• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /**
2  * \file x509.h
3  *
4  * \brief X.509 generic defines and structures
5  */
6 /*
7  *  Copyright The Mbed TLS Contributors
8  *  SPDX-License-Identifier: Apache-2.0
9  *
10  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
11  *  not use this file except in compliance with the License.
12  *  You may obtain a copy of the License at
13  *
14  *  http://www.apache.org/licenses/LICENSE-2.0
15  *
16  *  Unless required by applicable law or agreed to in writing, software
17  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19  *  See the License for the specific language governing permissions and
20  *  limitations under the License.
21  */
22 #ifndef MBEDTLS_X509_H
23 #define MBEDTLS_X509_H
24 #include "mbedtls/private_access.h"
25 
26 #include "mbedtls/build_info.h"
27 
28 #include "mbedtls/asn1.h"
29 #include "mbedtls/pk.h"
30 
31 #if defined(MBEDTLS_RSA_C)
32 #include "mbedtls/rsa.h"
33 #endif
34 
35 /**
36  * \addtogroup x509_module
37  * \{
38  */
39 
40 #if !defined(MBEDTLS_X509_MAX_INTERMEDIATE_CA)
41 /**
42  * Maximum number of intermediate CAs in a verification chain.
43  * That is, maximum length of the chain, excluding the end-entity certificate
44  * and the trusted root certificate.
45  *
46  * Set this to a low value to prevent an adversary from making you waste
47  * resources verifying an overlong certificate chain.
48  */
49 #define MBEDTLS_X509_MAX_INTERMEDIATE_CA   8
50 #endif
51 
52 /**
53  * \name X509 Error codes
54  * \{
55  */
56 /** Unavailable feature, e.g. RSA hashing/encryption combination. */
57 #define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE              -0x2080
58 /** Requested OID is unknown. */
59 #define MBEDTLS_ERR_X509_UNKNOWN_OID                      -0x2100
60 /** The CRT/CRL/CSR format is invalid, e.g. different type expected. */
61 #define MBEDTLS_ERR_X509_INVALID_FORMAT                   -0x2180
62 /** The CRT/CRL/CSR version element is invalid. */
63 #define MBEDTLS_ERR_X509_INVALID_VERSION                  -0x2200
64 /** The serial tag or value is invalid. */
65 #define MBEDTLS_ERR_X509_INVALID_SERIAL                   -0x2280
66 /** The algorithm tag or value is invalid. */
67 #define MBEDTLS_ERR_X509_INVALID_ALG                      -0x2300
68 /** The name tag or value is invalid. */
69 #define MBEDTLS_ERR_X509_INVALID_NAME                     -0x2380
70 /** The date tag or value is invalid. */
71 #define MBEDTLS_ERR_X509_INVALID_DATE                     -0x2400
72 /** The signature tag or value invalid. */
73 #define MBEDTLS_ERR_X509_INVALID_SIGNATURE                -0x2480
74 /** The extension tag or value is invalid. */
75 #define MBEDTLS_ERR_X509_INVALID_EXTENSIONS               -0x2500
76 /** CRT/CRL/CSR has an unsupported version number. */
77 #define MBEDTLS_ERR_X509_UNKNOWN_VERSION                  -0x2580
78 /** Signature algorithm (oid) is unsupported. */
79 #define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG                  -0x2600
80 /** Signature algorithms do not match. (see \c ::mbedtls_x509_crt sig_oid) */
81 #define MBEDTLS_ERR_X509_SIG_MISMATCH                     -0x2680
82 /** Certificate verification failed, e.g. CRL, CA or signature check failed. */
83 #define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED               -0x2700
