xref: /openssl/doc/man3/X509V3_get_d2i.pod (revision 50ef944c)
1=pod
2
3=head1 NAME
4
5X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d,
6X509_get_ext_d2i, X509_add1_ext_i2d,
7X509_ACERT_get_ext_d2i, X509_ACERT_add1_ext_i2d,
8X509_CRL_get_ext_d2i, X509_CRL_add1_ext_i2d,
9X509_REVOKED_get_ext_d2i, X509_REVOKED_add1_ext_i2d,
10X509_get0_extensions, X509_ACERT_get0_extensions, X509_CRL_get0_extensions,
11X509_REVOKED_get0_extensions - X509 extension decode and encode functions
12
13=head1 SYNOPSIS
14
15 #include <openssl/x509v3.h>
16
17 void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
18                      int *idx);
19 int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
20                     int crit, unsigned long flags);
21
22 void *X509V3_EXT_d2i(X509_EXTENSION *ext);
23 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
24
25 void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx);
26 int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
27                       unsigned long flags);
28
29 void *X509_ACERT_get_ext_d2i(const X509_ACERT *x, int nid, int *crit, int *idx);
30 int X509_ACERT_add1_ext_i2d(X509_ACERT *x, int nid, void *value, int crit,
31                             unsigned long flags);
32
33 void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, int *crit, int *idx);
34 int X509_CRL_add1_ext_i2d(X509_CRL *crl, int nid, void *value, int crit,
35                           unsigned long flags);
36
37 void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *r, int nid, int *crit, int *idx);
38 int X509_REVOKED_add1_ext_i2d(X509_REVOKED *r, int nid, void *value, int crit,
39                               unsigned long flags);
40
41 const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
42 const STACK_OF(X509_EXTENSION) *X509_ACERT_get0_extensions(const X509 *x);
43 const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
44 const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(const X509_REVOKED *r);
45
46=head1 DESCRIPTION
47
48X509V3_get_d2i() looks for an extension with OID I<nid> in the extensions
49I<x> and, if found, decodes it. If I<idx> is NULL then only one
50occurrence of an extension is permissible, otherwise the first extension after
51index I<*idx> is returned and I<*idx> updated to the location of the extension.
52If I<crit> is not NULL then I<*crit> is set to a status value: -2 if the
53extension occurs multiple times (this is only returned if I<idx> is NULL),
54-1 if the extension could not be found, 0 if the extension is found and is
55not critical and 1 if critical. A pointer to an extension specific structure
56or NULL is returned.
57
58X509V3_add1_i2d() adds extension I<value> to STACK I<*x> (allocating a new
59STACK if necessary) using OID I<nid> and criticality I<crit> according
60to I<flags>.
61
62X509V3_EXT_d2i() attempts to decode the ASN.1 data contained in extension
63I<ext> and returns a pointer to an extension specific structure or NULL
64if the extension could not be decoded (invalid syntax or not supported).
65
66X509V3_EXT_i2d() encodes the extension specific structure I<ext_struc>
67with OID I<ext_nid> and criticality I<crit>.
68
69X509_get_ext_d2i() and X509_add1_ext_i2d() operate on the extensions of
70certificate I<x>. They are otherwise identical to X509V3_get_d2i() and
71X509V3_add1_i2d().
72
73X509_ACERT_get_ext_d2i() and X509_ACERT_add1_ext_i2d() operate on the extensions
74of B<X509_ACERT> structure I<x>. They are otherwise identical to X509V3_get_d2i()
75and X509V3_add1_i2d().
76
77X509_CRL_get_ext_d2i() and X509_CRL_add1_ext_i2d() operate on the extensions
78of CRL I<crl>. They are otherwise identical to X509V3_get_d2i() and
79X509V3_add1_i2d().
80
81X509_REVOKED_get_ext_d2i() and X509_REVOKED_add1_ext_i2d() operate on the
82extensions of B<X509_REVOKED> structure I<r> (i.e for CRL entry extensions).
83They are otherwise identical to X509V3_get_d2i() and X509V3_add1_i2d().
84
85X509_get0_extensions(), X509_ACERT_get0_extensions(),
86X509_CRL_get0_extensions() and X509_REVOKED_get0_extensions() return a
87STACK of all the extensions of a certificate, an attribute certificate,
88a CRL or a CRL entry respectively.
89
90=head1 NOTES
91
92In almost all cases an extension can occur at most once and multiple
93occurrences is an error. Therefore, the I<idx> parameter is usually NULL.
94
95The I<flags> parameter may be one of the following values.
96
97B<X509V3_ADD_DEFAULT> appends a new extension only if the extension does
98not exist. An error is returned if the extension exists.
99
100B<X509V3_ADD_APPEND> appends a new extension, ignoring whether the extension
101exists.
102
103B<X509V3_ADD_REPLACE> replaces an existing extension. If the extension does
104not exist, appends a new extension.
105
106B<X509V3_ADD_REPLACE_EXISTING> replaces an existing extension. If the
107extension does not exist, returns an error.
108
109B<X509V3_ADD_KEEP_EXISTING> appends a new extension only if the extension does
110not exist. An error is B<not> returned if the extension exists.
111
112B<X509V3_ADD_DELETE> deletes and frees an existing extension. If the extension
113does not exist, returns an error. No new extension is added.
114
115If B<X509V3_ADD_SILENT> is bitwise ORed with I<flags>: any error returned
116will not be added to the error queue.
117
118The function X509V3_get_d2i() and its variants
119will return NULL if the extension is not
120found, occurs multiple times or cannot be decoded. It is possible to
121determine the precise reason by checking the value of I<*crit>.
122The returned pointer must be explicitly freed.
