CertManager API

Functions

WOLFSSL_CERT_MANAGER * wolfSSL_CertManagerNew_ex (void *heap)
 Allocates and initializes a new Certificate Manager context. This context may be used independently of SSL needs. It may be used to load certificates, verify certificates, and check revocation status.

WOLFSSL_CERT_MANAGER * wolfSSL_CertManagerNew (void)
 Allocates and initializes a new Certificate Manager context. This context may be used independently of SSL needs. It may be used to load certificates, verify certificates, and check revocation status.

void wolfSSL_CertManagerFree (WOLFSSL_CERT_MANAGER *)
 Frees all resources associated with the Certificate Manager context. Call this when you no longer need to use the Certificate Manager.

int wolfSSL_CertManagerLoadCA (WOLFSSL_CERT_MANAGER *cm, const char *f, const char *d)
 Specifies the locations from which CA certificates are loaded into the manager context. The PEM certificate file CAfile may contain several trusted CA certificates. If CApath is not NULL it specifies a directory containing CA certificates in PEM format.

int wolfSSL_CertManagerLoadCABuffer (WOLFSSL_CERT_MANAGER *cm, const unsigned char *in, long sz, int format)
 Loads the CA buffer by calling wolfSSL_CTX_load_verify_buffer on a temporary context and returning that result, so that the information in the cm passed into the function is not lost.

int wolfSSL_CertManagerUnloadCAs (WOLFSSL_CERT_MANAGER *cm)
 This function unloads the CA signer list.

int wolfSSL_CertManagerUnloadIntermediateCerts (WOLFSSL_CERT_MANAGER *cm)
 This function unloads intermediate certificates added to the CA signer list.

int wolfSSL_CertManagerUnload_trust_peers (WOLFSSL_CERT_MANAGER *cm)
 The function frees the Trusted Peer linked list and unlocks the trusted peer list.

int wolfSSL_CertManagerVerify (WOLFSSL_CERT_MANAGER *cm, const char *f, int format)
 Specifies the certificate file to verify with the Certificate Manager context. The format can be SSL_FILETYPE_PEM or SSL_FILETYPE_ASN1.

int wolfSSL_CertManagerVerifyBuffer (WOLFSSL_CERT_MANAGER *cm, const unsigned char *buff, long sz, int format)
 Specifies the certificate buffer to verify with the Certificate Manager context. The format can be SSL_FILETYPE_PEM or SSL_FILETYPE_ASN1.

void wolfSSL_CertManagerSetVerify (WOLFSSL_CERT_MANAGER *cm, VerifyCallback vc)
 The function sets the verifyCallback function in the Certificate Manager. If present, it will be called for each certificate loaded. If there is a verification error, the verify callback can be used to override the error.

int wolfSSL_CertManagerEnableCRL (WOLFSSL_CERT_MANAGER *cm, int options)
 Turns on Certificate Revocation List checking when verifying certificates with the Certificate Manager. By default, CRL checking is off. Options include WOLFSSL_CRL_CHECKALL, which performs CRL checking on each certificate in the chain instead of on the leaf certificate only (the default).

int wolfSSL_CertManagerDisableCRL (WOLFSSL_CERT_MANAGER *)
 Turns off Certificate Revocation List checking when verifying certificates with the Certificate Manager. By default, CRL checking is off. You can use this function to temporarily or permanently disable CRL checking with a Certificate Manager context that previously had CRL checking enabled.

int wolfSSL_CertManagerLoadCRL (WOLFSSL_CERT_MANAGER *cm, const char *path, int type, int monitor)
 Error checks and passes through to LoadCRL() in order to load the CRL for revocation checking. An updated CRL can be loaded by first calling wolfSSL_CertManagerFreeCRL, then loading the new CRL.

int wolfSSL_CertManagerLoadCRLBuffer (WOLFSSL_CERT_MANAGER *cm, const unsigned char *buff, long sz, int type)
 The function loads the CRL from a buffer by calling BufferLoadCRL.

int wolfSSL_CertManagerSetCRL_Cb (WOLFSSL_CERT_MANAGER *cm, CbMissingCRL cb)
 This function sets the missing-CRL callback in the Certificate Manager. If HAVE_CRL is defined and a matching CRL record is not found, then the cbMissingCRL callback (set via wolfSSL_CertManagerSetCRL_Cb) is called. This allows you to externally retrieve the CRL and load it.

int wolfSSL_CertManagerSetCRLUpdate_Cb (WOLFSSL_CERT_MANAGER *cm, CbUpdateCRL cb)
 This function sets the CRL Update callback. If HAVE_CRL and HAVE_CRL_UPDATE_CB are defined, and an entry with the same issuer and a lower CRL number exists when a CRL is added, then the CbUpdateCRL is called with the details of the existing entry and the new one replacing it.

