1
/**
2
 * \file x509.h
3
 *
4
 * \brief X.509 generic defines and structures
5
 */
6
/*
7
 *  Copyright The Mbed TLS Contributors
8
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
9
 */
10
#ifndef MBEDTLS_X509_H
11
#define MBEDTLS_X509_H
12
#include "mbedtls/private_access.h"
13
14
#include "mbedtls/build_info.h"
15
16
#include "mbedtls/asn1.h"
17
#include "mbedtls/pk.h"
18
19
#if defined(MBEDTLS_RSA_C)
20
#include "mbedtls/rsa.h"
21
#endif
22
23
/**
24
 * \addtogroup x509_module
25
 * \{
26
 */
27
28
#if !defined(MBEDTLS_X509_MAX_INTERMEDIATE_CA)
/**
 * Maximum number of intermediate CAs in a verification chain.
 * That is, maximum length of the chain, excluding the end-entity certificate
 * and the trusted root certificate.
 *
 * Set this to a low value to prevent an adversary from making you waste
 * resources verifying an overlong certificate chain.
 *
 * A chain that exceeds this bound is reported as an error rather than
 * accepted; see the description of #MBEDTLS_ERR_X509_FATAL_ERROR below.
 * The default can be overridden from the build configuration, which is why
 * the definition is guarded.
 */
#define MBEDTLS_X509_MAX_INTERMEDIATE_CA   8
#endif
39
40
/**
41
 * \name X509 Error codes
42
 * \{
43
 */
44
/** Unavailable feature, e.g. RSA hashing/encryption combination. */
45
0
#define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE              -0x2080
46
/** Requested OID is unknown. */
47
#define MBEDTLS_ERR_X509_UNKNOWN_OID                      -0x2100
48
/** The CRT/CRL/CSR format is invalid, e.g. different type expected. */
49
0
#define MBEDTLS_ERR_X509_INVALID_FORMAT                   -0x2180
50
/** The CRT/CRL/CSR version element is invalid. */
51
#define MBEDTLS_ERR_X509_INVALID_VERSION                  -0x2200
52
/** The serial tag or value is invalid. */
53
#define MBEDTLS_ERR_X509_INVALID_SERIAL                   -0x2280
54
/** The algorithm tag or value is invalid. */
55
0
#define MBEDTLS_ERR_X509_INVALID_ALG                      -0x2300
56
/** The name tag or value is invalid. */
57
0
#define MBEDTLS_ERR_X509_INVALID_NAME                     -0x2380
58
/** The date tag or value is invalid. */
59
0
#define MBEDTLS_ERR_X509_INVALID_DATE                     -0x2400
60
/** The signature tag or value invalid. */
61
#define MBEDTLS_ERR_X509_INVALID_SIGNATURE                -0x2480
62
/** The extension tag or value is invalid. */
63
0
#define MBEDTLS_ERR_X509_INVALID_EXTENSIONS               -0x2500
64
/** CRT/CRL/CSR has an unsupported version number. */
65
0
#define MBEDTLS_ERR_X509_UNKNOWN_VERSION                  -0x2580
66
/** Signature algorithm (oid) is unsupported. */
67
0
#define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG                  -0x2600
68
/** Signature algorithms do not match. (see \c ::mbedtls_x509_crt sig_oid) */
69
0
#define MBEDTLS_ERR_X509_SIG_MISMATCH                     -0x2680
70
/** Certificate verification failed, e.g. CRL, CA or signature check failed. */
71
0
#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED               -0x2700
72
/** Format not recognized as DER or PEM. */
73
0
#define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT              -0x2780
74
/** Input invalid. */
75
0
#define MBEDTLS_ERR_X509_BAD_INPUT_DATA                   -0x2800
76
/** Allocation of memory failed. */
77
0
#define MBEDTLS_ERR_X509_ALLOC_FAILED                     -0x2880
78
/** Read/write of file failed. */
79
0
#define MBEDTLS_ERR_X509_FILE_IO_ERROR                    -0x2900
80
/** Destination buffer is too small. */
81
0
#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL                 -0x2980
82
/** A fatal error occurred, eg the chain is too long or the vrfy callback failed. */
83
0
#define MBEDTLS_ERR_X509_FATAL_ERROR                      -0x3000
84
/** \} name X509 Error codes */
85
86
/**
87
 * \name X509 Verify codes
88
 * \{
89
 */
90
/* Reminder: update x509_crt_verify_strings[] in library/x509_crt.c */
/*
 * Each code is a distinct bit, so several failure reasons can be reported
 * together by OR-ing them. Any non-zero set of flags means the certificate
 * (or CRL) failed verification; only treat it as trusted after a deliberate,
 * reviewed decision to ignore the specific bits that are set.
