2 * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #ifndef HEADER_X509V3_H
11 # define HEADER_X509V3_H
13 # include <openssl/bio.h>
14 # include <openssl/x509.h>
15 # include <openssl/conf.h>
16 # include <openssl/x509v3err.h>
22 /* Forward reference */
/*
 * Callback signatures for an extension method table (struct v3_ext_method
 * below, typedef'd X509V3_EXT_METHOD).  Each implements one step of
 * handling a single certificate-extension type.
 */

/* "Old style ASN1 calls": allocate an empty internal representation. */
typedef void *(*X509V3_EXT_NEW)(void);
/* Free an internal representation produced by X509V3_EXT_NEW / X509V3_EXT_D2I. */
typedef void (*X509V3_EXT_FREE) (void *);
/*
 * Decode the encoded extension value (pointer, length) into the internal
 * representation.  Presumably follows the usual OpenSSL d2i convention of
 * advancing the input pointer past the consumed bytes -- confirm in the
 * implementations.
 */
typedef void *(*X509V3_EXT_D2I)(void *, const unsigned char **, long);
/* Encode the internal representation (OpenSSL i2d convention; presumably returns the encoded length). */
typedef int (*X509V3_EXT_I2D) (void *, unsigned char **);
/*
 * Used for multi-valued extensions: convert the internal representation
 * @ext into name/value CONF_VALUE pairs, appended to @extlist.
 */
typedef STACK_OF(CONF_VALUE) *
    (*X509V3_EXT_I2V) (const struct v3_ext_method *method, void *ext,
                       STACK_OF(CONF_VALUE) *extlist);
/*
 * Inverse of X509V3_EXT_I2V: build the internal representation from the
 * CONF_VALUE list @values.  @ctx carries the issuer/subject/request/CRL
 * being worked on (see X509V3_set_ctx() below).
 */
typedef void *(*X509V3_EXT_V2I)(const struct v3_ext_method *method,
                                struct v3_ext_ctx *ctx,
                                STACK_OF(CONF_VALUE) *values);
38 typedef char *(*X509V3_EXT_I2S
)(const struct v3_ext_method
*method
,
/*
 * Used for string extensions (paired with X509V3_EXT_I2S): parse @str into
 * the internal representation.  @ctx carries the issuer/subject/request/CRL
 * being worked on (see X509V3_set_ctx() below).
 */
typedef void *(*X509V3_EXT_S2I)(const struct v3_ext_method *method,
                                struct v3_ext_ctx *ctx, const char *str);
/*
 * Used for raw extensions: print the internal representation @ext to @out,
 * indented by @indent columns.
 */
typedef int (*X509V3_EXT_I2R) (const struct v3_ext_method *method, void *ext,
                               BIO *out, int indent);
/*
 * Used for raw extensions: build the internal representation from the
 * free-form configuration text @str.
 */
typedef void *(*X509V3_EXT_R2I)(const struct v3_ext_method *method,
                                struct v3_ext_ctx *ctx, const char *str);
47 /* V3 extension structure */
49 struct v3_ext_method
{
52 /* If this is set the following four fields are ignored */
54 /* Old style ASN1 calls */
55 X509V3_EXT_NEW ext_new
;
56 X509V3_EXT_FREE ext_free
;
59 /* The following pair is used for string extensions */
62 /* The following pair is used for multi-valued extensions */
65 /* The following are used for raw extensions */
68 void *usr_data
; /* Any extension specific data */
71 typedef struct X509V3_CONF_METHOD_st
{
72 char *(*get_string
) (void *db
, const char *section
, const char *value
);
73 STACK_OF(CONF_VALUE
) *(*get_section
) (void *db
, const char *section
);
74 void (*free_string
) (void *db
, char *string
);
75 void (*free_section
) (void *db
, STACK_OF(CONF_VALUE
) *section
);
78 /* Context specific info */
81 # define X509V3_CTX_REPLACE 0x2
85 X509_REQ
*subject_req
;
87 X509V3_CONF_METHOD
*db_meth
;
92 typedef struct v3_ext_method X509V3_EXT_METHOD
;
94 DEFINE_STACK_OF(X509V3_EXT_METHOD
)
96 /* ext_flags values */
97 # define X509V3_EXT_DYNAMIC 0x1
98 # define X509V3_EXT_CTX_DEP 0x2
99 # define X509V3_EXT_MULTILINE 0x4
101 typedef BIT_STRING_BITNAME ENUMERATED_NAMES
;
103 typedef struct BASIC_CONSTRAINTS_st
{
105 ASN1_INTEGER
*pathlen
;
108 typedef struct PKEY_USAGE_PERIOD_st
{
109 ASN1_GENERALIZEDTIME
*notBefore
;
110 ASN1_GENERALIZEDTIME
*notAfter
;
113 typedef struct otherName_st
{
114 ASN1_OBJECT
*type_id
;
