2 * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #ifndef HEADER_X509V3_H
11 # define HEADER_X509V3_H
13 # include <openssl/bio.h>
14 # include <openssl/x509.h>
15 # include <openssl/conf.h>
16 # include <openssl/x509v3err.h>
22 /* Forward reference */
28 typedef void *(*X509V3_EXT_NEW
)(void);
29 typedef void (*X509V3_EXT_FREE
) (void *);
30 typedef void *(*X509V3_EXT_D2I
)(void *, const unsigned char **, long);
31 typedef int (*X509V3_EXT_I2D
) (void *, unsigned char **);
32 typedef STACK_OF(CONF_VALUE
) *
33 (*X509V3_EXT_I2V
) (const struct v3_ext_method
*method
, void *ext
,
34 STACK_OF(CONF_VALUE
) *extlist
);
35 typedef void *(*X509V3_EXT_V2I
)(const struct v3_ext_method
*method
,
36 struct v3_ext_ctx
*ctx
,
37 STACK_OF(CONF_VALUE
) *values
);
38 typedef char *(*X509V3_EXT_I2S
)(const struct v3_ext_method
*method
,
40 typedef void *(*X509V3_EXT_S2I
)(const struct v3_ext_method
*method
,
41 struct v3_ext_ctx
*ctx
, const char *str
);
42 typedef int (*X509V3_EXT_I2R
) (const struct v3_ext_method
*method
, void *ext
,
43 BIO
*out
, int indent
);
44 typedef void *(*X509V3_EXT_R2I
)(const struct v3_ext_method
*method
,
45 struct v3_ext_ctx
*ctx
, const char *str
);
47 /* V3 extension structure */
49 struct v3_ext_method
{
52 /* If this is set the following four fields are ignored */
54 /* Old style ASN1 calls */
55 X509V3_EXT_NEW ext_new
;
56 X509V3_EXT_FREE ext_free
;
59 /* The following pair is used for string extensions */
62 /* The following pair is used for multi-valued extensions */
65 /* The following are used for raw extensions */
68 void *usr_data
; /* Any extension specific data */
71 typedef struct X509V3_CONF_METHOD_st
{
72 char *(*get_string
) (void *db
, const char *section
, const char *value
);
73 STACK_OF(CONF_VALUE
) *(*get_section
) (void *db
, const char *section
);
74 void (*free_string
) (void *db
, char *string
);
75 void (*free_section
) (void *db
, STACK_OF(CONF_VALUE
) *section
);
78 /* Context specific info */
81 # define X509V3_CTX_REPLACE 0x2
85 X509_REQ
*subject_req
;
87 X509V3_CONF_METHOD
*db_meth
;
92 typedef struct v3_ext_method X509V3_EXT_METHOD
;
94 DEFINE_STACK_OF(X509V3_EXT_METHOD
)
96 /* ext_flags values */
97 # define X509V3_EXT_DYNAMIC 0x1
98 # define X509V3_EXT_CTX_DEP 0x2
99 # define X509V3_EXT_MULTILINE 0x4
101 typedef BIT_STRING_BITNAME ENUMERATED_NAMES
;
103 typedef struct BASIC_CONSTRAINTS_st
{
105 ASN1_INTEGER
*pathlen
;
108 typedef struct PKEY_USAGE_PERIOD_st
{
109 ASN1_GENERALIZEDTIME
*notBefore
;
110 ASN1_GENERALIZEDTIME
*notAfter
;
113 typedef struct otherName_st
{
114 ASN1_OBJECT
*type_id
;
118 typedef struct EDIPartyName_st
{
119 ASN1_STRING
*nameAssigner
;
120 ASN1_STRING
*partyName
;
123 typedef struct GENERAL_NAME_st
{
124 # define GEN_OTHERNAME 0
128 # define GEN_DIRNAME 4
129 # define GEN_EDIPARTY 5
136 OTHERNAME
*otherName
; /* otherName */
137 ASN1_IA5STRING
*rfc822Name
;
138 ASN1_IA5STRING
*dNSName
;
139 ASN1_TYPE
*x400Address
;
140 X509_NAME
*directoryName
;
141 EDIPARTYNAME
*ediPartyName
;
142 ASN1_IA5STRING
*uniformResourceIdentifier
;
143 ASN1_OCTET_STRING
*iPAddress
;
144 ASN1_OBJECT
*registeredID
;
146 ASN1_OCTET_STRING
*ip
; /* iPAddress */
147 X509_NAME
*dirn
; /* dirn */
148 ASN1_IA5STRING
*ia5
; /* rfc822Name, dNSName,
149 * uniformResourceIdentifier */
150 ASN1_OBJECT
*rid
; /* registeredID */
151 ASN1_TYPE
*other
