2 * {- join("\n * ", @autowarntext) -}
4 * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
13 use OpenSSL::stackhash qw(generate_stack_macros);
16 #ifndef OPENSSL_X509V3_H
17 # define OPENSSL_X509V3_H
20 # include <openssl/macros.h>
21 # ifndef OPENSSL_NO_DEPRECATED_3_0
22 # define HEADER_X509V3_H
25 # include <openssl/bio.h>
26 # include <openssl/x509.h>
27 # include <openssl/conf.h>
28 # include <openssl/x509v3err.h>
29 # ifndef OPENSSL_NO_STDIO
37 /* Forward reference */
43 typedef void *(*X509V3_EXT_NEW)(void);
44 typedef void (*X509V3_EXT_FREE) (void *);
45 typedef void *(*X509V3_EXT_D2I)(void *, const unsigned char **, long);
46 typedef int (*X509V3_EXT_I2D) (const void *, unsigned char **);
47 typedef STACK_OF(CONF_VALUE) *
48 (*X509V3_EXT_I2V) (const struct v3_ext_method *method, void *ext,
49 STACK_OF(CONF_VALUE) *extlist);
50 typedef void *(*X509V3_EXT_V2I)(const struct v3_ext_method *method,
51 struct v3_ext_ctx *ctx,
52 STACK_OF(CONF_VALUE) *values);
53 typedef char *(*X509V3_EXT_I2S)(const struct v3_ext_method *method,
55 typedef void *(*X509V3_EXT_S2I)(const struct v3_ext_method *method,
56 struct v3_ext_ctx *ctx, const char *str);
57 typedef int (*X509V3_EXT_I2R) (const struct v3_ext_method *method, void *ext,
58 BIO *out, int indent);
59 typedef void *(*X509V3_EXT_R2I)(const struct v3_ext_method *method,
60 struct v3_ext_ctx *ctx, const char *str);
62 /* V3 extension structure */
64 struct v3_ext_method {
67 /* If this is set the following four fields are ignored */
69 /* Old style ASN1 calls */
70 X509V3_EXT_NEW ext_new;
71 X509V3_EXT_FREE ext_free;
74 /* The following pair is used for string extensions */
77 /* The following pair is used for multi-valued extensions */
80 /* The following are used for raw extensions */
83 void *usr_data; /* Any extension specific data */
86 typedef struct X509V3_CONF_METHOD_st {
87 char *(*get_string) (void *db, const char *section, const char *value);
88 STACK_OF(CONF_VALUE) *(*get_section) (void *db, const char *section);
89 void (*free_string) (void *db, char *string);
90 void (*free_section) (void *db, STACK_OF(CONF_VALUE) *section);
93 /* Context specific info for producing X509 v3 extensions*/
95 # define X509V3_CTX_TEST 0x1
96 # ifndef OPENSSL_NO_DEPRECATED_3_0
97 # define CTX_TEST X509V3_CTX_TEST
99 # define X509V3_CTX_REPLACE 0x2
103 X509_REQ *subject_req;
105 X509V3_CONF_METHOD *db_meth;
107 EVP_PKEY *issuer_pkey;
108 /* Maybe more here */
111 typedef struct v3_ext_method X509V3_EXT_METHOD;
114 generate_stack_macros("X509V3_EXT_METHOD");
117 /* ext_flags values */
118 # define X509V3_EXT_DYNAMIC 0x1
119 # define X509V3_EXT_CTX_DEP 0x2
120 # define X509V3_EXT_MULTILINE 0x4
122 typedef BIT_STRING_BITNAME ENUMERATED_NAMES;
124 typedef struct BASIC_CONSTRAINTS_st {
126 ASN1_INTEGER *pathlen;
129 typedef struct PKEY_USAGE_PERIOD_st {
130 ASN1_GENERALIZEDTIME *notBefore;
131 ASN1_GENERALIZEDTIME *notAfter;
134 typedef struct otherName_st {
135 ASN1_OBJECT *type_id;
139 typedef struct EDIPartyName_st {
140 ASN1_STRING *nameAssigner;
141 ASN1_STRING *partyName;
144 typedef struct GENERAL_NAME_st {
145 # define GEN_OTHERNAME 0
149 # define GEN_DIRNAME 4
150 # define GEN_EDIPARTY 5
157 OTHERNAME *otherName; /* otherName */
158 ASN1_IA5STRING *rfc822Name;
159 ASN1_IA5STRING *dNSName;
160 ASN1_TYPE *x400Address;
161 X509_NAME *directoryName;
162 EDIPARTYNAME *ediPartyName;
163 ASN1_IA5STRING *uniformResourceIdentifier;
164 ASN1_OCTET_STRING *iPAddress;
165 ASN1_OBJECT *registeredID;
167 ASN1_OCTET_STRING *ip; /* iPAddress */
168 X509_NAME *dirn; /* dirn */
169 ASN1_IA5STRING *ia5; /* rfc822Name, dNSName,
170 * uniformResourceIdentifier */
171 ASN1_OBJECT *rid; /* registeredID */
172 ASN1_TYPE *other; /* x400Address */
176 typedef struct ACCESS_DESCRIPTION_st {
178 GENERAL_NAME *location;
179 } ACCESS_DESCRIPTION;
