- .\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
- .\"
- .\" Standard preamble:
- .\" ========================================================================
- .de Sp \" Vertical space (when we can't use .PP)
- .if t .sp .5v
- .if n .sp
- ..
- .de Vb \" Begin verbatim text
- .ft CW
- .nf
- .ne \\$1
- ..
- .de Ve \" End verbatim text
- .ft R
- .fi
- ..
- .\" Set up some character translations and predefined strings. \*(-- will
- .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
- .\" double quote, and \*(R" will give a right double quote. \*(C+ will
- .\" give a nicer C++. Capital omega is used to do unbreakable dashes and
- .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
- .\" nothing in troff, for use with C<>.
- .tr \(*W-
- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
- .ie n \{\
- . ds -- \(*W-
- . ds PI pi
- . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
- . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
- . ds L" ""
- . ds R" ""
- . ds C` ""
- . ds C' ""
- 'br\}
- .el\{\
- . ds -- \|\(em\|
- . ds PI \(*p
- . ds L" ``
- . ds R" ''
- . ds C`
- . ds C'
- 'br\}
- .\"
- .\" Escape single quotes in literal strings from groff's Unicode transform.
- .ie \n(.g .ds Aq \(aq
- .el .ds Aq '
- .\"
- .\" If the F register is >0, we'll generate index entries on stderr for
- .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
- .\" entries marked with X<> in POD. Of course, you'll have to process the
- .\" output yourself in some meaningful fashion.
- .\"
- .\" Avoid warning from groff about undefined register 'F'.
- .de IX
- ..
- .nr rF 0
- .if \n(.g .if rF .nr rF 1
- .if (\n(rF:(\n(.g==0)) \{\
- . if \nF \{\
- . de IX
- . tm Index:\\$1\t\\n%\t"\\$2"
- ..
- . if !\nF==2 \{\
- . nr % 0
- . nr F 2
- . \}
- . \}
- .\}
- .rr rF
- .\"
- .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
- .\" Fear. Run. Save yourself. No user-serviceable parts.
- . \" fudge factors for nroff and troff
- .if n \{\
- . ds #H 0
- . ds #V .8m
- . ds #F .3m
- . ds #[ \f1
- . ds #] \fP
- .\}
- .if t \{\
- . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
- . ds #V .6m
- . ds #F 0
- . ds #[ \&
- . ds #] \&
- .\}
- . \" simple accents for nroff and troff
- .if n \{\
- . ds ' \&
- . ds ` \&
- . ds ^ \&
- . ds , \&
- . ds ~ ~
- . ds /
- .\}
- .if t \{\
- . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
- . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
- . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
- . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
- . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
- . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
- .\}
- . \" troff and (daisy-wheel) nroff accents
- .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
- .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
- .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
- .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
- .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
- .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
- .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
- .ds ae a\h'-(\w'a'u*4/10)'e
- .ds Ae A\h'-(\w'A'u*4/10)'E
- . \" corrections for vroff
- .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
- .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
- . \" for low resolution devices (crt and lpr)
- .if \n(.H>23 .if \n(.V>19 \
- \{\
- . ds : e
- . ds 8 ss
- . ds o a
- . ds d- d\h'-1'\(ga
- . ds D- D\h'-1'\(hy
- . ds th \o'bp'
- . ds Th \o'LP'
- . ds ae ae
- . ds Ae AE
- .\}
- .rm #[ #] #H #V #F C
- .\" ========================================================================
- .\"
- .IX Title "X509V3_GET_D2I 3ossl"
- .TH X509V3_GET_D2I 3ossl "2024-09-03" "3.3.2" "OpenSSL"
- .\" For nroff, turn off justification. Always turn off hyphenation; it makes
- .\" way too many mistakes in technical documents.
