1=pod 2 3=head1 NAME 4 5X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d, 6X509_get_ext_d2i, X509_add1_ext_i2d, 7X509_CRL_get_ext_d2i, X509_CRL_add1_ext_i2d, 8X509_REVOKED_get_ext_d2i, X509_REVOKED_add1_ext_i2d, 9X509_get0_extensions, X509_CRL_get0_extensions, 10X509_REVOKED_get0_extensions - X509 extension decode and encode functions 11 12=head1 SYNOPSIS 13 14 #include <openssl/x509v3.h> 15 16 void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit, 17 int *idx); 18 int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, 19 int crit, unsigned long flags); 20 21 void *X509V3_EXT_d2i(X509_EXTENSION *ext); 22 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc); 23 24 void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx); 25 int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit, 26 unsigned long flags); 27 28 void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, int *crit, int *idx); 29 int X509_CRL_add1_ext_i2d(X509_CRL *crl, int nid, void *value, int crit, 30 unsigned long flags); 31 32 void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *r, int nid, int *crit, int *idx); 33 int X509_REVOKED_add1_ext_i2d(X509_REVOKED *r, int nid, void *value, int crit, 34 unsigned long flags); 35 36 const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x); 37 const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl); 38 const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(const X509_REVOKED *r); 39 40=head1 DESCRIPTION 41 42X509V3_get_d2i() looks for an extension with OID I<nid> in the extensions 43I<x> and, if found, decodes it. If I<idx> is NULL then only one 44occurrence of an extension is permissible, otherwise the first extension after 45index I<*idx> is returned and I<*idx> updated to the location of the extension. 46If I<crit> is not NULL then I<*crit> is set to a status value: -2 if the 47extension occurs multiple times (this is only returned if I<idx> is NULL), 48-1 if the extension could not be found, 0 if the extension is found and is 49not critical and 1 if critical. A pointer to an extension specific structure 50or NULL is returned. 51 52X509V3_add1_i2d() adds extension I<value> to STACK I<*x> (allocating a new 53STACK if necessary) using OID I<nid> and criticality I<crit> according 54to I<flags>. 55 56X509V3_EXT_d2i() attempts to decode the ASN.1 data contained in extension 57I<ext> and returns a pointer to an extension specific structure or NULL 58if the extension could not be decoded (invalid syntax or not supported). 59 60X509V3_EXT_i2d() encodes the extension specific structure I<ext_struc> 61with OID I<ext_nid> and criticality I<crit>. 62 63X509_get_ext_d2i() and X509_add1_ext_i2d() operate on the extensions of 64certificate I<x>. They are otherwise identical to X509V3_get_d2i() and 65X509V3_add1_i2d(). 66 67X509_CRL_get_ext_d2i() and X509_CRL_add1_ext_i2d() operate on the extensions 68of CRL I<crl>. They are otherwise identical to X509V3_get_d2i() and 69X509V3_add1_i2d(). 70 71X509_REVOKED_get_ext_d2i() and X509_REVOKED_add1_ext_i2d() operate on the 72extensions of B<X509_REVOKED> structure I<r> (i.e for CRL entry extensions). 73They are otherwise identical to X509V3_get_d2i() and X509V3_add1_i2d(). 74 75X509_get0_extensions(), X509_CRL_get0_extensions() and 76X509_REVOKED_get0_extensions() return a STACK of all the extensions 77of a certificate, a CRL or a CRL entry respectively. 78 79=head1 NOTES 80 81In almost all cases an extension can occur at most once and multiple 82occurrences is an error. Therefore, the I<idx> parameter is usually NULL. 83 84The I<flags> parameter may be one of the following values. 85 86B<X509V3_ADD_DEFAULT> appends a new extension only if the extension does 87not exist. An error is returned if the extension exists. 88 89B<X509V3_ADD_APPEND> appends a new extension, ignoring whether the extension 90exists. 91 92B<X509V3_ADD_REPLACE> replaces an existing extension. If the extension does 93not exist, appends a new extension. 94 95B<X509V3_ADD_REPLACE_EXISTING> replaces an existing extension. If the 96extension does not exist, returns an error. 97 98B<X509V3_ADD_KEEP_EXISTING> appends a new extension only if the extension does 99not exist. An error is B<not> returned if the extension exists. 100 101B<X509V3_ADD_DELETE> deletes and frees an existing extension. If the extension 102does not exist, returns an error. No new extension is added. 103 104If B<X509V3_ADD_SILENT> is bitwise ORed with I<flags>: any error returned 105will not be added to the error queue. 106 107The function X509V3_get_d2i() and its variants 108will return NULL if the extension is not 109found, occurs multiple times or cannot be decoded. It is possible to 110determine the precise reason by checking the value of I<*crit>. 