84 /** Format not recognized as DER or PEM. */
85 #define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT              -0x2780
86 /** Input invalid. */
87 #define MBEDTLS_ERR_X509_BAD_INPUT_DATA                   -0x2800
88 /** Allocation of memory failed. */
89 #define MBEDTLS_ERR_X509_ALLOC_FAILED                     -0x2880
90 /** Read/write of file failed. */
91 #define MBEDTLS_ERR_X509_FILE_IO_ERROR                    -0x2900
92 /** Destination buffer is too small. */
93 #define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL                 -0x2980
94 /** A fatal error occurred, eg the chain is too long or the vrfy callback failed. */
95 #define MBEDTLS_ERR_X509_FATAL_ERROR                      -0x3000
96 /** \} name X509 Error codes */
97 
98 /**
99  * \name X509 Verify codes
100  * \{
101  */
102 /* Reminder: update x509_crt_verify_strings[] in library/x509_crt.c */
103 #define MBEDTLS_X509_BADCERT_EXPIRED             0x01  /**< The certificate validity has expired. */
104 #define MBEDTLS_X509_BADCERT_REVOKED             0x02  /**< The certificate has been revoked (is on a CRL). */
105 #define MBEDTLS_X509_BADCERT_CN_MISMATCH         0x04  /**< The certificate Common Name (CN) does not match with the expected CN. */
106 #define MBEDTLS_X509_BADCERT_NOT_TRUSTED         0x08  /**< The certificate is not correctly signed by the trusted CA. */
107 #define MBEDTLS_X509_BADCRL_NOT_TRUSTED          0x10  /**< The CRL is not correctly signed by the trusted CA. */
108 #define MBEDTLS_X509_BADCRL_EXPIRED              0x20  /**< The CRL is expired. */
109 #define MBEDTLS_X509_BADCERT_MISSING             0x40  /**< Certificate was missing. */
110 #define MBEDTLS_X509_BADCERT_SKIP_VERIFY         0x80  /**< Certificate verification was skipped. */
111 #define MBEDTLS_X509_BADCERT_OTHER             0x0100  /**< Other reason (can be used by verify callback) */
112 #define MBEDTLS_X509_BADCERT_FUTURE            0x0200  /**< The certificate validity starts in the future. */
113 #define MBEDTLS_X509_BADCRL_FUTURE             0x0400  /**< The CRL is from the future */
114 #define MBEDTLS_X509_BADCERT_KEY_USAGE         0x0800  /**< Usage does not match the keyUsage extension. */
115 #define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE     0x1000  /**< Usage does not match the extendedKeyUsage extension. */
116 #define MBEDTLS_X509_BADCERT_NS_CERT_TYPE      0x2000  /**< Usage does not match the nsCertType extension. */
117 #define MBEDTLS_X509_BADCERT_BAD_MD            0x4000  /**< The certificate is signed with an unacceptable hash. */
118 #define MBEDTLS_X509_BADCERT_BAD_PK            0x8000  /**< The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA). */
119 #define MBEDTLS_X509_BADCERT_BAD_KEY         0x010000  /**< The certificate is signed with an unacceptable key (eg bad curve, RSA too short). */
120 #define MBEDTLS_X509_BADCRL_BAD_MD           0x020000  /**< The CRL is signed with an unacceptable hash. */
121 #define MBEDTLS_X509_BADCRL_BAD_PK           0x040000  /**< The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA). */
122 #define MBEDTLS_X509_BADCRL_BAD_KEY          0x080000  /**< The CRL is signed with an unacceptable key (eg bad curve, RSA too short). */
123 
124 /** \} name X509 Verify codes */
125 /** \} addtogroup x509_module */
126 
127 /*
128  * X.509 v3 Subject Alternative Name types.
