High Performance OPC UA Server SDK
1.2.1.203
|
Modules | |
Certificate Validation Flags | |
Bitmask values for controlling the verification process of pki_cert_verify. | |
Data Structures | |
struct | pki_cert_trust_list |
List of trust list elements (trusted|issuers&certs|crls). More... | |
struct | pki_cert_verification_result |
Certificate verification result. More... | |
struct | pki_cert_identity |
Holds all information about a certificate issuer or subject. More... | |
struct | pki_cert_info |
Holds all additional OPC UA relevant information of a certificate. More... | |
Typedefs | |
typedef void * | pki_cert |
X509 certificate handle. More... | |
typedef void * | pki_crl |
CRL type. | |
typedef void * | pki_cert_writer |
typedef void * | pki_csr_writer |
Enumerations | |
enum | pki_cert_extension { pki_cert_extension_subject_alt_name = 0, pki_cert_extension_basic_constraints = 1, pki_cert_extension_netscape_comment = 2, pki_cert_extension_subject_key_identifier = 3, pki_cert_extension_authority_key_identifier = 4, pki_cert_extension_key_usage = 5, pki_cert_extension_extended_key_usage = 6 } |
Identifiers for supported X509 extenstions. | |
Functions | |
static void | pki_cert_identity_clear (struct pki_cert_identity *id) |
Release all memory referenced by a pki_cert_identitiy structure. More... | |
static void | pki_cert_info_clear (struct pki_cert_info *info) |
Release all memory referenced by a pki_cert_info structure. More... | |
int | pki_cert_from_der (const unsigned char *der, size_t derlen, pki_cert *cert) |
Decode a single certificate from DER format. More... | |
int | pki_cert_verify (size_t cert_len, unsigned char *cert_data, uint32_t verification_flags, struct pki_cert_trust_list *trusted_certs, struct pki_cert_trust_list *trusted_crls, struct pki_cert_trust_list *issuer_certs, struct pki_cert_trust_list *issuer_crls, bool *cert_ok, unsigned int *num_results, struct pki_cert_verification_result *results) |
Check if certificate is valid (time, signature etc.). More... | |
int | pki_cert_get_public_key (pki_cert cert, struct crypto_key *key) |
Get handle to public key of a certificate. More... | |
int | pki_cert_get_identity (pki_cert cert, unsigned char issuer, struct pki_cert_identity *cert_id) |
Get issuer or subject information from a certificate. More... | |
int | pki_cert_get_info (pki_cert cert, struct pki_cert_info *cert_info) |
Get basic X509 information from a certificate. More... | |
void | pki_cert_delete (pki_cert *cert) |
Release handle to certificate. More... | |
int | pki_cert_split_chain (unsigned char *chain, size_t chain_size, uint32_t *pnum_certs, size_t *cert_lengths, unsigned char **cert_datas) |
Get start positions of pnum_certs certificates. More... | |
int | pki_cert_get_extension (pki_cert cert, enum pki_cert_extension ext, unsigned char *val, size_t vallen) |
Get extension from cert. More... | |
int | pki_cert_create_selfsigned_der (const struct pki_cert_info *cert_info, const struct pki_cert_identity *sub, const struct crypto_key *sub_key, enum crypto_hash_alg sign_alg, unsigned char *der, size_t *derlen) |
Creates a new cert based on given certificate data and returns it DER encoded. More... | |
int | pki_cert_create_selfsigned (const struct pki_cert_info *cert_info, const struct pki_cert_identity *sub, const struct crypto_key *sub_key, enum crypto_hash_alg sign_alg, pki_cert *cert) |
Creates a new cert based on given certificate data and returns it in internal format. More... | |
int | pki_csr_create_der (const struct pki_cert_info *cert_info, const struct pki_cert_identity *sub, const struct crypto_key *sub_key, enum crypto_hash_alg sign_alg, unsigned char *der, size_t *derlen) |
Creates a new certificate signing request based on given certificate data and returns it DER encoded. More... | |
