5 X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d,
6 X509_get_ext_d2i, X509_add1_ext_i2d, X509_CRL_get_ext_d2i,
7 X509_CRL_add1_ext_i2d, X509_REVOKED_get_ext_d2i,
8 X509_REVOKED_add1_ext_i2d - X509 extension decode and encode functions
12 #include <openssl/x509v3.h>
14 void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
16 int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
17 int crit, unsigned long flags);
19 void *X509V3_EXT_d2i(X509_EXTENSION *ext);
20 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext);
22 void *X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx);
23 int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
26 void *X509_CRL_get_ext_d2i(X509_CRL *crl, int nid, int *crit, int *idx);
27 int X509_CRL_add1_ext_i2d(X509_CRL *crl, int nid, void *value, int crit,
30 void *X509_REVOKED_get_ext_d2i(X509_REVOKED *r, int nid, int *crit, int *idx);
31 int X509_REVOKED_add1_ext_i2d(X509_REVOKED *r, int nid, void *value, int crit,
36 X509V3_get_ext_d2i() looks for an extension with OID B<nid> in the extensions
37 B<x> and, if found, decodes it. If B<idx> is B<NULL> then only one
38 occurrence of an extension is permissible otherwise the first extension after
39 index B<*idx> is returned and B<*idx> updated to the location of the extension.
40 If B<crit> is not B<NULL> then B<*crit> is set to a status value: -2 if the
41 extension occurs multiple times (this is only returned if B<idx> is B<NULL>),
42 -1 if the extension could not be found, 0 if the extension is found and is
43 not critical and 1 if critical. A pointer to an extension specific structure
44 or B<NULL> is returned.
46 X509V3_add1_i2d() adds extension B<value> to STACK B<*x> (allocating a new
47 STACK if necessary) using OID B<nid> and criticality B<crit> according
50 X509V3_EXT_d2i() attempts to decode the ASN.1 data contained in extension
51 B<ext> and returns a pointer to an extension specific structure or B<NULL>
52 if the extension could not be decoded (invalid syntax or not supported).
54 X509V3_EXT_i2d() encodes the extension specific structure B<ext>
55 with OID B<ext_nid> and criticality B<crit>.
57 X509_get_ext_d2i() and X509_add1_ext_i2d() operate on the extensions of
58 certificate B<x>, they are otherwise identical to X509V3_get_d2i() and
61 X509_CRL_get_ext_d2i() and X509_CRL_add1_ext_i2d() operate on the extensions
62 of CRL B<crl>, they are otherwise identical to X509V3_get_d2i() and
65 X509_REVOKED_get_ext_d2i() and X509_REVOKED_add1_ext_i2d() operate on the
66 extensions of B<X509_REVOKED> structure B<r> (i.e for CRL entry extensions),
67 they are otherwise identical to X509V3_get_d2i() and X509V3_add_i2d().
71 In almost all cases an extension can occur at most once and multiple
72 occurences is an error. Therefore the B<idx> parameter is usually B<NULL>.
74 The B<flags> parameter may be one of the following values.
76 B<X509V3_ADD_DEFAULT> appends a new extension only if the extension does
77 not already exist. An error is returned if the extension does already
80 B<X509V3_ADD_APPEND> appends a new extension, ignoring whether the extension
83 B<X509V3_ADD_REPLACE> replaces an extension if it exists otherwise apppends
86 B<X509V3_ADD_REPLACE_EXISTING> replaces an existing extension if it exists
87 otherwise returns an error.
89 B<X509V3_ADD_KEEP_EXISTING> appends a new extension only if the extension does
90 not already exist. An error B<is not> returned if the extension does already
93 B<X509V3_ADD_DELETE> extension B<nid> is deleted: no new extenion is added.
95 If B<X509V3_ADD_SILENT> is ored with B<flags>: any error returned will not
96 be added to the error queue.
98 The function X509V3_get_d2i() will return B<NULL> if the extension is not
99 found, occurs multiple times or cannot be decoded. It is possible to
100 determine the precise reason by checking the value of B<*crit>.
102 =head1 SUPPORTED EXTENSIONS
104 The following sections contain a list of all supported extensions
105 including their name and NID.
