Functions
ASN.1

Functions

int wc_InitCert (Cert *)
 This function initializes a default cert, with the default options: version = 3 (0x2), serial = 0, sigType = SHA_WITH_RSA, issuer = blank, daysValid = 500, selfSigned = 1 (true) use subject as issuer, subject = blank. More...
 
Cert * wc_CertNew (void *heap)
 This function allocates a new Cert structure for use during cert operations without the application having to allocate the structure itself. The Cert structure is also initialized by this function thus removing the need to call wc_InitCert(). When the application is finished using the allocated Cert structure wc_CertFree() must be called. More...
 
void wc_CertFree (Cert *cert)
 This function frees the memory allocated for a cert structure by a previous call to wc_CertNew(). More...
 
int wc_MakeCert (Cert *cert, byte *derBuffer, word32 derSz, RsaKey *rsaKey, ecc_key *eccKey, WC_RNG *rng)
 Used to make CA signed certs. Called after the subject information has been entered. This function makes an x509 Certificate v3 RSA or ECC from a cert input. It then writes this cert to derBuffer. It takes in either an rsaKey or an eccKey to generate the certificate. The certificate must be initialized with wc_InitCert before this method is called. More...
 
int wc_MakeCertReq (Cert *cert, byte *derBuffer, word32 derSz, RsaKey *rsaKey, ecc_key *eccKey)
 This function makes a certificate signing request using the input certificate and writes the output to derBuffer. It takes in either an rsaKey or an eccKey to generate the certificate request. wc_SignCert() will need to be called after this function to sign the certificate request. Please see the wolfCrypt test application (./wolfcrypt/test/test.c) for an example usage of this function. More...
 
int wc_SignCert (int requestSz, int sigType, byte *derBuffer, word32 derSz, RsaKey *rsaKey, ecc_key *eccKey, WC_RNG *rng)
 This function signs buffer and adds the signature to the end of buffer. It takes in a signature type. Must be called after wc_MakeCert() or wc_MakeCertReq() if creating a CA signed cert. More...
 
int wc_MakeSelfCert (Cert *cert, byte *derBuffer, word32 derSz, RsaKey *key, WC_RNG *rng)
 This function is a combination of the previous two functions, wc_MakeCert and wc_SignCert for self signing (the previous functions may be used for CA requests). It makes a certificate, and then signs it, generating a self-signed certificate. More...
 
int wc_SetIssuer (Cert *cert, const char *issuerFile)
 This function sets the issuer for a certificate to the issuer in the provided pem issuerFile. It also changes the certificate’s self-signed attribute to false. The issuer specified in issuerFile is verified prior to setting the cert issuer. This method is used to set fields prior to signing. More...
 
int wc_SetSubject (Cert *cert, const char *subjectFile)
 This function sets the subject for a certificate to the subject in the provided pem subjectFile. This method is used to set fields prior to signing. More...
 
int wc_SetSubjectRaw (Cert *cert, const byte *der, int derSz)
 This function sets the raw subject for a certificate from the subject in the provided der buffer. This method is used to set the raw subject field prior to signing. More...
 
int wc_GetSubjectRaw (byte **subjectRaw, Cert *cert)
 This function gets the raw subject from the certificate structure. More...
 
int wc_SetAltNames (Cert *cert, const char *file)
 This function sets the alternate names for a certificate to the alternate names in the provided pem file. This is useful in the case that one wishes to secure multiple domains with the same certificate. This method is used to set fields prior to signing. More...
 
int wc_SetIssuerBuffer (Cert *cert, const byte *der, int derSz)
 This function sets the issuer for a certificate from the issuer in the provided der buffer. It also changes the certificate’s self-signed attribute to false. This method is used to set fields prior to signing. More...
 
int wc_SetIssuerRaw (Cert *cert, const byte *der, int derSz)
 This function sets the raw issuer for a certificate from the issuer in the provided der buffer. This method is used to set the raw issuer field prior to signing. More...
 
int wc_SetSubjectBuffer (Cert *cert, const byte *der, int derSz)
 This function sets the subject for a certificate from the subject in the provided der buffer. This method is used to set fields prior to signing. More...
 
int wc_SetAltNamesBuffer (Cert *cert, const byte *der, int derSz)
 This function sets the alternate names for a certificate from the alternate names in the provided der buffer. This is useful in the case that one wishes to secure multiple domains with the same certificate. This method is used to set fields prior to signing. More...
 
int wc_SetDatesBuffer (Cert *cert, const byte *der, int derSz)
 This function sets the dates for a certificate from the date range in the provided der buffer. This method is used to set fields prior to signing. More...
 
int wc_SetAuthKeyIdFromPublicKey (Cert *cert, RsaKey *rsakey, ecc_key *eckey)
 Set AKID from either an RSA or ECC public key. note: Only set one of rsakey or eckey, not both. More...
 
int wc_SetAuthKeyIdFromCert (Cert *cert, const byte *der, int derSz)
 Set AKID from from DER encoded certificate. More...
 
int wc_SetAuthKeyId (Cert *cert, const char *file)
 Set AKID from certificate file in PEM format. More...
 
int wc_SetSubjectKeyIdFromPublicKey (Cert *cert, RsaKey *rsakey, ecc_key *eckey)
 Set SKID from RSA or ECC public key. More...
 
int wc_SetSubjectKeyId (Cert *cert, const char *file)
 Set SKID from public key file in PEM format. Both arguments are required. More...
 
int wc_PemPubKeyToDer (const char *fileName, unsigned char *derBuf, int derSz)
 Loads a PEM key from a file and converts to a DER encoded buffer. More...
 
int wc_PubKeyPemToDer (const unsigned char *pem, int pemSz, unsigned char *buff, int buffSz)
 Convert a PEM encoded public key to DER. Returns the number of bytes written to the buffer or a negative value for an error. More...
 
int wc_PemCertToDer (const char *fileName, unsigned char *derBuf, int derSz)
 This function converts a pem certificate to a der certificate, and places the resulting certificate in the derBuf buffer provided. More...
 
int wc_DerToPem (const byte *der, word32 derSz, byte *output, word32 outputSz, int type)
 This function converts a der formatted input certificate, contained in the der buffer, into a pem formatted output certificate, contained in the output buffer. It should be noted that this is not an in place conversion, and a separate buffer must be utilized to store the pem formatted output. More...
 
int wc_DerToPemEx (const byte *der, word32 derSz, byte *output, word32 outputSz, byte *cipherIno, int type)
 This function converts a der formatted input certificate, contained in the der buffer, into a pem formatted output certificate, contained in the output buffer. It should be noted that this is not an in place conversion, and a separate buffer must be utilized to store the pem formatted output. Allows setting cipher info. More...
 
int wc_EccPrivateKeyDecode (const byte *input, word32 *inOutIdx, ecc_key *key, word32 inSz)
 This function reads in an ECC private key from the input buffer, input, parses the private key, and uses it to generate an ecc_key object, which it stores in key. More...
 
int wc_EccKeyToDer (ecc_key *key, byte *output, word32 inLen)
 This function writes a private ECC key to der format. More...
 
int wc_EccPublicKeyDecode (const byte *input, word32 *inOutIdx, ecc_key *key, word32 inSz)
 Decodes an ECC public key from an input buffer. It will parse an ASN sequence to retrieve the ECC key. More...
 
int wc_EccPublicKeyToDer (ecc_key *key, byte *output, word32 inLen, int with_AlgCurve)
 This function converts the ECC public key to DER format. It returns the size of buffer used. The public ECC key in DER format is stored in output buffer. The with_AlgCurve flag will include a header that has the Algorithm and Curve information. More...
 
int wc_EccPublicKeyToDer_ex (ecc_key *key, byte *output, word32 inLen, int with_AlgCurve, int comp)
 This function converts the ECC public key to DER format. It returns the size of buffer used. The public ECC key in DER format is stored in output buffer. The with_AlgCurve flag will include a header that has the Algorithm and Curve information. The comp parameter determines if the public key will be exported as compressed. More...
 
word32 wc_EncodeSignature (byte *out, const byte *digest, word32 digSz, int hashOID)
 This function encodes a digital signature into the output buffer, and returns the size of the encoded signature created. More...
 
int wc_GetCTC_HashOID (int type)
 This function returns the hash OID that corresponds to a hashing type. For example, when given the type: WC_SHA512, this function returns the identifier corresponding to a SHA512 hash, SHA512h. More...
 
void wc_SetCert_Free (Cert *cert)
 This function cleans up memory and resources used by the certificate structure's decoded cert cache. When WOLFSSL_CERT_GEN_CACHE is defined the decoded cert structure is cached in the certificate structure. This allows subsequent calls to certificate set functions to avoid parsing the decoded cert on each call. More...
 
int wc_GetPkcs8TraditionalOffset (byte *input, word32 *inOutIdx, word32 sz)
 This function finds the beginning of the traditional private key inside a PKCS#8 unencrypted buffer. More...
 
int wc_CreatePKCS8Key (byte *out, word32 *outSz, byte *key, word32 keySz, int algoID, const byte *curveOID, word32 oidSz)
 This function takes in a DER private key and converts it to PKCS#8 format. Also used in creating PKCS#12 shrouded key bags. See RFC 5208. More...
 
int wc_EncryptPKCS8Key (byte *key, word32 keySz, byte *out, word32 *outSz, const char *password, int passwordSz, int vPKCS, int pbeOid, int encAlgId, byte *salt, word32 saltSz, int itt, WC_RNG *rng, void *heap)
 This function takes in an unencrypted PKCS#8 DER key (e.g. one created by wc_CreatePKCS8Key) and converts it to PKCS#8 encrypted format. The resulting encrypted key can be decrypted using wc_DecryptPKCS8Key. See RFC 5208. More...
 
int wc_DecryptPKCS8Key (byte *input, word32 sz, const char *password, int passwordSz)
 This function takes an encrypted PKCS#8 DER key and decrypts it to PKCS#8 unencrypted DER. Undoes the encryption done by wc_EncryptPKCS8Key. See RFC5208. The input buffer is overwritten with the decrypted data. More...
 
int wc_CreateEncryptedPKCS8Key (byte *key, word32 keySz, byte *out, word32 *outSz, const char *password, int passwordSz, int vPKCS, int pbeOid, int encAlgId, byte *salt, word32 saltSz, int itt, WC_RNG *rng, void *heap)
 This function takes a traditional, DER key, converts it to PKCS#8 format, and encrypts it. It uses wc_CreatePKCS8Key and wc_EncryptPKCS8Key to do this. More...
 