182 generate_stack_macros("ACCESS_DESCRIPTION")
183 .generate_stack_macros("GENERAL_NAME");
186 typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
187 typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE;
188 typedef STACK_OF(ASN1_INTEGER) TLS_FEATURE;
189 typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
192 generate_stack_macros("GENERAL_NAMES");
195 typedef struct DIST_POINT_NAME_st {
198 GENERAL_NAMES *fullname;
199 STACK_OF(X509_NAME_ENTRY) *relativename;
201 /* If relativename then this contains the full distribution point name */
204 /* All existing reasons */
205 # define CRLDP_ALL_REASONS 0x807f
207 # define CRL_REASON_NONE -1
208 # define CRL_REASON_UNSPECIFIED 0
209 # define CRL_REASON_KEY_COMPROMISE 1
210 # define CRL_REASON_CA_COMPROMISE 2
211 # define CRL_REASON_AFFILIATION_CHANGED 3
212 # define CRL_REASON_SUPERSEDED 4
213 # define CRL_REASON_CESSATION_OF_OPERATION 5
214 # define CRL_REASON_CERTIFICATE_HOLD 6
215 # define CRL_REASON_REMOVE_FROM_CRL 8
216 # define CRL_REASON_PRIVILEGE_WITHDRAWN 9
217 # define CRL_REASON_AA_COMPROMISE 10
219 struct DIST_POINT_st {
220 DIST_POINT_NAME *distpoint;
221 ASN1_BIT_STRING *reasons;
222 GENERAL_NAMES *CRLissuer;
227 generate_stack_macros("DIST_POINT");
230 typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS;
232 struct AUTHORITY_KEYID_st {
233 ASN1_OCTET_STRING *keyid;
234 GENERAL_NAMES *issuer;
235 ASN1_INTEGER *serial;
238 /* Strong extranet structures */
240 typedef struct SXNET_ID_st {
242 ASN1_OCTET_STRING *user;
246 generate_stack_macros("SXNETID");
250 typedef struct SXNET_st {
251 ASN1_INTEGER *version;
252 STACK_OF(SXNETID) *ids;
255 typedef struct ISSUER_SIGN_TOOL_st {
256 ASN1_UTF8STRING *signTool;
257 ASN1_UTF8STRING *cATool;
258 ASN1_UTF8STRING *signToolCert;
259 ASN1_UTF8STRING *cAToolCert;
262 typedef struct NOTICEREF_st {
263 ASN1_STRING *organization;
264 STACK_OF(ASN1_INTEGER) *noticenos;
267 typedef struct USERNOTICE_st {
268 NOTICEREF *noticeref;
269 ASN1_STRING *exptext;
272 typedef struct POLICYQUALINFO_st {
273 ASN1_OBJECT *pqualid;
275 ASN1_IA5STRING *cpsuri;
276 USERNOTICE *usernotice;
282 generate_stack_macros("POLICYQUALINFO");
286 typedef struct POLICYINFO_st {
287 ASN1_OBJECT *policyid;
288 STACK_OF(POLICYQUALINFO) *qualifiers;
292 generate_stack_macros("POLICYINFO");
295 typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
297 typedef struct POLICY_MAPPING_st {
298 ASN1_OBJECT *issuerDomainPolicy;
299 ASN1_OBJECT *subjectDomainPolicy;
303 generate_stack_macros("POLICY_MAPPING");
306 typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS;
308 typedef struct GENERAL_SUBTREE_st {
310 ASN1_INTEGER *minimum;
311 ASN1_INTEGER *maximum;
315 generate_stack_macros("GENERAL_SUBTREE");
318 struct NAME_CONSTRAINTS_st {
319 STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;
320 STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;
323 typedef struct POLICY_CONSTRAINTS_st {
324 ASN1_INTEGER *requireExplicitPolicy;
325 ASN1_INTEGER *inhibitPolicyMapping;
326 } POLICY_CONSTRAINTS;
328 /* Proxy certificate structures, see RFC 3820 */
329 typedef struct PROXY_POLICY_st {
330 ASN1_OBJECT *policyLanguage;
331 ASN1_OCTET_STRING *policy;
334 typedef struct PROXY_CERT_INFO_EXTENSION_st {
335 ASN1_INTEGER *pcPathLengthConstraint;
336 PROXY_POLICY *proxyPolicy;
337 } PROXY_CERT_INFO_EXTENSION;
339 DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
340 DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
342 struct ISSUING_DIST_POINT_st {
343 DIST_POINT_NAME *distpoint;
346 ASN1_BIT_STRING *onlysomereasons;
351 /* Values in idp_flags field */
353 # define IDP_PRESENT 0x1
354 /* IDP values inconsistent */
355 # define IDP_INVALID 0x2
357 # define IDP_ONLYUSER 0x4
359 # define IDP_ONLYCA 0x8
361 # define IDP_ONLYATTR 0x10
362 /* indirectCRL true */
363 # define IDP_INDIRECT 0x20
