1X509V3_GET_D2I(3ossl) OpenSSL X509V3_GET_D2I(3ossl)
2
6 X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d,
7 X509_get_ext_d2i, X509_add1_ext_i2d, X509_CRL_get_ext_d2i,
8 X509_CRL_add1_ext_i2d, X509_REVOKED_get_ext_d2i,
9 X509_REVOKED_add1_ext_i2d, X509_get0_extensions,
10 X509_CRL_get0_extensions, X509_REVOKED_get0_extensions - X509 extension
11 decode and encode functions
12
14 #include <openssl/x509v3.h>
15 void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
17 int *idx);
18 int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
19 int crit, unsigned long flags);
20 void *X509V3_EXT_d2i(X509_EXTENSION *ext);
22 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
23 void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx);
25 int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
26 unsigned long flags);
27 void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, int *crit, int *idx);
29 int X509_CRL_add1_ext_i2d(X509_CRL *crl, int nid, void *value, int crit,
30 unsigned long flags);
31 void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *r, int nid, int *crit, int *idx);
33 int X509_REVOKED_add1_ext_i2d(X509_REVOKED *r, int nid, void *value, int crit,
34 unsigned long flags);
35 const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
37 const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
38 const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(const X509_REVOKED *r);
39
41 X509V3_get_d2i() looks for an extension with OID nid in the extensions
42 x and, if found, decodes it. If idx is NULL then only one occurrence of
43 an extension is permissible, otherwise the first extension after index
44 *idx is returned and *idx updated to the location of the extension. If
45 crit is not NULL then *crit is set to a status value: -2 if the
46 extension occurs multiple times (this is only returned if idx is NULL),
47 -1 if the extension could not be found, 0 if the extension is found and
48 is not critical and 1 if critical. A pointer to an extension specific
49 structure or NULL is returned.
50 X509V3_add1_i2d() adds extension value to STACK *x (allocating a new
52 STACK if necessary) using OID nid and criticality crit according to
53 flags.
54 X509V3_EXT_d2i() attempts to decode the ASN.1 data contained in
56 extension ext and returns a pointer to an extension specific structure
57 or NULL if the extension could not be decoded (invalid syntax or not
58 supported).
59 X509V3_EXT_i2d() encodes the extension specific structure ext_struc
61 with OID ext_nid and criticality crit.
62 X509_get_ext_d2i() and X509_add1_ext_i2d() operate on the extensions of
64 certificate x. They are otherwise identical to X509V3_get_d2i() and
65 X509V3_add1_i2d().
66 X509_CRL_get_ext_d2i() and X509_CRL_add1_ext_i2d() operate on the
68 extensions of CRL crl. They are otherwise identical to X509V3_get_d2i()
69 and X509V3_add1_i2d().
70 X509_REVOKED_get_ext_d2i() and X509_REVOKED_add1_ext_i2d() operate on
72 the extensions of X509_REVOKED structure r (i.e for CRL entry
73 extensions). They are otherwise identical to X509V3_get_d2i() and
74 X509V3_add1_i2d().
75 X509_get0_extensions(), X509_CRL_get0_extensions() and
77 X509_REVOKED_get0_extensions() return a STACK of all the extensions of
78 a certificate, a CRL or a CRL entry respectively.
79
81 In almost all cases an extension can occur at most once and multiple
82 occurrences is an error. Therefore, the idx parameter is usually NULL.
83 The flags parameter may be one of the following values.
85 X509V3_ADD_DEFAULT appends a new extension only if the extension does
87 not exist. An error is returned if the extension exists.
88 X509V3_ADD_APPEND appends a new extension, ignoring whether the
90 extension exists.
91 X509V3_ADD_REPLACE replaces an existing extension. If the extension
93 does not exist, appends a new extension.
94 X509V3_ADD_REPLACE_EXISTING replaces an existing extension. If the
96 extension does not exist, returns an error.
97 X509V3_ADD_KEEP_EXISTING appends a new extension only if the extension
99 does not exist. An error is not returned if the extension exists.
100 X509V3_ADD_DELETE deletes and frees an existing extension. If the
102 extension does not exist, returns an error. No new extension is added.
103 If X509V3_ADD_SILENT is bitwise ORed with flags: any error returned
105 will not be added to the error queue.
106 The function X509V3_get_d2i() and its variants will return NULL if the
108 extension is not found, occurs multiple times or cannot be decoded. It
109 is possible to determine the precise reason by checking the value of
110 *crit.
111 The function X509V3_add1_i2d() and its variants allocate X509_EXTENSION
113 objects on STACK *x depending on flags. The X509_EXTENSION objects must
114 be explicitly freed using X509_EXTENSION_free().