void wc_InitDecodedCert (struct DecodedCert *cert, const byte *source, word32 inSz, void *heap)
 This function initializes the DecodedCert pointed to by the "cert" parameter. It saves the "source" pointer to a DER-encoded certificate of length "inSz." This certificate can be parsed by a subsequent call to wc_ParseCert. More...
 
int wc_ParseCert (DecodedCert *cert, int type, int verify, void *cm)
 This function parses the DER-encoded certificate saved in the DecodedCert object and populates the fields of that object. The DecodedCert must have been initialized with a prior call to wc_InitDecodedCert. This function takes an optional pointer to a CertificateManager object, which is used to populate the certificate authority information of the DecodedCert, if the CA is found in the CertificateManager. More...
 
void wc_FreeDecodedCert (struct DecodedCert *cert)
 This function frees a DecodedCert that was previously initialized with wc_InitDecodedCert. More...
 
int wc_SetTimeCb (wc_time_cb f)
 This function registers a time callback that will be used anytime wolfSSL needs to get the current time. The prototype of the callback should be the same as the "time" function from the C standard library. More...
 
time_t wc_Time (time_t *t)
 This function gets the current time. By default, it uses the XTIME macro, which varies between platforms. The user can use a function of their choosing instead via the wc_SetTimeCb function. More...
 
int wc_SetCustomExtension (Cert *cert, int critical, const char *oid, const byte *der, word32 derSz)
 This function injects a custom extension in to an X.509 certificate. note: The content at the address pointed to by any of the parameters that are pointers must not be modified until the certificate is generated and you have the der output. This function does NOT copy the contents to another buffer. More...
 
int wc_SetUnknownExtCallback (DecodedCert *cert, wc_UnknownExtCallback cb)
 This function registers a callback that will be used anytime wolfSSL encounters an unknown X.509 extension in a certificate while parsing a certificate. The prototype of the callback should be: More...
 
int wc_CheckCertSigPubKey (const byte *cert, word32 certSz, void *heap, const byte *pubKey, word32 pubKeySz, int pubKeyOID)
 This function verifies the signature in the der form of an X.509 certificate against a public key. The public key is expected to be the full subject public key info in der form. More...
 
int wc_Asn1PrintOptions_Init (Asn1PrintOptions *opts)
 This function initializes the ASN.1 print options. More...
 
int wc_Asn1PrintOptions_Set (Asn1PrintOptions *opts, enum Asn1PrintOpt opt, word32 val)
 This function sets a print option into an ASN.1 print options object. More...
 
int wc_Asn1_Init (Asn1 *asn1)
 This function initializes an ASN.1 parsing object. More...
 
int wc_Asn1_SetFile (Asn1 *asn1, XFILE file)
 This function sets the file to use when printing into an ASN.1 parsing object. More...
 
int wc_Asn1_PrintAll (Asn1 *asn1, Asn1PrintOptions *opts, unsigned char *data, word32 len)
 Print all ASN.1 items. More...
 

Detailed Description

Function Documentation

int wc_Asn1_Init ( Asn1 *  asn1)

This function initializes an ASN.1 parsing object.

Returns
0 on success.
BAD_FUNC_ARG when asn1 is NULL.
Parameters
asn1ASN.1 parse object.

Example

1 Asn1 asn1;
2 
3 // Initialize ASN.1 parse object before use.
4 wc_Asn1_Init(&asn1);
See also
wc_Asn1_SetFile
wc_Asn1_PrintAll
int wc_Asn1_PrintAll ( Asn1 *  asn1,
Asn1PrintOptions *  opts,
unsigned char *  data,
word32  len 
)

Print all ASN.1 items.

Returns
0 on success.
BAD_FUNC_ARG when asn1 or opts is NULL.
ASN_LEN_E when ASN.1 item's length too long.
ASN_DEPTH_E when end offset invalid.
ASN_PARSE_E when not all of an ASN.1 item parsed.
Parameters
asn1The ASN.1 parse object.
optsThe ASN.1 print options.
dataBuffer containing BER/DER data to print.
lenLength of data to print in bytes.
1 Asn1PrintOptions opts;
2 Asn1 asn1;
3 unsigned char data[] = { Initialize with DER/BER data };
4 word32 len = sizeof(data);
5 
6 // Initialize ASN.1 print options before use.
7 wc_Asn1PrintOptions_Init(&opt);
8 // Set the number of indents when printing tag name to be 1.
9 wc_Asn1PrintOptions_Set(&opt, ASN1_PRINT_OPT_INDENT, 1);
10 
11 // Initialize ASN.1 parse object before use.
12 wc_Asn1_Init(&asn1);
13 // Set standard out to be the file descriptor to write to.
14 wc_Asn1_SetFile(&asn1, stdout);
15 // Print all ASN.1 items in buffer with the specified print options.
16 wc_Asn1_PrintAll(&asn1, &opts, data, len);
See also
wc_Asn1_Init
wc_Asn1_SetFile
int wc_Asn1_SetFile ( Asn1 *  asn1,
XFILE  file 
)

This function sets the file to use when printing into an ASN.1 parsing object.

Returns
0 on success.
BAD_FUNC_ARG when asn1 is NULL.
BAD_FUNC_ARG when file is XBADFILE.
Parameters
asn1The ASN.1 parse object.
fileFile to print to.

Example

1 Asn1 asn1;
2 
3 // Initialize ASN.1 parse object before use.
4 wc_Asn1_Init(&asn1);
5 // Set standard out to be the file descriptor to write to.
6 wc_Asn1_SetFile(&asn1, stdout);
See also
wc_Asn1_Init
wc_Asn1_PrintAll
int wc_Asn1PrintOptions_Init ( Asn1PrintOptions *  opts)

This function initializes the ASN.1 print options.

Returns
0 on success.
BAD_FUNC_ARG when asn1 is NULL.
Parameters
optsThe ASN.1 options for printing.

Example

1 Asn1PrintOptions opt;
2 
3 // Initialize ASN.1 print options before use.
4 wc_Asn1PrintOptions_Init(&opt);
See also
wc_Asn1PrintOptions_Set
wc_Asn1_PrintAll
int wc_Asn1PrintOptions_Set ( Asn1PrintOptions *  opts,
enum Asn1PrintOpt  opt,
word32  val 
)

This function sets a print option into an ASN.1 print options object.

Returns
0 on success.
BAD_FUNC_ARG when asn1 is NULL.
BAD_FUNC_ARG when val is out of range for option.
Parameters
optsThe ASN.1 options for printing.
optAn option to set value for.
valThe value to set.

Example

1 Asn1PrintOptions opt;
2 
3 // Initialize ASN.1 print options before use.
4 wc_Asn1PrintOptions_Init(&opt);
5 // Set the number of indents when printing tag name to be 1.
6 wc_Asn1PrintOptions_Set(&opt, ASN1_PRINT_OPT_INDENT, 1);
See also
wc_Asn1PrintOptions_Init
wc_Asn1_PrintAll
void wc_CertFree ( Cert *  cert)

This function frees the memory allocated for a cert structure by a previous call to wc_CertNew().

Returns
None.
Parameters
Apointer to the cert structure to free.

Example

1 Cert* myCert;
2 
3 myCert = wc_CertNew(NULL);
4 
5 // Perform cert operations.
6 
7 wc_CertFree(myCert);
See also
wc_InitCert
wc_MakeCert
wc_CertNew
Cert* wc_CertNew ( void *  heap)

This function allocates a new Cert structure for use during cert operations without the application having to allocate the structure itself. The Cert structure is also initialized by this function thus removing the need to call wc_InitCert(). When the application is finished using the allocated Cert structure wc_CertFree() must be called.

Returns
pointer If successful the call will return a pointer to the newly allocated and initialized Cert.
NULL On a memory allocation failure.
Parameters
Apointer to the heap used for dynamic allocation. Can be NULL.

Example

1 Cert* myCert;
2 
3 myCert = wc_CertNew(NULL);
4 if (myCert == NULL) {
5  // Cert creation failure
6 }
See also
wc_InitCert
wc_MakeCert
wc_CertFree
int wc_CheckCertSigPubKey ( const byte *  cert,
word32  certSz,
void *  heap,
const byte *  pubKey,
word32  pubKeySz,
int  pubKeyOID 
)

This function verifies the signature in the der form of an X.509 certificate against a public key. The public key is expected to be the full subject public key info in der form.

Returns
0 Returned on success.
Other negative values on failure.
Parameters
certThe der encoding of the X.509 certificate.
certSzThe size in bytes of cert.
heapA pointer to the heap used for dynamic allocation. Can be NULL.
pubKeyThe der encoding of the public key.
pubKeySzThe size in bytes of pubKey.
pubKeyOIDOID identifying the algorithm of the public key. (ie: ECDSAk, DSAk or RSAk)
int wc_CreateEncryptedPKCS8Key ( byte *  key,
word32  keySz,
byte *  out,
word32 *  outSz,
const char *  password,
int  passwordSz,
int  vPKCS,
int  pbeOid,
int  encAlgId,
byte *  salt,
word32  saltSz,
int  itt,
WC_RNG *  rng,
void *  heap 
)

This function takes a traditional, DER key, converts it to PKCS#8 format, and encrypts it. It uses wc_CreatePKCS8Key and wc_EncryptPKCS8Key to do this.

Returns
The size of the encrypted key placed in out on success.
LENGTH_ONLY_E if out is NULL, with required output buffer size in outSz.
Other negative values on failure.
Parameters
keyBuffer with traditional DER key.
keySzSize of key buffer.
outBuffer to place result in. If NULL, required out buffer size returned in outSz.
outSzSize of out buffer.
passwordThe password to use for the password-based encryption algorithm.
passwordSzThe length of the password (not including the NULL terminator).
vPKCSThe PKCS version to use. Can be 1 for PKCS12 or PKCS5.
pbeOidThe OID of the PBE scheme to use (e.g. PBES2 or one of the OIDs for PBES1 in RFC 2898 A.3).
encAlgIdThe encryption algorithm ID to use (e.g. AES256CBCb).
saltThe salt buffer to use. If NULL, a random salt will be used.
saltSzThe length of the salt buffer. Can be 0 if passing NULL for salt.
ittThe number of iterations to use for the KDF.
rngA pointer to an initialized WC_RNG object.
heapA pointer to the heap used for dynamic allocation. Can be NULL.

