NAME
X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d,
X509_get_ext_d2i, X509_add1_ext_i2d, X509_CRL_get_ext_d2i,
X509_CRL_add1_ext_i2d, X509_REVOKED_get_ext_d2i, X509_REVOKED_add1_ext_i2d,
X509_get0_extensions, X509_CRL_get0_extensions, X509_REVOKED_get0_extensions,
X509_get0_uids — X509 extension decode and encode functions
SYNOPSIS
#include <openssl/x509v3.h>

void *
X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
    int *idx);

int
X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, int crit,
    unsigned long flags);

void *
X509V3_EXT_d2i(X509_EXTENSION *ext);

X509_EXTENSION *
X509V3_EXT_i2d(int ext_nid, int crit, void *ext);

void *
X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx);

int
X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
    unsigned long flags);

void *
X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, int *crit, int *idx);

int
X509_CRL_add1_ext_i2d(X509_CRL *crl, int nid, void *value, int crit,
    unsigned long flags);

void *
X509_REVOKED_get_ext_d2i(const X509_REVOKED *r, int nid, int *crit,
    int *idx);

int
X509_REVOKED_add1_ext_i2d(X509_REVOKED *r, int nid, void *value, int crit,
    unsigned long flags);

const STACK_OF(X509_EXTENSION) *
X509_get0_extensions(const X509 *x);

const STACK_OF(X509_EXTENSION) *
X509_CRL_get0_extensions(const X509_CRL *crl);

const STACK_OF(X509_EXTENSION) *
X509_REVOKED_get0_extensions(const X509_REVOKED *r);

void
X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **issuerUID,
    const ASN1_BIT_STRING **subjectUID);
DESCRIPTION
X509V3_get_d2i() looks for an extension with OID nid in the extensions x and,
if found, decodes it. If idx is NULL, then only one occurrence of an extension
is permissible. Otherwise the first extension after index *idx is returned and
*idx is updated to the location of the extension. If crit is not NULL, then
*crit is set to a status value: -2 if the extension occurs multiple times (this
is only returned if idx is NULL), -1 if the extension could not be found, 0 if
the extension is found and is not critical, and 1 if it is critical. A pointer
to an extension specific structure or NULL is returned.

X509V3_add1_i2d() adds extension value to STACK *x (allocating a new STACK if
necessary) using OID nid and criticality crit according to flags.

X509V3_EXT_d2i() attempts to decode the ASN.1 data contained in extension ext
and returns a pointer to an extension specific structure or NULL if the
extension could not be decoded (invalid syntax or not supported).

X509V3_EXT_i2d() encodes the extension specific structure ext with OID ext_nid
and criticality crit.

X509_get_ext_d2i() and X509_add1_ext_i2d() operate on the extensions of
certificate x, and are otherwise identical to X509V3_get_d2i() and
X509V3_add1_i2d().

X509_CRL_get_ext_d2i() and X509_CRL_add1_ext_i2d() operate on the extensions
of CRL crl, and are otherwise identical to X509V3_get_d2i() and
X509V3_add1_i2d().

X509_REVOKED_get_ext_d2i() and X509_REVOKED_add1_ext_i2d() operate on the
extensions of the X509_REVOKED structure r (i.e. for CRL entry extensions),
and are otherwise identical to X509V3_get_d2i() and X509V3_add1_i2d().

X509_get0_extensions(), X509_CRL_get0_extensions(), and
X509_REVOKED_get0_extensions() return a stack of all the extensions of a
certificate, a CRL, or a CRL entry, respectively.

In almost all cases an extension can occur at most once, and multiple
occurrences are an error. Therefore the idx parameter is usually NULL.

The flags argument consists of two parts OR'ed together: the operation mode
and the optional silent flag. The operation mode is obtained by masking flags
with the bitmask X509V3_ADD_OP_MASK. The following operation modes are
recognized:

X509V3_ADD_DEFAULT
    Appends a new extension only if the extension does not already exist. An
    error is returned if the extension does already exist.

X509V3_ADD_APPEND
    Appends a new extension, ignoring whether the extension already exists.
    This is a misfeature and should not be used because certificates must not
    include the same extension more than once.

X509V3_ADD_REPLACE
    Replaces an extension if it exists, otherwise appends a new extension.

X509V3_ADD_REPLACE_EXISTING
    Replaces an existing extension if it exists, otherwise returns an error.

X509V3_ADD_KEEP_EXISTING
    Appends a new extension only if the extension does not already exist. An
    error is not returned if the extension does already exist.

X509V3_ADD_DELETE
    Deletes extension nid if it exists and errors otherwise. No new extension
    is added.

Any other operation mode results in an error.

If X509V3_ADD_SILENT is OR'd into the flags, any error returned will not be
added to the error queue.

The function X509V3_get_d2i() will return NULL if the extension is not found,
occurs multiple times or cannot be decoded. It is possible to determine the
precise reason by checking the value of *crit.
X509_get0_uids() returns the issuer and subject unique identifiers of the
certificate x in *issuerUID and *subjectUID. If a unique identifier field is
not present in x, NULL is returned. Either one of issuerUID and subjectUID can
be NULL.
SUPPORTED EXTENSIONS
The following sections contain a list of all supported extensions including
their name and NID.

PKIX Certificate Extensions
The following certificate extensions are defined in PKIX standards such as
RFC 5280.

