x509.h File Reference

X.509 generic defines and structures. More...

#include "config.h"
#include "asn1.h"
#include "pk.h"

Classes

struct  mbedtls_x509_time
 

Macros

#define MBEDTLS_X509_MAX_INTERMEDIATE_CA   8
 
#define MBEDTLS_X509_KU_DIGITAL_SIGNATURE   (0x80) /* bit 0 */
 
#define MBEDTLS_X509_KU_NON_REPUDIATION   (0x40) /* bit 1 */
 
#define MBEDTLS_X509_KU_KEY_ENCIPHERMENT   (0x20) /* bit 2 */
 
#define MBEDTLS_X509_KU_DATA_ENCIPHERMENT   (0x10) /* bit 3 */
 
#define MBEDTLS_X509_KU_KEY_AGREEMENT   (0x08) /* bit 4 */
 
#define MBEDTLS_X509_KU_KEY_CERT_SIGN   (0x04) /* bit 5 */
 
#define MBEDTLS_X509_KU_CRL_SIGN   (0x02) /* bit 6 */
 
#define MBEDTLS_X509_KU_ENCIPHER_ONLY   (0x01) /* bit 7 */
 
#define MBEDTLS_X509_KU_DECIPHER_ONLY   (0x8000) /* bit 8 */
 
#define MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT   (0x80) /* bit 0 */
 
#define MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER   (0x40) /* bit 1 */
 
#define MBEDTLS_X509_NS_CERT_TYPE_EMAIL   (0x20) /* bit 2 */
 
#define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING   (0x10) /* bit 3 */
 
#define MBEDTLS_X509_NS_CERT_TYPE_RESERVED   (0x08) /* bit 4 */
 
#define MBEDTLS_X509_NS_CERT_TYPE_SSL_CA   (0x04) /* bit 5 */
 
#define MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA   (0x02) /* bit 6 */
 
#define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA   (0x01) /* bit 7 */
 
#define MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER   (1 << 0)
 
#define MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER   (1 << 1)
 
#define MBEDTLS_X509_EXT_KEY_USAGE   (1 << 2)
 
#define MBEDTLS_X509_EXT_CERTIFICATE_POLICIES   (1 << 3)
 
#define MBEDTLS_X509_EXT_POLICY_MAPPINGS   (1 << 4)
 
#define MBEDTLS_X509_EXT_SUBJECT_ALT_NAME   (1 << 5) /* Supported (DNS) */
 
#define MBEDTLS_X509_EXT_ISSUER_ALT_NAME   (1 << 6)
 
#define MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS   (1 << 7)
 
#define MBEDTLS_X509_EXT_BASIC_CONSTRAINTS   (1 << 8) /* Supported */
 
#define MBEDTLS_X509_EXT_NAME_CONSTRAINTS   (1 << 9)
 
#define MBEDTLS_X509_EXT_POLICY_CONSTRAINTS   (1 << 10)
 
#define MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE   (1 << 11)
 
#define MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS   (1 << 12)
 
#define MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY   (1 << 13)
 
#define MBEDTLS_X509_EXT_FRESHEST_CRL   (1 << 14)
 
#define MBEDTLS_X509_EXT_NS_CERT_TYPE   (1 << 16)
 
#define MBEDTLS_X509_FORMAT_DER   1
 
#define MBEDTLS_X509_FORMAT_PEM   2
 
#define MBEDTLS_X509_MAX_DN_NAME_SIZE   256
 
#define MBEDTLS_X509_SAFE_SNPRINTF
 
X509 Error codes
#define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE   -0x2080
 
