xref: /openbsd/lib/libcrypto/man/X509V3_get_d2i.3 (revision 4cfece93) 
1.\" $OpenBSD: X509V3_get_d2i.3,v 1.17 2019/08/22 15:15:35 schwarze Exp $
2.\" full merge up to: OpenSSL ff7fbfd5 Nov 2 11:52:01 2015 +0000
3.\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
4.\"
5.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
6.\" Copyright (c) 2014, 2015, 2016 The OpenSSL Project.  All rights reserved.
7.\"
8.\" Redistribution and use in source and binary forms, with or without
9.\" modification, are permitted provided that the following conditions
10.\" are met:
11.\"
12.\" 1. Redistributions of source code must retain the above copyright
13.\"    notice, this list of conditions and the following disclaimer.
14.\"
15.\" 2. Redistributions in binary form must reproduce the above copyright
16.\"    notice, this list of conditions and the following disclaimer in
17.\"    the documentation and/or other materials provided with the
18.\"    distribution.
19.\"
20.\" 3. All advertising materials mentioning features or use of this
21.\"    software must display the following acknowledgment:
22.\"    "This product includes software developed by the OpenSSL Project
23.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
24.\"
25.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26.\"    endorse or promote products derived from this software without
27.\"    prior written permission. For written permission, please contact
28.\"    openssl-core@openssl.org.
29.\"
30.\" 5. Products derived from this software may not be called "OpenSSL"
31.\"    nor may "OpenSSL" appear in their names without prior written
32.\"    permission of the OpenSSL Project.
33.\"
34.\" 6. Redistributions of any form whatsoever must retain the following
35.\"    acknowledgment:
36.\"    "This product includes software developed by the OpenSSL Project
37.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
38.\"
39.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50.\" OF THE POSSIBILITY OF SUCH DAMAGE.
51.\"
52.Dd $Mdocdate: August 22 2019 $
53.Dt X509V3_GET_D2I 3
54.Os
55.Sh NAME
56.Nm X509V3_get_d2i ,
57.Nm X509V3_add1_i2d ,
58.Nm X509V3_EXT_d2i ,
59.Nm X509V3_EXT_i2d ,
60.Nm X509_get_ext_d2i ,
61.Nm X509_add1_ext_i2d ,
62.Nm X509_CRL_get_ext_d2i ,
63.Nm X509_CRL_add1_ext_i2d ,
64.Nm X509_REVOKED_get_ext_d2i ,
65.Nm X509_REVOKED_add1_ext_i2d ,
66.Nm X509_get0_extensions ,
67.Nm X509_CRL_get0_extensions ,
68.Nm X509_REVOKED_get0_extensions
69.Nd X509 extension decode and encode functions
70.Sh SYNOPSIS
71.In openssl/x509v3.h
72.Ft void *
73.Fo X509V3_get_d2i
74.Fa "const STACK_OF(X509_EXTENSION) *x"
75.Fa "int nid"
76.Fa "int *crit"
77.Fa "int *idx"
78.Fc
79.Ft int
80.Fo X509V3_add1_i2d
81.Fa "STACK_OF(X509_EXTENSION) **x"
82.Fa "int nid"
83.Fa "void *value"
84.Fa "int crit"
85.Fa "unsigned long flags"
86.Fc
87.Ft void *
88.Fo X509V3_EXT_d2i
89.Fa "X509_EXTENSION *ext"
90.Fc
91.Ft X509_EXTENSION *
92.Fo X509V3_EXT_i2d
93.Fa "int ext_nid"
94.Fa "int crit"
95.Fa "void *ext"
96.Fc
97.Ft void *
98.Fo X509_get_ext_d2i
99.Fa "const X509 *x"
100.Fa "int nid"
101.Fa "int *crit"
102.Fa "int *idx"
103.Fc
104.Ft int
105.Fo X509_add1_ext_i2d
106.Fa "X509 *x"
107.Fa "int nid"
108.Fa "void *value"
109.Fa "int crit"
110.Fa "unsigned long flags"
111.Fc
112.Ft void *
113.Fo X509_CRL_get_ext_d2i
114.Fa "const X509_CRL *crl"
115.Fa "int nid"