118 typedef struct EDIPartyName_st
{
119 ASN1_STRING
*nameAssigner
;
120 ASN1_STRING
*partyName
;
123 typedef struct GENERAL_NAME_st
{
124 # define GEN_OTHERNAME 0
128 # define GEN_DIRNAME 4
129 # define GEN_EDIPARTY 5
136 OTHERNAME
*otherName
; /* otherName */
137 ASN1_IA5STRING
*rfc822Name
;
138 ASN1_IA5STRING
*dNSName
;
139 ASN1_TYPE
*x400Address
;
140 X509_NAME
*directoryName
;
141 EDIPARTYNAME
*ediPartyName
;
142 ASN1_IA5STRING
*uniformResourceIdentifier
;
143 ASN1_OCTET_STRING
*iPAddress
;
144 ASN1_OBJECT
*registeredID
;
146 ASN1_OCTET_STRING
*ip
; /* iPAddress */
147 X509_NAME
*dirn
; /* dirn */
148 ASN1_IA5STRING
*ia5
; /* rfc822Name, dNSName,
149 * uniformResourceIdentifier */
150 ASN1_OBJECT
*rid
; /* registeredID */
151 ASN1_TYPE
*other
; /* x400Address */
155 typedef struct ACCESS_DESCRIPTION_st
{
157 GENERAL_NAME
*location
;
158 } ACCESS_DESCRIPTION
;
160 typedef STACK_OF(ACCESS_DESCRIPTION
) AUTHORITY_INFO_ACCESS
;
162 typedef STACK_OF(ASN1_OBJECT
) EXTENDED_KEY_USAGE
;
164 typedef STACK_OF(ASN1_INTEGER
) TLS_FEATURE
;
166 DEFINE_STACK_OF(GENERAL_NAME
)
167 typedef STACK_OF(GENERAL_NAME
) GENERAL_NAMES
;
168 DEFINE_STACK_OF(GENERAL_NAMES
)
170 DEFINE_STACK_OF(ACCESS_DESCRIPTION
)
172 typedef struct DIST_POINT_NAME_st
{
175 GENERAL_NAMES
*fullname
;
176 STACK_OF(X509_NAME_ENTRY
) *relativename
;
178 /* If relativename then this contains the full distribution point name */
181 /* All existing reasons */
182 # define CRLDP_ALL_REASONS 0x807f
184 # define CRL_REASON_NONE -1
185 # define CRL_REASON_UNSPECIFIED 0
186 # define CRL_REASON_KEY_COMPROMISE 1
187 # define CRL_REASON_CA_COMPROMISE 2
188 # define CRL_REASON_AFFILIATION_CHANGED 3
189 # define CRL_REASON_SUPERSEDED 4
190 # define CRL_REASON_CESSATION_OF_OPERATION 5
191 # define CRL_REASON_CERTIFICATE_HOLD 6
192 # define CRL_REASON_REMOVE_FROM_CRL 8
193 # define CRL_REASON_PRIVILEGE_WITHDRAWN 9
194 # define CRL_REASON_AA_COMPROMISE 10
196 struct DIST_POINT_st
{
197 DIST_POINT_NAME
*distpoint
;
198 ASN1_BIT_STRING
*reasons
;
199 GENERAL_NAMES
*CRLissuer
;
203 typedef STACK_OF(DIST_POINT
) CRL_DIST_POINTS
;
205 DEFINE_STACK_OF(DIST_POINT
)
207 struct AUTHORITY_KEYID_st
{
208 ASN1_OCTET_STRING
*keyid
;
209 GENERAL_NAMES
*issuer
;
210 ASN1_INTEGER
*serial
;
213 /* Strong extranet structures */
215 typedef struct SXNET_ID_st
{
217 ASN1_OCTET_STRING
*user
;
220 DEFINE_STACK_OF(SXNETID
)
222 typedef struct SXNET_st
{
223 ASN1_INTEGER
*version
;
224 STACK_OF(SXNETID
) *ids
;
227 typedef struct NOTICEREF_st
{
228 ASN1_STRING
*organization
;
229 STACK_OF(ASN1_INTEGER
) *noticenos
;
232 typedef struct USERNOTICE_st
{
233 NOTICEREF
*noticeref
;
234 ASN1_STRING
*exptext
;
237 typedef struct POLICYQUALINFO_st
{
238 ASN1_OBJECT
*pqualid
;
240 ASN1_IA5STRING
*cpsuri
;
241 USERNOTICE
*usernotice
;
246 DEFINE_STACK_OF(POLICYQUALINFO
)
248 typedef struct POLICYINFO_st
{
249 ASN1_OBJECT
*policyid
;
250 STACK_OF(POLICYQUALINFO
) *qualifiers
;
253 typedef STACK_OF(POLICYINFO
) CERTIFICATEPOLICIES
;
255 DEFINE_STACK_OF(POLICYINFO
)
257 typedef struct POLICY_MAPPING_st
{
258 ASN1_OBJECT
*issuerDomainPolicy
;
259 ASN1_OBJECT
*subjectDomainPolicy
;
262 DEFINE_STACK_OF(POLICY_MAPPING
)
264 typedef STACK_OF(POLICY_MAPPING
) POLICY_MAPPINGS
;
266 typedef struct GENERAL_SUBTREE_st
{
268 ASN1_INTEGER
*minimum
;
269 ASN1_INTEGER
*maximum
;
272 DEFINE_STACK_OF(GENERAL_SUBTREE
)
274 struct NAME_CONSTRAINTS_st
{
275 STACK_OF(GENERAL_SUBTREE
) *permittedSubtrees
;
276 STACK_OF(GENERAL_SUBTREE
) *excludedSubtrees
;
/*
 * policyConstraints extension body (RFC 5280, section 4.2.1.11).  Both
 * members are OPTIONAL in the ASN.1; presumably NULL in the decoded
 * structure when absent -- confirm against the ASN1 template.
 */
typedef struct POLICY_CONSTRAINTS_st {
    /* SKIP-CERTS count before an explicit policy is required in the path */
    ASN1_INTEGER *requireExplicitPolicy;
    /* SKIP-CERTS count before policy mapping is inhibited in the path */
    ASN1_INTEGER *inhibitPolicyMapping;
} POLICY_CONSTRAINTS;
284 /* Proxy certificate structures, see RFC 3820 */
285 typedef struct PROXY_POLICY_st
{
286 ASN1_OBJECT
*policyLanguage
;
287 ASN1_OCTET_STRING
*policy
;
/*
 * proxyCertInfo extension body for proxy certificates (RFC 3820).
