2 * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #ifndef OPENSSL_X509V3_H
11 # define OPENSSL_X509V3_H
14 # include <openssl/macros.h>
15 # ifndef OPENSSL_NO_DEPRECATED_3_0
16 # define HEADER_X509V3_H
19 # include <openssl/bio.h>
20 # include <openssl/x509.h>
21 # include <openssl/conf.h>
22 # include <openssl/x509v3err.h>
28 DEFINE_OR_DECLARE_STACK_OF(GENERAL_NAME
)
29 DEFINE_OR_DECLARE_STACK_OF(X509V3_EXT_METHOD
)
30 DEFINE_OR_DECLARE_STACK_OF(GENERAL_NAMES
)
31 DEFINE_OR_DECLARE_STACK_OF(ACCESS_DESCRIPTION
)
32 DEFINE_OR_DECLARE_STACK_OF(DIST_POINT
)
33 DEFINE_OR_DECLARE_STACK_OF(SXNETID
)
34 DEFINE_OR_DECLARE_STACK_OF(POLICYQUALINFO
)
35 DEFINE_OR_DECLARE_STACK_OF(POLICYINFO
)
36 DEFINE_OR_DECLARE_STACK_OF(POLICY_MAPPING
)
37 DEFINE_OR_DECLARE_STACK_OF(GENERAL_SUBTREE
)
38 DEFINE_OR_DECLARE_STACK_OF(X509_PURPOSE
)
39 DEFINE_OR_DECLARE_STACK_OF(X509_POLICY_NODE
)
40 DEFINE_OR_DECLARE_STACK_OF(ASIdOrRange
)
41 DEFINE_OR_DECLARE_STACK_OF(IPAddressOrRange
)
42 DEFINE_OR_DECLARE_STACK_OF(IPAddressFamily
)
43 DEFINE_OR_DECLARE_STACK_OF(ASN1_STRING
)
44 DEFINE_OR_DECLARE_STACK_OF(ADMISSIONS
)
45 DEFINE_OR_DECLARE_STACK_OF(PROFESSION_INFO
)
47 /* Forward reference */
/*
 * Callback types installed in a v3_ext_method (the ext_new/ext_free slots
 * are visible in struct v3_ext_method below).
 *
 * X509V3_EXT_NEW / X509V3_EXT_FREE allocate and release the C representation
 * of an extension value.
 * X509V3_EXT_D2I takes (object, in/out DER pointer, length) and
 * X509V3_EXT_I2D takes (object, out DER pointer) and returns an int --
 * presumably the usual ASN.1 d2i/i2d calling convention (i2d returning the
 * encoded length); confirm against the implementation.
 * The D2I decoder is where DER taken from a certificate is parsed, so an
 * implementation must never read past the supplied length.
 */
typedef void *(*X509V3_EXT_NEW)(void);
typedef void (*X509V3_EXT_FREE) (void *);
typedef void *(*X509V3_EXT_D2I)(void *, const unsigned char **, long);
typedef int (*X509V3_EXT_I2D) (const void *, unsigned char **);
/*
 * i2v: render an extension object as name/value CONF_VALUE pairs. An
 *      existing stack is passed in as extlist and a stack is returned --
 *      presumably the same one extended; confirm ownership before freeing.
 * v2i: build an extension object from a list of CONF_VALUEs, with ctx
 *      supplying any context-dependent data (issuer, subject, ...).
 * Both receive the method they belong to, so a single function can serve
 * several NIDs and inspect method-specific data.
 */
typedef STACK_OF(CONF_VALUE) *
    (*X509V3_EXT_I2V) (const struct v3_ext_method *method, void *ext,
                       STACK_OF(CONF_VALUE) *extlist);
typedef void *(*X509V3_EXT_V2I)(const struct v3_ext_method *method,
                                struct v3_ext_ctx *ctx,
                                STACK_OF(CONF_VALUE) *values);
63 typedef char *(*X509V3_EXT_I2S
)(const struct v3_ext_method
*method
,
/*
 * s2i: build an extension object from a single string value.
 * i2r: print an extension object to a BIO at the given indent; the int
 *      return is presumably a success flag -- confirm.
 * r2i: build an extension object from a "raw" string. Its signature is
 *      identical to X509V3_EXT_S2I; the only difference is which slot of
 *      struct v3_ext_method the function is installed in (see the "raw
 *      extensions" comment there).
 * All three take the owning method so one function can serve several NIDs.
 */
typedef void *(*X509V3_EXT_S2I)(const struct v3_ext_method *method,
                                struct v3_ext_ctx *ctx, const char *str);
typedef int (*X509V3_EXT_I2R) (const struct v3_ext_method *method, void *ext,
                               BIO *out, int indent);
typedef void *(*X509V3_EXT_R2I)(const struct v3_ext_method *method,
                                struct v3_ext_ctx *ctx, const char *str);
72 /* V3 extension structure */
74 struct v3_ext_method
{
77 /* If this is set the following four fields are ignored */
79 /* Old style ASN1 calls */
80 X509V3_EXT_NEW ext_new
;
81 X509V3_EXT_FREE ext_free
;
84 /* The following pair is used for string extensions */
87 /* The following pair is used for multi-valued extensions */
90 /* The following are used for raw extensions */
93 void *usr_data
; /* Any extension specific data */
/*
 * Pluggable configuration-database accessor, referenced from an X509V3_CTX
 * through its db_meth member. db is the opaque database handle that the
 * context stores. The members come in get/free pairs: a string obtained
 * from get_string is released through free_string, and a section obtained
 * from get_section through free_section (compare X509V3_get_string /
 * X509V3_string_free further down). Whether get_* may return NULL for a
 * missing key is not visible here -- callers should check anyway.
