SERVER_AUTH or OID_CLIENT_AUTH). |
usage_len | Length of usage_oid (eg given by OID_SIZE()). |
- Returns
- 0 is this use of the certificate is allowed, POLARSSL_ERR_X509_BAD_INPUT_DATA if not.
- Note
- Usually only makes sense on leaf certificates.
int x509_crt_check_key_usage |
( |
const x509_crt * |
crt, |
|
|
int |
usage |
|
) |
| |
Check usage of certificate against keyUsage extension.
- Parameters
-
crt | Leaf certificate used. |
usage | Intended usage(s) (eg KU_KEY_ENCIPHERMENT before using the certificate to perform an RSA key exchange). |
- Returns
- 0 is these uses of the certificate are allowed, POLARSSL_ERR_X509_BAD_INPUT_DATA if the keyUsage extension is present but does not contain all the bits set in the usage argument.
- Note
- You should only call this function on leaf certificates, on (intermediate) CAs the keyUsage extension is automatically checked by
x509_crt_verify()
.
Unallocate all certificate data.
- Parameters
-
crt | Certificate chain to free |
Referenced by x509_free().
int x509_crt_info |
( |
char * |
buf, |
|
|
size_t |
size, |
|
|
const char * |
prefix, |
|
|
const x509_crt * |
crt |
|
) |
| |
Returns an informational string about the certificate.
- Parameters
-
buf | Buffer to write to |
size | Maximum size of buffer |
prefix | A line prefix |
crt | The X509 certificate to represent |
- Returns
- The amount of data written to the buffer, or -1 in case of an error.
Referenced by x509parse_cert_info().
Initialize a certificate (chain)
- Parameters
-
crt | Certificate chain to initialize |
int x509_crt_parse |
( |
x509_crt * |
chain, |
|
|
const unsigned char * |
buf, |
|
|
size_t |
buflen |
|
) |
| |
Parse one or more certificates and add them to the chained list.
Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.
- Parameters
-
chain | points to the start of the chain |
buf | buffer holding the certificate data |
buflen | size of the buffer |
- Returns
- 0 if all certificates parsed successfully, a positive number if partly successful or a specific X509 or PEM error code
Referenced by x509parse_crt().
int x509_crt_parse_der |
( |
x509_crt * |
chain, |
|
|
const unsigned char * |
buf, |
|
|
size_t |
buflen |
|
) |
| |
Parse a single DER formatted certificate and add it to the chained list.
- Parameters
-
chain | points to the start of the chain |
buf | buffer holding the certificate DER data |
buflen | size of the buffer |
- Returns
- 0 if successful, or a specific X509 or PEM error code
Referenced by x509parse_crt_der().
int x509_crt_parse_file |
( |
x509_crt * |
chain, |
|
|
const char * |
path |
|
) |
| |
Load one or more certificates and add them to the chained list.
Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.
- Parameters
-
chain | points to the start of the chain |
path | filename to read the certificates from |
- Returns
- 0 if all certificates parsed successfully, a positive number if partly successful or a specific X509 or PEM error code
Referenced by x509parse_crtfile().
int x509_crt_parse_path |
( |
x509_crt * |
chain, |
|
|
const char * |
path |
|
) |
| |
Load one or more certificate files from a path and add them to the chained list.
Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.
- Warning
- This function is NOT thread-safe unless POLARSSL_THREADING_PTHREADS is defined. If you're using an alternative threading implementation, you should either use this function only in the main thread, or mutex it.
- Parameters
-
chain | points to the start of the chain |
path | directory / folder to read the certificate files from |
- Returns
- 0 if all certificates parsed successfully, a positive number if partly successful or a specific X509 or PEM error code
Referenced by x509parse_crtpath().
Verify the certificate revocation status.
- Parameters
-
crt | a certificate to be verified |
crl | the CRL to verify against |
- Returns
- 1 if the certificate is revoked, 0 otherwise
Referenced by x509parse_revoked().
int x509_crt_verify |
( |
x509_crt * |
crt, |
|
|
x509_crt * |
trust_ca, |
|
|
x509_crl * |
ca_crl, |
|
|
const char * |
cn, |
|
|
int * |
flags, |
|
|
int(*)(void *, x509_crt *, int, int *) |
f_vrfy, |
|
|
void * |
p_vrfy |
|
) |
| |
Verify the certificate signature.
The verify callback is a user-supplied callback that can clear / modify / add flags for a certificate. If set, the verification callback is called for each certificate in the chain (from the trust-ca down to the presented crt). The parameters for the callback are: (void *parameter, x509_crt *crt, int certificate_depth, int *flags). With the flags representing current flags for that specific certificate and the certificate depth from the bottom (Peer cert depth = 0).
All flags left after returning from the callback are also returned to the application. The function should return 0 for anything but a fatal error.
- Parameters
-
crt | a certificate to be verified |
trust_ca | the trusted CA chain |
ca_crl | the CRL chain for trusted CA's |
cn | expected Common Name (can be set to NULL if the CN must not be verified) |
flags | result of the verification |
f_vrfy | verification function |
p_vrfy | verification parameter |
- Returns
- 0 if successful or POLARSSL_ERR_X509_SIG_VERIFY_FAILED, in which case *flags will have one or more of the following values set: BADCERT_EXPIRED – BADCERT_REVOKED – BADCERT_CN_MISMATCH – BADCERT_NOT_TRUSTED or another error in case of a fatal error encountered during the verification process.
Referenced by x509parse_verify().
Unallocate all CSR data.
- Parameters
-
int x509_csr_info |
( |
char * |
buf, |
|
|
size_t |
size, |
|
|
const char * |
prefix, |
|
|
const x509_csr * |
csr |
|
) |
| |
Returns an informational string about the CSR.
- Parameters
-
buf | Buffer to write to |
size | Maximum size of buffer |
prefix | A line prefix |
csr | The X509 CSR to represent |
- Returns
- The length of the string written (exluding the terminating null byte), or a negative value in case of an error.
Referenced by x509parse_csr_info().
Initialize a CSR.
- Parameters
-
int x509_csr_parse |
( |
x509_csr * |
csr, |
|
|
const unsigned char * |
buf, |
|
|
size_t |
buflen |
|
) |
| |
Load a Certificate Signing Request (CSR), DER or PEM format.
- Parameters
-
csr | CSR context to fill |
buf | buffer holding the CRL data |
buflen | size of the buffer |
- Returns
- 0 if successful, or a specific X509 or PEM error code
Referenced by x509parse_csr().
int x509_csr_parse_der |
( |
x509_csr * |
csr, |
|
|
const unsigned char * |
buf, |
|
|
size_t |
buflen |
|
) |
| |
Load a Certificate Signing Request (CSR) in DER format.
- Parameters
-
csr | CSR context to fill |
buf | buffer holding the CRL data |
buflen | size of the buffer |
- Returns
- 0 if successful, or a specific X509 error code
int x509_csr_parse_file |
( |
x509_csr * |
csr, |
|
|
const char * |
path |
|
) |
| |
Load a Certificate Signing Request (CSR)
- Parameters
-
csr | CSR context to fill |
path | filename to read the CSR from |
- Returns
- 0 if successful, or a specific X509 or PEM error code
Referenced by x509parse_csrfile().