OpenBSD manual page server

Manual Page Search Parameters

X509V3_GET_D2I(3) Library Functions Manual X509V3_GET_D2I(3)

X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d, X509_get_ext_d2i, X509_add1_ext_i2d, X509_CRL_get_ext_d2i, X509_CRL_add1_ext_i2d, X509_REVOKED_get_ext_d2i, X509_REVOKED_add1_ext_i2d, X509_get0_extensions, X509_CRL_get0_extensions, X509_REVOKED_get0_extensions, X509_get0_uidsX509 extension decode and encode functions

#include <openssl/x509v3.h>

void *
X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx);

int
X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, int crit, unsigned long flags);

void *
X509V3_EXT_d2i(X509_EXTENSION *ext);

X509_EXTENSION *
X509V3_EXT_i2d(int ext_nid, int crit, void *ext);

void *
X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx);

int
X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit, unsigned long flags);

void *
X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, int *crit, int *idx);

int
X509_CRL_add1_ext_i2d(X509_CRL *crl, int nid, void *value, int crit, unsigned long flags);

void *
X509_REVOKED_get_ext_d2i(const X509_REVOKED *r, int nid, int *crit, int *idx);

int
X509_REVOKED_add1_ext_i2d(X509_REVOKED *r, int nid, void *value, int crit, unsigned long flags);

const STACK_OF(X509_EXTENSION) *
X509_get0_extensions(const X509 *x);

const STACK_OF(X509_EXTENSION) *
X509_CRL_get0_extensions(const X509_CRL *crl);

const STACK_OF(X509_EXTENSION) *
X509_REVOKED_get0_extensions(const X509_REVOKED *r);

void
X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **issuerUID, const ASN1_BIT_STRING **subjectUID);

() looks for an extension with OID nid in the extensions x and, if found, decodes it. If idx is NULL, then only one occurrence of an extension is permissible. Otherwise the first extension after index *idx is returned and *idx is updated to the location of the extension. If crit is not NULL, then *crit is set to a status value: -2 if the extension occurs multiple times (this is only returned if idx is NULL), -1 if the extension could not be found, 0 if the extension is found and is not critical, and 1 if it is critical. A pointer to an extension specific structure or NULL is returned.

() adds extension value to STACK *x (allocating a new STACK if necessary) using OID nid and criticality crit according to flags.

() attempts to decode the ASN.1 data contained in extension ext and returns a pointer to an extension specific structure or NULL if the extension could not be decoded (invalid syntax or not supported).

() encodes the extension specific structure ext with OID ext_nid and criticality crit.

() and () operate on the extensions of certificate x, and are otherwise identical to X509V3_get_d2i() and X509V3_add1_i2d().

() and () operate on the extensions of CRL crl, and are otherwise identical to X509V3_get_d2i() and X509V3_add1_i2d().

() and () operate on the extensions of the X509_REVOKED structure r (i.e. for CRL entry extensions), and are otherwise identical to X509V3_get_d2i() and X509V3_add1_i2d().

(), (), and () return a stack of all the extensions of a certificate, a CRL, or a CRL entry, respectively.

In almost all cases an extension can occur at most once and multiple occurrences is an error. Therefore the idx parameter is usually NULL.

The flags parameter may be one of the following values.

X509V3_ADD_DEFAULT appends a new extension only if the extension does not already exist. An error is returned if the extension does already exist.

X509V3_ADD_APPEND appends a new extension, ignoring whether the extension already exists. This is a misfeature and should not be used because certificates must not include the same extension more than once.

X509V3_ADD_REPLACE replaces an extension if it exists otherwise appends a new extension.

X509V3_ADD_REPLACE_EXISTING replaces an existing extension if it exists otherwise returns an error.

X509V3_ADD_KEEP_EXISTING appends a new extension only if the extension does not already exist. An error returned if the extension does already exist.

X509V3_ADD_DELETE deletes extension nid if it exists and errors otherwise. No new extension is added.

If X509V3_ADD_SILENT is OR'd with flags, any error returned will not be added to the error queue.