 * pcPathLengthConstraint is OPTIONAL in the ASN.1 and bounds how many
 * further proxy certificates may be signed below this one (presumably NULL
 * when absent -- confirm against the ASN1 template); proxyPolicy is
 * required.
 */
typedef struct PROXY_CERT_INFO_EXTENSION_st {
    ASN1_INTEGER *pcPathLengthConstraint;
    PROXY_POLICY *proxyPolicy;
} PROXY_CERT_INFO_EXTENSION;
295 DECLARE_ASN1_FUNCTIONS(PROXY_POLICY
)
296 DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION
)
298 struct ISSUING_DIST_POINT_st
{
299 DIST_POINT_NAME
*distpoint
;
302 ASN1_BIT_STRING
*onlysomereasons
;
307 /* Values in idp_flags field */
309 # define IDP_PRESENT 0x1
310 /* IDP values inconsistent */
311 # define IDP_INVALID 0x2
313 # define IDP_ONLYUSER 0x4
315 # define IDP_ONLYCA 0x8
317 # define IDP_ONLYATTR 0x10
318 /* indirectCRL true */
319 # define IDP_INDIRECT 0x20
320 /* onlysomereasons present */
321 # define IDP_REASONS 0x40
323 # define X509V3_conf_err(val) ERR_add_error_data(6, \
324 "section:", (val)->section, \
325 ",name:", (val)->name, ",value:", (val)->value)
327 # define X509V3_set_ctx_test(ctx) \
328 X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, CTX_TEST)
329 # define X509V3_set_ctx_nodb(ctx) (ctx)->db = NULL;
331 # define EXT_BITSTRING(nid, table) { nid, 0, ASN1_ITEM_ref(ASN1_BIT_STRING), \
334 (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING, \
335 (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING, \
339 # define EXT_IA5STRING(nid) { nid, 0, ASN1_ITEM_ref(ASN1_IA5STRING), \
341 (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \
342 (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, \
346 # define EXT_END { -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
348 /* X509_PURPOSE stuff */
350 # define EXFLAG_BCONS 0x1
351 # define EXFLAG_KUSAGE 0x2
352 # define EXFLAG_XKUSAGE 0x4
353 # define EXFLAG_NSCERT 0x8
355 # define EXFLAG_CA 0x10
356 /* Really self-issued, not necessarily self-signed */
357 # define EXFLAG_SI 0x20
358 # define EXFLAG_V1 0x40
359 # define EXFLAG_INVALID 0x80
360 /* EXFLAG_SET is set to indicate that some values have been precomputed */
361 # define EXFLAG_SET 0x100
362 # define EXFLAG_CRITICAL 0x200
363 # define EXFLAG_PROXY 0x400
365 # define EXFLAG_INVALID_POLICY 0x800
366 # define EXFLAG_FRESHEST 0x1000
368 # define EXFLAG_SS 0x2000
370 # define KU_DIGITAL_SIGNATURE 0x0080
371 # define KU_NON_REPUDIATION 0x0040
372 # define KU_KEY_ENCIPHERMENT 0x0020
373 # define KU_DATA_ENCIPHERMENT 0x0010
374 # define KU_KEY_AGREEMENT 0x0008
375 # define KU_KEY_CERT_SIGN 0x0004
376 # define KU_CRL_SIGN 0x0002
377 # define KU_ENCIPHER_ONLY 0x0001
378 # define KU_DECIPHER_ONLY 0x8000
380 # define NS_SSL_CLIENT 0x80
381 # define NS_SSL_SERVER 0x40
382 # define NS_SMIME 0x20
383 # define NS_OBJSIGN 0x10
384 # define NS_SSL_CA 0x04
385 # define NS_SMIME_CA 0x02
386 # define NS_OBJSIGN_CA 0x01
387 # define NS_ANY_CA (NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
389 # define XKU_SSL_SERVER 0x1
390 # define XKU_SSL_CLIENT 0x2
391 # define XKU_SMIME 0x4
392 # define XKU_CODE_SIGN 0x8
393 # define XKU_SGC 0x10
394 # define XKU_OCSP_SIGN 0x20
395 # define XKU_TIMESTAMP 0x40
396 # define XKU_DVCS 0x80
397 # define XKU_ANYEKU 0x100
399 # define X509_PURPOSE_DYNAMIC 0x1
400 # define X509_PURPOSE_DYNAMIC_NAME 0x2
402 typedef struct x509_purpose_st
{
404 int trust
; /* Default trust ID */
406 int (*check_purpose
) (const struct x509_purpose_st
*, const X509
*, int);
412 # define X509_PURPOSE_SSL_CLIENT 1
413 # define X509_PURPOSE_SSL_SERVER 2
414 # define X509_PURPOSE_NS_SSL_SERVER 3
415 # define X509_PURPOSE_SMIME_SIGN 4
416 # define X509_PURPOSE_SMIME_ENCRYPT 5
417 # define X509_PURPOSE_CRL_SIGN 6
418 # define X509_PURPOSE_ANY 7
419 # define X509_PURPOSE_OCSP_HELPER 8
420 # define X509_PURPOSE_TIMESTAMP_SIGN 9
422 # define X509_PURPOSE_MIN 1
423 # define X509_PURPOSE_MAX 9
425 /* Flags for X509V3_EXT_print() */
427 # define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
428 /* Return error for unknown extensions */
429 # define X509V3_EXT_DEFAULT 0
430 /* Print error for unknown extensions */
431 # define X509V3_EXT_ERROR_UNKNOWN (1L << 16)
432 /* ASN1 parse unknown extensions */
433 # define X509V3_EXT_PARSE_UNKNOWN (2L << 16)
434 /* BIO_dump unknown extensions */
435 # define X509V3_EXT_DUMP_UNKNOWN (3L << 16)