 */
#define MBEDTLS_X509_BADCERT_EXPIRED             0x01  /**< The certificate validity has expired. */
#define MBEDTLS_X509_BADCERT_REVOKED             0x02  /**< The certificate has been revoked (is on a CRL). */
#define MBEDTLS_X509_BADCERT_CN_MISMATCH         0x04  /**< The certificate Common Name (CN) does not match with the expected CN. */
#define MBEDTLS_X509_BADCERT_NOT_TRUSTED         0x08  /**< The certificate is not correctly signed by the trusted CA. */
#define MBEDTLS_X509_BADCRL_NOT_TRUSTED          0x10  /**< The CRL is not correctly signed by the trusted CA. */
#define MBEDTLS_X509_BADCRL_EXPIRED              0x20  /**< The CRL is expired. */
#define MBEDTLS_X509_BADCERT_MISSING             0x40  /**< Certificate was missing. */
#define MBEDTLS_X509_BADCERT_SKIP_VERIFY         0x80  /**< Certificate verification was skipped. */
#define MBEDTLS_X509_BADCERT_OTHER             0x0100  /**< Other reason (can be used by verify callback) */
#define MBEDTLS_X509_BADCERT_FUTURE            0x0200  /**< The certificate validity starts in the future. */
#define MBEDTLS_X509_BADCRL_FUTURE             0x0400  /**< The CRL is from the future */
#define MBEDTLS_X509_BADCERT_KEY_USAGE         0x0800  /**< Usage does not match the keyUsage extension. */
#define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE     0x1000  /**< Usage does not match the extendedKeyUsage extension. */
#define MBEDTLS_X509_BADCERT_NS_CERT_TYPE      0x2000  /**< Usage does not match the nsCertType extension. */
#define MBEDTLS_X509_BADCERT_BAD_MD            0x4000  /**< The certificate is signed with an unacceptable hash. */
#define MBEDTLS_X509_BADCERT_BAD_PK            0x8000  /**< The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA). */
#define MBEDTLS_X509_BADCERT_BAD_KEY         0x010000  /**< The certificate is signed with an unacceptable key (eg bad curve, RSA too short). */
#define MBEDTLS_X509_BADCRL_BAD_MD           0x020000  /**< The CRL is signed with an unacceptable hash. */
#define MBEDTLS_X509_BADCRL_BAD_PK           0x040000  /**< The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA). */
#define MBEDTLS_X509_BADCRL_BAD_KEY          0x080000  /**< The CRL is signed with an unacceptable key (eg bad curve, RSA too short). */
111
112
/** \} name X509 Verify codes */
113
/** \} addtogroup x509_module */
114
115
/*
 * X.509 v3 Subject Alternative Name types.
 *      otherName                       [0]     OtherName,
 *      rfc822Name                      [1]     IA5String,
 *      dNSName                         [2]     IA5String,
 *      x400Address                     [3]     ORAddress,
 *      directoryName                   [4]     Name,
 *      ediPartyName                    [5]     EDIPartyName,
 *      uniformResourceIdentifier       [6]     IA5String,
 *      iPAddress                       [7]     OCTET STRING,
 *      registeredID                    [8]     OBJECT IDENTIFIER
 *
 * The numeric values below are the context-specific tag numbers of the
 * GeneralName CHOICE listed above. Not every type listed here is parsed by
 * mbedtls_x509_parse_subject_alt_name(); see its \note for the supported set.
