5 X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d,
6 X509_get_ext_d2i, X509_add1_ext_i2d,
7 X509_CRL_get_ext_d2i, X509_CRL_add1_ext_i2d,
8 X509_REVOKED_get_ext_d2i, X509_REVOKED_add1_ext_i2d,
9 X509_get0_extensions, X509_CRL_get0_extensions,
10 X509_REVOKED_get0_extensions - X509 extension decode and encode functions
14 #include <openssl/x509v3.h>
16 void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
18 int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
19 int crit, unsigned long flags);
21 void *X509V3_EXT_d2i(X509_EXTENSION *ext);
22 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext);
24 void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx);
25 int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
28 void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, int *crit, int *idx);
29 int X509_CRL_add1_ext_i2d(X509_CRL *crl, int nid, void *value, int crit,
32 void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *r, int nid, int *crit, int *idx);
33 int X509_REVOKED_add1_ext_i2d(X509_REVOKED *r, int nid, void *value, int crit,
36 const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
37 const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
38 const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(const X509_REVOKED *r);
42 X509V3_get_d2i() looks for an extension with OID I<nid> in the extensions
43 I<x> and, if found, decodes it. If I<idx> is NULL then only one
44 occurrence of an extension is permissible otherwise the first extension after
45 index I<*idx> is returned and I<*idx> updated to the location of the extension.
46 If I<crit> is not NULL then I<*crit> is set to a status value: -2 if the
47 extension occurs multiple times (this is only returned if I<idx> is NULL),
48 -1 if the extension could not be found, 0 if the extension is found and is
49 not critical and 1 if critical. A pointer to an extension specific structure
52 X509V3_add1_i2d() adds extension I<value> to STACK I<*x> (allocating a new
53 STACK if necessary) using OID I<nid> and criticality I<crit> according
56 X509V3_EXT_d2i() attempts to decode the ASN.1 data contained in extension
57 I<ext> and returns a pointer to an extension specific structure or NULL
58 if the extension could not be decoded (invalid syntax or not supported).
60 X509V3_EXT_i2d() encodes the extension specific structure I<ext>
61 with OID I<ext_nid> and criticality I<crit>.
63 X509_get_ext_d2i() and X509_add1_ext_i2d() operate on the extensions of
64 certificate I<x>, they are otherwise identical to X509V3_get_d2i() and
67 X509_CRL_get_ext_d2i() and X509_CRL_add1_ext_i2d() operate on the extensions
68 of CRL I<crl>, they are otherwise identical to X509V3_get_d2i() and
71 X509_REVOKED_get_ext_d2i() and X509_REVOKED_add1_ext_i2d() operate on the
72 extensions of B<X509_REVOKED> structure I<r> (i.e for CRL entry extensions),
73 they are otherwise identical to X509V3_get_d2i() and X509V3_add_i2d().
75 X509_get0_extensions(), X509_CRL_get0_extensions() and
76 X509_REVOKED_get0_extensions() return a stack of all the extensions
77 of a certificate a CRL or a CRL entry respectively.
81 In almost all cases an extension can occur at most once and multiple
82 occurrences is an error. Therefore, the I<idx> parameter is usually NULL.
84 The I<flags> parameter may be one of the following values.
86 B<X509V3_ADD_DEFAULT> appends a new extension only if the extension does
87 not already exist. An error is returned if the extension does already
90 B<X509V3_ADD_APPEND> appends a new extension, ignoring whether the extension
93 B<X509V3_ADD_REPLACE> replaces an extension if it exists otherwise appends
96 B<X509V3_ADD_REPLACE_EXISTING> replaces an existing extension if it exists
97 otherwise returns an error.
99 B<X509V3_ADD_KEEP_EXISTING> appends a new extension only if the extension does
100 not already exist. An error B<is not> returned if the extension does already
103 B<X509V3_ADD_DELETE> extension I<nid> is deleted: no new extension is added.
105 If B<X509V3_ADD_SILENT> is ored with I<flags>: any error returned will not
106 be added to the error queue.
108 The function X509V3_get_d2i() and its variants
109 will return NULL if the extension is not
110 found, occurs multiple times or cannot be decoded. It is possible to
111 determine the precise reason by checking the value of I<*crit>.
113 =head1 SUPPORTED EXTENSIONS
115 The following sections contain a list of all supported extensions
116 including their name and NID.