437 /* Flags for X509V3_add1_i2d */
439 # define X509V3_ADD_OP_MASK 0xfL
440 # define X509V3_ADD_DEFAULT 0L
441 # define X509V3_ADD_APPEND 1L
442 # define X509V3_ADD_REPLACE 2L
443 # define X509V3_ADD_REPLACE_EXISTING 3L
444 # define X509V3_ADD_KEEP_EXISTING 4L
445 # define X509V3_ADD_DELETE 5L
446 # define X509V3_ADD_SILENT 0x10
448 DEFINE_STACK_OF(X509_PURPOSE
)
450 DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS
)
452 DECLARE_ASN1_FUNCTIONS(SXNET
)
453 DECLARE_ASN1_FUNCTIONS(SXNETID
)
455 int SXNET_add_id_asc(SXNET
**psx
, const char *zone
, const char *user
, int userlen
);
456 int SXNET_add_id_ulong(SXNET
**psx
, unsigned long lzone
, const char *user
,
458 int SXNET_add_id_INTEGER(SXNET
**psx
, ASN1_INTEGER
*izone
, const char *user
,
461 ASN1_OCTET_STRING
*SXNET_get_id_asc(SXNET
*sx
, const char *zone
);
462 ASN1_OCTET_STRING
*SXNET_get_id_ulong(SXNET
*sx
, unsigned long lzone
);
463 ASN1_OCTET_STRING
*SXNET_get_id_INTEGER(SXNET
*sx
, ASN1_INTEGER
*zone
);
465 DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID
)
467 DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD
)
469 DECLARE_ASN1_FUNCTIONS(GENERAL_NAME
)
470 GENERAL_NAME
*GENERAL_NAME_dup(GENERAL_NAME
*a
);
471 int GENERAL_NAME_cmp(GENERAL_NAME
*a
, GENERAL_NAME
*b
);
473 ASN1_BIT_STRING
*v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD
*method
,
475 STACK_OF(CONF_VALUE
) *nval
);
476 STACK_OF(CONF_VALUE
) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD
*method
,
477 ASN1_BIT_STRING
*bits
,
478 STACK_OF(CONF_VALUE
) *extlist
);
479 char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD
*method
, ASN1_IA5STRING
*ia5
);
480 ASN1_IA5STRING
*s2i_ASN1_IA5STRING(X509V3_EXT_METHOD
*method
,
481 X509V3_CTX
*ctx
, const char *str
);
483 STACK_OF(CONF_VALUE
) *i2v_GENERAL_NAME(X509V3_EXT_METHOD
*method
,
485 STACK_OF(CONF_VALUE
) *ret
);
486 int GENERAL_NAME_print(BIO
*out
, GENERAL_NAME
*gen
);
488 DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES
)
490 STACK_OF(CONF_VALUE
) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD
*method
,
492 STACK_OF(CONF_VALUE
) *extlist
);
493 GENERAL_NAMES
*v2i_GENERAL_NAMES(const X509V3_EXT_METHOD
*method
,
494 X509V3_CTX
*ctx
, STACK_OF(CONF_VALUE
) *nval
);
496 DECLARE_ASN1_FUNCTIONS(OTHERNAME
)
497 DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME
)
498 int OTHERNAME_cmp(OTHERNAME
*a
, OTHERNAME
*b
);
499 void GENERAL_NAME_set0_value(GENERAL_NAME
*a
, int type
, void *value
);
500 void *GENERAL_NAME_get0_value(GENERAL_NAME
*a
, int *ptype
);
501 int GENERAL_NAME_set0_othername(GENERAL_NAME
*gen
,
502 ASN1_OBJECT
*oid
, ASN1_TYPE
*value
);
503 int GENERAL_NAME_get0_otherName(GENERAL_NAME
*gen
,
504 ASN1_OBJECT
**poid
, ASN1_TYPE
**pvalue
);
506 char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD
*method
,
507 const ASN1_OCTET_STRING
*ia5
);
508 ASN1_OCTET_STRING
*s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD
*method
,
509 X509V3_CTX
*ctx
, const char *str
);
511 DECLARE_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE
)
512 int i2a_ACCESS_DESCRIPTION(BIO
*bp
, const ACCESS_DESCRIPTION
*a
);
514 DECLARE_ASN1_ALLOC_FUNCTIONS(TLS_FEATURE
)
516 DECLARE_ASN1_FUNCTIONS(CERTIFICATEPOLICIES
)
517 DECLARE_ASN1_FUNCTIONS(POLICYINFO
)
518 DECLARE_ASN1_FUNCTIONS(POLICYQUALINFO
)
519 DECLARE_ASN1_FUNCTIONS(USERNOTICE
)
520 DECLARE_ASN1_FUNCTIONS(NOTICEREF
)
522 DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS
)
523 DECLARE_ASN1_FUNCTIONS(DIST_POINT
)
524 DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME
)
525 DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT
)
527 int DIST_POINT_set_dpname(DIST_POINT_NAME
*dpn
, X509_NAME
*iname
);
/*
 * Check the names in @x against the permittedSubtrees / excludedSubtrees
 * of @nc (struct NAME_CONSTRAINTS_st above).  Returns an X509_V_* code,
 * X509_V_OK when every name is acceptable (the specific X509_V_ERR_*
 * values for a violation are not visible here -- confirm in the
 * implementation).
 */
int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc);
/*
 * Presumably the companion check that also applies the DNS-name
 * constraints to the subject's common-name entries, so that a host name
 * placed in the CN is subject to the same constraints as a dNSName SAN;
 * same X509_V_* return convention as NAME_CONSTRAINTS_check() -- confirm.
