1=pod 2 3=head1 NAME 4 5X509_get0_extensions, X509_CRL_get0_extensions, X509_REVOKED_get0_extensions, 6X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d, 7X509_get_ext_d2i, X509_add1_ext_i2d, X509_CRL_get_ext_d2i, 8X509_CRL_add1_ext_i2d, X509_REVOKED_get_ext_d2i, 9X509_REVOKED_add1_ext_i2d - X509 extension decode and encode functions 10 11=head1 SYNOPSIS 12 13 #include <openssl/x509v3.h> 14 15 void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit, 16 int *idx); 17 int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, 18 int crit, unsigned long flags); 19 20 void *X509V3_EXT_d2i(X509_EXTENSION *ext); 21 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext); 22 23 void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx); 24 int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit, 25 unsigned long flags); 26 27 void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, int *crit, int *idx); 28 int X509_CRL_add1_ext_i2d(X509_CRL *crl, int nid, void *value, int crit, 29 unsigned long flags); 30 31 void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *r, int nid, int *crit, int *idx); 32 int X509_REVOKED_add1_ext_i2d(X509_REVOKED *r, int nid, void *value, int crit, 33 unsigned long flags); 34 35 const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x); 36 const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl); 37 const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(const X509_REVOKED *r); 38 39=head1 DESCRIPTION 40 41X509V3_get_ext_d2i() looks for an extension with OID B<nid> in the extensions 42B<x> and, if found, decodes it. If B<idx> is B<NULL> then only one 43occurrence of an extension is permissible otherwise the first extension after 44index B<*idx> is returned and B<*idx> updated to the location of the extension. 45If B<crit> is not B<NULL> then B<*crit> is set to a status value: -2 if the 46extension occurs multiple times (this is only returned if B<idx> is B<NULL>), 47-1 if the extension could not be found, 0 if the extension is found and is 48not critical and 1 if critical. A pointer to an extension specific structure 49or B<NULL> is returned. 50 51X509V3_add1_i2d() adds extension B<value> to STACK B<*x> (allocating a new 52STACK if necessary) using OID B<nid> and criticality B<crit> according 53to B<flags>. 54 55X509V3_EXT_d2i() attempts to decode the ASN.1 data contained in extension 56B<ext> and returns a pointer to an extension specific structure or B<NULL> 57if the extension could not be decoded (invalid syntax or not supported). 58 59X509V3_EXT_i2d() encodes the extension specific structure B<ext> 60with OID B<ext_nid> and criticality B<crit>. 61 62X509_get_ext_d2i() and X509_add1_ext_i2d() operate on the extensions of 63certificate B<x>, they are otherwise identical to X509V3_get_d2i() and 64X509V3_add_i2d(). 65 66X509_CRL_get_ext_d2i() and X509_CRL_add1_ext_i2d() operate on the extensions 67of CRL B<crl>, they are otherwise identical to X509V3_get_d2i() and 68X509V3_add_i2d(). 69 70X509_REVOKED_get_ext_d2i() and X509_REVOKED_add1_ext_i2d() operate on the 71extensions of B<X509_REVOKED> structure B<r> (i.e for CRL entry extensions), 72they are otherwise identical to X509V3_get_d2i() and X509V3_add_i2d(). 73 74X509_get0_extensions(), X509_CRL_get0_extensions() and 75X509_REVOKED_get0_extensions() return a stack of all the extensions 76of a certificate a CRL or a CRL entry respectively. 77 78=head1 NOTES 79 80In almost all cases an extension can occur at most once and multiple 81occurrences is an error. Therefore the B<idx> parameter is usually B<NULL>. 82 83The B<flags> parameter may be one of the following values. 84 85B<X509V3_ADD_DEFAULT> appends a new extension only if the extension does 86not already exist. An error is returned if the extension does already 87exist. 88 89B<X509V3_ADD_APPEND> appends a new extension, ignoring whether the extension 90already exists. 91 92B<X509V3_ADD_REPLACE> replaces an extension if it exists otherwise appends 93a new extension. 94 95B<X509V3_ADD_REPLACE_EXISTING> replaces an existing extension if it exists 96otherwise returns an error. 97 98B<X509V3_ADD_KEEP_EXISTING> appends a new extension only if the extension does 99not already exist. An error B<is not> returned if the extension does already 100exist. 101 102B<X509V3_ADD_DELETE> extension B<nid> is deleted: no new extension is added. 103 104If B<X509V3_ADD_SILENT> is ored with B<flags>: any error returned will not 105be added to the error queue. 