364 /* onlysomereasons present */
365 # define IDP_REASONS 0x40
367 # define X509V3_conf_err(val) ERR_add_error_data(6, \
368 "section:", (val)->section, \
369 ",name:", (val)->name, ",value:", (val)->value)
371 # define X509V3_set_ctx_test(ctx) \
372 X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, X509V3_CTX_TEST)
373 # define X509V3_set_ctx_nodb(ctx) (ctx)->db = NULL;
375 # define EXT_BITSTRING(nid, table) { nid, 0, ASN1_ITEM_ref(ASN1_BIT_STRING), \
378 (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING, \
379 (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING, \
383 # define EXT_IA5STRING(nid) { nid, 0, ASN1_ITEM_ref(ASN1_IA5STRING), \
385 (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \
386 (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, \
390 #define EXT_UTF8STRING(nid) { nid, 0, ASN1_ITEM_ref(ASN1_UTF8STRING), \
392 (X509V3_EXT_I2S)i2s_ASN1_UTF8STRING, \
393 (X509V3_EXT_S2I)s2i_ASN1_UTF8STRING, \
397 # define EXT_END { -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
399 /* X509_PURPOSE stuff */
401 # define EXFLAG_BCONS 0x1
402 # define EXFLAG_KUSAGE 0x2
403 # define EXFLAG_XKUSAGE 0x4
404 # define EXFLAG_NSCERT 0x8
406 # define EXFLAG_CA 0x10
407 # define EXFLAG_SI 0x20 /* self-issued, maybe not self-signed */
408 # define EXFLAG_V1 0x40
409 # define EXFLAG_INVALID 0x80
410 /* EXFLAG_SET is set to indicate that some values have been precomputed */
411 # define EXFLAG_SET 0x100
412 # define EXFLAG_CRITICAL 0x200
413 # define EXFLAG_PROXY 0x400
415 # define EXFLAG_INVALID_POLICY 0x800
416 # define EXFLAG_FRESHEST 0x1000
417 # define EXFLAG_SS 0x2000 /* cert is apparently self-signed */
419 # define EXFLAG_BCONS_CRITICAL 0x10000
420 # define EXFLAG_AKID_CRITICAL 0x20000
421 # define EXFLAG_SKID_CRITICAL 0x40000
422 # define EXFLAG_SAN_CRITICAL 0x80000
423 # define EXFLAG_NO_FINGERPRINT 0x100000
425 # define KU_DIGITAL_SIGNATURE 0x0080
426 # define KU_NON_REPUDIATION 0x0040
427 # define KU_KEY_ENCIPHERMENT 0x0020
428 # define KU_DATA_ENCIPHERMENT 0x0010
429 # define KU_KEY_AGREEMENT 0x0008
430 # define KU_KEY_CERT_SIGN 0x0004
431 # define KU_CRL_SIGN 0x0002
432 # define KU_ENCIPHER_ONLY 0x0001
433 # define KU_DECIPHER_ONLY 0x8000
435 # define NS_SSL_CLIENT 0x80
436 # define NS_SSL_SERVER 0x40
437 # define NS_SMIME 0x20
438 # define NS_OBJSIGN 0x10
439 # define NS_SSL_CA 0x04
440 # define NS_SMIME_CA 0x02
441 # define NS_OBJSIGN_CA 0x01
442 # define NS_ANY_CA (NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
444 # define XKU_SSL_SERVER 0x1
445 # define XKU_SSL_CLIENT 0x2
446 # define XKU_SMIME 0x4
447 # define XKU_CODE_SIGN 0x8
448 # define XKU_SGC 0x10 /* Netscape or MS Server-Gated Crypto */
449 # define XKU_OCSP_SIGN 0x20
450 # define XKU_TIMESTAMP 0x40
451 # define XKU_DVCS 0x80
452 # define XKU_ANYEKU 0x100
454 # define X509_PURPOSE_DYNAMIC 0x1
455 # define X509_PURPOSE_DYNAMIC_NAME 0x2
457 typedef struct x509_purpose_st {
459 int trust; /* Default trust ID */
461 int (*check_purpose) (const struct x509_purpose_st *, const X509 *, int);
468 generate_stack_macros("X509_PURPOSE");
472 # define X509_PURPOSE_SSL_CLIENT 1
473 # define X509_PURPOSE_SSL_SERVER 2
474 # define X509_PURPOSE_NS_SSL_SERVER 3
475 # define X509_PURPOSE_SMIME_SIGN 4
476 # define X509_PURPOSE_SMIME_ENCRYPT 5
477 # define X509_PURPOSE_CRL_SIGN 6
478 # define X509_PURPOSE_ANY 7
479 # define X509_PURPOSE_OCSP_HELPER 8
480 # define X509_PURPOSE_TIMESTAMP_SIGN 9
481 # define X509_PURPOSE_CODE_SIGN 10
483 # define X509_PURPOSE_MIN 1
484 # define X509_PURPOSE_MAX 10
486 /* Flags for X509V3_EXT_print() */
488 # define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
489 /* Return error for unknown extensions */
490 # define X509V3_EXT_DEFAULT 0
491 /* Print error for unknown extensions */
492 # define X509V3_EXT_ERROR_UNKNOWN (1L << 16)