116.Fa "int *crit"
117.Fa "int *idx"
118.Fc
119.Ft int
120.Fo X509_CRL_add1_ext_i2d
121.Fa "X509_CRL *crl"
122.Fa "int nid"
123.Fa "void *value"
124.Fa "int crit"
125.Fa "unsigned long flags"
126.Fc
127.Ft void *
128.Fo X509_REVOKED_get_ext_d2i
129.Fa "const X509_REVOKED *r"
130.Fa "int nid"
131.Fa "int *crit"
132.Fa "int *idx"
133.Fc
134.Ft int
135.Fo X509_REVOKED_add1_ext_i2d
136.Fa "X509_REVOKED *r"
137.Fa "int nid"
138.Fa "void *value"
139.Fa "int crit"
140.Fa "unsigned long flags"
141.Fc
142.Ft const STACK_OF(X509_EXTENSION) *
143.Fo X509_get0_extensions
144.Fa "const X509 *x"
145.Fc
146.Ft const STACK_OF(X509_EXTENSION) *
147.Fo X509_CRL_get0_extensions
148.Fa "const X509_CRL *crl"
149.Fc
150.Ft const STACK_OF(X509_EXTENSION) *
151.Fo X509_REVOKED_get0_extensions
152.Fa "const X509_REVOKED *r"
153.Fc
154.Sh DESCRIPTION
155.Fn X509V3_get_d2i
156looks for an extension with OID
157.Fa nid
158in the extensions
159.Fa x
160and, if found, decodes it.
161If
162.Fa idx
163is
164.Dv NULL ,
165then only one occurrence of an extension is permissible.
166Otherwise the first extension after index
167.Pf * Fa idx
168is returned and
169.Pf * Fa idx
170is updated to the location of the extension.
171If
172.Fa crit
173is not
174.Dv NULL ,
175then
176.Pf * Fa crit
177is set to a status value: -2 if the extension occurs multiple times
178(this is only returned if
179.Fa idx
180is
181.Dv NULL ) ,
182-1 if the extension could not be found, 0 if the extension is found
183and is not critical, and 1 if it is critical.
184A pointer to an extension specific structure or
185.Dv NULL
186is returned.
187.Pp
188.Fn X509V3_add1_i2d
189adds extension
190.Fa value
191to STACK
192.Pf * Fa x
193(allocating a new STACK if necessary) using OID
194.Fa nid
195and criticality
196.Fa crit
197according to
198.Fa flags .
199.Pp
200.Fn X509V3_EXT_d2i
201attempts to decode the ASN.1 data contained in extension
202.Fa ext
203and returns a pointer to an extension specific structure or
204.Dv NULL
205if the extension could not be decoded (invalid syntax or not supported).
206.Pp
207.Fn X509V3_EXT_i2d
208encodes the extension specific structure
209.Fa ext
210with OID
211.Fa ext_nid
212and criticality
213.Fa crit .
214.Pp
215.Fn X509_get_ext_d2i
216and
217.Fn X509_add1_ext_i2d
218operate on the extensions of certificate
219.Fa x ,
220and are otherwise identical to
221.Fn X509V3_get_d2i
222and
223.Fn X509V3_add1_i2d .
224.Pp
225.Fn X509_CRL_get_ext_d2i
226and
227.Fn X509_CRL_add1_ext_i2d
228operate on the extensions of CRL
229.Fa crl ,
230and are otherwise identical to
231.Fn X509V3_get_d2i
232and
233.Fn X509V3_add1_i2d .
234.Pp
235.Fn X509_REVOKED_get_ext_d2i
236and
237.Fn X509_REVOKED_add1_ext_i2d
238operate on the extensions of the
239.Vt X509_REVOKED
240structure
241.Fa r
242(i.e. for CRL entry extensions), and are otherwise identical to
243.Fn X509V3_get_d2i
244and
245.Fn X509V3_add1_i2d .
246.Pp
247.Fn X509_get0_extensions ,
248.Fn X509_CRL_get0_extensions ,
249and
250.Fn X509_REVOKED_get0_extensions
251return a stack of all the extensions of a certificate, a CRL,
252or a CRL entry, respectively.
253.Pp
254In almost all cases an extension can occur at most once and multiple
255occurrences is an error.
256Therefore the
257.Fa idx
258parameter is usually
259.Dv NULL .
260.Pp
261The
262.Fa flags
263parameter may be one of the following values.