Example

1 byte* key; // Traditional private key (DER formatted).
2 word32 keySz; // Size of key.
3 byte* pkcs8Enc; // Encrypted PKCS#8 key.
4 word32 pkcs8EncSz; // Size of pkcs8Enc.
5 const char* password; // Password to use for encryption.
6 int passwordSz; // Length of password (not including NULL terminator).
7 WC_RNG rng;
8 
9 // The following produces an encrypted, PKCS#8 version of key in pkcs8Enc.
10 // The encryption uses password-based encryption scheme 2 (PBE2) from PKCS#5
11 // and the AES cipher in CBC mode with a 256-bit key. See RFC 8018 for more
12 // on PKCS#5.
13 ret = wc_CreateEncryptedPKCS8Key(key, keySz, pkcs8Enc, &pkcs8EncSz,
14  password, passwordSz, PKCS5, PBES2, AES256CBCb, NULL, 0,
15  WC_PKCS12_ITT_DEFAULT, &rng, NULL);
See also
wc_GetPkcs8TraditionalOffset
wc_CreatePKCS8Key
wc_EncryptPKCS8Key
wc_DecryptPKCS8Key
int wc_CreatePKCS8Key ( byte *  out,
word32 *  outSz,
byte *  key,
word32  keySz,
int  algoID,
const byte *  curveOID,
word32  oidSz 
)

This function takes in a DER private key and converts it to PKCS#8 format. Also used in creating PKCS#12 shrouded key bags. See RFC 5208.

Returns
The size of the PKCS#8 key placed into out on success.
LENGTH_ONLY_E if out is NULL, with required output buffer size in outSz.
Other negative values on failure.
Parameters
outBuffer to place result in. If NULL, required out buffer size returned in outSz.
outSzSize of out buffer.
keyBuffer with traditional DER key.
keySzSize of key buffer.
algoIDAlgorithm ID (e.g. RSAk).
curveOIDECC curve OID if used. Should be NULL for RSA keys.
oidSzSize of curve OID. Is set to 0 if curveOID is NULL.

Example

1 ecc_key eccKey; // wolfSSL ECC key object.
2 byte* der; // DER-encoded ECC key.
3 word32 derSize; // Size of der.
4 const byte* curveOid = NULL; // OID of curve used by eccKey.
5 word32 curveOidSz = 0; // Size of curve OID.
6 byte* pkcs8; // Output buffer for PKCS#8 key.
7 word32 pkcs8Sz; // Size of output buffer.
8 
9 derSize = wc_EccKeyDerSize(&eccKey, 1);
10 ...
11 derSize = wc_EccKeyToDer(&eccKey, der, derSize);
12 ...
13 ret = wc_ecc_get_oid(eccKey.dp->oidSum, &curveOid, &curveOidSz);
14 ...
15 ret = wc_CreatePKCS8Key(NULL, &pkcs8Sz, der,
16  derSize, ECDSAk, curveOid, curveOidSz); // Get size needed in pkcs8Sz.
17 ...
18 ret = wc_CreatePKCS8Key(pkcs8, &pkcs8Sz, der,
19  derSize, ECDSAk, curveOid, curveOidSz);
See also
wc_GetPkcs8TraditionalOffset
wc_EncryptPKCS8Key
wc_DecryptPKCS8Key
wc_CreateEncryptedPKCS8Key
int wc_DecryptPKCS8Key ( byte *  input,
word32  sz,
const char *  password,
int  passwordSz 
)

This function takes an encrypted PKCS#8 DER key and decrypts it to PKCS#8 unencrypted DER. Undoes the encryption done by wc_EncryptPKCS8Key. See RFC5208. The input buffer is overwritten with the decrypted data.

Returns
The length of the decrypted buffer on success.
Negative values on failure.
Parameters
inputOn input, buffer containing encrypted PKCS#8 key. On successful output, contains the decrypted key.
szSize of the input buffer.
passwordThe password used to encrypt the key.
passwordSzThe length of the password (not including NULL terminator).

Example

1 byte* pkcs8Enc; // Encrypted PKCS#8 key made with wc_EncryptPKCS8Key.
2 word32 pkcs8EncSz; // Size of pkcs8Enc.
3 const char* password; // Password to use for decryption.
4 int passwordSz; // Length of password (not including NULL terminator).
5 
6 ret = wc_DecryptPKCS8Key(pkcs8Enc, pkcs8EncSz, password, passwordSz);
See also
wc_GetPkcs8TraditionalOffset
wc_CreatePKCS8Key
wc_EncryptPKCS8Key
wc_CreateEncryptedPKCS8Key
int wc_DerToPem ( const byte *  der,
word32  derSz,
byte *  output,
word32  outputSz,
int  type 
)

This function converts a der formatted input certificate, contained in the der buffer, into a pem formatted output certificate, contained in the output buffer. It should be noted that this is not an in place conversion, and a separate buffer must be utilized to store the pem formatted output.

Returns
Success On successfully making a pem certificate from the input der cert, returns the size of the pem cert generated.
BAD_FUNC_ARG Returned if there is an error parsing the der file and storing it as a pem file
MEMORY_E Returned if there is an error allocating memory with XMALLOC
ASN_INPUT_E Returned in the case of a base64 encoding error
BUFFER_E May be returned if the output buffer is too small to store the pem formatted certificate
Parameters
derpointer to the buffer of the certificate to convert
derSzsize of the the certificate to convert
outputpointer to the buffer in which to store the pem formatted certificate
outSzsize of the buffer in which to store the pem formatted certificate
typethe type of certificate to generate. Valid types are: CERT_TYPE, PRIVATEKEY_TYPE, ECC_PRIVATEKEY_TYPE, and CERTREQ_TYPE.

Example

1 byte* der;
2 // initialize der with certificate
3 byte* pemFormatted[FOURK_BUF];
4 
5 word32 pemSz;
6 pemSz = wc_DerToPem(der, derSz,pemFormatted,FOURK_BUF, CERT_TYPE);
See also
wc_PemCertToDer
int wc_DerToPemEx ( const byte *  der,
word32  derSz,
byte *  output,
word32  outputSz,
byte *  cipherIno,
int  type 
)

This function converts a der formatted input certificate, contained in the der buffer, into a pem formatted output certificate, contained in the output buffer. It should be noted that this is not an in place conversion, and a separate buffer must be utilized to store the pem formatted output. Allows setting cipher info.

Returns
Success On successfully making a pem certificate from the input der cert, returns the size of the pem cert generated.
BAD_FUNC_ARG Returned if there is an error parsing the der file and storing it as a pem file
MEMORY_E Returned if there is an error allocating memory with XMALLOC
ASN_INPUT_E Returned in the case of a base64 encoding error
BUFFER_E May be returned if the output buffer is too small to store the pem formatted certificate
Parameters
derpointer to the buffer of the certificate to convert
derSzsize of the the certificate to convert
outputpointer to the buffer in which to store the pem formatted certificate
outSzsize of the buffer in which to store the pem formatted certificate
cipher_infAdditional cipher information.
typethe type of certificate to generate. Valid types are: CERT_TYPE, PRIVATEKEY_TYPE, ECC_PRIVATEKEY_TYPE, and CERTREQ_TYPE.

Example

1 byte* der;
2 // initialize der with certificate
3 byte* pemFormatted[FOURK_BUF];
4 
5 word32 pemSz;
6 byte* cipher_info[] { Additional cipher info. }
7 pemSz = wc_DerToPemEx(der, derSz,pemFormatted,FOURK_BUF, ,CERT_TYPE);
See also
wc_PemCertToDer
int wc_EccKeyToDer ( ecc_key *  key,
byte *  output,
word32  inLen 
)

This function writes a private ECC key to der format.

Returns
Success On successfully writing the ECC key to der format, returns the length written to the buffer
BAD_FUNC_ARG Returned if key or output is null, or inLen equals zero
MEMORY_E Returned if there is an error allocating memory with XMALLOC
BUFFER_E Returned if the converted certificate is too large to store in the output buffer
ASN_UNKNOWN_OID_E Returned if the ECC key used is of an unknown type
MP_MEM Returned if there is an error in the math library used while parsing the private key
MP_VAL Returned if there is an error in the math library used while parsing the private key
MP_RANGE Returned if there is an error in the math library used while parsing the private key
Parameters
keypointer to the buffer containing the input ecc key
outputpointer to a buffer in which to store the der formatted key
inLenthe length of the buffer in which to store the der formatted key

Example

1 int derSz;
2 ecc_key key;
3 // initialize and make key
4 byte der[FOURK_BUF];
5 // store der formatted key here
6 
7 derSz = wc_EccKeyToDer(&key, der, FOURK_BUF);
8 if(derSz < 0) {
9  // error converting ecc key to der buffer
10 }
See also
wc_RsaKeyToDer
int wc_EccPrivateKeyDecode ( const byte *  input,
word32 *  inOutIdx,
ecc_key *  key,
word32  inSz 
)

This function reads in an ECC private key from the input buffer, input, parses the private key, and uses it to generate an ecc_key object, which it stores in key.

Returns
0 On successfully decoding the private key and storing the result in the ecc_key struct
ASN_PARSE_E: Returned if there is an error parsing the der file and storing it as a pem file
MEMORY_E Returned if there is an error allocating memory with XMALLOC
BUFFER_E Returned if the certificate to convert is large than the specified max certificate size
ASN_OBJECT_ID_E Returned if the certificate encoding has an invalid object id
ECC_CURVE_OID_E Returned if the ECC curve of the provided key is not supported
ECC_BAD_ARG_E Returned if there is an error in the ECC key format
NOT_COMPILED_IN Returned if the private key is compressed, and no compression key is provided
MP_MEM Returned if there is an error in the math library used while parsing the private key
MP_VAL Returned if there is an error in the math library used while parsing the private key
MP_RANGE Returned if there is an error in the math library used while parsing the private key
Parameters
inputpointer to the buffer containing the input private key
inOutIdxpointer to a word32 object containing the index in the buffer at which to start
keypointer to an initialized ecc object, on which to store the decoded private key
inSzsize of the input buffer containing the private key

Example

1 int ret, idx=0;
2 ecc_key key; // to store key in
3 
4 byte* tmp; // tmp buffer to read key from
5 tmp = (byte*) malloc(FOURK_BUF);
6 
7 int inSz;
8 inSz = fread(tmp, 1, FOURK_BUF, privateKeyFile);
9 // read key into tmp buffer
10 
11 wc_ecc_init(&key); // initialize key
12 ret = wc_EccPrivateKeyDecode(tmp, &idx, &key, (word32)inSz);
13 if(ret < 0) {
14  // error decoding ecc key
15 }
See also
wc_RSA_PrivateKeyDecode
int wc_EccPublicKeyDecode ( const byte *  input,
word32 *  inOutIdx,
ecc_key *  key,
word32  inSz 
)

Decodes an ECC public key from an input buffer. It will parse an ASN sequence to retrieve the ECC key.

