/src/mbedtls/include/mbedtls/x509.h
1 | | /** |
2 | | * \file x509.h |
3 | | * |
4 | | * \brief X.509 generic defines and structures |
5 | | */ |
6 | | /* |
7 | | * Copyright The Mbed TLS Contributors |
8 | | * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later |
9 | | */ |
10 | | #ifndef MBEDTLS_X509_H |
11 | | #define MBEDTLS_X509_H |
12 | | #include "mbedtls/private_access.h" |
13 | | |
14 | | #include "mbedtls/build_info.h" |
15 | | |
16 | | #include "mbedtls/asn1.h" |
17 | | #include "mbedtls/pk.h" |
18 | | |
19 | | #if defined(MBEDTLS_RSA_C) |
20 | | #include "mbedtls/rsa.h" |
21 | | #endif |
22 | | |
23 | | /** |
24 | | * \addtogroup x509_module |
25 | | * \{ |
26 | | */ |
27 | | |
28 | | #if !defined(MBEDTLS_X509_MAX_INTERMEDIATE_CA) |
29 | | /** |
30 | | * Maximum number of intermediate CAs in a verification chain. |
31 | | * That is, maximum length of the chain, excluding the end-entity certificate |
32 | | * and the trusted root certificate. |
33 | | * |
34 | | * Set this to a low value to prevent an adversary from making you waste |
35 | | * resources verifying an overlong certificate chain. |
36 | | */ |
37 | 352 | #define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 |
38 | | #endif |
39 | | |
40 | | /** |
41 | | * \name X509 Error codes |
42 | | * \{ |
43 | | */ |
44 | | /** Unavailable feature, e.g. RSA hashing/encryption combination. */ |
45 | 0 | #define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE -0x2080 |
46 | | /** Requested OID is unknown. */ |
47 | | #define MBEDTLS_ERR_X509_UNKNOWN_OID -0x2100 |
48 | | /** The CRT/CRL/CSR format is invalid, e.g. different type expected. */ |
49 | 0 | #define MBEDTLS_ERR_X509_INVALID_FORMAT -0x2180 |
50 | | /** The CRT/CRL/CSR version element is invalid. */ |
51 | | #define MBEDTLS_ERR_X509_INVALID_VERSION -0x2200 |
52 | | /** The serial tag or value is invalid. */ |
53 | | #define MBEDTLS_ERR_X509_INVALID_SERIAL -0x2280 |
54 | | /** The algorithm tag or value is invalid. */ |
55 | 0 | #define MBEDTLS_ERR_X509_INVALID_ALG -0x2300 |
56 | | /** The name tag or value is invalid. */ |
57 | 0 | #define MBEDTLS_ERR_X509_INVALID_NAME -0x2380 |
58 | | /** The date tag or value is invalid. */ |
59 | 0 | #define MBEDTLS_ERR_X509_INVALID_DATE -0x2400 |
60 | | /** The signature tag or value invalid. */ |
61 | | #define MBEDTLS_ERR_X509_INVALID_SIGNATURE -0x2480 |
62 | | /** The extension tag or value is invalid. */ |
63 | 0 | #define MBEDTLS_ERR_X509_INVALID_EXTENSIONS -0x2500 |
64 | | /** CRT/CRL/CSR has an unsupported version number. */ |
65 | 0 | #define MBEDTLS_ERR_X509_UNKNOWN_VERSION -0x2580 |
66 | | /** Signature algorithm (oid) is unsupported. */ |
67 | 0 | #define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG -0x2600 |
68 | | /** Signature algorithms do not match. (see \c ::mbedtls_x509_crt sig_oid) */ |
69 | 0 | #define MBEDTLS_ERR_X509_SIG_MISMATCH -0x2680 |
70 | | /** Certificate verification failed, e.g. CRL, CA or signature check failed. */ |
71 | 0 | #define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED -0x2700 |
72 | | /** Format not recognized as DER or PEM. */ |
73 | 0 | #define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT -0x2780 |
74 | | /** Input invalid. */ |
75 | 0 | #define MBEDTLS_ERR_X509_BAD_INPUT_DATA -0x2800 |
76 | | /** Allocation of memory failed. */ |