 */
int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc);
532 DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION
)
533 DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS
)
535 DECLARE_ASN1_ITEM(POLICY_MAPPING
)
536 DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING
)
537 DECLARE_ASN1_ITEM(POLICY_MAPPINGS
)
539 DECLARE_ASN1_ITEM(GENERAL_SUBTREE
)
540 DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE
)
542 DECLARE_ASN1_ITEM(NAME_CONSTRAINTS
)
543 DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS
)
545 DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS
)
546 DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS
)
548 GENERAL_NAME
*a2i_GENERAL_NAME(GENERAL_NAME
*out
,
549 const X509V3_EXT_METHOD
*method
,
550 X509V3_CTX
*ctx
, int gen_type
,
551 const char *value
, int is_nc
);
553 # ifdef HEADER_CONF_H
554 GENERAL_NAME
*v2i_GENERAL_NAME(const X509V3_EXT_METHOD
*method
,
555 X509V3_CTX
*ctx
, CONF_VALUE
*cnf
);
556 GENERAL_NAME
*v2i_GENERAL_NAME_ex(GENERAL_NAME
*out
,
557 const X509V3_EXT_METHOD
*method
,
558 X509V3_CTX
*ctx
, CONF_VALUE
*cnf
,
560 void X509V3_conf_free(CONF_VALUE
*val
);
562 X509_EXTENSION
*X509V3_EXT_nconf_nid(CONF
*conf
, X509V3_CTX
*ctx
, int ext_nid
,
564 X509_EXTENSION
*X509V3_EXT_nconf(CONF
*conf
, X509V3_CTX
*ctx
, const char *name
,
566 int X509V3_EXT_add_nconf_sk(CONF
*conf
, X509V3_CTX
*ctx
, const char *section
,
567 STACK_OF(X509_EXTENSION
) **sk
);
568 int X509V3_EXT_add_nconf(CONF
*conf
, X509V3_CTX
*ctx
, const char *section
,
570 int X509V3_EXT_REQ_add_nconf(CONF
*conf
, X509V3_CTX
*ctx
, const char *section
,
572 int X509V3_EXT_CRL_add_nconf(CONF
*conf
, X509V3_CTX
*ctx
, const char *section
,
575 X509_EXTENSION
*X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE
) *conf
,
576 X509V3_CTX
*ctx
, int ext_nid
,
578 X509_EXTENSION
*X509V3_EXT_conf(LHASH_OF(CONF_VALUE
) *conf
, X509V3_CTX
*ctx
,
579 const char *name
, const char *value
);
580 int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE
) *conf
, X509V3_CTX
*ctx
,
581 const char *section
, X509
*cert
);
582 int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE
) *conf
, X509V3_CTX
*ctx
,
583 const char *section
, X509_REQ
*req
);
584 int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE
) *conf
, X509V3_CTX
*ctx
,
585 const char *section
, X509_CRL
*crl
);
587 int X509V3_add_value_bool_nf(const char *name
, int asn1_bool
,
588 STACK_OF(CONF_VALUE
) **extlist
);
589 int X509V3_get_value_bool(const CONF_VALUE
*value
, int *asn1_bool
);
590 int X509V3_get_value_int(const CONF_VALUE
*value
, ASN1_INTEGER
**aint
);
591 void X509V3_set_nconf(X509V3_CTX
*ctx
, CONF
*conf
);
592 void X509V3_set_conf_lhash(X509V3_CTX
*ctx
, LHASH_OF(CONF_VALUE
) *lhash
);
595 char *X509V3_get_string(X509V3_CTX
*ctx
, const char *name
, const char *section
);
596 STACK_OF(CONF_VALUE
) *X509V3_get_section(X509V3_CTX
*ctx
, const char *section
);
597 void X509V3_string_free(X509V3_CTX
*ctx
, char *str
);
598 void X509V3_section_free(X509V3_CTX
*ctx
, STACK_OF(CONF_VALUE
) *section
);
599 void X509V3_set_ctx(X509V3_CTX
*ctx
, X509
*issuer
, X509
*subject
,
600 X509_REQ
*req
, X509_CRL
*crl
, int flags
);
602 int X509V3_add_value(const char *name
, const char *value
,
603 STACK_OF(CONF_VALUE
) **extlist
);
604 int X509V3_add_value_uchar(const char *name
, const unsigned char *value
,
605 STACK_OF(CONF_VALUE
) **extlist
);
606 int X509V3_add_value_bool(const char *name
, int asn1_bool
,
607 STACK_OF(CONF_VALUE
) **extlist
);
608 int X509V3_add_value_int(const char *name
, const ASN1_INTEGER
*aint
,
609 STACK_OF(CONF_VALUE
) **extlist
);
610 char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD
*meth
, const ASN1_INTEGER
*aint
);
611 ASN1_INTEGER
*s2i_ASN1_INTEGER(X509V3_EXT_METHOD
*meth
, const char *value
);
612 char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD
*meth
, const ASN1_ENUMERATED
*aint
);
613 char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD
*meth
,
614 const ASN1_ENUMERATED
*aint
);
615 int X509V3_EXT_add(X509V3_EXT_METHOD
*ext
);
616 int X509V3_EXT_add_list(X509V3_EXT_METHOD
*extlist
);
617 int X509V3_EXT_add_alias(int nid_to
, int nid_from
);
618 void X509V3_EXT_cleanup(void);
620 const X509V3_EXT_METHOD
*X509V3_EXT_get(X509_EXTENSION
*ext
);
621 const X509V3_EXT_METHOD
*X509V3_EXT_get_nid(int nid
);
622 int X509V3_add_standard_extensions(void);
623 STACK_OF(CONF_VALUE
) *X509V3_parse_list(const char *line
);
624 void *X509V3_EXT_d2i(X509_EXTENSION
*ext
);
625 void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION
) *x
, int nid
, int *crit
,
628 X509_EXTENSION
*X509V3_EXT_i2d(int ext_nid
, int crit
, void *ext_struc
);
629 int X509V3_add1_i2d(STACK_OF(X509_EXTENSION
) **x
, int nid
, void *value
,
630 int crit
, unsigned long flags
);
632 #if !OPENSSL_API_1_1_0
633 /* The new declarations are in crypto.h, but the old ones were here. */
634 # define hex_to_string OPENSSL_buf2hexstr
635 # define string_to_hex OPENSSL_hexstr2buf
638 void X509V3_EXT_val_prn(BIO
*out
, STACK_OF(CONF_VALUE
) *val
, int indent
,
640 int X509V3_EXT_print(BIO
*out
, X509_EXTENSION
*ext
, unsigned long flag
,
642 #ifndef OPENSSL_NO_STDIO
643 int X509V3_EXT_print_fp(FILE *out
, X509_EXTENSION
*ext
, int flag
, int indent
);
645 int X509V3_extensions_print(BIO
*out
, const char *title
,
646 const STACK_OF(X509_EXTENSION
) *exts
,
647 unsigned long flag
, int indent
);
/*
 * Report whether @x is a CA certificate.  Zero means "not a CA"; a
 * non-zero value means "is a CA" and encodes how that was decided (see the
 * X509_check_ca(3) manual for the individual codes -- confirm against the
 * implementation).