int wolfSSL_CertManagerGetCRLInfo (WOLFSSL_CERT_MANAGER *cm, CrlInfo *info, const byte *buff, long sz, int type)
 This function yields a structure with parsed CRL information from an encoded CRL buffer.

int wolfSSL_CertManagerFreeCRL (WOLFSSL_CERT_MANAGER *cm)
 This function frees the CRL stored in the Cert Manager. An application can update the CRL by calling wolfSSL_CertManagerFreeCRL and then loading the new CRL.

int wolfSSL_CertManagerCheckOCSP (WOLFSSL_CERT_MANAGER *cm, unsigned char *der, int sz)
 The function enables the WOLFSSL_CERT_MANAGER's ocspEnabled member to signify that the OCSP check option is enabled.

int wolfSSL_CertManagerEnableOCSP (WOLFSSL_CERT_MANAGER *cm, int options)
 Turns on OCSP if it is turned off and if wolfSSL was compiled with the option available.

int wolfSSL_CertManagerDisableOCSP (WOLFSSL_CERT_MANAGER *)
 Disables OCSP certificate revocation checking.

int wolfSSL_CertManagerSetOCSPOverrideURL (WOLFSSL_CERT_MANAGER *cm, const char *url)
 The function copies url into the ocspOverrideURL member of the WOLFSSL_CERT_MANAGER structure.

int wolfSSL_CertManagerSetOCSP_Cb (WOLFSSL_CERT_MANAGER *cm, CbOCSPIO ioCb, CbOCSPRespFree respFreeCb, void *ioCbCtx)
 The function sets the OCSP callbacks in the WOLFSSL_CERT_MANAGER.

int wolfSSL_CertManagerEnableOCSPStapling (WOLFSSL_CERT_MANAGER *cm)
 This function turns on OCSP stapling if it is not already on and sets the options.
 

Function Documentation

◆ wolfSSL_CertManagerCheckOCSP()

int wolfSSL_CertManagerCheckOCSP (WOLFSSL_CERT_MANAGER *cm, unsigned char *der, int sz)

The function enables the WOLFSSL_CERT_MANAGER's ocspEnabled member to signify that the OCSP check option is enabled.

Returns
SSL_SUCCESS returned on successful execution of the function. The ocspEnabled member of the WOLFSSL_CERT_MANAGER is enabled.
BAD_FUNC_ARG returned if the WOLFSSL_CERT_MANAGER structure is NULL or if an argument value that is not allowed is passed to a subroutine.
MEMORY_E returned if there is an error allocating memory within this function or a subroutine.
Parameters
cm - a pointer to a WOLFSSL_CERT_MANAGER structure, created using wolfSSL_CertManagerNew().
der - a byte pointer to the DER-encoded certificate.
sz - an int representing the size of the DER certificate.

Example

#include <wolfssl/ssl.h>
WOLFSSL_CERT_MANAGER* cm = wolfSSL_CertManagerNew();
byte* der;   /* DER-encoded certificate */
int sz;      /* size of der in bytes */
...
if (wolfSSL_CertManagerCheckOCSP(cm, der, sz) != SSL_SUCCESS) {
    /* failure case */
}
See also
ParseCertRelative
CheckCertOCSP

◆ wolfSSL_CertManagerDisableCRL()

int wolfSSL_CertManagerDisableCRL (WOLFSSL_CERT_MANAGER *cm)

Turns off Certificate Revocation List checking when verifying certificates with the Certificate Manager. By default, CRL checking is off. You can use this function to temporarily or permanently disable CRL checking with a Certificate Manager context that previously had CRL checking enabled.

Returns
SSL_SUCCESS will be returned if the call is successful.
BAD_FUNC_ARG is the error that will be returned if a pointer is not provided.
Parameters
cm - a pointer to a WOLFSSL_CERT_MANAGER structure, created using wolfSSL_CertManagerNew().

Example

#include <wolfssl/ssl.h>
int ret = 0;
WOLFSSL_CERT_MANAGER* cm = wolfSSL_CertManagerNew();
...
ret = wolfSSL_CertManagerDisableCRL(cm);
if (ret != SSL_SUCCESS) {
    /* error disabling CRL checking in the cert manager */
}
...
See also
wolfSSL_CertManagerEnableCRL

◆ wolfSSL_CertManagerDisableOCSP()

int wolfSSL_CertManagerDisableOCSP (WOLFSSL_CERT_MANAGER *cm)

Disables OCSP certificate revocation checking.

Returns
SSL_SUCCESS returned if OCSP checking was successfully disabled in the WOLFSSL_CERT_MANAGER structure.
BAD_FUNC_ARG returned if the WOLFSSL_CERT_MANAGER structure was NULL.
Parameters
cm - a pointer to a WOLFSSL_CERT_MANAGER structure, created using wolfSSL_CertManagerNew().

