doc/man3/X509V3_get_d2i.pod

   1 =pod
   2
   3 =head1 NAME
   4
   5 X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d,
   6 X509_get_ext_d2i, X509_add1_ext_i2d,
   7 X509_ACERT_get_ext_d2i, X509_ACERT_add1_ext_i2d,
   8 X509_CRL_get_ext_d2i, X509_CRL_add1_ext_i2d,
   9 X509_REVOKED_get_ext_d2i, X509_REVOKED_add1_ext_i2d,
  10 X509_get0_extensions, X509_ACERT_get0_extensions, X509_CRL_get0_extensions,
  11 X509_REVOKED_get0_extensions - X509 extension decode and encode functions
  12
  13 =head1 SYNOPSIS
  14
  15  #include <openssl/x509v3.h>
  16
  17  void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
  18                       int *idx);
  19  int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
  20                      int crit, unsigned long flags);
  21
  22  void *X509V3_EXT_d2i(X509_EXTENSION *ext);
  23  X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
  24
  25  void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx);
  26  int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
  27                        unsigned long flags);
  28
  29  void *X509_ACERT_get_ext_d2i(const X509_ACERT *x, int nid, int *crit, int *idx);
  30  int X509_ACERT_add1_ext_i2d(X509_ACERT *x, int nid, void *value, int crit,
  31                              unsigned long flags);
  32
  33  void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, int *crit, int *idx);
  34  int X509_CRL_add1_ext_i2d(X509_CRL *crl, int nid, void *value, int crit,
  35                            unsigned long flags);
  36
  37  void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *r, int nid, int *crit, int *idx);
  38  int X509_REVOKED_add1_ext_i2d(X509_REVOKED *r, int nid, void *value, int crit,
  39                                unsigned long flags);
  40
  41  const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
  42  const STACK_OF(X509_EXTENSION) *X509_ACERT_get0_extensions(const X509 *x);
  43  const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
  44  const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(const X509_REVOKED *r);
  45
  46 =head1 DESCRIPTION
  47
  48 X509V3_get_d2i() looks for an extension with OID I<nid> in the extensions
  49 I<x> and, if found, decodes it. If I<idx> is NULL then only one
  50 occurrence of an extension is permissible, otherwise the first extension after
  51 index I<*idx> is returned and I<*idx> updated to the location of the extension.
  52 If I<crit> is not NULL then I<*crit> is set to a status value: -2 if the
  53 extension occurs multiple times (this is only returned if I<idx> is NULL),
  54 -1 if the extension could not be found, 0 if the extension is found and is
  55 not critical and 1 if critical. A pointer to an extension specific structure
  56 or NULL is returned.
  57
  58 X509V3_add1_i2d() adds extension I<value> to STACK I<*x> (allocating a new
  59 STACK if necessary) using OID I<nid> and criticality I<crit> according
  60 to I<flags>.
  61
  62 X509V3_EXT_d2i() attempts to decode the ASN.1 data contained in extension
  63 I<ext> and returns a pointer to an extension specific structure or NULL
  64 if the extension could not be decoded (invalid syntax or not supported).
  65
  66 X509V3_EXT_i2d() encodes the extension specific structure I<ext_struc>
  67 with OID I<ext_nid> and criticality I<crit>.
  68
  69 X509_get_ext_d2i() and X509_add1_ext_i2d() operate on the extensions of
  70 certificate I<x>. They are otherwise identical to X509V3_get_d2i() and
  71 X509V3_add1_i2d().
  72
  73 X509_ACERT_get_ext_d2i() and X509_ACERT_add1_ext_i2d() operate on the extensions
  74 of B<X509_ACERT> structure I<x>. They are otherwise identical to X509V3_get_d2i()
  75 and X509V3_add1_i2d().
  76
  77 X509_CRL_get_ext_d2i() and X509_CRL_add1_ext_i2d() operate on the extensions
  78 of CRL I<crl>. They are otherwise identical to X509V3_get_d2i() and
  79 X509V3_add1_i2d().
  80
  81 X509_REVOKED_get_ext_d2i() and X509_REVOKED_add1_ext_i2d() operate on the
  82 extensions of B<X509_REVOKED> structure I<r> (i.e for CRL entry extensions).
