1 /** 2 * \file x509_crt.h 3 * 4 * \brief X.509 certificate parsing and writing 5 * 6 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 7 * SPDX-License-Identifier: Apache-2.0 8 * 9 * Licensed under the Apache License, Version 2.0 (the "License"); you may 10 * not use this file except in compliance with the License. 11 * You may obtain a copy of the License at 12 * 13 * http://www.apache.org/licenses/LICENSE-2.0 14 * 15 * Unless required by applicable law or agreed to in writing, software 16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 18 * See the License for the specific language governing permissions and 19 * limitations under the License. 20 * 21 * This file is part of mbed TLS (https://tls.mbed.org) 22 */ 23 #ifndef MBEDTLS_X509_CRT_H 24 #define MBEDTLS_X509_CRT_H 25 26 #if !defined(MBEDTLS_CONFIG_FILE) 27 #include "config.h" 28 #else 29 #include MBEDTLS_CONFIG_FILE 30 #endif 31 32 #include "x509.h" 33 #include "x509_crl.h" 34 35 /** 36 * \addtogroup x509_module 37 * \{ 38 */ 39 40 #ifdef __cplusplus 41 extern "C" { 42 #endif 43 44 /** 45 * \name Structures and functions for parsing and writing X.509 certificates 46 * \{ 47 */ 48 49 /** 50 * Container for an X.509 certificate. The certificate may be chained. 51 */ 52 typedef struct mbedtls_x509_crt 53 { 54 mbedtls_x509_buf raw; /**< The raw certificate data (DER). */ 55 mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */ 56 57 int version; /**< The X.509 version. (1=v1, 2=v2, 3=v3) */ 58 mbedtls_x509_buf serial; /**< Unique id for certificate issued by a specific CA. */ 59 mbedtls_x509_buf sig_oid; /**< Signature algorithm, e.g. sha1RSA */ 60 61 mbedtls_x509_buf issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */ 62 mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). Used for quick comparison. */ 63 64 mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */ 65 mbedtls_x509_name subject; /**< The parsed subject data (named information object). */ 66 67 mbedtls_x509_time valid_from; /**< Start time of certificate validity. */ 68 mbedtls_x509_time valid_to; /**< End time of certificate validity. */ 69 70 mbedtls_pk_context pk; /**< Container for the public key context. */ 71 72 mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */ 73 mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */ 74 mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */ 75 mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */ 76 77 int ext_types; /**< Bit string containing detected and parsed extensions */ 78 int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */ 79 int max_pathlen; /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */ 80 81 unsigned int key_usage; /**< Optional key usage extension value: See the values in x509.h */ 82 83 mbedtls_x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */ 84 85 unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */ 86 87 mbedtls_x509_buf sig; /**< Signature: hash of the tbs part signed with the private key. */ 88 mbedtls_md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ 89 mbedtls_pk_type_t sig_pk; /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ 90 void *sig_opts; /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */ 91 92 struct mbedtls_x509_crt *next; /**< Next certificate in the CA-chain. */ 93 } 94 mbedtls_x509_crt; 95 96 /** 97 * Build flag from an algorithm/curve identifier (pk, md, ecp) 98 * Since 0 is always XXX_NONE, ignore it. 99 */ 100 #define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( id - 1 ) ) 101 102 /** 103 * Security profile for certificate verification. 104 * 105 * All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG(). 106 */ 107 typedef struct 108 { 109 uint32_t allowed_mds; /**< MDs for signatures */ 110 uint32_t allowed_pks; /**< PK algs for signatures */ 111 uint32_t allowed_curves; /**< Elliptic curves for ECDSA */ 112 uint32_t rsa_min_bitlen; /**< Minimum size for RSA keys */ 113 } 114 mbedtls_x509_crt_profile; 115 116 #define MBEDTLS_X509_CRT_VERSION_1 0 117 #define MBEDTLS_X509_CRT_VERSION_2 1 118 #define MBEDTLS_X509_CRT_VERSION_3 2 119 120 #define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32 121 #define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15 122 123 #if !defined( MBEDTLS_X509_MAX_FILE_PATH_LEN ) 124 #define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 125 #endif 126 127 /** 128 * Container for writing a certificate (CRT) 129 */ 130 typedef struct mbedtls_x509write_cert 131 { 132 int version; 133 mbedtls_mpi serial; 134 mbedtls_pk_context *subject_key; 135 mbedtls_pk_context *issuer_key; 136 mbedtls_asn1_named_data *subject; 137 mbedtls_asn1_named_data *issuer; 138 mbedtls_md_type_t md_alg; 139 char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1]; 140 char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1]; 141 mbedtls_asn1_named_data *extensions; 142 } 143 mbedtls_x509write_cert; 144 145 #if defined(MBEDTLS_X509_CRT_PARSE_C) 146 /** 147 * Default security profile. Should provide a good balance between security 148 * and compatibility with current deployments. 