Example

#include <wolfssl/ssl.h>
WOLFSSL_CERT_MANAGER* cm = wolfSSL_CertManagerNew();
...
if (wolfSSL_CertManagerDisableOCSP(cm) != SSL_SUCCESS) {
    /* failure case */
}
See also
wolfSSL_DisableCRL

◆ wolfSSL_CertManagerEnableCRL()

int wolfSSL_CertManagerEnableCRL (WOLFSSL_CERT_MANAGER *cm, int options)

Turns on Certificate Revocation List checking when verifying certificates with the Certificate Manager. By default, CRL checking is off. Options include WOLFSSL_CRL_CHECKALL, which performs CRL checking on each certificate in the chain instead of on the leaf certificate only (the default).

Returns
SSL_SUCCESS will be returned if the call is successful.
NOT_COMPILED_IN will be returned if wolfSSL was not built with CRL enabled.
MEMORY_E will be returned if an out of memory condition occurs.
BAD_FUNC_ARG is the error that will be returned if a pointer is not provided.
SSL_FAILURE will be returned if the CRL context cannot be initialized properly.
Parameters
cm - a pointer to a WOLFSSL_CERT_MANAGER structure, created using wolfSSL_CertManagerNew().
options - options to use when enabling CRL checking in the Certificate Manager, cm.

Example

#include <wolfssl/ssl.h>
int ret = 0;
WOLFSSL_CERT_MANAGER* cm = wolfSSL_CertManagerNew();
...
/* WOLFSSL_CRL_CHECKALL checks every certificate in the chain, not only the leaf */
ret = wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECKALL);
if (ret != SSL_SUCCESS) {
    /* error enabling CRL checking in the cert manager */
}
...
See also
wolfSSL_CertManagerDisableCRL

◆ wolfSSL_CertManagerEnableOCSP()

int wolfSSL_CertManagerEnableOCSP (WOLFSSL_CERT_MANAGER *cm, int options)

Turns on OCSP if it is turned off and if wolfSSL was compiled with the option available.

Returns
SSL_SUCCESS returned if the function call is successful.
BAD_FUNC_ARG returned if the cm struct is NULL.
MEMORY_E returned if the WOLFSSL_OCSP struct could not be allocated.
SSL_FAILURE returned if initialization of the WOLFSSL_OCSP struct fails.
NOT_COMPILED_IN returned if the build was not compiled with the correct feature enabled.
Parameters
cm - a pointer to a WOLFSSL_CERT_MANAGER structure, created using wolfSSL_CertManagerNew().
options - used to set values in the WOLFSSL_CERT_MANAGER struct.

Example

#include <wolfssl/ssl.h>
WOLFSSL_CERT_MANAGER* cm = wolfSSL_CertManagerNew();
int options = 0;   /* OCSP option flags; 0 selects the defaults */
if (wolfSSL_CertManagerEnableOCSP(cm, options) != SSL_SUCCESS) {
    /* failure case */
}
See also
wolfSSL_CertManagerNew

◆ wolfSSL_CertManagerEnableOCSPStapling()

int wolfSSL_CertManagerEnableOCSPStapling (WOLFSSL_CERT_MANAGER *cm)

This function turns on OCSP stapling if it is not already on and sets the options.

Returns
SSL_SUCCESS returned if there were no errors and the function executed successfully.
BAD_FUNC_ARG returned if the WOLFSSL_CERT_MANAGER structure is NULL or if an unpermitted argument value was passed to a subroutine.
MEMORY_E returned if there was an issue allocating memory.
SSL_FAILURE returned if the initialization of the OCSP structure failed.
NOT_COMPILED_IN returned if wolfSSL was not compiled with the HAVE_CERTIFICATE_STATUS_REQUEST option.
Parameters
cm - a pointer to a WOLFSSL_CERT_MANAGER structure, a member of the WOLFSSL_CTX structure.

Example

#include <wolfssl/ssl.h>
WOLFSSL_CERT_MANAGER* cm = wolfSSL_CertManagerNew();
...
/* wolfSSL_CTX_EnableOCSPStapling() makes this same call for a context */
if (wolfSSL_CertManagerEnableOCSPStapling(cm) != SSL_SUCCESS) {
    /* failure case */
}
See also
wolfSSL_CTX_EnableOCSPStapling

◆ wolfSSL_CertManagerFree()

void wolfSSL_CertManagerFree (WOLFSSL_CERT_MANAGER *cm)

Frees all resources associated with the Certificate Manager context. Call this when you no longer need to use the Certificate Manager.

Returns
none
Parameters
cm - a pointer to a WOLFSSL_CERT_MANAGER structure, created using wolfSSL_CertManagerNew().

Example

#include <wolfssl/ssl.h>
WOLFSSL_CERT_MANAGER* cm = wolfSSL_CertManagerNew();
...
wolfSSL_CertManagerFree(cm);
See also
wolfSSL_CertManagerNew

◆ wolfSSL_CertManagerGetCRLInfo()

int wolfSSL_CertManagerGetCRLInfo (WOLFSSL_CERT_MANAGER *cm, CrlInfo *info, const byte *buff, long sz, int type)

This function yields a structure with parsed CRL information from an encoded CRL buffer.