  83 They are otherwise identical to X509V3_get_d2i() and X509V3_add1_i2d().
  84
  85 X509_get0_extensions(), X509_ACERT_get0_extensions(),
  86 X509_CRL_get0_extensions() and X509_REVOKED_get0_extensions() return a
  87 STACK of all the extensions of a certificate, an attribute certificate,
  88 a CRL or a CRL entry respectively.
  89
  90 =head1 NOTES
  91
  92 In almost all cases an extension can occur at most once and multiple
  93 occurrences is an error. Therefore, the I<idx> parameter is usually NULL.
  94
  95 The I<flags> parameter may be one of the following values.
  96
  97 B<X509V3_ADD_DEFAULT> appends a new extension only if the extension does
  98 not exist. An error is returned if the extension exists.
  99
 100 B<X509V3_ADD_APPEND> appends a new extension, ignoring whether the extension
 101 exists.
 102
 103 B<X509V3_ADD_REPLACE> replaces an existing extension. If the extension does
 104 not exist, appends a new extension.
 105
 106 B<X509V3_ADD_REPLACE_EXISTING> replaces an existing extension. If the
 107 extension does not exist, returns an error.
 108
 109 B<X509V3_ADD_KEEP_EXISTING> appends a new extension only if the extension does
 110 not exist. An error is B<not> returned if the extension exists.
 111
 112 B<X509V3_ADD_DELETE> deletes and frees an existing extension. If the extension
 113 does not exist, returns an error. No new extension is added.
 114
 115 If B<X509V3_ADD_SILENT> is bitwise ORed with I<flags>: any error returned
 116 will not be added to the error queue.
 117
 118 The function X509V3_get_d2i() and its variants
 119 will return NULL if the extension is not
 120 found, occurs multiple times or cannot be decoded. It is possible to
 121 determine the precise reason by checking the value of I<*crit>.
 122
 123 The function X509V3_add1_i2d() and its variants allocate B<X509_EXTENSION>
 124 objects on STACK I<*x> depending on I<flags>. The B<X509_EXTENSION> objects
 125 must be explicitly freed using X509_EXTENSION_free().
 126
 127 =head1 SUPPORTED EXTENSIONS
 128
 129 The following sections contain a list of all supported extensions
 130 including their name and NID.
