Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)

Standard preamble:
========================================================================
..

..

.. Set up some character translations and predefined strings. \*(-- will
give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
double quote, and \*(R" will give a right double quote. \*(C+ will
give a nicer C++. Capital omega is used to do unbreakable dashes and
therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
nothing in troff, for use with C<>.
.tr \(*W- . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\}
Escape single quotes in literal strings from groff's Unicode transform.

If the F register is >0, we'll generate index entries on stderr for
titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
entries marked with X<> in POD. Of course, you'll have to process the
output yourself in some meaningful fashion.

Avoid warning from groff about undefined register 'F'.
.. .nr rF 0 . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] .\} . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents . \" corrections for vroff . \" for low resolution devices (crt and lpr) \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} ========================================================================

Title "X509V3_GET_D2I 3ossl" For nroff, turn off justification. Always turn off hyphenation; it makes
way too many mistakes in technical documents.
X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d, X509_get_ext_d2i, X509_add1_ext_i2d, X509_CRL_get_ext_d2i, X509_CRL_add1_ext_i2d, X509_REVOKED_get_ext_d2i, X509_REVOKED_add1_ext_i2d, X509_get0_extensions, X509_CRL_get0_extensions, X509_REVOKED_get0_extensions - X509 extension decode and encode functions Header "SYNOPSIS" .Vb 1 #include <openssl/x509v3.h> \& void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx); int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, int crit, unsigned long flags); \& void *X509V3_EXT_d2i(X509_EXTENSION *ext); X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc); \& void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx); int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit, unsigned long flags); \& void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, int *crit, int *idx); int X509_CRL_add1_ext_i2d(X509_CRL *crl, int nid, void *value, int crit, unsigned long flags); \& void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *r, int nid, int *crit, int *idx); int X509_REVOKED_add1_ext_i2d(X509_REVOKED *r, int nid, void *value, int crit, unsigned long flags); \& const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x); const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl); const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(const X509_REVOKED *r); .Ve Header "DESCRIPTION" \fBX509V3_get_d2i() looks for an extension with \s-1OID\s0 nid in the extensions \fIx and, if found, decodes it. If idx is \s-1NULL\s0 then only one occurrence of an extension is permissible, otherwise the first extension after index *idx is returned and *idx updated to the location of the extension. If crit is not \s-1NULL\s0 then *crit is set to a status value: -2 if the extension occurs multiple times (this is only returned if idx is \s-1NULL\s0), \-1 if the extension could not be found, 0 if the extension is found and is not critical and 1 if critical. A pointer to an extension specific structure or \s-1NULL\s0 is returned.

\fBX509V3_add1_i2d() adds extension value to \s-1STACK\s0 *x (allocating a new \s-1STACK\s0 if necessary) using \s-1OID\s0 nid and criticality crit according to flags.

\fBX509V3_EXT_d2i() attempts to decode the \s-1ASN.1\s0 data contained in extension \fIext and returns a pointer to an extension specific structure or \s-1NULL\s0 if the extension could not be decoded (invalid syntax or not supported).

\fBX509V3_EXT_i2d() encodes the extension specific structure ext_struc with \s-1OID\s0 ext_nid and criticality crit.

\fBX509_get_ext_d2i() and X509_add1_ext_i2d() operate on the extensions of certificate x. They are otherwise identical to X509V3_get_d2i() and \fBX509V3_add1_i2d().

\fBX509_CRL_get_ext_d2i() and X509_CRL_add1_ext_i2d() operate on the extensions of \s-1CRL\s0 crl. They are otherwise identical to X509V3_get_d2i() and \fBX509V3_add1_i2d().

\fBX509_REVOKED_get_ext_d2i() and X509_REVOKED_add1_ext_i2d() operate on the extensions of X509_REVOKED structure r (i.e for \s-1CRL\s0 entry extensions). They are otherwise identical to X509V3_get_d2i() and X509V3_add1_i2d().

\fBX509_get0_extensions(), X509_CRL_get0_extensions() and \fBX509_REVOKED_get0_extensions() return a \s-1STACK\s0 of all the extensions of a certificate, a \s-1CRL\s0 or a \s-1CRL\s0 entry respectively.

Header "NOTES" In almost all cases an extension can occur at most once and multiple occurrences is an error. Therefore, the idx parameter is usually \s-1NULL.\s0

The flags parameter may be one of the following values.

\fBX509V3_ADD_DEFAULT appends a new extension only if the extension does not exist. An error is returned if the extension exists.

\fBX509V3_ADD_APPEND appends a new extension, ignoring whether the extension exists.

\fBX509V3_ADD_REPLACE replaces an existing extension. If the extension does not exist, appends a new extension.

\fBX509V3_ADD_REPLACE_EXISTING replaces an existing extension. If the extension does not exist, returns an error.

\fBX509V3_ADD_KEEP_EXISTING appends a new extension only if the extension does not exist. An error is not returned if the extension exists.

\fBX509V3_ADD_DELETE deletes and frees an existing extension. If the extension does not exist, returns an error. No new extension is added.

If X509V3_ADD_SILENT is bitwise ORed with flags: any error returned will not be added to the error queue.