Returns
SSL_SUCCESS returned upon successful execution of the function and subroutines.
BAD_FUNC_ARG returned if the WOLFSSL_CERT_MANAGER structure is NULL.
Parameters
cm - the WOLFSSL_CERT_MANAGER structure.
info - pointer to a caller-managed CrlInfo structure that will receive the CRL information.
buff - input buffer containing the encoded CRL.
sz - the length in bytes of the input CRL data in buff.
type - WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_DER.

Example

#include <wolfssl/ssl.h>
CrlInfo info;
WOLFSSL_CERT_MANAGER* cm = wolfSSL_CertManagerNew();
const byte* crlData;   /* encoded CRL, read from file into this buffer */
long crlDataLen;       /* length of crlData in bytes */
...
if (wolfSSL_CertManagerGetCRLInfo(cm, &info, crlData, crlDataLen,
        WOLFSSL_FILETYPE_PEM) != SSL_SUCCESS) {
    /* failure case */
}
See also
CbUpdateCRL
wolfSSL_SetCRL_Cb

◆ wolfSSL_CertManagerFreeCRL()

int wolfSSL_CertManagerFreeCRL (WOLFSSL_CERT_MANAGER *cm)

This function frees the CRL stored in the Cert Manager. An application can update the CRL by calling wolfSSL_CertManagerFreeCRL and then loading the new CRL.

Returns
SSL_SUCCESS returned upon successful execution of the function and subroutines.
BAD_FUNC_ARG returned if the WOLFSSL_CERT_MANAGER structure is NULL.
Parameters
cm - a pointer to a WOLFSSL_CERT_MANAGER structure, created using wolfSSL_CertManagerNew().

Example

#include <wolfssl/ssl.h>
const char* crl1 = "./certs/crl/crl.pem";
WOLFSSL_CERT_MANAGER* cm = wolfSSL_CertManagerNew();
wolfSSL_CertManagerLoadCRL(cm, crl1, WOLFSSL_FILETYPE_PEM, 0);
/* drop the loaded CRL, e.g. before loading an updated one */
wolfSSL_CertManagerFreeCRL(cm);
See also
wolfSSL_CertManagerLoadCRL

◆ wolfSSL_CertManagerLoadCA()

int wolfSSL_CertManagerLoadCA (WOLFSSL_CERT_MANAGER *cm, const char *f, const char *d)

Specifies the locations from which CA certificates are loaded into the manager context. The PEM certificate file CAfile may contain several trusted CA certificates. If CApath is not NULL it specifies a directory containing CA certificates in PEM format.

Returns
SSL_SUCCESS will be returned if the call is successful.
SSL_BAD_FILETYPE will be returned if the file is the wrong format.
SSL_BAD_FILE will be returned if the file doesn't exist, can't be read, or is corrupted.
MEMORY_E will be returned if an out of memory condition occurs.
ASN_INPUT_E will be returned if Base16 decoding fails on the file.
BAD_FUNC_ARG is the error that will be returned if a pointer is not provided.
SSL_FATAL_ERROR will be returned upon failure.
Parameters
cm - a pointer to a WOLFSSL_CERT_MANAGER structure, created using wolfSSL_CertManagerNew().
f (CAfile) - pointer to the name of the file containing CA certificates to load.
d (CApath) - pointer to the name of a directory path containing CA certificates to load. The NULL pointer may be used if no certificate directory is desired.

Example

#include <wolfssl/ssl.h>
int ret = 0;
WOLFSSL_CERT_MANAGER* cm = wolfSSL_CertManagerNew();
...
ret = wolfSSL_CertManagerLoadCA(cm, "path/to/cert-file.pem", NULL);
if (ret != SSL_SUCCESS) {
    /* error loading CA certs into cert manager */
}
See also
wolfSSL_CertManagerVerify

◆ wolfSSL_CertManagerLoadCABuffer()

int wolfSSL_CertManagerLoadCABuffer (WOLFSSL_CERT_MANAGER *cm, const unsigned char *in, long sz, int format)

Loads the CA buffer by calling wolfSSL_CTX_load_verify_buffer on a temporary context and returning that result, so that the information in the cm passed into the function is not lost.

Returns
SSL_FATAL_ERROR is returned if the WOLFSSL_CERT_MANAGER struct is NULL or if wolfSSL_CTX_new() returns NULL.
SSL_SUCCESS is returned for a successful execution.
Parameters
cm - a pointer to a WOLFSSL_CERT_MANAGER structure, created using wolfSSL_CertManagerNew().
in - buffer holding the CA certificate(s).
sz - length of the buffer.
format - certificate format, either PEM or DER.