 */
typedef struct X509V3_CONF_METHOD_st {
    /* look up value in section; result released with free_string */
    char *(*get_string) (void *db, const char *section, const char *value);
    /* fetch a whole section as name/value pairs; released with free_section */
    STACK_OF(CONF_VALUE) *(*get_section) (void *db, const char *section);
    void (*free_string) (void *db, char *string);
    void (*free_section) (void *db, STACK_OF(CONF_VALUE) *section);
} X509V3_CONF_METHOD;
103 /* Context specific info */
105 # define CTX_TEST 0x1
106 # define X509V3_CTX_REPLACE 0x2
110 X509_REQ
*subject_req
;
112 X509V3_CONF_METHOD
*db_meth
;
114 /* Maybe more here */
117 typedef struct v3_ext_method X509V3_EXT_METHOD
;
119 /* ext_flags values */
120 # define X509V3_EXT_DYNAMIC 0x1
121 # define X509V3_EXT_CTX_DEP 0x2
122 # define X509V3_EXT_MULTILINE 0x4
124 typedef BIT_STRING_BITNAME ENUMERATED_NAMES
;
126 typedef struct BASIC_CONSTRAINTS_st
{
128 ASN1_INTEGER
*pathlen
;
131 typedef struct PKEY_USAGE_PERIOD_st
{
132 ASN1_GENERALIZEDTIME
*notBefore
;
133 ASN1_GENERALIZEDTIME
*notAfter
;
136 typedef struct otherName_st
{
137 ASN1_OBJECT
*type_id
;
141 typedef struct EDIPartyName_st
{
142 ASN1_STRING
*nameAssigner
;
143 ASN1_STRING
*partyName
;
146 typedef struct GENERAL_NAME_st
{
147 # define GEN_OTHERNAME 0
151 # define GEN_DIRNAME 4
152 # define GEN_EDIPARTY 5
159 OTHERNAME
*otherName
; /* otherName */
160 ASN1_IA5STRING
*rfc822Name
;
161 ASN1_IA5STRING
*dNSName
;
162 ASN1_TYPE
*x400Address
;
163 X509_NAME
*directoryName
;
164 EDIPARTYNAME
*ediPartyName
;
165 ASN1_IA5STRING
*uniformResourceIdentifier
;
166 ASN1_OCTET_STRING
*iPAddress
;
167 ASN1_OBJECT
*registeredID
;
169 ASN1_OCTET_STRING
*ip
; /* iPAddress */
170 X509_NAME
*dirn
; /* dirn */
171 ASN1_IA5STRING
*ia5
; /* rfc822Name, dNSName,
172 * uniformResourceIdentifier */
173 ASN1_OBJECT
*rid
; /* registeredID */
174 ASN1_TYPE
*other
; /* x400Address */
178 typedef struct ACCESS_DESCRIPTION_st
{
180 GENERAL_NAME
*location
;
181 } ACCESS_DESCRIPTION
;
183 typedef STACK_OF(ACCESS_DESCRIPTION
) AUTHORITY_INFO_ACCESS
;
185 typedef STACK_OF(ASN1_OBJECT
) EXTENDED_KEY_USAGE
;
187 typedef STACK_OF(ASN1_INTEGER
) TLS_FEATURE
;
189 typedef STACK_OF(GENERAL_NAME
) GENERAL_NAMES
;
191 typedef struct DIST_POINT_NAME_st
{
194 GENERAL_NAMES
*fullname
;
195 STACK_OF(X509_NAME_ENTRY
) *relativename
;
197 /* If relativename then this contains the full distribution point name */
/* All existing reasons */
/*
 * Mask of every reason bit a distribution point can carry. The value looks
 * like a mask over the raw ReasonFlags BIT STRING octets rather than over
 * the CRL_REASON_* codes below -- confirm against where dp_reasons is
 * computed before combining the two.
 */
# define CRLDP_ALL_REASONS 0x807f

/* Sentinel for "no reason given"; not an encodable CRLReason value. */
# define CRL_REASON_NONE -1
/* CRLReason enumeration codes */
# define CRL_REASON_UNSPECIFIED 0
# define CRL_REASON_KEY_COMPROMISE 1
# define CRL_REASON_CA_COMPROMISE 2
# define CRL_REASON_AFFILIATION_CHANGED 3
# define CRL_REASON_SUPERSEDED 4
# define CRL_REASON_CESSATION_OF_OPERATION 5
# define CRL_REASON_CERTIFICATE_HOLD 6
/* 7 is deliberately skipped: it is unassigned in the CRLReason enumeration */
# define CRL_REASON_REMOVE_FROM_CRL 8
# define CRL_REASON_PRIVILEGE_WITHDRAWN 9
# define CRL_REASON_AA_COMPROMISE 10
215 struct DIST_POINT_st
{
216 DIST_POINT_NAME
*distpoint
;
217 ASN1_BIT_STRING
*reasons
;
218 GENERAL_NAMES
*CRLissuer
;
222 typedef STACK_OF(DIST_POINT
) CRL_DIST_POINTS
;
224 struct AUTHORITY_KEYID_st
{
225 ASN1_OCTET_STRING
*keyid
;
226 GENERAL_NAMES
*issuer
;
227 ASN1_INTEGER
*serial
;
230 /* Strong extranet structures */
232 typedef struct SXNET_ID_st
{
234 ASN1_OCTET_STRING
*user
;
237 typedef struct SXNET_st
{
238 ASN1_INTEGER
*version
;
239 STACK_OF(SXNETID
) *ids
;
242 typedef struct ISSUER_SIGN_TOOL_st
{
243 ASN1_UTF8STRING
*signTool
;
244 ASN1_UTF8STRING
*cATool
;
245 ASN1_UTF8STRING
*signToolCert
;
246 ASN1_UTF8STRING
*cAToolCert
;
249 typedef struct NOTICEREF_st
{
250 ASN1_STRING
*organization
;
251 STACK_OF(ASN1_INTEGER
) *noticenos
;
254 typedef struct USERNOTICE_st
{
255 NOTICEREF
*noticeref
;
256 ASN1_STRING
*exptext
;
259 typedef struct POLICYQUALINFO_st
{
260 ASN1_OBJECT
*pqualid
;
262 ASN1_IA5STRING
*cpsuri
;
263 USERNOTICE
*usernotice
;
268 typedef struct POLICYINFO_st
{
269 ASN1_OBJECT
*policyid
;
270 STACK_OF(POLICYQUALINFO
) *qualifiers
;
273 typedef STACK_OF(POLICYINFO
) CERTIFICATEPOLICIES
;
275 typedef struct POLICY_MAPPING_st
{
276 ASN1_OBJECT
*issuerDomainPolicy
;
277 ASN1_OBJECT
*subjectDomainPolicy
;
280 typedef STACK_OF(POLICY_MAPPING
) POLICY_MAPPINGS
;
282 typedef struct GENERAL_SUBTREE_st
{
284 ASN1_INTEGER
*minimum
;
285 ASN1_INTEGER
*maximum
;
288 struct NAME_CONSTRAINTS_st
{
289 STACK_OF(GENERAL_SUBTREE
) *permittedSubtrees
;
290 STACK_OF(GENERAL_SUBTREE
) *excludedSubtrees
;
/*
 * policyConstraints extension body. Both fields are optional in the ASN.1
 * definition, so either pointer may be NULL; check before dereferencing.
