2 * {- join("\n * ", @autowarntext) -}
4 * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
13 use
OpenSSL::stackhash
qw(generate_stack_macros
);
16 #ifndef OPENSSL_X509V3_H
17 # define OPENSSL_X509V3_H
20 # include <openssl/macros.h>
21 # ifndef OPENSSL_NO_DEPRECATED_3_0
22 # define HEADER_X509V3_H
25 # include <openssl/bio.h>
26 # include <openssl/x509.h>
27 # include <openssl/conf.h>
28 # include <openssl/x509v3err.h>
29 # ifndef OPENSSL_NO_STDIO
37 /* Forward reference */
43 typedef void *(*X509V3_EXT_NEW
)(void);
44 typedef void (*X509V3_EXT_FREE
) (void *);
45 typedef void *(*X509V3_EXT_D2I
)(void *, const unsigned char **, long);
46 typedef int (*X509V3_EXT_I2D
) (const void *, unsigned char **);
47 typedef STACK_OF(CONF_VALUE
) *
48 (*X509V3_EXT_I2V
) (const struct v3_ext_method
*method
, void *ext
,
49 STACK_OF(CONF_VALUE
) *extlist
);
50 typedef void *(*X509V3_EXT_V2I
)(const struct v3_ext_method
*method
,
51 struct v3_ext_ctx
*ctx
,
52 STACK_OF(CONF_VALUE
) *values
);
53 typedef char *(*X509V3_EXT_I2S
)(const struct v3_ext_method
*method
,
55 typedef void *(*X509V3_EXT_S2I
)(const struct v3_ext_method
*method
,
56 struct v3_ext_ctx
*ctx
, const char *str
);
57 typedef int (*X509V3_EXT_I2R
) (const struct v3_ext_method
*method
, void *ext
,
58 BIO
*out
, int indent
);
59 typedef void *(*X509V3_EXT_R2I
)(const struct v3_ext_method
*method
,
60 struct v3_ext_ctx
*ctx
, const char *str
);
62 /* V3 extension structure */
64 struct v3_ext_method
{
67 /* If this is set the following four fields are ignored */
69 /* Old style ASN1 calls */
70 X509V3_EXT_NEW ext_new
;
71 X509V3_EXT_FREE ext_free
;
74 /* The following pair is used for string extensions */
77 /* The following pair is used for multi-valued extensions */
80 /* The following are used for raw extensions */
83 void *usr_data
; /* Any extension specific data */
86 typedef struct X509V3_CONF_METHOD_st
{
87 char *(*get_string
) (void *db
, const char *section
, const char *value
);
88 STACK_OF(CONF_VALUE
) *(*get_section
) (void *db
, const char *section
);
89 void (*free_string
) (void *db
, char *string
);
90 void (*free_section
) (void *db
, STACK_OF(CONF_VALUE
) *section
);
93 /* Context specific info for producing X509 v3 extensions*/
95 # define X509V3_CTX_TEST 0x1
96 # ifndef OPENSSL_NO_DEPRECATED_3_0
97 # define CTX_TEST X509V3_CTX_TEST
99 # define X509V3_CTX_REPLACE 0x2
103 X509_REQ
*subject_req
;
105 X509V3_CONF_METHOD
*db_meth
;
107 EVP_PKEY
*issuer_pkey
;
108 /* Maybe more here */
111 typedef struct v3_ext_method X509V3_EXT_METHOD
;
114 generate_stack_macros("X509V3_EXT_METHOD");
117 /* ext_flags values */
118 # define X509V3_EXT_DYNAMIC 0x1
119 # define X509V3_EXT_CTX_DEP 0x2
120 # define X509V3_EXT_MULTILINE 0x4
122 typedef BIT_STRING_BITNAME ENUMERATED_NAMES
;
124 typedef struct BASIC_CONSTRAINTS_st
{
126 ASN1_INTEGER
*pathlen
;
129 typedef struct PKEY_USAGE_PERIOD_st
{
130 ASN1_GENERALIZEDTIME
*notBefore
;
131 ASN1_GENERALIZEDTIME
*notAfter
;
134 typedef struct otherName_st
{
135 ASN1_OBJECT
*type_id
;
139 typedef struct EDIPartyName_st
{
140 ASN1_STRING
*nameAssigner
;
141 ASN1_STRING
*partyName
;
144 typedef struct GENERAL_NAME_st
{
145 # define GEN_OTHERNAME 0
149 # define GEN_DIRNAME 4
150 # define GEN_EDIPARTY 5
157 OTHERNAME
*otherName
; /* otherName */
158 ASN1_IA5STRING
*rfc822Name
;
159 ASN1_IA5STRING
*dNSName
;
160 ASN1_STRING
*x400Address
;
161 X509_NAME
*directoryName
;
162 EDIPARTYNAME
*ediPartyName
;
163 ASN1_IA5STRING
*uniformResourceIdentifier
;
164 ASN1_OCTET_STRING
*iPAddress
;
165 ASN1_OBJECT
*registeredID
;
167 ASN1_OCTET_STRING
*ip
; /* iPAddress */
168 X509_NAME
*dirn
; /* dirn */
169 ASN1_IA5STRING
*ia5
; /* rfc822Name, dNSName,
170 * uniformResourceIdentifier */
171 ASN1_OBJECT
*rid
; /* registeredID */
172 ASN1_TYPE
*other
; /* x400Address */
176 typedef struct ACCESS_DESCRIPTION_st
{
178 GENERAL_NAME
*location
;
179 } ACCESS_DESCRIPTION
;
181 int GENERAL_NAME_set1_X509_NAME(GENERAL_NAME
**tgt
, const X509_NAME
*src
);
184 generate_stack_macros("ACCESS_DESCRIPTION")