77 | 0 | #define MBEDTLS_ERR_X509_ALLOC_FAILED -0x2880 |
78 | | /** Read/write of file failed. */ |
79 | 0 | #define MBEDTLS_ERR_X509_FILE_IO_ERROR -0x2900 |
80 | | /** Destination buffer is too small. */ |
81 | 0 | #define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL -0x2980 |
82 | | /** A fatal error occurred, e.g. the chain is too long or the vrfy callback failed. */ |
83 | 0 | #define MBEDTLS_ERR_X509_FATAL_ERROR -0x3000 |
84 | | /** \} name X509 Error codes */ |
85 | | |
86 | | /** |
87 | | * \name X509 Verify codes |
88 | | * \{ |
89 | | */ |
90 | | /* Reminder: update x509_crt_verify_strings[] in library/x509_crt.c */ |
91 | 0 | #define MBEDTLS_X509_BADCERT_EXPIRED 0x01 /**< The certificate validity has expired. */ |
92 | 0 | #define MBEDTLS_X509_BADCERT_REVOKED 0x02 /**< The certificate has been revoked (is on a CRL). */ |
93 | 0 | #define MBEDTLS_X509_BADCERT_CN_MISMATCH 0x04 /**< The certificate Common Name (CN) does not match with the expected CN. */ |
94 | 0 | #define MBEDTLS_X509_BADCERT_NOT_TRUSTED 0x08 /**< The certificate is not correctly signed by the trusted CA. */ |
95 | 0 | #define MBEDTLS_X509_BADCRL_NOT_TRUSTED 0x10 /**< The CRL is not correctly signed by the trusted CA. */ |
96 | 0 | #define MBEDTLS_X509_BADCRL_EXPIRED 0x20 /**< The CRL is expired. */ |
97 | 0 | #define MBEDTLS_X509_BADCERT_MISSING 0x40 /**< Certificate was missing. */ |
98 | 0 | #define MBEDTLS_X509_BADCERT_SKIP_VERIFY 0x80 /**< Certificate verification was skipped. */ |
99 | 0 | #define MBEDTLS_X509_BADCERT_OTHER 0x0100 /**< Other reason (can be used by verify callback) */ |
100 | 0 | #define MBEDTLS_X509_BADCERT_FUTURE 0x0200 /**< The certificate validity starts in the future. */ |
101 | 0 | #define MBEDTLS_X509_BADCRL_FUTURE 0x0400 /**< The CRL is from the future */ |
102 | 0 | #define MBEDTLS_X509_BADCERT_KEY_USAGE 0x0800 /**< Usage does not match the keyUsage extension. */ |
103 | 0 | #define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE 0x1000 /**< Usage does not match the extendedKeyUsage extension. */ |
104 | | #define MBEDTLS_X509_BADCERT_NS_CERT_TYPE 0x2000 /**< Usage does not match the nsCertType extension. */ |
105 | 0 | #define MBEDTLS_X509_BADCERT_BAD_MD 0x4000 /**< The certificate is signed with an unacceptable hash. */ |
106 | 0 | #define MBEDTLS_X509_BADCERT_BAD_PK 0x8000 /**< The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA). */ |
107 | 0 | #define MBEDTLS_X509_BADCERT_BAD_KEY 0x010000 /**< The certificate is signed with an unacceptable key (eg bad curve, RSA too short). */ |
108 | 0 | #define MBEDTLS_X509_BADCRL_BAD_MD 0x020000 /**< The CRL is signed with an unacceptable hash. */ |
109 | 0 | #define MBEDTLS_X509_BADCRL_BAD_PK 0x040000 /**< The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA). */ |
110 | | #define MBEDTLS_X509_BADCRL_BAD_KEY 0x080000 /**< The CRL is signed with an unacceptable key (eg bad curve, RSA too short). */ |
111 | | |
112 | | /** \} name X509 Verify codes */ |
113 | | /** \} addtogroup x509_module */ |
114 | | |
115 | | /* |
116 | | * X.509 v3 Subject Alternative Name types. |
117 | | * otherName [0] OtherName, |
118 | | * rfc822Name [1] IA5String, |
119 | | * dNSName [2] IA5String, |
120 | | * x400Address [3] ORAddress, |
121 | | * directoryName [4] Name, |
122 | | * ediPartyName [5] EDIPartyName, |