118 =head2 PKIX Certificate Extensions
120 The following certificate extensions are defined in PKIX standards such as
123 Basic Constraints NID_basic_constraints
124 Key Usage NID_key_usage
125 Extended Key Usage NID_ext_key_usage
127 Subject Key Identifier NID_subject_key_identifier
128 Authority Key Identifier NID_authority_key_identifier
130 Private Key Usage Period NID_private_key_usage_period
132 Subject Alternative Name NID_subject_alt_name
133 Issuer Alternative Name NID_issuer_alt_name
135 Authority Information Access NID_info_access
136 Subject Information Access NID_sinfo_access
138 Name Constraints NID_name_constraints
140 Certificate Policies NID_certificate_policies
141 Policy Mappings NID_policy_mappings
142 Policy Constraints NID_policy_constraints
143 Inhibit Any Policy NID_inhibit_any_policy
145 TLS Feature NID_tlsfeature
147 =head2 Netscape Certificate Extensions
149 The following are (largely obsolete) Netscape certificate extensions.
151 Netscape Cert Type NID_netscape_cert_type
152 Netscape Base Url NID_netscape_base_url
153 Netscape Revocation Url NID_netscape_revocation_url
154 Netscape CA Revocation Url NID_netscape_ca_revocation_url
155 Netscape Renewal Url NID_netscape_renewal_url
156 Netscape CA Policy Url NID_netscape_ca_policy_url
157 Netscape SSL Server Name NID_netscape_ssl_server_name
158 Netscape Comment NID_netscape_comment
160 =head2 Miscellaneous Certificate Extensions
162 Strong Extranet ID NID_sxnet
163 Proxy Certificate Information NID_proxyCertInfo
165 =head2 PKIX CRL Extensions
167 The following are CRL extensions from PKIX standards such as RFC5280.
169 CRL Number NID_crl_number
170 CRL Distribution Points NID_crl_distribution_points
171 Delta CRL Indicator NID_delta_crl
172 Freshest CRL NID_freshest_crl
173 Invalidity Date NID_invalidity_date
174 Issuing Distribution Point NID_issuing_distribution_point
176 The following are CRL entry extensions from PKIX standards such as RFC5280.
178 CRL Reason Code NID_crl_reason
179 Certificate Issuer NID_certificate_issuer
181 =head2 OCSP Extensions
183 OCSP Nonce NID_id_pkix_OCSP_Nonce
184 OCSP CRL ID NID_id_pkix_OCSP_CrlID
185 Acceptable OCSP Responses NID_id_pkix_OCSP_acceptableResponses
186 OCSP No Check NID_id_pkix_OCSP_noCheck
187 OCSP Archive Cutoff NID_id_pkix_OCSP_archiveCutoff
188 OCSP Service Locator NID_id_pkix_OCSP_serviceLocator
189 Hold Instruction Code NID_hold_instruction_code
191 =head2 Certificate Transparency Extensions
193 The following extensions are used by certificate transparency, RFC6962
195 CT Precertificate SCTs NID_ct_precert_scts
196 CT Certificate SCTs NID_ct_cert_scts
200 X509V3_get_d2i(), its variants, and X509V3_EXT_d2i() return
201 a pointer to an extension specific structure or NULL if an error occurs.
203 X509V3_add1_i2d() and its variants return 1 if the operation is successful
204 and 0 if it fails due to a non-fatal error (extension not found, already exists,
205 cannot be encoded) or -1 due to a fatal error such as a memory allocation
208 X509V3_EXT_i2d() returns a pointer to an B<X509_EXTENSION> structure
209 or NULL if an error occurs.
211 X509_get0_extensions(), X509_CRL_get0_extensions() and
212 X509_REVOKED_get0_extensions() return a stack of extensions. They return
213 NULL if no extensions are present.
219 L<X509_CRL_get0_by_serial(3)>,
220 L<X509_get0_signature(3)>,
221 L<X509_get_ext_d2i(3)>,
222 L<X509_get_extension_flags(3)>,
223 L<X509_get_pubkey(3)>,
224 L<X509_get_subject_name(3)>,
225 L<X509_get_version(3)>,
226 L<X509_NAME_add_entry_by_txt(3)>,
227 L<X509_NAME_ENTRY_get_object(3)>,
228 L<X509_NAME_get_index_by_NID(3)>,
229 L<X509_NAME_print_ex(3)>,
232 L<X509_verify_cert(3)>
236 Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
238 Licensed under the Apache License 2.0 (the "License"). You may not use
239 this file except in compliance with the License. You can obtain a copy
240 in the file LICENSE in the source distribution or at
241 L<https://www.openssl.org/source/license.html>.