/* * X.509 certificate parsing and verification * * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ /* * The ITU-T X.509 standard defines a certificate format for PKI. * * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs) * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs) * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10) * * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf * * [SIRO] https://cabforum.org/wp-content/uploads/Chunghwatelecom201503cabforumV4.pdf */ #include "common.h" #if defined(MBEDTLS_X509_CRT_PARSE_C) #include "mbedtls/x509_crt.h" #include "x509_internal.h" #include "mbedtls/error.h" #include "mbedtls/oid.h" #include "mbedtls/platform_util.h" #include <string.h> #if defined(MBEDTLS_PEM_PARSE_C) #include "mbedtls/pem.h" #endif #if defined(MBEDTLS_USE_PSA_CRYPTO) #include "psa/crypto.h" #include "psa_util_internal.h" #include "mbedtls/psa_util.h" #endif /* MBEDTLS_USE_PSA_CRYPTO */ #include "pk_internal.h" #include "mbedtls/platform.h" #if defined(MBEDTLS_THREADING_C) #include "mbedtls/threading.h" #endif #if defined(MBEDTLS_HAVE_TIME) #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) #ifndef WIN32_LEAN_AND_MEAN #define WIN32_LEAN_AND_MEAN #endif #include <windows.h> #else #include <time.h> #endif #endif #if defined(MBEDTLS_FS_IO) #include <stdio.h> #if !defined(_WIN32) || defined(EFIX64) || defined(EFI32) #include <sys/types.h> #include <sys/stat.h> #if defined(__MBED__) #include <platform/mbed_retarget.h> #else #include <dirent.h> #endif /* __MBED__ */ #include <errno.h> #endif /* !_WIN32 || EFIX64 || EFI32 */ #endif /* * Item in a verification chain: cert and flags for it */ x509_crt_verify_chain_item; /* * Max size of verification chain: end-entity + intermediates + trusted root */ #define X509_MAX_VERIFY_CHAIN_SIZE … /* Default profile. Do not remove items unless there are serious security * concerns. */ const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default = …; /* Next-generation profile. Currently identical to the default, but may * be tightened at any time. */ const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next = …; /* * NSA Suite B Profile */ const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb = …; /* * Empty / all-forbidden profile */ const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_none = …; /* * Check md_alg against profile * Return 0 if md_alg is acceptable for this profile, -1 otherwise */ static int x509_profile_check_md_alg(const mbedtls_x509_crt_profile *profile, mbedtls_md_type_t md_alg) { … } /* * Check pk_alg against profile * Return 0 if pk_alg is acceptable for this profile, -1 otherwise */ static int x509_profile_check_pk_alg(const mbedtls_x509_crt_profile *profile, mbedtls_pk_type_t pk_alg) { … } /* * Check key against profile * Return 0 if pk is acceptable for this profile, -1 otherwise */ static int x509_profile_check_key(const mbedtls_x509_crt_profile *profile, const mbedtls_pk_context *pk) { … } /* * Like memcmp, but case-insensitive and always returns -1 if different */ static int x509_memcasecmp(const void *s1, const void *s2, size_t len) { … } /* * Return 0 if name matches wildcard, -1 otherwise */ static int x509_check_wildcard(const char *cn, const mbedtls_x509_buf *name) { … } /* * Compare two X.509 strings, case-insensitive, and allowing for some encoding * variations (but not all). * * Return 0 if equal, -1 otherwise. */ static int x509_string_cmp(const mbedtls_x509_buf *a, const mbedtls_x509_buf *b) { … } /* * Compare two X.509 Names (aka rdnSequence). * * See RFC 5280 section 7.1, though we don't implement the whole algorithm: * we sometimes return unequal when the full algorithm would return equal, * but never the other way. (In particular, we don't do Unicode normalisation * or space folding.) * * Return 0 if equal, -1 otherwise. */ static int x509_name_cmp(const mbedtls_x509_name *a, const mbedtls_x509_name *b) { … } /* * Reset (init or clear) a verify_chain */ static void x509_crt_verify_chain_reset( mbedtls_x509_crt_verify_chain *ver_chain) { … } /* * Version ::= INTEGER { v1(0), v2(1), v3(2) } */ static int x509_get_version(unsigned char **p, const unsigned char *end, int *ver) { … } /* * Validity ::= SEQUENCE { * notBefore Time, * notAfter Time } */ static int x509_get_dates(unsigned char **p, const unsigned char *end, mbedtls_x509_time *from, mbedtls_x509_time *to) { … } /* * X.509 v2/v3 unique identifier (not parsed) */ static int x509_get_uid(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *uid, int n) { … } static int x509_get_basic_constraints(unsigned char **p, const unsigned char *end, int *ca_istrue, int *max_pathlen) { … } /* * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId * * KeyPurposeId ::= OBJECT IDENTIFIER */ static int x509_get_ext_key_usage(unsigned char **p, const unsigned char *end, mbedtls_x509_sequence *ext_key_usage) { … } /* * SubjectKeyIdentifier ::= KeyIdentifier * * KeyIdentifier ::= OCTET STRING */ static int x509_get_subject_key_id(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *subject_key_id) { … } /* * AuthorityKeyIdentifier ::= SEQUENCE { * keyIdentifier [0] KeyIdentifier OPTIONAL, * authorityCertIssuer [1] GeneralNames OPTIONAL, * authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } * * KeyIdentifier ::= OCTET STRING */ static int x509_get_authority_key_id(unsigned char **p, unsigned char *end, mbedtls_x509_authority *authority_key_id) { … } /* * id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } * * anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 } * * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation * * PolicyInformation ::= SEQUENCE { * policyIdentifier CertPolicyId, * policyQualifiers SEQUENCE SIZE (1..MAX) OF * PolicyQualifierInfo OPTIONAL } * * CertPolicyId ::= OBJECT IDENTIFIER * * PolicyQualifierInfo ::= SEQUENCE { * policyQualifierId PolicyQualifierId, * qualifier ANY DEFINED BY policyQualifierId } * * -- policyQualifierIds for Internet policy qualifiers * * id-qt OBJECT IDENTIFIER ::= { id-pkix 2 } * id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 } * id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 } * * PolicyQualifierId ::= OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice ) * * Qualifier ::= CHOICE { * cPSuri CPSuri, * userNotice UserNotice } * * CPSuri ::= IA5String * * UserNotice ::= SEQUENCE { * noticeRef NoticeReference OPTIONAL, * explicitText DisplayText OPTIONAL } * * NoticeReference ::= SEQUENCE { * organization DisplayText, * noticeNumbers SEQUENCE OF INTEGER } * * DisplayText ::= CHOICE { * ia5String IA5String (SIZE (1..200)), * visibleString VisibleString (SIZE (1..200)), * bmpString BMPString (SIZE (1..200)), * utf8String UTF8String (SIZE (1..200)) } * * NOTE: we only parse and use anyPolicy without qualifiers at this point * as defined in RFC 5280. */ static int x509_get_certificate_policies(unsigned char **p, const unsigned char *end, mbedtls_x509_sequence *certificate_policies) { … } /* * X.509 v3 extensions * */ static int x509_get_crt_ext(unsigned char **p, const unsigned char *end, mbedtls_x509_crt *crt, mbedtls_x509_crt_ext_cb_t cb, void *p_ctx) { … } /* * Parse and fill a single X.509 certificate in DER format */ static int x509_crt_parse_der_core(mbedtls_x509_crt *crt, const unsigned char *buf, size_t buflen, int make_copy, mbedtls_x509_crt_ext_cb_t cb, void *p_ctx) { … } /* * Parse one X.509 certificate in DER format from a buffer and add them to a * chained list */ static int mbedtls_x509_crt_parse_der_internal(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen, int make_copy, mbedtls_x509_crt_ext_cb_t cb, void *p_ctx) { … } int mbedtls_x509_crt_parse_der_nocopy(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen) { … } int mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen, int make_copy, mbedtls_x509_crt_ext_cb_t cb, void *p_ctx) { … } int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen) { … } /* * Parse one or more PEM certificates from a buffer and add them to the chained * list */ int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen) { … } #if defined(MBEDTLS_FS_IO) /* * Load one