; /* x400Address */
155 typedef struct ACCESS_DESCRIPTION_st
{
157 GENERAL_NAME
*location
;
158 } ACCESS_DESCRIPTION
;
160 typedef STACK_OF(ACCESS_DESCRIPTION
) AUTHORITY_INFO_ACCESS
;
162 typedef STACK_OF(ASN1_OBJECT
) EXTENDED_KEY_USAGE
;
164 typedef STACK_OF(ASN1_INTEGER
) TLS_FEATURE
;
166 DEFINE_STACK_OF(GENERAL_NAME
)
167 typedef STACK_OF(GENERAL_NAME
) GENERAL_NAMES
;
168 DEFINE_STACK_OF(GENERAL_NAMES
)
170 DEFINE_STACK_OF(ACCESS_DESCRIPTION
)
172 typedef struct DIST_POINT_NAME_st
{
175 GENERAL_NAMES
*fullname
;
176 STACK_OF(X509_NAME_ENTRY
) *relativename
;
178 /* If relativename then this contains the full distribution point name */
181 /* All existing reasons */
182 # define CRLDP_ALL_REASONS 0x807f
184 # define CRL_REASON_NONE -1
185 # define CRL_REASON_UNSPECIFIED 0
186 # define CRL_REASON_KEY_COMPROMISE 1
187 # define CRL_REASON_CA_COMPROMISE 2
188 # define CRL_REASON_AFFILIATION_CHANGED 3
189 # define CRL_REASON_SUPERSEDED 4
190 # define CRL_REASON_CESSATION_OF_OPERATION 5
191 # define CRL_REASON_CERTIFICATE_HOLD 6
192 # define CRL_REASON_REMOVE_FROM_CRL 8
193 # define CRL_REASON_PRIVILEGE_WITHDRAWN 9
194 # define CRL_REASON_AA_COMPROMISE 10
196 struct DIST_POINT_st
{
197 DIST_POINT_NAME
*distpoint
;
198 ASN1_BIT_STRING
*reasons
;
199 GENERAL_NAMES
*CRLissuer
;
203 typedef STACK_OF(DIST_POINT
) CRL_DIST_POINTS
;
205 DEFINE_STACK_OF(DIST_POINT
)
207 struct AUTHORITY_KEYID_st
{
208 ASN1_OCTET_STRING
*keyid
;
209 GENERAL_NAMES
*issuer
;
210 ASN1_INTEGER
*serial
;
213 /* Strong extranet structures */
215 typedef struct SXNET_ID_st
{
217 ASN1_OCTET_STRING
*user
;
220 DEFINE_STACK_OF(SXNETID
)
222 typedef struct SXNET_st
{
223 ASN1_INTEGER
*version
;
224 STACK_OF(SXNETID
) *ids
;
227 typedef struct NOTICEREF_st
{
228 ASN1_STRING
*organization
;
229 STACK_OF(ASN1_INTEGER
) *noticenos
;
232 typedef struct USERNOTICE_st
{
233 NOTICEREF
*noticeref
;
234 ASN1_STRING
*exptext
;
237 typedef struct POLICYQUALINFO_st
{
238 ASN1_OBJECT
*pqualid
;
240 ASN1_IA5STRING
*cpsuri
;
241 USERNOTICE
*usernotice
;
246 DEFINE_STACK_OF(POLICYQUALINFO
)
248 typedef struct POLICYINFO_st
{
249 ASN1_OBJECT
*policyid
;
250 STACK_OF(POLICYQUALINFO
) *qualifiers
;
253 typedef STACK_OF(POLICYINFO
) CERTIFICATEPOLICIES
;
255 DEFINE_STACK_OF(POLICYINFO
)
257 typedef struct POLICY_MAPPING_st
{
258 ASN1_OBJECT
*issuerDomainPolicy
;
259 ASN1_OBJECT
*subjectDomainPolicy
;
262 DEFINE_STACK_OF(POLICY_MAPPING
)
264 typedef STACK_OF(POLICY_MAPPING
) POLICY_MAPPINGS
;
266 typedef struct GENERAL_SUBTREE_st
{
268 ASN1_INTEGER
*minimum
;
269 ASN1_INTEGER
*maximum
;
272 DEFINE_STACK_OF(GENERAL_SUBTREE
)
274 struct NAME_CONSTRAINTS_st
{
275 STACK_OF(GENERAL_SUBTREE
) *permittedSubtrees
;
276 STACK_OF(GENERAL_SUBTREE
) *excludedSubtrees
;
279 typedef struct POLICY_CONSTRAINTS_st
{
280 ASN1_INTEGER
*requireExplicitPolicy
;
281 ASN1_INTEGER
*inhibitPolicyMapping
;
282 } POLICY_CONSTRAINTS
;
284 /* Proxy certificate structures, see RFC 3820 */
285 typedef struct PROXY_POLICY_st
{
286 ASN1_OBJECT
*policyLanguage
;
287 ASN1_OCTET_STRING
*policy
;
290 typedef struct PROXY_CERT_INFO_EXTENSION_st
{
291 ASN1_INTEGER
*pcPathLengthConstraint
;
292 PROXY_POLICY
*proxyPolicy
;
293 } PROXY_CERT_INFO_EXTENSION
;
295 DECLARE_ASN1_FUNCTIONS(PROXY_POLICY
)
296 DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION
)
298 struct ISSUING_DIST_POINT_st
{
