1X509V3_GET_D2I(3) OpenSSL X509V3_GET_D2I(3)
2
3
4
6 X509_get0_extensions, X509_CRL_get0_extensions,
7 X509_REVOKED_get0_extensions, X509V3_get_d2i, X509V3_add1_i2d,
8 X509V3_EXT_d2i, X509V3_EXT_i2d, X509_get_ext_d2i, X509_add1_ext_i2d,
9 X509_CRL_get_ext_d2i, X509_CRL_add1_ext_i2d, X509_REVOKED_get_ext_d2i,
10 X509_REVOKED_add1_ext_i2d - X509 extension decode and encode functions
11
13 #include <openssl/x509v3.h>
14
15 void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
16 int *idx);
17 int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
18 int crit, unsigned long flags);
19
20 void *X509V3_EXT_d2i(X509_EXTENSION *ext);
21 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext);
22
23 void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx);
24 int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
25 unsigned long flags);
26
27 void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, int *crit, int *idx);
28 int X509_CRL_add1_ext_i2d(X509_CRL *crl, int nid, void *value, int crit,
29 unsigned long flags);
30
31 void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *r, int nid, int *crit, int *idx);
32 int X509_REVOKED_add1_ext_i2d(X509_REVOKED *r, int nid, void *value, int crit,
33 unsigned long flags);
34
35 const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
36 const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
37 const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(const X509_REVOKED *r);
38
40 X509V3_get_ext_d2i() looks for an extension with OID nid in the
41 extensions x and, if found, decodes it. If idx is NULL then only one
42 occurrence of an extension is permissible otherwise the first extension
43 after index *idx is returned and *idx updated to the location of the
44 extension. If crit is not NULL then *crit is set to a status value: -2
45 if the extension occurs multiple times (this is only returned if idx is
46 NULL), -1 if the extension could not be found, 0 if the extension is
47 found and is not critical and 1 if critical. A pointer to an extension
48 specific structure or NULL is returned.
49
50 X509V3_add1_i2d() adds extension value to STACK *x (allocating a new
51 STACK if necessary) using OID nid and criticality crit according to
52 flags.
53
54 X509V3_EXT_d2i() attempts to decode the ASN.1 data contained in
55 extension ext and returns a pointer to an extension specific structure
56 or NULL if the extension could not be decoded (invalid syntax or not
57 supported).
58
59 X509V3_EXT_i2d() encodes the extension specific structure ext with OID
60 ext_nid and criticality crit.
61
62 X509_get_ext_d2i() and X509_add1_ext_i2d() operate on the extensions of
63 certificate x, they are otherwise identical to X509V3_get_d2i() and
64 X509V3_add_i2d().
65
66 X509_CRL_get_ext_d2i() and X509_CRL_add1_ext_i2d() operate on the
67 extensions of CRL crl, they are otherwise identical to X509V3_get_d2i()
68 and X509V3_add_i2d().
69
70 X509_REVOKED_get_ext_d2i() and X509_REVOKED_add1_ext_i2d() operate on
71 the extensions of X509_REVOKED structure r (i.e for CRL entry
72 extensions), they are otherwise identical to X509V3_get_d2i() and
73 X509V3_add_i2d().
74
75 X509_get0_extensions(), X509_CRL_get0_extensions() and
76 X509_REVOKED_get0_extensions() return a stack of all the extensions of
77 a certificate a CRL or a CRL entry respectively.
78
80 In almost all cases an extension can occur at most once and multiple
81 occurrences is an error. Therefore, the idx parameter is usually NULL.
82
83 The flags parameter may be one of the following values.
84
85 X509V3_ADD_DEFAULT appends a new extension only if the extension does
86 not already exist. An error is returned if the extension does already
87 exist.
88
89 X509V3_ADD_APPEND appends a new extension, ignoring whether the
90 extension already exists.
91
92 X509V3_ADD_REPLACE replaces an extension if it exists otherwise appends
93 a new extension.
94
95 X509V3_ADD_REPLACE_EXISTING replaces an existing extension if it exists
96 otherwise returns an error.
97
98 X509V3_ADD_KEEP_EXISTING appends a new extension only if the extension
99 does not already exist. An error is not returned if the extension does
100 already exist.
101
102 X509V3_ADD_DELETE extension nid is deleted: no new extension is added.
103
104 If X509V3_ADD_SILENT is ored with flags: any error returned will not be
105 added to the error queue.
106
107 The function X509V3_get_d2i() will return NULL if the extension is not
108 found, occurs multiple times or cannot be decoded. It is possible to
109 determine the precise reason by checking the value of *crit.
110
112 The following sections contain a list of all supported extensions
113 including their name and NID.