or more certificates and add them to the chained list */ int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path) { … } int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path) { … } #endif /* MBEDTLS_FS_IO */ #if !defined(MBEDTLS_X509_REMOVE_INFO) #define PRINT_ITEM(i) … #define CERT_TYPE(type, name) … #define KEY_USAGE(code, name) … static int x509_info_ext_key_usage(char **buf, size_t *size, const mbedtls_x509_sequence *extended_key_usage) { … } static int x509_info_cert_policies(char **buf, size_t *size, const mbedtls_x509_sequence *certificate_policies) { … } /* * Return an informational string about the certificate. */ #define BEFORE_COLON … #define BC … int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix, const mbedtls_x509_crt *crt) { … } struct x509_crt_verify_string { … }; #define X509_CRT_ERROR_INFO … static const struct x509_crt_verify_string x509_crt_verify_strings[] = …; #undef X509_CRT_ERROR_INFO int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix, uint32_t flags) { … } #endif /* MBEDTLS_X509_REMOVE_INFO */ int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt, unsigned int usage) { … } int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len) { … } #if defined(MBEDTLS_X509_CRL_PARSE_C) /* * Return 1 if the certificate is revoked, or 0 otherwise. */ int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl) { … } /* * Check that the given certificate is not revoked according to the CRL. * Skip validation if no CRL for the given CA is present. */ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, mbedtls_x509_crl *crl_list, const mbedtls_x509_crt_profile *profile, const mbedtls_x509_time *now) { … } #endif /* MBEDTLS_X509_CRL_PARSE_C */ /* * Check the signature of a certificate by its parent */ static int x509_crt_check_signature(const mbedtls_x509_crt *child, mbedtls_x509_crt *parent, mbedtls_x509_crt_restart_ctx *rs_ctx) { … } /* * Check if 'parent' is a suitable parent (signing CA) for 'child'. * Return 0 if yes, -1 if not. * * top means parent is a locally-trusted certificate */ static int x509_crt_check_parent(const mbedtls_x509_crt *child, const mbedtls_x509_crt *parent, int top) { … } /* * Find a suitable parent for child in candidates, or return NULL. * * Here suitable is defined as: * 1. subject name matches child's issuer * 2. if necessary, the CA bit is set and key usage allows signing certs * 3. for trusted roots, the signature is correct * (for intermediates, the signature is checked and the result reported) * 4. pathlen constraints are satisfied * * If there's a suitable candidate which is also time-valid, return the first * such. Otherwise, return the first suitable candidate (or NULL if there is * none). * * The rationale for this rule is that someone could have a list of trusted * roots with two versions on the same root with different validity periods. * (At least one user reported having such a list and wanted it to just work.) * The reason we don't just require time-validity is that generally there is * only one version, and if it's expired we want the flags to state that * rather than NOT_TRUSTED, as would be the case if we required it here. * * The rationale for rule 3 (signature for trusted roots) is that users might * have two versions of the same CA with different keys in their list, and the * way we select the correct one is by checking the signature (as we don't * rely on key identifier extensions). (This is one way users might choose to * handle key rollover, another relies on self-issued certs, see [SIRO].) * * Arguments: * - [in] child: certificate for which we're looking for a parent * - [in] candidates: chained list of potential parents * - [out] r_parent: parent found (or NULL) * - [out] r_signature_is_good: 1 if child signature by parent is valid, or 0 * - [in] top: 1 if candidates consists of trusted roots, ie we're at the top * of the chain, 0 otherwise * - [in] path_cnt: number of intermediates seen so far * - [in] self_cnt: number of self-signed intermediates seen so far * (will never be greater than