1X509V3_GET_D2I(3)                   OpenSSL                  X509V3_GET_D2I(3)
2
3
4

NAME

6       X509_get0_extensions, X509_CRL_get0_extensions,
7       X509_REVOKED_get0_extensions, X509V3_get_d2i, X509V3_add1_i2d,
8       X509V3_EXT_d2i, X509V3_EXT_i2d, X509_get_ext_d2i, X509_add1_ext_i2d,
9       X509_CRL_get_ext_d2i, X509_CRL_add1_ext_i2d, X509_REVOKED_get_ext_d2i,
10       X509_REVOKED_add1_ext_i2d - X509 extension decode and encode functions
11

SYNOPSIS

13        #include <openssl/x509v3.h>
14
15        void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
16                             int *idx);
17        int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
18                            int crit, unsigned long flags);
19
20        void *X509V3_EXT_d2i(X509_EXTENSION *ext);
21        X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext);
22
23        void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx);
24        int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
25                              unsigned long flags);
26
27        void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, int *crit, int *idx);
28        int X509_CRL_add1_ext_i2d(X509_CRL *crl, int nid, void *value, int crit,
29                                  unsigned long flags);
30
31        void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *r, int nid, int *crit, int *idx);
32        int X509_REVOKED_add1_ext_i2d(X509_REVOKED *r, int nid, void *value, int crit,
33                                      unsigned long flags);
34
35        const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
36        const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
37        const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(const X509_REVOKED *r);
38

DESCRIPTION

40       X509V3_get_ext_d2i() looks for an extension with OID nid in the
41       extensions x and, if found, decodes it. If idx is NULL then only one
42       occurrence of an extension is permissible otherwise the first extension
43       after index *idx is returned and *idx updated to the location of the
44       extension.  If crit is not NULL then *crit is set to a status value: -2
45       if the extension occurs multiple times (this is only returned if idx is
46       NULL), -1 if the extension could not be found, 0 if the extension is
47       found and is not critical and 1 if critical. A pointer to an extension
48       specific structure or NULL is returned.
49
50       X509V3_add1_i2d() adds extension value to STACK *x (allocating a new
51       STACK if necessary) using OID nid and criticality crit according to
52       flags.
53
54       X509V3_EXT_d2i() attempts to decode the ASN.1 data contained in
55       extension ext and returns a pointer to an extension specific structure
56       or NULL if the extension could not be decoded (invalid syntax or not
57       supported).
58
59       X509V3_EXT_i2d() encodes the extension specific structure ext with OID
60       ext_nid and criticality crit.
61
62       X509_get_ext_d2i() and X509_add1_ext_i2d() operate on the extensions of
63       certificate x, they are otherwise identical to X509V3_get_d2i() and
64       X509V3_add_i2d().
65
66       X509_CRL_get_ext_d2i() and X509_CRL_add1_ext_i2d() operate on the
67       extensions of CRL crl, they are otherwise identical to X509V3_get_d2i()
68       and X509V3_add_i2d().
69
70       X509_REVOKED_get_ext_d2i() and X509_REVOKED_add1_ext_i2d() operate on
71       the extensions of X509_REVOKED structure r (i.e for CRL entry
72       extensions), they are otherwise identical to X509V3_get_d2i() and
73       X509V3_add_i2d().
74
75       X509_get0_extensions(), X509_CRL_get0_extensions() and
76       X509_REVOKED_get0_extensions() return a stack of all the extensions of
77       a certificate a CRL or a CRL entry respectively.
78

NOTES

80       In almost all cases an extension can occur at most once and multiple
81       occurrences is an error. Therefore, the idx parameter is usually NULL.
82
83       The flags parameter may be one of the following values.
84
85       X509V3_ADD_DEFAULT appends a new extension only if the extension does
86       not already exist. An error is returned if the extension does already
87       exist.
88
89       X509V3_ADD_APPEND appends a new extension, ignoring whether the
90       extension already exists.
91
92       X509V3_ADD_REPLACE replaces an extension if it exists otherwise appends
93       a new extension.
94
95       X509V3_ADD_REPLACE_EXISTING replaces an existing extension if it exists
96       otherwise returns an error.
97
98       X509V3_ADD_KEEP_EXISTING appends a new extension only if the extension
99       does not already exist. An error is not returned if the extension does
100       already exist.
101
102       X509V3_ADD_DELETE extension nid is deleted: no new extension is added.
103
104       If X509V3_ADD_SILENT is ored with flags: any error returned will not be
105       added to the error queue.
106
107       The function X509V3_get_d2i() will return NULL if the extension is not
108       found, occurs multiple times or cannot be decoded. It is possible to
109       determine the precise reason by checking the value of *crit.
110