129  *      otherName                       [0]     OtherName,
130  *      rfc822Name                      [1]     IA5String,
131  *      dNSName                         [2]     IA5String,
132  *      x400Address                     [3]     ORAddress,
133  *      directoryName                   [4]     Name,
134  *      ediPartyName                    [5]     EDIPartyName,
135  *      uniformResourceIdentifier       [6]     IA5String,
136  *      iPAddress                       [7]     OCTET STRING,
137  *      registeredID                    [8]     OBJECT IDENTIFIER
138  */
139 #define MBEDTLS_X509_SAN_OTHER_NAME                      0
140 #define MBEDTLS_X509_SAN_RFC822_NAME                     1
141 #define MBEDTLS_X509_SAN_DNS_NAME                        2
142 #define MBEDTLS_X509_SAN_X400_ADDRESS_NAME               3
143 #define MBEDTLS_X509_SAN_DIRECTORY_NAME                  4
144 #define MBEDTLS_X509_SAN_EDI_PARTY_NAME                  5
145 #define MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER     6
146 #define MBEDTLS_X509_SAN_IP_ADDRESS                      7
147 #define MBEDTLS_X509_SAN_REGISTERED_ID                   8
148 
149 /*
150  * X.509 v3 Key Usage Extension flags
151  * Reminder: update mbedtls_x509_info_key_usage() when adding new flags.
152  */
153 #define MBEDTLS_X509_KU_DIGITAL_SIGNATURE            (0x80)  /* bit 0 */
154 #define MBEDTLS_X509_KU_NON_REPUDIATION              (0x40)  /* bit 1 */
155 #define MBEDTLS_X509_KU_KEY_ENCIPHERMENT             (0x20)  /* bit 2 */
156 #define MBEDTLS_X509_KU_DATA_ENCIPHERMENT            (0x10)  /* bit 3 */
157 #define MBEDTLS_X509_KU_KEY_AGREEMENT                (0x08)  /* bit 4 */
158 #define MBEDTLS_X509_KU_KEY_CERT_SIGN                (0x04)  /* bit 5 */
159 #define MBEDTLS_X509_KU_CRL_SIGN                     (0x02)  /* bit 6 */
160 #define MBEDTLS_X509_KU_ENCIPHER_ONLY                (0x01)  /* bit 7 */
161 #define MBEDTLS_X509_KU_DECIPHER_ONLY              (0x8000)  /* bit 8 */
162 
163 /*
164  * Netscape certificate types
165  * (http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html)
166  */
167 
168 #define MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT         (0x80)  /* bit 0 */
169 #define MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER         (0x40)  /* bit 1 */
170 #define MBEDTLS_X509_NS_CERT_TYPE_EMAIL              (0x20)  /* bit 2 */
171 #define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING     (0x10)  /* bit 3 */
172 #define MBEDTLS_X509_NS_CERT_TYPE_RESERVED           (0x08)  /* bit 4 */
173 #define MBEDTLS_X509_NS_CERT_TYPE_SSL_CA             (0x04)  /* bit 5 */
174 #define MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA           (0x02)  /* bit 6 */
175 #define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA  (0x01)  /* bit 7 */
176 
177 /*
178  * X.509 extension types
179  *
180  * Comments refer to the status for using certificates. Status can be
181  * different for writing certificates or reading CRLs or CSRs.
182  *
183  * Those are defined in oid.h as oid.c needs them in a data structure. Since
184  * these were previously defined here, let's have aliases for compatibility.