path_cnt) * - [in-out] rs_ctx: context for restarting operations * * Return value: * - 0 on success * - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise */ static int x509_crt_find_parent_in( mbedtls_x509_crt *child, mbedtls_x509_crt *candidates, mbedtls_x509_crt **r_parent, int *r_signature_is_good, int top, unsigned path_cnt, unsigned self_cnt, mbedtls_x509_crt_restart_ctx *rs_ctx, const mbedtls_x509_time *now) { … } /* * Find a parent in trusted CAs or the provided chain, or return NULL. * * Searches in trusted CAs first, and return the first suitable parent found * (see find_parent_in() for definition of suitable). * * Arguments: * - [in] child: certificate for which we're looking for a parent, followed * by a chain of possible intermediates * - [in] trust_ca: list of locally trusted certificates * - [out] parent: parent found (or NULL) * - [out] parent_is_trusted: 1 if returned `parent` is trusted, or 0 * - [out] signature_is_good: 1 if child signature by parent is valid, or 0 * - [in] path_cnt: number of links in the chain so far (EE -> ... -> child) * - [in] self_cnt: number of self-signed certs in the chain so far * (will always be no greater than path_cnt) * - [in-out] rs_ctx: context for restarting operations * * Return value: * - 0 on success * - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise */ static int x509_crt_find_parent( mbedtls_x509_crt *child, mbedtls_x509_crt *trust_ca, mbedtls_x509_crt **parent, int *parent_is_trusted, int *signature_is_good, unsigned path_cnt, unsigned self_cnt, mbedtls_x509_crt_restart_ctx *rs_ctx, const mbedtls_x509_time *now) { … } /* * Check if an end-entity certificate is locally trusted * * Currently we require such certificates to be self-signed (actually only * check for self-issued as self-signatures are not checked) */ static int x509_crt_check_ee_locally_trusted( mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca) { … } /* * Build and verify a certificate chain * * Given a peer-provided list of certificates EE, C1, ..., Cn and * a list of trusted certs R1, ... Rp, try to build and verify a chain * EE, Ci1, ... Ciq [, Rj] * such that every cert in the chain is a child of the next one, * jumping to a trusted root as early as possible. * * Verify that chain and return it with flags for all issues found. * * Special cases: * - EE == Rj -> return a one-element list containing it * - EE, Ci1, ..., Ciq cannot be continued with a trusted root * -> return that chain with NOT_TRUSTED set on Ciq * * Tests for (aspects of) this function should include at least: * - trusted EE * - EE -> trusted root * - EE -> intermediate CA -> trusted root * - if relevant: EE untrusted * - if relevant: EE -> intermediate, untrusted * with the aspect under test checked at each relevant level (EE, int, root). * For some aspects longer chains are required, but usually length 2 is * enough (but length 1 is not in general). * * Arguments: * - [in] crt: the cert list EE, C1, ..., Cn * - [in] trust_ca: the trusted list R1, ..., Rp * - [in] ca_crl, profile: as in verify_with_profile() * - [out] ver_chain: the built and verified chain * Only valid when return value is 0, may contain garbage otherwise! * Restart note: need not be the same when calling again to resume. * - [in-out] rs_ctx: context for restarting operations * * Return value: * - non-zero if the chain could not be fully built and examined * - 0 is the chain was successfully built and examined, * even if it was found to be invalid */ static int x509_crt_verify_chain( mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, mbedtls_x509_crt_ca_cb_t f_ca_cb, void *p_ca_cb, const mbedtls_x509_crt_profile *profile, mbedtls_x509_crt_verify_chain *ver_chain, mbedtls_x509_crt_restart_ctx *rs_ctx) { … } #ifdef _WIN32 #ifdef _MSC_VER #pragma comment(lib, "ws2_32.lib") #include <winsock2.h> #include <ws2tcpip.h> #elif (defined(__MINGW32__) || defined(__MINGW64__)) && _WIN32_WINNT >= 0x0600 #include <winsock2.h> #include <ws2tcpip.h> #else /* inet_pton() is not supported, fallback to software version */ #define MBEDTLS_TEST_SW_INET_PTON #endif #elif defined(__sun) /* Solaris requires -lsocket -lnsl for inet_pton() */ #elif defined(__has_include) #if __has_include(<sys/socket.h>) #include <sys/socket.h> #endif #if __has_include(<arpa/inet.h>) #include <arpa/inet.h> #endif #endif /* Use whether or not AF_INET6 is defined to indicate whether or not to use * the platform inet_pton() or a local implementation (below). The local * implementation may be used even in cases where the platform provides * inet_pton(), e.g. when there are different includes required and/or the * platform implementation requires dependencies on additional libraries. * Specifically, Windows requires custom includes and additional link * dependencies, and Solaris requires additional link dependencies. * Also, as a coarse heuristic, use the local implementation if the compiler * does not support __has_include(), or if the definition of AF_INET6 is not * provided by headers included (or not) via __has_include() above. * MBEDTLS_TEST_SW_INET_PTON is a bypass define to force testing of this code //no-check-names * despite having a platform that has inet_pton. */ #if !defined(AF_INET6) || defined(MBEDTLS_TEST_SW_INET_PTON) //no-check-names /* Definition located further below to possibly reduce compiler inlining */ static int x509_inet_pton_ipv4(const char *src, void *dst); #define li_cton … static int x509_inet_pton_ipv6(const char *src, void *dst) { const unsigned char *p = (const unsigned char *) src; int nonzero_groups = 0, num_digits, zero_group_start = -1; uint16_t addr[8]; do { /* note: allows excess leading 0's, e.g. 1:0002:3:... */ uint16_t group = num_digits = 0; for (uint8_t digit; num_digits < 4; num_digits++) { if (li_cton(*p, digit) == 0) { break; } group = (group << 4) | digit; p++; } if (num_digits != 0) { MBEDTLS_PUT_UINT16_BE(group, addr, nonzero_groups); nonzero_groups++; if (*p == '\0') { break; } else if (*p == '.') { /* Don't accept IPv4 too early or late */ if ((nonzero_groups == 0 && zero_group_start == -1) || nonzero_groups >= 7) { break; } /* Walk back to prior ':', then parse as IPv4-mapped */ int steps = 4; do { p--; steps--; } while (*p != ':' && steps > 0); if (*p != ':') { break; } p++; nonzero_groups--; if (x509_inet_pton_ipv4((const char *) p, addr + nonzero_groups) != 0) { break; } nonzero_groups += 2; p = (const unsigned char *) ""; break; } else if (*p != ':') { return -1; } } else { /* Don't accept a second zero group or an invalid delimiter */ if (zero_group_start != -1 || *p != ':') { return -1; } zero_group_start = nonzero_groups; /* Accept a zero group at start, but it has to be a double colon */ if (zero_group_start == 0 && *++p != ':') { return -1; } if (p[1] == '\0') { ++p; break; } } ++p; } while (nonzero_groups < 8); if (*p != '\0') { return -1; } if (zero_group_start != -1) { if (nonzero_groups > 6) { return -1; } int zero_groups = 8 - nonzero_groups; int groups_after_zero = nonzero_groups - zero_group_start; /* Move the non-zero part to after the zeroes */ if (groups_after_zero) { memmove(addr + zero_group_start + zero_groups, addr + zero_group_start, groups_after_zero * sizeof(*addr)); } memset(addr + zero_group_start, 0, zero_groups * sizeof(*addr)); } else { if (nonzero_groups != 8) { return -1; } } memcpy(dst, addr, sizeof(addr)); return 0; } static int x509_inet_pton_ipv4(const char *src, void *dst) { const unsigned char *p = (const unsigned char *) src; uint8_t *res = (uint8_t *) dst; uint8_t digit, num_digits = 0; uint8_t num_octets = 0; uint16_t octet; do { octet = num_digits = 0; do { digit = *p - '0'; if (digit > 9) { break; } /* Don't allow leading zeroes. These might mean octal format, * which this implementation does not support. */ if (octet == 0 && num_digits > 0) { return -1; } octet = octet * 10 + digit; num_digits++; p++; } while (num_digits < 3); if (octet >= 256 || num_digits > 3 || num_digits == 0) { return -1; } *res++ = (uint8_t) octet; num_octets++; } while (num_octets < 4 && *p++ == '.'); return num_octets == 4 && *p == '\0' ? 