The function () will return NULL if the extension is not found, occurs multiple times or cannot be decoded. It is possible to determine the precise reason by checking the value of *crit.

() returns the issuer and subject unique identifiers of the certificate x in *issuerUID and *subjectUID. If a unique identifier field is not present in x, NULL is returned. Either one of issuerUID and subjectUID can be NULL.

The following sections contain a list of all supported extensions including their name and NID.

The following certificate extensions are defined in PKIX standards such as RFC 5280.

Basic Constraints
Key Usage
Extended Key Usage
Subject Key Identifier
Authority Key Identifier
Private Key Usage Period
Subject Alternative Name
Issuer Alternative Name
Authority Information Access
Subject Information Access
Name Constraints
Certificate Policies
Policy Mappings
Policy Constraints
Inhibit Any Policy
IP Address Delegation
Autonomous System Identifier Delegation

The following are (largely obsolete) Netscape certificate extensions.

Netscape Cert Type
Netscape Base Url
Netscape Revocation Url
Netscape CA Revocation Url
Netscape Renewal Url
Netscape CA Policy Url
Netscape SSL Server Name
Netscape Comment

Strong Extranet ID
Proxy Certificate Information

The following are CRL extensions from PKIX standards such as RFC 5280.

CRL Number
CRL Distribution Points
Delta CRL Indicator
Freshest CRL
Invalidity Date
Issuing Distribution Point

The following are CRL entry extensions from PKIX standards such as RFC 5280.

CRL Reason Code
Certificate Issuer

OCSP Nonce
OCSP CRL ID
Acceptable OCSP Responses
OCSP Check
OCSP Archive Cutoff
OCSP Service Locator
Hold Instruction Code

X509V3_get_d2i(), X509V3_EXT_d2i(), X509_get_ext_d2i(), X509_CRL_get_ext_d2i(), and X509_REVOKED_get_ext_d2i() return a pointer to an extension specific structure or NULL if an error occurs.

X509V3_add1_i2d(), X509_add1_ext_i2d(), X509_CRL_add1_ext_i2d(), and X509_REVOKED_add1_ext_i2d() return 1 if the operation is successful, 0 if it fails due to a non-fatal error (extension not found, already exists, cannot be encoded), or -1 due to a fatal error such as a memory allocation failure. In some cases of failure, the reason can be determined with ERR_get_error(3).

The X509V3_EXT_i2d() function returns a pointer to an X509_EXTENSION structure if successful; otherwise NULL is returned and an error code can be retrieved with ERR_get_error(3).

X509_get0_extensions(), X509_CRL_get0_extensions(), and X509_REVOKED_get0_extensions() return a stack of extensions, or NULL if no extensions are present.

d2i_X509(3), d2i_X509_EXTENSION(3), X509_check_purpose(3), X509_CRL_get0_by_serial(3), X509_CRL_new(3), X509_EXTENSION_new(3), X509_get_pubkey(3), X509_get_subject_name(3), X509_get_version(3), X509_new(3), X509_REVOKED_new(3), X509V3_EXT_print(3), X509V3_extensions_print(3)

X509V3_EXT_d2i() first appeared in OpenSSL 0.9.2b. X509V3_EXT_i2d() first appeared in OpenSSL 0.9.3. Both functions have been available since OpenBSD 2.6.

X509V3_get_d2i(), X509_get_ext_d2i(), X509_CRL_get_ext_d2i(), and X509_REVOKED_get_ext_d2i() first appeared in OpenSSL 0.9.5 and have been available since OpenBSD 2.7.

X509V3_add1_i2d(), X509_add1_ext_i2d(), X509_CRL_add1_ext_i2d(), and X509_REVOKED_add1_ext_i2d() first appeared in OpenSSL 0.9.7 and have been available since OpenBSD 3.2.

X509_get0_extensions(), X509_CRL_get0_extensions(), and X509_REVOKED_get0_extensions() first appeared in OpenSSL 1.1.0 and have been available since OpenBSD 6.3.

X509_get0_uids() first appeared in OpenSSL 1.1.0 and has been available since OpenBSD 7.3.

May 15, 2024 OpenBSD-current