149 */ 150 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default; 151 152 /** 153 * Expected next default profile. Recommended for new deployments. 154 * Currently targets a 128-bit security level, except for RSA-2048. 155 */ 156 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next; 157 158 /** 159 * NSA Suite B profile. 160 */ 161 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb; 162 163 /** 164 * \brief Parse a single DER formatted certificate and add it 165 * to the chained list. 166 * 167 * \param chain points to the start of the chain 168 * \param buf buffer holding the certificate DER data 169 * \param buflen size of the buffer 170 * 171 * \return 0 if successful, or a specific X509 or PEM error code 172 */ 173 int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *buf, 174 size_t buflen ); 175 176 /** 177 * \brief Parse one or more certificates and add them 178 * to the chained list. Parses permissively. If some 179 * certificates can be parsed, the result is the number 180 * of failed certificates it encountered. If none complete 181 * correctly, the first error is returned. 182 * 183 * \param chain points to the start of the chain 184 * \param buf buffer holding the certificate data in PEM or DER format 185 * \param buflen size of the buffer 186 * (including the terminating null byte for PEM data) 187 * 188 * \return 0 if all certificates parsed successfully, a positive number 189 * if partly successful or a specific X509 or PEM error code 190 */ 191 int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen ); 192 193 #if defined(MBEDTLS_FS_IO) 194 /** 195 * \brief Load one or more certificates and add them 196 * to the chained list. Parses permissively. If some 197 * certificates can be parsed, the result is the number 198 * of failed certificates it encountered. If none complete 199 * correctly, the first error is returned. 200 * 201 * \param chain points to the start of the chain 202 * \param path filename to read the certificates from 203 * 204 * \return 0 if all certificates parsed successfully, a positive number 205 * if partly successful or a specific X509 or PEM error code 206 */ 207 int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path ); 208 209 /** 210 * \brief Load one or more certificate files from a path and add them 211 * to the chained list. Parses permissively. If some 212 * certificates can be parsed, the result is the number 213 * of failed certificates it encountered. If none complete 214 * correctly, the first error is returned. 215 * 216 * \param chain points to the start of the chain 217 * \param path directory / folder to read the certificate files from 218 * 219 * \return 0 if all certificates parsed successfully, a positive number 220 * if partly successful or a specific X509 or PEM error code 221 */ 222 int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path ); 223 #endif /* MBEDTLS_FS_IO */ 224 225 /** 226 * \brief Returns an informational string about the 227 * certificate. 228 * 229 * \param buf Buffer to write to 230 * \param size Maximum size of buffer 231 * \param prefix A line prefix 232 * \param crt The X509 certificate to represent 233 * 234 * \return The length of the string written (not including the 235 * terminated nul byte), or a negative error code. 236 */ 237 int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix, 238 const mbedtls_x509_crt *crt ); 239 240 /** 241 * \brief Returns an informational string about the 242 * verification status of a certificate. 243 * 244 * \param buf Buffer to write to 245 * \param size Maximum size of buffer 246 * \param prefix A line prefix 247 * \param flags Verification flags created by mbedtls_x509_crt_verify() 248 * 249 * \return The length of the string written (not including the 250 * terminated nul byte), or a negative error code. 251 */ 252 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix, 253 uint32_t flags ); 254 255 /** 256 * \brief Verify the certificate signature 257 * 258 * The verify callback is a user-supplied callback that 259 * can clear / modify / add flags for a certificate. If set, 260 * the verification callback is called for each 261 * certificate in the chain (from the trust-ca down to the 262 * presented crt). The parameters for the callback are: 263 * (void *parameter, mbedtls_x509_crt *crt, int certificate_depth, 264 * int *flags). With the flags representing current flags for 265 * that specific certificate and the certificate depth from 266 * the bottom (Peer cert depth = 0). 