0 : -1; } #else static int x509_inet_pton_ipv6(const char *src, void *dst) { … } static int x509_inet_pton_ipv4(const char *src, void *dst) { … } #endif /* !AF_INET6 || MBEDTLS_TEST_SW_INET_PTON */ //no-check-names size_t mbedtls_x509_crt_parse_cn_inet_pton(const char *cn, void *dst) { … } /* * Check for CN match */ static int x509_crt_check_cn(const mbedtls_x509_buf *name, const char *cn, size_t cn_len) { … } static int x509_crt_check_san_ip(const mbedtls_x509_sequence *san, const char *cn, size_t cn_len) { … } static int x509_crt_check_san_uri(const mbedtls_x509_sequence *san, const char *cn, size_t cn_len) { … } /* * Check for SAN match, see RFC 5280 Section 4.2.1.6 */ static int x509_crt_check_san(const mbedtls_x509_sequence *san, const char *cn, size_t cn_len) { … } /* * Verify the requested CN - only call this if cn is not NULL! */ static void x509_crt_verify_name(const mbedtls_x509_crt *crt, const char *cn, uint32_t *flags) { … } /* * Merge the flags for all certs in the chain, after calling callback */ static int x509_crt_merge_flags_with_cb( uint32_t *flags, const mbedtls_x509_crt_verify_chain *ver_chain, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy) { … } /* * Verify the certificate validity, with profile, restartable version * * This function: * - checks the requested CN (if any) * - checks the type and size of the EE cert's key, * as that isn't done as part of chain building/verification currently * - builds and verifies the chain * - then calls the callback and merges the flags * * The parameters pairs `trust_ca`, `ca_crl` and `f_ca_cb`, `p_ca_cb` * are mutually exclusive: If `f_ca_cb != NULL`, it will be used by the * verification routine to search for trusted signers, and CRLs will * be disabled. Otherwise, `trust_ca` will be used as the static list * of trusted signers, and `ca_crl` will be use as the static list * of CRLs. */ static int x509_crt_verify_restartable_ca_cb(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, mbedtls_x509_crt_ca_cb_t f_ca_cb, void *p_ca_cb, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy, mbedtls_x509_crt_restart_ctx *rs_ctx) { … } /* * Verify the certificate validity (default profile, not restartable) */ int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const char *cn, uint32_t *flags, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy) { … } /* * Verify the certificate validity (user-chosen profile, not restartable) */ int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy) { … } #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) /* * Verify the certificate validity (user-chosen profile, CA callback, * not restartable). */ int mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt *crt, mbedtls_x509_crt_ca_cb_t f_ca_cb, void *p_ca_cb, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy) { return x509_crt_verify_restartable_ca_cb(crt, NULL, NULL, f_ca_cb, p_ca_cb, profile, cn, flags, f_vrfy, p_vrfy, NULL); } #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ int mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy, mbedtls_x509_crt_restart_ctx *rs_ctx) { … } /* * Initialize a certificate chain */ void mbedtls_x509_crt_init(mbedtls_x509_crt *crt) { … } /* * Unallocate all certificate data */ void mbedtls_x509_crt_free(mbedtls_x509_crt *crt) { … } #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) /* * Initialize a restart context */ void mbedtls_x509_crt_restart_init(mbedtls_x509_crt_restart_ctx *ctx) { mbedtls_pk_restart_init(&ctx->pk); ctx->parent = NULL; ctx->fallback_parent = NULL; ctx->fallback_signature_is_good = 0; ctx->parent_is_trusted = -1; ctx->in_progress = x509_crt_rs_none; ctx->self_cnt = 0; x509_crt_verify_chain_reset(&ctx->ver_chain); } /* * Free the components of a restart context */ void mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx *ctx) { if (ctx == NULL) { return; } mbedtls_pk_restart_free(&ctx->pk); mbedtls_x509_crt_restart_init(ctx); } #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */ int mbedtls_x509_crt_get_ca_istrue(const mbedtls_x509_crt *crt) { … } #endif /* MBEDTLS_X509_CRT_PARSE_C */
Codebase Browser
godot