PolarSSL v1.1.4
Data Structures
X.509 module

The X.509 module provides X.509 support which includes: More...

Data Structures

struct  _x509_name
 Container for ASN1 named information objects. More...
struct  _x509_time
 Container for date and time (precision in seconds). More...
struct  _x509_cert
 Container for an X.509 certificate. More...
struct  _x509_crl_entry
 Certificate revocation list entry. More...
struct  _x509_crl
 Certificate revocation list structure. More...

X509 Error codes

#define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE   -0x2080
 Unavailable feature, e.g.
#define POLARSSL_ERR_X509_CERT_INVALID_PEM   -0x2100
 The PEM-encoded certificate contains invalid elements, e.g.
#define POLARSSL_ERR_X509_CERT_INVALID_FORMAT   -0x2180
 The certificate format is invalid, e.g.
#define POLARSSL_ERR_X509_CERT_INVALID_VERSION   -0x2200
 The certificate version element is invalid.
#define POLARSSL_ERR_X509_CERT_INVALID_SERIAL   -0x2280
 The serial tag or value is invalid.
#define POLARSSL_ERR_X509_CERT_INVALID_ALG   -0x2300
 The algorithm tag or value is invalid.
#define POLARSSL_ERR_X509_CERT_INVALID_NAME   -0x2380
 The name tag or value is invalid.
#define POLARSSL_ERR_X509_CERT_INVALID_DATE   -0x2400
 The date tag or value is invalid.
#define POLARSSL_ERR_X509_CERT_INVALID_PUBKEY   -0x2480
 The pubkey tag or value is invalid (only RSA is supported).
#define POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE   -0x2500
 The signature tag or value invalid.
#define POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS   -0x2580
 The extension tag or value is invalid.
#define POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION   -0x2600
 Certificate or CRL has an unsupported version number.
#define POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG   -0x2680
 Signature algorithm (oid) is unsupported.
#define POLARSSL_ERR_X509_UNKNOWN_PK_ALG   -0x2700
 Key algorithm is unsupported (only RSA is supported).
#define POLARSSL_ERR_X509_CERT_SIG_MISMATCH   -0x2780
 Certificate signature algorithms do not match.
#define POLARSSL_ERR_X509_CERT_VERIFY_FAILED   -0x2800
 Certificate verification failed, e.g.
#define POLARSSL_ERR_X509_KEY_INVALID_VERSION   -0x2880
 Unsupported RSA key version.
#define POLARSSL_ERR_X509_KEY_INVALID_FORMAT   -0x2900
 Invalid RSA key tag or value.
#define POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT   -0x2980
 Format not recognized as DER or PEM.
#define POLARSSL_ERR_X509_INVALID_INPUT   -0x2A00
 Input invalid.
#define POLARSSL_ERR_X509_MALLOC_FAILED   -0x2A80
 Allocation of memory failed.
#define POLARSSL_ERR_X509_FILE_IO_ERROR   -0x2B00
 Read/write of file failed.

X509 Verify codes

#define BADCERT_EXPIRED   0x01
 The certificate validity has expired.
#define BADCERT_REVOKED   0x02
 The certificate has been revoked (is on a CRL).
#define BADCERT_CN_MISMATCH   0x04
 The certificate Common Name (CN) does not match with the expected CN.
#define BADCERT_NOT_TRUSTED   0x08
 The certificate is not correctly signed by the trusted CA.
#define BADCRL_NOT_TRUSTED   0x10
 CRL is not correctly signed by the trusted CA.
#define BADCRL_EXPIRED   0x20
 CRL is expired.
#define BADCERT_MISSING   0x40
 Certificate was missing.
#define BADCERT_SKIP_VERIFY   0x80
 Certificate verification was skipped.

Structures for parsing X.509 certificates and CRLs

typedef asn1_buf x509_buf
 Type-length-value structure that allows for ASN1 using DER.
typedef asn1_bitstring x509_bitstring
 Container for ASN1 bit strings.
typedef struct _x509_name x509_name
 Container for ASN1 named information objects.
typedef asn1_sequence x509_sequence
 Container for a sequence of ASN.1 items.
typedef struct _x509_time x509_time
 Container for date and time (precision in seconds).
typedef struct _x509_cert x509_cert
 Container for an X.509 certificate.
typedef struct _x509_crl_entry x509_crl_entry
 Certificate revocation list entry.
typedef struct _x509_crl x509_crl
 Certificate revocation list structure.

Functions to read in DHM parameters, a certificate, CRL or private RSA key

int x509parse_crt (x509_cert *chain, const unsigned char *buf, size_t buflen)
 Parse one or more certificates and add them to the chained list.
int x509parse_crtfile (x509_cert *chain, const char *path)
 Load one or more certificates and add them to the chained list.
int x509parse_crl (x509_crl *chain, const unsigned char *buf, size_t buflen)
 Parse one or more CRLs and add them to the chained list.
int x509parse_crlfile (x509_crl *chain, const char *path)
 Load one or more CRLs and add them to the chained list.
int x509parse_key (rsa_context *rsa, const unsigned char *key, size_t keylen, const unsigned char *pwd, size_t pwdlen)
 Parse a private RSA key.
int x509parse_keyfile (rsa_context *rsa, const char *path, const char *password)
 Load and parse a private RSA key.
int x509parse_public_key (rsa_context *rsa, const unsigned char *key, size_t keylen)
 Parse a public RSA key.
int x509parse_public_keyfile (rsa_context *rsa, const char *path)
 Load and parse a public RSA key.
int x509parse_dhm (dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen)
 Parse DHM parameters.
int x509parse_dhmfile (dhm_context *dhm, const char *path)
 Load and parse DHM parameters.

