1=pod 2 3=head1 NAME 4 5X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d, 6X509_get_ext_d2i, X509_add1_ext_i2d, 7X509_ACERT_get_ext_d2i, X509_ACERT_add1_ext_i2d, 8X509_CRL_get_ext_d2i, X509_CRL_add1_ext_i2d, 9X509_REVOKED_get_ext_d2i, X509_REVOKED_add1_ext_i2d, 10X509_get0_extensions, X509_ACERT_get0_extensions, X509_CRL_get0_extensions, 11X509_REVOKED_get0_extensions - X509 extension decode and encode functions 12 13=head1 SYNOPSIS 14 15 #include <openssl/x509v3.h> 16 17 void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit, 18 int *idx); 19 int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, 20 int crit, unsigned long flags); 21 22 void *X509V3_EXT_d2i(X509_EXTENSION *ext); 23 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc); 24 25 void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx); 26 int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit, 27 unsigned long flags); 28 29 void *X509_ACERT_get_ext_d2i(const X509_ACERT *x, int nid, int *crit, int *idx); 30 int X509_ACERT_add1_ext_i2d(X509_ACERT *x, int nid, void *value, int crit, 31 unsigned long flags); 32 33 void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, int *crit, int *idx); 34 int X509_CRL_add1_ext_i2d(X509_CRL *crl, int nid, void *value, int crit, 35 unsigned long flags); 36 37 void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *r, int nid, int *crit, int *idx); 38 int X509_REVOKED_add1_ext_i2d(X509_REVOKED *r, int nid, void *value, int crit, 39 unsigned long flags); 40 41 const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x); 42 const STACK_OF(X509_EXTENSION) *X509_ACERT_get0_extensions(const X509 *x); 43 const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl); 44 const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(const X509_REVOKED *r); 45 46=head1 DESCRIPTION 47 48X509V3_get_d2i() looks for an extension with OID I<nid> in the extensions 49I<x> and, if found, decodes it. If I<idx> is NULL then only one 50occurrence of an extension is permissible, otherwise the first extension after 51index I<*idx> is returned and I<*idx> updated to the location of the extension. 52If I<crit> is not NULL then I<*crit> is set to a status value: -2 if the 53extension occurs multiple times (this is only returned if I<idx> is NULL), 54-1 if the extension could not be found, 0 if the extension is found and is 55not critical and 1 if critical. A pointer to an extension specific structure 56or NULL is returned. 57 58X509V3_add1_i2d() adds extension I<value> to STACK I<*x> (allocating a new 59STACK if necessary) using OID I<nid> and criticality I<crit> according 60to I<flags>. 61 62X509V3_EXT_d2i() attempts to decode the ASN.1 data contained in extension 63I<ext> and returns a pointer to an extension specific structure or NULL 64if the extension could not be decoded (invalid syntax or not supported). 65 66X509V3_EXT_i2d() encodes the extension specific structure I<ext_struc> 67with OID I<ext_nid> and criticality I<crit>. 68 69X509_get_ext_d2i() and X509_add1_ext_i2d() operate on the extensions of 70certificate I<x>. They are otherwise identical to X509V3_get_d2i() and 71X509V3_add1_i2d(). 72 73X509_ACERT_get_ext_d2i() and X509_ACERT_add1_ext_i2d() operate on the extensions 74of B<X509_ACERT> structure I<x>. They are otherwise identical to X509V3_get_d2i() 75and X509V3_add1_i2d(). 76 77X509_CRL_get_ext_d2i() and X509_CRL_add1_ext_i2d() operate on the extensions 78of CRL I<crl>. They are otherwise identical to X509V3_get_d2i() and 79X509V3_add1_i2d(). 80 81X509_REVOKED_get_ext_d2i() and X509_REVOKED_add1_ext_i2d() operate on the 82extensions of B<X509_REVOKED> structure I<r> (i.e for CRL entry extensions). 83They are otherwise identical to X509V3_get_d2i() and X509V3_add1_i2d(). 84 85X509_get0_extensions(), X509_ACERT_get0_extensions(), 86X509_CRL_get0_extensions() and X509_REVOKED_get0_extensions() return a 87STACK of all the extensions of a certificate, an attribute certificate, 88a CRL or a CRL entry respectively. 89 90=head1 NOTES 91 92In almost all cases an extension can occur at most once and multiple 93occurrences is an error. Therefore, the I<idx> parameter is usually NULL. 94 95The I<flags> parameter may be one of the following values. 96 97B<X509V3_ADD_DEFAULT> appends a new extension only if the extension does 98not exist. An error is returned if the extension exists. 99 100B<X509V3_ADD_APPEND> appends a new extension, ignoring whether the extension 101exists. 102 103B<X509V3_ADD_REPLACE> replaces an existing extension. If the extension does 104not exist, appends a new extension. 105 106B<X509V3_ADD_REPLACE_EXISTING> replaces an existing extension. If the 107extension does not exist, returns an error. 108 109B<X509V3_ADD_KEEP_EXISTING> appends a new extension only if the extension does 110not exist. An error is B<not> returned if the extension exists. 111 112B<X509V3_ADD_DELETE> deletes and frees an existing extension. If the extension 113does not exist, returns an error. No new extension is added. 114 115If B<X509V3_ADD_SILENT> is bitwise ORed with I<flags>: any error returned 116will not be added to the error queue. 