185 .generate_stack_macros("GENERAL_NAME");
188 typedef STACK_OF(ACCESS_DESCRIPTION
) AUTHORITY_INFO_ACCESS
;
189 typedef STACK_OF(ASN1_OBJECT
) EXTENDED_KEY_USAGE
;
190 typedef STACK_OF(ASN1_INTEGER
) TLS_FEATURE
;
191 typedef STACK_OF(GENERAL_NAME
) GENERAL_NAMES
;
194 generate_stack_macros("GENERAL_NAMES");
197 typedef struct DIST_POINT_NAME_st
{
200 GENERAL_NAMES
*fullname
;
201 STACK_OF(X509_NAME_ENTRY
) *relativename
;
203 /* If relativename then this contains the full distribution point name */
206 DECLARE_ASN1_DUP_FUNCTION(DIST_POINT_NAME
)
207 /* All existing reasons */
208 # define CRLDP_ALL_REASONS 0x807f
210 # define CRL_REASON_NONE -1
211 # define CRL_REASON_UNSPECIFIED 0
212 # define CRL_REASON_KEY_COMPROMISE 1
213 # define CRL_REASON_CA_COMPROMISE 2
214 # define CRL_REASON_AFFILIATION_CHANGED 3
215 # define CRL_REASON_SUPERSEDED 4
216 # define CRL_REASON_CESSATION_OF_OPERATION 5
217 # define CRL_REASON_CERTIFICATE_HOLD 6
218 # define CRL_REASON_REMOVE_FROM_CRL 8
219 # define CRL_REASON_PRIVILEGE_WITHDRAWN 9
220 # define CRL_REASON_AA_COMPROMISE 10
222 struct DIST_POINT_st
{
223 DIST_POINT_NAME
*distpoint
;
224 ASN1_BIT_STRING
*reasons
;
225 GENERAL_NAMES
*CRLissuer
;
230 generate_stack_macros("DIST_POINT");
233 typedef STACK_OF(DIST_POINT
) CRL_DIST_POINTS
;
235 struct AUTHORITY_KEYID_st
{
236 ASN1_OCTET_STRING
*keyid
;
237 GENERAL_NAMES
*issuer
;
238 ASN1_INTEGER
*serial
;
241 /* Strong extranet structures */
243 typedef struct SXNET_ID_st
{
245 ASN1_OCTET_STRING
*user
;
249 generate_stack_macros("SXNETID");
253 typedef struct SXNET_st
{
254 ASN1_INTEGER
*version
;
255 STACK_OF(SXNETID
) *ids
;
258 typedef struct ISSUER_SIGN_TOOL_st
{
259 ASN1_UTF8STRING
*signTool
;
260 ASN1_UTF8STRING
*cATool
;
261 ASN1_UTF8STRING
*signToolCert
;
262 ASN1_UTF8STRING
*cAToolCert
;
265 typedef struct NOTICEREF_st
{
266 ASN1_STRING
*organization
;
267 STACK_OF(ASN1_INTEGER
) *noticenos
;
270 typedef struct USERNOTICE_st
{
271 NOTICEREF
*noticeref
;
272 ASN1_STRING
*exptext
;
275 typedef struct POLICYQUALINFO_st
{
276 ASN1_OBJECT
*pqualid
;
278 ASN1_IA5STRING
*cpsuri
;
279 USERNOTICE
*usernotice
;
285 generate_stack_macros("POLICYQUALINFO");
289 typedef struct POLICYINFO_st
{
290 ASN1_OBJECT
*policyid
;
291 STACK_OF(POLICYQUALINFO
) *qualifiers
;
295 generate_stack_macros("POLICYINFO");
298 typedef STACK_OF(POLICYINFO
) CERTIFICATEPOLICIES
;
300 typedef struct POLICY_MAPPING_st
{
301 ASN1_OBJECT
*issuerDomainPolicy
;
302 ASN1_OBJECT
*subjectDomainPolicy
;
306 generate_stack_macros("POLICY_MAPPING");
309 typedef STACK_OF(POLICY_MAPPING
) POLICY_MAPPINGS
;
311 typedef struct GENERAL_SUBTREE_st
{
313 ASN1_INTEGER
*minimum
;
314 ASN1_INTEGER
*maximum
;
318 generate_stack_macros("GENERAL_SUBTREE");
321 struct NAME_CONSTRAINTS_st
{
322 STACK_OF(GENERAL_SUBTREE
) *permittedSubtrees
;
323 STACK_OF(GENERAL_SUBTREE
) *excludedSubtrees
;
326 typedef struct POLICY_CONSTRAINTS_st
{
327 ASN1_INTEGER
*requireExplicitPolicy
;
328 ASN1_INTEGER
*inhibitPolicyMapping
;
329 } POLICY_CONSTRAINTS
;
331 /* Proxy certificate structures, see RFC 3820 */
332 typedef struct PROXY_POLICY_st
{
333 ASN1_OBJECT
*policyLanguage
;
334 ASN1_OCTET_STRING
*policy
;
337 typedef struct PROXY_CERT_INFO_EXTENSION_st
{
338 ASN1_INTEGER
*pcPathLengthConstraint
;
339 PROXY_POLICY
*proxyPolicy
;
340 } PROXY_CERT_INFO_EXTENSION
;
342 DECLARE_ASN1_FUNCTIONS(PROXY_POLICY
)
343 DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION
)
345 struct ISSUING_DIST_POINT_st
{
346 DIST_POINT_NAME
*distpoint
;
349 ASN1_BIT_STRING
*onlysomereasons
;
354 /* Values in idp_flags field */
356 # define IDP_PRESENT 0x1
357 /* IDP values inconsistent */
358 # define IDP_INVALID 0x2
360 # define IDP_ONLYUSER 0x4
362 # define IDP_ONLYCA 0x8
364 # define IDP_ONLYATTR 0x10
365 /* indirectCRL true */
366 # define IDP_INDIRECT 0x20
367 /* onlysomereasons present */
368 # define IDP_REASONS 0x40
370 # define X509V3_conf_err(val) ERR_add_error_data(6, \
371 "section:", (val)->section, \
372 ",name:", (val)->name, ",value:", (val)->value)
374 # define X509V3_set_ctx_test(ctx) \