The function X509V3_get_d2i() and its variants will return \s-1NULL\s0 if the extension is not found, occurs multiple times or cannot be decoded. It is possible to determine the precise reason by checking the value of *crit.

The function X509V3_add1_i2d() and its variants allocate X509_EXTENSION objects on \s-1STACK\s0 *x depending on flags. The X509_EXTENSION objects must be explicitly freed using X509_EXTENSION_free().

Header "SUPPORTED EXTENSIONS" The following sections contain a list of all supported extensions including their name and \s-1NID.\s0 Subsection "PKIX Certificate Extensions" The following certificate extensions are defined in \s-1PKIX\s0 standards such as \s-1RFC5280.\s0

.Vb 3 Basic Constraints NID_basic_constraints Key Usage NID_key_usage Extended Key Usage NID_ext_key_usage \& Subject Key Identifier NID_subject_key_identifier Authority Key Identifier NID_authority_key_identifier \& Private Key Usage Period NID_private_key_usage_period \& Subject Alternative Name NID_subject_alt_name Issuer Alternative Name NID_issuer_alt_name \& Authority Information Access NID_info_access Subject Information Access NID_sinfo_access \& Name Constraints NID_name_constraints \& Certificate Policies NID_certificate_policies Policy Mappings NID_policy_mappings Policy Constraints NID_policy_constraints Inhibit Any Policy NID_inhibit_any_policy \& TLS Feature NID_tlsfeature .Ve

Subsection "Netscape Certificate Extensions" The following are (largely obsolete) Netscape certificate extensions.

.Vb 8 Netscape Cert Type NID_netscape_cert_type Netscape Base Url NID_netscape_base_url Netscape Revocation Url NID_netscape_revocation_url Netscape CA Revocation Url NID_netscape_ca_revocation_url Netscape Renewal Url NID_netscape_renewal_url Netscape CA Policy Url NID_netscape_ca_policy_url Netscape SSL Server Name NID_netscape_ssl_server_name Netscape Comment NID_netscape_comment .Ve

Subsection "Miscellaneous Certificate Extensions" .Vb 2 Strong Extranet ID NID_sxnet Proxy Certificate Information NID_proxyCertInfo .Ve Subsection "PKIX CRL Extensions" The following are \s-1CRL\s0 extensions from \s-1PKIX\s0 standards such as \s-1RFC5280.\s0

.Vb 6 CRL Number NID_crl_number CRL Distribution Points NID_crl_distribution_points Delta CRL Indicator NID_delta_crl Freshest CRL NID_freshest_crl Invalidity Date NID_invalidity_date Issuing Distribution Point NID_issuing_distribution_point .Ve

The following are \s-1CRL\s0 entry extensions from \s-1PKIX\s0 standards such as \s-1RFC5280.\s0

.Vb 2 CRL Reason Code NID_crl_reason Certificate Issuer NID_certificate_issuer .Ve

Subsection "OCSP Extensions" .Vb 7 OCSP Nonce NID_id_pkix_OCSP_Nonce OCSP CRL ID NID_id_pkix_OCSP_CrlID Acceptable OCSP Responses NID_id_pkix_OCSP_acceptableResponses OCSP No Check NID_id_pkix_OCSP_noCheck OCSP Archive Cutoff NID_id_pkix_OCSP_archiveCutoff OCSP Service Locator NID_id_pkix_OCSP_serviceLocator Hold Instruction Code NID_hold_instruction_code .Ve Subsection "Certificate Transparency Extensions" The following extensions are used by certificate transparency, \s-1RFC6962\s0

.Vb 2 CT Precertificate SCTs NID_ct_precert_scts CT Certificate SCTs NID_ct_cert_scts .Ve

Header "RETURN VALUES" \fBX509V3_get_d2i(), its variants, and X509V3_EXT_d2i() return a pointer to an extension specific structure or \s-1NULL\s0 if an error occurs.

\fBX509V3_add1_i2d() and its variants return 1 if the operation is successful and 0 if it fails due to a non-fatal error (extension not found, already exists, cannot be encoded) or -1 due to a fatal error such as a memory allocation failure.

\fBX509V3_EXT_i2d() returns a pointer to an X509_EXTENSION structure or \s-1NULL\s0 if an error occurs.

\fBX509_get0_extensions(), X509_CRL_get0_extensions() and \fBX509_REVOKED_get0_extensions() return a stack of extensions. They return \s-1NULL\s0 if no extensions are present.

Header "SEE ALSO" \fBd2i_X509\|(3), \fBERR_get_error\|(3), \fBX509_CRL_get0_by_serial\|(3), \fBX509_get0_signature\|(3), \fBX509_get_ext_d2i\|(3), \fBX509_get_extension_flags\|(3), \fBX509_get_pubkey\|(3), \fBX509_get_subject_name\|(3), \fBX509_get_version\|(3), \fBX509_NAME_add_entry_by_txt\|(3), \fBX509_NAME_ENTRY_get_object\|(3), \fBX509_NAME_get_index_by_NID\|(3), \fBX509_NAME_print_ex\|(3), \fBX509_new\|(3), \fBX509_sign\|(3), \fBX509_verify_cert\|(3) Header "COPYRIGHT" Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at <https://www.openssl.org/source/license.html>.