2 * X.509 common functions for parsing and verification
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
19 * This file is part of mbed TLS (https://tls.mbed.org)
22 * The ITU-T X.509 standard defines a certificate format for PKI.
24 * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
25 * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
26 * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
28 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
29 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
32 #if !defined(MBEDTLS_CONFIG_FILE)
33 #include "mbedtls/config.h"
35 #include MBEDTLS_CONFIG_FILE
38 #if defined(MBEDTLS_X509_USE_C)
40 #include "mbedtls/x509.h"
41 #include "mbedtls/asn1.h"
42 #include "mbedtls/oid.h"
47 #if defined(MBEDTLS_PEM_PARSE_C)
48 #include "mbedtls/pem.h"
51 #if defined(MBEDTLS_PLATFORM_C)
52 #include "mbedtls/platform.h"
56 #define mbedtls_free free
57 #define mbedtls_calloc calloc
58 #define mbedtls_printf printf
59 #define mbedtls_snprintf snprintf
62 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
68 #if defined(MBEDTLS_FS_IO)
71 #include <sys/types.h>
77 #define CHECK(code) if( ( ret = code ) != 0 ){ return( ret ); }
80 * CertificateSerialNumber ::= INTEGER
82 int mbedtls_x509_get_serial( unsigned char **p
, const unsigned char *end
,
83 mbedtls_x509_buf
*serial
)
87 if( ( end
- *p
) < 1 )
88 return( MBEDTLS_ERR_X509_INVALID_SERIAL
+
89 MBEDTLS_ERR_ASN1_OUT_OF_DATA
);
91 if( **p
!= ( MBEDTLS_ASN1_CONTEXT_SPECIFIC
| MBEDTLS_ASN1_PRIMITIVE
| 2 ) &&
92 **p
!= MBEDTLS_ASN1_INTEGER
)
93 return( MBEDTLS_ERR_X509_INVALID_SERIAL
+
94 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
);
96 serial
->tag
= *(*p
)++;
98 if( ( ret
= mbedtls_asn1_get_len( p
, end
, &serial
->len
) ) != 0 )
99 return( MBEDTLS_ERR_X509_INVALID_SERIAL
+ ret
);
107 /* Get an algorithm identifier without parameters (eg for signatures)
109 * AlgorithmIdentifier ::= SEQUENCE {
110 * algorithm OBJECT IDENTIFIER,
111 * parameters ANY DEFINED BY algorithm OPTIONAL }
113 int mbedtls_x509_get_alg_null( unsigned char **p
, const unsigned char *end
,
114 mbedtls_x509_buf
*alg
)
118 if( ( ret
= mbedtls_asn1_get_alg_null( p
, end
, alg
) ) != 0 )
119 return( MBEDTLS_ERR_X509_INVALID_ALG
+ ret
);
125 * Parse an algorithm identifier with (optional) paramaters
127 int mbedtls_x509_get_alg( unsigned char **p
, const unsigned char *end
,
128 mbedtls_x509_buf
*alg
, mbedtls_x509_buf
*params
)
132 if( ( ret
= mbedtls_asn1_get_alg( p
, end
, alg
, params
) ) != 0 )
133 return( MBEDTLS_ERR_X509_INVALID_ALG
+ ret
);
138 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
140 * HashAlgorithm ::= AlgorithmIdentifier
142 * AlgorithmIdentifier ::= SEQUENCE {
143 * algorithm OBJECT IDENTIFIER,
144 * parameters ANY DEFINED BY algorithm OPTIONAL }
146 * For HashAlgorithm, parameters MUST be NULL or absent.