106 107The function X509V3_get_d2i() will return B<NULL> if the extension is not 108found, occurs multiple times or cannot be decoded. It is possible to 109determine the precise reason by checking the value of B<*crit>. 110 111=head1 SUPPORTED EXTENSIONS 112 113The following sections contain a list of all supported extensions 114including their name and NID. 115 116=head2 PKIX Certificate Extensions 117 118The following certificate extensions are defined in PKIX standards such as 119RFC5280. 120 121 Basic Constraints NID_basic_constraints 122 Key Usage NID_key_usage 123 Extended Key Usage NID_ext_key_usage 124 125 Subject Key Identifier NID_subject_key_identifier 126 Authority Key Identifier NID_authority_key_identifier 127 128 Private Key Usage Period NID_private_key_usage_period 129 130 Subject Alternative Name NID_subject_alt_name 131 Issuer Alternative Name NID_issuer_alt_name 132 133 Authority Information Access NID_info_access 134 Subject Information Access NID_sinfo_access 135 136 Name Constraints NID_name_constraints 137 138 Certificate Policies NID_certificate_policies 139 Policy Mappings NID_policy_mappings 140 Policy Constraints NID_policy_constraints 141 Inhibit Any Policy NID_inhibit_any_policy 142 143 TLS Feature NID_tlsfeature 144 145=head2 Netscape Certificate Extensions 146 147The following are (largely obsolete) Netscape certificate extensions. 148 149 Netscape Cert Type NID_netscape_cert_type 150 Netscape Base Url NID_netscape_base_url 151 Netscape Revocation Url NID_netscape_revocation_url 152 Netscape CA Revocation Url NID_netscape_ca_revocation_url 153 Netscape Renewal Url NID_netscape_renewal_url 154 Netscape CA Policy Url NID_netscape_ca_policy_url 155 Netscape SSL Server Name NID_netscape_ssl_server_name 156 Netscape Comment NID_netscape_comment 157 158=head2 Miscellaneous Certificate Extensions 159 160 Strong Extranet ID NID_sxnet 161 Proxy Certificate Information NID_proxyCertInfo 162 163=head2 PKIX CRL Extensions 164 165The following are CRL extensions from PKIX standards such as RFC5280. 166 167 CRL Number NID_crl_number 168 CRL Distribution Points NID_crl_distribution_points 169 Delta CRL Indicator NID_delta_crl 170 Freshest CRL NID_freshest_crl 171 Invalidity Date NID_invalidity_date 172 Issuing Distribution Point NID_issuing_distribution_point 173 174The following are CRL entry extensions from PKIX standards such as RFC5280. 175 176 CRL Reason Code NID_crl_reason 177 Certificate Issuer NID_certificate_issuer 178 179=head2 OCSP Extensions 180 181 OCSP Nonce NID_id_pkix_OCSP_Nonce 182 OCSP CRL ID NID_id_pkix_OCSP_CrlID 183 Acceptable OCSP Responses NID_id_pkix_OCSP_acceptableResponses 184 OCSP No Check NID_id_pkix_OCSP_noCheck 185 OCSP Archive Cutoff NID_id_pkix_OCSP_archiveCutoff 186 OCSP Service Locator NID_id_pkix_OCSP_serviceLocator 187 Hold Instruction Code NID_hold_instruction_code 188 189=head2 Certificate Transparency Extensions 190 191The following extensions are used by certificate transparency, RFC6962 192 193 CT Precertificate SCTs NID_ct_precert_scts 194 CT Certificate SCTs NID_ct_cert_scts 195 196=head1 RETURN VALUES 197 198X509V3_EXT_d2i() and *X509V3_get_d2i() return a pointer to an extension 199specific structure of B<NULL> if an error occurs. 200 201X509V3_EXT_i2d() returns a pointer to an B<X509_EXTENSION> structure 202or B<NULL> if an error occurs. 203 204X509V3_add1_i2d() returns 1 if the operation is successful and 0 if it 205fails due to a non-fatal error (extension not found, already exists, 206cannot be encoded) or -1 due to a fatal error such as a memory allocation 207failure. 208 209X509_get0_extensions(), X509_CRL_get0_extensions() and 210X509_REVOKED_get0_extensions() return a stack of extensions. They return 211NULL if no extensions are present. 212 213=head1 SEE ALSO 214 215L<d2i_X509(3)>, 216L<ERR_get_error(3)>, 217L<X509_CRL_get0_by_serial(3)>, 218L<X509_get0_signature(3)>, 219L<X509_get_ext_d2i(3)>, 220L<X509_get_extension_flags(3)>, 221L<X509_get_pubkey(3)>, 222L<X509_get_subject_name(3)>, 223L<X509_get_version(3)>, 224L<X509_NAME_add_entry_by_txt(3)>, 225L<X509_NAME_ENTRY_get_object(3)>, 226L<X509_NAME_get_index_by_NID(3)>, 227L<X509_NAME_print_ex(3)>, 228L<X509_new(3)>, 229L<X509_sign(3)>, 230L<X509_verify_cert(3)> 231 232=head1 COPYRIGHT 233 234Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. 235 236Licensed under the OpenSSL license (the "License"). You may not use 237this file except in compliance with the License. You can obtain a copy 238in the file LICENSE in the source distribution or at 239L<https://www.openssl.org/source/license.html>. 240 241=cut 242