185  */
186 #define MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER MBEDTLS_OID_X509_EXT_AUTHORITY_KEY_IDENTIFIER
187 #define MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER   MBEDTLS_OID_X509_EXT_SUBJECT_KEY_IDENTIFIER
188 #define MBEDTLS_X509_EXT_KEY_USAGE                MBEDTLS_OID_X509_EXT_KEY_USAGE
189 #define MBEDTLS_X509_EXT_CERTIFICATE_POLICIES     MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES
190 #define MBEDTLS_X509_EXT_POLICY_MAPPINGS          MBEDTLS_OID_X509_EXT_POLICY_MAPPINGS
191 #define MBEDTLS_X509_EXT_SUBJECT_ALT_NAME         MBEDTLS_OID_X509_EXT_SUBJECT_ALT_NAME         /* Supported (DNS) */
192 #define MBEDTLS_X509_EXT_ISSUER_ALT_NAME          MBEDTLS_OID_X509_EXT_ISSUER_ALT_NAME
193 #define MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS  MBEDTLS_OID_X509_EXT_SUBJECT_DIRECTORY_ATTRS
194 #define MBEDTLS_X509_EXT_BASIC_CONSTRAINTS        MBEDTLS_OID_X509_EXT_BASIC_CONSTRAINTS        /* Supported */
195 #define MBEDTLS_X509_EXT_NAME_CONSTRAINTS         MBEDTLS_OID_X509_EXT_NAME_CONSTRAINTS
196 #define MBEDTLS_X509_EXT_POLICY_CONSTRAINTS       MBEDTLS_OID_X509_EXT_POLICY_CONSTRAINTS
197 #define MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE       MBEDTLS_OID_X509_EXT_EXTENDED_KEY_USAGE
198 #define MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS  MBEDTLS_OID_X509_EXT_CRL_DISTRIBUTION_POINTS
199 #define MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY       MBEDTLS_OID_X509_EXT_INIHIBIT_ANYPOLICY
200 #define MBEDTLS_X509_EXT_FRESHEST_CRL             MBEDTLS_OID_X509_EXT_FRESHEST_CRL
201 #define MBEDTLS_X509_EXT_NS_CERT_TYPE             MBEDTLS_OID_X509_EXT_NS_CERT_TYPE
202 
203 /*
204  * Storage format identifiers
205  * Recognized formats: PEM and DER
206  */
207 #define MBEDTLS_X509_FORMAT_DER                 1
208 #define MBEDTLS_X509_FORMAT_PEM                 2
209 
210 #define MBEDTLS_X509_MAX_DN_NAME_SIZE         256 /**< Maximum value size of a DN entry */
211 
212 #ifdef __cplusplus
213 extern "C" {
214 #endif
215 
216 /**
217  * \addtogroup x509_module
218  * \{ */
219 
220 /**
221  * \name Structures for parsing X.509 certificates, CRLs and CSRs
222  * \{
223  */
224 
225 /**
226  * Type-length-value structure that allows for ASN1 using DER.
227  */
228 typedef mbedtls_asn1_buf mbedtls_x509_buf;
229 
230 /**
231  * Container for ASN1 bit strings.
232  */
233 typedef mbedtls_asn1_bitstring mbedtls_x509_bitstring;
234 
235 /**
236  * Container for ASN1 named information objects.
237  * It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.).
238  */
239 typedef mbedtls_asn1_named_data mbedtls_x509_name;
240 
241 /**
242  * Container for a sequence of ASN.1 items
243  */
244 typedef mbedtls_asn1_sequence mbedtls_x509_sequence;
245 
246 /** Container for date and time (precision in seconds). */
247 typedef struct mbedtls_x509_time {
248     int year, mon, day;         /**< Date. */
249     int hour, min, sec;         /**< Time. */
250 }
251 mbedtls_x509_time;
252 
253 /**
254  * From RFC 5280 section 4.2.1.6:
255  * OtherName ::= SEQUENCE {
256  *      type-id    OBJECT IDENTIFIER,
257  *      value      [0] EXPLICIT ANY DEFINED BY type-id }
258  *
259  * Future versions of the library may add new fields to this structure or
260  * to its embedded union and structure.
261  */
262 typedef struct mbedtls_x509_san_other_name {
263     /**
264      * The type_id is an OID as defined in RFC 5280.
265      * To check the value of the type id, you should use
266      * \p MBEDTLS_OID_CMP with a known OID mbedtls_x509_buf.
267      */
268     mbedtls_x509_buf type_id;                   /**< The type id. */
269     union {
270         /**
271          * From RFC 4108 section 5:
272          * HardwareModuleName ::= SEQUENCE {
273          *                         hwType OBJECT IDENTIFIER,
274          *                         hwSerialNum OCTET STRING }
275          */
276         struct {
277             mbedtls_x509_buf oid;               /**< The object identifier. */
278             mbedtls_x509_buf val;               /**< The named value. */
279         }
280         hardware_module_name;
281     }
282     value;
283 }
284 mbedtls_x509_san_other_name;
285 
286 /**
287  * A structure for holding the parsed Subject Alternative Name,
288  * according to type.