Returns
0 Success
BAD_FUNC_ARG Returns if any arguments are null.
ASN_PARSE_E Returns if there is an error parsing
ASN_ECC_KEY_E Returns if there is an error importing the key. See wc_ecc_import_x963 for possible reasons.
Parameters
inputBuffer containing DER encoded key to decode.
inOutIdxIndex to start reading input buffer from. On output, index is set to last position parsed of input buffer.
keyPointer to ecc_key struct to store the public key.
inSzSize of the input buffer.

Example

1 int ret;
2 word32 idx = 0;
3 byte buff[] = { // initialize with key };
4 ecc_key pubKey;
5 wc_ecc_init(&pubKey);
6 if ( wc_EccPublicKeyDecode(buff, &idx, &pubKey, sizeof(buff)) != 0) {
7  // error decoding key
8 }
See also
wc_ecc_import_x963
int wc_EccPublicKeyToDer ( ecc_key *  key,
byte *  output,
word32  inLen,
int  with_AlgCurve 
)

This function converts the ECC public key to DER format. It returns the size of buffer used. The public ECC key in DER format is stored in output buffer. The with_AlgCurve flag will include a header that has the Algorithm and Curve information.

Returns
>0 Success, size of buffer used
BAD_FUNC_ARG Returned if output or key is null.
LENGTH_ONLY_E Error in getting ECC public key size.
BUFFER_E Returned when output buffer is too small.
Parameters
keyPointer to ECC key
outputPointer to output buffer to write to.
inLenSize of buffer.
with_AlgCurvea flag for when to include a header that has the Algorithm and Curve information.

Example

1 ecc_key key;
2 wc_ecc_init(&key);
3 WC_RNG rng;
4 wc_InitRng(&rng);
5 wc_ecc_make_key(&rng, 32, &key);
6 int derSz = // Some appropriate size for der;
7 byte der[derSz];
8 
9 if(wc_EccPublicKeyToDer(&key, der, derSz, 1) < 0)
10 {
11  // Error converting ECC public key to der
12 }
See also
wc_EccKeyToDer
wc_EccPrivateKeyDecode
int wc_EccPublicKeyToDer_ex ( ecc_key *  key,
byte *  output,
word32  inLen,
int  with_AlgCurve,
int  comp 
)

This function converts the ECC public key to DER format. It returns the size of buffer used. The public ECC key in DER format is stored in output buffer. The with_AlgCurve flag will include a header that has the Algorithm and Curve information. The comp parameter determines if the public key will be exported as compressed.

Returns
>0 Success, size of buffer used
BAD_FUNC_ARG Returned if output or key is null.
LENGTH_ONLY_E Error in getting ECC public key size.
BUFFER_E Returned when output buffer is too small.
Parameters
keyPointer to ECC key
outputPointer to output buffer to write to.
inLenSize of buffer.
with_AlgCurvea flag for when to include a header that has the Algorithm and Curve information.
compIf 1 (non-zero) the ECC public key will be written in compressed form. If 0 it will be written in an uncompressed format.

Example

1 ecc_key key;
2 wc_ecc_init(&key);
3 WC_RNG rng;
4 wc_InitRng(&rng);
5 wc_ecc_make_key(&rng, 32, &key);
6 int derSz = // Some appropriate size for der;
7 byte der[derSz];
8 
9 // Write out a compressed ECC key
10 if(wc_EccPublicKeyToDer_ex(&key, der, derSz, 1, 1) < 0)
11 {
12  // Error converting ECC public key to der
13 }
See also
wc_EccKeyToDer
wc_EccPublicKeyDecode
word32 wc_EncodeSignature ( byte *  out,
const byte *  digest,
word32  digSz,
int  hashOID 
)

This function encodes a digital signature into the output buffer, and returns the size of the encoded signature created.

Returns
Success On successfully writing the encoded signature to output, returns the length written to the buffer
Parameters
outpointer to the buffer where the encoded signature will be written
digestpointer to the digest to use to encode the signature
digSzthe length of the buffer containing the digest
hashOIDOID identifying the hash type used to generate the signature. Valid options, depending on build configurations, are: SHAh, SHA256h, SHA384h, SHA512h, MD2h, MD5h, DESb, DES3b, CTC_MD5wRSA, CTC_SHAwRSA, CTC_SHA256wRSA, CTC_SHA384wRSA, CTC_SHA512wRSA, CTC_SHAwECDSA, CTC_SHA256wECDSA, CTC_SHA384wECDSA, and CTC_SHA512wECDSA.
1 int signSz;
2 byte encodedSig[MAX_ENCODED_SIG_SZ];
3 Sha256 sha256;
4 // initialize sha256 for hashing
5 
6 byte* dig = = (byte*)malloc(WC_SHA256_DIGEST_SIZE);
7 // perform hashing and hash updating so dig stores SHA-256 hash
8 // (see wc_InitSha256, wc_Sha256Update and wc_Sha256Final)
9 signSz = wc_EncodeSignature(encodedSig, dig, WC_SHA256_DIGEST_SIZE, SHA256h);
See also
none
int wc_EncryptPKCS8Key ( byte *  key,
word32  keySz,
byte *  out,
word32 *  outSz,
const char *  password,
int  passwordSz,
int  vPKCS,
int  pbeOid,
int  encAlgId,
byte *  salt,
word32  saltSz,
int  itt,
WC_RNG *  rng,
void *  heap 
)

This function takes in an unencrypted PKCS#8 DER key (e.g. one created by wc_CreatePKCS8Key) and converts it to PKCS#8 encrypted format. The resulting encrypted key can be decrypted using wc_DecryptPKCS8Key. See RFC 5208.

Returns
The size of the encrypted key placed in out on success.
LENGTH_ONLY_E if out is NULL, with required output buffer size in outSz.
Other negative values on failure.
Parameters
keyBuffer with traditional DER key.
keySzSize of key buffer.
outBuffer to place result in. If NULL, required out buffer size returned in outSz.
outSzSize of out buffer.
passwordThe password to use for the password-based encryption algorithm.
passwordSzThe length of the password (not including the NULL terminator).
vPKCSThe PKCS version to use. Can be 1 for PKCS12 or PKCS5.
pbeOidThe OID of the PBE scheme to use (e.g. PBES2 or one of the OIDs for PBES1 in RFC 2898 A.3).
encAlgIdThe encryption algorithm ID to use (e.g. AES256CBCb).
saltThe salt buffer to use. If NULL, a random salt will be used.
saltSzThe length of the salt buffer. Can be 0 if passing NULL for salt.
ittThe number of iterations to use for the KDF.
rngA pointer to an initialized WC_RNG object.
heapA pointer to the heap used for dynamic allocation. Can be NULL.

Example

1 byte* pkcs8; // Unencrypted PKCS#8 key.
2 word32 pkcs8Sz; // Size of pkcs8.
3 byte* pkcs8Enc; // Encrypted PKCS#8 key.
4 word32 pkcs8EncSz; // Size of pkcs8Enc.
5 const char* password; // Password to use for encryption.
6 int passwordSz; // Length of password (not including NULL terminator).
7 WC_RNG rng;
8 
9 // The following produces an encrypted version of pkcs8 in pkcs8Enc. The
10 // encryption uses password-based encryption scheme 2 (PBE2) from PKCS#5 and
11 // the AES cipher in CBC mode with a 256-bit key. See RFC 8018 for more on
12 // PKCS#5.
13 ret = wc_EncryptPKCS8Key(pkcs8, pkcs8Sz, pkcs8Enc, &pkcs8EncSz, password,
14  passwordSz, PKCS5, PBES2, AES256CBCb, NULL, 0,
15  WC_PKCS12_ITT_DEFAULT, &rng, NULL);
See also
wc_GetPkcs8TraditionalOffset
wc_CreatePKCS8Key
wc_DecryptPKCS8Key
wc_CreateEncryptedPKCS8Key
void wc_FreeDecodedCert ( struct DecodedCert *  cert)

This function frees a DecodedCert that was previously initialized with wc_InitDecodedCert.

Parameters
certPointer to an initialized DecodedCert object.

Example

1 int ret;
2 DecodedCert decodedCert; // Decoded certificate object.
3 byte* certBuf; // DER-encoded certificate buffer.
4 word32 certBufSz; // Size of certBuf in bytes.
5 
6 wc_InitDecodedCert(&decodedCert, certBuf, certBufSz, NULL);
7 ret = wc_ParseCert(&decodedCert, CERT_TYPE, NO_VERIFY, NULL);
8 if (ret != 0) {
9  fprintf(stderr, "wc_ParseCert failed.\n");
10 }
11 wc_FreeDecodedCert(&decodedCert);
See also
wc_InitDecodedCert
wc_ParseCert
int wc_GetCTC_HashOID ( int  type)

This function returns the hash OID that corresponds to a hashing type. For example, when given the type: WC_SHA512, this function returns the identifier corresponding to a SHA512 hash, SHA512h.

Returns
Success On success, returns the OID corresponding to the appropriate hash to use with that encryption type.
0 Returned if an unrecognized hash type is passed in as argument.
Parameters
typethe hash type for which to find the OID. Valid options, depending on build configuration, include: WC_MD5, WC_SHA, WC_SHA256, WC_SHA384, WC_SHA512, WC_SHA3_224, WC_SHA3_256, WC_SHA3_384 or WC_SHA3_512

Example

1 int hashOID;
2 
3 hashOID = wc_GetCTC_HashOID(WC_SHA512);
4 if (hashOID == 0) {
5  // WOLFSSL_SHA512 not defined
6 }
See also
none
int wc_GetPkcs8TraditionalOffset ( byte *  input,
word32 *  inOutIdx,
word32  sz 
)

This function finds the beginning of the traditional private key inside a PKCS#8 unencrypted buffer.