493 /* ASN1 parse unknown extensions */
494 # define X509V3_EXT_PARSE_UNKNOWN (2L << 16)
495 /* BIO_dump unknown extensions */
496 # define X509V3_EXT_DUMP_UNKNOWN (3L << 16)
498 /* Flags for X509V3_add1_i2d */
500 # define X509V3_ADD_OP_MASK 0xfL
501 # define X509V3_ADD_DEFAULT 0L
502 # define X509V3_ADD_APPEND 1L
503 # define X509V3_ADD_REPLACE 2L
504 # define X509V3_ADD_REPLACE_EXISTING 3L
505 # define X509V3_ADD_KEEP_EXISTING 4L
506 # define X509V3_ADD_DELETE 5L
507 # define X509V3_ADD_SILENT 0x10
509 DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS)
511 DECLARE_ASN1_FUNCTIONS(SXNET)
512 DECLARE_ASN1_FUNCTIONS(SXNETID)
514 DECLARE_ASN1_FUNCTIONS(ISSUER_SIGN_TOOL)
516 int SXNET_add_id_asc(SXNET **psx, const char *zone, const char *user, int userlen);
517 int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, const char *user,
519 int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *izone, const char *user,
522 ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, const char *zone);
523 ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone);
524 ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone);
526 DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID)
528 DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
530 DECLARE_ASN1_FUNCTIONS(GENERAL_NAME)
531 DECLARE_ASN1_DUP_FUNCTION(GENERAL_NAME)
532 int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b);
534 ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
536 STACK_OF(CONF_VALUE) *nval);
537 STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
538 ASN1_BIT_STRING *bits,
539 STACK_OF(CONF_VALUE) *extlist);
540 char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
541 ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
542 X509V3_CTX *ctx, const char *str);
543 char *i2s_ASN1_UTF8STRING(X509V3_EXT_METHOD *method, ASN1_UTF8STRING *utf8);
544 ASN1_UTF8STRING *s2i_ASN1_UTF8STRING(X509V3_EXT_METHOD *method,
545 X509V3_CTX *ctx, const char *str);
547 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
549 STACK_OF(CONF_VALUE) *ret);
550 int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen);
552 DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES)
554 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
556 STACK_OF(CONF_VALUE) *extlist);
557 GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
558 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
560 DECLARE_ASN1_FUNCTIONS(OTHERNAME)
561 DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME)
562 int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b);
563 void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value);
564 void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype);
565 int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
566 ASN1_OBJECT *oid, ASN1_TYPE *value);
567 int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen,
568 ASN1_OBJECT **poid, ASN1_TYPE **pvalue);
570 char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
571 const ASN1_OCTET_STRING *ia5);
572 ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
573 X509V3_CTX *ctx, const char *str);
575 DECLARE_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE)
576 int i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION *a);
578 DECLARE_ASN1_ALLOC_FUNCTIONS(TLS_FEATURE)
580 DECLARE_ASN1_FUNCTIONS(CERTIFICATEPOLICIES)
581 DECLARE_ASN1_FUNCTIONS(POLICYINFO)
582 DECLARE_ASN1_FUNCTIONS(POLICYQUALINFO)
583 DECLARE_ASN1_FUNCTIONS(USERNOTICE)
584 DECLARE_ASN1_FUNCTIONS(NOTICEREF)
586 DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS)
587 DECLARE_ASN1_FUNCTIONS(DIST_POINT)
588 DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME)
589 DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
591 int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, const X509_NAME *iname);
593 int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc);