int | pki_cert_create_casigned_der (const struct pki_cert_info *cert_info, const struct pki_cert_identity *sub, const struct crypto_key *sub_key, pki_cert iss_cert, const struct crypto_key *iss_key, enum crypto_hash_alg sign_alg, unsigned char *der, size_t *derlen) |
Creates a new cert based on given certificate data and returns it DER encoded. More... | |
int | pki_cert_create_casigned (const struct pki_cert_info *cert_info, const struct pki_cert_identity *sub, const struct crypto_key *sub_key, const pki_cert iss_cert, const struct crypto_key *iss_key, enum crypto_hash_alg sign_alg, pki_cert *cert) |
Creates a new cert based on given certificate data and returns it in internal format. More... | |
int | pki_csr_sign (unsigned char *csr_der, size_t csr_derlen, const pki_cert iss_cert, const struct crypto_key *iss_key, struct pki_cert_info *cert_info, enum crypto_hash_alg sign_alg, unsigned char *der, size_t *derlen) |
Uses the data from the CRS and some additional data to create a new certificate. More... | |
int | pki_crl_create (pki_crl *crl, uint64_t validity_time, pki_cert iss_cert, uint64_t crl_num) |
Creates a new Certificate Revocation List. More... | |
int | pki_crl_to_der (pki_crl crl, unsigned char *crl_der, size_t *crl_der_len) |
Serializes the revocation list into DER format. More... | |
int | pki_crl_from_der (pki_crl *crl, const unsigned char *crl_der, size_t crl_der_len) |
Get Certificate Revocation List from DER encoded ByteString. More... | |
void | pki_crl_delete (pki_crl *crl) |
Deletes a Certificate Revocation List and frees it's memory. More... | |
int | pki_crl_add_cert (pki_crl crl, const char *revoked_cert_serial, time_t revocation_date) |
Adds a certificate to the Certificate Revocation List. More... | |
int | pki_crl_sign (pki_crl crl, struct crypto_key *iss_key, enum crypto_hash_alg sign_alg) |
Signs a Certificate Revocation List. More... | |
int | pki_crl_get_number (pki_crl crl, uint64_t *crl_number) |
Returns the number of the crl. More... | |
int | pki_crl_get_seconds_until_update (pki_crl crl, int64_t *seconds_until_update) |
Returns number of seconds until the next update. | |
int | pki_csr_set_subject_alt_name (mbedtls_x509write_csr *ctx, const struct pki_cert_info *cert_info) |
int | pki_cert_set_subject_alt_name (mbedtls_x509write_cert *ctx, const struct pki_cert_info *cert_info) |
int | pki_cert_create_time_strings (time_t begin, time_t end, char *not_before, char *not_after) |
int | pki_cert_create_identity_string (const struct pki_cert_identity *id, char *name, size_t namelen) |
int | pki_cert_writer_encode_der (pki_cert_writer cert_writer, unsigned char *der, size_t *derlen) |
void | pki_cert_writer_delete (pki_cert_writer *cert_writer) |
typedef void* pki_cert |
X509 certificate handle.
int pki_cert_create_casigned | ( | const struct pki_cert_info * | cert_info, |
const struct pki_cert_identity * | sub, | ||
const struct crypto_key * | sub_key, | ||
const pki_cert | iss_cert, | ||
const struct crypto_key * | iss_key, | ||
enum crypto_hash_alg | sign_alg, | ||
pki_cert * | cert | ||
) |
Creates a new cert based on given certificate data and returns it in internal format.
cert_info | UA Application information. |
sub | The identity of the cert owner. |
sub_key | The key pair of the cert. The public key part will be stored in the cert. |
iss_cert | The issuer certificate. (not required if self signed) |
iss_key | The key pair of the issuer. (own key if self signed). |
sign_alg | Set the algorithm to be used for signing the new certificate. |
cert | The created certificate in internal format. |
int pki_cert_create_casigned_der | ( | const struct pki_cert_info * | cert_info, |
const struct pki_cert_identity * | sub, | ||
const struct crypto_key * | sub_key, | ||
pki_cert | iss_cert, | ||
const struct crypto_key * | iss_key, | ||
enum crypto_hash_alg | sign_alg, | ||
unsigned char * | der, | ||
size_t * | derlen | ||
) |
Creates a new cert based on given certificate data and returns it DER encoded.
cert_info | UA Application information. |
sub | The identity of the cert owner. |
sub_key | The key pair of the cert. The public key part will be stored in the cert. |
iss_cert | The issuer certificate. (not required if self signed) |
iss_key | The key pair of the issuer. (sub_key if self signed). |
sign_alg | Set the algorithm to be used for signing the new certificate. |
der | Buffer to encode the certificate into. |
derlen | Length of the destination buffer; used size on return. |
int pki_cert_create_selfsigned | ( | const struct pki_cert_info * | cert_info, |
const struct pki_cert_identity * | sub, | ||
const struct crypto_key * | sub_key, | ||
enum crypto_hash_alg | sign_alg, | ||
pki_cert * | cert | ||
) |
Creates a new cert based on given certificate data and returns it in internal format.
cert_info | UA Application information. |
sub | The identity of the cert owner. |
sub_key | The key pair of the cert. The public key part will be stored in the cert. |
sign_alg | Set the algorithm to be used for signing the new certificate. |
cert | The created certificate in internal format. |
int pki_cert_create_selfsigned_der | ( | const struct pki_cert_info * | cert_info, |
const struct pki_cert_identity * | sub, | ||
const struct crypto_key * | sub_key, | ||
enum crypto_hash_alg | sign_alg, | ||
unsigned char * | der, | ||
size_t * | derlen | ||
) |
Creates a new cert based on given certificate data and returns it DER encoded.
cert_info | UA Application information. |
sub | The identity of the cert owner. |
sub_key | The key pair of the cert. The public key part will be stored in the cert. |
sign_alg | Set the algorithm to be used for signing the new certificate. |
der | Buffer to encode the certificate into. |
derlen | Length of the destination buffer; used size on return. |
void pki_cert_delete | ( | pki_cert * | cert | ) |
Release handle to certificate.
cert | Certificate handle to release. |
int pki_cert_from_der | ( | const unsigned char * | der, |
size_t | derlen, | ||
pki_cert * | cert | ||
) |
Decode a single certificate from DER format.
der | Buffer containing a DER encoded certificate. |
derlen | Length of one encoded certificate in the buffer. |
cert | Handle to the decoded certificate. |
int pki_cert_get_extension | ( | pki_cert | cert, |
enum pki_cert_extension | ext, | ||
unsigned char * | val, | ||
size_t | vallen | ||
) |
Get extension from cert.
cert | The cert to use. |
ext | The cert extension to get. |
val | Place to store the value of the specified extension. |
vallen | Length of the value buffer. |
int pki_cert_get_identity | ( | pki_cert | cert, |
unsigned char | issuer, | ||
struct pki_cert_identity * | cert_id | ||
) |
Get issuer or subject information from a certificate.
cert | The cert to use. |
issuer | Set to 0 to get subject information, else issuer information. |
cert_id | Pointer to structure for storing the identity information. Contents must be freed. |
int pki_cert_get_info | ( | pki_cert | cert, |
struct pki_cert_info * | cert_info | ||
) |
Get basic X509 information from a certificate.
cert | The cert to extract the data from. |
cert_info | Pointer to structure for storing the certificate information. Contents must be freed. |
int pki_cert_get_public_key | ( | pki_cert | cert, |
struct crypto_key * | key | ||
) |
Get handle to public key of a certificate.
The key becomes invalid when the certificate is released.
cert | Handle of the certificate. |
key | Pointer to the key handle memory. |
|
inlinestatic |
Release all memory referenced by a pki_cert_identitiy structure.
|
inlinestatic |
Release all memory referenced by a pki_cert_info structure.
int pki_cert_split_chain | ( | unsigned char * | chain, |
size_t | chain_size, | ||
uint32_t * | pnum_certs, | ||
size_t * | cert_lengths, | ||
unsigned char ** | cert_datas | ||
) |
Get start positions of pnum_certs certificates.
The array certs should be long enough to hold the number of expected certificates.
chain | Buffer containing one or more encoded certificates. |
chain_size | Number of bytes in chain. |
pnum_certs | Number of certs elements before call, number of used certs after call. |
cert_lengths | Array of sizes to store the lengths of the chain elements. |
cert_datas | Array of pointers to store the starting positions of the chain elements. |
int pki_cert_verify | ( | size_t | cert_len, |
unsigned char * | cert_data, | ||
uint32_t | verification_flags, | ||
struct pki_cert_trust_list * | trusted_certs, | ||
struct pki_cert_trust_list * | trusted_crls, | ||
struct pki_cert_trust_list * | issuer_certs, | ||
struct pki_cert_trust_list * | issuer_crls, | ||
bool * | cert_ok, | ||
unsigned int * | num_results, | ||
struct pki_cert_verification_result * | results | ||
) |
Check if certificate is valid (time, signature etc.).