- .if n .ad l
- .nh
- .SH "NAME"
- X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d,
- X509_get_ext_d2i, X509_add1_ext_i2d,
- X509_CRL_get_ext_d2i, X509_CRL_add1_ext_i2d,
- X509_REVOKED_get_ext_d2i, X509_REVOKED_add1_ext_i2d,
- X509_get0_extensions, X509_CRL_get0_extensions,
- X509_REVOKED_get0_extensions \- X509 extension decode and encode functions
- .SH "SYNOPSIS"
- .IX Header "SYNOPSIS"
- .Vb 1
- \& #include <openssl/x509v3.h>
- \&
- \& void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
- \& int *idx);
- \& int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
- \& int crit, unsigned long flags);
- \&
- \& void *X509V3_EXT_d2i(X509_EXTENSION *ext);
- \& X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
- \&
- \& void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx);
- \& int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
- \& unsigned long flags);
- \&
- \& void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, int *crit, int *idx);
- \& int X509_CRL_add1_ext_i2d(X509_CRL *crl, int nid, void *value, int crit,
- \& unsigned long flags);
- \&
- \& void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *r, int nid, int *crit, int *idx);
- \& int X509_REVOKED_add1_ext_i2d(X509_REVOKED *r, int nid, void *value, int crit,
- \& unsigned long flags);
- \&
- \& const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
- \& const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
- \& const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(const X509_REVOKED *r);
- .Ve
- .SH "DESCRIPTION"
- .IX Header "DESCRIPTION"
- \&\fBX509V3_get_d2i()\fR looks for an extension with \s-1OID\s0 \fInid\fR in the extensions
- \&\fIx\fR and, if found, decodes it. If \fIidx\fR is \s-1NULL\s0 then only one
- occurrence of an extension is permissible, otherwise the first extension after
- index \fI*idx\fR is returned and \fI*idx\fR updated to the location of the extension.
- If \fIcrit\fR is not \s-1NULL\s0 then \fI*crit\fR is set to a status value: \-2 if the
- extension occurs multiple times (this is only returned if \fIidx\fR is \s-1NULL\s0),
- \&\-1 if the extension could not be found, 0 if the extension is found and is
- not critical and 1 if critical. A pointer to an extension specific structure
- or \s-1NULL\s0 is returned.
- .PP
- \&\fBX509V3_add1_i2d()\fR adds extension \fIvalue\fR to \s-1STACK\s0 \fI*x\fR (allocating a new
- \&\s-1STACK\s0 if necessary) using \s-1OID\s0 \fInid\fR and criticality \fIcrit\fR according
- to \fIflags\fR.
- .PP
- \&\fBX509V3_EXT_d2i()\fR attempts to decode the \s-1ASN.1\s0 data contained in extension
- \&\fIext\fR and returns a pointer to an extension specific structure or \s-1NULL\s0
- if the extension could not be decoded (invalid syntax or not supported).
- .PP
- \&\fBX509V3_EXT_i2d()\fR encodes the extension specific structure \fIext_struc\fR
- with \s-1OID\s0 \fIext_nid\fR and criticality \fIcrit\fR.
- .PP
- \&\fBX509_get_ext_d2i()\fR and \fBX509_add1_ext_i2d()\fR operate on the extensions of
- certificate \fIx\fR. They are otherwise identical to \fBX509V3_get_d2i()\fR and
- \&\fBX509V3_add1_i2d()\fR.
- .PP
- \&\fBX509_CRL_get_ext_d2i()\fR and \fBX509_CRL_add1_ext_i2d()\fR operate on the extensions
- of \s-1CRL\s0 \fIcrl\fR. They are otherwise identical to \fBX509V3_get_d2i()\fR and
- \&\fBX509V3_add1_i2d()\fR.
- .PP
- \&\fBX509_REVOKED_get_ext_d2i()\fR and \fBX509_REVOKED_add1_ext_i2d()\fR operate on the
- extensions of \fBX509_REVOKED\fR structure \fIr\fR (i.e for \s-1CRL\s0 entry extensions).
- They are otherwise identical to \fBX509V3_get_d2i()\fR and \fBX509V3_add1_i2d()\fR.
- .PP
- \&\fBX509_get0_extensions()\fR, \fBX509_CRL_get0_extensions()\fR and
- \&\fBX509_REVOKED_get0_extensions()\fR return a \s-1STACK\s0 of all the extensions
- of a certificate, a \s-1CRL\s0 or a \s-1CRL\s0 entry respectively.
- .SH "NOTES"
- .IX Header "NOTES"
- In almost all cases an extension can occur at most once and multiple
- occurrences is an error. Therefore, the \fIidx\fR parameter is usually \s-1NULL.\s0
- .PP
- The \fIflags\fR parameter may be one of the following values.