299 DIST_POINT_NAME
*distpoint
;
302 ASN1_BIT_STRING
*onlysomereasons
;
307 /* Values in idp_flags field */
309 # define IDP_PRESENT 0x1
310 /* IDP values inconsistent */
311 # define IDP_INVALID 0x2
313 # define IDP_ONLYUSER 0x4
315 # define IDP_ONLYCA 0x8
317 # define IDP_ONLYATTR 0x10
318 /* indirectCRL true */
319 # define IDP_INDIRECT 0x20
320 /* onlysomereasons present */
321 # define IDP_REASONS 0x40
323 # define X509V3_conf_err(val) ERR_add_error_data(6, \
324 "section:", (val)->section, \
325 ",name:", (val)->name, ",value:", (val)->value)
327 # define X509V3_set_ctx_test(ctx) \
328 X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, CTX_TEST)
329 # define X509V3_set_ctx_nodb(ctx) (ctx)->db = NULL;
331 # define EXT_BITSTRING(nid, table) { nid, 0, ASN1_ITEM_ref(ASN1_BIT_STRING), \
334 (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING, \
335 (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING, \
339 # define EXT_IA5STRING(nid) { nid, 0, ASN1_ITEM_ref(ASN1_IA5STRING), \
341 (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \
342 (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, \
346 # define EXT_END { -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
348 /* X509_PURPOSE stuff */
350 # define EXFLAG_BCONS 0x1
351 # define EXFLAG_KUSAGE 0x2
352 # define EXFLAG_XKUSAGE 0x4
353 # define EXFLAG_NSCERT 0x8
355 # define EXFLAG_CA 0x10
356 /* Really self issued not necessarily self signed */
357 # define EXFLAG_SI 0x20
358 # define EXFLAG_V1 0x40
359 # define EXFLAG_INVALID 0x80
360 /* EXFLAG_SET is set to indicate that some values have been precomputed */
361 # define EXFLAG_SET 0x100
362 # define EXFLAG_CRITICAL 0x200
363 # define EXFLAG_PROXY 0x400
365 # define EXFLAG_INVALID_POLICY 0x800
366 # define EXFLAG_FRESHEST 0x1000
368 # define EXFLAG_SS 0x2000
370 # define KU_DIGITAL_SIGNATURE 0x0080
371 # define KU_NON_REPUDIATION 0x0040
372 # define KU_KEY_ENCIPHERMENT 0x0020
373 # define KU_DATA_ENCIPHERMENT 0x0010
374 # define KU_KEY_AGREEMENT 0x0008
375 # define KU_KEY_CERT_SIGN 0x0004
376 # define KU_CRL_SIGN 0x0002
377 # define KU_ENCIPHER_ONLY 0x0001
378 # define KU_DECIPHER_ONLY 0x8000
380 # define NS_SSL_CLIENT 0x80
381 # define NS_SSL_SERVER 0x40
382 # define NS_SMIME 0x20
383 # define NS_OBJSIGN 0x10
384 # define NS_SSL_CA 0x04
385 # define NS_SMIME_CA 0x02
386 # define NS_OBJSIGN_CA 0x01
387 # define NS_ANY_CA (NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
389 # define XKU_SSL_SERVER 0x1
390 # define XKU_SSL_CLIENT 0x2
391 # define XKU_SMIME 0x4
392 # define XKU_CODE_SIGN 0x8
393 # define XKU_SGC 0x10
394 # define XKU_OCSP_SIGN 0x20
395 # define XKU_TIMESTAMP 0x40
396 # define XKU_DVCS 0x80
397 # define XKU_ANYEKU 0x100
399 # define X509_PURPOSE_DYNAMIC 0x1
400 # define X509_PURPOSE_DYNAMIC_NAME 0x2
402 typedef struct x509_purpose_st
{
404 int trust
; /* Default trust ID */
406 int (*check_purpose
) (const struct x509_purpose_st
*, const X509
*, int);
412 # define X509_PURPOSE_SSL_CLIENT 1
413 # define X509_PURPOSE_SSL_SERVER 2
414 # define X509_PURPOSE_NS_SSL_SERVER 3
415 # define X509_PURPOSE_SMIME_SIGN 4
416 # define X509_PURPOSE_SMIME_ENCRYPT 5
417 # define X509_PURPOSE_CRL_SIGN 6
418 # define X509_PURPOSE_ANY 7
419 # define X509_PURPOSE_OCSP_HELPER 8
420 # define X509_PURPOSE_TIMESTAMP_SIGN 9
422 # define X509_PURPOSE_MIN 1
423 # define X509_PURPOSE_MAX 9