#define MBEDTLS_ERR_X509_UNKNOWN_OID   -0x2100
 
#define MBEDTLS_ERR_X509_INVALID_FORMAT   -0x2180
 
#define MBEDTLS_ERR_X509_INVALID_VERSION   -0x2200
 
#define MBEDTLS_ERR_X509_INVALID_SERIAL   -0x2280
 
#define MBEDTLS_ERR_X509_INVALID_ALG   -0x2300
 
#define MBEDTLS_ERR_X509_INVALID_NAME   -0x2380
 
#define MBEDTLS_ERR_X509_INVALID_DATE   -0x2400
 
#define MBEDTLS_ERR_X509_INVALID_SIGNATURE   -0x2480
 
#define MBEDTLS_ERR_X509_INVALID_EXTENSIONS   -0x2500
 
#define MBEDTLS_ERR_X509_UNKNOWN_VERSION   -0x2580
 
#define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG   -0x2600
 
#define MBEDTLS_ERR_X509_SIG_MISMATCH   -0x2680
 
#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED   -0x2700
 
#define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT   -0x2780
 
#define MBEDTLS_ERR_X509_BAD_INPUT_DATA   -0x2800
 
#define MBEDTLS_ERR_X509_ALLOC_FAILED   -0x2880
 
#define MBEDTLS_ERR_X509_FILE_IO_ERROR   -0x2900
 
#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL   -0x2980
 
#define MBEDTLS_ERR_X509_FATAL_ERROR   -0x3000
 
X509 Verify codes
#define MBEDTLS_X509_BADCERT_EXPIRED   0x01
 
#define MBEDTLS_X509_BADCERT_REVOKED   0x02
 
#define MBEDTLS_X509_BADCERT_CN_MISMATCH   0x04
 
#define MBEDTLS_X509_BADCERT_NOT_TRUSTED   0x08
 
#define MBEDTLS_X509_BADCRL_NOT_TRUSTED   0x10
 
#define MBEDTLS_X509_BADCRL_EXPIRED   0x20
 
#define MBEDTLS_X509_BADCERT_MISSING   0x40
 
#define MBEDTLS_X509_BADCERT_SKIP_VERIFY   0x80
 
#define MBEDTLS_X509_BADCERT_OTHER   0x0100
 
#define MBEDTLS_X509_BADCERT_FUTURE   0x0200
 
#define MBEDTLS_X509_BADCRL_FUTURE   0x0400
 
#define MBEDTLS_X509_BADCERT_KEY_USAGE   0x0800
 
#define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE   0x1000
 
#define MBEDTLS_X509_BADCERT_NS_CERT_TYPE   0x2000
 
#define MBEDTLS_X509_BADCERT_BAD_MD   0x4000
 
#define MBEDTLS_X509_BADCERT_BAD_PK   0x8000
 
#define MBEDTLS_X509_BADCERT_BAD_KEY   0x010000
 
#define MBEDTLS_X509_BADCRL_BAD_MD   0x020000
 
#define MBEDTLS_X509_BADCRL_BAD_PK   0x040000
 
#define MBEDTLS_X509_BADCRL_BAD_KEY   0x080000
 

Typedefs

Structures for parsing X.509 certificates, CRLs and CSRs
typedef mbedtls_asn1_buf mbedtls_x509_buf
 
typedef mbedtls_asn1_bitstring mbedtls_x509_bitstring
 
typedef mbedtls_asn1_named_data mbedtls_x509_name
 
typedef mbedtls_asn1_sequence mbedtls_x509_sequence
 
typedef struct mbedtls_x509_time mbedtls_x509_time
 

Functions

int mbedtls_x509_dn_gets (char *buf, size_t size, const mbedtls_x509_name *dn)
 Store the certificate DN in printable form into buf; no more than size characters will be written. More...
 
int mbedtls_x509_serial_gets (char *buf, size_t size, const mbedtls_x509_buf *serial)
 Store the certificate serial in printable form into buf; no more than size characters will be written. More...
 
int mbedtls_x509_time_is_past (const mbedtls_x509_time *to)
 Check a given mbedtls_x509_time against the system time and tell if it's in the past. More...
 
int mbedtls_x509_time_is_future (const mbedtls_x509_time *from)
 Check a given mbedtls_x509_time against the system time and tell if it's in the future. More...
 
int mbedtls_x509_self_test (int verbose)
 Checkup routine. More...
 