Functions to verify a certificate

int x509parse_verify (x509_cert *crt, x509_cert *trust_ca, x509_crl *ca_crl, const char *cn, int *flags, int(*f_vrfy)(void *, x509_cert *, int, int), void *p_vrfy)
 Verify the certificate signature.
int x509parse_revoked (const x509_cert *crt, const x509_crl *crl)
 Verify the certificate signature.

Functions to clear a certificate, CRL or private RSA key

void x509_free (x509_cert *crt)
 Unallocate all certificate data.
void x509_crl_free (x509_crl *crl)
 Unallocate all CRL data.

Detailed Description

The X.509 module provides X.509 support which includes:

This module can be used to build a certificate authority (CA) chain and verify its signature. It is also used to get a (RSA) private key for signing and decryption.


Define Documentation

#define BADCERT_CN_MISMATCH   0x04

The certificate Common Name (CN) does not match with the expected CN.

Definition at line 74 of file x509.h.

#define BADCERT_EXPIRED   0x01

The certificate validity has expired.

Definition at line 72 of file x509.h.

#define BADCERT_MISSING   0x40

Certificate was missing.

Definition at line 78 of file x509.h.

#define BADCERT_NOT_TRUSTED   0x08

The certificate is not correctly signed by the trusted CA.

Definition at line 75 of file x509.h.

#define BADCERT_REVOKED   0x02

The certificate has been revoked (is on a CRL).

Definition at line 73 of file x509.h.

#define BADCERT_SKIP_VERIFY   0x80

Certificate verification was skipped.

Definition at line 79 of file x509.h.

#define BADCRL_EXPIRED   0x20

CRL is expired.

Definition at line 77 of file x509.h.

#define BADCRL_NOT_TRUSTED   0x10

CRL is not correctly signed by the trusted CA.

Definition at line 76 of file x509.h.

#define POLARSSL_ERR_X509_CERT_INVALID_ALG   -0x2300

The algorithm tag or value is invalid.

Definition at line 48 of file x509.h.

The date tag or value is invalid.

Definition at line 50 of file x509.h.

The extension tag or value is invalid.

Definition at line 53 of file x509.h.

The certificate format is invalid, e.g.

different type expected.

Definition at line 45 of file x509.h.

The name tag or value is invalid.

Definition at line 49 of file x509.h.

#define POLARSSL_ERR_X509_CERT_INVALID_PEM   -0x2100

The PEM-encoded certificate contains invalid elements, e.g.

invalid character.

Definition at line 44 of file x509.h.

The pubkey tag or value is invalid (only RSA is supported).

Definition at line 51 of file x509.h.

The serial tag or value is invalid.

Definition at line 47 of file x509.h.

The signature tag or value invalid.

Definition at line 52 of file x509.h.

The certificate version element is invalid.

Definition at line 46 of file x509.h.

Certificate signature algorithms do not match.

(see x509_cert sig_oid)

Definition at line 57 of file x509.h.

Format not recognized as DER or PEM.

Definition at line 61 of file x509.h.

Signature algorithm (oid) is unsupported.

Definition at line 55 of file x509.h.

Certificate or CRL has an unsupported version number.

Definition at line 54 of file x509.h.

Certificate verification failed, e.g.

CRL, CA or signature check failed.

Definition at line 58 of file x509.h.

Unavailable feature, e.g.

RSA hashing/encryption combination.

Definition at line 43 of file x509.h.

#define POLARSSL_ERR_X509_FILE_IO_ERROR   -0x2B00

Read/write of file failed.

Definition at line 64 of file x509.h.

#define POLARSSL_ERR_X509_INVALID_INPUT   -0x2A00

Input invalid.

Definition at line 62 of file x509.h.

Invalid RSA key tag or value.

Definition at line 60 of file x509.h.

Unsupported RSA key version.

Definition at line 59 of file x509.h.

#define POLARSSL_ERR_X509_MALLOC_FAILED   -0x2A80

Allocation of memory failed.

Definition at line 63 of file x509.h.

#define POLARSSL_ERR_X509_UNKNOWN_PK_ALG   -0x2700

Key algorithm is unsupported (only RSA is supported).

Definition at line 56 of file x509.h.


Typedef Documentation

Container for ASN1 bit strings.

Definition at line 249 of file x509.h.

typedef asn1_buf x509_buf

Type-length-value structure that allows for ASN1 using DER.

Definition at line 244 of file x509.h.

typedef struct _x509_cert x509_cert

Container for an X.509 certificate.

The certificate may be chained.

typedef struct _x509_crl x509_crl

Certificate revocation list structure.