425 /* Flags for X509V3_EXT_print() */
427 # define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
428 /* Return error for unknown extensions */
429 # define X509V3_EXT_DEFAULT 0
430 /* Print error for unknown extensions */
431 # define X509V3_EXT_ERROR_UNKNOWN (1L << 16)
432 /* ASN1 parse unknown extensions */
433 # define X509V3_EXT_PARSE_UNKNOWN (2L << 16)
434 /* BIO_dump unknown extensions */
435 # define X509V3_EXT_DUMP_UNKNOWN (3L << 16)
437 /* Flags for X509V3_add1_i2d */
439 # define X509V3_ADD_OP_MASK 0xfL
440 # define X509V3_ADD_DEFAULT 0L
441 # define X509V3_ADD_APPEND 1L
442 # define X509V3_ADD_REPLACE 2L
443 # define X509V3_ADD_REPLACE_EXISTING 3L
444 # define X509V3_ADD_KEEP_EXISTING 4L
445 # define X509V3_ADD_DELETE 5L
446 # define X509V3_ADD_SILENT 0x10
448 DEFINE_STACK_OF(X509_PURPOSE
)
450 DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS
)
452 DECLARE_ASN1_FUNCTIONS(SXNET
)
453 DECLARE_ASN1_FUNCTIONS(SXNETID
)
455 int SXNET_add_id_asc(SXNET
**psx
, const char *zone
, const char *user
, int userlen
);
456 int SXNET_add_id_ulong(SXNET
**psx
, unsigned long lzone
, const char *user
,
458 int SXNET_add_id_INTEGER(SXNET
**psx
, ASN1_INTEGER
*izone
, const char *user
,
461 ASN1_OCTET_STRING
*SXNET_get_id_asc(SXNET
*sx
, const char *zone
);
462 ASN1_OCTET_STRING
*SXNET_get_id_ulong(SXNET
*sx
, unsigned long lzone
);
463 ASN1_OCTET_STRING
*SXNET_get_id_INTEGER(SXNET
*sx
, ASN1_INTEGER
*zone
);
465 DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID
)
467 DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD
)
469 DECLARE_ASN1_FUNCTIONS(GENERAL_NAME
)
470 GENERAL_NAME
*GENERAL_NAME_dup(GENERAL_NAME
*a
);
471 int GENERAL_NAME_cmp(GENERAL_NAME
*a
, GENERAL_NAME
*b
);
473 ASN1_BIT_STRING
*v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD
*method
,
475 STACK_OF(CONF_VALUE
) *nval
);
476 STACK_OF(CONF_VALUE
) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD
*method
,
477 ASN1_BIT_STRING
*bits
,
478 STACK_OF(CONF_VALUE
) *extlist
);
479 char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD
*method
, ASN1_IA5STRING
*ia5
);
480 ASN1_IA5STRING
*s2i_ASN1_IA5STRING(X509V3_EXT_METHOD
*method
,
481 X509V3_CTX
*ctx
, const char *str
);
483 STACK_OF(CONF_VALUE
) *i2v_GENERAL_NAME(X509V3_EXT_METHOD
*method
,
485 STACK_OF(CONF_VALUE
) *ret
);
486 int GENERAL_NAME_print(BIO
*out
, GENERAL_NAME
*gen
);
488 DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES
)
490 STACK_OF(CONF_VALUE
) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD
*method
,
492 STACK_OF(CONF_VALUE
) *extlist
);
493 GENERAL_NAMES
*v2i_GENERAL_NAMES(const X509V3_EXT_METHOD
*method
,
494 X509V3_CTX
*ctx
, STACK_OF(CONF_VALUE
) *nval
);
496 DECLARE_ASN1_FUNCTIONS(OTHERNAME
)
497 DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME
)
498 int OTHERNAME_cmp(OTHERNAME
*a
, OTHERNAME
*b
);
499 void GENERAL_NAME_set0_value(GENERAL_NAME
*a
, int type
, void *value
);
500 void *GENERAL_NAME_get0_value(GENERAL_NAME
*a
, int *ptype
);
501 int GENERAL_NAME_set0_othername(GENERAL_NAME
*gen
,
502 ASN1_OBJECT
*oid
, ASN1_TYPE
*value
);
503 int GENERAL_NAME_get0_otherName(GENERAL_NAME
*gen
,
504 ASN1_OBJECT
**poid
, ASN1_TYPE
**pvalue
);
506 char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD
*method
,
507 const ASN1_OCTET_STRING
*ia5
);
508 ASN1_OCTET_STRING
*s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD
