X.509 information access
Using the information access extensions, certificates and certificate revocation lists can point to auxiliary information and services available online, for example online validation services or CA policy data.
allocates and initializes an empty ACCESS_DESCRIPTION
object, representing an ASN.1 AccessDescription
structure defined in RFC 5280 section 220.127.116.11. It can hold a pointer to a
GENERAL_NAME object documented in
GENERAL_NAME_new(3) and an access method identifier.
The access method identifier is somewhat misnamed; it identifies the type and format of the information provided. How to access that information is often obvious from the GENERAL_NAME which may for example include a uniform resource identifier.
Four standard access method identifiers are defined in RFC 5280:
- "id-ad-caIssuers" can occur in the authority information access extension of certificates and certificate revocation lists and provides access to certificates issued to the CA that issued the certificate, or provides access to certificates used for signing the CRL, in order to help constructing a certification path.
- "id-ad-ocsp" can occur in the authority information access extension of certificates and provides access to revocation information via the Online Certificate Status Protocol (OCSP) defined in RFC 6960.
- "id-ad-caRepository" can occur in the subject information access extension of CA certificates and provides access to an online repository of certificates issued by the CA.
- "id-ad-timeStamping" can occur in the subject information access extension of end entity certificates and indicates that the subject offers timestamping services using the Time Stamp Protocol defined in RFC 3161.
allocates and initializes an empty
AUTHORITY_INFO_ACCESS object, which is a
STACK_OF(ACCESS_DESCRIPTION) and represents an ASN.1
AuthorityInfoAccessSyntax structure defined in RFC
5280 section 18.104.22.168. It can be used for the authority information access
extension of certificates and certificate revocation lists and for the
subject information access extension of certificates.
AUTHORITY_INFO_ACCESS_new() return the new
AUTHORITY_INFO_ACCESS object, respectively, or
NULL if an error occurs.
d2i_ACCESS_DESCRIPTION(3), DIST_POINT_new(3), GENERAL_NAME_new(3), OCSP_REQUEST_new(3), TS_REQ_new(3), X509_CRL_new(3), X509_EXTENSION_new(3), X509_new(3)
These extensions are only defined in the following RFC and not specified in the underlying X.509 standard.
RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile:
- section 22.214.171.124: Certificate Extensions: Authority Information Access
- section 126.96.36.199: Certificate Extensions: Subject Information Access
- section 5.2.7: CRL Extensions: Authority Information Access
Regarding OCSP and TSP, see:
RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol
RFC 3161: Internet X.509 Public Key Infrastructure Time-Stamp Protocol
AUTHORITY_INFO_ACCESS_free() first appeared in
OpenSSL 0.9.5 and have been available since OpenBSD