1X509V3_GET_D2I(3ossl)               OpenSSL              X509V3_GET_D2I(3ossl)
2
3
4

NAME

6       X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d,
7       X509_get_ext_d2i, X509_add1_ext_i2d, X509_CRL_get_ext_d2i,
8       X509_CRL_add1_ext_i2d, X509_REVOKED_get_ext_d2i,
9       X509_REVOKED_add1_ext_i2d, X509_get0_extensions,
10       X509_CRL_get0_extensions, X509_REVOKED_get0_extensions - X509 extension
11       decode and encode functions
12

SYNOPSIS

14        #include <openssl/x509v3.h>
15
16        void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
17                             int *idx);
18        int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
19                            int crit, unsigned long flags);
20
21        void *X509V3_EXT_d2i(X509_EXTENSION *ext);
22        X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext);
23
24        void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx);
25        int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
26                              unsigned long flags);
27
28        void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, int *crit, int *idx);
29        int X509_CRL_add1_ext_i2d(X509_CRL *crl, int nid, void *value, int crit,
30                                  unsigned long flags);
31
32        void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *r, int nid, int *crit, int *idx);
33        int X509_REVOKED_add1_ext_i2d(X509_REVOKED *r, int nid, void *value, int crit,
34                                      unsigned long flags);
35
36        const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
37        const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
38        const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(const X509_REVOKED *r);
39

DESCRIPTION

41       X509V3_get_d2i() looks for an extension with OID nid in the extensions
42       x and, if found, decodes it. If idx is NULL then only one occurrence of
43       an extension is permissible otherwise the first extension after index
44       *idx is returned and *idx updated to the location of the extension.  If
45       crit is not NULL then *crit is set to a status value: -2 if the
46       extension occurs multiple times (this is only returned if idx is NULL),
47       -1 if the extension could not be found, 0 if the extension is found and
48       is not critical and 1 if critical. A pointer to an extension specific
49       structure or NULL is returned.
50
51       X509V3_add1_i2d() adds extension value to STACK *x (allocating a new
52       STACK if necessary) using OID nid and criticality crit according to
53       flags.
54
55       X509V3_EXT_d2i() attempts to decode the ASN.1 data contained in
56       extension ext and returns a pointer to an extension specific structure
57       or NULL if the extension could not be decoded (invalid syntax or not
58       supported).
59
60       X509V3_EXT_i2d() encodes the extension specific structure ext with OID
61       ext_nid and criticality crit.
62
63       X509_get_ext_d2i() and X509_add1_ext_i2d() operate on the extensions of
64       certificate x, they are otherwise identical to X509V3_get_d2i() and
65       X509V3_add_i2d().
66
67       X509_CRL_get_ext_d2i() and X509_CRL_add1_ext_i2d() operate on the
68       extensions of CRL crl, they are otherwise identical to X509V3_get_d2i()
69       and X509V3_add_i2d().
70
71       X509_REVOKED_get_ext_d2i() and X509_REVOKED_add1_ext_i2d() operate on
72       the extensions of X509_REVOKED structure r (i.e for CRL entry
73       extensions), they are otherwise identical to X509V3_get_d2i() and
74       X509V3_add_i2d().
75
76       X509_get0_extensions(), X509_CRL_get0_extensions() and
77       X509_REVOKED_get0_extensions() return a stack of all the extensions of
78       a certificate a CRL or a CRL entry respectively.
79

NOTES

81       In almost all cases an extension can occur at most once and multiple
82       occurrences is an error. Therefore, the idx parameter is usually NULL.
83
84       The flags parameter may be one of the following values.
85
86       X509V3_ADD_DEFAULT appends a new extension only if the extension does
87       not already exist. An error is returned if the extension does already
88       exist.
89
90       X509V3_ADD_APPEND appends a new extension, ignoring whether the
91       extension already exists.
92
93       X509V3_ADD_REPLACE replaces an extension if it exists otherwise appends
94       a new extension.
95
96       X509V3_ADD_REPLACE_EXISTING replaces an existing extension if it exists
97       otherwise returns an error.
98
99       X509V3_ADD_KEEP_EXISTING appends a new extension only if the extension
100       does not already exist. An error is not returned if the extension does
101       already exist.
102
103       X509V3_ADD_DELETE extension nid is deleted: no new extension is added.
104
105       If X509V3_ADD_SILENT is ored with flags: any error returned will not be
106       added to the error queue.
107
108       The function X509V3_get_d2i() and its variants will return NULL if the
109       extension is not found, occurs multiple times or cannot be decoded. It
110       is possible to determine the precise reason by checking the value of
111       *crit.
112