148 static int x509_get_hash_alg( const mbedtls_x509_buf
*alg
, mbedtls_md_type_t
*md_alg
)
152 const unsigned char *end
;
153 mbedtls_x509_buf md_oid
;
156 /* Make sure we got a SEQUENCE and setup bounds */
157 if( alg
->tag
!= ( MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SEQUENCE
) )
158 return( MBEDTLS_ERR_X509_INVALID_ALG
+
159 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
);
161 p
= (unsigned char *) alg
->p
;
165 return( MBEDTLS_ERR_X509_INVALID_ALG
+
166 MBEDTLS_ERR_ASN1_OUT_OF_DATA
);
171 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &md_oid
.len
, MBEDTLS_ASN1_OID
) ) != 0 )
172 return( MBEDTLS_ERR_X509_INVALID_ALG
+ ret
);
177 /* Get md_alg from md_oid */
178 if( ( ret
= mbedtls_oid_get_md_alg( &md_oid
, md_alg
) ) != 0 )
179 return( MBEDTLS_ERR_X509_INVALID_ALG
+ ret
);
181 /* Make sure params is absent of NULL */
185 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &len
, MBEDTLS_ASN1_NULL
) ) != 0 || len
!= 0 )
186 return( MBEDTLS_ERR_X509_INVALID_ALG
+ ret
);
189 return( MBEDTLS_ERR_X509_INVALID_ALG
+
190 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
);
196 * RSASSA-PSS-params ::= SEQUENCE {
197 * hashAlgorithm [0] HashAlgorithm DEFAULT sha1Identifier,
198 * maskGenAlgorithm [1] MaskGenAlgorithm DEFAULT mgf1SHA1Identifier,
199 * saltLength [2] INTEGER DEFAULT 20,
200 * trailerField [3] INTEGER DEFAULT 1 }
201 * -- Note that the tags in this Sequence are explicit.
203 * RFC 4055 (which defines use of RSASSA-PSS in PKIX) states that the value
204 * of trailerField MUST be 1, and PKCS#1 v2.2 doesn't even define any other
205 * option. Enfore this at parsing time.
207 int mbedtls_x509_get_rsassa_pss_params( const mbedtls_x509_buf
*params
,
208 mbedtls_md_type_t
*md_alg
, mbedtls_md_type_t
*mgf_md
,
213 const unsigned char *end
, *end2
;
215 mbedtls_x509_buf alg_id
, alg_params
;
217 /* First set everything to defaults */
218 *md_alg
= MBEDTLS_MD_SHA1
;
219 *mgf_md
= MBEDTLS_MD_SHA1
;
222 /* Make sure params is a SEQUENCE and setup bounds */
223 if( params
->tag
!= ( MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SEQUENCE
) )
224 return( MBEDTLS_ERR_X509_INVALID_ALG
+
225 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
);
227 p
= (unsigned char *) params
->p
;
228 end
= p
+ params
->len
;
236 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &len
,
237 MBEDTLS_ASN1_CONTEXT_SPECIFIC
| MBEDTLS_ASN1_CONSTRUCTED
| 0 ) ) == 0 )
241 /* HashAlgorithm ::= AlgorithmIdentifier (without parameters) */
242 if( ( ret
= mbedtls_x509_get_alg_null( &p
, end2
, &alg_id
) ) != 0 )
245 if( ( ret
= mbedtls_oid_get_md_alg( &alg_id
, md_alg
) ) != 0 )
246 return( MBEDTLS_ERR_X509_INVALID_ALG
+ ret
);
249 return( MBEDTLS_ERR_X509_INVALID_ALG
+
250 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
);
252 else if( ret
!= MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
)
253 return( MBEDTLS_ERR_X509_INVALID_ALG
+ ret
);
261 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &len
,
262 MBEDTLS_ASN1_CONTEXT_SPECIFIC
| MBEDTLS_ASN1_CONSTRUCTED
| 1 ) ) == 0 )
266 /* MaskGenAlgorithm ::= AlgorithmIdentifier (params = HashAlgorithm) */
267 if( ( ret
= mbedtls_x509_get_alg( &p
, end2
, &alg_id
, &alg_params
) ) != 0 )
270 /* Only MFG1 is recognised for now */
271 if( MBEDTLS_OID_CMP( MBEDTLS_OID_MGF1
, &alg_id
) != 0 )
272 return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE
+
273 MBEDTLS_ERR_OID_NOT_FOUND
);
275 /* Parse HashAlgorithm */
276 if( ( ret
= x509_get_hash_alg( &alg_params