117 118The function X509V3_get_d2i() and its variants 119will return NULL if the extension is not 120found, occurs multiple times or cannot be decoded. It is possible to 121determine the precise reason by checking the value of I<*crit>. 122The returned pointer must be explicitly freed. 123 124The function X509V3_add1_i2d() and its variants allocate B<X509_EXTENSION> 125objects on STACK I<*x> depending on I<flags>. The B<X509_EXTENSION> objects 126must be explicitly freed using X509_EXTENSION_free(). 127 128=head1 SUPPORTED EXTENSIONS 129 130The following sections contain a list of all supported extensions 131including their name and NID. 132 133=head2 PKIX Certificate Extensions 134 135The following certificate extensions are defined in PKIX standards such as 136RFC5280. 137 138 Basic Constraints NID_basic_constraints 139 Key Usage NID_key_usage 140 Extended Key Usage NID_ext_key_usage 141 142 Subject Key Identifier NID_subject_key_identifier 143 Authority Key Identifier NID_authority_key_identifier 144 145 Private Key Usage Period NID_private_key_usage_period 146 147 Subject Alternative Name NID_subject_alt_name 148 Issuer Alternative Name NID_issuer_alt_name 149 150 Authority Information Access NID_info_access 151 Subject Information Access NID_sinfo_access 152 153 Name Constraints NID_name_constraints 154 155 Certificate Policies NID_certificate_policies 156 Policy Mappings NID_policy_mappings 157 Policy Constraints NID_policy_constraints 158 Inhibit Any Policy NID_inhibit_any_policy 159 160 TLS Feature NID_tlsfeature 161 162=head2 Netscape Certificate Extensions 163 164The following are (largely obsolete) Netscape certificate extensions. 165 166 Netscape Cert Type NID_netscape_cert_type 167 Netscape Base Url NID_netscape_base_url 168 Netscape Revocation Url NID_netscape_revocation_url 169 Netscape CA Revocation Url NID_netscape_ca_revocation_url 170 Netscape Renewal Url NID_netscape_renewal_url 171 Netscape CA Policy Url NID_netscape_ca_policy_url 172 Netscape SSL Server Name NID_netscape_ssl_server_name 173 Netscape Comment NID_netscape_comment 174 175=head2 Miscellaneous Certificate Extensions 176 177 Strong Extranet ID NID_sxnet 178 Proxy Certificate Information NID_proxyCertInfo 179 180=head2 PKIX CRL Extensions 181 182The following are CRL extensions from PKIX standards such as RFC5280. 183 184 CRL Number NID_crl_number 185 CRL Distribution Points NID_crl_distribution_points 186 Delta CRL Indicator NID_delta_crl 187 Freshest CRL NID_freshest_crl 188 Invalidity Date NID_invalidity_date 189 Issuing Distribution Point NID_issuing_distribution_point 190 191The following are CRL entry extensions from PKIX standards such as RFC5280. 192 193 CRL Reason Code NID_crl_reason 194 Certificate Issuer NID_certificate_issuer 195 196=head2 OCSP Extensions 197 198 OCSP Nonce NID_id_pkix_OCSP_Nonce 199 OCSP CRL ID NID_id_pkix_OCSP_CrlID 200 Acceptable OCSP Responses NID_id_pkix_OCSP_acceptableResponses 201 OCSP No Check NID_id_pkix_OCSP_noCheck 202 OCSP Archive Cutoff NID_id_pkix_OCSP_archiveCutoff 203 OCSP Service Locator NID_id_pkix_OCSP_serviceLocator 204 Hold Instruction Code NID_hold_instruction_code 205 206=head2 Certificate Transparency Extensions 207 208The following extensions are used by certificate transparency, RFC6962 209 210 CT Precertificate SCTs NID_ct_precert_scts 211 CT Certificate SCTs NID_ct_cert_scts 212 213=head1 RETURN VALUES 214 215X509V3_get_d2i(), its variants, and X509V3_EXT_d2i() return 216a pointer to an extension specific structure or NULL if an error occurs. 217 218X509V3_add1_i2d() and its variants return 1 if the operation is successful 219and 0 if it fails due to a non-fatal error (extension not found, already exists, 220cannot be encoded) or -1 due to a fatal error such as a memory allocation 221failure. 222 223X509V3_EXT_i2d() returns a pointer to an B<X509_EXTENSION> structure 224or NULL if an error occurs. 225 226X509_get0_extensions(), X509_CRL_get0_extensions() and 227X509_REVOKED_get0_extensions() return a stack of extensions. They return 228NULL if no extensions are present. 229 230=head1 SEE ALSO 231 232L<d2i_X509(3)>, 233L<ERR_get_error(3)>, 234L<X509_CRL_get0_by_serial(3)>, 235L<X509_get0_signature(3)>, 236L<X509_get_ext_d2i(3)>, 237L<X509_get_extension_flags(3)>, 238L<X509_get_pubkey(3)>, 239L<X509_get_subject_name(3)>, 240L<X509_get_version(3)>, 241L<X509_NAME_add_entry_by_txt(3)>, 242L<X509_NAME_ENTRY_get_object(3)>, 243L<X509_NAME_get_index_by_NID(3)>, 244L<X509_NAME_print_ex(3)>, 245L<X509_new(3)>, 246L<X509_sign(3)>, 247L<X509_verify_cert(3)> 248 249=head1 HISTORY 250 251X509_ACERT_get_ext_d2i(), X509_ACERT_add1_ext_i2d(), 252X509_ACERT_get0_extensions() were added in OpenSSL 3.4. 253 254=head1 COPYRIGHT 255 256Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved. 257 258Licensed under the Apache License 2.0 (the "License"). You may not use 259this file except in compliance with the License. You can obtain a copy 260in the file LICENSE in the source distribution or at 261L<https://www.openssl.org/source/license.html>. 262 263=cut 264