SUPPORTED EXTENSIONS

114       The following sections contain a list of all supported extensions
115       including their name and NID.
116
117   PKIX Certificate Extensions
118       The following certificate extensions are defined in PKIX standards such
119       as RFC5280.
120
121        Basic Constraints                  NID_basic_constraints
122        Key Usage                          NID_key_usage
123        Extended Key Usage                 NID_ext_key_usage
124
125        Subject Key Identifier             NID_subject_key_identifier
126        Authority Key Identifier           NID_authority_key_identifier
127
128        Private Key Usage Period           NID_private_key_usage_period
129
130        Subject Alternative Name           NID_subject_alt_name
131        Issuer Alternative Name            NID_issuer_alt_name
132
133        Authority Information Access       NID_info_access
134        Subject Information Access         NID_sinfo_access
135
136        Name Constraints                   NID_name_constraints
137
138        Certificate Policies               NID_certificate_policies
139        Policy Mappings                    NID_policy_mappings
140        Policy Constraints                 NID_policy_constraints
141        Inhibit Any Policy                 NID_inhibit_any_policy
142
143        TLS Feature                        NID_tlsfeature
144
145   Netscape Certificate Extensions
146       The following are (largely obsolete) Netscape certificate extensions.
147
148        Netscape Cert Type                 NID_netscape_cert_type
149        Netscape Base Url                  NID_netscape_base_url
150        Netscape Revocation Url            NID_netscape_revocation_url
151        Netscape CA Revocation Url         NID_netscape_ca_revocation_url
152        Netscape Renewal Url               NID_netscape_renewal_url
153        Netscape CA Policy Url             NID_netscape_ca_policy_url
154        Netscape SSL Server Name           NID_netscape_ssl_server_name
155        Netscape Comment                   NID_netscape_comment
156
157   Miscellaneous Certificate Extensions
158        Strong Extranet ID                 NID_sxnet
159        Proxy Certificate Information      NID_proxyCertInfo
160
161   PKIX CRL Extensions
162       The following are CRL extensions from PKIX standards such as RFC5280.
163
164        CRL Number                         NID_crl_number
165        CRL Distribution Points            NID_crl_distribution_points
166        Delta CRL Indicator                NID_delta_crl
167        Freshest CRL                       NID_freshest_crl
168        Invalidity Date                    NID_invalidity_date
169        Issuing Distribution Point         NID_issuing_distribution_point
170
171       The following are CRL entry extensions from PKIX standards such as
172       RFC5280.
173
174        CRL Reason Code                    NID_crl_reason
175        Certificate Issuer                 NID_certificate_issuer
176
177   OCSP Extensions
178        OCSP Nonce                         NID_id_pkix_OCSP_Nonce
179        OCSP CRL ID                        NID_id_pkix_OCSP_CrlID
180        Acceptable OCSP Responses          NID_id_pkix_OCSP_acceptableResponses
181        OCSP No Check                      NID_id_pkix_OCSP_noCheck
182        OCSP Archive Cutoff                NID_id_pkix_OCSP_archiveCutoff
183        OCSP Service Locator               NID_id_pkix_OCSP_serviceLocator
184        Hold Instruction Code              NID_hold_instruction_code
185
186   Certificate Transparency Extensions
187       The following extensions are used by certificate transparency, RFC6962
188
189        CT Precertificate SCTs             NID_ct_precert_scts
190        CT Certificate SCTs                NID_ct_cert_scts
191

RETURN VALUES

193       X509V3_get_d2i(), its variants, and X509V3_EXT_d2i() return a pointer
194       to an extension specific structure or NULL if an error occurs.
195
196       X509V3_add1_i2d() and its variants return 1 if the operation is
197       successful and 0 if it fails due to a non-fatal error (extension not
198       found, already exists, cannot be encoded) or -1 due to a fatal error
199       such as a memory allocation failure.
200
201       X509V3_EXT_i2d() returns a pointer to an X509_EXTENSION structure or
202       NULL if an error occurs.
203
204       X509_get0_extensions(), X509_CRL_get0_extensions() and
205       X509_REVOKED_get0_extensions() return a stack of extensions. They
206       return NULL if no extensions are present.
207

SEE ALSO

209       d2i_X509(3), ERR_get_error(3), X509_CRL_get0_by_serial(3),
210       X509_get0_signature(3), X509_get_ext_d2i(3),
211       X509_get_extension_flags(3), X509_get_pubkey(3),
212       X509_get_subject_name(3), X509_get_version(3),
213       X509_NAME_add_entry_by_txt(3), X509_NAME_ENTRY_get_object(3),
214       X509_NAME_get_index_by_NID(3), X509_NAME_print_ex(3), X509_new(3),
215       X509_sign(3), X509_verify_cert(3)
216
218       Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
219
220       Licensed under the Apache License 2.0 (the "License").  You may not use
221       this file except in compliance with the License.  You can obtain a copy
222       in the file LICENSE in the source distribution or at
223       <https://www.openssl.org/source/license.html>.
224
225
226
2273.0.5                             2022-11-01             X509V3_GET_D2I(3ossl)
Impressum