264.Pp
265.Dv X509V3_ADD_DEFAULT
266appends a new extension only if the extension does not already exist.
267An error is returned if the extension does already exist.
268.Pp
269.Dv X509V3_ADD_APPEND
270appends a new extension, ignoring whether the extension already exists.
271.Pp
272.Dv X509V3_ADD_REPLACE
273replaces an extension if it exists otherwise appends a new extension.
274.Pp
275.Dv X509V3_ADD_REPLACE_EXISTING
276replaces an existing extension if it exists otherwise returns an error.
277.Pp
278.Dv X509V3_ADD_KEEP_EXISTING
279appends a new extension only if the extension does not already exist.
280An error
281.Sy is not
282returned if the extension does already exist.
283.Pp
284.Dv X509V3_ADD_DELETE
285deletes extension
286.Fa nid .
287No new extension is added.
288.Pp
289If
290.Dv X509V3_ADD_SILENT
291is OR'd with
292.Fa flags ,
293any error returned will not be added to the error queue.
294.Pp
295The function
296.Fn X509V3_get_d2i
297will return
298.Dv NULL
299if the extension is not found, occurs multiple times or cannot be
300decoded.
301It is possible to determine the precise reason by checking the value of
302.Pf * Fa crit .
303.Sh SUPPORTED EXTENSIONS
304The following sections contain a list of all supported extensions
305including their name and NID.
306.Ss PKIX Certificate Extensions
307The following certificate extensions are defined in PKIX standards such
308as RFC 5280.
309.Bl -column 30n 30n
310.It Basic Constraints             Ta Dv NID_basic_constraints
311.It Key Usage                     Ta Dv NID_key_usage
312.It Extended Key Usage            Ta Dv NID_ext_key_usage
313.It Subject Key Identifier        Ta Dv NID_subject_key_identifier
314.It Authority Key Identifier      Ta Dv NID_authority_key_identifier
315.It Private Key Usage Period      Ta Dv NID_private_key_usage_period
316.It Subject Alternative Name      Ta Dv NID_subject_alt_name
317.It Issuer Alternative Name       Ta Dv NID_issuer_alt_name
318.It Authority Information Access  Ta Dv NID_info_access
319.It Subject Information Access    Ta Dv NID_sinfo_access
320.It Name Constraints              Ta Dv NID_name_constraints
321.It Certificate Policies          Ta Dv NID_certificate_policies
322.It Policy Mappings               Ta Dv NID_policy_mappings
323.It Policy Constraints            Ta Dv NID_policy_constraints
324.It Inhibit Any Policy            Ta Dv NID_inhibit_any_policy
325.El
326.Ss Netscape Certificate Extensions
327The following are (largely obsolete) Netscape certificate extensions.
328.Bl -column 30n 30n
329.It Netscape Cert Type            Ta Dv NID_netscape_cert_type
330.It Netscape Base Url             Ta Dv NID_netscape_base_url
331.It Netscape Revocation Url       Ta Dv NID_netscape_revocation_url
332.It Netscape CA Revocation Url    Ta Dv NID_netscape_ca_revocation_url
333.It Netscape Renewal Url          Ta Dv NID_netscape_renewal_url
334.It Netscape CA Policy Url        Ta Dv NID_netscape_ca_policy_url
335.It Netscape SSL Server Name      Ta Dv NID_netscape_ssl_server_name
336.It Netscape Comment              Ta Dv NID_netscape_comment
337.El
338.Ss Miscellaneous Certificate Extensions
339.Bl -column 30n 30n
340.It Strong Extranet ID            Ta Dv NID_sxnet
341.It Proxy Certificate Information Ta Dv NID_proxyCertInfo
342.El
343.Ss PKIX CRL Extensions
344The following are CRL extensions from PKIX standards such as RFC 5280.
345.Bl -column 30n 30n
346.It CRL Number                    Ta Dv NID_crl_number
347.It CRL Distribution Points       Ta Dv NID_crl_distribution_points
348.It Delta CRL Indicator           Ta Dv NID_delta_crl
349.It Freshest CRL                  Ta Dv NID_freshest_crl
350.It Invalidity Date               Ta Dv NID_invalidity_date
351.It Issuing Distribution Point    Ta Dv NID_issuing_distribution_point
352.El
353.Pp
354The following are CRL entry extensions from PKIX standards such as
355RFC 5280.