*method
,
509 X509V3_CTX
*ctx
, const char *str
);
511 DECLARE_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE
)
512 int i2a_ACCESS_DESCRIPTION(BIO
*bp
, const ACCESS_DESCRIPTION
*a
);
514 DECLARE_ASN1_ALLOC_FUNCTIONS(TLS_FEATURE
)
516 DECLARE_ASN1_FUNCTIONS(CERTIFICATEPOLICIES
)
517 DECLARE_ASN1_FUNCTIONS(POLICYINFO
)
518 DECLARE_ASN1_FUNCTIONS(POLICYQUALINFO
)
519 DECLARE_ASN1_FUNCTIONS(USERNOTICE
)
520 DECLARE_ASN1_FUNCTIONS(NOTICEREF
)
522 DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS
)
523 DECLARE_ASN1_FUNCTIONS(DIST_POINT
)
524 DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME
)
525 DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT
)
527 int DIST_POINT_set_dpname(DIST_POINT_NAME
*dpn
, X509_NAME
*iname
);
529 int NAME_CONSTRAINTS_check(X509
*x
, NAME_CONSTRAINTS
*nc
);
530 int NAME_CONSTRAINTS_check_CN(X509
*x
, NAME_CONSTRAINTS
*nc
);
532 DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION
)
533 DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS
)
535 DECLARE_ASN1_ITEM(POLICY_MAPPING
)
536 DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING
)
537 DECLARE_ASN1_ITEM(POLICY_MAPPINGS
)
539 DECLARE_ASN1_ITEM(GENERAL_SUBTREE
)
540 DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE
)
542 DECLARE_ASN1_ITEM(NAME_CONSTRAINTS
)
543 DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS
)
545 DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS
)
546 DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS
)
548 GENERAL_NAME
*a2i_GENERAL_NAME(GENERAL_NAME
*out
,
549 const X509V3_EXT_METHOD
*method
,
550 X509V3_CTX
*ctx
, int gen_type
,
551 const char *value
, int is_nc
);
553 # ifdef HEADER_CONF_H
554 GENERAL_NAME
*v2i_GENERAL_NAME(const X509V3_EXT_METHOD
*method
,
555 X509V3_CTX
*ctx
, CONF_VALUE
*cnf
);
556 GENERAL_NAME
*v2i_GENERAL_NAME_ex(GENERAL_NAME
*out
,
557 const X509V3_EXT_METHOD
*method
,
558 X509V3_CTX
*ctx
, CONF_VALUE
*cnf
,
560 void X509V3_conf_free(CONF_VALUE
*val
);
562 X509_EXTENSION
*X509V3_EXT_nconf_nid(CONF
*conf
, X509V3_CTX
*ctx
, int ext_nid
,
564 X509_EXTENSION
*X509V3_EXT_nconf(CONF
*conf
, X509V3_CTX
*ctx
, const char *name
,
566 int X509V3_EXT_add_nconf_sk(CONF
*conf
, X509V3_CTX
*ctx
, const char *section
,
567 STACK_OF(X509_EXTENSION
) **sk
);
568 int X509V3_EXT_add_nconf(CONF
*conf
, X509V3_CTX
*ctx
, const char *section
,
570 int X509V3_EXT_REQ_add_nconf(CONF
*conf
, X509V3_CTX
*ctx
, const char *section
,
572 int X509V3_EXT_CRL_add_nconf(CONF
*conf
, X509V3_CTX
*ctx
, const char *section
,
575 X509_EXTENSION
*X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE
) *conf
,
576 X509V3_CTX
*ctx
, int ext_nid
,
578 X509_EXTENSION
*X509V3_EXT_conf(LHASH_OF(CONF_VALUE
) *conf
, X509V3_CTX
*ctx
,
579 const char *name
, const char *value
);
580 int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE
) *conf
, X509V3_CTX
*ctx
,
581 const char *section
, X509
*cert
);
582 int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE
) *conf
, X509V3_CTX
*ctx
,
583 const char *section
, X509_REQ
*req
);
584 int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE
) *conf
, X509V3_CTX
*ctx
,
585 const char *section
, X509_CRL
*crl
);
587 int X509V3_add_value_bool_nf(const char *name
, int asn1_bool
,
588 STACK_OF(CONF_VALUE
) **extlist
);
589 int X509V3_get_value_bool(const CONF_VALUE
*value
, int *asn1_bool