 131
 132 =head2 PKIX Certificate Extensions
 133
 134 The following certificate extensions are defined in PKIX standards such as
 135 RFC5280.
 136
 137  Basic Constraints                  NID_basic_constraints
 138  Key Usage                          NID_key_usage
 139  Extended Key Usage                 NID_ext_key_usage
 140
 141  Subject Key Identifier             NID_subject_key_identifier
 142  Authority Key Identifier           NID_authority_key_identifier
 143
 144  Private Key Usage Period           NID_private_key_usage_period
 145
 146  Subject Alternative Name           NID_subject_alt_name
 147  Issuer Alternative Name            NID_issuer_alt_name
 148
 149  Authority Information Access       NID_info_access
 150  Subject Information Access         NID_sinfo_access
 151
 152  Name Constraints                   NID_name_constraints
 153
 154  Certificate Policies               NID_certificate_policies
 155  Policy Mappings                    NID_policy_mappings
 156  Policy Constraints                 NID_policy_constraints
 157  Inhibit Any Policy                 NID_inhibit_any_policy
 158
 159  TLS Feature                        NID_tlsfeature
 160
 161 =head2 Netscape Certificate Extensions
 162
 163 The following are (largely obsolete) Netscape certificate extensions.
 164
 165  Netscape Cert Type                 NID_netscape_cert_type
 166  Netscape Base Url                  NID_netscape_base_url
 167  Netscape Revocation Url            NID_netscape_revocation_url
 168  Netscape CA Revocation Url         NID_netscape_ca_revocation_url
 169  Netscape Renewal Url               NID_netscape_renewal_url
 170  Netscape CA Policy Url             NID_netscape_ca_policy_url
 171  Netscape SSL Server Name           NID_netscape_ssl_server_name
 172  Netscape Comment                   NID_netscape_comment
 173
 174 =head2 Miscellaneous Certificate Extensions
 175
 176  Strong Extranet ID                 NID_sxnet
 177  Proxy Certificate Information      NID_proxyCertInfo
 178
 179 =head2 PKIX CRL Extensions
 180
 181 The following are CRL extensions from PKIX standards such as RFC5280.
 182
 183  CRL Number                         NID_crl_number
 184  CRL Distribution Points            NID_crl_distribution_points
 185  Delta CRL Indicator                NID_delta_crl
 186  Freshest CRL                       NID_freshest_crl
 187  Invalidity Date                    NID_invalidity_date
 188  Issuing Distribution Point         NID_issuing_distribution_point
 189
 190 The following are CRL entry extensions from PKIX standards such as RFC5280.
 191
 192  CRL Reason Code                    NID_crl_reason
 193  Certificate Issuer                 NID_certificate_issuer
 194
 195 =head2 OCSP Extensions
 196
 197  OCSP Nonce                         NID_id_pkix_OCSP_Nonce
 198  OCSP CRL ID                        NID_id_pkix_OCSP_CrlID
 199  Acceptable OCSP Responses          NID_id_pkix_OCSP_acceptableResponses
 200  OCSP No Check                      NID_id_pkix_OCSP_noCheck
 201  OCSP Archive Cutoff                NID_id_pkix_OCSP_archiveCutoff
 202  OCSP Service Locator               NID_id_pkix_OCSP_serviceLocator
 203  Hold Instruction Code              NID_hold_instruction_code
 204
 205 =head2 Certificate Transparency Extensions
 206
 207 The following extensions are used by certificate transparency, RFC6962
 208
 209  CT Precertificate SCTs             NID_ct_precert_scts
 210  CT Certificate SCTs                NID_ct_cert_scts
 211
 212 =head1 RETURN VALUES
 213
 214 X509V3_get_d2i(), its variants, and X509V3_EXT_d2i() return
 215 a pointer to an extension specific structure or NULL if an error occurs.
 216
 217 X509V3_add1_i2d() and its variants return 1 if the operation is successful
 218 and 0 if it fails due to a non-fatal error (extension not found, already exists,
 219 cannot be encoded) or -1 due to a fatal error such as a memory allocation
 220 failure.
 221
 222 X509V3_EXT_i2d() returns a pointer to an B<X509_EXTENSION> structure
 223 or NULL if an error occurs.
 224
 225 X509_get0_extensions(), X509_CRL_get0_extensions() and
 226 X509_REVOKED_get0_extensions() return a stack of extensions. They return
 227 NULL if no extensions are present.
 228
 229 =head1 SEE ALSO
 230
 231 L<d2i_X509(3)>,
 232 L<ERR_get_error(3)>,
 233 L<X509_CRL_get0_by_serial(3)>,
 234 L<X509_get0_signature(3)>,
 235 L<X509_get_ext_d2i(3)>,
 236 L<X509_get_extension_flags(3)>,
 237 L<X509_get_pubkey(3)>,
 238 L<X509_get_subject_name(3)>,
 239 L<X509_get_version(3)>,
 240 L<X509_NAME_add_entry_by_txt(3)>,
 241 L<X509_NAME_ENTRY_get_object(3)>,
 242 L<X509_NAME_get_index_by_NID(3)>,
 243 L<X509_NAME_print_ex(3)>,
 244 L<X509_new(3)>,
 245 L<X509_sign(3)>,
 246 L<X509_verify_cert(3)>
 247
 248 =head1 COPYRIGHT
 249
 250 Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
 251
 252 Licensed under the Apache License 2.0 (the "License").  You may not use
 253 this file except in compliance with the License.  You can obtain a copy
 254 in the file LICENSE in the source distribution or at
 255 L<https://www.openssl.org/source/license.html>.
 256
 257 =cut