 */
#define MBEDTLS_X509_SAN_OTHER_NAME                      0
#define MBEDTLS_X509_SAN_RFC822_NAME                     1
#define MBEDTLS_X509_SAN_DNS_NAME                        2
#define MBEDTLS_X509_SAN_X400_ADDRESS_NAME               3
#define MBEDTLS_X509_SAN_DIRECTORY_NAME                  4
#define MBEDTLS_X509_SAN_EDI_PARTY_NAME                  5
#define MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER     6
#define MBEDTLS_X509_SAN_IP_ADDRESS                      7
#define MBEDTLS_X509_SAN_REGISTERED_ID                   8
136
137
/*
 * X.509 v3 Key Usage Extension flags
 * Reminder: update mbedtls_x509_info_key_usage() when adding new flags.
 *
 * The bit numbers in the trailing comments follow the ASN.1 BIT STRING
 * convention used by RFC 5280 section 4.2.1.3: bit 0 is the most significant
 * bit of the first octet. That is why bit 0 is 0x80 and bit 8 (decipherOnly,
 * which lives in the second octet) is 0x8000; do not "fix" the ordering.
 */
#define MBEDTLS_X509_KU_DIGITAL_SIGNATURE            (0x80)  /* bit 0 */
#define MBEDTLS_X509_KU_NON_REPUDIATION              (0x40)  /* bit 1 */
#define MBEDTLS_X509_KU_KEY_ENCIPHERMENT             (0x20)  /* bit 2 */
#define MBEDTLS_X509_KU_DATA_ENCIPHERMENT            (0x10)  /* bit 3 */
#define MBEDTLS_X509_KU_KEY_AGREEMENT                (0x08)  /* bit 4 */
#define MBEDTLS_X509_KU_KEY_CERT_SIGN                (0x04)  /* bit 5 */
#define MBEDTLS_X509_KU_CRL_SIGN                     (0x02)  /* bit 6 */
#define MBEDTLS_X509_KU_ENCIPHER_ONLY                (0x01)  /* bit 7 */
#define MBEDTLS_X509_KU_DECIPHER_ONLY              (0x8000)  /* bit 8 */
150
151
/*
 * Netscape certificate types
 * (http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html)
 *
 * Legacy, non-standard extension. Bit numbering follows the same BIT STRING
 * convention as the key usage flags above (bit 0 is 0x80).
 */

#define MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT         (0x80)  /* bit 0 */
#define MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER         (0x40)  /* bit 1 */
#define MBEDTLS_X509_NS_CERT_TYPE_EMAIL              (0x20)  /* bit 2 */
#define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING     (0x10)  /* bit 3 */
#define MBEDTLS_X509_NS_CERT_TYPE_RESERVED           (0x08)  /* bit 4 */
#define MBEDTLS_X509_NS_CERT_TYPE_SSL_CA             (0x04)  /* bit 5 */
#define MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA           (0x02)  /* bit 6 */
#define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA  (0x01)  /* bit 7 */
164
165
/*
 * X.509 extension types
 *
 * Comments refer to the status for using certificates. Status can be
 * different for writing certificates or reading CRLs or CSRs.
 *
 * Those are defined in oid.h as oid.c needs them in a data structure. Since
 * these were previously defined here, let's have aliases for compatibility.
 *
 * Note: the spelling of MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY mirrors the
 * MBEDTLS_OID_X509_EXT_INIHIBIT_ANYPOLICY name it aliases; it is part of the
 * public API and must not be corrected here without a compatibility alias.