123 | | * uniformResourceIdentifier [6] IA5String, |
124 | | * iPAddress [7] OCTET STRING, |
125 | | * registeredID [8] OBJECT IDENTIFIER |
126 | | */ |
127 | 0 | #define MBEDTLS_X509_SAN_OTHER_NAME 0 |
128 | 0 | #define MBEDTLS_X509_SAN_RFC822_NAME 1 |
129 | 0 | #define MBEDTLS_X509_SAN_DNS_NAME 2 |
130 | | #define MBEDTLS_X509_SAN_X400_ADDRESS_NAME 3 |
131 | 0 | #define MBEDTLS_X509_SAN_DIRECTORY_NAME 4 |
132 | | #define MBEDTLS_X509_SAN_EDI_PARTY_NAME 5 |
133 | 0 | #define MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER 6 |
134 | 0 | #define MBEDTLS_X509_SAN_IP_ADDRESS 7 |
135 | | #define MBEDTLS_X509_SAN_REGISTERED_ID 8 |
136 | | |
137 | | /* |
138 | | * X.509 v3 Key Usage Extension flags |
139 | | * Reminder: update mbedtls_x509_info_key_usage() when adding new flags. |
140 | | */ |
141 | 0 | #define MBEDTLS_X509_KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */ |
142 | | #define MBEDTLS_X509_KU_NON_REPUDIATION (0x40) /* bit 1 */ |
143 | 0 | #define MBEDTLS_X509_KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */ |
144 | | #define MBEDTLS_X509_KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */ |
145 | 0 | #define MBEDTLS_X509_KU_KEY_AGREEMENT (0x08) /* bit 4 */ |
146 | 0 | #define MBEDTLS_X509_KU_KEY_CERT_SIGN (0x04) /* bit 5 */ |
147 | 0 | #define MBEDTLS_X509_KU_CRL_SIGN (0x02) /* bit 6 */ |
148 | 0 | #define MBEDTLS_X509_KU_ENCIPHER_ONLY (0x01) /* bit 7 */ |
149 | 0 | #define MBEDTLS_X509_KU_DECIPHER_ONLY (0x8000) /* bit 8 */ |
150 | | |
151 | | /* |
152 | | * Netscape certificate types |
153 | | * (http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html) |
154 | | */ |
155 | | |
156 | | #define MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */ |
157 | | #define MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */ |
158 | | #define MBEDTLS_X509_NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */ |
159 | | #define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */ |
160 | | #define MBEDTLS_X509_NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */ |
161 | | #define MBEDTLS_X509_NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */ |
162 | | #define MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */ |
163 | | #define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */ |
164 | | |
165 | | /* |
166 | | * X.509 extension types |
167 | | * |
168 | | * Comments refer to the status for using certificates. Status can be |
169 | | * different for writing certificates or reading CRLs or CSRs. |
170 | | * |
171 | | * Those are defined in oid.h as oid.c needs them in a data structure. Since |
172 | | * these were previously defined here, let's have aliases for compatibility. |
173 | | */ |
174 | 3 | #define MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER MBEDTLS_OID_X509_EXT_AUTHORITY_KEY_IDENTIFIER |
175 | 3 | #define MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER MBEDTLS_OID_X509_EXT_SUBJECT_KEY_IDENTIFIER |
176 | 0 | #define MBEDTLS_X509_EXT_KEY_USAGE MBEDTLS_OID_X509_EXT_KEY_USAGE |
177 | | #define MBEDTLS_X509_EXT_CERTIFICATE_POLICIES MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES |
178 | | #define MBEDTLS_X509_EXT_POLICY_MAPPINGS MBEDTLS_OID_X509_EXT_POLICY_MAPPINGS |
179 | 0 | #define MBEDTLS_X509_EXT_SUBJECT_ALT_NAME MBEDTLS_OID_X509_EXT_SUBJECT_ALT_NAME /* Supported (DNS) */ |