375 X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, X509V3_CTX_TEST)
376 # define X509V3_set_ctx_nodb(ctx) (ctx)->db = NULL;
378 # define EXT_BITSTRING(nid, table) { nid, 0, ASN1_ITEM_ref(ASN1_BIT_STRING), \
381 (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING, \
382 (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING, \
386 # define EXT_IA5STRING(nid) { nid, 0, ASN1_ITEM_ref(ASN1_IA5STRING), \
388 (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \
389 (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, \
393 #define EXT_UTF8STRING(nid) { nid, 0, ASN1_ITEM_ref(ASN1_UTF8STRING), \
395 (X509V3_EXT_I2S)i2s_ASN1_UTF8STRING, \
396 (X509V3_EXT_S2I)s2i_ASN1_UTF8STRING, \
400 # define EXT_END { -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
402 /* X509_PURPOSE stuff */
404 # define EXFLAG_BCONS 0x1
405 # define EXFLAG_KUSAGE 0x2
406 # define EXFLAG_XKUSAGE 0x4
407 # define EXFLAG_NSCERT 0x8
409 # define EXFLAG_CA 0x10
410 # define EXFLAG_SI 0x20 /* self-issued, maybe not self-signed */
411 # define EXFLAG_V1 0x40
412 # define EXFLAG_INVALID 0x80
413 /* EXFLAG_SET is set to indicate that some values have been precomputed */
414 # define EXFLAG_SET 0x100
415 # define EXFLAG_CRITICAL 0x200
416 # define EXFLAG_PROXY 0x400
418 # define EXFLAG_INVALID_POLICY 0x800
419 # define EXFLAG_FRESHEST 0x1000
420 # define EXFLAG_SS 0x2000 /* cert is apparently self-signed */
422 # define EXFLAG_BCONS_CRITICAL 0x10000
423 # define EXFLAG_AKID_CRITICAL 0x20000
424 # define EXFLAG_SKID_CRITICAL 0x40000
425 # define EXFLAG_SAN_CRITICAL 0x80000
426 # define EXFLAG_NO_FINGERPRINT 0x100000
428 /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3 */
429 # define KU_DIGITAL_SIGNATURE X509v3_KU_DIGITAL_SIGNATURE
430 # define KU_NON_REPUDIATION X509v3_KU_NON_REPUDIATION
431 # define KU_KEY_ENCIPHERMENT X509v3_KU_KEY_ENCIPHERMENT
432 # define KU_DATA_ENCIPHERMENT X509v3_KU_DATA_ENCIPHERMENT
433 # define KU_KEY_AGREEMENT X509v3_KU_KEY_AGREEMENT
434 # define KU_KEY_CERT_SIGN X509v3_KU_KEY_CERT_SIGN
435 # define KU_CRL_SIGN X509v3_KU_CRL_SIGN
436 # define KU_ENCIPHER_ONLY X509v3_KU_ENCIPHER_ONLY
437 # define KU_DECIPHER_ONLY X509v3_KU_DECIPHER_ONLY
439 # define NS_SSL_CLIENT 0x80
440 # define NS_SSL_SERVER 0x40
441 # define NS_SMIME 0x20
442 # define NS_OBJSIGN 0x10
443 # define NS_SSL_CA 0x04
444 # define NS_SMIME_CA 0x02
445 # define NS_OBJSIGN_CA 0x01
446 # define NS_ANY_CA (NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
448 # define XKU_SSL_SERVER 0x1
449 # define XKU_SSL_CLIENT 0x2
450 # define XKU_SMIME 0x4
451 # define XKU_CODE_SIGN 0x8
452 # define XKU_SGC 0x10 /* Netscape or MS Server-Gated Crypto */
453 # define XKU_OCSP_SIGN 0x20
454 # define XKU_TIMESTAMP 0x40
455 # define XKU_DVCS 0x80
456 # define XKU_ANYEKU 0x100
458 # define X509_PURPOSE_DYNAMIC 0x1
459 # define X509_PURPOSE_DYNAMIC_NAME 0x2
461 typedef struct x509_purpose_st
{
463 int trust
; /* Default trust ID */
465 int (*check_purpose
) (const struct x509_purpose_st
*, const X509
*, int);
472 generate_stack_macros("X509_PURPOSE");
476 # define X509_PURPOSE_SSL_CLIENT 1
477 # define X509_PURPOSE_SSL_SERVER 2
478 # define X509_PURPOSE_NS_SSL_SERVER 3
479 # define X509_PURPOSE_SMIME_SIGN 4
480 # define X509_PURPOSE_SMIME_ENCRYPT 5
481 # define X509_PURPOSE_CRL_SIGN 6
482 # define X509_PURPOSE_ANY 7
483 # define X509_PURPOSE_OCSP_HELPER 8
484 # define X509_PURPOSE_TIMESTAMP_SIGN 9
485 # define X509_PURPOSE_CODE_SIGN 10
487 # define X509_PURPOSE_MIN 1
488 # define X509_PURPOSE_MAX 10
490 /* Flags for X509V3_EXT_print() */
492 # define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
493 /* Return error for unknown extensions */
494 # define X509V3_EXT_DEFAULT 0
495 /* Print error for unknown extensions */
496 # define X509V3_EXT_ERROR_UNKNOWN (1L << 16)
497 /* ASN1 parse unknown extensions */
498 # define X509V3_EXT_PARSE_UNKNOWN (2L << 16)
499 /* BIO_dump unknown extensions */
500 # define X509V3_EXT_DUMP_UNKNOWN (3L << 16)
502 /* Flags for X509V3_add1_i2d */
