table of contents
        
      
      
    | X509V3_GET_D2I(3) | Library Functions Manual | X509V3_GET_D2I(3) | 
NAME¶
X509V3_get_d2i,
    X509V3_add1_i2d,
    X509V3_EXT_d2i,
    X509V3_EXT_i2d,
    X509_get_ext_d2i,
    X509_add1_ext_i2d,
    X509_CRL_get_ext_d2i,
    X509_CRL_add1_ext_i2d,
    X509_REVOKED_get_ext_d2i,
    X509_REVOKED_add1_ext_i2d,
    X509_get0_extensions,
    X509_CRL_get0_extensions,
    X509_REVOKED_get0_extensions,
    X509_get0_uids — X509
    extension decode and encode functions
SYNOPSIS¶
#include
    <openssl/x509v3.h>
void *
  
  X509V3_get_d2i(const
    STACK_OF(X509_EXTENSION) *x, int nid,
    int *crit, int *idx);
int
  
  X509V3_add1_i2d(STACK_OF(X509_EXTENSION)
    **x, int nid, void *value,
    int crit, unsigned long
  flags);
void *
  
  X509V3_EXT_d2i(X509_EXTENSION
    *ext);
X509_EXTENSION *
  
  X509V3_EXT_i2d(int ext_nid,
    int crit, void *ext);
void *
  
  X509_get_ext_d2i(const X509 *x,
    int nid, int *crit,
    int *idx);
int
  
  X509_add1_ext_i2d(X509 *x,
    int nid, void *value,
    int crit, unsigned long
  flags);
void *
  
  X509_CRL_get_ext_d2i(const X509_CRL
    *crl, int nid, int *crit,
    int *idx);
int
  
  X509_CRL_add1_ext_i2d(X509_CRL
    *crl, int nid, void
    *value, int crit, unsigned long
    flags);
void *
  
  X509_REVOKED_get_ext_d2i(const
    X509_REVOKED *r, int nid, int
    *crit, int *idx);
int
  
  X509_REVOKED_add1_ext_i2d(X509_REVOKED
    *r, int nid, void *value,
    int crit, unsigned long
  flags);
const STACK_OF(X509_EXTENSION) *
  
  X509_get0_extensions(const X509
    *x);
const STACK_OF(X509_EXTENSION) *
  
  X509_CRL_get0_extensions(const
    X509_CRL *crl);
const STACK_OF(X509_EXTENSION) *
  