);
590 int X509V3_get_value_int(const CONF_VALUE
*value
, ASN1_INTEGER
**aint
);
591 void X509V3_set_nconf(X509V3_CTX
*ctx
, CONF
*conf
);
592 void X509V3_set_conf_lhash(X509V3_CTX
*ctx
, LHASH_OF(CONF_VALUE
) *lhash
);
595 char *X509V3_get_string(X509V3_CTX
*ctx
, const char *name
, const char *section
);
596 STACK_OF(CONF_VALUE
) *X509V3_get_section(X509V3_CTX
*ctx
, const char *section
);
597 void X509V3_string_free(X509V3_CTX
*ctx
, char *str
);
598 void X509V3_section_free(X509V3_CTX
*ctx
, STACK_OF(CONF_VALUE
) *section
);
599 void X509V3_set_ctx(X509V3_CTX
*ctx
, X509
*issuer
, X509
*subject
,
600 X509_REQ
*req
, X509_CRL
*crl
, int flags
);
602 int X509V3_add_value(const char *name
, const char *value
,
603 STACK_OF(CONF_VALUE
) **extlist
);
604 int X509V3_add_value_uchar(const char *name
, const unsigned char *value
,
605 STACK_OF(CONF_VALUE
) **extlist
);
606 int X509V3_add_value_bool(const char *name
, int asn1_bool
,
607 STACK_OF(CONF_VALUE
) **extlist
);
608 int X509V3_add_value_int(const char *name
, const ASN1_INTEGER
*aint
,
609 STACK_OF(CONF_VALUE
) **extlist
);
610 char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD
*meth
, const ASN1_INTEGER
*aint
);
611 ASN1_INTEGER
*s2i_ASN1_INTEGER(X509V3_EXT_METHOD
*meth
, const char *value
);
612 char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD
*meth
, const ASN1_ENUMERATED
*aint
);
613 char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD
*meth
,
614 const ASN1_ENUMERATED
*aint
);
615 int X509V3_EXT_add(X509V3_EXT_METHOD
*ext
);
616 int X509V3_EXT_add_list(X509V3_EXT_METHOD
*extlist
);
617 int X509V3_EXT_add_alias(int nid_to
, int nid_from
);
618 void X509V3_EXT_cleanup(void);
620 const X509V3_EXT_METHOD
*X509V3_EXT_get(X509_EXTENSION
*ext
);
621 const X509V3_EXT_METHOD
*X509V3_EXT_get_nid(int nid
);
622 int X509V3_add_standard_extensions(void);
623 STACK_OF(CONF_VALUE
) *X509V3_parse_list(const char *line
);
624 void *X509V3_EXT_d2i(X509_EXTENSION
*ext
);
625 void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION
) *x
, int nid
, int *crit
,
628 X509_EXTENSION
*X509V3_EXT_i2d(int ext_nid
, int crit
, void *ext_struc
);
629 int X509V3_add1_i2d(STACK_OF(X509_EXTENSION
) **x
, int nid
, void *value
,
630 int crit
, unsigned long flags
);
632 #if OPENSSL_API_COMPAT < 0x10100000L
633 /* The new declarations are in crypto.h, but the old ones were here. */
634 # define hex_to_string OPENSSL_buf2hexstr
635 # define string_to_hex OPENSSL_hexstr2buf
638 void X509V3_EXT_val_prn(BIO
*out
, STACK_OF(CONF_VALUE
) *val
, int indent
,
640 int X509V3_EXT_print(BIO
*out
, X509_EXTENSION
*ext
, unsigned long flag
,
642 #ifndef OPENSSL_NO_STDIO
643 int X509V3_EXT_print_fp(FILE *out
, X509_EXTENSION
*ext
, int flag
, int indent
);
645 int X509V3_extensions_print(BIO
*out
, const char *title
,
646 const STACK_OF(X509_EXTENSION
) *exts
,
647 unsigned long flag
, int indent
);
649 int X509_check_ca(X509
*x
);
650 int X509_check_purpose(X509
*x
, int id
, int ca
);
651 int X509_supported_extension(X509_EXTENSION
*ex
);
652 int X509_PURPOSE_set(int *p
, int purpose
);
653 int X509_check_issued(X509
*issuer
, X509
*subject
);
654 int X509_check_akid(X509
*issuer
, AUTHORITY_KEYID
*akid
);
655 void X509_set_proxy_flag(X509
*x
);
656 void X509_set_proxy_pathlen(X509
*x
, long l
);
657 long X509_get_proxy_pathlen(X509
*x
);