115
117 The following sections contain a list of all supported extensions
118 including their name and NID.
119 PKIX Certificate Extensions
121 The following certificate extensions are defined in PKIX standards such
122 as RFC5280.
123 Basic Constraints NID_basic_constraints
125 Key Usage NID_key_usage
126 Extended Key Usage NID_ext_key_usage
127 Subject Key Identifier NID_subject_key_identifier
129 Authority Key Identifier NID_authority_key_identifier
130 Private Key Usage Period NID_private_key_usage_period
132 Subject Alternative Name NID_subject_alt_name
134 Issuer Alternative Name NID_issuer_alt_name
135 Authority Information Access NID_info_access
137 Subject Information Access NID_sinfo_access
138 Name Constraints NID_name_constraints
140 Certificate Policies NID_certificate_policies
142 Policy Mappings NID_policy_mappings
143 Policy Constraints NID_policy_constraints
144 Inhibit Any Policy NID_inhibit_any_policy
145 TLS Feature NID_tlsfeature
147 Netscape Certificate Extensions
149 The following are (largely obsolete) Netscape certificate extensions.
150 Netscape Cert Type NID_netscape_cert_type
152 Netscape Base Url NID_netscape_base_url
153 Netscape Revocation Url NID_netscape_revocation_url
154 Netscape CA Revocation Url NID_netscape_ca_revocation_url
155 Netscape Renewal Url NID_netscape_renewal_url
156 Netscape CA Policy Url NID_netscape_ca_policy_url
157 Netscape SSL Server Name NID_netscape_ssl_server_name
158 Netscape Comment NID_netscape_comment
159 Miscellaneous Certificate Extensions
161 Strong Extranet ID NID_sxnet
162 Proxy Certificate Information NID_proxyCertInfo
163 PKIX CRL Extensions
165 The following are CRL extensions from PKIX standards such as RFC5280.
166 CRL Number NID_crl_number
168 CRL Distribution Points NID_crl_distribution_points
169 Delta CRL Indicator NID_delta_crl
170 Freshest CRL NID_freshest_crl
171 Invalidity Date NID_invalidity_date
172 Issuing Distribution Point NID_issuing_distribution_point
173 The following are CRL entry extensions from PKIX standards such as
175 RFC5280.
176 CRL Reason Code NID_crl_reason
178 Certificate Issuer NID_certificate_issuer
179 OCSP Extensions
181 OCSP Nonce NID_id_pkix_OCSP_Nonce
182 OCSP CRL ID NID_id_pkix_OCSP_CrlID
183 Acceptable OCSP Responses NID_id_pkix_OCSP_acceptableResponses
184 OCSP No Check NID_id_pkix_OCSP_noCheck
185 OCSP Archive Cutoff NID_id_pkix_OCSP_archiveCutoff
186 OCSP Service Locator NID_id_pkix_OCSP_serviceLocator
187 Hold Instruction Code NID_hold_instruction_code
188 Certificate Transparency Extensions
190 The following extensions are used by certificate transparency, RFC6962
191 CT Precertificate SCTs NID_ct_precert_scts
193 CT Certificate SCTs NID_ct_cert_scts
194
196 X509V3_get_d2i(), its variants, and X509V3_EXT_d2i() return a pointer
197 to an extension specific structure or NULL if an error occurs.
198 X509V3_add1_i2d() and its variants return 1 if the operation is
200 successful and 0 if it fails due to a non-fatal error (extension not
201 found, already exists, cannot be encoded) or -1 due to a fatal error
202 such as a memory allocation failure.
203 X509V3_EXT_i2d() returns a pointer to an X509_EXTENSION structure or
205 NULL if an error occurs.
206 X509_get0_extensions(), X509_CRL_get0_extensions() and
208 X509_REVOKED_get0_extensions() return a stack of extensions. They
209 return NULL if no extensions are present.
210
212 d2i_X509(3), ERR_get_error(3), X509_CRL_get0_by_serial(3),
213 X509_get0_signature(3), X509_get_ext_d2i(3),
214 X509_get_extension_flags(3), X509_get_pubkey(3),
215 X509_get_subject_name(3), X509_get_version(3),
216 X509_NAME_add_entry_by_txt(3), X509_NAME_ENTRY_get_object(3),
217 X509_NAME_get_index_by_NID(3), X509_NAME_print_ex(3), X509_new(3),
218 X509_sign(3), X509_verify_cert(3)
219
221 Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
222 Licensed under the Apache License 2.0 (the "License"). You may not use
224 this file except in compliance with the License. You can obtain a copy
225 in the file LICENSE in the source distribution or at
226 <https://www.openssl.org/source/license.html>.
2273.1.1 2023-08-31 X509V3_GET_D2I(3ossl)