MFH r339206-r339212, r339215-r339239

[FreeBSD/FreeBSD.git] / secure / lib / libcrypto / man / X509V3_get_d2i.3

.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.if !\nF .nr F 0
.if \nF>0 \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    if !\nF==2 \{\
.        nr % 0
.        nr F 2
.    \}
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509V3_GET_D2I 3"
.TH X509V3_GET_D2I 3 "2018-09-11" "1.1.1" "OpenSSL"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_get0_extensions, X509_CRL_get0_extensions, X509_REVOKED_get0_extensions, X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d, X509_get_ext_d2i, X509_add1_ext_i2d, X509_CRL_get_ext_d2i, X509_CRL_add1_ext_i2d, X509_REVOKED_get_ext_d2i, X509_REVOKED_add1_ext_i2d \- X509 extension decode and encode functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509v3.h>
\&
\& void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
\&                      int *idx);
\& int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
\&                     int crit, unsigned long flags);
\&
\& void *X509V3_EXT_d2i(X509_EXTENSION *ext);
\& X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext);
\&
\& void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx);
\& int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
\&                       unsigned long flags);
\&
\& void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, int *crit, int *idx);
\& int X509_CRL_add1_ext_i2d(X509_CRL *crl, int nid, void *value, int crit,
\&                           unsigned long flags);
\&
\& void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *r, int nid, int *crit, int *idx);
\& int X509_REVOKED_add1_ext_i2d(X509_REVOKED *r, int nid, void *value, int crit,
\&                               unsigned long flags);
\&
\& const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
\& const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
\& const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(const X509_REVOKED *r);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fIX509V3_get_ext_d2i()\fR looks for an extension with \s-1OID\s0 \fBnid\fR in the extensions
\&\fBx\fR and, if found, decodes it. If \fBidx\fR is \fB\s-1NULL\s0\fR then only one
occurrence of an extension is permissible otherwise the first extension after
index \fB*idx\fR is returned and \fB*idx\fR updated to the location of the extension.
If \fBcrit\fR is not \fB\s-1NULL\s0\fR then \fB*crit\fR is set to a status value: \-2 if the
extension occurs multiple times (this is only returned if \fBidx\fR is \fB\s-1NULL\s0\fR),
\&\-1 if the extension could not be found, 0 if the extension is found and is
not critical and 1 if critical. A pointer to an extension specific structure
or \fB\s-1NULL\s0\fR is returned.
.PP
\&\fIX509V3_add1_i2d()\fR adds extension \fBvalue\fR to \s-1STACK\s0 \fB*x\fR (allocating a new
\&\s-1STACK\s0 if necessary) using \s-1OID\s0 \fBnid\fR and criticality \fBcrit\fR according
to \fBflags\fR.
.PP
\&\fIX509V3_EXT_d2i()\fR attempts to decode the \s-1ASN.1\s0 data contained in extension
\&\fBext\fR and returns a pointer to an extension specific structure or \fB\s-1NULL\s0\fR
if the extension could not be decoded (invalid syntax or not supported).
.PP
\&\fIX509V3_EXT_i2d()\fR encodes the extension specific structure \fBext\fR
with \s-1OID\s0 \fBext_nid\fR and criticality \fBcrit\fR.
.PP
\&\fIX509_get_ext_d2i()\fR and \fIX509_add1_ext_i2d()\fR operate on the extensions of
certificate \fBx\fR, they are otherwise identical to \fIX509V3_get_d2i()\fR and
\&\fIX509V3_add_i2d()\fR.
.PP
\&\fIX509_CRL_get_ext_d2i()\fR and \fIX509_CRL_add1_ext_i2d()\fR operate on the extensions
of \s-1CRL\s0 \fBcrl\fR, they are otherwise identical to \fIX509V3_get_d2i()\fR and
\&\fIX509V3_add_i2d()\fR.
.PP
\&\fIX509_REVOKED_get_ext_d2i()\fR and \fIX509_REVOKED_add1_ext_i2d()\fR operate on the
extensions of \fBX509_REVOKED\fR structure \fBr\fR (i.e for \s-1CRL\s0 entry extensions),
they are otherwise identical to \fIX509V3_get_d2i()\fR and \fIX509V3_add_i2d()\fR.