 */
int X509_check_ca(X509 *x);
/*
 * Check whether @x is usable for purpose @id (one of the X509_PURPOSE_*
 * values above, bounded by X509_PURPOSE_MIN/MAX), as a CA certificate when
 * @ca is non-zero and as an end-entity certificate otherwise.  Returns 1
 * when the certificate is valid for the purpose and 0 when it is not
 * (per the X509_check_purpose(3) manual -- confirm).
 */
int X509_check_purpose(X509 *x, int id, int ca);
651 int X509_supported_extension(X509_EXTENSION
*ex
);
652 int X509_PURPOSE_set(int *p
, int purpose
);
653 int X509_check_issued(X509
*issuer
, X509
*subject
);
654 int X509_check_akid(X509
*issuer
, AUTHORITY_KEYID
*akid
);
655 void X509_set_proxy_flag(X509
*x
);
656 void X509_set_proxy_pathlen(X509
*x
, long l
);
657 long X509_get_proxy_pathlen(X509
*x
);
659 uint32_t X509_get_extension_flags(X509
*x
);
660 uint32_t X509_get_key_usage(X509
*x
);
661 uint32_t X509_get_extended_key_usage(X509
*x
);
662 const ASN1_OCTET_STRING
*X509_get0_subject_key_id(X509
*x
);
663 const ASN1_OCTET_STRING
*X509_get0_authority_key_id(X509
*x
);
665 int X509_PURPOSE_get_count(void);
666 X509_PURPOSE
*X509_PURPOSE_get0(int idx
);
667 int X509_PURPOSE_get_by_sname(const char *sname
);
668 int X509_PURPOSE_get_by_id(int id
);
669 int X509_PURPOSE_add(int id
, int trust
, int flags
,
670 int (*ck
) (const X509_PURPOSE
*, const X509
*, int),
671 const char *name
, const char *sname
, void *arg
);
672 char *X509_PURPOSE_get0_name(const X509_PURPOSE
*xp
);
673 char *X509_PURPOSE_get0_sname(const X509_PURPOSE
*xp
);
674 int X509_PURPOSE_get_trust(const X509_PURPOSE
*xp
);
675 void X509_PURPOSE_cleanup(void);
676 int X509_PURPOSE_get_id(const X509_PURPOSE
*);
678 STACK_OF(OPENSSL_STRING
) *X509_get1_email(X509
*x
);
679 STACK_OF(OPENSSL_STRING
) *X509_REQ_get1_email(X509_REQ
*x
);
680 void X509_email_free(STACK_OF(OPENSSL_STRING
) *sk
);
681 STACK_OF(OPENSSL_STRING
) *X509_get1_ocsp(X509
*x
);
682 /* Flags for X509_check_* functions */
685 * Always check the subject name for a host match even if subject alt names are present
687 # define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0x1
688 /* Disable wildcard matching for dnsName fields and common name. */
689 # define X509_CHECK_FLAG_NO_WILDCARDS 0x2
690 /* Wildcards must not match a partial label. */
691 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0x4
692 /* Allow (non-partial) wildcards to match multiple labels. */
693 # define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8
694 /* Constrain verifier subdomain patterns to match a single label. */
695 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10
696 /* Never check the subject CN */
697 # define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20
699 * Match reference identifiers starting with "." to any sub-domain.
700 * This is a non-public flag, turned on implicitly when the subject
701 * reference identity is a DNS name.
703 # define _X509_CHECK_FLAG_DOT_SUBDOMAINS 0x8000
/*
 * Host-name verification: match @chk (of @chklen bytes; per the
 * X509_check_host(3) manual a @chklen of 0 means @chk is NUL-terminated)
 * against the dNSName subjectAltName entries of @x, falling back to the
 * subject CN as permitted by the X509_CHECK_FLAG_* bits above, which make
 * up @flags.  If @peername is non-NULL, a successful match stores a copy of
 * the matched name there, which the caller must OPENSSL_free().
 *
 * NOTE(review): only a return value of 1 is a match.  Per the manual, 0
 * means no match, -1 an internal error and -2 malformed input; a caller
 * that tests `!= 0` would accept the error returns as a successful
 * verification.