Example

#include <wolfssl/ssl.h>
WOLFSSL_CERT_MANAGER* cm = wolfSSL_CertManagerNew();
const unsigned char* in;   /* CA certificate(s) in memory */
long sz;                   /* length of in, in bytes */
int format;                /* SSL_FILETYPE_PEM or SSL_FILETYPE_ASN1 */
...
if (wolfSSL_CertManagerLoadCABuffer(cm, in, sz, format) != SSL_SUCCESS) {
    /* error returned: failure case */
}
See also
wolfSSL_CTX_load_verify_buffer
ProcessChainBuffer
ProcessBuffer
cm_pick_method

◆ wolfSSL_CertManagerLoadCRL()

int wolfSSL_CertManagerLoadCRL (WOLFSSL_CERT_MANAGER *cm, const char *path, int type, int monitor)

Error checks and passes through to LoadCRL() in order to load the CRL for revocation checking. An updated CRL can be loaded by first calling wolfSSL_CertManagerFreeCRL, then loading the new CRL.

Returns
SSL_SUCCESS if there is no error in wolfSSL_CertManagerLoadCRL and if LoadCRL returns successfully.
BAD_FUNC_ARG if the WOLFSSL_CERT_MANAGER struct is NULL.
SSL_FATAL_ERROR if wolfSSL_CertManagerEnableCRL returns anything other than SSL_SUCCESS.
BAD_PATH_ERROR if the path is NULL.
MEMORY_E if LoadCRL fails to allocate heap memory.
Parameters
cm - a pointer to a WOLFSSL_CERT_MANAGER structure, created using wolfSSL_CertManagerNew().
path - a constant char pointer holding the CRL path.
type - type of certificate to be loaded.
monitor - requests monitoring in LoadCRL().

Example

#include <wolfssl/ssl.h>
/* wolfSSL_LoadCRL() wraps this call for an SSL session; SSL_CM(ssl) is the
   certificate manager used by that session. */
int wolfSSL_LoadCRL(WOLFSSL* ssl, const char* path, int type, int monitor)
{
    return wolfSSL_CertManagerLoadCRL(SSL_CM(ssl), path, type, monitor);
}
See also
wolfSSL_CertManagerEnableCRL
wolfSSL_LoadCRL
wolfSSL_CertManagerFreeCRL

◆ wolfSSL_CertManagerLoadCRLBuffer()

int wolfSSL_CertManagerLoadCRLBuffer (WOLFSSL_CERT_MANAGER *cm, const unsigned char *buff, long sz, int type)

The function loads the CRL from a buffer by calling BufferLoadCRL.

Returns
SSL_SUCCESS returned if the function completed without errors.
BAD_FUNC_ARG returned if the WOLFSSL_CERT_MANAGER is NULL.
SSL_FATAL_ERROR returned if there is an error associated with the WOLFSSL_CERT_MANAGER.
Parameters
cm - a pointer to a WOLFSSL_CERT_MANAGER structure.
buff - a constant byte pointer to the buffer holding the CRL.
sz - a long int representing the size of the buffer.
type - an int that holds the certificate type.

Example

#include <wolfssl/ssl.h>
WOLFSSL_CERT_MANAGER* cm = wolfSSL_CertManagerNew();
const unsigned char* buff;   /* encoded CRL */
long sz;                     /* size of buffer */
int type;                    /* cert type, e.g. WOLFSSL_FILETYPE_PEM */
...
int ret = wolfSSL_CertManagerLoadCRLBuffer(cm, buff, sz, type);
if (ret != SSL_SUCCESS) {
    /* failure case */
}
See also
BufferLoadCRL
wolfSSL_CertManagerEnableCRL

◆ wolfSSL_CertManagerNew()

WOLFSSL_CERT_MANAGER* wolfSSL_CertManagerNew (void)

Allocates and initializes a new Certificate Manager context. This context may be used independently of SSL needs. It may be used to load certificates, verify certificates, and check revocation status.

Returns
WOLFSSL_CERT_MANAGER If successful the call will return a valid WOLFSSL_CERT_MANAGER pointer.
NULL will be returned for an error state.
Parameters
none - No parameters.

Example

#include <wolfssl/ssl.h>
WOLFSSL_CERT_MANAGER* cm = wolfSSL_CertManagerNew();
if (cm == NULL) {
    /* error creating new cert manager */
}
See also
wolfSSL_CertManagerFree

◆ wolfSSL_CertManagerNew_ex()

WOLFSSL_CERT_MANAGER* wolfSSL_CertManagerNew_ex (void *heap)

Allocates and initializes a new Certificate Manager context. This context may be used independently of SSL needs. It may be used to load certificates, verify certificates, and check revocation status.

