X509CERT(3) | Library Functions Manual | X509CERT(3) |
x509cert_encode
, x509cert_sign
,
x509cert_encode_req
,
x509cert_encode_cert
,
x509cert_encode_dn
—
x509cert_dn_string_rdn_len
,
x509cert_parse_dn_string
#include <x509cert.h>
size_t
x509cert_encode
(const
struct x509cert_item *,
unsigned char *);
size_t
x509cert_sign
(const
struct x509cert_item *,
const struct x509cert_skey
*, const br_hash_class
*, unsigned char
*);
size_t
x509cert_encode_req
(const
struct x509cert_req *,
unsigned char *);
x509cert_encoder x509cert_req_encoder;
size_t
x509cert_encode_cert
(const
struct x509cert_cert *,
unsigned char *);
x509cert_encoder x509cert_cert_encoder;
size_t
x509cert_encode_dn
(const
struct x509cert_dn *,
unsigned char *);
x509cert_encoder x509cert_dn_encoder;
size_t
x509cert_dn_string_rdn_len
(const
char *);
int
x509cert_parse_dn_string
(struct
x509cert_rdn *, char
*);
libx509cert
follow a similar pattern.
They take a pointer to a buffer in which to encode some ASN.1 structure, and
return the encoded length, or 0 if it cannot be encoded. In order to determine
an appropriate size for this buffer, the function should first be called with
NULL
to compute the encoded size, and then again with
an allocated buffer of at least this size. This pattern is captured with the
x509cert_encoder function typedef.
A general ASN.1 item is represented with struct x509cert_item, which has the following members:
The x509cert_encode
() function encodes an
ASN.1 item into a buffer. If enc is
NULL
, the default encoder is used, which encodes
tag and len, then copies
len bytes from val into the
buffer. If tag is 0, val is
assumed to be pre-encoded, and no tag-length header is added. Otherwise, the
enc function is called with the item as its argument,
which encodes the item some other way. In this case,
val might point to some structure, with
tag and len unused.
The x509cert_sign
() function DER-encodes a
ASN.1 item along with its signature as an X.509
SIGNED{...} structure into a buffer, returning its length.
If the buffer is NULL
, no encoding or signing takes
place. Instead, the maximum length of the encoded item is returned. The
actual length may be several bytes smaller. The signature algorithm used is
determined by the type of the private key and the hash algorithm. Supported
key types are BR_KEYTYPE_RSA
(up to 4096 bit) and
BR_KEYTYPE_EC
(secp256r1, secp384r1, secp521r1).
A certificate request is described by struct x509cert_req, which has the following members:
x509cert_sign
().The x509cert_encode_req
() function
DER-encodes a PKCS#10 CertificateRequestInfo into a
buffer. If alts_len is positive, an extension request
is added for subjectAltName containing the alternate names
given in alts. Each one must have a one of the
following tags and correseponding value type:
X509CERT_SAN_OTHERNAME
X509CERT_SAN_RFC822NAME
X509CERT_SAN_DNSNAME
X509CERT_SAN_URI
X509CERT_SAN_IPADDRESS
A certificate is described by struct x509cert_cert, which has the following members:
x509cert_encode_req
() except that
pkey needn't match the signing key.x509cert_sign
().x509cert_sign
().The x509cert_encode_cert
() function
DER-encodes an X.509 TBSCertificate into a buffer. If
ca is non-zero, a basicConstraints
extension is added with the cA
field set to
TRUE
, indicating that the subject is a certificate
authority.
A distinguished name is represented with struct x509cert_dn, which has the following members:
Each RDN has type struct x509cert_rdn, which has the following members:
The x509cert_encode_dn
() function
DER-encodes an X.501 DistinguishedName into a buffer. RDNs
with multiple attributes are not supported.
The x509cert_dn_string_rdn_len
() function
determines the number of RDNs represented in a RFC 4514 DN string.
The x509cert_parse_dn_string
() function
parses the RFC 4514 DN string representation (for example,
C=US,CN=example.com
) into an array of RDNs.
Multi-valued RDNs are not supported. The array must be large enough for all
RDNs, the number of which can be determined with
x509cert_dn_string_rdn_len
(). The string buffer is
rewritten in-place with RDN values and encoded OIDs.
The following attribute names are supported:
The OIDs for these attributes are also available for explicit struct x509cert_dn construction as x509cert_oid_*.
x509cert_encode
(),
x509cert_encode_req
(),
x509cert_encode_cert
(), and
x509cert_encode_dn
() functions return the encoded
length of the ASN.1 item, or 0 if the item cannot be encoded.
The x509cert_sign
() function returns the
maximum encoded length of the ASN.1
SIGNED{...} structure if the buffer is
NULL
, and the actual encoded length otherwise. If
the item cannot be encoded, or there is an error computing the signature, 0
is returned.
The x509cert_dn_string_rdn_len
() function
returns the number of RDNs described in the string.
The x509cert_parse_dn_string
() function
returns 1 on success, or 0 if the string is invalid or the buffer is not
large enough.
#include <stdlib.h> #include <x509cert.h> br_x509_certificate selfsigned(const struct x509cert_skey *skey, const br_x509_pkey *pkey) { struct x509cert_dn dn = { .rdn = &(struct x509cert_rdn){ .oid = x509cert_oid_CN, .val.tag = X509CERT_ASN1_UTF8STRING, .val.len = 11, .val.val = "example.com", }, .rdn_len = 1, }; struct x509cert_cert cert = { .req = &(struct x509cert_req){ .subject = {.enc = x509cert_dn_encoder, .val = &dn}, .pkey = *pkey, }, .key_type = skey->type, .hash_id = br_sha256_ID, .issuer = {.enc = x509cert_dn_encoder, .val = &dn} }; struct x509cert_item cert_item = { .enc = x509cert_cert_encoder, .val = &cert, }; size_t len; unsigned char *buf; cert.notbefore = time(NULL); cert.notafter = cert.notbefore + 2592000; /* calculate maximum length */ len = x509cert_sign(&cert_item, skey, &br_sha256_vtable, NULL); if (len == 0 || !(buf = malloc(len))) return (br_x509_certificate){0}; len = x509cert_sign(&cert_item, skey, &br_sha256_vtable, buf); if (len == 0) { free(buf); return (br_x509_certificate){0}; } return (br_x509_certificate){.data = buf, .data_len = len}; }
May 6, 2021 | Linux 5.11.4+ |