  X509_REVOKED_get0_extensions(const
    X509_REVOKED *r);
void
  
  X509_get0_uids(const X509 *x,
    const ASN1_BIT_STRING **issuerUID,
    const ASN1_BIT_STRING **subjectUID);
DESCRIPTION¶
X509V3_get_d2i()
    looks for an extension with OID nid in the extensions
    x and, if found, decodes it. If
    idx is NULL, then only one
    occurrence of an extension is permissible. Otherwise the first extension
    after index *idx is returned and
    *idx is updated to the location of the extension. If
    crit is not NULL, then
    *crit is set to a status value: -2 if the extension
    occurs multiple times (this is only returned if idx is
    NULL), -1 if the extension could not be found, 0 if
    the extension is found and is not critical, and 1 if it is critical. A
    pointer to an extension specific structure or NULL
    is returned.
X509V3_add1_i2d()
    adds extension value to STACK *x
    (allocating a new STACK if necessary) using OID nid
    and criticality crit according to
    flags.
X509V3_EXT_d2i()
    attempts to decode the ASN.1 data contained in extension
    ext and returns a pointer to an extension specific
    structure or NULL if the extension could not be
    decoded (invalid syntax or not supported).
X509V3_EXT_i2d()
    encodes the extension specific structure ext with OID
    ext_nid and criticality
  crit.
X509_get_ext_d2i()
    and
    X509_add1_ext_i2d()
    operate on the extensions of certificate x, and are
    otherwise identical to X509V3_get_d2i() and
    X509V3_add1_i2d().
X509_CRL_get_ext_d2i()
    and
    X509_CRL_add1_ext_i2d()
    operate on the extensions of CRL crl, and are
    otherwise identical to X509V3_get_d2i() and
    X509V3_add1_i2d().
X509_REVOKED_get_ext_d2i()
    and
    X509_REVOKED_add1_ext_i2d()
    operate on the extensions of the X509_REVOKED
    structure r (i.e. for CRL entry extensions), and are
    otherwise identical to X509V3_get_d2i() and
    X509V3_add1_i2d().
X509_get0_extensions(),
    X509_CRL_get0_extensions(),
    and
    X509_REVOKED_get0_extensions()
    return a stack of all the extensions of a certificate, a CRL, or a CRL
    entry, respectively.
In almost all cases an extension can occur at most once and
    multiple occurrences is an error. Therefore the idx
    parameter is usually NULL.
The flags parameter may be one of the following values.
X509V3_ADD_DEFAULT appends a new extension
    only if the extension does not already exist. An error is returned if the
    extension does already exist.
X509V3_ADD_APPEND appends a new extension,
    ignoring whether the extension already exists. This is a misfeature and
    should not be used because certificates must not include the same extension
    more than once.
X509V3_ADD_REPLACE replaces an extension
    if it exists otherwise appends a new extension.
X509V3_ADD_REPLACE_EXISTING replaces an
    existing extension if it exists otherwise returns an error.
X509V3_ADD_KEEP_EXISTING appends a
    new extension only if the extension does not already exist. An error
    is not returned if the
    extension does already exist.
X509V3_ADD_DELETE deletes extension
    nid if it exists and errors otherwise. No new
    extension is added.
If X509V3_ADD_SILENT is OR'd with
    flags, any error returned will not be added to the
    error queue.
The function
    X509V3_get_d2i()
    will return NULL if the extension is not found,
    occurs multiple times or cannot be decoded. It is possible to determine the
    precise reason by checking the value of *crit.
X509_get0_uids()
    returns the issuer and subject unique identifiers of the certificate
    x in *issuerUID and
    *subjectUID. If a unique identifier field is not
    present in x, NULL is
    returned. Either one of issuerUID and
    subjectUID can be NULL.
SUPPORTED EXTENSIONS¶
The following sections contain a list of all supported extensions including their name and NID.
PKIX Certificate Extensions¶
The following certificate extensions are defined in PKIX standards such as RFC 5280.
| Basic Constraints | NID_basic_constraints | 
| Key Usage | NID_key_usage | 
| Extended Key Usage | NID_ext_key_usage | 
| Subject Key Identifier | NID_subject_key_identifier | 
| Authority Key Identifier | NID_authority_key_identifier | 
| Private Key Usage Period | NID_private_key_usage_period | 