int mbedtls_x509_get_name (unsigned char **p, const unsigned char *end, mbedtls_x509_name *cur)
 
int mbedtls_x509_get_alg_null (unsigned char **p, const unsigned char *end, mbedtls_x509_buf *alg)
 
int mbedtls_x509_get_alg (unsigned char **p, const unsigned char *end, mbedtls_x509_buf *alg, mbedtls_x509_buf *params)
 
int mbedtls_x509_get_sig (unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig)
 
int mbedtls_x509_get_sig_alg (const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params, mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg, void **sig_opts)
 
int mbedtls_x509_get_time (unsigned char **p, const unsigned char *end, mbedtls_x509_time *t)
 
int mbedtls_x509_get_serial (unsigned char **p, const unsigned char *end, mbedtls_x509_buf *serial)
 
int mbedtls_x509_get_ext (unsigned char **p, const unsigned char *end, mbedtls_x509_buf *ext, int tag)
 
int mbedtls_x509_sig_alg_gets (char *buf, size_t size, const mbedtls_x509_buf *sig_oid, mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg, const void *sig_opts)
 
int mbedtls_x509_key_size_helper (char *buf, size_t buf_size, const char *name)
 
int mbedtls_x509_string_to_names (mbedtls_asn1_named_data **head, const char *name)
 
int mbedtls_x509_set_extension (mbedtls_asn1_named_data **head, const char *oid, size_t oid_len, int critical, const unsigned char *val, size_t val_len)
 
int mbedtls_x509_write_extensions (unsigned char **p, unsigned char *start, mbedtls_asn1_named_data *first)
 
int mbedtls_x509_write_names (unsigned char **p, unsigned char *start, mbedtls_asn1_named_data *first)
 
int mbedtls_x509_write_sig (unsigned char **p, unsigned char *start, const char *oid, size_t oid_len, unsigned char *sig, size_t size)
 

Detailed Description

X.509 generic defines and structures.

Macro Definition Documentation

◆ MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER

#define MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER   (1 << 0)

◆ MBEDTLS_X509_EXT_BASIC_CONSTRAINTS

#define MBEDTLS_X509_EXT_BASIC_CONSTRAINTS   (1 << 8) /* Supported */

◆ MBEDTLS_X509_EXT_CERTIFICATE_POLICIES

#define MBEDTLS_X509_EXT_CERTIFICATE_POLICIES   (1 << 3)

◆ MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS

#define MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS   (1 << 12)

◆ MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE

#define MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE   (1 << 11)

◆ MBEDTLS_X509_EXT_FRESHEST_CRL

#define MBEDTLS_X509_EXT_FRESHEST_CRL   (1 << 14)

◆ MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY

#define MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY   (1 << 13)

◆ MBEDTLS_X509_EXT_ISSUER_ALT_NAME

#define MBEDTLS_X509_EXT_ISSUER_ALT_NAME   (1 << 6)

◆ MBEDTLS_X509_EXT_KEY_USAGE

#define MBEDTLS_X509_EXT_KEY_USAGE   (1 << 2)

◆ MBEDTLS_X509_EXT_NAME_CONSTRAINTS

#define MBEDTLS_X509_EXT_NAME_CONSTRAINTS   (1 << 9)

◆ MBEDTLS_X509_EXT_NS_CERT_TYPE

#define MBEDTLS_X509_EXT_NS_CERT_TYPE   (1 << 16)

◆ MBEDTLS_X509_EXT_POLICY_CONSTRAINTS

#define MBEDTLS_X509_EXT_POLICY_CONSTRAINTS   (1 << 10)

◆ MBEDTLS_X509_EXT_POLICY_MAPPINGS

#define MBEDTLS_X509_EXT_POLICY_MAPPINGS   (1 << 4)

◆ MBEDTLS_X509_EXT_SUBJECT_ALT_NAME

#define MBEDTLS_X509_EXT_SUBJECT_ALT_NAME   (1 << 5) /* Supported (DNS) */

◆ MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS

#define MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS   (1 << 7)

◆ MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER

#define MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER   (1 << 1)