356.Bl -column 30n 30n
357.It CRL Reason Code               Ta Dv NID_crl_reason
358.It Certificate Issuer            Ta Dv NID_certificate_issuer
359.El
360.Ss OCSP Extensions
361.Bl -column 30n 30n
362.It OCSP Nonce                    Ta Dv NID_id_pkix_OCSP_Nonce
363.It OCSP CRL ID                   Ta Dv NID_id_pkix_OCSP_CrlID
364.It Acceptable OCSP Responses     Ta Dv NID_id_pkix_OCSP_acceptableResponses
365.It OCSP No Check                 Ta Dv NID_id_pkix_OCSP_noCheck
366.It OCSP Archive Cutoff           Ta Dv NID_id_pkix_OCSP_archiveCutoff
367.It OCSP Service Locator          Ta Dv NID_id_pkix_OCSP_serviceLocator
368.It Hold Instruction Code         Ta Dv NID_hold_instruction_code
369.El
370.Sh RETURN VALUES
371.Fn X509V3_get_d2i ,
372.Fn X509V3_EXT_d2i ,
373.Fn X509_get_ext_d2i ,
374.Fn X509_CRL_get_ext_d2i ,
375and
376.Fn X509_REVOKED_get_ext_d2i
377return a pointer to an extension specific structure or
378.Dv NULL
379if an error occurs.
380.Pp
381.Fn X509V3_add1_i2d ,
382.Fn X509_add1_ext_i2d ,
383.Fn X509_CRL_add1_ext_i2d ,
384and
385.Fn X509_REVOKED_add1_ext_i2d
386return 1 if the operation is successful, 0 if it fails due to a
387non-fatal error (extension not found, already exists, cannot be encoded),
388or -1 due to a fatal error such as a memory allocation failure.
389In some cases of failure, the reason can be determined with
390.Xr ERR_get_error 3 .
391.Pp
392The
393.Fn X509V3_EXT_i2d
394function returns a pointer to an
395.Vt X509_EXTENSION
396structure if successful; otherwise
397.Dv NULL
398is returned and an error code can be retrieved with
399.Xr ERR_get_error 3 .
400.Pp
401.Fn X509_get0_extensions ,
402.Fn X509_CRL_get0_extensions ,
403and
404.Fn X509_REVOKED_get0_extensions
405return a stack of extensions, or
406.Dv NULL
407if no extensions are present.
408.Sh SEE ALSO
409.Xr d2i_X509 3 ,
410.Xr d2i_X509_EXTENSION 3 ,
411.Xr X509_check_purpose 3 ,
412.Xr X509_CRL_get0_by_serial 3 ,
413.Xr X509_CRL_new 3 ,
414.Xr X509_EXTENSION_new 3 ,
415.Xr X509_get_pubkey 3 ,
416.Xr X509_get_subject_name 3 ,
417.Xr X509_get_version 3 ,
418.Xr X509_new 3 ,
419.Xr X509_REVOKED_new 3
420.Sh HISTORY
421.Fn X509V3_EXT_d2i
422first appeared in OpenSSL 0.9.2b.
423.Fn X509V3_EXT_i2d
424first appeared in OpenSSL 0.9.3.
425Both functions have been available since
426.Ox 2.6 .
427.Pp
428.Fn X509V3_get_d2i ,
429.Fn X509_get_ext_d2i ,
430.Fn X509_CRL_get_ext_d2i ,
431and
432.Fn X509_REVOKED_get_ext_d2i
433first appeared in OpenSSL 0.9.5 and have been available since
434.Ox 2.7 .
435.Pp
436.Fn X509V3_add1_i2d ,
437.Fn X509_add1_ext_i2d ,
438.Fn X509_CRL_add1_ext_i2d ,
439and
440.Fn X509_REVOKED_add1_ext_i2d
441first appeared in OpenSSL 0.9.7 and have been available since
442.Ox 3.2 .
443.Pp
444.Fn X509_get0_extensions ,
445.Fn X509_CRL_get0_extensions ,
446and
447.Fn X509_REVOKED_get0_extensions
448first appeared in OpenSSL 1.1.0 and have been available since
449.Ox 6.3 .
450