504 # define X509V3_ADD_OP_MASK 0xfL
505 # define X509V3_ADD_DEFAULT 0L
506 # define X509V3_ADD_APPEND 1L
507 # define X509V3_ADD_REPLACE 2L
508 # define X509V3_ADD_REPLACE_EXISTING 3L
509 # define X509V3_ADD_KEEP_EXISTING 4L
510 # define X509V3_ADD_DELETE 5L
511 # define X509V3_ADD_SILENT 0x10
513 DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS
)
515 DECLARE_ASN1_FUNCTIONS(SXNET
)
516 DECLARE_ASN1_FUNCTIONS(SXNETID
)
518 DECLARE_ASN1_FUNCTIONS(ISSUER_SIGN_TOOL
)
520 int SXNET_add_id_asc(SXNET
**psx
, const char *zone
, const char *user
, int userlen
);
521 int SXNET_add_id_ulong(SXNET
**psx
, unsigned long lzone
, const char *user
,
523 int SXNET_add_id_INTEGER(SXNET
**psx
, ASN1_INTEGER
*izone
, const char *user
,
526 ASN1_OCTET_STRING
*SXNET_get_id_asc(SXNET
*sx
, const char *zone
);
527 ASN1_OCTET_STRING
*SXNET_get_id_ulong(SXNET
*sx
, unsigned long lzone
);
528 ASN1_OCTET_STRING
*SXNET_get_id_INTEGER(SXNET
*sx
, ASN1_INTEGER
*zone
);
530 DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID
)
532 DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD
)
534 DECLARE_ASN1_FUNCTIONS(GENERAL_NAME
)
535 DECLARE_ASN1_DUP_FUNCTION(GENERAL_NAME
)
536 int GENERAL_NAME_cmp(GENERAL_NAME
*a
, GENERAL_NAME
*b
);
538 ASN1_BIT_STRING
*v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD
*method
,
540 STACK_OF(CONF_VALUE
) *nval
);
541 STACK_OF(CONF_VALUE
) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD
*method
,
542 ASN1_BIT_STRING
*bits
,
543 STACK_OF(CONF_VALUE
) *extlist
);
544 char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD
*method
, ASN1_IA5STRING
*ia5
);
545 ASN1_IA5STRING
*s2i_ASN1_IA5STRING(X509V3_EXT_METHOD
*method
,
546 X509V3_CTX
*ctx
, const char *str
);
547 char *i2s_ASN1_UTF8STRING(X509V3_EXT_METHOD
*method
, ASN1_UTF8STRING
*utf8
);
548 ASN1_UTF8STRING
*s2i_ASN1_UTF8STRING(X509V3_EXT_METHOD
*method
,
549 X509V3_CTX
*ctx
, const char *str
);
551 STACK_OF(CONF_VALUE
) *i2v_GENERAL_NAME(X509V3_EXT_METHOD
*method
,
553 STACK_OF(CONF_VALUE
) *ret
);
554 int GENERAL_NAME_print(BIO
*out
, GENERAL_NAME
*gen
);
556 DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES
)
558 STACK_OF(CONF_VALUE
) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD
*method
,
560 STACK_OF(CONF_VALUE
) *extlist
);
561 GENERAL_NAMES
*v2i_GENERAL_NAMES(const X509V3_EXT_METHOD
*method
,
562 X509V3_CTX
*ctx
, STACK_OF(CONF_VALUE
) *nval
);
564 DECLARE_ASN1_FUNCTIONS(OTHERNAME
)
565 DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME
)
566 int OTHERNAME_cmp(OTHERNAME
*a
, OTHERNAME
*b
);
567 void GENERAL_NAME_set0_value(GENERAL_NAME
*a
, int type
, void *value
);
568 void *GENERAL_NAME_get0_value(const GENERAL_NAME
*a
, int *ptype
);
569 int GENERAL_NAME_set0_othername(GENERAL_NAME
*gen
,
570 ASN1_OBJECT
*oid
, ASN1_TYPE
*value
);
571 int GENERAL_NAME_get0_otherName(const GENERAL_NAME
*gen
,
572 ASN1_OBJECT
**poid
, ASN1_TYPE
**pvalue
);
574 char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD
*method
,
575 const ASN1_OCTET_STRING
*ia5
);
576 ASN1_OCTET_STRING
*s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD
*method
,
577 X509V3_CTX
*ctx
, const char *str
);
579 DECLARE_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE
)
580 int i2a_ACCESS_DESCRIPTION(BIO
*bp
, const ACCESS_DESCRIPTION
*a
);
582 DECLARE_ASN1_ALLOC_FUNCTIONS(TLS_FEATURE
)
584 DECLARE_ASN1_FUNCTIONS(CERTIFICATEPOLICIES
)
585 DECLARE_ASN1_FUNCTIONS(POLICYINFO
)
586 DECLARE_ASN1_FUNCTIONS(POLICYQUALINFO
)
587 DECLARE_ASN1_FUNCTIONS(USERNOTICE
)
588 DECLARE_ASN1_FUNCTIONS(NOTICEREF
)
590 DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS
)
591 DECLARE_ASN1_FUNCTIONS(DIST_POINT
)
592 DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME
)
593 DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT
)
595 int DIST_POINT_set_dpname(DIST_POINT_NAME
*dpn
, const X509_NAME
*iname
);
597 int NAME_CONSTRAINTS_check(X509
*x
, NAME_CONSTRAINTS
*nc
);
598 int NAME_CONSTRAINTS_check_CN(X509
*x
, NAME_CONSTRAINTS
*nc
);
600 DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION
)