, mgf_md
) ) != 0 )
280 return( MBEDTLS_ERR_X509_INVALID_ALG
+
281 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
);
283 else if( ret
!= MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
)
284 return( MBEDTLS_ERR_X509_INVALID_ALG
+ ret
);
292 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &len
,
293 MBEDTLS_ASN1_CONTEXT_SPECIFIC
| MBEDTLS_ASN1_CONSTRUCTED
| 2 ) ) == 0 )
297 if( ( ret
= mbedtls_asn1_get_int( &p
, end2
, salt_len
) ) != 0 )
298 return( MBEDTLS_ERR_X509_INVALID_ALG
+ ret
);
301 return( MBEDTLS_ERR_X509_INVALID_ALG
+
302 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
);
304 else if( ret
!= MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
)
305 return( MBEDTLS_ERR_X509_INVALID_ALG
+ ret
);
311 * trailer_field (if present, must be 1)
313 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &len
,
314 MBEDTLS_ASN1_CONTEXT_SPECIFIC
| MBEDTLS_ASN1_CONSTRUCTED
| 3 ) ) == 0 )
320 if( ( ret
= mbedtls_asn1_get_int( &p
, end2
, &trailer_field
) ) != 0 )
321 return( MBEDTLS_ERR_X509_INVALID_ALG
+ ret
);
324 return( MBEDTLS_ERR_X509_INVALID_ALG
+
325 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
);
327 if( trailer_field
!= 1 )
328 return( MBEDTLS_ERR_X509_INVALID_ALG
);
330 else if( ret
!= MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
)
331 return( MBEDTLS_ERR_X509_INVALID_ALG
+ ret
);
334 return( MBEDTLS_ERR_X509_INVALID_ALG
+
335 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
);
339 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
342 * AttributeTypeAndValue ::= SEQUENCE {
343 * type AttributeType,
344 * value AttributeValue }
346 * AttributeType ::= OBJECT IDENTIFIER
348 * AttributeValue ::= ANY DEFINED BY AttributeType
350 static int x509_get_attr_type_value( unsigned char **p
,
351 const unsigned char *end
,
352 mbedtls_x509_name
*cur
)
356 mbedtls_x509_buf
*oid
;
357 mbedtls_x509_buf
*val
;
359 if( ( ret
= mbedtls_asn1_get_tag( p
, end
, &len
,
360 MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SEQUENCE
) ) != 0 )
361 return( MBEDTLS_ERR_X509_INVALID_NAME
+ ret
);
363 if( ( end
- *p
) < 1 )
364 return( MBEDTLS_ERR_X509_INVALID_NAME
+
365 MBEDTLS_ERR_ASN1_OUT_OF_DATA
);
370 if( ( ret
= mbedtls_asn1_get_tag( p
, end
, &oid
->len
, MBEDTLS_ASN1_OID
) ) != 0 )
371 return( MBEDTLS_ERR_X509_INVALID_NAME
+ ret
);
376 if( ( end
- *p
) < 1 )
377 return( MBEDTLS_ERR_X509_INVALID_NAME
+
378 MBEDTLS_ERR_ASN1_OUT_OF_DATA
);
380 if( **p
!= MBEDTLS_ASN1_BMP_STRING
&& **p
!= MBEDTLS_ASN1_UTF8_STRING
&&
381 **p
!= MBEDTLS_ASN1_T61_STRING
&& **p
!= MBEDTLS_ASN1_PRINTABLE_STRING
&&
382 **p
!= MBEDTLS_ASN1_IA5_STRING
&& **p
!= MBEDTLS_ASN1_UNIVERSAL_STRING
&&
383 **p
!= MBEDTLS_ASN1_BIT_STRING
)
384 return( MBEDTLS_ERR_X509_INVALID_NAME
+
385 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
);
390 if( ( ret
= mbedtls_asn1_get_len( p
, end
, &val
->len
) ) != 0 )
391 return( MBEDTLS_ERR_X509_INVALID_NAME
+ ret
);
402 * Name ::= CHOICE { -- only one possibility for now --
403 * rdnSequence RDNSequence }
405 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
407 * RelativeDistinguishedName ::=
408 * SET OF AttributeTypeAndValue
410 * AttributeTypeAndValue ::= SEQUENCE {
411 * type AttributeType,
412 * value AttributeValue }
414 * AttributeType ::= OBJECT IDENTIFIER
416 * AttributeValue ::= ANY DEFINED BY AttributeType
418 * The data structure is optimized for the common case where each RDN has only
419 * one element, which is represented as a list of AttributeTypeAndValue.