659 uint32_t X509_get_extension_flags(X509
*x
);
660 uint32_t X509_get_key_usage(X509
*x
);
661 uint32_t X509_get_extended_key_usage(X509
*x
);
662 const ASN1_OCTET_STRING
*X509_get0_subject_key_id(X509
*x
);
664 int X509_PURPOSE_get_count(void);
665 X509_PURPOSE
*X509_PURPOSE_get0(int idx
);
666 int X509_PURPOSE_get_by_sname(const char *sname
);
667 int X509_PURPOSE_get_by_id(int id
);
668 int X509_PURPOSE_add(int id
, int trust
, int flags
,
669 int (*ck
) (const X509_PURPOSE
*, const X509
*, int),
670 const char *name
, const char *sname
, void *arg
);
671 char *X509_PURPOSE_get0_name(const X509_PURPOSE
*xp
);
672 char *X509_PURPOSE_get0_sname(const X509_PURPOSE
*xp
);
673 int X509_PURPOSE_get_trust(const X509_PURPOSE
*xp
);
674 void X509_PURPOSE_cleanup(void);
675 int X509_PURPOSE_get_id(const X509_PURPOSE
*);
677 STACK_OF(OPENSSL_STRING
) *X509_get1_email(X509
*x
);
678 STACK_OF(OPENSSL_STRING
) *X509_REQ_get1_email(X509_REQ
*x
);
679 void X509_email_free(STACK_OF(OPENSSL_STRING
) *sk
);
680 STACK_OF(OPENSSL_STRING
) *X509_get1_ocsp(X509
*x
);
681 /* Flags for X509_check_* functions */
684 * Always check subject name for host match even if subject alt names present
686 # define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0x1
687 /* Disable wildcard matching for dnsName fields and common name. */
688 # define X509_CHECK_FLAG_NO_WILDCARDS 0x2
689 /* Wildcards must not match a partial label. */
690 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0x4
691 /* Allow (non-partial) wildcards to match multiple labels. */
692 # define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8
693 /* Constraint verifier subdomain patterns to match a single labels. */
694 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10
695 /* Never check the subject CN */
696 # define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20
698 * Match reference identifiers starting with "." to any sub-domain.
699 * This is a non-public flag, turned on implicitly when the subject
700 * reference identity is a DNS name.
702 # define _X509_CHECK_FLAG_DOT_SUBDOMAINS 0x8000
704 int X509_check_host(X509
*x
, const char *chk
, size_t chklen
,
705 unsigned int flags
, char **peername
);
706 int X509_check_email(X509
*x
, const char *chk
, size_t chklen
,
708 int X509_check_ip(X509
*x
, const unsigned char *chk
, size_t chklen
,
710 int X509_check_ip_asc(X509
*x
, const char *ipasc
, unsigned int flags
);
712 ASN1_OCTET_STRING
*a2i_IPADDRESS(const char *ipasc
);
713 ASN1_OCTET_STRING
*a2i_IPADDRESS_NC(const char *ipasc
);
714 int X509V3_NAME_from_section(X509_NAME
*nm
, STACK_OF(CONF_VALUE
) *dn_sk
,
715 unsigned long chtype
);
717 void X509_POLICY_NODE_print(BIO
*out
, X509_POLICY_NODE
*node
, int indent
);
718 DEFINE_STACK_OF(X509_POLICY_NODE
)
720 #ifndef OPENSSL_NO_RFC3779
721 typedef struct ASRange_st
{
722 ASN1_INTEGER
*min
, *max
;
725 # define ASIdOrRange_id 0
726 # define ASIdOrRange_range 1
728 typedef struct ASIdOrRange_st
{
736 typedef STACK_OF(ASIdOrRange
) ASIdOrRanges
;
737 DEFINE_STACK_OF(ASIdOrRange
)
739 # define ASIdentifierChoice_inherit 0
740 # define ASIdentifierChoice_asIdsOrRanges 1
742 typedef struct ASIdentifierChoice_st
{
746 ASIdOrRanges
*asIdsOrRanges
;
748 } ASIdentifierChoice
;
750 typedef struct ASIdentifiers_st
{
751 ASIdentifierChoice
*asnum
, *rdi
;
754 DECLARE_ASN1_FUNCTIONS(ASRange
)