180 | | #define MBEDTLS_X509_EXT_ISSUER_ALT_NAME MBEDTLS_OID_X509_EXT_ISSUER_ALT_NAME |
181 | | #define MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS MBEDTLS_OID_X509_EXT_SUBJECT_DIRECTORY_ATTRS |
182 | 3 | #define MBEDTLS_X509_EXT_BASIC_CONSTRAINTS MBEDTLS_OID_X509_EXT_BASIC_CONSTRAINTS /* Supported */ |
183 | | #define MBEDTLS_X509_EXT_NAME_CONSTRAINTS MBEDTLS_OID_X509_EXT_NAME_CONSTRAINTS |
184 | | #define MBEDTLS_X509_EXT_POLICY_CONSTRAINTS MBEDTLS_OID_X509_EXT_POLICY_CONSTRAINTS |
185 | 0 | #define MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE MBEDTLS_OID_X509_EXT_EXTENDED_KEY_USAGE |
186 | | #define MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS MBEDTLS_OID_X509_EXT_CRL_DISTRIBUTION_POINTS |
187 | | #define MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY MBEDTLS_OID_X509_EXT_INIHIBIT_ANYPOLICY |
188 | | #define MBEDTLS_X509_EXT_FRESHEST_CRL MBEDTLS_OID_X509_EXT_FRESHEST_CRL |
189 | 0 | #define MBEDTLS_X509_EXT_NS_CERT_TYPE MBEDTLS_OID_X509_EXT_NS_CERT_TYPE |
190 | | |
191 | | /* |
192 | | * Storage format identifiers |
193 | | * Recognized formats: PEM and DER |
194 | | */ |
195 | 2 | #define MBEDTLS_X509_FORMAT_DER 1 |
196 | 2 | #define MBEDTLS_X509_FORMAT_PEM 2 |
197 | | |
198 | | #define MBEDTLS_X509_MAX_DN_NAME_SIZE 256 /**< Maximum value size of a DN entry */ |
199 | | |
200 | | #ifdef __cplusplus |
201 | | extern "C" { |
202 | | #endif |
203 | | |
204 | | /** |
205 | | * \addtogroup x509_module |
206 | | * \{ */ |
207 | | |
208 | | /** |
209 | | * \name Structures for parsing X.509 certificates, CRLs and CSRs |
210 | | * \{ |
211 | | */ |
212 | | |
213 | | /** |
214 | | * Type-length-value structure that allows for ASN1 using DER. |
215 | | */ |
216 | | typedef mbedtls_asn1_buf mbedtls_x509_buf; |
217 | | |
218 | | /** |
219 | | * Container for ASN1 bit strings. |
220 | | */ |
221 | | typedef mbedtls_asn1_bitstring mbedtls_x509_bitstring; |
222 | | |
223 | | /** |
224 | | * Container for ASN1 named information objects. |
225 | | * It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.). |
226 | | */ |
227 | | typedef mbedtls_asn1_named_data mbedtls_x509_name; |
228 | | |
229 | | /** |
230 | | * Container for a sequence of ASN.1 items |
231 | | */ |
232 | | typedef mbedtls_asn1_sequence mbedtls_x509_sequence; |
233 | | |
/**
 * Container for the fields of the Authority Key Identifier object
 * (AuthorityKeyIdentifier extension, RFC 5280 section 4.2.1.1).
 *
 * Each buffer is a TLV view (mbedtls_x509_buf); NOTE(review): the buffers
 * presumably point into the parsed certificate's raw data rather than
 * owning a copy — confirm against the parser in library/x509_crt.c.
 */
typedef struct mbedtls_x509_authority {
    mbedtls_x509_buf keyIdentifier;             /**< The keyIdentifier field. */
    mbedtls_x509_sequence authorityCertIssuer;  /**< The authorityCertIssuer field (a sequence of names). */
    mbedtls_x509_buf authorityCertSerialNumber; /**< The authorityCertSerialNumber field. */
    mbedtls_x509_buf raw;                       /**< Raw view of the object; NOTE(review): presumably the whole extension value — confirm. */
}
mbedtls_x509_authority;
244 | | |
/**
 * Container for date and time (precision in seconds).
 *
 * The fields are plain integers; the type itself does not constrain their
 * ranges, so values must be validated by whoever fills the structure.