601 DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS
)
603 DECLARE_ASN1_ITEM(POLICY_MAPPING
)
604 DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING
)
605 DECLARE_ASN1_ITEM(POLICY_MAPPINGS
)
607 DECLARE_ASN1_ITEM(GENERAL_SUBTREE
)
608 DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE
)
610 DECLARE_ASN1_ITEM(NAME_CONSTRAINTS
)
611 DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS
)
613 DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS
)
614 DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS
)
616 GENERAL_NAME
*a2i_GENERAL_NAME(GENERAL_NAME
*out
,
617 const X509V3_EXT_METHOD
*method
,
618 X509V3_CTX
*ctx
, int gen_type
,
619 const char *value
, int is_nc
);
621 # ifdef OPENSSL_CONF_H
622 GENERAL_NAME
*v2i_GENERAL_NAME(const X509V3_EXT_METHOD
*method
,
623 X509V3_CTX
*ctx
, CONF_VALUE
*cnf
);
624 GENERAL_NAME
*v2i_GENERAL_NAME_ex(GENERAL_NAME
*out
,
625 const X509V3_EXT_METHOD
*method
,
626 X509V3_CTX
*ctx
, CONF_VALUE
*cnf
,
629 void X509V3_conf_free(CONF_VALUE
*val
);
631 X509_EXTENSION
*X509V3_EXT_nconf_nid(CONF
*conf
, X509V3_CTX
*ctx
, int ext_nid
,
633 X509_EXTENSION
*X509V3_EXT_nconf(CONF
*conf
, X509V3_CTX
*ctx
, const char *name
,
635 int X509V3_EXT_add_nconf_sk(CONF
*conf
, X509V3_CTX
*ctx
, const char *section
,
636 STACK_OF(X509_EXTENSION
) **sk
);
637 int X509V3_EXT_add_nconf(CONF
*conf
, X509V3_CTX
*ctx
, const char *section
,
639 int X509V3_EXT_REQ_add_nconf(CONF
*conf
, X509V3_CTX
*ctx
, const char *section
,
641 int X509V3_EXT_CRL_add_nconf(CONF
*conf
, X509V3_CTX
*ctx
, const char *section
,
644 X509_EXTENSION
*X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE
) *conf
,
645 X509V3_CTX
*ctx
, int ext_nid
,
647 X509_EXTENSION
*X509V3_EXT_conf(LHASH_OF(CONF_VALUE
) *conf
, X509V3_CTX
*ctx
,
648 const char *name
, const char *value
);
649 int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE
) *conf
, X509V3_CTX
*ctx
,
650 const char *section
, X509
*cert
);
651 int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE
) *conf
, X509V3_CTX
*ctx
,
652 const char *section
, X509_REQ
*req
);
653 int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE
) *conf
, X509V3_CTX
*ctx
,
654 const char *section
, X509_CRL
*crl
);
656 int X509V3_add_value_bool_nf(const char *name
, int asn1_bool
,
657 STACK_OF(CONF_VALUE
) **extlist
);
658 int X509V3_get_value_bool(const CONF_VALUE
*value
, int *asn1_bool
);
659 int X509V3_get_value_int(const CONF_VALUE
*value
, ASN1_INTEGER
**aint
);
660 void X509V3_set_nconf(X509V3_CTX
*ctx
, CONF
*conf
);
661 void X509V3_set_conf_lhash(X509V3_CTX
*ctx
, LHASH_OF(CONF_VALUE
) *lhash
);
664 char *X509V3_get_string(X509V3_CTX
*ctx
, const char *name
, const char *section
);
665 STACK_OF(CONF_VALUE
) *X509V3_get_section(X509V3_CTX
*ctx
, const char *section
);
666 void X509V3_string_free(X509V3_CTX
*ctx
, char *str
);
667 void X509V3_section_free(X509V3_CTX
*ctx
, STACK_OF(CONF_VALUE
) *section
);
668 void X509V3_set_ctx(X509V3_CTX
*ctx
, X509
*issuer
, X509
*subject
,
669 X509_REQ
*req
, X509_CRL
*crl
, int flags
);
670 /* For API backward compatibility, this is separate from X509V3_set_ctx(): */
671 int X509V3_set_issuer_pkey(X509V3_CTX
*ctx
, EVP_PKEY
*pkey
);
673 int X509V3_add_value(const char *name
, const char *value
,
674 STACK_OF(CONF_VALUE
) **extlist
);
675 int X509V3_add_value_uchar(const char *name
, const unsigned char *value
,
676 STACK_OF(CONF_VALUE
) **extlist
);
677 int X509V3_add_value_bool(const char *name
, int asn1_bool
,
678 STACK_OF(CONF_VALUE
) **extlist
);
679 int X509V3_add_value_int(const char *name
, const ASN1_INTEGER
*aint
,
680 STACK_OF(CONF_VALUE
) **extlist
);
681 char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD
*meth
, const ASN1_INTEGER
*aint
);
682 ASN1_INTEGER
*s2i_ASN1_INTEGER(X509V3_EXT_METHOD
*meth
, const char *value
);
683 char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD
*meth
, const ASN1_ENUMERATED
*aint
);
684 char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD
*meth
,
685 const ASN1_ENUMERATED
*aint
);
686 int X509V3_EXT_add(X509V3_EXT_METHOD
*ext
);