289  *
290  * Future versions of the library may add new fields to this structure or
291  * to its embedded union and structure.
292  */
293 typedef struct mbedtls_x509_subject_alternative_name {
294     int type;                              /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
295     union {
296         mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */
297         mbedtls_x509_buf   unstructured_name; /**< The buffer for the unconstructed types. Only rfc822Name, dnsName and uniformResourceIdentifier are currently supported */
298     }
299     san; /**< A union of the supported SAN types */
300 }
301 mbedtls_x509_subject_alternative_name;
302 
303 /** \} name Structures for parsing X.509 certificates, CRLs and CSRs */
304 
305 /**
306  * \brief          Store the certificate DN in printable form into buf;
307  *                 no more than size characters will be written.
308  *
309  * \param buf      Buffer to write to
310  * \param size     Maximum size of buffer
311  * \param dn       The X509 name to represent
312  *
313  * \return         The length of the string written (not including the
314  *                 terminated nul byte), or a negative error code.
315  */
316 int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn);
317 
318 /**
319  * \brief          Return the next relative DN in an X509 name.
320  *
321  * \note           Intended use is to compare function result to dn->next
322  *                 in order to detect boundaries of multi-valued RDNs.
323  *
324  * \param dn       Current node in the X509 name
325  *
326  * \return         Pointer to the first attribute-value pair of the
327  *                 next RDN in sequence, or NULL if end is reached.
328  */
mbedtls_x509_dn_get_next(mbedtls_x509_name * dn)329 static inline mbedtls_x509_name *mbedtls_x509_dn_get_next(
330     mbedtls_x509_name *dn)
331 {
332     while (dn->MBEDTLS_PRIVATE(next_merged) && dn->next != NULL) {
333         dn = dn->next;
334     }
335     return dn->next;
336 }
337 
338 /**
339  * \brief          Store the certificate serial in printable form into buf;
340  *                 no more than size characters will be written.
341  *
342  * \param buf      Buffer to write to
343  * \param size     Maximum size of buffer
344  * \param serial   The X509 serial to represent
345  *
346  * \return         The length of the string written (not including the
347  *                 terminated nul byte), or a negative error code.
348  */
349 int mbedtls_x509_serial_gets(char *buf, size_t size, const mbedtls_x509_buf *serial);
350 
351 /**
352  * \brief          Check a given mbedtls_x509_time against the system time
353  *                 and tell if it's in the past.
354  *
355  * \note           Intended usage is "if( is_past( valid_to ) ) ERROR".
356  *                 Hence the return value of 1 if on internal errors.
357  *
358  * \param to       mbedtls_x509_time to check
359  *
360  * \return         1 if the given time is in the past or an error occurred,
361  *                 0 otherwise.
362  */
363 int mbedtls_x509_time_is_past(const mbedtls_x509_time *to);
364 
365 /**
366  * \brief          Check a given mbedtls_x509_time against the system time
367  *                 and tell if it's in the future.
368  *
369  * \note           Intended usage is "if( is_future( valid_from ) ) ERROR".
370  *                 Hence the return value of 1 if on internal errors.
371  *
372  * \param from     mbedtls_x509_time to check
373  *
374  * \return         1 if the given time is in the future or an error occurred,
375  *                 0 otherwise.
376  */
377 int mbedtls_x509_time_is_future(const mbedtls_x509_time *from);
378 
379 /**
380  * \brief          This function parses an item in the SubjectAlternativeNames
381  *                 extension.
382  *
383  * \param san_buf  The buffer holding the raw data item of the subject
384  *                 alternative name.
385  * \param san      The target structure to populate with the parsed presentation
386  *                 of the subject alternative name encoded in \p san_raw.
387  *
388  * \note           Supported GeneralName types, as defined in RFC 5280:
389  *                 "rfc822Name", "dnsName", "uniformResourceIdentifier" and "hardware_module_name"
390  *                 of type "otherName", as defined in RFC 4108.
