Add X.509 CRT verification API using trusted CA callbacks
This commit is contained in:
Hanno Becker
parent
288dedcc72
commit
5c8df78feb
1 changed files with 64 additions and 0 deletions
|
|
@ -501,6 +501,70 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
|
||||||
void *p_vrfy,
|
void *p_vrfy,
|
||||||
mbedtls_x509_crt_restart_ctx *rs_ctx );
|
mbedtls_x509_crt_restart_ctx *rs_ctx );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
|
||||||
|
/**
|
||||||
|
* \brief The type of trusted certificate callbacks.
|
||||||
|
*
|
||||||
|
* Callbacks of this type are passed to and used by the CRT
|
||||||
|
* verification routine mbedtls_x509_crt_verify_with_cb()
|
||||||
|
* when looking for trusted signers of a given certificate.
|
||||||
|
*
|
||||||
|
* On success, the callback returns a list of trusted
|
||||||
|
* certificates to be considered as potential signers
|
||||||
|
* for the input certificate.
|
||||||
|
*
|
||||||
|
* \param p_ctx An opaque context passed to the callback.
|
||||||
|
* \param child The certificate for which to search a potential signer.
|
||||||
|
* This must point to a readable certificate.
|
||||||
|
* \param candidate_cas The address at which to store the address of the first
|
||||||
|
* entry in the generated linked list of candidate signers.
|
||||||
|
* This must not be \c NULL.
|
||||||
|
*
|
||||||
|
* \note The callback must only return a non-zero value on a
|
||||||
|
* fatal error. If, in contrast, the search for a potential
|
||||||
|
* signer completes without a single candidate, the
|
||||||
|
* callback must return \c 0 and get \c *candidate_cas
|
||||||
|
* to \c NULL.
|
||||||
|
*
|
||||||
|
* \return \c 0 on success. In this case, \c *candidate_cas points
|
||||||
|
* to a heap-allocated linked list of instances of
|
||||||
|
* ::mbedtls_x509_crt, and ownership of this list is passed
|
||||||
|
* to the caller.
|
||||||
|
* \return A negative error code on failure.
|
||||||
|
*/
|
||||||
|
typedef int (*mbedtls_x509_crt_ca_cb_t)( void *p_ctx,
|
||||||
|
mbedtls_x509_crt const *child,
|
||||||
|
mbedtls_x509_crt **candidate_cas );
|
||||||
|
/**
|
||||||
|
* \brief Version of \c mbedtls_x509_crt_verify_with_profile() which
|
||||||
|
* uses a callback to acquire the list of trusted CA
|
||||||
|
* certificates.
|
||||||
|
*
|
||||||
|
* \param crt The certificate chain to be verified.
|
||||||
|
* \param f_ca_cb The callback to be used to query for potential signers
|
||||||
|
* of a given child certificate. See the documentation of
|
||||||
|
* ::mbedtls_x509_crt_ca_cb_t for more information.
|
||||||
|
* \param p_ca_cb The opaque context to be passed to \p f_ca_cb.
|
||||||
|
* \param profile The security profile for the verification.
|
||||||
|
* \param cn The expected Common Name. This may be \c NULL if the
|
||||||
|
* CN need not be verified.
|
||||||
|
* \param flags The address at which to store the result of the verification.
|
||||||
|
* \param f_vrfy The verification callback to use. See the documentation
|
||||||
|
* of mbedtls_x509_crt_verify() for more information.
|
||||||
|
* \param p_vrfy The context to be passed to \p f_vrfy.
|
||||||
|
*
|
||||||
|
* \return See \c mbedtls_crt_verify_with_profile().
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crt_verify_with_cb( mbedtls_x509_crt *crt,
|
||||||
|
mbedtls_x509_crt_ca_cb_t f_ca_cb,
|
||||||
|
void *p_ca_cb,
|
||||||
|
const mbedtls_x509_crt_profile *profile,
|
||||||
|
const char *cn, uint32_t *flags,
|
||||||
|
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||||
|
void *p_vrfy );
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
|
||||||
|
|
||||||
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
|
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
|
||||||
/**
|
/**
|
||||||
* \brief Check usage of certificate against keyUsage extension.
|
* \brief Check usage of certificate against keyUsage extension.
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue