Make many fields of X.509 structures public

The structures mbedtls_x509_time, mbedtls_x509_crl_entry, mbedtls_x509_crl,
mbedtls_x509_crt, mbedtls_x509_san_other_name,
mbedtls_x509_subject_alternative_name, mbedtls_x509_csr are designed to
expose the result of parsing X.509 data. Document many of their fields as
being publicly readable.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index df187cb..9a4be95 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -246,8 +246,8 @@
 /** Container for date and time (precision in seconds). */
 typedef struct mbedtls_x509_time
 {
-    int MBEDTLS_PRIVATE(year), MBEDTLS_PRIVATE(mon), MBEDTLS_PRIVATE(day);         /**< Date. */
-    int MBEDTLS_PRIVATE(hour), MBEDTLS_PRIVATE(min), MBEDTLS_PRIVATE(sec);         /**< Time. */
+    int year, mon, day;         /**< Date. */
+    int hour, min, sec;         /**< Time. */
 }
 mbedtls_x509_time;
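Review bot: mbedtls_x509_time is the only structure in this commit whose fields go public without the "publicly readable, do not modify" paragraph the CRL, certificate and CSR structures receive, and the surviving `/**< Date. */` and `/**< Time. */` comments give no field semantics. Application code that does its own validity or revocation comparisons on these ints needs to know whether `mon` and `day` are 1-based and which time zone the values are in (presumably UTC, as X.509 times are, but nothing here says so — confirm against the parser). I would add the same paragraph used for the other structures above this struct and replace the two trailing comments with `/**< Date: year, month (1-12), day of month (1-31). */` and `/**< Time of day, UTC: hour, minute, second. */` once the ranges are confirmed.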
 
diff --git a/include/mbedtls/x509_crl.h b/include/mbedtls/x509_crl.h
index 9331827..f65e984 100644
--- a/include/mbedtls/x509_crl.h
+++ b/include/mbedtls/x509_crl.h
@@ -43,16 +43,25 @@
 /**
  * Certificate revocation list entry.
  * Contains the CA-specific serial numbers and revocation dates.
+ *
+ * Some fields of this structure are publicly readable. Do not modify
+ * them except via Mbed TLS library functions: the effect of modifying
+ * those fields or the data that those fields points to is unspecified.
  */
 typedef struct mbedtls_x509_crl_entry
 {
-    mbedtls_x509_buf MBEDTLS_PRIVATE(raw);
-
-    mbedtls_x509_buf MBEDTLS_PRIVATE(serial);
-
-    mbedtls_x509_time MBEDTLS_PRIVATE(revocation_date);
-
-    mbedtls_x509_buf MBEDTLS_PRIVATE(entry_ext);
+    /** Direct access to the whole entry inside the containing buffer. */
+    mbedtls_x509_buf raw;
+    /** The serial number of the revoked certificate. */
+    mbedtls_x509_buf serial;
+    /** The revocation date of this entry. */
+    mbedtls_x509_time revocation_date;
+    /** Direct access to the list of CRL entry extensions
+     * (an ASN.1 constructed sequence).
+     *
+     * If there are no extensions, `entry_ext.len == 0` and
+     * `entry_ext.p == NULL`. */
+    mbedtls_x509_buf entry_ext;
 
     struct mbedtls_x509_crl_entry *MBEDTLS_PRIVATE(next);
 }
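Review bot: `next` at the bottom of mbedtls_x509_crl_entry stays private while `raw`, `serial`, `revocation_date` and `entry_ext` become public, so through documented fields an application can read only the first revoked certificate of a CRL; if walking the list is intended, `next` needs the same treatment (with `/** Next entry in the list, or NULL at the end. */`), otherwise the header paragraph should say that applications are expected to use library functions for revocation checks rather than scan entries themselves. The new paragraph also has a grammar slip, `the data that those fields points to` should read `the data that those fields point to`, and the same sentence is copied into x509_crt.h and x509_csr.h below. The `entry_ext.len == 0` / `entry_ext.p == NULL` statement is a newly documented contract that callers will start relying on; it is worth a parser test if one does not already exist.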
@@ -64,22 +73,22 @@
  */
 typedef struct mbedtls_x509_crl
 {
-    mbedtls_x509_buf MBEDTLS_PRIVATE(raw);           /**< The raw certificate data (DER). */
-    mbedtls_x509_buf MBEDTLS_PRIVATE(tbs);           /**< The raw certificate body (DER). The part that is To Be Signed. */
+    mbedtls_x509_buf raw;           /**< The raw certificate data (DER). */
+    mbedtls_x509_buf tbs;           /**< The raw certificate body (DER). The part that is To Be Signed. */
 
-    int MBEDTLS_PRIVATE(version);            /**< CRL version (1=v1, 2=v2) */
-    mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid);       /**< CRL signature type identifier */
+    int version;            /**< CRL version (1=v1, 2=v2) */
+    mbedtls_x509_buf sig_oid;       /**< CRL signature type identifier */
 
-    mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_raw);    /**< The raw issuer data (DER). */
+    mbedtls_x509_buf issuer_raw;    /**< The raw issuer data (DER). */
 
-    mbedtls_x509_name MBEDTLS_PRIVATE(issuer);       /**< The parsed issuer data (named information object). */
+    mbedtls_x509_name issuer;       /**< The parsed issuer data (named information object). */
 
-    mbedtls_x509_time MBEDTLS_PRIVATE(this_update);
-    mbedtls_x509_time MBEDTLS_PRIVATE(next_update);
+    mbedtls_x509_time this_update;
+    mbedtls_x509_time next_update;
 
-    mbedtls_x509_crl_entry MBEDTLS_PRIVATE(entry);   /**< The CRL entries containing the certificate revocation times for this CA. */
+    mbedtls_x509_crl_entry entry;   /**< The CRL entries containing the certificate revocation times for this CA. */
 
-    mbedtls_x509_buf MBEDTLS_PRIVATE(crl_ext);
+    mbedtls_x509_buf crl_ext;
 
     mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid2);
     mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
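Review bot: mbedtls_x509_crl gains public fields but, unlike mbedtls_x509_crl_entry just above, its declaration comment receives no "publicly readable / do not modify" paragraph (this hunk opens at the closing ` */` and adds nothing before it), and `this_update`, `next_update` and `crl_ext` are now public with no comment at all. `next_update` is exactly what an application would consult to decide whether a cached CRL is still usable, so it deserves at least `/**< Time after which a newer CRL should be obtained (nextUpdate); representation when absent to be confirmed. */` — I cannot tell from here how the parser represents a missing nextUpdate, so that detail needs checking before it is written as fact. Suggest `/**< Time this CRL was issued (thisUpdate). */` for `this_update`, `/**< Direct access to the crlExtensions sequence (DER); len == 0 if absent — confirm. */` for `crl_ext`, and the same header paragraph used on the entry structure. The `raw`/`tbs` comments still say "certificate" although this structure is a CRL.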
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 49211a9..6731100 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -45,36 +45,40 @@
 
 /**
  * Container for an X.509 certificate. The certificate may be chained.
+ *
+ * Some fields of this structure are publicly readable. Do not modify
+ * them except via Mbed TLS library functions: the effect of modifying
+ * those fields or the data that those fields points to is unspecified.
  */
 typedef struct mbedtls_x509_crt
 {
     int MBEDTLS_PRIVATE(own_buffer);                     /**< Indicates if \c raw is owned
                                          *   by the structure or not.        */
-    mbedtls_x509_buf MBEDTLS_PRIVATE(raw);               /**< The raw certificate data (DER). */
-    mbedtls_x509_buf MBEDTLS_PRIVATE(tbs);               /**< The raw certificate body (DER). The part that is To Be Signed. */
+    mbedtls_x509_buf raw;               /**< The raw certificate data (DER). */
+    mbedtls_x509_buf tbs;               /**< The raw certificate body (DER). The part that is To Be Signed. */
 
-    int MBEDTLS_PRIVATE(version);                /**< The X.509 version. (1=v1, 2=v2, 3=v3) */
-    mbedtls_x509_buf MBEDTLS_PRIVATE(serial);            /**< Unique id for certificate issued by a specific CA. */
-    mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid);           /**< Signature algorithm, e.g. sha1RSA */
+    int version;                /**< The X.509 version. (1=v1, 2=v2, 3=v3) */
+    mbedtls_x509_buf serial;            /**< Unique id for certificate issued by a specific CA. */
+    mbedtls_x509_buf sig_oid;           /**< Signature algorithm, e.g. sha1RSA */
 
-    mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_raw);        /**< The raw issuer data (DER). Used for quick comparison. */
-    mbedtls_x509_buf MBEDTLS_PRIVATE(subject_raw);       /**< The raw subject data (DER). Used for quick comparison. */
+    mbedtls_x509_buf issuer_raw;        /**< The raw issuer data (DER). Used for quick comparison. */
+    mbedtls_x509_buf subject_raw;       /**< The raw subject data (DER). Used for quick comparison. */
 
-    mbedtls_x509_name MBEDTLS_PRIVATE(issuer);           /**< The parsed issuer data (named information object). */
-    mbedtls_x509_name MBEDTLS_PRIVATE(subject);          /**< The parsed subject data (named information object). */
+    mbedtls_x509_name issuer;           /**< The parsed issuer data (named information object). */
+    mbedtls_x509_name subject;          /**< The parsed subject data (named information object). */
 
-    mbedtls_x509_time MBEDTLS_PRIVATE(valid_from);       /**< Start time of certificate validity. */
-    mbedtls_x509_time MBEDTLS_PRIVATE(valid_to);         /**< End time of certificate validity. */
+    mbedtls_x509_time valid_from;       /**< Start time of certificate validity. */
+    mbedtls_x509_time valid_to;         /**< End time of certificate validity. */
 
-    mbedtls_x509_buf MBEDTLS_PRIVATE(pk_raw);
-    mbedtls_pk_context MBEDTLS_PRIVATE(pk);              /**< Container for the public key context. */
+    mbedtls_x509_buf pk_raw;
+    mbedtls_pk_context pk;              /**< Container for the public key context. */
 
-    mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_id);         /**< Optional X.509 v2/v3 issuer unique identifier. */
-    mbedtls_x509_buf MBEDTLS_PRIVATE(subject_id);        /**< Optional X.509 v2/v3 subject unique identifier. */
-    mbedtls_x509_buf MBEDTLS_PRIVATE(v3_ext);            /**< Optional X.509 v3 extensions.  */
-    mbedtls_x509_sequence MBEDTLS_PRIVATE(subject_alt_names);    /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */
+    mbedtls_x509_buf issuer_id;         /**< Optional X.509 v2/v3 issuer unique identifier. */
+    mbedtls_x509_buf subject_id;        /**< Optional X.509 v2/v3 subject unique identifier. */
+    mbedtls_x509_buf v3_ext;            /**< Optional X.509 v3 extensions.  */
+    mbedtls_x509_sequence subject_alt_names;    /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */
 
-    mbedtls_x509_sequence MBEDTLS_PRIVATE(certificate_policies); /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */
+    mbedtls_x509_sequence certificate_policies; /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */
 
     int MBEDTLS_PRIVATE(ext_types);              /**< Bit string containing detected and parsed extensions */
     int MBEDTLS_PRIVATE(ca_istrue);              /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
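Review bot: `pk_raw` becomes public with no comment while every other newly public field of mbedtls_x509_crt has one; it needs at least `/**< The raw public key data (DER); presumably the SubjectPublicKeyInfo — confirm against the parser. */`. The `subject_alt_names` comment "currently only dNSName and OtherName are listed" now becomes an application-visible contract and should say what happens to the other GeneralName choices (skipped, or kept as raw entries), because code enumerating this list for hostname matching will silently miss names if the parser drops them — I cannot tell from this hunk which it is. If, as the "direct access to the whole entry inside the containing buffer" wording in x509_crl.h suggests, these `mbedtls_x509_buf` fields point into `raw`, the header paragraph should also state that they are valid only for the lifetime of the certificate object; `own_buffer` staying private hints at that ownership but readers of the public fields are not told.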
@@ -82,7 +86,7 @@
 
     unsigned int MBEDTLS_PRIVATE(key_usage);     /**< Optional key usage extension value: See the values in x509.h */
 
-    mbedtls_x509_sequence MBEDTLS_PRIVATE(ext_key_usage); /**< Optional list of extended key usage OIDs. */
+    mbedtls_x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */
 
     unsigned char MBEDTLS_PRIVATE(ns_cert_type); /**< Optional Netscape certificate type extension value: See the values in x509.h */
 
@@ -100,6 +104,9 @@
  * OtherName ::= SEQUENCE {
  *      type-id    OBJECT IDENTIFIER,
  *      value      [0] EXPLICIT ANY DEFINED BY type-id }
+ *
+ * Future versions of the library may add new fields to this structure or
+ * to its embedded union and structure.
  */
 typedef struct mbedtls_x509_san_other_name
 {
@@ -108,7 +115,7 @@
      * To check the value of the type id, you should use
      * \p MBEDTLS_OID_CMP with a known OID mbedtls_x509_buf.
      */
-    mbedtls_x509_buf MBEDTLS_PRIVATE(type_id);                   /**< The type id. */
+    mbedtls_x509_buf type_id;                   /**< The type id. */
     union
     {
         /**
@@ -119,26 +126,30 @@
          */
         struct
         {
-            mbedtls_x509_buf MBEDTLS_PRIVATE(oid);               /**< The object identifier. */
-            mbedtls_x509_buf MBEDTLS_PRIVATE(val);               /**< The named value. */
+            mbedtls_x509_buf oid;               /**< The object identifier. */
+            mbedtls_x509_buf val;               /**< The named value. */
         }
-        MBEDTLS_PRIVATE(hardware_module_name);
+        hardware_module_name;
     }
-    MBEDTLS_PRIVATE(value);
+    value;
 }
 mbedtls_x509_san_other_name;
 
 /**
- * A structure for holding the parsed Subject Alternative Name, according to type
+ * A structure for holding the parsed Subject Alternative Name,
+ * according to type.
+ *
+ * Future versions of the library may add new fields to this structure or
+ * to its embedded union and structure.
  */
 typedef struct mbedtls_x509_subject_alternative_name
 {
-    int MBEDTLS_PRIVATE(type);                              /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
+    int type;                              /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
     union {
-        mbedtls_x509_san_other_name MBEDTLS_PRIVATE(other_name); /**< The otherName supported type. */
-        mbedtls_x509_buf   MBEDTLS_PRIVATE(unstructured_name); /**< The buffer for the un constructed types. Only dnsName currently supported */
+        mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */
+        mbedtls_x509_buf   unstructured_name; /**< The buffer for the un constructed types. Only dnsName currently supported */
     }
-    MBEDTLS_PRIVATE(san); /**< A union of the supported SAN types */
+    san; /**< A union of the supported SAN types */
 }
 mbedtls_x509_subject_alternative_name;
 
diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h
index 674f9ce..5d1ce0e 100644
--- a/include/mbedtls/x509_csr.h
+++ b/include/mbedtls/x509_csr.h
@@ -42,20 +42,24 @@
 
 /**
  * Certificate Signing Request (CSR) structure.
+ *
+ * Some fields of this structure are publicly readable. Do not modify
+ * them except via Mbed TLS library functions: the effect of modifying
+ * those fields or the data that those fields points to is unspecified.
  */
 typedef struct mbedtls_x509_csr
 {
-    mbedtls_x509_buf MBEDTLS_PRIVATE(raw);           /**< The raw CSR data (DER). */
-    mbedtls_x509_buf MBEDTLS_PRIVATE(cri);           /**< The raw CertificateRequestInfo body (DER). */
+    mbedtls_x509_buf raw;           /**< The raw CSR data (DER). */
+    mbedtls_x509_buf cri;           /**< The raw CertificateRequestInfo body (DER). */
 
-    int MBEDTLS_PRIVATE(version);            /**< CSR version (1=v1). */
+    int version;            /**< CSR version (1=v1). */
 
-    mbedtls_x509_buf  MBEDTLS_PRIVATE(subject_raw);  /**< The raw subject data (DER). */
-    mbedtls_x509_name MBEDTLS_PRIVATE(subject);      /**< The parsed subject data (named information object). */
+    mbedtls_x509_buf  subject_raw;  /**< The raw subject data (DER). */
+    mbedtls_x509_name subject;      /**< The parsed subject data (named information object). */
 
-    mbedtls_pk_context MBEDTLS_PRIVATE(pk);          /**< Container for the public key context. */
+    mbedtls_pk_context pk;          /**< Container for the public key context. */
 
-    mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid);
+    mbedtls_x509_buf sig_oid;
     mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
     mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md);       /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
     mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk);       /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
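Review bot: `sig_oid` is made public with no comment, while the equivalent fields in x509_crt.h and x509_crl.h carry "Signature algorithm" / "signature type identifier" comments; suggest `/**< Signature algorithm identifier from the CSR (raw OID). */`, and `cri` could note that it is the part covered by the signature, matching the "To Be Signed" wording used for `tbs`. The header paragraph repeats the "those fields points to" grammar slip. One CSR-specific caveat belongs in that paragraph: `pk` and `subject` are requester-supplied, so it should state whether parsing verifies the CSR's self-signature (proof of possession) or whether a CA tool such as cert_write.c must do that itself before trusting them — I cannot tell from this diff which it is.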
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index 9a20d63..763f868 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -514,7 +514,7 @@
         }
 
         ret = mbedtls_x509_dn_gets( issuer_name, sizeof(issuer_name),
-                                 &issuer_crt.MBEDTLS_PRIVATE(subject) );
+                                 &issuer_crt.subject );
         if( ret < 0 )
         {
             mbedtls_strerror( ret, buf, 1024 );
@@ -548,7 +548,7 @@
         }
 
         ret = mbedtls_x509_dn_gets( subject_name, sizeof(subject_name),
-                                 &csr.MBEDTLS_PRIVATE(subject) );
+                                 &csr.subject );
         if( ret < 0 )
         {
             mbedtls_strerror( ret, buf, 1024 );
@@ -558,7 +558,7 @@
         }
 
         opt.subject_name = subject_name;
-        subject_key = &csr.MBEDTLS_PRIVATE(pk);
+        subject_key = &csr.pk;
 
         mbedtls_printf( " ok\n" );
     }
@@ -602,7 +602,7 @@
     //
     if( strlen( opt.issuer_crt ) )
     {
-        if( mbedtls_pk_check_pair( &issuer_crt.MBEDTLS_PRIVATE(pk), issuer_key,
+        if( mbedtls_pk_check_pair( &issuer_crt.pk, issuer_key,
                                    mbedtls_ctr_drbg_random, &ctr_drbg ) != 0 )
         {
             mbedtls_printf( " failed\n  !  issuer_key does not match "