755 DECLARE_ASN1_FUNCTIONS(ASIdOrRange
)
756 DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice
)
757 DECLARE_ASN1_FUNCTIONS(ASIdentifiers
)
759 typedef struct IPAddressRange_st
{
760 ASN1_BIT_STRING
*min
, *max
;
763 # define IPAddressOrRange_addressPrefix 0
764 # define IPAddressOrRange_addressRange 1
766 typedef struct IPAddressOrRange_st
{
769 ASN1_BIT_STRING
*addressPrefix
;
770 IPAddressRange
*addressRange
;
774 typedef STACK_OF(IPAddressOrRange
) IPAddressOrRanges
;
775 DEFINE_STACK_OF(IPAddressOrRange
)
777 # define IPAddressChoice_inherit 0
778 # define IPAddressChoice_addressesOrRanges 1
780 typedef struct IPAddressChoice_st
{
784 IPAddressOrRanges
*addressesOrRanges
;
788 typedef struct IPAddressFamily_st
{
789 ASN1_OCTET_STRING
*addressFamily
;
790 IPAddressChoice
*ipAddressChoice
;
793 typedef STACK_OF(IPAddressFamily
) IPAddrBlocks
;
794 DEFINE_STACK_OF(IPAddressFamily
)
796 DECLARE_ASN1_FUNCTIONS(IPAddressRange
)
797 DECLARE_ASN1_FUNCTIONS(IPAddressOrRange
)
798 DECLARE_ASN1_FUNCTIONS(IPAddressChoice
)
799 DECLARE_ASN1_FUNCTIONS(IPAddressFamily
)
802 * API tag for elements of the ASIdentifer SEQUENCE.
804 # define V3_ASID_ASNUM 0
805 # define V3_ASID_RDI 1
808 * AFI values, assigned by IANA. It'd be nice to make the AFI
809 * handling code totally generic, but there are too many little things
810 * that would need to be defined for other address families for it to
811 * be worth the trouble.
813 # define IANA_AFI_IPV4 1
814 # define IANA_AFI_IPV6 2
817 * Utilities to construct and extract values from RFC3779 extensions,
818 * since some of the encodings (particularly for IP address prefixes
819 * and ranges) are a bit tedious to work with directly.
821 int X509v3_asid_add_inherit(ASIdentifiers
*asid
, int which
);
822 int X509v3_asid_add_id_or_range(ASIdentifiers
*asid
, int which
,
823 ASN1_INTEGER
*min
, ASN1_INTEGER
*max
);
824 int X509v3_addr_add_inherit(IPAddrBlocks
*addr
,
825 const unsigned afi
, const unsigned *safi
);
826 int X509v3_addr_add_prefix(IPAddrBlocks
*addr
,
827 const unsigned afi
, const unsigned *safi
,
828 unsigned char *a
, const int prefixlen
);
829 int X509v3_addr_add_range(IPAddrBlocks
*addr
,
830 const unsigned afi
, const unsigned *safi
,
831 unsigned char *min
, unsigned char *max
);
832 unsigned X509v3_addr_get_afi(const IPAddressFamily
*f
);
833 int X509v3_addr_get_range(IPAddressOrRange
*aor
, const unsigned afi
,
834 unsigned char *min
, unsigned char *max
,
840 int X509v3_asid_is_canonical(ASIdentifiers
*asid
);
841 int X509v3_addr_is_canonical(IPAddrBlocks
*addr
);
842 int X509v3_asid_canonize(ASIdentifiers
*asid
);
843 int X509v3_addr_canonize(IPAddrBlocks
*addr
);
846 * Tests for inheritance and containment.
848 int X509v3_asid_inherits(ASIdentifiers
*asid
);
849 int X509v3_addr_inherits(IPAddrBlocks
*addr
);
850 int X509v3_asid_subset(ASIdentifiers
*a
, ASIdentifiers
*b
);
851 int X509v3_addr_subset(IPAddrBlocks
*a
, IPAddrBlocks
*b
);
854 * Check whether RFC 3779 extensions nest properly in chains.
856 int X509v3_asid_validate_path(X509_STORE_CTX
*);
857 int X509v3_addr_validate_path(X509_STORE_CTX
*);
858 int X509v3_asid_validate_resource_set(STACK_OF(X509
) *chain
,
860 int allow_inheritance
);
861 int X509v3_addr_validate_resource_set(STACK_OF(X509
) *chain
,
862 IPAddrBlocks
*ext
, int allow_inheritance
);
864 #endif /* OPENSSL_NO_RFC3779 */