 * NOTE(review): presumably year is the full (four-digit) year and mon/day
 * are 1-based — confirm against the time parser in library/x509.c.
 */
typedef struct mbedtls_x509_time {
    int year, mon, day;         /**< Date. */
    int hour, min, sec;         /**< Time. */
}
mbedtls_x509_time;
251 | | |
/**
 * From RFC 5280 section 4.2.1.6:
 *     OtherName ::= SEQUENCE {
 *         type-id    OBJECT IDENTIFIER,
 *         value      [0] EXPLICIT ANY DEFINED BY type-id }
 *
 * Future versions of the library may add new fields to this structure or
 * to its embedded union and structure.
 *
 * Which member of \c value is meaningful is determined by \c type_id;
 * compare \c type_id before reading anything from \c value.
 */
typedef struct mbedtls_x509_san_other_name {
    /**
     * The type_id is an OID as defined in RFC 5280.
     * To check the value of the type id, you should use
     * \p MBEDTLS_OID_CMP with a known OID mbedtls_x509_buf.
     */
    mbedtls_x509_buf type_id; /**< The type id. */
    union {
        /**
         * From RFC 4108 section 5:
         *     HardwareModuleName ::= SEQUENCE {
         *         hwType       OBJECT IDENTIFIER,
         *         hwSerialNum  OCTET STRING }
         */
        struct {
            mbedtls_x509_buf oid; /**< The object identifier (hwType). */
            mbedtls_x509_buf val; /**< The named value (hwSerialNum). */
        }
        hardware_module_name; /**< Valid for the HardwareModuleName type-id. */
    }
    value; /**< The value, interpreted according to \c type_id. Only hardware_module_name is currently defined. */
}
mbedtls_x509_san_other_name;
284 | | |
/**
 * A structure for holding the parsed Subject Alternative Name,
 * according to type.
 *
 * Future versions of the library may add new fields to this structure or
 * to its embedded union and structure.
 *
 * Only the member of \c san selected by \c type holds meaningful data;
 * always check \c type before reading \c san.
 */
typedef struct mbedtls_x509_subject_alternative_name {
    int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
    union {
        mbedtls_x509_san_other_name other_name; /**< The otherName form (see mbedtls_x509_san_other_name). */
        mbedtls_x509_name directory_name;       /**< The directoryName form, as an X.509 name. */
        mbedtls_x509_buf unstructured_name; /**< The buffer for the unstructured types. rfc822Name, dnsName and uniformResourceIdentifier are currently supported. */
    }
    san; /**< A union of the supported SAN types */
}
mbedtls_x509_subject_alternative_name;
302 | | |
/**
 * Node of a singly-linked list of parsed subject alternative names.
 *
 * NOTE(review): who allocates and frees the list is not visible here;
 * extra memory held by \c node is released by
 * mbedtls_x509_free_subject_alt_name() — confirm list ownership with callers.
 */
typedef struct mbedtls_x509_san_list {
    mbedtls_x509_subject_alternative_name node; /**< The parsed SAN held by this node. */
    struct mbedtls_x509_san_list *next;         /**< Next node in the list (presumably NULL at the end). */
}
mbedtls_x509_san_list;
308 | | |
309 | | /** \} name Structures for parsing X.509 certificates, CRLs and CSRs */ |
310 | | /** \} addtogroup x509_module */ |
311 | | |
312 | | /** |
313 | | * \brief Store the certificate DN in printable form into buf; |
314 | | * no more than size characters will be written. |
315 | | * |
316 | | * \param buf Buffer to write to |
317 | | * \param size Maximum size of buffer |
318 | | * \param dn The X509 name to represent |
319 | | * |
320 | | * \return The length of the string written (not including the |
321 | | * terminating NUL byte), or a negative error code. |
322 | | */ |
323 | | int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn); |
324 | | |
325 | | /** |
326 | | * \brief Convert the certificate DN string \p name into |
327 | | * a linked list of mbedtls_x509_name (equivalent to |
328 | | * mbedtls_asn1_named_data). |
329 | | * |
330 | | * \note This function allocates a linked list, and places the head |
331 | | * pointer in \p head. This list must later be freed by a |
332 | | * call to mbedtls_asn1_free_named_data_list(). |
333 | | * |
334 | | * \param[out] head Address in which to store the pointer to the head of the |
335 | | * allocated list of mbedtls_x509_name |
336 | | * \param[in] name The string representation of a DN to convert |
337 | | * |
338 | | * \return 0 on success, or a negative error code. |
339 | | */ |
340 | | int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name); |
341 | | |
/**
 * \brief Return the next relative DN in an X509 name.