687 int X509V3_EXT_add_list(X509V3_EXT_METHOD
*extlist
);
688 int X509V3_EXT_add_alias(int nid_to
, int nid_from
);
689 void X509V3_EXT_cleanup(void);
691 const X509V3_EXT_METHOD
*X509V3_EXT_get(X509_EXTENSION
*ext
);
692 const X509V3_EXT_METHOD
*X509V3_EXT_get_nid(int nid
);
693 int X509V3_add_standard_extensions(void);
694 STACK_OF(CONF_VALUE
) *X509V3_parse_list(const char *line
);
695 void *X509V3_EXT_d2i(X509_EXTENSION
*ext
);
696 void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION
) *x
, int nid
, int *crit
,
699 X509_EXTENSION
*X509V3_EXT_i2d(int ext_nid
, int crit
, void *ext_struc
);
700 int X509V3_add1_i2d(STACK_OF(X509_EXTENSION
) **x
, int nid
, void *value
,
701 int crit
, unsigned long flags
);
703 #ifndef OPENSSL_NO_DEPRECATED_1_1_0
704 /* The new declarations are in crypto.h, but the old ones were here. */
705 # define hex_to_string OPENSSL_buf2hexstr
706 # define string_to_hex OPENSSL_hexstr2buf
709 void X509V3_EXT_val_prn(BIO
*out
, STACK_OF(CONF_VALUE
) *val
, int indent
,
711 int X509V3_EXT_print(BIO
*out
, X509_EXTENSION
*ext
, unsigned long flag
,
713 #ifndef OPENSSL_NO_STDIO
714 int X509V3_EXT_print_fp(FILE *out
, X509_EXTENSION
*ext
, int flag
, int indent
);
716 int X509V3_extensions_print(BIO
*out
, const char *title
,
717 const STACK_OF(X509_EXTENSION
) *exts
,
718 unsigned long flag
, int indent
);
720 int X509_check_ca(X509
*x
);
721 int X509_check_purpose(X509
*x
, int id
, int ca
);
722 int X509_supported_extension(X509_EXTENSION
*ex
);
723 int X509_PURPOSE_set(int *p
, int purpose
);
724 int X509_check_issued(X509
*issuer
, X509
*subject
);
725 int X509_check_akid(const X509
*issuer
, const AUTHORITY_KEYID
*akid
);
726 void X509_set_proxy_flag(X509
*x
);
727 void X509_set_proxy_pathlen(X509
*x
, long l
);
728 long X509_get_proxy_pathlen(X509
*x
);
730 uint32_t X509_get_extension_flags(X509
*x
);
731 uint32_t X509_get_key_usage(X509
*x
);
732 uint32_t X509_get_extended_key_usage(X509
*x
);
733 const ASN1_OCTET_STRING
*X509_get0_subject_key_id(X509
*x
);
734 const ASN1_OCTET_STRING
*X509_get0_authority_key_id(X509
*x
);
735 const GENERAL_NAMES
*X509_get0_authority_issuer(X509
*x
);
736 const ASN1_INTEGER
*X509_get0_authority_serial(X509
*x
);
738 int X509_PURPOSE_get_count(void);
739 X509_PURPOSE
*X509_PURPOSE_get0(int idx
);
740 int X509_PURPOSE_get_by_sname(const char *sname
);
741 int X509_PURPOSE_get_by_id(int id
);
742 int X509_PURPOSE_add(int id
, int trust
, int flags
,
743 int (*ck
) (const X509_PURPOSE
*, const X509
*, int),
744 const char *name
, const char *sname
, void *arg
);
745 char *X509_PURPOSE_get0_name(const X509_PURPOSE
*xp
);
746 char *X509_PURPOSE_get0_sname(const X509_PURPOSE
*xp
);
747 int X509_PURPOSE_get_trust(const X509_PURPOSE
*xp
);
748 void X509_PURPOSE_cleanup(void);
749 int X509_PURPOSE_get_id(const X509_PURPOSE
*);
751 STACK_OF(OPENSSL_STRING
) *X509_get1_email(X509
*x
);
752 STACK_OF(OPENSSL_STRING
) *X509_REQ_get1_email(X509_REQ
*x
);
753 void X509_email_free(STACK_OF(OPENSSL_STRING
) *sk
);
754 STACK_OF(OPENSSL_STRING
) *X509_get1_ocsp(X509
*x
);
755 /* Flags for X509_check_* functions */
758 * Always check subject name for host match even if subject alt names present
760 # define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0x1
761 /* Disable wildcard matching for dnsName fields and common name. */
762 # define X509_CHECK_FLAG_NO_WILDCARDS 0x2
763 /* Wildcards must not match a partial label. */
764 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0x4
765 /* Allow (non-partial) wildcards to match multiple labels. */
766 # define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8
767 /* Constraint verifier subdomain patterns to match a single labels. */
768 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10
769 /* Never check the subject CN */
770 # define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20
772 * Match reference identifiers starting with "." to any sub-domain.
773 * This is a non-public flag, turned on implicitly when the subject
774 * reference identity is a DNS name.