114
115 PKIX Certificate Extensions
116 The following certificate extensions are defined in PKIX standards such
117 as RFC5280.
118
119 Basic Constraints NID_basic_constraints
120 Key Usage NID_key_usage
121 Extended Key Usage NID_ext_key_usage
122
123 Subject Key Identifier NID_subject_key_identifier
124 Authority Key Identifier NID_authority_key_identifier
125
126 Private Key Usage Period NID_private_key_usage_period
127
128 Subject Alternative Name NID_subject_alt_name
129 Issuer Alternative Name NID_issuer_alt_name
130
131 Authority Information Access NID_info_access
132 Subject Information Access NID_sinfo_access
133
134 Name Constraints NID_name_constraints
135
136 Certificate Policies NID_certificate_policies
137 Policy Mappings NID_policy_mappings
138 Policy Constraints NID_policy_constraints
139 Inhibit Any Policy NID_inhibit_any_policy
140
141 TLS Feature NID_tlsfeature
142
143 Netscape Certificate Extensions
144 The following are (largely obsolete) Netscape certificate extensions.
145
146 Netscape Cert Type NID_netscape_cert_type
147 Netscape Base Url NID_netscape_base_url
148 Netscape Revocation Url NID_netscape_revocation_url
149 Netscape CA Revocation Url NID_netscape_ca_revocation_url
150 Netscape Renewal Url NID_netscape_renewal_url
151 Netscape CA Policy Url NID_netscape_ca_policy_url
152 Netscape SSL Server Name NID_netscape_ssl_server_name
153 Netscape Comment NID_netscape_comment
154
155 Miscellaneous Certificate Extensions
156 Strong Extranet ID NID_sxnet
157 Proxy Certificate Information NID_proxyCertInfo
158
159 PKIX CRL Extensions
160 The following are CRL extensions from PKIX standards such as RFC5280.
161
162 CRL Number NID_crl_number
163 CRL Distribution Points NID_crl_distribution_points
164 Delta CRL Indicator NID_delta_crl
165 Freshest CRL NID_freshest_crl
166 Invalidity Date NID_invalidity_date
167 Issuing Distribution Point NID_issuing_distribution_point
168
169 The following are CRL entry extensions from PKIX standards such as
170 RFC5280.
171
172 CRL Reason Code NID_crl_reason
173 Certificate Issuer NID_certificate_issuer
174
175 OCSP Extensions
176 OCSP Nonce NID_id_pkix_OCSP_Nonce
177 OCSP CRL ID NID_id_pkix_OCSP_CrlID
178 Acceptable OCSP Responses NID_id_pkix_OCSP_acceptableResponses
179 OCSP No Check NID_id_pkix_OCSP_noCheck
180 OCSP Archive Cutoff NID_id_pkix_OCSP_archiveCutoff
181 OCSP Service Locator NID_id_pkix_OCSP_serviceLocator
182 Hold Instruction Code NID_hold_instruction_code
183
184 Certificate Transparency Extensions
185 The following extensions are used by certificate transparency, RFC6962
186
187 CT Precertificate SCTs NID_ct_precert_scts
188 CT Certificate SCTs NID_ct_cert_scts
189
191 X509V3_EXT_d2i() and *X509V3_get_d2i() return a pointer to an extension
192 specific structure of NULL if an error occurs.
193
194 X509V3_EXT_i2d() returns a pointer to an X509_EXTENSION structure or
195 NULL if an error occurs.
196
197 X509V3_add1_i2d() returns 1 if the operation is successful and 0 if it
198 fails due to a non-fatal error (extension not found, already exists,
199 cannot be encoded) or -1 due to a fatal error such as a memory
200 allocation failure.
201
202 X509_get0_extensions(), X509_CRL_get0_extensions() and
203 X509_REVOKED_get0_extensions() return a stack of extensions. They
204 return NULL if no extensions are present.
205
207 d2i_X509(3), ERR_get_error(3), X509_CRL_get0_by_serial(3),
208 X509_get0_signature(3), X509_get_ext_d2i(3),
209 X509_get_extension_flags(3), X509_get_pubkey(3),
210 X509_get_subject_name(3), X509_get_version(3),
211 X509_NAME_add_entry_by_txt(3), X509_NAME_ENTRY_get_object(3),
212 X509_NAME_get_index_by_NID(3), X509_NAME_print_ex(3), X509_new(3),
213 X509_sign(3), X509_verify_cert(3)
214
216 Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
217
218 Licensed under the OpenSSL license (the "License"). You may not use
219 this file except in compliance with the License. You can obtain a copy
220 in the file LICENSE in the source distribution or at
221 <https://www.openssl.org/source/license.html>.
222
223
224
2251.1.1i 2021-01-26 X509V3_GET_D2I(3)