Every CRL may have multiple entries.

Certificate revocation list entry.

Contains the CA-specific serial numbers and revocation dates.

typedef struct _x509_name x509_name

Container for ASN1 named information objects.

It allows for Relative Distinguished Names (e.g. cn=polarssl,ou=code,etc.).

Container for a sequence of ASN.1 items.

Definition at line 266 of file x509.h.

typedef struct _x509_time x509_time

Container for date and time (precision in seconds).


Function Documentation

void x509_crl_free ( x509_crl crl)

Unallocate all CRL data.

Parameters:
crlCRL chain to free
void x509_free ( x509_cert crt)

Unallocate all certificate data.

Parameters:
crtCertificate chain to free
int x509parse_crl ( x509_crl chain,
const unsigned char *  buf,
size_t  buflen 
)

Parse one or more CRLs and add them to the chained list.

Parameters:
chainpoints to the start of the chain
bufbuffer holding the CRL data
buflensize of the buffer
Returns:
0 if successful, or a specific X509 or PEM error code
int x509parse_crlfile ( x509_crl chain,
const char *  path 
)

Load one or more CRLs and add them to the chained list.

Parameters:
chainpoints to the start of the chain
pathfilename to read the CRLs from
Returns:
0 if successful, or a specific X509 or PEM error code
int x509parse_crt ( x509_cert chain,
const unsigned char *  buf,
size_t  buflen 
)

Parse one or more certificates and add them to the chained list.

Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.

Parameters:
chainpoints to the start of the chain
bufbuffer holding the certificate data
buflensize of the buffer
Returns:
0 if all certificates parsed successfully, a positive number if partly successful or a specific X509 or PEM error code
int x509parse_crtfile ( x509_cert chain,
const char *  path 
)

Load one or more certificates and add them to the chained list.

Parses permissively. If some certificates can be parsed, the result is the number of failed certificates it encountered. If none complete correctly, the first error is returned.

Parameters:
chainpoints to the start of the chain
pathfilename to read the certificates from
Returns:
0 if all certificates parsed successfully, a positive number if partly successful or a specific X509 or PEM error code
int x509parse_dhm ( dhm_context dhm,
const unsigned char *  dhmin,
size_t  dhminlen 
)

Parse DHM parameters.

Parameters:
dhmDHM context to be initialized
dhmininput buffer
dhminlensize of the buffer
Returns:
0 if successful, or a specific X509 or PEM error code
int x509parse_dhmfile ( dhm_context dhm,
const char *  path 
)

Load and parse DHM parameters.

Parameters:
dhmDHM context to be initialized
pathfilename to read the DHM Parameters from
Returns:
0 if successful, or a specific X509 or PEM error code
int x509parse_key ( rsa_context rsa,
const unsigned char *  key,
size_t  keylen,
const unsigned char *  pwd,
size_t  pwdlen 
)

Parse a private RSA key.

Parameters:
rsaRSA context to be initialized
keyinput buffer
keylensize of the buffer
pwdpassword for decryption (optional)
pwdlensize of the password
Returns:
0 if successful, or a specific X509 or PEM error code
int x509parse_keyfile ( rsa_context rsa,
const char *  path,
const char *  password 
)

Load and parse a private RSA key.

Parameters:
rsaRSA context to be initialized
pathfilename to read the private key from
passwordpassword to decrypt the file (can be NULL)
Returns:
0 if successful, or a specific X509 or PEM error code
int x509parse_public_key ( rsa_context rsa,
const unsigned char *  key,
size_t  keylen 
)

Parse a public RSA key.

Parameters:
rsaRSA context to be initialized
keyinput buffer
keylensize of the buffer
Returns:
0 if successful, or a specific X509 or PEM error code
int x509parse_public_keyfile ( rsa_context rsa,
const char *  path 
)

Load and parse a public RSA key.

Parameters:
rsaRSA context to be initialized
pathfilename to read the private key from
Returns:
0 if successful, or a specific X509 or PEM error code
int x509parse_revoked ( const x509_cert crt,
const x509_crl crl 
)

Verify the certificate signature.

Parameters:
crta certificate to be verified
crlthe CRL to verify against
Returns:
1 if the certificate is revoked, 0 otherwise
int x509parse_verify ( x509_cert crt,
x509_cert trust_ca,
x509_crl ca_crl,
const char *  cn,
int *  flags,
int(*)(void *, x509_cert *, int, int)  f_vrfy,
void *  p_vrfy 
)

Verify the certificate signature.

Parameters:
crta certificate to be verified
trust_cathe trusted CA chain
ca_crlthe CRL chain for trusted CA's
cnexpected Common Name (can be set to NULL if the CN must not be verified)
flagsresult of the verification
f_vrfyverification function
p_vrfyverification parameter
Returns:
0 if successful or POLARSSL_ERR_X509_SIG_VERIFY_FAILED, in which case *flags will have one or more of the following values set: BADCERT_EXPIRED -- BADCERT_REVOKED -- BADCERT_CN_MISMATCH -- BADCERT_NOT_TRUSTED
Note:
TODO: add two arguments, depth and crl