- .PP
- \&\fBX509V3_ADD_DEFAULT\fR appends a new extension only if the extension does
- not exist. An error is returned if the extension exists.
- .PP
- \&\fBX509V3_ADD_APPEND\fR appends a new extension, ignoring whether the extension
- exists.
- .PP
- \&\fBX509V3_ADD_REPLACE\fR replaces an existing extension. If the extension does
- not exist, appends a new extension.
- .PP
- \&\fBX509V3_ADD_REPLACE_EXISTING\fR replaces an existing extension. If the
- extension does not exist, returns an error.
- .PP
- \&\fBX509V3_ADD_KEEP_EXISTING\fR appends a new extension only if the extension does
- not exist. An error is \fBnot\fR returned if the extension exists.
- .PP
- \&\fBX509V3_ADD_DELETE\fR deletes and frees an existing extension. If the extension
- does not exist, returns an error. No new extension is added.
- .PP
- If \fBX509V3_ADD_SILENT\fR is bitwise ORed with \fIflags\fR: any error returned
- will not be added to the error queue.
- .PP
- The function \fBX509V3_get_d2i()\fR and its variants
- will return \s-1NULL\s0 if the extension is not
- found, occurs multiple times or cannot be decoded. It is possible to
- determine the precise reason by checking the value of \fI*crit\fR.
- The returned pointer must be explicitly freed.
- .PP
- The function \fBX509V3_add1_i2d()\fR and its variants allocate \fBX509_EXTENSION\fR
- objects on \s-1STACK\s0 \fI*x\fR depending on \fIflags\fR. The \fBX509_EXTENSION\fR objects
- must be explicitly freed using \fBX509_EXTENSION_free()\fR.
- .SH "SUPPORTED EXTENSIONS"
- .IX Header "SUPPORTED EXTENSIONS"
- The following sections contain a list of all supported extensions
- including their name and \s-1NID.\s0
- .SS "\s-1PKIX\s0 Certificate Extensions"
- .IX Subsection "PKIX Certificate Extensions"
- The following certificate extensions are defined in \s-1PKIX\s0 standards such as
- \&\s-1RFC5280.\s0
- .PP
- .Vb 3
- \& Basic Constraints NID_basic_constraints
- \& Key Usage NID_key_usage
- \& Extended Key Usage NID_ext_key_usage
- \&
- \& Subject Key Identifier NID_subject_key_identifier
- \& Authority Key Identifier NID_authority_key_identifier
- \&
- \& Private Key Usage Period NID_private_key_usage_period
- \&
- \& Subject Alternative Name NID_subject_alt_name
- \& Issuer Alternative Name NID_issuer_alt_name
- \&
- \& Authority Information Access NID_info_access
- \& Subject Information Access NID_sinfo_access
- \&
- \& Name Constraints NID_name_constraints
- \&
- \& Certificate Policies NID_certificate_policies
- \& Policy Mappings NID_policy_mappings
- \& Policy Constraints NID_policy_constraints
- \& Inhibit Any Policy NID_inhibit_any_policy
- \&
- \& TLS Feature NID_tlsfeature
- .Ve
- .SS "Netscape Certificate Extensions"
- .IX Subsection "Netscape Certificate Extensions"
- The following are (largely obsolete) Netscape certificate extensions.