| Subject Alternative Name | NID_subject_alt_name | 
| Issuer Alternative Name | NID_issuer_alt_name | 
| Authority Information Access | NID_info_access | 
| Subject Information Access | NID_sinfo_access | 
| Name Constraints | NID_name_constraints | 
| Certificate Policies | NID_certificate_policies | 
| Policy Mappings | NID_policy_mappings | 
| Policy Constraints | NID_policy_constraints | 
| Inhibit Any Policy | NID_inhibit_any_policy | 
| IP Address Delegation | NID_sbgp_ipAddrBlock | 
| Autonomous System Identifier Delegation | NID_sbgp_autonomousSysNum | 
Netscape Certificate Extensions¶
The following are (largely obsolete) Netscape certificate extensions.
| Netscape Cert Type | NID_netscape_cert_type | 
| Netscape Base Url | NID_netscape_base_url | 
| Netscape Revocation Url | NID_netscape_revocation_url | 
| Netscape CA Revocation Url | NID_netscape_ca_revocation_url | 
| Netscape Renewal Url | NID_netscape_renewal_url | 
| Netscape CA Policy Url | NID_netscape_ca_policy_url | 
| Netscape SSL Server Name | NID_netscape_ssl_server_name | 
| Netscape Comment | NID_netscape_comment | 
Miscellaneous Certificate Extensions¶
| Strong Extranet ID | NID_sxnet | 
| Proxy Certificate Information | NID_proxyCertInfo | 
PKIX CRL Extensions¶
The following are CRL extensions from PKIX standards such as RFC 5280.
| CRL Number | NID_crl_number | 
| CRL Distribution Points | NID_crl_distribution_points | 
| Delta CRL Indicator | NID_delta_crl | 
| Freshest CRL | NID_freshest_crl | 
| Invalidity Date | NID_invalidity_date | 
| Issuing Distribution Point | NID_issuing_distribution_point | 
The following are CRL entry extensions from PKIX standards such as RFC 5280.
| CRL Reason Code | NID_crl_reason | 
| Certificate Issuer | NID_certificate_issuer | 
OCSP Extensions¶
| OCSP Nonce | NID_id_pkix_OCSP_Nonce | 
| OCSP CRL ID | NID_id_pkix_OCSP_CrlID | 
| Acceptable OCSP Responses | NID_id_pkix_OCSP_acceptableResponses | 
| OCSP Check | NID_id_pkix_OCSP_noCheck | 
| OCSP Archive Cutoff | NID_id_pkix_OCSP_archiveCutoff | 
| OCSP Service Locator | NID_id_pkix_OCSP_serviceLocator | 
| Hold Instruction Code | NID_hold_instruction_code | 
RETURN VALUES¶
X509V3_get_d2i(),
    X509V3_EXT_d2i(),
    X509_get_ext_d2i(),
    X509_CRL_get_ext_d2i(), and
    X509_REVOKED_get_ext_d2i() return a pointer to an
    extension specific structure or NULL if an error
    occurs.
X509V3_add1_i2d(),
    X509_add1_ext_i2d(),
    X509_CRL_add1_ext_i2d(), and
    X509_REVOKED_add1_ext_i2d() return 1 if the
    operation is successful, 0 if it fails due to a non-fatal error (extension
    not found, already exists, cannot be encoded), or -1 due to a fatal error
    such as a memory allocation failure. In some cases of failure, the reason
    can be determined with ERR_get_error(3).
The X509V3_EXT_i2d() function returns a
    pointer to an X509_EXTENSION structure if successful;
    otherwise NULL is returned and an error code can be
    retrieved with ERR_get_error(3).
X509_get0_extensions(),
    X509_CRL_get0_extensions(), and
    X509_REVOKED_get0_extensions() return a stack of
    extensions, or NULL if no extensions are
  present.
SEE ALSO¶
d2i_X509(3), d2i_X509_EXTENSION(3), X509_check_purpose(3), X509_CRL_get0_by_serial(3), X509_CRL_new(3), X509_EXTENSION_new(3), X509_get_pubkey(3), X509_get_subject_name(3), X509_get_version(3), X509_new(3), X509_REVOKED_new(3), X509V3_EXT_print(3), X509V3_extensions_print(3)
HISTORY¶
X509V3_EXT_d2i() first appeared in OpenSSL
    0.9.2b. X509V3_EXT_i2d() first appeared in OpenSSL
    0.9.3. Both functions have been available since OpenBSD
    2.6.
X509V3_get_d2i(),
    X509_get_ext_d2i(),
    X509_CRL_get_ext_d2i(), and
    X509_REVOKED_get_ext_d2i() first appeared in OpenSSL
    0.9.5 and have been available since OpenBSD 2.7.
X509V3_add1_i2d(),
    X509_add1_ext_i2d(),
    X509_CRL_add1_ext_i2d(), and
    X509_REVOKED_add1_ext_i2d() first appeared in
    OpenSSL 0.9.7 and have been available since OpenBSD
    3.2.
X509_get0_extensions(),
    X509_CRL_get0_extensions(), and
    X509_REVOKED_get0_extensions() first appeared in
    OpenSSL 1.1.0 and have been available since OpenBSD
    6.3.
X509_get0_uids() first appeared in OpenSSL
    1.1.0 and has been available since OpenBSD 7.3.
| May 15, 2024 | Linux 6.14.1-1-default |