267 * 268 * All flags left after returning from the callback 269 * are also returned to the application. The function should 270 * return 0 for anything but a fatal error. 271 * 272 * \note In case verification failed, the results can be displayed 273 * using \c mbedtls_x509_crt_verify_info() 274 * 275 * \note Same as \c mbedtls_x509_crt_verify_with_profile() with the 276 * default security profile. 277 * 278 * \note It is your responsibility to provide up-to-date CRLs for 279 * all trusted CAs. If no CRL is provided for the CA that was 280 * used to sign the certificate, CRL verification is skipped 281 * silently, that is *without* setting any flag. 282 * 283 * \param crt a certificate (chain) to be verified 284 * \param trust_ca the list of trusted CAs 285 * \param ca_crl the list of CRLs for trusted CAs (see note above) 286 * \param cn expected Common Name (can be set to 287 * NULL if the CN must not be verified) 288 * \param flags result of the verification 289 * \param f_vrfy verification function 290 * \param p_vrfy verification parameter 291 * 292 * \return 0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED 293 * in which case *flags will have one or more 294 * MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags 295 * set, 296 * or another error in case of a fatal error encountered 297 * during the verification process. 298 */ 299 int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, 300 mbedtls_x509_crt *trust_ca, 301 mbedtls_x509_crl *ca_crl, 302 const char *cn, uint32_t *flags, 303 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 304 void *p_vrfy ); 305 306 /** 307 * \brief Verify the certificate signature according to profile 308 * 309 * \note Same as \c mbedtls_x509_crt_verify(), but with explicit 310 * security profile. 311 * 312 * \note The restrictions on keys (RSA minimum size, allowed curves 313 * for ECDSA) apply to all certificates: trusted root, 314 * intermediate CAs if any, and end entity certificate. 315 * 316 * \param crt a certificate (chain) to be verified 317 * \param trust_ca the list of trusted CAs 318 * \param ca_crl the list of CRLs for trusted CAs 319 * \param profile security profile for verification 320 * \param cn expected Common Name (can be set to 321 * NULL if the CN must not be verified) 322 * \param flags result of the verification 323 * \param f_vrfy verification function 324 * \param p_vrfy verification parameter 325 * 326 * \return 0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED 327 * in which case *flags will have one or more 328 * MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags 329 * set, 330 * or another error in case of a fatal error encountered 331 * during the verification process. 332 */ 333 int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt, 334 mbedtls_x509_crt *trust_ca, 335 mbedtls_x509_crl *ca_crl, 336 const mbedtls_x509_crt_profile *profile, 337 const char *cn, uint32_t *flags, 338 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 339 void *p_vrfy ); 340 341 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) 342 /** 343 * \brief Check usage of certificate against keyUsage extension. 344 * 345 * \param crt Leaf certificate used. 346 * \param usage Intended usage(s) (eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT 347 * before using the certificate to perform an RSA key 348 * exchange). 349 * 350 * \note Except for decipherOnly and encipherOnly, a bit set in the 351 * usage argument means this bit MUST be set in the 352 * certificate. For decipherOnly and encipherOnly, it means 353 * that bit MAY be set. 354 * 355 * \return 0 is these uses of the certificate are allowed, 356 * MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension 357 * is present but does not match the usage argument. 358 * 359 * \note You should only call this function on leaf certificates, on 360 * (intermediate) CAs the keyUsage extension is automatically 361 * checked by \c mbedtls_x509_crt_verify(). 362 */ 363 int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, 364 unsigned int usage ); 365 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */ 366 367 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 368 /** 369 * \brief Check usage of certificate against extentedJeyUsage. 