420 * For the general case we still use a flat list, but we mark elements of the
421 * same set so that they are "merged" together in the functions that consume
422 * this list, eg mbedtls_x509_dn_gets().
424 int mbedtls_x509_get_name( unsigned char **p
, const unsigned char *end
,
425 mbedtls_x509_name
*cur
)
429 const unsigned char *end_set
;
431 /* don't use recursion, we'd risk stack overflow if not optimized */
437 if( ( ret
= mbedtls_asn1_get_tag( p
, end
, &set_len
,
438 MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SET
) ) != 0 )
439 return( MBEDTLS_ERR_X509_INVALID_NAME
+ ret
);
441 end_set
= *p
+ set_len
;
445 if( ( ret
= x509_get_attr_type_value( p
, end_set
, cur
) ) != 0 )
451 /* Mark this item as being no the only one in a set */
452 cur
->next_merged
= 1;
454 cur
->next
= mbedtls_calloc( 1, sizeof( mbedtls_x509_name
) );
456 if( cur
->next
== NULL
)
457 return( MBEDTLS_ERR_X509_ALLOC_FAILED
);
463 * continue until end of SEQUENCE is reached
468 cur
->next
= mbedtls_calloc( 1, sizeof( mbedtls_x509_name
) );
470 if( cur
->next
== NULL
)
471 return( MBEDTLS_ERR_X509_ALLOC_FAILED
);
477 static int x509_parse_int(unsigned char **p
, unsigned n
, int *res
){
480 if( ( **p
< '0') || ( **p
> '9' ) ) return MBEDTLS_ERR_X509_INVALID_DATE
;
482 *res
+= (*(*p
)++ - '0');
490 * generalTime GeneralizedTime }
492 int mbedtls_x509_get_time( unsigned char **p
, const unsigned char *end
,
493 mbedtls_x509_time
*time
)
499 if( ( end
- *p
) < 1 )
500 return( MBEDTLS_ERR_X509_INVALID_DATE
+
501 MBEDTLS_ERR_ASN1_OUT_OF_DATA
);
505 if( tag
== MBEDTLS_ASN1_UTC_TIME
)
508 ret
= mbedtls_asn1_get_len( p
, end
, &len
);
511 return( MBEDTLS_ERR_X509_INVALID_DATE
+ ret
);
513 CHECK( x509_parse_int( p
, 2, &time
->year
) );
514 CHECK( x509_parse_int( p
, 2, &time
->mon
) );
515 CHECK( x509_parse_int( p
, 2, &time
->day
) );
516 CHECK( x509_parse_int( p
, 2, &time
->hour
) );
517 CHECK( x509_parse_int( p
, 2, &time
->min
) );
519 CHECK( x509_parse_int( p
, 2, &time
->sec
) );
520 if( len
> 12 && *(*p
)++ != 'Z' )
521 return( MBEDTLS_ERR_X509_INVALID_DATE
);
523 time
->year
+= 100 * ( time
->year
< 50 );
528 else if( tag
== MBEDTLS_ASN1_GENERALIZED_TIME
)
531 ret
= mbedtls_asn1_get_len( p
, end
, &len
);
534 return( MBEDTLS_ERR_X509_INVALID_DATE
+ ret
);
536 CHECK( x509_parse_int( p
, 4, &time
->year
) );
537 CHECK( x509_parse_int( p
, 2, &time
->mon
) );
538 CHECK( x509_parse_int( p
, 2, &time
->day
) );
539 CHECK( x509_parse_int( p
, 2, &time
->hour
) );
540 CHECK( x509_parse_int( p
, 2, &time
->min
) );
542 CHECK( x509_parse_int( p
, 2, &time
->sec
) );
543 if( len
> 14 && *(*p
)++ != 'Z' )
544 return( MBEDTLS_ERR_X509_INVALID_DATE
);
549 return( MBEDTLS_ERR_X509_INVALID_DATE
+
550 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
);