- .PP
- .Vb 8
- \& Netscape Cert Type NID_netscape_cert_type
- \& Netscape Base Url NID_netscape_base_url
- \& Netscape Revocation Url NID_netscape_revocation_url
- \& Netscape CA Revocation Url NID_netscape_ca_revocation_url
- \& Netscape Renewal Url NID_netscape_renewal_url
- \& Netscape CA Policy Url NID_netscape_ca_policy_url
- \& Netscape SSL Server Name NID_netscape_ssl_server_name
- \& Netscape Comment NID_netscape_comment
- .Ve
- .SS "Miscellaneous Certificate Extensions"
- .IX Subsection "Miscellaneous Certificate Extensions"
- .Vb 2
- \& Strong Extranet ID NID_sxnet
- \& Proxy Certificate Information NID_proxyCertInfo
- .Ve
- .SS "\s-1PKIX CRL\s0 Extensions"
- .IX Subsection "PKIX CRL Extensions"
- The following are \s-1CRL\s0 extensions from \s-1PKIX\s0 standards such as \s-1RFC5280.\s0
- .PP
- .Vb 6
- \& CRL Number NID_crl_number
- \& CRL Distribution Points NID_crl_distribution_points
- \& Delta CRL Indicator NID_delta_crl
- \& Freshest CRL NID_freshest_crl
- \& Invalidity Date NID_invalidity_date
- \& Issuing Distribution Point NID_issuing_distribution_point
- .Ve
- .PP
- The following are \s-1CRL\s0 entry extensions from \s-1PKIX\s0 standards such as \s-1RFC5280.\s0
- .PP
- .Vb 2
- \& CRL Reason Code NID_crl_reason
- \& Certificate Issuer NID_certificate_issuer
- .Ve
- .SS "\s-1OCSP\s0 Extensions"
- .IX Subsection "OCSP Extensions"
- .Vb 7
- \& OCSP Nonce NID_id_pkix_OCSP_Nonce
- \& OCSP CRL ID NID_id_pkix_OCSP_CrlID
- \& Acceptable OCSP Responses NID_id_pkix_OCSP_acceptableResponses
- \& OCSP No Check NID_id_pkix_OCSP_noCheck
- \& OCSP Archive Cutoff NID_id_pkix_OCSP_archiveCutoff
- \& OCSP Service Locator NID_id_pkix_OCSP_serviceLocator
- \& Hold Instruction Code NID_hold_instruction_code
- .Ve
- .SS "Certificate Transparency Extensions"
- .IX Subsection "Certificate Transparency Extensions"
- The following extensions are used by certificate transparency, \s-1RFC6962\s0
- .PP
- .Vb 2
- \& CT Precertificate SCTs NID_ct_precert_scts
- \& CT Certificate SCTs NID_ct_cert_scts
- .Ve
- .SH "RETURN VALUES"
- .IX Header "RETURN VALUES"
- \&\fBX509V3_get_d2i()\fR, its variants, and \fBX509V3_EXT_d2i()\fR return
- a pointer to an extension specific structure or \s-1NULL\s0 if an error occurs.
- .PP
- \&\fBX509V3_add1_i2d()\fR and its variants return 1 if the operation is successful
- and 0 if it fails due to a non-fatal error (extension not found, already exists,
- cannot be encoded) or \-1 due to a fatal error such as a memory allocation
- failure.
- .PP
- \&\fBX509V3_EXT_i2d()\fR returns a pointer to an \fBX509_EXTENSION\fR structure
- or \s-1NULL\s0 if an error occurs.
- .PP
- \&\fBX509_get0_extensions()\fR, \fBX509_CRL_get0_extensions()\fR and
- \&\fBX509_REVOKED_get0_extensions()\fR return a stack of extensions. They return
- \&\s-1NULL\s0 if no extensions are present.
- .SH "SEE ALSO"
- .IX Header "SEE ALSO"
- \&\fBd2i_X509\fR\|(3),
- \&\fBERR_get_error\fR\|(3),
- \&\fBX509_CRL_get0_by_serial\fR\|(3),
- \&\fBX509_get0_signature\fR\|(3),
- \&\fBX509_get_ext_d2i\fR\|(3),
- \&\fBX509_get_extension_flags\fR\|(3),
- \&\fBX509_get_pubkey\fR\|(3),
- \&\fBX509_get_subject_name\fR\|(3),
- \&\fBX509_get_version\fR\|(3),
- \&\fBX509_NAME_add_entry_by_txt\fR\|(3),
- \&\fBX509_NAME_ENTRY_get_object\fR\|(3),
- \&\fBX509_NAME_get_index_by_NID\fR\|(3),
- \&\fBX509_NAME_print_ex\fR\|(3),
- \&\fBX509_new\fR\|(3),
- \&\fBX509_sign\fR\|(3),
- \&\fBX509_verify_cert\fR\|(3)
- .SH "COPYRIGHT"
- .IX Header "COPYRIGHT"
- Copyright 2015\-2024 The OpenSSL Project Authors. All Rights Reserved.
- .PP
- Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
- this file except in compliance with the License. You can obtain a copy
- in the file \s-1LICENSE\s0 in the source distribution or at
- <https://www.openssl.org/source/license.html>.
|