PolarSSL v1.1.4
The X.509 module provides X.509 support which includes: More...
Data Structures | |
struct | _x509_name |
Container for ASN1 named information objects. More... | |
struct | _x509_time |
Container for date and time (precision in seconds). More... | |
struct | _x509_cert |
Container for an X.509 certificate. More... | |
struct | _x509_crl_entry |
Certificate revocation list entry. More... | |
struct | _x509_crl |
Certificate revocation list structure. More... | |
X509 Error codes | |
#define | POLARSSL_ERR_X509_FEATURE_UNAVAILABLE -0x2080 |
Unavailable feature, e.g. | |
#define | POLARSSL_ERR_X509_CERT_INVALID_PEM -0x2100 |
The PEM-encoded certificate contains invalid elements, e.g. | |
#define | POLARSSL_ERR_X509_CERT_INVALID_FORMAT -0x2180 |
The certificate format is invalid, e.g. | |
#define | POLARSSL_ERR_X509_CERT_INVALID_VERSION -0x2200 |
The certificate version element is invalid. | |
#define | POLARSSL_ERR_X509_CERT_INVALID_SERIAL -0x2280 |
The serial tag or value is invalid. | |
#define | POLARSSL_ERR_X509_CERT_INVALID_ALG -0x2300 |
The algorithm tag or value is invalid. | |
#define | POLARSSL_ERR_X509_CERT_INVALID_NAME -0x2380 |
The name tag or value is invalid. | |
#define | POLARSSL_ERR_X509_CERT_INVALID_DATE -0x2400 |
The date tag or value is invalid. | |
#define | POLARSSL_ERR_X509_CERT_INVALID_PUBKEY -0x2480 |
The pubkey tag or value is invalid (only RSA is supported). | |
#define | POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE -0x2500 |
The signature tag or value is invalid. | |
#define | POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS -0x2580 |
The extension tag or value is invalid. | |
#define | POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION -0x2600 |
Certificate or CRL has an unsupported version number. | |
#define | POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG -0x2680 |
Signature algorithm (oid) is unsupported. | |
#define | POLARSSL_ERR_X509_UNKNOWN_PK_ALG -0x2700 |
Key algorithm is unsupported (only RSA is supported). | |
#define | POLARSSL_ERR_X509_CERT_SIG_MISMATCH -0x2780 |
Certificate signature algorithms do not match. | |
#define | POLARSSL_ERR_X509_CERT_VERIFY_FAILED -0x2800 |
Certificate verification failed, e.g. | |
#define | POLARSSL_ERR_X509_KEY_INVALID_VERSION -0x2880 |
Unsupported RSA key version. | |
#define | POLARSSL_ERR_X509_KEY_INVALID_FORMAT -0x2900 |
Invalid RSA key tag or value. | |
#define | POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT -0x2980 |
Format not recognized as DER or PEM. | |
#define | POLARSSL_ERR_X509_INVALID_INPUT -0x2A00 |
Input invalid. | |
#define | POLARSSL_ERR_X509_MALLOC_FAILED -0x2A80 |
Allocation of memory failed. | |
#define | POLARSSL_ERR_X509_FILE_IO_ERROR -0x2B00 |
Read/write of file failed. | |
X509 Verify codes | |
#define | BADCERT_EXPIRED 0x01 |
The certificate validity has expired. | |
#define | BADCERT_REVOKED 0x02 |
The certificate has been revoked (is on a CRL). | |
#define | BADCERT_CN_MISMATCH 0x04 |
The certificate Common Name (CN) does not match with the expected CN. | |
#define | BADCERT_NOT_TRUSTED 0x08 |
The certificate is not correctly signed by the trusted CA. | |
#define | BADCRL_NOT_TRUSTED 0x10 |
CRL is not correctly signed by the trusted CA. | |
#define | BADCRL_EXPIRED 0x20 |
CRL is expired. | |
#define | BADCERT_MISSING 0x40 |
Certificate was missing. | |
#define | BADCERT_SKIP_VERIFY 0x80 |
Certificate verification was skipped. | |
Structures for parsing X.509 certificates and CRLs | |
typedef asn1_buf | x509_buf |
Type-length-value structure that allows for ASN1 using DER. | |
typedef asn1_bitstring | x509_bitstring |
Container for ASN1 bit strings. | |
typedef struct _x509_name | x509_name |
Container for ASN1 named information objects. | |
typedef asn1_sequence | x509_sequence |
Container for a sequence of ASN.1 items. | |
typedef struct _x509_time | x509_time |
Container for date and time (precision in seconds). | |
typedef struct _x509_cert | x509_cert |
Container for an X.509 certificate. | |
typedef struct _x509_crl_entry | x509_crl_entry |
Certificate revocation list entry. | |
typedef struct _x509_crl | x509_crl |
Certificate revocation list structure. | |
Functions to read in DHM parameters, a certificate, CRL or private RSA key | |
int | x509parse_crt (x509_cert *chain, const unsigned char *buf, size_t buflen) |
Parse one or more certificates and add them to the chained list. | |
int | x509parse_crtfile (x509_cert *chain, const char *path) |
Load one or more certificates and add them to the chained list. | |
int | x509parse_crl (x509_crl *chain, const unsigned char *buf, size_t buflen) |
Parse one or more CRLs and add them to the chained list. | |
int | x509parse_crlfile (x509_crl *chain, const char *path) |
Load one or more CRLs and add them to the chained list. | |
int | x509parse_key (rsa_context *rsa, const unsigned char *key, size_t keylen, const unsigned char *pwd, size_t pwdlen) |
Parse a private RSA key. | |
int | x509parse_keyfile (rsa_context *rsa, const char *path, const char *password) |
Load and parse a private RSA key. | |
int | x509parse_public_key (rsa_context *rsa, const unsigned char *key, size_t keylen) |
Parse a public RSA key. | |
int | x509parse_public_keyfile (rsa_context *rsa, const char *path) |
Load and parse a public RSA key. | |
int | x509parse_dhm (dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen) |
Parse DHM parameters. | |
int | x509parse_dhmfile (dhm_context *dhm, const char *path) |
Load and parse DHM parameters. | |
Functions to verify a certificate | |
int | x509parse_verify (x509_cert *crt, x509_cert *trust_ca, x509_crl *ca_crl, const char *cn, int *flags, int(*f_vrfy)(void *, x509_cert *, int, int), void *p_vrfy) |
Verify the certificate signature. | |
int | x509parse_revoked (const x509_cert *crt, const x509_crl *crl) |
Verify the certificate revocation status. | |
Functions to clear a certificate, CRL or private RSA key | |
void | x509_free (x509_cert *crt) |
Unallocate all certificate data. | |
void | x509_crl_free (x509_crl *crl) |
Unallocate all CRL data. |
The X.509 module provides X.509 support which includes:
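- X.509 certificate (CRT) reading (see x509parse_crt() and x509parse_crtfile()).
- X.509 certificate revocation list (CRL) reading (see x509parse_crl() and x509parse_crlfile()).
- X.509 (RSA) private key reading (see x509parse_key() and x509parse_keyfile()).
- X.509 certificate signature verification (see x509parse_verify()).

This module can be used to build a certificate authority (CA) chain and verify its signature. It is also used to get a (RSA) private key for signing and decryption.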
#define BADCERT_CN_MISMATCH 0x04 |
#define BADCERT_EXPIRED 0x01 |
#define BADCERT_MISSING 0x40 |
#define BADCERT_NOT_TRUSTED 0x08 |
#define BADCERT_REVOKED 0x02 |
#define BADCERT_SKIP_VERIFY 0x80 |
#define BADCRL_EXPIRED 0x20 |
#define BADCRL_NOT_TRUSTED 0x10 |
#define POLARSSL_ERR_X509_CERT_INVALID_ALG -0x2300 |
#define POLARSSL_ERR_X509_CERT_INVALID_DATE -0x2400 |
#define POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS -0x2580 |
#define POLARSSL_ERR_X509_CERT_INVALID_FORMAT -0x2180 |
#define POLARSSL_ERR_X509_CERT_INVALID_NAME -0x2380 |
#define POLARSSL_ERR_X509_CERT_INVALID_PEM -0x2100 |
#define POLARSSL_ERR_X509_CERT_INVALID_PUBKEY -0x2480 |
#define POLARSSL_ERR_X509_CERT_INVALID_SERIAL -0x2280 |
#define POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE -0x2500 |
#define POLARSSL_ERR_X509_CERT_INVALID_VERSION -0x2200 |
#define POLARSSL_ERR_X509_CERT_SIG_MISMATCH -0x2780 |
#define POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT -0x2980 |
#define POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG -0x2680 |
#define POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION -0x2600 |
#define POLARSSL_ERR_X509_CERT_VERIFY_FAILED -0x2800 |
#define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE -0x2080 |
#define POLARSSL_ERR_X509_FILE_IO_ERROR -0x2B00 |
#define POLARSSL_ERR_X509_INVALID_INPUT -0x2A00 |
#define POLARSSL_ERR_X509_KEY_INVALID_FORMAT -0x2900 |
#define POLARSSL_ERR_X509_KEY_INVALID_VERSION -0x2880 |
#define POLARSSL_ERR_X509_MALLOC_FAILED -0x2A80 |
#define POLARSSL_ERR_X509_UNKNOWN_PK_ALG -0x2700 |
typedef asn1_bitstring x509_bitstring |
typedef struct _x509_cert x509_cert |
Container for an X.509 certificate.
The certificate may be chained.
typedef struct _x509_crl x509_crl |
Certificate revocation list structure.
Every CRL may have multiple entries.
typedef struct _x509_crl_entry x509_crl_entry |
Certificate revocation list entry.
Contains the CA-specific serial numbers and revocation dates.
typedef struct _x509_name x509_name |
Container for ASN1 named information objects.
It allows for Relative Distinguished Names (e.g. cn=polarssl,ou=code,etc.).
typedef asn1_sequence x509_sequence |
typedef struct _x509_time x509_time |
Container for date and time (precision in seconds).
void x509_crl_free | ( | x509_crl * | crl | ) |
Unallocate all CRL data.
crl | CRL chain to free |
void x509_free | ( | x509_cert * | crt | ) |
Unallocate all certificate data.
crt | Certificate chain to free |
int x509parse_crl | ( | x509_crl * | chain, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Parse one or more CRLs and add them to the chained list.
chain | points to the start of the chain |
buf | buffer holding the CRL data |
buflen | size of the buffer |
int x509parse_crlfile | ( | x509_crl * | chain, |
const char * | path | ||
) |
Load one or more CRLs and add them to the chained list.
chain | points to the start of the chain |
path | filename to read the CRLs from |
int x509parse_crt | ( | x509_cert * | chain, |
const unsigned char * | buf, | ||
size_t | buflen | ||
) |
Parse one or more certificates and add them to the chained list.
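Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned. A positive return value therefore means the chain was only partially loaded, so callers should compare the result against 0 rather than testing only for a negative error code.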
chain | points to the start of the chain |
buf | buffer holding the certificate data |
buflen | size of the buffer |
int x509parse_crtfile | ( | x509_cert * | chain, |
const char * | path | ||
) |
Load one or more certificates and add them to the chained list.
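Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned. A positive return value therefore means some certificates in the file were skipped, so callers should compare the result against 0 rather than testing only for a negative error code.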
chain | points to the start of the chain |
path | filename to read the certificates from |
int x509parse_dhm | ( | dhm_context * | dhm, |
const unsigned char * | dhmin, | ||
size_t | dhminlen | ||
) |
Parse DHM parameters.
dhm | DHM context to be initialized |
dhmin | input buffer |
dhminlen | size of the buffer |
int x509parse_dhmfile | ( | dhm_context * | dhm, |
const char * | path | ||
) |
Load and parse DHM parameters.
dhm | DHM context to be initialized |
path | filename to read the DHM Parameters from |
int x509parse_key | ( | rsa_context * | rsa, |
const unsigned char * | key, | ||
size_t | keylen, | ||
const unsigned char * | pwd, | ||
size_t | pwdlen | ||
) |
Parse a private RSA key.
rsa | RSA context to be initialized |
key | input buffer |
keylen | size of the buffer |
pwd | password for decryption (optional) |
pwdlen | size of the password |
int x509parse_keyfile | ( | rsa_context * | rsa, |
const char * | path, | ||
const char * | password | ||
) |
Load and parse a private RSA key.
rsa | RSA context to be initialized |
path | filename to read the private key from |
password | password to decrypt the file (can be NULL) |
int x509parse_public_key | ( | rsa_context * | rsa, |
const unsigned char * | key, | ||
size_t | keylen | ||
) |
Parse a public RSA key.
rsa | RSA context to be initialized |
key | input buffer |
keylen | size of the buffer |
int x509parse_public_keyfile | ( | rsa_context * | rsa, |
const char * | path | ||
) |
Load and parse a public RSA key.
rsa | RSA context to be initialized |
path | filename to read the public key from |
int x509parse_revoked | ( | const x509_cert * | crt, |
const x509_crl * | crl | ||
) |
Verify the certificate revocation status (whether the certificate is listed on the given CRL).
crt | a certificate to be verified |
crl | the CRL to verify against |
int x509parse_verify | ( | x509_cert * | crt, |
x509_cert * | trust_ca, | ||
x509_crl * | ca_crl, | ||
const char * | cn, | ||
int * | flags, | ||
int(*)(void *, x509_cert *, int, int) | f_vrfy, | ||
void * | p_vrfy | ||
) |
Verify the certificate signature.
crt | a certificate to be verified |
trust_ca | the trusted CA chain |
ca_crl | the CRL chain for the trusted CAs |
cn | expected Common Name (can be set to NULL if the CN is not to be verified; no name matching is then performed) |
flags | result of the verification (a bitmask of the X509 Verify codes, BADCERT_* and BADCRL_*, listed above) |
f_vrfy | verification function |
p_vrfy | verification parameter |