107 =head2 PKIX CERTIFICATE EXTENSIONS
109 The following certificate extensions are defined in PKIX standards such as
112 Basic Constraints NID_basic_constraints
113 Key Usage NID_key_usage
114 Extended Key Usage NID_ext_key_usage
116 Subject Key Identifier NID_subject_key_identifier
117 Authority Key Identifier NID_authority_key_identifier
119 Private Key Usage Period NID_private_key_usage_period
121 Subject Alternative Name NID_subject_alt_name
122 Issuer Alternative Name NID_issuer_alt_name
124 Authority Information Access NID_info_access
125 Subject Information Access NID_sinfo_access
127 Name Constraints NID_name_constraints
129 Certificate Policies NID_certificate_policies
130 Policy Mappings NID_policy_mappings
131 Policy Constraints NID_policy_constraints
132 Inhibit Any Policy NID_inhibit_any_policy
134 =head2 NETSCAPE CERTIFICATE EXTENSIONS
136 The following are (largely obsolete) Netscape certificate extensions.
138 Netscape Cert Type NID_netscape_cert_type
139 Netscape Base Url NID_netscape_base_url
140 Netscape Revocation Url NID_netscape_revocation_url
141 Netscape CA Revocation Url NID_netscape_ca_revocation_url
142 Netscape Renewal Url NID_netscape_renewal_url
143 Netscape CA Policy Url NID_netscape_ca_policy_url
144 Netscape SSL Server Name NID_netscape_ssl_server_name
145 Netscape Comment NID_netscape_comment
147 =head2 MISCELLANEOUS CERTIFICATE EXTENSIONS
149 Strong Extranet ID NID_sxnet
150 Proxy Certificate Information NID_proxyCertInfo
152 =head2 PKIX CRL EXTENSIONS
154 The following are CRL extensions from PKIX standards such as RFC5280.
156 CRL Number NID_crl_number
157 CRL Distribution Points NID_crl_distribution_points
158 Delta CRL Indicator NID_delta_crl
159 Freshest CRL NID_freshest_crl
160 Invalidity Date NID_invalidity_date
161 Issuing Distrubution Point NID_issuing_distribution_point
163 The following are CRL entry extensions from PKIX standards such as RFC5280.
165 CRL Reason Code NID_crl_reason
166 Certificate Issuer NID_certificate_issuer
168 =head2 OCSP EXTENSIONS
170 OCSP Nonce NID_id_pkix_OCSP_Nonce
171 OCSP CRL ID NID_id_pkix_OCSP_CrlID
172 Acceptable OCSP Responses NID_id_pkix_OCSP_acceptableResponses
173 OCSP No Check NID_id_pkix_OCSP_noCheck
174 OCSP Archive Cutoff NID_id_pkix_OCSP_archiveCutoff
175 OCSP Service Locator NID_id_pkix_OCSP_serviceLocator
176 Hold Instruction Code NID_hold_instruction_code
178 =head2 CERTIFICATE TRANSPARENCY EXTENSIONS
180 The following extensions are used by certificate transparency, RFC6962
182 CT Precertificate SCTs NID_ct_precert_scts
183 CT Certificate SCTs NID_ct_cert_scts
187 X509V3_EXT_d2i() and *X509V3_get_d2i() return a pointer to an extension
188 specific structure of B<NULL> if an error occurs.
190 X509V3_EXT_i2d() returns a pointer to an B<X509_EXTENSION> structure
191 or B<NULL> if an error occurs.
193 X509V3_add1_i2d() returns 1 if the operation is successful and 0 if it
194 fails due to a non-fatal error (extension not found, already exists,
195 cannot be encoded) or -1 due to a fatal error such as a memory allocation
201 L<ERR_get_error(3)|ERR_get_error(3)>,
202 L<X509_CRL_get0_by_serial(3)>,
203 L<X509_get0_signature(3)>,
204 L<X509_get_ext_d2i(3)>,
205 L<X509_get_extension_flags(3)>,
206 L<X509_get_pubkey(3)>,
207 L<X509_get_subject_name(3)>,
208 L<X509_get_version(3)>,
209 L<X509_NAME_add_entry_by_txt(3)>,
210 L<X509_NAME_ENTRY_get_object(3)>,
211 L<X509_NAME_get_index_by_NID(3)>,
212 L<X509_NAME_print_ex(3)>,
215 L<X509_verify_cert(3)>