111The returned pointer must be explicitly freed. 112 113The function X509V3_add1_i2d() and its variants allocate B<X509_EXTENSION> 114objects on STACK I<*x> depending on I<flags>. The B<X509_EXTENSION> objects 115must be explicitly freed using X509_EXTENSION_free(). 116 117=head1 SUPPORTED EXTENSIONS 118 119The following sections contain a list of all supported extensions 120including their name and NID. 121 122=head2 PKIX Certificate Extensions 123 124The following certificate extensions are defined in PKIX standards such as 125RFC5280. 126 127 Basic Constraints NID_basic_constraints 128 Key Usage NID_key_usage 129 Extended Key Usage NID_ext_key_usage 130 131 Subject Key Identifier NID_subject_key_identifier 132 Authority Key Identifier NID_authority_key_identifier 133 134 Private Key Usage Period NID_private_key_usage_period 135 136 Subject Alternative Name NID_subject_alt_name 137 Issuer Alternative Name NID_issuer_alt_name 138 139 Authority Information Access NID_info_access 140 Subject Information Access NID_sinfo_access 141 142 Name Constraints NID_name_constraints 143 144 Certificate Policies NID_certificate_policies 145 Policy Mappings NID_policy_mappings 146 Policy Constraints NID_policy_constraints 147 Inhibit Any Policy NID_inhibit_any_policy 148 149 TLS Feature NID_tlsfeature 150 151=head2 Netscape Certificate Extensions 152 153The following are (largely obsolete) Netscape certificate extensions. 154 155 Netscape Cert Type NID_netscape_cert_type 156 Netscape Base Url NID_netscape_base_url 157 Netscape Revocation Url NID_netscape_revocation_url 158 Netscape CA Revocation Url NID_netscape_ca_revocation_url 159 Netscape Renewal Url NID_netscape_renewal_url 160 Netscape CA Policy Url NID_netscape_ca_policy_url 161 Netscape SSL Server Name NID_netscape_ssl_server_name 162 Netscape Comment NID_netscape_comment 163 164=head2 Miscellaneous Certificate Extensions 165 166 Strong Extranet ID NID_sxnet 167 Proxy Certificate Information NID_proxyCertInfo 168 169=head2 PKIX CRL Extensions 170 171The following are CRL extensions from PKIX standards such as RFC5280. 172 173 CRL Number NID_crl_number 174 CRL Distribution Points NID_crl_distribution_points 175 Delta CRL Indicator NID_delta_crl 176 Freshest CRL NID_freshest_crl 177 Invalidity Date NID_invalidity_date 178 Issuing Distribution Point NID_issuing_distribution_point 179 180The following are CRL entry extensions from PKIX standards such as RFC5280. 181 182 CRL Reason Code NID_crl_reason 183 Certificate Issuer NID_certificate_issuer 184 185=head2 OCSP Extensions 186 187 OCSP Nonce NID_id_pkix_OCSP_Nonce 188 OCSP CRL ID NID_id_pkix_OCSP_CrlID 189 Acceptable OCSP Responses NID_id_pkix_OCSP_acceptableResponses 190 OCSP No Check NID_id_pkix_OCSP_noCheck 191 OCSP Archive Cutoff NID_id_pkix_OCSP_archiveCutoff 192 OCSP Service Locator NID_id_pkix_OCSP_serviceLocator 193 Hold Instruction Code NID_hold_instruction_code 194 195=head2 Certificate Transparency Extensions 196 197The following extensions are used by certificate transparency, RFC6962 198 199 CT Precertificate SCTs NID_ct_precert_scts 200 CT Certificate SCTs NID_ct_cert_scts 201 202=head1 RETURN VALUES 203 204X509V3_get_d2i(), its variants, and X509V3_EXT_d2i() return 205a pointer to an extension specific structure or NULL if an error occurs. 206 207X509V3_add1_i2d() and its variants return 1 if the operation is successful 208and 0 if it fails due to a non-fatal error (extension not found, already exists, 209cannot be encoded) or -1 due to a fatal error such as a memory allocation 210failure. 211 212X509V3_EXT_i2d() returns a pointer to an B<X509_EXTENSION> structure 213or NULL if an error occurs. 214 215X509_get0_extensions(), X509_CRL_get0_extensions() and 216X509_REVOKED_get0_extensions() return a stack of extensions. They return 217NULL if no extensions are present. 218 219=head1 SEE ALSO 220 221L<d2i_X509(3)>, 222L<ERR_get_error(3)>, 223L<X509_CRL_get0_by_serial(3)>, 224L<X509_get0_signature(3)>, 225L<X509_get_ext_d2i(3)>, 226L<X509_get_extension_flags(3)>, 227L<X509_get_pubkey(3)>, 228L<X509_get_subject_name(3)>, 229L<X509_get_version(3)>, 230L<X509_NAME_add_entry_by_txt(3)>, 231L<X509_NAME_ENTRY_get_object(3)>, 232L<X509_NAME_get_index_by_NID(3)>, 233L<X509_NAME_print_ex(3)>, 234L<X509_new(3)>, 235L<X509_sign(3)>, 236L<X509_verify_cert(3)> 237 238=head1 COPYRIGHT 239 240Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved. 241 242Licensed under the Apache License 2.0 (the "License"). You may not use 243this file except in compliance with the License. You can obtain a copy 244in the file LICENSE in the source distribution or at 245L<https://www.openssl.org/source/license.html>. 246 247=cut 248