Returns
Length of traditional private key on success.
Negative values on failure.
Parameters
inputBuffer containing unencrypted PKCS#8 private key.
inOutIdxIndex into the input buffer. On input, it should be a byte offset to the beginning of the the PKCS#8 buffer. On output, it will be the byte offset to the traditional private key within the input buffer.
szThe number of bytes in the input buffer.

Example

1 byte* pkcs8Buf; // Buffer containing PKCS#8 key.
2 word32 idx = 0;
3 word32 sz; // Size of pkcs8Buf.
4 ...
5 ret = wc_GetPkcs8TraditionalOffset(pkcs8Buf, &idx, sz);
6 // pkcs8Buf + idx is now the beginning of the traditional private key bytes.
See also
wc_CreatePKCS8Key
wc_EncryptPKCS8Key
wc_DecryptPKCS8Key
wc_CreateEncryptedPKCS8Key
int wc_GetSubjectRaw ( byte **  subjectRaw,
Cert *  cert 
)

This function gets the raw subject from the certificate structure.

Returns
0 Returned on successfully getting the subject from the certificate
BAD_FUNC_ARG Returned if there is an error processing the certificate extension
Parameters
subjectRawpointer-pointer to the raw subject upon successful return
certpointer to the cert from which to get the raw subject

Example

1 Cert myCert;
2 byte *subjRaw;
3 // initialize myCert
4 
5 if(wc_GetSubjectRaw(&subjRaw, &myCert) != 0) {
6  // error setting subject
7 }
See also
wc_InitCert
wc_SetSubjectRaw
int wc_InitCert ( Cert *  )

This function initializes a default cert, with the default options: version = 3 (0x2), serial = 0, sigType = SHA_WITH_RSA, issuer = blank, daysValid = 500, selfSigned = 1 (true) use subject as issuer, subject = blank.

Returns
none No returns.
Parameters
certpointer to an uninitialized cert structure to initialize

Example

1 Cert myCert;
2 wc_InitCert(&myCert);
See also
wc_MakeCert
wc_MakeCertReq
void wc_InitDecodedCert ( struct DecodedCert *  cert,
const byte *  source,
word32  inSz,
void *  heap 
)

This function initializes the DecodedCert pointed to by the "cert" parameter. It saves the "source" pointer to a DER-encoded certificate of length "inSz." This certificate can be parsed by a subsequent call to wc_ParseCert.

Parameters
certPointer to an allocated DecodedCert object.
sourcePointer to a DER-encoded certificate.
inSzLength of the DER-encoded certificate in bytes.
heapA pointer to the heap used for dynamic allocation. Can be NULL.

Example

1 DecodedCert decodedCert; // Decoded certificate object.
2 byte* certBuf; // DER-encoded certificate buffer.
3 word32 certBufSz; // Size of certBuf in bytes.
4 
5 wc_InitDecodedCert(&decodedCert, certBuf, certBufSz, NULL);
See also
wc_ParseCert
wc_FreeDecodedCert
int wc_MakeCert ( Cert *  cert,
byte *  derBuffer,
word32  derSz,
RsaKey *  rsaKey,
ecc_key *  eccKey,
WC_RNG *  rng 
)

Used to make CA signed certs. Called after the subject information has been entered. This function makes an x509 Certificate v3 RSA or ECC from a cert input. It then writes this cert to derBuffer. It takes in either an rsaKey or an eccKey to generate the certificate. The certificate must be initialized with wc_InitCert before this method is called.

Returns
Success On successfully making an x509 certificate from the specified input cert, returns the size of the cert generated.
MEMORY_E Returned if there is an error allocating memory with XMALLOC
BUFFER_E Returned if the provided derBuffer is too small to store the generated certificate
Others Additional error messages may be returned if the cert generation is not successful.
Parameters
certpointer to an initialized cert structure
derBufferpointer to the buffer in which to hold the generated cert
derSzsize of the buffer in which to store the cert
rsaKeypointer to an RsaKey structure containing the rsa key used to generate the certificate
eccKeypointer to an EccKey structure containing the ecc key used to generate the certificate
rngpointer to the random number generator used to make the cert

Example

1 Cert myCert;
2 wc_InitCert(&myCert);
3 WC_RNG rng;
4 //initialize rng;
5 RsaKey key;
6 //initialize key;
7 byte * derCert = malloc(FOURK_BUF);
8 word32 certSz;
9 certSz = wc_MakeCert(&myCert, derCert, FOURK_BUF, &key, NULL, &rng);
See also
wc_InitCert
wc_MakeCertReq
int wc_MakeCertReq ( Cert *  cert,
byte *  derBuffer,
word32  derSz,
RsaKey *  rsaKey,
ecc_key *  eccKey 
)

This function makes a certificate signing request using the input certificate and writes the output to derBuffer. It takes in either an rsaKey or an eccKey to generate the certificate request. wc_SignCert() will need to be called after this function to sign the certificate request. Please see the wolfCrypt test application (./wolfcrypt/test/test.c) for an example usage of this function.

Returns
Success On successfully making an X.509 certificate request from the specified input cert, returns the size of the certificate request generated.
MEMORY_E Returned if there is an error allocating memory with XMALLOC
BUFFER_E Returned if the provided derBuffer is too small to store the generated certificate
Other Additional error messages may be returned if the certificate request generation is not successful.
Parameters
certpointer to an initialized cert structure
derBufferpointer to the buffer in which to hold the generated certificate request
derSzsize of the buffer in which to store the certificate request
rsaKeypointer to an RsaKey structure containing the rsa key used to generate the certificate request
eccKeypointer to an EccKey structure containing the ecc key used to generate the certificate request

Example

1 Cert myCert;
2 // initialize myCert
3 EccKey key;
4 //initialize key;
5 byte* derCert = (byte*)malloc(FOURK_BUF);
6 
7 word32 certSz;
8 certSz = wc_MakeCertReq(&myCert, derCert, FOURK_BUF, NULL, &key);
See also
wc_InitCert
wc_MakeCert
int wc_MakeSelfCert ( Cert *  cert,
byte *  derBuffer,
word32  derSz,
RsaKey *  key,
WC_RNG *  rng 
)

This function is a combination of the previous two functions, wc_MakeCert and wc_SignCert for self signing (the previous functions may be used for CA requests). It makes a certificate, and then signs it, generating a self-signed certificate.

Returns
Success On successfully signing the certificate, returns the new size of the cert.
MEMORY_E Returned if there is an error allocating memory with XMALLOC
BUFFER_E Returned if the provided buffer is too small to store the generated certificate
Other Additional error messages may be returned if the cert generation is not successful.
Parameters
certpointer to the cert to make and sign
bufferpointer to the buffer in which to hold the signed certificate
buffSzsize of the buffer in which to store the signed certificate
keypointer to an RsaKey structure containing the rsa key to used to sign the certificate
rngpointer to the random number generator used to generate and sign the certificate

Example

1 Cert myCert;
2 byte* derCert = (byte*)malloc(FOURK_BUF);
3 // initialize myCert, derCert
4 RsaKey key;
5 // initialize key;
6 WC_RNG rng;
7 // initialize rng
8 
9 word32 certSz;
10 certSz = wc_MakeSelfCert(&myCert, derCert, FOURK_BUF, &key, NULL, &rng);
See also
wc_InitCert
wc_MakeCert
wc_SignCert
int wc_ParseCert ( DecodedCert *  cert,
int  type,
int  verify,
void *  cm 
)

This function parses the DER-encoded certificate saved in the DecodedCert object and populates the fields of that object. The DecodedCert must have been initialized with a prior call to wc_InitDecodedCert. This function takes an optional pointer to a CertificateManager object, which is used to populate the certificate authority information of the DecodedCert, if the CA is found in the CertificateManager.

Returns
0 on success.
Other negative values on failure.
Parameters
certPointer to an initialized DecodedCert object.
typeType of certificate. See the CertType enum in asn_public.h.
verifyFlag that, if set, indicates the user wants to verify the validity of the certificate.
cmAn optional pointer to a CertificateManager. Can be NULL.

Example

1 int ret;
2 DecodedCert decodedCert; // Decoded certificate object.
3 byte* certBuf; // DER-encoded certificate buffer.
4 word32 certBufSz; // Size of certBuf in bytes.
5 
6 wc_InitDecodedCert(&decodedCert, certBuf, certBufSz, NULL);
7 ret = wc_ParseCert(&decodedCert, CERT_TYPE, NO_VERIFY, NULL);
8 if (ret != 0) {
9  fprintf(stderr, "wc_ParseCert failed.\n");
10 }
See also
wc_InitDecodedCert
wc_FreeDecodedCert
int wc_PemCertToDer ( const char *  fileName,
unsigned char *  derBuf,
int  derSz 
)

This function converts a pem certificate to a der certificate, and places the resulting certificate in the derBuf buffer provided.

Returns
Success On success returns the size of the derBuf generated
BUFFER_E Returned if the size of derBuf is too small to hold the certificate generated
MEMORY_E Returned if the call to XMALLOC fails
Parameters
fileNamepath to the file containing a pem certificate to convert to a der certificate
derBufpointer to a char buffer in which to store the converted certificate
derSzsize of the char buffer in which to store the converted certificate

Example

1 char * file = “./certs/client-cert.pem”;
2 int derSz;
3 byte* der = (byte*)XMALLOC((8*1024), NULL, DYNAMIC_TYPE_CERT);
4 
5 derSz = wc_PemCertToDer(file, der, (8*1024));
6 if (derSz <= 0) {
7  //PemCertToDer error
8 }
See also
none
int wc_PemPubKeyToDer ( const char *  fileName,
unsigned char *  derBuf,
int  derSz 
)

Loads a PEM key from a file and converts to a DER encoded buffer.

Returns
0 Success
<0 Error
SSL_BAD_FILE There is a problem with opening the file.
MEMORY_E There is an error allocating memory for the file buffer.
BUFFER_E derBuf is not large enough to hold the converted key.
Parameters
fileNameName of the file to load.
derBufBuffer for DER encoded key.
derSzSize of DER buffer.

