xref: /freebsd/crypto/openssl/doc/man3/X509V3_get_d2i.pod (revision 7fdf597e96a02165cfe22ff357b857d5fa15ed8a)
1=pod
2
3=head1 NAME
4
5X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d,
6X509_get_ext_d2i, X509_add1_ext_i2d,
7X509_CRL_get_ext_d2i, X509_CRL_add1_ext_i2d,
8X509_REVOKED_get_ext_d2i, X509_REVOKED_add1_ext_i2d,
9X509_get0_extensions, X509_CRL_get0_extensions,
10X509_REVOKED_get0_extensions - X509 extension decode and encode functions
11
12=head1 SYNOPSIS
13
14 #include <openssl/x509v3.h>
15
16 void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
17                      int *idx);
18 int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
19                     int crit, unsigned long flags);
20
21 void *X509V3_EXT_d2i(X509_EXTENSION *ext);
22 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
23
24 void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx);
25 int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
26                       unsigned long flags);
27
28 void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, int *crit, int *idx);
29 int X509_CRL_add1_ext_i2d(X509_CRL *crl, int nid, void *value, int crit,
30                           unsigned long flags);
31
32 void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *r, int nid, int *crit, int *idx);
33 int X509_REVOKED_add1_ext_i2d(X509_REVOKED *r, int nid, void *value, int crit,
34                               unsigned long flags);
35
36 const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
37 const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
38 const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(const X509_REVOKED *r);
39
40=head1 DESCRIPTION
41
42X509V3_get_d2i() looks for an extension with OID I<nid> in the extensions
43I<x> and, if found, decodes it. If I<idx> is NULL then only one
44occurrence of an extension is permissible, otherwise the first extension after
45index I<*idx> is returned and I<*idx> updated to the location of the extension.
46If I<crit> is not NULL then I<*crit> is set to a status value: -2 if the
47extension occurs multiple times (this is only returned if I<idx> is NULL),
48-1 if the extension could not be found, 0 if the extension is found and is
49not critical and 1 if critical. A pointer to an extension specific structure
50or NULL is returned.
51
52X509V3_add1_i2d() adds extension I<value> to STACK I<*x> (allocating a new
53STACK if necessary) using OID I<nid> and criticality I<crit> according
54to I<flags>.
55
56X509V3_EXT_d2i() attempts to decode the ASN.1 data contained in extension
57I<ext> and returns a pointer to an extension specific structure or NULL
58if the extension could not be decoded (invalid syntax or not supported).
59
60X509V3_EXT_i2d() encodes the extension specific structure I<ext_struc>
61with OID I<ext_nid> and criticality I<crit>.
62
63X509_get_ext_d2i() and X509_add1_ext_i2d() operate on the extensions of
64certificate I<x>. They are otherwise identical to X509V3_get_d2i() and
65X509V3_add1_i2d().
66
67X509_CRL_get_ext_d2i() and X509_CRL_add1_ext_i2d() operate on the extensions
68of CRL I<crl>. They are otherwise identical to X509V3_get_d2i() and
69X509V3_add1_i2d().
70
71X509_REVOKED_get_ext_d2i() and X509_REVOKED_add1_ext_i2d() operate on the
72extensions of B<X509_REVOKED> structure I<r> (i.e for CRL entry extensions).
73They are otherwise identical to X509V3_get_d2i() and X509V3_add1_i2d().
74
75X509_get0_extensions(), X509_CRL_get0_extensions() and
76X509_REVOKED_get0_extensions() return a STACK of all the extensions
77of a certificate, a CRL or a CRL entry respectively.
78
79=head1 NOTES
80
81In almost all cases an extension can occur at most once and multiple
82occurrences is an error. Therefore, the I<idx> parameter is usually NULL.
83
84The I<flags> parameter may be one of the following values.
85
86B<X509V3_ADD_DEFAULT> appends a new extension only if the extension does
87not exist. An error is returned if the extension exists.
88
89B<X509V3_ADD_APPEND> appends a new extension, ignoring whether the extension
90exists.
91
92B<X509V3_ADD_REPLACE> replaces an existing extension. If the extension does
93not exist, appends a new extension.
94
95B<X509V3_ADD_REPLACE_EXISTING> replaces an existing extension. If the
96extension does not exist, returns an error.
97
98B<X509V3_ADD_KEEP_EXISTING> appends a new extension only if the extension does
99not exist. An error is B<not> returned if the extension exists.
100
101B<X509V3_ADD_DELETE> deletes and frees an existing extension. If the extension
102does not exist, returns an error. No new extension is added.
103
104If B<X509V3_ADD_SILENT> is bitwise ORed with I<flags>: any error returned
105will not be added to the error queue.
106
107The function X509V3_get_d2i() and its variants
108will return NULL if the extension is not
109found, occurs multiple times or cannot be decoded. It is possible to
110determine the precise reason by checking the value of I<*crit>.
111The returned pointer must be explicitly freed.
112
113The function X509V3_add1_i2d() and its variants allocate B<X509_EXTENSION>
114objects on STACK I<*x> depending on I<flags>. The B<X509_EXTENSION> objects
115must be explicitly freed using X509_EXTENSION_free().
116
117=head1 SUPPORTED EXTENSIONS
118
119The following sections contain a list of all supported extensions
120including their name and NID.