◆ MBEDTLS_X509_FORMAT_DER

#define MBEDTLS_X509_FORMAT_DER   1

◆ MBEDTLS_X509_FORMAT_PEM

#define MBEDTLS_X509_FORMAT_PEM   2

◆ MBEDTLS_X509_KU_CRL_SIGN

#define MBEDTLS_X509_KU_CRL_SIGN   (0x02) /* bit 6 */

◆ MBEDTLS_X509_KU_DATA_ENCIPHERMENT

#define MBEDTLS_X509_KU_DATA_ENCIPHERMENT   (0x10) /* bit 3 */

◆ MBEDTLS_X509_KU_DECIPHER_ONLY

#define MBEDTLS_X509_KU_DECIPHER_ONLY   (0x8000) /* bit 8 */

◆ MBEDTLS_X509_KU_DIGITAL_SIGNATURE

#define MBEDTLS_X509_KU_DIGITAL_SIGNATURE   (0x80) /* bit 0 */

◆ MBEDTLS_X509_KU_ENCIPHER_ONLY

#define MBEDTLS_X509_KU_ENCIPHER_ONLY   (0x01) /* bit 7 */

◆ MBEDTLS_X509_KU_KEY_AGREEMENT

#define MBEDTLS_X509_KU_KEY_AGREEMENT   (0x08) /* bit 4 */

◆ MBEDTLS_X509_KU_KEY_CERT_SIGN

#define MBEDTLS_X509_KU_KEY_CERT_SIGN   (0x04) /* bit 5 */

◆ MBEDTLS_X509_KU_KEY_ENCIPHERMENT

#define MBEDTLS_X509_KU_KEY_ENCIPHERMENT   (0x20) /* bit 2 */

◆ MBEDTLS_X509_KU_NON_REPUDIATION

#define MBEDTLS_X509_KU_NON_REPUDIATION   (0x40) /* bit 1 */

◆ MBEDTLS_X509_MAX_DN_NAME_SIZE

#define MBEDTLS_X509_MAX_DN_NAME_SIZE   256

Maximum value size of a DN entry

◆ MBEDTLS_X509_NS_CERT_TYPE_EMAIL

#define MBEDTLS_X509_NS_CERT_TYPE_EMAIL   (0x20) /* bit 2 */

◆ MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA

#define MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA   (0x02) /* bit 6 */

◆ MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING

#define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING   (0x10) /* bit 3 */

◆ MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA

#define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA   (0x01) /* bit 7 */

◆ MBEDTLS_X509_NS_CERT_TYPE_RESERVED

#define MBEDTLS_X509_NS_CERT_TYPE_RESERVED   (0x08) /* bit 4 */

◆ MBEDTLS_X509_NS_CERT_TYPE_SSL_CA

#define MBEDTLS_X509_NS_CERT_TYPE_SSL_CA   (0x04) /* bit 5 */

◆ MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT

#define MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT   (0x80) /* bit 0 */

◆ MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER

#define MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER   (0x40) /* bit 1 */

◆ MBEDTLS_X509_SAFE_SNPRINTF

#define MBEDTLS_X509_SAFE_SNPRINTF
Value:
do { \
if( ret < 0 || (size_t) ret >= n ) \
return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL ); \
\
n -= (size_t) ret; \
p += (size_t) ret; \
} while( 0 )

Function Documentation

◆ mbedtls_x509_dn_gets()

int mbedtls_x509_dn_gets ( char *  buf,
size_t  size,
const mbedtls_x509_name dn 
)

Store the certificate DN in printable form into buf; no more than size characters will be written.

Parameters
buf — Buffer to write to
size — Maximum size of buffer
dn — The X509 name to represent
Returns
The length of the string written (not including the terminating nul byte), or a negative error code.