 */
typedef struct POLICY_CONSTRAINTS_st {
    ASN1_INTEGER *requireExplicitPolicy;
    ASN1_INTEGER *inhibitPolicyMapping;
} POLICY_CONSTRAINTS;
298 /* Proxy certificate structures, see RFC 3820 */
299 typedef struct PROXY_POLICY_st
{
300 ASN1_OBJECT
*policyLanguage
;
301 ASN1_OCTET_STRING
*policy
;
/*
 * ProxyCertInfo extension (RFC 3820). pcPathLengthConstraint is presumably
 * NULL when the certificate places no limit on further delegation --
 * confirm; proxyPolicy carries the policy language OID and its opaque
 * policy body (see PROXY_POLICY above).
 */
typedef struct PROXY_CERT_INFO_EXTENSION_st {
    ASN1_INTEGER *pcPathLengthConstraint;
    PROXY_POLICY *proxyPolicy;
} PROXY_CERT_INFO_EXTENSION;

/* new/free/d2i/i2d and ASN1_ITEM declarations for the two proxy structures */
DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
312 struct ISSUING_DIST_POINT_st
{
313 DIST_POINT_NAME
*distpoint
;
316 ASN1_BIT_STRING
*onlysomereasons
;
/* Values in idp_flags field */
/* An issuingDistributionPoint extension is present */
# define IDP_PRESENT 0x1
/* IDP values inconsistent */
# define IDP_INVALID 0x2
/* presumably onlyContainsUserCerts true -- confirm */
# define IDP_ONLYUSER 0x4
/* presumably onlyContainsCACerts true -- confirm */
# define IDP_ONLYCA 0x8
/* presumably onlyContainsAttributeCerts true -- confirm */
# define IDP_ONLYATTR 0x10
/* indirectCRL true */
# define IDP_INDIRECT 0x20
/* onlysomereasons present */
# define IDP_REASONS 0x40
/*
 * Record the offending config entry in the error queue. Six string pieces
 * are concatenated, so the section, name and value of the CONF_VALUE appear
 * verbatim in error output; keep that in mind when error strings from
 * untrusted configuration are logged or shown.
 */
# define X509V3_conf_err(val) ERR_add_error_data(6, \
                "section:", (val)->section, \
                ",name:", (val)->name, ",value:", (val)->value)

/*
 * Put ctx into test mode with no issuer, subject, request or CRL; the four
 * NULLs line up with the X509V3_set_ctx() parameters declared below.
 */
# define X509V3_set_ctx_test(ctx) \
    X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, CTX_TEST)
/*
 * NOTE(review): the trailing ';' is part of the expansion, so a caller's
 * own ';' produces an empty statement. Kept as-is for source compatibility;
 * avoid using this macro as the sole body of an un-braced if/else.
 */
# define X509V3_set_ctx_nodb(ctx) (ctx)->db = NULL;
345 # define EXT_BITSTRING(nid, table) { nid, 0, ASN1_ITEM_ref(ASN1_BIT_STRING), \
348 (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING, \
349 (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING, \
353 # define EXT_IA5STRING(nid) { nid, 0, ASN1_ITEM_ref(ASN1_IA5STRING), \
355 (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \
356 (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, \
360 # define EXT_END { -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
362 /* X509_PURPOSE stuff */
364 # define EXFLAG_BCONS 0x1
365 # define EXFLAG_KUSAGE 0x2
366 # define EXFLAG_XKUSAGE 0x4
367 # define EXFLAG_NSCERT 0x8
369 # define EXFLAG_CA 0x10
370 /* Really self issued not necessarily self signed */
371 # define EXFLAG_SI 0x20
372 # define EXFLAG_V1 0x40
373 # define EXFLAG_INVALID 0x80
374 /* EXFLAG_SET is set to indicate that some values have been precomputed */
375 # define EXFLAG_SET 0x100
376 # define EXFLAG_CRITICAL 0x200
377 # define EXFLAG_PROXY 0x400
379 # define EXFLAG_INVALID_POLICY 0x800
380 # define EXFLAG_FRESHEST 0x1000
382 # define EXFLAG_SS 0x2000
/*
 * keyUsage bits as returned by X509_get_key_usage(). The values are not in
 * ascending order: they look like the raw KeyUsage BIT STRING octets, with
 * bit 0 (digitalSignature) as the MSB of the first octet and decipherOnly
 * (bit 8) in the second octet -- confirm against where the flag word is
 * computed. A keyUsage extension may be absent altogether; test
 * EXFLAG_KUSAGE in X509_get_extension_flags() to tell "no extension" from
 * "no bits set" (and confirm what the getter returns in the absent case).
 */
# define KU_DIGITAL_SIGNATURE 0x0080
# define KU_NON_REPUDIATION 0x0040
# define KU_KEY_ENCIPHERMENT 0x0020
# define KU_DATA_ENCIPHERMENT 0x0010
# define KU_KEY_AGREEMENT 0x0008
# define KU_KEY_CERT_SIGN 0x0004
# define KU_CRL_SIGN 0x0002
# define KU_ENCIPHER_ONLY 0x0001
# define KU_DECIPHER_ONLY 0x8000

/* Netscape cert-type bits (legacy); NS_ANY_CA is the union of the CA kinds */
# define NS_SSL_CLIENT 0x80
# define NS_SSL_SERVER 0x40
# define NS_SMIME 0x20
# define NS_OBJSIGN 0x10
# define NS_SSL_CA 0x04
# define NS_SMIME_CA 0x02
# define NS_OBJSIGN_CA 0x01
# define NS_ANY_CA (NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)

/*
 * extendedKeyUsage flags as returned by X509_get_extended_key_usage().