SUPPORTED EXTENSIONS

112       The following sections contain a list of all supported extensions
113       including their name and NID.
114
115   PKIX Certificate Extensions
116       The following certificate extensions are defined in PKIX standards such
117       as RFC5280.
118
119        Basic Constraints                  NID_basic_constraints
120        Key Usage                          NID_key_usage
121        Extended Key Usage                 NID_ext_key_usage
122
123        Subject Key Identifier             NID_subject_key_identifier
124        Authority Key Identifier           NID_authority_key_identifier
125
126        Private Key Usage Period           NID_private_key_usage_period
127
128        Subject Alternative Name           NID_subject_alt_name
129        Issuer Alternative Name            NID_issuer_alt_name
130
131        Authority Information Access       NID_info_access
132        Subject Information Access         NID_sinfo_access
133
134        Name Constraints                   NID_name_constraints
135
136        Certificate Policies               NID_certificate_policies
137        Policy Mappings                    NID_policy_mappings
138        Policy Constraints                 NID_policy_constraints
139        Inhibit Any Policy                 NID_inhibit_any_policy
140
141        TLS Feature                        NID_tlsfeature
142
143   Netscape Certificate Extensions
144       The following are (largely obsolete) Netscape certificate extensions.
145
146        Netscape Cert Type                 NID_netscape_cert_type
147        Netscape Base Url                  NID_netscape_base_url
148        Netscape Revocation Url            NID_netscape_revocation_url
149        Netscape CA Revocation Url         NID_netscape_ca_revocation_url
150        Netscape Renewal Url               NID_netscape_renewal_url
151        Netscape CA Policy Url             NID_netscape_ca_policy_url
152        Netscape SSL Server Name           NID_netscape_ssl_server_name
153        Netscape Comment                   NID_netscape_comment
154
155   Miscellaneous Certificate Extensions
156        Strong Extranet ID                 NID_sxnet
157        Proxy Certificate Information      NID_proxyCertInfo
158
159   PKIX CRL Extensions
160       The following are CRL extensions from PKIX standards such as RFC5280.
161
162        CRL Number                         NID_crl_number
163        CRL Distribution Points            NID_crl_distribution_points
164        Delta CRL Indicator                NID_delta_crl
165        Freshest CRL                       NID_freshest_crl
166        Invalidity Date                    NID_invalidity_date
167        Issuing Distribution Point         NID_issuing_distribution_point
168
169       The following are CRL entry extensions from PKIX standards such as
170       RFC5280.
171
172        CRL Reason Code                    NID_crl_reason
173        Certificate Issuer                 NID_certificate_issuer
174
175   OCSP Extensions
176        OCSP Nonce                         NID_id_pkix_OCSP_Nonce
177        OCSP CRL ID                        NID_id_pkix_OCSP_CrlID
178        Acceptable OCSP Responses          NID_id_pkix_OCSP_acceptableResponses
179        OCSP No Check                      NID_id_pkix_OCSP_noCheck
180        OCSP Archive Cutoff                NID_id_pkix_OCSP_archiveCutoff
181        OCSP Service Locator               NID_id_pkix_OCSP_serviceLocator
182        Hold Instruction Code              NID_hold_instruction_code
183
184   Certificate Transparency Extensions
185       The following extensions are used by certificate transparency, RFC6962
186
187        CT Precertificate SCTs             NID_ct_precert_scts
188        CT Certificate SCTs                NID_ct_cert_scts
189

RETURN VALUES

191       X509V3_EXT_d2i() and *X509V3_get_d2i() return a pointer to an extension
192       specific structure of NULL if an error occurs.
193
194       X509V3_EXT_i2d() returns a pointer to an X509_EXTENSION structure or
195       NULL if an error occurs.
196
197       X509V3_add1_i2d() returns 1 if the operation is successful and 0 if it
198       fails due to a non-fatal error (extension not found, already exists,
199       cannot be encoded) or -1 due to a fatal error such as a memory
200       allocation failure.
201
202       X509_get0_extensions(), X509_CRL_get0_extensions() and
203       X509_REVOKED_get0_extensions() return a stack of extensions. They
204       return NULL if no extensions are present.
205

SEE ALSO

207       d2i_X509(3), ERR_get_error(3), X509_CRL_get0_by_serial(3),
208       X509_get0_signature(3), X509_get_ext_d2i(3),
209       X509_get_extension_flags(3), X509_get_pubkey(3),
210       X509_get_subject_name(3), X509_get_version(3),
211       X509_NAME_add_entry_by_txt(3), X509_NAME_ENTRY_get_object(3),
212       X509_NAME_get_index_by_NID(3), X509_NAME_print_ex(3), X509_new(3),
213       X509_sign(3), X509_verify_cert(3)
214
216       Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
217
218       Licensed under the OpenSSL license (the "License").  You may not use
219       this file except in compliance with the License.  You can obtain a copy
220       in the file LICENSE in the source distribution or at
221       <https://www.openssl.org/source/license.html>.
222
223
224
2251.1.1l                            2021-09-15                 X509V3_GET_D2I(3)
Impressum