OpenBSD manual page server

Manual Page Search Parameters

SXNET_NEW(3) Library Functions Manual SXNET_NEW(3)

SXNET_new, SXNET_free, SXNETID_new, SXNETID_free, d2i_SXNET, i2d_SXNET, d2i_SXNETID, i2d_SXNETIDThawte strong extranet X.509 extension

#include <openssl/x509v3.h>

SXNET *
SXNET_new(void);

void
SXNET_free(SXNET *sxnet);

SXNETID *
SXNETID_new(void);

void
SXNETID_free(SXNETID *sxnetid);

SXNET *
d2i_SXNET(SXNET **val_out, const unsigned char **der_in, long length);

int
i2d_SXNET(SXNET *val_in, unsigned char **der_out);

SXNETID *
d2i_SXNETID(SXNETID **val_out, const unsigned char **der_in, long length);

int
i2d_SXNETID(SXNETID *val_in, unsigned char **der_out);

() allocates and initializes an empty SXNET object representing a non-standard proprietary Thawte strong extranet X.509 extension. () frees sxnet.

() allocates and initializes an empty SXNETID object. It is used inside SXNET. () frees sxnetid.

The remaining functions decode and encode these objects using DER format. For details about the semantics, examples, caveats, and bugs, see ASN1_item_d2i(3).

SXNET_new() and d2i_SXNET() return an SXNET object or NULL if an error occurs.

SXNETID_new() and d2i_SXNETID() return an SXNETID object or NULL if an error occurs.

i2d_SXNET() and i2d_SXNETID() return the number of bytes successfully encoded or a negative value if an error occurs.

X509_EXTENSION_new(3), X509_new(3)

M. Shuttleworth, The Strong Extranet: real-world personal certification, Thawte Consulting, South Africa, 1998.

These functions first appeared in OpenSSL 0.9.3 and have been available since OpenBSD 2.6.

This manual page does not explain what the extension actually does because no authoritative information was found online so far.

The only hint was found in an ancient white paper "Securing IBM Applications with Public Key Infrastructure" on the IBM website, dated June 13, 2001: "Thawte also has a technology called Strong Extranet that allows institutions to encode customer information in the extensions to their customer's certificates. Because multiple institutions can add information, the user needs only one certificate, making renewal and revocation simpler, although the issue of modifying an extension to an existing certificate is not addressed."

It is unclear whether that explanation is accurate, but in any case, it is not very specific.

March 21, 2018 OpenBSD-7.3