 * XKU_ANYEKU presumably marks the anyExtendedKeyUsage OID -- confirm.
 */
# define XKU_SSL_SERVER 0x1
# define XKU_SSL_CLIENT 0x2
# define XKU_SMIME 0x4
# define XKU_CODE_SIGN 0x8
# define XKU_SGC 0x10
# define XKU_OCSP_SIGN 0x20
# define XKU_TIMESTAMP 0x40
# define XKU_DVCS 0x80
# define XKU_ANYEKU 0x100
413 # define X509_PURPOSE_DYNAMIC 0x1
414 # define X509_PURPOSE_DYNAMIC_NAME 0x2
416 typedef struct x509_purpose_st
{
418 int trust
; /* Default trust ID */
420 int (*check_purpose
) (const struct x509_purpose_st
*, const X509
*, int);
426 # define X509_PURPOSE_SSL_CLIENT 1
427 # define X509_PURPOSE_SSL_SERVER 2
428 # define X509_PURPOSE_NS_SSL_SERVER 3
429 # define X509_PURPOSE_SMIME_SIGN 4
430 # define X509_PURPOSE_SMIME_ENCRYPT 5
431 # define X509_PURPOSE_CRL_SIGN 6
432 # define X509_PURPOSE_ANY 7
433 # define X509_PURPOSE_OCSP_HELPER 8
434 # define X509_PURPOSE_TIMESTAMP_SIGN 9
436 # define X509_PURPOSE_MIN 1
437 # define X509_PURPOSE_MAX 9
/* Flags for X509V3_EXT_print() */

/* Bits 16-19 select what to do with an extension that has no registered method */
# define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
/* Return error for unknown extensions */
# define X509V3_EXT_DEFAULT 0
/* Print error for unknown extensions */
# define X509V3_EXT_ERROR_UNKNOWN (1L << 16)
/* ASN1 parse unknown extensions */
# define X509V3_EXT_PARSE_UNKNOWN (2L << 16)
/* BIO_dump unknown extensions */
# define X509V3_EXT_DUMP_UNKNOWN (3L << 16)

/* Flags for X509V3_add1_i2d */

/* Low nibble: how to combine with an extension of the same NID that is already present */
# define X509V3_ADD_OP_MASK 0xfL
# define X509V3_ADD_DEFAULT 0L
# define X509V3_ADD_APPEND 1L
# define X509V3_ADD_REPLACE 2L
# define X509V3_ADD_REPLACE_EXISTING 3L
# define X509V3_ADD_KEEP_EXISTING 4L
# define X509V3_ADD_DELETE 5L
/* Lies outside the op mask; presumably suppresses the error for a failed op -- confirm */
# define X509V3_ADD_SILENT 0x10
462 DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS
)
464 DECLARE_ASN1_FUNCTIONS(SXNET
)
465 DECLARE_ASN1_FUNCTIONS(SXNETID
)
467 DECLARE_ASN1_FUNCTIONS(ISSUER_SIGN_TOOL
)
469 int SXNET_add_id_asc(SXNET
**psx
, const char *zone
, const char *user
, int userlen
);
470 int SXNET_add_id_ulong(SXNET
**psx
, unsigned long lzone
, const char *user
,
472 int SXNET_add_id_INTEGER(SXNET
**psx
, ASN1_INTEGER
*izone
, const char *user
,
475 ASN1_OCTET_STRING
*SXNET_get_id_asc(SXNET
*sx
, const char *zone
);
476 ASN1_OCTET_STRING
*SXNET_get_id_ulong(SXNET
*sx
, unsigned long lzone
);
477 ASN1_OCTET_STRING
*SXNET_get_id_INTEGER(SXNET
*sx
, ASN1_INTEGER
*zone
);
479 DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID
)
481 DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD
)
483 DECLARE_ASN1_FUNCTIONS(GENERAL_NAME
)
484 DECLARE_ASN1_DUP_FUNCTION(GENERAL_NAME
)
485 int GENERAL_NAME_cmp(GENERAL_NAME
*a
, GENERAL_NAME
*b
);
487 ASN1_BIT_STRING
*v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD
*method
,
489 STACK_OF(CONF_VALUE
) *nval
);
490 STACK_OF(CONF_VALUE
) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD
*method
,
491 ASN1_BIT_STRING
*bits
,
492 STACK_OF(CONF_VALUE
) *extlist
);
493 char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD
*method
, ASN1_IA5STRING
*ia5
);
494 ASN1_IA5STRING
*s2i_ASN1_IA5STRING(X509V3_EXT_METHOD
*method
,
495 X509V3_CTX
*ctx
, const char *str
);
497 STACK_OF(CONF_VALUE
) *i2v_GENERAL_NAME(X509V3_EXT_METHOD
*method
,
499 STACK_OF(CONF_VALUE
) *ret
);
500 int GENERAL_NAME_print(BIO
*out
, GENERAL_NAME
*gen
);
502 DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES
)
504 STACK_OF(CONF_VALUE
) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD
*method
,
506 STACK_OF(CONF_VALUE
) *extlist
);
507 GENERAL_NAMES
*v2i_GENERAL_NAMES(const X509V3_EXT_METHOD
*method
,
508 X509V3_CTX
*ctx
, STACK_OF(CONF_VALUE
) *nval
);
510 DECLARE_ASN1_FUNCTIONS(OTHERNAME
)
511 DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME
)
512 int OTHERNAME_cmp(OTHERNAME
*a
, OTHERNAME
*b
);
513 void GENERAL_NAME_set0_value(GENERAL_NAME
*a
, int type
, void *value
);
514 void *GENERAL_NAME_get0_value(const GENERAL_NAME
*a
, int *ptype
);
515 int GENERAL_NAME_set0_othername(GENERAL_NAME
*gen
,
516 ASN1_OBJECT
*oid
, ASN1_TYPE
*value
);
517 int GENERAL_NAME_get0_otherName(const GENERAL_NAME
*gen
,
518 ASN1_OBJECT
**poid
, ASN1_TYPE
**pvalue
);
520 char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD
*method
,
521 const ASN1_OCTET_STRING
*ia5
);
522 ASN1_OCTET_STRING
*s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD
*method
,
523 X509V3_CTX
*ctx
, const char *str
);
525 DECLARE_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE
)
526 int i2a_ACCESS_DESCRIPTION(BIO
*bp
, const ACCESS_DESCRIPTION
*a
);
528 DECLARE_ASN1_ALLOC_FUNCTIONS(TLS_FEATURE
)
530 DECLARE_ASN1_FUNCTIONS(CERTIFICATEPOLICIES
)
531 DECLARE_ASN1_FUNCTIONS(POLICYINFO
)
532 DECLARE_ASN1_FUNCTIONS(POLICYQUALINFO
)
533 DECLARE_ASN1_FUNCTIONS(USERNOTICE
)
534 DECLARE_ASN1_FUNCTIONS(NOTICEREF
)
536 DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS
)
537 DECLARE_ASN1_FUNCTIONS(DIST_POINT
)
538 DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME
)
539 DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT
)
541 int DIST_POINT_set_dpname(DIST_POINT_NAME
*dpn
, const X509_NAME
*iname
);
/**
 * Check certificate x against the nameConstraints nc. Presumably returns
 * X509_V_OK on success and an X509_V_ERR_* code otherwise -- confirm
 * against the implementation; in particular do not treat a non-zero
 * return as success.