Returns
WOLFSSL_CERT_MANAGER If successful the call will return a valid WOLFSSL_CERT_MANAGER pointer.
NULL will be returned for an error state.
Parameters
heap - a heap hint pointer passed through to memory allocation for the context; may be NULL.
See also
wolfSSL_CertManagerFree

◆ wolfSSL_CertManagerSetCRL_Cb()

int wolfSSL_CertManagerSetCRL_Cb (WOLFSSL_CERT_MANAGER *cm, CbMissingCRL cb)

This function sets the missing-CRL callback in the Certificate Manager. If HAVE_CRL is defined and a matching CRL record is not found, then the cbMissingCRL callback (set via wolfSSL_CertManagerSetCRL_Cb) is called. This allows you to externally retrieve the CRL and load it.

Returns
SSL_SUCCESS returned upon successful execution of the function and subroutines.
BAD_FUNC_ARG returned if the WOLFSSL_CERT_MANAGER structure is NULL.
Parameters
cm - the WOLFSSL_CERT_MANAGER structure holding the information for the certificate.
cb - a function pointer of type CbMissingCRL that is stored in the cbMissingCRL member of the WOLFSSL_CERT_MANAGER.

Example

#include <wolfssl/ssl.h>
/* CbMissingCRL: receives the URL from which the missing CRL can be retrieved */
void cb(const char* url)
{
    /* function body: fetch the CRL at url and load it into the manager */
}
int ret;
WOLFSSL_METHOD* method;   /* protocol method */
WOLFSSL_CTX* ctx = wolfSSL_CTX_new(method);
WOLFSSL* ssl = wolfSSL_new(ctx);
if (ssl) {
    /* SSL_CM(ssl) is the certificate manager used by the session */
    ret = wolfSSL_CertManagerSetCRL_Cb(SSL_CM(ssl), cb);
}
See also
CbMissingCRL
wolfSSL_SetCRL_Cb

◆ wolfSSL_CertManagerSetCRLUpdate_Cb()

int wolfSSL_CertManagerSetCRLUpdate_Cb (WOLFSSL_CERT_MANAGER *cm, CbUpdateCRL cb)

This function sets the CRL Update callback. If HAVE_CRL and HAVE_CRL_UPDATE_CB are defined, and an entry with the same issuer and a lower CRL number exists when a CRL is added, then the CbUpdateCRL is called with the details of the existing entry and the new one replacing it.

Returns
SSL_SUCCESS returned upon successful execution of the function and subroutines.
BAD_FUNC_ARG returned if the WOLFSSL_CERT_MANAGER structure is NULL.
Parameters
cm - the WOLFSSL_CERT_MANAGER structure holding the information for the certificate.
cb - a function pointer of type CbUpdateCRL that is stored in the cbUpdateCRL member of the WOLFSSL_CERT_MANAGER. Signature requirement: void (*CbUpdateCRL)(CrlInfo *old, CrlInfo *new);

Example

#include <wolfssl/ssl.h>
/* CbUpdateCRL: old describes the entry being replaced, new the CRL replacing it */
void cb(CrlInfo* old, CrlInfo* new)
{
    /* function body: e.g. log the CRL number change for the issuer */
}
int ret;
WOLFSSL_METHOD* method;   /* protocol method */
WOLFSSL_CTX* ctx = wolfSSL_CTX_new(method);
WOLFSSL* ssl = wolfSSL_new(ctx);
if (ssl) {
    /* SSL_CM(ssl) is the certificate manager used by the session */
    ret = wolfSSL_CertManagerSetCRLUpdate_Cb(SSL_CM(ssl), cb);
}
See also
CbUpdateCRL

◆ wolfSSL_CertManagerSetOCSP_Cb()

int wolfSSL_CertManagerSetOCSP_Cb (WOLFSSL_CERT_MANAGER *cm, CbOCSPIO ioCb, CbOCSPRespFree respFreeCb, void *ioCbCtx)

The function sets the OCSP callbacks in the WOLFSSL_CERT_MANAGER.

Returns
SSL_SUCCESS returned on successful execution. The arguments are saved in the WOLFSSL_CERT_MANAGER structure.
BAD_FUNC_ARG returned if the WOLFSSL_CERT_MANAGER is NULL.
Parameters
cm - a pointer to a WOLFSSL_CERT_MANAGER structure.
ioCb - a function pointer of type CbOCSPIO.
respFreeCb - a function pointer of type CbOCSPRespFree.
ioCbCtx - a void pointer to the user-registered context for the I/O callback.