 *
 * \note Intended use is to compare function result to dn->next
 * in order to detect boundaries of multi-valued RDNs: nodes whose
 * private \c next_merged flag is set still belong to the current
 * RDN and are skipped over.
 *
 * \param dn Current node in the X509 name. Must not be NULL; it is
 * dereferenced without a check.
 *
 * \return Pointer to the first attribute-value pair of the
 * next RDN in sequence, or NULL if end is reached.
 */
static inline mbedtls_x509_name *mbedtls_x509_dn_get_next(
    mbedtls_x509_name *dn)
{
    mbedtls_x509_name *last_in_rdn = dn;

    /* Walk forward while the node continues the current multi-valued RDN
     * and a successor exists; stop at the last node of this RDN. */
    for (; last_in_rdn->MBEDTLS_PRIVATE(next_merged) && last_in_rdn->next != NULL;
         last_in_rdn = last_in_rdn->next) {
    }

    return last_in_rdn->next;
}
361 | | |
362 | | /** |
363 | | * \brief Store the certificate serial in printable form into buf; |
364 | | * no more than size characters will be written. |
365 | | * |
366 | | * \param buf Buffer to write to |
367 | | * \param size Maximum size of buffer |
368 | | * \param serial The X509 serial to represent |
369 | | * |
370 | | * \return The length of the string written (not including the |
371 | | * terminating NUL byte), or a negative error code. |
372 | | */ |
373 | | int mbedtls_x509_serial_gets(char *buf, size_t size, const mbedtls_x509_buf *serial); |
374 | | |
375 | | /** |
376 | | * \brief Compare pair of mbedtls_x509_time. |
377 | | * |
378 | | * \param t1 mbedtls_x509_time to compare |
379 | | * \param t2 mbedtls_x509_time to compare |
380 | | * |
381 | | * \return < 0 if t1 is before t2 |
382 | | * 0 if t1 equals t2 |
383 | | * > 0 if t1 is after t2 |
384 | | */ |
385 | | int mbedtls_x509_time_cmp(const mbedtls_x509_time *t1, const mbedtls_x509_time *t2); |
386 | | |
387 | | #if defined(MBEDTLS_HAVE_TIME_DATE) |
388 | | /** |
389 | | * \brief Fill mbedtls_x509_time with provided mbedtls_time_t. |
390 | | * |
391 | | * \param tt mbedtls_time_t to convert |
392 | | * \param now mbedtls_x509_time to fill with converted mbedtls_time_t |
393 | | * |
394 | | * \return \c 0 on success |
395 | | * \return A non-zero return value on failure. |
396 | | */ |
397 | | int mbedtls_x509_time_gmtime(mbedtls_time_t tt, mbedtls_x509_time *now); |
398 | | #endif /* MBEDTLS_HAVE_TIME_DATE */ |
399 | | |
400 | | /** |
401 | | * \brief Check a given mbedtls_x509_time against the system time |
402 | | * and tell if it's in the past. |
403 | | * |
404 | | * \note Intended usage is "if( is_past( valid_to ) ) ERROR". |
405 | | * Hence the return value of 1 on internal errors. |
406 | | * |
407 | | * \param to mbedtls_x509_time to check |
408 | | * |
409 | | * \return 1 if the given time is in the past or an error occurred, |
410 | | * 0 otherwise. |
411 | | */ |
412 | | int mbedtls_x509_time_is_past(const mbedtls_x509_time *to); |
413 | | |
414 | | /** |
415 | | * \brief Check a given mbedtls_x509_time against the system time |
416 | | * and tell if it's in the future. |
417 | | * |
418 | | * \note Intended usage is "if( is_future( valid_from ) ) ERROR". |
419 | | * Hence the return value of 1 on internal errors. |
420 | | * |
421 | | * \param from mbedtls_x509_time to check |
422 | | * |
423 | | * \return 1 if the given time is in the future or an error occurred, |
424 | | * 0 otherwise. |
425 | | */ |
426 | | int mbedtls_x509_time_is_future(const mbedtls_x509_time *from); |
427 | | |
428 | | /** |
429 | | * \brief This function parses an item in the SubjectAlternativeNames |
430 | | * extension. Please note that this function might allocate |
431 | | * additional memory for a subject alternative name, thus |