 */
int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc);
/**
 * Variant that checks only the subject Common Name against nc; presumably
 * used when the CN stands in for a DNS host identity -- confirm. Same
 * return convention as NAME_CONSTRAINTS_check (presumably).
 */
int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc);
546 DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION
)
547 DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS
)
549 DECLARE_ASN1_ITEM(POLICY_MAPPING
)
550 DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING
)
551 DECLARE_ASN1_ITEM(POLICY_MAPPINGS
)
553 DECLARE_ASN1_ITEM(GENERAL_SUBTREE
)
554 DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE
)
556 DECLARE_ASN1_ITEM(NAME_CONSTRAINTS
)
557 DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS
)
559 DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS
)
560 DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS
)
562 GENERAL_NAME
*a2i_GENERAL_NAME(GENERAL_NAME
*out
,
563 const X509V3_EXT_METHOD
*method
,
564 X509V3_CTX
*ctx
, int gen_type
,
565 const char *value
, int is_nc
);
567 # ifdef OPENSSL_CONF_H
568 GENERAL_NAME
*v2i_GENERAL_NAME(const X509V3_EXT_METHOD
*method
,
569 X509V3_CTX
*ctx
, CONF_VALUE
*cnf
);
570 GENERAL_NAME
*v2i_GENERAL_NAME_ex(GENERAL_NAME
*out
,
571 const X509V3_EXT_METHOD
*method
,
572 X509V3_CTX
*ctx
, CONF_VALUE
*cnf
,
575 int X509v3_cache_extensions(X509
*x
, OPENSSL_CTX
*libctx
, const char *propq
);
577 void X509V3_conf_free(CONF_VALUE
*val
);
579 X509_EXTENSION
*X509V3_EXT_nconf_nid(CONF
*conf
, X509V3_CTX
*ctx
, int ext_nid
,
581 X509_EXTENSION
*X509V3_EXT_nconf(CONF
*conf
, X509V3_CTX
*ctx
, const char *name
,
583 int X509V3_EXT_add_nconf_sk(CONF
*conf
, X509V3_CTX
*ctx
, const char *section
,
584 STACK_OF(X509_EXTENSION
) **sk
);
585 int X509V3_EXT_add_nconf(CONF
*conf
, X509V3_CTX
*ctx
, const char *section
,
587 int X509V3_EXT_REQ_add_nconf(CONF
*conf
, X509V3_CTX
*ctx
, const char *section
,
589 int X509V3_EXT_CRL_add_nconf(CONF
*conf
, X509V3_CTX
*ctx
, const char *section
,
592 X509_EXTENSION
*X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE
) *conf
,
593 X509V3_CTX
*ctx
, int ext_nid
,
595 X509_EXTENSION
*X509V3_EXT_conf(LHASH_OF(CONF_VALUE
) *conf
, X509V3_CTX
*ctx
,
596 const char *name
, const char *value
);
597 int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE
) *conf
, X509V3_CTX
*ctx
,
598 const char *section
, X509
*cert
);
599 int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE
) *conf
, X509V3_CTX
*ctx
,
600 const char *section
, X509_REQ
*req
);
601 int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE
) *conf
, X509V3_CTX
*ctx
,
602 const char *section
, X509_CRL
*crl
);
604 int X509V3_add_value_bool_nf(const char *name
, int asn1_bool
,
605 STACK_OF(CONF_VALUE
) **extlist
);
606 int X509V3_get_value_bool(const CONF_VALUE
*value
, int *asn1_bool
);
607 int X509V3_get_value_int(const CONF_VALUE
*value
, ASN1_INTEGER
**aint
);
608 void X509V3_set_nconf(X509V3_CTX
*ctx
, CONF
*conf
);
609 void X509V3_set_conf_lhash(X509V3_CTX
*ctx
, LHASH_OF(CONF_VALUE
) *lhash
);
612 char *X509V3_get_string(X509V3_CTX
*ctx
, const char *name
, const char *section
);
613 STACK_OF(CONF_VALUE
) *X509V3_get_section(X509V3_CTX
*ctx
, const char *section
);
614 void X509V3_string_free(X509V3_CTX
*ctx
, char *str
);
615 void X509V3_section_free(X509V3_CTX
*ctx
, STACK_OF(CONF_VALUE
) *section
);
616 void X509V3_set_ctx(X509V3_CTX
*ctx
, X509
*issuer
, X509
*subject
,
617 X509_REQ
*req
, X509_CRL
*crl
, int flags
);
619 int X509V3_add_value(const char *name
, const char *value
,
620 STACK_OF(CONF_VALUE
) **extlist
);
621 int X509V3_add_value_uchar(const char *name
, const unsigned char *value
,
622 STACK_OF(CONF_VALUE
) **extlist
);
623 int X509V3_add_value_bool(const char *name
, int asn1_bool
,
624 STACK_OF(CONF_VALUE
) **extlist
);
625 int X509V3_add_value_int(const char *name
, const ASN1_INTEGER
*aint
,
626 STACK_OF(CONF_VALUE
) **extlist
);
627 char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD
*meth
, const ASN1_INTEGER
*aint
);
628 ASN1_INTEGER
*s2i_ASN1_INTEGER(X509V3_EXT_METHOD
*meth
, const char *value
);
629 char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD
*meth
, const ASN1_ENUMERATED
*aint
);
630 char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD
*meth
,
631 const ASN1_ENUMERATED
*aint
);
632 int X509V3_EXT_add(X509V3_EXT_METHOD
*ext
);
633 int X509V3_EXT_add_list(X509V3_EXT_METHOD
*extlist
);
634 int X509V3_EXT_add_alias(int nid_to
, int nid_from
);
635 void X509V3_EXT_cleanup(void);
637 const X509V3_EXT_METHOD
*X509V3_EXT_get(X509_EXTENSION
*ext
);
638 const X509V3_EXT_METHOD
*X509V3_EXT_get_nid(int nid
);
639 int X509V3_add_standard_extensions(void);
640 STACK_OF(CONF_VALUE
) *X509V3_parse_list(const char *line
);
641 void *X509V3_EXT_d2i(X509_EXTENSION
*ext
);
642 void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION
) *x
, int nid
, int *crit
,
645 X509_EXTENSION
*X509V3_EXT_i2d(int ext_nid
, int crit
, void *ext_struc
);
646 int X509V3_add1_i2d(STACK_OF(X509_EXTENSION
) **x
, int nid
, void *value
,
647 int crit
, unsigned long flags
);
649 #ifndef OPENSSL_NO_DEPRECATED_1_1_0
650 /* The new declarations are in crypto.h, but the old ones were here. */
651 # define hex_to_string OPENSSL_buf2hexstr
652 # define string_to_hex OPENSSL_hexstr2buf
655 void X509V3_EXT_val_prn(BIO
*out
, STACK_OF(CONF_VALUE
) *val
, int indent
,
657 int X509V3_EXT_print(BIO
*out
, X509_EXTENSION
*ext
, unsigned long flag
,
659 #ifndef OPENSSL_NO_STDIO
660 int X509V3_EXT_print_fp(FILE *out
, X509_EXTENSION
*ext
, int flag
, int indent
);
662 int X509V3_extensions_print(BIO
*out
, const char *title
,
663 const STACK_OF(X509_EXTENSION
) *exts
,
664 unsigned long flag
, int indent
);
/*
 * Certificate classification and purpose checks. These presumably read the
 * cached extension data (see X509v3_cache_extensions above), which would
 * explain why the X509 arguments are not const -- confirm.
 */

/*
 * Is x a CA? 0 means no. The non-zero codes distinguish how CA status was
 * established (X509v3 basicConstraints vs. legacy heuristics) -- confirm the
 * exact codes in the implementation before comparing against anything but 0.
 */
int X509_check_ca(X509 *x);
/*
 * Is x usable for purpose id (one of the X509_PURPOSE_* values above)?
 * ca selects whether x is checked in its CA role (non-zero) or as an end
 * entity. Presumably returns 1 on success and 0 otherwise -- confirm.
 */
int X509_check_purpose(X509 *x, int id, int ca);
/* Does the library have a handler for extension ex? */
int X509_supported_extension(X509_EXTENSION *ex);
/* Validate purpose and store it in *p; presumably 0 for an unknown value */
int X509_PURPOSE_set(int *p, int purpose);
/*
 * Could issuer have issued subject? Presumably returns X509_V_OK (0) or an
 * X509_V_ERR_* code -- note that 0 is success here, the opposite of
 * X509_check_purpose; confirm against the implementation.
 */
int X509_check_issued(X509 *issuer, X509 *subject);
/* Check an authorityKeyIdentifier against issuer; presumably the same return convention as X509_check_issued */
int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
/* Proxy-certificate bookkeeping (RFC 3820); see EXFLAG_PROXY above */
void X509_set_proxy_flag(X509 *x);
void X509_set_proxy_pathlen(X509 *x, long l);
long X509_get_proxy_pathlen(X509 *x);
/*
 * Accessors for precomputed extension data. The three flag words are
 * presumably bitmasks over EXFLAG_*, KU_* and XKU_* respectively -- confirm.
 * The get0 functions return pointers owned by the certificate: do not free
 * them and do not use them after x is freed. They may be NULL when the
 * corresponding extension is absent.
 */
uint32_t X509_get_extension_flags(X509 *x);
uint32_t X509_get_key_usage(X509 *x);
uint32_t X509_get_extended_key_usage(X509 *x);
const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x);
const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x);
const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x);
const ASN1_INTEGER *X509_get0_authority_serial(X509 *x);
684 int X509_PURPOSE_get_count(void);
685 X509_PURPOSE
*X509_PURPOSE_get0(int idx
);
686 int X509_PURPOSE_get_by_sname(const char *sname
);
687 int X509_PURPOSE_get_by_id(int id
);
688 int X509_PURPOSE_add(int id
, int trust
, int flags
,
689 int (*ck
) (const X509_PURPOSE
*, const X509
*, int),
690 const char *name
, const char *sname
, void *arg
);
691 char *X509_PURPOSE_get0_name(const X509_PURPOSE
*xp
);
692 char *X509_PURPOSE_get0_sname(const X509_PURPOSE
*xp
);
693 int X509_PURPOSE_get_trust(const X509_PURPOSE
*xp
);
694 void X509_PURPOSE_cleanup(void);
695 int X509_PURPOSE_get_id(const X509_PURPOSE
*);
697 STACK_OF(OPENSSL_STRING
) *X509_get1_email(X509
*x
);
698 STACK_OF(OPENSSL_STRING
) *X509_REQ_get1_email(X509_REQ
*x
);
699 void X509_email_free(STACK_OF(OPENSSL_STRING
) *sk
);
700 STACK_OF(OPENSSL_STRING
) *X509_get1_ocsp(X509
*x
);
/* Flags for X509_check_* functions */

/*
 * Always check subject name for host match even if subject alt names present
 */
# define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0x1
/* Disable wildcard matching for dnsName fields and common name. */
# define X509_CHECK_FLAG_NO_WILDCARDS 0x2
/* Wildcards must not match a partial label. */
# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0x4
/* Allow (non-partial) wildcards to match multiple labels. */
# define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8
/* Constrain verifier subdomain patterns to match a single label. */
# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10
/* Never check the subject CN */
# define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20
/*
 * Match reference identifiers starting with "." to any sub-domain.