Example

#include <wolfssl/ssl.h>
/* wolfSSL_SetOCSP_Cb() wraps this call for an SSL session; SSL_CM(ssl) is the
   certificate manager used by that session. */
int wolfSSL_SetOCSP_Cb(WOLFSSL* ssl, CbOCSPIO ioCb,
                       CbOCSPRespFree respFreeCb, void* ioCbCtx)
{
    return wolfSSL_CertManagerSetOCSP_Cb(SSL_CM(ssl), ioCb, respFreeCb, ioCbCtx);
}
See also
wolfSSL_CertManagerSetOCSPOverrideURL
wolfSSL_CertManagerCheckOCSP
wolfSSL_CertManagerEnableOCSPStapling
wolfSSL_EnableOCSP
wolfSSL_DisableOCSP
wolfSSL_SetOCSP_Cb

◆ wolfSSL_CertManagerSetOCSPOverrideURL()

int wolfSSL_CertManagerSetOCSPOverrideURL (WOLFSSL_CERT_MANAGER *cm, const char *url)

The function copies url into the ocspOverrideURL member of the WOLFSSL_CERT_MANAGER structure.

Returns
SSL_SUCCESS the function was able to execute as expected.
BAD_FUNC_ARG the WOLFSSL_CERT_MANAGER struct is NULL.
MEMORY_E memory could not be allocated for the ocspOverrideURL member of the certificate manager.
Parameters
cm - a pointer to a WOLFSSL_CERT_MANAGER structure, created using wolfSSL_CertManagerNew().
url - the OCSP responder URL to copy into ocspOverrideURL.

Example

#include <wolfssl/ssl.h>
WOLFSSL_CERT_MANAGER* cm = wolfSSL_CertManagerNew();
const char* url;   /* OCSP responder URL to use instead of the certificate's own */
...
/* wolfSSL_SetOCSP_OverrideURL() makes this same call for an SSL session */
if (wolfSSL_CertManagerSetOCSPOverrideURL(cm, url) != SSL_SUCCESS) {
    /* failure case */
}
See also
ocspOverrideURL
wolfSSL_SetOCSP_OverrideURL

◆ wolfSSL_CertManagerSetVerify()

void wolfSSL_CertManagerSetVerify (WOLFSSL_CERT_MANAGER *cm, VerifyCallback vc)

The function sets the verifyCallback function in the Certificate Manager. If present, it will be called for each certificate loaded. If there is a verification error, the verify callback can be used to override the error.

Returns
none No return.
Parameters
cm - a pointer to a WOLFSSL_CERT_MANAGER structure, created using wolfSSL_CertManagerNew().
vc - a VerifyCallback function pointer to the callback routine.

Example

#include <wolfssl/ssl.h>
int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
{
    /* do custom verification of certificate; returning 1 when preverify is 0
       overrides the verification error, so do so only deliberately */
    return preverify;
}
WOLFSSL_CERT_MANAGER* cm = wolfSSL_CertManagerNew();
...
wolfSSL_CertManagerSetVerify(cm, myVerify);
See also
wolfSSL_CertManagerVerify

◆ wolfSSL_CertManagerUnload_trust_peers()

int wolfSSL_CertManagerUnload_trust_peers (WOLFSSL_CERT_MANAGER *cm)

The function frees the Trusted Peer linked list and unlocks the trusted peer list.

Returns
SSL_SUCCESS if the function completed normally.
BAD_FUNC_ARG if the WOLFSSL_CERT_MANAGER is NULL.
BAD_MUTEX_E mutex error if tpLock, a member of the WOLFSSL_CERT_MANAGER struct, is 0 (nil).
Parameters
cm - a pointer to a WOLFSSL_CERT_MANAGER structure, created using wolfSSL_CertManagerNew().

Example

#include <wolfssl/ssl.h>
WOLFSSL_CERT_MANAGER* cm = wolfSSL_CertManagerNew();
...
if (wolfSSL_CertManagerUnload_trust_peers(cm) != SSL_SUCCESS) {
    /* the function did not execute successfully */
}
See also
UnLockMutex

◆ wolfSSL_CertManagerUnloadCAs()

int wolfSSL_CertManagerUnloadCAs (WOLFSSL_CERT_MANAGER *cm)

This function unloads the CA signer list.

Returns
SSL_SUCCESS returned on successful execution of the function.
BAD_FUNC_ARG returned if the WOLFSSL_CERT_MANAGER is NULL.
BAD_MUTEX_E returned if there was a mutex error.
Parameters
cm - a pointer to a WOLFSSL_CERT_MANAGER structure, created using wolfSSL_CertManagerNew().

Example

#include <wolfssl/ssl.h>
WOLFSSL_METHOD* method;   /* protocol method */
WOLFSSL_CTX* ctx = wolfSSL_CTX_new(method);
WOLFSSL_CERT_MANAGER* cm = wolfSSL_CTX_GetCertManager(ctx);
...
if (wolfSSL_CertManagerUnloadCAs(cm) != SSL_SUCCESS) {
    /* failure case */
}
See also
UnlockMutex

◆ wolfSSL_CertManagerUnloadIntermediateCerts()

int wolfSSL_CertManagerUnloadIntermediateCerts (WOLFSSL_CERT_MANAGER *cm)

This function unloads intermediate certificates added to the CA signer list.