594 int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc);
596 DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION)
597 DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)
599 DECLARE_ASN1_ITEM(POLICY_MAPPING)
600 DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
601 DECLARE_ASN1_ITEM(POLICY_MAPPINGS)
603 DECLARE_ASN1_ITEM(GENERAL_SUBTREE)
604 DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
606 DECLARE_ASN1_ITEM(NAME_CONSTRAINTS)
607 DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
609 DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
610 DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)
612 GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
613 const X509V3_EXT_METHOD *method,
614 X509V3_CTX *ctx, int gen_type,
615 const char *value, int is_nc);
617 # ifdef OPENSSL_CONF_H
618 GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,
619 X509V3_CTX *ctx, CONF_VALUE *cnf);
620 GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
621 const X509V3_EXT_METHOD *method,
622 X509V3_CTX *ctx, CONF_VALUE *cnf,
625 void X509V3_conf_free(CONF_VALUE *val);
627 X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
629 X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
631 int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section,
632 STACK_OF(X509_EXTENSION) **sk);
633 int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
635 int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
637 int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
640 X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf,
641 X509V3_CTX *ctx, int ext_nid,
643 X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
644 const char *name, const char *value);
645 int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
646 const char *section, X509 *cert);
647 int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
648 const char *section, X509_REQ *req);
649 int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
650 const char *section, X509_CRL *crl);
652 int X509V3_add_value_bool_nf(const char *name, int asn1_bool,
653 STACK_OF(CONF_VALUE) **extlist);
654 int X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool);
655 int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint);
656 void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
657 void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash);
660 char *X509V3_get_string(X509V3_CTX *ctx, const char *name, const char *section);
661 STACK_OF(CONF_VALUE) *X509V3_get_section(X509V3_CTX *ctx, const char *section);
662 void X509V3_string_free(X509V3_CTX *ctx, char *str);
663 void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section);
664 void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,
665 X509_REQ *req, X509_CRL *crl, int flags);
666 /* For API backward compatibility, this is separate from X509V3_set_ctx(): */
667 int X509V3_set_issuer_pkey(X509V3_CTX *ctx, EVP_PKEY *pkey);
669 int X509V3_add_value(const char *name, const char *value,
670 STACK_OF(CONF_VALUE) **extlist);
671 int X509V3_add_value_uchar(const char *name, const unsigned char *value,
672 STACK_OF(CONF_VALUE) **extlist);
673 int X509V3_add_value_bool(const char *name, int asn1_bool,
674 STACK_OF(CONF_VALUE) **extlist);
675 int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,
676 STACK_OF(CONF_VALUE) **extlist);
677 char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, const ASN1_INTEGER *aint);
678 ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, const char *value);
679 char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, const ASN1_ENUMERATED *aint);
680 char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *meth,
681 const ASN1_ENUMERATED *aint);
682 int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
683 int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist);