370 * 371 * \param crt Leaf certificate used. 372 * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or MBEDTLS_OID_CLIENT_AUTH). 373 * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()). 374 * 375 * \return 0 if this use of the certificate is allowed, 376 * MBEDTLS_ERR_X509_BAD_INPUT_DATA if not. 377 * 378 * \note Usually only makes sense on leaf certificates. 379 */ 380 int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt, 381 const char *usage_oid, 382 size_t usage_len ); 383 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) */ 384 385 #if defined(MBEDTLS_X509_CRL_PARSE_C) 386 /** 387 * \brief Verify the certificate revocation status 388 * 389 * \param crt a certificate to be verified 390 * \param crl the CRL to verify against 391 * 392 * \return 1 if the certificate is revoked, 0 otherwise 393 * 394 */ 395 int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl ); 396 #endif /* MBEDTLS_X509_CRL_PARSE_C */ 397 398 /** 399 * \brief Initialize a certificate (chain) 400 * 401 * \param crt Certificate chain to initialize 402 */ 403 void mbedtls_x509_crt_init( mbedtls_x509_crt *crt ); 404 405 /** 406 * \brief Unallocate all certificate data 407 * 408 * \param crt Certificate chain to free 409 */ 410 void mbedtls_x509_crt_free( mbedtls_x509_crt *crt ); 411 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 412 413 /* \} name */ 414 /* \} addtogroup x509_module */ 415 416 #if defined(MBEDTLS_X509_CRT_WRITE_C) 417 /** 418 * \brief Initialize a CRT writing context 419 * 420 * \param ctx CRT context to initialize 421 */ 422 void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx ); 423 424 /** 425 * \brief Set the verion for a Certificate 426 * Default: MBEDTLS_X509_CRT_VERSION_3 427 * 428 * \param ctx CRT context to use 429 * \param version version to set (MBEDTLS_X509_CRT_VERSION_1, MBEDTLS_X509_CRT_VERSION_2 or 430 * MBEDTLS_X509_CRT_VERSION_3) 431 */ 432 void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version ); 433 434 /** 435 * \brief Set the serial number for a Certificate. 436 * 437 * \param ctx CRT context to use 438 * \param serial serial number to set 439 * 440 * \return 0 if successful 441 */ 442 int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial ); 443 444 /** 445 * \brief Set the validity period for a Certificate 446 * Timestamps should be in string format for UTC timezone 447 * i.e. "YYYYMMDDhhmmss" 448 * e.g. "20131231235959" for December 31st 2013 449 * at 23:59:59 450 * 451 * \param ctx CRT context to use 452 * \param not_before not_before timestamp 453 * \param not_after not_after timestamp 454 * 455 * \return 0 if timestamp was parsed successfully, or 456 * a specific error code 457 */ 458 int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before, 459 const char *not_after ); 460 461 /** 462 * \brief Set the issuer name for a Certificate 463 * Issuer names should contain a comma-separated list 464 * of OID types and values: 465 * e.g. "C=UK,O=ARM,CN=mbed TLS CA" 466 * 467 * \param ctx CRT context to use 468 * \param issuer_name issuer name to set 469 * 470 * \return 0 if issuer name was parsed successfully, or 471 * a specific error code 472 */ 473 int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *ctx, 474 const char *issuer_name ); 475 476 /** 477 * \brief Set the subject name for a Certificate 478 * Subject names should contain a comma-separated list 479 * of OID types and values: 480 * e.g. "C=UK,O=ARM,CN=mbed TLS Server 1" 481 * 482 * \param ctx CRT context to use 483 * \param subject_name subject name to set 484 * 485 * \return 0 if subject name was parsed successfully, or 486 * a specific error code 487 */ 488 int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *ctx, 489 const char *subject_name ); 490 491 /** 492 * \brief Set the subject public key for the certificate 493 * 494 * \param ctx CRT context to use 495 * \param key public key to include 496 */ 497 void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key ); 498 499 /** 500 * \brief Set the issuer key used for signing the certificate 501 * 502 * \param ctx CRT context to use 503 * \param key private key to sign with 504 */ 505 void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key ); 506 507 /** 508 * \brief Set the MD algorithm to use for the signature 509 * (e.g. MBEDTLS_MD_SHA1) 510 * 511 * \param ctx CRT context to use 512 * \param md_alg MD algorithm to use 513 */ 514 void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg ); 515 516 /** 517 * \brief Generic