 */
#define MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER MBEDTLS_OID_X509_EXT_AUTHORITY_KEY_IDENTIFIER
#define MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER   MBEDTLS_OID_X509_EXT_SUBJECT_KEY_IDENTIFIER
#define MBEDTLS_X509_EXT_KEY_USAGE                MBEDTLS_OID_X509_EXT_KEY_USAGE
#define MBEDTLS_X509_EXT_CERTIFICATE_POLICIES     MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES
#define MBEDTLS_X509_EXT_POLICY_MAPPINGS          MBEDTLS_OID_X509_EXT_POLICY_MAPPINGS
#define MBEDTLS_X509_EXT_SUBJECT_ALT_NAME         MBEDTLS_OID_X509_EXT_SUBJECT_ALT_NAME         /* Supported (DNS) */
#define MBEDTLS_X509_EXT_ISSUER_ALT_NAME          MBEDTLS_OID_X509_EXT_ISSUER_ALT_NAME
#define MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS  MBEDTLS_OID_X509_EXT_SUBJECT_DIRECTORY_ATTRS
#define MBEDTLS_X509_EXT_BASIC_CONSTRAINTS        MBEDTLS_OID_X509_EXT_BASIC_CONSTRAINTS        /* Supported */
#define MBEDTLS_X509_EXT_NAME_CONSTRAINTS         MBEDTLS_OID_X509_EXT_NAME_CONSTRAINTS
#define MBEDTLS_X509_EXT_POLICY_CONSTRAINTS       MBEDTLS_OID_X509_EXT_POLICY_CONSTRAINTS
#define MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE       MBEDTLS_OID_X509_EXT_EXTENDED_KEY_USAGE
#define MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS  MBEDTLS_OID_X509_EXT_CRL_DISTRIBUTION_POINTS
#define MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY       MBEDTLS_OID_X509_EXT_INIHIBIT_ANYPOLICY
#define MBEDTLS_X509_EXT_FRESHEST_CRL             MBEDTLS_OID_X509_EXT_FRESHEST_CRL
#define MBEDTLS_X509_EXT_NS_CERT_TYPE             MBEDTLS_OID_X509_EXT_NS_CERT_TYPE
190
191
/*
 * Storage format identifiers
 * Recognized formats: PEM and DER
 * (input in neither encoding is reported as MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT)
 */
#define MBEDTLS_X509_FORMAT_DER                 1
#define MBEDTLS_X509_FORMAT_PEM                 2

#define MBEDTLS_X509_MAX_DN_NAME_SIZE         256 /**< Maximum value size of a DN entry (bytes) */
199
200
#ifdef __cplusplus
201
extern "C" {
202
#endif
203
204
/**
205
 * \addtogroup x509_module
206
 * \{ */
207
208
/**
209
 * \name Structures for parsing X.509 certificates, CRLs and CSRs
210
 * \{
211
 */
212
213
/**
 * Type-length-value structure that allows for ASN1 using DER.
 *
 * This and the following aliases let X.509 code reuse the generic ASN.1
 * containers declared in mbedtls/asn1.h (included above).
 */
typedef mbedtls_asn1_buf mbedtls_x509_buf;

/**
 * Container for ASN1 bit strings.
 */
typedef mbedtls_asn1_bitstring mbedtls_x509_bitstring;

/**
 * Container for ASN1 named information objects.
 * It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.).
 * Use mbedtls_x509_dn_get_next() below to step over a whole (possibly
 * multi-valued) RDN.
 */
typedef mbedtls_asn1_named_data mbedtls_x509_name;

/**
 * Container for a sequence of ASN.1 items
 */
typedef mbedtls_asn1_sequence mbedtls_x509_sequence;
233
234
/**
 * Container for the fields of the Authority Key Identifier object
 * (AuthorityKeyIdentifier, RFC 5280 section 4.2.1.1). All three RFC fields
 * are OPTIONAL in the encoding.
 */
typedef struct mbedtls_x509_authority {
    mbedtls_x509_buf keyIdentifier;             /**< keyIdentifier (OCTET STRING). */
    mbedtls_x509_sequence authorityCertIssuer;  /**< authorityCertIssuer (GeneralNames). */
    mbedtls_x509_buf authorityCertSerialNumber; /**< authorityCertSerialNumber (CertificateSerialNumber). */
    mbedtls_x509_buf raw;                       /**< Presumably the raw DER of the extension value — confirm against the parser. */
}
mbedtls_x509_authority;
244
245
/**
 * Container for date and time (precision in seconds).