684 int X509V3_EXT_add_alias(int nid_to, int nid_from);
685 void X509V3_EXT_cleanup(void);
687 const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
688 const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
689 int X509V3_add_standard_extensions(void);
690 STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);
691 void *X509V3_EXT_d2i(X509_EXTENSION *ext);
692 void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
695 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
696 int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
697 int crit, unsigned long flags);
699 #ifndef OPENSSL_NO_DEPRECATED_1_1_0
700 /* The new declarations are in crypto.h, but the old ones were here. */
701 # define hex_to_string OPENSSL_buf2hexstr
702 # define string_to_hex OPENSSL_hexstr2buf
705 void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
707 int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
709 #ifndef OPENSSL_NO_STDIO
710 int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
712 int X509V3_extensions_print(BIO *out, const char *title,
713 const STACK_OF(X509_EXTENSION) *exts,
714 unsigned long flag, int indent);
716 int X509_check_ca(X509 *x);
717 int X509_check_purpose(X509 *x, int id, int ca);
718 int X509_supported_extension(X509_EXTENSION *ex);
719 int X509_PURPOSE_set(int *p, int purpose);
720 int X509_check_issued(X509 *issuer, X509 *subject);
721 int X509_check_akid(const X509 *issuer, const AUTHORITY_KEYID *akid);
722 void X509_set_proxy_flag(X509 *x);
723 void X509_set_proxy_pathlen(X509 *x, long l);
724 long X509_get_proxy_pathlen(X509 *x);
726 uint32_t X509_get_extension_flags(X509 *x);
727 uint32_t X509_get_key_usage(X509 *x);
728 uint32_t X509_get_extended_key_usage(X509 *x);
729 const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x);
730 const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x);
731 const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x);
732 const ASN1_INTEGER *X509_get0_authority_serial(X509 *x);
734 int X509_PURPOSE_get_count(void);
735 X509_PURPOSE *X509_PURPOSE_get0(int idx);
736 int X509_PURPOSE_get_by_sname(const char *sname);
737 int X509_PURPOSE_get_by_id(int id);
738 int X509_PURPOSE_add(int id, int trust, int flags,
739 int (*ck) (const X509_PURPOSE *, const X509 *, int),
740 const char *name, const char *sname, void *arg);
741 char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp);
742 char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp);
743 int X509_PURPOSE_get_trust(const X509_PURPOSE *xp);
744 void X509_PURPOSE_cleanup(void);
745 int X509_PURPOSE_get_id(const X509_PURPOSE *);
747 STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x);
748 STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x);
749 void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
750 STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
751 /* Flags for X509_check_* functions */
754 * Always check subject name for host match even if subject alt names present
756 # define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0x1
757 /* Disable wildcard matching for dnsName fields and common name. */
758 # define X509_CHECK_FLAG_NO_WILDCARDS 0x2
759 /* Wildcards must not match a partial label. */
760 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0x4
761 /* Allow (non-partial) wildcards to match multiple labels. */
762 # define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8
763 /* Constraint verifier subdomain patterns to match a single labels. */
764 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10
765 /* Never check the subject CN */
766 # define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20
768 * Match reference identifiers starting with "." to any sub-domain.
769 * This is a non-public flag, turned on implicitly when the subject
770 * reference identity is a DNS name.