◆ mbedtls_x509_get_alg()

int mbedtls_x509_get_alg ( unsigned char **  p,
const unsigned char *  end,
mbedtls_x509_buf alg,
mbedtls_x509_buf params 
)

◆ mbedtls_x509_get_alg_null()

int mbedtls_x509_get_alg_null ( unsigned char **  p,
const unsigned char *  end,
mbedtls_x509_buf alg 
)

◆ mbedtls_x509_get_ext()

int mbedtls_x509_get_ext ( unsigned char **  p,
const unsigned char *  end,
mbedtls_x509_buf ext,
int  tag 
)

◆ mbedtls_x509_get_name()

int mbedtls_x509_get_name ( unsigned char **  p,
const unsigned char *  end,
mbedtls_x509_name cur 
)

◆ mbedtls_x509_get_serial()

int mbedtls_x509_get_serial ( unsigned char **  p,
const unsigned char *  end,
mbedtls_x509_buf serial 
)

◆ mbedtls_x509_get_sig()

int mbedtls_x509_get_sig ( unsigned char **  p,
const unsigned char *  end,
mbedtls_x509_buf sig 
)

◆ mbedtls_x509_get_sig_alg()

int mbedtls_x509_get_sig_alg ( const mbedtls_x509_buf sig_oid,
const mbedtls_x509_buf sig_params,
mbedtls_md_type_t md_alg,
mbedtls_pk_type_t pk_alg,
void **  sig_opts 
)

◆ mbedtls_x509_get_time()

int mbedtls_x509_get_time ( unsigned char **  p,
const unsigned char *  end,
mbedtls_x509_time t 
)

◆ mbedtls_x509_key_size_helper()

int mbedtls_x509_key_size_helper ( char *  buf,
size_t  buf_size,
const char *  name 
)

◆ mbedtls_x509_self_test()

int mbedtls_x509_self_test ( int  verbose)

Checkup routine.

Returns
0 if successful, or 1 if the test failed

◆ mbedtls_x509_serial_gets()

int mbedtls_x509_serial_gets ( char *  buf,
size_t  size,
const mbedtls_x509_buf serial 
)

Store the certificate serial in printable form into buf; no more than size characters will be written.

Parameters
buf — Buffer to write to
size — Maximum size of buffer
serial — The X509 serial to represent
Returns
The length of the string written (not including the terminating nul byte), or a negative error code.

◆ mbedtls_x509_set_extension()

int mbedtls_x509_set_extension ( mbedtls_asn1_named_data **  head,
const char *  oid,
size_t  oid_len,
int  critical,
const unsigned char *  val,
size_t  val_len 
)

◆ mbedtls_x509_sig_alg_gets()

int mbedtls_x509_sig_alg_gets ( char *  buf,
size_t  size,
const mbedtls_x509_buf sig_oid,
mbedtls_pk_type_t  pk_alg,
mbedtls_md_type_t  md_alg,
const void *  sig_opts 
)

◆ mbedtls_x509_string_to_names()

int mbedtls_x509_string_to_names ( mbedtls_asn1_named_data **  head,
const char *  name 
)

◆ mbedtls_x509_time_is_future()

int mbedtls_x509_time_is_future ( const mbedtls_x509_time from)

Check a given mbedtls_x509_time against the system time and tell if it's in the future.

Note
Intended usage is "if( is_future( valid_from ) ) ERROR". Hence the return value of 1 on internal errors.
Parameters
from — mbedtls_x509_time to check
Returns
1 if the given time is in the future or an error occurred, 0 otherwise.

◆ mbedtls_x509_time_is_past()

int mbedtls_x509_time_is_past ( const mbedtls_x509_time to)

Check a given mbedtls_x509_time against the system time and tell if it's in the past.

Note
Intended usage is "if( is_past( valid_to ) ) ERROR". Hence the return value of 1 on internal errors.
Parameters
to — mbedtls_x509_time to check
Returns
1 if the given time is in the past or an error occurred, 0 otherwise.

◆ mbedtls_x509_write_extensions()

int mbedtls_x509_write_extensions ( unsigned char **  p,
unsigned char *  start,
mbedtls_asn1_named_data first 
)

◆ mbedtls_x509_write_names()

int mbedtls_x509_write_names ( unsigned char **  p,
unsigned char *  start,
mbedtls_asn1_named_data first 
)

◆ mbedtls_x509_write_sig()

int mbedtls_x509_write_sig ( unsigned char **  p,
unsigned char *  start,
const char *  oid,
size_t  oid_len,
unsigned char *  sig,
size_t  size 
)