776 # define _X509_CHECK_FLAG_DOT_SUBDOMAINS 0x8000
778 int X509_check_host(X509
*x
, const char *chk
, size_t chklen
,
779 unsigned int flags
, char **peername
);
780 int X509_check_email(X509
*x
, const char *chk
, size_t chklen
,
782 int X509_check_ip(X509
*x
, const unsigned char *chk
, size_t chklen
,
784 int X509_check_ip_asc(X509
*x
, const char *ipasc
, unsigned int flags
);
786 ASN1_OCTET_STRING
*a2i_IPADDRESS(const char *ipasc
);
787 ASN1_OCTET_STRING
*a2i_IPADDRESS_NC(const char *ipasc
);
788 int X509V3_NAME_from_section(X509_NAME
*nm
, STACK_OF(CONF_VALUE
) *dn_sk
,
789 unsigned long chtype
);
791 void X509_POLICY_NODE_print(BIO
*out
, X509_POLICY_NODE
*node
, int indent
);
793 generate_stack_macros("X509_POLICY_NODE");
797 #ifndef OPENSSL_NO_RFC3779
798 typedef struct ASRange_st
{
799 ASN1_INTEGER
*min
, *max
;
802 # define ASIdOrRange_id 0
803 # define ASIdOrRange_range 1
805 typedef struct ASIdOrRange_st
{
814 generate_stack_macros("ASIdOrRange");
817 typedef STACK_OF(ASIdOrRange
) ASIdOrRanges
;
819 # define ASIdentifierChoice_inherit 0
820 # define ASIdentifierChoice_asIdsOrRanges 1
822 typedef struct ASIdentifierChoice_st
{
826 ASIdOrRanges
*asIdsOrRanges
;
828 } ASIdentifierChoice
;
830 typedef struct ASIdentifiers_st
{
831 ASIdentifierChoice
*asnum
, *rdi
;
834 DECLARE_ASN1_FUNCTIONS(ASRange
)
835 DECLARE_ASN1_FUNCTIONS(ASIdOrRange
)
836 DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice
)
837 DECLARE_ASN1_FUNCTIONS(ASIdentifiers
)
839 typedef struct IPAddressRange_st
{
840 ASN1_BIT_STRING
*min
, *max
;
843 # define IPAddressOrRange_addressPrefix 0
844 # define IPAddressOrRange_addressRange 1
846 typedef struct IPAddressOrRange_st
{
849 ASN1_BIT_STRING
*addressPrefix
;
850 IPAddressRange
*addressRange
;
855 generate_stack_macros("IPAddressOrRange");
858 typedef STACK_OF(IPAddressOrRange
) IPAddressOrRanges
;
860 # define IPAddressChoice_inherit 0
861 # define IPAddressChoice_addressesOrRanges 1
863 typedef struct IPAddressChoice_st
{
867 IPAddressOrRanges
*addressesOrRanges
;
871 typedef struct IPAddressFamily_st
{
872 ASN1_OCTET_STRING
*addressFamily
;
873 IPAddressChoice
*ipAddressChoice
;
877 generate_stack_macros("IPAddressFamily");
881 typedef STACK_OF(IPAddressFamily
) IPAddrBlocks
;
883 DECLARE_ASN1_FUNCTIONS(IPAddressRange
)
884 DECLARE_ASN1_FUNCTIONS(IPAddressOrRange
)
885 DECLARE_ASN1_FUNCTIONS(IPAddressChoice
)
886 DECLARE_ASN1_FUNCTIONS(IPAddressFamily
)
889 * API tag for elements of the ASIdentifer SEQUENCE.
891 # define V3_ASID_ASNUM 0
892 # define V3_ASID_RDI 1
895 * AFI values, assigned by IANA. It'd be nice to make the AFI
896 * handling code totally generic, but there are too many little things
897 * that would need to be defined for other address families for it to
898 * be worth the trouble.
900 # define IANA_AFI_IPV4 1
901 # define IANA_AFI_IPV6 2
904 * Utilities to construct and extract values from RFC3779 extensions,
905 * since some of the encodings (particularly for IP address prefixes
906 * and ranges) are a bit tedious to work with directly.
908 int X509v3_asid_add_inherit(ASIdentifiers
*asid
, int which
);
909 int X509v3_asid_add_id_or_range(ASIdentifiers
*asid
, int which
,
910 ASN1_INTEGER
*min
, ASN1_INTEGER
*max
);
911 int X509v3_addr_add_inherit(IPAddrBlocks
*addr
,
912 const unsigned afi
, const unsigned *safi
);
913 int X509v3_addr_add_prefix(IPAddrBlocks
*addr
,
914 const unsigned afi
, const unsigned *safi
,
915 unsigned char *a
, const int prefixlen
);
916 int X509v3_addr_add_range(IPAddrBlocks
*addr
,
917 const unsigned afi
, const unsigned *safi
,
918 unsigned char *min
, unsigned char *max
);
919 unsigned X509v3_addr_get_afi(const IPAddressFamily
*f
);
920 int X509v3_addr_get_range(IPAddressOrRange
*aor
, const unsigned afi
,
921 unsigned char *min
, unsigned char *max
,
927 int X509v3_asid_is_canonical(ASIdentifiers
*asid
);
928 int X509v3_addr_is_canonical(IPAddrBlocks
*addr
);
929 int X509v3_asid_canonize(ASIdentifiers
*asid
);
930 int X509v3_addr_canonize(IPAddrBlocks
*addr
);
933 * Tests for inheritance and containment.
935 int X509v3_asid_inherits(ASIdentifiers
*asid
);
936 int X509v3_addr_inherits(IPAddrBlocks
*addr
);
937 int X509v3_asid_subset(ASIdentifiers
*a
, ASIdentifiers
*b
);
938 int X509v3_addr_subset(IPAddrBlocks
*a
, IPAddrBlocks
*b
);
941 * Check whether RFC 3779 extensions nest properly in chains.