772 # define _X509_CHECK_FLAG_DOT_SUBDOMAINS 0x8000
774 int X509_check_host(X509 *x, const char *chk, size_t chklen,
775 unsigned int flags, char **peername);
776 int X509_check_email(X509 *x, const char *chk, size_t chklen,
778 int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
780 int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags);
782 ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
783 ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
784 int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE) *dn_sk,
785 unsigned long chtype);
787 void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
789 generate_stack_macros("X509_POLICY_NODE");
793 #ifndef OPENSSL_NO_RFC3779
794 typedef struct ASRange_st {
795 ASN1_INTEGER *min, *max;
798 # define ASIdOrRange_id 0
799 # define ASIdOrRange_range 1
801 typedef struct ASIdOrRange_st {
810 generate_stack_macros("ASIdOrRange");
813 typedef STACK_OF(ASIdOrRange) ASIdOrRanges;
815 # define ASIdentifierChoice_inherit 0
816 # define ASIdentifierChoice_asIdsOrRanges 1
818 typedef struct ASIdentifierChoice_st {
822 ASIdOrRanges *asIdsOrRanges;
824 } ASIdentifierChoice;
826 typedef struct ASIdentifiers_st {
827 ASIdentifierChoice *asnum, *rdi;
830 DECLARE_ASN1_FUNCTIONS(ASRange)
831 DECLARE_ASN1_FUNCTIONS(ASIdOrRange)
832 DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice)
833 DECLARE_ASN1_FUNCTIONS(ASIdentifiers)
835 typedef struct IPAddressRange_st {
836 ASN1_BIT_STRING *min, *max;
839 # define IPAddressOrRange_addressPrefix 0
840 # define IPAddressOrRange_addressRange 1
842 typedef struct IPAddressOrRange_st {
845 ASN1_BIT_STRING *addressPrefix;
846 IPAddressRange *addressRange;
851 generate_stack_macros("IPAddressOrRange");
854 typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges;
856 # define IPAddressChoice_inherit 0
857 # define IPAddressChoice_addressesOrRanges 1
859 typedef struct IPAddressChoice_st {
863 IPAddressOrRanges *addressesOrRanges;
867 typedef struct IPAddressFamily_st {
868 ASN1_OCTET_STRING *addressFamily;
869 IPAddressChoice *ipAddressChoice;
873 generate_stack_macros("IPAddressFamily");
877 typedef STACK_OF(IPAddressFamily) IPAddrBlocks;
879 DECLARE_ASN1_FUNCTIONS(IPAddressRange)
880 DECLARE_ASN1_FUNCTIONS(IPAddressOrRange)
881 DECLARE_ASN1_FUNCTIONS(IPAddressChoice)
882 DECLARE_ASN1_FUNCTIONS(IPAddressFamily)
885 * API tag for elements of the ASIdentifer SEQUENCE.
887 # define V3_ASID_ASNUM 0
888 # define V3_ASID_RDI 1
891 * AFI values, assigned by IANA. It'd be nice to make the AFI
892 * handling code totally generic, but there are too many little things
893 * that would need to be defined for other address families for it to
894 * be worth the trouble.
896 # define IANA_AFI_IPV4 1
897 # define IANA_AFI_IPV6 2
900 * Utilities to construct and extract values from RFC3779 extensions,
901 * since some of the encodings (particularly for IP address prefixes
902 * and ranges) are a bit tedious to work with directly.
904 int X509v3_asid_add_inherit(ASIdentifiers *asid, int which);
905 int X509v3_asid_add_id_or_range(ASIdentifiers *asid, int which,
906 ASN1_INTEGER *min, ASN1_INTEGER *max);
907 int X509v3_addr_add_inherit(IPAddrBlocks *addr,
908 const unsigned afi, const unsigned *safi);
909 int X509v3_addr_add_prefix(IPAddrBlocks *addr,
910 const unsigned afi, const unsigned *safi,
911 unsigned char *a, const int prefixlen);
912 int X509v3_addr_add_range(IPAddrBlocks *addr,
913 const unsigned afi, const unsigned *safi,
914 unsigned char *min, unsigned char *max);
915 unsigned X509v3_addr_get_afi(const IPAddressFamily *f);
916 int X509v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
917 unsigned char *min, unsigned char *max,
923 int X509v3_asid_is_canonical(ASIdentifiers *asid);
924 int X509v3_addr_is_canonical(IPAddrBlocks *addr);
925 int X509v3_asid_canonize(ASIdentifiers *asid);
926 int X509v3_addr_canonize(IPAddrBlocks *addr);
929 * Tests for inheritance and containment.
931 int X509v3_asid_inherits(ASIdentifiers *asid);
932 int X509v3_addr_inherits(IPAddrBlocks *addr);
933 int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b);
934 int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b);
937 * Check whether RFC 3779 extensions nest properly in chains.