121
122=head2 PKIX Certificate Extensions
123
124The following certificate extensions are defined in PKIX standards such as
125RFC5280.
126
127 Basic Constraints                  NID_basic_constraints
128 Key Usage                          NID_key_usage
129 Extended Key Usage                 NID_ext_key_usage
130
131 Subject Key Identifier             NID_subject_key_identifier
132 Authority Key Identifier           NID_authority_key_identifier
133
134 Private Key Usage Period           NID_private_key_usage_period
135
136 Subject Alternative Name           NID_subject_alt_name
137 Issuer Alternative Name            NID_issuer_alt_name
138
139 Authority Information Access       NID_info_access
140 Subject Information Access         NID_sinfo_access
141
142 Name Constraints                   NID_name_constraints
143
144 Certificate Policies               NID_certificate_policies
145 Policy Mappings                    NID_policy_mappings
146 Policy Constraints                 NID_policy_constraints
147 Inhibit Any Policy                 NID_inhibit_any_policy
148
149 TLS Feature                        NID_tlsfeature
150
151=head2 Netscape Certificate Extensions
152
153The following are (largely obsolete) Netscape certificate extensions.
154
155 Netscape Cert Type                 NID_netscape_cert_type
156 Netscape Base Url                  NID_netscape_base_url
157 Netscape Revocation Url            NID_netscape_revocation_url
158 Netscape CA Revocation Url         NID_netscape_ca_revocation_url
159 Netscape Renewal Url               NID_netscape_renewal_url
160 Netscape CA Policy Url             NID_netscape_ca_policy_url
161 Netscape SSL Server Name           NID_netscape_ssl_server_name
162 Netscape Comment                   NID_netscape_comment
163
164=head2 Miscellaneous Certificate Extensions
165
166 Strong Extranet ID                 NID_sxnet
167 Proxy Certificate Information      NID_proxyCertInfo
168
169=head2 PKIX CRL Extensions
170
171The following are CRL extensions from PKIX standards such as RFC5280.
172
173 CRL Number                         NID_crl_number
174 CRL Distribution Points            NID_crl_distribution_points
175 Delta CRL Indicator                NID_delta_crl
176 Freshest CRL                       NID_freshest_crl
177 Invalidity Date                    NID_invalidity_date
178 Issuing Distribution Point         NID_issuing_distribution_point
179
180The following are CRL entry extensions from PKIX standards such as RFC5280.
181
182 CRL Reason Code                    NID_crl_reason
183 Certificate Issuer                 NID_certificate_issuer
184
185=head2 OCSP Extensions
186
187 OCSP Nonce                         NID_id_pkix_OCSP_Nonce
188 OCSP CRL ID                        NID_id_pkix_OCSP_CrlID
189 Acceptable OCSP Responses          NID_id_pkix_OCSP_acceptableResponses
190 OCSP No Check                      NID_id_pkix_OCSP_noCheck
191 OCSP Archive Cutoff                NID_id_pkix_OCSP_archiveCutoff
192 OCSP Service Locator               NID_id_pkix_OCSP_serviceLocator
193 Hold Instruction Code              NID_hold_instruction_code
194
195=head2 Certificate Transparency Extensions
196
197The following extensions are used by certificate transparency, RFC6962
198
199 CT Precertificate SCTs             NID_ct_precert_scts
200 CT Certificate SCTs                NID_ct_cert_scts
201
202=head1 RETURN VALUES
203
204X509V3_get_d2i(), its variants, and X509V3_EXT_d2i() return
205a pointer to an extension specific structure or NULL if an error occurs.
206
207X509V3_add1_i2d() and its variants return 1 if the operation is successful
208and 0 if it fails due to a non-fatal error (extension not found, already exists,
209cannot be encoded) or -1 due to a fatal error such as a memory allocation
210failure.
211
212X509V3_EXT_i2d() returns a pointer to an B<X509_EXTENSION> structure
213or NULL if an error occurs.
214
215X509_get0_extensions(), X509_CRL_get0_extensions() and
216X509_REVOKED_get0_extensions() return a stack of extensions. They return
217NULL if no extensions are present.
218
219=head1 SEE ALSO
220
221L<d2i_X509(3)>,
222L<ERR_get_error(3)>,
223L<X509_CRL_get0_by_serial(3)>,
224L<X509_get0_signature(3)>,
225L<X509_get_ext_d2i(3)>,
226L<X509_get_extension_flags(3)>,
227L<X509_get_pubkey(3)>,
228L<X509_get_subject_name(3)>,
229L<X509_get_version(3)>,
230L<X509_NAME_add_entry_by_txt(3)>,
231L<X509_NAME_ENTRY_get_object(3)>,
232L<X509_NAME_get_index_by_NID(3)>,
233L<X509_NAME_print_ex(3)>,
234L<X509_new(3)>,
235L<X509_sign(3)>,
236L<X509_verify_cert(3)>
237
238=head1 COPYRIGHT
239
240Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
241
242Licensed under the Apache License 2.0 (the "License").  You may not use
243this file except in compliance with the License.  You can obtain a copy
244in the file LICENSE in the source distribution or at
245L<https://www.openssl.org/source/license.html>.
246
247=cut
248