391  *
392  * \note           This function should be called on a single raw data of
393  *                 subject alternative name. For example, after successful
394  *                 certificate parsing, one must iterate on every item in the
395  *                 \p crt->subject_alt_names sequence, and pass it to
396  *                 this function.
397  *
398  * \warning        The target structure contains pointers to the raw data of the
399  *                 parsed certificate, and its lifetime is restricted by the
400  *                 lifetime of the certificate.
401  *
402  * \return         \c 0 on success
403  * \return         #MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE for an unsupported
404  *                 SAN type.
405  * \return         Another negative value for any other failure.
406  */
407 int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
408                                         mbedtls_x509_subject_alternative_name *san);
409 
410 /** \} addtogroup x509_module */
411 
412 /*
413  * Internal module functions. You probably do not want to use these unless you
414  * know you do.
415  */
416 int mbedtls_x509_get_name(unsigned char **p, const unsigned char *end,
417                           mbedtls_x509_name *cur);
418 int mbedtls_x509_get_alg_null(unsigned char **p, const unsigned char *end,
419                               mbedtls_x509_buf *alg);
420 int mbedtls_x509_get_alg(unsigned char **p, const unsigned char *end,
421                          mbedtls_x509_buf *alg, mbedtls_x509_buf *params);
422 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
423 int mbedtls_x509_get_rsassa_pss_params(const mbedtls_x509_buf *params,
424                                        mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md,
425                                        int *salt_len);
426 #endif
427 int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig);
428 int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
429                              mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
430                              void **sig_opts);
431 int mbedtls_x509_get_time(unsigned char **p, const unsigned char *end,
432                           mbedtls_x509_time *t);
433 int mbedtls_x509_get_serial(unsigned char **p, const unsigned char *end,
434                             mbedtls_x509_buf *serial);
435 int mbedtls_x509_get_ext(unsigned char **p, const unsigned char *end,
436                          mbedtls_x509_buf *ext, int tag);
437 #if !defined(MBEDTLS_X509_REMOVE_INFO)
438 int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
439                               mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
440                               const void *sig_opts);
441 #endif
442 int mbedtls_x509_key_size_helper(char *buf, size_t buf_size, const char *name);
443 int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name);
444 int mbedtls_x509_set_extension(mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,
445                                int critical, const unsigned char *val,
446                                size_t val_len);
447 int mbedtls_x509_write_extensions(unsigned char **p, unsigned char *start,
448                                   mbedtls_asn1_named_data *first);
449 int mbedtls_x509_write_names(unsigned char **p, unsigned char *start,
450                              mbedtls_asn1_named_data *first);
451 int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start,
452                            const char *oid, size_t oid_len,
453                            unsigned char *sig, size_t size);
454 int mbedtls_x509_get_ns_cert_type(unsigned char **p,
455                                   const unsigned char *end,
456                                   unsigned char *ns_cert_type);
457 int mbedtls_x509_get_key_usage(unsigned char **p,
458                                const unsigned char *end,
459                                unsigned int *key_usage);
460 int mbedtls_x509_get_subject_alt_name(unsigned char **p,
461                                       const unsigned char *end,
462                                       mbedtls_x509_sequence *subject_alt_name);
463 int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
464                                        const mbedtls_x509_sequence
465                                        *subject_alt_name,
466                                        const char *prefix);
467 int mbedtls_x509_info_cert_type(char **buf, size_t *size,
468                                 unsigned char ns_cert_type);
469 int mbedtls_x509_info_key_usage(char **buf, size_t *size,
470                                 unsigned int key_usage);
471 
472 #define MBEDTLS_X509_SAFE_SNPRINTF                          \
473     do {                                                    \
474         if (ret < 0 || (size_t) ret >= n)                  \
475         return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;    \
476                                                           \
477         n -= (size_t) ret;                                  \
478         p += (size_t) ret;                                  \
479     } while (0)
480 
481 #ifdef __cplusplus
482 }
483 #endif
484 
485 #endif /* x509.h */
486