function to add to or replace an extension in the 518 * CRT 519 * 520 * \param ctx CRT context to use 521 * \param oid OID of the extension 522 * \param oid_len length of the OID 523 * \param critical if the extension is critical (per the RFC's definition) 524 * \param val value of the extension OCTET STRING 525 * \param val_len length of the value data 526 * 527 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 528 */ 529 int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx, 530 const char *oid, size_t oid_len, 531 int critical, 532 const unsigned char *val, size_t val_len ); 533 534 /** 535 * \brief Set the basicConstraints extension for a CRT 536 * 537 * \param ctx CRT context to use 538 * \param is_ca is this a CA certificate 539 * \param max_pathlen maximum length of certificate chains below this 540 * certificate (only for CA certificates, -1 is 541 * inlimited) 542 * 543 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 544 */ 545 int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx, 546 int is_ca, int max_pathlen ); 547 548 #if defined(MBEDTLS_SHA1_C) 549 /** 550 * \brief Set the subjectKeyIdentifier extension for a CRT 551 * Requires that mbedtls_x509write_crt_set_subject_key() has been 552 * called before 553 * 554 * \param ctx CRT context to use 555 * 556 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 557 */ 558 int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx ); 559 560 /** 561 * \brief Set the authorityKeyIdentifier extension for a CRT 562 * Requires that mbedtls_x509write_crt_set_issuer_key() has been 563 * called before 564 * 565 * \param ctx CRT context to use 566 * 567 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 568 */ 569 int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx ); 570 #endif /* MBEDTLS_SHA1_C */ 571 572 /** 573 * \brief Set the Key Usage Extension flags 574 * (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN) 575 * 576 * \param ctx CRT context to use 577 * \param key_usage key usage flags to set 578 * 579 * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED 580 */ 581 int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, 582 unsigned int key_usage ); 583 584 /** 585 * \brief Set the Netscape Cert Type flags 586 * (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL) 587 * 588 * \param ctx CRT context to use 589 * \param ns_cert_type Netscape Cert Type flags to set 590 * 591 * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED 592 */ 593 int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx, 594 unsigned char ns_cert_type ); 595 596 /** 597 * \brief Free the contents of a CRT write context 598 * 599 * \param ctx CRT context to free 600 */ 601 void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx ); 602 603 /** 604 * \brief Write a built up certificate to a X509 DER structure 605 * Note: data is written at the end of the buffer! Use the 606 * return value to determine where you should start 607 * using the buffer 608 * 609 * \param ctx certificate to write away 610 * \param buf buffer to write to 611 * \param size size of the buffer 612 * \param f_rng RNG function (for signature, see note) 613 * \param p_rng RNG parameter 614 * 615 * \return length of data written if successful, or a specific 616 * error code 617 * 618 * \note f_rng may be NULL if RSA is used for signature and the 619 * signature is made offline (otherwise f_rng is desirable 620 * for countermeasures against timing attacks). 621 * ECDSA signatures always require a non-NULL f_rng. 622 */ 623 int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, 624 int (*f_rng)(void *, unsigned char *, size_t), 625 void *p_rng ); 626 627 #if defined(MBEDTLS_PEM_WRITE_C) 628 /** 629 * \brief Write a built up certificate to a X509 PEM string 630 * 631 * \param ctx certificate to write away 632 * \param buf buffer to write to 633 * \param size size of the buffer 634 * \param f_rng RNG function (for signature, see note) 635 * \param p_rng RNG parameter 636 * 637 * \return 0 if successful, or a specific error code 638 * 639 * \note f_rng may be NULL if RSA is used for signature and the 640 * signature is made offline (otherwise f_rng is desirable 641 * for countermeasures against timing attacks). 642 * ECDSA signatures always require a non-NULL f_rng. 643 */ 644 int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, 645 int (*f_rng)(void *, unsigned char *, size_t), 646 void *p_rng ); 647 #endif /* MBEDTLS_PEM_WRITE_C */ 648 #endif /* MBEDTLS_X509_CRT_WRITE_C */ 649 650 #ifdef __cplusplus 651 } 652 #endif 653 654 #endif /* mbedtls_x509_crt.h */ 655