.PP
\&\fIX509_get0_extensions()\fR, \fIX509_CRL_get0_extensions()\fR and
\&\fIX509_REVOKED_get0_extensions()\fR return a stack of all the extensions
of a certificate a \s-1CRL\s0 or a \s-1CRL\s0 entry respectively.
.SH "NOTES"
.IX Header "NOTES"
In almost all cases an extension can occur at most once and multiple
occurrences is an error. Therefore the \fBidx\fR parameter is usually \fB\s-1NULL\s0\fR.
.PP
The \fBflags\fR parameter may be one of the following values.
.PP
\&\fBX509V3_ADD_DEFAULT\fR appends a new extension only if the extension does
not already exist. An error is returned if the extension does already
exist.
.PP
\&\fBX509V3_ADD_APPEND\fR appends a new extension, ignoring whether the extension
already exists.
.PP
\&\fBX509V3_ADD_REPLACE\fR replaces an extension if it exists otherwise appends
a new extension.
.PP
\&\fBX509V3_ADD_REPLACE_EXISTING\fR replaces an existing extension if it exists
otherwise returns an error.
.PP
\&\fBX509V3_ADD_KEEP_EXISTING\fR appends a new extension only if the extension does
not already exist. An error \fBis not\fR returned if the extension does already
exist.
.PP
\&\fBX509V3_ADD_DELETE\fR extension \fBnid\fR is deleted: no new extension is added.
.PP
If \fBX509V3_ADD_SILENT\fR is ored with \fBflags\fR: any error returned will not
be added to the error queue.
.PP
The function \fIX509V3_get_d2i()\fR will return \fB\s-1NULL\s0\fR if the extension is not
found, occurs multiple times or cannot be decoded. It is possible to
determine the precise reason by checking the value of \fB*crit\fR.
.SH "SUPPORTED EXTENSIONS"
.IX Header "SUPPORTED EXTENSIONS"
The following sections contain a list of all supported extensions
including their name and \s-1NID.\s0
.SS "\s-1PKIX\s0 Certificate Extensions"
.IX Subsection "PKIX Certificate Extensions"
The following certificate extensions are defined in \s-1PKIX\s0 standards such as
\&\s-1RFC5280.\s0
.PP
.Vb 3
\& Basic Constraints                  NID_basic_constraints
\& Key Usage                          NID_key_usage
\& Extended Key Usage                 NID_ext_key_usage
\&
\& Subject Key Identifier             NID_subject_key_identifier
\& Authority Key Identifier           NID_authority_key_identifier
\&
\& Private Key Usage Period           NID_private_key_usage_period
\&
\& Subject Alternative Name           NID_subject_alt_name
\& Issuer Alternative Name            NID_issuer_alt_name
\&
\& Authority Information Access       NID_info_access
\& Subject Information Access         NID_sinfo_access
\&
\& Name Constraints                   NID_name_constraints
\&
\& Certificate Policies               NID_certificate_policies
\& Policy Mappings                    NID_policy_mappings
\& Policy Constraints                 NID_policy_constraints
\& Inhibit Any Policy                 NID_inhibit_any_policy
\&
\& TLS Feature                        NID_tlsfeature
.Ve
.SS "Netscape Certificate Extensions"
.IX Subsection "Netscape Certificate Extensions"
The following are (largely obsolete) Netscape certificate extensions.