123
124The function X509V3_add1_i2d() and its variants allocate B<X509_EXTENSION>
125objects on STACK I<*x> depending on I<flags>. The B<X509_EXTENSION> objects
126must be explicitly freed using X509_EXTENSION_free().
127
128=head1 SUPPORTED EXTENSIONS
129
130The following sections contain a list of all supported extensions
131including their name and NID.
132
133=head2 PKIX Certificate Extensions
134
135The following certificate extensions are defined in PKIX standards such as
136RFC5280.
137
138 Basic Constraints                  NID_basic_constraints
139 Key Usage                          NID_key_usage
140 Extended Key Usage                 NID_ext_key_usage
141
142 Subject Key Identifier             NID_subject_key_identifier
143 Authority Key Identifier           NID_authority_key_identifier
144
145 Private Key Usage Period           NID_private_key_usage_period
146
147 Subject Alternative Name           NID_subject_alt_name
148 Issuer Alternative Name            NID_issuer_alt_name
149
150 Authority Information Access       NID_info_access
151 Subject Information Access         NID_sinfo_access
152
153 Name Constraints                   NID_name_constraints
154
155 Certificate Policies               NID_certificate_policies
156 Policy Mappings                    NID_policy_mappings
157 Policy Constraints                 NID_policy_constraints
158 Inhibit Any Policy                 NID_inhibit_any_policy
159
160 TLS Feature                        NID_tlsfeature
161
162=head2 Netscape Certificate Extensions
163
164The following are (largely obsolete) Netscape certificate extensions.
165
166 Netscape Cert Type                 NID_netscape_cert_type
167 Netscape Base Url                  NID_netscape_base_url
168 Netscape Revocation Url            NID_netscape_revocation_url
169 Netscape CA Revocation Url         NID_netscape_ca_revocation_url
170 Netscape Renewal Url               NID_netscape_renewal_url
171 Netscape CA Policy Url             NID_netscape_ca_policy_url
172 Netscape SSL Server Name           NID_netscape_ssl_server_name
173 Netscape Comment                   NID_netscape_comment
174
175=head2 Miscellaneous Certificate Extensions
176
177 Strong Extranet ID                 NID_sxnet
178 Proxy Certificate Information      NID_proxyCertInfo
179
180=head2 PKIX CRL Extensions
181
182The following are CRL extensions from PKIX standards such as RFC5280.
183
184 CRL Number                         NID_crl_number
185 CRL Distribution Points            NID_crl_distribution_points
186 Delta CRL Indicator                NID_delta_crl
187 Freshest CRL                       NID_freshest_crl
188 Invalidity Date                    NID_invalidity_date
189 Issuing Distribution Point         NID_issuing_distribution_point
190
191The following are CRL entry extensions from PKIX standards such as RFC5280.
192
193 CRL Reason Code                    NID_crl_reason
194 Certificate Issuer                 NID_certificate_issuer
195
196=head2 OCSP Extensions
197
198 OCSP Nonce                         NID_id_pkix_OCSP_Nonce
199 OCSP CRL ID                        NID_id_pkix_OCSP_CrlID
200 Acceptable OCSP Responses          NID_id_pkix_OCSP_acceptableResponses
201 OCSP No Check                      NID_id_pkix_OCSP_noCheck
202 OCSP Archive Cutoff                NID_id_pkix_OCSP_archiveCutoff
203 OCSP Service Locator               NID_id_pkix_OCSP_serviceLocator
204 Hold Instruction Code              NID_hold_instruction_code
205
206=head2 Certificate Transparency Extensions
207
208The following extensions are used by certificate transparency, RFC6962
209
210 CT Precertificate SCTs             NID_ct_precert_scts
211 CT Certificate SCTs                NID_ct_cert_scts
212
213=head1 RETURN VALUES
214
215X509V3_get_d2i(), its variants, and X509V3_EXT_d2i() return
216a pointer to an extension specific structure or NULL if an error occurs.
217
218X509V3_add1_i2d() and its variants return 1 if the operation is successful
219and 0 if it fails due to a non-fatal error (extension not found, already exists,
220cannot be encoded) or -1 due to a fatal error such as a memory allocation
221failure.
222
223X509V3_EXT_i2d() returns a pointer to an B<X509_EXTENSION> structure
224or NULL if an error occurs.
225
226X509_get0_extensions(), X509_CRL_get0_extensions() and
227X509_REVOKED_get0_extensions() return a stack of extensions. They return
228NULL if no extensions are present.
229
230=head1 SEE ALSO
231
232L<d2i_X509(3)>,
233L<ERR_get_error(3)>,
234L<X509_CRL_get0_by_serial(3)>,
235L<X509_get0_signature(3)>,
236L<X509_get_ext_d2i(3)>,
237L<X509_get_extension_flags(3)>,
238L<X509_get_pubkey(3)>,
239L<X509_get_subject_name(3)>,
240L<X509_get_version(3)>,
241L<X509_NAME_add_entry_by_txt(3)>,
242L<X509_NAME_ENTRY_get_object(3)>,
243L<X509_NAME_get_index_by_NID(3)>,
244L<X509_NAME_print_ex(3)>,
245L<X509_new(3)>,
246L<X509_sign(3)>,
247L<X509_verify_cert(3)>
248
249=head1 HISTORY
250
251X509_ACERT_get_ext_d2i(), X509_ACERT_add1_ext_i2d(),
252X509_ACERT_get0_extensions() were added in OpenSSL 3.4.
253
254=head1 COPYRIGHT
255
256Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
257
258Licensed under the Apache License 2.0 (the "License").  You may not use
259this file except in compliance with the License.  You can obtain a copy
260in the file LICENSE in the source distribution or at
261L<https://www.openssl.org/source/license.html>.
262
263=cut
264