email.2=steve@there
This is because the configuration file code cannot handle the same name
-occurring twice in the same extension.
+occurring twice in the same section.
The syntax of raw extensions is governed by the extension code: it can
for example contain data in multiple sections. The correct syntax to
According to PKIX recommendations it should exclude the extension entirely,
however some software may require CA set to FALSE for end entity certificates.
+Extended Key Usage.
+
+This extensions consists of a list of usages.
+
+These can either be object short names of the dotted numerical form of OIDs.
+While any OID can be used only certain values make sense. In partiular the
+following PKIX, NS and MS values are meaningful:
+
+Value Meaning
+----- -------
+serverAuth SSL/TLS Web Server Authentication.
+clientAuth SSL/TLS Web Client Authentication.
+codeSigning Code signing.
+emailProtection E-mail Protection (S/MIME).
+timeStamping Trusted Timestamping
+msCodeInd Microsoft Individual Code Signing (authenticode)
+msCodeCom Microsoft Commercial Code Signing (authenticode)
+msCTLSign Microsoft Trust List Signing
+msSGC Microsoft Server Gated Crypto
+msEFS Microsoft Encrypted File System
+nsSGC Netscape Server Gated Crypto
+
+For example, under IE5 a CA can be used for any purpose: by including a list
+of the above usages the CA can be restricted to only authorised uses.
+
+Note: software packages may place additional interpretations on certificate
+use, in particular some usages may only work for selected CAs. Don't for example
+expect just including msSGC or nsSGC will automatically mean that a certificate
+can be used for SGC ("step up" encryption) otherwise anyone could use it.
+
Subject Key Identifier.
This is really a string extension and can take two possible values. Either
For example to produce basicConstraints with the CA flag and a path length of
10:
-x = X509V3_EXT_conf_nid(NULL, NULL, NID_basicConstraints, "CA:TRUE,pathlen:10");
+x = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,"CA:TRUE,pathlen:10");
X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
This function frees up the string returned by the above function.
-STACK * X509V3_get_section(X509V3_CTX *ctx, char *section);
+STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section);
-This function returns a whole section as a STACK of CONF_VALUE structures.
+This function returns a whole section as a STACK_OF(CONF_VALUE) .
-void X509V3_section_free( X509V3_CTX *ctx, STACK *section);
+void X509V3_section_free( X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section);
This function frees up the STACK returned by the above function.
function pointers:
char * (*get_string)(void *db, char *section, char *value);
-STACK * (*get_section)(void *db, char *section);
+STACK_OF(CONF_VALUE) * (*get_section)(void *db, char *section);
void (*free_string)(void *db, char * string);
-void (*free_section)(void *db, STACK *section);
+void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section);
these will be called and passed the 'db' element in the X509V3_CTX structure
to access the database. If a given function is not implemented or not required
This accepts a decimal integer of arbitrary length and sets an ASN1_INTEGER.
-int X509V3_add_value(const char *name, const char *value, STACK **extlist);
+int X509V3_add_value(const char *name, const char *value,
+ STACK_OF(CONF_VALUE) **extlist);
This simply adds a string name and value pair.
int X509V3_add_value_uchar(const char *name, const unsigned char *value,
- STACK **extlist);
+ STACK_OF(CONF_VALUE) **extlist);
The same as above but for an unsigned character value.
-int X509V3_add_value_bool(const char *name, int asn1_bool, STACK **extlist);
+int X509V3_add_value_bool(const char *name, int asn1_bool,
+ STACK_OF(CONF_VALUE) **extlist);
This adds either "TRUE" or "FALSE" depending on the value of 'ans1_bool'
-int X509V3_add_value_bool_nf(char *name, int asn1_bool, STACK **extlist);
+int X509V3_add_value_bool_nf(char *name, int asn1_bool,
+ STACK_OF(CONF_VALUE) **extlist);
This is the same as above except it adds nothing if asn1_bool is FALSE.
-int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint, STACK **extlist);
+int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
+ STACK_OF(CONF_VALUE) **extlist);
This function adds the value of the ASN1_INTEGER in decimal form.
String extensions are simple strings where the value is placed directly in the
extensions, and the string returned is printed out.
-Multi value extensions are passed a STACK of name and value pairs or return
-such a STACK.
+Multi value extensions are passed a STACK_OF(CONF_VALUE) name and value pairs
+or return a STACK_OF(CONF_VALUE).
Raw extensions are just passed a BIO or a value and it is the extensions
responsiblity to handle all the necessary printing.
an allocated internal structure: ext_free() will be used on this internal
structure after use.
-i2v and v2i handle a stack of CONF_VALUE structures:
+i2v and v2i handle a STACK_OF(CONF_VALUE):
typedef struct
{
Only the name and value members are currently used.
-STACK * i2v(struct v3_ext_method *method, void *ext);
+STACK_OF(CONF_VALUE) * i2v(struct v3_ext_method *method, void *ext);
This function is passed the internal structure in the ext parameter and
returns a STACK of CONF_VALUE structures. The values of name, value,
section and the structure itself will be freed up with Free after use.
Several helper functions are available to add values to this STACK.
-void * v2i(struct v3_ext_method *method, struct v3_ext_ctx *ctx, STACK *values);
+void * v2i(struct v3_ext_method *method, struct v3_ext_ctx *ctx,
+ STACK_OF(CONF_VALUE) *values);
-This function takes a STACK of CONF_VALUE structures and should set the
+This function takes a STACK_OF(CONF_VALUE) structures and should set the
values of the external structure. This typically uses the name element to
determine which structure element to set and the value element to determine
what to set it to. Several helper functions are available for this
projects / openssl.git / blobdiff