943 int X509v3_asid_validate_path(X509_STORE_CTX
*);
944 int X509v3_addr_validate_path(X509_STORE_CTX
*);
945 int X509v3_asid_validate_resource_set(STACK_OF(X509
) *chain
,
947 int allow_inheritance
);
948 int X509v3_addr_validate_resource_set(STACK_OF(X509
) *chain
,
949 IPAddrBlocks
*ext
, int allow_inheritance
);
951 #endif /* OPENSSL_NO_RFC3779 */
954 generate_stack_macros("ASN1_STRING");
960 typedef struct NamingAuthority_st NAMING_AUTHORITY
;
961 typedef struct ProfessionInfo_st PROFESSION_INFO
;
962 typedef struct Admissions_st ADMISSIONS
;
963 typedef struct AdmissionSyntax_st ADMISSION_SYNTAX
;
964 DECLARE_ASN1_FUNCTIONS(NAMING_AUTHORITY
)
965 DECLARE_ASN1_FUNCTIONS(PROFESSION_INFO
)
966 DECLARE_ASN1_FUNCTIONS(ADMISSIONS
)
967 DECLARE_ASN1_FUNCTIONS(ADMISSION_SYNTAX
)
969 generate_stack_macros("PROFESSION_INFO")
970 .generate_stack_macros("ADMISSIONS");
972 typedef STACK_OF(PROFESSION_INFO
) PROFESSION_INFOS
;
974 const ASN1_OBJECT
*NAMING_AUTHORITY_get0_authorityId(
975 const NAMING_AUTHORITY
*n
);
976 const ASN1_IA5STRING
*NAMING_AUTHORITY_get0_authorityURL(
977 const NAMING_AUTHORITY
*n
);
978 const ASN1_STRING
*NAMING_AUTHORITY_get0_authorityText(
979 const NAMING_AUTHORITY
*n
);
980 void NAMING_AUTHORITY_set0_authorityId(NAMING_AUTHORITY
*n
,
981 ASN1_OBJECT
* namingAuthorityId
);
982 void NAMING_AUTHORITY_set0_authorityURL(NAMING_AUTHORITY
*n
,
983 ASN1_IA5STRING
* namingAuthorityUrl
);
984 void NAMING_AUTHORITY_set0_authorityText(NAMING_AUTHORITY
*n
,
985 ASN1_STRING
* namingAuthorityText
);
987 const GENERAL_NAME
*ADMISSION_SYNTAX_get0_admissionAuthority(
988 const ADMISSION_SYNTAX
*as
);
989 void ADMISSION_SYNTAX_set0_admissionAuthority(
990 ADMISSION_SYNTAX
*as
, GENERAL_NAME
*aa
);
991 const STACK_OF(ADMISSIONS
) *ADMISSION_SYNTAX_get0_contentsOfAdmissions(
992 const ADMISSION_SYNTAX
*as
);
993 void ADMISSION_SYNTAX_set0_contentsOfAdmissions(
994 ADMISSION_SYNTAX
*as
, STACK_OF(ADMISSIONS
) *a
);
995 const GENERAL_NAME
*ADMISSIONS_get0_admissionAuthority(const ADMISSIONS
*a
);
996 void ADMISSIONS_set0_admissionAuthority(ADMISSIONS
*a
, GENERAL_NAME
*aa
);
997 const NAMING_AUTHORITY
*ADMISSIONS_get0_namingAuthority(const ADMISSIONS
*a
);
998 void ADMISSIONS_set0_namingAuthority(ADMISSIONS
*a
, NAMING_AUTHORITY
*na
);
999 const PROFESSION_INFOS
*ADMISSIONS_get0_professionInfos(const ADMISSIONS
*a
);
1000 void ADMISSIONS_set0_professionInfos(ADMISSIONS
*a
, PROFESSION_INFOS
*pi
);
1001 const ASN1_OCTET_STRING
*PROFESSION_INFO_get0_addProfessionInfo(
1002 const PROFESSION_INFO
*pi
);
1003 void PROFESSION_INFO_set0_addProfessionInfo(
1004 PROFESSION_INFO
*pi
, ASN1_OCTET_STRING
*aos
);
1005 const NAMING_AUTHORITY
*PROFESSION_INFO_get0_namingAuthority(
1006 const PROFESSION_INFO
*pi
);
1007 void PROFESSION_INFO_set0_namingAuthority(
1008 PROFESSION_INFO
*pi
, NAMING_AUTHORITY
*na
);
1009 const STACK_OF(ASN1_STRING
) *PROFESSION_INFO_get0_professionItems(
1010 const PROFESSION_INFO
*pi
);
1011 void PROFESSION_INFO_set0_professionItems(
1012 PROFESSION_INFO
*pi
, STACK_OF(ASN1_STRING
) *as
);
1013 const STACK_OF(ASN1_OBJECT
) *PROFESSION_INFO_get0_professionOIDs(
1014 const PROFESSION_INFO
*pi
);
1015 void PROFESSION_INFO_set0_professionOIDs(
1016 PROFESSION_INFO
*pi
, STACK_OF(ASN1_OBJECT
) *po
);
1017 const ASN1_PRINTABLESTRING
*PROFESSION_INFO_get0_registrationNumber(
1018 const PROFESSION_INFO
*pi
);
1019 void PROFESSION_INFO_set0_registrationNumber(
1020 PROFESSION_INFO
*pi
, ASN1_PRINTABLESTRING
*rn
);