 * This is a non-public flag, turned on implicitly when the subject
 * reference identity is a DNS name.
 * NOTE(review): an identifier beginning with an underscore followed by an
 * upper-case letter is reserved for the implementation in C; it is kept
 * for compatibility, and application code should not set it directly.
 */
# define _X509_CHECK_FLAG_DOT_SUBDOMAINS 0x8000
/**
 * Check whether certificate x matches the host name chk.
 *
 * @param x        certificate to check
 * @param chk      host name to match
 * @param chklen   length of chk in bytes; a value of 0 presumably means chk
 *                 is NUL-terminated -- confirm against the implementation
 * @param flags    bitwise OR of the X509_CHECK_FLAG_* values above; 0
 *                 selects the default matching behaviour
 * @param peername if non-NULL, presumably receives an allocated copy of the
 *                 name that matched -- confirm who frees it
 * @return         the OpenSSL manual documents 1 for a match, 0 for no
 *                 match and negative values for internal error or malformed
 *                 input; callers must therefore test for == 1, never != 0.
 */
int X509_check_host(X509 *x, const char *chk, size_t chklen,
                    unsigned int flags, char **peername);
726 int X509_check_email(X509
*x
, const char *chk
, size_t chklen
,
728 int X509_check_ip(X509
*x
, const unsigned char *chk
, size_t chklen
,
/**
 * Check whether certificate x contains the IP address given in textual
 * form. Textual counterpart of X509_check_ip(); presumably shares its
 * status codes (1 match, 0 no match, negative on error or malformed
 * input -- confirm), so test for == 1 rather than != 0.
 *
 * @param x      certificate to check
 * @param ipasc  NUL-terminated IPv4 or IPv6 address string
 * @param flags  X509_CHECK_FLAG_* bits
 */
int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags);

/**
 * Parse a textual IP address into the binary octet-string form used for a
 * GENERAL_NAME iPAddress. Presumably returns NULL on a parse failure and
 * hands ownership of the result to the caller -- confirm.
 */
ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
/**
 * Like a2i_IPADDRESS but for the address/mask form used in name
 * constraints (_NC); presumably the mask octets follow the address octets
 * in the result -- confirm against the implementation.
 */
ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
734 int X509V3_NAME_from_section(X509_NAME
*nm
, STACK_OF(CONF_VALUE
) *dn_sk
,
735 unsigned long chtype
);
737 void X509_POLICY_NODE_print(BIO
*out
, X509_POLICY_NODE
*node
, int indent
);
739 #ifndef OPENSSL_NO_RFC3779
740 typedef struct ASRange_st
{
741 ASN1_INTEGER
*min
, *max
;
744 # define ASIdOrRange_id 0
745 # define ASIdOrRange_range 1
747 typedef struct ASIdOrRange_st
{
755 typedef STACK_OF(ASIdOrRange
) ASIdOrRanges
;
757 # define ASIdentifierChoice_inherit 0
758 # define ASIdentifierChoice_asIdsOrRanges 1
760 typedef struct ASIdentifierChoice_st
{
764 ASIdOrRanges
*asIdsOrRanges
;
766 } ASIdentifierChoice
;
768 typedef struct ASIdentifiers_st
{
769 ASIdentifierChoice
*asnum
, *rdi
;
772 DECLARE_ASN1_FUNCTIONS(ASRange
)
773 DECLARE_ASN1_FUNCTIONS(ASIdOrRange
)
774 DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice
)
775 DECLARE_ASN1_FUNCTIONS(ASIdentifiers
)
777 typedef struct IPAddressRange_st
{
778 ASN1_BIT_STRING
*min
, *max
;
781 # define IPAddressOrRange_addressPrefix 0
782 # define IPAddressOrRange_addressRange 1
784 typedef struct IPAddressOrRange_st
{
787 ASN1_BIT_STRING
*addressPrefix
;
788 IPAddressRange
*addressRange
;
792 typedef STACK_OF(IPAddressOrRange
) IPAddressOrRanges
;
794 # define IPAddressChoice_inherit 0
795 # define IPAddressChoice_addressesOrRanges 1
797 typedef struct IPAddressChoice_st
{
801 IPAddressOrRanges
*addressesOrRanges
;
805 typedef struct IPAddressFamily_st
{
806 ASN1_OCTET_STRING
*addressFamily
;
807 IPAddressChoice
*ipAddressChoice
;
810 typedef STACK_OF(IPAddressFamily
) IPAddrBlocks
;
812 DECLARE_ASN1_FUNCTIONS(IPAddressRange
)
813 DECLARE_ASN1_FUNCTIONS(IPAddressOrRange
)
814 DECLARE_ASN1_FUNCTIONS(IPAddressChoice
)
815 DECLARE_ASN1_FUNCTIONS(IPAddressFamily
)
818 * API tag for elements of the ASIdentifier SEQUENCE.
820 # define V3_ASID_ASNUM 0
821 # define V3_ASID_RDI 1
824 * AFI values, assigned by IANA. It'd be nice to make the AFI
825 * handling code totally generic, but there are too many little things
826 * that would need to be defined for other address families for it to
827 * be worth the trouble.
829 # define IANA_AFI_IPV4 1
830 # define IANA_AFI_IPV6 2
833 * Utilities to construct and extract values from RFC3779 extensions,
834 * since some of the encodings (particularly for IP address prefixes
835 * and ranges) are a bit tedious to work with directly.
837 int X509v3_asid_add_inherit(ASIdentifiers
*asid
, int which
);
838 int X509v3_asid_add_id_or_range(ASIdentifiers
*asid
, int which
,
839 ASN1_INTEGER
*min
, ASN1_INTEGER
*max
);
840 int X509v3_addr_add_inherit(IPAddrBlocks
*addr
,
841 const unsigned afi
, const unsigned *safi
);
842 int X509v3_addr_add_prefix(IPAddrBlocks
*addr
,
843 const unsigned afi
, const unsigned *safi
,
844 unsigned char *a
, const int prefixlen
);
845 int X509v3_addr_add_range(IPAddrBlocks
*addr
,
846 const unsigned afi
, const unsigned *safi
,
847 unsigned char *min
, unsigned char *max
);
848 unsigned X509v3_addr_get_afi(const IPAddressFamily
*f
);
849 int X509v3_addr_get_range(IPAddressOrRange
*aor
, const unsigned afi
,
850 unsigned char *min
, unsigned char *max
,
856 int X509v3_asid_is_canonical(ASIdentifiers
*asid
);
857 int X509v3_addr_is_canonical(IPAddrBlocks
*addr
);
858 int X509v3_asid_canonize(ASIdentifiers
*asid
);
859 int X509v3_addr_canonize(IPAddrBlocks
*addr
);
862 * Tests for inheritance and containment.