.PP
.Vb 8
\& Netscape Cert Type                 NID_netscape_cert_type
\& Netscape Base Url                  NID_netscape_base_url
\& Netscape Revocation Url            NID_netscape_revocation_url
\& Netscape CA Revocation Url         NID_netscape_ca_revocation_url
\& Netscape Renewal Url               NID_netscape_renewal_url
\& Netscape CA Policy Url             NID_netscape_ca_policy_url
\& Netscape SSL Server Name           NID_netscape_ssl_server_name
\& Netscape Comment                   NID_netscape_comment
.Ve
.SS "Miscellaneous Certificate Extensions"
.IX Subsection "Miscellaneous Certificate Extensions"
.Vb 2
\& Strong Extranet ID                 NID_sxnet
\& Proxy Certificate Information      NID_proxyCertInfo
.Ve
.SS "\s-1PKIX CRL\s0 Extensions"
.IX Subsection "PKIX CRL Extensions"
The following are \s-1CRL\s0 extensions from \s-1PKIX\s0 standards such as \s-1RFC5280.\s0
.PP
.Vb 6
\& CRL Number                         NID_crl_number
\& CRL Distribution Points            NID_crl_distribution_points
\& Delta CRL Indicator                NID_delta_crl
\& Freshest CRL                       NID_freshest_crl
\& Invalidity Date                    NID_invalidity_date
\& Issuing Distribution Point         NID_issuing_distribution_point
.Ve
.PP
The following are \s-1CRL\s0 entry extensions from \s-1PKIX\s0 standards such as \s-1RFC5280.\s0
.PP
.Vb 2
\& CRL Reason Code                    NID_crl_reason
\& Certificate Issuer                 NID_certificate_issuer
.Ve
.SS "\s-1OCSP\s0 Extensions"
.IX Subsection "OCSP Extensions"
.Vb 7
\& OCSP Nonce                         NID_id_pkix_OCSP_Nonce
\& OCSP CRL ID                        NID_id_pkix_OCSP_CrlID
\& Acceptable OCSP Responses          NID_id_pkix_OCSP_acceptableResponses
\& OCSP No Check                      NID_id_pkix_OCSP_noCheck
\& OCSP Archive Cutoff                NID_id_pkix_OCSP_archiveCutoff
\& OCSP Service Locator               NID_id_pkix_OCSP_serviceLocator
\& Hold Instruction Code              NID_hold_instruction_code
.Ve
.SS "Certificate Transparency Extensions"
.IX Subsection "Certificate Transparency Extensions"
The following extensions are used by certificate transparency, \s-1RFC6962\s0
.PP
.Vb 2
\& CT Precertificate SCTs             NID_ct_precert_scts
\& CT Certificate SCTs                NID_ct_cert_scts
.Ve
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fIX509V3_EXT_d2i()\fR and *\fIX509V3_get_d2i()\fR return a pointer to an extension
specific structure of \fB\s-1NULL\s0\fR if an error occurs.
.PP
\&\fIX509V3_EXT_i2d()\fR returns a pointer to an \fBX509_EXTENSION\fR structure
or \fB\s-1NULL\s0\fR if an error occurs.
.PP
\&\fIX509V3_add1_i2d()\fR returns 1 if the operation is successful and 0 if it
fails due to a non-fatal error (extension not found, already exists,
cannot be encoded) or \-1 due to a fatal error such as a memory allocation
failure.
.PP
\&\fIX509_get0_extensions()\fR, \fIX509_CRL_get0_extensions()\fR and
\&\fIX509_REVOKED_get0_extensions()\fR return a stack of extensions. They return
\&\s-1NULL\s0 if no extensions are present.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fId2i_X509\fR\|(3),
\&\fIERR_get_error\fR\|(3),
\&\fIX509_CRL_get0_by_serial\fR\|(3),
\&\fIX509_get0_signature\fR\|(3),
\&\fIX509_get_ext_d2i\fR\|(3),
\&\fIX509_get_extension_flags\fR\|(3),
\&\fIX509_get_pubkey\fR\|(3),
\&\fIX509_get_subject_name\fR\|(3),
\&\fIX509_get_version\fR\|(3),
\&\fIX509_NAME_add_entry_by_txt\fR\|(3),
\&\fIX509_NAME_ENTRY_get_object\fR\|(3),
\&\fIX509_NAME_get_index_by_NID\fR\|(3),
\&\fIX509_NAME_print_ex\fR\|(3),
\&\fIX509_new\fR\|(3),
\&\fIX509_sign\fR\|(3),
\&\fIX509_verify_cert\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.