 */
int X509_check_host(X509 *x, const char *chk, size_t chklen,
                    unsigned int flags, char **peername);
707 int X509_check_email(X509
*x
, const char *chk
, size_t chklen
,
709 int X509_check_ip(X509
*x
, const unsigned char *chk
, size_t chklen
,
/*
 * iPAddress subjectAltName check with the address supplied as text
 * (@ipasc; presumably parsed the same way as a2i_IPADDRESS() below --
 * confirm).  @flags takes the X509_CHECK_FLAG_* bits above.  Same return
 * convention as X509_check_host(): only 1 is a match; 0 is no match and
 * negative values are errors (per the manual, -2 for a malformed @ipasc),
 * so callers must compare against 1, not test for non-zero.
 */
int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags);
713 ASN1_OCTET_STRING
*a2i_IPADDRESS(const char *ipasc
);
714 ASN1_OCTET_STRING
*a2i_IPADDRESS_NC(const char *ipasc
);
715 int X509V3_NAME_from_section(X509_NAME
*nm
, STACK_OF(CONF_VALUE
) *dn_sk
,
716 unsigned long chtype
);
718 void X509_POLICY_NODE_print(BIO
*out
, X509_POLICY_NODE
*node
, int indent
);
719 DEFINE_STACK_OF(X509_POLICY_NODE
)
721 #ifndef OPENSSL_NO_RFC3779
722 typedef struct ASRange_st
{
723 ASN1_INTEGER
*min
, *max
;
726 # define ASIdOrRange_id 0
727 # define ASIdOrRange_range 1
729 typedef struct ASIdOrRange_st
{
737 typedef STACK_OF(ASIdOrRange
) ASIdOrRanges
;
738 DEFINE_STACK_OF(ASIdOrRange
)
740 # define ASIdentifierChoice_inherit 0
741 # define ASIdentifierChoice_asIdsOrRanges 1
743 typedef struct ASIdentifierChoice_st
{
747 ASIdOrRanges
*asIdsOrRanges
;
749 } ASIdentifierChoice
;
751 typedef struct ASIdentifiers_st
{
752 ASIdentifierChoice
*asnum
, *rdi
;
755 DECLARE_ASN1_FUNCTIONS(ASRange
)
756 DECLARE_ASN1_FUNCTIONS(ASIdOrRange
)
757 DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice
)
758 DECLARE_ASN1_FUNCTIONS(ASIdentifiers
)
760 typedef struct IPAddressRange_st
{
761 ASN1_BIT_STRING
*min
, *max
;
764 # define IPAddressOrRange_addressPrefix 0
765 # define IPAddressOrRange_addressRange 1
767 typedef struct IPAddressOrRange_st
{
770 ASN1_BIT_STRING
*addressPrefix
;
771 IPAddressRange
*addressRange
;
775 typedef STACK_OF(IPAddressOrRange
) IPAddressOrRanges
;
776 DEFINE_STACK_OF(IPAddressOrRange
)
778 # define IPAddressChoice_inherit 0
779 # define IPAddressChoice_addressesOrRanges 1
781 typedef struct IPAddressChoice_st
{
785 IPAddressOrRanges
*addressesOrRanges
;
789 typedef struct IPAddressFamily_st
{
790 ASN1_OCTET_STRING
*addressFamily
;
791 IPAddressChoice
*ipAddressChoice
;
794 typedef STACK_OF(IPAddressFamily
) IPAddrBlocks
;
795 DEFINE_STACK_OF(IPAddressFamily
)
797 DECLARE_ASN1_FUNCTIONS(IPAddressRange
)
798 DECLARE_ASN1_FUNCTIONS(IPAddressOrRange
)
799 DECLARE_ASN1_FUNCTIONS(IPAddressChoice
)
800 DECLARE_ASN1_FUNCTIONS(IPAddressFamily
)
803 * API tag for elements of the ASIdentifier SEQUENCE.
805 # define V3_ASID_ASNUM 0
806 # define V3_ASID_RDI 1
809 * AFI values, assigned by IANA. It'd be nice to make the AFI
810 * handling code totally generic, but there are too many little things
811 * that would need to be defined for other address families for it to
812 * be worth the trouble.
814 # define IANA_AFI_IPV4 1
815 # define IANA_AFI_IPV6 2
818 * Utilities to construct and extract values from RFC3779 extensions,
819 * since some of the encodings (particularly for IP address prefixes
820 * and ranges) are a bit tedious to work with directly.
822 int X509v3_asid_add_inherit(ASIdentifiers
*asid
, int which
);
823 int X509v3_asid_add_id_or_range(ASIdentifiers
*asid
, int which
,
824 ASN1_INTEGER
*min
, ASN1_INTEGER
*max
);
825 int X509v3_addr_add_inherit(IPAddrBlocks
*addr
,
826 const unsigned afi
, const unsigned *safi
);
827 int X509v3_addr_add_prefix(IPAddrBlocks
*addr
,
828 const unsigned afi
, const unsigned *safi
,
829 unsigned char *a
, const int prefixlen
);
830 int X509v3_addr_add_range(IPAddrBlocks
*addr
,
831 const unsigned afi
, const unsigned *safi
,
832 unsigned char *min
, unsigned char *max
);
833 unsigned X509v3_addr_get_afi(const IPAddressFamily
*f
);
834 int X509v3_addr_get_range(IPAddressOrRange
*aor
, const unsigned afi
,
835 unsigned char *min
, unsigned char *max
,
841 int X509v3_asid_is_canonical(ASIdentifiers
*asid
);
842 int X509v3_addr_is_canonical(IPAddrBlocks
*addr
);
843 int X509v3_asid_canonize(ASIdentifiers
*asid
);
844 int X509v3_addr_canonize(IPAddrBlocks
*addr
);
847 * Tests for inheritance and containment.