Returns
SSL_SUCCESS returned on successful execution of the function.
BAD_FUNC_ARG returned if the WOLFSSL_CERT_MANAGER is NULL.
BAD_MUTEX_E returned if there was a mutex error.
Parameters
cm - a pointer to a WOLFSSL_CERT_MANAGER structure, created using wolfSSL_CertManagerNew().

Example

#include <wolfssl/ssl.h>
WOLFSSL_METHOD* method;   /* protocol method */
WOLFSSL_CTX* ctx = wolfSSL_CTX_new(method);
WOLFSSL_CERT_MANAGER* cm = wolfSSL_CTX_GetCertManager(ctx);
...
if (wolfSSL_CertManagerUnloadIntermediateCerts(cm) != SSL_SUCCESS) {
    /* failure case */
}
See also
UnlockMutex

◆ wolfSSL_CertManagerVerify()

int wolfSSL_CertManagerVerify (WOLFSSL_CERT_MANAGER *cm, const char *f, int format)

Specifies the certificate file to verify with the Certificate Manager context. The format can be SSL_FILETYPE_PEM or SSL_FILETYPE_ASN1.

Returns
SSL_SUCCESS If successful.
ASN_SIG_CONFIRM_E will be returned if the signature could not be verified.
ASN_SIG_OID_E will be returned if the signature type is not supported.
CRL_CERT_REVOKED is an error that is returned if this certificate has been revoked.
CRL_MISSING is an error that is returned if a current issuer CRL is not available.
ASN_BEFORE_DATE_E will be returned if the current date is before the notBefore date.
ASN_AFTER_DATE_E will be returned if the current date is after the notAfter date.
SSL_BAD_FILETYPE will be returned if the file is the wrong format.
SSL_BAD_FILE will be returned if the file doesn't exist, can't be read, or is corrupted.
MEMORY_E will be returned if an out of memory condition occurs.
ASN_INPUT_E will be returned if Base16 decoding fails on the file.
BAD_FUNC_ARG is the error that will be returned if a pointer is not provided.
Parameters
cm - a pointer to a WOLFSSL_CERT_MANAGER structure, created using wolfSSL_CertManagerNew().
f (fname) - pointer to the name of the file containing the certificates to verify.
format - format of the certificate to verify, either SSL_FILETYPE_ASN1 or SSL_FILETYPE_PEM.

Example

#include <wolfssl/ssl.h>
int ret = 0;
WOLFSSL_CERT_MANAGER* cm = wolfSSL_CertManagerNew();
...
ret = wolfSSL_CertManagerVerify(cm, "path/to/cert-file.pem",
                                SSL_FILETYPE_PEM);
if (ret != SSL_SUCCESS) {
    /* error verifying certificate */
}
See also
wolfSSL_CertManagerLoadCA
wolfSSL_CertManagerVerifyBuffer

◆ wolfSSL_CertManagerVerifyBuffer()

int wolfSSL_CertManagerVerifyBuffer (WOLFSSL_CERT_MANAGER *cm, const unsigned char *buff, long sz, int format)

Specifies the certificate buffer to verify with the Certificate Manager context. The format can be SSL_FILETYPE_PEM or SSL_FILETYPE_ASN1.

Returns
SSL_SUCCESS If successful.
ASN_SIG_CONFIRM_E will be returned if the signature could not be verified.
ASN_SIG_OID_E will be returned if the signature type is not supported.
CRL_CERT_REVOKED is an error that is returned if this certificate has been revoked.
CRL_MISSING is an error that is returned if a current issuer CRL is not available.
ASN_BEFORE_DATE_E will be returned if the current date is before the notBefore date.
ASN_AFTER_DATE_E will be returned if the current date is after the notAfter date.
SSL_BAD_FILETYPE will be returned if the buffer is the wrong format.
SSL_BAD_FILE will be returned if the buffer contents can't be read or are corrupted.
MEMORY_E will be returned if an out of memory condition occurs.
ASN_INPUT_E will be returned if Base16 decoding fails on the buffer.
BAD_FUNC_ARG is the error that will be returned if a pointer is not provided.
Parameters
cm - a pointer to a WOLFSSL_CERT_MANAGER structure, created using wolfSSL_CertManagerNew().
buff - buffer containing the certificates to verify.
sz - size of the buffer, buff.
format - format of the certificate to verify, located in buff, either SSL_FILETYPE_ASN1 or SSL_FILETYPE_PEM.

Example

#include <wolfssl/ssl.h>
int ret = 0;
long sz = 0;
WOLFSSL_CERT_MANAGER* cm = wolfSSL_CertManagerNew();
const byte* certBuff;   /* buffer holding the PEM certificate(s) */
...
ret = wolfSSL_CertManagerVerifyBuffer(cm, certBuff, sz, SSL_FILETYPE_PEM);
if (ret != SSL_SUCCESS) {
    /* error verifying certificate */
}
See also
wolfSSL_CertManagerLoadCA
wolfSSL_CertManagerVerify