 *
 * X.509 validity times are expressed in UTC (RFC 5280 section 4.1.2.5) and
 * this structure carries no time-zone field, so all values are taken to be
 * UTC. Compare instances with mbedtls_x509_time_cmp() rather than field by
 * field.
 */
typedef struct mbedtls_x509_time {
    int year, mon, day;         /**< Date. */
    int hour, min, sec;         /**< Time. */
}
mbedtls_x509_time;
251
252
/**
 * From RFC 5280 section 4.2.1.6:
 * OtherName ::= SEQUENCE {
 *      type-id    OBJECT IDENTIFIER,
 *      value      [0] EXPLICIT ANY DEFINED BY type-id }
 *
 * Future versions of the library may add new fields to this structure or
 * to its embedded union and structure.
 *
 * Only the HardwareModuleName form (RFC 4108) is represented in the union
 * at present; check \c type_id before reading any union member, since the
 * member is only meaningful for the matching type-id.
 */
typedef struct mbedtls_x509_san_other_name {
    /**
     * The type_id is an OID as defined in RFC 5280.
     * To check the value of the type id, you should use
     * \p MBEDTLS_OID_CMP with a known OID mbedtls_x509_buf.
     */
    mbedtls_x509_buf type_id;                   /**< The type id. */
    union {
        /**
         * From RFC 4108 section 5:
         * HardwareModuleName ::= SEQUENCE {
         *                         hwType OBJECT IDENTIFIER,
         *                         hwSerialNum OCTET STRING }
         */
        struct {
            mbedtls_x509_buf oid;               /**< The object identifier (hwType). */
            mbedtls_x509_buf val;               /**< The named value (hwSerialNum). */
        }
        hardware_module_name;
    }
    value;
}
mbedtls_x509_san_other_name;
284
285
/**
 * A structure for holding the parsed Subject Alternative Name,
 * according to type.
 *
 * Future versions of the library may add new fields to this structure or
 * to its embedded union and structure.
 *
 * \c type selects which member of \c san is valid; reading any other member
 * is undefined. Buffers inside point into the certificate's raw data and
 * live only as long as the certificate, while mbedtls_x509_parse_subject_alt_name()
 * may allocate extra memory that must be released with
 * mbedtls_x509_free_subject_alt_name().
 */
typedef struct mbedtls_x509_subject_alternative_name {
    int type;                              /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
    union {
        mbedtls_x509_san_other_name other_name;  /**< Valid when type is MBEDTLS_X509_SAN_OTHER_NAME. */
        mbedtls_x509_name directory_name;        /**< Valid when type is MBEDTLS_X509_SAN_DIRECTORY_NAME. */
        mbedtls_x509_buf unstructured_name; /**< The buffer for the unstructured types. rfc822Name, dnsName and uniformResourceIdentifier are currently supported. */
    }
    san; /**< A union of the supported SAN types */
}
mbedtls_x509_subject_alternative_name;
302
303
/**
 * Singly-linked list of parsed Subject Alternative Names.
 *
 * Each node embeds one mbedtls_x509_subject_alternative_name. \c next is
 * presumably NULL at the tail — confirm against the code that builds the list.
 */
typedef struct mbedtls_x509_san_list {
    mbedtls_x509_subject_alternative_name node;  /**< The SAN stored in this node. */
    struct mbedtls_x509_san_list *next;          /**< Following node in the list. */
}
mbedtls_x509_san_list;
308
309
/** \} name Structures for parsing X.509 certificates, CRLs and CSRs */
310
/** \} addtogroup x509_module */
311
312
/**
313
 * \brief          Store the certificate DN in printable form into buf;
314
 *                 no more than size characters will be written.
315
 *
316
 * \param buf      Buffer to write to
317
 * \param size     Maximum size of buffer
318
 * \param dn       The X509 name to represent
319
 *
320
 * \return         The length of the string written (not including the
321
 *                 terminated nul byte), or a negative error code.