Basic Constraints                         | NID_basic_constraints
Key Usage                                 | NID_key_usage
Extended Key Usage                        | NID_ext_key_usage
Subject Key Identifier                    | NID_subject_key_identifier
Authority Key Identifier                  | NID_authority_key_identifier
Private Key Usage Period                  | NID_private_key_usage_period
Subject Alternative Name                  | NID_subject_alt_name
Issuer Alternative Name                   | NID_issuer_alt_name
Authority Information Access              | NID_info_access
Subject Information Access                | NID_sinfo_access
Name Constraints                          | NID_name_constraints
Certificate Policies                      | NID_certificate_policies
Policy Mappings                           | NID_policy_mappings
Policy Constraints                        | NID_policy_constraints
Inhibit Any Policy                        | NID_inhibit_any_policy
IP Address Delegation                     | NID_sbgp_ipAddrBlock
Autonomous System Identifier Delegation   | NID_sbgp_autonomousSysNum

Netscape Certificate Extensions
The following are (largely obsolete) Netscape certificate extensions.

Netscape Cert Type                        | NID_netscape_cert_type
Netscape Base Url                         | NID_netscape_base_url
Netscape Revocation Url                   | NID_netscape_revocation_url
Netscape CA Revocation Url                | NID_netscape_ca_revocation_url
Netscape Renewal Url                      | NID_netscape_renewal_url
Netscape CA Policy Url                    | NID_netscape_ca_policy_url
Netscape SSL Server Name                  | NID_netscape_ssl_server_name
Netscape Comment                          | NID_netscape_comment

Miscellaneous Certificate Extensions

Strong Extranet ID                        | NID_sxnet
Proxy Certificate Information             | NID_proxyCertInfo

PKIX CRL Extensions
The following are CRL extensions from PKIX standards such as RFC 5280.

CRL Number                                | NID_crl_number
CRL Distribution Points                   | NID_crl_distribution_points
Delta CRL Indicator                       | NID_delta_crl
Freshest CRL                              | NID_freshest_crl
Invalidity Date                           | NID_invalidity_date
Issuing Distribution Point                | NID_issuing_distribution_point

The following are CRL entry extensions from PKIX standards such as RFC 5280.

CRL Reason Code                           | NID_crl_reason
Certificate Issuer                        | NID_certificate_issuer

OCSP Extensions

OCSP Nonce                                | NID_id_pkix_OCSP_Nonce
OCSP CRL ID                               | NID_id_pkix_OCSP_CrlID
Acceptable OCSP Responses                 | NID_id_pkix_OCSP_acceptableResponses
OCSP Check                                | NID_id_pkix_OCSP_noCheck
OCSP Archive Cutoff                       | NID_id_pkix_OCSP_archiveCutoff
OCSP Service Locator                      | NID_id_pkix_OCSP_serviceLocator
Hold Instruction Code                     | NID_hold_instruction_code
RETURN VALUES
X509V3_get_d2i(), X509V3_EXT_d2i(), X509_get_ext_d2i(),
X509_CRL_get_ext_d2i(), and X509_REVOKED_get_ext_d2i() return a pointer to an
extension specific structure or NULL if an error occurs.

X509V3_add1_i2d(), X509_add1_ext_i2d(), X509_CRL_add1_ext_i2d(), and
X509_REVOKED_add1_ext_i2d() return 1 if the operation is successful, 0 if it
fails due to a non-fatal error (extension not found, already exists, cannot be
encoded), or -1 due to a fatal error such as a memory allocation failure. In
some cases of failure, the reason can be determined with ERR_get_error(3).

The X509V3_EXT_i2d() function returns a pointer to an X509_EXTENSION structure
if successful; otherwise NULL is returned and an error code can be retrieved
with ERR_get_error(3).

X509_get0_extensions(), X509_CRL_get0_extensions(), and
X509_REVOKED_get0_extensions() return a stack of extensions, or NULL if no
extensions are present.
SEE ALSO
d2i_X509(3), d2i_X509_EXTENSION(3), X509_check_purpose(3), X509_CRL_get0_by_serial(3), X509_CRL_new(3), X509_EXTENSION_new(3), X509_get_pubkey(3), X509_get_subject_name(3), X509_get_version(3), X509_new(3), X509_REVOKED_new(3), X509V3_EXT_print(3), X509V3_extensions_print(3)
HISTORY
X509V3_EXT_d2i() first appeared in OpenSSL 0.9.2b. X509V3_EXT_i2d() first
appeared in OpenSSL 0.9.3. Both functions have been available since OpenBSD
2.6.

X509V3_get_d2i(), X509_get_ext_d2i(), X509_CRL_get_ext_d2i(), and
X509_REVOKED_get_ext_d2i() first appeared in OpenSSL 0.9.5 and have been
available since OpenBSD 2.7.

X509V3_add1_i2d(), X509_add1_ext_i2d(), X509_CRL_add1_ext_i2d(), and
X509_REVOKED_add1_ext_i2d() first appeared in OpenSSL 0.9.7 and have been
available since OpenBSD 3.2.

X509_get0_extensions(), X509_CRL_get0_extensions(), and
X509_REVOKED_get0_extensions() first appeared in OpenSSL 1.1.0 and have been
available since OpenBSD 6.3.

X509_get0_uids() first appeared in OpenSSL 1.1.0 and has been available since
OpenBSD 7.3.