849 int X509v3_asid_inherits(ASIdentifiers
*asid
);
850 int X509v3_addr_inherits(IPAddrBlocks
*addr
);
851 int X509v3_asid_subset(ASIdentifiers
*a
, ASIdentifiers
*b
);
852 int X509v3_addr_subset(IPAddrBlocks
*a
, IPAddrBlocks
*b
);
855 * Check whether RFC 3779 extensions nest properly in chains.
857 int X509v3_asid_validate_path(X509_STORE_CTX
*);
858 int X509v3_addr_validate_path(X509_STORE_CTX
*);
859 int X509v3_asid_validate_resource_set(STACK_OF(X509
) *chain
,
861 int allow_inheritance
);
862 int X509v3_addr_validate_resource_set(STACK_OF(X509
) *chain
,
863 IPAddrBlocks
*ext
, int allow_inheritance
);
865 #endif /* OPENSSL_NO_RFC3779 */
867 DEFINE_STACK_OF(ASN1_STRING
)
872 typedef struct NamingAuthority_st NAMING_AUTHORITY
;
873 typedef struct ProfessionInfo_st PROFESSION_INFO
;
874 typedef struct Admissions_st ADMISSIONS
;
875 typedef struct AdmissionSyntax_st ADMISSION_SYNTAX
;
876 DECLARE_ASN1_FUNCTIONS(NAMING_AUTHORITY
)
877 DECLARE_ASN1_FUNCTIONS(PROFESSION_INFO
)
878 DECLARE_ASN1_FUNCTIONS(ADMISSIONS
)
879 DECLARE_ASN1_FUNCTIONS(ADMISSION_SYNTAX
)
880 DEFINE_STACK_OF(ADMISSIONS
)
881 DEFINE_STACK_OF(PROFESSION_INFO
)
882 typedef STACK_OF(PROFESSION_INFO
) PROFESSION_INFOS
;
884 const ASN1_OBJECT
*NAMING_AUTHORITY_get0_authorityId(
885 const NAMING_AUTHORITY
*n
);
886 const ASN1_IA5STRING
*NAMING_AUTHORITY_get0_authorityURL(
887 const NAMING_AUTHORITY
*n
);
888 const ASN1_STRING
*NAMING_AUTHORITY_get0_authorityText(
889 const NAMING_AUTHORITY
*n
);
890 void NAMING_AUTHORITY_set0_authorityId(NAMING_AUTHORITY
*n
,
891 ASN1_OBJECT
* namingAuthorityId
);
892 void NAMING_AUTHORITY_set0_authorityURL(NAMING_AUTHORITY
*n
,
893 ASN1_IA5STRING
* namingAuthorityUrl
);
894 void NAMING_AUTHORITY_set0_authorityText(NAMING_AUTHORITY
*n
,
895 ASN1_STRING
* namingAuthorityText
);
897 const GENERAL_NAME
*ADMISSION_SYNTAX_get0_admissionAuthority(
898 const ADMISSION_SYNTAX
*as
);
899 void ADMISSION_SYNTAX_set0_admissionAuthority(
900 ADMISSION_SYNTAX
*as
, GENERAL_NAME
*aa
);
901 const STACK_OF(ADMISSIONS
) *ADMISSION_SYNTAX_get0_contentsOfAdmissions(
902 const ADMISSION_SYNTAX
*as
);
903 void ADMISSION_SYNTAX_set0_contentsOfAdmissions(
904 ADMISSION_SYNTAX
*as
, STACK_OF(ADMISSIONS
) *a
);
905 const GENERAL_NAME
*ADMISSIONS_get0_admissionAuthority(const ADMISSIONS
*a
);
906 void ADMISSIONS_set0_admissionAuthority(ADMISSIONS
*a
, GENERAL_NAME
*aa
);
907 const NAMING_AUTHORITY
*ADMISSIONS_get0_namingAuthority(const ADMISSIONS
*a
);
908 void ADMISSIONS_set0_namingAuthority(ADMISSIONS
*a
, NAMING_AUTHORITY
*na
);
909 const PROFESSION_INFOS
*ADMISSIONS_get0_professionInfos(const ADMISSIONS
*a
);
910 void ADMISSIONS_set0_professionInfos(ADMISSIONS
*a
, PROFESSION_INFOS
*pi
);
911 const ASN1_OCTET_STRING
*PROFESSION_INFO_get0_addProfessionInfo(
912 const PROFESSION_INFO
*pi
);
913 void PROFESSION_INFO_set0_addProfessionInfo(
914 PROFESSION_INFO
*pi
, ASN1_OCTET_STRING
*aos
);
915 const NAMING_AUTHORITY
*PROFESSION_INFO_get0_namingAuthority(
916 const PROFESSION_INFO
*pi
);
917 void PROFESSION_INFO_set0_namingAuthority(
918 PROFESSION_INFO
*pi
, NAMING_AUTHORITY
*na
);
919 const STACK_OF(ASN1_STRING
) *PROFESSION_INFO_get0_professionItems(
920 const PROFESSION_INFO
*pi
);
921 void PROFESSION_INFO_set0_professionItems(
922 PROFESSION_INFO
*pi
, STACK_OF(ASN1_STRING
) *as
);
923 const STACK_OF(ASN1_OBJECT
) *PROFESSION_INFO_get0_professionOIDs(
924 const PROFESSION_INFO
*pi
);
925 void PROFESSION_INFO_set0_professionOIDs(
926 PROFESSION_INFO
*pi
, STACK_OF(ASN1_OBJECT
) *po
);
927 const ASN1_PRINTABLESTRING
*PROFESSION_INFO_get0_registrationNumber(
928 const PROFESSION_INFO
*pi
);
929 void PROFESSION_INFO_set0_registrationNumber(
930 PROFESSION_INFO
*pi
, ASN1_PRINTABLESTRING
*rn
);