939 int X509v3_asid_validate_path(X509_STORE_CTX *);
940 int X509v3_addr_validate_path(X509_STORE_CTX *);
941 int X509v3_asid_validate_resource_set(STACK_OF(X509) *chain,
943 int allow_inheritance);
944 int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain,
945 IPAddrBlocks *ext, int allow_inheritance);
947 #endif /* OPENSSL_NO_RFC3779 */
950 generate_stack_macros("ASN1_STRING");
956 typedef struct NamingAuthority_st NAMING_AUTHORITY;
957 typedef struct ProfessionInfo_st PROFESSION_INFO;
958 typedef struct Admissions_st ADMISSIONS;
959 typedef struct AdmissionSyntax_st ADMISSION_SYNTAX;
960 DECLARE_ASN1_FUNCTIONS(NAMING_AUTHORITY)
961 DECLARE_ASN1_FUNCTIONS(PROFESSION_INFO)
962 DECLARE_ASN1_FUNCTIONS(ADMISSIONS)
963 DECLARE_ASN1_FUNCTIONS(ADMISSION_SYNTAX)
965 generate_stack_macros("PROFESSION_INFO")
966 .generate_stack_macros("ADMISSIONS");
968 typedef STACK_OF(PROFESSION_INFO) PROFESSION_INFOS;
970 const ASN1_OBJECT *NAMING_AUTHORITY_get0_authorityId(
971 const NAMING_AUTHORITY *n);
972 const ASN1_IA5STRING *NAMING_AUTHORITY_get0_authorityURL(
973 const NAMING_AUTHORITY *n);
974 const ASN1_STRING *NAMING_AUTHORITY_get0_authorityText(
975 const NAMING_AUTHORITY *n);
976 void NAMING_AUTHORITY_set0_authorityId(NAMING_AUTHORITY *n,
977 ASN1_OBJECT* namingAuthorityId);
978 void NAMING_AUTHORITY_set0_authorityURL(NAMING_AUTHORITY *n,
979 ASN1_IA5STRING* namingAuthorityUrl);
980 void NAMING_AUTHORITY_set0_authorityText(NAMING_AUTHORITY *n,
981 ASN1_STRING* namingAuthorityText);
983 const GENERAL_NAME *ADMISSION_SYNTAX_get0_admissionAuthority(
984 const ADMISSION_SYNTAX *as);
985 void ADMISSION_SYNTAX_set0_admissionAuthority(
986 ADMISSION_SYNTAX *as, GENERAL_NAME *aa);
987 const STACK_OF(ADMISSIONS) *ADMISSION_SYNTAX_get0_contentsOfAdmissions(
988 const ADMISSION_SYNTAX *as);
989 void ADMISSION_SYNTAX_set0_contentsOfAdmissions(
990 ADMISSION_SYNTAX *as, STACK_OF(ADMISSIONS) *a);
991 const GENERAL_NAME *ADMISSIONS_get0_admissionAuthority(const ADMISSIONS *a);
992 void ADMISSIONS_set0_admissionAuthority(ADMISSIONS *a, GENERAL_NAME *aa);
993 const NAMING_AUTHORITY *ADMISSIONS_get0_namingAuthority(const ADMISSIONS *a);
994 void ADMISSIONS_set0_namingAuthority(ADMISSIONS *a, NAMING_AUTHORITY *na);
995 const PROFESSION_INFOS *ADMISSIONS_get0_professionInfos(const ADMISSIONS *a);
996 void ADMISSIONS_set0_professionInfos(ADMISSIONS *a, PROFESSION_INFOS *pi);
997 const ASN1_OCTET_STRING *PROFESSION_INFO_get0_addProfessionInfo(
998 const PROFESSION_INFO *pi);
999 void PROFESSION_INFO_set0_addProfessionInfo(
1000 PROFESSION_INFO *pi, ASN1_OCTET_STRING *aos);
1001 const NAMING_AUTHORITY *PROFESSION_INFO_get0_namingAuthority(
1002 const PROFESSION_INFO *pi);
1003 void PROFESSION_INFO_set0_namingAuthority(
1004 PROFESSION_INFO *pi, NAMING_AUTHORITY *na);
1005 const STACK_OF(ASN1_STRING) *PROFESSION_INFO_get0_professionItems(
1006 const PROFESSION_INFO *pi);
1007 void PROFESSION_INFO_set0_professionItems(
1008 PROFESSION_INFO *pi, STACK_OF(ASN1_STRING) *as);
1009 const STACK_OF(ASN1_OBJECT) *PROFESSION_INFO_get0_professionOIDs(
1010 const PROFESSION_INFO *pi);
1011 void PROFESSION_INFO_set0_professionOIDs(
1012 PROFESSION_INFO *pi, STACK_OF(ASN1_OBJECT) *po);
1013 const ASN1_PRINTABLESTRING *PROFESSION_INFO_get0_registrationNumber(
1014 const PROFESSION_INFO *pi);
1015 void PROFESSION_INFO_set0_registrationNumber(
1016 PROFESSION_INFO *pi, ASN1_PRINTABLESTRING *rn);