322
 */
323
int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn);
324
325
/**
326
 * \brief            Convert the certificate DN string \p name into
327
 *                   a linked list of mbedtls_x509_name (equivalent to
328
 *                   mbedtls_asn1_named_data).
329
 *
330
 * \note             This function allocates a linked list, and places the head
331
 *                   pointer in \p head. This list must later be freed by a
332
 *                   call to mbedtls_asn1_free_named_data_list().
333
 *
334
 * \param[out] head  Address in which to store the pointer to the head of the
335
 *                   allocated list of mbedtls_x509_name
336
 * \param[in] name   The string representation of a DN to convert
337
 *
338
 * \return           0 on success, or a negative error code.
339
 */
340
int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name);
341
342
/**
 * \brief          Return the next relative DN in an X509 name.
 *
 * \note           Intended use is to compare function result to dn->next
 *                 in order to detect boundaries of multi-valued RDNs:
 *                 attribute-value pairs that belong to the same RDN carry
 *                 the next_merged flag, and this function steps over all
 *                 of them.
 *
 * \param dn       Current node in the X509 name. Must not be NULL.
 *
 * \return         Pointer to the first attribute-value pair of the
 *                 next RDN in sequence, or NULL if end is reached.
 */
static inline mbedtls_x509_name *mbedtls_x509_dn_get_next(
    mbedtls_x509_name *dn)
{
    mbedtls_x509_name *cur = dn;

    /* Advance while the current pair is merged with the following one.
     * The list end is checked first so that cur->next is always readable. */
    for (;;) {
        if (!cur->MBEDTLS_PRIVATE(next_merged) || cur->next == NULL) {
            return cur->next;
        }
        cur = cur->next;
    }
}
361
362
/**
363
 * \brief          Store the certificate serial in printable form into buf;
364
 *                 no more than size characters will be written.
365
 *
366
 * \param buf      Buffer to write to
367
 * \param size     Maximum size of buffer
368
 * \param serial   The X509 serial to represent
369
 *
370
 * \return         The length of the string written (not including the
371
 *                 terminated nul byte), or a negative error code.
372
 */
373
int mbedtls_x509_serial_gets(char *buf, size_t size, const mbedtls_x509_buf *serial);
374
375
/**
376
 * \brief          Compare pair of mbedtls_x509_time.
377
 *
378
 * \param t1       mbedtls_x509_time to compare
379
 * \param t2       mbedtls_x509_time to compare
380
 *
381
 * \return         < 0 if t1 is before t2
382
 *                   0 if t1 equals t2
383
 *                 > 0 if t1 is after t2
384
 */
385
int mbedtls_x509_time_cmp(const mbedtls_x509_time *t1, const mbedtls_x509_time *t2);
386
387
#if defined(MBEDTLS_HAVE_TIME_DATE)
388
/**
389
 * \brief          Fill mbedtls_x509_time with provided mbedtls_time_t.
390
 *
391
 * \param tt       mbedtls_time_t to convert
392
 * \param now      mbedtls_x509_time to fill with converted mbedtls_time_t
393
 *
394
 * \return         \c 0 on success
395
 * \return         A non-zero return value on failure.
396
 */
397
int mbedtls_x509_time_gmtime(mbedtls_time_t tt, mbedtls_x509_time *now);
398
#endif /* MBEDTLS_HAVE_TIME_DATE */
399
400
/**
401
 * \brief          Check a given mbedtls_x509_time against the system time
402
 *                 and tell if it's in the past.
403
 *
404
 * \note           Intended usage is "if( is_past( valid_to ) ) ERROR".
405
 *                 Hence the return value of 1 if on internal errors.
406
 *
407
 * \param to       mbedtls_x509_time to check
408
 *
409
 * \return         1 if the given time is in the past or an error occurred,
410
 *                 0 otherwise.
411
 */
412
int mbedtls_x509_time_is_past(const mbedtls_x509_time *to);
413
414
/**
415
 * \brief          Check a given mbedtls_x509_time against the system time
416
 *                 and tell if it's in the future.
417
 *
418
 * \note           Intended usage is "if( is_future( valid_from ) ) ERROR".