Example

1 char* some_file = "filename";
2 unsigned char der[];
3 
4 if(wc_PemPubKeyToDer(some_file, der, sizeof(der)) != 0)
5 {
6  //Handle Error
7 }
See also
wc_PubKeyPemToDer
int wc_PubKeyPemToDer ( const unsigned char *  pem,
int  pemSz,
unsigned char *  buff,
int  buffSz 
)

Convert a PEM encoded public key to DER. Returns the number of bytes written to the buffer or a negative value for an error.

Returns
>0 Success, number of bytes written.
BAD_FUNC_ARG Returns if pem, buff, or buffSz are null
<0 An error occurred in the function.
Parameters
pemPEM encoded key
pemSzSize of pem
buffPointer to buffer for output.
buffSzSize of buffer.

Example

1 byte some_pem[] = { Initialize with PEM key }
2 unsigned char out_buffer[1024]; // Ensure buffer is large enough to fit DER
3 
4 if(wc_PubKeyPemToDer(some_pem, sizeof(some_pem), out_buffer,
5 sizeof(out_buffer)) < 0)
6 {
7  // Handle error
8 }
See also
wc_PemPubKeyToDer
int wc_SetAltNames ( Cert *  cert,
const char *  file 
)

This function sets the alternate names for a certificate to the alternate names in the provided pem file. This is useful in the case that one wishes to secure multiple domains with the same certificate. This method is used to set fields prior to signing.

Returns
0 Returned on successfully setting the alt names for the certificate
MEMORY_E Returned if there is an error allocating memory with XMALLOC
ASN_PARSE_E Returned if there is an error parsing the cert header file
ASN_OBJECT_ID_E Returned if there is an error parsing the encryption type from the cert
ASN_EXPECT_0_E Returned if there is a formatting error in the encryption specification of the cert file
ASN_BEFORE_DATE_E Returned if the date is before the certificate start date
ASN_AFTER_DATE_E Returned if the date is after the certificate expiration date
ASN_BITSTR_E Returned if there is an error parsing a bit string from the certificate
ECC_CURVE_OID_E Returned if there is an error parsing the ECC key from the certificate
ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown key object id
ASN_VERSION_E Returned if the ALLOW_V1_EXTENSIONS option is not defined and the certificate is a V1 or V2 certificate
BAD_FUNC_ARG Returned if there is an error processing the certificate extension
ASN_CRIT_EXT_E Returned if an unfamiliar critical extension is encountered in processing the certificate
ASN_SIG_OID_E Returned if the signature encryption type is not the same as the encryption type of the certificate in the provided file
ASN_SIG_CONFIRM_E Returned if confirming the certification signature fails
ASN_NAME_INVALID_E Returned if the certificate’s name is not permitted by the CA name constraints
ASN_NO_SIGNER_E Returned if there is no CA signer to verify the certificate’s authenticity
Parameters
certpointer to the cert for which to set the alt names
filepath of the file containing the pem formatted certificate

Example

1 Cert myCert;
2 // initialize myCert
3 if(wc_SetSubject(&myCert, ”./path/to/ca-cert.pem”) != 0) {
4  // error setting alt names
5 }
See also
wc_InitCert
wc_SetIssuer
int wc_SetAltNamesBuffer ( Cert *  cert,
const byte *  der,
int  derSz 
)

This function sets the alternate names for a certificate from the alternate names in the provided der buffer. This is useful in the case that one wishes to secure multiple domains with the same certificate. This method is used to set fields prior to signing.

Returns
0 Returned on successfully setting the alternate names for the certificate
MEMORY_E Returned if there is an error allocating memory with XMALLOC
ASN_PARSE_E Returned if there is an error parsing the cert header file
ASN_OBJECT_ID_E Returned if there is an error parsing the encryption type from the cert
ASN_EXPECT_0_E Returned if there is a formatting error in the encryption specification of the cert file
ASN_BEFORE_DATE_E Returned if the date is before the certificate start date
ASN_AFTER_DATE_E Returned if the date is after the certificate expiration date
ASN_BITSTR_E Returned if there is an error parsing a bit string from the certificate
ECC_CURVE_OID_E Returned if there is an error parsing the ECC key from the certificate
ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown key object id
ASN_VERSION_E Returned if the ALLOW_V1_EXTENSIONS option is not defined and the certificate is a V1 or V2 certificate
BAD_FUNC_ARG Returned if there is an error processing the certificate extension
ASN_CRIT_EXT_E Returned if an unfamiliar critical extension is encountered in processing the certificate
ASN_SIG_OID_E Returned if the signature encryption type is not the same as the encryption type of the certificate in the provided file
ASN_SIG_CONFIRM_E Returned if confirming the certification signature fails
ASN_NAME_INVALID_E Returned if the certificate’s name is not permitted by the CA name constraints
ASN_NO_SIGNER_E Returned if there is no CA signer to verify the certificate’s authenticity
Parameters
certpointer to the cert for which to set the alternate names
derpointer to the buffer containing the der formatted certificate from which to grab the alternate names
derSzsize of the buffer containing the der formatted certificate from which to grab the alternate names

Example

1 Cert myCert;
2 // initialize myCert
3 byte* der;
4 der = (byte*)malloc(FOURK_BUF);
5 // initialize der
6 if(wc_SetAltNamesBuffer(&myCert, der, FOURK_BUF) != 0) {
7  // error setting subject
8 }
See also
wc_InitCert
wc_SetAltNames
int wc_SetAuthKeyId ( Cert *  cert,
const char *  file 
)

Set AKID from certificate file in PEM format.

Returns
0 Success
BAD_FUNC_ARG Error if cert or file is null.
MEMORY_E Error if problem allocating memory.
Parameters
certCert struct you want to set the AKID of.
fileBuffer containing PEM cert file.

Example

1 char* file_name = "/path/to/file";
2 cert some_cert;
3 wc_InitCert(&some_cert);
4 
5 if(wc_SetAuthKeyId(&some_cert, file_name) != 0)
6 {
7  // Handle Error
8 }
See also
wc_SetAuthKeyIdFromPublicKey
wc_SetAuthKeyIdFromCert
int wc_SetAuthKeyIdFromCert ( Cert *  cert,
const byte *  der,
int  derSz 
)

Set AKID from from DER encoded certificate.

Returns
0 Success
BAD_FUNC_ARG Error if any argument is null or derSz is less than 0.
MEMORY_E Error if problem allocating memory.
ASN_NO_SKID No subject key ID found.
Parameters
certThe Cert struct to write to.
derThe DER encoded certificate buffer.
derSzSize of der in bytes.

Example

1 Cert some_cert;
2 byte some_der[] = { // Initialize a DER buffer };
3 wc_InitCert(&some_cert);
4 if(wc_SetAuthKeyIdFromCert(&some_cert, some_der, sizeof(some_der) != 0)
5 {
6  // Handle error
7 }
See also
wc_SetAuthKeyIdFromPublicKey
wc_SetAuthKeyId
int wc_SetAuthKeyIdFromPublicKey ( Cert *  cert,
RsaKey *  rsakey,
ecc_key *  eckey 
)

Set AKID from either an RSA or ECC public key. note: Only set one of rsakey or eckey, not both.

Returns
0 Success
BAD_FUNC_ARG Either cert is null or both rsakey and eckey are null.
MEMORY_E Error allocating memory.
PUBLIC_KEY_E Error writing to the key.
Parameters
certPointer to the certificate to set the SKID.
rsakeyPointer to the RsaKey struct to read from.
eckeyPointer to the ecc_key to read from.

Example

1 Cert myCert;
2 RsaKey keypub;
3 
4 wc_InitRsaKey(&keypub, 0);
5 
6 if (wc_SetAuthKeyIdFromPublicKey(&myCert, &keypub, NULL) != 0)
7 {
8  // Handle error
9 }
See also
wc_SetSubjectKeyId
wc_SetAuthKeyId
wc_SetAuthKeyIdFromCert
void wc_SetCert_Free ( Cert *  cert)

This function cleans up memory and resources used by the certificate structure's decoded cert cache. When WOLFSSL_CERT_GEN_CACHE is defined the decoded cert structure is cached in the certificate structure. This allows subsequent calls to certificate set functions to avoid parsing the decoded cert on each call.

Returns
0 on success.
BAD_FUNC_ARG Returned if invalid pointer is passed in as argument.
Parameters
certpointer to an uninitialized certificate information structure.

Example

1 Cert cert; // Initialized certificate structure
2 
3 wc_SetCert_Free(&cert);
See also
wc_SetAuthKeyIdFromCert
wc_SetIssuerBuffer
wc_SetSubjectBuffer
wc_SetSubjectRaw
wc_SetIssuerRaw
wc_SetAltNamesBuffer
wc_SetDatesBuffer
int wc_SetCustomExtension ( Cert *  cert,
int  critical,
const char *  oid,
const byte *  der,
word32  derSz 
)

This function injects a custom extension in to an X.509 certificate. note: The content at the address pointed to by any of the parameters that are pointers must not be modified until the certificate is generated and you have the der output. This function does NOT copy the contents to another buffer.

Returns
0 Returned on success.
Other negative values on failure.
Parameters
certPointer to an initialized DecodedCert object.
criticalIf 0, the extension will not be marked critical, otherwise it will be marked critical.
oidDot separated oid as a string. For example "1.2.840.10045.3.1.7"
derThe der encoding of the content of the extension.
derSzThe size in bytes of the der encoding.

Example

1 int ret = 0;
2 Cert newCert;
3 wc_InitCert(&newCert);
4 
5 // Code to setup subject, public key, issuer, and other things goes here.
6 
7 ret = wc_SetCustomExtension(&newCert, 1, "1.2.3.4.5",
8  (const byte *)"This is a critical extension", 28);
9 if (ret < 0) {
10  // Failed to set the extension.
11 }
12 
13 ret = wc_SetCustomExtension(&newCert, 0, "1.2.3.4.6",
14  (const byte *)"This is NOT a critical extension", 32)
15 if (ret < 0) {
16  // Failed to set the extension.
17 }
18 
19 // Code to sign the certificate and then write it out goes here.
See also
wc_InitCert
wc_SetUnknownExtCallback
int wc_SetDatesBuffer ( Cert *  cert,
const byte *  der,
int  derSz 
)

This function sets the dates for a certificate from the date range in the provided der buffer. This method is used to set fields prior to signing.