553 int mbedtls_x509_get_sig( unsigned char **p
, const unsigned char *end
, mbedtls_x509_buf
*sig
)
558 if( ( end
- *p
) < 1 )
559 return( MBEDTLS_ERR_X509_INVALID_SIGNATURE
+
560 MBEDTLS_ERR_ASN1_OUT_OF_DATA
);
564 if( ( ret
= mbedtls_asn1_get_bitstring_null( p
, end
, &len
) ) != 0 )
565 return( MBEDTLS_ERR_X509_INVALID_SIGNATURE
+ ret
);
576 * Get signature algorithm from alg OID and optional parameters
578 int mbedtls_x509_get_sig_alg( const mbedtls_x509_buf
*sig_oid
, const mbedtls_x509_buf
*sig_params
,
579 mbedtls_md_type_t
*md_alg
, mbedtls_pk_type_t
*pk_alg
,
584 if( *sig_opts
!= NULL
)
585 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA
);
587 if( ( ret
= mbedtls_oid_get_sig_alg( sig_oid
, md_alg
, pk_alg
) ) != 0 )
588 return( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG
+ ret
);
590 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
591 if( *pk_alg
== MBEDTLS_PK_RSASSA_PSS
)
593 mbedtls_pk_rsassa_pss_options
*pss_opts
;
595 pss_opts
= mbedtls_calloc( 1, sizeof( mbedtls_pk_rsassa_pss_options
) );
596 if( pss_opts
== NULL
)
597 return( MBEDTLS_ERR_X509_ALLOC_FAILED
);
599 ret
= mbedtls_x509_get_rsassa_pss_params( sig_params
,
601 &pss_opts
->mgf1_hash_id
,
602 &pss_opts
->expected_salt_len
);
605 mbedtls_free( pss_opts
);
609 *sig_opts
= (void *) pss_opts
;
612 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
614 /* Make sure parameters are absent or NULL */
615 if( ( sig_params
->tag
!= MBEDTLS_ASN1_NULL
&& sig_params
->tag
!= 0 ) ||
616 sig_params
->len
!= 0 )
617 return( MBEDTLS_ERR_X509_INVALID_ALG
);
624 * X.509 Extensions (No parsing of extensions, pointer should
625 * be either manually updated or extensions should be parsed!
627 int mbedtls_x509_get_ext( unsigned char **p
, const unsigned char *end
,
628 mbedtls_x509_buf
*ext
, int tag
)
638 if( ( ret
= mbedtls_asn1_get_tag( p
, end
, &ext
->len
,
639 MBEDTLS_ASN1_CONTEXT_SPECIFIC
| MBEDTLS_ASN1_CONSTRUCTED
| tag
) ) != 0 )
646 * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
648 * Extension ::= SEQUENCE {
649 * extnID OBJECT IDENTIFIER,
650 * critical BOOLEAN DEFAULT FALSE,
651 * extnValue OCTET STRING }
653 if( ( ret
= mbedtls_asn1_get_tag( p
, end
, &len
,
654 MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SEQUENCE
) ) != 0 )
655 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS
+ ret
);
657 if( end
!= *p
+ len
)
658 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS
+
659 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
);
665 * Store the name in printable form into buf; no more
666 * than size characters will be written
668 int mbedtls_x509_dn_gets( char *buf
, size_t size
, const mbedtls_x509_name
*dn
)
672 unsigned char c
, merge
= 0;
673 const mbedtls_x509_name
*name
;
674 const char *short_name
= NULL
;
675 char s
[MBEDTLS_X509_MAX_DN_NAME_SIZE