864 int X509v3_asid_inherits(ASIdentifiers
*asid
);
865 int X509v3_addr_inherits(IPAddrBlocks
*addr
);
866 int X509v3_asid_subset(ASIdentifiers
*a
, ASIdentifiers
*b
);
867 int X509v3_addr_subset(IPAddrBlocks
*a
, IPAddrBlocks
*b
);
870 * Check whether RFC 3779 extensions nest properly in chains.
872 int X509v3_asid_validate_path(X509_STORE_CTX
*);
873 int X509v3_addr_validate_path(X509_STORE_CTX
*);
874 int X509v3_asid_validate_resource_set(STACK_OF(X509
) *chain
,
876 int allow_inheritance
);
877 int X509v3_addr_validate_resource_set(STACK_OF(X509
) *chain
,
878 IPAddrBlocks
*ext
, int allow_inheritance
);
880 #endif /* OPENSSL_NO_RFC3779 */
886 typedef struct NamingAuthority_st NAMING_AUTHORITY
;
887 typedef struct ProfessionInfo_st PROFESSION_INFO
;
888 typedef struct Admissions_st ADMISSIONS
;
889 typedef struct AdmissionSyntax_st ADMISSION_SYNTAX
;
890 DECLARE_ASN1_FUNCTIONS(NAMING_AUTHORITY
)
891 DECLARE_ASN1_FUNCTIONS(PROFESSION_INFO
)
892 DECLARE_ASN1_FUNCTIONS(ADMISSIONS
)
893 DECLARE_ASN1_FUNCTIONS(ADMISSION_SYNTAX
)
894 typedef STACK_OF(PROFESSION_INFO
) PROFESSION_INFOS
;
896 const ASN1_OBJECT
*NAMING_AUTHORITY_get0_authorityId(
897 const NAMING_AUTHORITY
*n
);
898 const ASN1_IA5STRING
*NAMING_AUTHORITY_get0_authorityURL(
899 const NAMING_AUTHORITY
*n
);
900 const ASN1_STRING
*NAMING_AUTHORITY_get0_authorityText(
901 const NAMING_AUTHORITY
*n
);
902 void NAMING_AUTHORITY_set0_authorityId(NAMING_AUTHORITY
*n
,
903 ASN1_OBJECT
* namingAuthorityId
);
904 void NAMING_AUTHORITY_set0_authorityURL(NAMING_AUTHORITY
*n
,
905 ASN1_IA5STRING
* namingAuthorityUrl
);
906 void NAMING_AUTHORITY_set0_authorityText(NAMING_AUTHORITY
*n
,
907 ASN1_STRING
* namingAuthorityText
);
909 const GENERAL_NAME
*ADMISSION_SYNTAX_get0_admissionAuthority(
910 const ADMISSION_SYNTAX
*as
);
911 void ADMISSION_SYNTAX_set0_admissionAuthority(
912 ADMISSION_SYNTAX
*as
, GENERAL_NAME
*aa
);
913 const STACK_OF(ADMISSIONS
) *ADMISSION_SYNTAX_get0_contentsOfAdmissions(
914 const ADMISSION_SYNTAX
*as
);
915 void ADMISSION_SYNTAX_set0_contentsOfAdmissions(
916 ADMISSION_SYNTAX
*as
, STACK_OF(ADMISSIONS
) *a
);
917 const GENERAL_NAME
*ADMISSIONS_get0_admissionAuthority(const ADMISSIONS
*a
);
918 void ADMISSIONS_set0_admissionAuthority(ADMISSIONS
*a
, GENERAL_NAME
*aa
);
919 const NAMING_AUTHORITY
*ADMISSIONS_get0_namingAuthority(const ADMISSIONS
*a
);
920 void ADMISSIONS_set0_namingAuthority(ADMISSIONS
*a
, NAMING_AUTHORITY
*na
);
921 const PROFESSION_INFOS
*ADMISSIONS_get0_professionInfos(const ADMISSIONS
*a
);
922 void ADMISSIONS_set0_professionInfos(ADMISSIONS
*a
, PROFESSION_INFOS
*pi
);
923 const ASN1_OCTET_STRING
*PROFESSION_INFO_get0_addProfessionInfo(
924 const PROFESSION_INFO
*pi
);
925 void PROFESSION_INFO_set0_addProfessionInfo(
926 PROFESSION_INFO
*pi
, ASN1_OCTET_STRING
*aos
);
927 const NAMING_AUTHORITY
*PROFESSION_INFO_get0_namingAuthority(
928 const PROFESSION_INFO
*pi
);
929 void PROFESSION_INFO_set0_namingAuthority(
930 PROFESSION_INFO
*pi
, NAMING_AUTHORITY
*na
);
931 const STACK_OF(ASN1_STRING
) *PROFESSION_INFO_get0_professionItems(
932 const PROFESSION_INFO
*pi
);
933 void PROFESSION_INFO_set0_professionItems(
934 PROFESSION_INFO
*pi
, STACK_OF(ASN1_STRING
) *as
);
935 const STACK_OF(ASN1_OBJECT
) *PROFESSION_INFO_get0_professionOIDs(
936 const PROFESSION_INFO
*pi
);
937 void PROFESSION_INFO_set0_professionOIDs(
938 PROFESSION_INFO
*pi
, STACK_OF(ASN1_OBJECT
) *po
);
939 const ASN1_PRINTABLESTRING
*PROFESSION_INFO_get0_registrationNumber(
940 const PROFESSION_INFO
*pi
);
941 void PROFESSION_INFO_set0_registrationNumber(
942 PROFESSION_INFO
*pi
, ASN1_PRINTABLESTRING
*rn
);