Returns
0 Returned on successfully setting the dates for the certificate
MEMORY_E Returned if there is an error allocating memory with XMALLOC
ASN_PARSE_E Returned if there is an error parsing the cert header file
ASN_OBJECT_ID_E Returned if there is an error parsing the encryption type from the cert
ASN_EXPECT_0_E Returned if there is a formatting error in the encryption specification of the cert file
ASN_BEFORE_DATE_E Returned if the date is before the certificate start date
ASN_AFTER_DATE_E Returned if the date is after the certificate expiration date
ASN_BITSTR_E Returned if there is an error parsing a bit string from the certificate
ECC_CURVE_OID_E Returned if there is an error parsing the ECC key from the certificate
ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown key object id
ASN_VERSION_E Returned if the ALLOW_V1_EXTENSIONS option is not defined and the certificate is a V1 or V2 certificate
BAD_FUNC_ARG Returned if there is an error processing the certificate extension
ASN_CRIT_EXT_E Returned if an unfamiliar critical extension is encountered in processing the certificate
ASN_SIG_OID_E Returned if the signature encryption type is not the same as the encryption type of the certificate in the provided file
ASN_SIG_CONFIRM_E Returned if confirming the certification signature fails
ASN_NAME_INVALID_E Returned if the certificate’s name is not permitted by the CA name constraints
ASN_NO_SIGNER_E Returned if there is no CA signer to verify the certificate’s authenticity
Parameters
certpointer to the cert for which to set the dates
derpointer to the buffer containing the der formatted certificate from which to grab the date range
derSzsize of the buffer containing the der formatted certificate from which to grab the date range

Example

1 Cert myCert;
2 // initialize myCert
3 byte* der;
4 der = (byte*)malloc(FOURK_BUF);
5 // initialize der
6 if(wc_SetDatesBuffer(&myCert, der, FOURK_BUF) != 0) {
7  // error setting subject
8 }
See also
wc_InitCert
int wc_SetIssuer ( Cert *  cert,
const char *  issuerFile 
)

This function sets the issuer for a certificate to the issuer in the provided pem issuerFile. It also changes the certificate’s self-signed attribute to false. The issuer specified in issuerFile is verified prior to setting the cert issuer. This method is used to set fields prior to signing.

Returns
0 Returned on successfully setting the issuer for the certificate
MEMORY_E Returned if there is an error allocating memory with XMALLOC
ASN_PARSE_E Returned if there is an error parsing the cert header file
ASN_OBJECT_ID_E Returned if there is an error parsing the encryption type from the cert
ASN_EXPECT_0_E Returned if there is a formatting error in the encryption specification of the cert file
ASN_BEFORE_DATE_E Returned if the date is before the certificate start date
ASN_AFTER_DATE_E Returned if the date is after the certificate expiration date
ASN_BITSTR_E Returned if there is an error parsing a bit string from the certificate
ECC_CURVE_OID_E Returned if there is an error parsing the ECC key from the certificate
ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown key object id
ASN_VERSION_E Returned if the ALLOW_V1_EXTENSIONS option is not defined and the certificate is a V1 or V2 certificate
BAD_FUNC_ARG Returned if there is an error processing the certificate extension
ASN_CRIT_EXT_E Returned if an unfamiliar critical extension is encountered in processing the certificate
ASN_SIG_OID_E Returned if the signature encryption type is not the same as the encryption type of the certificate in the provided file
ASN_SIG_CONFIRM_E Returned if confirming the certification signature fails
ASN_NAME_INVALID_E Returned if the certificate’s name is not permitted by the CA name constraints
ASN_NO_SIGNER_E Returned if there is no CA signer to verify the certificate’s authenticity
Parameters
certpointer to the cert for which to set the issuer
issuerFilepath of the file containing the pem formatted certificate

Example

1 Cert myCert;
2 // initialize myCert
3 if(wc_SetIssuer(&myCert, ”./path/to/ca-cert.pem”) != 0) {
4  // error setting issuer
5 }
See also
wc_InitCert
wc_SetSubject
wc_SetIssuerBuffer
int wc_SetIssuerBuffer ( Cert *  cert,
const byte *  der,
int  derSz 
)

This function sets the issuer for a certificate from the issuer in the provided der buffer. It also changes the certificate’s self-signed attribute to false. This method is used to set fields prior to signing.

Returns
0 Returned on successfully setting the issuer for the certificate
MEMORY_E Returned if there is an error allocating memory with XMALLOC
ASN_PARSE_E Returned if there is an error parsing the cert header file
ASN_OBJECT_ID_E Returned if there is an error parsing the encryption type from the cert
ASN_EXPECT_0_E Returned if there is a formatting error in the encryption specification of the cert file
ASN_BEFORE_DATE_E Returned if the date is before the certificate start date
ASN_AFTER_DATE_E Returned if the date is after the certificate expiration date
ASN_BITSTR_E Returned if there is an error parsing a bit string from the certificate
ECC_CURVE_OID_E Returned if there is an error parsing the ECC key from the certificate
ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown key object id
ASN_VERSION_E Returned if the ALLOW_V1_EXTENSIONS option is not defined and the certificate is a V1 or V2 certificate
BAD_FUNC_ARG Returned if there is an error processing the certificate extension
ASN_CRIT_EXT_E Returned if an unfamiliar critical extension is encountered in processing the certificate
ASN_SIG_OID_E Returned if the signature encryption type is not the same as the encryption type of the certificate in the provided file
ASN_SIG_CONFIRM_E Returned if confirming the certification signature fails
ASN_NAME_INVALID_E Returned if the certificate’s name is not permitted by the CA name constraints
ASN_NO_SIGNER_E Returned if there is no CA signer to verify the certificate’s authenticity
Parameters
certpointer to the cert for which to set the issuer
derpointer to the buffer containing the der formatted certificate from which to grab the issuer
derSzsize of the buffer containing the der formatted certificate from which to grab the issuer

Example

1 Cert myCert;
2 // initialize myCert
3 byte* der;
4 der = (byte*)malloc(FOURK_BUF);
5 // initialize der
6 if(wc_SetIssuerBuffer(&myCert, der, FOURK_BUF) != 0) {
7  // error setting issuer
8 }
See also
wc_InitCert
wc_SetIssuer
int wc_SetIssuerRaw ( Cert *  cert,
const byte *  der,
int  derSz 
)

This function sets the raw issuer for a certificate from the issuer in the provided der buffer. This method is used to set the raw issuer field prior to signing.

Returns
0 Returned on successfully setting the issuer for the certificate
MEMORY_E Returned if there is an error allocating memory with XMALLOC
ASN_PARSE_E Returned if there is an error parsing the cert header file
ASN_OBJECT_ID_E Returned if there is an error parsing the encryption type from the cert
ASN_EXPECT_0_E Returned if there is a formatting error in the encryption specification of the cert file
ASN_BEFORE_DATE_E Returned if the date is before the certificate start date
ASN_AFTER_DATE_E Returned if the date is after the certificate expiration date
ASN_BITSTR_E Returned if there is an error parsing a bit string from the certificate
ECC_CURVE_OID_E Returned if there is an error parsing the ECC key from the certificate
ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown key object id
ASN_VERSION_E Returned if the ALLOW_V1_EXTENSIONS option is not defined and the certificate is a V1 or V2 certificate
BAD_FUNC_ARG Returned if there is an error processing the certificate extension
ASN_CRIT_EXT_E Returned if an unfamiliar critical extension is encountered in processing the certificate
ASN_SIG_OID_E Returned if the signature encryption type is not the same as the encryption type of the certificate in the provided file
ASN_SIG_CONFIRM_E Returned if confirming the certification signature fails
ASN_NAME_INVALID_E Returned if the certificate’s name is not permitted by the CA name constraints
ASN_NO_SIGNER_E Returned if there is no CA signer to verify the certificate’s authenticity
Parameters
certpointer to the cert for which to set the raw issuer
derpointer to the buffer containing the der formatted certificate from which to grab the subject
derSzsize of the buffer containing the der formatted certificate from which to grab the subject

Example

1 Cert myCert;
2 // initialize myCert
3 byte* der;
4 der = (byte*)malloc(FOURK_BUF);
5 // initialize der
6 if(wc_SetIssuerRaw(&myCert, der, FOURK_BUF) != 0) {
7  // error setting subject
8 }
See also
wc_InitCert
wc_SetIssuer
int wc_SetSubject ( Cert *  cert,
const char *  subjectFile 
)

This function sets the subject for a certificate to the subject in the provided pem subjectFile. This method is used to set fields prior to signing.

Returns
0 Returned on successfully setting the issuer for the certificate
MEMORY_E Returned if there is an error allocating memory with XMALLOC
ASN_PARSE_E Returned if there is an error parsing the cert header file
ASN_OBJECT_ID_E Returned if there is an error parsing the encryption type from the cert
ASN_EXPECT_0_E Returned if there is a formatting error in the encryption specification of the cert file
ASN_BEFORE_DATE_E Returned if the date is before the certificate start date
ASN_AFTER_DATE_E Returned if the date is after the certificate expiration date
ASN_BITSTR_E Returned if there is an error parsing a bit string from the certificate
ECC_CURVE_OID_E Returned if there is an error parsing the ECC key from the certificate
ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown key object id
ASN_VERSION_E Returned if the ALLOW_V1_EXTENSIONS option is not defined and the certificate is a V1 or V2 certificate
BAD_FUNC_ARG Returned if there is an error processing the certificate extension
ASN_CRIT_EXT_E Returned if an unfamiliar critical extension is encountered in processing the certificate
ASN_SIG_OID_E Returned if the signature encryption type is not the same as the encryption type of the certificate in the provided file
ASN_SIG_CONFIRM_E Returned if confirming the certification signature fails
ASN_NAME_INVALID_E Returned if the certificate’s name is not permitted by the CA name constraints
ASN_NO_SIGNER_E Returned if there is no CA signer to verify the certificate’s authenticity
Parameters
certpointer to the cert for which to set the issuer
subjectFilepath of the file containing the pem formatted certificate

Example

1 Cert myCert;
2 // initialize myCert
3 if(wc_SetSubject(&myCert, ”./path/to/ca-cert.pem”) != 0) {
4  // error setting subject
5 }
See also
wc_InitCert
wc_SetIssuer
int wc_SetSubjectBuffer ( Cert *  cert,
const byte *  der,
int  derSz 
)

This function sets the subject for a certificate from the subject in the provided der buffer. This method is used to set fields prior to signing.