], *p
;
677 memset( s
, 0, sizeof( s
) );
683 while( name
!= NULL
)
693 ret
= mbedtls_snprintf( p
, n
, merge
? " + " : ", " );
694 MBEDTLS_X509_SAFE_SNPRINTF
;
697 ret
= mbedtls_oid_get_attr_short_name( &name
->oid
, &short_name
);
700 ret
= mbedtls_snprintf( p
, n
, "%s=", short_name
);
702 ret
= mbedtls_snprintf( p
, n
, "\?\?=" );
703 MBEDTLS_X509_SAFE_SNPRINTF
;
705 for( i
= 0; i
< name
->val
.len
; i
++ )
707 if( i
>= sizeof( s
) - 1 )
711 if( c
< 32 || c
== 127 || ( c
> 128 && c
< 160 ) )
716 ret
= mbedtls_snprintf( p
, n
, "%s", s
);
717 MBEDTLS_X509_SAFE_SNPRINTF
;
719 merge
= name
->next_merged
;
723 return( (int) ( size
- n
) );
727 * Store the serial in printable form into buf; no more
728 * than size characters will be written
730 int mbedtls_x509_serial_gets( char *buf
, size_t size
, const mbedtls_x509_buf
*serial
)
739 nr
= ( serial
->len
<= 32 )
742 for( i
= 0; i
< nr
; i
++ )
744 if( i
== 0 && nr
> 1 && serial
->p
[i
] == 0x0 )
747 ret
= mbedtls_snprintf( p
, n
, "%02X%s",
748 serial
->p
[i
], ( i
< nr
- 1 ) ? ":" : "" );
749 MBEDTLS_X509_SAFE_SNPRINTF
;
752 if( nr
!= serial
->len
)
754 ret
= mbedtls_snprintf( p
, n
, "...." );
755 MBEDTLS_X509_SAFE_SNPRINTF
;
758 return( (int) ( size
- n
) );
762 * Helper for writing signature algorithms
764 int mbedtls_x509_sig_alg_gets( char *buf
, size_t size
, const mbedtls_x509_buf
*sig_oid
,
765 mbedtls_pk_type_t pk_alg
, mbedtls_md_type_t md_alg
,
766 const void *sig_opts
)
771 const char *desc
= NULL
;
773 ret
= mbedtls_oid_get_sig_alg_desc( sig_oid
, &desc
);
775 ret
= mbedtls_snprintf( p
, n
, "???" );
777 ret
= mbedtls_snprintf( p
, n
, "%s", desc
);
778 MBEDTLS_X509_SAFE_SNPRINTF
;
780 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
781 if( pk_alg
== MBEDTLS_PK_RSASSA_PSS
)
783 const mbedtls_pk_rsassa_pss_options
*pss_opts
;
784 const mbedtls_md_info_t
*md_info
, *mgf_md_info
;
786 pss_opts
= (const mbedtls_pk_rsassa_pss_options
*) sig_opts
;
788 md_info
= mbedtls_md_info_from_type( md_alg
);
789 mgf_md_info
= mbedtls_md_info_from_type( pss_opts
->mgf1_hash_id
);
791 ret
= mbedtls_snprintf( p
, n
, " (%s, MGF1-%s, 0x%02X)",
792 md_info
? mbedtls_md_get_name( md_info
) : "???",
793 mgf_md_info
? mbedtls_md_get_name( mgf_md_info
) : "???",
794 pss_opts
->expected_salt_len
);
795 MBEDTLS_X509_SAFE_SNPRINTF
;
801 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
803 return( (int)( size
- n
) );
807 * Helper for writing "RSA key size", "EC key size", etc
809 int mbedtls_x509_key_size_helper( char *buf
, size_t buf_size
, const char *name
)
815 ret
= mbedtls_snprintf( p
, n
, "%s key size", name
);
816 MBEDTLS_X509_SAFE_SNPRINTF
;
821 #if defined(MBEDTLS_HAVE_TIME_DATE)
823 * Set the time structure to the current time.
824 * Return 0 on success, non-zero on failure.