cert_len | Length in bytes of cert_data. |
cert_data | Array containing the DER encoded certificate to be verified. |
verification_flags | Bit mask of verification control flags (see ). |
trusted_certs | Set of trusted application instance certificate and issuer certificates. |
trusted_crls | Set of trusted issuer CRLs. |
issuer_certs | Set of untrusted issuer certificates for chain completion. |
issuer_crls | Set of untrusted issuer CRLs. |
cert_ok | General verification result on return. |
num_results | Size of array results; number of used elements on return. |
results | Preallocated array for storing validation results. |
int pki_crl_add_cert | ( | pki_crl | crl, |
const char * | revoked_cert_serial, | ||
time_t | revocation_date | ||
) |
Adds a certificate to the Certificate Revocation List.
crl | The CRL to use. |
revoked_cert_serial | Serial number of the certificate to revoke. |
revocation_date | The revocation date to set. |
Creates a new Certificate Revocation List.
crl | A pointer to a variable to store a pointer to the created CRL. |
validity_time | Time from now in seconds until a new CRL will be created. |
iss_cert | The issuer of the CRL (only subject name is used for CRL creation). |
crl_num | The consecutive number of the CRL; gets incremented everytime the CLR is signed. |
void pki_crl_delete | ( | pki_crl * | crl | ) |
Deletes a Certificate Revocation List and frees it's memory.
crl | A pointer to a variable that points to a struct pki_crl. |
int pki_crl_from_der | ( | pki_crl * | crl, |
const unsigned char * | crl_der, | ||
size_t | crl_der_len | ||
) |
Get Certificate Revocation List from DER encoded ByteString.
crl_der | The byte string containing the DER encoded CRL. |
crl_der | The DER encoded CRL. |
crl_der_len | Length of crl_der in bytes. |
int pki_crl_get_number | ( | pki_crl | crl, |
uint64_t * | crl_number | ||
) |
Returns the number of the crl.
crl | The CRL. |
crl_number | Location where the CRL number is stored. |
int pki_crl_sign | ( | pki_crl | crl, |
struct crypto_key * | iss_key, | ||
enum crypto_hash_alg | sign_alg | ||
) |
Signs a Certificate Revocation List.
crl | The CRL to sign. |
iss_key | The key pair used to sign the CRL. |
sign_alg | Identifier for the signing algorithm. |
int pki_crl_to_der | ( | pki_crl | crl, |
unsigned char * | crl_der, | ||
size_t * | crl_der_len | ||
) |
Serializes the revocation list into DER format.
crl | The CRL to encode. |
crl_der | The memory to store the CRL in. |
crl_der_len | Length of crl_pem before and after the operation. |
int pki_csr_create_der | ( | const struct pki_cert_info * | cert_info, |
const struct pki_cert_identity * | sub, | ||
const struct crypto_key * | sub_key, | ||
enum crypto_hash_alg | sign_alg, | ||
unsigned char * | der, | ||
size_t * | derlen | ||
) |
Creates a new certificate signing request based on given certificate data and returns it DER encoded.
cert_info | UA Application information. |
sub | The identity of the cert owner. |
sub_key | The key pair of the cert. The public key part will be stored in the cert. |
sign_alg | Set the algorithm to be used for signing the new certificate. |
der | Buffer to encode the certificate into. |
derlen | Length of the destination buffer; used size on return. |
int pki_csr_sign | ( | unsigned char * | csr_der, |
size_t | csr_derlen, | ||
const pki_cert | iss_cert, | ||
const struct crypto_key * | iss_key, | ||
struct pki_cert_info * | cert_info, | ||
enum crypto_hash_alg | sign_alg, | ||
unsigned char * | der, | ||
size_t * | derlen | ||
) |
Uses the data from the CRS and some additional data to create a new certificate.
csr_der | DER encoded certificate signing request. |
csr_derlen | Length in bytes of csr_der. |
iss_cert | Issuer certificate. |
iss_key | Issuer private key used to sign the certificate. |
cert_info | Contains validity time and serial number; remaining information taken from CSR. |
sign_alg | Algorithm used to sign the new certificate. |
der | Pointer to memory where the new certificate will be stored in DER format. |
derlen | The size in bytes of the destination buffer at "der". |