432 | | * mbedtls_x509_free_subject_alt_name has to be called |
433 | | * to dispose of this additional memory afterwards. |
434 | | * |
435 | | * \param san_buf The buffer holding the raw data item of the subject |
436 | | * alternative name. |
437 | | * \param san The target structure to populate with the parsed presentation |
438 | | * of the subject alternative name encoded in \p san_buf. |
439 | | * |
440 | | * \note Supported GeneralName types, as defined in RFC 5280: |
441 | | * "rfc822Name", "dnsName", "directoryName", |
442 | | * "uniformResourceIdentifier" and "hardware_module_name" |
443 | | * of type "otherName", as defined in RFC 4108. |
444 | | * |
445 | | * \note This function should be called on a single raw subject |
446 | | * alternative name item. For example, after successful |
447 | | * certificate parsing, one must iterate on every item in the |
448 | | * \c crt->subject_alt_names sequence, and pass it to |
449 | | * this function. |
450 | | * |
451 | | * \warning The target structure contains pointers to the raw data of the |
452 | | * parsed certificate, and its lifetime is restricted by the |
453 | | * lifetime of the certificate. |
454 | | * |
455 | | * \return \c 0 on success |
456 | | * \return #MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE for an unsupported |
457 | | * SAN type. |
458 | | * \return Another negative value for any other failure. |
459 | | */ |
460 | | int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, |
461 | | mbedtls_x509_subject_alternative_name *san); |
462 | | /** |
463 | | * \brief Unallocate all data related to subject alternative name |
464 | | * |
465 | | * \param san SAN structure - extra memory owned by this structure will be freed |
466 | | */ |
467 | | void mbedtls_x509_free_subject_alt_name(mbedtls_x509_subject_alternative_name *san); |
468 | | |
469 | | /** |
470 | | * \brief This function parses a CN string as an IP address. |
471 | | * |
472 | | * \param cn The CN string to parse. CN string MUST be null-terminated. |
473 | | * \param dst The target buffer to populate with the binary IP address. |
474 | | * The buffer MUST be 16 bytes to save IPv6, and should be |
475 | | * 4-byte aligned if the result will be used as struct in_addr. |
476 | | * e.g. uint32_t dst[4] |
477 | | * |
478 | | * \note \p cn is parsed as an IPv6 address if string contains ':', |
479 | | * else \p cn is parsed as an IPv4 address. |
480 | | * |
481 | | * \return Length of binary IP address; num bytes written to target. |
482 | | * \return \c 0 on failure to parse CN string as an IP address. |
483 | | */ |
484 | | size_t mbedtls_x509_crt_parse_cn_inet_pton(const char *cn, void *dst); |
485 | | |
/*
 * Advance the output cursor after an snprintf()-style call.
 *
 * Relies on three names in the enclosing function's scope: ret (the signed
 * result of the preceding snprintf()-style call), n (size_t bytes still
 * available at p) and p (the write cursor). If ret is negative, or ret >= n
 * (i.e. the output would not fit together with its terminating NUL), the
 * macro makes the ENCLOSING FUNCTION return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL,
 * so it may only be used in functions returning int. The sign check comes
 * before the (size_t) cast so a negative ret is never widened into a huge
 * length. Otherwise n and p are advanced by ret.
 */
#define MBEDTLS_X509_SAFE_SNPRINTF \
    do { \
        if (ret < 0 || (size_t) ret >= n) \
        return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; \
        \
        n -= (size_t) ret; \
        p += (size_t) ret; \
    } while (0)
494 | | |
495 | | #ifdef __cplusplus |
496 | | } |
497 | | #endif |
498 | | |
499 | | #endif /* MBEDTLS_X509_H */ |