826 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
827 static int x509_get_current_time( mbedtls_x509_time
*now
)
831 GetSystemTime( &st
);
833 now
->year
= st
.wYear
;
834 now
->mon
= st
.wMonth
;
836 now
->hour
= st
.wHour
;
837 now
->min
= st
.wMinute
;
838 now
->sec
= st
.wSecond
;
843 static int x509_get_current_time( mbedtls_x509_time
*now
)
849 #if defined(MBEDTLS_THREADING_C)
850 if( mbedtls_mutex_lock( &mbedtls_threading_gmtime_mutex
) != 0 )
851 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR
);
861 now
->year
= lt
->tm_year
+ 1900;
862 now
->mon
= lt
->tm_mon
+ 1;
863 now
->day
= lt
->tm_mday
;
864 now
->hour
= lt
->tm_hour
;
865 now
->min
= lt
->tm_min
;
866 now
->sec
= lt
->tm_sec
;
869 #if defined(MBEDTLS_THREADING_C)
870 if( mbedtls_mutex_unlock( &mbedtls_threading_gmtime_mutex
) != 0 )
871 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR
);
876 #endif /* _WIN32 && !EFIX64 && !EFI32 */
879 * Return 0 if before <= after, 1 otherwise
881 static int x509_check_time( const mbedtls_x509_time
*before
, const mbedtls_x509_time
*after
)
883 if( before
->year
> after
->year
)
886 if( before
->year
== after
->year
&&
887 before
->mon
> after
->mon
)
890 if( before
->year
== after
->year
&&
891 before
->mon
== after
->mon
&&
892 before
->day
> after
->day
)
895 if( before
->year
== after
->year
&&
896 before
->mon
== after
->mon
&&
897 before
->day
== after
->day
&&
898 before
->hour
> after
->hour
)
901 if( before
->year
== after
->year
&&
902 before
->mon
== after
->mon
&&
903 before
->day
== after
->day
&&
904 before
->hour
== after
->hour
&&
905 before
->min
> after
->min
)
908 if( before
->year
== after
->year
&&
909 before
->mon
== after
->mon
&&
910 before
->day
== after
->day
&&
911 before
->hour
== after
->hour
&&
912 before
->min
== after
->min
&&
913 before
->sec
> after
->sec
)
919 int mbedtls_x509_time_is_past( const mbedtls_x509_time
*to
)
921 mbedtls_x509_time now
;
923 if( x509_get_current_time( &now
) != 0 )
926 return( x509_check_time( &now
, to
) );
929 int mbedtls_x509_time_is_future( const mbedtls_x509_time
*from
)
931 mbedtls_x509_time now
;
933 if( x509_get_current_time( &now
) != 0 )
936 return( x509_check_time( from
, &now
) );
939 #else /* MBEDTLS_HAVE_TIME_DATE */
941 int mbedtls_x509_time_is_past( const mbedtls_x509_time
*to
)
947 int mbedtls_x509_time_is_future( const mbedtls_x509_time
*from
)
952 #endif /* MBEDTLS_HAVE_TIME_DATE */
954 #if defined(MBEDTLS_SELF_TEST)
956 #include "mbedtls/x509_crt.h"
957 #include "mbedtls/certs.h"
962 int mbedtls_x509_self_test( int verbose
)
964 #if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_SHA1_C)
967 mbedtls_x509_crt cacert
;
968 mbedtls_x509_crt clicert
;
971 mbedtls_printf( " X.509 certificate load: " );
973 mbedtls_x509_crt_init( &clicert
);
975 ret
= mbedtls_x509_crt_parse( &clicert
, (const unsigned char *) mbedtls_test_cli_crt
,
976 mbedtls_test_cli_crt_len
);
980 mbedtls_printf( "failed\n" );
985 mbedtls_x509_crt_init( &cacert
);
987 ret
= mbedtls_x509_crt_parse( &cacert
, (const unsigned char *) mbedtls_test_ca_crt
,
988 mbedtls_test_ca_crt_len
);
992 mbedtls_printf( "failed\n" );
998 mbedtls_printf( "passed\n X.509 signature verify: ");
1000 ret
= mbedtls_x509_crt_verify( &clicert
, &cacert
, NULL
, NULL
, &flags
, NULL
, NULL
);
1004 mbedtls_printf( "failed\n" );
1010 mbedtls_printf( "passed\n\n");
1012 mbedtls_x509_crt_free( &cacert
);
1013 mbedtls_x509_crt_free( &clicert
);
1019 #endif /* MBEDTLS_CERTS_C && MBEDTLS_SHA1_C */
1022 #endif /* MBEDTLS_SELF_TEST */
1024 #endif /* MBEDTLS_X509_USE_C */