Make many fields of X.509 structures public
The structures mbedtls_x509_time, mbedtls_x509_crl_entry, mbedtls_x509_crl, mbedtls_x509_crt, mbedtls_x509_san_other_name, mbedtls_x509_subject_alternative_name, mbedtls_x509_csr are designed to expose the result of parsing X.509 data. Document many of their fields as being publicly readable. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
@@ -246,8 +246,8 @@ typedef mbedtls_asn1_sequence mbedtls_x509_sequence;
|
|||||||
/** Container for date and time (precision in seconds). */
|
/** Container for date and time (precision in seconds). */
|
||||||
typedef struct mbedtls_x509_time
|
typedef struct mbedtls_x509_time
|
||||||
{
|
{
|
||||||
int MBEDTLS_PRIVATE(year), MBEDTLS_PRIVATE(mon), MBEDTLS_PRIVATE(day); /**< Date. */
|
int year, mon, day; /**< Date. */
|
||||||
int MBEDTLS_PRIVATE(hour), MBEDTLS_PRIVATE(min), MBEDTLS_PRIVATE(sec); /**< Time. */
|
int hour, min, sec; /**< Time. */
|
||||||
}
|
}
|
||||||
mbedtls_x509_time;
|
mbedtls_x509_time;
|
||||||
|
|
||||||
|
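Review bot: With `year`, `mon`, `day`, `hour`, `min` and `sec` now readable by applications, the comments `Date.` and `Time.` no longer say enough: a caller comparing validity periods needs the value ranges and the time zone. I would spell these out on the two field lines, for example `/**< Date: four-digit year, month 1..12, day 1..31. */` and `/**< Time (UTC): hour 0..23, minute 0..59, second 0..59. */`, after confirming against the parser what it actually guarantees.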
@@ -43,16 +43,25 @@ extern "C" {
|
|||||||
/**
|
/**
|
||||||
* Certificate revocation list entry.
|
* Certificate revocation list entry.
|
||||||
* Contains the CA-specific serial numbers and revocation dates.
|
* Contains the CA-specific serial numbers and revocation dates.
|
||||||
|
*
|
||||||
|
* Some fields of this structure are publicly readable. Do not modify
|
||||||
|
* them except via Mbed TLS library functions: the effect of modifying
|
||||||
|
* those fields or the data that those fields points to is unspecified.
|
||||||
*/
|
*/
|
||||||
typedef struct mbedtls_x509_crl_entry
|
typedef struct mbedtls_x509_crl_entry
|
||||||
{
|
{
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(raw);
|
/** Direct access to the whole entry inside the containing buffer. */
|
||||||
|
mbedtls_x509_buf raw;
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(serial);
|
/** The serial number of the revoked certificate. */
|
||||||
|
mbedtls_x509_buf serial;
|
||||||
mbedtls_x509_time MBEDTLS_PRIVATE(revocation_date);
|
/** The revocation date of this entry. */
|
||||||
|
mbedtls_x509_time revocation_date;
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(entry_ext);
|
/** Direct access to the list of CRL entry extensions
|
||||||
|
* (an ASN.1 constructed sequence).
|
||||||
|
*
|
||||||
|
* If there are no extensions, `entry_ext.len == 0` and
|
||||||
|
* `entry_ext.p == NULL`. */
|
||||||
|
mbedtls_x509_buf entry_ext;
|
||||||
|
|
||||||
struct mbedtls_x509_crl_entry *MBEDTLS_PRIVATE(next);
|
struct mbedtls_x509_crl_entry *MBEDTLS_PRIVATE(next);
|
||||||
}
|
}
|
||||||
@@ -64,22 +73,22 @@ mbedtls_x509_crl_entry;
|
|||||||
*/
|
*/
|
||||||
typedef struct mbedtls_x509_crl
|
typedef struct mbedtls_x509_crl
|
||||||
{
|
{
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(raw); /**< The raw certificate data (DER). */
|
mbedtls_x509_buf raw; /**< The raw certificate data (DER). */
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(tbs); /**< The raw certificate body (DER). The part that is To Be Signed. */
|
mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */
|
||||||
|
|
||||||
int MBEDTLS_PRIVATE(version); /**< CRL version (1=v1, 2=v2) */
|
int version; /**< CRL version (1=v1, 2=v2) */
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid); /**< CRL signature type identifier */
|
mbedtls_x509_buf sig_oid; /**< CRL signature type identifier */
|
||||||
|
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_raw); /**< The raw issuer data (DER). */
|
mbedtls_x509_buf issuer_raw; /**< The raw issuer data (DER). */
|
||||||
|
|
||||||
mbedtls_x509_name MBEDTLS_PRIVATE(issuer); /**< The parsed issuer data (named information object). */
|
mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */
|
||||||
|
|
||||||
mbedtls_x509_time MBEDTLS_PRIVATE(this_update);
|
mbedtls_x509_time this_update;
|
||||||
mbedtls_x509_time MBEDTLS_PRIVATE(next_update);
|
mbedtls_x509_time next_update;
|
||||||
|
|
||||||
mbedtls_x509_crl_entry MBEDTLS_PRIVATE(entry); /**< The CRL entries containing the certificate revocation times for this CA. */
|
mbedtls_x509_crl_entry entry; /**< The CRL entries containing the certificate revocation times for this CA. */
|
||||||
|
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(crl_ext);
|
mbedtls_x509_buf crl_ext;
|
||||||
|
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid2);
|
mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid2);
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
|
mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
|
||||||
|
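Review bot: `entry` in `mbedtls_x509_crl` becomes publicly readable, but `next` in `mbedtls_x509_crl_entry` stays wrapped in `MBEDTLS_PRIVATE`, so a caller checking a serial against the revoked list can reach only the first entry through the documented fields. Either expose it as `struct mbedtls_x509_crl_entry *next;` with a comment such as `/** Next entry in the list, or NULL at the end. Do not modify. */`, or say in the `entry` comment how the list is meant to be walked. The comments on `raw` and `tbs` in `mbedtls_x509_crl` still say "certificate" where they describe the CRL, and `this_update`, `next_update` and `crl_ext` are now public without any description. The added paragraph's "those fields points to" should read "point to"; the same sentence appears in the `mbedtls_x509_crt` and `mbedtls_x509_csr` comments. The `mbedtls_x509_crl` definition continues past the lines shown.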
@@ -45,36 +45,40 @@ extern "C" {
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Container for an X.509 certificate. The certificate may be chained.
|
* Container for an X.509 certificate. The certificate may be chained.
|
||||||
|
*
|
||||||
|
* Some fields of this structure are publicly readable. Do not modify
|
||||||
|
* them except via Mbed TLS library functions: the effect of modifying
|
||||||
|
* those fields or the data that those fields points to is unspecified.
|
||||||
*/
|
*/
|
||||||
typedef struct mbedtls_x509_crt
|
typedef struct mbedtls_x509_crt
|
||||||
{
|
{
|
||||||
int MBEDTLS_PRIVATE(own_buffer); /**< Indicates if \c raw is owned
|
int MBEDTLS_PRIVATE(own_buffer); /**< Indicates if \c raw is owned
|
||||||
* by the structure or not. */
|
* by the structure or not. */
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(raw); /**< The raw certificate data (DER). */
|
mbedtls_x509_buf raw; /**< The raw certificate data (DER). */
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(tbs); /**< The raw certificate body (DER). The part that is To Be Signed. */
|
mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */
|
||||||
|
|
||||||
int MBEDTLS_PRIVATE(version); /**< The X.509 version. (1=v1, 2=v2, 3=v3) */
|
int version; /**< The X.509 version. (1=v1, 2=v2, 3=v3) */
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(serial); /**< Unique id for certificate issued by a specific CA. */
|
mbedtls_x509_buf serial; /**< Unique id for certificate issued by a specific CA. */
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid); /**< Signature algorithm, e.g. sha1RSA */
|
mbedtls_x509_buf sig_oid; /**< Signature algorithm, e.g. sha1RSA */
|
||||||
|
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_raw); /**< The raw issuer data (DER). Used for quick comparison. */
|
mbedtls_x509_buf issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(subject_raw); /**< The raw subject data (DER). Used for quick comparison. */
|
mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). Used for quick comparison. */
|
||||||
|
|
||||||
mbedtls_x509_name MBEDTLS_PRIVATE(issuer); /**< The parsed issuer data (named information object). */
|
mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */
|
||||||
mbedtls_x509_name MBEDTLS_PRIVATE(subject); /**< The parsed subject data (named information object). */
|
mbedtls_x509_name subject; /**< The parsed subject data (named information object). */
|
||||||
|
|
||||||
mbedtls_x509_time MBEDTLS_PRIVATE(valid_from); /**< Start time of certificate validity. */
|
mbedtls_x509_time valid_from; /**< Start time of certificate validity. */
|
||||||
mbedtls_x509_time MBEDTLS_PRIVATE(valid_to); /**< End time of certificate validity. */
|
mbedtls_x509_time valid_to; /**< End time of certificate validity. */
|
||||||
|
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(pk_raw);
|
mbedtls_x509_buf pk_raw;
|
||||||
mbedtls_pk_context MBEDTLS_PRIVATE(pk); /**< Container for the public key context. */
|
mbedtls_pk_context pk; /**< Container for the public key context. */
|
||||||
|
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_id); /**< Optional X.509 v2/v3 issuer unique identifier. */
|
mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(subject_id); /**< Optional X.509 v2/v3 subject unique identifier. */
|
mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(v3_ext); /**< Optional X.509 v3 extensions. */
|
mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */
|
||||||
mbedtls_x509_sequence MBEDTLS_PRIVATE(subject_alt_names); /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */
|
mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */
|
||||||
|
|
||||||
mbedtls_x509_sequence MBEDTLS_PRIVATE(certificate_policies); /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */
|
mbedtls_x509_sequence certificate_policies; /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */
|
||||||
|
|
||||||
int MBEDTLS_PRIVATE(ext_types); /**< Bit string containing detected and parsed extensions */
|
int MBEDTLS_PRIVATE(ext_types); /**< Bit string containing detected and parsed extensions */
|
||||||
int MBEDTLS_PRIVATE(ca_istrue); /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
|
int MBEDTLS_PRIVATE(ca_istrue); /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
|
||||||
@@ -82,7 +86,7 @@ typedef struct mbedtls_x509_crt
|
|||||||
|
|
||||||
unsigned int MBEDTLS_PRIVATE(key_usage); /**< Optional key usage extension value: See the values in x509.h */
|
unsigned int MBEDTLS_PRIVATE(key_usage); /**< Optional key usage extension value: See the values in x509.h */
|
||||||
|
|
||||||
mbedtls_x509_sequence MBEDTLS_PRIVATE(ext_key_usage); /**< Optional list of extended key usage OIDs. */
|
mbedtls_x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */
|
||||||
|
|
||||||
unsigned char MBEDTLS_PRIVATE(ns_cert_type); /**< Optional Netscape certificate type extension value: See the values in x509.h */
|
unsigned char MBEDTLS_PRIVATE(ns_cert_type); /**< Optional Netscape certificate type extension value: See the values in x509.h */
|
||||||
|
|
||||||
@@ -100,6 +104,9 @@ mbedtls_x509_crt;
|
|||||||
* OtherName ::= SEQUENCE {
|
* OtherName ::= SEQUENCE {
|
||||||
* type-id OBJECT IDENTIFIER,
|
* type-id OBJECT IDENTIFIER,
|
||||||
* value [0] EXPLICIT ANY DEFINED BY type-id }
|
* value [0] EXPLICIT ANY DEFINED BY type-id }
|
||||||
|
*
|
||||||
|
* Future versions of the library may add new fields to this structure or
|
||||||
|
* to its embedded union and structure.
|
||||||
*/
|
*/
|
||||||
typedef struct mbedtls_x509_san_other_name
|
typedef struct mbedtls_x509_san_other_name
|
||||||
{
|
{
|
||||||
@@ -108,7 +115,7 @@ typedef struct mbedtls_x509_san_other_name
|
|||||||
* To check the value of the type id, you should use
|
* To check the value of the type id, you should use
|
||||||
* \p MBEDTLS_OID_CMP with a known OID mbedtls_x509_buf.
|
* \p MBEDTLS_OID_CMP with a known OID mbedtls_x509_buf.
|
||||||
*/
|
*/
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(type_id); /**< The type id. */
|
mbedtls_x509_buf type_id; /**< The type id. */
|
||||||
union
|
union
|
||||||
{
|
{
|
||||||
/**
|
/**
|
||||||
@@ -119,26 +126,30 @@ typedef struct mbedtls_x509_san_other_name
|
|||||||
*/
|
*/
|
||||||
struct
|
struct
|
||||||
{
|
{
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(oid); /**< The object identifier. */
|
mbedtls_x509_buf oid; /**< The object identifier. */
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(val); /**< The named value. */
|
mbedtls_x509_buf val; /**< The named value. */
|
||||||
}
|
}
|
||||||
MBEDTLS_PRIVATE(hardware_module_name);
|
hardware_module_name;
|
||||||
}
|
}
|
||||||
MBEDTLS_PRIVATE(value);
|
value;
|
||||||
}
|
}
|
||||||
mbedtls_x509_san_other_name;
|
mbedtls_x509_san_other_name;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A structure for holding the parsed Subject Alternative Name, according to type
|
* A structure for holding the parsed Subject Alternative Name,
|
||||||
|
* according to type.
|
||||||
|
*
|
||||||
|
* Future versions of the library may add new fields to this structure or
|
||||||
|
* to its embedded union and structure.
|
||||||
*/
|
*/
|
||||||
typedef struct mbedtls_x509_subject_alternative_name
|
typedef struct mbedtls_x509_subject_alternative_name
|
||||||
{
|
{
|
||||||
int MBEDTLS_PRIVATE(type); /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
|
int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
|
||||||
union {
|
union {
|
||||||
mbedtls_x509_san_other_name MBEDTLS_PRIVATE(other_name); /**< The otherName supported type. */
|
mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(unstructured_name); /**< The buffer for the un constructed types. Only dnsName currently supported */
|
mbedtls_x509_buf unstructured_name; /**< The buffer for the un constructed types. Only dnsName currently supported */
|
||||||
}
|
}
|
||||||
MBEDTLS_PRIVATE(san); /**< A union of the supported SAN types */
|
san; /**< A union of the supported SAN types */
|
||||||
}
|
}
|
||||||
mbedtls_x509_subject_alternative_name;
|
mbedtls_x509_subject_alternative_name;
|
||||||
|
|
||||||
|
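Review bot: The paragraph added above `mbedtls_x509_crt` warns against writing to the public fields but says nothing about how to read them safely. Going by the commit description they hold the result of parsing, so `subject`, `subject_alt_names` and `pk` are presumably filled in whether or not the certificate chain has been verified. The `mbedtls_x509_buf` members are pointer-and-length pairs (`p`/`len`), so name data must be compared using `len` rather than with string functions that stop at a NUL byte. I would add to the struct comment lines such as `* These fields describe the certificate as parsed; they do not imply that it has been verified.` and `* Buffers are not NUL-terminated: always use the \c len member.`. The now-public `san` and `value` unions should state which member is valid for which `type` / `type_id`, `pk_raw` has no description, and "un constructed" in the `unstructured_name` comment is a typo; the struct bodies continue outside the hunks shown.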
@@ -42,20 +42,24 @@ extern "C" {
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Certificate Signing Request (CSR) structure.
|
* Certificate Signing Request (CSR) structure.
|
||||||
|
*
|
||||||
|
* Some fields of this structure are publicly readable. Do not modify
|
||||||
|
* them except via Mbed TLS library functions: the effect of modifying
|
||||||
|
* those fields or the data that those fields points to is unspecified.
|
||||||
*/
|
*/
|
||||||
typedef struct mbedtls_x509_csr
|
typedef struct mbedtls_x509_csr
|
||||||
{
|
{
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(raw); /**< The raw CSR data (DER). */
|
mbedtls_x509_buf raw; /**< The raw CSR data (DER). */
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(cri); /**< The raw CertificateRequestInfo body (DER). */
|
mbedtls_x509_buf cri; /**< The raw CertificateRequestInfo body (DER). */
|
||||||
|
|
||||||
int MBEDTLS_PRIVATE(version); /**< CSR version (1=v1). */
|
int version; /**< CSR version (1=v1). */
|
||||||
|
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(subject_raw); /**< The raw subject data (DER). */
|
mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). */
|
||||||
mbedtls_x509_name MBEDTLS_PRIVATE(subject); /**< The parsed subject data (named information object). */
|
mbedtls_x509_name subject; /**< The parsed subject data (named information object). */
|
||||||
|
|
||||||
mbedtls_pk_context MBEDTLS_PRIVATE(pk); /**< Container for the public key context. */
|
mbedtls_pk_context pk; /**< Container for the public key context. */
|
||||||
|
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid);
|
mbedtls_x509_buf sig_oid;
|
||||||
mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
|
mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
|
||||||
mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
|
mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
|
||||||
mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
|
mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
|
||||||
|
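Review bot: `sig`, `sig_md` and `sig_pk` stay behind `MBEDTLS_PRIVATE` while `cri`, `pk` and `sig_oid` become public, so the documented fields give an application the signed body and the key but not the signature it would need to confirm that the requester holds that key. If parsing does not check that signature and the library offers no function for it (neither is visible here), either expose `sig` too or say so in the struct comment, e.g. `* The fields are the parsed request; \c subject and \c pk are unauthenticated until its signature has been checked.`. `sig_oid` is also made public without a description; `/**< Signature algorithm identifier (OID). */` would do. The struct definition continues past the last line shown.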
@@ -514,7 +514,7 @@ int main( int argc, char *argv[] )
|
|||||||
}
|
}
|
||||||
|
|
||||||
ret = mbedtls_x509_dn_gets( issuer_name, sizeof(issuer_name),
|
ret = mbedtls_x509_dn_gets( issuer_name, sizeof(issuer_name),
|
||||||
&issuer_crt.MBEDTLS_PRIVATE(subject) );
|
&issuer_crt.subject );
|
||||||
if( ret < 0 )
|
if( ret < 0 )
|
||||||
{
|
{
|
||||||
mbedtls_strerror( ret, buf, 1024 );
|
mbedtls_strerror( ret, buf, 1024 );
|
||||||
@@ -548,7 +548,7 @@ int main( int argc, char *argv[] )
|
|||||||
}
|
}
|
||||||
|
|
||||||
ret = mbedtls_x509_dn_gets( subject_name, sizeof(subject_name),
|
ret = mbedtls_x509_dn_gets( subject_name, sizeof(subject_name),
|
||||||
&csr.MBEDTLS_PRIVATE(subject) );
|
&csr.subject );
|
||||||
if( ret < 0 )
|
if( ret < 0 )
|
||||||
{
|
{
|
||||||
mbedtls_strerror( ret, buf, 1024 );
|
mbedtls_strerror( ret, buf, 1024 );
|
||||||
@@ -558,7 +558,7 @@ int main( int argc, char *argv[] )
|
|||||||
}
|
}
|
||||||
|
|
||||||
opt.subject_name = subject_name;
|
opt.subject_name = subject_name;
|
||||||
subject_key = &csr.MBEDTLS_PRIVATE(pk);
|
subject_key = &csr.pk;
|
||||||
|
|
||||||
mbedtls_printf( " ok\n" );
|
mbedtls_printf( " ok\n" );
|
||||||
}
|
}
|
||||||
@@ -602,7 +602,7 @@ int main( int argc, char *argv[] )
|
|||||||
//
|
//
|
||||||
if( strlen( opt.issuer_crt ) )
|
if( strlen( opt.issuer_crt ) )
|
||||||
{
|
{
|
||||||
if( mbedtls_pk_check_pair( &issuer_crt.MBEDTLS_PRIVATE(pk), issuer_key,
|
if( mbedtls_pk_check_pair( &issuer_crt.pk, issuer_key,
|
||||||
mbedtls_ctr_drbg_random, &ctr_drbg ) != 0 )
|
mbedtls_ctr_drbg_random, &ctr_drbg ) != 0 )
|
||||||
{
|
{
|
||||||
mbedtls_printf( " failed\n ! issuer_key does not match "
|
mbedtls_printf( " failed\n ! issuer_key does not match "
|
||||||
|
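Review bot: The two error paths shown call `mbedtls_strerror( ret, buf, 1024 )` with a literal size, and the declaration of `buf` is outside these hunks, so nothing visible ties 1024 to the real buffer length. If `buf` is an array, `mbedtls_strerror( ret, buf, sizeof( buf ) );` keeps the bound correct should the buffer ever be resized. `main` starts and ends outside the hunks.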