419
 *                 Hence the return value of 1 if on internal errors.
420
 *
421
 * \param from     mbedtls_x509_time to check
422
 *
423
 * \return         1 if the given time is in the future or an error occurred,
424
 *                 0 otherwise.
425
 */
426
int mbedtls_x509_time_is_future(const mbedtls_x509_time *from);
427
428
/**
429
 * \brief          This function parses an item in the SubjectAlternativeNames
430
 *                 extension. Please note that this function might allocate
431
 *                 additional memory for a subject alternative name, thus
432
 *                 mbedtls_x509_free_subject_alt_name has to be called
433
 *                 to dispose of this additional memory afterwards.
434
 *
435
 * \param san_buf  The buffer holding the raw data item of the subject
436
 *                 alternative name.
437
 * \param san      The target structure to populate with the parsed presentation
438
 *                 of the subject alternative name encoded in \p san_buf.
439
 *
440
 * \note           Supported GeneralName types, as defined in RFC 5280:
441
 *                 "rfc822Name", "dnsName", "directoryName",
442
 *                 "uniformResourceIdentifier" and "hardware_module_name"
443
 *                 of type "otherName", as defined in RFC 4108.
444
 *
445
 * \note           This function should be called on a single raw data of
446
 *                 subject alternative name. For example, after successful
447
 *                 certificate parsing, one must iterate on every item in the
448
 *                 \c crt->subject_alt_names sequence, and pass it to
449
 *                 this function.
450
 *
451
 * \warning        The target structure contains pointers to the raw data of the
452
 *                 parsed certificate, and its lifetime is restricted by the
453
 *                 lifetime of the certificate.
454
 *
455
 * \return         \c 0 on success
456
 * \return         #MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE for an unsupported
457
 *                 SAN type.
458
 * \return         Another negative value for any other failure.
459
 */
460
int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
461
                                        mbedtls_x509_subject_alternative_name *san);
462
/**
463
 * \brief          Unallocate all data related to subject alternative name
464
 *
465
 * \param san      SAN structure - extra memory owned by this structure will be freed
466
 */
467
void mbedtls_x509_free_subject_alt_name(mbedtls_x509_subject_alternative_name *san);
468
469
/**
470
 * \brief          This function parses a CN string as an IP address.
471
 *
472
 * \param cn       The CN string to parse. CN string MUST be null-terminated.
473
 * \param dst      The target buffer to populate with the binary IP address.
474
 *                 The buffer MUST be 16 bytes to save IPv6, and should be
475
 *                 4-byte aligned if the result will be used as struct in_addr.
476
 *                 e.g. uint32_t dst[4]
477
 *
478
 * \note           \p cn is parsed as an IPv6 address if string contains ':',
479
 *                 else \p cn is parsed as an IPv4 address.
480
 *
481
 * \return         Length of binary IP address; num bytes written to target.
482
 * \return         \c 0 on failure to parse CN string as an IP address.
483
 */
484
size_t mbedtls_x509_crt_parse_cn_inet_pton(const char *cn, void *dst);
485
486
/**
 * Advance the output cursor after an snprintf()-style call.
 *
 * Expects \c ret (the snprintf() return value), \c n (remaining buffer size,
 * size_t) and \c p (write pointer) to be in scope in the enclosing function,
 * which must return int. If the call failed or the output did not fit --
 * \c ret >= \c n, because snprintf() needs one extra byte for the terminating
 * NUL -- the macro returns #MBEDTLS_ERR_X509_BUFFER_TOO_SMALL from the
 * enclosing function; otherwise it consumes \c ret bytes of remaining space.
 */
#define MBEDTLS_X509_SAFE_SNPRINTF                          \
    do {                                                    \
        if (ret < 0 || (size_t) ret >= n)                  \
        return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;    \
                                                          \
        n -= (size_t) ret;                                  \
        p += (size_t) ret;                                  \
    } while (0)
494
495
#ifdef __cplusplus
496
}
497
#endif
498
499
#endif /* MBEDTLS_X509_H */