Returns
0 Returned on successfully setting the subject for the certificate
MEMORY_E Returned if there is an error allocating memory with XMALLOC
ASN_PARSE_E Returned if there is an error parsing the cert header file
ASN_OBJECT_ID_E Returned if there is an error parsing the encryption type from the cert
ASN_EXPECT_0_E Returned if there is a formatting error in the encryption specification of the cert file
ASN_BEFORE_DATE_E Returned if the date is before the certificate start date
ASN_AFTER_DATE_E Returned if the date is after the certificate expiration date
ASN_BITSTR_E Returned if there is an error parsing a bit string from the certificate
ECC_CURVE_OID_E Returned if there is an error parsing the ECC key from the certificate
ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown key object id
ASN_VERSION_E Returned if the ALLOW_V1_EXTENSIONS option is not defined and the certificate is a V1 or V2 certificate
BAD_FUNC_ARG Returned if there is an error processing the certificate extension
ASN_CRIT_EXT_E Returned if an unfamiliar critical extension is encountered in processing the certificate
ASN_SIG_OID_E Returned if the signature encryption type is not the same as the encryption type of the certificate in the provided file
ASN_SIG_CONFIRM_E Returned if confirming the certification signature fails
ASN_NAME_INVALID_E Returned if the certificate’s name is not permitted by the CA name constraints
ASN_NO_SIGNER_E Returned if there is no CA signer to verify the certificate’s authenticity
Parameters
certpointer to the cert for which to set the subject
derpointer to the buffer containing the der formatted certificate from which to grab the subject
derSzsize of the buffer containing the der formatted certificate from which to grab the subject

Example

1 Cert myCert;
2 // initialize myCert
3 byte* der;
4 der = (byte*)malloc(FOURK_BUF);
5 // initialize der
6 if(wc_SetSubjectBuffer(&myCert, der, FOURK_BUF) != 0) {
7  // error setting subject
8 }
See also
wc_InitCert
wc_SetSubject
int wc_SetSubjectKeyId ( Cert *  cert,
const char *  file 
)

Set SKID from public key file in PEM format. Both arguments are required.

Returns
0 Success
BAD_FUNC_ARG Returns if cert or file is null.
MEMORY_E Returns if there is a problem allocating memory for key.
PUBLIC_KEY_E Returns if there is an error decoding the public key.
Parameters
certCert structure to set the SKID of.
fileContains the PEM encoded file.

Example

1 const char* file_name = "path/to/file";
2 Cert some_cert;
3 wc_InitCert(&some_cert);
4 
5 if(wc_SetSubjectKeyId(&some_cert, file_name) != 0)
6 {
7  // Handle Error
8 }
See also
wc_SetSubjectKeyIdFromPublicKey
int wc_SetSubjectKeyIdFromPublicKey ( Cert *  cert,
RsaKey *  rsakey,
ecc_key *  eckey 
)

Set SKID from RSA or ECC public key.

Returns
0 Success
BAD_FUNC_ARG Returned if cert or rsakey and eckey are null.
MEMORY_E Returned if there is an error allocating memory.
PUBLIC_KEY_E Returned if there is an error getting the public key.
Parameters
certPointer to a Cert structure to be used.
rsakeyPointer to an RsaKey structure
eckeyPointer to an ecc_key structure

Example

1 Cert some_cert;
2 RsaKey some_key;
3 wc_InitCert(&some_cert);
4 wc_InitRsaKey(&some_key);
5 
6 if(wc_SetSubjectKeyIdFromPublicKey(&some_cert,&some_key, NULL) != 0)
7 {
8  // Handle Error
9 }
See also
wc_SetSubjectKeyId
int wc_SetSubjectRaw ( Cert *  cert,
const byte *  der,
int  derSz 
)

This function sets the raw subject for a certificate from the subject in the provided der buffer. This method is used to set the raw subject field prior to signing.

Returns
0 Returned on successfully setting the subject for the certificate
MEMORY_E Returned if there is an error allocating memory with XMALLOC
ASN_PARSE_E Returned if there is an error parsing the cert header file
ASN_OBJECT_ID_E Returned if there is an error parsing the encryption type from the cert
ASN_EXPECT_0_E Returned if there is a formatting error in the encryption specification of the cert file
ASN_BEFORE_DATE_E Returned if the date is before the certificate start date
ASN_AFTER_DATE_E Returned if the date is after the certificate expiration date
ASN_BITSTR_E Returned if there is an error parsing a bit string from the certificate
ECC_CURVE_OID_E Returned if there is an error parsing the ECC key from the certificate
ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown key object id
ASN_VERSION_E Returned if the ALLOW_V1_EXTENSIONS option is not defined and the certificate is a V1 or V2 certificate
BAD_FUNC_ARG Returned if there is an error processing the certificate extension
ASN_CRIT_EXT_E Returned if an unfamiliar critical extension is encountered in processing the certificate
ASN_SIG_OID_E Returned if the signature encryption type is not the same as the encryption type of the certificate in the provided file
ASN_SIG_CONFIRM_E Returned if confirming the certification signature fails
ASN_NAME_INVALID_E Returned if the certificate’s name is not permitted by the CA name constraints
ASN_NO_SIGNER_E Returned if there is no CA signer to verify the certificate’s authenticity
Parameters
certpointer to the cert for which to set the raw subject
derpointer to the buffer containing the der formatted certificate from which to grab the subject
derSzsize of the buffer containing the der formatted certificate from which to grab the subject

Example

1 Cert myCert;
2 // initialize myCert
3 byte* der;
4 der = (byte*)malloc(FOURK_BUF);
5 // initialize der
6 if(wc_SetSubjectRaw(&myCert, der, FOURK_BUF) != 0) {
7  // error setting subject
8 }
See also
wc_InitCert
wc_SetSubject
int wc_SetTimeCb ( wc_time_cb  f)

This function registers a time callback that will be used anytime wolfSSL needs to get the current time. The prototype of the callback should be the same as the "time" function from the C standard library.

Returns
0 Returned on success.
Parameters
ffunction to register as the time callback.

Example

1 int ret = 0;
2 // Time callback prototype
3 time_t my_time_cb(time_t* t);
4 // Register it
5 ret = wc_SetTimeCb(my_time_cb);
6 if (ret != 0) {
7  // failed to set time callback
8 }
9 time_t my_time_cb(time_t* t)
10 {
11  // custom time function
12 }
See also
wc_Time
int wc_SetUnknownExtCallback ( DecodedCert *  cert,
wc_UnknownExtCallback  cb 
)

This function registers a callback that will be used anytime wolfSSL encounters an unknown X.509 extension in a certificate while parsing a certificate. The prototype of the callback should be:

Returns
0 Returned on success.
Other negative values on failure.
Parameters
certthe DecodedCert struct that is to be associated with this callback.
cbfunction to register as the time callback.

Example

1 int ret = 0;
2 // Unkown extension callback prototype
3 int myUnknownExtCallback(const word16* oid, word32 oidSz, int crit,
4  const unsigned char* der, word32 derSz);
5 
6 // Register it
7 ret = wc_SetUnknownExtCallback(cert, myUnknownExtCallback);
8 if (ret != 0) {
9  // failed to set the callback
10 }
11 
12 // oid: Array of integers that are the dot separated values in an oid.
13 // oidSz: Number of values in oid.
14 // crit: Whether the extension was mark critical.
15 // der: The der encoding of the content of the extension.
16 // derSz: The size in bytes of the der encoding.
17 int myCustomExtCallback(const word16* oid, word32 oidSz, int crit,
18  const unsigned char* der, word32 derSz) {
19 
20  // Logic to parse extension goes here.
21 
22  // NOTE: by returning zero, we are accepting this extension and
23  // informing wolfSSL that it is acceptable. If you find an extension
24  // that you do not find acceptable, you should return an error. The
25  // standard behavior upon encountering an unknown extension with the
26  // critical flag set is to return ASN_CRIT_EXT_E. For the sake of
27  // brevity, this example is always accepting every extension; you
28  // should use different logic.
29  return 0;
30 }
See also
ParseCert
wc_SetCustomExtension
int wc_SignCert ( int  requestSz,
int  sigType,
byte *  derBuffer,
word32  derSz,
RsaKey *  rsaKey,
ecc_key *  eccKey,
WC_RNG *  rng 
)

This function signs buffer and adds the signature to the end of buffer. It takes in a signature type. Must be called after wc_MakeCert() or wc_MakeCertReq() if creating a CA signed cert.

Returns
Success On successfully signing the certificate, returns the new size of the cert (including signature).
MEMORY_E Returned if there is an error allocating memory with XMALLOC
BUFFER_E Returned if the provided buffer is too small to store the generated certificate
Other Additional error messages may be returned if the cert generation is not successful.
Parameters
requestSzthe size of the certificate body we’re requesting to have signed
sTypeType of signature to create. Valid options are: CTC_MD5wRSA, CTC_SHAwRSA, CTC_SHAwECDSA, CTC_SHA256wECDSA, and CTC_SHA256wRSA
bufferpointer to the buffer containing the certificate to be signed. On success: will hold the newly signed certificate
buffSzthe (total) size of the buffer in which to store the newly signed certificate
rsaKeypointer to an RsaKey structure containing the rsa key to used to sign the certificate
eccKeypointer to an EccKey structure containing the ecc key to used to sign the certificate
rngpointer to the random number generator used to sign the certificate

Example

1 Cert myCert;
2 byte* derCert = (byte*)malloc(FOURK_BUF);
3 // initialize myCert, derCert
4 RsaKey key;
5 // initialize key;
6 WC_RNG rng;
7 // initialize rng
8 
9 word32 certSz;
10 certSz = wc_SignCert(myCert.bodySz, myCert.sigType,derCert,FOURK_BUF,
11 &key, NULL,
12 &rng);
See also
wc_InitCert
wc_MakeCert
time_t wc_Time ( time_t *  t)

This function gets the current time. By default, it uses the XTIME macro, which varies between platforms. The user can use a function of their choosing instead via the wc_SetTimeCb function.

Returns
Time Current time returned on success.
Parameters
tOptional time_t pointer to populate with current time.

Example

1 time_t currentTime = 0;
2 currentTime = wc_Time(NULL);
3 wc_Time(&currentTime);
See also
wc_SetTimeCb